Current Behavior
npm audit report
picomatch 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - GHSA-c2c7-rcm5-vvqj
fix available via npm audit fix --force
Will install @nx/angular@20.6.2, which is a breaking change
node_modules/@nx/angular/node_modules/picomatch
node_modules/@nx/js/node_modules/picomatch
node_modules/@nx/workspace/node_modules/picomatch
@nx/angular <=0.0.0-pr-34253-d811c6c || >=20.5.0-beta.0
Depends on vulnerable versions of @nx/eslint
Depends on vulnerable versions of @nx/js
Depends on vulnerable versions of @nx/module-federation
Depends on vulnerable versions of @nx/rspack
Depends on vulnerable versions of @nx/web
Depends on vulnerable versions of @nx/webpack
Depends on vulnerable versions of @nx/workspace
Depends on vulnerable versions of picomatch
node_modules/@nx/angular
@nx/js <=0.0.0-pr-34253-d811c6c || >=20.5.0-beta.0
Depends on vulnerable versions of @nx/workspace
Depends on vulnerable versions of picomatch
node_modules/@nx/js
@nx/eslint <=0.0.0-pr-34253-d811c6c || >=20.5.0-beta.0
Depends on vulnerable versions of @nx/js
node_modules/@nx/eslint
@nx/eslint-plugin <=0.0.0-pr-34253-d811c6c || >=20.5.0-beta.0
Depends on vulnerable versions of @nx/js
node_modules/@nx/eslint-plugin
@nx/jest <=0.0.0-pr-34253-d811c6c || >=20.5.0-beta.0
Depends on vulnerable versions of @nx/js
node_modules/@nx/jest
@nx/module-federation <=0.0.0-pr-34253-d811c6c || >=20.5.0-beta.0
Depends on vulnerable versions of @nx/js
Depends on vulnerable versions of @nx/web
node_modules/@nx/module-federation
@nx/rspack <=0.0.0-pr-34253-d811c6c || >=20.5.0-beta.0
Depends on vulnerable versions of @nx/js
Depends on vulnerable versions of @nx/module-federation
Depends on vulnerable versions of @nx/web
node_modules/@nx/rspack
@nx/web <=0.0.0-pr-34253-d811c6c || >=20.5.0-beta.0
Depends on vulnerable versions of @nx/js
node_modules/@nx/web
@nx/webpack <=0.0.0-pr-34253-d811c6c || >=20.5.0-beta.0
Depends on vulnerable versions of @nx/js
node_modules/@nx/webpack
@nx/workspace <=0.0.0-pr-34253-d811c6c || >=20.5.1
Depends on vulnerable versions of picomatch
Expected Behavior
Do not have known vulnerabilities related to picomatch in @nx/angular, @nx/js, @nx/workspace.
GitHub Repo
No response
Steps to Reproduce
- Create a project with @nx/angular
- Run npm audit
Nx Report
NX Report complete - copy this into the issue template
Node : 24.10.0
OS : darwin-arm64
Native Target : aarch64-macos
npm : 11.6.1
daemon : Available
nx : 22.6.3
@nx/js : 22.6.3
@nx/eslint : 22.6.3
@nx/workspace : 22.6.3
@nx/angular : 22.6.3
@nx/jest : 22.6.3
@nx/devkit : 22.6.3
@nx/eslint-plugin : 22.6.3
@nx/module-federation : 22.6.3
@nx/rspack : 22.6.3
@nx/web : 22.6.3
@nx/webpack : 22.6.3
typescript : 5.9.3
---------------------------------------
Community plugins:
@ionic/angular : 8.8.2
@ionic/angular-toolkit : 12.3.0
@maskito/angular : 5.2.1
@ngrx/component : 21.1.0
ng-mocks : 14.15.2
---------------------------------------
Failure Logs
Package Manager Version
No response
Operating System
Additional Information
No response