Command
serve
Is this a regression?
The previous version in which this bug was not present was
No response
Description
Both versions 20.x and 21.x have had versions released that use vite 7.3.6 in order to allow versions of esbuild that do not contain its most recently identified vulnerabilities. While the 22.1.x pre-release builds have an update to vite 8 that will remediate the vulnerabilities directly, and 22.1's real release is presumably coming soon and will render this largely moot, the 22.0.x branch currently flags esbuild as vulnerable in a standard "npm audit" as a result of targeting vite 7.3.5.
Can we get the same patch applied to 22.0.x to use 7.3.6 as well?
Minimal Reproduction
Just create a new app on 22.0.x and run "npm audit" (or presumably the equivalent in other package managers). You will see a low vulnerability flagged against esbuild that is getting included because of vite.
Exception or Error
Your Environment
_ _ ____ _ ___
/ \ _ __ __ _ _ _| | __ _ _ __ / ___| | |_ _|
/ △ \ | '_ \ / _` | | | | |/ _` | '__| | | | | | |
/ ___ \| | | | (_| | |_| | | (_| | | | |___| |___ | |
/_/ \_\_| |_|\__, |\__,_|_|\__,_|_| \____|_____|___|
|___/
Angular CLI : 22.0.7
Angular : 22.0.7
Node.js : 24.18.0
Package Manager : npm 11.17.0
Operating System : win32 x64
┌───────────────────────────┬───────────────────┬───────────────────┐
│ Package │ Installed Version │ Requested Version │
├───────────────────────────┼───────────────────┼───────────────────┤
│ @angular/build │ 22.0.7 │ ^22.0.7 │
│ @angular/cdk │ 22.0.5 │ ~22.0.5 │
│ @angular/cli │ 22.0.7 │ ^22.0.7 │
│ @angular/common │ 22.0.7 │ ^22.0.7 │
│ @angular/compiler │ 22.0.7 │ ^22.0.7 │
│ @angular/compiler-cli │ 22.0.7 │ ^22.0.7 │
│ @angular/core │ 22.0.7 │ ^22.0.7 │
│ @angular/forms │ 22.0.7 │ ^22.0.7 │
│ @angular/material │ 22.0.5 │ ^22.0.5 │
│ @angular/platform-browser │ 22.0.7 │ ^22.0.7 │
│ @angular/router │ 22.0.7 │ ^22.0.7 │
│ ng-packagr │ 22.0.1 │ ^22.0.1 │
│ rxjs │ 7.8.2 │ ^7.8.2 │
│ typescript │ 6.0.3 │ ~6.0.3 │
│ vitest │ 4.1.10 │ ^4.1.10 │
│ zone.js │ 0.16.2 │ ~0.16.2 │
└───────────────────────────┴───────────────────┴───────────────────┘
Anything else relevant?
Easily worked around with:
overrides: {
"esbuild": ">=0.28.1"
}
Command
serve
Is this a regression?
The previous version in which this bug was not present was
No response
Description
Both versions 20.x and 21.x have had versions released that use vite 7.3.6 in order to allow versions of esbuild that do not contain its most recently identified vulnerabilities. While the 22.1.x pre-release builds have an update to vite 8 that will remediate the vulnerabilities directly, and 22.1's real release is presumably coming soon and will render this largely moot, the 22.0.x branch currently flags esbuild as vulnerable in a standard "npm audit" as a result of targeting vite 7.3.5.
Can we get the same patch applied to 22.0.x to use 7.3.6 as well?
Minimal Reproduction
Just create a new app on 22.0.x and run "npm audit" (or presumably the equivalent in other package managers). You will see a low vulnerability flagged against esbuild that is getting included because of vite.
Exception or Error
Your Environment
Anything else relevant?
Easily worked around with: