[Snyk] Security upgrade @angular/cli from 10.2.4 to 12.0.0 #56
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
SNYK-JS-SEMVER-3247795
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: @angular/cli
-
12.0.0 - 2021-05-12
-
12.0.0-rc.3 - 2021-05-11
Commit
Description
Notes
propagate update's force option to package managers
allow unsetting config when value is `undefined`
allow config object to be of JSON.
disallow additional properties in builders sections
-
12.0.0-rc.2 - 2021-05-06
Commit
Description
Notes
disable CSS declaration sorting optimizations
[Closes #20693]
Commit
Description
Notes
don't display options multiple times in schematics help output
change package installation to async
infer schematic defaults correctly when using `--project`
[Closes #20666]
Commit
Description
Notes
rebuild Angular required files asynchronously
reduce source file and Webpack module iteration
Commit
Description
Notes
add "type" option in enum schematic
only run `emitDecoratorMetadata` removal migration in safe workspaces
replace `clientProject` with `project`
-
12.0.0-rc.1 - 2021-04-28
Commit
Description
Notes
remove left-over `forkTypeChecker` option
output webpack-dev-server and webpack-dev-middleware errors
improve incremental time during Karma tests
avoid async downlevel for known ES2015 code
Commit
Description
Notes
improve handling of set schema values
[Closes #20594]
Commit
Description
Notes
add package manager name and version in `ng version` output
Support XDG Base Directory Specfication
Commit
Description
Notes
remove jasmine-spec-reporter and ts-node from default workspace
remove Protractor from home page
remove lint command from package.json
[Closes #20618]
avoid unuse imports for canLoad guard generation
fix migration for namedChunks and option
Commit
Description
Notes
accept windows like paths for schematics
-
12.0.0-rc.0 - 2021-04-21
Commit
Description
Notes
avoid double build optimizer processing
replace Webpack 4 `hashForChunk` hook usage
use new Webpack watch API in karma webpack plugin
recover from CSS optimization errors
disable Webpack 5 automatic public path support
always inject live reload client when using live reload
change several builder options defaults
show warning when using stylus
set Tailwind CSS mode when using Tailwind
avoid triggering file change after file build
use Webpack's GC memory caching in watch mode
Commit
Description
Notes
ignore `tsickle` during updates
run all migrations when updating from or between prereleases
Commit
Description
Notes
only track actual resource file dependencies
cache results of processed inline resources
Commit
Description
Notes
set `inlineStyleLanguage` when application `style` option is used
set `inlineStyleLanguage` for universal if present in build options
Option
Previous default value
New default value
optimization
false
true
aot
false
true
buildOptimizer
false
true
sourceMap
true
false
extractLicenses
false
true
namedChunks
true
false
vendorChunk
true
false
Option
Previous default value
New default value
optimization
false
true
sourceMap
true
false
-
12.0.0-next.9 - 2021-04-14
Commit
Description
Notes
upgrade to Webpack 5 throughout the build system
support processing component inline CSS styles
support specifying stylesheet language for inline component styles
update karma builder to use non-deprecated API
disable webpack cache when using `NG_BUILD_CACHE`
remove duplicate application bundle generation complete message
mark programmatic builder execution functions as experimental
Commit
Description
Notes
support Webpack 5
Commit
Description
Notes
update schema validator
Commit
Description
Notes
add message update updating from non LTS versions of the CLI
Commit
Description
Notes
support multiple plugin instances per compilation
support generating data URIs for inline component styles in JIT
support processing inline component styles in AOT
Commit
Description
Notes
configure new libraries to be published in Ivy partial mode
update `jasmine-spec-reporter` to version 7
migrate web workers to support Webpack 5
update web-worker to support Webpack 5
-
12.0.0-next.8 - 2021-04-07
Commit
Description
Notes
remove deprecated i18nLocale and i18nFormat options from i18n-extract
Commit
Description
Notes
remove Webpack plugin for deprecated ViewEngine compiler
Commit
Description
Notes
run update-i18n migration for server builder
-
12.0.0-next.7 - 2021-04-02
-
12.0.0-next.6 - 2021-03-24
-
12.0.0-next.5 - 2021-03-18
-
12.0.0-next.4 - 2021-03-10
-
12.0.0-next.3 - 2021-03-03
-
12.0.0-next.2 - 2021-02-24
-
12.0.0-next.1 - 2021-02-17
-
12.0.0-next.0 - 2021-02-11
-
11.2.19 - 2022-03-31
-
11.2.18 - 2022-01-13
-
11.2.17 - 2021-12-16
-
11.2.16 - 2021-12-15
-
11.2.15 - 2021-10-27
-
11.2.14 - 2021-06-03
-
11.2.13 - 2021-05-12
-
11.2.12 - 2021-05-06
Commit
Description
Notes
disable CSS declaration sorting optimizations
[Closes #20693]
-
11.2.11 - 2021-04-28
Commit
Description
Notes
output webpack-dev-server and webpack-dev-middleware errors
update CSSNano and PostCSS to fix serveral security issues
[Closes #20606]
Commit
Description
Notes
avoid unuse imports for canLoad guard generation
Commit
Description
Notes
accept windows like paths for schematics
-
11.2.10 - 2021-04-21
Commit
Description
Notes
set Tailwind CSS mode when using Tailwind
Commit
Description
Notes
only check affected files for Angular semantic diagnostics
-
11.2.9 - 2021-04-14
-
11.2.8 - 2021-04-07
-
11.2.7 - 2021-04-02
-
11.2.6 - 2021-03-24
-
11.2.5 - 2021-03-17
-
11.2.4 - 2021-03-10
-
11.2.3 - 2021-03-03
-
11.2.2 - 2021-02-24
-
11.2.1 - 2021-02-17
-
11.2.0 - 2021-02-11
-
11.2.0-rc.1 - 2021-02-05
-
11.2.0-rc.0 - 2021-02-05
-
11.2.0-next.0 - 2021-01-28
-
11.1.4 - 2021-02-05
-
11.1.3 - 2021-02-05
-
11.1.2 - 2021-01-28
-
11.1.1 - 2021-01-22
-
11.1.0 - 2021-01-20
-
11.1.0-rc.0 - 2021-01-14
-
11.1.0-next.4 - 2021-01-06
-
11.1.0-next.3 - 2020-12-17
-
11.1.0-next.2 - 2020-12-09
-
11.1.0-next.1 - 2020-12-03
-
11.1.0-next.0 - 2020-11-18
-
11.0.7 - 2021-01-14
-
11.0.6 - 2021-01-06
-
11.0.5 - 2020-12-17
-
11.0.4 - 2020-12-09
-
11.0.3 - 2020-12-02
-
11.0.2 - 2020-11-18
-
11.0.1 - 2020-11-12
-
11.0.0 - 2020-11-11
-
11.0.0-rc.3 - 2020-11-10
-
11.0.0-rc.2 - 2020-11-05
-
11.0.0-rc.1 - 2020-10-28
-
11.0.0-rc.0 - 2020-10-22
-
11.0.0-next.7 - 2020-10-15
-
11.0.0-next.6 - 2020-10-08
-
11.0.0-next.5 - 2020-10-08
-
11.0.0-next.4 - 2020-10-01
-
11.0.0-next.3 - 2020-09-23
-
11.0.0-next.2 - 2020-09-17
-
11.0.0-next.1 - 2020-09-10
-
11.0.0-next.0 - 2020-09-02
-
10.2.4 - 2021-12-16
from @angular/cli GitHub release notesCommits
@ angular/cli (12.0.0-rc.3)
Special Thanks
Alan Agius, Charles Lyding, Joey Perrott
Commits
@ angular-devkit/build-angular (12.0.0-rc.2)
@ angular/cli (12.0.0-rc.2)
@ ngtools/webpack (12.0.0-rc.2)
@ schematics/angular (12.0.0-rc.2)
Special Thanks
Alan Agius, Charles Lyding, Keen Yee Liau, Sam Bulatov, Doug Parker
Commits
@ angular-devkit/build-angular (12.0.0-rc.1)
@ angular-devkit/core (12.0.0-rc.1)
@ angular/cli (12.0.0-rc.1)
@ schematics/angular (12.0.0-rc.1)
@ angular-devkit/schematics-cli (12.0.0-rc.1)
Special Thanks
Alan Agius, Charles Lyding, Joey Perrott, Cédric Exbrayat, Doug Parker, Joshua Chapman, Billy Lando, Santosh Yadav, mzocateli
Commits
@ angular-devkit/build-angular (12.0.0-rc.0)
@ angular/cli (12.0.0-rc.0)
@ ngtools/webpack (12.0.0-rc.0)
@ schematics/angular (12.0.0-rc.0)
Breaking Changes
@ schematics/angular: remove `stylus` from `style` options (fd729ac)
`styl` (Stylus) is no longer a supported value as `style` in `application`, `component`, `ng-new` schematics. Stylus is not actively maintained and only 0.3% of the Angular CLI users use it.(cherry picked from commit 0272fc5)
@ angular-devkit/build-angular: change several builder options defaults (656f8d7)
A number of browser and server builder options have had their default values changed. The aim of these changes is to reduce the configuration complexity and support the new "production builds by default" initiative.Browser builder
Server builder
(cherry picked from commit 0a74d0d)
Special Thanks
Alan Agius, Charles Lyding, Keen Yee Liau, Joey Perrott, David Shevitz
Commits
@ angular-devkit/build-angular (12.0.0-next.9)
@ angular-devkit/build-webpack (0.1200.0-next.9)
@ angular-devkit/core (12.0.0-next.9)
@ angular/cli (12.0.0-next.9)
@ ngtools/webpack (12.0.0-next.9)
@ schematics/angular (12.0.0-next.9)
Breaking Changes
@ angular-devkit/core: update schema validator (0875313)
support for JSON Schema draft-04 and draft-06 is removed. If you have schemas using the `id` keyword replace them with `$id`. For an interim period we will auto rename any top level `id` keyword to `$id`.NB: This change only effects schematics and builders authors.
@ angular-devkit/build-angular: upgrade to Webpack 5 throughout the build system (d883ce5)
Webpack 5 generates similar but differently named files for lazy loaded JavaScript files in development configurations (when the `namedChunks` option is enabled). For the majority of users this change should have no effect on the application and/or build process. Production builds should also not be affected as the `namedChunks` option is disabled by default in production configurations. However, if a project's post-build process makes assumptions as to the file names then adjustments may need to be made to account for the new naming paradigm. Such post-build processes could include custom file transformations after the build, integration into service-side frameworks, or deployment procedures. Example development file name change: `lazy-lazy-module.js` --> `src_app_lazy_lazy_module_ts.js`@ angular-devkit/build-angular: upgrade to Webpack 5 throughout the build system (d883ce5)
Webpack 5 now includes web worker support. However, the structure of the URL within the `Worker` constructor must be in a specific format that differs from the current requirement. Web worker usage should be updated as shown below (where `./app.worker` should be replaced with the actual worker name):Before:
After:
Special Thanks
Alan Agius, Charles Lyding, Keen Yee Liau, Doug Parker, Douglas Parker
Commits
@ angular-devkit/build-angular (0.1200.0-next.8)
@ ngtools/webpack (12.0.0-next.8)
@ schematics/angular (12.0.0-next.8)
Breaking Changes
@ ngtools/webpack: remove Webpack plugin for deprecated ViewEngine compiler (160102a)
Removal of View Engine support from application builds With the removal of the deprecated View Engine compiler in Angular version 12 for applications, the View Engine Webpack plugin has been removed. The Ivy-based Webpack plugin is the default used within the Angular CLI. If using a custom standalone Webpack configuration, the removed `AngularCompilerPlugin` should be replaced with the Ivy-based `AngularWebpackPlugin`.@ angular-devkit/build-angular: remove deprecated i18n options from server and browser builder (5cf9a08)
Removal of deprecated browser and server command options. - `i18nFile`, use `locales` object in the project metadata instead. - `i18nFormat`, No longer needed as the format will be determined automatically. - `i18nLocale`, use `localize` option instead.@ angular-devkit/build-angular: remove deprecated i18nLocale and i18nFormat options from i18n-extract (eca5a01)
Removal of deprecated `extract-i18n` command options The deprecated `i18nLocale` option has been removed and the `i18n.sourceLocale` within a project's configuration should be used instead. The deprecated `i18nFormat` option has been removed and the `format` option should be used instead.Special Thanks
Charles Lyding, Renovate Bot, Alan Agius, Doug Parker, Joey Perrott
Commits
@ angular-devkit/build-angular (0.1102.12)
Special Thanks
Keen Yee Liau, Alan Agius, Doug Parker
Commits
@ angular-devkit/build-angular (0.1102.11)
@ schematics/angular (11.2.11)
@ angular-devkit/schematics-cli (0.1102.11)
Special Thanks
Joey Perrott, Charles Lyding, Alan Agius, Doug Parker, Billy Lando, mzocateli
Commits
@ angular-devkit/build-angular (0.1102.10)
@ ngtools/webpack (11.2.10)
Special Thanks
Charles Lyding, Joey Perrott, Alan Agius, Keen Yee Liau
No user-facing changes
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)