[Snyk] Security upgrade @angular/common from 17.3.1 to 19.2.16 #46
…nerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ANGULARCOMMON-14135651
Pull request overview
This PR attempts to fix a high-severity security vulnerability (SNYK-JS-ANGULARCOMMON-14135651) by upgrading @angular/common from version 17.3.1 to 19.2.16. However, the partial upgrade approach introduces critical compatibility issues.
Key Issue:
- Only @angular/common is upgraded to version 19.2.16, while all other Angular packages (core, compiler, forms, platform-browser, router, etc.) remain at version 17.3.1
- This creates unresolvable peer dependency conflicts that will prevent the application from building or running correctly
Recommendation: Reject this PR and coordinate a full Angular ecosystem upgrade to version 19.x for all related packages.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| frontend/package.json | Upgrades @angular/common to 19.2.16 while leaving all other Angular packages at 17.3.1, creating version mismatch |
| frontend/package-lock.json | Reflects the partial upgrade with conflicting peer dependency requirements between Angular v17 and v19 packages |
Files not reviewed (1)
- frontend/package-lock.json: Language not supported
| "@angular/animations": "^17.3.1", | ||
| "@angular/cli": "^17.3.1", | ||
| "@angular/common": "^17.3.1", | ||
| "@angular/common": "^19.2.16", |
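Review bot: the bump on the `"@angular/common"` line leaves the adjacent `"@angular/animations": "^17.3.1"` and `"@angular/cli": "^17.3.1"` entries untouched, so this hunk alone moves one framework package two majors ahead of its siblings; since the Angular framework packages declare each other as peer dependencies at a matching version (see the `peerDependencies` change in the lock file hunk below), a fresh `npm install` on this branch should be expected to fail peer resolution, and forcing it through with `--legacy-peer-deps` would only hide the mismatch rather than fix it. Suggest closing this PR and doing the upgrade as one coordinated change (`ng update` moves the framework and CLI packages together), then re-running the Snyk check against the regenerated lock file.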
Upgrading only @angular/common to 19.2.16 while keeping all other Angular packages at 17.3.1 will cause critical peer dependency conflicts.
The upgraded @angular/common v19.2.16 requires @angular/core v19.2.16 as a peer dependency, but @angular/core remains at v17.3.1. Additionally, other Angular packages like @angular/forms, @angular/platform-browser, and @angular/platform-browser-dynamic have peer dependencies on @angular/common v17.3.1, which conflicts with this upgrade.
Recommendation: All Angular packages should be upgraded together to the same major version. To properly fix the security vulnerability, upgrade all Angular dependencies (including @angular/core, @angular/compiler, @angular/forms, @angular/platform-browser, @angular/platform-browser-dynamic, @angular/platform-server, @angular/router, @angular/ssr, @angular/animations, @angular/cli, @angular-devkit/build-angular, @angular/compiler-cli, and @angular/language-service) to version 19.x.x to maintain compatibility.
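The mismatch described in the review above can be caught before anything is installed by checking that every Angular-scoped entry in package.json shares a single major version. The following is an added example, not code from this PR, from Snyk or from Copilot; the package.json it inspects is constructed inline to mirror the versions shown in this PR, and `checkAngularVersions`, `majorOf` and `formatReport` are hypothetical helper names. It handles the edge case the review does not mention: ranges it cannot parse (`*`, `latest`, git URLs) are reported separately instead of being silently skipped.

```javascript
// Added example (not from the PR or its tooling): flag Angular packages whose
// major versions disagree in a package.json, the failure mode the review describes.

// Constructed sample mirroring frontend/package.json after the partial bump in this PR.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    "@angular/animations": "^17.3.1",
    "@angular/common": "^19.2.16",
    "@angular/compiler": "^17.3.1",
    "@angular/core": "^17.3.1",
    "@angular/forms": "^17.3.1",
    "@angular/platform-browser": "^17.3.1",
    "@angular/router": "^17.3.1",
    "rxjs": "~7.8.0",
  },
  devDependencies: {
    "@angular/cli": "^17.3.1",
    "@angular-devkit/build-angular": "^17.3.1",
    "typescript": "~5.4.0",
  },
});

// Angular publishes its framework and tooling packages on a shared version line,
// so a mismatched major across these scopes is a red flag.
const ANGULAR_SCOPES = ["@angular/", "@angular-devkit/"];

// Extract the major version from a simple range such as "^17.3.1", "~19.2.16" or "19.2.16".
// Returns null for ranges this checker does not understand (e.g. "*", "latest", git URLs).
function majorOf(range) {
  const m = /^[\^~]?v?(\d+)\.\d+\.\d+/.exec(String(range).trim());
  return m ? Number(m[1]) : null;
}

// Collect Angular-scoped entries from both dependencies and devDependencies.
function angularPackages(pkg) {
  const out = {};
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (ANGULAR_SCOPES.some((scope) => name.startsWith(scope))) out[name] = range;
    }
  }
  return out;
}

// Group Angular packages by major version. The result is
// { consistent, majors: { <major>: [names] }, unparsed: [names] };
// consistent is false as soon as more than one major is present.
function checkAngularVersions(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const majors = {};
  const unparsed = [];
  for (const [name, range] of Object.entries(angularPackages(pkg))) {
    const major = majorOf(range);
    if (major === null) {
      unparsed.push(name);
      continue;
    }
    if (!majors[major]) majors[major] = [];
    majors[major].push(name);
  }
  return { consistent: Object.keys(majors).length <= 1, majors, unparsed };
}

// Human-readable summary suitable for a CI log or a PR status check.
function formatReport(result) {
  if (result.consistent && result.unparsed.length === 0) {
    return "OK: all Angular packages share one major version";
  }
  const lines = [];
  if (!result.consistent) {
    lines.push("MISMATCH: Angular packages span several major versions");
    for (const [major, names] of Object.entries(result.majors)) {
      lines.push(`  v${major}: ${names.slice().sort().join(", ")}`);
    }
  }
  if (result.unparsed.length > 0) {
    lines.push(`  unparsed ranges (check by hand): ${result.unparsed.join(", ")}`);
  }
  return lines.join("\n");
}

// Run the check over the constructed sample when executed directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(formatReport(checkAngularVersions(SAMPLE_PACKAGE_JSON)));
}
```

Run against the sample, the report lists `@angular/common` alone under v19 and the other eight Angular packages under v17, which is exactly the state this PR would leave the repository in. Wiring the same check into CI on package.json changes turns a partial bot upgrade into a failing check instead of a broken build.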
| }, | ||
| "peerDependencies": { | ||
| "@angular/core": "17.3.1", | ||
| "@angular/core": "19.2.16", |
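Review bot: the `peerDependencies` block on these lines now pins `@angular/core` to `19.2.16`, yet nothing in this PR changes the installed `@angular/core`, so the regenerated lock file records a peer requirement it cannot satisfy; a quick local confirmation is `npm ls @angular/core @angular/common`, which marks unmet peer dependencies as invalid. Since this lock file was produced by the bot and was not reviewed (it is listed under "Files not reviewed"), suggest also checking that no other `peerDependencies` entries in the same file were moved to 19.x before trusting it.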
The peer dependency requirement "@angular/core": "19.2.16" cannot be satisfied because @angular/core is installed at version 17.3.1 (see line 1104). This mismatch will cause the application to fail to build or exhibit runtime errors.
This issue stems from upgrading only @angular/common without upgrading the rest of the Angular ecosystem. All Angular packages must be upgraded together to maintain compatibility.
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- frontend/package.json
- frontend/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-ANGULARCOMMON-14135651
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.