
@angular-devkit/build-angular Depends on vulnerable versions of vite CVE-2024-45812 / CVE-2024-45811 #28435

Closed
KyrumX opened this issue Sep 18, 2024 · 11 comments


KyrumX commented Sep 18, 2024

Command

build

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on an Angular v17 project outputs the following:

# npm audit report

vite  5.0.0 - 5.2.13
Severity: moderate
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS - https://github.com/advisories/GHSA-64vr-g452-qvp3
Vite's `server.fs.deny` is bypassed when using `?import&raw` - https://github.com/advisories/GHSA-9cwx-2883-4wfx
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@18.2.4, which is a breaking change
node_modules/vite
  @angular-devkit/build-angular  17.1.0-next.0 - 18.1.0-rc.1
  Depends on vulnerable versions of vite
  node_modules/@angular-devkit/build-angular

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Angular v18 outputs the following:

# npm audit report

vite  5.4.0 - 5.4.5
Severity: moderate
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS - https://github.com/advisories/GHSA-64vr-g452-qvp3
Vite's `server.fs.deny` is bypassed when using `?import&raw` - https://github.com/advisories/GHSA-9cwx-2883-4wfx
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@18.1.4, which is a breaking change
node_modules/vite
  @angular-devkit/build-angular  >=18.2.0-next.0
  Depends on vulnerable versions of @angular/build
  Depends on vulnerable versions of vite
  node_modules/@angular-devkit/build-angular
  @angular/build  >=18.2.0-next.0
  Depends on vulnerable versions of vite
  node_modules/@angular/build

3 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Minimal Reproduction

Create a new angular project using the latest v18 @angular-cli or v17 @angular-cli
Run npm audit in the project folder

Exception or Error

No response

Your Environment

     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/


Angular CLI: 17.3.9
Node: 20.11.1
Package Manager: npm 10.5.2
OS: win32 x64

Angular: 17.3.4
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1703.9
@angular-devkit/build-angular   17.3.9
@angular-devkit/core            17.3.9
@angular-devkit/schematics      17.3.9
@angular/cli                    17.3.9
@schematics/angular             17.3.9
rxjs                            7.8.1
typescript                      5.3.3
zone.js                         0.14.4

Anything else relevant?

No response

alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Sep 18, 2024
@alan-agius4 (Collaborator)

It's worth noting that this vulnerability cannot be exploited in our situation, as Vite is mainly used as a development server.

I've submitted a pull request for version 18 (#28437). Backporting this change to version 17 is more complex because it would involve modifications to the builder. Given the risk of causing issues in an LTS version, I have chosen not to proceed with it.
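The comment above rests on vite being reachable only through dev tooling. The following is an added triage helper, not code from this thread or from the Angular project: it reads `npm audit --json` output together with package-lock.json and reports, per vulnerable package, whether every installed copy is a dev-only lockfile node. The audit and lockfile contents embedded here are constructed samples shaped like npm 10 output and a lockfileVersion 3 lock for an Angular 17 app.

```python
"""Added triage helper: read `npm audit --json` and package-lock.json, and say
per vulnerable package whether every installed copy is a dev-only node (the
property behind "Vite is only used as a development server")."""
import json

# Constructed inputs shaped like npm 10 `npm audit --json` and a lockfileVersion 3
# package-lock for an Angular 17 app; values are illustrative, not a real run.
AUDIT_JSON = json.dumps({"vulnerabilities": {
    "vite": {
        "name": "vite", "severity": "moderate", "isDirect": False,
        "via": [{"title": "Vite DOM Clobbering gadget found in vite bundled scripts",
                 "url": "https://github.com/advisories/GHSA-64vr-g452-qvp3"}],
        "effects": ["@angular-devkit/build-angular"],
        "range": "5.0.0 - 5.2.13", "nodes": ["node_modules/vite"],
    },
    "@angular-devkit/build-angular": {
        "name": "@angular-devkit/build-angular", "severity": "moderate",
        "isDirect": True, "via": ["vite"], "effects": [],
        "range": "17.1.0-next.0 - 18.1.0-rc.1",
        "nodes": ["node_modules/@angular-devkit/build-angular"],
    },
}})
LOCK_JSON = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"devDependencies": {"@angular-devkit/build-angular": "17.3.9"}},
    "node_modules/@angular-devkit/build-angular": {"version": "17.3.9", "dev": True},
    "node_modules/vite": {"version": "5.2.13", "dev": True},
}})


def triage(audit_text, lock_text):
    """Return {package: {severity, dev_only, advisories, via_packages}}."""
    audit = json.loads(audit_text)
    packages = json.loads(lock_text).get("packages", {})
    report = {}
    for name, vuln in audit.get("vulnerabilities", {}).items():
        nodes = vuln.get("nodes", [])
        # npm sets "dev": true on a lockfile node only when it is reachable solely
        # via devDependencies; a node without the flag ships to production.
        dev_only = bool(nodes) and all(packages.get(n, {}).get("dev") is True for n in nodes)
        # Root-cause "via" entries are advisory objects; transitive ones are the
        # bare name of the package the problem arrives through.
        report[name] = {
            "severity": vuln.get("severity"),
            "dev_only": dev_only,
            "advisories": [v["url"] for v in vuln.get("via", []) if isinstance(v, dict)],
            "via_packages": [v for v in vuln.get("via", []) if isinstance(v, str)],
        }
    return report
```

A `dev_only` of False for any finding means the vulnerable node is also reachable from production dependencies, and the "dev server only" argument no longer applies to that project.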

alan-agius4 added a commit that referenced this issue Sep 18, 2024
@alan-agius4 (Collaborator)

Closed via #28437

KyrumX commented Sep 18, 2024

@alan-agius4 I kind of assumed this would be the case (it not affecting angular), thanks for clarifying!

@Dark-Light-20

@alan-agius4 Hi Alan, do the reasons you gave for not being able to update the peer dependency for Angular 17 LTS also apply to Angular 16 LTS? Because in the 16.2.x LTS branch I see that vite is declared at version "4.5.3" and the patched version for the CVE is "4.5.5". Is it possible to upgrade the dependency in v16, or is it complex like in v17 as you say?

alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Sep 18, 2024
@alan-agius4 (Collaborator)

@Dark-Light-20, here's the v16 PR #28440

@Dark-Light-20

> @Dark-Light-20, here's the v16 PR #28440

Wow, that's so fast, thanks for that.

alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Sep 18, 2024
@mos2st

mos2st commented Sep 19, 2024

Is there no way a fix for 17 will be provided? We have dependencies in our project that won't allow us to upgrade to 18...

@plchampigny

Is upgrading to vite@5.2.14 a possibility for angular v17?

@plchampigny

@alan-agius4 The CVE fix has been backported to branch 5.1.x. Could you update v17 to fix it using https://github.com/vitejs/vite/releases/tag/v5.1.8 ?

@mos2st

mos2st commented Sep 20, 2024

Our OCaaS scan shows another vulnerability in the @types/body-parser dependency, GHSA-qwcr-r2fm-qrc7, affecting versions <1.20.3:

@angular-devkit/build-angular@17.3.9
'-- http-proxy-middleware@2.0.6
'-- @types/express@4.17.21
'-- @types/body-parser@1.19.5

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.