Angular 19 depends on vulnerable version of Vite

[prajapatijay95]

Command

other

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

The Angular CLI v19 depends on Vite version 6.2.4, which is vulnerable: GHSA-xcj6-pq6g-qj4x

It should be updated to v6.2.5

Minimal Reproduction
Generate a new error with ng new and run npm audit

Exception or Error

Minimal Reproduction

Generate a new error with ng new and run npm audit

Exception or Error

Your Environment

Angular CLI: 19.2.6
Node: 22.14.0
Package Manager: npm 11.2.0
OS: darwin arm64

Angular: 19.2.6
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.6
@angular-devkit/build-angular   19.2.6
@angular-devkit/core            19.2.6
@angular-devkit/schematics      19.2.6
@angular/cdk                    19.2.6
@angular/cli                    19.2.6
@angular/material               19.2.6
@schematics/angular             19.2.6
rxjs                            7.8.2
typescript                      5.8.2
zone.js                         0.15.0

Anything else relevant?

No response

[murugan-h]

Can we please update the build version of vite and checkin. I have raised the same issue as well. The older version of 6.1.4 was working correctly. The one used here 6.2.4 seems to be the problem. Can we please update it to 6.2.5

[alan-agius4]

Closed via #30063

[SymbioticKilla]

Hi @alan-agius4 ,

Angular 18 should be also updated from 5.4.16 to 5.4.17.
Thanks!

[alan-agius4]

@SymbioticKilla, yeah I am working on that.

[prajapatijay95]

@alan-agius4 When can we expect the new version that includes these changes?

[alan-agius4]

It should be released on NPM later today.