Skip to content

Bump @angular/platform-server from 19.1.4 to 19.2.21 in /starters/angular/basic#560

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/starters/angular/basic/angular/platform-server-19.2.21
Open

Bump @angular/platform-server from 19.1.4 to 19.2.21 in /starters/angular/basic#560
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/starters/angular/basic/angular/platform-server-19.2.21

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 17, 2026

Bumps @angular/platform-server from 19.1.4 to 19.2.21.

Release notes

Sourced from @​angular/platform-server's releases.

19.2.21

platform-server

Commit Description
fix - f3a5bfb949 prevent SSRF bypasses via protocol-relative and backslash URLs

19.2.20

compiler

Commit Description
fix - 5be912eb55 disallow translations of iframe src

core

Commit Description
fix - b89b0a83a4 sanitize translated attribute bindings with interpolations
fix - 621c7071ad sanitize translated form attributes

19.2.19

core

Commit Description
fix - 747548721d block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

19.2.18

core

Commit Description
fix - 26cdc53d9c sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit Description
fix - 7c42e2ebeb prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit Description
fix - 05fe6686a9 prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit Description

... (truncated)

Changelog

Sourced from @​angular/platform-server's changelog.

19.2.21 (2026-04-15)

platform-server

Commit Type Description
f3a5bfb949 fix prevent SSRF bypasses via protocol-relative and backslash URLs

20.3.19 (2026-04-15)

platform-server

Commit Type Description
303d4cd580 fix prevent SSRF bypasses via protocol-relative and backslash URLs

22.0.0-next.8 (2026-04-15)

Breaking Changes

compiler

  • This change will trigger the nullishCoalescingNotNullable and optionalChainNotNullable diagnostics on exisiting projects. You might want to disable those 2 diagnotiscs in your tsconfig temporarily.

compiler

Commit Type Description
47fcbc4704 feat allow safe navigation to correctly narrow down nullables
2c5aabb9da fix don't escape dollar sign in literal expression

compiler-cli

Commit Type Description
e5f96c2d88 fix animation events not type checked properly when bound through HostListener decorator

core

Commit Type Description
4e331062e8 feat allow synchronous values for stream Resources
2f5ab541ea feat enhance profiling with documentation URLs
75f2cb8f56 feat implement Angular DI graph in-page AI tool
8ce9cc4f6b feat register AI runtime debugging tools
cdda51a3b2 feat support bootstrapping Angular applications underneath shadow roots
3c7641151c fix escape forward slashes in transfer state to prevent crawler indexing

forms

Commit Type Description
f9f24fc669 feat shim legacy NG_VALIDATORS into parseErrors for CVA mode (#67943)
72d3ace03c fix use controlValue in NgControl for CVA interop (#67943)

http

Commit Type Description
39e382a756 fix add CSP nonce support to JsonpClientBackend

... (truncated)

Commits
  • f3a5bfb fix(platform-server): prevent SSRF bypasses via protocol-relative and backsla...
  • 70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
  • a6d5479 build: migrate platform-server to rules_js (#61619)
  • 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
  • 8edafd0 perf(platform-server): speed up resolution of base (#61392)
  • 899cb4a refactor: add explicit types for exports relying on inferred call return type...
  • 1312eb1 build: remove irrelevant madge circular deps tests (#61209)
  • a6f0d5b fix(platform-server): less aggressive ngServerMode cleanup (#61106)
  • 2e140a1 fix(core): prevent stash listener conflicts [patch] (#61063)
  • f4b5977 refactor(platform-server): switching to relative imports within the `platform...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump @angular/platform-server in /starters/angular/basic
79e7b29 
Bumps [@angular/platform-server](https://github.com/angular/angular/tree/HEAD/packages/platform-server) from 19.1.4 to 19.2.21.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v19.2.21/packages/platform-server)

---
updated-dependencies:
- dependency-name: "@angular/platform-server"
  dependency-version: 19.2.21
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 17, 2026
@dependabot dependabot bot requested a review from jamesdaniels as a code owner April 17, 2026 00:16
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Apr 17, 2026
@dependabot dependabot bot added the javascript Pull requests that update Javascript code label Apr 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jamesdaniels jamesdaniels Awaiting requested review from jamesdaniels jamesdaniels is a code owner

@Yuangwang Yuangwang Awaiting requested review from Yuangwang Yuangwang is a code owner

@annajowang annajowang Awaiting requested review from annajowang annajowang is a code owner

@abhis3 abhis3 Awaiting requested review from abhis3 abhis3 is a code owner

@falahat falahat Awaiting requested review from falahat falahat is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants