CVE-2025-32996 @angular-devkit/build-angular uses a vulnerable version of http-proxy-middleware

[hcornelisonJHA]

Command

other

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

From GHSA-4www-5p9h-95mh

@angular-devkit/build-angular@18.2.18 requires http-proxy-middleware@3.0.3
@angular-devkit/build-angular@18.2.18 requires http-proxy-middleware@^2.0.3 via webpack-dev-server@5.0.4
No patched version available for http-proxy-middleware

Transitive dependency http-proxy-middleware 3.0.3 is introduced via
@angular-devkit/build-angular 18.2.18 http-proxy-middleware 3.0.3

Minimal Reproduction

No need for steps to reproduce, the

Exception or Error

Your Environment

Angular CLI: 18.2.18
Node: 22.14.0
Package Manager: npm 10.9.2
OS: win32 x64

Angular: 18.2.13
... animations, cdk, common, compiler, compiler-cli, core, forms
... language-service, material, platform-browser
... platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1802.18
@angular-devkit/build-angular   18.2.18
@angular-devkit/core            18.2.18
@angular-devkit/schematics      18.2.18
@angular/cli                    18.2.18
@schematics/angular             18.2.18
rxjs                            7.8.1
typescript                      5.5.4
zone.js                         0.14.10

Anything else relevant?

No response

[alan-agius4]

Closed via #30128

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}