With version 15, the behavior of the environment variable lookup changed to try to find occurrences in the whole workspace. This could lead to a potential information disclosure vulnerability, by exposing environment variables meant for a backend/Node.js application. This PR mitigates this possibility, by restricting the lookup path of environment variables to sourceRoot of the related angular.json project and excluding files having server in their name (a common pattern for universal apps).
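The scoping rule described above, as an added example that is not the PR's own code: a file is read by the environment-variable lookup only if it resolves inside the project's `sourceRoot` and its name does not contain `server`. The function names, the `angular.json` fragment and the file listing are constructed for illustration, and treating "name" as the file's base name is an assumption.

```javascript
// Added illustration, not the project's code. Paths are workspace-relative, "/"-separated.
// Constructed angular.json fragment.
const angularJson = {
  projects: { shop: { sourceRoot: "apps/shop/src" } },
};

// Constructed workspace listing: an Angular app next to a Node.js backend.
const workspaceFiles = [
  "apps/shop/src/main.ts",
  "apps/shop/src/app/api.service.ts",
  "apps/shop/src/main.server.ts",       // universal/SSR entry point
  "apps/shop/src/../../api/src/db.ts",  // resolves outside sourceRoot
  "apps/shop/src-legacy/old.ts",        // shares only a string prefix
  "apps/api/src/db.ts",                 // backend code
  "server.ts",
];

// Collapse "." and ".." segments; null if the path climbs out of the workspace.
function normalize(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "..") {
      if (out.pop() === undefined) return null;
    } else if (seg !== "" && seg !== ".") {
      out.push(seg);
    }
  }
  return out.join("/");
}

// Decide, per file, whether the environment-variable lookup may read it.
function classify(config, projectName, file) {
  const project = config.projects[projectName];
  if (!project || !project.sourceRoot) return "no-source-root"; // fail closed
  const root = normalize(project.sourceRoot);
  const path = normalize(file);
  if (root === null || path === null || !path.startsWith(root + "/")) {
    return "outside-source-root";
  }
  // Assumption: "name" means the file's base name, matched as the literal "server".
  const base = path.slice(path.lastIndexOf("/") + 1);
  return base.includes("server") ? "server-file" : "scanned";
}

function filesInScope(config, projectName, files) {
  return files.filter((f) => classify(config, projectName, f) === "scanned");
}

console.log(filesInScope(angularJson, "shop", workspaceFiles));
```

Comparing against `root + "/"` after normalizing is what keeps `src-legacy` and `..` paths out of scope; a plain string-prefix check on the raw path would admit both.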