Skip to content

@angular/build@19 and @20 depend on vulnerable version of rollup #32592

New issue
New issue
Closed
Bug
#32597
Closed
@angular/build@19 and @20 depend on vulnerable version of rollup#32592
Bug
#32597
Assignees
alan-agius4
Labels
freq1: lowOnly reported by a handful of users who observe it rarelyseverity6: securitytype: bug/fix
@leszq

Description

@leszq
leszq
opened on Feb 26, 2026

Command

new

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on Angular v19, v20 project causes an error output, because @angular/build depends on vulnerable version of rollup (fixed "rollup": "4.34.8" for @angular/build@19.2.21 and fixed "rollup": " 4.52.3" for @angular/build@20.3.17 - required patched version: rollup@4.59.0
See more details:
GHSA-mw96-cpmx-2vgc

Minimal Reproduction

Create new Angular v19 or v20 project.
Run npm audit in the project folder

Exception or Error

Your Environment

Angular CLI: 19.2.21
Node: 22.22.0
Package Manager: npm 10.9.4
OS: win32 x64

Angular: 19.2.19
... common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.21
@angular-devkit/build-angular   19.2.21
@angular-devkit/core            19.2.21
@angular-devkit/schematics      19.2.21
@angular/cli                    19.2.21
@schematics/angular             19.2.21
rxjs                            7.8.2
typescript                      5.7.3
zone.js                         0.15.1

Anything else relevant?

No response

Metadata

Metadata

Assignees

Labels

freq1: lowOnly reported by a handful of users who observe it rarelyseverity6: securitytype: bug/fix

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions