Update dependency @angular/common to v19 [SECURITY]

[renovate-bot]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/common (source)	^18.2.0 → ^19.0.0

---

Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client

CVE-2025-66035 / GHSA-58c5-g7wp-6w37

More information

Details

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

1. The victim's Angular application must have XSRF protection enabled.
2. The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.

Patches

• 19.2.16
• 20.3.14
• 21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Severity

• CVSS Score: 7.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

References

• https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37
• https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f
• https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc
• https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e
• https://github.com/angular/angular/releases/tag/19.2.16
• https://github.com/angular/angular/releases/tag/20.3.14
• https://github.com/angular/angular/releases/tag/21.0.1
• https://nvd.nist.gov/vuln/detail/CVE-2025-66035
• https://github.com/advisories/GHSA-58c5-g7wp-6w37

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

angular/angular (@​angular/common)

v19.2.16

Compare Source

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

v19.2.15

Compare Source

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core

Commit	Type	Description
70d0639bc1	fix	introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.14

Compare Source

compiler

Commit	Type	Description
24bab55f0c	fix	lexer support for template literals in object literals (#​61601)

migrations

Commit	Type	Description
9e1cd49662	fix	preserve comments when removing unused imports (#​61674)

v19.2.13

Compare Source

common

Commit	Type	Description
2c876b4fc5	fix	avoid injecting ApplicationRef in FetchBackend (#​61649)

service-worker

Commit	Type	Description
b15bddfa04	fix	do not register service worker if app is destroyed before it is ready to register (#​61101)

v19.2.12

Compare Source

common

Commit	Type	Description
126efc9972	fix	cancel reader when app is destroyed (#​61528)
efda872453	fix	prevent reading chunks if app is destroyed (#​61354)

compiler

Commit	Type	Description
44bb328eae	fix	avoid conflicts between HMR code and local symbols (#​61550)

compiler-cli

Commit	Type	Description
107180260f	fix	Always retain prior results for all files (#​61487)
1191e62d70	fix	avoid ECMAScript private field metadata emit (#​61227)

core

Commit	Type	Description
2b1b14f4d3	fix	cleanup rxResource abort listener (#​58306)
8f9b05eaaa	fix	cleanup testability subscriptions (#​61261)
eb53bda470	fix	enable stashing only when withEventReplay() is invoked (#​61352)
94f5a4b4d6	fix	Testing should not throw when Zone does not patch test FW APIs (#​61376)
c0c69a5abc	fix	unregister onDestroy in toSignal. (#​61514)

platform-server

Commit	Type	Description
8edafd0559	perf	speed up resolution of base (#​61392)

v19.2.11

Compare Source

v19.2.10

Compare Source

common

Commit	Type	Description
89056a0356	fix	cleanup updateLatestValue if view is destroyed before promise resolves (#​61064)

core

Commit	Type	Description
4623b61448	fix	missing useExisting providers throwing for optional calls (#​61152)
400dbc5b89	fix	properly handle app stabilization with defer blocks (#​61056)

platform-server

Commit	Type	Description
a6f0d5bc20	fix	less aggressive ngServerMode cleanup (#​61106)

v19.2.9

Compare Source

core

Commit	Type	Description
946b844e0d	fix	async EventEmitter error should not prevent stability (#​61028)
dbb87026ca	fix	call DestroyRef on destroy callback if view is destroyed [patch] (#​61061)
2e140a136a	fix	prevent stash listener conflicts [patch] (#​61063)

v19.2.8

Compare Source

forms

Commit	Type	Description
ea4a211216	fix	make NgForm emit FormSubmittedEvent and FormResetEvent (#​60887)

v19.2.7

Compare Source

common

Commit	Type	Description
37ab6814f5	fix	issue a warning instead of an error when NgOptimizedImage exceeds the preload limit (#​60883)

core

Commit	Type	Description
b144126612	fix	inject migration: replace param with this. (#​60713)

http

Commit	Type	Description
d39e09da41	fix	Include HTTP status code and headers when HTTP requests errored in httpResource (#​60802)

v19.2.6

Compare Source

compiler

Commit	Type	Description
3441f7b914	fix	error if rawText isn't estimated correctly (#​60529) (#​60753)

compiler-cli

Commit	Type	Description
fc946c5f72	fix	ensure HMR works with different output module type (#​60797)

core

Commit	Type	Description
00bbd9b382	fix	fix docs for output migration (#​60764)
f2bfa3151e	fix	fix ng generate @​angular/core:output-migration. Fixes angular#​58650 (#​60763)
9241615ad0	fix	reduce total memory usage of various migration schematics (#​60776)

language-service

Commit	Type	Description
0e82d42774	fix	Do not provide element completions in end tag (#​60616)
fcdef1019f	fix	Ensure dollar signs are escaped in completions (#​60597)

v19.2.5

Compare Source

Commit	Type	Description
e61d06afb5	fix	step 6 tutorial docs (#​60630)

animations

Commit	Type	Description
fa48f98d9f	fix	add missing peer dependency on @angular/common (#​60660)

compiler

Commit	Type	Description
ca5aa4d55b	fix	throw for invalid "as" expression in if block (#​60580)

compiler-cli

Commit	Type	Description
f4c4b10ea8	fix	Produce fatal diagnostic on duplicate decorated properties (#​60376)
22a0e54ac4	fix	support relative imports to symbols outside rootDir (#​60555)

core

Commit	Type	Description
64da69f7b6	fix	check ngDevMode for undefined (#​60565)
8f68d1bec3	fix	fix ng generate @​angular/core:output-migration (#​60626)
bc79985c65	fix	fix regexp for event types (#​60592)
006ac7f22f	fix	fixes #​592882 ng generate @​angular/core:signal-queries-migration (#​60688)
da6e93f434	fix	preserve comments in internal inject migration (#​60588)
dbbddd1617	fix	prevent omission of deferred pipes in full compilation (#​60571)

language-service

Commit	Type	Description
0e9e0348dd	fix	Update adapter to log instead of throw errors (#​60651)

migrations

Commit	Type	Description
15f53f035b	fix	handle shorthand assignments in super call (#​60602)
4b161e6234	fix	inject migration not handling super parameter referenced via this (#​60602)

router

Commit	Type	Description
958e98e4f7	fix	Add missing types to transition (#​60307)

service-worker

Commit	Type	Description
7cd89ad2c6	fix	assign initializing client's app version, when a request is for worker script (#​58131)

v19.2.4

Compare Source

core

Commit	Type	Description
081f5f5a83f	fix	fix used templates are not deleted (#​60459)

localize

Commit	Type	Description
a2f622d82d6	fix	handle @​angular/build:karma in ng add (#​60513)

platform-browser

Commit	Type	Description
8e8ccc79279	fix	ensure platformBrowserTesting includes platformBrowser providers (#​60480)

v19.2.3

Compare Source

compiler-cli

Commit	Type	Description
aa8ea7a5b2	fix	report more accurate diagnostic for invalid import (#​60455)

core

Commit	Type	Description
13a8709b2b	fix	catch hydration marker with implicit body tag (#​60429)
296aded9da	fix	execute timer trigger outside zone (#​60392)
0615ffb4f7	fix	include input name in error message (#​60404)

platform-browser-dynamic

Commit	Type	Description
1e06c8e8b6	fix	ensure compiler is loaded before @angular/common (#​60458)

upgrade

Commit	Type	Description
9e1a1030c8	fix	handle output emitters when downgrading a component (#​60369)

v19.2.2

Compare Source

common

Commit	Type	Description
90a16a1088	fix	support equality function in httpResource (#​60026)

compiler

Commit	Type	Description
56b551d273	fix	incorrect spans for template literals (#​60323) (#​60331)

compiler-cli

Commit	Type	Description
23ca88522b	fix	handle transformed classes when generating HMR code (#​60298)

core

Commit	Type	Description
6dc41265fd	fix	check whether application is destroyed before initializing event replay (#​59789)
bb12b30d52	fix	ensures immediate trigger fires properly with lazy loaded routes (#​60203)
b144dd946e	fix	fix removal of a container reference used in the component file (#​60210)

platform-server

Commit	Type	Description
15c42969fc	fix	add missing peer dependency for rxjs (#​60308)

router

Commit	Type	Description
7bcdf7c143	fix	update symbols (#​60233)

v19.2.1

Compare Source

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core

Commit	Type	Description
70d0639bc1	fix	introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.0

Compare Source

common

Commit	Type	Description
3e39da593a	feat	introduce experimental httpResource (#​59876)

compiler

Commit	Type	Description
5b20bab96d	feat	Add Skip Hydration diagnostic. (#​59576)
fe8a68329b	feat	support untagged template literals in expressions (#​59230)

core

Commit	Type	Description
2588985f43	feat	pass signal node to throwInvalidWriteToSignalErrorFn (#​59600)
168516462a	feat	support default value in resource() (#​59655)
bc2ad7bfd3	feat	support streaming resources (#​59573)
146ab9a76e	feat	support TypeScript 5.8 (#​59830)
6c92d65349	fix	add hasValue narrowing to ResourceRef (#​59708)
96e602ebe9	fix	cancel in-progress request when same value is assigned (#​59280)
6789c7ef94	fix	Defer afterRender until after first CD (#​59455) (#​59551)
c87e581dd9	fix	Don't run effects in check no changes pass (#​59455) (#​59551)
127fc0dc84	fix	fix resource()'s previous.state (#​59708)
b592b1b051	fix	fix race condition in resource() (#​59851)
a299e02e91	fix	preserve tracing snapshot until tick finishes (#​59796)

forms

Commit	Type	Description
fa0c3e3210	feat	support type set in form validators (#​45793)

migrations

Commit	Type	Description
1cd3a7db83	feat	add migration to convert templates to use self-closing tags (#​57342)

platform-browser

Commit	Type	Description
e6cb411e43	fix	automatically disable animations on the server (#​59762)

platform-server

Commit	Type	Description
fc5d187da5	fix	decouple server from animations module ([#​59762](https://redirect.github.com/angular/ang

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: ui/package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: gcs-metadata-ui@0.0.0
npm error Found: @angular/core@18.2.14
npm error node_modules/@angular/core
npm error   @angular/core@"^18.2.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @angular/core@"19.2.21" from @angular/common@19.2.21
npm error node_modules/@angular/common
npm error   @angular/common@"^19.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-04-29T18_55_31_851Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-04-29T18_55_31_851Z-debug-0.log

[gemini-code-assist]

Code Review

This pull request updates the @angular/common dependency to version 19.0.0. Feedback indicates that this creates a version mismatch with other Angular core packages still on version 18. Additionally, it is recommended to upgrade to version 19.2.16 or higher to resolve a security vulnerability (CVE-2025-66035).

[gemini-code-assist]

Updating only @angular/common to v19 while keeping other Angular dependencies (such as @angular/core, @angular/compiler, and @angular/forms) at v18 creates a version mismatch. Angular framework packages are tightly coupled and must be upgraded together to the same major version to avoid peer dependency conflicts and potential runtime issues. Furthermore, the security fix for CVE-2025-66035 is specifically included in version 19.2.16 and above. The package-lock.json file is also out of sync.

Suggested change

	"@angular/common": "^19.0.0",
	"@angular/common": "^19.2.16",