[Snyk] Fix for 2 vulnerabilities#53
Conversation
…nerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ANGULARCOMPILER-14908872 - https://snyk.io/vuln/SNYK-JS-ANGULARCORE-14908871
There was a problem hiding this comment.
Pull request overview
This pull request attempts to fix 2 high-severity Cross-site Scripting (XSS) vulnerabilities in Angular by upgrading @angular/compiler and @angular/core from version 17.3.1 to 19.2.18. However, the PR only upgrades these two packages while leaving all other Angular framework packages and Angular-dependent third-party libraries at their current versions, creating critical compatibility issues.
Changes:
- Upgraded @angular/compiler from 17.3.1 to 19.2.18
- Upgraded @angular/core from 17.3.1 to 19.2.18
- Updated package-lock.json with new dependency versions
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| frontend/package.json | Upgraded @angular/compiler and @angular/core to version 19.2.18 to address XSS vulnerabilities |
| frontend/package-lock.json | Updated lockfile with new versions and dependency tree for upgraded Angular packages |
Files not reviewed (1)
- frontend/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "@angular/compiler": "^19.2.18", | ||
| "@angular/core": "^19.2.18", |
There was a problem hiding this comment.
Upgrading only @angular/compiler and @angular/core to version 19.2.18 while keeping all other Angular packages at version 17.3.1 creates a severe version mismatch. Angular requires all framework packages to be on the same major version. This configuration will likely cause runtime errors, compilation failures, and unpredictable behavior.
All Angular packages should be upgraded together, including:
- @angular-devkit/build-angular
- @angular/animations
- @angular/cli
- @angular/common
- @angular/forms
- @angular/localize
- @angular/platform-browser
- @angular/platform-browser-dynamic
- @angular/platform-server
- @angular/router
- @angular/ssr
- @angular/compiler-cli (in devDependencies)
- @angular/language-service (in devDependencies)
| "@angular/compiler": "^19.2.18", | |
| "@angular/core": "^19.2.18", | |
| "@angular/compiler": "^17.3.1", | |
| "@angular/core": "^17.3.1", |
| "peerDependencies": { | ||
| "rxjs": "^6.5.3 || ^7.4.0", | ||
| "zone.js": "~0.14.0" | ||
| "zone.js": "~0.15.0" |
There was a problem hiding this comment.
The zone.js peer dependency requirement has changed from ~0.14.0 (for Angular 17) to ~0.15.0 (for Angular 19). However, the current package.json specifies zone.js version "~0.14.4" at line 99. This version mismatch will cause peer dependency warnings or potential runtime issues. The zone.js version should be updated to ~0.15.0 to match the peer dependency requirement of @angular/core 19.2.18.
| "@angular/compiler": "^19.2.18", | ||
| "@angular/core": "^19.2.18", |
There was a problem hiding this comment.
Upgrading only @angular/compiler and @angular/core to version 19.2.18 creates multiple critical compatibility issues:
-
Angular Framework Version Mismatch: All other Angular packages remain at version 17.3.1 (@angular/animations, @angular/cli, @angular/common, @angular/forms, @angular/localize, @angular/platform-browser, @angular/platform-browser-dynamic, @angular/platform-server, @angular/router, @angular/ssr, @angular/compiler-cli, @angular/language-service). Angular requires all framework packages to be on the same major version to function correctly.
-
zone.js Peer Dependency Mismatch: Angular 19 requires zone.js ~0.15.0, but the current package.json specifies zone.js "~0.14.4".
-
Third-party Angular Package Incompatibilities: Several Angular-dependent packages are incompatible with Angular 19:
- @ng-bootstrap/ng-bootstrap at version 16.0.0 (designed for Angular 16)
- ngx-echarts at version 17.2.0 (designed for Angular 17)
- ngx-infinite-scroll at version 17.0.0 (designed for Angular 17)
This partial upgrade will cause compilation failures, runtime errors, and unpredictable behavior. A complete Angular upgrade strategy is required, upgrading all Angular packages and their dependencies together.
| "@angular/compiler": "^19.2.18", | |
| "@angular/core": "^19.2.18", | |
| "@angular/compiler": "^17.3.1", | |
| "@angular/core": "^17.3.1", |
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
frontend/package.jsonfrontend/package-lock.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-ANGULARCOMPILER-14908872
SNYK-JS-ANGULARCORE-14908871
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Cross-site Scripting (XSS)