http-proxy-middleware outdated (CVE-2025-32996) #30140
Description
Command
other
Is this a regression?
- Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was
No response
Description
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used, see https://nvd.nist.gov/vuln/detail/CVE-2025-32996.
According to GitHub:
@angular-devkit/build-angular@19.2.8 requires http-proxy-middleware@3.0.3
@angular-devkit/build-angular@19.2.8 requires http-proxy-middleware@^2.0.7 via webpack-dev-server@5.2.0
No patched version available for http-proxy-middleware
The earliest fixed version is 3.0.5, which was published two weeks ago.
Minimal Reproduction
Use the latest Angular packages (build-angular 19.2.8 at the moment of writing) and check the package-lock.json.
Exception or Error
Your Environment
Angular CLI: 19.2.8
Node: 22.13.1
Package Manager: npm 10.9.0
OS: win32 x64
Angular: 19.2.7
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router
Package Version
---------------------------------------------------------
@angular-devkit/architect 0.1902.8
@angular-devkit/build-angular 19.2.8
@angular-devkit/core 19.2.8
@angular-devkit/schematics 19.2.8
@angular/cdk 19.2.10
@angular/cli 19.2.8
@angular/material 19.2.10
@schematics/angular 19.2.8
rxjs 7.8.1
typescript 5.6.3
zone.js 0.15.0
Anything else relevant?
No response