Commit 5aeda68
Bump @angular/* framework packages to 20.3.25 (security)
Combined Angular framework bump from 20.3.24 to 20.3.25, addressing the
security advisories that Dependabot raised as three separate, individually
unmergeable PRs (DSpace#5850 @angular/core, DSpace#5851 @angular/compiler,
DSpace#5852 @angular/common).
Angular peer dependencies require every @angular/* framework package to be
the exact same version, so bumping one package at a time fails npm install
with ERESOLVE. This bumps the whole peer-locked family together:
animations, common, compiler, core, forms, localize, platform-browser,
platform-browser-dynamic, platform-server, router, and compiler-cli
(compiler-cli has an exact peer on compiler, so it must move in lockstep).
The package-lock.json also picks up a few in-range transitive patch
refreshes in the mirador/react subtree (react-rnd, notistack, goober,
clsx) as a byproduct of npm reconciling the lock. Verified with npm ci.
Advisories resolved (fixed in 20.3.25):
- GHSA-rgjc-h3x7-9mwg (High) @angular/core: hydration DOM clobbering and
response-cache poisoning
- GHSA-39pv-4j6c-2g6v (High) @angular/common: weak 32-bit cache key in
HttpTransferCache, cross-request data leakage
- GHSA-48r7-hpm6-gfxm (High) @angular/common: DoS via OOM in formatDate
- GHSA-58w9-8g37-x9v5 (Med) @angular/compiler: two-way binding
sanitization bypass (XSS)
1 parent d929c2c commit 5aeda68
2 files changed
Lines changed: 112 additions & 101 deletions
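The lockstep constraint the commit message describes (every @angular/* framework package on the exact same version, or npm fails with ERESOLVE) is easy to check in CI before a bump lands. The script below is an added example, not code from the DSpace repository; `findAngularVersionMismatches` and the sample package.json object are hypothetical, and the check compares version specs as literal strings.

```javascript
// Added example (not from the DSpace commit): verify that all @angular/*
// packages in a parsed package.json share one version spec, so a partial
// Dependabot bump (one package moved, the rest left behind) is caught early.

// Collect @angular/* entries across the dependency sections of a parsed package.json.
function collectAngularVersions(pkg) {
  const sections = ["dependencies", "devDependencies", "peerDependencies"];
  const found = {};
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (name.startsWith("@angular/")) found[name] = spec;
    }
  }
  return found;
}

// Return the packages whose version spec differs from the majority spec,
// or an empty array when the whole peer-locked family is in lockstep.
function findAngularVersionMismatches(pkg) {
  const versions = collectAngularVersions(pkg);
  const counts = {};
  for (const spec of Object.values(versions)) counts[spec] = (counts[spec] || 0) + 1;
  const specs = Object.keys(counts);
  if (specs.length <= 1) return [];
  const majority = specs.reduce((a, b) => (counts[a] >= counts[b] ? a : b));
  return Object.entries(versions)
    .filter(([, spec]) => spec !== majority)
    .map(([name, spec]) => ({ name, spec, expected: majority }));
}

// Constructed sample: only @angular/core was bumped, mirroring a single
// Dependabot PR applied in isolation; the rest of the family is still on 20.3.24.
const samplePkg = {
  dependencies: {
    "@angular/common": "20.3.24",
    "@angular/compiler": "20.3.24",
    "@angular/core": "20.3.25",
    "@angular/router": "20.3.24",
  },
  devDependencies: { "@angular/compiler-cli": "20.3.24" },
};

// Report mismatches; a non-empty list means npm install will hit ERESOLVE.
for (const m of findAngularVersionMismatches(samplePkg)) {
  console.log(`${m.name} is ${m.spec}, expected ${m.expected}`);
}
```

Point the function at `JSON.parse(fs.readFileSync("package.json", "utf8"))` to run it against a real project, and fail the CI job when the returned list is non-empty.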