Closed as not planned
Description
Command
build
Is this a regression?
- Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was
No response
Description
This is not a bug, the dependency `webpack-dev-middleware` for `@angular-devkit/build-angular` has a vulnerability.
Results of `npm audit` on a 17.3.1 project:
```
# npm audit report
webpack-dev-middleware 6.0.0 - 6.1.1
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@15.0.5, which is a breaking change
node_modules/webpack-dev-middleware
@angular-devkit/build-angular 15.1.0-next.0 - 17.3.1
Depends on vulnerable versions of webpack-dev-middleware
node_modules/@angular-devkit/build-angular
2 high severity vulnerabilities
```
Minimal Reproduction
n/a
Exception or Error
n/a
Your Environment
n/a
Anything else relevant?
Is there a tracking issue for this vulnerability within the Angular projects? What are the risks to projects built with this vulnerability?