@angular-devkit/build-angular ---> glob_parent DOS #21164

Closed

gubo opened this issue Jun 18, 2021 · 2 comments


gubo commented Jun 18, 2021

Q. Will you upgrade build-angular to webpack 5?
Currently it is at a version which has (dev) security vulnerabilities.

npm audit:

{
  "actions": [
    {
      "action": "review",
      "module": "glob-parent",
      "resolves": [
        {
          "id": 1751,
          "path": "@angular-devkit/build-angular>webpack-dev-server>chokidar>glob-parent",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "@nrwl/nest>@nrwl/node>webpack>watchpack>watchpack-chokidar2>chokidar>glob-parent",
          "dev": true,
          "optional": true,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "@nrwl/node>webpack>watchpack>watchpack-chokidar2>chokidar>glob-parent",
          "dev": true,
          "optional": true,
          "bundled": false
        }
      ]
    },
    {
      "action": "review",
      "module": "css-what",
      "resolves": [
        {
          "id": 1754,
          "path": "@angular-devkit/build-angular>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>css-what",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ]
    }
  ],
  "advisories": {
    "1751": {
      "findings": [
        {
          "version": "3.1.0",
          "paths": [
            "@angular-devkit/build-angular>webpack-dev-server>chokidar>glob-parent"
          ]
        },
        {
          "version": "3.1.0",
          "paths": [
            "@nrwl/nest>@nrwl/node>webpack>watchpack>watchpack-chokidar2>chokidar>glob-parent",
            "@nrwl/node>webpack>watchpack>watchpack-chokidar2>chokidar>glob-parent"
          ]
        }
      ],
      "id": 1751,
      "created": "2021-06-07T21:57:10.135Z",
      "updated": "2021-06-07T21:58:07.745Z",
      "deleted": null,
      "title": "Regular expression denial of service",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "glob-parent",
      "cves": [
        "CVE-2020-28469"
      ],
      "vulnerable_versions": "<5.1.2",
      "patched_versions": ">=5.1.2",
      "overview": "`glob-parent` before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex used to check for strings ending in enclosure containing path separator.",
      "recommendation": "Upgrade to version 5.1.2 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-28469)\n- [GitHub Advisory](https://github.com/advisories/GHSA-ww39-953v-wcq6)\n",
      "access": "public",
      "severity": "moderate",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1751"
    },
    "1754": {
      "findings": [
        {
          "version": "4.0.0",
          "paths": [
            "@angular-devkit/build-angular>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>css-what"
          ]
        }
      ],
      "id": 1754,
      "created": "2021-06-07T22:13:06.506Z",
      "updated": "2021-06-07T22:21:16.027Z",
      "deleted": null,
      "title": "Denial of Service",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "css-what",
      "cves": [
        "CVE-2021-33587"
      ],
      "vulnerable_versions": "<5.0.1",
      "patched_versions": ">=5.0.1",
      "overview": "`css-what` before 5.0.1 does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.",
      "recommendation": "Upgrade to version 5.0.1 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-33587)\n- [GitHub Advisory](https://github.com/advisories/GHSA-q8pj-2vqx-8ggc)\n",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 7,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1754"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 3,
      "high": 1,
      "critical": 0
    },
    "dependencies": 600,
    "devDependencies": 1749,
    "optionalDependencies": 153,
    "totalDependencies": 2459
  },
  "runId": "89df43d4-3fb8-4eb4-b2e8-c079486ebb88"
}

Angular CLI: 12.0.4
Node: 14.8.0
Package Manager: npm 6.14.7
OS: darwin x64

Angular: 12.0.4
... animations, cdk, cdk-experimental, cli, common, compiler
... compiler-cli, core, forms, language-service, material
... platform-browser, platform-browser-dynamic, router

Package Version

@angular-devkit/architect 0.1200.4
@angular-devkit/build-angular 12.0.5
@angular-devkit/core 12.0.4
@angular-devkit/schematics 12.0.4
@angular/flex-layout 12.0.0-beta.34
@angular/localize 11.2.14
@schematics/angular 12.0.4
rxjs 6.5.5
typescript 4.2.4
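The glob-parent finding in the audit output above (advisory 1751, CVE-2020-28469), reproduced as an added example. This is not code from the Angular CLI project or from the issue author: the two `enclosure` regexes are transcribed from glob-parent 5.1.1 (vulnerable) and 5.1.2 (patched); the attack input, the sample glob patterns and every function name are this example's own constructions.

```javascript
// Added example (not from the Angular CLI project or the issue author): reproduces the
// glob-parent ReDoS (CVE-2020-28469, GHSA-ww39-953v-wcq6) that npm audit reports above,
// and checks that the patched regex classifies inputs exactly like the vulnerable one.
// The two regexes are transcribed from glob-parent 5.1.1 and 5.1.2; everything else
// (names, sample patterns, attack-string shape) is constructed for this example.

// glob-parent < 5.1.2. The enclosure check is `$`-anchored, and `.*[\/]*.*` is three
// overlapping quantifiers over the same run of characters: when the trailing `[\}\]]$`
// fails, the engine retries every way of splitting the run between them, O(n^3) steps.
const ENCLOSURE_VULNERABLE = /[\{\[].*[\/]*.*[\}\]]$/;

// glob-parent >= 5.1.2. A single `.*`, so a failed match backtracks once per character.
const ENCLOSURE_FIXED = /[\{\[].*[\}\]]$/;

// Attack input (constructed): an opening enclosure, n path separators, and no closing
// enclosure, so the anchored tail can never match and every split has to be exhausted.
function buildAttack(n) {
  return '{' + '/'.repeat(n);
}

// Run one regex test and report the wall-clock cost in milliseconds.
function timeTest(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { matched, ms };
}

// Constructed glob patterns with the classification both regexes give them. Note that
// the regex matches any pattern ending in `}` or `]`; the "containing path separator"
// wording in the advisory describes the intent of the check, not what the regex requires.
const SAMPLE_PATTERNS = [
  ['src/**/*.{js,ts}', true],
  ['path/{to/a,b}', true],
  ['path/[a/b]', true],
  ['path/to/file.js', false],
  ['path/{a,b}/more', false],
  ['{/', false],
];

// True when both regexes give the expected answer on every sample: the patch removed
// the backtracking, not the behaviour.
function sameClassification(samples) {
  return samples.every(([pattern, expected]) =>
    ENCLOSURE_VULNERABLE.test(pattern) === expected &&
    ENCLOSURE_FIXED.test(pattern) === expected);
}

// Demonstration: each doubling of n multiplies the vulnerable regex's time by roughly
// eight (cubic growth), while the fixed regex stays flat. n is kept small on purpose;
// the original reports used thousands of separators, which hangs the process.
function demo() {
  for (const n of [100, 200, 400, 800]) {
    const input = buildAttack(n);
    const bad = timeTest(ENCLOSURE_VULNERABLE, input);
    const good = timeTest(ENCLOSURE_FIXED, input);
    console.log(`n=${n}: vulnerable ${bad.ms.toFixed(1)} ms, fixed ${good.ms.toFixed(3)} ms`);
  }
  console.log('sample patterns classified identically:', sameClassification(SAMPLE_PATTERNS));
}

demo();
```

Run it with `node`. The audit marks all three glob-parent paths `dev: true`, so what a crafted glob can stall is a developer's file watcher (webpack-dev-server via chokidar) or a build, not shipped application code; the advisory's remediation is glob-parent 5.1.2 or later, which in this dependency tree means a build-angular release whose webpack/chokidar chain resolves that version.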

alan-agius4 (Collaborator) commented Jun 18, 2021

Kindly see #21097.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

angular-automatic-lock-bot locked and limited conversation to collaborators Jul 19, 2021