
Commit 5aeda68

Bump @angular/* framework packages to 20.3.25 (security)
Combined Angular framework bump from 20.3.24 to 20.3.25, addressing the security advisories that Dependabot raised as three separate, individually unmergeable PRs (DSpace#5850 @angular/core, DSpace#5851 @angular/compiler, DSpace#5852 @angular/common).

Angular peer dependencies require every @angular/* framework package to be the exact same version, so bumping one package at a time fails npm install with ERESOLVE. This bumps the whole peer-locked family together: animations, common, compiler, core, forms, localize, platform-browser, platform-browser-dynamic, platform-server, router, and compiler-cli (compiler-cli has an exact peer on compiler, so it must move in lockstep).

The package-lock.json also picks up a few in-range transitive patch refreshes in the mirador/react subtree (react-rnd, notistack, goober, clsx) as a byproduct of npm reconciling the lock.

Verified with npm ci.

Advisories resolved (fixed in 20.3.25):
- GHSA-rgjc-h3x7-9mwg (High) @angular/core: hydration DOM clobbering and response-cache poisoning
- GHSA-39pv-4j6c-2g6v (High) @angular/common: weak 32-bit cache key in HttpTransferCache, cross-request data leakage
- GHSA-48r7-hpm6-gfxm (High) @angular/common: DoS via OOM in formatDate
- GHSA-58w9-8g37-x9v5 (Med) @angular/compiler: two-way binding sanitization bypass (XSS)
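The lockstep constraint the commit message describes (every @angular/* framework package on the identical version, otherwise npm install fails with ERESOLVE) is easy to enforce as a pre-merge check. The following Node.js script is an added example, not code from this commit or from the DSpace project: it reads a package.json object, reports any @angular/* framework package whose version differs from the rest, and separately reports packages still below a given fixed release (20.3.25, the version the commit says resolves the four advisories). The package.json contents and the package list are constructed here for illustration; the version comparison is a plain major.minor.patch compare and does not handle prerelease tags.

```javascript
// Added example (not from the DSpace commit): check that all @angular/*
// framework packages in a package.json are pinned in lockstep and are at
// or above the release that fixes the listed advisories.

// Framework packages that Angular peer-locks to one version (list taken
// from the commit message; extend it if your project uses more).
const ANGULAR_FRAMEWORK = [
  '@angular/animations', '@angular/common', '@angular/compiler',
  '@angular/compiler-cli', '@angular/core', '@angular/forms',
  '@angular/localize', '@angular/platform-browser',
  '@angular/platform-browser-dynamic', '@angular/platform-server',
  '@angular/router',
];

// Strip a leading range operator so "^20.3.24" and "~20.3.24" compare as 20.3.24.
function bareVersion(spec) {
  return String(spec).replace(/^[\^~=<> ]+/, '');
}

// Numeric major.minor.patch comparison; returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = bareVersion(a).split('.').map(Number);
  const pb = bareVersion(b).split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Declared spec of every framework package across dependencies and devDependencies.
function angularSpecs(pkg) {
  const specs = {};
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (ANGULAR_FRAMEWORK.includes(name)) specs[name] = spec;
    }
  }
  return specs;
}

// Packages whose version differs from the majority version. These are the
// ones a single-package Dependabot bump leaves behind and that make
// `npm install` fail with ERESOLVE.
function findLockstepViolations(pkg) {
  const specs = angularSpecs(pkg);
  const counts = {};
  for (const spec of Object.values(specs)) {
    const v = bareVersion(spec);
    counts[v] = (counts[v] || 0) + 1;
  }
  const versions = Object.keys(counts);
  if (versions.length <= 1) return [];
  const majority = versions.sort((x, y) => counts[y] - counts[x])[0];
  return Object.entries(specs)
    .filter(([, spec]) => bareVersion(spec) !== majority)
    .map(([name, spec]) => ({ name, spec, expected: majority }));
}

// Framework packages still below the release that fixes the advisories.
function findBelowFixed(pkg, fixedVersion) {
  return Object.entries(angularSpecs(pkg))
    .filter(([, spec]) => compareVersions(spec, fixedVersion) < 0)
    .map(([name, spec]) => ({ name, spec }));
}

// Combined report; an empty report means the dependency set is safe to merge.
function checkAngularFamily(pkg, fixedVersion) {
  return {
    lockstepViolations: findLockstepViolations(pkg),
    belowFixed: findBelowFixed(pkg, fixedVersion),
  };
}

// Constructed sample: the state a single-package bump (only @angular/core
// moved to 20.3.25) would leave in package.json.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    '@angular/animations': '^20.3.24',
    '@angular/common': '^20.3.24',
    '@angular/core': '^20.3.25',
    '@angular/router': '^20.3.24',
    'react': '^18.3.1',
  },
  devDependencies: { '@angular/compiler-cli': '^20.3.24' },
};

console.log(JSON.stringify(checkAngularFamily(SAMPLE_PACKAGE_JSON, '20.3.25'), null, 2));
```

Run it against a real package.json by replacing SAMPLE_PACKAGE_JSON with `JSON.parse(require('fs').readFileSync('package.json', 'utf8'))`; a non-empty lockstepViolations list is exactly the condition that produced the three unmergeable Dependabot PRs, and a non-empty belowFixed list means at least one advisory is still open even if the versions happen to agree.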
1 parent d929c2c commit 5aeda68

2 files changed

Lines changed: 112 additions & 101 deletions

File tree

package-lock.json

Lines changed: 101 additions & 90 deletions
