http-proxy-middleware outdated (Mend vulnerability CVE-2024-21536) #28680
Comments
Hi, @angular/devkit-repo in v17 (17.3.9) points to http-proxy-middleware v2.0.6, which also has this problem. v2.0.7 has a fix too, and it would be great to update it.
… `3.0.3` Address CVE-2024-21536 Closes angular#28680
… `2.0.7` Address CVE-2024-21536 Closes angular#28680
… `3.0.3` Address CVE-2024-21536 Closes #28680
… `2.0.7` Address CVE-2024-21536 Closes #28680
Is the 18.2.9 version of Angular JS vulnerable?
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot.
Command: other
Is this a regression? (The previous version in which this bug was not present was): No response
Description
build-angular 18.2.9 (and earlier versions) reference http-proxy-middleware 3.0.0, which contains a vulnerability.
There is a version 3.0.3 that includes a fix.
For more info, please see: https://dnb.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2024-21536
Minimal Reproduction
Use the latest angular packages (build-angular 18.2.9 at the moment of writing) and scan for vulnerabilities with a tool (like Whitesource Mend).
Exception or Error
No response
Your Environment
Angular CLI: 18.2.9
Node: 20.16.0
Package Manager: npm 10.8.3
OS: win32 x64
Angular: 18.2.8
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router
Package Version
@angular-devkit/architect 0.1802.9
@angular-devkit/build-angular 18.2.9
@angular-devkit/core 18.2.9
@angular-devkit/schematics 18.2.9
@angular/cli 18.2.9
@schematics/angular 18.2.9
rxjs 7.8.1
typescript 5.5.4
zone.js 0.14.10
Anything else relevant?
It's not a major issue, since it's on a dev-dependency, but nevertheless it is flagged as a High impact vulnerability (raising red flags and blocks) in our organization and seems like an easy fix to update in build-angular.
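An added example, not code from this thread, the Angular CLI, or http-proxy-middleware: a small Node script that walks a package-lock.json (lockfile v1 nested tree or v2/v3 flat "packages" map) and flags every installed copy of http-proxy-middleware in the ranges the thread treats as affected by CVE-2024-21536, 2.x below 2.0.7 and 3.x below 3.0.3. The 2.0.6/2.0.7 and 3.0.0/3.0.3 boundaries are taken from the comments above; treating 3.0.1 and 3.0.2 as affected is an assumption made here, and the Mend/NVD advisory is the authoritative range. The embedded SAMPLE_LOCK is a constructed lockfile fragment; pass a real package-lock.json path as the first argument to scan your own tree.

```javascript
// Added example (not from the Angular issue or the Angular CLI code base).
// Reports every copy of http-proxy-middleware in a package-lock.json whose
// version is in the ranges the thread describes as affected by CVE-2024-21536.
// Bounds assumed from the thread: 2.x < 2.0.7 and 3.x < 3.0.3 are affected.

const PACKAGE = "http-proxy-middleware";

// First fixed version per major line, as stated in the thread (assumed ranges).
const FIXED_BY_MAJOR = { 2: [2, 0, 7], 3: [3, 0, 3] };

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix ignored) into numbers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is below the first fixed release of its major line.
// Majors the thread says nothing about (1.x, 4.x, ...) are not flagged.
function isAffected(version) {
  const v = parseSemver(version);
  if (!v) return false;
  const fixed = FIXED_BY_MAJOR[v[0]];
  return fixed ? cmpSemver(v, fixed) < 0 : false;
}

// Collect {path, version} for every http-proxy-middleware entry, including
// nested copies under other dependencies (a top-level bump does not fix those).
function findInstalls(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by node_modules path.
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === `node_modules/${PACKAGE}` || p.endsWith(`/node_modules/${PACKAGE}`)) {
        found.push({ path: p, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        if (name === PACKAGE) found.push({ path: p, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Attach the affected verdict to each install found.
function audit(lock) {
  return findInstalls(lock).map((i) => ({ ...i, affected: isAffected(i.version) }));
}

// Constructed sample lockfile fragment (lockfileVersion 3) mirroring the thread:
// build-angular pulling 3.0.0 at top level, plus a nested 2.0.6 under another tool.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "0.0.0" },
    "node_modules/@angular-devkit/build-angular": { version: "18.2.9", dev: true },
    "node_modules/http-proxy-middleware": { version: "3.0.0", dev: true },
    "node_modules/some-tool/node_modules/http-proxy-middleware": { version: "2.0.6", dev: true },
  },
};

// CLI entry point: `node audit-hpm.js [path/to/package-lock.json]`.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const r of audit(lock)) {
    const tag = r.affected ? "AFFECTED" : "ok      ";
    console.log(`${tag} ${String(r.version).padEnd(8)} ${r.path}`);
  }
  process.exitCode = audit(lock).some((r) => r.affected) ? 1 : 0;
}

if (typeof module !== "undefined") {
  module.exports = { parseSemver, cmpSemver, isAffected, findInstalls, audit, SAMPLE_LOCK };
}
```

The script exits non-zero when any affected copy is present, so it can sit in CI next to the scanner the report mentions. `npm ls http-proxy-middleware` is a quick cross-check for the same paths; the point of walking the lockfile rather than just the top-level entry is that an `overrides` or direct bump of the root copy leaves nested copies (the 2.0.6 case in the sample) untouched.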