[Snyk] Security upgrade @angular/compiler from 8.2.13 to 19.2.17 #78
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ANGULARCOMPILER-14157154
Pull request overview
This PR attempts to fix a high-severity XSS vulnerability (SNYK-JS-ANGULARCOMPILER-14157154) by upgrading @angular/compiler from version 8.2.13 to 19.2.17. However, this upgrade will break the application because it only upgrades a single Angular package while leaving all other Angular dependencies at version 8.2.13, creating critical version incompatibilities.
Key Issues:
- Only @angular/compiler is upgraded to v19.2.17; all other Angular packages remain at v8.2.13
- Angular requires all framework packages to be at the same major version
- TypeScript 3.5.3 is incompatible with Angular 19 (requires TypeScript 5.6+)
| "@angular/animations": "~8.2.13", | ||
| "@angular/common": "~8.2.13", | ||
| "@angular/compiler": "~8.2.13", | ||
| "@angular/compiler": "~19.2.17", |
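Review bot: the changed "@angular/compiler" line is the only edit in this PR, and the PR lists myshop-angular/package.json as the only file Snyk touched, so a committed lockfile, if the project has one, is not regenerated by this change. Regenerate the lockfile in the same change and let CI run a clean install and build, so the dependency tree that actually resolves from ~19.2.17 is what gets reviewed and scanned.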
This upgrade introduces a critical version mismatch. The @angular/compiler is being upgraded from v8.2.13 to v19.2.17 (a jump of 11 major versions), but all other Angular packages remain at v8.2.13:
- @angular/animations: ~8.2.13
- @angular/common: ~8.2.13
- @angular/core: ~8.2.13
- @angular/forms: ~8.2.13
- @angular/platform-browser: ~8.2.13
- @angular/platform-browser-dynamic: ~8.2.13
- @angular/router: ~8.2.13
- @angular/compiler-cli: ~8.2.13 (in devDependencies)
Angular packages must be kept in sync at the same major version. This mismatch will cause compilation errors and runtime failures because the compiler version is incompatible with the other Angular packages.
Recommendation: Upgrade all Angular packages together to v19.2.17, or find a security patch for Angular v8 if a full migration is not feasible. A major version upgrade from v8 to v19 requires careful migration following Angular's update guides for each major version.
| "@angular/compiler": "~19.2.17", | |
| "@angular/compiler": "~8.2.13", |
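Review bot: the suggested change on the "@angular/compiler" line puts the range back to ~8.2.13, the version this PR names as affected by SNYK-JS-ANGULARCOMPILER-14157154, so applying it leaves the finding open. If the suggestion is taken, do not close the finding with this PR; track the coordinated upgrade of the Angular packages as its own change.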
| "@angular/animations": "~8.2.13", | ||
| "@angular/common": "~8.2.13", | ||
| "@angular/compiler": "~8.2.13", | ||
| "@angular/compiler": "~19.2.17", |
Angular 19 requires TypeScript 5.6 or later, but this project is using TypeScript ~3.5.3. This version incompatibility will cause build failures even if the Angular version mismatch is resolved.
If upgrading all Angular packages to v19, the TypeScript dependency must also be updated to at least v5.6 to match Angular 19's requirements.
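The two review comments above describe checks that can be automated before a single-package fix PR is merged. The following is an added example, not code from this repository, Snyk or Angular; `checkAngularSync`, `FRAMEWORK_PACKAGES` and `MIN_TS_FOR_ANGULAR` are hypothetical names, the package list is the one named in the review, and the only TypeScript floor encoded is the Angular 19 / TypeScript 5.6 pair stated there.

```javascript
// Added example: flag mixed Angular majors and a too-old TypeScript in one package.json.
// All names below are hypothetical helpers, not part of Angular or Snyk tooling.
const FRAMEWORK_PACKAGES = new Set([
  "animations", "common", "compiler", "compiler-cli", "core", "forms",
  "platform-browser", "platform-browser-dynamic", "router",
].map((n) => `@angular/${n}`));

// Minimum TypeScript [major, minor] per Angular major; only the pair from the review.
const MIN_TS_FOR_ANGULAR = { 19: [5, 6] };

// Extract [major, minor] from a simple range such as "~8.2.13" or "^5.6.0".
function parseRange(range) {
  const m = /^[~^]?(\d+)\.(\d+)/.exec(String(range).trim());
  return m ? [Number(m[1]), Number(m[2])] : null;
}

function checkAngularSync(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const byMajor = new Map(); // Angular major -> package names declared at that major
  const problems = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!FRAMEWORK_PACKAGES.has(name)) continue;
    const v = parseRange(range);
    if (!v) { problems.push(`${name}: cannot parse range ${range}`); continue; }
    byMajor.set(v[0], [...(byMajor.get(v[0]) || []), name]);
  }
  if (byMajor.size > 1) {
    const detail = [...byMajor].sort((a, b) => a[0] - b[0])
      .map(([major, names]) => `v${major}: ${names.join(", ")}`).join("; ");
    problems.push(`mixed Angular majors (${detail})`);
  }
  const ts = parseRange(deps.typescript);
  for (const major of byMajor.keys()) {
    const min = MIN_TS_FOR_ANGULAR[major];
    if (min && ts && (ts[0] < min[0] || (ts[0] === min[0] && ts[1] < min[1]))) {
      problems.push(`typescript ${deps.typescript} is below ${min.join(".")} needed by Angular ${major}`);
    }
  }
  return problems;
}

// Constructed sample mirroring the state this PR would leave package.json in.
const samplePkg = {
  dependencies: { "@angular/animations": "~8.2.13", "@angular/common": "~8.2.13",
    "@angular/compiler": "~19.2.17", "@angular/core": "~8.2.13" },
  devDependencies: { "@angular/compiler-cli": "~8.2.13", typescript: "~3.5.3" },
};
console.log(checkAngularSync(samplePkg));
```

Run against the real `package.json` in CI, a non-empty result is a reason to hold the merge until the packages are upgraded together.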
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
myshop-angular/package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-ANGULARCOMPILER-14157154
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Cross-site Scripting (XSS)