Fix Dependabot alerts: upgrade Angular 19 to 20 in car-sales-website#101
Merged
Conversation
The Angular SPA sample pinned Angular 19.2.x, which has no patched release for four advisories (vulnerable range `<= 19.2.25`, no 19.x fix published). The lowest patched release that addresses all four is Angular 20.3.25, so this bumps the framework one major version. Addresses: - CVE-2026-54267 / GHSA-rgjc-h3x7-9mwg (high) @angular/core — Client Hydration DOM Clobbering & Response-Cache Poisoning (alert #434) - CVE-2026-54266 / GHSA-39pv-4j6c-2g6v (high) @angular/common — Weak 32-bit cache key hashing in HttpTransferCache (alert #440) - CVE-2026-54268 / GHSA-48r7-hpm6-gfxm (high) @angular/common — DoS via OOM in formatDate (alert #441) - CVE-2026-54265 / GHSA-58w9-8g37-x9v5 (medium) @angular/compiler — Two-way property binding sanitization bypass / XSS (alert #439) Changes: - @angular/* framework packages 19.2.x -> 20.3.25 - @angular/cdk and @angular/material 19.2.x -> 20.2.14 (latest 20.x) - @angular/cli and @angular-devkit/build-angular 19.2.x -> 20.3.29 - typescript ~5.7.2 -> ~5.9.2 (Angular 20 requires >=5.8 <6.0) - overrides: vite 6.4.3 -> 7.3.5. Angular 20's @angular/build is built against the vite 7 API and depends on vite 7.3.2, so the old vite 6 pin broke `ng serve` (the dev server returned HTTP 500 for /@vite/client and the app never bootstrapped). 7.3.5 is the patched release for the vite 7.x line of GHSA-fx2h-pf6j-xcff (server.fs.deny bypass) — the same advisory the original 6.4.3 pin guarded against on the vite 6.x line. - README CLI version reference 19.2.14 -> 20.3.29 Regenerated package-lock.json from a clean install (no manual hash edits) so integrity hashes are correct. Verified with `npm run build`, `ng test` (5/5 specs pass), and by running `ng serve` and loading the app in a browser: the dashboard and lazy-loaded routes render with live data and no new runtime errors. `npm audit` reports 0 vulnerabilities. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The
samples/spa/angular/car-sales-websiteSPA was pinned to Angular 19.2.x, which has four open Dependabot alerts and no patched release on the 19.x line (the advisories list<= 19.2.25as vulnerable with no 19.x fix). Resolving them requires moving the framework forward one major version. The lowest release that patches all four is Angular 20.3.25.Alerts addressed
Approach
Bumped the Angular framework from 19.2.x to 20.x and reconciled the dev toolchain that the new major requires:
@angular/*framework packages 19.2.x -> 20.3.25@angular/cdkand@angular/material19.2.x -> 20.2.14 (latest 20.x)@angular/cliand@angular-devkit/build-angular19.2.x -> 20.3.29typescript~5.7.2 -> ~5.9.2 (Angular 20 requires >=5.8 <6.0)package-lock.jsonwas regenerated from a clean install (no manual integrity-hash edits) so the lockfile stays consistent with the registry.Heads-up for reviewers: the
overridesvite pinThe existing
overridesblock pinnedvite: 6.4.3, which was correct for the Angular 19 tree. Angular 20's@angular/buildis written against the vite 7 API and depends on vite 7.3.2, so keeping the old vite 6 pin brokeng serve: the dev server returned HTTP 500 for/@vite/clientand the app never bootstrapped. A production build still succeeded, so this only surfaced when actually running the app.The fix bumps the override to
vite: 7.3.5, which is the patched release on the vite 7.x line for GHSA-fx2h-pf6j-xcff (server.fs.denybypass) — the same advisory the original 6.4.3 pin guarded against on the vite 6.x line. So the protective intent of the pin is preserved while staying compatible with Angular 20. The other overrides were left unchanged.Verification
npm run buildsucceeds (the two warnings, bundle-budget and missingassets/material-icons.css, are pre-existing and also present on the 19.x baseline).ng testpasses 5/5 specs (ChromeHeadless).ng serveand loaded the app in a browser: the dashboard renders with live data and the lazy-loaded routes (inventory, sales, customers, sales-leads) navigate correctly. The only console messages are pre-existing and benign: the missingmaterial-icons.cssstylesheet (icons still load via Google Fonts) and an AuthService anti-forgery warning for the Power Pages-only token endpoint that does not exist in local dev.npm auditreports 0 vulnerabilities.