security: vulnerability found in transitive dependency picomatch

[leszq]

Command

new

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on an Angular project reports a vulnerability because the following libraries: @angular-devkit/build-angular, @angular-devkit/core, and @angular/build do not use the required secure version of picomatch (4.0.4).

Existing versions:
v19: 4.0.2
v20, v21, v22-next.2: 4.0.3

GHSA-c2c7-rcm5-vvqj

Minimal Reproduction

Create new Angular v19, v20, v21, v22-next.2 project
Run npm audit in the project folder

Exception or Error

Your Environment

Angular CLI: 19.2.22
Node: 22.22.0
Package Manager: npm 10.9.4
OS: win32 x64

Angular: 19.2.20
... common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.22
@angular-devkit/build-angular   19.2.22
@angular-devkit/core            19.2.22
@angular-devkit/schematics      19.2.22
@angular/cli                    19.2.22
@schematics/angular             19.2.22
rxjs                            7.8.2
typescript                      5.7.3
zone.js                         0.15.1

Anything else relevant?

No response