Commit c401baa
authored
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?v=4&size=40){kind=avatar}
chore(deps): update dependency @angular/compiler to v21.0.7 [security] (#421)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Adoption](https://docs.renovatebot.com/merge-confidence/) |
[Passing](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|---|---|
| [@angular/compiler](https://redirect.github.com/angular/angular)
([source](https://redirect.github.com/angular/angular/tree/HEAD/packages/compiler))
| [`21.0.5` →
`21.0.7`](https://renovatebot.com/diffs/npm/@angular%2fcompiler/21.0.5/21.0.7)
|
|
|
|
|
### GitHub Vulnerability Alerts
####
[CVE-2026-22610](https://redirect.github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6)
A Cross-Site Scripting (XSS) vulnerability has been identified in the
Angular Template Compiler. The vulnerability exists because Angular’s
internal sanitization schema fails to recognize the `href` and
`xlink:href` attributes of SVG `<script>` elements as a **Resource URL**
context.
In a standard security model, attributes that can load and execute code
(like a script's source) should be strictly validated. However, because
the compiler does not classify these specific SVG attributes correctly,
it allows attackers to bypass Angular's built-in security protections.
When template binding is used to assign user-controlled data to these
attributes for example, `<script [attr.href]="userInput">` the compiler
treats the value as a standard string or a non-sensitive URL rather than
a resource link. This enables an attacker to provide a malicious
payload, such as a `data:text/javascript` URI or a link to an external
malicious script.
### Impact
When successfully exploited, this vulnerability allows for **arbitrary
JavaScript execution** within the context of the victim's browser
session. This can lead to:
- **Session Hijacking:** Stealing session cookies, localStorage data, or
authentication tokens.
- **Data Exfiltration:** Accessing and transmitting sensitive
information displayed within the application.
- **Unauthorized Actions:** Performing state-changing actions (like
clicking buttons or submitting forms) on behalf of the authenticated
user.
### Attack Preconditions
1. The victim application must explicitly use SVG `<script>` elements
within its templates.
2. The application must use property or attribute binding
(interpolation) for the `href` or `xlink:href` attributes of those SVG
scripts.
3. The data bound to these attributes must be derived from an untrusted
source (e.g., URL parameters, user-submitted database entries, or
unsanitized API responses).
### Patches
- 19.2.18
- 20.3.16
- 21.0.7
- 21.1.0-rc.0
### Workarounds
Until the patch is applied, developers should:
- **Avoid Dynamic Bindings**: Do not use Angular template binding (e.g.,
`[attr.href]`) for SVG `<script>` elements.
- **Input Validation**: If dynamic values must be used, strictly
validate the input against a strict allowlist of trusted URLs on the
server side or before it reaches the template.
### Resources
-
[https://github.com/angular/angular/pull/66318](https://redirect.github.com/angular/angular/pull/66318)
---
### Release Notes
<details>
<summary>angular/angular (@​angular/compiler)</summary>
###
[`v21.0.7`](https://redirect.github.com/angular/angular/blob/HEAD/CHANGELOG.md#2107-2026-01-07)
[Compare
Source](https://redirect.github.com/angular/angular/compare/v21.0.6...v21.0.7)
##### compiler
| Commit | Type | Description |
|
------------------------------------------------------------------------------------------------
| ---- | ----------------------------------------------------- |
|
[8e808740c9](https://redirect.github.com/angular/angular/commit/8e808740c9311daa0f1c9bab8596ed5e54bdcc6a)
| fix | better types for a few expression AST nodes |
|
[63b1cdcf70](https://redirect.github.com/angular/angular/commit/63b1cdcf70e6de448e8fa4ba1732d7bd7b5400d1)
| fix | produce accurate span for typeof and void expressions |
|
[3c3ae0cb64](https://redirect.github.com/angular/angular/commit/3c3ae0cb64bb112d7167fd9b0bf7739f0c9e6a39)
| fix | provide location information for literal map keys |
|
[523dbaf1c3](https://redirect.github.com/angular/angular/commit/523dbaf1c3646ce27f1cf2e4cfc84c730fea8da9)
| fix | stop ThisReceiver inheritance from ImplicitReceiver |
##### compiler-cli
| Commit | Type | Description |
|
------------------------------------------------------------------------------------------------
| ---- |
--------------------------------------------------------------------------------
|
|
[4d9c4567ed](https://redirect.github.com/angular/angular/commit/4d9c4567edfb8dd424a3336ef54ffdfc6ca7c15f)
| fix | ensure component import diagnostics are reported within the
`imports` expression |
|
[cd405685af](https://redirect.github.com/angular/angular/commit/cd405685afbfad530de7fb841ad352d2b702a9a4)
| fix | fix up spelling of diagnostic |
|
[778460fcca](https://redirect.github.com/angular/angular/commit/778460fccac13d8667bb53fa24ba977a930c0253)
| fix | support qualified names in `typeof` type references |
##### core
| Commit | Type | Description |
|
------------------------------------------------------------------------------------------------
| ---- | ---------------------------------------------------- |
|
[7c74674eb0](https://redirect.github.com/angular/angular/commit/7c74674eb07491f808f79976e3e21787a841aefb)
| fix | avoid leaking view data in animations |
|
[0edbee4550](https://redirect.github.com/angular/angular/commit/0edbee4550e85b933e9bd2ba3c5511ef6fbf7304)
| fix | explicitly cast signal node value to String |
|
[f9c29572d2](https://redirect.github.com/angular/angular/commit/f9c29572d28feef878c73edad562b3a6451825a6)
| fix | sanitize sensitive attributes on SVG script elements |
##### forms
| Commit | Type | Description |
|
------------------------------------------------------------------------------------------------
| ---- | ---------------------------------------------------- |
|
[e3fba182f9](https://redirect.github.com/angular/angular/commit/e3fba182f90a2673040cf267a970c54c07d4840f)
| feat | add `[formField]` directive |
|
[561772b152](https://redirect.github.com/angular/angular/commit/561772b152458e1d91d4bf3ef45d9645a731f2b1)
| fix | allow custom controls to require `dirty` input |
|
[f0fb1d8581](https://redirect.github.com/angular/angular/commit/f0fb1d8581671ca499bcb4790b0549825eb36a91)
| fix | allow custom controls to require `hidden` input |
|
[ec110f170b](https://redirect.github.com/angular/angular/commit/ec110f170bbba95f023c8ae0e4429c35bfedc572)
| fix | allow custom controls to require `pending` input |
|
[ae1dc16bb0](https://redirect.github.com/angular/angular/commit/ae1dc16bb0d30b6e87b0f98b7989e6685d856e31)
| fix | clean up abort listener after timeout |
|
[9748b0d5da](https://redirect.github.com/angular/angular/commit/9748b0d5da6ffb1fd2498b23cc452240f46e0549)
| fix | support custom controls with non signal-based models |
|
[6bd22df987](https://redirect.github.com/angular/angular/commit/6bd22df987e433a9e3cb759e35eb6403991cf4b7)
| fix | Support readonly arrays in signal forms |
##### router
| Commit | Type | Description |
|
------------------------------------------------------------------------------------------------
| ---- | ---------------------------------------------------------------
|
|
[41cd4a6af8](https://redirect.github.com/angular/angular/commit/41cd4a6af800cf7807c46862c99ae036457d8fa7)
| fix | Fix RouterLink href not updating with `queryParamsHandling` |
|
[5e9e09aee0](https://redirect.github.com/angular/angular/commit/5e9e09aee0c08901d2a4d48b60bd13692c73e76e)
| fix | handle errors from view transition `updateCallbackDone` promise
|
<!-- CHANGELOG SPLIT MARKER -->
###
[`v21.0.6`](https://redirect.github.com/angular/angular/blob/HEAD/CHANGELOG.md#2106-2025-12-17)
[Compare
Source](https://redirect.github.com/angular/angular/compare/v21.0.5...v21.0.6)
#### Breaking Changes (affecting only experimental features)
##### forms
- The shape of `SignalFormsConfig.classes` has changed
Previously each function in the `classes` map took a `FieldState`. Now
it takes a `Field` directive.
For example if you previously had:
```
provideSignalFormsConfig({
classes: {
'my-valid': (state) => state.valid()
}
})
```
You would need to update to:
```
provideSignalFormsConfig({
classes: {
'my-valid': ({state}) => state().valid()
}
})
```
(cherry picked from commit
[`348f149`](https://redirect.github.com/angular/angular/commit/348f149e8b06d6885f54bac4cf03a9481a8b19b7))
- (cherry picked from commit
[`ae0c590`](https://redirect.github.com/angular/angular/commit/ae0c59028a2f393ea5716bf222db2c38e7a3989f))
##### core
| Commit | Type | Description |
|
------------------------------------------------------------------------------------------------
| ---- | ------------------------------------------------------ |
|
[4c8fb3631d](https://redirect.github.com/angular/angular/commit/4c8fb3631d58e22d693aba0b89243f2e9ecb0807)
| fix | throw better errors for potential circular references |
|
[48492524ea](https://redirect.github.com/angular/angular/commit/48492524ea4adfa232b0daee0d955924be31ebea)
| fix | use mutable ResponseInit type for RESPONSE\_INIT token |
##### forms
| Commit | Type | Description |
|
------------------------------------------------------------------------------------------------
| -------- |
------------------------------------------------------------- |
|
[81772b420d](https://redirect.github.com/angular/angular/commit/81772b420dcda2cbe2a8cb75e50c6da2e1ecdc68)
| feat | pass field directive to class config |
|
[729b96476b](https://redirect.github.com/angular/angular/commit/729b96476b73f1670a0f7c6ab3f36be9d38ebcac)
| refactor | rename field to fieldTree in FieldContext and
ValidationError |
##### language-service
| Commit | Type | Description |
|
------------------------------------------------------------------------------------------------
| ---- |
---------------------------------------------------------------------- |
|
[e0694df3ec](https://redirect.github.com/angular/angular/commit/e0694df3eccae3d31a4ea537dffe1db1368ef34a)
| fix | avoid interpolation highlighting inside
[@​let](https://redirect.github.com/let) |
|
[5047be4bc1](https://redirect.github.com/angular/angular/commit/5047be4bc1c6f6016263703c743f8033f669f0ee)
| fix | Prevent language service from crashing on suggestion diagnostic
errors |
<!-- CHANGELOG SPLIT MARKER -->
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/mnahkies/openapi-code-generator).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi43NC41IiwidXBkYXRlZEluVmVyIjoiNDIuNzQuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>1 parent 79252b0 commit c401baa
1 file changed
+33
-33
lines changedSome generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
0 commit comments