Note: This PR body was truncated due to platform limits.
This PR contains the following updates:
GitHub Vulnerability Alerts
The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.
Angular's HttpClient has a built-in XSRF protection mechanism that decides whether a request is cross-origin by checking if the request URL starts with a protocol (http:// or https://). If the URL is protocol-relative (starts with //), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header, so the token is sent to whatever host the protocol-relative URL names.
Impact
The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.
Attack Preconditions
- The victim's Angular application must have XSRF protection enabled.
- The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.
Patches
Workarounds
Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
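As an added illustration (not Angular's interceptor code and not part of this PR), the following JavaScript models the same-origin decision described above in both its pre-fix form (prefix check on http:// and https://) and a hardened form (resolve the URL against the page origin and compare origins), and adds an allowlist check that enforces the workaround of only using plain relative paths or trusted fully qualified URLs. The app origin, the sample URLs, and all function names are assumptions made for the example.

```javascript
// Added illustration, not Angular's own interceptor code. Models the same-origin
// decision the advisory describes (pre-fix and hardened), and an allowlist check
// for the workaround. APP_ORIGIN and all sample URLs are constructed values.
const APP_ORIGIN = 'https://app.example';
const XSRF_HEADER = 'X-XSRF-TOKEN'; // header name quoted in the advisory

// Pre-fix decision: a URL is treated as cross-origin only when it starts with
// http:// or https://. A protocol-relative "//host/path" URL does not match and
// is therefore treated as same-origin.
function isCrossOriginVulnerable(url) {
  const lower = url.toLowerCase();
  return lower.startsWith('http://') || lower.startsWith('https://');
}

// Hardened decision: resolve the URL against the page origin the way the
// browser would and compare origins. "//host/path" resolves to "https://host"
// and is classified as cross-origin. Unparseable input is treated as
// cross-origin so the token is never attached by accident.
function isCrossOriginHardened(url, origin = APP_ORIGIN) {
  let target;
  try {
    target = new URL(url, origin);
  } catch (e) {
    return true;
  }
  return target.origin !== origin;
}

// What an XSRF interceptor would add to a request: the token header only when
// the supplied cross-origin check says the request is same-origin.
function xsrfHeaders(url, token, isCrossOrigin) {
  const headers = {};
  if (!isCrossOrigin(url)) {
    headers[XSRF_HEADER] = token;
  }
  return headers;
}

// Runs both checks over a list of URLs and reports, per URL, whether the token
// would leak: the vulnerable check attaches it while the hardened check does not.
function compareChecks(urls, token = 'constructed-token') {
  return urls.map((url) => {
    const vulnerableAttaches = XSRF_HEADER in xsrfHeaders(url, token, isCrossOriginVulnerable);
    const hardenedAttaches = XSRF_HEADER in xsrfHeaders(url, token, isCrossOriginHardened);
    return { url, vulnerableAttaches, hardenedAttaches, leaks: vulnerableAttaches && !hardenedAttaches };
  });
}

// Workaround from the advisory: accept only plain relative paths ("/api/...")
// or fully qualified URLs whose origin is the app's own or on an explicit
// trusted list. Protocol-relative URLs are rejected, as is "/\host", which
// WHATWG-style URL parsers resolve like "//host". Anything that is neither a
// plain path nor parseable without a base (e.g. "api/x") is rejected too.
function isAllowedBackendUrl(url, trustedOrigins, origin = APP_ORIGIN) {
  if (/^\/(?![\/\\])/.test(url)) {
    return true; // single leading slash: resolves against the app origin
  }
  let target;
  try {
    target = new URL(url); // no base: must be a fully qualified URL
  } catch (e) {
    return false;
  }
  return target.origin === origin || trustedOrigins.includes(target.origin);
}

// Constructed sample: a same-origin API path, a same-origin absolute URL, an
// untrusted absolute URL, and the protocol-relative form the advisory warns about.
const SAMPLE_URLS = [
  '/api/profile',
  'https://app.example/api/profile',
  'https://other.example/collect',
  '//attacker.example/collect',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of compareChecks(SAMPLE_URLS)) {
    console.log(row);
  }
}
```

Running the block prints one row per sample URL; only the protocol-relative entry reports `leaks: true`. Note that the pre-fix check also declines to attach the token to a same-origin absolute URL, which is why the advisory's workaround of hardcoding single-slash relative paths keeps XSRF protection working while avoiding the bug.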
Release Notes
angular/angular (@angular/common)
Compare Source
http
| Commit | Type | Description |
| --- | --- | --- |
| 05fe6686a9 | fix | prevent XSRF token leakage to protocol-relative URLs |
Compare Source
Breaking Changes
core
- The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  ```ts
  const bootstrap = () => bootstrapApplication(AppComponent, config);
  ```

  After:

  ```ts
  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);
  ```

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.
core
| Commit | Type | Description |
| --- | --- | --- |
| 70d0639bc1 | fix | introduce BootstrapContext for improved server bootstrapping (#63639) |
Compare Source
compiler
| Commit | Type | Description |
| --- | --- | --- |
| 24bab55f0c | fix | lexer support for template literals in object literals (#61601) |
migrations
| Commit | Type | Description |
| --- | --- | --- |
| 9e1cd49662 | fix | preserve comments when removing unused imports (#61674) |
Compare Source
common
| Commit | Type | Description |
| --- | --- | --- |
| 2c876b4fc5 | fix | avoid injecting ApplicationRef in FetchBackend (#61649) |
service-worker
| Commit | Type | Description |
| --- | --- | --- |
| b15bddfa04 | fix | do not register service worker if app is destroyed before it is ready to register (#61101) |
Compare Source
common
compiler
| Commit | Type | Description |
| --- | --- | --- |
| 44bb328eae | fix | avoid conflicts between HMR code and local symbols (#61550) |
compiler-cli
core
platform-server
Compare Source
Compare Source
common
| Commit | Type | Description |
| --- | --- | --- |
| 89056a0356 | fix | cleanup updateLatestValue if view is destroyed before promise resolves (#61064) |
core
| Commit | Type | Description |
| --- | --- | --- |
| 4623b61448 | fix | missing useExisting providers throwing for optional calls (#61152) |
| 400dbc5b89 | fix | properly handle app stabilization with defer blocks (#61056) |
platform-server
| Commit | Type | Description |
| --- | --- | --- |
| a6f0d5bc20 | fix | less aggressive ngServerMode cleanup (#61106) |
Compare Source
core
| Commit | Type | Description |
| --- | --- | --- |
| 946b844e0d | fix | async EventEmitter error should not prevent stability (#61028) |
| dbb87026ca | fix | call DestroyRef on destroy callback if view is destroyed [patch] (#61061) |
| 2e140a136a | fix | prevent stash listener conflicts [patch] (#61063) |
Compare Source
forms
| Commit | Type | Description |
| --- | --- | --- |
| ea4a211216 | fix | make NgForm emit FormSubmittedEvent and FormResetEvent (#60887) |
Compare Source
common
| Commit | Type | Description |
| --- | --- | --- |
| 37ab6814f5 | fix | issue a warning instead of an error when NgOptimizedImage exceeds the preload limit (#60883) |
core
| Commit | Type | Description |
| --- | --- | --- |
| b144126612 | fix | inject migration: replace param with this. (#60713) |
http
| Commit | Type | Description |
| --- | --- | --- |
| d39e09da41 | fix | Include HTTP status code and headers when HTTP requests errored in httpResource (#60802) |
Compare Source
compiler
compiler-cli
| Commit | Type | Description |
| --- | --- | --- |
| fc946c5f72 | fix | ensure HMR works with different output module type (#60797) |
core
language-service
Compare Source
animations
| Commit | Type | Description |
| --- | --- | --- |
| fa48f98d9f | fix | add missing peer dependency on @angular/common (#60660) |
compiler
| Commit | Type | Description |
| --- | --- | --- |
| ca5aa4d55b | fix | throw for invalid "as" expression in if block (#60580) |
compiler-cli
| Commit | Type | Description |
| --- | --- | --- |
| f4c4b10ea8 | fix | Produce fatal diagnostic on duplicate decorated properties (#60376) |
| 22a0e54ac4 | fix | support relative imports to symbols outside rootDir (#60555) |
core
language-service
| Commit | Type | Description |
| --- | --- | --- |
| 0e9e0348dd | fix | Update adapter to log instead of throw errors (#60651) |
migrations
| Commit | Type | Description |
| --- | --- | --- |
| 15f53f035b | fix | handle shorthand assignments in super call (#60602) |
| 4b161e6234 | fix | inject migration not handling super parameter referenced via this (#60602) |
router
service-worker
| Commit | Type | Description |
| --- | --- | --- |
| 7cd89ad2c6 | fix | assign initializing client's app version, when a request is for worker script (#58131) |
Compare Source
core
localize
platform-browser
| Commit | Type | Description |
| --- | --- | --- |
| 8e8ccc79279 | fix | ensure platformBrowserTesting includes platformBrowser providers (#60480) |
Compare Source
compiler-cli
| Commit | Type | Description |
| --- | --- | --- |
| aa8ea7a5b2 | fix | report more accurate diagnostic for invalid import (#60455) |
core
platform-browser-dynamic
| Commit | Type | Description |
| --- | --- | --- |
| 1e06c8e8b6 | fix | ensure compiler is loaded before @angular/common (#60458) |
upgrade
| Commit | Type | Description |
| --- | --- | --- |
| 9e1a1030c8 | fix | handle output emitters when downgrading a component (#60369) |
Compare Source
common
| Commit | Type | Description |
| --- | --- | --- |
| 90a16a1088 | fix | support equality function in httpResource (#60026) |
compiler
compiler-cli
| Commit | Type | Description |
| --- | --- | --- |
| 23ca88522b | fix | handle transformed classes when generating HMR code (#60298) |
core
| Commit | Type | Description |
| --- | --- | --- |
| 6dc41265fd | fix | check whether application is destroyed before initializing event replay (#59789) |
| bb12b30d52 | fix | ensures immediate trigger fires properly with lazy loaded routes (#60203) |
| b144dd946e | fix | fix removal of a container reference used in the component file (#60210) |
platform-server
| Commit | Type | Description |
| --- | --- | --- |
| 15c42969fc | fix | add missing peer dependency for rxjs (#60308) |
router
Compare Source
Breaking Changes
core
- The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  ```ts
  const bootstrap = () => bootstrapApplication(AppComponent, config);
  ```

  After:

  ```ts
  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);
  ```

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.
core
| Commit | Type | Description |
| --- | --- | --- |
| 70d0639bc1 | fix | introduce BootstrapContext for improved server bootstrapping (#63639) |
Compare Source
common
| Commit | Type | Description |
| --- | --- | --- |
| 3e39da593a | feat | introduce experimental httpResource (#59876) |
compiler
core
forms
| Commit | Type | Description |
| --- | --- | --- |
| fa0c3e3210 | feat | support type set in form validators (#45793) |
migrations
| Commit | Type | Description |
| --- | --- | --- |
| 1cd3a7db83 | feat | add migration to convert templates to use self-closing tags (#57342) |
platform-browser
| Commit | Type | Description |
| --- | --- | --- |
| e6cb411e43 | fix | automatically disable animations on the server (#59762) |
platform-server
| Commit | Type | Description |
| --- | --- | --- |
| fc5d187da5 | fix | decouple server from animations module (#59762) |
Compare Source
benchpress
| Commit | Type | Description |
| --- | --- | --- |
| f0990c67e6 | fix | Ensure future-proof correct initialization order (#60025) |
common
| Commit | Type
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.