Skip to content

CVE-2026-23745 is affecting CLI versions < 21.0.0-rc.6 #32324

Closed
Bug
#32334
Closed
CVE-2026-23745 is affecting CLI versions < 21.0.0-rc.6#32324
Bug
#32334
Labels
area: @angular/clifreq1: lowOnly reported by a handful of users who observe it rarelyseverity6: securitytype: bug/fix
@twjacobsen

Description

@twjacobsen
twjacobsen
opened on Jan 19, 2026

Command

other

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running NPM Audit on a project using Angular CLI < 21.0.0-rc.6 will report this CVE: GHSA-8qq5-rm4j-mr97

It's related to the version of pacote < 21 using a vulnerable version of node-tar

Minimal Reproduction

Run npm audit on a project using Angular CLI < 21.0.0-rc.6

Exception or Error

Your Environment

@angular-devkit/architect            0.2003.14
@angular-devkit/build-angular        20.3.14
@angular-devkit/core                 20.3.14
@angular-devkit/schematics           20.3.14
@angular/cdk                         20.2.14
@angular/cli                         20.3.14
@angular/material                    20.2.14
@angular/material-date-fns-adapter   20.2.14
@angular/material-moment-adapter     20.2.14
@schematics/angular                  20.3.14
rxjs                                 7.8.2
typescript                           5.9.3
zone.js                              0.15.1

Anything else relevant?

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: @angular/clifreq1: lowOnly reported by a handful of users who observe it rarelyseverity6: securitytype: bug/fix

    Type

    Bug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions