@angular/core and @angular/compiler explicitly listed as dependencies in published package.json

[Timebutt]

Describe the bug

I'm seeing a Typescript issue because of @angular/core being explicitly listed as a dependency of codelyzer.

Context and configuration

codelyzer lists @angular/core: 9.0.0 as an explicit dependency in its package.json, while my own app is running @angular/core: 9.2.13. I have a custom rule that extends BasicTemplateAstVisitor.

The following code snippet is a minimal reproduction of the scenario I'm facing:

import { ElementAst } from '@angular/compiler';
import { BasicTemplateAstVisitor } from 'codelyzer';

export class TemplateVisitorController extends BasicTemplateAstVisitor {
    visitElement(elementAst: ElementAst, context: BasicTemplateAstVisitor): void {
        this.validateElement(elementAst);
        super.visitElement(elementAst, context);
    }
}

This throws a Typescript error with the latest version of codelyzer:

libs/design-system-tslint/src/rules/util/designSystemComponentHelper.ts(51,5): error TS2416: Property 'visitElement' in type 'TemplateVisitorController' is not assignable to the same property in base type 'BasicTemplateAstVisitor'.
  Type '(elementAst: ElementAst, context: BasicTemplateAstVisitor) => any' is not assignable to type '(element: ElementAst, context: any) => any'.
    Types of parameters 'elementAst' and 'element' are incompatible.
      Type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").ElementAst' is not assignable to type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").ElementAst'.
        Types of property 'attrs' are incompatible.
          Type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").AttrAst[]' is not assignable to type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").AttrAst[]'.
            Type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").AttrAst' is not assignable to type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").AttrAst'.
              Types of property 'visit' are incompatible.
                Type '(visitor: import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").TemplateAstVisitor, context: any) => any' is not assignable to type '(visitor: import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").TemplateAstVisitor, context: any) => any'.
                  Types of parameters 'visitor' and 'visitor' are incompatible.
                    Type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").TemplateAstVisitor' is not assignable to type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").TemplateAstVisitor'.
                      Types of property 'visitEmbeddedTemplate' are incompatible.
                        Type '(ast: import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").EmbeddedTemplateAst, context: any) => any' is not assignable to type '(ast: import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").EmbeddedTemplateAst, context: any) => any'.
                          Types of parameters 'ast' and 'ast' are incompatible.
                            Type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").EmbeddedTemplateAst' is not assignable to type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").EmbeddedTemplateAst'.
                              Types of property 'outputs' are incompatible.
                                Type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").BoundEventAst[]' is not assignable to type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").BoundEventAst[]'.
                                  Type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").BoundEventAst' is not assignable to type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").BoundEventAst'.
                                    Types of property 'handler' are incompatible.
                                      Type 'AST' is missing the following properties from type 'ASTWithSource': ast, source, location, errors
libs/design-system-tslint/src/rules/util/designSystemComponentHelper.ts(53,28): error TS2345: Argument of type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").ElementAst' is not assignable to parameter of type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").ElementAst'.
  Types of property 'attrs' are incompatible.
    Type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").AttrAst[]' is not assignable to type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").AttrAst[]'.
      Type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").AttrAst' is not assignable to type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").AttrAst'.
        Types of property 'visit' are incompatible.
          Type '(visitor: import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").TemplateAstVisitor, context: any) => any' is not assignable to type '(visitor: import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").TemplateAstVisitor, context: any) => any'.
            Types of parameters 'visitor' and 'visitor' are incompatible.
              Type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").TemplateAstVisitor' is not assignable to type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").TemplateAstVisitor'.
                Types of property 'visitEmbeddedTemplate' are incompatible.
                  Type '(ast: import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").EmbeddedTemplateAst, context: any) => any' is not assignable to type '(ast: import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").EmbeddedTemplateAst, context: any) => any'.
                    Types of parameters 'ast' and 'ast' are incompatible.
                      Type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").EmbeddedTemplateAst' is not assignable to type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").EmbeddedTemplateAst'.
                        Types of property 'directives' are incompatible.
                          Type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").DirectiveAst[]' is not assignable to type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").DirectiveAst[]'.
                            Type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").DirectiveAst' is not assignable to type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").DirectiveAst'.
                              Types of property 'hostProperties' are incompatible.
                                Type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").BoundElementPropertyAst[]' is not assignable to type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").BoundElementPropertyAst[]'.
                                  Type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").BoundElementPropertyAst' is not assignable to type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").BoundElementPropertyAst'.
                                    Types of property 'type' are incompatible.
                                      Type 'import("/usr/src/app/node_modules/@angular/compiler/src/template_parser/template_ast").PropertyBindingType' is not assignable to type 'import("/usr/src/app/node_modules/codelyzer/node_modules/@angular/compiler/src/template_parser/template_ast").PropertyBindingType'.

This error stems from the fact that ElementAst in visitElement (node_modules\codelyzer\angular\templates\basicTemplateAstVisitor.d.ts) refers to node_modules\codelyzer\node_modules\@angular\compiler\src\template_parser\template_ast.d.ts as opposed to node_modules\@angular\compiler\compiler.d.ts.

Removing both @angular/core as well as @angular/compiler from the codelyzer package.json and running an npm i in node_modules/codelyzer addresses the issue locally, because it then starts using the right @angular/compiler.

So this makes me wonder: why are @angular/core and @angular/common explicitly listed as dependencies in the published package? AFAIK having dependencies in a package is bad idea, and peerDependencies are the way to go. Am I missing something here?

Expected behavior

No Typescript error should be thrown, since codelyzer should be using @angular/core from your main node_modules.

Proposed fix

Remove @angular/core and @angular/compiler from the published package.json.

Environment

Irrelevant AFAIK, can add if needed.

[yannickl88]

Was upgrading our Angular app and had to upgrade Codelyzer for the support of v11. However, this will result in two different versions of @angular/compiler and @angular/core in my yarn.lock file: one version 11 (Angular itself) and one version 9 (Codelyzer).

This does not seem the desired behavior, so it means our upgrade is blocked because of this.

[codestart]

This error caused me to have to remove Codelyzer from our app. There is a work-around, but we have too many people installing to have to explain work-around to each.

Work-around is to:

1. installl angular core 9
2. install angular compiler 9 (this will have updated package.json)
3. run npm install (or whatever you use) for the rest
4. revert package.json
5. run npm install again (now with correct versions of angular)

Hope this is fixed soon.

[drk-mtr]

This also leads to npm audit vulnerabilities that can't be resolved:

# npm audit report

@angular/core  <11.0.5
Severity: moderate
Cross site scripting in Angular - https://github.com/advisories/GHSA-c75v-2vq8-878f
fix available via `npm audit fix --force`
Will install codelyzer@0.0.28, which is a breaking change
node_modules/codelyzer/node_modules/@angular/core
  codelyzer  >=1.0.0-beta.0
  Depends on vulnerable versions of @angular/core
  node_modules/codelyzer

2 moderate severity vulnerabilities

Running npm audit fix --force will result in codelyzer being downgraded to 0.0.28 which wouldn't be what we want, removing codelyzer from our solution for now.

[robertdempsey]

Having these dependencies results in not being able to build our project that is within a monorepo, as Angular 9.0.0 is what gets installed in the root node_modules directory, as opposed to version ^14.0.0 that our project desires. Is there a chance these are going to be removed?

[TomTimTam]

Bump. Any actions taken around this for the 2+ years the issue has been open?

With Codelyzer currently on 6.0.2, npm resolves it's dependency on vulnerability @angular/core <11.0.5
by downgrading to ^0.0.28.

I would be flattered by a response from the dev team, uninstalling such a fantastic package would be a shame.

54 Open PRs, some date back to 2019?
Apparently this has been abandoned 2 years ago min.