Skip to content

Update dependency @angular/common to v19 [SECURITY]#68

Open
renovate-bot wants to merge 1 commit intoGoogleCloudPlatform:mainfrom
renovate-bot:renovate/npm-angular-common-vulnerability
Open

Update dependency @angular/common to v19 [SECURITY]#68
renovate-bot wants to merge 1 commit intoGoogleCloudPlatform:mainfrom
renovate-bot:renovate/npm-angular-common-vulnerability

Conversation

@renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Nov 27, 2025
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@angular/common (source) ^18.2.0^19.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-66035

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

  1. The victim's Angular application must have XSRF protection enabled.
  2. The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.

Patches

  • 19.2.16
  • 20.3.14
  • 21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Release Notes

angular/angular (@​angular/common)

v19.2.16

Compare Source

http
Commit Type Description
05fe6686a9 fix prevent XSRF token leakage to protocol-relative URLs

v19.2.15

Compare Source

Breaking Changes

core

  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

    Before:

    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:

    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

    A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core
Commit Type Description
70d0639bc1 fix introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.14

Compare Source

compiler
Commit Type Description
24bab55f0c fix lexer support for template literals in object literals (#​61601)
migrations
Commit Type Description
9e1cd49662 fix preserve comments when removing unused imports (#​61674)

v19.2.13

Compare Source

common
Commit Type Description
2c876b4fc5 fix avoid injecting ApplicationRef in FetchBackend (#​61649)
service-worker
Commit Type Description
b15bddfa04 fix do not register service worker if app is destroyed before it is ready to register (#​61101)

v19.2.12

Compare Source

common
Commit Type Description
126efc9972 fix cancel reader when app is destroyed (#​61528)
efda872453 fix prevent reading chunks if app is destroyed (#​61354)
compiler
Commit Type Description
44bb328eae fix avoid conflicts between HMR code and local symbols (#​61550)
compiler-cli
Commit Type Description
107180260f fix Always retain prior results for all files (#​61487)
1191e62d70 fix avoid ECMAScript private field metadata emit (#​61227)
core
Commit Type Description
2b1b14f4d3 fix cleanup rxResource abort listener (#​58306)
8f9b05eaaa fix cleanup testability subscriptions (#​61261)
eb53bda470 fix enable stashing only when withEventReplay() is invoked (#​61352)
94f5a4b4d6 fix Testing should not throw when Zone does not patch test FW APIs (#​61376)
c0c69a5abc fix unregister onDestroy in toSignal. (#​61514)
platform-server
Commit Type Description
8edafd0559 perf speed up resolution of base (#​61392)

v19.2.11

Compare Source

v19.2.10

Compare Source

common
Commit Type Description
89056a0356 fix cleanup updateLatestValue if view is destroyed before promise resolves (#​61064)
core
Commit Type Description
4623b61448 fix missing useExisting providers throwing for optional calls (#​61152)
400dbc5b89 fix properly handle app stabilization with defer blocks (#​61056)
platform-server
Commit Type Description
a6f0d5bc20 fix less aggressive ngServerMode cleanup (#​61106)

v19.2.9

Compare Source

core
Commit Type Description
946b844e0d fix async EventEmitter error should not prevent stability (#​61028)
dbb87026ca fix call DestroyRef on destroy callback if view is destroyed [patch] (#​61061)
2e140a136a fix prevent stash listener conflicts [patch] (#​61063)

v19.2.8

Compare Source

forms
Commit Type Description
ea4a211216 fix make NgForm emit FormSubmittedEvent and FormResetEvent (#​60887)

v19.2.7

Compare Source

common
Commit Type Description
37ab6814f5 fix issue a warning instead of an error when NgOptimizedImage exceeds the preload limit (#​60883)
core
Commit Type Description
b144126612 fix inject migration: replace param with this. (#​60713)
http
Commit Type Description
d39e09da41 fix Include HTTP status code and headers when HTTP requests errored in httpResource (#​60802)

v19.2.6

Compare Source

compiler
Commit Type Description
3441f7b914 fix error if rawText isn't estimated correctly (#​60529) (#​60753)
compiler-cli
Commit Type Description
fc946c5f72 fix ensure HMR works with different output module type (#​60797)
core
Commit Type Description
00bbd9b382 fix fix docs for output migration (#​60764)
f2bfa3151e fix fix ng generate @​angular/core:output-migration. Fixes angular#​58650 (#​60763)
9241615ad0 fix reduce total memory usage of various migration schematics (#​60776)
language-service
Commit Type Description
0e82d42774 fix Do not provide element completions in end tag (#​60616)
fcdef1019f fix Ensure dollar signs are escaped in completions (#​60597)

