The package ng-packagr before 10.1.1 are vulnerable to Command Injection via the styleIncludePaths option.