[Snyk] Security upgrade @angular/compiler from 17.3.1 to 19.2.17#47
…nerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ANGULARCOMPILER-14157154
Pull request overview
This PR attempts to fix a high-severity XSS vulnerability (SNYK-JS-ANGULARCOMPILER-14157154) by upgrading @angular/compiler from version 17.3.1 to 19.2.17. However, the upgrade introduces a critical compatibility issue by only updating the compiler package while leaving all other Angular packages at version 17.3.1.
Key Changes
- Upgrades `@angular/compiler` from v17.3.1 to v19.2.17 (a two-major-version jump)
- Updates package-lock.json with new version, integrity hash, and license field
- Changes Node.js engine requirement from `^18.13.0 || >=20.9.0` to `^18.19.1 || ^20.11.1 || >=22.0.0`
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| frontend/package.json | Updates @angular/compiler dependency to v19.2.17 while other Angular packages remain at v17.3.1 |
| frontend/package-lock.json | Updates compiler package metadata including version, resolved URL, integrity hash, license field, and Node.js engine requirements |
Files not reviewed (1)
- frontend/package-lock.json: Language not supported
| "@angular/cli": "^17.3.1", | ||
| "@angular/common": "^17.3.1", | ||
| "@angular/compiler": "^17.3.1", | ||
| "@angular/compiler": "^19.2.17", |
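Review bot: The bumped `@angular/compiler` line now sits two majors ahead of the `@angular/cli` and `@angular/common` lines directly above it in this hunk, which stay at `^17.3.1`. Either move every `@angular/*` entry in this file to the same major in one commit, or keep this line at `^17.3.1` and handle the advisory separately; a single-line bump like this should not merge as it stands.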
Upgrading only @angular/compiler to v19.2.17 while keeping all other Angular packages at v17.3.1 creates a version mismatch. Angular packages should be kept in sync to avoid compatibility issues.
The following packages are still at v17.3.1:
- @angular/animations
- @angular/cli
- @angular/common
- @angular/core
- @angular/forms
- @angular/localize
- @angular/platform-browser
- @angular/platform-browser-dynamic
- @angular/platform-server
- @angular/router
- @angular/ssr
- @angular/compiler-cli (devDependency)
All Angular packages should be upgraded together to the same major version to maintain compatibility.
| "@angular/compiler": "^19.2.17", | |
| "@angular/compiler": "^17.3.1", |
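One way to catch this kind of mismatch automatically, as an added example that is not part of the PR or of the reviewer's comment: a Node.js check that compares the declared major of every `@angular/*` entry against `@angular/core`. The manifest is constructed to mirror the versions quoted above, and `majorOf` and `checkAngularMajors` are hypothetical helper names.

```javascript
// Constructed manifest mirroring the versions quoted in the review above.
const manifest = {
  dependencies: {
    "@angular/animations": "^17.3.1",
    "@angular/common": "^17.3.1",
    "@angular/compiler": "^19.2.17", // the only line the PR changes
    "@angular/core": "^17.3.1",
    "@angular/router": "^17.3.1",
    "rxjs": "~7.8.0", // constructed, non-Angular entry that must be ignored
  },
  devDependencies: {
    "@angular/cli": "^17.3.1",
    "@angular/compiler-cli": "^17.3.1",
  },
};

// Major version of a simple range ("^17.3.1", "~17.3.1", "17.3.1").
// Tags, URLs and compound ranges return null and are reported, not guessed.
function majorOf(range) {
  const m = /^[\^~]?(\d+)\.\d+\.\d+(?:[-+][\w.-]+)?$/.exec(String(range).trim());
  return m ? Number(m[1]) : null;
}

// Compare every @angular/* entry against the major declared for `anchor`.
function checkAngularMajors(pkg, anchor = "@angular/core") {
  const all = { ...pkg.dependencies, ...pkg.devDependencies };
  const expected = majorOf(all[anchor]);
  if (expected === null) {
    return { ok: false, expected, mismatched: [], unparsable: [anchor] };
  }
  const mismatched = [];
  const unparsable = [];
  for (const [name, range] of Object.entries(all)) {
    if (!name.startsWith("@angular/")) continue;
    const major = majorOf(range);
    if (major === null) unparsable.push(name);
    else if (major !== expected) mismatched.push({ name, range, major });
  }
  const ok = mismatched.length === 0 && unparsable.length === 0;
  return { ok, expected, mismatched, unparsable };
}

const result = checkAngularMajors(manifest);
for (const { name, range } of result.mismatched) {
  console.log(`${name}@${range} is not on major ${result.expected}`);
}
```

In a pipeline, load the real package.json in place of the constructed manifest and fail the job when `ok` is false.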
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- frontend/package.json
- frontend/package-lock.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-ANGULARCOMPILER-14157154
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.