[Snyk] Security upgrade @angular/cli from 17.3.1 to 20.3.15#56
…nerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15127355
Pull request overview
This PR attempts to fix a directory traversal security vulnerability (SNYK-JS-TAR-15127355) in the tar dependency by upgrading @angular/cli from version 17.3.1 to 20.3.15. However, this approach creates critical compatibility issues.
Changes:
- Upgrades @angular/cli from ^17.3.1 to ^20.3.15 in frontend/package.json
| "@angular-devkit/build-angular": "^17.3.1", | ||
| "@angular/animations": "^17.3.1", | ||
| "@angular/cli": "^17.3.1", | ||
| "@angular/cli": "^20.3.15", |
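Review bot: the single changed line `"@angular/cli": "^20.3.15"` leaves the context lines `"@angular-devkit/build-angular": "^17.3.1"` and `"@angular/animations": "^17.3.1"` on major 17, so the hunk itself shows the CLI/framework version split. Since the advisory being fixed (SNYK-JS-TAR-15127355) is in the transitive tar dependency, confirm with `npm ls tar` after install that the CLI bump actually removes the vulnerable tar version, and if a lower-risk path is preferred, pin tar through an npm `overrides` entry in package.json instead of a major CLI jump.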
Upgrading @angular/cli to version 20.3.15 while keeping all other Angular packages at version 17.3.1 will cause severe compatibility issues. The Angular CLI version should match the Angular framework version.
The following packages are still at version 17.3.1 and need to be upgraded together:
- @angular-devkit/build-angular (line 65)
- @angular/animations (line 66)
- @angular/common (line 68)
- @angular/compiler (line 69)
- @angular/core (line 70)
- @angular/forms (line 71)
- @angular/localize (line 72)
- @angular/platform-browser (line 73)
- @angular/platform-browser-dynamic (line 74)
- @angular/platform-server (line 75)
- @angular/router (line 76)
- @angular/ssr (line 77)
- @angular/compiler-cli (line 102, devDependencies)
- @angular/language-service (line 103, devDependencies)
Angular CLI 20.x requires Angular 20.x framework packages. Using mismatched versions will result in build failures and runtime errors. All Angular packages should be upgraded together as a coordinated set, or an alternative approach should be used to address the security vulnerability (such as upgrading just the tar dependency if possible).
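A quick check for the version split described in the comment above, added here as an example (not code from this PR, from Snyk, or from the Copilot review): it reads a package.json object and lists every @angular/* and @angular-devkit/* package whose major version differs from @angular/cli's. The package.json below is constructed from the versions named in this thread and is not the repository's real file.

```javascript
// Added example (not part of this PR or the Copilot review): report
// @angular/* and @angular-devkit/* packages whose major version differs
// from @angular/cli, the mismatch that breaks the build after a lone CLI bump.
const ANGULAR_SCOPES = ["@angular/", "@angular-devkit/"];

// Major version of a semver range such as "^17.3.1", "~5.4.3" or ">=20".
// Returns null for ranges it cannot read (tags, git URLs, "latest").
function majorOf(range) {
  const m = /^[\^~>=<\s]*v?(\d+)(?:\.|$)/.exec(String(range).trim());
  return m ? Number(m[1]) : null;
}

// Every dependency (prod and dev) under one of the Angular scopes, as [name, range].
function angularDeps(pkg) {
  const all = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(all).filter(([name]) =>
    ANGULAR_SCOPES.some((scope) => name.startsWith(scope))
  );
}

// Packages whose major does not match @angular/cli's, as [{ name, major }].
// Returns [] when @angular/cli is absent or its range is unreadable.
function findMajorMismatches(pkg) {
  const deps = angularDeps(pkg);
  const cli = deps.find(([name]) => name === "@angular/cli");
  const cliMajor = cli ? majorOf(cli[1]) : null;
  if (cliMajor === null) return [];
  return deps
    .filter(([name]) => name !== "@angular/cli")
    .map(([name, range]) => ({ name, major: majorOf(range) }))
    .filter(({ major }) => major !== cliMajor);
}

// Constructed sample mirroring the versions discussed in this PR; not the real file.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "@angular-devkit/build-angular": "^17.3.1",
    "@angular/animations": "^17.3.1",
    "@angular/cli": "^20.3.15",
    "@angular/core": "^17.3.1",
    "@ng-bootstrap/ng-bootstrap": "^16.0.0", // outside the scopes, not checked here
  },
  devDependencies: { "@angular/compiler-cli": "^17.3.1", typescript: "~5.4.3" },
};

const sampleCliMajor = majorOf(SAMPLE_PACKAGE_JSON.dependencies["@angular/cli"]);
for (const { name, major } of findMajorMismatches(SAMPLE_PACKAGE_JSON)) {
  console.log(`${name} is on major ${major}, but @angular/cli is on major ${sampleCliMajor}`);
}
```

Third-party Angular libraries such as @ng-bootstrap/ng-bootstrap live outside the two scopes, so they still need the manual compatibility check the later comment describes.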
| "@angular/cli": "^20.3.15", | |
| "@angular/cli": "^17.3.1", |
This upgrade may introduce TypeScript version incompatibilities. Angular 20.x typically requires TypeScript 5.5 or later, but the current project uses TypeScript ~5.4.3 (line 113). When upgrading Angular CLI to version 20.x, verify that the TypeScript version is also compatible. This should be coordinated with the full Angular framework upgrade.
The @ng-bootstrap/ng-bootstrap package (line 83) is currently at version ^16.0.0, which is designed for Angular 16.x. If Angular CLI is upgraded to 20.x (and the framework follows), this package will also need to be upgraded to a version compatible with Angular 20.x to avoid compatibility issues. This is part of the broader ecosystem dependency upgrade required.
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- frontend/package.json
- frontend/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-TAR-15127355