Update dependency angular to ~1.8.0 [SECURITY] #11

Open
wants to merge 1 commit into
base: master
@renovate renovate bot commented Apr 6, 2021

This PR contains the following updates:

Package | Change | Age | Adoption | Passing | Confidence
angular (source) | ~1.2.28 -> ~1.8.0 | age | adoption | passing | confidence

GitHub Vulnerability Alerts

GHSA-28hp-fgcr-2r4h

JSONP allows untrusted resource URLs, which provides a vector for attack by malicious actors.

CVE-2019-10768

Versions of angular prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API function merge() does not restrict the modification of an Object's prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects.

Recommendation

Upgrade to version 1.7.9 or later. The function was already deprecated and upgrades are not expected to break functionality.

CVE-2020-7676

angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "" elements in "" ones changes parsing behavior, leading to possibly unsanitizing code.

GHSA-5cp4-xmrw-59wf

Summary

XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element.

Description

JQLite (DOM manipulation library that's part of AngularJS) manipulates input HTML before inserting it to the DOM in jqLiteBuildFragment.

One of the modifications performed expands an XHTML self-closing tag.

If jqLiteBuildFragment is called (e.g. via new JQLite(aString)) with user-controlled HTML string that was sanitized (e.g. with DOMPurify), the transformation done by JQLite may modify some forms of an inert, sanitized payload into a payload containing JavaScript - and trigger an XSS when the payload is inserted into DOM.

This is similar to a bug in jQuery htmlPrefilter function that was fixed in 3.5.0.

Proof of concept

    const inertPayload = `<div><style><style/><img src=x onerror="alert(1337)"/>`

Note that the style element is not closed and <img would be a text node inside the style if inserted into the DOM as-is. As such, some HTML sanitizers would leave the <img as is without processing it and stripping the onerror attribute.

    angular.element(document).append(inertPayload);

This will alert, as <style/> will be replaced with <style></style> before adding it to the DOM, closing the style element early and reactivating img.

Patches

The issue is patched in JQLite bundled with angular 1.8.0. AngularJS users using JQuery should upgrade JQuery to 3.5.0, as a similar vulnerability affects jQuery <3.5.0.

Workarounds

Changing sanitizer configuration not to allow certain tag grouping (e.g. <option><style></option>) or inline style elements may stop certain exploitation vectors, but it's uncertain if all possible exploitation vectors would be covered. Upgrade of AngularJS to 1.8.0 is recommended.

References

- https://github.com/advisories/GHSA-mhp6-pxh8-r675
- https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
- https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
- https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
- https://snyk.io/vuln/SNYK-JS-ANGULAR-570058

CVE-2019-14863

Versions of angular prior to 1.5.0-beta.1 are vulnerable to Cross-Site Scripting. The package fails to sanitize xlink:href attributes, which may allow attackers to execute arbitrary JavaScript in a victim's browser if the value is user-controlled.

Recommendation

Upgrade to version 1.5.0-beta.1 or later.

Release Notes

angular/angular.js

v1.8.3

Compare Source

One final release of AngularJS in order to update package README files on npm.

v1.8.2

Compare Source

Bug Fixes

- $sceDelegate: ensure that resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)

v1.8.1

Compare Source

Bug Fixes

- $sanitize: do not trigger CSP alert/report in Firefox and Chrome (2fab3d)

Refactorings

- SanitizeUriProvider: remove usages of whitelist (76738102)
- httpProvider: remove usages of whitelist and blacklist (c953af6b)
- sceDelegateProvider: remove usages of whitelist and blacklist (a206e267)

Deprecation Notices

- Deprecated $compileProvider.aHrefSanitizationWhitelist. It is now aHrefSanitizationTrustedUrlList.
- Deprecated $compileProvider.imgSrcSanitizationWhitelist. It is now imgSrcSanitizationTrustedUrlList.
- Deprecated $httpProvider.xsrfWhitelistedOrigins. It is now xsrfTrustedOrigins.
- Deprecated $sceDelegateProvider.resourceUrlWhitelist. It is now trustedResourceUrlList.
- Deprecated $sceDelegateProvider.resourceUrlBlacklist. It is now bannedResourceUrlList.

For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.

v1.8.0

Compare Source

This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz (@koto); and independently by Esben Sparre Andreasen (@esbena) while performing a Variant Analysis of CVE-2020-11022 which itself was found and reported by Masato Kinugawa (@masatokinugawa).

Bug Fixes

- jqLite: prevent possible XSS due to regex-based HTML replacement (2df43c)

Breaking Changes

jqLite due to:

- 2df43c: prevent possible XSS due to regex-based HTML replacement

JqLite no longer turns XHTML-like strings like <div /><span /> to sibling elements <div></div><span></span> when not in XHTML mode. Instead it will leave them as-is. The browser, in non-XHTML mode, will convert these to: <div><span></span></div>.

This is a security fix to avoid an XSS vulnerability if a new jqLite element is created from a user-controlled HTML string. If you must have this functionality and understand the risk involved then it is possible to restore the original behavior by calling

    angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();

But you should adjust your code for this change and remove your use of this function as soon as possible.

Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the jQuery 3.5 upgrade guide for more details about the workarounds.

v1.7.9

Compare Source

Bug Fixes

- angular.merge: do not merge proto property (726f49) (Thanks to the Snyk Security Research Team for identifying this issue.)
ngStyle: correctly remove old style when new style value is invalid (5edd25, #​16860, #​16868) v1.7.8 Compare Source Bug Fixes required: correctly validate required on non-input element surrounded by ngIf (a4c7bd, #​16830, #​16836) v1.7.7 Compare Source Bug Fixes ngRequired: set error correctly when inside ngRepeat and false by default (5ad4f5, #​16814, #​16820) v1.7.6 Compare Source Bug Fixes $compile: fix ng-prop-* with undefined values (772440, #​16797, #​16798) compile: properly handle false value for boolean attrs with jQuery (27486b, #​16778, #​16779) ngRepeat: fix reference to last collection value remaining across linkages (cf919a) fix trackBy function being invoked with incorrect scope (d4d103, #​16776, #​16777) aria/ngClick: check if element is contenteditable before blocking spacebar (289374, #​16762) input: prevent browsers from autofilling hidden inputs (7cbb10) Angular: add workaround for Safari / Webdriver problem (eb49f6) $browser: normalize inputted URLs (2f72a6, #​16606) interpolate: do not create directives for constant media URL attributes (90a41d, #​16734) $q: allow third-party promise libraries (eefaa7, #​16164, #​16471) urlUtils: make IPv6 URL's hostname wrapped in square brackets in IE/Edge (0e1bd7, #​16692, #​16715) ngAnimateSwap: make it compatible with ngIf on the same element (b27080, #​16616, #​16729) ngMock: make matchLatestDefinitionEnabled work (3cdffc, #​16702) ngStyle: skip setting empty value when new style has the property (d6098e, #​16709) Performance Improvements input: prevent multiple validations on initialization (692622, #​14691, #​16760) v1.7.5 Compare Source Bug Fixes ngClass: do not break on invalid values (f3a565, #​16697, #​16699) v1.7.4 Compare Source Bug Fixes ngAria.ngClick: prevent default event on space/enter only for non-interactive elements (61b335, #​16664, #​16680) ngAnimate: remove the "prepare" classes with multiple structural animations (3105b2, #​16681, #​16677) $route: correctly extract path params if the 
path contains a question mark or a hash (2ceeb7) ngHref: allow numbers and other objects in interpolation (30084c, #​16652, #​16626) select: allow to select first option with value undefined (668a33, #​16653, #​16656) v1.7.3 Compare Source Bug Fixes $location: fix infinite recursion/digest on URLs with special characters (e68697, #​16592, #​16611) avoid unnecessary $locationChange* events due to empty hash (1144b1, #​16632, #​16636) ngMock.$httpBackend: pass failed HTTP expectations to $exceptionHandler (4adbf8, #​16644) correctly ignore query params in {expect,when}Route (be417f, #​14173, #​16589) Angular: add workaround for Safari / Webdriver problem (0a1db2, #​16645) $animate: avoid memory leak with $animate.enabled(element, enabled) (4bd424, #​16649) $compile: use correct parent element when requiring on html element (05ac70, #​16535, #​16647) work around Firefox DocumentFragment bug (10973c, #​16607, #​16615) ngEventDirs: pass error in handler to $exceptionHandler when event was triggered in a digest (688211) don't wrap the event handler in $apply if already in $digest (535ee3, #​14673, #​14674) angular.element: do not break on cleanData() if _data() returns undefined (7cf4a2, #​16641, #​16642) ngAria: do not scroll when pressing spacebar on custom buttons (3a517c, #​14665, #​16604) New Features $compile: add support for arbitrary DOM property and event bindings (a5914c, #​16428, #​16235, #​16614) ngMock: add $flushPendingTasks() and $verifyNoPendingTasks() (6f7674, #​14336) core: implement more granular pending task tracking (17b139) $animate: add option data to event callbacks (fc64e6, #​12697, #​13059) form.FormController: add $getControls() (c9d1e6, #​16601, #​14749, #​14517, #​13202) ngModelOptions: add timeStripZeroSeconds and timeSecondsFormat (b68221, #​10721, #​16510, #​16584) Performance Improvements ngAnimate: avoid repeated calls to addClass/removeClass when animation has no duration (093635, #​14165, #​14166, #​16613) v1.7.2 Compare Source In the 
previous release, we removed a private, undocumented API that was no longer used by AngularJS. It turned out that several popular UI libraries (such as AngularJS Material, UI Bootstrap, ngDialog and probably others) relied on that API. In order to avoid unnecessary pain for developers, this release reverts the removal of the private API and restores compatibility of the aforementioned libraries with the latest AngularJS. Reverts $compile: remove preAssignBindingsEnabled leftovers (2da495, #​16580, a81232, #​16595) v1.7.1 Compare Source Bug Fixes $compile: support transcluding multi-element directives (789db8, #​15554, #​15555) ngModel: do not throw if view value changes on destroyed scope (2b6c98, #​16583, #​16585) New Features $compile: add one-way collection bindings (f9d1ca, #​14039, #​16553, #​15874) ngRef: add directive to publish controller, or element into scope (bf841d, #​16511) errorHandlingConfig: add option to exclude error params from url (3d6c45, #​14744, #​15707, #​16283, #​16299, #​16591) ngAria: add support for ignoring a specific element (7d9d38, #​14602, #​14672, #​14833) ngCookies: support samesite option (10a229, #​16543, #​16544) ngMessages: add support for default message (a8c263, #​12008, #​12213, #​16587) ngMock, ngMockE2E: add option to match latest definition for $httpBackend request (773f39, #​16251, #​11637, #​16560) $route: add support for the reloadOnUrl configuration option (f4f571, #​7925, #​15002) v1.7.0 Compare Source Here are the full changes for the release of 1.7.0 that are not already released in the 1.6.x branch, which includes commits from 1.7.0-rc.0 and commits from 1.7.0 directly. 1.7.0 is the last scheduled release of AngularJS that includes breaking changes. 1.7.x patch releases will continue to receive bug fixes and non-breaking features until AngularJS enters Long Term Support mode (LTS) on July 1st 2018. 
Bug Fixes input: listen on "change" instead of "click" for radio/checkbox ngModels (656c8f, #​4516, #​14667, #​14685) input[number]: validate min/max against viewValue (aa3f95, #​12761, #​16325) input[date]: correctly parse 2-digit years (627180, #​16537, #​16539) jqLite: make removeData() not remove event handlers (b7d396, #​15869, #​16512) $compile: remove the preAssignBindingsEnabled flag (38f8c9, #​15782) add base[href] to the list of RESOURCE_URL context attributes (1cf728, #​15597) $interval: throw when trying to cancel non-$interval promise (a8bef9, #​16424, #​16476) $timeout: throw when trying to cancel non-$timeout promise (336525, #​16424, #​16476) $cookies: remove the deprecated $cookieStore factory (73c646, #​16465) $resource: fix interceptors and success/error callbacks (ea0585, #​6731, #​9334, #​6865, #​16446) $templateRequest: give tpload error the correct namespace (c617d6) always return the template that is stored in the cache (fb0099, #​16225) $animate: let cancel() reject the runner promise (16b82c, #​14204, #​16373) ngTouch: deprecate the module and its contents (67f54b, #​16427, #​16431) remove ngClick override, $touchProvider, and $touch (11d9ad, #​15761, #​15755) ngScenario: completely remove the angular scenario runner (0cd392, #​9405) form: set $submitted to true on child forms when parent is submitted (223de5, #​10071) $rootScope: provide correct value of one-time bindings in watchGroup (c2b8fa) don't allow explicit digest calls to affect $evalAsync (02c046, #​15127, #​15494) ngAria: do not set aria attributes on input[type="hidden"] (6d5ef3, #​15113, #​16367) ngModel, input: improve handling of built-in named parsers (74b04c, #​14292, #​10076, #​16347) $httpParamSerializerJQLike: call functions as jQuery does (a784fa, #​16138, #​16139) follow jQuery for null and undefined (301fdd) $parse: do not pass scope/locals to interceptors of one-time bindings (87a586) always pass the intercepted value to watchers (2ee503, #​16021) respect the 
interceptor.$stateful flag (de7403) Angular: remove angular.lowercase and angular.uppercase (1daa4f, #​15445) $controller: remove instantiating controllers defined on window (e269c1, #​15349, #​15762) New Features angular.isArray: support Array subclasses in angular.isArray() (e3ece2, #​15533, #​15541) $sce: handle URL sanitization through the $sce service (1e9ead) orderBy: consider null and undefined greater than other values (1d8046, #​15294, #​16376) $resource: add support for request and requestError interceptors (#​15674) (240a3d, #​5146) ngModelOptions: add debounce catch-all + allow debouncing 'default' only (55ba44, #​15411, #​16335) $compile: lower the xlink:href security context for SVG's a and image elements (6ccbfa, #​15736) Performance Improvements $rootScope: allow $watchCollection use of expression input watching (97b00c) ngStyle: use $watchCollection (15bbd3, #​15947) $compile: do not use deepWatch in literal one-way bindings (fd4f01, #​15301) Breaking Changes jqLite due to: b7d396: make removeData() not remove event handlers Before this commit removeData() invoked on an element removed its event handlers as well. If you want to trigger a full cleanup of an element, change: elem.removeData(); to: angular.element.cleanData(elem); In most cases, though, cleaning up after an element is supposed to be done only when it's removed from the DOM as well; in such cases the following: elem.remove(); will remove event handlers as well. $cookies due to: 73c646: remove the deprecated $cookieStore factory The $cookieStore has been removed. Migrate to the $cookies service. Note that for object values you need to use the putObject & getObject methods as get/put will not correctly save/retrieve them. 
Before: $cookieStore.put('name', {key: 'value'}); $cookieStore.get('name'); // {key: 'value'} $cookieStore.remove('name'); After: $cookies.putObject('name', {key: 'value'}); $cookies.getObject('name'); // {key: 'value'} $cookies.remove('name'); $resource due to: ea0585: fix interceptors and success/error callbacks If you are not using success or error callbacks with $resource, your app should not be affected by this change. If you are using success or error callbacks (with or without response interceptors), one (subtle) difference is that throwing an error inside the callbacks will not propagate to the returned $promise. Therefore, you should try to use the promises whenever possible. E.g.: // Avoid User.query(function onSuccess(users) { throw new Error(); }). $promise. catch(function onError() { /* Will not be called. */ }); // Prefer User.query(). $promise. then(function onSuccess(users) { throw new Error(); }). catch(function onError() { /* Will be called. */ }); Finally, if you are using success or error callbacks with response interceptors, the callbacks will now always run after the interceptors (and wait for them to resolve in case they return a promise). Previously, the error callback was called before the responseError interceptor and the success callback was synchronously called after the response interceptor. 
E.g.: var User = $resource('/api/users/:id', {id: '@&#8203;id'}, { get: { method: 'get', interceptor: { response: function(response) { console.log('responseInterceptor-1'); return $timeout(1000).then(function() { console.log('responseInterceptor-2'); return response.resource; }); }, responseError: function(response) { console.log('responseErrorInterceptor-1'); return $timeout(1000).then(function() { console.log('responseErrorInterceptor-2'); return $q.reject('Ooops!'); }); } } } }); var onSuccess = function(value) { console.log('successCallback', value); }; var onError = function(error) { console.log('errorCallback', error); }; // Assuming the following call is successful... User.get({id: 1}, onSuccess, onError); // Old behavior: // responseInterceptor-1 // successCallback, {/* Promise object */} // responseInterceptor-2 // New behavior: // responseInterceptor-1 // responseInterceptor-2 // successCallback, {/* User object */} // Assuming the following call returns an error... User.get({id: 2}, onSuccess, onError); // Old behavior: // errorCallback, {/* Response object */} // responseErrorInterceptor-1 // responseErrorInterceptor-2 // New behavior: // responseErrorInterceptor-1 // responseErrorInterceptor-2 // errorCallback, Ooops! 240a3d: add support for request and requestError interceptors (#​15674) Previously, calling a $resource method would synchronously call $http. Now, it will be called asynchronously (regardless if a request/requestError interceptor has been defined. This is not expected to affect applications at runtime, since the overall operation is asynchronous already, but may affect assertions in tests. For example, if you want to assert that $http has been called with specific arguments as a result of a $resource call, you now need to run a $digest first, to ensure the (possibly empty) request interceptor promise has been resolved. 
Before: it('...', function() { $httpBackend.expectGET('/api/things').respond(...); var Things = $resource('/api/things'); Things.query(); expect($http).toHaveBeenCalledWith(...); }); After: it('...', function() { $httpBackend.expectGET('/api/things').respond(...); var Things = $resource('/api/things'); Things.query(); $rootScope.$digest(); expect($http).toHaveBeenCalledWith(...); }); $templateRequest: due to c617d6: give tpload error the correct namespace Previously the tpload error was namespaced to $compile. If you have code that matches errors of the form [$compile:tpload] it will no longer run. You should change the code to match [$templateRequest:tpload]. due to (fb0099: always return the template that is stored in the cache The service now returns the result of $templateCache.put() when making a server request to the template. Previously it would return the content of the response directly. This now means if you are decorating $templateCache.put() to manipulate the template, you will now get this manipulated result also on the first $templateRequest rather than only on subsequent calls (when the template is retrived from the cache). In practice this should not affect any apps, as it is unlikely that they rely on the template being different in the first and subsequent calls. $animate due to: 16b82c: let cancel() reject the runner promise $animate.cancel(runner) now rejects the underlying promise and calls the catch() handler on the runner returned by $animate functions (enter, leave, move, addClass, removeClass, setClass, animate). Previously it would resolve the promise as if the animation had ended successfully. Example: var runner = $animate.addClass('red'); runner.then(function() { console.log('success')}); runner.catch(function() { console.log('cancelled')}); runner.cancel(); Pre-1.7.0, this logs 'success', 1.7.0 and later it logs 'cancelled'. To migrate, add a catch() handler to your animation runners. 
angular.isArray due to: e3ece2: support Array subclasses in angular.isArray() Previously, angular.isArray() was an alias for Array.isArray(). Therefore, objects that prototypally inherit from Array where not considered arrays. Now such objects are considered arrays too. This change affects several other methods that use angular.isArray() under the hood, such as angular.copy(), angular.equals(), angular.forEach(), and angular.merge(). This in turn affects how dirty checking treats objects that prototypally inherit from Array (e.g. MobX observable arrays). AngularJS will now be able to handle these objects better when copying or watching. $sce : due to 1e9ead: handle URL sanitization through the $sce service If you use attrs.$set for URL attributes (a[href] and img[src]) there will no longer be any automated sanitization of the value. This is in line with other programmatic operations, such as writing to the innerHTML of an element. If you are programmatically writing URL values to attributes from untrusted input then you must sanitize it yourself. You could write your own sanitizer or copy the private $$sanitizeUri service. Note that values that have been passed through the $interpolate service within the URL or MEDIA_URL will have already been sanitized, so you would not need to sanitize these values again. due to 1e9ead: handle URL sanitization through the $sce service binding trustAs() and the short versions (trustAsResourceUrl() et al.) to ngSrc, ngSrcset, and ngHref will now raise an infinite digest error: $scope.imgThumbFn = function(id) { return $sce.trustAsResourceUrl(someService.someUrl(id)); }; <img ng-src="{{imgThumbFn(imgId)}}"> This is because the $interpolate service is now responsible for sanitizing the attribute value, and its watcher receives a new object from trustAs() on every digest. 
To migrate, compute the trusted value only when the input value changes: $scope.$watch('imgId', function(id) { $scope.imgThumb = $sce.trustAsResourceUrl(someService.someUrl(id)); }); <img ng-src="{{imgThumb}}"> orderBy due to: 1d8046: consider null and undefined greater than other values When using orderBy to sort arrays containing null values, the null values will be considered "greater than" all other values, except for undefined. Previously, they were sorted as strings. This will result in different (but more intuitive) sorting order. Before: orderByFilter(['a', undefined, 'o', null, 'z']); //--> 'a', null, 'o', 'z', undefined After: orderByFilter(['a', undefined, 'o', null, 'z']); //--> 'a', 'o', 'z', null, undefined ngScenario due to: 0cd392: completely remove the angular scenario runner The angular scenario runner end-to-end test framework has been removed from the project and will no longer be available on npm or bower starting with 1.7.0. It was deprecated and removed from the documentation in 2014. Applications that still use it should migrate to Protractor. Technically, it should also be possible to continue using an older version of the scenario runner, as the underlying APIs have not changed. However, we do not guarantee future compatibility. form due to: 223de5: set $submitted to true on child forms when parent is submitted Forms will now set $submitted on child forms when they are submitted. For example: <form name="parentform" ng-submit="$ctrl.submit()"> <ng-form name="childform"> <input type="text" name="input" ng-model="my.model" /> </ng-form> <input type="submit" /> </form> Submitting this form will set $submitted on "parentform" and "childform". Previously, it was only set on "parentform". This change was introduced because mixing form and ngForm does not create logically separate forms, but rather something like input groups. Therefore, child forms should inherit the submission state from their parent form. 
ngAria due to: 6d5ef3: do not set aria attributes on input[type="hidden"] ngAria no longer sets aria-* attributes on input[type="hidden"] with ngModel. This can affect apps that test for the presence of aria attributes on hidden inputs. To migrate, remove these assertions. In actual apps, this should not have a user-facing effect, as the previous behavior was incorrect, and the new behavior is correct for accessibility. ngModel, input due to: 74b04c: improve handling of built-in named parsers Custom parsers that fail to parse on input types "email", "url", "number", "date", "month", "time", "datetime-local", "week", do no longer set ngModelController.$error[inputType], and the ng-invalid-[inputType] class. Also, custom parsers on input type "range" do no longer set ngModelController.$error.number and the ng-invalid-number class. Instead, any custom parsers on these inputs set ngModelController.$error.parse and ng-invalid-parse. This change was made to make distinguishing errors from built-in parsers and custom parsers easier. ngModelOptions due to: 55ba44: add debounce catch-all + allow debouncing 'default' only the 'default' key in 'debounce' now only debounces the default event, i.e. the event that is added as an update trigger by the different input directives automatically. Previously, it also applied to other update triggers defined in 'updateOn' that did not have a corresponding key in the 'debounce'. This behavior is now supported via a special wildcard / catch-all key: '*'. 
See the following example: Pre-1.7: 'mouseup' is also debounced by 500 milliseconds because 'default' is applied: ng-model-options="{ updateOn: 'default blur mouseup', debounce: { 'default': 500, 'blur': 0 } } 1.7: The pre-1.7 behavior can be re-created by setting '*' as a catch-all debounce value: ng-model-options="{ updateOn: 'default blur mouseup', debounce: { '*': 500, 'blur': 0 } } In contrast, when only 'default' is used, 'blur' and 'mouseup' are not debounced: ng-model-options="{ updateOn: 'default blur mouseup', debounce: { 'default': 500 } } input[number] due to: aa3f95: validate min/max against viewValue input[type=number] with ngModel now validates the input for the max/min restriction against the ngModelController.$viewValue instead of against the ngModelController.$modelValue. This affects apps that use $parsers or $formatters to transform the input / model value. If you rely on the $modelValue validation, you can overwrite the min/max validator from a custom directive, as seen in the following example directive definition object: { restrict: 'A', require: 'ngModel', link: function(scope, element, attrs, ctrl) { var maxValidator = ctrl.$validators.max; ctrl.$validators.max = function(modelValue, viewValue) { return maxValidator(modelValue, modelValue); }; } } input due to: 656c8f: listen on "change" instead of "click" for radio/checkbox ngModels input[radio] and input[checkbox] now listen to the "change" event instead of the "click" event. Most apps should not be affected, as "change" is automatically fired by browsers after "click" happens. Two scenarios might need migration: Custom click events: Before this change, custom click event listeners on radio / checkbox would be called after the input element and ngModel had been updated, unless they were specifically registered before the built-in click handlers. After this change, they are called before the input is updated, and can call event.preventDefault() to prevent the input from updating. 
If an app uses a click event listener that expects ngModel to be updated when it is called, it now needs to register a change event listener instead. Triggering click events: Conventional trigger functions: The change event might not be fired when the input element is not attached to the document. This can happen in tests that compile input elements and trigger click events on them. Depending on the browser (Chrome and Safari) and the trigger method, the change event will not be fired when the input isn't attached to the document. Before: it('should update the model', inject(function($compile, $rootScope) { var inputElm = $compile('<input type="checkbox" ng-model="checkbox" />')($rootScope); inputElm[0].click(); // Or different trigger mechanisms, such as jQuery.trigger() expect($rootScope.checkbox).toBe(true); }); With this patch, $rootScope.checkbox might not be true, because the click event hasn't triggered the change event. To make the test, work append the inputElm to the app's $rootElement, and the $rootElement to the $document. After: it('should update the model', inject(function($compile, $rootScope, $rootElement, $document) { var inputElm = $compile('<input type="checkbox" ng-model="checkbox" />')($rootScope); $rootElement.append(inputElm); $document.append($rootElement); inputElm[0].click(); // Or different trigger mechanisms, such as jQuery.trigger() expect($rootScope.checkbox).toBe(true); }); triggerHandler(): If you are using this jQuery / jqLite function on the input elements, you don't have to attach the elements to the document, but instead change the triggered event to "change". This is because triggerHandler(event) only triggers the exact event when it has been added by jQuery / jqLite. ngStyle due to: 15bbd3: use $watchCollec Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. 
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
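
For the jqLite issue in the advisory above (GHSA-5cp4-xmrw-59wf) and the 1.8.0 breaking change that fixes it, the following audit helper is an added example, not code from AngularJS, Renovate or this repository. It models the pre-1.8.0 self-closing-tag expansion with a simplified regex and flags HTML strings that the old jqLite would have rewritten, which are the same strings whose DOM shape changes after this upgrade. The function names, the regex, the verdict labels and the last two samples are assumptions made for illustration; the first sample is the advisory's own payload.

```javascript
// Added example, not AngularJS source code. The regex is a simplified model
// (assumption) of the self-closing-tag expansion jqLite applied before 1.8.0.

// Void elements never take a closing tag, so "<img/>" and "<br/>" are left alone.
const VOID_TAGS = 'area|br|col|embed|hr|img|input|link|meta|param';

// Elements whose content the HTML parser treats as text, not markup. Closing
// one of these early turns the "text" that follows back into live markup.
const TEXT_CONTENT_TAGS = new Set(['style', 'script', 'textarea', 'title']);

// A fresh regex per call avoids sharing lastIndex state between callers.
function selfClosingRegex() {
  return new RegExp('<(?!(?:' + VOID_TAGS + ')\\b)(([\\w:-]+)[^>]*)\\/>', 'gi');
}

// Model of the legacy rewrite: "<style/>" becomes "<style></style>".
function legacyExpand(html) {
  return html.replace(selfClosingRegex(), '<$1></$2>');
}

// List every non-void self-closing tag with its offset in the string.
function findSelfClosing(html) {
  const hits = [];
  for (const m of html.matchAll(selfClosingRegex())) {
    const tag = m[2].toLowerCase();
    hits.push({ tag, index: m.index, text: m[0], textContent: TEXT_CONTENT_TAGS.has(tag) });
  }
  return hits;
}

// Classify a fragment that is about to be handed to angular.element()/append().
//   stable    : no non-void self-closing tags, same result before and after 1.8.0
//   review    : markup relied on the legacy expansion; the DOM shape changes in 1.8.0
//   high-risk : the legacy expansion synthesizes a closing tag for a text-content
//               element, the pattern in the advisory's payload
function auditFragment(html) {
  const hits = findSelfClosing(html);
  let verdict = 'stable';
  if (hits.length > 0) verdict = 'review';
  if (hits.some((h) => h.textContent)) verdict = 'high-risk';
  return { verdict, hits, legacy: legacyExpand(html) };
}

// Sample inputs: the first is the advisory's payload quoted above, the other
// two are constructed for this example.
const SAMPLES = [
  '<div><style><style/><img src=x onerror="alert(1337)"/>',
  '<div /><span />',
  '<p>hi<br/><img src="a.png"/></p>',
];

for (const html of SAMPLES) {
  const r = auditFragment(html);
  console.log(r.verdict.padEnd(9), JSON.stringify(html));
  for (const h of r.hits) console.log('   ', h.text, 'at offset', h.index);
  if (r.legacy !== html) console.log('    legacy rewrite:', r.legacy);
}
```

Run over the template strings and server-supplied HTML an application passes to jqLite, the `review` hits are the places to adjust before removing any use of `angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement()`.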

renovate bot commented Mar 23, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
