Note: This PR body was truncated due to platform limits.
This PR contains the following updates:
[!WARNING]
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
The vulnerability is a Credential Leak by App Logic: the application discloses its Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.
Angular's HttpClient has a built-in XSRF protection mechanism that decides whether a request is cross-origin by checking whether the request URL starts with an explicit scheme (http:// or https://). A protocol-relative URL (one that starts with //) has no scheme, so it is incorrectly treated as a same-origin request and the XSRF token is automatically added in the X-XSRF-TOKEN header.
Impact
The leaked token defeats Angular's built-in CSRF protection: the attacker captures the victim's valid XSRF token and, because the browser attaches the session cookie automatically, can then forge arbitrary state-changing requests (CSRF) against the victim user's session.
Attack Preconditions
- The victim's Angular application must have XSRF protection enabled.
- The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.
Patches
Workarounds
Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded either as relative paths (starting with a single /) or as fully qualified absolute URLs pointing at trusted hosts.
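The check described above, as an added example that is not Angular's own source (the real fix is identified only by the commit hash in the release notes below): a vulnerable scheme-prefix check beside a hardened one, the interceptor decision that attaches the header, and an origin comparison that implements the workaround's rule in its general form. The `DemoRequest` shape, the function names and the `app.example` / `attacker.example` hosts are assumptions made for this demo.

```typescript
// Added example; not Angular's source. Models the same-origin check the advisory
// describes and shows why a protocol-relative URL slipped past it.

// Constructed minimal request shape for the demo (assumption, not HttpRequest).
interface DemoRequest {
  method: string;
  url: string;
  headers: Record<string, string>;
}

// Vulnerable form: only an explicit scheme counts as cross-origin, so a
// protocol-relative URL such as "//attacker.example/collect" is treated as same-origin.
function isCrossOriginVulnerable(url: string): boolean {
  const lc = url.toLowerCase();
  return lc.startsWith('http://') || lc.startsWith('https://');
}

// Hardened form: protocol-relative URLs are cross-origin too. A single leading
// slash ("/api/...") stays same-origin.
function isCrossOriginFixed(url: string): boolean {
  const lc = url.toLowerCase();
  return lc.startsWith('http://') || lc.startsWith('https://') || lc.startsWith('//');
}

// Interceptor decision: attach the token only to state-changing requests that the
// supplied check judges same-origin, and never overwrite a header already set.
// Returns a copy so callers can inspect the headers.
function attachXsrf(
  req: DemoRequest,
  token: string,
  isCrossOrigin: (url: string) => boolean,
): DemoRequest {
  const headers = { ...req.headers };
  const safeMethod = req.method === 'GET' || req.method === 'HEAD';
  if (!safeMethod && !isCrossOrigin(req.url) && !('X-XSRF-TOKEN' in headers)) {
    headers['X-XSRF-TOKEN'] = token;
  }
  return { ...req, headers };
}

// General form of the workaround's rule: resolve the URL exactly as the browser
// will and compare origins, instead of enumerating prefixes. pageOrigin is an
// assumed value for the demo (in a browser it would be location.origin).
function isSameOrigin(url: string, pageOrigin: string): boolean {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch {
    return false; // unparsable URL or base: never attach credentials
  }
}

// Demo run: the same POST, three decisions.
const demoToken = 'demo-xsrf-token'; // constructed value
const leak: DemoRequest = { method: 'POST', url: '//attacker.example/collect', headers: {} };
console.log(attachXsrf(leak, demoToken, isCrossOriginVulnerable).headers); // token present: the leak
console.log(attachXsrf(leak, demoToken, isCrossOriginFixed).headers);      // no token
console.log(isSameOrigin(leak.url, 'https://app.example'));                 // false
```

The prefix checks only cover the spellings they list; the origin comparison resolves the URL the way the browser will, so it also rejects spellings such as `\\attacker.example` (WHATWG URL parsing treats a backslash like a slash after an http(s) base) and uppercase schemes without any extra cases.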
Release Notes
angular/angular (@angular/common)
Compare Source
http
| Commit | Type | Description |
|---|---|---|
| 0276479e7d | fix | prevent XSRF token leakage to protocol-relative URLs |
Compare Source
common
| Commit | Type | Description |
|---|---|---|
| 5047849a4a | fix | remove placeholder image listeners once view is removed |
compiler
| Commit | Type | Description |
|---|---|---|
| f9d0818087 | fix | support arbitrary nesting in :host-context() |
| 106b9040df | fix | support commas in :host() argument |
| 9419ea348a | fix | support complex selectors in :nth-child() |
| 036c5d2a07 | fix | support one additional level of nesting in :host() |
core
| Commit | Type | Description |
|---|---|---|
| dcdd1bcdbb | fix | skip leave animations on view swaps |
Compare Source
compiler-cli
| Commit | Description |
|---|---|
|  | make required inputs diagnostic less noisy |
migrations
| Commit | Description |
|---|---|
|  | Prevent removal of templates referenced with preceding whitespace characters |
Compare Source
animations
compiler
| Commit | Type | Description |
|---|---|---|
| 891f180262 | fix | correctly compile long numeric HTML entities (#64297) |
compiler-cli
| Commit | Type | Description |
|---|---|---|
| 371274bfc6 | fix | missingStructuralDirective diagnostic produces false negatives (#64470) |
core
| Commit | Type | Description |
|---|---|---|
| 4c89a267c3 | fix | pass element removal property through in all locations (#64565) |
| 2fad4d4ab6 | fix | prevent duplicate nodes from being retained with fast `animate.leave` calls (#64592) |
router
Compare Source
core
platform-browser
| Commit | Type | Description |
|---|---|---|
| 2ece42866d | fix | DomEventsPlugin should always be the last plugin to be called for supports(). (#50394) |
Compare Source
compiler-cli
core
migrations
router
| Commit | Type | Description |
|---|---|---|
| 6e4bcc7d22 | fix | Scroll restoration should use instant scroll behavior for traversals (#64299) |
Compare Source
core
| Commit | Type | Description |
|---|---|---|
| 853ed169a8 | fix | ensure missing leave animations don't queue leave animations (#64226) |
| 6fed986b7a | fix | Fixes animations in conjunction with content projection (#63776) |
| 76fe5599fe | fix | handle undefined CSS time values in parseCssTimeUnitsToMs function (#64181) |
| 3b959105be | fix | prevent early exit from leave animations when multiple transitions are present (#64225) |
migrations
| Commit | Type | Description |
|---|---|---|
| 65884895ff | fix | preserve component imports when pruning NgModules in standalone migration (#64186) |
Compare Source
compiler
| Commit | Type | Description |
|---|---|---|
| f51ab32fb3 | fix | recover template literals with broken expressions (#64150) |
core
migrations
Compare Source
compiler-cli
core
forms
migrations
Compare Source
compiler
compiler-cli
| Commit | Type | Description |
|---|---|---|
| 8843707919 | fix | only bind inputs that are part of microsyntax to a structural directive (#52453) |
| 38c9921ff3 | fix | signal not invoked diagnostic not raised when input has same name in template (#63754) |
core
migrations
Compare Source
Breaking Changes
core
- The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  ```ts
  const bootstrap = () => bootstrapApplication(AppComponent, config);
  ```

  After:

  ```ts
  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);
  ```

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

  (cherry picked from commit 8bf80c9)
| Commit | Type | Description |
|---|---|---|
| a3f808d7c8 | fix | remove refresh button from transfer state tab (#63592) |
core
| Commit | Type | Description |
|---|---|---|
| 6117ccee2e | feat | introduce BootstrapContext for improved server bootstrapping (#63636) |
Compare Source
core
| Commit | Type | Description |
|---|---|---|
| dc64f3e478 | fix | Fixed inject migration schematics for migrate destructured properties (#62832) |
platform-server
| Commit | Type | Description |
|---|---|---|
| d1d32db972 | fix | prevent false warning for duplicate state serialization (#63525) |
Compare Source
compiler
| Commit | Type | Description |
|---|---|---|
| 479a919f42 | fix | fixes regression with event parsing and animate prefix (#63470) |
core
| Commit | Type | Description |
|---|---|---|
| f87fad3fff | fix | avoid injecting internal error handler from a destroyed injector (#62275) |
| 114906d2d6 | fix | Fix cancellation of animation enter classes (#63442) |
| 596b545130 | fix | Prevent an error on cleanup when an rxResource stream threw before returning an Observable (#63342) |
Compare Source
compiler
| Commit | Type | Description |
|---|---|---|
| d7b6045d61 | fix | fixes animations on elements with structural directives (#63390) |
core
Compare Source
compiler
| Commit | Type | Description |
|---|---|---|
| a28672fb70 | fix | Keep parentheses in Nullish + Boolean expression. (#63292) |
Compare Source
Deprecations
animations
core
router
- The Router.getCurrentNavigation method is deprecated. Use the Router.currentNavigation signal instead.
animations
compiler
compiler-cli
core
forms
| Commit | Type | Description |
|---|---|---|
| c353497a01 | feat | add support for pushing an array of controls to formarray (#57102) |
http
| Commit | Type | Description |
|---|---|---|
| 0984b30388 | feat | Add redirected property to HttpResponse and HttpErrorResponse (#62675) |
| be811fee79 | feat | add referrer & integrity support for fetch requests in httpResource (#62461) |
| 1cf9d9064c | feat | Add support for fetch referrer & integrity options in HttpClient (#62417) |
| 1408baff45 | fix | Add missing timeout and transferCache options to HttpClient (#62586) |
language-service
platform-browser
| Commit | Type | Description |
|---|---|---|
| 52b8e07d6e | feat | Warns on conflicting hydration and blocking navigation (#62963) |
router
service-worker
Compare Source
compiler
| Commit | Type | Description |
|---|---|---|
| 691f5ed033 | fix | error when ng-content fallback has translated children ([#63156](https://redirect.gith |
Configuration
Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
Automerge: Enabled.
Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about these updates again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
No Changeset found
Latest commit: d8348f751372229cb65aef45e8e7663c51b09b16
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
[!IMPORTANT]
Review skipped
Review was skipped due to path filters
:no_entry: Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.
You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
renovate/npm-angular-common-vulnerability
Comment @coderabbitai help to get the list of available commands and usage tips.
View your CI Pipeline Execution for commit d8348f751372229cb65aef45e8e7663c51b09b16
| Command | Status | Duration | Result |
|---|---|---|---|
| nx affected --targets=test:sherif,test:knip,tes... | Failed | 3m 31s | View |
| nx run-many --target=build --exclude=examples/*... | Failed | 1m 22s | View |
Nx Cloud last updated this comment at 2025-12-07 19:06:58 UTC