Note: This PR body was truncated due to platform limits.
This PR contains the following updates:
[!WARNING]
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts.
Additionally, a related vulnerability exists involving SVG animation elements (<animate>, <set>, <animateMotion>, <animateTransform>). The attributeName attribute on these elements was not properly validated, allowing attackers to dynamically target security-sensitive attributes like href or xlink:href on other elements. By binding attributeName to "href" and providing a javascript: URL in the values or to attribute, an attacker could bypass sanitization and execute arbitrary code.
Attributes confirmed to be vulnerable include:
- SVG-related attributes (e.g., xlink:href) and various MathML attributes (e.g., math|href, annotation|href).
- The SVG animation attributeName attribute when bound to "href" or "xlink:href".
When template binding is used to assign untrusted, user-controlled data to these attributes (e.g., [attr.xlink:href]="maliciousURL" or <animate [attributeName]="'href'" [values]="maliciousURL">), the compiler incorrectly falls back to a non-sanitizing context or fails to block the dangerous attribute assignment. This allows an attacker to inject a javascript: URL payload. Upon user interaction (like a click) on the element, or automatically in the case of animations, the malicious JavaScript executes in the context of the application's origin.
Impact
When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:
- Session Hijacking: Stealing session cookies and authentication tokens.
- Data Exfiltration: Capturing and transmitting sensitive user data.
- Unauthorized Actions: Performing actions on behalf of the user.
Patches
Attack Preconditions
- The victim's Angular application must render data derived from untrusted input (e.g., from a database or API) and bind it to one of the unsanitized URL attributes or the attributeName of an SVG animation element.
- The victim must perform a user interaction (e.g., clicking) on the compromised element for the stored script to execute, or the animation must trigger the execution.
Workarounds
If you cannot upgrade, you can work around the issue by ensuring that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters).
- Avoid Affected Template Bindings: Specifically avoid using template bindings (e.g., [attr.xlink:href]="maliciousURL") to assign untrusted data to the vulnerable SVG/MathML attributes.
- Avoid Dynamic attributeName on SVG Animations: Do not bind untrusted data to the attributeName attribute of SVG animation elements (<animate>, <set>, etc.).
- Enable Content Security Policy (CSP): Configure a robust CSP header that disallows javascript: URLs.
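As an added illustration of the checks the advisory and its workarounds describe (this is example code, not Angular's sanitizer and not part of this PR): a scheme-allowlist URL sanitiser that strips the control characters browsers ignore before parsing, a guard for SVG animation bindings whose attributeName targets href or xlink:href, and a scan for the template bindings the workaround says must not receive untrusted data. The scheme allowlist, the sample template and all function names are assumptions made for the example.

```javascript
'use strict';

// URL schemes a URL-holding attribute is allowed to carry. This allowlist is
// an assumption for the example; extend it to fit the application.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel', 'ftp']);

// Attributes an SVG animation element must never be allowed to target with
// untrusted values, because whatever lands in them is treated as a URL.
const URL_TARGET_ATTRS = new Set(['href', 'xlink:href']);

// Bindings the advisory's workaround says should never receive untrusted data.
// The expression is captured so a reviewer can trace where the value comes from.
const RISKY_BINDING = /\[(attr\.(?:xlink:)?href|attributeName)\]\s*=\s*"([^"]*)"/g;

// Lower-case scheme of a URL, or '' when the URL is relative. Browsers strip
// ASCII control characters and spaces before parsing, so the check does too;
// otherwise "java\tscript:alert(1)" slips past a plain prefix comparison.
function extractScheme(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : '';
}

// Sanitise a value bound to a URL attribute: relative URLs and allowlisted
// schemes pass through unchanged, everything else is neutralised with an
// "unsafe:" prefix so the browser cannot act on it.
function sanitizeUrl(url) {
  const scheme = extractScheme(url);
  return scheme === '' || SAFE_SCHEMES.has(scheme) ? String(url) : 'unsafe:' + url;
}

// Collect every value an SVG animation could write into its target attribute:
// the semicolon-separated "values" list plus "from" and "to".
function animationValues({ values = '', from, to } = {}) {
  const list = values.split(';').map((v) => v.trim()).filter(Boolean);
  if (from !== undefined) list.push(from);
  if (to !== undefined) list.push(to);
  return list;
}

// Guard for <animate>, <set>, <animateMotion>, <animateTransform>: when
// attributeName points at a URL attribute, every animated value must survive
// URL sanitisation unchanged, or the binding is rejected.
function checkAnimationBinding(attributeName, attrs) {
  const target = String(attributeName).trim().toLowerCase();
  if (!URL_TARGET_ATTRS.has(target)) return { allowed: true, rejected: [] };
  const rejected = animationValues(attrs).filter((v) => sanitizeUrl(v) !== v);
  return { allowed: rejected.length === 0, rejected };
}

// Flag template bindings that route data into the affected attributes, so
// their data source can be audited before the upgrade lands.
function findRiskyBindings(template) {
  return Array.from(template.matchAll(RISKY_BINDING), (m) => ({
    binding: m[1],
    expression: m[2],
  }));
}

// Constructed template fragment for the demo; not taken from any real app.
const SAMPLE_TEMPLATE = [
  '<svg><a [attr.xlink:href]="profileLink">profile</a></svg>',
  '<svg><animate [attributeName]="animTarget" [values]="animFrames"></animate></svg>',
  '<img [src]="avatarUrl" alt="">',
].join('\n');

// Stand-alone run: show the attack strings being neutralised.
console.log(sanitizeUrl('javascript:alert(document.cookie)'));
console.log(checkAnimationBinding('href', { values: 'https://ok.example/;javascript:alert(1)' }));
console.log(findRiskyBindings(SAMPLE_TEMPLATE));
```

The allowlist approach matters more than the blocklist: a check that only rejects the literal prefix `javascript:` misses case variants, embedded tabs and newlines, and other active schemes such as `data:`. The animation guard covers the second half of the advisory, where the URL never appears in an href binding at all but is written there by `values`, `from` or `to` once `attributeName` names a URL attribute.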
Release Notes
angular/angular (@angular/compiler)
compiler
| Commit | Type | Description |
| --- | --- | --- |
| d1ca8ae043 | fix | prevent XSS via SVG animation attributeName and MathML/SVG URLs |
http
| Commit | Type | Description |
| --- | --- | --- |
| 0276479e7d | fix | prevent XSRF token leakage to protocol-relative URLs |
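The http fix above addresses a bug class worth seeing in isolation. The following is an added example, not Angular's HttpClient code and not part of this PR: a naive "does it start with http(s)://" relativity test lets a protocol-relative URL such as //evil.example/... pass as same-origin, so an anti-XSRF token is attached to a request the browser actually sends cross-origin; resolving the URL with the WHATWG URL parser and comparing origins closes the hole. APP_ORIGIN, the header name handling and the sample URLs are assumptions for the example.

```javascript
'use strict';

// Origin the application is served from. Assumed for the example.
const APP_ORIGIN = 'https://app.example';

// Naive same-origin test of the kind the fix guards against: anything that
// does not start with "http://" or "https://" is taken to be a relative URL.
// A protocol-relative URL ("//evil.example/x") passes, yet the browser will
// resolve it to another host, and the XSRF token travels with the request.
function naiveIsRelative(url) {
  return !/^https?:\/\//i.test(url);
}

// Hardened test: resolve the URL exactly as the browser will, against the
// document origin, then compare origins. Protocol-relative URLs, backslash
// variants ("\\evil.example", which the URL parser treats like "//") and
// absolute URLs all resolve to a foreign origin and are refused; path-relative
// URLs resolve to the app origin and are accepted.
function isSameOrigin(url, origin = APP_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(url, origin);
  } catch (e) {
    return false; // unparsable input never earns credentials
  }
  return resolved.origin === new URL(origin).origin;
}

// Build request headers; the token is attached only when the check passes.
function buildHeaders(url, token, sameOriginCheck) {
  const headers = { 'Content-Type': 'application/json' };
  if (sameOriginCheck(url)) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

// Constructed sample of URLs an attacker might plant, e.g. through a stored
// link or an API response whose URL the client follows.
const SAMPLE_URLS = [
  '/api/items',
  'https://app.example/api/items',
  '//evil.example/collect',
  'https://evil.example/collect',
  '\\\\evil.example/collect',
];

// Stand-alone run: shows where the naive check would leak the token.
for (const u of SAMPLE_URLS) {
  console.log(u, 'naive:', naiveIsRelative(u), 'hardened:', isSameOrigin(u));
}
```

The lesson generalises beyond XSRF tokens: any decision to attach a credential to a request must be made on the resolved origin, never on a string-prefix view of the URL.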
common
| Commit | Type | Description |
| --- | --- | --- |
| 5047849a4a | fix | remove placeholder image listeners once view is removed |
compiler
| Commit | Type | Description |
| --- | --- | --- |
| f9d0818087 | fix | support arbitrary nesting in :host-context() |
| 106b9040df | fix | support commas in :host() argument |
| 9419ea348a | fix | support complex selectors in :nth-child() |
| 036c5d2a07 | fix | support one additional level of nesting in :host() |
core
| Commit | Type | Description |
| --- | --- | --- |
| dcdd1bcdbb | fix | skip leave animations on view swaps |
compiler-cli
| Commit | Description |
| --- | --- |
| | make required inputs diagnostic less noisy |
migrations
| Commit | Description |
| --- | --- |
| | Prevent removal of templates referenced with preceding whitespace characters |
animations
compiler
| Commit | Type | Description |
| --- | --- | --- |
| 891f180262 | fix | correctly compile long numeric HTML entities (#64297) |
compiler-cli
| Commit | Type | Description |
| --- | --- | --- |
| 371274bfc6 | fix | missingStructuralDirective diagnostic produces false negatives (#64470) |
core
| Commit | Type | Description |
| --- | --- | --- |
| 4c89a267c3 | fix | pass element removal property through in all locations (#64565) |
| 2fad4d4ab6 | fix | prevent duplicate nodes from being retained with fast `animate.leave` calls (#64592) |
router
core
platform-browser
| Commit | Type | Description |
| --- | --- | --- |
| 2ece42866d | fix | DomEventsPlugin should always be the last plugin to be called for supports(). (#50394) |
compiler-cli
core
migrations
router
| Commit | Type | Description |
| --- | --- | --- |
| 6e4bcc7d22 | fix | Scroll restoration should use instant scroll behavior for traversals (#64299) |
core
| Commit | Type | Description |
| --- | --- | --- |
| 853ed169a8 | fix | ensure missing leave animations don't queue leave animations (#64226) |
| 6fed986b7a | fix | Fixes animations in conjunction with content projection (#63776) |
| 76fe5599fe | fix | handle undefined CSS time values in parseCssTimeUnitsToMs function (#64181) |
| 3b959105be | fix | prevent early exit from leave animations when multiple transitions are present (#64225) |
migrations
| Commit | Type | Description |
| --- | --- | --- |
| 65884895ff | fix | preserve component imports when pruning NgModules in standalone migration (#64186) |
compiler
| Commit | Type | Description |
| --- | --- | --- |
| f51ab32fb3 | fix | recover template literals with broken expressions (#64150) |
core
migrations
compiler-cli
core
forms
migrations
compiler
compiler-cli
| Commit | Type | Description |
| --- | --- | --- |
| 8843707919 | fix | only bind inputs that are part of microsyntax to a structural directive (#52453) |
| 38c9921ff3 | fix | signal not invoked diagnostic not raised when input has same name in template (#63754) |
core
migrations
Breaking Changes
core
- The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  ```ts
  const bootstrap = () => bootstrapApplication(AppComponent, config);
  ```

  After:

  ```ts
  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);
  ```

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.
  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.
  (cherry picked from commit 8bf80c9)
| Commit | Type | Description |
| --- | --- | --- |
| a3f808d7c8 | fix | remove refresh button from transfer state tab (#63592) |
core
| Commit | Type | Description |
| --- | --- | --- |
| 6117ccee2e | feat | introduce BootstrapContext for improved server bootstrapping (#63636) |
core
| Commit | Type | Description |
| --- | --- | --- |
| dc64f3e478 | fix | Fixed inject migration schematics for migrate destructured properties (#62832) |
platform-server
| Commit | Type | Description |
| --- | --- | --- |
| d1d32db972 | fix | prevent false warning for duplicate state serialization (#63525) |
compiler
| Commit | Type | Description |
| --- | --- | --- |
| 479a919f42 | fix | fixes regression with event parsing and animate prefix (#63470) |
core
| Commit | Type | Description |
| --- | --- | --- |
| f87fad3fff | fix | avoid injecting internal error handler from a destroyed injector (#62275) |
| 114906d2d6 | fix | Fix cancellation of animation enter classes (#63442) |
| 596b545130 | fix | Prevent an error on cleanup when an rxResource stream threw before returning an Observable (#63342) |
compiler
| Commit | Type | Description |
| --- | --- | --- |
| d7b6045d61 | fix | fixes animations on elements with structural directives (#63390) |
core
compiler
| Commit | Type | Description |
| --- | --- | --- |
| a28672fb70 | fix | Keep parentheses in Nullish + Boolean expression. (#63292) |
Deprecations
animations
core
router
- The Router.getCurrentNavigation method is deprecated. Use the Router.currentNavigation signal instead.
animations
compiler
compiler-cli
core
forms
| Commit | Type | Description |
| --- | --- | --- |
| c353497a01 | feat | add support for pushing an array of controls to formarray (#57102) |
http
| Commit | Type | Description |
| --- | --- | --- |
| 0984b30388 | feat | Add redirected property to HttpResponse and HttpErrorResponse (#62675) |
| be811fee79 | feat | add referrer & integrity support for fetch requests in httpResource (#62461) |
| 1cf9d9064c | feat | Add support for fetch referrer & integrity options in HttpClient (#62417) |
| 1408baff45 | fix | Add missing timeout and transferCache options to HttpClient (#62586) |
language-service
platform-browser
| Commit | Type | Description |
| --- | --- | --- |
| 52b8e07d6e | feat | Warns on conflicting hydration and blocking navigation (#62963) |
router
| Commit | Type | Description |
| --- | --- | --- |
| d00b3fed58 | feat | add a currentNavigation signal to the Router service. (#62971) |
| 687c374826 | feat | add a currentNavigation signal to the Router service. (#63011) |
| 9c45c322d1 | fix | ensure preloaded components are properly activated ([#62502](https://redirect.githu |
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
⚠️ No Changeset found
Latest commit: 2c050d0e9b4f564c9fe2c8ea52f5e130f1d06cb6
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
[!IMPORTANT]
Review skipped
Review was skipped due to path filters
:no_entry: Files ignored due to path filters (1)
pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.
You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
renovate/npm-angular-compiler-vulnerability
View your CI Pipeline Execution ↗ for commit 2c050d0e9b4f564c9fe2c8ea52f5e130f1d06cb6
| Command | Status | Duration | Result |
| --- | --- | --- | --- |
| nx affected --targets=test:sherif,test:knip,tes... | ❌ Failed | 2m 47s | View ↗ |
| nx run-many --target=build --exclude=examples/*... | ❌ Failed | 1m 22s | View ↗ |
☁️ Nx Cloud last updated this comment at 2025-12-07 19:07:55 UTC