Skip to content

chore: upgrade Angular 19 → 20 to resolve security vulnerabilities#953

Merged
yogeshchoudhary147 merged 2 commits into
mainfrom
chore/angular-20-migration
Jul 17, 2026
Merged

chore: upgrade Angular 19 → 20 to resolve security vulnerabilities#953
yogeshchoudhary147 merged 2 commits into
mainfrom
chore/angular-20-migration

Conversation

@yogeshchoudhary147

@yogeshchoudhary147 yogeshchoudhary147 commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumps all @angular/* packages from v19.2.x to v20.3.26
  • Aligns build tooling (@angular-devkit/build-angular, @angular/cli, ng-packagr, @angular-eslint/*) to their v20 counterparts
  • Fixes four CVEs reported by Snyk at High/Critical severity
  • Disables the @angular-eslint/prefer-inject rule introduced in @angular-eslint@20 (constructor injection is still fully supported in Angular 20; migration to inject() can be done in a follow-up PR)

Why v20 and not a v19 patch

No fix was backported to v19 — 19.2.25 is the latest Angular 19 release and remains vulnerable per Snyk. The fix only exists in v20.3.25+. Staying on v19 is also not viable as its LTS window ended May 2026, meaning Google is no longer issuing security patches for it.

Security fixes

CVE Package Severity
ReDoS @angular/common@19.x High
Use of Weak Hash @angular/common@19.x Critical
XSS @angular/compiler@19.x High
Modification of Assumed-Immutable Data @angular/core@19.x High

Package changes

Package Before After
@angular/* (7 deps) ^19.2.21 ^20.3.26
@angular/compiler-cli ^19.2.21 ^20.3.26
@angular/forms ^19.2.21 ^20.3.26
@angular-devkit/build-angular ^19.2.24 ^20.3.32
@angular/cli ^19.2.24 ^20.3.32
@angular-eslint/* (5 packages) ^19.0.0 ^20.7.0
ng-packagr ^19.2.2 ^20.3.2

No changes to jest, jest-preset-angular, @types/jest, or typescriptbuild-angular 20.x still supports jest@^29.x and jest-preset-angular@14.x supports @angular/compiler-cli <21.0.0.

Consumer impact

No changes to the library's public API or peerDependencies (>=13). The library source code is unchanged. However, the compiled output now uses Angular 20's toolchain; consumers on older Angular versions should test their integration as Angular does not guarantee cross-version compiler compatibility.

Test plan

  • npm run build:dev passes
  • npm test — all 184 tests pass
  • npm run lint passes
  • CI passes

@yogeshchoudhary147
yogeshchoudhary147 requested a review from a team as a code owner July 17, 2026 08:50
Bumps all Angular packages from v19 to v20.3.26 and aligns build
tooling accordingly. Fixes three CVEs in @angular/common, @angular/compiler,
and @angular/core (ReDoS, weak hash, XSS, immutable data modification)
reported by Snyk at High/Critical severity.

Changed packages:
- @angular/* (animations, common, compiler, core, platform-browser,
  platform-browser-dynamic, router, forms, compiler-cli): 19.2.x → 20.3.26
- @angular-devkit/build-angular: 19.2.24 → 20.3.32
- @angular/cli: 19.2.24 → 20.3.32
- @angular-eslint/*: 19.0.0 → 20.7.0
- ng-packagr: 19.2.2 → 20.3.2

No changes to jest, jest-preset-angular, @types/jest, or typescript —
build-angular 20.x still supports jest ^29.x and jest-preset-angular
14.x supports @angular/compiler-cli <21.0.0.
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Angular runtime, development tooling, ESLint packages, and ng-packagr versions are upgraded from Angular 19-compatible releases to Angular 20-compatible releases.

Changes

Angular 20 upgrade

Layer / File(s) Summary
Angular runtime and build tooling versions
package.json
Angular runtime, router, CLI, compiler, build, ESLint, forms, and ng-packagr dependencies are updated to Angular 20 versions.

Estimated code review effort: 2 (Simple) | ~5 minutes

Suggested reviewers: cschetan77

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: upgrading Angular 19 to 20 for security remediation.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/angular-20-migration

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@yogeshchoudhary147
yogeshchoudhary147 force-pushed the chore/angular-20-migration branch from 2c36fd1 to 2e43e4f Compare July 17, 2026 08:50
Constructor injection is still fully supported in Angular 20. Disabling
this opinionated rule keeps the diff focused on the security fix.
Migration to inject() can be done in a follow-up PR.
@yogeshchoudhary147
yogeshchoudhary147 merged commit 1bc5109 into main Jul 17, 2026
13 checks passed
@yogeshchoudhary147
yogeshchoudhary147 deleted the chore/angular-20-migration branch July 17, 2026 12:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants