Skip to content

build(deps): bump @angular/core from 19.2.21 to 20.3.18 in /web-user#553

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/web-user/angular/core-19.2.18
Closed

build(deps): bump @angular/core from 19.2.21 to 20.3.18 in /web-user#553
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/web-user/angular/core-19.2.18

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jan 9, 2026

Copy link
Copy Markdown
Contributor

Bumps @angular/core from 19.2.21 to 20.3.18.

Release notes

Sourced from @​angular/core's releases.

20.3.18

compiler

Commit Description
fix - 02fbf08890 disallow translations of iframe src

core

Commit Description
fix - 72126f9a08 sanitize translated attribute bindings with interpolations
fix - 626bc8bc20 sanitize translated form attributes

20.3.17

core

Commit Description
fix - 7f9de3c118 block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

20.3.16

core

Commit Description
fix - c2c2b4aaa8 sanitize sensitive attributes on SVG script elements

20.3.15

compiler

Commit Description
fix - d1ca8ae043 prevent XSS via SVG animation attributeName and MathML/SVG URLs

20.3.14

http

Commit Description
fix - 0276479e7d prevent XSRF token leakage to protocol-relative URLs

20.3.13

No release notes provided.

20.3.12

No release notes provided.

20.3.11

common

Commit Description

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

19.2.21 (2026-04-15)

platform-server

Commit Type Description
f3a5bfb949 fix prevent SSRF bypasses via protocol-relative and backslash URLs

20.3.19 (2026-04-15)

platform-server

Commit Type Description
303d4cd580 fix prevent SSRF bypasses via protocol-relative and backslash URLs

22.0.0-next.8 (2026-04-15)

Breaking Changes

compiler

  • This change will trigger the nullishCoalescingNotNullable and optionalChainNotNullable diagnostics on exisiting projects. You might want to disable those 2 diagnotiscs in your tsconfig temporarily.

compiler

Commit Type Description
47fcbc4704 feat allow safe navigation to correctly narrow down nullables
2c5aabb9da fix don't escape dollar sign in literal expression

compiler-cli

Commit Type Description
e5f96c2d88 fix animation events not type checked properly when bound through HostListener decorator

core

Commit Type Description
4e331062e8 feat allow synchronous values for stream Resources
2f5ab541ea feat enhance profiling with documentation URLs
75f2cb8f56 feat implement Angular DI graph in-page AI tool
8ce9cc4f6b feat register AI runtime debugging tools
cdda51a3b2 feat support bootstrapping Angular applications underneath shadow roots
3c7641151c fix escape forward slashes in transfer state to prevent crawler indexing

forms

Commit Type Description
f9f24fc669 feat shim legacy NG_VALIDATORS into parseErrors for CVA mode (#67943)
72d3ace03c fix use controlValue in NgControl for CVA interop (#67943)

http

Commit Type Description
39e382a756 fix add CSP nonce support to JsonpClientBackend

... (truncated)

Commits
  • 626bc8b fix(core): sanitize translated form attributes
  • 72126f9 fix(core): sanitize translated attribute bindings with interpolations
  • 7f9de3c fix(core): block creation of sensitive URI attributes from ICU messages
  • c2c2b4a fix(core): sanitize sensitive attributes on SVG script elements
  • d1ca8ae fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
  • 820bb39 Revert "refactor(core): let the profiler handle asymmetric events leniently"
  • 2dccdcd Revert "fix(core): notify profiler events in case of errors"
  • a966ff1 refactor(core): let the profiler handle asymmetric events leniently
  • 52cf658 fix(core): notify profiler events in case of errors
  • daae263 docs: Adds links to relevant guides for APIs in core package
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 9, 2026
@sea5kg

sea5kg commented Apr 26, 2026

Copy link
Copy Markdown
Member

@dependabot rebase

Bumps [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) from 19.2.21 to 20.3.18.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v20.3.18/packages/core)

---
updated-dependencies:
- dependency-name: "@angular/core"
  dependency-version: 19.2.18
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title build(deps): bump @angular/core from 14.3.0 to 19.2.18 in /web-user build(deps): bump @angular/core from 19.2.21 to 20.3.18 in /web-user Apr 26, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/web-user/angular/core-19.2.18 branch from b549cce to ee59d95 Compare April 26, 2026 17:23
@dependabot @github

dependabot Bot commented on behalf of github Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #590.

@dependabot dependabot Bot closed this Jun 16, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/web-user/angular/core-19.2.18 branch June 16, 2026 01:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Development

Successfully merging this pull request may close these issues.

1 participant