Update dependency @angular/core [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/core (source)	^6.0.0-rc.0 || ^6.0.0 → ^6.0.0-rc.0 || ^6.0.0 || ^22.0.0
@angular/core (source)	7.2.12 → 10.2.5

---

Angular vulnerable to Cross-site Scripting

CVE-2021-4231 / GHSA-c75v-2vq8-878f

More information

Details

A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 10.2.5, 11.0.5 or 11.1.0-next.3 is advised to to address this issue.

Severity

• CVSS Score: 5.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-4231
• https://github.com/angular/angular/issues/40136
• https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09
• https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902
• https://vuldb.com/?id.181356
• https://github.com/angular/angular/commit/0aa220bc0000fc4d1651ec388975bbf5baa1da36
• https://github.com/angular/angular/commit/47d9b6d72dab9d60c96bc1c3604219f6385649ea
• https://github.com/advisories/GHSA-c75v-2vq8-878f

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

angular/angular (@​angular/core)

v22.0.1

Compare Source

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.
  (cherry picked from commit 8446e46)

common

Commit	Type	Description
c4b5fa3c92	fix	escape CSS string-terminating characters in escapeCssUrl
dfff57ede9	fix	Limits date format string length
3c2892c8df	fix	prevent prototype pollution in formatDateTime
1d87c49f6e	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
1ee224ca30	fix	disallow i18n event attributes
a56f1cdf8f	fix	more robust logic to check if regex can be optimized
5946c18275	fix	sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8	fix	sanitize two-way properties

compiler-cli

Commit	Type	Description
3d9ca2f173	fix	bind switch exhaustive check expressions

core

Commit	Type	Description
669146b0e7	fix	disable WebMCP during SSR
562a566ead	fix	Handle synchronous errors in PendingTasks.run function
fa546f382d	fix	harden TransferState restoration against DOM clobbering
29fdb98684	fix	prevent dangling prevConsumer reference from leaking destroyed views (#​68681)
cdcea80327	fix	require WebMCP tool descriptions
4289c4c840	fix	update comment for Default change detection
3dd433b39a	fix	use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3	fix	validate lowercase SVG animation attribute names

forms

Commit	Type	Description
11836a670a	fix	delay mcp reading the form model by a tick
85d2d100e3	fix	harden FormGroup control lookups against prototype shadowing
e51ad374ea	fix	remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6	fix	set additionalProperties: false on generated WebMCP form

http

Commit	Type	Description
ffb06c0514	fix	ensure query parameters are inserted before URL fragments
2dd65d21e6	fix	pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c	fix	preserve empty referrer option in HttpRequest
167bd4c162	fix	Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit	Type	Description
43a0e28729	fix	prevent external template inlay hints from appearing in TS files

platform-server

Commit	Type	Description
ed48ca7f51	fix	harden platform location origin validation during SSR
1881ede3a7	refactor	deprecate ServerXhr

router

Commit	Type	Description
43edc8410f	fix	use native URL object for navigation boundary and comparison

service-worker

Commit	Type	Description
cf97b1f828	fix	Strips sensitive headers on cross-origin redirects

v22.0.0

Compare Source

common

Commit	Type	Description
4795b35d5b	fix	only strip a literal /index.html suffix from URLs

compiler

Commit	Type	Description
2891f7e787	fix	move projection attributes into constants

core

Commit	Type	Description
e3e25b5a53	fix	use Object.create(null) for LOCALE_DATA as a hardening measure

migrations

Commit	Type	Description
9d9855a415	fix	Make the safe optional chaining idempotent

platform-server

Commit	Type	Description
7b9130931d	fix	throw on suspicious URLs and restrict protocol-relative URLs

v21.2.17

Compare Source

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit	Type	Description
86a56dc279	fix	Limits date format string length
d846326b07	fix	skip transfer cache for uncacheable HTTP traffic
bc55749698	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
dc9c99636d	fix	sanitize two-way properties

