This repository has been archived by the owner on May 5, 2023. It is now read-only.

Update dependency @angular/core to v11 [SECURITY] #87

Open

renovate wants to merge 1 commit into master from renovate/npm-@angular/core-vulnerability

renovate bot commented Jun 18, 2022 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@angular/core	`8.2.4` -> `11.0.5`

GitHub Vulnerability Alerts

CVE-2021-4231

A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component.

Release Notes

angular/angular

`v11.0.5`

Bug Fixes

compiler: handle strings inside bindings that contain binding characters (#39826) (f5aab2b), closes #39601
core: fix possible XSS attack in development through SSR. (#40136) (0aa220b)
core: set ngDevMode to false when calling enableProdMode() (#40124) (922f492)
upgrade: fix HMR for hybrid applications (#40045) (c4c7509), closes #39935

`v11.0.4`

Bug Fixes

animations: implement getPosition in browser animation builder (#39983) (5a765f0)
compiler-cli: correct incremental behavior even with broken imports (#39967) (adeeb84)
compiler-cli: remove the concept of an errored trait (#39967) (0aa35ec)
compiler-cli: track poisoned scopes with a flag (#39967) (178cc51)
core: remove application from the testability registry when the root view is removed (#39876) (3680ad1), closes #22106
core: unsubscribe from the onError when the root view is removed (#39940) (35309bb)
language-service: do not return external template that does not exist (#39898) (6b6fcd7)
language-service: do not treat file URIs as general URLs (#39917) (829988b)
service-worker: handle error with ErrorHandler (#39990) (588dbd3), closes #39913
upgrade: avoid memory leak when removing downgraded components (#39965) (97310d3), closes #26209 #39911 #39921

Performance Improvements

animations: use ngDevMode to tree-shake warning (#39964) (72aad32)
common: use ngDevMode to tree-shake warnings (#39964) (bf3de9b)
core: use ngDevMode to tree-shake checkNoChanges (#39964) (2fbb684)
core: use ngDevMode to tree-shake warnings (#39959) (1e3534f)
forms: use ngDevMode to tree-shake _ngModelWarning (#39964) (735556d)

`v11.0.3`

Bug Fixes

animations: getAnimationStyle causes exceptions in older browsers (#29709) (cb1d77a)
animations: replace copy of query selector node-list from "spread" to "for" (#39646) (e95cd2a), closes #38551
common: Prefer to use pageXOffset / pageYOffset instance of scrollX / scrollY (#28262) (5692607)
compiler: ensure that placeholders have the correct sourceSpan (#39717) (8ec7156), closes #39671
compiler: report better error on interpolation in an expression (#30300) (6dc74fd)
compiler-cli: report error when a reference target is missing instead of crashing (#39805) (8634611), closes #38618 #39744
core: Ensure OnPush ancestors are marked dirty when events occur (#39833) (01c1bfd), closes #39832
core: meta addTag() adds incorrect attribute for httpEquiv (#32531) (3114b0a)
core: migration error if program contains files outside the project (#39790) (7dcc212), closes #39778
core: not invoking object's toString when rendering to the DOM (#39843) (75e22ab), closes #38839
core: remove duplicated noop function (#39761) (26a1337)
core: support Attribute DI decorator in deps section of a token (#37085) (aaa3111), closes #36479
router: correctly handle string command in outlets (#39728) (50c19a2), closes #18928
router: remove duplicated getOutlet function (#39764) (df231ad)
service-worker: correctly handle failed cache-busted request (#39786) (7bf73d7), closes #39775 #39775

DEPRECATIONS

forms: Mark the {[key: string]: any} type for the options property of the FormBuilder.group method as deprecated. Using AbstractControlOptions gives the same functionality and is type-safe.

`v11.0.2`

Bug Fixes

router: migration incorrectly replacing deprecated key (#39763) (0237845), closes #38762 #39755

`v11.0.1`

Bug Fixes

compiler-cli: incorrectly type checking calls to implicit template variables (#39686) (e05cfdd), closes #39634 * compiler-cli: setComponentScope should only list used components/pipes (#39662) (8d317df) * core: handle !important in style property value (#39603) (978f081), closes #35323 * core: not inserting ViewContainerRef nodes when inside root of a component (#39599) (20db90a), closes #39556 * core: remove deprecated wtfZoneSpec from NgZone (#37864) (e02bea8), closes #33949
forms: more precise control cleanup (#39623) (050cea9)
http: queue jsonp <script> tag onLoad event handler in microtask (#39512) (10e4ac0), closes #39496

Performance Improvements

compiler: optimize computation of i18n message ids (#39694) (1891455)
compiler: use raw bytes to represent utf-8 encoded strings (#39694) (882ff8f)
compiler-cli: reduce filesystem hits during resource resolution (#39604) (a7adcbd)

`v11.0.0`

Blog post "Version 11 of Angular Now Available".

