-2

Let's say, for example, I have an Angular application built with the Angular v6 CLI that depends on an Angular library built with the Angular v8 CLI. Is it safe to use this library as a dependency, or should the application be updated to Angular v8?

Same question for the opposite scenario. If my application is built with the Angular v8 CLI and it depends on an Angular library built with the Angular v6 CLI, should the Angular library be updated to build with the Angular v8 CLI?

Fergal Rooney

1 Answer

1

Well, if it compiles and you have tests in your code, I think it's completely safe in terms of features. But you must have written tests for your code to make sure all the features you need from the libraries are working correctly (you don't need to test the library, of course, just the integration of its features into your components).

From the security point of view, you're open to security flaws in out-of-date nano dependencies that are not corrected in the out-of-date libraries (this is the cancer of JavaScript projects: nano dependencies).

Using a library built upon a greater version of Angular than that in your project may or may not work. If the author of the library specified the version as a peerDependency, something like @angular/core:^8.0, and you're trying to use it in an @angular 6 project, you'll get a warning during npm install and may have trouble during runtime (if the author has real reasons to specify that version as a peer dependency).

It's not uncommon for the authors to just keep the peer dependencies up to date, so it is possible in many cases to ignore the warning messages during the build and use the library. But to do it in a trustful way, you must have a bunch of tests covering the features you're using from that library.

julianobrasil
  • Yes, I've often wondered about the peerDependencies warning and whether or not it is safe to use that dependency. Agree that if you have proper test coverage, this should give you a level of comfort to proceed to use a library built with a different version. I'm guessing a major update like Angular 9 might be a different story due to the Ivy compiler, but I believe you can opt in to use ViewEngine for Angular 9 libraries to maintain compatibility with non-Ivy applications. – Fergal Rooney Apr 24 '20 at 16:02
  • Currently you can't use Angular Ivy in libraries. But that time will come. – julianobrasil Apr 24 '20 at 16:44
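
The peerDependency mismatch described in the answer can be checked before install, so the npm warning becomes a list you can review. This is an added example, not part of the original answer or comments: the library names and version numbers are constructed, and `satisfies` is a simplified stand-in for npm's range matching that handles only `^`, `>=` and exact versions joined by `||`.

```javascript
// Added example: simplified peer-dependency check (not npm's own algorithm).
// Assumes release versions only; prerelease tags are stripped before comparing.
function parseVersion(v) {
  const [maj = 0, min = 0, pat = 0] = v.trim().split('-')[0].split('.').map(Number);
  return [maj, min, pat];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) => {
    const m = alt.trim().match(/^(\^|>=)?\s*v?(\d+(?:\.\d+){0,2})$/);
    if (!m) return false; // unsupported syntax is reported as a mismatch
    const lo = parseVersion(m[2]);
    if (compare(v, lo) < 0) return false; // below the lower bound
    if (m[1] === '>=') return true;
    if (m[1] === '^') return v[0] === lo[0]; // same major; valid for major >= 1
    return compare(v, lo) === 0; // bare version: exact match only
  });
}

// Returns one entry per peer dependency the application does not satisfy.
function checkPeers(installed, libraries) {
  const problems = [];
  for (const lib of libraries) {
    for (const [peer, range] of Object.entries(lib.peerDependencies || {})) {
      const have = installed[peer];
      if (have === undefined || !satisfies(have, range)) {
        problems.push({ lib: lib.name, peer, range, have: have || null });
      }
    }
  }
  return problems;
}

// Constructed sample data: an Angular 6 application and two hypothetical libraries.
const SAMPLE_INSTALLED = { '@angular/core': '6.1.10', '@angular/common': '6.1.10' };
const SAMPLE_LIBRARIES = [
  { name: 'example-ui-lib', peerDependencies: { '@angular/core': '^8.0' } },
  { name: 'example-legacy-lib',
    peerDependencies: { '@angular/core': '>=6.0.0', '@angular/common': '^6.0.0 || ^7.0.0' } },
];

console.log(checkPeers(SAMPLE_INSTALLED, SAMPLE_LIBRARIES));
```

A non-empty result marks the libraries whose features need integration tests, or an upgrade decision, before the warning is ignored.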