Update dependency @angular/core to v20.3.16 [SECURITY] - autoclosed #2563

renovate · 2026-01-09T19:02:52Z

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@angular/core (source)	`20.1.6` → `20.3.16`

GitHub Vulnerability Alerts

CVE-2026-22610

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.

In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes for example, <script [attr.href]="userInput"> the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.

Impact

When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:

Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens.
Data Exfiltration: Accessing and transmitting sensitive information displayed within the application.
Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

Attack Preconditions

The victim application must explicitly use SVG <script> elements within its templates.
The application must use property or attribute binding (interpolation) for the href or xlink:href attributes of those SVG scripts.
The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

Patches

19.2.18
20.3.16
21.0.7
21.1.0-rc.0

Workarounds

Until the patch is applied, developers should:

Avoid Dynamic Bindings: Do not use Angular template binding (e.g., [attr.href]) for SVG <script> elements.
Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.

Resources

https://github.com/angular/angular/pull/66318

Release Notes

angular/angular (@angular/core)

Commit	Type	Description
f9d0818087	fix	support arbitrary nesting in :host-context()
106b9040df	fix	support commas in :host() argument
9419ea348a	fix	support complex selectors in :nth-child()
036c5d2a07	fix	support one additional level of nesting in :host()

Commit	Type	Description
4c89a267c3	fix	pass element removal property through in all locations (#64565)
2fad4d4ab6	fix	prevent duplicate nodes from being retained with fast `animate.leave`` calls (#64592)

Commit	Type	Description
cfd8ed3fff	fix	Fix outlet serialization and parsing with no primary children (#64505)
182fe78f91	fix	Surface parse errors in Router.parseUrl (#64503)

Commit	Type	Description
8dec92ff9f	fix	capture metadata for undecorated fields (#63957) (#64317)
c2e817b0ef	perf	fix performance of "interpolated signal not invoked" check (#64410)

Commit	Type	Description
f15cfa4cc4	fix	fixes regression in `animate.leave` function bindings (#64413)
d54dd674ca	fix	Prevents early style pruning with leave animations (#64335)

Commit	Type	Description
554573e524	fix	migrating input with more than 1 usage in a method (#64367)
2c79ca0b57	fix	remove error for no matching files in control flow migration (#64253) (#64314)

Commit	Type	Description
853ed169a8	fix	ensure missing leave animations don't queue leave animations (#64226)
6fed986b7a	fix	Fixes animations in conjunction with content projection (#63776)
76fe5599fe	fix	handle undefined CSS time values in parseCssTimeUnitsToMs function (#64181)
3b959105be	fix	prevent early exit from leave animations when multiple transitions are present (#64225)

Commit	Type	Description
542cd0019a	fix	do not rename ARIA property bindings to attributes (#64089)
0e928fbc4a	fix	Fixes animations in conjunction with content projection (#63776)
e5157bd933	fix	prevents unintended early termination of leave animations and hoisting (#64088)

Commit	Type	Description
1710cbd7d4	fix	handle shorthand property declarations in NgModule (#64160)
77b6305a4b	fix	skip migration for inputs with 'this' references (#64142)

Commit	Type	Description
ba40153ac0	fix	capture metadata for undecorated fields (#63904)
1d4f81c8ee	fix	resolve import alias in defer blocks (#63966)

Commit	Type	Description
8843707919	fix	only bind inputs that are part of microsyntax to a structural directive (#52453)
38c9921ff3	fix	signal not invoked diagnostic not raised when input has same name in template (#63754)

Commit	Type	Description
802dbcc2a0	fix	prevent animation events from being cleaned up on destroy (#63414)
3ec8a5c753	fix	Prevent leave animations on a move operation (#63745)

Commit	Type	Description
f87fad3fff	fix	avoid injecting internal error handler from a destroyed injector (#62275)
114906d2d6	fix	Fix cancellation of animation enter classes (#63442)
596b545130	fix	Prevent an error on cleanup when an `rxResource` `stream` threw before returning an `Observable` (#63342)

Commit	Type	Description
9515a70933	fix	fix narrowing of `Resource.hasValue()` (#63994)
e78451cf8a	fix	prevent animations renderer from impacting `animate.leave` (#63921)

