manfredsteyer / ngx-build-plus

Extend the Angular CLI's default build behavior without ejecting, e. g. for Angular Elements

Update @schematics/angular to mitigate vulnerability in AJV #257

Open jtneal opened 3 years ago

jtneal commented 3 years ago

See: https://snyk.io/vuln/SNYK-JS-AJV-584908

Currently hard-coded to 8.0.0: https://github.com/manfredsteyer/ngx-build-plus/blob/cli8/lib/package.json#L24

Version 8.3.29 is latest, and is the newest version that has mitigated the AJV vulnerability: https://github.com/angular/angular-cli/blob/v8.3.29/packages/angular_devkit/core/package.json#L11

If ngx-build-plus is compatible with 8.3.29, can we get this updated? And perhaps change it to use a semver range of patch ~ or ^ minor so that future issues like this that are resolved in patch/minor versions don't require updating ngx-build-plus to mitigate?

jtneal commented 3 years ago

I realize you probably hard-coded to 8.0.0 because you use some of the schematics APIs that are considered private. Meaning the Angular team can change them at any time, even in patch versions, and there's no official support there. So I can agree with sticking with a hard-coded version for now, but can we see if ngx-build-plus works with 8.3.29?
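The trade-off discussed in this thread (an exact pin blocks a patched release from ever being installed, while a `~`/`^` range would pull it in automatically) is easy to check mechanically. The script below is an added example, not code from ngx-build-plus or from the issue author: it reads a package.json, and for every dependency with a known minimum fixed version it reports whether the spec is an exact pin below the fix, a range that admits the fix, or a range that excludes it. The package.json content is constructed for illustration; only the `@schematics/angular` pin of 8.0.0 and the fixed version 8.3.29 are taken from the issue. The `^`/`~` handling is a simplified semver implementation covering plain `x.y.z` versions, not a full npm range parser.

```python
"""Classify pinned vs ranged npm dependency specs against a known fixed version.

Added example (not part of ngx-build-plus). The sample package.json is
constructed; the 8.0.0 pin and the 8.3.29 fix come from the issue text.
"""
import json
import re
from typing import Dict, Tuple

# Constructed sample; not the repository's real lib/package.json.
SAMPLE_PACKAGE_JSON = """
{
  "name": "sample-app",
  "dependencies": {
    "@schematics/angular": "8.0.0",
    "some-lib": "^2.1.0",
    "other-lib": "~1.4.2"
  }
}
"""

# Minimum version known to contain the fix, keyed by package name.
# The single entry is from the issue; an advisory feed would normally fill this.
MIN_FIXED: Dict[str, str] = {"@schematics/angular": "8.3.29"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse a plain x.y.z version into a comparable tuple."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"not a plain semver x.y.z version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def satisfies(version: str, spec: str) -> bool:
    """Does `version` satisfy an exact, caret (^) or tilde (~) spec?

    Simplified npm semantics:
      ^x.y.z  allows changes that do not modify the left-most non-zero component
      ~x.y.z  allows patch-level changes only
      x.y.z   exact match
    """
    spec = spec.strip()
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        v = parse_version(version)
        if v < base:
            return False
        if base[0] != 0:
            return v[0] == base[0]
        if base[1] != 0:
            return v[0] == 0 and v[1] == base[1]
        return v == base
    if spec.startswith("~"):
        base = parse_version(spec[1:])
        v = parse_version(version)
        return v >= base and v[0] == base[0] and v[1] == base[1]
    return parse_version(version) == parse_version(spec)


def audit(package_json: str, min_fixed: Dict[str, str]) -> Dict[str, str]:
    """Return a status per dependency that has a known fixed version.

    Statuses:
      ok                 exact pin at or above the fix
      pinned-below-fix   exact pin that can never resolve to the fix
      range-admits-fix   range that will resolve to the fixed version
      range-excludes-fix range that cannot reach the fixed version
    """
    deps = json.loads(package_json).get("dependencies", {})
    report: Dict[str, str] = {}
    for name, spec in deps.items():
        if name not in min_fixed:
            continue
        fixed = min_fixed[name]
        s = spec.strip()
        if _VERSION_RE.match(s):
            below = parse_version(s) < parse_version(fixed)
            report[name] = "pinned-below-fix" if below else "ok"
        elif satisfies(fixed, s):
            report[name] = "range-admits-fix"
        else:
            report[name] = "range-excludes-fix"
    return report


if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_PACKAGE_JSON, MIN_FIXED).items():
        print(f"{pkg}: {status}")
```

Running it on the constructed sample reports `@schematics/angular: pinned-below-fix`, which is exactly the situation the issue describes; switching the spec to `^8.0.0` or `~8.3.0` would report `range-admits-fix`, while `~8.0.0` would still exclude 8.3.29 because a tilde range only permits patch-level changes.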