Update dependency angular.js to v1.8.3 #4766
Open
This PR contains the following updates:
1.6.1 -> 1.8.3
Release Notes
angular/angular.js (angular.js)
v1.8.3
Compare Source
One final release of AngularJS in order to update package README files on npm.
v1.8.2
Compare Source
Bug Fixes
resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)
v1.8.1
Compare Source
Bug Fixes
(2fab3d)
Refactorings
(76738102)
(c953af6b)
(a206e267)
Deprecation Notices
$compileProvider.aHrefSanitizationWhitelist. It is now aHrefSanitizationTrustedUrlList.
$compileProvider.imgSrcSanitizationWhitelist. It is now imgSrcSanitizationTrustedUrlList.
$httpProvider.xsrfWhitelistedOrigins. It is now xsrfTrustedOrigins.
$sceDelegateProvider.resourceUrlWhitelist. It is now trustedResourceUrlList.
$sceDelegateProvider.resourceUrlBlacklist. It is now bannedResourceUrlList.
For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.
v1.8.0
Compare Source
This release contains a breaking change to resolve a security issue which was discovered by
Krzysztof Kotowicz (@koto); and independently by Esben Sparre Andreasen (@esbena) while
performing a Variant Analysis of CVE-2020-11022
which itself was found and reported by Masato Kinugawa (@masatokinugawa).
Bug Fixes
(2df43c)
Breaking Changes
jqLite due to:
JqLite no longer turns XHTML-like strings like <div /><span /> to sibling elements <div></div><span></span> when not in XHTML mode. Instead it will leave them as-is. The browser, in non-XHTML mode, will convert these to: <div><span></span></div>.
This is a security fix to avoid an XSS vulnerability if a new jqLite element is created from a user-controlled HTML string.
If you must have this functionality and understand the risk involved then it is possible to restore the original behavior by calling
But you should adjust your code for this change and remove your use of this function as soon as possible.
Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the jQuery 3.5 upgrade guide for more details about the workarounds.
v1.7.9
Compare Source
Bug Fixes
(726f49)
(Thanks to the Snyk Security Research Team for identifying this issue.)
(5edd25, #16860, #16868)
v1.7.8
Compare Source
Bug Fixes
(a4c7bd, #16830, #16836)
v1.7.7
Compare Source
Bug Fixes
(5ad4f5, #16814, #16820)
v1.7.6
Compare Source
Bug Fixes
(772440, #16797, #16798)
(27486b, #16778, #16779)
(cf919a)
(d4d103, #16776, #16777)
contenteditable before blocking spacebar (289374, #16762)
(7cbb10)
(eb49f6)
(2f72a6, #16606)
(90a41d, #16734)
(eefaa7, #16164, #16471)
(0e1bd7, #16692, #16715)
ngIf on the same element (b27080, #16616, #16729)
(3cdffc, #16702)
(d6098e, #16709)
Performance Improvements
(692622, #14691, #16760)
v1.7.5
Compare Source
Bug Fixes
(f3a565, #16697, #16699)
v1.7.4
Compare Source
Bug Fixes
(61b335, #16664, #16680)
(3105b2, #16681, #16677)
(2ceeb7)
(30084c, #16652, #16626)
undefined (668a33, #16653, #16656)
v1.7.3
Compare Source
Bug Fixes
(e68697, #16592, #16611)
$locationChange* events due to empty hash (1144b1, #16632, #16636)
$exceptionHandler (4adbf8, #16644)
(be417f, #14173, #16589)
(0a1db2, #16645)
$animate.enabled(element, enabled) (4bd424, #16649)
(05ac70, #16535, #16647)
DocumentFragment bug (10973c, #16607, #16615)
(688211)
(535ee3, #14673, #14674)
cleanData() if _data() returns undefined (7cf4a2, #16641, #16642)
(3a517c, #14665, #16604)
New Features
(a5914c, #16428, #16235, #16614)
$flushPendingTasks() and $verifyNoPendingTasks() (6f7674, #14336)
(17b139)
(fc64e6, #12697, #13059)
(c9d1e6, #16601, #14749, #14517, #13202)
timeStripZeroSeconds and timeSecondsFormat (b68221, #10721, #16510, #16584)
Performance Improvements
(093635, #14165, #14166, #16613)
v1.7.2
Compare Source
In the previous release, we removed a private, undocumented API that was no longer used by
AngularJS. It turned out that several popular UI libraries (such as AngularJS Material,
UI Bootstrap, ngDialog and probably others) relied on that API.
In order to avoid unnecessary pain for developers, this release reverts the removal of the private
API and restores compatibility of the aforementioned libraries with the latest AngularJS.
Reverts
preAssignBindingsEnabled leftovers (2da495, #16580, a81232, #16595)
v1.7.1
Compare Source
Bug Fixes
(789db8, #15554, #15555)
(2b6c98, #16583, #16585)
New Features
(f9d1ca, #14039, #16553, #15874)
(bf841d, #16511)
(3d6c45, #14744, #15707, #16283, #16299, #16591)
(7d9d38, #14602, #14672, #14833)
(10a229, #16543, #16544)
(a8c263, #12008, #12213, #16587)
$httpBackend request (773f39, #16251, #11637, #16560)
reloadOnUrl configuration option (f4f571, #7925, #15002)
v1.7.0
Compare Source
Here are the full changes for the release of 1.7.0 that are not already released in the 1.6.x branch,
which includes commits from 1.7.0-rc.0 and commits from 1.7.0 directly.
1.7.0 is the last scheduled release of AngularJS that includes breaking changes. 1.7.x patch
releases will continue to receive bug fixes and non-breaking features until AngularJS enters Long
Term Support mode (LTS) on July 1st 2018.
Bug Fixes
(656c8f, #4516, #14667, #14685)
(aa3f95, #12761, #16325)
(627180, #16537, #16539)
(b7d396, #15869, #16512)
(38f8c9, #15782)
base[href] to the list of RESOURCE_URL context attributes (1cf728, #15597)
(a8bef9, #16424, #16476)
(336525, #16424, #16476)
(73c646, #16465)
(ea0585, #6731, #9334, #6865, #16446)
(c617d6)
(fb0099, #16225)
(16b82c, #14204, #16373)
(67f54b, #16427, #16431)
$touchProvider, and $touch (11d9ad, #15761, #15755)
(0cd392, #9405)
(223de5, #10071)
(c2b8fa)
(02c046, #15127, #15494)
(6d5ef3, #15113, #16367)
(74b04c, #14292, #10076, #16347)
(a784fa, #16138, #16139)
null and undefined (301fdd)
(87a586)
(2ee503, #16021)
(de7403)
angular.lowercase and angular.uppercase (1daa4f, #15445)
(e269c1, #15349, #15762)
New Features
angular.isArray() (e3ece2, #15533, #15541)
$sce service (1e9ead)
null and undefined greater than other values (1d8046, #15294, #16376)
request and requestError interceptors (#15674) (240a3d, #5146)
(55ba44, #15411, #16335)
xlink:href security context for SVG's a and image elements (6ccbfa, #15736)
Performance Improvements
(97b00c)
(15bbd3, #15947)
(fd4f01, #15301)
Breaking Changes
jqLite due to:
Before this commit removeData() invoked on an element removed its event handlers as well. If you want to trigger a full cleanup of an element, change:
to:
In most cases, though, cleaning up after an element is supposed to be done
only when it's removed from the DOM as well; in such cases the following:
will remove event handlers as well.
$cookies due to:
The $cookieStore has been removed. Migrate to the $cookies service. Note that
for object values you need to use the putObject & getObject methods as get/put
will not correctly save/retrieve them.
Before:
After:
$resource due to:
If you are not using success or error callbacks with $resource, your app should not be affected by this change.
If you are using success or error callbacks (with or without response interceptors), one (subtle) difference is that throwing an
error inside the callbacks will not propagate to the returned $promise. Therefore, you should try to use the promises whenever possible. E.g.:
Finally, if you are using success or error callbacks with response interceptors, the callbacks will now always run after the interceptors
(and wait for them to resolve in case they return a promise).
Previously, the error callback was called before the responseError interceptor and the success callback was synchronously called after
the response interceptor. E.g.:
request and requestError interceptors (#15674)
Previously, calling a $resource method would synchronously call $http. Now, it will be called asynchronously (regardless if a
request/requestError interceptor has been defined).
This is not expected to affect applications at runtime, since the
overall operation is asynchronous already, but may affect assertions in
tests. For example, if you want to assert that $http has been called
with specific arguments as a result of a $resource call, you now need
to run a $digest first, to ensure the (possibly empty) request
interceptor promise has been resolved.
Before:
After:
$templateRequest:
Previously the tpload error was namespaced to $compile. If you have
code that matches errors of the form [$compile:tpload] it will no
longer run. You should change the code to match [$templateRequest:tpload].
The service now returns the result of $templateCache.put() when making a server request to the
template. Previously it would return the content of the response directly.
This now means if you are decorating $templateCache.put() to manipulate the template, you will
now get this manipulated result also on the first $templateRequest rather than only on subsequent
calls (when the template is retrieved from the cache).
In practice this should not affect any apps, as it is unlikely that they rely on the template being
different in the first and subsequent calls.
$animate due to:
$animate.cancel(runner) now rejects the underlying
promise and calls the catch() handler on the runner
returned by $animate functions (enter, leave, move,
addClass, removeClass, setClass, animate).
Previously it would resolve the promise as if the animation
had ended successfully.
Example:
Pre-1.7.0, this logs 'success', 1.7.0 and later it logs 'cancelled'.
To migrate, add a catch() handler to your animation runners.
angular.isArray due to:
angular.isArray()
Previously, angular.isArray() was an alias for Array.isArray().
Therefore, objects that prototypally inherit from Array were not
considered arrays. Now such objects are considered arrays too.
This change affects several other methods that use angular.isArray()
under the hood, such as angular.copy(), angular.equals(),
angular.forEach(), and angular.merge().
This in turn affects how dirty checking treats objects that prototypally
inherit from Array (e.g. MobX observable arrays). AngularJS will now
be able to handle these objects better when copying or watching.
$sce :
$sce service
If you use attrs.$set for URL attributes (a[href] and img[src]) there will no
longer be any automated sanitization of the value. This is in line with other
programmatic operations, such as writing to the innerHTML of an element.
If you are programmatically writing URL values to attributes from untrusted
input then you must sanitize it yourself. You could write your own sanitizer or copy
the private $$sanitizeUri service.
Note that values that have been passed through the $interpolate service within the
URL or MEDIA_URL will have already been sanitized, so you would not need to sanitize
these values again.
$sce service
binding trustAs() and the short versions (trustAsResourceUrl() et al.) to ngSrc,
ngSrcset, and ngHref will now raise an infinite digest error:
This is because the $interpolate service is now responsible for sanitizing
the attribute value, and its watcher receives a new object from trustAs()
on every digest.
To migrate, compute the trusted value only when the input value changes:
orderBy due to:
null and undefined greater than other values
When using orderBy to sort arrays containing null values, the null values
will be considered "greater than" all other values, except for undefined.
Previously, they were sorted as strings. This will result in different (but more
intuitive) sorting order.
Before:
After:
ngScenario due to:
The angular scenario runner end-to-end test framework has been
removed from the project and will no longer be available on npm
or bower starting with 1.7.0.
It was deprecated and removed from the documentation in 2014.
Applications that still use it should migrate to
Protractor.
Technically, it should also be possible to continue using an
older version of the scenario runner, as the underlying APIs have
not changed. However, we do not guarantee future compatibility.
form due to:
Forms will now set $submitted on child forms when they are submitted.
For example:
Submitting this form will set $submitted on "parentform" and "childform".
Previously, it was only set on "parentform".
This change was introduced because mixing form and ngForm does not create
logically separate forms, but rather something like input groups.
Therefore, child forms should inherit the submission state from their parent form.
ngAria due to:
ngAria no longer sets aria-* attributes on input[type="hidden"] with ngModel.
This can affect apps that test for the presence of aria attributes on hidden inputs.
To migrate, remove these assertions.
In actual apps, this should not have a user-facing effect, as the previous behavior
was incorrect, and the new behavior is correct for accessibility.
ngModel, input due to:
Custom parsers that fail to parse on input types "email", "url", "number", "date", "month",
"time", "datetime-local", "week", do no longer set ngModelController.$error[inputType], and
the ng-invalid-[inputType] class. Also, custom parsers on input type "range" do no
longer set ngModelController.$error.number and the ng-invalid-number class.
Instead, any custom parsers on these inputs set ngModelController.$error.parse and
ng-invalid-parse. This change was made to make distinguishing errors from built-in parsers
and custom parsers easier.
ngModelOptions due to:
the 'default' key in 'debounce' now only debounces the default event, i.e. the event
that is added as an update trigger by the different input directives automatically.
Previously, it also applied to other update triggers defined in 'updateOn' that
did not have a corresponding key in the 'debounce'.
This behavior is now supported via a special wildcard / catch-all key: '*'.
See the following example:
Pre-1.7:
'mouseup' is also debounced by 500 milliseconds because 'default' is applied:
1.7:
The pre-1.7 behavior can be re-created by setting '*' as a catch-all debounce value:
In contrast, when only 'default' is used, 'blur' and 'mouseup' are not debounced:
input[number] due to:
input[type=number] with ngModel now validates the input for the max/min restriction against
the ngModelController.$viewValue instead of against the ngModelController.$modelValue.
This affects apps that use $parsers or $formatters to transform the input / model value.
If you rely on the $modelValue validation, you can overwrite the min/max validator from a custom directive, as seen in the following example directive definition object:
input due to:
input[radio] and input[checkbox] now listen to the "change" event instead of the "click" event.
Most apps should not be affected, as "change" is automatically fired by browsers after "click"
happens.
Two scenarios might need migration:
Before this change, custom click event listeners on radio / checkbox would be called after the
input element and ngModel had been updated, unless they were specifically registered before
the built-in click handlers.
After this change, they are called before the input is updated, and can call event.preventDefault()
to prevent the input from updating.
If an app uses a click event listener that expects ngModel to be updated when it is called, it now
needs to register a change event listener instead.
Conventional trigger functions:
The change event might not be fired when the input element is not attached to the document. This
can happen in tests that compile input elements and
trigger click events on them. Depending on the browser (Chrome and Safari) and the trigger method,
the change event will not be fired when the input isn't attached to the document.
Before:
With this patch, $rootScope.checkbox might not be true, because the click event
hasn't triggered the change event. To make the test work, append the inputElm to the app's
$rootElement, and the $rootElement to the $document.
After:
triggerHandler():
If you are using this jQuery / jqLite function on the input elements, you don't have to attach
the elements to the document, but instead change the triggered event to "change". This is because
triggerHandler(event) only triggers the exact event when it has been added by jQuery / jqLite.
ngStyle due to:
Previously the use of deep watch by ng-style would trigger styles to be
re-applied when nested state changed. Now only changes to direct
properties of the watched object will trigger changes.
$compile due to:
Previously, the $compileProvider.preAssignBindingsEnabled flag was supported.
The flag controlled whether bindings were available inside the controller
constructor or only in the $onInit hook. The bindings are now no longer
available in the constructor.
To migrate your code:
If you haven't invoked $compileProvider.preAssignBindingsEnabled() you
don't have to do anything to migrate.
If you specified $compileProvider.preAssignBindingsEnabled(false), you
can remove that statement - since AngularJS 1.6.0 this is the default so your
app should still work even in AngularJS 1.6 after such removal. Afterwards,
migrating to AngularJS 1.7.0 shouldn't require any further action.
If you specified $compileProvider.preAssignBindingsEnabled(true) you need
to first migrate your code so that the flag can be flipped to false. The
instructions on how to do that are available in the "Migrating from 1.5 to 1.6"
guide:
https://docs.angularjs.org/guide/migration#migrating-from-1-5-to-1-6
Afterwards, remove the $compileProvider.preAssignBindingsEnabled(true)
statement.
xlink:href security context for SVG's a and image elements
In the unlikely case that an app relied on RESOURCE_URL whitelisting for the
purpose of binding to the xlink:href property of SVG's <a> or <image>
elements and if the values do not pass the regular URL sanitization, they will
break.
To fix this you need to ensure that the values used for binding to the affected
xlink:href contexts are considered safe URLs, e.g. by whitelisting them in
$compileProvider's aHrefSanitizationWhitelist (for <a> elements) or
imgSrcSanitizationWhitelist (for <image> elements).
Previously when a literal value was passed into a directive/component via
one-way binding it would be watched with a deep watcher.
For example, for <my-component input="[a]">, a new instance of the array
would be passed into the directive/component (and trigger $onChanges) not
only if a changed but also if any sub property of a changed such as
a.b or a.b.c.d.e etc.
This also means a new but equal value for a
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
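
The jqLite breaking change in the v1.8.0 notes above, as an added example that is not part of this PR or of AngularJS: a heuristic audit that flags HTML strings whose element structure differs between the pre-1.8.0 expansion and plain HTML parsing. The function names, the tag regex, the simplified parser model and the sample strings are assumptions constructed for illustration.

```javascript
'use strict';
// Added example, not AngularJS code: every name and regex here is hypothetical.

// HTML void elements; a trailing "/" on these means the same in both versions.
const VOID = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img',
  'input', 'link', 'meta', 'param', 'source', 'track', 'wbr']);

// Heuristic tag matcher: "/"?, name, attribute text, optional trailing "/".
// Assumption: attribute values contain no "<" or ">".
const TAG = /<(\/?)([A-Za-z][\w:-]*)([^<>]*?)(\/?)>/g;

// Pre-1.8.0 view: "<x />" on a non-void element is rewritten to "<x></x>".
function legacyExpand(html) {
  return html.replace(TAG, (m, close, name, attrs, slash) =>
    (!close && slash && !VOID.has(name.toLowerCase()))
      ? `<${name}${attrs.trimEnd()}></${name}>` : m);
}

// 1.8.0+ view in a text/html document: "/" on a non-void element is ignored,
// so "<x />" is an open tag. Simplified model: no implied end tags, and no
// SVG/MathML content (where "/>" really does close the element).
function htmlParserView(html) {
  const open = [];
  let out = html.replace(TAG, (m, close, name, attrs) => {
    const n = name.toLowerCase();
    if (close) {
      const i = open.lastIndexOf(n);
      if (i === -1) return '';                  // stray end tag: dropped
      return open.splice(i).reverse().map(t => `</${t}>`).join('');
    }
    if (!VOID.has(n)) open.push(n);
    return `<${name}${attrs.trimEnd()}>`;
  });
  while (open.length) out += `</${open.pop()}>`;  // close what is still open
  return out;
}

// Report strings whose element structure differs between the two versions.
function auditHtmlStrings(samples) {
  return samples
    .map(html => ({
      html,
      before: htmlParserView(legacyExpand(html)),
      after: htmlParserView(html),
    }))
    .filter(r => r.before !== r.after);
}

// Constructed sample inputs; the first is the string quoted in the release notes.
const SAMPLES = [
  '<div /><span />',
  '<br/><input type="text" />',
  '<my-widget /><p>footer</p>',
  '<div class="a" />',
];

for (const r of auditHtmlStrings(SAMPLES)) {
  console.log(`${r.html}\n  pre-1.8.0: ${r.before}\n  1.8.0+:    ${r.after}`);
}
```

Strings the audit reports are the ones to rewrite with explicit closing tags before merging the upgrade; strings it does not report parse to the same structure in both versions under this simplified model.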