
WEB-818: Update dependency @angular/compiler to v20.3.25 [SECURITY] #3658

Closed
renovate[bot] wants to merge 1 commit into dev from renovate/npm-angular-compiler-vulnerability


Conversation

@renovate renovate Bot commented Jun 16, 2026

This PR contains the following updates:

Package: @angular/compiler (source)
Change: 20.3.24 → 20.3.25

@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

CVE-2026-54265 / GHSA-58w9-8g37-x9v5

Details

An issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings.

Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized.

This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS).

Impact

Any Angular application that uses two-way data binding ([()] or bindon-) on security-sensitive native DOM properties (like innerHTML, href on <a>, src on <img>/<iframe>, etc.) is vulnerable to this security bypass.

Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.

Attack Preconditions

To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist:

  1. Two-Way Binding on Sensitive Properties: The application must bind to a sensitive native DOM property using the two-way binding syntax (e.g., <div [(innerHTML)]="userContent"></div>).
  2. User-Controlled Input: The value bound to this property must be influenceable by user-controlled input.
  3. Absence of Additional Sanitization: The application does not perform separate manual sanitization (e.g., via DomSanitizer) before passing the value to the bound property.

Patches
  • 22.0.1
  • 21.2.17
  • 20.3.25

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

angular/angular (@angular/compiler)

v20.3.25

Deprecations

platform-server
  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.
common
  • 9f443bc24c fix: Limits date format string length
  • 566ad05f20 fix: skip transfer cache for uncacheable HTTP traffic
  • 1a62130a6b fix: use cryptographically secure SHA-256 for transfer cache key generation
compiler
  • a68ec702a0 fix: sanitize two-way properties
core
  • 768a349e6e fix: harden TransferState restoration against DOM clobbering
  • ca48b4728d fix: validate lowercase SVG animation attribute names (#69270)
http
  • 06be298267 fix: preserve empty referrer option in HttpRequest
  • fa940e1f4d fix: Rejects non-HTTP(S) URLs in JSONP requests
  • e2ef1ce72a fix: skip transfer cache for fetch credentialed requests
platform-server
  • 49368c1859 fix: harden platform location origin validation during SSR
  • d55c94ad81 refactor: deprecate ServerXhr (#69256)
service-worker
  • d65a5f457b fix: Strips sensitive headers on cross-origin redirects

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
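The advisory's first precondition is a two-way binding on a sanitizer-gated native DOM property, and that is something you can grep for before deciding whether this PR is urgent for a given codebase. The script below is an added example, not code from Angular, Renovate or this repository: it scans template strings for `[(prop)]` / `bindon-prop` bindings on the properties the advisory names (innerHTML, srcdoc, src, href, data, sandbox), reports them with file and line, and proposes the one-way form. The regexes are a deliberate simplification of Angular's template syntax rather than its real parser, and the sample templates are constructed for the example.

```javascript
// Added example (not Angular's, Renovate's or this project's code): audit Angular
// templates for two-way bindings on the native DOM properties that the advisory
// says were emitted without a sanitizer. The property list comes from the
// advisory text; the regexes approximate Angular template syntax, they are not
// Angular's parser.
"use strict";

// Properties the advisory lists as requiring sanitization.
const SENSITIVE_PROPS = new Set(["innerHTML", "srcdoc", "src", "href", "data", "sandbox"]);

// Opening tags: captures the tag name and its raw attribute text.
const TAG_RE = /<([a-zA-Z][\w-]*)([^>]*)>/g;
// Property bindings: two-way ([(p)] / bindon-p) and one-way ([p] / bind-p).
const ATTR_RE = /(?:\[\(([\w.-]+)\)\]|bindon-([\w.-]+)|\[([\w.-]+)\]|bind-([\w.-]+))\s*=\s*"([^"]*)"/g;

// Scans one template; returns a finding per binding to a sensitive property.
function scanTemplate(file, template) {
  const findings = [];
  for (const tag of template.matchAll(TAG_RE)) {
    const [, tagName, attrs] = tag;
    const line = template.slice(0, tag.index).split("\n").length;
    for (const a of attrs.matchAll(ATTR_RE)) {
      const twoWayProp = a[1] ?? a[2];
      const prop = twoWayProp ?? a[3] ?? a[4];
      if (!SENSITIVE_PROPS.has(prop)) continue;
      findings.push({ file, line, tag: tagName, prop, twoWay: twoWayProp !== undefined, expr: a[5] });
    }
  }
  return findings;
}

// Audits a { fileName: templateSource } map.
function auditTemplates(templates) {
  return Object.entries(templates).flatMap(([file, tpl]) => scanTemplate(file, tpl));
}

// Only the two-way bindings hit the missing-sanitizer path in the compiler.
function twoWayOnSensitive(findings) {
  return findings.filter((f) => f.twoWay);
}

// A native DOM property has no `<prop>Change` event to feed back, so the one-way
// binding loses nothing and is sanitized by every compiler version.
function suggestedRewrite(f) {
  return f.twoWay ? `[${f.prop}]="${f.expr}"` : null;
}

// Constructed sample templates (not from the page): comment.component.html
// carries the vulnerable pattern twice, avatar.component.html only one-way forms.
const SAMPLE_TEMPLATES = {
  "comment.component.html": `
<div class="body" [(innerHTML)]="userContent"></div>
<a [href]="profileUrl">profile</a>
<iframe bindon-srcdoc="preview"></iframe>
<input [(ngModel)]="draft">`,
  "avatar.component.html": `<img [src]="avatarUrl"> <object bind-data="docUrl"></object>`,
};

// One human-readable line per risky binding.
function report(templates) {
  return twoWayOnSensitive(auditTemplates(templates)).map(
    (f) => `${f.file}:${f.line} <${f.tag}> two-way binding on ${f.prop}; use ${suggestedRewrite(f)}`
  );
}

for (const line of report(SAMPLE_TEMPLATES)) console.log(line);
```

Run it over the contents of your `*.component.html` files (and inline `template:` strings) before upgrading: any hit is a binding the unpatched compiler shipped without a sanitizer, and rewriting it to the one-way form removes the exposure regardless of which @angular/compiler version the lockfile ends up resolving. `[(ngModel)]` and other component or directive inputs are not in scope; the advisory is specifically about native DOM properties.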

@renovate renovate Bot added the renovate label Jun 16, 2026
@renovate renovate Bot commented Jun 16, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @angular/compiler-cli@20.3.24
npm error Found: @angular/compiler@20.3.25
npm error node_modules/@angular/compiler
npm error   @angular/compiler@"20.3.25" from the root project
npm error   peer @angular/compiler@"^20.0.0" from @angular/build@20.3.27
npm error   node_modules/@angular/build
npm error     dev @angular/build@"^20.3.24" from the root project
npm error     @angular/build@"20.3.27" from @angular-devkit/build-angular@20.3.27
npm error     node_modules/@angular-devkit/build-angular
npm error       peer @angular-devkit/build-angular@"^20.0.0" from @angular-builders/jest@20.0.0
npm error       node_modules/@angular-builders/jest
npm error         dev @angular-builders/jest@"^20.0.0" from the root project
npm error   1 more (@vendure/ngx-translate-extract)
npm error
npm error Could not resolve dependency:
npm error peer @angular/compiler@"20.3.24" from @angular/compiler-cli@20.3.24
npm error node_modules/@angular/compiler-cli
npm error   dev @angular/compiler-cli@"20.3.24" from the root project
npm error   peer @angular/compiler-cli@"^20.0.0" from @angular-builders/jest@20.0.0
npm error   node_modules/@angular-builders/jest
npm error     dev @angular-builders/jest@"^20.0.0" from the root project
npm error   6 more (jest-preset-angular, @angular-devkit/build-angular, ...)
npm error
npm error Conflicting peer dependency: @angular/compiler@20.3.24
npm error node_modules/@angular/compiler
npm error   peer @angular/compiler@"20.3.24" from @angular/compiler-cli@20.3.24
npm error   node_modules/@angular/compiler-cli
npm error     dev @angular/compiler-cli@"20.3.24" from the root project
npm error     peer @angular/compiler-cli@"^20.0.0" from @angular-builders/jest@20.0.0
npm error     node_modules/@angular-builders/jest
npm error       dev @angular-builders/jest@"^20.0.0" from the root project
npm error     6 more (jest-preset-angular, @angular-devkit/build-angular, ...)
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-06-16T00_11_26_229Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-06-16T00_11_26_229Z-debug-0.log
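The ERESOLVE above is the reason this security bump never landed: @angular/compiler-cli@20.3.24 peer-pins @angular/compiler to exactly 20.3.24, so bumping the compiler alone cannot resolve, and accepting npm's `--force` / `--legacy-peer-deps` suggestion would only paper over it. The script below is an added example, not Renovate's or npm's code, that checks a package.json for version skew among Angular framework packages and prints the npm commands that bring the stragglers to the same version. The set of "framework" packages (those Angular publishes in lockstep, as opposed to tooling like @angular/build, which the log shows at 20.3.27 with a `^20.0.0` peer range) is an assumption of this example, and the sample package.json is constructed to mirror the log's compiler/compiler-cli situation.

```javascript
// Added example (not Renovate's, npm's or this project's code): detect Angular
// framework packages that are not pinned to a single version and emit the npm
// commands to align them. FRAMEWORK_PACKAGES is an assumption of this example;
// CLI/tooling packages such as @angular/build are versioned separately and skipped.
"use strict";

const FRAMEWORK_PACKAGES = new Set([
  "@angular/core", "@angular/common", "@angular/compiler", "@angular/compiler-cli",
  "@angular/platform-browser", "@angular/platform-server", "@angular/router",
  "@angular/forms", "@angular/animations", "@angular/service-worker",
]);

const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// Numeric major.minor.patch comparison; negative when a < b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Collects framework packages from both dependency sections, remembering which.
function frameworkDeps(pkg) {
  const out = [];
  for (const [section, dev] of [["dependencies", false], ["devDependencies", true]]) {
    for (const [name, spec] of Object.entries(pkg[section] ?? {})) {
      if (FRAMEWORK_PACKAGES.has(name)) out.push({ name, spec, dev });
    }
  }
  return out;
}

// Target defaults to the newest exactly-pinned version present (the security bump).
// Ranges like "^20.3.24" count as skew: lockstep peers want an exact pin.
function checkLockstep(pkg, target) {
  const deps = frameworkDeps(pkg);
  const exact = deps.map((d) => d.spec).filter((s) => EXACT_VERSION.test(s)).sort(compareVersions);
  const want = target ?? exact[exact.length - 1];
  if (!want) throw new Error("no exactly pinned framework version to align to");
  const skew = deps.filter((d) => d.spec !== want);
  return { target: want, ok: skew.length === 0, skew };
}

// npm commands that move every skewed package to the target, keeping dev/prod.
function alignCommands(pkg, target) {
  const { target: want, skew } = checkLockstep(pkg, target);
  const spec = (d) => `${d.name}@${want}`;
  const prod = skew.filter((d) => !d.dev).map(spec);
  const dev = skew.filter((d) => d.dev).map(spec);
  const cmds = [];
  if (prod.length) cmds.push(`npm install --save-exact ${prod.join(" ")}`);
  if (dev.length) cmds.push(`npm install --save-dev --save-exact ${dev.join(" ")}`);
  return cmds;
}

// Constructed package.json mirroring the ERESOLVE log: the compiler was bumped
// to 20.3.25 while compiler-cli stayed at 20.3.24. core/common are added as
// assumptions to show prod-side skew; @angular/build keeps its own range.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "@angular/compiler": "20.3.25",
    "@angular/core": "20.3.24",
    "@angular/common": "20.3.24",
  },
  devDependencies: {
    "@angular/compiler-cli": "20.3.24",
    "@angular/build": "^20.3.24",
    "@angular-builders/jest": "^20.0.0",
  },
};

const result = checkLockstep(SAMPLE_PACKAGE_JSON);
console.log(`target ${result.target}, ${result.skew.length} package(s) out of step`);
for (const cmd of alignCommands(SAMPLE_PACKAGE_JSON)) console.log(cmd);
```

After running the printed commands, a plain `npm install` regenerates package-lock.json without `--legacy-peer-deps`, and the Renovate branch rebases cleanly. Closing the PR instead, as happened here, makes Renovate ignore 20.3.25 for @angular/compiler entirely, so the XSS fix stays out of the tree until a newer release appears.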

@IOhacker IOhacker closed this Jun 19, 2026
@renovate renovate Bot commented Jun 19, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (20.3.25). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate Bot deleted the renovate/npm-angular-compiler-vulnerability branch June 19, 2026 14:45