Update dependency @angular/core to v19.2.18 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/core (source)	19.2.0 → 19.2.18

GitHub Vulnerability Alerts

CVE-2026-22610

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.

In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes for example, <script [attr.href]="userInput"> the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.

Impact

When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:

• Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens.
• Data Exfiltration: Accessing and transmitting sensitive information displayed within the application.
• Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

Attack Preconditions

1. The victim application must explicitly use SVG <script> elements within its templates.
2. The application must use property or attribute binding (interpolation) for the href or xlink:href attributes of those SVG scripts.
3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

Patches

• 19.2.18
• 20.3.16
• 21.0.7
• 21.1.0-rc.0

Workarounds

Until the patch is applied, developers should:

• Avoid Dynamic Bindings: Do not use Angular template binding (e.g., [attr.href]) for SVG <script> elements.
• Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.

Resources

• https://github.com/angular/angular/pull/66318

---

Release Notes

angular/angular (@​angular/core)

v19.2.18

Compare Source

core

Commit	Type	Description
26cdc53d9c	fix	sanitize sensitive attributes on SVG script elements

v19.2.17

Compare Source

compiler

Commit	Type	Description
7c42e2ebeb	fix	prevent XSS via SVG animation attributeName and MathML/SVG URLs

v19.2.16

Compare Source

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

v19.2.15

Compare Source

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core

Commit	Type	Description
70d0639bc1	fix	introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.14

Compare Source

compiler

Commit	Type	Description
24bab55f0c	fix	lexer support for template literals in object literals (#​61601)

migrations

Commit	Type	Description
9e1cd49662	fix	preserve comments when removing unused imports (#​61674)

v19.2.13

Compare Source

common

Commit	Type	Description
2c876b4fc5	fix	avoid injecting ApplicationRef in FetchBackend (#​61649)

service-worker

Commit	Type	Description
b15bddfa04	fix	do not register service worker if app is destroyed before it is ready to register (#​61101)

v19.2.12

Compare Source

common

Commit	Type	Description
126efc9972	fix	cancel reader when app is destroyed (#​61528)
efda872453	fix	prevent reading chunks if app is destroyed (#​61354)

compiler

Commit	Type	Description
44bb328eae	fix	avoid conflicts between HMR code and local symbols (#​61550)

compiler-cli

Commit	Type	Description
107180260f	fix	Always retain prior results for all files (#​61487)
1191e62d70	fix	avoid ECMAScript private field metadata emit (#​61227)

core

Commit	Type	Description
2b1b14f4d3	fix	cleanup rxResource abort listener (#​58306)
8f9b05eaaa	fix	cleanup testability subscriptions (#​61261)
eb53bda470	fix	enable stashing only when withEventReplay() is invoked (#​61352)
94f5a4b4d6	fix	Testing should not throw when Zone does not patch test FW APIs (#​61376)
c0c69a5abc	fix	unregister onDestroy in toSignal. (#​61514)

platform-server

Commit	Type	Description
8edafd0559	perf	speed up resolution of base (#​61392)

v19.2.11

Compare Source

v19.2.10

Compare Source

common

Commit	Type	Description
89056a0356	fix	cleanup updateLatestValue if view is destroyed before promise resolves (#​61064)

core

Commit	Type	Description
4623b61448	fix	missing useExisting providers throwing for optional calls (#​61152)
400dbc5b89	fix	properly handle app stabilization with defer blocks (#​61056)

platform-server

Commit	Type	Description
a6f0d5bc20	fix	less aggressive ngServerMode cleanup (#​61106)

v19.2.9

Compare Source

core

Commit	Type	Description
946b844e0d	fix	async EventEmitter error should not prevent stability (#​61028)
dbb87026ca	fix	call DestroyRef on destroy callback if view is destroyed [patch] (#​61061)
2e140a136a	fix	prevent stash listener conflicts [patch] (#​61063)

v19.2.8

Compare Source

forms

Commit	Type	Description
ea4a211216	fix	make NgForm emit FormSubmittedEvent and FormResetEvent (#​60887)

v19.2.7

Compare Source

common

Commit	Type	Description
37ab6814f5	fix	issue a warning instead of an error when NgOptimizedImage exceeds the preload limit (#​60883)

core

Commit	Type	Description
b144126612	fix	inject migration: replace param with this. (#​60713)

http

Commit	Type	Description
d39e09da41	fix	Include HTTP status code and headers when HTTP requests errored in httpResource (#​60802)

