Today, Minko Gechev, an engineer on the Angular team at Google, announced the release of Angular CLI 7.2.1. This release fixes a webpack-dev-server vulnerability and also adds support for a multiselect list prompt, TypeScript 3.2, and Angular 7.2.0-rc.0.
📣 Angular CLI v7.2.1 is out:
✅ Support for multiselect list prompt
✅ Schematics supports TypeScript 3.2 & Angular 7.2.0-rc.0
✅ Webpack-dev-server vulnerability fix (including in LTS)
✅ A bunch of fixes https://t.co/rrMESSNoqa
Special thanks to our community contributors ❤️ pic.twitter.com/N41t9SlQs4
— Minko Gechev (@mgechev) January 9, 2019
Understanding the webpack-dev-server vulnerability
The npm install command was reporting the Missing Origin Validation vulnerability because webpack-dev-server versions before 3.1.10 are missing origin validation on the websocket server. That websocket server is used for Hot Module Replacement (HMR), and because the origin of requests to it is not validated, a remote attacker can take advantage of this vulnerability to steal a developer’s code.
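The kind of check whose absence is described above, as an added example (not code from webpack-dev-server or Angular CLI): a Node `upgrade` handler that rejects WebSocket handshakes whose `Origin` header is not a trusted host. The names `ALLOWED_HOSTS`, `isTrustedOrigin` and `guardUpgrade` and the sample origins are assumptions made for illustration.

```javascript
// Added example: Origin validation for a dev-server WebSocket handshake.
// ALLOWED_HOSTS and both function names are hypothetical, not project APIs.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns true only when the Origin header names a host the developer trusts.
function isTrustedOrigin(originHeader, allowedHosts = ALLOWED_HOSTS) {
  // Browsers send Origin on every WebSocket handshake; a missing or
  // opaque ("null") origin is treated as untrusted.
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let origin;
  try {
    origin = new URL(originHeader);
  } catch {
    return false; // malformed header
  }
  if (origin.protocol !== 'http:' && origin.protocol !== 'https:') return false;
  // Compare the parsed hostname exactly; a substring or prefix match would
  // accept look-alike hosts such as "localhost.other-site.example".
  return allowedHosts.has(origin.hostname);
}

// Handler for the http.Server 'upgrade' event. The handshake is refused
// before any HMR traffic is exchanged; `next` is the real WebSocket handler.
function guardUpgrade(req, socket, next) {
  if (!isTrustedOrigin(req.headers.origin)) {
    socket.end('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
    return false;
  }
  next(req, socket);
  return true;
}

// Constructed sample Origin headers (not captured traffic).
const samples = [
  'http://localhost:4200',
  'https://other-site.example',
  'http://localhost.other-site.example',
  'null',
];
for (const o of samples) console.log(o, '->', isTrustedOrigin(o));
```

The check is needed on the server because browsers do not apply the same-origin policy to WebSocket connections, so any page open in the developer's browser can attempt the handshake.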
Other updates in Angular CLI 7.2.1
Several updates and bug fixes were listed in the release notes of Angular CLI’s GitHub repository. Some of them are:
- Support is added for multiselect list prompt
- Support is added for TypeScript 3.2 and Angular 7.2.0-rc.0
- Optimization options are updated
- Warnings are added for overriding flags in arguments
- lintFix is added to several other schematics
- `resourcesOutputPath` is added to the schema to define where style resources will be placed, relative to outputPath.
- The architect command project parsing is improved
- Prompt support is added using Inquirer
- Jobs API is added
- Directly loading component templates is supported