
Vulnerability problem due to outdated dependency #19624

@areyes05

Description


A recent scan found a new vulnerability caused by an outdated dependency. The problem may cause data pollution and it has been ranked High severity by the CVV.

This is the dependency tree with a problem.

| package | used version | current version |
| --- | --- | --- |
| y18n | 4.0.0 | 5.0.5 |
| cacache | 12.0.4 | 15.0.5 |
| pacote | 9.5.12 | 11.1.13 |
| angular/cli | 11.0.4 | 11.0.4 |

That is, angular/cli uses Pacote 9, which uses Cacache 12, which uses y18n 4. The latter one is where the vulnerability exists.

If angular/cli updates their dependency to request Pacote 11, Cacache 15 does not even use y18n as a dependency, so the problem will be solved for good.

As per the guidelines, an email has been sent to security@angular.io and this issue is created to track its resolution.
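To confirm whether a project is actually exposed through this chain, the check below walks a `package-lock.json` (lockfile v1 layout) and reports every nested path that reaches `y18n` below a chosen threshold. This is an added example, not code from the issue or from Angular; the lockfile content is constructed to mirror the chain described above, and treating anything below the current 5.0.5 as needing review is a deliberately conservative assumption.

```javascript
// Added example: find transitive paths to a vulnerable package in a
// package-lock.json v1 "dependencies" tree. The lock below is constructed
// to reproduce the angular/cli > pacote > cacache > y18n chain.
const constructedLock = {
  name: "my-app",
  lockfileVersion: 1,
  dependencies: {
    "@angular/cli": {
      version: "11.0.4",
      dependencies: {
        pacote: {
          version: "9.5.12",
          dependencies: {
            cacache: {
              version: "12.0.4",
              dependencies: { y18n: { version: "4.0.0" } },
            },
          },
        },
      },
    },
    // A hoisted top-level copy at the current version: must not be reported.
    y18n: { version: "5.0.5" },
  },
};

// Numeric dotted-version compare (no prerelease tags; assumption for this example).
function versionLess(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Return every "name@version > ..." path ending in `pkg` at a version below `fixedIn`.
function findVulnerablePaths(lock, pkg, fixedIn) {
  const hits = [];
  function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, `${name}@${meta.version}`];
      if (name === pkg && versionLess(meta.version, fixedIn)) hits.push(path.join(" > "));
      walk(meta.dependencies, path); // nested (non-hoisted) copies live here
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Usage: prints the single vulnerable path through pacote and cacache.
console.log(findVulnerablePaths(constructedLock, "y18n", "5.0.5"));
```

Run it against a real lockfile by replacing `constructedLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means no nested copy below the threshold remains.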