core

Commit	Type	Description
1523061137	fix	harden TransferState restoration against DOM clobbering
88832c84f8	fix	validate lowercase SVG animation attribute names (#​69269)

http

Commit	Type	Description
bcb1b7ea25	fix	preserve empty referrer option in HttpRequest
a810a319d1	fix	Rejects non-HTTP(S) URLs in JSONP requests
e245d40c4d	fix	skip transfer cache for fetch credentialed requests

platform-server

Commit	Type	Description
35510746b7	fix	harden platform location origin validation during SSR
13fb0afe93	refactor	deprecate ServerXhr (#​69255)

service-worker

Commit	Type	Description
b9d29381bb	fix	Strips sensitive headers on cross-origin redirects

v21.2.16

Compare Source

common

Commit	Type	Description
f6d8e642b0	fix	only strip a literal /index.html suffix from URLs

compiler

Commit	Type	Description
ae1c8a1f7a	fix	move projection attributes into constants

core

Commit	Type	Description
3fd6897a67	fix	harden inherit definition feature against polluted prototypes
7e38336dc7	fix	use Object.create(null) for LOCALE_DATA as a hardening measure

platform-server

Commit	Type	Description
66821c4ed5	fix	throw on suspicious URLs and restrict protocol-relative URLs
d3170031b6	fix	update domino to latest version

v21.2.15

Compare Source

common

Commit	Type	Description
7f4ac78994	fix	add upper bounds for digitsInfo
300f61feb3	fix	sanitize placeholder

compiler

Commit	Type	Description
0b07f47bd6	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#​68925)
eb1cbbf2eb	fix	prevent namespaced SVG <style> elements from being stripped
cc1378d54b	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#​68925)
782e01594e	fix	strip namespaced SVG script elements during template compilation (#​68925)

core

Commit	Type	Description
ff12fe55ac	fix	normalize tag names in runtime i18n attribute security context lookup (#​68925)
e6fe77cc97	fix	sanitize meta selectors
daaf32937f	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#​68925)
dada86e43d	fix	synchronize core sanitization schema with compiler (#​68925)

http

Commit	Type	Description
582a417bd2	fix	exclude withCredentials requests from transfer cache
5c6d6df34b	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
37e8aadf87	fix	prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
b8bd49341d	fix	Preserves explicit 'credentials: omit' in asset requests
ca32fc1000	fix	Preserves HTTP cache mode in asset group requests

v21.2.14

Compare Source

compiler

Commit	Type	Description
68282dff9f	fix	strip namespaced SVG script elements during template compilation

core

Commit	Type	Description
c0f52272ed	fix	do not insert todo when migrating void @​Output
938a7f3edd	fix	makes resource URL sanitizer lookup case-insensitive
0fb2724194	fix	reject script element as a dynamic component host
49113ac0ef	fix	visit ICU expressions in signal migration schematics

router

Commit	Type	Description
099bf577ee	fix	skip scroll-to-top on initial navigation when hydrating

v21.2.13

Compare Source

core

Commit	Type	Description
1c6553e97d	fix	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Type	Description
629905d537	fix	add allowedHosts option to renderModule and renderApplication
0b7192f441	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

v21.2.12

Compare Source

core

Commit	Type	Description
fe13bb669d	fix	allow explicit read generic with signal input transforms
3430251fef	fix	i18n flags leaking on errors
1aeebbe304	fix	respect ngSkipHydration on components with projectable nodes in LContainers
9e38ed7d57	fix	sanitizer typings
7a05a9a71a	fix	validate security-sensitive attributes in i18n bindings
c37f6ca42f	fix	visit ng-let expression value in signal migration schematics

forms

Commit	Type	Description
03ad53863b	fix	prohibit concurrent submits in signal forms

v21.2.11

Compare Source

common

Commit	Type	Description
10ad3c0692	fix	prevent focus from scrollToAnchor

compiler

Commit	Type	Description
4f5d8a2c0b	fix	let declaration span not including end character

