@angular-devkit/build-angular depends on vulnerable version of webpack #24861

@clusterberries

Command

new

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on an Angular v15 project causes an error output, because @angular-devkit/build-angular depends on a vulnerable version of webpack, 5.75.0.

Minimal Reproduction

  1. Create new Angular project using the latest @angular-cli version 15.2.3.
  2. Run npm audit in the project folder

Exception or Error

    webpack  5.0.0 - 5.75.0
    Severity: high
    Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
    fix available via `npm audit fix --force`
    Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
    node_modules/webpack
      @angular-devkit/build-angular  0.1200.0-next.0 - 16.0.0-next.3
      Depends on vulnerable versions of webpack
      node_modules/@angular-devkit/build-angular

    2 high severity vulnerabilities

Your Environment

    Angular CLI: 15.2.3
    Node: 16.15.1
    Package Manager: npm 8.11.0
    OS: win32 x64

    Angular: 15.2.2
    ... animations, common, compiler, compiler-cli, core, forms
    ... platform-browser, platform-browser-dynamic, router

    Package                         Version
    ---------------------------------------------------------
    @angular-devkit/architect       0.1502.3
    @angular-devkit/build-angular   15.2.3
    @angular-devkit/core            15.2.3
    @angular-devkit/schematics      15.2.3
    @angular/cli                    15.2.3
    @schematics/angular             15.2.3
    rxjs                            7.8.0
    typescript                      4.9.5

Anything else relevant?

No response
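
To confirm which installed copy of webpack the audit finding refers to, the lockfile can be checked against the range quoted in the output above (5.0.0 - 5.75.0). This is an added example, not code from the issue or from the Angular CLI project; the function names and the sample lockfile fragment are constructed for illustration, and it assumes a package-lock.json with lockfileVersion 2 or 3.

```javascript
// Added example: list webpack copies in a lockfile that fall inside the
// advisory range reported by npm audit on this page (5.0.0 - 5.75.0).
const RANGE = { low: [5, 0, 0], high: [5, 75, 0] };

// Parse "x.y.z"; any prerelease/build suffix is ignored (a simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inRange(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, RANGE.low) >= 0 && compare(v, RANGE.high) <= 0;
}

// lockfileVersion 2/3 records every installed copy under "packages", keyed by
// its node_modules path, so nested copies pulled in by other tools show up too.
function findAffectedWebpack(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/webpack")) continue; // skips webpack-dev-server etc.
    if (inRange(meta.version)) hits.push({ path, version: meta.version, dev: !!meta.dev });
  }
  return hits;
}

// Constructed lockfile fragment; only webpack 5.75.0 is taken from the issue.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/webpack": { version: "5.75.0", dev: true },
    "node_modules/webpack-dev-server": { version: "4.11.1", dev: true },
    "node_modules/example-tool/node_modules/webpack": { version: "4.46.0", dev: true },
  },
};

console.log(findAffectedWebpack(sampleLock));
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `sampleLock`; the `dev` flag in each hit shows whether the copy is a development-only dependency.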
