Skip to content

@babel/core updates needed on v20 for CVE #69608

Description

@zsharpBDO

Which @angular/* package(s) are the source of the bug?

compiler-cli and localize

Is this a regression?

No

Description

The @babel/core version (7.28.3) used by the latest v20 release of @angular/compiler-cli and @angular/localize (20.3.25) is affected by CVE-2026-49356. Could that be updated to at least 7.29.6 for both packages to eliminate the CVE from the dependency chain?

Please provide a link to a minimal reproduction of the bug

No response

Please provide the environment you discovered this bug in (run ng version)

Angular CLI: 20.3.31
Node: 22.22.3
Package Manager: npm 11.17.0
OS: win32 x64
    

Angular: 20.3.25
... animations, common, compiler, compiler-cli, core, forms
... localize, platform-browser, platform-browser-dynamic, router

Package                      Version
------------------------------------
@angular-devkit/architect    0.2003.31
@angular-devkit/core         20.3.31
@angular-devkit/schematics   20.3.31
@angular/build               20.3.31
@angular/cdk                 20.2.14
@angular/cli                 20.3.31
@angular/material            20.2.14
@schematics/angular          20.3.31
rxjs                         7.8.2
typescript                   5.8.3
zone.js                      0.15.1

Anything else?

No response

Metadata

Metadata

Assignees

Labels

area: compilerIssues related to `ngc`, Angular's template compilerarea: i18nIssues related to localization and internationalizationarea: packagingIssues related to Angular's creation of npm packagesgemini-triagedLabel noting that an issue has been triaged by geminisecurityIssues that generally impact framework or application security

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions