Skip to content

chore(deps): update dependency @angular/compiler to v21.2.4 [security]#293

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-angular-compiler-vulnerability
Mar 14, 2026
Merged

chore(deps): update dependency @angular/compiler to v21.2.4 [security]#293
renovate[bot] merged 1 commit intomainfrom
renovate/npm-angular-compiler-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 14, 2026

This PR contains the following updates:

Package Change Age Confidence
@angular/compiler (source) 21.2.021.2.4 age confidence

GitHub Vulnerability Alerts

CVE-2026-32635

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script.

The following example illustrates the issue:

<a href="" i18n-href>Click me</a>

The following attributes have been confirmed to be vulnerable:

  • action
  • background
  • cite
  • codebase
  • data
  • formaction
  • href
  • itemtype
  • longdesc
  • poster
  • src
  • xlink:href

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

  • Session Hijacking: Stealing session cookies and authentication tokens.
  • Data Exfiltration: Capturing and transmitting sensitive user data.
  • Unauthorized Actions: Performing actions on behalf of the user.

Attack Preconditions

  1. The application must use a vulnerable version of Angular.
  2. The application must bind unsanitized user input to one of the attributes mentioned above.
  3. The bound value must be marked for internationalization via the presence of a i18n-<name> attribute on the same element.

Patches

  • 22.0.0-next.3
  • 21.2.4
  • 20.3.18
  • 19.2.20

Workarounds

The primary workaround is to ensure that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters) until the patch is applied, or when it is, it shouldn't be marked for internationalization.

Alternatively, users can explicitly sanitize their attributes by passing them through Angular's DomSanitizer:

import {Component, inject, SecurityContext} from '@&#8203;angular/core';
import {DomSanitizer} from '@&#8203;angular/platform-browser';

@&#8203;Component({
  template: `
    <form action="" i18n-action>
      <button>Submit</button>
    </form>
  `,
})
export class App {
  url: string;

  constructor() {
    const dangerousUrl = 'javascript:alert(1)';
    const sanitizer = inject(DomSanitizer);
    this.url = sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
  }
}

Release Notes

angular/angular (@​angular/compiler)

v21.2.4

Compare Source

compiler
Commit Type Description
ed2d324f9c fix disallow translations of iframe src
core
Commit Type Description
abbd8797bb fix reverts "feat(core): add support for nested animations"
d1dcd16c5b fix sanitize translated form attributes

v21.2.3

Compare Source

core
Commit Type Description
62a97f7e4b fix ensure definitions compile
21b1c3b2ee fix include signal debug names in their toString() representation
224e60ecb1 fix sanitize translated attribute bindings with interpolations

v21.2.2

Compare Source

compiler
Commit Type Description
1df1697c6e fix prevent mutation of children array in RecursiveVisitor
compiler-cli
Commit Type Description
c822bf8e76 fix always parenthesize object literals in TCB
05d022d5e6 fix ignore generated ngDevMode signal branch for code coverage
forms
Commit Type Description
670d1660c4 feat add 'blur' option to debounce rule

v21.2.1

Compare Source

core
Commit Type Description
e2e9a9a531 fix adds transfer cache to httpResource to fix hydration
b4ec3cc4e4 fix prevent child animation elements from being orphaned
e923d88398 fix Prevent removal of elements during drag and drop
http
Commit Type Description
277ade97ac fix correctly cache blob responses in transfer cache (#​67002)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@changeset-bot
Copy link

changeset-bot bot commented Mar 14, 2026

⚠️ No Changeset found

Latest commit: 4d27390

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@nx-cloud
Copy link

nx-cloud bot commented Mar 14, 2026
edited
Loading

View your CI Pipeline Execution ↗ for commit 4d27390

Command Status Duration Result
nx affected --targets=test:sherif,test:knip,tes... ✅ Succeeded 59s View ↗
nx run-many --target=build --exclude=examples/** ✅ Succeeded 16s View ↗

☁️ Nx Cloud last updated this comment at 2026-03-14 02:01:18 UTC

@coderabbitai
Copy link

coderabbitai bot commented Mar 14, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3af702dc-107a-4ecc-a961-38ef69f2d192

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch renovate/npm-angular-compiler-vulnerability
📝 Coding Plan
  • Generate coding plan for human review comments

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Mar 14, 2026

@tanstack/angular-store

npm i https://pkg.pr.new/@tanstack/angular-store@293

@tanstack/preact-store

npm i https://pkg.pr.new/@tanstack/preact-store@293

@tanstack/react-store

npm i https://pkg.pr.new/@tanstack/react-store@293

@tanstack/solid-store

npm i https://pkg.pr.new/@tanstack/solid-store@293

@tanstack/store

npm i https://pkg.pr.new/@tanstack/store@293

@tanstack/svelte-store

npm i https://pkg.pr.new/@tanstack/svelte-store@293

@tanstack/vue-store

npm i https://pkg.pr.new/@tanstack/vue-store@293

commit: d91d465

@renovate renovate bot merged commit ed08d8b into main Mar 14, 2026
5 checks passed
@renovate renovate bot deleted the renovate/npm-angular-compiler-vulnerability branch March 14, 2026 05:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants