CodeQL documentation

Incompatible dependency injection

ID: js/angular/incompatible-service
Kind: problem
Security severity: 
Severity: error
Precision: high
   - correctness
   - frameworks/angularjs
Query suites:
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

AngularJS has built-in support for dependency injection: components can simply list the names of the services they depend on, and AngularJS will provide appropriate instances and pass them as arguments at runtime.

Each injected service has a kind, this kind influences which components the service is compatible with.


Ensure that declared dependencies have the right kind for the component they are injected into.


The following example shows a config-method that lists a dependency on a service named year. Later, a service of kind value is defined with the name year. This is not allowed, since config-methods can only be injected with services of kind provider or constant.

angular.module('myModule', [])
    .config(['year', function(year) {
        // ...

    .value('year', 2000); // BAD: year is of kind 'value'

To solve this problem, the year service has to be of kind constant.

angular.module('myModule', [])
    .config(['year', function(year) {
        // ...

    .constant('year', 2000); // GOOD: year is of kind 'constant'


  • © GitHub, Inc.
  • Terms
  • Privacy