Skip to content

chore(deps): update dependency @angular/common to v19 [security] #1750

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency @angular/common to v19 [security] #1750

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 27, 2025
edited
Loading

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@angular/common (source) 17.3.12 -> 19.2.16 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-66035

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

  1. The victim's Angular application must have XSRF protection enabled.
  2. The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.

Patches

  • 19.2.16
  • 20.3.14
  • 21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Release Notes

angular/angular (@​angular/common)

v19.2.16

Compare Source

http
Commit Type Description
05fe6686a9 fix prevent XSRF token leakage to protocol-relative URLs

v19.2.15

Compare Source

Breaking Changes

core

  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

    Before:

    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:

    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

    A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core
Commit Type Description
70d0639bc1 fix introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.14

Compare Source

compiler
Commit Type Description
24bab55f0c fix lexer support for template literals in object literals (#​61601)
migrations
Commit Type Description
9e1cd49662 fix preserve comments when removing unused imports (#​61674)

v19.2.13

Compare Source

common
Commit Type Description
2c876b4fc5 fix avoid injecting ApplicationRef in FetchBackend (#​61649)
service-worker
Commit Type Description
b15bddfa04 fix do not register service worker if app is destroyed before it is ready to register (#​61101)

v19.2.12

Compare Source

common
Commit Type Description
126efc9972 fix cancel reader when app is destroyed (#​61528)
efda872453 fix prevent reading chunks if app is destroyed (#​61354)
compiler
Commit Type Description
44bb328eae fix avoid conflicts between HMR code and local symbols (#​61550)
compiler-cli
Commit Type Description
107180260f fix Always retain prior results for all files (#​61487)
1191e62d70 fix avoid ECMAScript private field metadata emit (#​61227)
core
Commit Type Description
2b1b14f4d3 fix cleanup rxResource abort listener (#​58306)
8f9b05eaaa fix cleanup testability subscriptions (#​61261)
eb53bda470 fix enable stashing only when withEventReplay() is invoked (#​61352)
94f5a4b4d6 fix Testing should not throw when Zone does not patch test FW APIs (#​61376)
c0c69a5abc fix unregister onDestroy in toSignal. (#​61514)
platform-server
Commit Type Description
8edafd0559 perf speed up resolution of base (#​61392)

v19.2.11

Compare Source

v19.2.10

Compare Source

common
Commit Type Description
89056a0356 fix cleanup updateLatestValue if view is destroyed before promise resolves (#​61064)
core
Commit Type Description
4623b61448 fix missing useExisting providers throwing for optional calls (#​61152)
400dbc5b89 fix properly handle app stabilization with defer blocks (#​61056)
platform-server
Commit Type Description
a6f0d5bc20 fix less aggressive ngServerMode cleanup (#​61106)

v19.2.9

Compare Source

core
Commit Type Description
946b844e0d fix async EventEmitter error should not prevent stability (#​61028)
dbb87026ca fix call DestroyRef on destroy callback if view is destroyed [patch] (#​61061)
2e140a136a fix prevent stash listener conflicts [patch] (#​61063)

v19.2.8

Compare Source

forms
Commit Type Description
ea4a211216 fix make NgForm emit FormSubmittedEvent and FormResetEvent (#​60887)

v19.2.7

Compare Source

common
Commit Type Description
37ab6814f5 fix issue a warning instead of an error when NgOptimizedImage exceeds the preload limit (#​60883)
core
Commit Type Description
b144126612 fix inject migration: replace param with this. (#​60713)
http
Commit Type Description
d39e09da41 fix Include HTTP status code and headers when HTTP requests errored in httpResource (#​60802)

v19.2.6

Compare Source

compiler
Commit Type Description
3441f7b914 fix error if rawText isn't estimated correctly (#​60529) (#​60753)
compiler-cli
Commit Type Description
fc946c5f72 fix ensure HMR works with different output module type (#​60797)
core
Commit Type Description
00bbd9b382 fix fix docs for output migration (#​60764)
f2bfa3151e fix fix ng generate @​angular/core:output-migration. Fixes angular#​58650 (#​60763)
9241615ad0 fix reduce total memory usage of various migration schematics (#​60776)
language-service
Commit Type Description
0e82d42774 fix Do not provide element completions in end tag (#​60616)
fcdef1019f fix Ensure dollar signs are escaped in completions (#​60597)

v19.2.5

Compare Source

Commit Type Description
e61d06afb5 fix step 6 tutorial docs (#​60630)
animations
Commit Type Description
fa48f98d9f fix add missing peer dependency on @angular/common (#​60660)
compiler
Commit Type Description
ca5aa4d55b fix throw for invalid "as" expression in if block (#​60580)
compiler-cli
Commit Type Description
f4c4b10ea8 fix Produce fatal diagnostic on duplicate decorated properties (#​60376)
22a0e54ac4 fix support relative imports to symbols outside rootDir (#​60555)
core
Commit Type Description
64da69f7b6 fix check ngDevMode for undefined (#​60565)
8f68d1bec3 fix fix ng generate @​angular/core:output-migration (#​60626)
bc79985c65 fix fix regexp for event types (#​60592)
006ac7f22f fix fixes #​592882 ng generate @​angular/core:signal-queries-migration (#​60688)
da6e93f434 fix preserve comments in internal inject migration (#​60588)
dbbddd1617 fix prevent omission of deferred pipes in full compilation (#​60571)
language-service
Commit Type Description
0e9e0348dd fix Update adapter to log instead of throw errors (#​60651)
migrations
Commit Type Description
15f53f035b fix handle shorthand assignments in super call (#​60602)
4b161e6234 fix inject migration not handling super parameter referenced via this (#​60602)
router
Commit Type Description
958e98e4f7 fix Add missing types to transition (#​60307)
service-worker
Commit Type Description
7cd89ad2c6 fix assign initializing client's app version, when a request is for worker script (#​58131)

v19.2.4

Compare Source

core
Commit Type Description
081f5f5a83f fix fix used templates are not deleted (#​60459)
localize
Commit Type Description
a2f622d82d6 fix handle @​angular/build:karma in ng add (#​60513)
platform-browser
Commit Type Description
8e8ccc79279 fix ensure platformBrowserTesting includes platformBrowser providers (#​60480)

v19.2.3

Compare Source

compiler-cli
Commit Type Description
aa8ea7a5b2 fix report more accurate diagnostic for invalid import (#​60455)
core
Commit Type Description
13a8709b2b fix catch hydration marker with implicit body tag (#​60429)
296aded9da fix execute timer trigger outside zone (#​60392)
0615ffb4f7 fix include input name in error message (#​60404)
platform-browser-dynamic
Commit Type Description
1e06c8e8b6 fix ensure compiler is loaded before @angular/common (#​60458)
upgrade
Commit Type Description
9e1a1030c8 fix handle output emitters when downgrading a component (#​60369)

v19.2.2

Compare Source

common
Commit Type Description
90a16a1088 fix support equality function in httpResource (#​60026)
compiler
Commit Type Description
56b551d273 fix incorrect spans for template literals (#​60323) (#​60331)
compiler-cli
Commit Type Description
23ca88522b fix handle transformed classes when generating HMR code (#​60298)
core
Commit Type Description
6dc41265fd fix check whether application is destroyed before initializing event replay (#​59789)
bb12b30d52 fix ensures immediate trigger fires properly with lazy loaded routes (#​60203)
b144dd946e fix fix removal of a container reference used in the component file (#​60210)
platform-server
Commit Type Description
15c42969fc fix add missing peer dependency for rxjs (#​60308)
router
Commit Type Description
7bcdf7c143 fix update symbols (#​60233)

v19.2.1

Compare Source

Breaking Changes

core

  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

    Before:

    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:

    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

    A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core
Commit Type Description
70d0639bc1 fix introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.0

Compare Source

common
Commit Type Description
3e39da593a feat introduce experimental httpResource (#​59876)
compiler
Commit Type Description
5b20bab96d feat Add Skip Hydration diagnostic. (#​59576)
fe8a68329b feat support untagged template literals in expressions (#​59230)
core
Commit Type Description
2588985f43 feat pass signal node to throwInvalidWriteToSignalErrorFn (#​59600)
168516462a feat support default value in resource() (#​59655)
bc2ad7bfd3 feat support streaming resources (#​59573)
146ab9a76e feat support TypeScript 5.8 (#​59830)
6c92d65349 fix add hasValue narrowing to ResourceRef (#​59708)
96e602ebe9 fix cancel in-progress request when same value is assigned (#​59280)
6789c7ef94 fix Defer afterRender until after first CD (#​59455) (#​59551)
c87e581dd9 fix Don't run effects in check no changes pass (#​59455) (#​59551)
127fc0dc84 fix fix resource()'s previous.state (#​59708)
b592b1b051 fix fix race condition in resource() (#​59851)
a299e02e91 fix preserve tracing snapshot until tick finishes (#​59796)
forms
Commit Type Description
fa0c3e3210 feat support type set in form validators (#​45793)
migrations
Commit Type Description
1cd3a7db83 feat add migration to convert templates to use self-closing tags (#​57342)
platform-browser
Commit Type Description
e6cb411e43 fix automatically disable animations on the server (#​59762)
platform-server
Commit Type Description
fc5d187da5 fix decouple server from animations module (#​59762)

v19.1.8

Compare Source

benchpress
Commit Type Description
f0990c67e6 fix Ensure future-proof correct initialization order (#​60025)
common
Commit Type Description
1fbaeab37d fix ma

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner November 27, 2025 18:14
@renovate
Copy link
Contributor Author

renovate bot commented Nov 27, 2025
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: development/client-angular/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: simple-apollo-angular@0.0.0
npm error Found: @angular/core@17.3.12
npm error node_modules/@angular/core
npm error   dev @angular/core@"17.3.12" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @angular/core@"19.2.16" from @angular/common@19.2.16
npm error node_modules/@angular/common
npm error   dev @angular/common@"19.2.16" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-12-06T17_35_08_976Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-12-06T17_35_08_976Z-debug-0.log

@relativeci
Copy link

relativeci bot commented Nov 27, 2025
edited
Loading

#1581 Bundle Size — 1.93MiB (0%).

f454006(current) vs 00aa451 main#1580(baseline)

Warning

Bundle contains 15 duplicate packages – View duplicate packages

Bundle metrics  no changes
                 Current
#1581		      Baseline
#1580
No change  Initial JS 1.7MiB 1.7MiB
No change  Initial CSS 0B 0B
Change  Cache Invalidation 0% 80.66%
No change  Chunks 5 5
No change  Assets 172 172
No change  Modules 1526 1526
No change  Duplicate Modules 131 131
No change  Duplicate Code 4.71% 4.71%
No change  Packages 185 185
No change  Duplicate Packages 12 12
Bundle size by type  no changes
                 Current
#1581		      Baseline
#1580
No change  JS 1.7MiB 1.7MiB
No change  Other 205.58KiB 205.58KiB
No change  IMG 35.85KiB 35.85KiB
No change  HTML 857B 857B

Bundle analysis reportBranch renovate/npm-angular-common-vuln...Project dashboard

Generated by RelativeCIDocumentationReport issue

@pkg-pr-new
Copy link

pkg-pr-new bot commented Nov 27, 2025
edited
Loading 

npm i https://pkg.pr.new/apollographql/apollo-client-devtools@1750

npm i https://pkg.pr.new/apollographql/apollo-client-devtools/@apollo/client-devtools-vscode@1750

commit: f454006

@renovate renovate bot changed the title chore(deps): update dependency @angular/common to v19 [security] chore(deps): update dependency @angular/common to v19 [security] - autoclosed Nov 28, 2025
@renovate renovate bot closed this Nov 28, 2025
@renovate renovate bot deleted the renovate/npm-angular-common-vulnerability branch November 28, 2025 01:29
@renovate renovate bot changed the title chore(deps): update dependency @angular/common to v19 [security] - autoclosed chore(deps): update dependency @angular/common to v19 [security] Dec 1, 2025
@renovate renovate bot reopened this Dec 1, 2025
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch 10 times, most recently from 6789289 to 113c36b Compare December 5, 2025 21:20
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 113c36b to f454006 Compare December 6, 2025 17:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🎄 dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant