@angular-devkit/build-angular depends on vulnerable version of webpack - CVE-2024-43788

[bgardner-noggin]

Command

build

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm_audit on an Angular v18 project outputs the following

# npm audit report

webpack  <5.94.0
Severity: moderate
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - https://github.com/advisories/GHSA-4vvj-4cpr-p986
No fix available
node_modules/webpack
  @angular-devkit/build-angular  *
  Depends on vulnerable versions of webpack
  node_modules/@angular-devkit/build-angular

2 moderate severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Minimal Reproduction

Create a new angular project using the latest v18 @angular-cli
Run npm audit in the project folder

Exception or Error

No response

Your Environment

_                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/
    

Angular CLI: 18.2.1
Node: 20.16.0
Package Manager: npm 10.8.1
OS: linux x64

Angular: 
... 

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.1802.1 (cli-only)
@angular-devkit/core         18.2.1 (cli-only)
@angular-devkit/schematics   18.2.1 (cli-only)
@schematics/angular          18.2.1 (cli-only)

### Anything else relevant?

_No response_

[nicoobkio]

I see you are working on a fix; Can you give us an ETA for the release please ? :-)

[alan-agius4]

Closed via #28294

[alan-agius4]

A release should happen later today.

[SmartKent]

A release should happen later today.

Any patch for previous Angular version, like 17?

[poiuylkkk]

Any patch for previous Angular version, like 16?
@angular-devkit/[email protected] depends on [email protected], which also has the same vulnerability issue

[Brice155]

Any patch for previous Angular version, like 14 ?

"@angular-devkit/build-angular": { "version": "14.2.13", "requires": { [...] "webpack": "5.76.1", [...] },

[alan-agius4]

Versions prior to version 16 are no longer supported. See: https://angular.dev/reference/releases#actively-supported-versions

[programmingPug]

Will v17 be getting the patch?

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}