Snyk Vulnerability: 3 High Severity Vulnerabilities Found in Angular 9.1.0 #17388
Description
Bug report
Affected Package
Angular 9 uses vulnerable versions of the dependency packages karma@4.1.0 and http-server@0.11.1. For more detail, refer to the description section.
Is this a regression?
This vulnerability was present in version 9.0.x.
Description
Angular 9.1.0 has 3 high-severity vulnerabilities:
✗ High severity vulnerability found in useragent
Description: Regular Expression Denial of Service (ReDoS)
Info: https://snyk.io/vuln/SNYK-JS-USERAGENT-174737
Introduced through: karma@4.1.0
From: karma@4.1.0 > useragent@2.3.0
✗ High severity vulnerability found in qs
Description: Prototype Override Protection Bypass
Info: https://snyk.io/vuln/npm:qs:20170213
Introduced through: http-server@0.11.1
From: http-server@0.11.1 > union@0.4.6 > qs@2.3.3
✗ High severity vulnerability found in ecstatic
Description: Denial of Service (DoS)
Info: https://snyk.io/vuln/SNYK-JS-ECSTATIC-540354
Introduced through: http-server@0.11.1
From: http-server@0.11.1 > ecstatic@3.3.2
For the complete Snyk report, refer to the attachment.
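The Snyk "From:" lines above are dependency chains (for example `http-server@0.11.1 > union@0.4.6 > qs@2.3.3`). The following script is an added example, not code from the Angular project or from Snyk; it shows how to reproduce such chains from a lockfile and check whether every chain starts at a dev-only dependency, which is the first triage question for a scanner finding. The lockfile object is a constructed, hoisted subset in package-lock v1 shape (`dependencies` entries with `version`, `requires` and the `dev` flag), not Angular's real lockfile, and the `directDeps` list stands in for what package.json would normally provide.

```javascript
// Added example: trace the dependency chains through which a flagged package
// reaches a project, and report whether all of them are dev-only.
// `lock` is a constructed, hoisted subset in package-lock v1 shape; in a real
// project you would JSON.parse('package-lock.json') instead.
const lock = {
  name: 'example-app', // constructed
  dependencies: {
    'http-server': { version: '0.11.1', dev: true, requires: { union: '~0.4.3', ecstatic: '^3.0.0' } },
    union:         { version: '0.4.6',  dev: true, requires: { qs: '~2.3.3' } },
    qs:            { version: '2.3.3',  dev: true },
    ecstatic:      { version: '3.3.2',  dev: true },
    karma:         { version: '4.1.0',  dev: true, requires: { useragent: '2.3.0' } },
    useragent:     { version: '2.3.0',  dev: true },
    rxjs:          { version: '6.5.4' },
  },
};

// Direct dependencies of the project (constructed; normally read from
// package.json "dependencies" and "devDependencies").
const directDeps = ['http-server', 'karma', 'rxjs'];

// Depth-first walk from each direct dependency along `requires` edges,
// collecting every chain that ends at `target`. A `seen` set guards
// against cyclic requires.
function findChains(lock, directDeps, target) {
  const deps = lock.dependencies;
  const chains = [];
  function walk(name, path, seen) {
    const entry = deps[name];
    if (!entry || seen.has(name)) return;
    const next = [...path, `${name}@${entry.version}`];
    if (name === target) { chains.push(next); return; }
    const nextSeen = new Set(seen);
    nextSeen.add(name);
    for (const child of Object.keys(entry.requires || {})) walk(child, next, nextSeen);
  }
  for (const d of directDeps) walk(d, [], new Set());
  return chains;
}

// Render chains in Snyk's "a@1 > b@2 > c@3" style and decide whether the
// finding only affects the development toolchain: true when every chain
// starts at an entry the lockfile marks with `dev: true`.
function triage(lock, directDeps, target) {
  const chains = findChains(lock, directDeps, target);
  const devOnly = chains.length > 0 && chains.every(chain => {
    // strip the "@version" suffix; lastIndexOf keeps scoped names intact
    const root = chain[0].slice(0, chain[0].lastIndexOf('@'));
    return lock.dependencies[root].dev === true;
  });
  return { chains: chains.map(c => c.join(' > ')), devOnly };
}

// Stand-alone run over the three packages named in this report.
for (const pkg of ['useragent', 'qs', 'ecstatic']) {
  console.log(pkg, JSON.stringify(triage(lock, directDeps, pkg)));
}
```

A dev-only chain means the vulnerable code never ships in the built application, which lowers exploitability but does not remove the risk to the developer machine or CI runner that executes `karma` or `http-server`; the usual fix is still to bump the direct dependency to a version that pulls in a patched transitive package.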
Your Environment
Angular Version:
Angular CLI: 9.1.0
Node: 12.13.0
OS: darwin x64
Angular:
...
Ivy Workspace:
Package Version
------------------------------------------------------
@angular-devkit/architect 0.901.0
@angular-devkit/core 9.1.0
@angular-devkit/schematics 9.1.0
@schematics/angular 9.1.0
@schematics/update 0.901.0
rxjs 6.5.4
[angular 9.1.x snyk-output.txt](https://github.com/angular/angular/files/4429037/angular.9.1.x.snyk-output.txt)