build(angular): atualiza Angular de ~19.0.3 para ~19.2.20 para mitiga…#2812
Closed
pedrodominguesp wants to merge 3 commits into19.x.xfrom
Closed
build(angular): atualiza Angular de ~19.0.3 para ~19.2.20 para mitiga…#2812pedrodominguesp wants to merge 3 commits into19.x.xfrom
pedrodominguesp wants to merge 3 commits into19.x.xfrom
Conversation
…r vulnerabilidades Atualiza o ecossistema Angular dentro da major version 19 (LTS) para corrigir vulnerabilidades de segurança reportadas pelo Dependency Track. Pacotes atualizados: - @angular/core, common, compiler, animations, forms, platform-browser, platform-browser-dynamic, router: ~19.0.3 → ~19.2.20 - @angular/compiler-cli, language-service: ~19.0.3 → ~19.2.20 - @angular/cdk: ~19.0.3 → ~19.2.19 - @angular/cli: ~19.0.4 → ~19.2.24 - @angular-devkit/build-angular: ~19.2.3 → ~19.2.24 - ng-packagr: ~19.2.0 → ~19.2.2 Vulnerabilidades mitigadas: - GHSA-58c5-g7wp-6w37 (HIGH): Leak de XSRF token via URLs protocol-relative no HttpClient - GHSA-v4hv-rgfq-gp49 (HIGH): Stored XSS no Template Compiler via atributos SVG/MathML não sanitizados - GHSA-jrmj-c5cx-3cw6 (HIGH): XSS via href/xlink:href em elementos SVG script no Template Compiler - GHSA-prjf-86w9-mfqv (MEDIUM): XSS no pipeline i18n via ICU messages com conteúdo malicioso - GHSA-g93w-mfhg-p222 (HIGH): XSS via bypass de sanitização em atributos marcados com i18n Riscos residuais: - Nenhum breaking change esperado (patch/minor dentro da v19) - TypeScript ~5.6.3 mantido sem alteração (compatível com Angular 19.2.x que requer >=5.5 <5.9) - Vulnerabilidades em devDependencies (tar, rollup, vite, serialize-javascript, picomatch, eslint, ajv) serão tratadas em etapas futuras Pontos de atenção para validação funcional: - Testar sanitização de URLs em templates com bindings - Testar componentes que usam i18n com ICU messages - Testar HttpClient com diferentes tipos de URLs - Validar build de todas as bibliotecas (ui, templates, storage, sync, code-editor) Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…r vulnerabilidades Atualiza dependências de desenvolvimento com vulnerabilidades conhecidas, utilizando overrides para dependências transitivas. Pacotes atualizados: - rollup: 4.24.4 → 4.59.0 (dependência direta) - vite: 6.3.6 → 6.4.2 (override, alinhado com @angular/build) - serialize-javascript: 6.0.2 → 7.0.5 (override, transitiva via copy-webpack-plugin) Vulnerabilidades mitigadas: - GHSA-mw96-cpmx-2vgc (HIGH): Arbitrary File Write via Path Traversal no rollup 4.x (<4.59.0) - GHSA-93m4-6634-74q7 (HIGH): server.fs.deny bypass via backslash no Windows no vite - GHSA-4w7w-66w2-5vf9 (HIGH): Path Traversal em Optimized Deps .map handling no vite - GHSA-p9ff-h696-f583 (HIGH): Arbitrary File Read via WebSocket no Vite Dev Server - GHSA-6w29-5vg9-w2pm (HIGH): Cross-site Scripting (XSS) no serialize-javascript (<6.0.2 sem fix completo) Riscos residuais: - rollup 4.59.0 é compatível com ng-packagr via @rollup/plugin-json (aceita ^4.0.0) - vite 6.4.2 alinhado com @angular/build@19.2.24 - serialize-javascript 7.0.5 é override sobre ^6.0.2 do copy-webpack-plugin — API compatível Pontos de atenção para validação funcional: - Validar build de todas as bibliotecas (ng-packagr usa rollup) - Testar ng serve (vite como bundler de desenvolvimento) - Verificar builds com webpack (serialize-javascript) Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Adiciona npm overrides para forçar versões seguras de dependências transitivas vulneráveis. Pacotes com override: - tar: 6.2.1 → 7.5.13 (transitiva via pacote → @angular/cli) - picomatch: 4.0.2 → 4.0.4 (transitiva via @angular-devkit/core → @po-ui/ng-schematics@^18.0.0) Vulnerabilidades mitigadas — tar: - GHSA-34x7-hfp2-rc4v (HIGH): Arbitrary File Creation/Overwrite via Hardlink Path Traversal - GHSA-8qq5-rm4j-mr97 (HIGH): Arbitrary File Overwrite e Symlink Poisoning via Insufficient Path Sanitization - GHSA-83g3-92jg-28cx (HIGH): Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain - GHSA-qffp-2rhf-9h96 (HIGH): Hardlink Path Traversal via Drive-Relative Linkpath - GHSA-9ppj-qmqm-q256 (HIGH): Symlink Path Traversal via Drive-Relative Linkpath - GHSA-r6q2-hw4h-h46w (HIGH): Race Condition via Unicode Ligature Collisions em macOS APFS Vulnerabilidades mitigadas — picomatch: - GHSA-3v7f-55p6-f55p (HIGH): Method Injection em POSIX Character Classes causa Glob Matching incorreto - GHSA-c2c7-rcm5-vvqj (HIGH): ReDoS via extglob quantifiers Riscos residuais: - tar 7.x é major bump sobre ^6.1.11 do pacote (usado apenas pelo @angular/cli em operações de install-time, não em build ou runtime) - ajv 8.17.1 (MODERATE, ReDoS em opção $data) NÃO pode ser corrigido via override global pois eslint@8 depende de ajv@^6.x — override para 8.18.0 quebra o lint. Requer migração para eslint@9+ (breaking change) Pontos de atenção para validação funcional: - Testar ng add e ng update (usam pacote/tar) - Validar schematics (@po-ui/ng-schematics usa picomatch via @angular-devkit/core) Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Atualiza o ecossistema Angular dentro da major version 19 (LTS) para corrigir vulnerabilidades de segurança reportadas pelo Dependency Track.
Pacotes atualizados:
Vulnerabilidades mitigadas:
Riscos residuais:
Pontos de atenção para validação funcional:
< COMPONENTE >
< NÚMERO DA ISSUE >
PR Checklist [Revisor]
Qual o comportamento atual?
Qual o novo comportamento?
Simulação