Closed
🐞 Bug report
Is this a regression?
No
Description
npm audit reports a low severity "Prototype Pollution" vulnerability in yargs-parser, which is a dependency of @angular-devkit/build-angular via webpack-dev-server. This has been fixed in webpack-dev-server 3.11.0, so the dependency just needs to be updated to that version.
🔥 Exception or Error
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Low Prototype Pollution
Package yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack-dev-server > yargs >
yargs-parser
More info https://npmjs.com/advisories/1500
🌍 Your Environment
Angular CLI: 8.3.26
Node: 12.13.0
OS: win32 x64
Angular: 8.2.14
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... platform-server, router
Package Version
--------------------------------------------------------------------
@angular-devkit/architect 0.803.26
@angular-devkit/build-angular 0.803.26
@angular-devkit/build-optimizer 0.803.26
@angular-devkit/build-webpack 0.803.26
@angular-devkit/core 8.3.26
@angular-devkit/schematics 8.3.26
@angular/cdk 8.2.3
@angular/cli 8.3.26
@angular/material 8.2.3
@angular/material-moment-adapter 8.2.3
@ngtools/webpack 8.3.26
@nguniversal/module-map-ngfactory-loader v8.2.6
@schematics/angular 8.3.26
@schematics/update 0.803.26
rxjs 6.5.5
typescript 3.5.3
webpack 4.39.2
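To confirm after a dependency bump that no unpatched yargs-parser copy remains, the following added example (not part of the original report or of Angular CLI) checks every nested yargs-parser entry in a lockfile against the patched range quoted in the audit output. The helper names, the minimal range parser and the sample lockfile are assumptions made for illustration; the sample versions are constructed.

```javascript
// Patched range copied from the npm audit output in this report.
const PATCHED = ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2";

// Parse "x.y.z" into [x, y, z]; prerelease/build tags are ignored (simplification).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Supports only the ">=" and "<" comparators that appear in the advisory range.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<)(.+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compare(v, parseVersion(m[2]));
      return m[1] === ">=" ? c >= 0 : c < 0;
    })
  );
}

// Walk an npm lockfile tree with nested "dependencies" objects and return every
// copy of `name` outside the patched range, with its nesting path in the lockfile.
function findUnpatched(lock, name = "yargs-parser", range = PATCHED) {
  const hits = [];
  (function walk(deps, path) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...path, dep];
      if (dep === name && !satisfies(info.version, range))
        hits.push({ path: here.join(" > "), version: info.version });
      walk(info.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile fragment (versions are illustrative, not from the issue).
const sampleLock = { dependencies: {
  "webpack-dev-server": { version: "3.9.0", dependencies: {
    yargs: { version: "12.0.5", dependencies: { "yargs-parser": { version: "11.1.1" } } } } },
  "yargs-parser": { version: "18.1.3" },
} };
console.log(findUnpatched(sampleLock));
```

In a real project, pass the parsed package-lock.json in place of the sample object; an empty result means every installed yargs-parser copy is inside the patched range.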