Real-world impact for consumers is bounded — both are dev/build-time, and the esbuild advisory is Windows-only. The request here is procedural: these surface on every npm audit against an Angular 21 project, and downstream consumers (especially those with security-scanning gates in CI) cannot resolve them without forking or moving to v22.
Precedent for backports
Backports of this exact shape have already happened recently, including on this branch:
#33408 — fix(@angular/build): bump vite to 7.3.5, base 21.2.x, merged 2026-06-18. This is the freshest precedent: a security-driven transitive bump landed on 21.2.x yesterday.
esbuild/esbuild-wasm to 0.28.1 on 22.0.x, merged 2026-06-16. These are the exact bumps being requested here, just on the active branch.
#33004 — fix(@angular/build): update esbuild to 0.28.0, base 20.3.x, merged 2026-04-14, referencing #32975 (@angular/build@20 uses a vulnerable version of "esbuild" - "0.25.9"; esbuild CVE-2025-68121, triaged severity6: security).
#33003 — same fix on base 19.2.x, merged the same day.
An earlier report against @angular/build@21.2.6, similarly triaged and resolved.
Per Angular's release policy at https://angular.dev/reference/releases, a fix qualifies for an LTS branch if it addresses "a newly identified security vulnerability", which the precedent issues above were treated as.
Minimal Reproduction
npx -p @angular/cli@21.2.16 -- ng new repro --defaults --skip-git --skip-install
cd repro
npm i
npm audit
npm audit reports the advisories above against transitives of @angular/build. The same audit run against a project on @angular/cli@22.0.x (post-#33384/#33385) shows the esbuild line cleared.
(Note: vite is already addressed by #33408 on the 21.2.x branch and will clear with the next 21.2.x release.)
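A CI-side check for the same condition, as an added example that is not part of this issue or of the angular-cli project: it scans a package-lock.json v3 "packages" map (a constructed fragment is embedded) for any copy of esbuild or @babel/core below the fixed versions the issue names (0.28.1 and 7.29.6), which is the kind of gate a downstream consumer would run instead of waiting on npm audit output.

```javascript
// Added example (not from the issue): report transitive copies of the two advisories'
// packages that sit below the fixed versions. MIN_FIXED comes from the issue; the
// lockfile below is constructed to mimic a fresh `ng new` on @angular/cli 21.2.x.
const MIN_FIXED = { esbuild: "0.28.1", "@babel/core": "7.29.6" };

// Compare dotted numeric versions; a prerelease tag is ignored (assumption: these
// packages ship plain x.y.z versions in the lockfile).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lockfile keys look like "node_modules/@angular/build/node_modules/esbuild";
// the package name is everything after the last "node_modules/".
function packageName(lockKey) {
  const idx = lockKey.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockKey.slice(idx + "node_modules/".length);
}

// Walk every installed copy (including nested duplicates) and flag the outdated ones.
function findVulnerable(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name || !(name in MIN_FIXED) || !entry.version) continue;
    if (compareVersions(entry.version, MIN_FIXED[name]) < 0) {
      findings.push({ path: key, name, version: entry.version, fixedIn: MIN_FIXED[name] });
    }
  }
  return findings;
}

// Constructed lockfile fragment: root, @angular/build, the two outdated transitives,
// vite already at 7.3.5, and a nested esbuild copy that is already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "repro", version: "0.0.0" },
    "node_modules/@angular/build": { version: "21.2.16" },
    "node_modules/esbuild": { version: "0.27.3" },
    "node_modules/@babel/core": { version: "7.29.0" },
    "node_modules/vite": { version: "7.3.5" },
    "node_modules/some-tool/node_modules/esbuild": { version: "0.28.1" },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) console.log(`${f.path}: ${f.version} < ${f.fixedIn}`);
```

Against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fail the job when the findings array is non-empty.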
Exception or Error
n/a — not a runtime error; advisories surface in `npm audit` only.
Command
build
Is this a regression?
The previous version in which this bug was not present was
No response
Description
@angular/build on the 21.2.x branch still depends on two transitives with published GitHub security advisories:
Package        21.2.x    Fixed in
esbuild        0.27.3    0.28.1
@babel/core    7.29.0    7.29.6 (sourceMappingURL advisory)
Source confirmed on the branch: https://github.com/angular/angular-cli/blob/21.2.x/packages/angular/build/package.json
Your Environment
Anything else relevant?
Thanks for considering — and thanks for the prompt vite backport in #33408 yesterday, much appreciated.