Description
There are some severe audit issues, which give us problems in our pipeline.
Steps to reproduce
- Check out the 20.1.x branch
- npm audit
Result
npm warn Unknown user config "always-auth". This will stop working in the next major version of npm.
npm warn Unknown user config "always-auth" (//packages.infragistics.com/npm/js-licensed/:always-auth). This will stop working in the next major version of npm.
# npm audit report
@angular/common 20.0.0-next.0 - 20.3.13
Severity: high
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client - https://github.com/advisories/GHSA-58c5-g7wp-6w37
fix available via `npm audit fix`
node_modules/@angular/common
@angular/forms 4.4.0-RC.0 - 4.4.0 || 20.0.0-next.0 - 20.3.13
Depends on vulnerable versions of @angular/common
Depends on vulnerable versions of @angular/platform-browser
node_modules/@angular/forms
@angular/platform-browser 20.0.0-next.0 - 20.3.13
Depends on vulnerable versions of @angular/common
node_modules/@angular/platform-browser
@angular/platform-browser-dynamic 20.0.0-next.0 - 20.3.13
Depends on vulnerable versions of @angular/common
Depends on vulnerable versions of @angular/platform-browser
node_modules/@angular/platform-browser-dynamic
@angular/platform-server 20.0.0-next.0 - 20.3.13
Depends on vulnerable versions of @angular/common
Depends on vulnerable versions of @angular/platform-browser
node_modules/@angular/platform-server
@angular/router 10.0.0-next.0 - 10.0.0-rc.1 || 20.0.0-next.0 - 20.3.13
Depends on vulnerable versions of @angular/common
Depends on vulnerable versions of @angular/platform-browser
node_modules/@angular/router
astro <=5.15.8
Severity: high
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - https://github.com/advisories/GHSA-hr2q-hp5q-x767
Astro vulnerable to reflected XSS via the server islands feature - https://github.com/advisories/GHSA-wrwg-2hg8-v723
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - https://github.com/advisories/GHSA-fvmw-cj7j-j39q
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values - https://github.com/advisories/GHSA-ggxq-hp9w-j794
Astro development server error page is vulnerable to reflected Cross-site Scripting - https://github.com/advisories/GHSA-w2vj-39qv-7vh7
fix available via `npm audit fix`
node_modules/astro
body-parser 2.2.0
Severity: moderate
body-parser is vulnerable to denial of service when url encoding is used - https://github.com/advisories/GHSA-wqch-xfxh-vrr4
fix available via `npm audit fix`
node_modules/express/node_modules/body-parser
brace-expansion 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/gulp-typescript/node_modules/brace-expansion
node_modules/istanbul/node_modules/brace-expansion
node_modules/karma-coverage/node_modules/brace-expansion
node_modules/karma/node_modules/brace-expansion
node_modules/rimraf/node_modules/brace-expansion
node_modules/safe-wipe/node_modules/brace-expansion
node_modules/sassdoc/node_modules/brace-expansion
glob 10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@npmcli/package-json/node_modules/glob
node_modules/cacache/node_modules/glob
node_modules/jasmine/node_modules/glob
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install sassdoc@1.10.12, which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
sassdoc >=1.0.1
Depends on vulnerable versions of sass-convert
Depends on vulnerable versions of sassdoc-theme-default
Depends on vulnerable versions of update-notifier
node_modules/sassdoc
html-minifier *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
fix available via `npm audit fix --force`
Will install sassdoc@1.10.12, which is a breaking change
node_modules/html-minifier
sassdoc-theme-default >=1.7.0
Depends on vulnerable versions of html-minifier
Depends on vulnerable versions of sassdoc-extras
node_modules/sassdoc-theme-default
js-yaml <3.14.2 || >=4.0.0 <4.1.1
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/istanbul/node_modules/js-yaml
node_modules/js-yaml
node_modules/sassdoc/node_modules/js-yaml
lodash.template *
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix --force`
Will install gulp-shell@0.6.3, which is a breaking change
node_modules/lodash.template
gulp-shell >=0.6.4
Depends on vulnerable versions of lodash.template
node_modules/gulp-shell
marked <=4.0.9
Severity: high
Regular Expression Denial of Service in marked - https://github.com/advisories/GHSA-ch52-vgq2-943f
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
fix available via `npm audit fix --force`
Will install sassdoc@1.10.12, which is a breaking change
node_modules/marked
sassdoc-extras *
Depends on vulnerable versions of marked
node_modules/sassdoc-extras
semver-regex <=3.1.3
Severity: high
semver-regex Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
fix available via `npm audit fix`
node_modules/semver-regex
sass-convert *
Depends on vulnerable versions of semver-regex
node_modules/sass-convert
tmp <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix`
node_modules/karma/node_modules/tmp
vite 6.0.0 - 6.4.0 || 7.1.0 - 7.1.10
Severity: moderate
vite allows server.fs.deny bypass via backslash on Windows - https://github.com/advisories/GHSA-93m4-6634-74q7
vite allows server.fs.deny bypass via backslash on Windows - https://github.com/advisories/GHSA-93m4-6634-74q7
fix available via `npm audit fix`
node_modules/@angular/build/node_modules/vite
node_modules/vite
@angular/build 20.2.0-next.0 - 20.3.6 || 21.0.0-next.0 - 21.0.0-rc.6
Depends on vulnerable versions of vite
node_modules/@angular/build
27 vulnerabilities (2 low, 8 moderate, 17 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Expected result
Maybe some warnings, but no high vulnerabilities