Skip to content

fix(deps): update dependency @angular/compiler to v21.2.4 [security]#3377

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-angular-compiler-vulnerability
Open

fix(deps): update dependency @angular/compiler to v21.2.4 [security]#3377
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-angular-compiler-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Jan 9, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@angular/compiler (source) 21.0.521.2.4 age confidence

GitHub Vulnerability Alerts

CVE-2026-22610

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.

In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes for example, <script [attr.href]="userInput"> the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.

Impact

When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:

  • Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens.
  • Data Exfiltration: Accessing and transmitting sensitive information displayed within the application.
  • Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

Attack Preconditions

  1. The victim application must explicitly use SVG <script> elements within its templates.
  2. The application must use property or attribute binding (interpolation) for the href or xlink:href attributes of those SVG scripts.
  3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

Patches

  • 19.2.18
  • 20.3.16
  • 21.0.7
  • 21.1.0-rc.0

Workarounds

Until the patch is applied, developers should:

  • Avoid Dynamic Bindings: Do not use Angular template binding (e.g., [attr.href]) for SVG <script> elements.
  • Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.

Resources

CVE-2026-32635

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script.

The following example illustrates the issue:

<a href="" i18n-href>Click me</a>

The following attributes have been confirmed to be vulnerable:

  • action
  • background
  • cite
  • codebase
  • data
  • formaction
  • href
  • itemtype
  • longdesc
  • poster
  • src
  • xlink:href

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

  • Session Hijacking: Stealing session cookies and authentication tokens.
  • Data Exfiltration: Capturing and transmitting sensitive user data.
  • Unauthorized Actions: Performing actions on behalf of the user.

Attack Preconditions

  1. The application must use a vulnerable version of Angular.
  2. The application must bind unsanitized user input to one of the attributes mentioned above.
  3. The bound value must be marked for internationalization via the presence of a i18n-<name> attribute on the same element.

Patches

  • 22.0.0-next.3
  • 21.2.4
  • 20.3.18
  • 19.2.20

Workarounds

The primary workaround is to ensure that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters) until the patch is applied, or when it is, it shouldn't be marked for internationalization.

Alternatively, users can explicitly sanitize their attributes by passing them through Angular's DomSanitizer:

import {Component, inject, SecurityContext} from '@&#8203;angular/core';
import {DomSanitizer} from '@&#8203;angular/platform-browser';

@&#8203;Component({
  template: `
    <form action="" i18n-action>
      <button>Submit</button>
    </form>
  `,
})
export class App {
  url: string;

  constructor() {
    const dangerousUrl = 'javascript:alert(1)';
    const sanitizer = inject(DomSanitizer);
    this.url = sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
  }
}

References

Release Notes

angular/angular (@​angular/compiler)

v21.2.4

Compare Source

compiler
Commit Type Description
ed2d324f9c fix disallow translations of iframe src
core
Commit Type Description
abbd8797bb fix reverts "feat(core): add support for nested animations"
d1dcd16c5b fix sanitize translated form attributes

v21.2.3

Compare Source

core
Commit Type Description
62a97f7e4b fix ensure definitions compile
21b1c3b2ee fix include signal debug names in their toString() representation
224e60ecb1 fix sanitize translated attribute bindings with interpolations

v21.2.2

Compare Source

compiler
Commit Type Description
1df1697c6e fix prevent mutation of children array in RecursiveVisitor
compiler-cli
Commit Type Description
c822bf8e76 fix always parenthesize object literals in TCB
05d022d5e6 fix ignore generated ngDevMode signal branch for code coverage
forms
Commit Type Description
670d1660c4 feat add 'blur' option to debounce rule

v21.2.1

Compare Source

core
Commit Type Description
e2e9a9a531 fix adds transfer cache to httpResource to fix hydration
b4ec3cc4e4 fix prevent child animation elements from being orphaned
e923d88398 fix Prevent removal of elements during drag and drop
http
Commit Type Description
277ade97ac fix correctly cache blob responses in transfer cache (#​67002)

v21.2.0

Compare Source

common
Commit Type Description
18003a33bb feat add an 'outlet' injector option for ngTemplateOutlet
8bbe6dc46c feat Add Location strategies to manage trailing slash on write
51cc914807 feat support height in ImageLoaderConfig and built-in loaders
compiler
Commit Type Description
72534e2a34 feat Add support for the instanceof binary operator
95b3f37d4a feat Exhaustive checks for switch blocks
04ba09a8d9 feat support AstVisitor.visitEmptyExpr()
ce80136e7b fix optimize away unnecessary restore/reset view calls
3242a61bae fix variable counter visiting some expressions twice
compiler-cli
Commit Type Description
473dd3e1cb fix attach source spans to object literal keys in TCB
a904d9f77b fix support nested component declaration
2ea6dfc6c9 fix update diagnostic to flag no-op arrow functions in listeners
core
Commit Type Description
8d5210c9fe feat add ChangeDetectionStrategy.Eager alias for Default
92d2498910 feat add host node to DeferBlockData (#​66546)
ea2016a6dc feat add support for nested animations
81cabc1477 feat add support for TypeScript 6
1ba9b7ac50 feat resource composition via snapshots
d9923b72a2 feat support arrow functions in expressions
a7e8abbb7e fix correctly handle SkipSelf when resolving from embedded view injector
0806ee3826 fix prevent animated element duplication with dynamic components in zoneless mode
ed78fa05c7 fix Remove note to skip arrow functions in best practices
forms
Commit Type Description
f56bb07d83 feat add field param to submit action and onInvalid
ba009b6031 feat add form directive
22afbb2f36 feat add parsing support to native inputs (#​66917)
95c386469c feat Add passing focus options to form field
95ecce8334 feat allow setting submit options at form-level
ebae211add feat introduce parse errors in signal forms
3937afc316 feat introduce SignalFormControl for Reactive Forms compatibility
30f0914754 feat support binding null to number input (#​66917)
dd208ca259 feat update submit function to accept options object
27397b3f4f fix clear parse errors when model updates (#​66917)
63d8005703 fix preserve custom-control focus context in signal forms
631f60d1f9 fix preserve parse errors when parse returns value
adfb83146b fix simplify design of parse errors
fb05fc86d0 fix sort error summary by DOM order
567f292e8e fix support custom controls as host directives
bdfb60f3e3 fix use consistent error format returned from parse
d75046bc09 fix warn when showing hidden field state
language-server
Commit Type Description
ebc90c26f5 feat Add completions and hover info for inline styles
26fd0839c3 feat Add folding range support for inline styles
573aadef7e feat Add quick info for inline styles
6fb39d9b62 feat Support client-side file watching via onDidChangeWatchedFiles
language-service
Commit Type Description
496967e7b1 feat add JSON schema for angularCompilerOptions
8c21866f49 feat add linked editing ranges for HTML tag synchronization
d2137928e8 perf use lightweight project warmup for Angular analysis
router
Commit Type Description
b51bab583d feat Add partial ActivatedRouteSnapshot information to canMatch params
cf9620f7d0 feat Make match options optional in isActive
907a94dcec feat Update IsActiveMatchOptions APIs to accept a Partial

v21.1.6

Compare Source

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 306f367)

common
Commit Type Description
31d3d56496 fix fix LCP image detection with duplicate URLs
compiler-cli
Commit Type Description
24b578ce90 fix detect uninvoked functions in defer trigger expressions
core
Commit Type Description
b858309532 fix block creation of sensitive URI attributes from ICU messages

v21.1.5

Compare Source

No user facing changes in this release

v21.1.4

Compare Source

compiler
Commit Type Description
caab23dfe6 fix add geolocation element to schema
core
Commit Type Description
2b99eaa019 fix capture animation dependencies eagerly to avoid destroyed injector
d6aeac504c fix Fix flakey test due to document injection
forms
Commit Type Description
0d1acd0165 feat support signal-based schemas in validateStandardSchema
http
Commit Type Description
3905015ccc fix correctly parse ArrayBuffer and Blob in transfer cache

v21.1.3

Compare Source

core
Commit Type Description
2b254bc050 fix linkedSignal.update should propagate errors
e5110b4fa1 fix export DirectiveWithBindings
2cf4da0ea1 fix hold constructors weakly in DepsTracker cache
70a5b651be fix prevent element duplication with dynamic components
forms
Commit Type Description
6f75b6e3f6 fix Resolves debounce promise on abort in debounceForDuration
localize
Commit Type Description
4c7126d23b fix add support for unit-test builder in ng-add schematic
router
Commit Type Description
d6268c0bbb fix limit UrlParser recursion depth to prevent stack overflow
49a36f4cc7 perf Use .bind to avoid holding other closures in memory

v21.1.2

Compare Source

forms
Commit Type Description
9f99b14882 fix only touch visible, interactive fields on submit
language-service
Commit Type Description
c57b0355b5 fix Detect local project version on creation
router
Commit Type Description
21ecdc036a fix Do not intercept reload events with Navigation integration

v21.1.1

Compare Source

compiler-cli
Commit Type Description
0e1f1ed573 fix drop .tsx extension for generated relative imports
core
Commit Type Description
05adfcf8f2 fix handle Set in class bindings
forms
Commit Type Description
d89a80a970 feat Ability to manually register a form field binding in signal forms
cb75f9ce85 fix fix control value syncing on touch

v21.1.0

Compare Source

Deprecations

upgrade
  • VERSION from @angular/upgrade is deprecated. Please use the entry from @angular/upgrade/static instead.
common
Commit Type Description
d8790972be feat Add custom transformations for Cloudflare and Cloudinary image loaders
a6b8cb68af feat support custom transformations in ImageKit and Imgix loaders
compiler
Commit Type Description
640693da8e feat Add support for multiple swich cases matching
0ad3adc7c6 fix Support empty cases
core
Commit Type Description
99ad18a4ee feat Add stability debugging utility
a0dfa5fa86 feat support rest arguments in function calls
6e18fa8bc9 feat support spread elements in array literals
e407280ab5 feat support spread expressions in object literals
06be8034bb fix Microtask scheduling should be used after any application synchronization
b4f584cf42 fix return StaticProvider for providePlatformInitializer
forms
Commit Type Description
1ea5c97703 feat allow focusing bound control from field state
platform-browser
Commit Type Description
ec9dc94cee feat add context to createApplication
ab67988d2e feat resolve JIT resources in createApplication
router
Commit Type Description
5edceffd04 feat add controls for route cleanup
a03c82564d feat Add scroll behavior controls on router navigation
e44839b016 feat Add standalone function to create a comptued for isActive
c25d749d85 feat Execute RunGuardsAndResolvers function in injection context
1c00ab42f8 feat extend paramters of RedirectFunction to include paramMap and queryParamMap
7003e8d241 feat Publish Router's integration with platform Navigation API as experimental
c84d372778 feat Support wildcard params with segments trailing (#​64737)
upgrade
Commit Type Description
75fe8f8af9 refactor deprecate VERSION export

v21.0.9

Compare Source

forms
Commit Type Description
82d556a8fb fix Ensure the control instruction comes after the other bindings
0055f3cc79 fix Rename signal form [field] to [formField]
migrations
Commit Type Description
e4bfa5c9e7 fix prevent duplicate imports in common-to-standalone migration

v21.0.8

Compare Source

core
Commit Type Description
a6a2621bf9 fix fix memory leak with event replay
5239e471a1 fix handle cancelled traversals in fake navigation

v21.0.7

Compare Source

compiler
Commit Type Description
8e808740c9 fix better types for a few expression AST nodes
63b1cdcf70 fix produce accurate span for typeof and void expressions
3c3ae0cb64 fix provide location information for literal map keys
523dbaf1c3 fix stop ThisReceiver inheritance from ImplicitReceiver
compiler-cli
Commit Type Description
4d9c4567ed fix ensure component import diagnostics are reported within the imports expression
cd405685af fix fix up spelling of diagnostic
778460fcca fix support qualified names in typeof type references
core
Commit Type Description
7c74674eb0 fix avoid leaking view data in animations
0edbee4550 fix explicitly cast signal node value to String
f9c29572d2 fix sanitize sensitive attributes on SVG script elements
forms
Commit Type Description
e3fba182f9 feat add [formField] directive
561772b152 fix allow custom controls to require dirty input
f0fb1d8581 fix allow custom controls to require hidden input
ec110f170b fix allow custom controls to require pending input
ae1dc16bb0 fix clean up abort listener after timeout
9748b0d5da fix support custom controls with non signal-based models
6bd22df987 fix Support readonly arrays in signal forms
router
Commit Type Description
41cd4a6af8 fix Fix RouterLink href not updating with queryParamsHandling
5e9e09aee0 fix handle errors from view transition updateCallbackDone promise

v21.0.6

Compare Source

Breaking Changes (affecting only experimental features)

forms

  • The shape of SignalFormsConfig.classes has changed

    Previously each function in the classes map took a FieldState. Now
    it takes a Field directive.