Commit	Type	Description
16d0d43ad4	fix	handle import aliases to the same module name (#63934)
3ebaeccb46	fix	handle reused templates in control flow migration (#63996)

Commit	Type	Description
6c421ed65d	fix	Ensures `@for` loop animations never get cancelled (#63328)
9093e0e132	fix	fix memory leak with leaving nodes tracking (#63328)
c8f07daf8f	fix	Fixes `animate.leave` binding to a string with spaces (#63366)

Commit	Type	Description
7767aa640c	fix	allow more characters in square-bracketed attribute names (#62742)
7b51728813	fix	fixes animation event host bindings not firing (#63217)

Commit	Type	Description
5abfe4a899	feat	add diagnostic for uninvoked functions in text interpolation (#59191)
c4917074f1	fix	display proper function in NG8117 message (#62842)
812463c563	fix	Ignore diagnostics on ngTemplateContextGuard lines in TCB (#63054)
45b030b5ce	fix	prevent dom event assertion in TCB generation on older angular versions (#63053)

Commit	Type	Description
6b1f4b9e8b	feat	add enter and leave animation instructions (#62682)
cec91c0035	feat	add option to infer the tag names of components in tests (#62283)
141bb75ff2	feat	Promote zoneless to stable (#62699)
4138aca91f	feat	render ARIA property bindings as attributes (#62630)
a409534d6c	feat	support `as` aliases on `else if` blocks (#63047)
745ea44394	feat	support TypeScript 5.9 (#62541)
593cc8a368	fix	checks if body exists before continuing (#62768)
bdc31675b7	fix	ensure animate events do not have duplicate elements (#63216)
de3a0c5cf3	fix	Fix `animate.enter` class removal when composing classes (#62981)
6597ac0af7	fix	fix support for space separated strings in leave animations (#62979)
ebd622b344	fix	fixes empty animations when recalculating styles (#63007)
455b147488	fix	fixes timing issues with enter animations (#62925)
f9d73cc687	fix	handle cases where classes added have no animations (#63242)
6a1184600c	fix	prevents duplicate nodes when `@if` toggles with leave animations (#63048)
063b5e166f	fix	switch check to documentElement with chaining (#62773)
320de4e96d	refactor	deprecate animations field on component interface (#62895)

Commit	Type	Description
0984b30388	feat	Add redirected property to HttpResponse and HttpErrorResponse (#62675)
be811fee79	feat	add referrer & integrity support for fetch requests in httpResource (#62461)
1cf9d9064c	feat	Add support for fetch referrer & integrity options in HttpClient (#62417)
1408baff45	fix	Add missing timeout and transferCache options to `HttpClient` (#62586)

Commit	Type	Description
c81e345e72	feat	support auto-import for attribute completions (#62797)
d64dd27a02	feat	support to report the deprecated API in the template (#62054)
591c7e2ec8	fix	Support to resolve the re-export component. (#62585)

Commit	Type	Description
d00b3fed58	feat	add a `currentNavigation` signal to the `Router` service. (#62971)
687c374826	feat	add a currentNavigation signal to the Router service. (#63011)
9c45c322d1	fix	ensure preloaded components are properly activated (#62502)

Update dependency @angular/core to v20.3.16 [SECURITY] - autoclosed #2563

Update dependency @angular/core to v20.3.16 [SECURITY] - autoclosed #2563

Uh oh!

Conversation

renovate bot commented Jan 9, 2026

GitHub Vulnerability Alerts

Impact

Attack Preconditions

Patches

Workarounds

Resources

Release Notes

core

compiler

http

common

compiler

core

compiler-cli

migrations

animations

compiler

compiler-cli

core

router

core

platform-browser

compiler-cli

core

migrations

router

core

migrations

compiler

core

migrations

compiler-cli

core

forms

migrations

compiler

compiler-cli

core

migrations

Breaking Changes

core

core

core

platform-server

compiler

core

compiler

core

compiler

Deprecations

animations

core

router

animations

compiler

compiler-cli

core

forms

http

language-service

platform-browser

router

service-worker

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants