
CAST Issue raised (CVE-2024-21490) #54807

Closed
joelrichardvitrana opened this issue Mar 11, 2024 · 3 comments

Comments

@joelrichardvitrana

Which @angular/* package(s) are the source of the bug?

core

Is this a regression?

No

Description

We are facing an issue (CVE-2024-21490) in a CAST scanner report with a score of 7.5.
They asked us to migrate to [@angular/core] as the countermeasure, but in our project we are already using "@angular/core": "^14.3.0". How do I resolve this?

Here is package.json for reference

"dependencies": {
"@angular-builders/custom-webpack": "^14.1.0",
"@angular/animations": "^14.3.0",
"@angular/cdk": "^14.2.7",
"@angular/common": "^14.3.0",
"@angular/compiler": "^14.3.0",
"@angular/core": "^14.3.0",
"@angular/forms": "^14.3.0",
"@angular/platform-browser": "^14.3.0",
"@angular/platform-browser-dynamic": "^14.3.0",
"@angular/router": "^14.3.0",
"@hilit/hilit-util": "0.0.0-alpha.5",
"@hilit/icon-style": "0.0.16",
"@hilit/microfrontend-interaction": "0.0.0-alpha.1",
"@hilit/tables": "0.0.0-alpha.25",
"@kolkov/angular-editor": "^1.2.0",
"@ngx-translate/core": "0.0.6",
"@ngx-translate/http-loader": "^4.0.0",
"@xmldom/xmldom": "0.8.7",
"async": "^3.2.4",
"chart.js": "^2.9.3",
"crypto-js": "^4.1.1",
"dexie": "^3.2.2",
"diff": "^3.3.1",
"express": "4.17.3",
"follow-redirects": "1.15.2",
"immer": "^9.0.15",
"inline-worker": "^1.1.0",
"jquery": "^3.6.1",
"jsdom": "21.1.1",
"json-schema": "0.4.0",
"jspdf": "^2.3.1",
"jspdf-autotable": "^3.5.25",
"minimist": "^1.2.6",
"moment": "^2.29.4",
"moment-timezone": "^0.5.37",
"ngx-extended-pdf-viewer": "^9.0.5",
"ngx-owl-carousel-o": "^5.1.1",
"optionator": "^0.9.1",
"path-parse": "^1.0.7",
"primeng": "^9.1.3",
"qs": "^6.11.0",
"rxjs": "~6.6.7",
"single-spa-angular": "^7.1.0",
"static-eval": "2.1.0",
"tslib": "^2.0.0",
"web-animations-js": "^2.3.2",
"webpack-merge": "^5.9.0",
"zone.js": "~0.11.4"
},
"devDependencies": {
"@angular-devkit/build-angular": "^14.2.12",
"@angular/cli": "^14.2.12",
"@angular/compiler-cli": "^14.3.0",
"@angular/language-service": "^14.3.0",
"@types/jasmine": "~3.3.8",
"@types/jasminewd2": "~2.0.10",
"@types/node": "^12.11.1",
"async": "^3.2.4",
"codelyzer": "^5.1.2",
"jasmine-core": "~3.5.0",
"jasmine-spec-reporter": "~5.0.0",
"karma": "~6.4.2",
"karma-coverage": "^2.2.1",
"karma-chrome-launcher": "~3.1.0",
"karma-coverage-istanbul-reporter": "~3.0.2",
"karma-jasmine": "~4.0.0",
"karma-jasmine-html-reporter": "^1.5.0",
"protractor": "~7.0.0",
"ts-node": "~7.0.0",
"tslint": "~6.1.0",
"typescript": "~4.6.4",
"webpack": "^5.88.2"
}

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

No response

Please provide the environment you discovered this bug in (run ng version)

No response

Anything else?

No response

@alan-agius4 (Contributor)

Angular version 14 is no longer under support. Please see https://angular.io/guide/releases#actively-supported-versions

alan-agius4 closed this as not planned on Mar 11, 2024

@joelrichardvitrana (Author)

@alan-agius4 For the supported versions, is the mentioned issue fixed? They have mentioned that all versions above 1.3.0 would have this issue. If that's the case, updating the version wouldn't help us.

[two attached screenshots]
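CVE-2024-21490 is a ReDoS in the AngularJS npm package `angular` (affected from 1.3.0), not in the scoped `@angular/*` packages listed in the package.json above, so the practical triage step is to check whether the bare `angular` package is anywhere in the project's lock file and, if so, which dependency pulls it in. The script below is an added example, not code from the issue, the CAST report or the Angular project. It walks the `packages` map of a package-lock.json (v2/v3 layout); the two lock files it scans are constructed sample data, and `legacy-widget` is a hypothetical dependency used only to show a transitive hit.

```javascript
// Added example: triage a CVE-2024-21490 finding against a package-lock.json.
// The affected package is the AngularJS "angular" package (>= 1.3.0); the
// scoped "@angular/*" packages never match because the name comparison is exact.

const AFFECTED_PACKAGE = "angular";
// Lower bound of the affected range; no upper bound is assumed, matching the
// "all versions above 1.3.0" wording of the scanner report quoted in the issue.
const AFFECTED_FROM = "1.3.0";

// Parse "major.minor.patch" into numbers; pre-release/build suffixes are dropped.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name from a lock-file path key, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromLockPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// Which package a nested install belongs to; null means the project itself
// declares it directly (top-level node_modules entry).
function dependantOf(hitPath) {
  const idx = hitPath.lastIndexOf("/node_modules/");
  if (idx === -1) return null;
  return nameFromLockPath(hitPath.slice(0, idx));
}

// Every install of AFFECTED_PACKAGE at or above AFFECTED_FROM, with its path
// and the package that pulls it in, so the finding can be traced to its source.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = meta.name || nameFromLockPath(path);
    if (name !== AFFECTED_PACKAGE) continue;
    if (compareVersions(meta.version, AFFECTED_FROM) >= 0) {
      hits.push({ name, version: meta.version, path, dependant: dependantOf(path) });
    }
  }
  return hits;
}

// Constructed sample lock file: only Angular (scoped) packages, as in the issue.
const SAMPLE_LOCK_CLEAN = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/@angular/core": { version: "14.3.0" },
    "node_modules/@angular/common": { version: "14.3.0" },
  },
};

// Constructed sample lock file: a hypothetical legacy widget drags in AngularJS
// transitively, and an old top-level copy sits below the affected range.
const SAMPLE_LOCK_TRANSITIVE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/@angular/core": { version: "14.3.0" },
    "node_modules/legacy-widget": { version: "2.0.0", dependencies: { angular: "^1.8.0" } },
    "node_modules/legacy-widget/node_modules/angular": { version: "1.8.3" },
    "node_modules/angular": { version: "1.2.9" },
  },
};

// Human-readable summary for one lock file.
function summarize(lock) {
  const hits = findAffected(lock);
  if (hits.length === 0) return "no affected install of " + AFFECTED_PACKAGE + " found";
  return hits
    .map((h) => `${h.name}@${h.version} at ${h.path} (via ${h.dependant || "direct dependency"})`)
    .join("\n");
}

console.log("clean lock:\n" + summarize(SAMPLE_LOCK_CLEAN));
console.log("transitive lock:\n" + summarize(SAMPLE_LOCK_TRANSITIVE));
```

To run it against a real project, replace the sample object with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; the quick manual equivalent is `npm ls angular`, which prints the same dependant chain or "(empty)" when the package is absent. If the scan finds nothing, the scanner has matched the CVE to the wrong package and the finding can be disputed with that evidence rather than by upgrading `@angular/core`.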

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

angular-automatic-lock-bot locked and limited conversation to collaborators on Apr 11, 2024