chore(deps): update dependency @angular/compiler to v21.2.17 [security] by renovate[bot] · Pull Request #397 · 1stG/configs

renovate · 2026-06-16T02:48:45Z

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/compiler (source)	`21.2.15` → `21.2.17`

@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

CVE-2026-54265 / GHSA-58w9-8g37-x9v5

More information

Details

An issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings.

Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized.

This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS).

Impact

Any Angular application that uses two-way data binding ([()] or bindon-) on security-sensitive native DOM properties (like innerHTML, href on <a>, src on <img>/<iframe>, etc.) is vulnerable to this security bypass.

Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.

Attack Preconditions

To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist:

Two-Way Binding on Sensitive Properties: The application must bind to a sensitive native DOM property using the two-way binding syntax (e.g., <div [(innerHTML)]="userContent"></div>).
User-Controlled Input: The value bound to this property must be influenceable by user-controlled input.
Absence of Additional Sanitization: The application does not perform separate manual sanitization (e.g., via DomSanitizer) before passing the value to the bound property.

Patches

22.0.1
21.2.17
20.3.25

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

angular/angular (@angular/compiler)

`v21.2.17`

Compare Source

Deprecations

platform-server

XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit	Type	Description
86a56dc279	fix	Limits date format string length
d846326b07	fix	skip transfer cache for uncacheable HTTP traffic
bc55749698	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
dc9c99636d	fix	sanitize two-way properties

core

Commit	Type	Description
1523061137	fix	harden TransferState restoration against DOM clobbering
88832c84f8	fix	validate lowercase SVG animation attribute names (#69269)

http

Commit	Type	Description
bcb1b7ea25	fix	preserve empty referrer option in HttpRequest
a810a319d1	fix	Rejects non-HTTP(S) URLs in JSONP requests
e245d40c4d	fix	skip transfer cache for fetch credentialed requests

platform-server

Commit	Type	Description
35510746b7	fix	harden platform location origin validation during SSR
13fb0afe93	refactor	deprecate ServerXhr (#69255)

service-worker

Commit	Type	Description
b9d29381bb	fix	Strips sensitive headers on cross-origin redirects

`v21.2.16`

Compare Source

common

Commit	Type	Description
f6d8e642b0	fix	only strip a literal /index.html suffix from URLs

compiler

Commit	Type	Description
ae1c8a1f7a	fix	move projection attributes into constants

core

Commit	Type	Description
3fd6897a67	fix	harden inherit definition feature against polluted prototypes
7e38336dc7	fix	use Object.create(null) for LOCALE_DATA as a hardening measure

platform-server

Commit	Type	Description
66821c4ed5	fix	throw on suspicious URLs and restrict protocol-relative URLs
d3170031b6	fix	update domino to latest version

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

changeset-bot · 2026-06-16T02:48:50Z

⚠️ No Changeset found

Latest commit: ab051bc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

codesandbox-ci · 2026-06-16T02:49:12Z

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

github-actions · 2026-06-16T02:49:15Z

📊 Package size report `No changes`

File	Before	After
Total _{(Includes all files)}	`3.5 MB`	`3.5 MB`
Tarball size	`1.1 MB`	`1.1 MB`

Unchanged files

File	Size
`.browserslistrc`	`41 B`
`.changeset/config.json`	`311 B`
`.changeset/README.md`	`510 B`
`.codesandbox/ci.json`	`63 B`
`.commitlintrc`	`35 B`
`.editorconfig`	`145 B`
`.gitattributes`	`115 B`
`.github/workflows/autofix.yml`	`913 B`
`.github/workflows/ci.yml`	`1.7 kB`
`.github/workflows/pkg-pr-new.yml`	`646 B`
`.github/workflows/pkg-size.yml`	`702 B`
`.github/workflows/release.yml`	`1.3 kB`
`.markuplintrc`	`96 B`
`.nano-staged.js`	`48 B`
`.nvmrc`	`6 B`
`.postcssrc.cjs`	`49 B`
`.prettierignore`	`41 B`
`.prettierrc`	`24 B`
`.remarkrc`	`42 B`
`.renovaterc`	`49 B`
`.simple-git-hooks.js`	`49 B`
`.stylelintignore`	`209 B`
`.stylelintrc`	`90 B`
`.yarn/plugins/plugin-prepare-lifecycle.cjs`	`202 B`
`.yarn/releases/yarn-4.15.0.cjs`	`3.0 MB`
`.yarnrc.yml`	`398 B`
`CHANGELOG.md`	`1.1 kB`
`default.json`	`499 B`
`eslint.config.js`	`516 B`
`global.d.ts`	`53 B`
`LICENSE`	`1.1 kB`
`package.json`	`2.7 kB`
`packages/app-config/CHANGELOG.md`	`55.0 kB`
`packages/app-config/package.json`	`769 B`
`packages/app-config/README.md`	`2.7 kB`
`packages/babel-preset/CHANGELOG.md`	`24.7 kB`
`packages/babel-preset/config.js`	`43 B`
`packages/babel-preset/index.js`	`5.6 kB`
`packages/babel-preset/package.json`	`1.6 kB`
`packages/babel-preset/README.md`	`2.7 kB`
`packages/browserslist-config/_not.js`	`140 B`
`packages/browserslist-config/alauda-legacy.js`	`51 B`
`packages/browserslist-config/alauda.js`	`129 B`
`packages/browserslist-config/CHANGELOG.md`	`7.5 kB`
`packages/browserslist-config/index.js`	`116 B`
`packages/browserslist-config/latest.js`	`186 B`
`packages/browserslist-config/modern.js`	`167 B`
`packages/browserslist-config/package.json`	`570 B`
`packages/browserslist-config/README.md`	`2.7 kB`
`packages/commitlint-config/CHANGELOG.md`	`14.5 kB`
`packages/commitlint-config/index.js`	`537 B`
`packages/commitlint-config/package.json`	`638 B`
`packages/commitlint-config/README.md`	`2.7 kB`
`packages/common-config/CHANGELOG.md`	`51.6 kB`
`packages/common-config/package.json`	`954 B`
`packages/common-config/README.md`	`2.7 kB`
`packages/config/CHANGELOG.md`	`4.0 kB`
`packages/config/index.d.ts`	`308 B`
`packages/config/index.js`	`1.1 kB`
`packages/config/package.json`	`599 B`
`packages/config/README.md`	`2.7 kB`
`packages/eslint-config/_util.js`	`2.2 kB`
`packages/eslint-config/angular.js`	`1.2 kB`
`packages/eslint-config/base.d.ts`	`109 B`
`packages/eslint-config/base.js`	`5.8 kB`
`packages/eslint-config/CHANGELOG.md`	`60.8 kB`
`packages/eslint-config/index.d.ts`	`58 B`
`packages/eslint-config/index.js`	`58 B`
`packages/eslint-config/jest.js`	`391 B`
`packages/eslint-config/js-base.js`	`1.4 kB`
`packages/eslint-config/js.js`	`582 B`
`packages/eslint-config/loose.d.ts`	`110 B`
`packages/eslint-config/loose.js`	`1.4 kB`
`packages/eslint-config/overrides.d.ts`	`1.2 kB`
`packages/eslint-config/overrides.js`	`6.3 kB`
`packages/eslint-config/package.json`	`3.1 kB`
`packages/eslint-config/react.js`	`1.7 kB`
`packages/eslint-config/README.md`	`2.7 kB`
`packages/eslint-config/recommended.d.ts`	`116 B`
`packages/eslint-config/recommended.js`	`142 B`
`packages/eslint-config/test.js`	`309 B`
`packages/eslint-config/ts-base.js`	`4.0 kB`
`packages/eslint-config/vitest.js`	`396 B`
`packages/eslint-config/vue.js`	`1.5 kB`
`packages/markuplint-config/angular.js`	`122 B`
`packages/markuplint-config/base.d.ts`	`87 B`
`packages/markuplint-config/base.js`	`413 B`
`packages/markuplint-config/CHANGELOG.md`	`6.5 kB`
`packages/markuplint-config/index.d.ts`	`36 B`
`packages/markuplint-config/index.js`	`36 B`
`packages/markuplint-config/package.json`	`934 B`
`packages/markuplint-config/README.md`	`2.7 kB`
`packages/markuplint-config/vue.d.ts`	`85 B`
`packages/markuplint-config/vue.js`	`240 B`
`packages/nano-staged/_utils.js`	`429 B`
`packages/nano-staged/base.js`	`1.4 kB`
`packages/nano-staged/CHANGELOG.md`	`3.7 kB`
`packages/nano-staged/index.js`	`36 B`
`packages/nano-staged/ngc.js`	`216 B`
`packages/nano-staged/package.json`	`982 B`
`packages/nano-staged/README.md`	`2.7 kB`
`packages/nano-staged/tsc.js`	`255 B`
`packages/nano-staged/vue-tsc.js`	`249 B`
`packages/postcss-config/CHANGELOG.md`	`17.9 kB`
`packages/postcss-config/index.d.ts`	`88 B`
`packages/postcss-config/index.js`	`1.3 kB`
`packages/postcss-config/package.json`	`1.2 kB`
`packages/postcss-config/README.md`	`2.7 kB`
`packages/prettier-config/angular.d.ts`	`36 B`
`packages/prettier-config/angular.js`	`210 B`
`packages/prettier-config/base.d.ts`	`92 B`
`packages/prettier-config/base.js`	`2.0 kB`
`packages/prettier-config/CHANGELOG.md`	`29.5 kB`
`packages/prettier-config/index.d.ts`	`36 B`
`packages/prettier-config/index.js`	`36 B`
`packages/prettier-config/next.d.ts`	`36 B`
`packages/prettier-config/next.js`	`220 B`
`packages/prettier-config/package.json`	`1.5 kB`
`packages/prettier-config/quote.d.ts`	`36 B`
`packages/prettier-config/quote.js`	`94 B`
`packages/prettier-config/README.md`	`2.7 kB`
`packages/prettier-config/semi/angular.d.ts`	`37 B`
`packages/prettier-config/semi/angular.js`	`90 B`
`packages/prettier-config/semi/index.d.ts`	`37 B`
`packages/prettier-config/semi/index.js`	`87 B`
`packages/prettier-config/semi/next.d.ts`	`37 B`
`packages/prettier-config/semi/next.js`	`87 B`
`packages/prettier-config/semi/quote.d.ts`	`37 B`
`packages/prettier-config/semi/quote.js`	`88 B`
`packages/prettier-config/semi/vue.d.ts`	`37 B`
`packages/prettier-config/semi/vue.js`	`86 B`
`packages/prettier-config/vue.d.ts`	`36 B`
`packages/prettier-config/vue.js`	`206 B`
`packages/remark-preset/CHANGELOG.md`	`9.0 kB`
`packages/remark-preset/index.js`	`1.3 kB`
`packages/remark-preset/package.json`	`1.1 kB`
`packages/remark-preset/README.md`	`2.7 kB`
`packages/simple-git-hooks/CHANGELOG.md`	`4.6 kB`
`packages/simple-git-hooks/index.js`	`193 B`
`packages/simple-git-hooks/package.json`	`711 B`
`packages/simple-git-hooks/README.md`	`2.7 kB`
`packages/stylelint-config/_overrides.js`	`939 B`
`packages/stylelint-config/base.d.ts`	`76 B`
`packages/stylelint-config/base.js`	`1.5 kB`
`packages/stylelint-config/CHANGELOG.md`	`23.7 kB`
`packages/stylelint-config/index.d.ts`	`80 B`
`packages/stylelint-config/index.js`	`72 B`
`packages/stylelint-config/loose.d.ts`	`78 B`
`packages/stylelint-config/loose.js`	`76 B`
`packages/stylelint-config/modules.d.ts`	`82 B`
`packages/stylelint-config/modules.js`	`263 B`
`packages/stylelint-config/package.json`	`1.3 kB`
`packages/stylelint-config/README.md`	`2.7 kB`
`packages/stylelint-config/scss/base.d.ts`	`76 B`
`packages/stylelint-config/scss/base.js`	`1.4 kB`
`packages/stylelint-config/scss/index.d.ts`	`36 B`
`packages/stylelint-config/scss/index.js`	`36 B`
`packages/stylelint-config/scss/loose.d.ts`	`78 B`
`packages/stylelint-config/scss/loose.js`	`369 B`
`packages/tsconfig/angular.json`	`306 B`
`packages/tsconfig/app.json`	`282 B`
`packages/tsconfig/CHANGELOG.md`	`11.7 kB`
`packages/tsconfig/dom-lib.json`	`158 B`
`packages/tsconfig/erasable.json`	`147 B`
`packages/tsconfig/lib.json`	`189 B`
`packages/tsconfig/loose.json`	`180 B`
`packages/tsconfig/ng-lib.json`	`387 B`
`packages/tsconfig/node.json`	`236 B`
`packages/tsconfig/node16.json`	`192 B`
`packages/tsconfig/nodenext.json`	`196 B`
`packages/tsconfig/package.json`	`602 B`
`packages/tsconfig/README.md`	`2.7 kB`
`packages/tsconfig/tsconfig.json`	`685 B`
`patches/vue-eslint-parser+10.4.0.patch`	`977 B`
`README.md`	`4.0 kB`
`SECURITY.md`	`212 B`
`tests/_test.ts`	`1.1 kB`
`tests/global.d.ts`	`41 B`
`tests/test.cjs`	`742 B`
`tests/test.component.html`	`142 B`
`tests/test.component.ts`	`198 B`
`tests/test.css`	`53 B`
`tests/test.d.ts`	`409 B`
`tests/test.html`	`191 B`
`tests/test.js`	`753 B`
`tests/test.json`	`23 B`
`tests/test.json5`	`22 B`
`tests/test.jsonc`	`37 B`
`tests/test.less`	`315 B`
`tests/test.md`	`61 B`
`tests/test.mdx`	`143 B`
`tests/test.pug`	`17 B`
`tests/test.scss`	`381 B`
`tests/test.sh`	`20 B`
`tests/test.spec.js`	`129 B`
`tests/test.spec.ts`	`671 B`
`tests/test.svg`	`1.2 kB`
`tests/test.toml`	`16 B`
`tests/test.vue`	`439 B`
`tests/test.yaml`	`13 B`
`tests/test.yml`	`13 B`
`tests/test1.jsx`	`347 B`
`tests/test2.ts`	`1.8 kB`
`tests/test3.tsx`	`395 B`
`tsconfig.json`	`41 B`
`vitest.config.ts`	`227 B`

_{🤖 This report was automatically generated by pkg-size-action}

pkg-pr-new · 2026-06-16T02:49:31Z

Open in StackBlitz

@1stg/app-config

npm i https://pkg.pr.new/@1stg/app-config@397

@1stg/babel-preset

npm i https://pkg.pr.new/@1stg/babel-preset@397

@1stg/browserslist-config

npm i https://pkg.pr.new/@1stg/browserslist-config@397

@1stg/commitlint-config

npm i https://pkg.pr.new/@1stg/commitlint-config@397

@1stg/common-config

npm i https://pkg.pr.new/@1stg/common-config@397

@1stg/config

npm i https://pkg.pr.new/@1stg/config@397

@1stg/eslint-config

npm i https://pkg.pr.new/@1stg/eslint-config@397

@1stg/markuplint-config

npm i https://pkg.pr.new/@1stg/markuplint-config@397

@1stg/nano-staged

npm i https://pkg.pr.new/@1stg/nano-staged@397

@1stg/postcss-config

npm i https://pkg.pr.new/@1stg/postcss-config@397

@1stg/prettier-config

npm i https://pkg.pr.new/@1stg/prettier-config@397

@1stg/remark-preset

npm i https://pkg.pr.new/@1stg/remark-preset@397

@1stg/simple-git-hooks

npm i https://pkg.pr.new/@1stg/simple-git-hooks@397

@1stg/stylelint-config

npm i https://pkg.pr.new/@1stg/stylelint-config@397

@1stg/tsconfig

npm i https://pkg.pr.new/@1stg/tsconfig@397

commit: ab051bc

socket-security · 2026-06-16T02:49:54Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@angular/compiler@21.2.15 ⏵ 21.2.17	⁺¹	⁺²	⁺¹	⁺¹

View full report

chore(deps): update dependency @angular/compiler to v21.2.17 [security]

ab051bc

renovate Bot enabled auto-merge (squash) June 16, 2026 02:48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

chore(deps): update dependency @angular/compiler to v21.2.17 [security]#397

chore(deps): update dependency @angular/compiler to v21.2.17 [security]#397
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-angular-compiler-vulnerability

renovate Bot commented Jun 16, 2026

Uh oh!

changeset-bot Bot commented Jun 16, 2026

Uh oh!

codesandbox-ci Bot commented Jun 16, 2026

Uh oh!

github-actions Bot commented Jun 16, 2026

Uh oh!

pkg-pr-new Bot commented Jun 16, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented Jun 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Uh oh!

Conversation

renovate Bot commented Jun 16, 2026

@​angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

Details

Impact

Attack Preconditions

Patches

Severity

References

Release Notes

v21.2.17

Deprecations

platform-server

common

compiler

core

http

platform-server

service-worker

v21.2.16

common

compiler

core

platform-server

Configuration

Uh oh!

changeset-bot Bot commented Jun 16, 2026

⚠️ No Changeset found

Uh oh!

codesandbox-ci Bot commented Jun 16, 2026

Uh oh!

github-actions Bot commented Jun 16, 2026

📊 Package size report No changes

Uh oh!

pkg-pr-new Bot commented Jun 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented Jun 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

`v21.2.17`

`v21.2.16`

📊 Package size report `No changes`

pkg-pr-new Bot commented Jun 16, 2026 •

edited

Loading