v19.2.5

Compare Source

Commit Type Description
e61d06afb5 fix step 6 tutorial docs (#​60630)
animations
Commit Type Description
fa48f98d9f fix add missing peer dependency on @angular/common (#​60660)
compiler
Commit Type Description
ca5aa4d55b fix throw for invalid "as" expression in if block (#​60580)
compiler-cli
Commit Type Description
f4c4b10ea8 fix Produce fatal diagnostic on duplicate decorated properties (#​60376)
22a0e54ac4 fix support relative imports to symbols outside rootDir (#​60555)
core
Commit Type Description
64da69f7b6 fix check ngDevMode for undefined (#​60565)
8f68d1bec3 fix fix ng generate @​angular/core:output-migration (#​60626)
bc79985c65 fix fix regexp for event types (#​60592)
006ac7f22f fix fixes #​592882 ng generate @​angular/core:signal-queries-migration (#​60688)
da6e93f434 fix preserve comments in internal inject migration (#​60588)
dbbddd1617 fix prevent omission of deferred pipes in full compilation (#​60571)
language-service
Commit Type Description
0e9e0348dd fix Update adapter to log instead of throw errors (#​60651)
migrations
Commit Type Description
15f53f035b fix handle shorthand assignments in super call (#​60602)
4b161e6234 fix inject migration not handling super parameter referenced via this (#​60602)
router
Commit Type Description
958e98e4f7 fix Add missing types to transition (#​60307)
service-worker
Commit Type Description
7cd89ad2c6 fix assign initializing client's app version, when a request is for worker script (#​58131)

v19.2.4

Compare Source

core
Commit Type Description
081f5f5a83f fix fix used templates are not deleted (#​60459)
localize
Commit Type Description
a2f622d82d6 fix handle @​angular/build:karma in ng add (#​60513)
platform-browser
Commit Type Description
8e8ccc79279 fix ensure platformBrowserTesting includes platformBrowser providers (#​60480)

v19.2.3

Compare Source

compiler-cli
Commit Type Description
aa8ea7a5b2 fix report more accurate diagnostic for invalid import (#​60455)
core
Commit Type Description
13a8709b2b fix catch hydration marker with implicit body tag (#​60429)
296aded9da fix execute timer trigger outside zone (#​60392)
0615ffb4f7 fix include input name in error message (#​60404)
platform-browser-dynamic
Commit Type Description
1e06c8e8b6 fix ensure compiler is loaded before @angular/common (#​60458)
upgrade
Commit Type Description
9e1a1030c8 fix handle output emitters when downgrading a component (#​60369)

v19.2.2

Compare Source

common
Commit Type Description
90a16a1088 fix support equality function in httpResource (#​60026)
compiler
Commit Type Description
56b551d273 fix incorrect spans for template literals (#​60323) (#​60331)
compiler-cli
Commit Type Description
23ca88522b fix handle transformed classes when generating HMR code (#​60298)
core
Commit Type Description
6dc41265fd fix check whether application is destroyed before initializing event replay (#​59789)
bb12b30d52 fix ensures immediate trigger fires properly with lazy loaded routes (#​60203)
b144dd946e fix fix removal of a container reference used in the component file (#​60210)
platform-server
Commit Type Description
15c42969fc fix add missing peer dependency for rxjs (#​60308)
router
Commit Type Description
7bcdf7c143 fix update symbols (#​60233)

v19.2.1

Compare Source

Breaking Changes

core

  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

    Before:

    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:

    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

    A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core
Commit Type Description
70d0639bc1 fix introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.0

Compare Source

common
Commit Type Description
3e39da593a feat introduce experimental httpResource (#​59876)
compiler
Commit Type Description
5b20bab96d feat Add Skip Hydration diagnostic. (#​59576)
fe8a68329b feat support untagged template literals in expressions (#​59230)
core
Commit Type Description
2588985f43 feat pass signal node to throwInvalidWriteToSignalErrorFn (#​59600)
168516462a feat support default value in resource() (#​59655)
bc2ad7bfd3 feat support streaming resources (#​59573)
146ab9a76e feat support TypeScript 5.8 (#​59830)
6c92d65349 fix add hasValue narrowing to ResourceRef (#​59708)
96e602ebe9 fix cancel in-progress request when same value is assigned (#​59280)
6789c7ef94 fix Defer afterRender until after first CD (#​59455) (#​59551)
c87e581dd9 fix Don't run effects in check no changes pass (#​59455) (#​59551)
127fc0dc84 fix fix resource()'s previous.state (#​59708)
b592b1b051 fix fix race condition in resource() (#​59851)
a299e02e91 fix preserve tracing snapshot until tick finishes (#​59796)
forms
Commit Type Description
fa0c3e3210 feat support type set in form validators (#​45793)
migrations
Commit Type Description
1cd3a7db83 feat add migration to convert templates to use self-closing tags (#​57342)
platform-browser
Commit Type Description
e6cb411e43 fix automatically disable animations on the server (#​59762)
platform-server
Commit Type Description
fc5d187da5 fix decouple server from animations module (#​59762)

v19.1.8

Compare Source

benchpress
Commit Type Description
f0990c67e6 fix Ensure future-proof correct initialization order (#​60025)
common
Commit Type Description
1fbaeab37d fix make types for HttpClient more readable (#​59901)
core

| Commit | Type | Description |
| -------------------------------------------------------------------------------------

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@forking-renovate
Copy link

forking-renovate bot commented Nov 27, 2025
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: ui/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: gcs-metadata-ui@0.0.0
npm error Found: @angular/core@18.2.14
npm error node_modules/@angular/core
npm error   @angular/core@"^18.2.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @angular/core@"19.2.20" from @angular/common@19.2.20
npm error node_modules/@angular/common
npm error   @angular/common@"^19.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-03-13T13_51_59_127Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-03-13T13_51_59_127Z-debug-0.log

@gemini-code-assist
Copy link

gemini-code-assist bot commented Nov 27, 2025

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request upgrades the @angular/common package to version 19.0.0. This update is primarily driven by the need to patch a significant security vulnerability, CVE-2025-66035, which could lead to Cross-Site Request Forgery (CSRF) attacks by leaking XSRF tokens when HttpClient makes requests to protocol-relative URLs. Beyond the security patch, this update also integrates a series of bug fixes and minor enhancements across various Angular modules, ensuring the application benefits from the latest stability and performance improvements in the Angular ecosystem.

Highlights

  • Dependency Update: Updates the @angular/common package from version ^18.2.0 to ^19.0.0.
  • Critical Security Fix: Addresses CVE-2025-66035, a credential leak vulnerability in Angular's HttpClient. This vulnerability could lead to unauthorized disclosure of XSRF tokens when making requests to protocol-relative URLs, potentially enabling Cross-Site Request Forgery (CSRF) attacks.
  • Angular 19.2.x Enhancements: Incorporates numerous bug fixes and minor breaking changes from Angular versions 19.2.1 through 19.2.16, including updates to server-side bootstrapping, compiler improvements, and various fixes across core, forms, and other modules.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Nov 27, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates @angular/common to version 19 to address a security vulnerability. However, this introduces a major version mismatch with other @angular packages, which are still on version 18. This will likely break the application.

I've added a critical comment suggesting a less disruptive fix, which is to update to a patch version of Angular 18 (18.2.7) that also contains the security patch. This would avoid the breaking changes associated with a major version upgrade. If the goal is to upgrade to Angular 19, all @angular packages must be updated together in this pull request.

ui/package.json
"@angular/animations": "^18.2.0",
"@angular/cdk": "^18.2.6",
"@angular/common": "^18.2.0",
"@angular/common": "^19.0.0",
Copy link

@gemini-code-assist gemini-code-assist bot Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Updating only @angular/common to a new major version while leaving other @angular/* packages on v18 will cause dependency mismatches and likely break the application. All @angular packages within a project should be on the same version.

A less disruptive way to fix the security vulnerability (GHSA-58c5-g7wp-6w37) is to update to a patch release of Angular 18, specifically 18.2.7 or later. I recommend changing this to ^18.2.7 and updating all other @angular/* packages to match.

If you do intend to upgrade to v19, you must update all @angular/* packages (including @angular/core, @angular/compiler, etc.) to ^19.0.0 (or a higher compatible version) in this PR.

Suggested change
"@angular/common": "^19.0.0",
"@angular/common": "^18.2.7",

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@renovate-bot