Skip to content

security: vulnerability found in transitive dependency picomatch #32842

New issue
New issue
Open
Open
security: vulnerability found in transitive dependency picomatch#32842
#32849 (+2)
Assignees
alan-agius4
Labels
area: @angular/cligemini-triagedLabel noting that an issue has been triaged by geminiseverity6: security
@leszq

Description

@leszq
leszq
opened on Mar 26, 2026

Command

new

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on an Angular project reports a vulnerability because the following libraries: @angular-devkit/build-angular, @angular-devkit/core, and @angular/build do not use the required secure version of picomatch (4.0.4).

Existing versions:
v19: 4.0.2
v20, v21, v22-next.2: 4.0.3

GHSA-c2c7-rcm5-vvqj

Minimal Reproduction

Create new Angular v19, v20, v21, v22-next.2 project
Run npm audit in the project folder

Exception or Error

Your Environment

Angular CLI: 19.2.22
Node: 22.22.0
Package Manager: npm 10.9.4
OS: win32 x64

Angular: 19.2.20
... common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.22
@angular-devkit/build-angular   19.2.22
@angular-devkit/core            19.2.22
@angular-devkit/schematics      19.2.22
@angular/cli                    19.2.22
@schematics/angular             19.2.22
rxjs                            7.8.2
typescript                      5.7.3
zone.js                         0.15.1

Anything else relevant?

No response

Metadata

Metadata

Assignees

Labels

area: @angular/cligemini-triagedLabel noting that an issue has been triaged by geminiseverity6: security

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions