[deps]: Update @angular/compiler to v21.2.4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/compiler (source)	21.1.6 → 21.2.4

GitHub Vulnerability Alerts

CVE-2026-32635

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script.

The following example illustrates the issue:

<a href="" i18n-href>Click me</a>

The following attributes have been confirmed to be vulnerable:

• action
• background
• cite
• codebase
• data
• formaction
• href
• itemtype
• longdesc
• poster
• src
• xlink:href

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

• Session Hijacking: Stealing session cookies and authentication tokens.
• Data Exfiltration: Capturing and transmitting sensitive user data.
• Unauthorized Actions: Performing actions on behalf of the user.

Attack Preconditions

1. The application must use a vulnerable version of Angular.
2. The application must bind unsanitized user input to one of the attributes mentioned above.
3. The bound value must be marked for internationalization via the presence of a i18n-<name> attribute on the same element.

Patches

• 22.0.0-next.3
• 21.2.4
• 20.3.18
• 19.2.20

Workarounds

The primary workaround is to ensure that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters) until the patch is applied, or when it is, it shouldn't be marked for internationalization.

Alternatively, users can explicitly sanitize their attributes by passing them through Angular's DomSanitizer:

import {Component, inject, SecurityContext} from '@​angular/core';
import {DomSanitizer} from '@​angular/platform-browser';

@​Component({
  template: `
    <form action="" i18n-action>
      <button>Submit</button>
    </form>
  `,
})
export class App {
  url: string;

  constructor() {
    const dangerousUrl = 'javascript:alert(1)';
    const sanitizer = inject(DomSanitizer);
    this.url = sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
  }
}

---

Release Notes

angular/angular (@​angular/compiler)

v21.2.4

Compare Source

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description
abbd8797bb	fix	reverts "feat(core): add support for nested animations"
d1dcd16c5b	fix	sanitize translated form attributes

v21.2.3

Compare Source

core

Commit	Type	Description
62a97f7e4b	fix	ensure definitions compile
21b1c3b2ee	fix	include signal debug names in their toString() representation
224e60ecb1	fix	sanitize translated attribute bindings with interpolations

v21.2.2

Compare Source

compiler

Commit	Type	Description
1df1697c6e	fix	prevent mutation of children array in RecursiveVisitor

compiler-cli

Commit	Type	Description
c822bf8e76	fix	always parenthesize object literals in TCB
05d022d5e6	fix	ignore generated ngDevMode signal branch for code coverage

forms

Commit	Type	Description
670d1660c4	feat	add 'blur' option to debounce rule

v21.2.1

Compare Source

core

Commit	Type	Description
e2e9a9a531	fix	adds transfer cache to httpResource to fix hydration
b4ec3cc4e4	fix	prevent child animation elements from being orphaned
e923d88398	fix	Prevent removal of elements during drag and drop

http

Commit	Type	Description
277ade97ac	fix	correctly cache blob responses in transfer cache (#​67002)

v21.2.0

Compare Source

common

Commit	Type	Description
18003a33bb	feat	add an 'outlet' injector option for ngTemplateOutlet
8bbe6dc46c	feat	Add Location strategies to manage trailing slash on write
51cc914807	feat	support height in ImageLoaderConfig and built-in loaders

compiler

Commit	Type	Description
72534e2a34	feat	Add support for the instanceof binary operator
95b3f37d4a	feat	Exhaustive checks for switch blocks
04ba09a8d9	feat	support AstVisitor.visitEmptyExpr()
ce80136e7b	fix	optimize away unnecessary restore/reset view calls
3242a61bae	fix	variable counter visiting some expressions twice

compiler-cli

Commit	Type	Description
473dd3e1cb	fix	attach source spans to object literal keys in TCB
a904d9f77b	fix	support nested component declaration
2ea6dfc6c9	fix	update diagnostic to flag no-op arrow functions in listeners

core

Commit	Type	Description
8d5210c9fe	feat	add ChangeDetectionStrategy.Eager alias for Default
92d2498910	feat	add host node to DeferBlockData (#​66546)
ea2016a6dc	feat	add support for nested animations
81cabc1477	feat	add support for TypeScript 6
1ba9b7ac50	feat	resource composition via snapshots
d9923b72a2	feat	support arrow functions in expressions
a7e8abbb7e	fix	correctly handle SkipSelf when resolving from embedded view injector
0806ee3826	fix	prevent animated element duplication with dynamic components in zoneless mode
ed78fa05c7	fix	Remove note to skip arrow functions in best practices

forms

Commit	Type	Description
f56bb07d83	feat	add field param to submit action and onInvalid
ba009b6031	feat	add form directive
22afbb2f36	feat	add parsing support to native inputs (#​66917)
95c386469c	feat	Add passing focus options to form field
95ecce8334	feat	allow setting submit options at form-level
ebae211add	feat	introduce parse errors in signal forms
3937afc316	feat	introduce SignalFormControl for Reactive Forms compatibility
30f0914754	feat	support binding null to number input (#​66917)
dd208ca259	feat	update submit function to accept options object
27397b3f4f	fix	clear parse errors when model updates (#​66917)
63d8005703	fix	preserve custom-control focus context in signal forms
631f60d1f9	fix	preserve parse errors when parse returns value
adfb83146b	fix	simplify design of parse errors
fb05fc86d0	fix	sort error summary by DOM order
567f292e8e	fix	support custom controls as host directives
bdfb60f3e3	fix	use consistent error format returned from parse
d75046bc09	fix	warn when showing hidden field state

language-server

Commit	Type	Description
ebc90c26f5	feat	Add completions and hover info for inline styles
26fd0839c3	feat	Add folding range support for inline styles
573aadef7e	feat	Add quick info for inline styles
6fb39d9b62	feat	Support client-side file watching via onDidChangeWatchedFiles

language-service

Commit	Type	Description
496967e7b1	feat	add JSON schema for angularCompilerOptions
8c21866f49	feat	add linked editing ranges for HTML tag synchronization
d2137928e8	perf	use lightweight project warmup for Angular analysis

router

Commit	Type	Description
b51bab583d	feat	Add partial ActivatedRouteSnapshot information to canMatch params
cf9620f7d0	feat	Make match options optional in isActive
907a94dcec	feat	Update IsActiveMatchOptions APIs to accept a Partial

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @angular/compiler-cli@21.1.6
npm error Found: @angular/compiler@21.2.4
npm error node_modules/@angular/compiler
npm error   @angular/compiler@"21.2.4" from the root project
npm error   peer @angular/compiler@"^21.0.0" from @angular/build@21.1.5
npm error   node_modules/@angular/build
npm error     dev @angular/build@"21.1.5" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @angular/compiler@"21.1.6" from @angular/compiler-cli@21.1.6
npm error node_modules/@angular/compiler-cli
npm error   dev @angular/compiler-cli@"21.1.6" from the root project
npm error   peer @angular/compiler-cli@"^21.0.0" from @angular/build@21.1.5
npm error   node_modules/@angular/build
npm error     dev @angular/build@"21.1.5" from the root project
npm error   2 more (@ngtools/webpack, jest-preset-angular)
npm error
npm error Conflicting peer dependency: @angular/compiler@21.1.6
npm error node_modules/@angular/compiler
npm error   peer @angular/compiler@"21.1.6" from @angular/compiler-cli@21.1.6
npm error   node_modules/@angular/compiler-cli
npm error     dev @angular/compiler-cli@"21.1.6" from the root project
npm error     peer @angular/compiler-cli@"^21.0.0" from @angular/build@21.1.5
npm error     node_modules/@angular/build
npm error       dev @angular/build@"21.1.5" from the root project
npm error     2 more (@ngtools/webpack, jest-preset-angular)
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-03-14T02_11_02_469Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-03-14T02_11_02_469Z-debug-0.log