core

Commit	Type	Description
a40e2cebc8	fix	fix ordering of view queries metadata in JIT mode
885a1a1d97	fix	guard against non-object events and avoid listener wrapper identity mismatch
7a64aff9b5	fix	prevent event replay double-invocation when element hydrates before app stability

platform-server

Commit	Type	Description
be1f80a253	fix	ensure origin has a trailing slash when parsing url

v21.2.10

Compare Source

docs

Commit	Type	Description
0d5ee9ae1b	fix	link formatting in "Animating your Application with CSS"

migrations

Commit	Type	Description
5533ab4f56	fix	fix NgClass leaving trailing comma after removal

router

Commit	Type	Description
580212c995	fix	restore internal URL on popstate when browserUrl is used

v21.2.9

Compare Source

core

Commit	Type	Description
f603d4714f	fix	escape forward slashes in transfer state to prevent crawler indexing

http

Commit	Type	Description
540536c386	fix	add CSP nonce support to JsonpClientBackend
63a857b874	fix	Don't on Passthru outside of reactive context

platform-server

Commit	Type	Description
e0b5078cf2	fix	prevent SSRF bypasses via protocol-relative and backslash URLs

router

Commit	Type	Description
684e9fd53d	fix	normalize multiple leading slashes in URL parser

v21.2.8

Compare Source

compiler

Commit	Type	Description
e40d378f3e	fix	handle nested brackets in host object bindings

compiler-cli

Commit	Type	Description
2c6781071f	fix	error for type parameter declarations

core

Commit	Type	Description
82192deda9	fix	handle missing serialized container hydration data
057cc6d09d	fix	remove obsolete iOS cursor pointer hack in event delegation

language-service

Commit	Type	Description
7797671257	fix	get quick info at local var location to align with TS semantics and support type narrowing

v21.2.7

Compare Source

compiler

Commit	Type	Description
fea25d1a60	fix	register SVG animation attributes in URL security context (#​67797)

compiler-cli

Commit	Type	Description
bba5ed8e64	fix	prevent recursive scope checks for invalid NgModule imports

core

Commit	Type	Description
d04ddd73df	fix	prevent binding unsafe attributes on SVG animation elements (#​67797)
8fd896e99a	fix	resolve component import by exact specifier in route lazy-loading schematic
b682c62873	fix	treat object[data] as resource URL context (#​67797)

localize

Commit	Type	Description
3c41e74fdd	fix	validate locale in getOutputPathFn to prevent path traversal

router

Commit	Type	Description
0960592d3d	fix	pass outlet context to split to fix empty path named outlets

v21.2.6

Compare Source

common

Commit	Type	Description
b4ab6ba2e8	fix	avoid redundant image fetch on destroy with auto sizes

compiler

Commit	Type	Description
880a57d4b3	fix	prevent shimCssText from adding extra blank lines per CSS comment

core

Commit	Type	Description
ad0156e056	fix	fixes a regression with animate.leave and reordering

migrations

Commit	Type	Description
73d6b01b47	fix	inject migration not work in multi-project workspace with option path

v21.2.5

Compare Source

compiler

Commit	Type	Description
334ae10168	fix	ensure generated code compiles
23ea431c4e	fix	parse named HTML entities containing digits

compiler-cli

Commit	Type	Description
26c43d14ba	fix	escape template literal in TCB
67e0ba7e03	fix	generic types not filled out correctly in type check block

core

Commit	Type	Description
1890c3008b	fix	clean up dehydrated views during HMR component replacement
bf948be4c2	fix	run linked signal equality check without reactive consumer

migrations

Commit	Type	Description
076d41c3f6	fix	prevent trailing comma syntax errors after removing NgStyle

service-worker

Commit	Type	Description
e19150d2b5	fix	preserve redirect policy on reconstructed asset requests

v21.2.4

Compare Source

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description
abbd8797bb	fix	reverts "feat(core): add support for nested animations"
d1dcd16c5b	fix	sanitize translated form attributes

[v21.2.3](https://redir

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.