@angular-devkit/build-angular depends on vulnerable version of tar

[JainDhaval]

Command

new

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on Angular v16 project causes an error output, because @angular-devkit/build-angular depends on vulnerable version of TAR.
See more details: GHSA-f5x3-32g6-xq36

Minimal Reproduction

Create new Angular v16 project.
Run npm audit in the project folder

Exception or Error

No response

Your Environment

Angular CLI: 16.2.10
Node: 18.18.1
Package Manager: npm 10.2.0
OS: win32 x64

Angular: 16.2.12
... animations, cdk, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1602.10
@angular-devkit/build-angular   16.2.14
@angular-devkit/core            16.2.10
@angular-devkit/schematics      16.2.10
@angular/cli                    16.2.10
@schematics/angular             16.2.10
rxjs                            7.8.1
typescript                      4.9.5
zone.js                         0.13.3

Anything else relevant?

No response

[JoostK]

I think this is because of a lockfile you may have, pinning its version to a version with the CVE. The tar version being used by @angular/cli ends up at 6.2.1, and @angular-devkit/build-angular@16.2.14 does not have a tar dependency judging by the graph.

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}