angular/angular-cli

Vulnerability with ejs which is dependent on angular-devkit

pramodhcm opened this issue · 2 comments

Command

new

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on an Angular v16 project causes an error output, because @angular-devkit/build-angular depends on a vulnerable version of ejs.
For more details, see GHSA-ghr5-ch3p-vcr6.

Minimal Reproduction

Create new Angular v16 project.
Run npm audit in the project folder.

Exception or Error

No response

Your Environment

C:\Users\pramocm>ng version

     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/


Angular CLI: 16.2.5
Node: 20.11.0 (Unsupported)
Package Manager: npm 10.3.0
OS: win32 x64

Angular:
...

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.1602.5 (cli-only)
@angular-devkit/core         16.2.5 (cli-only)
@angular-devkit/schematics   16.2.5 (cli-only)
@schematics/angular          16.2.5 (cli-only)

Anything else relevant?

No response

ejs is neither a direct nor a transitive dependency of @angular-devkit/build-angular@16.2.5.

$ yarn why ejs
yarn why v1.22.19
[1/4] Why do we have the module "ejs"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
error We couldn't find a match!
Done in 0.63s.
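The same check the comment above performs with `yarn why`, done against an npm `package-lock.json` instead: this is an added example, not Angular CLI code, and the lockfile below (package names, versions, the nested duplicate copy of ejs) is constructed for the demonstration. It walks the v3 `packages` map with Node's nearest-`node_modules` resolution and returns every chain from the project root to the named package, so an audit finding can be tied to, or ruled out from, what is actually installed.

```javascript
// Constructed lockfile in package-lock.json v3 shape (names and versions made up).
// "packages" keys every installed copy by its node_modules path, so one name can
// appear twice at different versions (hoisted copy vs nested copy).
const lock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "build-tool": "^1.0.0", ejs: "^3.1.8" } },
    "node_modules/build-tool": { version: "1.0.0", dependencies: { "template-lib": "^2.0.0", ejs: "~3.1.6" } },
    "node_modules/build-tool/node_modules/ejs": { version: "3.1.6" },
    "node_modules/template-lib": { version: "2.0.0", dependencies: { ejs: "^3.1.0" } },
    "node_modules/ejs": { version: "3.1.8" },
  },
};

// Which entry does `depName` resolve to when required from the package installed at
// `fromPath`? Node's nearest-node_modules lookup: <fromPath>/node_modules/<dep>,
// then the parent package's node_modules, and so on up to the root.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${depName}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null; // not installed anywhere on the lookup path
    const parent = base.replace(/\/?node_modules\/(@[^/]+\/)?[^/]+$/, "");
    if (parent === base) return null; // malformed path; do not loop forever
    base = parent;
  }
}

// Every chain from the project root to a package named `target`, with the version each
// hop resolves to, like `npm ls <pkg>` / `yarn why <pkg>`. Empty means not in the tree.
function whyPackage(lock, target) {
  const chains = [];
  function walk(path, chain, onStack) {
    const entry = lock.packages[path];
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies,
      path === "" ? entry.devDependencies : undefined); // devDependencies only at root
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(lock, path, dep);
      if (!resolved || onStack.has(resolved)) continue; // absent optional dep, or a cycle
      const next = chain.concat(`${dep}@${lock.packages[resolved].version}`);
      if (dep === target) chains.push(next.join(" > "));
      onStack.add(resolved);
      walk(resolved, next, onStack);
      onStack.delete(resolved);
    }
  }
  walk("", [lock.name], new Set([""]));
  return chains;
}
```

To run it against a real project, replace the constructed `lock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result for the package named in the advisory is the lockfile-side equivalent of yarn's "We couldn't find a match!".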

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.