[Snyk] Upgrade @angular-devkit/build-angular from 15.0.0 to 19.0.4 #3

snyk-io · 2024-12-31T17:20:48Z

Snyk has created this PR to upgrade @angular-devkit/build-angular from 15.0.0 to 19.0.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

The recommended version is 218 versions ahead of your current version.
The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

Issue	Score	Exploit Maturity
Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	218	Proof of Concept
Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	218	No Known Exploit
Uncontrolled resource consumption SNYK-JS-BRACES-6838727	218	Proof of Concept
Improper Handling of Extra Parameters SNYK-JS-FOLLOWREDIRECTS-6141137	218	Proof of Concept
Denial of Service (DoS) SNYK-JS-HTTPPROXYMIDDLEWARE-8229906	218	Proof of Concept
Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	218	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	218	Proof of Concept
Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	218	No Known Exploit
Uncaught Exception SNYK-JS-SOCKETIO-7278048	218	No Known Exploit
Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	218	No Known Exploit
Uncaught Exception SNYK-JS-ENGINEIO-5496331	218	No Known Exploit
Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892	218	No Known Exploit
Sandbox Bypass SNYK-JS-WEBPACK-3358798	218	Proof of Concept
Path Traversal SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555	218	Proof of Concept
Denial of Service (DoS) SNYK-JS-WS-7266574	218	Proof of Concept
Denial of Service (DoS) SNYK-JS-WS-7266574	218	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	218	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	218	Proof of Concept
Improper Input Validation SNYK-JS-POSTCSS-5926692	218	No Known Exploit
Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	218	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	218	Proof of Concept
Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	218	Proof of Concept
Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	218	Proof of Concept
Prototype Pollution SNYK-JS-JSON5-3182856	218	Proof of Concept
Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	218	No Known Exploit
Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	218	No Known Exploit
Improper Input Validation SNYK-JS-NANOID-8492085	218	No Known Exploit
Open Redirect SNYK-JS-EXPRESS-6474509	218	No Known Exploit
Cross-site Scripting SNYK-JS-EXPRESS-7926867	218	No Known Exploit
Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	218	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-3244450	218	Proof of Concept
Cross-site Scripting (XSS) SNYK-JS-WEBPACK-7840298	218	Proof of Concept
Cross-site Scripting SNYK-JS-SEND-7926862	218	No Known Exploit
Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	218	No Known Exploit

Release notes

Package name: @angular-devkit/build-angular

19.0.4 - 2024-12-05

19.0.4 (2024-12-05)

@ angular-devkit/build-angular

Commit Description

handle windows spec collisions

@ angular/build

Commit Description

show error when Node.js built-ins are used during ng serve

reuse TS package.json cache when rebuilding

19.0.3 - 2024-12-04

19.0.3 (2024-12-04)

@ schematics/angular

Commit	Description
	add required type to `CanDeactivate` guard (#29004)

@ angular/cli

Commit	Description
	correctly select package versions in descending order during `ng add`

@ angular/build

Commit	Description
	add timeout to route extraction
	allow .json file replacements with application builds
	apply define option to JavaScript from scripts option
	avoid deploy URL usage on absolute preload links
	ensure correct handling of `index.output` for SSR

@ angular/ssr

Commit	Description
	apply HTML transformation to CSR responses
	correctly handle serving of prerendered i18n pages
	ensure compatibility for `Http2ServerResponse` type

19.0.2 - 2024-11-25

19.0.2 (2024-11-25)

@ schematics/angular

Commit Description

skip SSR routing prompt in webcontainer

@ angular/build

Commit Description

minimize reliance on esbuild inject to prevent code reordering

prevent errors with parameterized routes when getPrerenderParams is undefined

@ angular/ssr

Commit Description

handle nested redirects not explicitly defined in router config
19.0.1 - 2024-11-21

19.0.1 (2024-11-21)

@ angular-devkit/build-angular

Commit Description

use stylePreprocessorOptions

@ angular/build

Commit Description

ensure accurate content length for server assets

use sha256 instead of sha-256 as hash algorithm name

@ angular/ssr

Commit Description

handle baseHref that start with ./

19.0.0 - 2024-11-19

19.0.0 (2024-11-19)

