Command
other
Is this a regression?
The previous version in which this bug was not present was
No response
Description
Per CVE-2026-9496, pacote dependencies should be updated to at least version 21.5.1 (GitHub's page on it is a little behind - Snyk identifies that 21.5.1 has the fix here).
This is currently affecting @angular/cli, both versions 20 and 22.
Minimal Reproduction
- Initialize a new Angular project with `npx -p @angular/cli@20 ng new`
- In the new project, run `npm explain pacote` and note that the version (21.0.4) is affected by the CVE
Your Environment
Angular CLI: 20.3.28
Node: 22.22.3
Package Manager: npm 10.9.8
OS: win32 x64
Angular: 20.3.25
... common, compiler, compiler-cli, core, forms
... platform-browser, router
Package                      Version
------------------------------------
@angular-devkit/architect    0.2003.28
@angular-devkit/core         20.3.28
@angular-devkit/schematics   20.3.28
@angular/build               20.3.28
@angular/cli                 20.3.28
@schematics/angular          20.3.28
rxjs                         7.8.2
typescript                   5.9.3
zone.js                      0.15.1
Anything else relevant?
No response
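
A lockfile version of the `npm explain pacote` check from the reproduction steps, as an added example that is not part of the original report or of the Angular CLI or npm code: it scans the `packages` map of an npm lockfile (lockfileVersion 2 or 3) for installed copies of `pacote` below the 21.5.1 minimum named in the report. The sample lockfile is constructed and the function names are hypothetical.

```javascript
// Added example: find installed copies of a package below a minimum version
// in an npm lockfile (lockfileVersion 2/3, which has a "packages" map).

// Parse "major.minor.patch" into numbers. Prerelease/build suffixes are
// ignored, so "21.5.1-beta.0" compares equal to "21.5.1" (a simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` is strictly lower than `minimum`.
function isBelow(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every lockfile entry for `name` (hoisted or nested) below `minimum`.
function findOutdated(lock, name, minimum) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Exact path-segment match, so "node_modules/not-pacote" is not a hit.
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (entry.version && isBelow(entry.version, minimum)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/@angular/cli": { version: "20.3.28" },
    "node_modules/pacote": { version: "21.0.4" },
    "node_modules/other/node_modules/pacote": { version: "21.5.1" },
    "node_modules/not-pacote": { version: "1.0.0" },
  },
};

const outdated = findOutdated(sampleLock, "pacote", "21.5.1");
console.log(outdated);
```

To use it on a real project, pass the parsed contents of `package-lock.json` as `lock`.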