Closed
Description
Which @angular/* package(s) are the source of the bug?
Don't know / other
Is this a regression?
Yes
Description
I just updated our Angular app from version 15 to 16.
After the update completed I get the following vulnerability issue for the package: @angular-devkit/build-angular:
# npm audit report
vite 4.3.0 - 4.3.8
Severity: high
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) - https://github.com/advisories/GHSA-353f-5xf4-qw67
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@15.2.8, which is a breaking change
node_modules/vite
@angular-devkit/build-angular 16.0.0-next.0 - 16.1.0-next.1
Depends on vulnerable versions of vite
node_modules/@angular-devkit/build-angular
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
As mentioned in the audit report, there seems to be a vulnerability for versions 16.0.0-next.0 - 16.1.0-next.1 of @angular-devkit/build-angular. In our package.json we reference the package with: ~16.0.4. To my understanding, it should not install the next versions but only the current stable version.
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
# npm audit report
vite 4.3.0 - 4.3.8
Severity: high
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) - https://github.com/advisories/GHSA-353f-5xf4-qw67
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@15.2.8, which is a breaking change
node_modules/vite
@angular-devkit/build-angular 16.0.0-next.0 - 16.1.0-next.1
Depends on vulnerable versions of vite
node_modules/@angular-devkit/build-angular
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Please provide the environment you discovered this bug in (run ng version)
Angular CLI: 16.0.4
Node: 18.10
Anything else?
Sorry if this issue should have been created as a vulnerability report, but I wasn't exactly sure whether it is a bug or a vulnerability issue.
dcanevarollo
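The range npm audit prints, `@angular-devkit/build-angular 16.0.0-next.0 - 16.1.0-next.1`, is an inclusive semver hyphen range, and SemVer precedence puts `16.0.0-next.0 < 16.0.4 < 16.1.0-next.1`, so the stable 16.0.x releases (and the vite 4.3.x they depend on) sit inside it even though `~16.0.4` (`>=16.0.4 <16.1.0`) never resolves to a `-next` build. The following is an added example, not code from this issue or from the angular-cli project: a minimal SemVer 2.0.0 comparator that applies the spec's precedence rules to the versions quoted in the report. The candidate version list is constructed for illustration.

```javascript
// Added example (not from the issue or angular-cli): minimal SemVer 2.0.0
// precedence rules, used to check which versions fall inside an npm audit
// hyphen range and which a "~X.Y.Z" package.json spec can actually resolve to.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]),
    // Dot-separated pre-release identifiers; purely numeric ones compare as numbers.
    prerelease: m[4] ? m[4].split('.').map(id => (/^\d+$/.test(id) ? Number(id) : id)) : [],
  };
}

function comparePrerelease(a, b) {
  // A release without a pre-release tag has higher precedence than one with it.
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i], y = b[i];
    if (x === y) continue;
    const xn = typeof x === 'number', yn = typeof y === 'number';
    if (xn && yn) return x < y ? -1 : 1;
    if (xn) return -1;            // numeric identifiers sort before alphanumeric ones
    if (yn) return 1;
    return x < y ? -1 : 1;        // alphanumeric identifiers: ASCII lexical order
  }
  return Math.sign(a.length - b.length); // more identifiers wins when the prefix ties
}

function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  return comparePrerelease(x.prerelease, y.prerelease);
}

// npm audit's "A - B" notation is an inclusive hyphen range: A <= v <= B.
function inAuditRange(version, range) {
  const [lo, hi] = range.split(' - ').map(s => s.trim());
  return compareSemver(version, lo) >= 0 && compareSemver(version, hi) <= 0;
}

// "~X.Y.Z" means >=X.Y.Z and below the next minor; the "-0" lower bound on the
// upper limit mirrors how npm's range parser keeps X.(Y+1).0 pre-releases out.
function satisfiesTilde(version, spec) {
  const { major, minor, patch } = parseSemver(spec.replace(/^~/, ''));
  const lo = `${major}.${minor}.${patch}`;
  const hiExclusive = `${major}.${minor + 1}.0-0`;
  // npm only lets a pre-release satisfy a range that names a pre-release on the
  // same major.minor.patch; a plain "~16.0.4" therefore never picks a -next build.
  if (parseSemver(version).prerelease.length) return false;
  return compareSemver(version, lo) >= 0 && compareSemver(version, hiExclusive) < 0;
}

// For each candidate, report whether the package.json spec can install it and
// whether it falls inside the advisory range npm audit printed.
function classify(spec, auditRange, candidates) {
  return candidates.map(v => ({
    version: v,
    installableBySpec: satisfiesTilde(v, spec),
    inVulnerableRange: inAuditRange(v, auditRange),
  }));
}

// Constructed candidate list; the spec and range are the ones quoted in the report.
const BUILD_ANGULAR_RANGE = '16.0.0-next.0 - 16.1.0-next.1';
const CANDIDATES = ['15.2.8', '16.0.0-next.0', '16.0.4', '16.0.5', '16.1.0-next.1', '16.1.0'];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(classify('~16.0.4', BUILD_ANGULAR_RANGE, CANDIDATES));
}
```

`16.0.4` and `16.0.5` come out as both installable by `~16.0.4` and inside the vulnerable range, while `16.1.0` (the first stable release above the range) is neither. To confirm which vite build is actually on disk after the upgrade, `npm ls vite` prints the resolved version under `node_modules`, which is what the `vite 4.3.0 - 4.3.8` line in the report refers to.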