Bug Fixes

bazel: only providing stamping information if the --stamp flag is used (#39392) (84e09a0)
common: do not round up fractions of a millisecond in DatePipe (#38009) (26f2820), closes #37989
common: mark locale data arrays as readonly (#30397) (6acea54), closes #27003
common: add params and reportProgress options to HttpClient.put() overload (#37873) (dd8d8c8), closes #23600
common: correct and simplify typing of KeyValuePipe (#37447) (4dfe0fa)
common: correct and simplify typing of AsyncPipe (#37447) (5f815c0)
common: correct and simplify typing of I18nPluralPipe (#37447) (3b919ef)
common: correct typing and implementation of SlicePipe (#37447) (4744c22)
common: let case conversion pipes accept type unions with null (#37447) (c7d5555), closes #36259
common: add boolean to valid json for testing (#37893) (3c474ec), closes #20690
common: update locales using new CLDR data (#39343) (3738233)
common: change the week-numbering year format from r -> Y (#39495) (feda78e)
compiler: source span for microsyntax text att should be key span (#38766) (8f349b2)
compiler: promote constants in templates to Trusted Types (#39211) (6e18d2d)
compiler: do not throw away render3 AST on errors (#39413) (d76beda)
compiler: treat i18n attributes with no bindings as static attributes (#39408) (bf1caa7), closes #38231
compiler: preserve this.$event and this.$any accesses in expressions (#39323) (a8e0db7), closes #30278
compiler: ensure that i18n message-parts have the correct source-span (#39486) (63f9e16)
compiler: skipping leading whitespace should not break placeholder source-spans (#39486) (b8e9b3d), closes #39195
compiler-cli: compute source-mappings for localized strings (#38645) (7e0b3fd)
compiler-cli: generate let statements in ES2015+ mode (#38775) (123bff7)
compiler-cli: perform DOM schema checks even in basic mode in g3 (#38943) (40975e0)
compiler-cli: type checking of expressions within ICUs (#39072) (0a16e60), closes #39064
compiler-cli: generating invalid setClassMetadata call in ES5 for class with custom decorator (#39527) (b0bbc1f), closes #39509
compiler-cli: report missing pipes when fullTemplateTypeCheck is disabled (#39320) (67ea7b6), closes #38195
compiler-cli: avoid duplicate diagnostics about unknown pipes (#39517) (c68ca49)
compiler-cli: do not drop non-Angular decorators when downleveling (#39577) (f51cf29), closes #39574
core: remove CollectionChangeRecord symbol (#38668) (fdea180)
core: ensure TestBed is not instantiated before override provider (#38717) (c8f056b)
core: use single quotes for relative link resolution migration to align with style guide (#39070) (8894706)
core: migrate relative link resolution with single quotes (#39102) (049b453)
core: use Trusted Types policy in inert DOM builder (#39208) (7d49299)
core: use Trusted Types policy in createNamedArrayType() (#39209) (f6d5cdf)
core: guard reading of global ngDevMode for undefined. (#36055) (f541e5f)
core: do not error when ngDevMode is undeclared (#39415) (cc32932)
core: store ICU state in LView rather than in TView (#39233) (0992b67), closes #37021 #38144 #38073
core: markDirty() should only mark flags when really scheduling tick. (#39316) (3b6497b), closes #39296
core: access injected parent values using SkipSelf (#39464) (7cb9e19)
elements: update the view of an OnPush component when inputs change (#39452) (dd28855), closes #38948
forms: ensure to emit statusChanges on subsequent value update/validations (#38354) (d9fea85), closes #20424 #14542
forms: type NG_VALUE_ACCESSOR injection token as array (#29723) (2b1b718), closes #29351
forms: improve types of directive constructor arguments (#38944) (246de9a)
forms: include null in .parent of abstract control (#32671) (f4f1bcc), closes #16999
forms: remove validators while cleaning up a control (#39234) (43b4940)
language-service: hybrid visitor returns parent node of BoundAttribute (#38995) (323be39)
language-service: [Ivy] hybrid visitor should not locate let keyword (#39061) (70e13dc)
language-service: [Ivy] create compiler only when program changes (#39231) (8f1317f)
localize: render placeholder types in extracted XLIFF files (#39398) (32163ef), closes #38791
localize: serialize all the message locations to XLIFF (#39411) (f5710c6), closes #39330
ngcc: ensure that "inline exports" can be interpreted correctly (#39267) (822b838)
ngcc: capture UMD/CommonJS inner class implementation node correctly (#39346) (fc2e3cc)
platform-server: resolve absolute URL from baseUrl (#39334) (b4e8399)
platform-webworker: remove @angular/platform-webworker and @angular/platform-webworker-dynamic (#38846) (93c3d8f)
router: fix arguments order for call to shouldReuseRoute (#26949) (3817e5f), closes #16192
router: support lazy loading for empty path named outlets (#38379) (926ffcd), closes #12842
router: set relativeLinkResolution to corrected by default (#25609) (837889f)
router: properly assign ExtraOptions to Router in RouterTestingModule (#39096) (d8c0534), closes #23347
router: allow undefined inputs on routerLink (#39151) (b0b4953)
router: create schematic for preserveQueryParams (#38762) (93ee05d)
router: remove preserveQueryParams symbol (#38762) (783a5bd)
router: fix incorrect type signature for createUrlTree (#39347) (161b278)
router: ensure all outlets are used when commands have a prefix (#39456) (b2f3952)
service-worker: fix condition to check for a cache-busted request (#36847) (5be4edf)

