CVE-2026-23745 is affecting CLI versions < 21.0.0-rc.6

[twjacobsen]

Command

other

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running NPM Audit on a project using Angular CLI < 21.0.0-rc.6 will report this CVE: GHSA-8qq5-rm4j-mr97

It's related to the version of pacote < 21 using a vulnerable version of node-tar

Minimal Reproduction

Run npm audit on a project using Angular CLI < 21.0.0-rc.6

Exception or Error

Your Environment

@angular-devkit/architect            0.2003.14
@angular-devkit/build-angular        20.3.14
@angular-devkit/core                 20.3.14
@angular-devkit/schematics           20.3.14
@angular/cdk                         20.2.14
@angular/cli                         20.3.14
@angular/material                    20.2.14
@angular/material-date-fns-adapter   20.2.14
@angular/material-moment-adapter     20.2.14
@schematics/angular                  20.3.14
rxjs                                 7.8.2
typescript                           5.9.3
zone.js                              0.15.1

Anything else relevant?

No response