Skip to content

Fix Dependabot alerts: upgrade Angular 19 to 20 in car-sales-website#101

Merged
priyanshu92 merged 1 commit into
mainfrom
priyanshu92/fictional-dollop
Jun 17, 2026
Merged

Fix Dependabot alerts: upgrade Angular 19 to 20 in car-sales-website#101
priyanshu92 merged 1 commit into
mainfrom
priyanshu92/fictional-dollop

Conversation

@priyanshu92

Copy link
Copy Markdown
Contributor

Why

The samples/spa/angular/car-sales-website SPA was pinned to Angular 19.2.x, which has four open Dependabot alerts and no patched release on the 19.x line (the advisories list <= 19.2.25 as vulnerable with no 19.x fix). Resolving them requires moving the framework forward one major version. The lowest release that patches all four is Angular 20.3.25.

Alerts addressed

Alert Package Severity Advisory
#434 @angular/core High CVE-2026-54267 / GHSA-rgjc-h3x7-9mwg — Client Hydration DOM Clobbering & Response-Cache Poisoning
#440 @angular/common High CVE-2026-54266 / GHSA-39pv-4j6c-2g6v — Weak 32-bit cache key hashing in HttpTransferCache
#441 @angular/common High CVE-2026-54268 / GHSA-48r7-hpm6-gfxm — DoS via OOM in formatDate
#439 @angular/compiler Medium CVE-2026-54265 / GHSA-58w9-8g37-x9v5 — Two-way property binding sanitization bypass (XSS)

Approach

Bumped the Angular framework from 19.2.x to 20.x and reconciled the dev toolchain that the new major requires:

  • @angular/* framework packages 19.2.x -> 20.3.25
  • @angular/cdk and @angular/material 19.2.x -> 20.2.14 (latest 20.x)
  • @angular/cli and @angular-devkit/build-angular 19.2.x -> 20.3.29
  • typescript ~5.7.2 -> ~5.9.2 (Angular 20 requires >=5.8 <6.0)
  • README "Angular CLI version" reference 19.2.14 -> 20.3.29

package-lock.json was regenerated from a clean install (no manual integrity-hash edits) so the lockfile stays consistent with the registry.

Heads-up for reviewers: the overrides vite pin

The existing overrides block pinned vite: 6.4.3, which was correct for the Angular 19 tree. Angular 20's @angular/build is written against the vite 7 API and depends on vite 7.3.2, so keeping the old vite 6 pin broke ng serve: the dev server returned HTTP 500 for /@vite/client and the app never bootstrapped. A production build still succeeded, so this only surfaced when actually running the app.

The fix bumps the override to vite: 7.3.5, which is the patched release on the vite 7.x line for GHSA-fx2h-pf6j-xcff (server.fs.deny bypass) — the same advisory the original 6.4.3 pin guarded against on the vite 6.x line. So the protective intent of the pin is preserved while staying compatible with Angular 20. The other overrides were left unchanged.

Verification

  • npm run build succeeds (the two warnings, bundle-budget and missing assets/material-icons.css, are pre-existing and also present on the 19.x baseline).
  • ng test passes 5/5 specs (ChromeHeadless).
  • Ran ng serve and loaded the app in a browser: the dashboard renders with live data and the lazy-loaded routes (inventory, sales, customers, sales-leads) navigate correctly. The only console messages are pre-existing and benign: the missing material-icons.css stylesheet (icons still load via Google Fonts) and an AuthService anti-forgery warning for the Power Pages-only token endpoint that does not exist in local dev.
  • npm audit reports 0 vulnerabilities.

The Angular SPA sample pinned Angular 19.2.x, which has no patched
release for four advisories (vulnerable range `<= 19.2.25`, no 19.x
fix published). The lowest patched release that addresses all four is
Angular 20.3.25, so this bumps the framework one major version.

Addresses:
- CVE-2026-54267 / GHSA-rgjc-h3x7-9mwg (high) @angular/core — Client
  Hydration DOM Clobbering & Response-Cache Poisoning (alert #434)
- CVE-2026-54266 / GHSA-39pv-4j6c-2g6v (high) @angular/common — Weak
  32-bit cache key hashing in HttpTransferCache (alert #440)
- CVE-2026-54268 / GHSA-48r7-hpm6-gfxm (high) @angular/common — DoS via
  OOM in formatDate (alert #441)
- CVE-2026-54265 / GHSA-58w9-8g37-x9v5 (medium) @angular/compiler —
  Two-way property binding sanitization bypass / XSS (alert #439)

Changes:
- @angular/* framework packages 19.2.x -> 20.3.25
- @angular/cdk and @angular/material 19.2.x -> 20.2.14 (latest 20.x)
- @angular/cli and @angular-devkit/build-angular 19.2.x -> 20.3.29
- typescript ~5.7.2 -> ~5.9.2 (Angular 20 requires >=5.8 <6.0)
- overrides: vite 6.4.3 -> 7.3.5. Angular 20's @angular/build is built
  against the vite 7 API and depends on vite 7.3.2, so the old vite 6
  pin broke `ng serve` (the dev server returned HTTP 500 for
  /@vite/client and the app never bootstrapped). 7.3.5 is the patched
  release for the vite 7.x line of GHSA-fx2h-pf6j-xcff (server.fs.deny
  bypass) — the same advisory the original 6.4.3 pin guarded against on
  the vite 6.x line.
- README CLI version reference 19.2.14 -> 20.3.29

Regenerated package-lock.json from a clean install (no manual hash
edits) so integrity hashes are correct. Verified with `npm run build`,
`ng test` (5/5 specs pass), and by running `ng serve` and loading the
app in a browser: the dashboard and lazy-loaded routes render with live
data and no new runtime errors. `npm audit` reports 0 vulnerabilities.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@priyanshu92 priyanshu92 merged commit 044a4a7 into main Jun 17, 2026
3 checks passed
@priyanshu92 priyanshu92 deleted the priyanshu92/fictional-dollop branch June 17, 2026 18:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant