@renovate renovate bot commented Sep 11, 2025

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@angular/platform-server (source) ^16.2.12 -> ^18.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-59052

Impact

Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state.

In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks.

The following APIs were vulnerable and required SSR-only breaking changes:

  • bootstrapApplication: This function previously implicitly retrieved the last platform injector that was created. It now requires an explicit BootstrapContext in a server environment. This function is only used for standalone applications. NgModule-based applications are not affected.
  • getPlatform: This function previously returned the last platform instance that was created. It now always returns null in a server environment.
  • destroyPlatform: This function previously destroyed the last platform instance that was created. It's now a no-op when called in a server environment.

For bootstrapApplication, the framework now provides a new argument to the application's bootstrap function:

// Before:
const bootstrap = () => bootstrapApplication(AppComponent, config);

// After:
const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

As is usually the case for changes to Angular, an automatic schematic will take care of these code changes as part of ng update:

# For apps on Angular v20:
ng update @angular/cli @angular/core

# For apps on Angular v19:
ng update @angular/cli@19 @angular/core@19

# For apps on Angular v18:
ng update @angular/cli@18 @angular/core@18

The schematic can also be invoked explicitly if the version bump was pulled in independently:

# For apps on Angular v20:
ng update @angular/core --name add-bootstrap-context-to-server-main

# For apps on Angular v19:
ng update @angular/core@19 --name add-bootstrap-context-to-server-main

# For apps on Angular v18:
ng update @angular/core@18 --name add-bootstrap-context-to-server-main

For applications that still use CommonEngine, the bootstrap property in CommonEngineOptions also gains the same context argument in the patched versions of Angular.

In local development (ng serve), Angular CLI triggered a codepath for Angular's "JIT" feature on the server even in applications that weren't using it in the browser. The codepath introduced async behavior between platform creation and application bootstrap, triggering the race condition even if an application didn't explicitly use getPlatform or custom async logic in bootstrap. Angular applications should never run in this mode outside of local development.

Patches

The issue has been patched in all active release lines as well as in the v21 prerelease:

  • @angular/platform-server: 21.0.0-next.3

  • @angular/platform-server: 20.3.0

  • @angular/platform-server: 19.2.15

  • @angular/platform-server: 18.2.14

  • @angular/ssr: 21.0.0-next.3

  • @angular/ssr: 20.3.0

  • @angular/ssr: 19.2.16

  • @angular/ssr: 18.2.21

Workarounds

  • Disable SSR via Server Routes (v19+) or builder options.
  • Remove any asynchronous behavior from custom bootstrap functions.
  • Remove uses of getPlatform() in application code.
  • Ensure that the server build defines ngJitMode as false.

References


Release Notes

angular/angular (@​angular/platform-server)

v18.2.14

Compare Source

Breaking Changes

core
  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

    Before:

    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:

    const bootstrap = (context: BootstrapContext) =>
      bootstrapApplication(AppComponent, config, context);

    A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

    (cherry picked from commit 8bf80c9)

core
Commit Type Description
9d1fb33f5e fix introduce BootstrapContext for improved server bootstrapping (#​63640)

v18.2.13

Compare Source

migrations
Commit Type Description
06d70a25ea fix take care of tests that import both HttpClientModule & HttpClientTestingModule. (#​58777)

v18.2.12

Compare Source

compiler-cli
Commit Type Description
4c38160853 fix correct extraction of generics from type aliases (#​58548)

v18.2.11

Compare Source

core
Commit Type Description
5f2d98a1b1 fix avoid slow stringification when checking for duplicates in dev mode (#​58521)
3aa45a2fa1 fix resolve forward-referenced host directives during directive matching (#​58492) (#​58500)

v18.2.10

Compare Source

compiler
Commit Type Description
69dce38e778 fix transform pseudo selectors correctly for the encapsulated view. (#​58417)
localize
Commit Type Description
3b989ac5bd9 fix Adding arb format to the list of valid formats in the localization extractor cli (#​58287)

v18.2.9

Compare Source

compiler-cli
Commit Type Description
b0ab653965 fix report when NgModule imports or exports itself (#​58231)

v18.2.8

Compare Source

compiler
Commit Type Description
11692c8dab fix add multiple :host and nested selectors support (#​57796)
66dcc691f5 fix allow combinators inside pseudo selectors (#​57796)
48a1437e77 fix fix comment typo (#​57796)
d325f9b55f fix fix parsing of the :host-context with pseudo selectors (#​57796)
aea747ab3b fix preserve attributes attached to :host selector (#​57796)
21be258be6 fix scope :host-context inside pseudo selectors, do not decrease specificity (#​57796)
7a6fd427d5 fix transform pseudo selectors correctly for the encapsulated view (#​57796)
compiler-cli
Commit Type Description
f187c3abf8 fix defer symbols only used in types (#​58104)
core
Commit Type Description
46bafb0b0a fix clean up afterRender after it is executed (#​58119)
platform-server
Commit Type Description
b40875a2cc fix destroy PlatformRef when error happens during the bootstrap() phase (#​58112) (#​58135)

v18.2.7

Compare Source

common
Commit Type Description
249d0260f9 fix execute checks and remove placeholder when image is already loaded (#​55444)
46a2ad39f5 fix prevent warning about oversize image twice (#​58021)
8f2b0ede59 fix skip checking whether SVGs are oversized (#​57966)
compiler-cli
Commit Type Description
901c1e1a7f fix correctly get the type of nested function call expressions (#​57010)
core
Commit Type Description
2f347ef8fc fix provide flag to opt into manual cleanup for after render hooks (#​57917)
http
Commit Type Description
ca637fe6a9 fix cleanup JSONP script listeners once loading completed (#​57877)
migrations
Commit Type Description
b9d846dad7 fix delete constructor if it only has super call (#​58013)
upgrade
Commit Type Description
e40a4fa3c7 fix support input signal bindings (#​57020)

v18.2.6

Compare Source

v18.2.5

Compare Source

compiler-cli
Commit Type Description
e685ed883a fix extended diagnostics not validating ICUs (#​57845)
core
Commit Type Description
76709d5d6e fix Handle @let declaration with array when preparingForHydration (#​57816)
migrations
Commit Type Description
5c866942a1 fix account for explicit standalone: false in migration (#​57803)

v18.2.4

Compare Source

compiler
Commit Type Description
b619d6987e fix produce less noisy errors when parsing control flow (#​57711)
migrations
Commit Type Description
9895e4492f fix replace leftover modules with their exports during pruning (#​57684)

v18.2.3

Compare Source

http
Commit Type Description
de68e049e4 fix Dynamically call the global fetch implementation (#​57531)

v18.2.2

Compare Source

core
Commit Type Description
106917af878 fix avoid leaking memory if component throws during creation (#​57546)
6d3a2af146a fix Do not bubble capture events. (#​57476)
http
Commit Type Description
5d2e243c76a fix Dynamically call the global fetch implementation (#​57531)
router
Commit Type Description
804925b1149 fix Do not unnecessarily run matcher twice on route matching (#​57530)
upgrade
Commit Type Description
03ec620e31a fix Address Trusted Types violations in @​angular/upgrade (#​57454)

v18.2.1

Compare Source

Breaking Changes

core
  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

    Before:

    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:

    const bootstrap = (context: BootstrapContext) =>
      bootstrapApplication(AppComponent, config, context);

    A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

    (cherry picked from commit 8bf80c9)

core
Commit Type Description
9d1fb33f5e fix introduce BootstrapContext for improved server bootstrapping (#​63640)

v18.2.0

Compare Source

compiler
Commit Type Description
c8e2885136 feat Add extended diagnostic to warn when there are uncalled functions in event bindings (#​56295) (#​56295)
compiler-cli
Commit Type Description
98ed5b609e feat run JIT transform on classes with jit: true opt-out (#​56892)
c76b440ac0 fix add warning for unused let declarations (#​57033)
0f0a1f2836 fix emitting references to ngtypecheck files (#​57138)
6c2fbda694 fix extended diagnostic visitor not visiting template attributes (#​57033)
e11c0c42d2 fix run JIT transforms on @NgModule classes with jit: true (#​57212)
core
Commit Type Description
f7918f5272 feat Add 'flush' parameter option to fakeAsync to flush after the test (#​57239)
fab673a1dd feat add ng generate schematic to convert to inject (#​57056)
7919982063 feat Add whenStable helper on ApplicationRef (#​57190)
3459289ef0 feat bootstrapModule can configure NgZone in providers (#​57060)
296216cbe1 fix Allow hybrid CD scheduling to support multiple "Angular zones" (#​57267)
8718abce90 fix Deprecate ignoreChangesOutsideZone option (#​57029)
827070e331 fix Do not run image performance warning checks on server (#​57234)
ca89ef9141 fix handle shorthand assignment in the inject migration (#​57134)
5dcdbfcba9 fix rename the equality function option in toSignal (#​56769)
2a4f488a6c fix warnings for oversized images and lazy-lcp present with bootstrapModule (#​57060)
language-service
Commit Type Description
4bb558ab0c feat support writing code refactorings (#​56895)
7663debce1 perf quick exit if no code fixes can exist (#​57000)
migrations
Commit Type Description
147eee4253 feat add migration to convert standalone component routes to be lazy loaded (#​56428)
cb442a0ce7 fix account for parameters with union types (#​57127)
166166d79e fix add alias to inject migration (#​57127)
b1a9d0f4de fix avoid duplicating comments when generating properties (#​57367)
5d76401ff5 fix preserve optional parameters (#​57367)
1cf616f671 fix remove generic arguments from the injected type reference (#​57127)
ba0df30ef6 fix remove unused imports in inject migration (#​57179)
aae9646a1b fix unwrap injected forwardRef (#​57127)
604270619a perf speed up signal input migration by combining two analyze phases (#​57318)
router
Commit Type Description
6c76c91e15 feat Add defaultQueryParamsHandling to router configuration (#​57198)

v18.1.5

Compare Source

compiler-cli
Commit Type Description
5401332b0e fix generate valid TS 5.6 type checking code (#​57303)
core
Commit Type Description
e39b22a932 fix Account for addEventListener to be passed a Window or Document. (#​57282)
db65bc25ca fix Account for addEventListener to be passed a Window or Document. (#​57354)
0e024ecc27 fix complete post-hydration cleanup in components that use ViewContainerRef (#​57300)
822db64b93 fix skip hydration for i18n nodes that were not projected (#​57356)
810f76f574 fix take skip hydration flag into account while hydrating i18n blocks (#​57299)

v18.1.4

Compare Source

compiler
Commit Type Description
6a99f83659 fix reduce chance of conflicts between generated factory and local variables (#​57181)
compiler-cli
Commit Type Description
afb05ff1cb fix support JIT transforms before other transforms modifying classes (#​57262)
bae54a1621 perf improve performance of interpolatedSignalNotInvoked extended diagnostic (#​57291)
language-service
Commit Type Description
6ac209c24f fix avoid generating TS suggestion diagnostics for templates (#​56241)

v18.1.3

Compare Source

compiler
Commit Type Description
31dea066d6 fix reduce chance of conflicts between generated factory and local variables (#​57181)
compiler-cli
Commit Type Description
1f9e090910 fix emitting references to ngtypecheck files (#​57138) (#​57202)
core
Commit Type Description
f7ab04018e fix errors during ApplicationRef.tick should be rethrown for zoneless tests (#​56993)
eaa83f9d27 fix hydration error in some let declaration setups (#​57173)

v18.1.2

Compare Source

compiler
Commit Type Description
463945003d fix limit the number of chained instructions (#​57069)
compiler-cli
Commit Type Description
e904f34020 fix add warning for unused let declarations (#​57033)
core
Commit Type Description
9e52c1c840 fix afterNextRender hooks return that callback value. (#​57031)
b9fb98c67c fix tree shake dev mode error message (#​57035)

v18.1.1

Compare Source

common
Commit Type Description
a1cb9dfc0d fix Don't run preconnect assertion on the server. (#​56213)
compiler
Commit Type Description
daf0317bdc fix JIT mode incorrectly interpreting host directive configuration in partial compilation (#​57002)
d7dca6dbb6 fix use strict equality for 'code' comparison (#​56944)
compiler-cli
Commit Type Description
c94a897248 fix avoid emitting references to typecheck files in TS 5.4 ([#​56961](https://redirect.github.com/angular/a

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
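The race described in the CVE-2025-59052 advisory above (a module-scoped "last platform" that bootstrap reads implicitly after an asynchronous gap), reduced to a self-contained TypeScript model. This is an added example and not Angular's code: `createPlatform`, `getPlatformLegacy`, `beginVulnerable`, `beginFixed`, `renderConcurrently` and `crossRequestLeaks` are hypothetical stand-ins for the framework's platform injector, `getPlatform()`, the old and new `bootstrapApplication` calling conventions, and the event-loop interleaving; the two requests are constructed sample data.

```typescript
// Added example, not Angular's code: a minimal model of CVE-2025-59052.
// `lastPlatform` stands in for the module-scoped global platform injector.

interface Platform {
  requestId: string;
  user: string;            // request-specific state, e.g. the logged-in user
}

interface RenderResult {
  requestId: string;
  expectedUser: string;    // who the request was for
  renderedFor: string;     // whose data ended up in the response
}

// The module-scoped global the advisory describes.
let lastPlatform: Platform | null = null;

function createPlatform(requestId: string, user: string): Platform {
  const platform: Platform = { requestId, user };
  lastPlatform = platform;                 // "the last platform instance that was created"
  return platform;
}

// Old getPlatform() behaviour: hand back whatever was created last.
function getPlatformLegacy(): Platform | null {
  return lastPlatform;
}

// A request is split into two phases to model the async gap between platform
// creation and application bootstrap (the server JIT code path, or a custom
// async bootstrap). The scheduler below interleaves those phases across
// concurrent requests the way the event loop would.
type SsrRequest = { requestId: string; expectedUser: string; bootstrap: () => RenderResult };

// Vulnerable: bootstrap implicitly reads the global "last platform".
function beginVulnerable(requestId: string, user: string): SsrRequest {
  createPlatform(requestId, user);
  return {
    requestId, expectedUser: user,
    bootstrap: () => {
      const platform = getPlatformLegacy();
      if (!platform) throw new Error('no platform');
      return { requestId, expectedUser: user, renderedFor: platform.user };
    },
  };
}

// Fixed: the platform travels in an explicit context, as BootstrapContext does.
function beginFixed(requestId: string, user: string): SsrRequest {
  const context = createPlatform(requestId, user);   // captured, never looked up globally
  return {
    requestId, expectedUser: user,
    bootstrap: () => ({ requestId, expectedUser: user, renderedFor: context.user }),
  };
}

// Interleave: every request creates its platform before any of them bootstraps.
function renderConcurrently(begin: (id: string, user: string) => SsrRequest,
                            requests: Array<[string, string]>): RenderResult[] {
  const started = requests.map(([id, user]) => begin(id, user));
  return started.map(r => r.bootstrap());
}

// Check over rendered responses: any response carrying data that belongs to a
// different request is a cross-request leak.
function crossRequestLeaks(results: RenderResult[]): string[] {
  return results.filter(r => r.renderedFor !== r.expectedUser).map(r => r.requestId);
}

// Constructed sample: two concurrent requests for different users.
const sample: Array<[string, string]> = [['A', 'alice'], ['B', 'bob']];
const vulnerableLeaks = crossRequestLeaks(renderConcurrently(beginVulnerable, sample));
const fixedLeaks = crossRequestLeaks(renderConcurrently(beginFixed, sample));
console.log({ vulnerableLeaks, fixedLeaks });   // { vulnerableLeaks: ['A'], fixedLeaks: [] }
```

On the vulnerable path request A is rendered with bob's data because B's platform was created before A got around to bootstrapping; on the fixed path the context is threaded through the closure, which is what the BootstrapContext argument does for bootstrapApplication. The same kind of check as `crossRequestLeaks`, run over captured responses with a per-request marker in the headers or rendered page, is how you would confirm that a patched deployment no longer mixes requests.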

renovate bot commented Sep 11, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: [email protected]
npm error Found: @angular/[email protected]
npm error node_modules/@angular/animations
npm error   dev @angular/animations@"16.2.12" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @angular/animations@"18.2.14" from @angular/[email protected]
npm error node_modules/@angular/platform-server
npm error   dev @angular/platform-server@"^18.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-12-03T17_39_53_363Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-12-03T17_39_53_363Z-debug-0.log
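The ERESOLVE failure above is the usual result of bumping one Angular package on its own: the framework packages declare exact peer dependencies on each other (here @angular/[email protected] wants @angular/[email protected]), so every @angular/* entry has to move to the same major together. The following is an added TypeScript check, not Renovate's or Angular's code, that reports @angular/* entries in a package.json whose ranges disagree on the major; `majorOf`, `angularVersionAlignment` and the sample package.json are hypothetical constructions for this example.

```typescript
// Added check, not Renovate's or Angular's code: find @angular/* packages
// whose declared ranges are not on the same major version.

interface PackageJson {
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

interface AlignmentReport {
  majors: number[];        // distinct majors found, ascending
  unparsed: string[];      // @angular/* entries whose range has no leading number
  offenders: string[];     // packages not on the most common major
}

// Major version of a range such as "^16.2.12", "~18.0.0", ">=18.0.0" or "18".
// Ranges like "*" or "latest" return null and are reported separately.
function majorOf(range: string): number | null {
  const m = /^[\^~>=\s]*(\d+)(?:\.|$)/.exec(range.trim());
  return m ? Number(m[1]) : null;
}

function angularVersionAlignment(pkg: PackageJson): AlignmentReport {
  const entries: Record<string, string> = { ...pkg.dependencies, ...pkg.devDependencies };
  const byPackage: Record<string, number> = {};
  const counts: Record<number, number> = {};
  const unparsed: string[] = [];
  for (const name of Object.keys(entries).sort()) {
    if (name.indexOf('@angular/') !== 0) continue;
    const major = majorOf(entries[name]);
    if (major === null) { unparsed.push(name); continue; }
    byPackage[name] = major;
    counts[major] = (counts[major] || 0) + 1;
  }
  const majors = Object.keys(counts).map(Number).sort((a, b) => a - b);
  // The most common major is taken as the intended one; ties go to the lowest.
  let dominant: number | null = null;
  for (const major of majors) {
    if (dominant === null || counts[major] > counts[dominant]) dominant = major;
  }
  const offenders = Object.keys(byPackage).filter(name => byPackage[name] !== dominant);
  return { majors, unparsed, offenders };
}

// Constructed sample mirroring the failing branch: every @angular/* package on
// 16.2.12 except the one this PR bumped to ^18.0.0.
const samplePackageJson: PackageJson = {
  devDependencies: {
    '@angular/animations': '16.2.12',
    '@angular/core': '16.2.12',
    '@angular/platform-server': '^18.0.0',
    'typescript': '~5.1.0',
  },
};

const report = angularVersionAlignment(samplePackageJson);
console.log(report);
// { majors: [16, 18], unparsed: [], offenders: ['@angular/platform-server'] }
```

Feed it the real package.json (for example `JSON.parse(fs.readFileSync('package.json', 'utf8'))`) in CI before accepting a Renovate branch; a non-empty `offenders` list means the PR needs the whole @angular/* group updated, which is also how to get past the fixed versions rather than resolving with --force or --legacy-peer-deps.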
