Vite security vulnerability

[manojsridharsrinivasan]

Command

other

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

There is a reported security vulnerability in Vite 7.3.1 (GHSA-p9ff-h696-f583). The latest @angular/build version 21.2.6 still depends on Vite 7.3.1, which introduces a transitive dependency vulnerability in Angular CLI projects.

Related issue - GHSA-v2wj-q39q-566r

Minimal Reproduction

N/A

Exception or Error

vite@7.3.1 – Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket (high severity)

Your Environment

21.2.5

Anything else relevant?

No response

[alan-agius4]

Closed via #32953

[rgbweb]

Hi @alan-agius4, thanks for the quick fix. If I see it correctly, the fix has only been implemented for the latest Angular 21 branch. Unfortunately, the latest Angular 20 version is also affected. It references Vite 7.1.11. Is a fix planned for this as well?

[alan-agius4]

There are already PRs in flight for this: #32956 and #32955

[manojsridharsrinivasan]

Hi @alan-agius4 Thank you for the fix. Will there be angular/build version 21.2.7 published for the fix?

[emilycarter6561-byte]

Thanks for the update, @alan-agius4! I see the PRs for Angular 21, but is there any plan to backport this to Angular 20 since it’s also affected by the Vite 7.1.11 issue? Let me know if that’s in the works!

…

On Wed, Apr 8, 2026, 8:04 AM Manoj Sridhar Srinivasan < ***@***.***> wrote: *manojsridharsrinivasan* left a comment (angular/angular-cli#32945) <#32945 (comment)> Hi @alan-agius4 <https://github.com/alan-agius4> Thank you for the fix. Will there be angular/build version 21.2.7 published for the fix? — Reply to this email directly, view it on GitHub <#32945 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/B7Z2X6CUODHD33PQ223FYZD4UZE6XAVCNFSM6AAAAACXOO3VOOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DEMBWGQZDSMBYGU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[rgbweb]

Thanks for the update, @alan-agius4! I see the PRs for Angular 21, but is
there any plan to backport this to Angular 20 since it’s also affected by
the Vite 7.1.11 issue? Let me know if that’s in the works!
…

Hi @emilycarter6561-byte, that's exactly what I asked earlier today and Alan already answered with the two existing PRs with the fixes for Angular 20 and 19. So, the answer is yes. But the PRs are still open at the moment.

[pjlowrey]

When will this be published?