From c71beb8722838eb60325e10f3a09e6b1488b1e3a Mon Sep 17 00:00:00 2001
From: Alan Agius <17563226+alan-agius4@users.noreply.github.com>
Date: Wed, 9 Apr 2025 06:24:04 +0000
Subject: [PATCH 1/3] fix(@angular-devkit/build-angular): update vite to 5.4.17 This fixes GHSA-xcj6-pq6g-qj4x Closes #30056
---
 package.json | 2 +-
 packages/angular_devkit/build_angular/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 6539682aaf68..935aec867163 100644
--- a/package.json
+++ b/package.json
@@ -210,7 +210,7 @@
 "undici": "6.11.1",
 "verdaccio": "5.29.2",
 "verdaccio-auth-memory": "^10.0.0",
- "vite": "5.4.16",
+ "vite": "~5.4.17",
 "watchpack": "2.4.0",
 "webpack": "5.94.0",
 "webpack-dev-middleware": "6.1.2",
diff --git a/packages/angular_devkit/build_angular/package.json b/packages/angular_devkit/build_angular/package.json
index cf2241622de1..ed2b93dfcef7 100644
--- a/packages/angular_devkit/build_angular/package.json
+++ b/packages/angular_devkit/build_angular/package.json
@@ -62,7 +62,7 @@
 "tree-kill": "1.2.2",
 "tslib": "2.6.2",
 "undici": "6.11.1",
- "vite": "5.4.16",
+ "vite": "~5.4.17",
 "watchpack": "2.4.0",
 "webpack": "5.94.0",
 "webpack-dev-middleware": "6.1.2",
From c69f150d566ebc2c4e7c7a9f4c457a4c86fe3f0b Mon Sep 17 00:00:00 2001
From: Alan Agius <17563226+alan-agius4@users.noreply.github.com>
Date: Wed, 9 Apr 2025 06:34:33 +0000
Subject: [PATCH 2/3] ci: update angular dev-infra packages This is needed to refresh the tokens
---
 .../assistant-to-the-branch-manager.yml | 2 +-
 .github/workflows/ci.yml | 36 +++++++++----------
 .github/workflows/dev-infra.yml | 4 +--
 .github/workflows/feature-requests.yml | 2 +-
 4 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/assistant-to-the-branch-manager.yml b/.github/workflows/assistant-to-the-branch-manager.yml
index 476bd7161572..c3882a2eb6b8 100644
--- a/.github/workflows/assistant-to-the-branch-manager.yml
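Review bot: The `vite` entry in both package.json hunks of patch 1/3 changes from an exact pin to a tilde range (`"vite": "~5.4.17"`), while every neighbouring dependency shown in those hunks stays exactly pinned, and the commit message does not say the switch is intentional. For the published `packages/angular_devkit/build_angular/package.json` this means a consumer without their own lockfile resolves the newest 5.4.x at install time, which lets later patch-level security fixes flow through but also means the resolved version is no longer determined by this manifest. If that trade-off is intended, state it in the commit body; otherwise keep the exact form `"vite": "5.4.17",` to match the surrounding entries.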
+++ b/.github/workflows/assistant-to-the-branch-manager.yml @@ -16,6 +16,6 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - uses: angular/dev-infra/github-actions/branch-manager@47572aba6019f368057c00966ac7ce354b1d65bc + - uses: angular/dev-infra/github-actions/branch-manager@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 with: angular-robot-key: ${{ secrets.ANGULAR_ROBOT_PRIVATE_KEY }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 495344172474..be6b3683b34a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Initialize environment - uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Setup ESLint Caching uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 with: @@ -75,11 +75,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Initialize environment - uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Setup Bazel - uses: angular/dev-infra/github-actions/bazel/setup@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/setup@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Setup Bazel RBE - uses: angular/dev-infra/github-actions/bazel/configure-remote@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/configure-remote@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Install node modules run: yarn install --frozen-lockfile - name: Build release targets 
@@ -96,11 +96,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Initialize environment - uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Setup Bazel - uses: angular/dev-infra/github-actions/bazel/setup@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/setup@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Setup Bazel RBE - uses: angular/dev-infra/github-actions/bazel/configure-remote@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/configure-remote@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Install node modules run: yarn install --frozen-lockfile - name: Run tests @@ -128,13 +128,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Initialize environment - uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Install node modules run: yarn install --frozen-lockfile - name: Setup Bazel - uses: angular/dev-infra/github-actions/bazel/setup@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/setup@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Setup Bazel RBE - uses: angular/dev-infra/github-actions/bazel/configure-remote@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/configure-remote@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Run CLI E2E tests run: yarn bazel test --define=E2E_SHARD_TOTAL=6 --define=E2E_SHARD_INDEX=${{ matrix.shard }} --config=e2e //tests/legacy-cli:e2e.${{ matrix.subset }}_node${{ matrix.node }} 
@@ -151,13 +151,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Initialize environment - uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Install node modules run: yarn install --frozen-lockfile - name: Setup Bazel - uses: angular/dev-infra/github-actions/bazel/setup@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/setup@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Setup Bazel RBE - uses: angular/dev-infra/github-actions/bazel/configure-remote@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/configure-remote@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Run CLI E2E tests run: yarn bazel test --define=E2E_SHARD_TOTAL=6 --define=E2E_SHARD_INDEX=${{ matrix.shard }} --config=e2e //tests/legacy-cli:e2e.snapshots.${{ matrix.subset }}_node${{ matrix.node }} @@ -169,13 +169,13 @@ jobs: SAUCE_TUNNEL_IDENTIFIER: angular-cli-${{ github.workflow }}-${{ github.run_number }} steps: - name: Initialize environment - uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Install node modules run: yarn install --frozen-lockfile - name: Setup Bazel - uses: angular/dev-infra/github-actions/bazel/setup@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/setup@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Setup Bazel RBE - uses: angular/dev-infra/github-actions/bazel/configure-remote@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/configure-remote@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Run E2E Browser tests env: SAUCE_USERNAME: ${{ vars.SAUCE_USERNAME }} 
@@ -203,11 +203,11 @@ jobs: CIRCLE_BRANCH: ${{ github.ref_name }} steps: - name: Initialize environment - uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - name: Install node modules run: yarn install --frozen-lockfile - name: Setup Bazel - uses: angular/dev-infra/github-actions/bazel/setup@47572aba6019f368057c00966ac7ce354b1d65bc + uses: angular/dev-infra/github-actions/bazel/setup@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 - run: yarn admin snapshots --verbose env: SNAPSHOT_BUILDS_GITHUB_TOKEN: ${{ secrets.SNAPSHOT_BUILDS_GITHUB_TOKEN }} diff --git a/.github/workflows/dev-infra.yml b/.github/workflows/dev-infra.yml index 8b6092866cf9..6ebbd3b11ee2 100644 --- a/.github/workflows/dev-infra.yml +++ b/.github/workflows/dev-infra.yml @@ -13,13 +13,13 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: angular/dev-infra/github-actions/commit-message-based-labels@47572aba6019f368057c00966ac7ce354b1d65bc + - uses: angular/dev-infra/github-actions/commit-message-based-labels@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 with: angular-robot-key: ${{ secrets.ANGULAR_ROBOT_PRIVATE_KEY }} post_approval_changes: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: angular/dev-infra/github-actions/post-approval-changes@47572aba6019f368057c00966ac7ce354b1d65bc + - uses: angular/dev-infra/github-actions/post-approval-changes@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 with: angular-robot-key: ${{ secrets.ANGULAR_ROBOT_PRIVATE_KEY }} diff --git a/.github/workflows/feature-requests.yml b/.github/workflows/feature-requests.yml index 5e922d9c70f0..dd958b875b54 100644 --- a/.github/workflows/feature-requests.yml +++ b/.github/workflows/feature-requests.yml 
@@ -16,6 +16,6 @@ jobs: if: github.repository == 'angular/angular-cli' runs-on: ubuntu-latest steps: - - uses: angular/dev-infra/github-actions/feature-request@47572aba6019f368057c00966ac7ce354b1d65bc + - uses: angular/dev-infra/github-actions/feature-request@b45dfa77df2021b23eeda5928ca6cd8bb89b21e7 with: angular-robot-key: ${{ secrets.ANGULAR_ROBOT_PRIVATE_KEY }} From b99c2c01a2fbd7fadb7ac3f0b84f60d12da500a9 Mon Sep 17 00:00:00 2001 From: Alan Agius <17563226+alan-agius4@users.noreply.github.com> Date: Wed, 9 Apr 2025 06:46:43 +0000 Subject: [PATCH 3/3] fix(@angular-devkit/build-angular): remove undici from dependencies This fixes CVE-2025-22150 Closes #30066 --- packages/angular_devkit/build_angular/package.json | 1 - .../src/builders/dev-server/specs/ssl_spec.ts | 1 + .../src/builders/ssr-dev-server/specs/ssl_spec.ts | 1 + .../src/utils/server-rendering/fetch-patch.ts | 1 - yarn.lock | 8 ++++---- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/angular_devkit/build_angular/package.json b/packages/angular_devkit/build_angular/package.json index ed2b93dfcef7..f34d1d90a42e 100644 --- a/packages/angular_devkit/build_angular/package.json +++ b/packages/angular_devkit/build_angular/package.json @@ -61,7 +61,6 @@ "terser": "5.29.1", "tree-kill": "1.2.2", "tslib": "2.6.2", - "undici": "6.11.1", "vite": "~5.4.17", "watchpack": "2.4.0", "webpack": "5.94.0", diff --git a/packages/angular_devkit/build_angular/src/builders/dev-server/specs/ssl_spec.ts b/packages/angular_devkit/build_angular/src/builders/dev-server/specs/ssl_spec.ts index cebc2f5b6fdb..6e1ee9c41fb5 100644 --- a/packages/angular_devkit/build_angular/src/builders/dev-server/specs/ssl_spec.ts +++ b/packages/angular_devkit/build_angular/src/builders/dev-server/specs/ssl_spec.ts 
@@ -9,6 +9,7 @@ import { Architect, BuilderRun } from '@angular-devkit/architect'; import { DevServerBuilderOutput } from '@angular-devkit/build-angular'; import { tags } from '@angular-devkit/core'; +// eslint-disable-next-line import/no-extraneous-dependencies import { Agent, getGlobalDispatcher, setGlobalDispatcher } from 'undici'; import { createArchitect, host } from '../../../testing/test-utils'; diff --git a/packages/angular_devkit/build_angular/src/builders/ssr-dev-server/specs/ssl_spec.ts b/packages/angular_devkit/build_angular/src/builders/ssr-dev-server/specs/ssl_spec.ts index 60130092946f..8330c4b86d0e 100644 --- a/packages/angular_devkit/build_angular/src/builders/ssr-dev-server/specs/ssl_spec.ts +++ b/packages/angular_devkit/build_angular/src/builders/ssr-dev-server/specs/ssl_spec.ts @@ -9,6 +9,7 @@ import { Architect } from '@angular-devkit/architect'; // eslint-disable-next-line import/no-extraneous-dependencies import * as browserSync from 'browser-sync'; +// eslint-disable-next-line import/no-extraneous-dependencies import { Agent, getGlobalDispatcher, setGlobalDispatcher } from 'undici'; import { createArchitect, host } from '../../../testing/test-utils'; import { SSRDevServerBuilderOutput } from '../index'; diff --git a/packages/angular_devkit/build_angular/src/utils/server-rendering/fetch-patch.ts b/packages/angular_devkit/build_angular/src/utils/server-rendering/fetch-patch.ts index aa03111fc740..edcfb6a78d07 100644 --- a/packages/angular_devkit/build_angular/src/utils/server-rendering/fetch-patch.ts +++ b/packages/angular_devkit/build_angular/src/utils/server-rendering/fetch-patch.ts @@ -10,7 +10,6 @@ import { lookup as lookupMimeType } from 'mrmime'; import { readFile } from 'node:fs/promises'; import { extname } from 'node:path'; import { workerData } from 'node:worker_threads'; -import { Response, fetch } from 'undici'; /** * This is passed as workerData when setting up the worker via the `piscina` package. 
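Review bot: The two `ssl_spec.ts` hunks (dev-server and ssr-dev-server) keep importing `Agent`, `getGlobalDispatcher` and `setGlobalDispatcher` from `undici` and only silence `import/no-extraneous-dependencies`, so the specs now depend on whatever `undici` the workspace root provides. The root package.json context in patch 1/3 still shows `"undici": "6.11.1"`, the same version this commit removes from the published package for CVE-2025-22150, so that pin presumably remains affected for test and tooling runs. Consider bumping the root entry to a release that contains the fix in the same series, and give the suppression a reason, e.g. `// eslint-disable-next-line import/no-extraneous-dependencies -- test-only, resolved from the workspace root`.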
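Review bot: Dropping `import { Response, fetch } from 'undici';` in `fetch-patch.ts` makes every `fetch` and `Response` reference in this file bind to the Node.js globals, but nothing at the import site records that; the code that uses them lies outside the hunk. The remediation for CVE-2025-22150 on this path then presumably depends on the `undici` bundled in the user's Node.js runtime rather than on a version this package controls, so it is worth confirming that the supported `engines` range only includes Node.js releases that provide global `fetch` and carry the fix. I would add a comment where the import was, e.g. `// fetch and Response are the Node.js globals; the undici package is intentionally not imported here.`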
diff --git a/yarn.lock b/yarn.lock index 2cbd979ac1e9..27945cac5edf 100644 --- a/yarn.lock +++ b/yarn.lock @@ -14782,10 +14782,10 @@ vite@5.0.12: optionalDependencies: fsevents "~2.3.3" -vite@5.4.16: - version "5.4.16" - resolved "https://registry.yarnpkg.com/vite/-/vite-5.4.16.tgz#471983257a890ef33f2700cbbbc2134f2d08abf1" - integrity sha512-Y5gnfp4NemVfgOTDQAunSD4346fal44L9mszGGY/e+qxsRT5y1sMlS/8tiQ8AFAp+MFgYNSINdfEchJiPm41vQ== +vite@~5.4.17: + version "5.4.17" + resolved "https://registry.yarnpkg.com/vite/-/vite-5.4.17.tgz#4bf61dd4cdbf64b0d6661f5dba76954cc81d5082" + integrity sha512-5+VqZryDj4wgCs55o9Lp+p8GE78TLVg0lasCH5xFZ4jacZjtqZa6JUw9/p0WeAojaOfncSM6v77InkFPGnvPvg== dependencies: esbuild "^0.21.3" postcss "^8.4.43"