Angular v19 projects depend on a vulnerable version of babel

[json-derulo]

Command

other

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

v19 Angular projects depend on a vulnerable version of babel, which can lead to the generated code being vulnerable. For more information, see the related GitHub advisory: GHSA-968p-4wvh-cqc8

This is probably also an issue with v18 and v17.

Minimal Reproduction

Creat a new v19 project and run npm audit

Exception or Error

Your Environment

Angular CLI: 19.2.2
Node: 22.14.0
Package Manager: npm 11.2.0
OS: darwin arm64

Angular: 19.2.2
... animations, cli, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.2
@angular-devkit/build-angular   19.2.2
@angular-devkit/core            19.2.2
@angular-devkit/schematics      19.2.2
@angular/cdk                    19.2.3
@angular/material               19.2.3
@schematics/angular             19.2.2
ng-packagr                      19.2.0
rxjs                            7.8.2
typescript                      5.8.2
zone.js                         0.15.0

Anything else relevant?

No response

[alan-agius4]

Closed via #29837, #29834 and #29835

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}