v19.2.6

Compare Source

compiler

Commit	Type	Description
3441f7b914	fix	error if rawText isn't estimated correctly (#​60529) (#​60753)

compiler-cli

Commit	Type	Description
fc946c5f72	fix	ensure HMR works with different output module type (#​60797)

core

Commit	Type	Description
00bbd9b382	fix	fix docs for output migration (#​60764)
f2bfa3151e	fix	fix ng generate @​angular/core:output-migration. Fixes angular#​58650 (#​60763)
9241615ad0	fix	reduce total memory usage of various migration schematics (#​60776)

language-service

Commit	Type	Description
0e82d42774	fix	Do not provide element completions in end tag (#​60616)
fcdef1019f	fix	Ensure dollar signs are escaped in completions (#​60597)

v19.2.5

Compare Source

Commit	Type	Description
e61d06afb5	fix	step 6 tutorial docs (#​60630)

animations

Commit	Type	Description
fa48f98d9f	fix	add missing peer dependency on @angular/common (#​60660)

compiler

Commit	Type	Description
ca5aa4d55b	fix	throw for invalid "as" expression in if block (#​60580)

compiler-cli

Commit	Type	Description
f4c4b10ea8	fix	Produce fatal diagnostic on duplicate decorated properties (#​60376)
22a0e54ac4	fix	support relative imports to symbols outside rootDir (#​60555)

core

Commit	Type	Description
64da69f7b6	fix	check ngDevMode for undefined (#​60565)
8f68d1bec3	fix	fix ng generate @​angular/core:output-migration (#​60626)
bc79985c65	fix	fix regexp for event types (#​60592)
006ac7f22f	fix	fixes #​592882 ng generate @​angular/core:signal-queries-migration (#​60688)
da6e93f434	fix	preserve comments in internal inject migration (#​60588)
dbbddd1617	fix	prevent omission of deferred pipes in full compilation (#​60571)

language-service

Commit	Type	Description
0e9e0348dd	fix	Update adapter to log instead of throw errors (#​60651)

migrations

Commit	Type	Description
15f53f035b	fix	handle shorthand assignments in super call (#​60602)
4b161e6234	fix	inject migration not handling super parameter referenced via this (#​60602)

router

Commit	Type	Description
958e98e4f7	fix	Add missing types to transition (#​60307)

service-worker

Commit	Type	Description
7cd89ad2c6	fix	assign initializing client's app version, when a request is for worker script (#​58131)

v19.2.4

Compare Source

core

Commit	Type	Description
081f5f5a83f	fix	fix used templates are not deleted (#​60459)

localize

Commit	Type	Description
a2f622d82d6	fix	handle @​angular/build:karma in ng add (#​60513)

platform-browser

Commit	Type	Description
8e8ccc79279	fix	ensure platformBrowserTesting includes platformBrowser providers (#​60480)

v19.2.3

Compare Source

compiler-cli

Commit	Type	Description
aa8ea7a5b2	fix	report more accurate diagnostic for invalid import (#​60455)

core

Commit	Type	Description
13a8709b2b	fix	catch hydration marker with implicit body tag (#​60429)
296aded9da	fix	execute timer trigger outside zone (#​60392)
0615ffb4f7	fix	include input name in error message (#​60404)

platform-browser-dynamic

Commit	Type	Description
1e06c8e8b6	fix	ensure compiler is loaded before @angular/common (#​60458)

upgrade

Commit	Type	Description
9e1a1030c8	fix	handle output emitters when downgrading a component (#​60369)

v19.2.2

Compare Source

common

Commit	Type	Description
90a16a1088	fix	support equality function in httpResource (#​60026)

compiler

Commit	Type	Description
56b551d273	fix	incorrect spans for template literals (#​60323) (#​60331)

compiler-cli

Commit	Type	Description
23ca88522b	fix	handle transformed classes when generating HMR code (#​60298)

core

Commit	Type	Description
6dc41265fd	fix	check whether application is destroyed before initializing event replay (#​59789)
bb12b30d52	fix	ensures immediate trigger fires properly with lazy loaded routes (#​60203)
b144dd946e	fix	fix removal of a container reference used in the component file (#​60210)

platform-server

Commit	Type	Description
15c42969fc	fix	add missing peer dependency for rxjs (#​60308)

router

Commit	Type	Description
7bcdf7c143	fix	update symbols (#​60233)

v19.2.1

Compare Source

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core

Commit	Type	Description
70d0639bc1	fix	introduce BootstrapContext for improved server bootstrapping (#​63639)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.