Features

common: add ISO week-numbering year formats support to formatDate (#38828) (984ed39)
common: stricter types for DatePipe (#37447) (daf8b7f)
common: stricter types for number pipes (#37447) (7b2aac9)
compiler: parse and recover on incomplete opening HTML tags (#38681) (6ae3b68), closes #38596
compiler: add keySpan to Variable node (#38965) (239968d)
compiler-cli: TemplateTypeChecker operation to get Symbol from a template node (#38618) (c4556db)
compiler-cli: add ability to get Symbol of Templates and Elements in component template (#38618) (cf2e8b9)
compiler-cli: add ability to get Symbol of AST expression in component template (#38618) (f56ece4)
compiler-cli: add ability to get symbol of reference or variable (#38618) (19598b4)
compiler-cli: define interfaces to be used for TemplateTypeChecker (#38618) (9e77bd3)
compiler-cli: support getting resource dependencies for a source file (#38048) (5dbf357)
core: add automated migration to replace async with waitForAsync (#39212) (5ce71e0)
core: add automated migration to replace ViewEncapsulation.Native (#38882) (0e733f3)
core: add initialNavigation schematic (#36926) (0ec7043)
core: add Trusted Types workaround for Function constructor (#39209) (5913e5c)
core: create internal Trusted Types module (#39207) (0875fd2)
core: depend on type definitions for Trusted Types (#39207) (c4266fb)
core: remove ViewEncapsulation.Native (#38882) (4a1c12c)
forms: add migration for AbstractControl.parent accesses (#39009) (aeec223), closes #32671
language-service: add getDefinitionAndBoundSpan (go to definition) (#39101) (3975dd9)
language-service: add quick info for inline templates in ivy (#39060) (904adb7)
language-service: [Ivy] getSemanticDiagnostics for external templates (#39065) (63624a2)
language-service: add getTypeDefinitionAtPosition (go to type definition) (#39145) (a84976f)
language-service: add module name to directive quick info (#39121) (4604fe9)
router: add migration to update calls to navigateByUrl and createUrlTree with invalid parameters (#38825) (7849fdd)
router: add relativeLinkResolution migration to update default value (#38698) (15ea811)
router: add new initialNavigation options to replace legacy (#37480) (c4becca)
service-worker: add UnrecoverableStateError (#36847) (036a2fa), closes #36539
service-worker: add the option to prefer network for navigation requests (#38565) (a206852), closes #38194

Performance Improvements

compiler-cli: only emit directive/pipe references that are used (#38539) (077f516)
compiler-cli: optimize computation of type-check scope information (#38539) (297c060)
compiler-cli: only generate template context declaration when used (#39321) (1ac0500)
core: do not recurse into modules that have already been registered (#39514) (5c13c67), closes #39487
router: use ngDevMode to tree-shake error messages in router (#38674) (db21c4f)

BREAKING CHANGES

common:
- 6acea54:
  The locale data API has been marked as returning readonly arrays, rather than mutable arrays, since these arrays are shared across calls to the API.
  If you were mutating them (e.g. calling sort(), push(), splice(), etc.) then your code will no longer compile.
  If you need to mutate the array, you should now make a copy (e.g. by calling slice()) and mutate the copy.
- 26f2820:
  When passing a date-time formatted string to the DatePipe in a format that contains fractions of a millisecond, the milliseconds will now always be rounded down rather than to the nearest millisecond.
  Most applications will not be affected by this change.
  If this is not the desired behaviour then consider pre-processing the string to round the millisecond part before passing it to the DatePipe.
- 4744c22:
  The slice pipe now returns null for the undefined input value, which is consistent with the behavior of most pipes.
  If you rely on undefined being the result in that case, you now need to check for it explicitly.
- 4dfe0fa:
  The typing of the keyvalue pipe has been fixed to report that for input objects that have number keys, the result will contain the string representation of the keys.
  This was already the case and the types have simply been updated to reflect this.
  Please update the consumers of the pipe output if they were relying on the incorrect types.
  Note that this does not affect use cases where the input values are Maps, so if you need to preserve numbers, this is an effective way.
- 7b2aac9:
  The signatures of the number pipes now explicitly state which types are accepted.
  This should only cause issues in corner cases, as any other values would result in runtime exceptions.
- daf8b7f:
  The signature of the date pipe now explicitly states which types are accepted.
  This should only cause issues in corner cases, as any other values would result in runtime exceptions.
- 5f815c0:
  The async pipe no longer claims to return undefined for an input that was typed as undefined.
  Note that the code actually returned null on undefined inputs.
  In the unlikely case you were relying on this, please fix the typing of the consumers of the pipe output.
- c7d5555:
  The case conversion pipes no longer let falsy values through.
  They now map both null and undefined to null and raise an exception on invalid input (0, false, NaN) just like most "common pipes".
  If your code required falsy values to pass through, you need to handle them explicitly.
compiler:
- 736e064:
  TypeScript 3.9 is no longer supported, please upgrade to TypeScript 4.0.
compiler-cli:
- 0a16e60:
  Expressions within ICUs are now type-checked again, fixing a regression in Ivy.
  This may cause compilation failures if errors are found in expressions that appear within an ICU.
  Please correct these expressions to resolve the type-check errors.
core:
- fdea180:
  CollectionChangeRecord has been removed, use IterableChangeRecord instead.
- c8f056b:
  If you call TestBed.overrideProvider after TestBed initialization, provider overrides are not applied.
  This behavior is consistent with other override methods (such as TestBed.overrideDirective, etc.) but they throw an error to indicate that, when the check was missing in the TestBed.overrideProvider function.
  Now calling TestBed.overrideProvider after TestBed initialization also triggers an error, thus there is a chance that some tests (where TestBed.overrideProvider is called after TestBed initialization) will start to fail and require updates to move TestBed.overrideProvider calls before TestBed initialization is completed.
- 4ca1c73:
  In v10, IE 9, 10, and IE mobile support was deprecated.
  In v11, Angular framework removes IE 9, 10, and IE mobile support completely.
  Supporting outdated browsers like these increases bundle size, code complexity, and test load, and also requires time and effort that could be spent on improvements to the framework.
  For example, fixing issues can be more difficult, as a straightforward fix for modern browsers could break old ones that have quirks due to not receiving updates from vendors.
- 4a1c12c:
  ViewEncapsulation.Native has been removed. Use ViewEncapsulation.ShadowDom instead.
  Existing usages will be updated automatically by ng update.
forms:
- d9fea85:
  Previously if FormControl, FormGroup and FormArray class instances had async validators defined at initialization time, the status change event was not emitted once async validators completed.
  After this change the status event is emitted into the statusChanges observable.
  If your code relies on the old behavior, you can filter/ignore this additional status change event.
- 246de9a:
  Directives in the @angular/forms package used to have any[] as a type of validators and asyncValidators arguments in constructors.
  Now these arguments are properly typed, so if your code relies on directive constructor types it may require some updates to improve type safety.
- f4f1bcc:
  Type of AbstractFormControl.parent now includes null.
  null is now included in the types of .parent.
  If you don't already have a check for this case, the TypeScript compiler might complain.
  A v11 migration exists which adds the non-null assertion operator where necessary.
  In an unlikely case your code was testing the parent against undefined with strict equality, you'll need to change this to === null instead, since the parent is now explicitly initialized with null instead of being left undefined.
platform-server:
- b4e8399:
  If you use useAbsoluteUrl to set up platform-server, you now need to also specify baseUrl.
  We are intentionally making this a breaking change in a minor release, because if useAbsoluteUrl is set to true then the behavior of the application could be unpredictable, resulting in issues that are hard to discover but could be affecting production environments.
platform-webworker:
- 93c3d8f:
  @angular/platform-webworker and @angular/platform-webworker-dynamic have been removed as they were deprecated in v8.
router:
- 3817e5f:
  This change corrects the argument order when calling RouteReuseStrategy#shouldReuseRoute.
  Previously, when evaluating child routes, they would be called with the future and current arguments would be swapped.
  If your RouteReuseStrategy relies specifically on only the future or current snapshot state, you may need to update the shouldReuseRoute implementation's use of "future" and "current" ActivatedRouteSnapshots.
- e4f4d18:
  While the new parameter types allow a variable of type NavigationExtras to be passed in, they will not allow object literals, as they may only specify known properties.
  They will also not accept types that do not have properties in common with the ones in the Pick.
  To fix this error, only specify properties from the NavigationExtras which are actually used in the respective function calls or use a type assertion on the object or variable: as NavigationExtras.
- 837889f:
  This commit changes the default value of relativeLinkResolution from 'legacy' to 'default'.
  If your application previously used the default by not specifying a value in the ExtraOptions and uses relative links when navigating from children of empty path routes, you will need to update your RouterModule to specifically specify 'legacy' for relativeLinkResolution.
  See https://angular.io/api/router/ExtraOptions#relativeLinkResolution for more details.
- c4becca:
  The initialNavigation property for the options in RouterModule.forRoot no longer supports legacy_disabled, legacy_enabled, true, or false as valid values.
  legacy_enabled (the old default) is instead enabledNonBlocking.
- c4becca:
  enabled is deprecated as a valid value for the RouterModule.forRoot initialNavigation option.
  enabledBlocking has been introduced to replace it.
- 783a5bd:
  preserveQueryParams has been removed, use queryParamsHandling: "preserve" instead.
- b0b4953:
  If you were accessing the RouterLink values of queryParams, fragment or queryParamsHandling you might need to relax the typing to also accept undefined and null.