    For example if you previously had:

    provideSignalFormsConfig({
  classes: {
    'my-valid': (state) => state.valid()
  }
})

    You would need to update to:

    provideSignalFormsConfig({
  classes: {
    'my-valid': ({state}) => state().valid()
  }
})

    (cherry picked from commit 348f149)

  • (cherry picked from commit ae0c590)

core
Commit Type Description
4c8fb3631d fix throw better errors for potential circular references
48492524ea fix use mutable ResponseInit type for RESPONSE_INIT token
forms
Commit Type Description
81772b420d feat pass field directive to class config
729b96476b refactor rename field to fieldTree in FieldContext and ValidationError
language-service
Commit Type Description
e0694df3ec fix avoid interpolation highlighting inside @​let
5047be4bc1 fix Prevent language service from crashing on suggestion diagnostic errors

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 9, 2026
@renovate
Copy link
Copy Markdown
Contributor Author

renovate bot commented Jan 9, 2026
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @angular/compiler-cli@21.0.5
npm error Found: @angular/compiler@21.2.4
npm error node_modules/@angular/compiler
npm error   @angular/compiler@"21.2.4" from the root project
npm error   peer @angular/compiler@"^21.0.0" from @angular/build@21.0.3
npm error   node_modules/@angular/build
npm error     @angular/build@"21.0.3" from @angular-devkit/build-angular@21.0.3
npm error     node_modules/@angular-devkit/build-angular
npm error       dev @angular-devkit/build-angular@"21.0.3" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @angular/compiler@"21.0.5" from @angular/compiler-cli@21.0.5
npm error node_modules/@angular/compiler-cli
npm error   dev @angular/compiler-cli@"21.0.5" from the root project
npm error   peer @angular/compiler-cli@"^21.0.0" from @angular-devkit/build-angular@21.0.3
npm error   node_modules/@angular-devkit/build-angular
npm error     dev @angular-devkit/build-angular@"21.0.3" from the root project
npm error   2 more (@angular/build, @ngtools/webpack)
npm error
npm error Conflicting peer dependency: @angular/compiler@21.0.5
npm error node_modules/@angular/compiler
npm error   peer @angular/compiler@"21.0.5" from @angular/compiler-cli@21.0.5
npm error   node_modules/@angular/compiler-cli
npm error     dev @angular/compiler-cli@"21.0.5" from the root project
npm error     peer @angular/compiler-cli@"^21.0.0" from @angular-devkit/build-angular@21.0.3
npm error     node_modules/@angular-devkit/build-angular
npm error       dev @angular-devkit/build-angular@"21.0.3" from the root project
npm error     2 more (@angular/build, @ngtools/webpack)
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-04-01T17_44_50_419Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-04-01T17_44_50_419Z-debug-0.log

@renovate renovate bot force-pushed the renovate/npm-angular-compiler-vulnerability branch from b522550 to 625e374 Compare January 19, 2026 14:41
@renovate renovate bot force-pushed the renovate/npm-angular-compiler-vulnerability branch from 625e374 to 5d5fb1f Compare February 2, 2026 20:02
@renovate renovate bot force-pushed the renovate/npm-angular-compiler-vulnerability branch 2 times, most recently from 5a690c4 to fbd261e Compare February 17, 2026 15:56
@renovate renovate bot force-pushed the renovate/npm-angular-compiler-vulnerability branch from fbd261e to 3efa16f Compare March 5, 2026 15:36
@renovate renovate bot force-pushed the renovate/npm-angular-compiler-vulnerability branch from 3efa16f to 97af841 Compare March 14, 2026 01:49
@renovate renovate bot changed the title fix(deps): update dependency @angular/compiler to v21.0.7 [security] fix(deps): update dependency @angular/compiler to v21.2.4 [security] Mar 14, 2026
@renovate renovate bot changed the title fix(deps): update dependency @angular/compiler to v21.2.4 [security] fix(deps): update dependency @angular/compiler to v21.2.4 [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-angular-compiler-vulnerability branch March 27, 2026 01:25
@renovate renovate bot changed the title fix(deps): update dependency @angular/compiler to v21.2.4 [security] - autoclosed fix(deps): update dependency @angular/compiler to v21.2.4 [security] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-angular-compiler-vulnerability branch 2 times, most recently from 97af841 to 532564b Compare March 30, 2026 18:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants