fix(deps): update dependency @angular/compiler to v21.2.4 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/compiler (source)	~19.2.19 → ~21.2.0
@angular/compiler (source)	~21.1.0 → ~21.2.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-32635

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script.

The following example illustrates the issue:

<a href="" i18n-href>Click me</a>

The following attributes have been confirmed to be vulnerable:

• action
• background
• cite
• codebase
• data
• formaction
• href
• itemtype
• longdesc
• poster
• src
• xlink:href

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

• Session Hijacking: Stealing session cookies and authentication tokens.
• Data Exfiltration: Capturing and transmitting sensitive user data.
• Unauthorized Actions: Performing actions on behalf of the user.

Attack Preconditions

1. The application must use a vulnerable version of Angular.
2. The application must bind unsanitized user input to one of the attributes mentioned above.
3. The bound value must be marked for internationalization via the presence of a i18n-<name> attribute on the same element.

Patches

• 22.0.0-next.3
• 21.2.4
• 20.3.18
• 19.2.20

Workarounds

The primary workaround is to ensure that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters) until the patch is applied, or when it is, it shouldn't be marked for internationalization.

Alternatively, users can explicitly sanitize their attributes by passing them through Angular's DomSanitizer:

import {Component, inject, SecurityContext} from '@​angular/core';
import {DomSanitizer} from '@​angular/platform-browser';

@​Component({
  template: `
    <form action="" i18n-action>
      <button>Submit</button>
    </form>
  `,
})
export class App {
  url: string;

  constructor() {
    const dangerousUrl = 'javascript:alert(1)';
    const sanitizer = inject(DomSanitizer);
    this.url = sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
  }
}

References

• Fix 1
• Fix 2

---

Release Notes

angular/angular (@​angular/compiler)

v21.2.4

Compare Source

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description
abbd8797bb	fix	reverts "feat(core): add support for nested animations"
d1dcd16c5b	fix	sanitize translated form attributes

v21.2.3

Compare Source

core

Commit	Type	Description
62a97f7e4b	fix	ensure definitions compile
21b1c3b2ee	fix	include signal debug names in their toString() representation
224e60ecb1	fix	sanitize translated attribute bindings with interpolations

v21.2.2

Compare Source

compiler

Commit	Type	Description
1df1697c6e	fix	prevent mutation of children array in RecursiveVisitor

compiler-cli

Commit	Type	Description
c822bf8e76	fix	always parenthesize object literals in TCB
05d022d5e6	fix	ignore generated ngDevMode signal branch for code coverage

forms

Commit	Type	Description
670d1660c4	feat	add 'blur' option to debounce rule

v21.2.1

Compare Source

core

Commit	Type	Description
e2e9a9a531	fix	adds transfer cache to httpResource to fix hydration
b4ec3cc4e4	fix	prevent child animation elements from being orphaned
e923d88398	fix	Prevent removal of elements during drag and drop

http

Commit	Type	Description
277ade97ac	fix	correctly cache blob responses in transfer cache (#​67002)

v21.2.0

Compare Source

common

Commit	Type	Description
18003a33bb	feat	add an 'outlet' injector option for ngTemplateOutlet
8bbe6dc46c	feat	Add Location strategies to manage trailing slash on write
51cc914807	feat	support height in ImageLoaderConfig and built-in loaders

compiler

Commit	Type	Description
72534e2a34	feat	Add support for the instanceof binary operator
95b3f37d4a	feat	Exhaustive checks for switch blocks
04ba09a8d9	feat	support AstVisitor.visitEmptyExpr()
ce80136e7b	fix	optimize away unnecessary restore/reset view calls
3242a61bae	fix	variable counter visiting some expressions twice

compiler-cli

Commit	Type	Description
473dd3e1cb	fix	attach source spans to object literal keys in TCB
a904d9f77b	fix	support nested component declaration
2ea6dfc6c9	fix	update diagnostic to flag no-op arrow functions in listeners

core

Commit	Type	Description
8d5210c9fe	feat	add ChangeDetectionStrategy.Eager alias for Default
92d2498910	feat	add host node to DeferBlockData (#​66546)
ea2016a6dc	feat	add support for nested animations
81cabc1477	feat	add support for TypeScript 6
1ba9b7ac50	feat	resource composition via snapshots
d9923b72a2	feat	support arrow functions in expressions
a7e8abbb7e	fix	correctly handle SkipSelf when resolving from embedded view injector
0806ee3826	fix	prevent animated element duplication with dynamic components in zoneless mode
ed78fa05c7	fix	Remove note to skip arrow functions in best practices

forms

Commit	Type	Description
f56bb07d83	feat	add field param to submit action and onInvalid
ba009b6031	feat	add form directive
22afbb2f36	feat	add parsing support to native inputs (#​66917)
95c386469c	feat	Add passing focus options to form field
95ecce8334	feat	allow setting submit options at form-level
ebae211add	feat	introduce parse errors in signal forms
3937afc316	feat	introduce SignalFormControl for Reactive Forms compatibility
30f0914754	feat	support binding null to number input (#​66917)
dd208ca259	feat	update submit function to accept options object
27397b3f4f	fix	clear parse errors when model updates (#​66917)
63d8005703	fix	preserve custom-control focus context in signal forms
631f60d1f9	fix	preserve parse errors when parse returns value
adfb83146b	fix	simplify design of parse errors
fb05fc86d0	fix	sort error summary by DOM order
567f292e8e	fix	support custom controls as host directives
bdfb60f3e3	fix	use consistent error format returned from parse
d75046bc09	fix	warn when showing hidden field state

language-server

Commit	Type	Description
ebc90c26f5	feat	Add completions and hover info for inline styles
26fd0839c3	feat	Add folding range support for inline styles
573aadef7e	feat	Add quick info for inline styles
6fb39d9b62	feat	Support client-side file watching via onDidChangeWatchedFiles

language-service

Commit	Type	Description
496967e7b1	feat	add JSON schema for angularCompilerOptions
8c21866f49	feat	add linked editing ranges for HTML tag synchronization
d2137928e8	perf	use lightweight project warmup for Angular analysis

router

Commit	Type	Description
b51bab583d	feat	Add partial ActivatedRouteSnapshot information to canMatch params
cf9620f7d0	feat	Make match options optional in isActive
907a94dcec	feat	Update IsActiveMatchOptions APIs to accept a Partial

v21.1.6

Compare Source

Breaking Changes

core

• Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

  (cherry picked from commit 306f367)

common

Commit	Type	Description
31d3d56496	fix	fix LCP image detection with duplicate URLs

compiler-cli

Commit	Type	Description
24b578ce90	fix	detect uninvoked functions in defer trigger expressions

core

Commit	Type	Description
b858309532	fix	block creation of sensitive URI attributes from ICU messages

v21.1.5

Compare Source

No user facing changes in this release

v21.1.4

Compare Source

compiler

Commit	Type	Description
caab23dfe6	fix	add geolocation element to schema

core

Commit	Type	Description
2b99eaa019	fix	capture animation dependencies eagerly to avoid destroyed injector
d6aeac504c	fix	Fix flakey test due to document injection

forms

Commit	Type	Description
0d1acd0165	feat	support signal-based schemas in validateStandardSchema

http

Commit	Type	Description
3905015ccc	fix	correctly parse ArrayBuffer and Blob in transfer cache

v21.1.3

Compare Source

core

Commit	Type	Description
2b254bc050	fix	linkedSignal.update should propagate errors
e5110b4fa1	fix	export DirectiveWithBindings
2cf4da0ea1	fix	hold constructors weakly in DepsTracker cache
70a5b651be	fix	prevent element duplication with dynamic components

forms

Commit	Type	Description
6f75b6e3f6	fix	Resolves debounce promise on abort in debounceForDuration

localize

Commit	Type	Description
4c7126d23b	fix	add support for unit-test builder in ng-add schematic

router

Commit	Type	Description
d6268c0bbb	fix	limit UrlParser recursion depth to prevent stack overflow
49a36f4cc7	perf	Use .bind to avoid holding other closures in memory

v21.1.2

Compare Source

forms

Commit	Type	Description
9f99b14882	fix	only touch visible, interactive fields on submit

language-service

Commit	Type	Description
c57b0355b5	fix	Detect local project version on creation

router

Commit	Type	Description
21ecdc036a	fix	Do not intercept reload events with Navigation integration

v21.1.1

Compare Source

compiler-cli

Commit	Type	Description
0e1f1ed573	fix	drop .tsx extension for generated relative imports

core

Commit	Type	Description
05adfcf8f2	fix	handle Set in class bindings

forms

Commit	Type	Description
d89a80a970	feat	Ability to manually register a form field binding in signal forms
cb75f9ce85	fix	fix control value syncing on touch

v21.1.0

Compare Source

Deprecations

upgrade

• VERSION from @angular/upgrade is deprecated. Please use the entry from @angular/upgrade/static instead.

common

Commit	Type	Description
d8790972be	feat	Add custom transformations for Cloudflare and Cloudinary image loaders
a6b8cb68af	feat	support custom transformations in ImageKit and Imgix loaders

compiler

Commit	Type	Description
640693da8e	feat	Add support for multiple swich cases matching
0ad3adc7c6	fix	Support empty cases

core

Commit	Type	Description
99ad18a4ee	feat	Add stability debugging utility
a0dfa5fa86	feat	support rest arguments in function calls
6e18fa8bc9	feat	support spread elements in array literals
e407280ab5	feat	support spread expressions in object literals
06be8034bb	fix	Microtask scheduling should be used after any application synchronization
b4f584cf42	fix	return StaticProvider for providePlatformInitializer

forms

Commit	Type	Description
1ea5c97703	feat	allow focusing bound control from field state

platform-browser

Commit	Type	Description
ec9dc94cee	feat	add context to createApplication
ab67988d2e	feat	resolve JIT resources in createApplication

router

Commit	Type	Description
5edceffd04	feat	add controls for route cleanup
a03c82564d	feat	Add scroll behavior controls on router navigation
e44839b016	feat	Add standalone function to create a comptued for isActive
c25d749d85	feat	Execute RunGuardsAndResolvers function in injection context
1c00ab42f8	feat	extend paramters of RedirectFunction to include paramMap and queryParamMap
7003e8d241	feat	Publish Router's integration with platform Navigation API as experimental
c84d372778	feat	Support wildcard params with segments trailing (#​64737)

upgrade

Commit	Type	Description
75fe8f8af9	refactor	deprecate VERSION export

v21.0.9

Compare Source

forms

Commit	Type	Description
82d556a8fb	fix	Ensure the control instruction comes after the other bindings
0055f3cc79	fix	Rename signal form [field] to [formField]

migrations

Commit	Type	Description
e4bfa5c9e7	fix	prevent duplicate imports in common-to-standalone migration

v21.0.8

Compare Source

core

Commit	Type	Description
a6a2621bf9	fix	fix memory leak with event replay
5239e471a1	fix	handle cancelled traversals in fake navigation

v21.0.7

Compare Source

compiler

Commit	Type	Description
8e808740c9	fix	better types for a few expression AST nodes
63b1cdcf70	fix	produce accurate span for typeof and void expressions
3c3ae0cb64	fix	provide location information for literal map keys
523dbaf1c3	fix	stop ThisReceiver inheritance from ImplicitReceiver

compiler-cli

Commit	Type	Description
4d9c4567ed	fix	ensure component import diagnostics are reported within the imports expression
cd405685af	fix	fix up spelling of diagnostic
778460fcca	fix	support qualified names in typeof type references

core

Commit	Type	Description
7c74674eb0	fix	avoid leaking view data in animations
0edbee4550	fix	explicitly cast signal node value to String
f9c29572d2	fix	sanitize sensitive attributes on SVG script elements

forms

Commit	Type	Description
e3fba182f9	feat	add [formField] directive
561772b152	fix	allow custom controls to require dirty input
f0fb1d8581	fix	allow custom controls to require hidden input
ec110f170b	fix	allow custom controls to require pending input
ae1dc16bb0	fix	clean up abort listener after timeout
9748b0d5da	fix	support custom controls with non signal-based models
6bd22df987	fix	Support readonly arrays in signal forms

router

Commit	Type	Description
41cd4a6af8	fix	Fix RouterLink href not updating with queryParamsHandling
5e9e09aee0	fix	handle errors from view transition updateCallbackDone promise

v21.0.6

Compare Source

Breaking Changes (affecting only experimental features)

forms

• The shape of SignalFormsConfig.classes has changed

  Previously each function in the classes map took a FieldState. Now
  it takes a Field directive.

  For example if you previously had:

  provideSignalFormsConfig({
    classes: {
      'my-valid': (state) => state.valid()
    }
  })
  

  You would need to update to:

  provideSignalFormsConfig({
    classes: {
      'my-valid': ({state}) => state().valid()
    }
  })
  

  (cherry picked from commit 348f149)

• (cherry picked from commit ae0c590)

core

Commit	Type	Description
4c8fb3631d	fix	throw better errors for potential circular references
48492524ea	fix	use mutable ResponseInit type for RESPONSE_INIT token

forms

Commit	Type	Description
81772b420d	feat	pass field directive to class config
729b96476b	refactor	rename field to fieldTree in FieldContext and ValidationError

language-service

Commit	Type	Description
e0694df3ec	fix	avoid interpolation highlighting inside @​let
5047be4bc1	fix	Prevent language service from crashing on suggestion diagnostic errors

v21.0.5

Compare Source

core

Commit	Type	Description
69d243abb74	fix	avoid false-positive deprecation when using InjectionToken with factory only

forms

Commit	Type	Description
4fd2b722b40	fix	fix signal forms type error

v21.0.4

Compare Source

compiler

Commit	Type	Description
f901cc9eb32	perf	chain query creation instructions

compiler-cli

Commit	Type	Description
65297c62011	fix	expand type for native controls with a dynamic type

forms

Commit	Type	Description
f254ff4f2e0	feat	expose element on signal forms Field directive
5880fbc73c6	feat	redo the signal forms metadata API
55fc677cef4	fix	add signals for dirty, hidden, and pending states in custom controls
cbb10179c80	fix	allow resetting with empty string
bf1c12cd932	fix	memoize reads of child fields in signal forms (#​65802)
6d7475582f9	fix	Reuse key in parent in compat structure

v21.0.3

Compare Source

compiler-cli

Commit	Type	Description
5a80a48e96	fix	avoid allocating an object for sig

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.