loader-utils vulnerability

[Ariel-Dayan]

Command

other

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

13

Description

when running npm audit after upgrading angular version to 16 or 17, received the following vulnerability about loader-utils.
on npm ls loader-utils it's seem like it's in used of @angular-devkit/build-angular -> resolve-url-loader@5.0.0

Minimal Reproduction

npm audit & npm ls loader-utils

Exception or Error

npm audit report:


loader-utils 2.0.0 - 2.0.3
Severity: critical
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488

### Your Environment

```text
16.2.12

Anything else relevant?

No response

[alan-agius4]

These issues have all been fixed upstream. The issue likely stems from an outdated and unmaintained lock file. Please ensure it's updated.

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}