CodeQL documentation

Incompatible dependency injection

ID: js/angular/incompatible-service
Kind: problem
Severity: error
Precision: high
Tags:
   - correctness
   - frameworks/angularjs
Query suites:
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

AngularJS has built-in support for dependency injection: components can simply list the names of the services they depend on, and AngularJS will provide appropriate instances and pass them as arguments at runtime.

Each injected service has a kind, this kind influences which components the service is compatible with.

Recommendation

Ensure that declared dependencies have the right kind for the component they are injected into.

Example

The following example shows a config-method that lists a dependency on a service named year. Later, a service of kind value is defined with the name year. This is not allowed, since config-methods can only be injected with services of kind provider or constant.

angular.module('myModule', [])
    .config(['year', function(year) {
        // ...
    }]);

angular.module('myModule')
    .value('year', 2000); // BAD: year is of kind 'value'

To solve this problem, the year service has to be of kind constant.

angular.module('myModule', [])
    .config(['year', function(year) {
        // ...
    }]);

angular.module('myModule')
    .constant('year', 2000); // GOOD: year is of kind 'constant'

References