Skip to content

fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY]#38

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-angular-common-vulnerability
Open

fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY]#38
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-angular-common-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 27, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@angular/common (source) ^19.2.2^19.2.16 age confidence

GitHub Vulnerability Alerts

CVE-2025-66035

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

  1. The victim's Angular application must have XSRF protection enabled.
  2. The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.

Patches

  • 19.2.16
  • 20.3.14
  • 21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Release Notes

angular/angular (@​angular/common)

v19.2.16

Compare Source

http
Commit Type Description
05fe6686a9 fix prevent XSRF token leakage to protocol-relative URLs

v19.2.15

Compare Source

Breaking Changes

core

  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

    Before:

    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:

    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

    A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core
Commit Type Description
70d0639bc1 fix introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.14

Compare Source

compiler
Commit Type Description
24bab55f0c fix lexer support for template literals in object literals (#​61601)
migrations
Commit Type Description
9e1cd49662 fix preserve comments when removing unused imports (#​61674)

v19.2.13

Compare Source

common
Commit Type Description
2c876b4fc5 fix avoid injecting ApplicationRef in FetchBackend (#​61649)
service-worker
Commit Type Description
b15bddfa04 fix do not register service worker if app is destroyed before it is ready to register (#​61101)

v19.2.12

Compare Source

common
Commit Type Description
126efc9972 fix cancel reader when app is destroyed (#​61528)
efda872453 fix prevent reading chunks if app is destroyed (#​61354)
compiler
Commit Type Description
44bb328eae fix avoid conflicts between HMR code and local symbols (#​61550)
compiler-cli
Commit Type Description
107180260f fix Always retain prior results for all files (#​61487)
1191e62d70 fix avoid ECMAScript private field metadata emit (#​61227)
core
Commit Type Description
2b1b14f4d3 fix cleanup rxResource abort listener (#​58306)
8f9b05eaaa fix cleanup testability subscriptions (#​61261)
eb53bda470 fix enable stashing only when withEventReplay() is invoked (#​61352)
94f5a4b4d6 fix Testing should not throw when Zone does not patch test FW APIs (#​61376)
c0c69a5abc fix unregister onDestroy in toSignal. (#​61514)
platform-server
Commit Type Description
8edafd0559 perf speed up resolution of base (#​61392)

v19.2.11

Compare Source

v19.2.10

Compare Source

common
Commit Type Description
89056a0356 fix cleanup updateLatestValue if view is destroyed before promise resolves (#​61064)
core
Commit Type Description
4623b61448 fix missing useExisting providers throwing for optional calls (#​61152)
400dbc5b89 fix properly handle app stabilization with defer blocks (#​61056)
platform-server
Commit Type Description
a6f0d5bc20 fix less aggressive ngServerMode cleanup (#​61106)

v19.2.9

Compare Source

core
Commit Type Description
946b844e0d fix async EventEmitter error should not prevent stability (#​61028)
dbb87026ca fix call DestroyRef on destroy callback if view is destroyed [patch] (#​61061)
2e140a136a fix prevent stash listener conflicts [patch] (#​61063)

v19.2.8

Compare Source

forms
Commit Type Description
ea4a211216 fix make NgForm emit FormSubmittedEvent and FormResetEvent (#​60887)

v19.2.7

Compare Source

common
Commit Type Description
37ab6814f5 fix issue a warning instead of an error when NgOptimizedImage exceeds the preload limit (#​60883)
core
Commit Type Description
b144126612 fix inject migration: replace param with this. (#​60713)
http
Commit Type Description
d39e09da41 fix Include HTTP status code and headers when HTTP requests errored in httpResource (#​60802)

v19.2.6

Compare Source

compiler
Commit Type Description
3441f7b914 fix error if rawText isn't estimated correctly (#​60529) (#​60753)
compiler-cli
Commit Type Description
fc946c5f72 fix ensure HMR works with different output module type (#​60797)
core
Commit Type Description
00bbd9b382 fix fix docs for output migration (#​60764)
f2bfa3151e fix fix ng generate @​angular/core:output-migration. Fixes angular#​58650 (#​60763)
9241615ad0 fix reduce total memory usage of various migration schematics (#​60776)
language-service
Commit Type Description
0e82d42774 fix Do not provide element completions in end tag (#​60616)
fcdef1019f fix Ensure dollar signs are escaped in completions (#​60597)

v19.2.5

Compare Source

Commit Type Description
e61d06afb5 fix step 6 tutorial docs (#​60630)
animations
Commit Type Description
fa48f98d9f fix add missing peer dependency on @angular/common (#​60660)
compiler
Commit Type Description
ca5aa4d55b fix throw for invalid "as" expression in if block (#​60580)
compiler-cli
Commit Type Description
f4c4b10ea8 fix Produce fatal diagnostic on duplicate decorated properties (#​60376)
22a0e54ac4 fix support relative imports to symbols outside rootDir (#​60555)
core
Commit Type Description
64da69f7b6 fix check ngDevMode for undefined (#​60565)
8f68d1bec3 fix fix ng generate @​angular/core:output-migration (#​60626)
bc79985c65 fix fix regexp for event types (#​60592)
006ac7f22f fix fixes #​592882 ng generate @​angular/core:signal-queries-migration (#​60688)
da6e93f434 fix preserve comments in internal inject migration (#​60588)
dbbddd1617 fix prevent omission of deferred pipes in full compilation (#​60571)
language-service
Commit Type Description
0e9e0348dd fix Update adapter to log instead of throw errors (#​60651)
migrations
Commit Type Description
15f53f035b fix handle shorthand assignments in super call (#​60602)
4b161e6234 fix inject migration not handling super parameter referenced via this (#​60602)
router
Commit Type Description
958e98e4f7 fix Add missing types to transition (#​60307)
service-worker
Commit Type Description
7cd89ad2c6 fix assign initializing client's app version, when a request is for worker script (#​58131)

v19.2.4

Compare Source

core
Commit Type Description
081f5f5a83f fix fix used templates are not deleted (#​60459)
localize
Commit Type Description
a2f622d82d6 fix handle @​angular/build:karma in ng add (#​60513)
platform-browser
Commit Type Description
8e8ccc79279 fix ensure platformBrowserTesting includes platformBrowser providers (#​60480)

v19.2.3

Compare Source

compiler-cli
Commit Type Description
aa8ea7a5b2 fix report more accurate diagnostic for invalid import (#​60455)
core
Commit Type Description
13a8709b2b fix catch hydration marker with implicit body tag (#​60429)
296aded9da fix execute timer trigger outside zone (#​60392)
0615ffb4f7 fix include input name in error message (#​60404)
platform-browser-dynamic
Commit Type Description
1e06c8e8b6 fix ensure compiler is loaded before @angular/common (#​60458)
upgrade
Commit Type Description
9e1a1030c8 fix handle output emitters when downgrading a component (#​60369)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@vercel
Copy link

vercel bot commented Nov 27, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
sanity-template-angular-clean Error Error Feb 16, 2026 7:41pm

Request Review

@socket-security
Copy link

socket-security bot commented Nov 27, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​@​angular/​common@​19.2.2 ⏵ 19.2.1898100 +1679 +198 +1100
Addednpm/​@​angular/​core@​19.2.18811008098100

View full report

@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from ec34187 to a7d9599 Compare December 3, 2025 16:34
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.17 [SECURITY] Dec 3, 2025
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.17 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] Dec 3, 2025
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from a7d9599 to a4c0fc3 Compare December 3, 2025 22:32
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from a4c0fc3 to 4f7fbab Compare December 11, 2025 15:51
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.17 [SECURITY] Dec 11, 2025
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.17 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] Dec 11, 2025
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 4f7fbab to dbc5bac Compare December 11, 2025 21:43
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from dbc5bac to 13d4fc3 Compare December 15, 2025 15:47
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.17 [SECURITY] Dec 15, 2025
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 13d4fc3 to 51acf6a Compare December 15, 2025 19:04
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.17 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] Dec 15, 2025
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 51acf6a to 569fe59 Compare December 30, 2025 15:47
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.17 [SECURITY] Dec 30, 2025
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 569fe59 to 8553c88 Compare December 30, 2025 19:33
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.17 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] Dec 30, 2025
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.18 [SECURITY] Jan 8, 2026
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from f1a3afb to 96998bd Compare January 9, 2026 02:37
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.18 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] Jan 9, 2026
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.18 [SECURITY] Jan 19, 2026
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 96998bd to 62b48f8 Compare January 19, 2026 17:55
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 62b48f8 to 433b0c7 Compare January 19, 2026 22:55
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.18 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] Jan 19, 2026
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 433b0c7 to 8c13cd4 Compare February 2, 2026 15:47
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.18 [SECURITY] Feb 2, 2026
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 8c13cd4 to 9344ee0 Compare February 2, 2026 22:08
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.18 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] Feb 2, 2026
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.18 [SECURITY] Feb 12, 2026
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 9344ee0 to 133a1ac Compare February 12, 2026 13:41
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 133a1ac to 7ef7ff7 Compare February 12, 2026 20:32
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.18 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] Feb 12, 2026
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 7ef7ff7 to 3aa4ec8 Compare February 16, 2026 12:48
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.18 [SECURITY] Feb 16, 2026
@renovate renovate bot force-pushed the renovate/npm-angular-common-vulnerability branch from 3aa4ec8 to 303df20 Compare February 16, 2026 19:40
@renovate renovate bot changed the title fix(deps): Update dependency @angular/common to ^19.2.18 [SECURITY] fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY] Feb 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🤖 bot 📦 deps

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants