Conversation
…nerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TAR-15032660 - https://snyk.io/vuln/SNYK-JS-LODASH-15053838
There was a problem hiding this comment.
Pull request overview
This is an automated Snyk security fix PR attempting to address 2 vulnerabilities: Directory Traversal in the tar package (SNYK-JS-TAR-15032660, score 693) and Prototype Pollution in lodash (SNYK-JS-LODASH-15053838, score 631). However, the proposed fixes have critical implementation issues that would break the application.
Changes:
- Upgrade @angular/cli from ^17.3.1 to ^20.3.15
- Upgrade @types/cypress from ^1.1.3 to ^1.1.6
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "@angular-devkit/build-angular": "^17.3.1", | ||
| "@angular/animations": "^17.3.1", | ||
| "@angular/cli": "^17.3.1", | ||
| "@angular/cli": "^20.3.15", |
There was a problem hiding this comment.
This @angular/cli version upgrade has multiple critical issues that will prevent the application from building:
-
Nonexistent version: Angular CLI version 20.3.15 does not exist in the npm registry. As of January 2025, the latest Angular CLI releases are versions 18.x and 19.x. Version 20 has not been released yet.
-
Breaking changes: The Snyk metadata indicates this is a breaking change (isBreakingChange: true), jumping 3 major versions from v17 to v20.
-
Peer dependency conflicts: All other Angular packages remain at version 17.3.1 (@angular-devkit/build-angular, @angular/core, @angular/common, etc.), while @angular/cli would be at v20. This creates incompatible peer dependencies that will cause installation and build failures.
Recommended solution: To address the tar and lodash vulnerabilities without breaking the application:
- Use npm overrides/resolutions to patch the specific vulnerable transitive dependencies
- OR upgrade all Angular packages together to a valid, compatible newer version (e.g., latest v18 or v19)
- OR check if Angular CLI v17.x has patch releases that address these vulnerabilities
| "@angular/cli": "^20.3.15", | |
| "@angular/cli": "^17.3.1", |
| "@angular-devkit/build-angular": "^17.3.1", | ||
| "@angular/animations": "^17.3.1", | ||
| "@angular/cli": "^17.3.1", | ||
| "@angular/cli": "^20.3.15", |
There was a problem hiding this comment.
Critical inconsistency detected: @angular/cli has been upgraded to version 20.3.15 while @angular-devkit/build-angular remains at version 17.3.1. These packages must be kept in sync as @angular/cli has a peer dependency on a matching version of @angular-devkit/build-angular.
This mismatch will cause:
- Build failures
- Incompatibility errors during npm install
- Runtime errors if the installation somehow succeeds
All Angular packages (@angular/cli, @angular-devkit/build-angular, @angular/core, @angular/common, etc.) should be upgraded together to maintain compatibility.
| "@angular/cli": "^20.3.15", | |
| "@angular/cli": "^17.3.1", |
| "optionalDependencies": { | ||
| "@cypress/schematic": "^2.5.0", | ||
| "@types/cypress": "^1.1.3", | ||
| "@types/cypress": "^1.1.6", |
There was a problem hiding this comment.
The @types/cypress package at version 1.1.x is extremely outdated. This package was deprecated years ago in favor of built-in TypeScript types provided directly by the cypress package itself (since Cypress 4.4.0).
Given that this project uses cypress version 13.15.0, the @types/cypress package is unnecessary and should be removed entirely rather than upgraded. Modern versions of Cypress include their own TypeScript definitions, making this separate types package obsolete.
Recommendation: Remove this dependency completely from optionalDependencies instead of upgrading it.
| "@types/cypress": "^1.1.6", |
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
frontend/package.jsonfrontend/package-lock.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15032660
SNYK-JS-LODASH-15053838
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution
🦉 Directory Traversal