Background – vulnerable package warning
If you get npm install / npm audit warnings similar to below:
(Angular package dependency error)
npm audit report
vite 6.2.0 - 6.2.3
Severity: moderate
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - https://github.com/advisories/GHSA-4r4m-qw57-chr8
fix available via `npm audit fix`
node_modules/vite
@angular/build 19.2.1 - 19.2.5 || 20.0.0-next.0 - 20.0.0-next.3
Depends on vulnerable versions of vite
node_modules/@angular/build
@angular-devkit/build-angular 19.2.1 - 19.2.5 || 20.0.0-next.0 - 20.0.0-next.3
Depends on vulnerable versions of @angular/build
node_modules/@angular-devkit/build-angularBump all packages to latest possible using npm-check-updates
Use the npm-check-updates command to get a list of recommended version updates for all npm packages in the project. This might mean breaking changes if major versions are found.
In Angular project root (where the package.json file is) run:
npx npm-check-updates --peer --upgrade
This will list all dependencies that have newer versions than what’s in your package.json.
It will also check peer dependencies of installed packages and filter updates to compatible versions, then modifies your package.json with the latest versions.
Delete package-lock.json
Install the updated packages:
npm install --force
npm audit fix --force
Now your package.json and node_modules are fully in sync with the latest possible versions.
Verify application still works.
More info: https://www.npmjs.com/package/npm-check-updates
Bump packages in a more controlled manner
Get a list of possible target version numbers:
npx npm-check-updates --peer
(is just a dry run wont change anything)
A recommended approach is to update all “Angular” type of packages first and then any “non Angular packages”.
In Angular project root edit package.json:
Bump all packages with the word “angular” in them to the latest version number (see output from the npm-check-updates command). See this example:
Then run:
npm install
-> might get dependency errors, cant install
npm install --force
-> forces the install of angular packages
In the above mentioned scenario (just bump angular packages) this works.
As a second step; repeat this for all non-angular packages.
Package.json version interval handling
Whats the difference between ~ and ^ in the acceptable version “interval” value in package.json?
See:
https://stackoverflow.com/questions/22343224/whats-the-difference-between-tilde-and-caret-in-package-json
| value | desc |
|---|---|
~version |
Approximately equivalent to version, i.e., only accept new patch versions See npm semver – Tilde Ranges |
^version |
Compatible with version, i.e., accept new minor and patch versions See npm semver – Caret Ranges |
version |
Must match version exactly |
>version |
Must be greater than version |
>=version |
Must be equal or greater than version |
<version |
Must be lesser than version |
<=version |
Must be equal or lesser than version |
1.2.x |
1.2.0, 1.2.1, etc., but not 1.3.0 |
* |
Matches any version |
latest |
Obtains latest release |
The above list is not exhaustive. Other version specifiers include GitHub urls and GitHub user repo’s, local paths and packages with specific npm tags