Skip to content

chore(deps): update dependency @angular/compiler to v20.3.18 [security]#10270

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-angular-compiler-vulnerability
Mar 15, 2026
Merged

chore(deps): update dependency @angular/compiler to v20.3.18 [security]#10270
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-angular-compiler-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 14, 2026

This PR contains the following updates:

Package Change Age Confidence
@angular/compiler (source) 20.3.1620.3.18 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-32635

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script.

The following example illustrates the issue:

<a href="" i18n-href>Click me</a>

The following attributes have been confirmed to be vulnerable:

  • action
  • background
  • cite
  • codebase
  • data
  • formaction
  • href
  • itemtype
  • longdesc
  • poster
  • src
  • xlink:href

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

  • Session Hijacking: Stealing session cookies and authentication tokens.
  • Data Exfiltration: Capturing and transmitting sensitive user data.
  • Unauthorized Actions: Performing actions on behalf of the user.

Attack Preconditions

  1. The application must use a vulnerable version of Angular.
  2. The application must bind unsanitized user input to one of the attributes mentioned above.
  3. The bound value must be marked for internationalization via the presence of a i18n-<name> attribute on the same element.

Patches

  • 22.0.0-next.3
  • 21.2.4
  • 20.3.18
  • 19.2.20

Workarounds

The primary workaround is to ensure that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters) until the patch is applied, or when it is, it shouldn't be marked for internationalization.

Alternatively, users can explicitly sanitize their attributes by passing them through Angular's DomSanitizer:

import {Component, inject, SecurityContext} from '@&#8203;angular/core';
import {DomSanitizer} from '@&#8203;angular/platform-browser';

@&#8203;Component({
  template: `
    <form action="" i18n-action>
      <button>Submit</button>
    </form>
  `,
})
export class App {
  url: string;

  constructor() {
    const dangerousUrl = 'javascript:alert(1)';
    const sanitizer = inject(DomSanitizer);
    this.url = sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
  }
}

Release Notes

angular/angular (@​angular/compiler)

v20.3.18

Compare Source

compiler
Commit Type Description
02fbf08890 fix disallow translations of iframe src
core
Commit Type Description
72126f9a08 fix sanitize translated attribute bindings with interpolations
626bc8bc20 fix sanitize translated form attributes

v20.3.17

Compare Source

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204)

core
Commit Type Description
7f9de3c118 fix block creation of sensitive URI attributes from ICU messages

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Mar 14, 2026
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Mar 14, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: 693e054

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Mar 14, 2026
edited
Loading

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b77a1a94-e989-472c-9b90-9173ed21ef42

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch renovate/npm-angular-compiler-vulnerability
📝 Coding Plan
  • Generate coding plan for human review comments

Comment @coderabbitai help to get the list of available commands and usage tips.

@nx-cloud
Copy link
Copy Markdown

nx-cloud Bot commented Mar 14, 2026
edited
Loading

View your CI Pipeline Execution ↗ for commit 693e054

Command Status Duration Result
nx affected --targets=test:sherif,test:knip,tes... ✅ Succeeded 4m 5s View ↗
nx run-many --target=build --exclude=examples/*... ✅ Succeeded 2s View ↗

☁️ Nx Cloud last updated this comment at 2026-03-15 01:41:48 UTC

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented Mar 14, 2026
edited
Loading

More templates

@tanstack/angular-query-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-experimental@10270

@tanstack/eslint-plugin-query

npm i https://pkg.pr.new/@tanstack/eslint-plugin-query@10270

@tanstack/preact-query

npm i https://pkg.pr.new/@tanstack/preact-query@10270

@tanstack/preact-query-devtools

npm i https://pkg.pr.new/@tanstack/preact-query-devtools@10270

@tanstack/preact-query-persist-client

npm i https://pkg.pr.new/@tanstack/preact-query-persist-client@10270

@tanstack/query-async-storage-persister

npm i https://pkg.pr.new/@tanstack/query-async-storage-persister@10270

@tanstack/query-broadcast-client-experimental

npm i https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@10270

@tanstack/query-core

npm i https://pkg.pr.new/@tanstack/query-core@10270

@tanstack/query-devtools

npm i https://pkg.pr.new/@tanstack/query-devtools@10270

@tanstack/query-persist-client-core

npm i https://pkg.pr.new/@tanstack/query-persist-client-core@10270

@tanstack/query-sync-storage-persister

npm i https://pkg.pr.new/@tanstack/query-sync-storage-persister@10270

@tanstack/react-query

npm i https://pkg.pr.new/@tanstack/react-query@10270

@tanstack/react-query-devtools

npm i https://pkg.pr.new/@tanstack/react-query-devtools@10270

@tanstack/react-query-next-experimental

npm i https://pkg.pr.new/@tanstack/react-query-next-experimental@10270

@tanstack/react-query-persist-client

npm i https://pkg.pr.new/@tanstack/react-query-persist-client@10270

@tanstack/solid-query

npm i https://pkg.pr.new/@tanstack/solid-query@10270

@tanstack/solid-query-devtools

npm i https://pkg.pr.new/@tanstack/solid-query-devtools@10270

@tanstack/solid-query-persist-client

npm i https://pkg.pr.new/@tanstack/solid-query-persist-client@10270

@tanstack/svelte-query

npm i https://pkg.pr.new/@tanstack/svelte-query@10270

@tanstack/svelte-query-devtools

npm i https://pkg.pr.new/@tanstack/svelte-query-devtools@10270

@tanstack/svelte-query-persist-client

npm i https://pkg.pr.new/@tanstack/svelte-query-persist-client@10270

@tanstack/vue-query

npm i https://pkg.pr.new/@tanstack/vue-query@10270

@tanstack/vue-query-devtools

npm i https://pkg.pr.new/@tanstack/vue-query-devtools@10270

commit: 693e054

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Mar 14, 2026
edited
Loading

size-limit report 📦

Path Size
react full 11.92 KB (0%)
react minimal 8.95 KB (0%)

@renovate renovate Bot force-pushed the renovate/npm-angular-compiler-vulnerability branch from b7c18c0 to 693e054 Compare March 15, 2026 01:36
@renovate renovate Bot merged commit d4fd941 into main Mar 15, 2026
7 checks passed
@renovate renovate Bot deleted the renovate/npm-angular-compiler-vulnerability branch March 15, 2026 05:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants