loader-utils is vulnerable. Will install @angular-devkit/build-angular@12.2.18

[pawan-gwebs]

Which @angular/* package(s) are the source of the bug?

Don't known / other

Is this a regression?

No

Description

npm audit

npm audit report

loader-utils 3.0.0 - 3.2.0
Severity: high
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-hhq3-ff78-jv3g
fix available via npm audit fix --force
Will install @angular-devkit/build-angular@12.2.18, which is a breaking change
node_modules/loader-utils
@angular-devkit/build-angular 13.0.0-next.0 - 15.0.0-rc.3
Depends on vulnerable versions of loader-utils
node_modules/@angular-devkit/build-angular

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

No response

Please provide the environment you discovered this bug in (run ng version)

No response

Anything else?

No response

[alan-agius4]

We do not expect that the Angular CLI is used on production where this vulnerability can be exploited. That said, we will update loader-utils in version 13.3 and 14.2 of the Angular CLI.

Please be aware that Angular version 12 is no longer under support. See https://angular.io/guide/releases#actively-supported-versions

[gon250]

I'm having the issue while working with angular-13

npm audit output:

# npm audit report

loader-utils  2.0.0 - 2.0.3 || 3.0.0 - 3.2.0
Severity: high
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)  - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)  - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@12.2.18, which is a breaking change
node_modules/@angular-devkit/build-angular/node_modules/loader-utils
node_modules/loader-utils
  @angular-devkit/build-angular  13.0.0-next.0 - 15.0.0-rc.3
  Depends on vulnerable versions of loader-utils
  node_modules/@angular-devkit/build-angular

package.json details:

"devDependencies": {
    "@angular-devkit/build-angular": "^13.3.9",
    "@angular-eslint/builder": "13.0.1",
    "@angular-eslint/eslint-plugin": "13.0.1",
    "@angular-eslint/eslint-plugin-template": "13.0.1",
    "@angular-eslint/schematics": "13.0.1",
   ....
}

[pawan-gwebs]

We do not expect that the Angular CLI is used on production where this vulnerability can be exploited. That said, we will update loader-utils in version 13.3 and 14.2 of the Angular CLI.

Please be aware that Angular version 12 is no longer under support. See https://angular.io/guide/releases#actively-supported-versions

We are already on Angular version 14.2.9 and I have this in "devDependencies" { "@angular-devkit/build-angular": "^14.2.9" }
This warning was not in "@angular-devkit/build-angular": "^14.2.7".
This vulnerability issue is due to "loader-utils" dependency of "@angular-devkit/build-angular". May be in latest version "loader-utils".

[alan-agius4]

Closed via #24243