Security Enhancement Opportunity: vite 6.0.0-6.0.8, which is a dependency of @angular/build #29521

Closed
@nxpatterns
Command

build, serve

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

We recently identified a moderate severity security vulnerability in the vite package, versions 6.0.0 through 6.0.8, which is a dependency of @angular/build. The vulnerability allows websites to send any requests to the development server and read the response.

Vulnerability Details

  • Package: vite
  • Affected Versions: 6.0.0 - 6.0.8
  • Severity: Moderate
  • Description: Websites were able to send any requests to the development server and read the response in vite.
  • Reference: GHSA-vg6x-rcgg-rjx6

Impact

This vulnerability potentially exposes sensitive information during development, which could be exploited by malicious actors.

Workaround Implemented

To address this issue, we've implemented the following workaround:

  1. Created a local copy of @angular/build in our project.
  2. Updated the vite version to 6.0.9 in the local copy's package.json.
  3. Modified our main package.json to use the local copy of @angular/build.

This approach allowed us to use a non-vulnerable version of vite without waiting for an official update to @angular/build.

Minimal Reproduction

Steps to Reproduce (for verification)

  1. Create a new Angular App via Angular/CLI
  2. Run npm audit to confirm

Exception or Error


Your Environment

ng version  
Node.js version v23.5.0 detected.
Odd numbered Node.js versions will not enter LTS status and should not be used for production. For more information, please see https://nodejs.org/en/about/previous-releases/.

     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/
    

Angular CLI: 19.1.4
Node: 23.5.0 (Unsupported)
Package Manager: npm 11.0.0
OS: darwin arm64

Angular: 19.1.3
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1901.4
@angular-devkit/build-angular   19.1.4
@angular-devkit/core            19.1.4
@angular-devkit/schematics      19.1.4
@angular/build                  19.1.4
@angular/cli                    19.1.4
@schematics/angular             19.1.4
rxjs                            7.8.1
typescript                      5.7.3
zone.js                         0.15.0
    
Warning: The current version of Node (23.5.0) is not supported by Angular.

Anything else relevant?

We kindly request the development team to:

  1. Update the vite dependency in @angular/build to version 6.0.9 or later.
  2. Release a new version of @angular/build with this security fix.

We greatly appreciate the hard work and dedication of the Angular team in maintaining such a robust and feature-rich framework. Your commitment to security and continuous improvement is commendable. We hope this report helps in further enhancing the security of the Angular ecosystem.

Thank you for your attention to this matter. We're happy to provide any additional information or assistance if needed.
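Added example, not code from the issue or from the Angular project: a small Node script that walks a package-lock.json and reports every installed copy of vite in the affected 6.0.0-6.0.8 range, as an offline complement to the `npm audit` step above. The sample lock object is constructed and the 6.0.7/19.1.4 pairing in it is a placeholder, not real data.

```javascript
// Added example (not from the issue or the Angular repo): scan an npm
// package-lock.json (lockfileVersion 2 or 3, which list every installed
// package under "packages" keyed by node_modules path) for vite 6.0.0-6.0.8.
const AFFECTED_MIN = [6, 0, 0], AFFECTED_MAX = [6, 0, 8];

// Parse "6.0.9" (or "v6.0.9") into [major, minor, patch]. Prerelease tags
// are ignored, so "6.0.0-beta.1" is treated as 6.0.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when version lies in [6.0.0, 6.0.8]; unparsable versions are not flagged.
function isAffected(version) {
  const parsed = parseVersion(version);
  if (!parsed) return false;
  return compareVersions(parsed, AFFECTED_MIN) >= 0 &&
         compareVersions(parsed, AFFECTED_MAX) <= 0;
}

// Return every installed copy of vite in the affected range, including nested
// copies such as node_modules/@angular/build/node_modules/vite, which npm
// keeps separate when the hoisted vite has a different version.
function findVulnerableVite(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vite$/.test(path)) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lock fragment (not a real project): a hoisted vite 6.0.9
// next to a nested vite 6.0.7 installed under @angular/build.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/vite": { version: "6.0.9" },
    "node_modules/@angular/build": { version: "19.1.4" },
    "node_modules/@angular/build/node_modules/vite": { version: "6.0.7" },
  },
};
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findVulnerableVite`; a non-empty result means a fixed vite at the top level has not replaced the copy that @angular/build actually resolves.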
