fix: upgrade golang version and npm dependencies to reduce CVE (#95)

The following critical CVEs are fixed by bumping the Go version: GHSA-8c83-vp4v-h7fq, GHSA-v4m2-x4rp-hv22 and GHSA-7qhm-5mxq-x7vp

Author: kyubisation

.gitignore

@@ -69,6 +69,7 @@ typings/
 
 # Others
 .vscode
+.nx
 dist
 junit.xml
 

cli/Dockerfile

@@ -1,3 +1,3 @@
-FROM golang:1.17-alpine
+FROM golang:1.22-alpine
 RUN apk add upx
 RUN apk add git

go.mod

@@ -1,6 +1,6 @@
 module ngssc
 
-go 1.17
+go 1.22
 
 require (
 	github.com/bmatcuk/doublestar v1.3.2

package.json

@@ -3,7 +3,7 @@
   "version": "17.0.2",
   "description": "Configure an angular application on the server",
   "scripts": {
-    "build:lib": "ts-node --project scripts/tsconfig.json --esm ./scripts/build-lib.mts",
+    "build:lib": "node --no-warnings=ExperimentalWarning --loader ts-node/esm/transpile-only ./scripts/build-lib.mts",
     "build:cli": "docker-compose run --rm build-go",
     "build:cli:upx": "docker-compose run --rm -e BUILD_UPX=true build-go",
     "build:ngssc": "ng run ngssc-app:ngsscbuild:production",
@@ -45,59 +45,56 @@
   "homepage": "https://github.com/kyubisation/angular-server-side-configuration#readme",
   "private": true,
   "dependencies": {
-    "@angular/animations": "^17.0.1",
-    "@angular/common": "^17.0.1",
-    "@angular/compiler": "^17.0.1",
-    "@angular/core": "^17.0.1",
-    "@angular/forms": "^17.0.1",
-    "@angular/platform-browser": "^17.0.1",
-    "@angular/platform-browser-dynamic": "^17.0.1",
-    "@angular/platform-server": "^17.0.1",
-    "@angular/router": "^17.0.1",
-    "@angular/ssr": "^17.0.0",
+    "@angular/animations": "^17.3.8",
+    "@angular/common": "^17.3.8",
+    "@angular/compiler": "^17.3.8",
+    "@angular/core": "^17.3.8",
+    "@angular/forms": "^17.3.8",
+    "@angular/platform-browser": "^17.3.8",
+    "@angular/platform-browser-dynamic": "^17.3.8",
+    "@angular/platform-server": "^17.3.8",
+    "@angular/router": "^17.3.8",
+    "@angular/ssr": "^17.3.7",
     "rxjs": "7.8.1",
     "tslib": "^2.6.2",
     "zone.js": "~0.14.2"
   },
   "devDependencies": {
-    "@angular-devkit/architect": "^0.1700.0",
-    "@angular-devkit/build-angular": "^17.0.0",
-    "@angular-devkit/core": "^17.0.0",
-    "@angular-devkit/schematics": "^17.0.0",
-    "@angular-eslint/builder": "17.0.0",
-    "@angular-eslint/eslint-plugin": "17.0.0",
-    "@angular-eslint/eslint-plugin-template": "17.0.0",
-    "@angular-eslint/schematics": "17.0.0",
-    "@angular-eslint/template-parser": "17.0.0",
-    "@angular/cli": "^17.0.0",
-    "@angular/compiler-cli": "^17.0.1",
-    "@angular/localize": "17.0.1",
-    "@schematics/angular": "^17.0.0",
-    "@types/jasmine": "~5.1.0",
-    "@types/node": "^20.8.10",
-    "@typescript-eslint/eslint-plugin": "^6.10.0",
-    "@typescript-eslint/parser": "^6.10.0",
+    "@angular-devkit/architect": "^0.1703.7",
+    "@angular-devkit/build-angular": "^17.3.7",
+    "@angular-devkit/core": "^17.3.7",
+    "@angular-devkit/schematics": "^17.3.7",
+    "@angular-eslint/builder": "17.4.0",
+    "@angular-eslint/eslint-plugin": "17.4.0",
+    "@angular-eslint/eslint-plugin-template": "17.4.0",
+    "@angular-eslint/schematics": "17.4.0",
+    "@angular-eslint/template-parser": "17.4.0",
+    "@angular/cli": "^17.3.7",
+    "@angular/compiler-cli": "^17.3.8",
+    "@angular/localize": "17.3.8",
+    "@schematics/angular": "^17.3.7",
+    "@types/jasmine": "~5.1.4",
+    "@types/node": "^20.12.11",
+    "@typescript-eslint/eslint-plugin": "^7.2.0",
+    "@typescript-eslint/parser": "^7.2.0",
     "cross-env": "^7.0.3",
-    "eslint": "^8.53.0",
-    "eslint-plugin-import": "2.29.0",
-    "glob": "^10.3.10",
+    "eslint": "^8.57.0",
+    "eslint-plugin-import": "npm:eslint-plugin-i@^2.29.1",
+    "glob": "^10.3.14",
     "jasmine": "~5.1.0",
     "jasmine-core": "~5.1.1",
-    "karma": "~6.4.2",
+    "karma": "~6.4.3",
     "karma-chrome-launcher": "~3.2.0",
     "karma-coverage": "~2.2.1",
     "karma-jasmine": "~5.1.0",
     "karma-jasmine-html-reporter": "~2.1.0",
-    "ng-packagr": "^17.0.0",
+    "ng-packagr": "^17.3.0",
     "npm-run-all": "^4.1.5",
-    "prettier": "3.0.3",
+    "prettier": "3.2.5",
     "standard-version": "^9.5.0",
-    "ts-node": "^10.9.1",
+    "ts-node": "^10.9.2",
     "typescript": "~5.2.2"
   },
-  "resolutions": {
-    "cliui": "^7.0.0"
-  },
   "prettier": {
     "singleQuote": true,
     "endOfLine": "lf",

projects/angular-server-side-configuration/builders/browser/schema.json

@@ -279,8 +279,7 @@
     },
     "deployUrl": {
       "type": "string",
-      "description": "URL where files will be deployed.",
-      "x-deprecated": "Use \"baseHref\" option, \"APP_BASE_HREF\" DI token or a combination of both instead. For more information, see https://angular.io/guide/deployment#the-deploy-url."
+      "description": "Customize the base path for the URLs of resources in 'index.html' and component stylesheets. This option is only necessary for specific deployment scenarios, such as with Angular Elements or when utilizing different CDN locations."
     },
     "verbose": {
       "type": "boolean",
@@ -445,7 +444,7 @@
       ]
     },
     "allowedCommonJsDependencies": {
-      "description": "A list of CommonJS packages that are allowed to be used without a build time warning.",
+      "description": "A list of CommonJS or AMD packages that are allowed to be used without a build time warning. Use `'*'` to allow all.",
       "type": "array",
       "items": {
         "type": "string"
@@ -524,11 +523,11 @@
           "properties": {
             "src": {
               "type": "string",
-              "pattern": "\\.(([cm]?j|t)sx?|json)$"
+              "pattern": "\\.(([cm]?[jt])sx?|json)$"
             },
             "replaceWith": {
               "type": "string",
-              "pattern": "\\.(([cm]?j|t)sx?|json)$"
+              "pattern": "\\.(([cm]?[jt])sx?|json)$"
             }
           },
           "additionalProperties": false,
@@ -542,11 +541,11 @@
           "properties": {
             "replace": {
               "type": "string",
-              "pattern": "\\.(([cm]?j|t)sx?|json)$"
+              "pattern": "\\.(([cm]?[jt])sx?|json)$"
             },
             "with": {
               "type": "string",
-              "pattern": "\\.(([cm]?j|t)sx?|json)$"
+              "pattern": "\\.(([cm]?[jt])sx?|json)$"
             }
           },
           "additionalProperties": false,

