
NPM audit reports denial of service vulnerability in http-proxy #17738

Closed
trevoreyre opened this issue May 15, 2020 · 3 comments

Comments

@trevoreyre

🐞 Bug report

Description

npm audit reports a high severity denial of service vulnerability in the http-proxy dependency.

This is in the @angular-devkit/build-angular package. http-proxy is a downstream dependency of webpack-dev-server.

🔬 Minimal Reproduction


npm install --save-dev @angular-devkit/build-angular
npm audit

🔥 Exception or Error


  High            Denial of Service                                             
                                                                                
  Package         http-proxy                                                    
                                                                                
  Patched in      No patch available                                            
                                                                                
  Dependency of   @angular-devkit/build-angular [dev]                           
                                                                                
  Path            @angular-devkit/build-angular > webpack-dev-server >          
                  http-proxy-middleware > http-proxy                            
                                                                                
  More info       https://npmjs.com/advisories/1486                             

🌍 Your Environment

Angular CLI: 9.1.0
Node: 12.14.1
OS: linux x64

Angular: 9.1.0
... animations, cli, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router
Ivy Workspace: Yes

Package Version

@angular-devkit/architect 0.901.0
@angular-devkit/build-angular 0.901.0
@angular-devkit/build-ng-packagr 0.901.0
@angular-devkit/build-optimizer 0.901.0
@angular-devkit/build-webpack 0.901.0
@angular-devkit/core 9.1.0
@angular-devkit/schematics 9.1.0
@angular/cdk 9.2.0
@ngtools/webpack 9.1.0
@schematics/angular 9.1.0
@schematics/update 0.901.0
ng-packagr 9.1.0
rxjs 6.5.4
typescript 3.8.3
webpack 4.42.0

Anything else relevant?
This isn't a bug directly in this project, but I'd like to open this issue to track the progress of the vulnerability in dependencies.

npm advisory: https://npmjs.com/advisories/1486
http-proxy issue: http-party/node-http-proxy#1446
webpack-dev-server issue: webpack/webpack-dev-server#2605

@hardik2801

hardik2801 commented May 17, 2020

I'm facing the same issue with Angular CLI: 9.1.6 & Angular: 9.1.7

3 vulnerabilities:

  1. @angular-devkit/build-angular > webpack-dev-server > http-proxy-middleware > http-proxy (severity: High)

  2. karma > http-proxy (severity: High)

  3. @angular-devkit/build-angular > webpack-dev-server > yargs > yargs-parser (severity: Low)
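As an added example (not code from this issue or from the Angular project): a small Node script that triages an `npm audit --json` report the way the two reports above would need, flagging advisories that are reachable only through dev dependencies and advisories for which npm offers no patched range. The report shape used (`advisories`, `findings[].paths`, `findings[].dev`, `patched_versions`, with `"<0.0.0"` meaning no patch) is the npm 6 JSON format as assumed here, and the sample report is constructed from the dependency paths quoted in this thread.

```javascript
// Constructed sample in the assumed npm 6 `npm audit --json` shape; the paths
// are the ones reported in this thread, the rest is illustrative.
const sampleReport = {
  advisories: {
    "1486": {
      id: 1486,
      module_name: "http-proxy",
      severity: "high",
      title: "Denial of Service",
      patched_versions: "<0.0.0", // assumed marker for "No patch available"
      findings: [
        { version: "1.18.0", dev: true,
          paths: ["@angular-devkit/build-angular>webpack-dev-server>http-proxy-middleware>http-proxy"] },
        { version: "1.18.0", dev: true, paths: ["karma>http-proxy"] },
      ],
    },
  },
};

// Reduce each advisory to the facts needed for triage: which top-level
// packages pull the vulnerable module in, whether every path is dev-only
// (so the code never ships to production), and whether upgrading can fix it.
function triageAudit(report) {
  return Object.values(report.advisories || {}).map((adv) => {
    const findings = adv.findings || [];
    const paths = findings.flatMap((f) => f.paths || []);
    const devOnly = findings.length > 0 && findings.every((f) => f.dev === true);
    const patchAvailable =
      Boolean(adv.patched_versions) && adv.patched_versions !== "<0.0.0";
    // The first segment of "a>b>c" is the direct dependency that owns the chain.
    const roots = [...new Set(paths.map((p) => p.split(">")[0]))];
    return {
      id: adv.id, pkg: adv.module_name, severity: adv.severity,
      title: adv.title, paths, roots, devOnly, patchAvailable,
    };
  });
}

// One line per advisory, suitable for a CI log or a tracking issue.
function formatTriage(entries) {
  return entries.map((e) =>
    `[${e.severity}] ${e.pkg} (#${e.id}) ${e.title}: ${e.paths.length} path(s), ` +
    `roots=${e.roots.join(",")}, devOnly=${e.devOnly}, patchAvailable=${e.patchAvailable}`);
}

console.log(formatTriage(triageAudit(sampleReport)).join("\n"));
```

On a real project, replace `sampleReport` with `JSON.parse` of the `npm audit --json` output; a dev-only, unpatchable finding like this one is a candidate for tracking rather than for blocking the build.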

@alan-agius4
Collaborator

This should be now solved without the need for us to do anything since this is a transitive dependency.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Jun 20, 2020