Skip to content

feat(@angular-devkit/build-angular): move browser-sync as optional dependency #26587

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
clydin merged 1 commit into from
Dec 6, 2023
Merged

feat(@angular-devkit/build-angular): move browser-sync as optional dependency #26587

clydin merged 1 commit into from
Dec 6, 2023

Conversation

@alan-agius4
Copy link
Collaborator

@alan-agius4 alan-agius4 commented Dec 5, 2023

browser-sync is now an optional dependency of @angular-devkit/build-angular. This package is only needed when using the legacy @angular-devkit/build-angular:ssr-dev-server builder.

Closes #26349

@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: minor This PR is targeted for the next minor release labels Dec 5, 2023
@alan-agius4 alan-agius4 requested a review from clydin December 5, 2023 15:48
@angular-robot angular-robot bot added the detected: feature PR contains a feature commit label Dec 5, 2023
@alan-agius4 alan-agius4 force-pushed the browser-sync-optional branch 10 times, most recently from 91892db to 22492bd Compare December 6, 2023 11:53
clydin
clydin approved these changes Dec 6, 2023
View reviewed changes
@alan-agius4
feat(@angular-devkit/build-angular): move browser-sync as optional …
75bd83a 
…dependency

`browser-sync` is now an optional dependency of `@angular-devkit/build-angular`. This package is only needed when using the legacy `@angular-devkit/build-angular:ssr-dev-server` builder.

Closes angular#26349
@alan-agius4 alan-agius4 force-pushed the browser-sync-optional branch from 22492bd to 75bd83a Compare December 6, 2023 16:34
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Dec 6, 2023
@clydin clydin merged commit 364a16b into angular:main Dec 6, 2023
@alan-agius4 alan-agius4 deleted the browser-sync-optional branch December 6, 2023 16:57
@jase88
Copy link
Contributor

jase88 commented Dec 7, 2023

Will this also be fixed on v16-lts?

@alan-agius4
Copy link
Collaborator Author

alan-agius4 commented Dec 7, 2023

This is only available for version 17.1.x

@von-maurus
Copy link

von-maurus commented Dec 11, 2023

Hi, is this fixed right now? I'm with this version:

 _                      _                 ____ _     ___
/ \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|

/ △ \ | '_ \ / | | | | |/ _ | '__| | | | | | |
/ ___ | | | | (| | || | | (| | | | || | | |
// __| ||_, |_,||_,|| _|||
|___/

Angular CLI: 17.0.6
Node: 20.10.0
Package Manager: npm 10.2.3
OS: darwin arm64

Angular: 17.0.6
... animations, cli, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package Version

@angular-devkit/architect 0.1700.6
@angular-devkit/build-angular 17.0.6
@angular-devkit/core 17.0.6
@angular-devkit/schematics 17.0.6
@schematics/angular 17.0.6
rxjs 7.8.1
typescript 5.2.2
zone.js 0.14.2

And still tells me this error:

npm audit report

axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/localtunnel/node_modules/axios
localtunnel >=1.9.0
Depends on vulnerable versions of axios
node_modules/localtunnel
browser-sync >=2.24.0-rc1
Depends on vulnerable versions of localtunnel
node_modules/browser-sync
@angular-devkit/build-angular >=17.0.0-next.0
Depends on vulnerable versions of browser-sync
node_modules/@angular-devkit/build-angular

4 moderate severity vulnerabilities

@alfaproject
Copy link

alfaproject commented Jan 5, 2024

@alan-agius4 any chance you can update to browser-sync v3 in the 17.0 branch, at least? It makes localtunnel optional

@dagerher
Copy link

dagerher commented Jan 10, 2024

@alan-agius4 Is it known if there is still much time left before the release of version 17.1.x?

@JeanMeche
Copy link
Member

JeanMeche commented Jan 10, 2024

@dagerher Release is expected mid of next week !

@lsmith77 lsmith77 mentioned this pull request Jan 10, 2024
Merged
@angular-automatic-lock-bot
Copy link

angular-automatic-lock-bot bot commented Feb 10, 2024

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Feb 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@clydin clydin clydin approved these changes

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker detected: feature PR contains a feature commit target: minor This PR is targeted for the next minor release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

npm audit on a brand new v17 Angular CLI generated application returns vulnerabilities

7 participants

@alan-agius4 @jase88 @von-maurus @alfaproject @dagerher @JeanMeche @clydin