chore(deps-dev): bump @angular/core from 18.0.6 to 19.2.20 in /packages/angular#4361
Conversation
Bumps [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) from 18.0.6 to 19.2.20. - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v19.2.20/packages/core) --- updated-dependencies: - dependency-name: "@angular/core" dependency-version: 19.2.20 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| "@angular/common": "18.0.6", | ||
| "@angular/compiler-cli": "18.0.6", | ||
| "@angular/core": "18.0.6", | ||
| "@angular/core": "19.2.20", |
There was a problem hiding this comment.
Major version mismatch between Angular packages breaks compatibility
High Severity
Bumping @angular/core to v19.2.20 while all other @angular/* packages (@angular/common, @angular/compiler-cli, @angular/elements, @angular/forms, @angular/platform-browser, @angular/platform-browser-dynamic, @angular/platform-server, @angular/router) remain at v18.0.6 creates a major version mismatch. Angular packages are designed to be used together at the same major version — the v18 packages declare peerDependencies requiring @angular/core: "18.0.6", which is incompatible with the now-installed v19. This will cause peer dependency errors and likely build or runtime failures.
Additional Locations (1)
| "peerDependencies": { | ||
| "rxjs": "^6.5.3 || ^7.4.0", | ||
| "zone.js": "~0.14.0" | ||
| "zone.js": "~0.15.0" |
There was a problem hiding this comment.
zone.js version incompatible with @angular/core v19
High Severity
@angular/core v19.2.20 declares a peer dependency on zone.js: ~0.15.0, but the project has zone.js: 0.14.7 installed and declares zone.js: "0.14.x" as its own peer dependency. This version mismatch means the zone.js version required by the new @angular/core is not satisfied, which will likely cause runtime errors or unexpected behavior.
Additional Locations (1)
|
| Command | Status | Duration | Result |
|---|---|---|---|
nx test @e2e/angular-17-ssr |
❌ Failed | 49s | View ↗ |
nx test @e2e/qwik-city |
✅ Succeeded | 7m 46s | View ↗ |
nx test @e2e/angular-17 |
✅ Succeeded | 6m 37s | View ↗ |
nx test @e2e/nextjs-sdk-next-app |
✅ Succeeded | 6m 46s | View ↗ |
nx test @e2e/nuxt |
✅ Succeeded | 5m 38s | View ↗ |
nx test @e2e/react-sdk-next-15-app |
✅ Succeeded | 5m 15s | View ↗ |
nx test @e2e/angular-19-ssr |
✅ Succeeded | 5m 14s | View ↗ |
nx test @e2e/gen1-remix |
✅ Succeeded | 5m 2s | View ↗ |
Additional runs (37) |
✅ Succeeded | ... | View ↗ |
☁️ Nx Cloud last updated this comment at 2026-03-14 06:12:28 UTC
Bumps @angular/core from 18.0.6 to 19.2.20.
Release notes
Sourced from
@angular/core's releases.... (truncated)
Changelog
Sourced from
@angular/core's changelog.... (truncated)
Commits
621c707fix(core): sanitize translated form attributesb89b0a8fix(core): sanitize translated attribute bindings with interpolations7475487fix(core): block creation of sensitive URI attributes from ICU messages26cdc53fix(core): sanitize sensitive attributes on SVG script elements7c42e2efix(compiler): prevent XSS via SVG animationattributeNameand MathML/SVG URLs70d0639fix(core): introduceBootstrapContextfor improved server bootstrapping (#6...73d3e00build: fix failing test (#61683)9e1cd49fix(migrations): preserve comments when removing unused imports (#61674)a6d5479build: migrate platform-server to rules_js (#61619)2a26944build: migrate platform-browser and platform-browser-dynamic package to use r...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Major-version bump of
@angular/core(while other Angular packages remain on 18.x) can introduce peer-dependency/runtime incompatibilities, especially aroundzone.jsand framework internals.Overview
Updates the
@builder.io/angularpackage’s dev dependency on@angular/corefrom18.0.6to19.2.20inpackage.jsonand regeneratespackage-lock.jsonaccordingly.The lockfile reflects the new
@angular/coreresolution (including updatedzone.jspeer expectation) plus incidental transitive version bumps (e.g.,postcss,nanoid,@types/node) from the re-lock.Written by Cursor Bugbot for commit 1929a4a. This will update automatically on new commits. Configure here.