Code Refactoring

compiler: remove support for TypeScript 3.9 (#39313) (736e064)
router: adjust type of parameter in navigateByUrl and createUrlTree to be more accurate (#38227) (e4f4d18), closes #18798

`v10.2.5`

`v10.2.4`

`v10.2.3`

`v10.2.2`

`v10.2.1`

`v10.2.0`

`v10.1.6`

`v10.1.5`

`v10.1.4`

`v10.1.3`

`v10.1.2`

`v10.1.1`

`v10.1.0`

`v10.0.14`

`v10.0.13`

`v10.0.12`

`v10.0.11`

`v10.0.10`

`v10.0.9`

`v10.0.8`

`v10.0.7`

`v10.0.6`

`v10.0.5`

`v10.0.4`

`v10.0.3`

`v10.0.2`

`v10.0.1`

`v10.0.0`

`v9.1.13`

`v9.1.12`

`v9.1.11`

`v9.1.10`

`v9.1.9`

`v9.1.8`

`v9.1.7`

`v9.1.6`

`v9.1.5`

`v9.1.4`

`v9.1.3`

`v9.1.2`

`v9.1.1`

`v9.1.0`

`v9.0.7`

`v9.0.6`

`v9.0.5`

`v9.0.4`

`v9.0.3`

`v9.0.2`

`v9.0.1`

`v9.0.0`

`v8.2.14`

`v8.2.13`

`v8.2.12`

`v8.2.11`

`v8.2.10`

`v8.2.9`

`v8.2.8`

`v8.2.7`

`v8.2.6`

`v8.2.5`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          Update dependency @angular/core to 11.0.5 [SECURITY]

fb7f2d4

renovate bot changed the title ~~Update dependency @angular/core to 11.0.5 [SECURITY]~~ Update dependency @angular/core to v11 [SECURITY]

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.