projects/angular-server-side-configuration/builders/dev-server/schema.json

@@ -13,7 +13,7 @@
     "buildTarget": {
       "type": "string",
       "description": "A build builder target to serve in the format of `project:target[:configuration]`. You can also pass in more than one configuration name as a comma-separated list. Example: `project:target:production,staging`.",
-      "pattern": "^[^:\\s]+:[^:\\s]+(:[^\\s]+)?$"
+      "pattern": "^[^:\\s]*:[^:\\s]*(:[^\\s]+)?$"
     },
     "port": {
       "type": "number",
@@ -69,11 +69,11 @@
     },
     "publicHost": {
       "type": "string",
-      "description": "The URL that the browser client (or live-reload client, if enabled) should use to connect to the development server. Use for a complex dev server setup, such as one with reverse proxies."
+      "description": "The URL that the browser client (or live-reload client, if enabled) should use to connect to the development server. Use for a complex dev server setup, such as one with reverse proxies. This option has no effect when using the 'application' or other esbuild-based builders."
     },
     "allowedHosts": {
       "type": "array",
-      "description": "List of hosts that are allowed to access the dev server.",
+      "description": "List of hosts that are allowed to access the dev server. This option has no effect when using the 'application' or other esbuild-based builders.",
       "default": [],
       "items": {
         "type": "string"
@@ -85,7 +85,7 @@
     },
     "disableHostCheck": {
       "type": "boolean",
-      "description": "Don't verify connected clients are part of allowed hosts.",
+      "description": "Don't verify connected clients are part of allowed hosts. This option has no effect when using the 'application' or other esbuild-based builders.",
       "default": false
     },
     "hmr": {
@@ -107,6 +107,30 @@
       "description": "Force the development server to use the 'browser-esbuild' builder when building. This is a developer preview option for the esbuild-based build system.",
       "default": false
     },
+    "prebundle": {
+      "description": "Enable and control the Vite-based development server's prebundling capabilities. To enable prebundling, the Angular CLI cache must also be enabled. This option has no effect when using the 'browser' or other Webpack-based builders.",
+      "oneOf": [
+        {
+          "type": "boolean"
+        },
+        {
+          "type": "object",
+          "properties": {
+            "exclude": {
+              "description": "List of package imports that should not be prebundled by the development server. The packages will be bundled into the application code itself.",
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          },
+          "additionalProperties": false,
+          "required": [
+            "exclude"
+          ]
+        }
+      ]
+    },
     "additionalEnvironmentVariables": {
       "type": "array",
       "description": "Additional environment variables that should be added to ngssc.json"

projects/angular-server-side-configuration/builders/ngsscbuild/index.spec.ts

@@ -2,7 +2,7 @@ import { Architect } from '@angular-devkit/architect';
 import { TestProjectHost } from '@angular-devkit/architect/testing';
 import { normalize, virtualFs } from '@angular-devkit/core';
 
-import { Ngssc } from 'angular-server-side-configuration';
+import type { Ngssc } from 'angular-server-side-configuration';
 
 import { applicationHost, createArchitect, legacyHost } from '../../../../test/test-utils';
 

projects/angular-server-side-configuration/builders/ngsscbuild/index.ts

@@ -54,7 +54,8 @@ export async function detectVariablesAndBuildNgsscJson(
   applicationBuilderVariant: ApplicationBuilderVariant = undefined,
 ) {
   const ngsscContext = await detectVariables(context, options.searchPattern);
-  let outputPath = join(context.workspaceRoot, builderOptions.outputPath);
+  // TODO: Fix possible outputPath options.
+  let outputPath = join(context.workspaceRoot, builderOptions.outputPath as string);
   const ngssc = buildNgssc(
     ngsscContext,
     options,