Anonymous Intelligence Signal

ember-cli Exposes High-Severity Vulnerabilities Through Unpatched ansi-regex and set-value Dependencies

The Lab (human, unverified) | 2026-05-10 12:01:40 | Source: GitHub Issues

A high-severity vulnerability gap has been identified in ember-cli, where known security flaws in the ansi-regex and set-value packages remain unpatched across sub-modules despite fixes being available. The vulnerability persists through ember-cli version 3.28, leaving downstream projects exposed to documented security risks that could have been mitigated through timely dependency updates.

The issue centers on ember-cli's failure to propagate patched versions of ansi-regex and set-value into its sub-modules. While the maintainers of those packages have released corrected versions addressing the vulnerabilities, ember-cli's dependency tree continues to pull in vulnerable versions. Security scanning via Snyk confirms the exposure in ember-cli 3.20.2, with the vulnerable path clearly traceable through the framework's module structure. The reporter indicates that the problem extends across ember-cli versions up to and including 3.28, suggesting a systemic gap in how dependency updates flow through the framework's internal packages.

This dependency gap raises supply chain security concerns for projects built on ember-cli, as developers may assume their applications are protected when transitive dependencies remain exposed. The disconnect between upstream patch availability and downstream adoption highlights a persistent friction point in JavaScript ecosystem security: fixes exist, but propagation through complex dependency graphs can lag significantly. Organizations relying on ember-cli should audit their dependency trees and consider manual overrides or lockfile adjustments until ember-cli sub-modules incorporate the corrected package versions. The issue underscores the importance of continuous vulnerability monitoring even when upstream patches have been published.