fix(deps): update dependency @angular/ssr to v18 [security] #28

renovate · 2025-09-11T00:56:56Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/ssr	`^17.0.2` → `^18.0.0`

GitHub Vulnerability Alerts

CVE-2025-59052

Impact

Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state.

In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks.

The following APIs were vulnerable and required SSR-only breaking changes:

bootstrapApplication: This function previously implicitly retrieved the last platform injector that was created. It now requires an explicit BootstrapContext in a server environment. This function is only used for standalone applications. NgModule-based applications are not affected.
getPlatform: This function previously returned the last platform instance that was created. It now always returns null in a server environment.
destroyPlatform: This function previously destroyed the last platform instance that was created. It's now a no-op when called in a server environment.

For bootstrapApplication, the framework now provides a new argument to the application's bootstrap function:

// Before:
const bootstrap = () => bootstrapApplication(AppComponent, config);

// After:
const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

As is usually the case for changes to Angular, an automatic schematic will take care of these code changes as part of ng update:

# For apps on Angular v20:
ng update @&#8203;angular/cli @&#8203;angular/core

# For apps on Angular v19:
ng update @&#8203;angular/cli@19 @&#8203;angular/core@19

# For apps on Angular v18:
ng update @&#8203;angular/cli@18 @&#8203;angular/core@18

The schematic can also be invoked explicitly if the version bump was pulled in independently:

# For apps on Angular v20:
ng update @&#8203;angular/core --name add-bootstrap-context-to-server-main

# For apps on Angular v19:
ng update @&#8203;angular/core@19 --name add-bootstrap-context-to-server-main

# For apps on Angular v18:
ng update @&#8203;angular/core@18 --name add-bootstrap-context-to-server-main

For applications that still use CommonEngine, the bootstrap property in CommonEngineOptions also gains the same context argument in the patched versions of Angular.

In local development (ng serve), Angular CLI triggered a codepath for Angular's "JIT" feature on the server even in applications that weren't using it in the browser. The codepath introduced async behavior between platform creation and application bootstrap, triggering the race condition even if an application didn't explicitly use getPlatform or custom async logic in bootstrap. Angular applications should never run in this mode outside of local development.

Patches

The issue has been patched in all active release lines as well as in the v21 prerelease:

@angular/platform-server: 21.0.0-next.3
@angular/platform-server: 20.3.0
@angular/platform-server: 19.2.15
@angular/platform-server: 18.2.14
@angular/ssr: 21.0.0-next.3
@angular/ssr: 20.3.0
@angular/ssr: 19.2.16
@angular/ssr: 18.2.21

Workarounds

Disable SSR via Server Routes (v19+) or builder options.
Remove any asynchronous behavior from custom bootstrap functions.
Remove uses of getPlatform() in application code.
Ensure that the server build defines ngJitMode as false.

References

Release Notes

angular/angular-cli (@angular/ssr)

Commit	Type	Description
c8bee8415	fix	allow .js file replacements in all configuration cases
93f552112	fix	improve URL rebasing for hyphenated Sass namespaced variables

Commit	Type	Description
d749ba6a3	fix	allow direct bundling of TSX files with application builder
b91c82d89	fix	avoid race condition in sass importer

Commit	Type	Description
b522002ff	fix	add validation for component and directive class name
dfd2d5c05	fix	include `index.csr.html` in resources asset group

Commit	Type	Description
9445916f9	fix	`Ctrl + C` not terminating dev-server with SSR
9b5cfaa8c	fix	always generate a new hash for optimized chunk

Commit	Type	Description
8274184e1	fix	add `animate` to valid self-closing elements
2648e811e	fix	add few more SVG elements animateMotion, animateTransform, and feBlend etc. to valid self-closing elements
736e126e4	fix	separate Vite cache by project

Commit	Type	Description
9d0b67124	fix	allow missing HTML file request to fallback to index
5fea635b2	fix	update rollup to 4.22.4

Commit	Type	Description
707431625	fix	support HTTP HEAD requests for virtual output files
1032b3da1	fix	update vite to `5.4.6`

Commit	Type	Description
f8b092711	fix	allow explicitly disabling TypeScript incremental mode
f3a5970fc	fix	lazy load Node.js inspector for dev server

Commit	Type	Description
a28615d7d	fix	add CSP `nonce` attribute to script tags when inline critical CSS is disabled
747a1447c	fix	prevent build failures with remote CSS imports when Tailwind is configured
c0933f2c0	fix	resolve error with `extract-i18n` builder for libraries

Commit	Type	Description
5b9378a3b	fix	account for HTML base HREF for dev-server externals
3e4ea77d7	fix	correctly detect comma in Sass URL lexer
d868270f1	fix	prevent redirection loop
3573ac655	fix	serve HTML files directly

Commit	Type	Description
96dc7e6ed	fix	remove Vite "/@id/" prefix for explicit external dependencies
bdef39801	fix	resolve only ".wasm" files

Commit	Type	Description
687a6c7ec	feat	add `--inspect` option to the dev-server
628d87a94	feat	support WASM/ES Module integration proposal
3e359da8d	fix	address rxjs undefined issues during SSR prebundling
4ff914a16	fix	allow additional module preloads up to limit
fb8e3c39a	fix	allow top-level await in zoneless applications
83b75af9f	fix	check inlineSourceMap option with isolated modules optimization
cd97134a6	fix	normalize paths during module resolution in Vite
13d2100dd	fix	read WASM file from script location on Node.js
3091956f5	fix	support import attributes in JavaScript transformer
dd94a831b	perf	enable dependency prebundling for server dependencies
3acb77683	perf	use direct transpilation with isolated modules

Commit	Type	Description
9b43ecbd0	fix	reduce the number of max workers to available CPUs minus one
03dad6806	fix	rollback terser to `5.29.2`

Commit	Type	Description
fc928f638	fix	correctly name entry points to match budgets
2d51e8607	fix	redirect to path with trailing slash for asset directories
16f1c1e01	fix	reduce the number of max workers to available CPUs minus one

Commit	Type	Description
bdd168f37	fix	add CSP nonce to script with src tags
405c14809	fix	automatically resolve `.mjs` files when using Vite
7360a346e	fix	use Node.js available parallelism for default worker count

Commit	Type	Description
791ef809d	fix	do not reference sourcemaps in web workers and global stylesheet bundles when hidden setting is enabled
20fc6ca05	fix	generate module preloads next to script elements in index HTML
3a1bf5c8a	fix	Initiate PostCSS only once
78c611754	fix	issue warning when auto adding `@angular/localize/init`

Commit	Type	Description
43a2a7d13	fix	avoid escaping rebased Sass URL values
9acb5c7ca	fix	disable JS transformer persistent cache on web containers
346df4909	fix	improve Sass rebaser ident token detection
6526a5f59	fix	watch all related files during a Sass error

Commit	Type	Description
9967c04b8	fix	check both application builder packages in SSR schematic
92b48ab14	fix	set builders `assets` option correctly for new applications

Commit	Type	Description
3bb06c37d	fix	disable Worker wait loop for Sass compilations in web containers
c4cf35923	fix	print Sass `@warn` location
352879804	fix	support valid self-closing MathML tags in HTML index file
476f3084a	fix	support valid self-closing SVG tags in HTML index file

Commit	Type	Description
7d253e9cd	fix	avoid rebasing URLs with function calls
6b6a76a99	fix	disable persistent disk caching inside webcontainers by default
ba70a50b6	fix	handle esbuild-browser `polyfills` option as `string` during `ng serve`
706423aca	fix	only import persistent cache store with active caching

Uh oh!

fix(deps): update dependency @angular/ssr to v18 [security] #28

Are you sure you want to change the base?

fix(deps): update dependency @angular/ssr to v18 [security] #28

Uh oh!

Conversation

renovate bot commented Sep 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

Release Notes

Breaking Changes

Breaking Changes

Breaking Changes

Configuration

Uh oh!

renovate bot commented Sep 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ Artifact update problem

File name: package-lock.json

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Sep 11, 2025 •

edited

Loading

renovate bot commented Sep 11, 2025 •

edited

Loading