@angular-devkit/build-angular 19.2.8 vulnerabilities from http-proxy-middleware (CVE-2025-32997, CVE-2025-32996)

[apappas1129]

The version of @angular-devkit/build-angular (19.2.8) currently relies on http-proxy-middleware versions 3.0.0 - 3.0.4, which have been flagged as having moderate vulnerabilities. The dependency needs to address CVE-2025-32996 and CVE-2025-32997`

# npm audit report

http-proxy-middleware  3.0.0 - 3.0.4
Severity: moderate
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed - https://github.com/advisories/GHSA-9gqv-wp59-fq42
http-proxy-middleware can call writeBody twice because "else if" is not used - https://github.com/advisories/GHSA-4www-5p9h-95mh
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@17.3.16, which is a breaking change
node_modules/http-proxy-middleware
  @angular-devkit/build-angular  18.0.0-next.0 - 20.0.0-next.5
  Depends on vulnerable versions of http-proxy-middleware
  node_modules/@angular-devkit/build-angular

2 moderate severity vulnerabilities

Environment

Angular CLI: 19.2.8
Node: 18.19.0
Package Manager: npm 10.8.1
OS: win32 x64

[snolan-ethika]

yeah, this is an odd one, bc unfortunately, when you run npm audit fix --force (for other deps) this will drop angular down to "17.3.16", which then causes more issues/outdated deps. i believe an update on this is necessary

[JoostK]

Has been addressed in #30142, will be in the next patch.

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}