Command
build
Is this a regression?
The previous version in which this bug was not present was
No response
Description
Running npm audit on an Angular v20 or v21 project produces error output, because @angular-devkit/build-angular depends on a vulnerable version of copy-webpack-plugin, which depends on a 6.x version of serialize-javascript.
Required patched version: copy-webpack-plugin@14.0.0
See more details:
GHSA-76p7-773f-r4q5
Minimal Reproduction
Run npm audit with a dependency on @angular-devkit/build-angular v20 or v21.
Exception or Error
serialize-javascript <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
No fix available
node_modules/serialize-javascript
  copy-webpack-plugin 4.3.0 - 13.0.1
  Depends on vulnerable versions of serialize-javascript
  node_modules/copy-webpack-plugin
    @angular-devkit/build-angular *
    Depends on vulnerable versions of copy-webpack-plugin
    node_modules/@angular-devkit/build-angular
      @angular-builders/custom-webpack *
      Depends on vulnerable versions of @angular-devkit/build-angular
      node_modules/@angular-builders/custom-webpack
Your Environment
Angular CLI: 20.3.18
Node: 24.13.0
Package Manager: npm 11.6.2
OS: darwin arm64
Angular: 20.3.17
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router, upgrade
Package                         Version
---------------------------------------
@angular-devkit/architect       0.2003.18
@angular-devkit/build-angular   20.3.18
@angular-devkit/core            20.3.18
@angular-devkit/schematics      20.3.18
@angular/cdk                    20.2.14
@angular/cli                    20.3.18
@angular/material               20.2.14
@schematics/angular             20.3.18
ng-packagr                      20.3.2
rxjs                            7.8.2
typescript                      5.9.3
webpack                         5.105.3
Anything else relevant?
No response
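Added example, not part of the original issue and not Angular or npm project code: a small Node.js triage helper that walks the `via` links in an `npm audit --json` report (auditReportVersion 2) to show which direct dependencies pull in the advisory. The sample report is constructed to mirror the text output above, and its `isDirect` values and the names `sampleReport`, `chainsFrom` and `triage` are assumptions.

```javascript
// Constructed sample in the `npm audit --json` (auditReportVersion 2) shape,
// trimmed to the fields used here and mirroring the text output in this report.
// The isDirect values are assumptions about the reporter's package.json.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "serialize-javascript": {
      isDirect: false, fixAvailable: false, range: "<=7.0.2",
      via: [{ url: "https://github.com/advisories/GHSA-5c6j-r48x-rmvq", severity: "high" }],
    },
    "copy-webpack-plugin": {
      isDirect: false, fixAvailable: false, range: "4.3.0 - 13.0.1",
      via: ["serialize-javascript"],
    },
    "@angular-devkit/build-angular": {
      isDirect: true, fixAvailable: false, range: "*",
      via: ["copy-webpack-plugin"],
    },
    "@angular-builders/custom-webpack": {
      isDirect: true, fixAvailable: false, range: "*",
      via: ["@angular-devkit/build-angular"],
    },
  },
};

// Walk `via` links from one package down to the advisory objects at the root.
// Returns one entry per advisory reached: { chain: [pkg, ...], advisory: url }.
function chainsFrom(report, name, seen = []) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.includes(name)) return []; // unknown package or cycle
  const path = [...seen, name];
  return entry.via.flatMap((v) =>
    typeof v === "string"
      ? chainsFrom(report, v, path)         // string: another vulnerable package
      : [{ chain: path, advisory: v.url }]  // object: the advisory itself
  );
}

// For every flagged direct dependency, list the paths that lead to an advisory.
function triage(report) {
  return Object.entries(report.vulnerabilities)
    .filter(([, entry]) => entry.isDirect)
    .flatMap(([name]) => chainsFrom(report, name));
}

for (const { chain, advisory } of triage(sampleReport)) {
  console.log(`${chain.join(" -> ")}  (${advisory})`);
}
```

Against a real project, the input would be the parsed output of `npm audit --json` instead of `sampleReport`.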