[Snyk] Security upgrade @angular/compiler from 14.3.0 to 19.2.17

[RayG-XD]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Cross-site Scripting (XSS) SNYK-JS-ANGULARCOMPILER-14157154	706

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)

---

Summary by cubic

Upgrade @angular/compiler from 14.3.0 to 19.2.17 to fix a high-severity XSS vulnerability (SNYK-JS-ANGULARCOMPILER-14157154). This may require aligning Angular and Node versions.

• Dependencies

  • Bump @angular/compiler to ^19.2.17 in package.json and package-lock.json.
  • Requires Node ^18.19.1, ^20.11.1, or >=22.0.0.
  • Other Angular packages remain at 14.x and may be incompatible.

• Migration

  • Upgrade the Angular stack to v19 (e.g., ng update @angular/core@19 @angular/cli@19 and related packages).
  • Ensure CI/dev use a compatible Node version (>=18.19.1).
  • Rebuild and run tests to validate.

^{Written for commit 4a50bf6. Summary will update automatically on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clips	Error			Dec 8, 2025 9:43am

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Warning

.coderabbit.yaml has a parsing error

The CodeRabbit configuration file in this repository has a parsing error and default settings were used instead. Please fix the error(s) in the configuration file. You can initialize chat with CodeRabbit to get help with the configuration file.

💥 Parsing errors (1)

duplicated mapping key in ".coderabbit.yaml" (28:1)

 25 | 
 26 | knowledge_base:
 27 | code_guidelines:
 28 | enabled: true
------^
 29 | filePatterns:
 30 |   - "**/.cursorrules"

⚙️ Configuration instructions

• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch snyk-fix-0ede6a4c2c2c9a01d02439e75cbd16dd

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @RayG-XD, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, aims to resolve a high-severity Cross-site Scripting (XSS) vulnerability by upgrading the @angular/compiler package. The upgrade involves a major version bump from 14.3.0 to 19.2.17, which Snyk identifies as a breaking change, and also updates the required Node.js engine versions. Reviewers should carefully assess potential compatibility impacts with other Angular dependencies.

Highlights

• Security Vulnerability Fix: This pull request addresses a high-severity Cross-site Scripting (XSS) vulnerability (SNYK-JS-ANGULARCOMPILER-14157154) found in the @angular/compiler package.
• Dependency Upgrade: The @angular/compiler package has been upgraded from version 14.3.0 to 19.2.17 to remediate the identified vulnerability.
• Breaking Change Alert: Snyk has flagged this upgrade as a breaking change, indicating potential compatibility issues due to the significant version jump and changes in peer dependencies and Node.js engine requirements.
• Node.js Engine Requirements Update: The required Node.js engine versions for @angular/compiler have been updated to ^18.19.1 || ^20.11.1 || >=22.0.0.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request, automatically generated by Snyk, attempts to fix a security vulnerability by upgrading @angular/compiler. However, it introduces a critical issue by creating a major version mismatch between @angular/compiler (v19) and the rest of the Angular framework packages (v14). This will likely cause the application to fail during build or at runtime. Additionally, the upgraded package requires a newer version of Node.js, which could be a breaking change for your development and deployment environments. I have added comments with more details. I recommend rejecting this PR and instead performing a full, manual upgrade of all Angular packages to a consistent version.

[gemini-code-assist]

The updated @angular/compiler package requires a newer version of Node.js (^18.19.1 || ^20.11.1 || >=22.0.0). This is a significant jump from the previous requirement (^14.15.0 || >=16.10.0) and may break your CI/CD pipeline or local development environments if they are not running a compatible Node.js version. This is another reason why a full, coordinated upgrade of the Angular framework and its dependencies is necessary.

[gemini-code-assist]

This PR introduces a version mismatch between Angular packages. @angular/compiler is upgraded to ^19.2.17, while other @angular packages like @angular/core remain on ^14.0.0. All @angular/* packages within a project should use the same version to ensure compatibility and prevent build/runtime errors. A major version jump from 14 to 19 will almost certainly break the application.

It is recommended to either upgrade all @angular/* packages to the same major version (e.g., ~19.2.17) or find a security patch for @angular/compiler that is compatible with version 14. Since this PR only upgrades a single package, it's best to revert this change and perform a full Angular upgrade in a separate, manual PR.

Suggested change

	"@angular/compiler": "^19.2.17",
	"@angular/compiler": "^14.0.0",

[cubic-dev-ai]

1 issue found across 2 files

Prompt for AI agents (all 1 issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="package.json">

<violation number="1" location="package.json:18">
P0: Major version mismatch: `@angular/compiler@^19.2.17` is incompatible with all other Angular packages at `^14.0.0`. Angular packages must be kept at the same major version due to strict peer dependencies. This upgrade will cause build failures and runtime errors. To fix the XSS vulnerability, all Angular packages should be upgraded together to version 19, or an alternative patch for v14 should be sought.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[cubic-dev-ai]

P0: Major version mismatch: @angular/compiler@^19.2.17 is incompatible with all other Angular packages at ^14.0.0. Angular packages must be kept at the same major version due to strict peer dependencies. This upgrade will cause build failures and runtime errors. To fix the XSS vulnerability, all Angular packages should be upgraded together to version 19, or an alternative patch for v14 should be sought.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 18:

<comment>Major version mismatch: `@angular/compiler@^19.2.17` is incompatible with all other Angular packages at `^14.0.0`. Angular packages must be kept at the same major version due to strict peer dependencies. This upgrade will cause build failures and runtime errors. To fix the XSS vulnerability, all Angular packages should be upgraded together to version 19, or an alternative patch for v14 should be sought.</comment>

<file context>
@@ -15,7 +15,7 @@
     &quot;@angular/animations&quot;: &quot;^14.0.0&quot;,
     &quot;@angular/common&quot;: &quot;^14.0.0&quot;,
-    &quot;@angular/compiler&quot;: &quot;^14.0.0&quot;,
+    &quot;@angular/compiler&quot;: &quot;^19.2.17&quot;,
     &quot;@angular/core&quot;: &quot;^14.0.0&quot;,
     &quot;@angular/fire&quot;: &quot;^7.1.0&quot;,
</file context>