…lities The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANGULARCOMPILER-14908872
- https://snyk.io/vuln/SNYK-JS-ANGULARCORE-14908871
Pull request overview
This PR attempts to fix two XSS vulnerabilities (SNYK-JS-ANGULARCOMPILER-14908872 and SNYK-JS-ANGULARCORE-14908871) by upgrading @angular/compiler and @angular/core from version 17.2.0 to 19.2.18.
Changes:
- Upgraded @angular/compiler from ^17.2.0 to ^19.2.18
- Upgraded @angular/core from ^17.2.0 to ^19.2.18
- Updated package-lock.json with new version metadata and dependencies
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| front/package.json | Updates @angular/compiler and @angular/core to version 19.2.18 |
| front/package-lock.json | Updates lockfile with new package versions, integrity hashes, and dependency metadata including new license field and updated Node.js engine requirements |
Files not reviewed (1)
- front/package-lock.json: Language not supported
| "@angular/compiler": "^19.2.18", | ||
| "@angular/core": "^19.2.18", |
Upgrading only @angular/compiler and @angular/core to version 19.2.18 while leaving other Angular packages at version 17.2.0 will cause runtime errors and compatibility issues. All Angular packages must be upgraded together to maintain compatibility. The following packages also need to be upgraded to version 19.x:
- @angular/animations (line 17)
- @angular/common (line 18)
- @angular/forms (line 21)
- @angular/platform-browser (line 22)
- @angular/platform-browser-dynamic (line 23)
- @angular/platform-server (line 24)
- @angular/router (line 25)
- @angular/ssr (line 26)
- @angular/compiler-cli (devDependency, line 36)
| "@angular/compiler": "^19.2.18", | ||
| "@angular/core": "^19.2.18", |
This upgrade creates an incompatible peer dependency situation. The @angular/core package at version 19.2.18 has a peer dependency on zone.js ~0.15.0 (as seen in line 377 of the package-lock.json), but the current package.json specifies zone.js ~0.14.3. Additionally, other Angular packages like @angular/common (line 18), @angular/forms (line 21), and @angular/platform-browser (line 22) have peer dependencies requiring @angular/core 17.2.4, which will conflict with the upgraded version 19.2.18. This will cause npm/yarn to report peer dependency warnings or errors and may result in runtime failures.
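A lockstep check for the situation both review comments describe, as an added example that is not part of the PR or of the project's code: it reads a package.json object and reports every @angular/* package whose major version differs from @angular/core, and compares the declared zone.js range against the peer range the reviewer quoted from the lockfile. The sample package.json below is constructed to mirror this PR; the zone.js peer range is passed in by the caller rather than parsed out of package-lock.json.

```javascript
// Added example: detect Angular packages that drifted away from @angular/core's
// major version, and a zone.js range that no longer matches core's peer range.

// Pull "major.minor.patch" out of a range such as "^19.2.18" or "~0.14.3".
function parseVersion(range) {
  const m = String(range || '').match(/(\d+)\.(\d+)\.(\d+)/);
  return m ? { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) } : null;
}

// Merge dependencies and devDependencies (compiler-cli lives in the latter).
function allDeps(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}

// Every @angular/* package must share @angular/core's major version.
function findAngularDrift(pkg) {
  const deps = allDeps(pkg);
  const core = parseVersion(deps['@angular/core']);
  const coreMajor = core ? core.major : null;
  const drift = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!name.startsWith('@angular/')) continue;
    const v = parseVersion(range);
    if (!v || v.major !== coreMajor) drift.push({ name, range, expectedMajor: coreMajor });
  }
  return { coreMajor, drift };
}

// A tilde range such as "~0.15.0" pins major.minor, so compare those two
// fields between the declared zone.js range and the peer range core requires.
// A missing zone.js entry is reported as a mismatch.
function zoneJsMismatch(pkg, corePeerRange) {
  const declared = parseVersion(allDeps(pkg)['zone.js']);
  const required = parseVersion(corePeerRange);
  if (!declared || !required) return true;
  return declared.major !== required.major || declared.minor !== required.minor;
}

// Constructed sample mirroring this PR: compiler and core bumped, the rest left at 17.
const samplePackageJson = {
  dependencies: {
    '@angular/animations': '^17.2.0', '@angular/common': '^17.2.0',
    '@angular/compiler': '^19.2.18', '@angular/core': '^19.2.18',
    '@angular/forms': '^17.2.0', '@angular/platform-browser': '^17.2.0',
    '@angular/router': '^17.2.0', 'zone.js': '~0.14.3',
  },
  devDependencies: { '@angular/compiler-cli': '^17.2.0' },
};

const report = findAngularDrift(samplePackageJson);
console.log(`core major ${report.coreMajor}; drifted: ${report.drift.map(d => d.name).join(', ')}`);
console.log(`zone.js mismatch vs ~0.15.0: ${zoneJsMismatch(samplePackageJson, '~0.15.0')}`);
```

Running this against the sample lists six drifted packages and flags zone.js; pointing `samplePackageJson` at the real front/package.json (via `JSON.parse(fs.readFileSync(...))`) turns it into a pre-merge check for dependency-bump PRs.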
| "@angular/compiler": "^19.2.18", | |
| "@angular/core": "^19.2.18", | |
| "@angular/compiler": "^17.2.0", | |
| "@angular/core": "^17.2.0", |
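Review bot: this hunk moves only @angular/compiler and @angular/core, and from ^17.2.0 straight to ^19.2.18, a two-major-version jump that Angular treats as a migration rather than a patch bump, while the other @angular/* packages named in the earlier comments stay at ^17.2.0. Rather than hand-editing these two lines, run `ng update @angular/core@19 @angular/cli@19` so the remaining @angular/* packages, @angular/compiler-cli and zone.js move together, then regenerate package-lock.json from that result so the peer ranges recorded in it agree with package.json.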
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- front/package.json
- front/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-ANGULARCOMPILER-14908872
SNYK-JS-ANGULARCORE-14908871
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Cross-site Scripting (XSS)