Update dependency @angular/common to v21 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/common (source)	^15.0.2 → ^21.0.0

GitHub Vulnerability Alerts

CVE-2025-66035

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

1. The victim's Angular application must have XSRF protection enabled.
2. The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.

Patches

• 19.2.16
• 20.3.14
• 21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

---

Release Notes

angular/angular (@​angular/common)

v21.2.1

Compare Source

core

Commit	Type	Description
e2e9a9a531	fix	adds transfer cache to httpResource to fix hydration
b4ec3cc4e4	fix	prevent child animation elements from being orphaned
e923d88398	fix	Prevent removal of elements during drag and drop

http

Commit	Type	Description
277ade97ac	fix	correctly cache blob responses in transfer cache (#​67002)

v21.2.0

Compare Source

common

Commit	Type	Description
18003a33bb	feat	add an 'outlet' injector option for ngTemplateOutlet
8bbe6dc46c	feat	Add Location strategies to manage trailing slash on write
51cc914807	feat	support height in ImageLoaderConfig and built-in loaders

compiler

Commit	Type	Description
72534e2a34	feat	Add support for the instanceof binary operator
95b3f37d4a	feat	Exhaustive checks for switch blocks
04ba09a8d9	feat	support AstVisitor.visitEmptyExpr()
ce80136e7b	fix	optimize away unnecessary restore/reset view calls
3242a61bae	fix	variable counter visiting some expressions twice

compiler-cli

Commit	Type	Description
473dd3e1cb	fix	attach source spans to object literal keys in TCB
a904d9f77b	fix	support nested component declaration
2ea6dfc6c9	fix	update diagnostic to flag no-op arrow functions in listeners

core

Commit	Type	Description
8d5210c9fe	feat	add ChangeDetectionStrategy.Eager alias for Default
92d2498910	feat	add host node to DeferBlockData (#​66546)
ea2016a6dc	feat	add support for nested animations
81cabc1477	feat	add support for TypeScript 6
1ba9b7ac50	feat	resource composition via snapshots
d9923b72a2	feat	support arrow functions in expressions
a7e8abbb7e	fix	correctly handle SkipSelf when resolving from embedded view injector
0806ee3826	fix	prevent animated element duplication with dynamic components in zoneless mode
ed78fa05c7	fix	Remove note to skip arrow functions in best practices

forms

Commit	Type	Description
f56bb07d83	feat	add field param to submit action and onInvalid
ba009b6031	feat	add form directive
22afbb2f36	feat	add parsing support to native inputs (#​66917)
95c386469c	feat	Add passing focus options to form field
95ecce8334	feat	allow setting submit options at form-level
ebae211add	feat	introduce parse errors in signal forms
3937afc316	feat	introduce SignalFormControl for Reactive Forms compatibility
30f0914754	feat	support binding null to number input (#​66917)
dd208ca259	feat	update submit function to accept options object
27397b3f4f	fix	clear parse errors when model updates (#​66917)
63d8005703	fix	preserve custom-control focus context in signal forms
631f60d1f9	fix	preserve parse errors when parse returns value
adfb83146b	fix	simplify design of parse errors
fb05fc86d0	fix	sort error summary by DOM order
567f292e8e	fix	support custom controls as host directives
bdfb60f3e3	fix	use consistent error format returned from parse
d75046bc09	fix	warn when showing hidden field state

language-server

Commit	Type	Description
ebc90c26f5	feat	Add completions and hover info for inline styles
26fd0839c3	feat	Add folding range support for inline styles
573aadef7e	feat	Add quick info for inline styles
6fb39d9b62	feat	Support client-side file watching via onDidChangeWatchedFiles

language-service

Commit	Type	Description
496967e7b1	feat	add JSON schema for angularCompilerOptions
8c21866f49	feat	add linked editing ranges for HTML tag synchronization
d2137928e8	perf	use lightweight project warmup for Angular analysis

router

Commit	Type	Description
b51bab583d	feat	Add partial ActivatedRouteSnapshot information to canMatch params
cf9620f7d0	feat	Make match options optional in isActive
907a94dcec	feat	Update IsActiveMatchOptions APIs to accept a Partial

v21.1.6

Compare Source

Breaking Changes

core

• Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

  (cherry picked from commit 306f367)

common

Commit	Type	Description
31d3d56496	fix	fix LCP image detection with duplicate URLs

compiler-cli

Commit	Type	Description
24b578ce90	fix	detect uninvoked functions in defer trigger expressions

core

Commit	Type	Description
b858309532	fix	block creation of sensitive URI attributes from ICU messages

v21.1.5

Compare Source

No user facing changes in this release

v21.1.4

Compare Source

compiler

Commit	Type	Description
caab23dfe6	fix	add geolocation element to schema

core

Commit	Type	Description
2b99eaa019	fix	capture animation dependencies eagerly to avoid destroyed injector
d6aeac504c	fix	Fix flakey test due to document injection

forms

Commit	Type	Description
0d1acd0165	feat	support signal-based schemas in validateStandardSchema

http

Commit	Type	Description
3905015ccc	fix	correctly parse ArrayBuffer and Blob in transfer cache

v21.1.3

Compare Source

core

Commit	Type	Description
2b254bc050	fix	linkedSignal.update should propagate errors
e5110b4fa1	fix	export DirectiveWithBindings
2cf4da0ea1	fix	hold constructors weakly in DepsTracker cache
70a5b651be	fix	prevent element duplication with dynamic components

forms

Commit	Type	Description
6f75b6e3f6	fix	Resolves debounce promise on abort in debounceForDuration

localize

Commit	Type	Description
4c7126d23b	fix	add support for unit-test builder in ng-add schematic

router

Commit	Type	Description
d6268c0bbb	fix	limit UrlParser recursion depth to prevent stack overflow
49a36f4cc7	perf	Use .bind to avoid holding other closures in memory

v21.1.2

Compare Source

forms

Commit	Type	Description
9f99b14882	fix	only touch visible, interactive fields on submit

language-service

Commit	Type	Description
c57b0355b5	fix	Detect local project version on creation

router

Commit	Type	Description
21ecdc036a	fix	Do not intercept reload events with Navigation integration

v21.1.1

Compare Source

compiler-cli

Commit	Type	Description
0e1f1ed573	fix	drop .tsx extension for generated relative imports

core

Commit	Type	Description
05adfcf8f2	fix	handle Set in class bindings

forms

Commit	Type	Description
d89a80a970	feat	Ability to manually register a form field binding in signal forms
cb75f9ce85	fix	fix control value syncing on touch

v21.1.0

Compare Source

Deprecations

upgrade

• VERSION from @angular/upgrade is deprecated. Please use the entry from @angular/upgrade/static instead.

common

Commit	Type	Description
d8790972be	feat	Add custom transformations for Cloudflare and Cloudinary image loaders
a6b8cb68af	feat	support custom transformations in ImageKit and Imgix loaders

compiler

Commit	Type	Description
640693da8e	feat	Add support for multiple swich cases matching
0ad3adc7c6	fix	Support empty cases

core

Commit	Type	Description
99ad18a4ee	feat	Add stability debugging utility
a0dfa5fa86	feat	support rest arguments in function calls
6e18fa8bc9	feat	support spread elements in array literals
e407280ab5	feat	support spread expressions in object literals
06be8034bb	fix	Microtask scheduling should be used after any application synchronization
b4f584cf42	fix	return StaticProvider for providePlatformInitializer

forms

Commit	Type	Description
1ea5c97703	feat	allow focusing bound control from field state

platform-browser

Commit	Type	Description
ec9dc94cee	feat	add context to createApplication
ab67988d2e	feat	resolve JIT resources in createApplication

router

Commit	Type	Description
5edceffd04	feat	add controls for route cleanup
a03c82564d	feat	Add scroll behavior controls on router navigation
e44839b016	feat	Add standalone function to create a comptued for isActive
c25d749d85	feat	Execute RunGuardsAndResolvers function in injection context
1c00ab42f8	feat	extend paramters of RedirectFunction to include paramMap and queryParamMap
7003e8d241	feat	Publish Router's integration with platform Navigation API as experimental
c84d372778	feat	Support wildcard params with segments trailing (#​64737)

upgrade

Commit	Type	Description
75fe8f8af9	refactor	deprecate VERSION export

v21.0.9

Compare Source

forms

Commit	Type	Description
82d556a8fb	fix	Ensure the control instruction comes after the other bindings
0055f3cc79	fix	Rename signal form [field] to [formField]

migrations

Commit	Type	Description
e4bfa5c9e7	fix	prevent duplicate imports in common-to-standalone migration

v21.0.8

Compare Source

core

Commit	Type	Description
a6a2621bf9	fix	fix memory leak with event replay
5239e471a1	fix	handle cancelled traversals in fake navigation

v21.0.7

Compare Source

compiler

Commit	Type	Description
8e808740c9	fix	better types for a few expression AST nodes
63b1cdcf70	fix	produce accurate span for typeof and void expressions
3c3ae0cb64	fix	provide location information for literal map keys
523dbaf1c3	fix	stop ThisReceiver inheritance from ImplicitReceiver

compiler-cli

Commit	Type	Description
4d9c4567ed	fix	ensure component import diagnostics are reported within the imports expression
cd405685af	fix	fix up spelling of diagnostic
778460fcca	fix	support qualified names in typeof type references

core

Commit	Type	Description
7c74674eb0	fix	avoid leaking view data in animations
0edbee4550	fix	explicitly cast signal node value to String
f9c29572d2	fix	sanitize sensitive attributes on SVG script elements

forms

Commit	Type	Description
e3fba182f9	feat	add [formField] directive
561772b152	fix	allow custom controls to require dirty input
f0fb1d8581	fix	allow custom controls to require hidden input
ec110f170b	fix	allow custom controls to require pending input
ae1dc16bb0	fix	clean up abort listener after timeout
9748b0d5da	fix	support custom controls with non signal-based models
6bd22df987	fix	Support readonly arrays in signal forms

router

Commit	Type	Description
41cd4a6af8	fix	Fix RouterLink href not updating with queryParamsHandling
5e9e09aee0	fix	handle errors from view transition updateCallbackDone promise

v21.0.6

Compare Source

Breaking Changes (affecting only experimental features)

forms

• The shape of SignalFormsConfig.classes has changed

  Previously each function in the classes map took a FieldState. Now
  it takes a Field directive.

  For example if you previously had:

  provideSignalFormsConfig({
    classes: {
      'my-valid': (state) => state.valid()
    }
  })
  

  You would need to update to:

  provideSignalFormsConfig({
    classes: {
      'my-valid': ({state}) => state().valid()
    }
  })
  

  (cherry picked from commit 348f149)

• (cherry picked from commit ae0c590)

core

Commit	Type	Description
4c8fb3631d	fix	throw better errors for potential circular references
48492524ea	fix	use mutable ResponseInit type for RESPONSE_INIT token

forms

Commit	Type	Description
81772b420d	feat	pass field directive to class config
729b96476b	refactor	rename field to fieldTree in FieldContext and ValidationError

language-service

Commit	Type	Description
e0694df3ec	fix	avoid interpolation highlighting inside @​let
5047be4bc1	fix	Prevent language service from crashing on suggestion diagnostic errors

v21.0.5

Compare Source

core

Commit	Type	Description
69d243abb74	fix	avoid false-positive deprecation when using InjectionToken with factory only

forms

Commit	Type	Description
4fd2b722b40	fix	fix signal forms type error

v21.0.4

Compare Source

compiler

Commit	Type	Description
f901cc9eb32	perf	chain query creation instructions

compiler-cli

Commit	Type	Description
65297c62011	fix	expand type for native controls with a dynamic type

forms

Commit	Type	Description
f254ff4f2e0	feat	expose element on signal forms Field directive
5880fbc73c6	feat	redo the signal forms metadata API
55fc677cef4	fix	add signals for dirty, hidden, and pending states in custom controls
cbb10179c80	fix	allow resetting with empty string
bf1c12cd932	fix	memoize reads of child fields in signal forms (#​65802)
6d7475582f9	fix	Reuse key in parent in compat structure

v21.0.3

Compare Source

compiler-cli

Commit	Type	Description
5a80a48e96	fix	avoid allocating an object for signals in production mode
1f1856e897	fix	check that field radio button values are strings

core

Commit	Type	Description
8c3304c766	fix	run animation queue in environment injector context
4bb085311e	fix	unable to inject viewProviders when host directive with providers is present
609699ae17	perf	tree shake unused dynamic [field] binding instructions (#​65599)

forms

Commit	Type	Description
6b4ab876e8	feat	Allows transforms on FormUiControl signals
a5dbd4b382	fix	support dynamic [field] bindings (#​65599)

http

Commit	Type	Description
20474d3f0f	fix	enable XSRF protection for same-origin absolute URLs

router

Commit	Type	Description
48b89f9fbe	fix	handle errors from view transition finished promise

v21.0.2

Compare Source

compiler

Commit	Type	Description
78fd159b78	fix	prevent XSS via SVG animation attributeName and MathML/SVG URLs

v21.0.1

Compare Source

compiler-cli

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

core

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use in

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
angular-ivy-dw6bbe1	Error		Mar 8, 2026 10:07am
angular-ivy-dw6bbe1-lfj9	Error		Mar 8, 2026 10:07am

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 21b4670

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​angular/​common@​21.2.1

View full report