[Snyk] Security upgrade @angular/compiler from 17.2.4 to 19.2.17#42
Conversation
…lities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANGULARCOMPILER-14157154
Pull request overview
This PR attempts to address a high-severity XSS vulnerability (SNYK-JS-ANGULARCOMPILER-14157154) by upgrading @angular/compiler from version 17.2.4 to 19.2.17. However, this approach creates critical compatibility issues that will prevent the application from building or running correctly.
Key Issues:
- Only the @angular/compiler package is upgraded to v19, while all other Angular packages remain at v17
- This creates peer dependency conflicts, particularly with @angular/compiler-cli
- Angular packages must be upgraded together as a cohesive unit due to tight coupling
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| front/package.json | Updates @angular/compiler dependency to ^19.2.17, creating version mismatch with other Angular v17 packages |
| front/package-lock.json | Resolves @angular/compiler to 19.2.17, introducing peer dependency conflicts and incompatible Node engine requirements |
Files not reviewed (1)
- front/package-lock.json: Language not supported
| "@angular/animations": "^17.2.0", | ||
| "@angular/common": "^17.2.0", | ||
| "@angular/compiler": "^17.2.0", | ||
| "@angular/compiler": "^19.2.17", |
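Review bot: this package.json hunk moves only "@angular/compiler" to "^19.2.17" while the neighbouring entries ("@angular/animations", "@angular/common") stay at "^17.2.0"; @angular/compiler has to match @angular/compiler-cli and the rest of the @angular/* set, so the fix needs the whole set moved to 19 in one change (the `ng update` tooling does this for the core, cli and devkit packages) rather than a single-package bump, otherwise the build breaks before the XSS fix is ever exercised.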
Upgrading only @angular/compiler to version 19.2.17 while keeping all other Angular packages at version 17.2.0 will cause compatibility issues. Angular packages are designed to work together at the same major version.
All Angular packages should be upgraded together to version 19, including:
- @angular/animations
- @angular/common
- @angular/core
- @angular/forms
- @angular/platform-browser
- @angular/platform-browser-dynamic
- @angular/platform-server
- @angular/router
- @angular/ssr
- @angular/compiler-cli (in devDependencies)
- @angular-devkit/build-angular (in devDependencies)
- @angular/cli (in devDependencies)
This is a major version upgrade that requires coordinated updates and may involve breaking changes requiring code modifications.
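A quick way to catch the situation this review describes before it reaches CI is to check that every @angular/* and @angular-devkit/* entry in package.json shares one major version. The script below is an added example, not part of this PR or of the Snyk or Copilot output; the embedded package.json is constructed to mirror the state this PR produces, and the function names are my own.

```javascript
// Added example: flag Angular packages whose major version differs from the
// rest of the @angular/* set in a package.json. Not part of this PR.
// The sample manifest is constructed to mirror the post-PR state described above.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    "@angular/animations": "^17.2.0",
    "@angular/common": "^17.2.0",
    "@angular/compiler": "^19.2.17",
    "@angular/core": "^17.2.0",
  },
  devDependencies: {
    "@angular/compiler-cli": "^17.2.0",
    "@angular/cli": "^17.2.0",
    "@angular-devkit/build-angular": "^17.2.0",
  },
});

// Extract the major version from a range such as "^19.2.17", "~17.2.0" or "17.2.4".
// Returns null for ranges that do not start with a plain version (e.g. "latest").
function majorOf(range) {
  const m = /^[\^~]?v?(\d+)\./.exec(String(range).trim());
  return m ? Number(m[1]) : null;
}

// Collect every Angular-family entry across the dependency groups we care about.
function angularEntries(pkg) {
  const entries = [];
  for (const group of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(pkg[group] || {})) {
      if (name.startsWith("@angular/") || name.startsWith("@angular-devkit/")) {
        entries.push({ name, range, major: majorOf(range), group });
      }
    }
  }
  return entries;
}

// Pick the most common major as the baseline and return every entry that
// disagrees with it. A single outlier (as in this PR) is the typical signal
// of a partial upgrade that will fail peer-dependency resolution.
function findMajorMismatches(packageJsonText) {
  const entries = angularEntries(JSON.parse(packageJsonText));
  const counts = new Map();
  for (const e of entries) {
    if (e.major !== null) counts.set(e.major, (counts.get(e.major) || 0) + 1);
  }
  let baseline = null;
  for (const [major, n] of counts) {
    if (baseline === null || n > counts.get(baseline)) baseline = major;
  }
  const mismatches = entries.filter((e) => e.major !== null && e.major !== baseline);
  return { baseline, mismatches };
}

// Run against the constructed sample and report what a CI gate would print.
const report = findMajorMismatches(SAMPLE_PACKAGE_JSON);
for (const m of report.mismatches) {
  console.log(`${m.group}: ${m.name} ${m.range} is major ${m.major}, rest of Angular is ${report.baseline}`);
}
if (report.mismatches.length === 0) console.log("Angular packages share one major version");
```

Dropping this into a pre-commit hook or a CI step that reads the real front/package.json turns the review comment above into an automatic gate: a Snyk PR that bumps one Angular package in isolation fails the check instead of failing the build later.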
| "version": "19.2.17", | ||
| "resolved": "https://registry.npmjs.org/@angular/compiler/-/compiler-19.2.17.tgz", | ||
| "integrity": "sha512-qo8psYASAlDiQ8fAL8i/E2JfWH2nPTpZDKKZxSWvgBVA8o+zUEjYAJu6/k6btnu+4Qcb425T0rmM/zao6EU9Aw==", |
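Review bot: the resolved and integrity lines for compiler-19.2.17.tgz are internally consistent, but the lock file still records @angular/compiler-cli 17.2.4 with a peer dependency on @angular/compiler 17.2.4, so `npm ls` or an install with `--strict-peer-deps` will report the conflict; regenerate the lock after the full Angular set is upgraded, and check the engines field of the new entry against the Node version used in CI, since the overview above notes the 19.x package carries a different Node engine requirement.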
The upgraded @angular/compiler version 19.2.17 is incompatible with @angular/compiler-cli version 17.2.4, which has a peer dependency requiring @angular/compiler at version 17.2.4 (see line 360). This mismatch will cause peer dependency conflicts and build failures.
The @angular/compiler-cli must also be upgraded to version 19 to be compatible with the upgraded compiler.
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- front/package.json
- front/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-ANGULARCOMPILER-14157154
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Cross-site Scripting (XSS)