@ angular/cli

Commit	Description
	handle string key/value pairs, e.g. --define
	recommend optional application update migration during v19 update
	enable Node.js compile code cache when available
	enable Node.js compile code cache when available

@ schematics/angular

Commit	Description
	add option to export component as default
	add option to setup new workspace or application as zoneless mode
	integrate `withEventReplay()` in `provideClientHydration` for new SSR apps
	update app-shell and ssr schematics to adopt new Server Rendering API
	component spec with export default
	don't show server routing prompt when using `browser` builder
	enable opt-in for new `@ angular/ssr` feature
	explicitly set standalone:false
	remove `declaration` and `sourceMap` from default tsconfig
	use default import for `express`

@ angular-devkit/schematics-cli

Commit	Description
	add package manager option to blank schematic

@ angular-devkit/architect

Commit	Description
	merge object options from CLI

@ angular-devkit/build-angular

Commit	Description
	karma-coverage w/ app builder
	karma+esbuild+watch
	support karma with esbuild
	bring back style tags in browser builder
	fix --watch regression in karma
	fix hanging terminal when `browser-sync` is not installed
	handle basename collisions
	handle main field
	remove double-watch in karma
	serve assets
	zone.js/testing + karma + esbuild
	remove deprecated `browserTarget`
	remove Protractor builder and schematics

@ angular-devkit/core

Commit	Description
	remove deprecated `fileBuffer` function in favor of `stringToFileBuffer`

@ angular/build

Commit	Description
	add `sass` to `stylePreprocessorOptions` in application builder
	Auto-CSP support as a part of angular.json schema
	enable component stylesheet hot replacement by default
	introduce `outputMode` option to the application builder
	introduce `ssr.experimentalPlatform` option
	set development/production condition
	utilize `ssr.entry` during prerendering to enable access to local API routes
	utilize `ssr.entry` in Vite dev-server when available
	add missing redirect in SSR manifest
	add warning when `--prerendering` or `--app-shell` are no-ops
	always clear dev-server error overlay on non-error result
	always record component style usage for HMR updates
	avoid hashing development external component stylesheets
	avoid overwriting inline style bundling additional results
	check referenced files against native file paths
	correctly use dev-server hmr option to control stylesheet hot replacement
	disable dev-server websocket when live reload is disabled
	ensure `index.csr.html` is always generated when prerendering or SSR are enabled
	ensure accurate content size in server asset metadata
	ensure SVG template URLs are considered templates with external stylesheets
	Exclude known `--import` from execArgv when spawning workers
	fully disable component style HMR in JIT mode
	handle `APP_BASE_HREF` correctly in prerendered routes
	incomplete string escaping or encoding
	move lmdb to optionalDependencies
	prevent prerendering of catch-all routes
	relax constraints on external stylesheet component id
	set `ngServerMode` during vite prebundling
	simplify disabling server features with `--no-server` via command line
	skip wildcard routes from being listed as prerendered routes
	synchronize import/export conditions between bundler and TypeScript
	update logic to support both internal and external SSR middlewares
	use named export `reqHandler` for server.ts request handling
	workaround Vite CSS ShadowDOM hot replacement
	remove automatic addition of `@ angular/localize/init` polyfill and related warnings

@ angular/ssr

Commit	Description
	add `createRequestHandler` and `createNodeRequestHandler` utilities
	Add `getHeaders` Method to `AngularAppEngine` and `AngularNodeAppEngine` for handling pages static headers
	add `isMainModule` function
	add server routing configuration API
	dynamic route resolution using Angular router
	export `AngularAppEngine` as public API
	expose `writeResponseToNodeResponse` and `createWebRequestFromNodeRequest` in public API
	improve handling of aborted requests in `AngularServerApp`
	introduce `AngularNodeAppEngine` API for Node.js integration
	introduce new hybrid rendering API
	move `CommonEngine` API to `/node` entry-point
	add missing peer dependency on `@ angular/platform-server`
	add validation to prevent use of `provideServerRoutesConfig` in browser context