@angular/cli depends on vulnerable version of @modelcontextprotocol/sdk #32224
Description
Command
other
Is this a regression?
- Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was
No response
Description
Current versions of @modelcontextprotocol/sdk 1.25.1 and lower contain CVE-2026-0621
Implement update once the package issue for that library is resolved and published.
CLI package.json
Minimal Reproduction
npm audit should be updated soon to reveal this
Exception or Error
Your Environment
Angular CLI : 21.0.4
Angular : 21.0.5
Node.js : 22.21.1
Package Manager : npm 11.7.0
Operating System : win32 x64
┌───────────────────────────────────┬───────────────────┬───────────────────┐
│ Package │ Installed Version │ Requested Version │
├───────────────────────────────────┼───────────────────┼───────────────────┤
│ @angular-devkit/build-angular │ 21.0.3 │ ^21.0.3 │
│ @angular/animations │ 21.0.5 │ ^21.0.5 │
│ @angular/cdk │ 21.0.3 │ ^21.0.0 │
│ @angular/cli │ 21.0.4 │ ^21.0.4 │
│ @angular/common │ 21.0.5 │ ^21.0.5 │
│ @angular/compiler │ 21.0.5 │ ^21.0.5 │
│ @angular/compiler-cli │ 21.0.5 │ ^21.0.5 │
│ @angular/core │ 21.0.5 │ ^21.0.5 │
│ @angular/elements │ 21.0.5 │ ^21.0.5 │
│ @angular/forms │ 21.0.5 │ ^21.0.5 │
│ @angular/platform-browser │ 21.0.5 │ ^21.0.5 │
│ @angular/platform-browser-dynamic │ 21.0.5 │ ^21.0.5 │
│ @angular/router │ 21.0.5 │ ^21.0.5 │
│ rxjs │ 7.8.2 │ ~7.8.1 │
│ typescript │ 5.9.3 │ ~5.9.2 │
│ zone.js │ 0.15.1 │ ~0.15.1 │
└───────────────────────────────────┴───────────────────┴───────────────────┘
Anything else relevant?
No response