@angular-devkit/build-angular depends on vulnerable version of webpack

[JainDhaval]

Command

new

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Running npm audit on Angular v19 project causes an error output, because @angular-devkit/build-angular depends on vulnerable version of webpack

See more details:
GHSA-8fgc-7cc6-rx7x
GHSA-38r7-794h-5758

Minimal Reproduction

Create new Angular v19 project.
Run npm audit in the project folder

Exception or Error

Your Environment

Angular CLI: 19.2.19
Node: 20.16.0
Package Manager: npm 10.9.2
OS: win32 x64

Angular: 19.2.18
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.19
@angular-devkit/build-angular   19.2.19
@angular-devkit/core            19.2.19
@angular-devkit/schematics      19.2.19
@angular/cdk                    19.2.19
@angular/cli                    19.2.19
@schematics/angular             19.2.19
rxjs                            7.8.2
typescript                      5.8.3
zone.js                         0.15.1

Anything else relevant?

No response