
[Port dspace-10_x] Bump @angular/* framework packages to 20.3.25 (combines split security PRs #5850/#5851/#5852)#5868

Merged: tdonohue merged 1 commit into dspace-10_x from backport-5859-to-dspace-10_x on Jun 24, 2026

Conversation

@dspace-bot (Contributor)

Port of #5859 by @bram-atmire to dspace-10_x.

Combined Angular framework bump from 20.3.24 to 20.3.25, addressing the
security advisories that Dependabot raised as three separate, individually
unmergeable PRs (#5850 @angular/core, #5851 @angular/compiler,
#5852 @angular/common).

Angular peer dependencies require every @angular/* framework package to be
the exact same version, so bumping one package at a time fails npm install
with ERESOLVE. This bumps the whole peer-locked family together:
animations, common, compiler, core, forms, localize, platform-browser,
platform-browser-dynamic, platform-server, router, and compiler-cli
(compiler-cli has an exact peer on compiler, so it must move in lockstep).

The package-lock.json also picks up a few in-range transitive patch
refreshes in the mirador/react subtree (react-rnd, notistack, goober,
clsx) as a byproduct of npm reconciling the lock. Verified with npm ci.

Advisories resolved (fixed in 20.3.25):
- GHSA-rgjc-h3x7-9mwg (High)  @angular/core: hydration DOM clobbering and
  response-cache poisoning
- GHSA-39pv-4j6c-2g6v (High)  @angular/common: weak 32-bit cache key in
  HttpTransferCache, cross-request data leakage
- GHSA-48r7-hpm6-gfxm (High)  @angular/common: DoS via OOM in formatDate
- GHSA-58w9-8g37-x9v5 (Med)   @angular/compiler: two-way binding
  sanitization bypass (XSS)

(cherry picked from commit 5aeda68)
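The description above states the constraint that makes the three Dependabot PRs individually unmergeable: every @angular/* framework package must resolve to one exact version, so a one-package bump leaves package.json in a state npm rejects with ERESOLVE. The check below is an added example, not DSpace's or Dependabot's code, that catches that state before `npm install` does: it verifies that the framework family listed in the PR is pinned exactly, to a single version, at or above the fixed release (20.3.25), and that package-lock.json resolved the same version. The package list and fixed version come from the PR text; the sample manifests, the `packages`-map lockfile layout it reads (lockfileVersion 2/3), and all function names are assumptions made for the example.

```javascript
// Added example (not DSpace's code): lockstep check for the @angular/* framework family.

// Framework packages named in the PR description as peer-locked to one version.
const ANGULAR_FRAMEWORK_PACKAGES = [
  '@angular/animations', '@angular/common', '@angular/compiler',
  '@angular/core', '@angular/forms', '@angular/localize',
  '@angular/platform-browser', '@angular/platform-browser-dynamic',
  '@angular/platform-server', '@angular/router', '@angular/compiler-cli',
];
// Release the PR names as fixing the four advisories.
const FIXED_VERSION = '20.3.25';

// Parse "20.3.25", "^20.3.24" or "~20.3.24"; report whether it is an exact pin.
function parseVersion(spec) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return { exact: m[1] === '', parts: [Number(m[2]), Number(m[3]), Number(m[4])] };
}

function compareVersions(a, b) {
  const pa = parseVersion(a).parts, pb = parseVersion(b).parts;
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// package.json check: every framework package present, pinned exactly,
// all to one version, and that version at or above minVersion.
function checkAngularLockstep(pkgJson, minVersion = FIXED_VERSION) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const result = { ok: false, versions: {}, missing: [], ranged: [], belowFix: [], distinct: [] };
  for (const name of ANGULAR_FRAMEWORK_PACKAGES) {
    const spec = deps[name];
    if (spec === undefined) { result.missing.push(name); continue; }
    result.versions[name] = spec;
    if (!parseVersion(spec).exact) result.ranged.push(name);   // peers need exact pins
    if (compareVersions(spec, minVersion) < 0) result.belowFix.push(name);
  }
  result.distinct = [...new Set(Object.values(result.versions).map(s => s.replace(/^[\^~]/, '')))];
  result.ok = result.missing.length === 0 && result.ranged.length === 0 &&
              result.belowFix.length === 0 && result.distinct.length === 1;
  return result;
}

// package-lock.json check (assumed lockfileVersion 2/3 "packages" map): the
// resolved version of every framework package equals the single pinned version.
function checkLockfileMatches(pkgJson, lockJson) {
  const want = checkAngularLockstep(pkgJson).distinct;
  const mismatched = [];
  for (const name of ANGULAR_FRAMEWORK_PACKAGES) {
    const entry = (lockJson.packages || {})[`node_modules/${name}`];
    if (want.length !== 1 || !entry || entry.version !== want[0]) mismatched.push(name);
  }
  return mismatched;
}

// Constructed sample manifests (not the real DSpace files).
const pinned = (v) => Object.fromEntries(ANGULAR_FRAMEWORK_PACKAGES.map(n => [n, v]));
// State a single Dependabot PR (core only) would leave behind:
const SPLIT_BUMP = { dependencies: { ...pinned('20.3.24'), '@angular/core': '20.3.25' } };
// State after the combined bump:
const COMBINED_BUMP = { dependencies: pinned('20.3.25') };
const COMBINED_LOCK = { lockfileVersion: 3, packages: Object.fromEntries(
  ANGULAR_FRAMEWORK_PACKAGES.map(n => [`node_modules/${n}`, { version: '20.3.25' }])) };

console.log('split bump   :', JSON.stringify(checkAngularLockstep(SPLIT_BUMP)));
console.log('combined bump:', JSON.stringify(checkAngularLockstep(COMBINED_BUMP)));
console.log('lock mismatch:', checkLockfileMatches(COMBINED_BUMP, COMBINED_LOCK));
```

Run it as a CI step on the real package.json and package-lock.json (replace the constructed samples with `JSON.parse(fs.readFileSync(...))`) and fail the job when `ok` is false or the mismatch list is non-empty; the `belowFix` list is what tells you the family has not yet reached the release that carries the advisory fixes.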
@dspace-bot added the dependencies and javascript labels Jun 24, 2026
@tdonohue tdonohue added this to the 10.1 milestone Jun 24, 2026
@tdonohue tdonohue merged commit 35c9dea into dspace-10_x Jun 24, 2026
18 of 19 checks passed
@tdonohue tdonohue deleted the backport-5859-to-dspace-10_x branch June 24, 2026 20:27