…o reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ANGULARCOMPILER-14908872
- https://snyk.io/vuln/SNYK-JS-ANGULARCORE-14908871
Pull request overview
This PR attempts to fix two high-severity Cross-site Scripting (XSS) vulnerabilities by upgrading @angular/compiler and @angular/core from version 8.2.13 to version 19.2.18, representing a jump from Angular 8 to Angular 19 (11 major versions).
Changes:
- Upgraded @angular/compiler from 8.2.13 to 19.2.18
- Upgraded @angular/core from 8.2.13 to 19.2.18
- Updated package-lock.json with new dependency resolutions including tslib 2.8.1 for the upgraded packages
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| myshop-angular/package.json | Updated @angular/compiler and @angular/core to version 19.2.18 |
| myshop-angular/package-lock.json | Reflects dependency updates including transitive dependencies and minor reordering of entries |
Files not reviewed (1)
- myshop-angular/package-lock.json: Language not supported
| "@angular/compiler": "~19.2.18", | ||
| "@angular/core": "~19.2.18", |
Upgrading only @angular/compiler and @angular/core to version 19.2.18 while leaving all other Angular packages at version 8.2.13 will cause severe version mismatch issues. Angular requires all framework packages to be at the same major version.
All Angular packages should be upgraded together including:
- @angular/animations
- @angular/common
- @angular/forms
- @angular/platform-browser
- @angular/platform-browser-dynamic
- @angular/router
Additionally, the devDependencies (@angular/cli, @angular/compiler-cli, @angular-devkit/build-angular, @angular/language-service) also need to be upgraded to compatible versions.
This is a breaking change that requires a comprehensive upgrade plan, not just upgrading two packages in isolation.
| "@angular/compiler": "~19.2.18", | |
| "@angular/core": "~19.2.18", | |
| "@angular/compiler": "~8.2.13", | |
| "@angular/core": "~8.2.13", |
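Review bot: the ~8.2.13 entries for "@angular/compiler" and "@angular/core" at the end of this suggestion put back the versions this PR upgrades away from in order to fix SNYK-JS-ANGULARCOMPILER-14908872 and SNYK-JS-ANGULARCORE-14908871, so taking it as-is leaves both XSS findings open. If the revert is accepted, keep the two advisories tracked as unresolved and link the follow-up that moves every @angular/* package to one major version together, rather than treating the closed PR as the fix.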
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- myshop-angular/package.json
- myshop-angular/package-lock.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-ANGULARCOMPILER-14908872
- SNYK-JS-ANGULARCORE-14908871
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
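The version mismatch raised in the review comment above can be caught mechanically before a fix PR like this one is merged. The following is an added example, not code from this PR, from Snyk or from the Copilot review: a Node.js check that groups the `@angular/*` entries of a `package.json` by major version. The function names and the sample manifest are assumptions made for illustration; the sample mirrors the state the review describes, and its `devDependencies` version is constructed.

```javascript
'use strict';
// Added example: detect mixed major versions among @angular/* packages.

// Major version of a simple range such as "~19.2.18" or "^8.2.13".
// Returns null for anything else (dist-tags, URLs, compound ranges).
function majorOf(range) {
  const m = /^[~^]?v?(\d+)(?:\.[\dx*]+){0,2}$/.exec(String(range).trim());
  return m ? Number(m[1]) : null;
}

// Group @angular/* entries by major version and report whether they agree.
function checkAngularAlignment(pkg) {
  const byMajor = new Map();
  const unparsed = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!name.startsWith('@angular/')) continue; // framework scope only
      const major = majorOf(range);
      if (major === null) { unparsed.push(`${name}@${range}`); continue; }
      if (!byMajor.has(major)) byMajor.set(major, []);
      byMajor.get(major).push(name);
    }
  }
  const majors = [...byMajor.keys()].sort((a, b) => a - b);
  return {
    aligned: majors.length <= 1 && unparsed.length === 0,
    majors,
    groups: Object.fromEntries(majors.map((m) => [m, byMajor.get(m).sort()])),
    unparsed, // ranges a human has to look at
  };
}

// Constructed sample: two packages bumped, the rest left at 8.2.13.
const samplePkg = {
  dependencies: {
    '@angular/animations': '~8.2.13',
    '@angular/common': '~8.2.13',
    '@angular/compiler': '~19.2.18',
    '@angular/core': '~19.2.18',
    '@angular/forms': '~8.2.13',
    '@angular/platform-browser': '~8.2.13',
    '@angular/platform-browser-dynamic': '~8.2.13',
    '@angular/router': '~8.2.13',
  },
  devDependencies: { '@angular/compiler-cli': '~8.2.13' }, // constructed value
};

console.log(JSON.stringify(checkAngularAlignment(samplePkg), null, 2));
```

Packages outside the `@angular/` scope, such as `@angular-devkit/build-angular`, are skipped here and need their own compatibility check.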