…nerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
- https://snyk.io/vuln/SNYK-JS-GLOB-14040952
- https://snyk.io/vuln/SNYK-JS-WEBPACK-15235959
- https://snyk.io/vuln/SNYK-JS-WEBPACK-15235969
- https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
Pull request overview
This Snyk-generated PR attempts to remediate 5 reported npm dependency vulnerabilities in the frontend workspace by upgrading Angular build tooling packages.
Changes:
- Bumps `@angular-devkit/build-angular` from `^17.3.1` to `^20.3.15`.
- Bumps `@angular/cli` from `^17.3.1` to `^20.3.15`.
- Regenerates `frontend/package-lock.json` accordingly.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| frontend/package.json | Upgrades Angular build tooling/CLI versions as part of the vulnerability remediation. |
| frontend/package-lock.json | Updates the resolved dependency graph to match the upgraded Angular tooling. |
| "@angular-devkit/build-angular": "^20.3.15", | ||
| "@angular/animations": "^17.3.1", | ||
| "@angular/cli": "^17.3.1", | ||
| "@angular/cli": "^20.3.15", | ||
| "@angular/common": "^17.3.1", | ||
| "@angular/compiler": "^17.3.1", |
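Review bot: `@angular/cli` and `@angular-devkit/build-angular` go to `^20.3.15` in this hunk while the adjacent `@angular/animations`, `@angular/common` and `@angular/compiler` entries stay at `^17.3.1`, so a dependency security fix is carrying a three-major tooling jump that the framework packages do not follow. The advisories listed for this PR are filed against cross-spawn, glob, webpack and brace-expansion, not against Angular itself, so either keep both tooling entries on a 17.x release and pin the affected transitive packages with an `overrides` block in `frontend/package.json`, or raise every `@angular/*` entry to the same major in one change. Confirm the result with `npm ls` on each of the four packages before merging.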
Upgrading only @angular-devkit/build-angular and @angular/cli to v20 while keeping the rest of @angular/* (including @angular/compiler-cli) at v17 will put the workspace in an unsupported mixed-major state. The resulting lockfile pulls in Angular 20 tooling that has peer deps on @angular/core/@angular/compiler-cli ^20 and requires Node >=20.19 and TypeScript >=5.8, which conflicts with the current Angular 17/TypeScript 5.4 setup and the repo’s .nvmrc (v20.8.0). Either complete an Angular major upgrade (align all @angular/*, TS, and Node) or avoid the major bump and instead remediate the vulnerable transitive deps via compatible upgrades/overrides.
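The mixed-major condition raised in the review comment above can be checked mechanically before merge. This is an added example, not code from the PR, Snyk or Copilot: `samplePkg` is constructed from the versions quoted on this page, and the function names, the `typescript` spec and the placement of entries under `dependencies`/`devDependencies` are assumptions.

```javascript
// Constructed package.json fragment using the versions quoted on this page;
// the typescript spec is a constructed 5.4.x value.
const samplePkg = {
  dependencies: {
    "@angular-devkit/build-angular": "^20.3.15",
    "@angular/animations": "^17.3.1",
    "@angular/cli": "^20.3.15",
    "@angular/common": "^17.3.1",
    "@angular/compiler": "^17.3.1",
  },
  devDependencies: { "@angular/compiler-cli": "^17.3.1", typescript: "~5.4.2" },
};

// First numeric version in a simple spec ("^20.3.15", "~5.4.2", "v20.8.0", "20.19").
// Compound ranges (">=1 <3", "a || b") are out of scope for this check.
function parseVersion(spec) {
  const m = /(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(spec);
  if (!m) throw new Error(`unparseable version: ${spec}`);
  return [m[1], m[2] || 0, m[3] || 0].map(Number);
}

// True when `actual` is greater than or equal to `minimum`.
function atLeast(actual, minimum) {
  const a = parseVersion(actual), b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Group every @angular/* and @angular-devkit/* entry by declared major version.
function angularMajors(pkg) {
  const byMajor = {};
  const all = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const [name, spec] of Object.entries(all)) {
    if (!/^@angular(-devkit)?\//.test(name)) continue;
    const major = parseVersion(spec)[0];
    (byMajor[major] = byMajor[major] || []).push(name);
  }
  return byMajor;
}

// floors: minimum Node and TypeScript versions the upgraded tooling requires.
function checkUpgrade(pkg, nvmrc, floors) {
  const problems = [];
  const majors = Object.keys(angularMajors(pkg));
  if (majors.length > 1) problems.push(`mixed Angular majors: ${majors.join(", ")}`);
  if (!atLeast(nvmrc, floors.node)) problems.push(`Node ${nvmrc} < ${floors.node}`);
  const ts = { ...pkg.dependencies, ...pkg.devDependencies }.typescript;
  if (ts && !atLeast(ts, floors.typescript)) problems.push(`TypeScript ${ts} < ${floors.typescript}`);
  return problems;
}

console.log(checkUpgrade(samplePkg, "v20.8.0", { node: "20.19", typescript: "5.8" }));
```

The check reads the lower bound of each declared range, so it is conservative; the versions actually installed are the ones recorded in `package-lock.json`.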
Snyk has created this PR to fix 5 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- frontend/package.json
- frontend/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-CROSSSPAWN-8303230
- SNYK-JS-GLOB-14040952
- SNYK-JS-WEBPACK-15235959
- SNYK-JS-WEBPACK-15235969
- SNYK-JS-BRACEEXPANSION-9789073
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Command Injection
🦉 Server-side Request Forgery (SSRF)