
@angular-devkit/build-angular depends on vulnerable version of webpack #24861

Closed
1 task
clusterberries opened this issue Mar 15, 2023 · 6 comments

Comments

@clusterberries

Command

new

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on an Angular v15 project produces an error output, because @angular-devkit/build-angular depends on a vulnerable version of webpack (5.75.0).

Minimal Reproduction

  1. Create new Angular project using the latest @angular-cli version 15.2.3.
  2. Run npm audit in the project folder

Exception or Error

webpack  5.0.0 - 5.75.0
Severity: high
Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/webpack
  @angular-devkit/build-angular  0.1200.0-next.0 - 16.0.0-next.3
  Depends on vulnerable versions of webpack
  node_modules/@angular-devkit/build-angular

2 high severity vulnerabilities

Your Environment

Angular CLI: 15.2.3
Node: 16.15.1
Package Manager: npm 8.11.0
OS: win32 x64

Angular: 15.2.2
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1502.3
@angular-devkit/build-angular   15.2.3
@angular-devkit/core            15.2.3
@angular-devkit/schematics      15.2.3
@angular/cli                    15.2.3
@schematics/angular             15.2.3
rxjs                            7.8.0
typescript                      4.9.5

Anything else relevant?

No response
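The report above comes from npm audit, but a team that wants to triage this without accepting the breaking `--force` downgrade can check the lockfile directly. The following Node script is an added example, not code from this issue or from the angular-cli project: it reads a package-lock.json (lockfile v2/v3 `packages` map), reports every installed copy of webpack that falls inside the advisory's `5.0.0 - 5.75.0` range, and names the packages that pull it in. The sample lockfile is constructed to mirror the dependency chain in this issue, and the version comparison ignores pre-release tags (an assumption made for brevity).

```javascript
// Advisory values are the ones quoted in the npm audit output above.
const ADVISORY = { name: 'webpack', min: '5.0.0', max: '5.75.0', id: 'GHSA-hc6q-2mpp-qw7j' };

// Constructed sample lockfile (not a real project's): a root app whose devDependency
// @angular-devkit/build-angular pins webpack 5.75.0, as reported in the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', devDependencies: { '@angular-devkit/build-angular': '15.2.3' } },
    'node_modules/@angular-devkit/build-angular': { version: '15.2.3', dependencies: { webpack: '5.75.0' } },
    'node_modules/webpack': { version: '5.75.0' },
  },
};

// Numeric major.minor.patch comparison; pre-release suffixes are dropped (assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// True when `version` lies inside the inclusive advisory range.
function inRange(version, min, max) {
  return compareVersions(version, min) >= 0 && compareVersions(version, max) <= 0;
}

// Scan the lockfile: every installed copy of the advisory package (including nested
// node_modules copies) that is still in range, plus the packages depending on it.
function findVulnerable(lock, advisory) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/' + advisory.name)) continue;
    if (!inRange(entry.version, advisory.min, advisory.max)) continue;
    const dependents = Object.entries(packages)
      .filter(([, e]) => e.dependencies && advisory.name in e.dependencies)
      .map(([p]) => p.replace(/^.*node_modules\//, '') || '(root project)');
    findings.push({ advisory: advisory.id, path, version: entry.version, dependents });
  }
  return findings;
}

// Parse a lockfile's JSON text and run the check; an empty result means the pinned
// webpack is already outside the advisory range (e.g. after the upstream bump).
function scanLockfileText(jsonText) {
  return findVulnerable(JSON.parse(jsonText), ADVISORY);
}

console.log(JSON.stringify(scanLockfileText(JSON.stringify(SAMPLE_LOCK)), null, 2));
```

Running it against a real lockfile (for example `node scan.js < package-lock.json` after wiring stdin to `scanLockfileText`) shows whether the fix is simply a matter of waiting for the upstream build-angular release rather than forcing a major downgrade.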

@SymbioticKilla

Please port the fix to 13.x version if possible.
Thanks!

@marianoAlvez

marianoAlvez commented Mar 15, 2023

Good morning, I have the same problem in Angular 14. In the console, I see this message:

webpack 5.0.0 - 5.75.0
Severity: high
Cross-realm object access in Webpack 5 - GHSA-hc6q-2mpp-qw7j
fix available via npm audit fix --force
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/webpack
@angular-devkit/build-angular 0.1200.0-next.0 - 16.0.0-next.3
Depends on vulnerable versions of webpack
node_modules/@angular-devkit/build-angular

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Mar 15, 2023
@alan-agius4 alan-agius4 self-assigned this Mar 15, 2023
@dutta-arnab1

Could you please port this fix back to 14.2.x version?

@jvyden

jvyden commented Mar 16, 2023

Could you please port this fix back to 14.2.x version?

The same patch is replicated for 14.2.x here:

#24863

angular-robot bot pushed a commit that referenced this issue Mar 16, 2023
@alan-agius4
Collaborator

Webpack version has been updated in 13.3.11, 14.2.11 and 15.2.4.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Apr 16, 2023