Command
new
Is this a regression?
The previous version in which this bug was not present was
No response
Description
Running npm audit on an Angular project reports a vulnerability because the following libraries: @angular-devkit/build-angular, @angular-devkit/core, and @angular/build do not use the required secure version of picomatch (4.0.4).
Existing versions:
v19: 4.0.2
v20, v21, v22-next.2: 4.0.3
GHSA-c2c7-rcm5-vvqj
Minimal Reproduction
Create new Angular v19, v20, v21, v22-next.2 project
Run npm audit in the project folder
Exception or Error
Your Environment
Angular CLI: 19.2.22
Node: 22.22.0
Package Manager: npm 10.9.4
OS: win32 x64
Angular: 19.2.20
... common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router
Package Version
---------------------------------------------------------
@angular-devkit/architect 0.1902.22
@angular-devkit/build-angular 19.2.22
@angular-devkit/core 19.2.22
@angular-devkit/schematics 19.2.22
@angular/cli 19.2.22
@schematics/angular 19.2.22
rxjs 7.8.2
typescript 5.7.3
zone.js 0.15.1
Anything else relevant?
No response
Command
new
Is this a regression?
The previous version in which this bug was not present was
No response
Description
Running
npm auditon an Angular project reports a vulnerability because the following libraries:@angular-devkit/build-angular,@angular-devkit/core, and@angular/builddo not use the required secure version of picomatch (4.0.4).Existing versions:
v19:4.0.2v20,v21,v22-next.2:4.0.3GHSA-c2c7-rcm5-vvqj
Minimal Reproduction
Create new Angular
v19,v20,v21,v22-next.2projectRun
npm auditin the project folderException or Error
Your Environment
Anything else relevant?
No response