Bump @angular/core from 20.3.24 to 20.3.25#5850
Bumps [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) from 20.3.24 to 20.3.25.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v20.3.25/packages/core)

---
updated-dependencies:
- dependency-name: "@angular/core"
  dependency-version: 20.3.25
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Superseded by #5859, which bumps the entire peer-locked
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Combined Angular framework bump from 20.3.24 to 20.3.25, addressing the security advisories that Dependabot raised as three separate, individually unmergeable PRs (DSpace#5850 @angular/core, DSpace#5851 @angular/compiler, DSpace#5852 @angular/common).

Angular peer dependencies require every @angular/* framework package to be the exact same version, so bumping one package at a time fails npm install with ERESOLVE. This bumps the whole peer-locked family together: animations, common, compiler, core, forms, localize, platform-browser, platform-browser-dynamic, platform-server, router, and compiler-cli (compiler-cli has an exact peer on compiler, so it must move in lockstep).

The package-lock.json also picks up a few in-range transitive patch refreshes in the mirador/react subtree (react-rnd, notistack, goober, clsx) as a byproduct of npm reconciling the lock. Verified with npm ci.

Advisories resolved (fixed in 20.3.25):
- GHSA-rgjc-h3x7-9mwg (High) @angular/core: hydration DOM clobbering and response-cache poisoning
- GHSA-39pv-4j6c-2g6v (High) @angular/common: weak 32-bit cache key in HttpTransferCache, cross-request data leakage
- GHSA-48r7-hpm6-gfxm (High) @angular/common: DoS via OOM in formatDate
- GHSA-58w9-8g37-x9v5 (Med) @angular/compiler: two-way binding sanitization bypass (XSS)
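The lockstep requirement described in the comment above is easy to verify mechanically before merging a bump. The following is an added example, not code from the DSpace repository or from Dependabot: it reads a package-lock.json `packages` map (lockfileVersion 2/3 layout, assumed) and reports any @angular/* family member whose resolved version differs from @angular/core's, plus any still below the patched release. The lock objects are constructed inline; in a real checkout you would `JSON.parse` the lock file instead.

```javascript
// Added example, not code from the DSpace PR or from Dependabot: a lockstep check
// for the @angular/* family described in the comment above. It reads the
// package-lock.json "packages" map (lockfileVersion 2/3 layout) and reports any
// framework package whose resolved version differs from @angular/core's, plus any
// still below the patched release. The lock objects here are constructed inline.
const ANGULAR_FAMILY = [
  '@angular/animations', '@angular/common', '@angular/compiler', '@angular/core',
  '@angular/forms', '@angular/localize', '@angular/platform-browser',
  '@angular/platform-browser-dynamic', '@angular/platform-server',
  '@angular/router', '@angular/compiler-cli',
];

// Numeric "major.minor.patch" comparison; prerelease tags are not handled (assumption).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns { reference, mismatched, belowFix }: reference is @angular/core's
// resolved version, mismatched lists family members at a different version,
// belowFix lists members still older than fixedVersion.
function checkAngularLockstep(lock, fixedVersion) {
  const packages = lock.packages || {};
  const resolved = {};
  for (const name of ANGULAR_FAMILY) {
    const entry = packages['node_modules/' + name];
    if (entry && entry.version) resolved[name] = entry.version;
  }
  const reference = resolved['@angular/core'] || null;
  const mismatched = Object.keys(resolved).filter((n) => resolved[n] !== reference);
  const belowFix = Object.keys(resolved).filter(
    (n) => compareVersions(resolved[n], fixedVersion) < 0,
  );
  return { reference, mismatched, belowFix };
}

// Constructed lock fragment: core at one version, the rest of the family at another.
function makeLock(coreVersion, restVersion) {
  const packages = {};
  for (const name of ANGULAR_FAMILY) {
    packages['node_modules/' + name] = {
      version: name === '@angular/core' ? coreVersion : restVersion,
    };
  }
  return { lockfileVersion: 3, packages };
}
```

`makeLock('20.3.25', '20.3.24')` reproduces the state a single-package Dependabot bump would leave, and the check flags the other ten packages; `makeLock('20.3.25', '20.3.25')` is the state the combined PR produces and reports nothing.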
Bumps @angular/core from 20.3.24 to 20.3.25.
Commits
- ca48b47 fix(core): validate lowercase SVG animation attribute names (#69270)
- 1a62130 fix(common): use cryptographically secure SHA-256 for transfer cache key gene...
- 49368c1 fix(platform-server): harden platform location origin validation during SSR
- 566ad05 fix(common): skip transfer cache for uncacheable HTTP traffic
- 768a349 fix(core): harden TransferState restoration against DOM clobbering

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.