Skip to content

Update dependency @angular/common [SECURITY]#20

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-angular-common-vulnerability
Open

Update dependency @angular/common [SECURITY]#20
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-angular-common-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate Bot commented Feb 20, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@angular/common (source) ^9.1.12^9.1.12 || ^21.0.0 age adoption passing confidence
@angular/common (source) ~9.1.12~19.2.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-66035

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

  1. The victim's Angular application must have XSRF protection enabled.
  2. The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.

Patches

  • 19.2.16
  • 20.3.14
  • 21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Severity
  • CVSS Score: 7.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Release Notes

angular/angular (@​angular/common)

v21.2.8

Compare Source

compiler
Commit Type Description
e40d378f3e fix handle nested brackets in host object bindings
compiler-cli
Commit Type Description
2c6781071f fix error for type parameter declarations
core
Commit Type Description
82192deda9 fix handle missing serialized container hydration data
057cc6d09d fix remove obsolete iOS cursor pointer hack in event delegation
language-service
Commit Type Description
7797671257 fix get quick info at local var location to align with TS semantics and support type narrowing

v21.2.7

Compare Source

compiler
Commit Type Description
fea25d1a60 fix register SVG animation attributes in URL security context (#​67797)
compiler-cli
Commit Type Description
bba5ed8e64 fix prevent recursive scope checks for invalid NgModule imports
core
Commit Type Description
d04ddd73df fix prevent binding unsafe attributes on SVG animation elements (#​67797)
8fd896e99a fix resolve component import by exact specifier in route lazy-loading schematic
b682c62873 fix treat object[data] as resource URL context (#​67797)
localize
Commit Type Description
3c41e74fdd fix validate locale in getOutputPathFn to prevent path traversal
router
Commit Type Description
0960592d3d fix pass outlet context to split to fix empty path named outlets

v21.2.6

Compare Source

common
Commit Type Description
b4ab6ba2e8 fix avoid redundant image fetch on destroy with auto sizes
compiler
Commit Type Description
880a57d4b3 fix prevent shimCssText from adding extra blank lines per CSS comment
core
Commit Type Description
ad0156e056 fix fixes a regression with animate.leave and reordering
migrations
Commit Type Description
73d6b01b47 fix inject migration not work in multi-project workspace with option path

v21.2.5

Compare Source

compiler
Commit Type Description
334ae10168 fix ensure generated code compiles
23ea431c4e fix parse named HTML entities containing digits
compiler-cli
Commit Type Description
26c43d14ba fix escape template literal in TCB
67e0ba7e03 fix generic types not filled out correctly in type check block
core
Commit Type Description
1890c3008b fix clean up dehydrated views during HMR component replacement
bf948be4c2 fix run linked signal equality check without reactive consumer
migrations
Commit Type Description
076d41c3f6 fix prevent trailing comma syntax errors after removing NgStyle
service-worker
Commit Type Description
e19150d2b5 fix preserve redirect policy on reconstructed asset requests

v21.2.4

Compare Source

compiler
Commit Type Description
ed2d324f9c fix disallow translations of iframe src
core
Commit Type Description
abbd8797bb fix reverts "feat(core): add support for nested animations"
d1dcd16c5b fix sanitize translated form attributes

v21.2.3

Compare Source

core
Commit Type Description
62a97f7e4b fix ensure definitions compile
21b1c3b2ee fix include signal debug names in their toString() representation
224e60ecb1 fix sanitize translated attribute bindings with interpolations

v21.2.2

Compare Source

compiler
Commit Type Description
1df1697c6e fix prevent mutation of children array in RecursiveVisitor
compiler-cli
Commit Type Description
c822bf8e76 fix always parenthesize object literals in TCB
05d022d5e6 fix ignore generated ngDevMode signal branch for code coverage
forms
Commit Type Description
670d1660c4 feat add 'blur' option to debounce rule

v21.2.1

Compare Source

core
Commit Type Description
e2e9a9a531 fix adds transfer cache to httpResource to fix hydration
b4ec3cc4e4 fix prevent child animation elements from being orphaned
e923d88398 fix Prevent removal of elements during drag and drop
http
Commit Type Description
277ade97ac fix correctly cache blob responses in transfer cache (#​67002)

v21.2.0

Compare Source

common
Commit Type Description
18003a33bb feat add an 'outlet' injector option for ngTemplateOutlet
8bbe6dc46c feat Add Location strategies to manage trailing slash on write
51cc914807 feat support height in ImageLoaderConfig and built-in loaders
compiler
Commit Type Description
72534e2a34 feat Add support for the instanceof binary operator
95b3f37d4a feat Exhaustive checks for switch blocks
04ba09a8d9 feat support AstVisitor.visitEmptyExpr()
ce80136e7b fix optimize away unnecessary restore/reset view calls
3242a61bae fix variable counter visiting some expressions twice
compiler-cli
Commit Type Description
473dd3e1cb fix attach source spans to object literal keys in TCB
a904d9f77b fix support nested component declaration
2ea6dfc6c9 fix update diagnostic to flag no-op arrow functions in listeners
core
Commit Type Description
8d5210c9fe feat add ChangeDetectionStrategy.Eager alias for Default
92d2498910 feat add host node to DeferBlockData (#​66546)
ea2016a6dc feat add support for nested animations
81cabc1477 feat add support for TypeScript 6
1ba9b7ac50 feat resource composition via snapshots
d9923b72a2 feat support arrow functions in expressions
a7e8abbb7e fix correctly handle SkipSelf when resolving from embedded view injector
0806ee3826 fix prevent animated element duplication with dynamic components in zoneless mode
ed78fa05c7 fix Remove note to skip arrow functions in best practices
forms
Commit Type Description
f56bb07d83 feat add field param to submit action and onInvalid
ba009b6031 feat add form directive
22afbb2f36 feat add parsing support to native inputs (#​66917)
95c386469c feat Add passing focus options to form field
95ecce8334 feat allow setting submit options at form-level
ebae211add feat introduce parse errors in signal forms
3937afc316 feat introduce SignalFormControl for Reactive Forms compatibility
30f0914754 feat support binding null to number input (#​66917)
dd208ca259 feat update submit function to accept options object
27397b3f4f fix clear parse errors when model updates (#​66917)
63d8005703 fix preserve custom-control focus context in signal forms
631f60d1f9 fix preserve parse errors when parse returns value
adfb83146b fix simplify design of parse errors
fb05fc86d0 fix sort error summary by DOM order
567f292e8e fix support custom controls as host directives
bdfb60f3e3 fix use consistent error format returned from parse
d75046bc09 fix warn when showing hidden field state
language-server
Commit Type Description
ebc90c26f5 feat Add completions and hover info for inline styles
26fd0839c3 feat Add folding range support for inline styles
573aadef7e feat Add quick info for inline styles
6fb39d9b62 feat Support client-side file watching via onDidChangeWatchedFiles
language-service
Commit Type Description
496967e7b1 feat add JSON schema for angularCompilerOptions
8c21866f49 feat add linked editing ranges for HTML tag synchronization
d2137928e8 perf use lightweight project warmup for Angular analysis
router
Commit Type Description
b51bab583d feat Add partial ActivatedRouteSnapshot information to canMatch params
cf9620f7d0 feat Make match options optional in isActive
907a94dcec feat Update IsActiveMatchOptions APIs to accept a Partial

v21.1.6

Compare Source

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 306f367)

common
Commit Type Description
31d3d56496 fix fix LCP image detection with duplicate URLs
compiler-cli
Commit Type Description
24b578ce90 fix detect uninvoked functions in defer trigger expressions
core
Commit Type Description
b858309532 fix block creation of sensitive URI attributes from ICU messages

v21.1.5

Compare Source

No user facing changes in this release

v21.1.4

Compare Source

compiler
Commit Type Description
caab23dfe6 fix add geolocation element to schema
core
Commit Type Description
2b99eaa019 fix capture animation dependencies eagerly to avoid destroyed injector
d6aeac504c fix Fix flakey test due to document injection
forms
Commit Type Description
0d1acd0165 feat support signal-based schemas in validateStandardSchema
http
Commit Type Description
3905015ccc fix correctly parse ArrayBuffer and Blob in transfer cache

v21.1.3

Compare Source

core
Commit Type Description
2b254bc050 fix linkedSignal.update should propagate errors
e5110b4fa1 fix export DirectiveWithBindings
2cf4da0ea1 fix hold constructors weakly in DepsTracker cache
70a5b651be fix prevent element duplication with dynamic components
forms
Commit Type Description
6f75b6e3f6 fix Resolves debounce promise on abort in debounceForDuration
localize
Commit Type Description
4c7126d23b fix add support for unit-test builder in ng-add schematic
router
Commit Type Description
d6268c0bbb fix limit UrlParser recursion depth to prevent stack overflow
49a36f4cc7 perf Use .bind to avoid holding other closures in memory

v21.1.2

Compare Source

forms
Commit Type Description
9f99b14882 fix only touch visible, interactive fields on submit
language-service
Commit Type Description
c57b0355b5 fix Detect local project version on creation
router
Commit Type Description
21ecdc036a fix Do not intercept reload events with Navigation integration

v21.1.1

Compare Source

compiler-cli
Commit Type Description
0e1f1ed573 fix drop .tsx extension for generated relative imports
core
Commit Type Description
05adfcf8f2 fix handle Set in class bindings
forms
Commit Type Description
d89a80a970 feat Ability to manually register a form field binding in signal forms
cb75f9ce85 fix fix control value syncing on touch

v21.1.0

Compare Source

Deprecations

upgrade
  • VERSION from @angular/upgrade is deprecated. Please use the entry from @angular/upgrade/static instead.
common
Commit Type Description
d8790972be feat Add custom transformations for Cloudflare and Cloudinary image loaders
a6b8cb68af feat support custom transformations in ImageKit and Imgix loaders
compiler
Commit Type Description
640693da8e feat Add support for multiple swich cases matching
0ad3adc7c6 fix Support empty cases
core
Commit Type Description
99ad18a4ee feat Add stability debugging utility
a0dfa5fa86 feat support rest arguments in function calls
6e18fa8bc9 feat support spread elements in array literals
e407280ab5 feat support spread expressions in object literals
06be8034bb fix Microtask scheduling should be used after any application synchronization
b4f584cf42 fix return StaticProvider for providePlatformInitializer
forms
Commit Type Description
1ea5c97703 feat allow focusing bound control from field state
platform-browser
Commit Type Description
ec9dc94cee feat add context to createApplication
ab67988d2e feat resolve JIT resources in createApplication
router
Commit Type Description
5edceffd04 feat add controls for route cleanup
a03c82564d feat Add scroll behavior controls on router navigation
e44839b016 feat Add standalone function to create a comptued for isActive
c25d749d85 feat Execute RunGuardsAndResolvers function in injection context
1c00ab42f8 feat extend paramters of RedirectFunction to include paramMap and queryParamMap
7003e8d241 feat Publish Router's integration with platform Navigation API as experimental
c84d372778 feat Support wildcard params with segments trailing (#​64737)
upgrade
Commit Type Description
75fe8f8af9 refactor deprecate VERSION export

v21.0.9

Compare Source

forms
Commit Type Description
82d556a8fb fix Ensure the control instruction comes after the other bindings
0055f3cc79 fix Rename signal form [field] to [formField]
migrations
Commit Type Description
e4bfa5c9e7 fix prevent duplicate imports in common-to-standalone migration

v21.0.8

Compare Source

core
Commit Type Description
a6a2621bf9 fix fix memory leak with event replay
5239e471a1 fix handle cancelled traversals in fake navigation

v21.0.7

Compare Source

compiler
Commit Type Description
8e808740c9 fix better types for a few expression AST nodes
63b1cdcf70 fix produce accurate span for typeof and void expressions
3c3ae0cb64 fix provide location information for literal map keys
523dbaf1c3 fix stop ThisReceiver inheritance from ImplicitReceiver
compiler-cli
Commit Type Description
4d9c4567ed fix ensure component import diagnostics are reported within the imports expression
cd405685af fix fix up spelling of diagnostic

Configuration

📅 Schedule: (in timezone Europe/Zurich)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-angular-common-vulnerability branch 2 times, most recently from 0bfefe0 to 75f7e97 Compare March 14, 2026 10:55
@renovate renovate Bot force-pushed the renovate/npm-angular-common-vulnerability branch from 75f7e97 to 5d6b284 Compare April 15, 2026 11:49
@renovate renovate Bot changed the title chore(deps): update dependency @angular/common to v19 [security] Update dependency @angular/common [SECURITY] Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-angular-common-vulnerability branch from 5d6b284 to 3dc6493 Compare April 19, 2026 07:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants