[Port dspace-10_x] Bump @angular/* framework packages to 20.3.25 (combines split security PRs #5850/#5851/#5852)#5868
Merged
Conversation
Combined Angular framework bump from 20.3.24 to 20.3.25, addressing the security advisories that Dependabot raised as three separate, individually unmergeable PRs (#5850 @angular/core, #5851 @angular/compiler, #5852 @angular/common). Angular peer dependencies require every @angular/* framework package to be the exact same version, so bumping one package at a time fails npm install with ERESOLVE. This bumps the whole peer-locked family together: animations, common, compiler, core, forms, localize, platform-browser, platform-browser-dynamic, platform-server, router, and compiler-cli (compiler-cli has an exact peer on compiler, so it must move in lockstep). The package-lock.json also picks up a few in-range transitive patch refreshes in the mirador/react subtree (react-rnd, notistack, goober, clsx) as a byproduct of npm reconciling the lock. Verified with npm ci. Advisories resolved (fixed in 20.3.25): - GHSA-rgjc-h3x7-9mwg (High) @angular/core: hydration DOM clobbering and response-cache poisoning - GHSA-39pv-4j6c-2g6v (High) @angular/common: weak 32-bit cache key in HttpTransferCache, cross-request data leakage - GHSA-48r7-hpm6-gfxm (High) @angular/common: DoS via OOM in formatDate - GHSA-58w9-8g37-x9v5 (Med) @angular/compiler: two-way binding sanitization bypass (XSS) (cherry picked from commit 5aeda68)
Merged
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Port of #5859 by @bram-atmire to
dspace-10_x.