[Snyk] Security upgrade @angular/compiler from 6.0.9 to 19.2.17#5151
…ckage.json to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANGULARCOMPILER-14157154
Pull request overview
This PR attempts to fix a high-severity XSS vulnerability (SNYK-JS-ANGULARCOMPILER-14157154) by upgrading @angular/compiler from version 6.0.9 to 19.2.17. However, this approach creates a critical compatibility issue by upgrading only one Angular package while leaving all other Angular framework dependencies at version 6.0.3, which will break the application.
Key Changes
- Upgrades @angular/compiler from ^6.0.3 to ^19.2.17 (a 13-major-version jump)
- Leaves all other Angular packages at v6.0.3, creating severe version mismatches
- Does not update supporting dependencies (TypeScript, CLI tools) required for Angular 19
| "@angular/animations": "^6.0.3", | ||
| "@angular/common": "^6.0.3", | ||
| "@angular/compiler": "^6.0.3", | ||
| "@angular/compiler": "^19.2.17", |
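Review bot: this hunk raises only the "@angular/compiler" entry to "^19.2.17" while the neighbouring "@angular/animations" and "@angular/common" lines stay at "^6.0.3", and the PR description lists package.json as the only changed file, so the mismatch is not reconciled anywhere else in the change. Either bump every "@angular/*" entry in this file to the same major in one change, or close this PR and handle the advisory through a coordinated framework upgrade; a one-package bump of a lockstep-versioned framework should not be merged as a security fix.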
Upgrading only @angular/compiler to v19.2.17 while all other Angular packages remain at v6.0.3 will cause severe compatibility issues. All Angular framework packages (@angular/animations, @angular/common, @angular/core, @angular/forms, @angular/http, @angular/platform-browser, @angular/platform-browser-dynamic, @angular/router, and @angular/compiler-cli) must be upgraded together to the same major version.
This 13-major-version jump will also introduce breaking changes that require:
- Updating TypeScript from ~2.7.2 to at least v4.9.3 (required for Angular 19)
- Migrating through Angular's update guide for each major version
- Updating build tooling and CLI packages
- Reviewing and updating application code for breaking changes
Consider either:
- Upgrading all Angular packages together following the Angular Update Guide, or
- Finding an alternative mitigation for the XSS vulnerability that doesn't require such a major version jump
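Added example, not code from the Snyk PR, the Copilot review, or the project itself: a small Node script that reads a package.json and reports @angular/* packages whose declared major versions disagree, which is the mismatch the comment above describes. The sample package.json in the block is constructed from the versions visible on this page (only @angular/compiler at ^19.2.17, the rest at ^6.0.3, TypeScript at ~2.7.2); the function names are the example's own.

```javascript
// Added example: flag @angular/* packages whose declared majors disagree.
// Not part of the Snyk PR or the project; the sample manifest is constructed.

const ANGULAR_SCOPE = '@angular/';

// Extract the major version from a semver range such as "^6.0.3",
// "~19.2.17", ">=6.0.0 <7.0.0" or "19.x". Returns null when the range
// carries no leading numeric major (e.g. "latest", "*").
function majorOf(range) {
  const m = /^[\^~>=<\s]*v?(\d+)/.exec(String(range).trim());
  return m ? Number(m[1]) : null;
}

// Collect every @angular/* package from dependencies and devDependencies
// together with its declared major version.
function angularMajors(pkg) {
  const out = {};
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (name.startsWith(ANGULAR_SCOPE)) out[name] = majorOf(range);
    }
  }
  return out;
}

// Group the framework packages by major. The manifest is consistent only
// when all packages with a known major share a single one.
// Returns { consistent, byMajor } where byMajor maps major -> [package names].
function checkAngularConsistency(pkg) {
  const byMajor = {};
  for (const [name, major] of Object.entries(angularMajors(pkg))) {
    const key = major === null ? 'unknown' : String(major);
    (byMajor[key] = byMajor[key] || []).push(name);
  }
  const majors = Object.keys(byMajor).filter((k) => k !== 'unknown');
  return { consistent: majors.length <= 1, byMajor };
}

// Constructed sample mirroring the state of package.json after this PR:
// one package bumped to 19, every other framework package still on 6.
const examplePackageJson = {
  dependencies: {
    '@angular/animations': '^6.0.3',
    '@angular/common': '^6.0.3',
    '@angular/compiler': '^19.2.17',
    '@angular/core': '^6.0.3',
    '@angular/forms': '^6.0.3',
    '@angular/http': '^6.0.3',
    '@angular/platform-browser': '^6.0.3',
    '@angular/platform-browser-dynamic': '^6.0.3',
    '@angular/router': '^6.0.3',
  },
  devDependencies: {
    '@angular/compiler-cli': '^6.0.3',
    typescript: '~2.7.2',
  },
};

// Load a real manifest when a path is given, otherwise use the sample above.
function loadManifest(path) {
  if (!path) return examplePackageJson;
  return JSON.parse(require('fs').readFileSync(path, 'utf8'));
}

// Usage: node check-angular-majors.js [path/to/package.json]
const report = checkAngularConsistency(loadManifest(process.argv[2]));
if (report.consistent) {
  console.log('OK: all @angular/* packages declare the same major');
} else {
  console.log('MISMATCH: @angular/* packages span several majors');
  for (const [major, names] of Object.entries(report.byMajor)) {
    console.log(`  major ${major}: ${names.join(', ')}`);
  }
}
```

Run against a checked-out package.json in CI, the script turns the review's warning into a repeatable check: a Snyk-style single-package bump fails the build instead of reaching the compiler's runtime peers unnoticed.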
| "@angular/compiler": "^19.2.17", | |
| "@angular/compiler": "^6.0.3", |
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
spring-boot-modules/spring-boot-angular/src/main/js/ecommerce/package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-ANGULARCOMPILER-14157154
Important note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.