The package ng-packagr prior to 10.1.1 are vulnerable to Command Injection via the styleIncludePaths option.
ng-packagr project ng-packagr