fix(deps): Update dependency @angular/common to ^19.2.16 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/common (source)	^19.2.2 -> ^19.2.16

GitHub Vulnerability Alerts

CVE-2025-66035

The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain.

Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header.

Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

Attack Preconditions

1. The victim's Angular application must have XSRF protection enabled.
2. The attacker must be able to make the application send a state-changing HTTP request (e.g., POST) to a protocol-relative URL (e.g., //attacker.com) that they control.

Patches

• 19.2.16
• 20.3.14
• 21.0.1

Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

---

Release Notes

angular/angular (@​angular/common)

v19.2.16

Compare Source

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

v19.2.15

Compare Source

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core

Commit	Type	Description
70d0639bc1	fix	introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.14

Compare Source

compiler

Commit	Type	Description
24bab55f0c	fix	lexer support for template literals in object literals (#​61601)

migrations

Commit	Type	Description
9e1cd49662	fix	preserve comments when removing unused imports (#​61674)

v19.2.13

Compare Source

common

Commit	Type	Description
2c876b4fc5	fix	avoid injecting ApplicationRef in FetchBackend (#​61649)

service-worker

Commit	Type	Description
b15bddfa04	fix	do not register service worker if app is destroyed before it is ready to register (#​61101)

v19.2.12

Compare Source

common

Commit	Type	Description
126efc9972	fix	cancel reader when app is destroyed (#​61528)
efda872453	fix	prevent reading chunks if app is destroyed (#​61354)

compiler

Commit	Type	Description
44bb328eae	fix	avoid conflicts between HMR code and local symbols (#​61550)

compiler-cli

Commit	Type	Description
107180260f	fix	Always retain prior results for all files (#​61487)
1191e62d70	fix	avoid ECMAScript private field metadata emit (#​61227)

core

Commit	Type	Description
2b1b14f4d3	fix	cleanup rxResource abort listener (#​58306)
8f9b05eaaa	fix	cleanup testability subscriptions (#​61261)
eb53bda470	fix	enable stashing only when withEventReplay() is invoked (#​61352)
94f5a4b4d6	fix	Testing should not throw when Zone does not patch test FW APIs (#​61376)
c0c69a5abc	fix	unregister onDestroy in toSignal. (#​61514)

platform-server

Commit	Type	Description
8edafd0559	perf	speed up resolution of base (#​61392)

v19.2.11

Compare Source

v19.2.10

Compare Source

common

Commit	Type	Description
89056a0356	fix	cleanup updateLatestValue if view is destroyed before promise resolves (#​61064)

core

Commit	Type	Description
4623b61448	fix	missing useExisting providers throwing for optional calls (#​61152)
400dbc5b89	fix	properly handle app stabilization with defer blocks (#​61056)

platform-server

Commit	Type	Description
a6f0d5bc20	fix	less aggressive ngServerMode cleanup (#​61106)

v19.2.9

Compare Source

core

Commit	Type	Description
946b844e0d	fix	async EventEmitter error should not prevent stability (#​61028)
dbb87026ca	fix	call DestroyRef on destroy callback if view is destroyed [patch] (#​61061)
2e140a136a	fix	prevent stash listener conflicts [patch] (#​61063)

v19.2.8

Compare Source

forms

Commit	Type	Description
ea4a211216	fix	make NgForm emit FormSubmittedEvent and FormResetEvent (#​60887)

v19.2.7

Compare Source

common

Commit	Type	Description
37ab6814f5	fix	issue a warning instead of an error when NgOptimizedImage exceeds the preload limit (#​60883)

core

Commit	Type	Description
b144126612	fix	inject migration: replace param with this. (#​60713)

http

Commit	Type	Description
d39e09da41	fix	Include HTTP status code and headers when HTTP requests errored in httpResource (#​60802)

v19.2.6

Compare Source

compiler

Commit	Type	Description
3441f7b914	fix	error if rawText isn't estimated correctly (#​60529) (#​60753)

compiler-cli

Commit	Type	Description
fc946c5f72	fix	ensure HMR works with different output module type (#​60797)

core

Commit	Type	Description
00bbd9b382	fix	fix docs for output migration (#​60764)
f2bfa3151e	fix	fix ng generate @​angular/core:output-migration. Fixes angular#​58650 (#​60763)
9241615ad0	fix	reduce total memory usage of various migration schematics (#​60776)

language-service

Commit	Type	Description
0e82d42774	fix	Do not provide element completions in end tag (#​60616)
fcdef1019f	fix	Ensure dollar signs are escaped in completions (#​60597)

v19.2.5

Compare Source

Commit	Type	Description
e61d06afb5	fix	step 6 tutorial docs (#​60630)

animations

Commit	Type	Description
fa48f98d9f	fix	add missing peer dependency on @angular/common (#​60660)

compiler

Commit	Type	Description
ca5aa4d55b	fix	throw for invalid "as" expression in if block (#​60580)

compiler-cli

Commit	Type	Description
f4c4b10ea8	fix	Produce fatal diagnostic on duplicate decorated properties (#​60376)
22a0e54ac4	fix	support relative imports to symbols outside rootDir (#​60555)

core

Commit	Type	Description
64da69f7b6	fix	check ngDevMode for undefined (#​60565)
8f68d1bec3	fix	fix ng generate @​angular/core:output-migration (#​60626)
bc79985c65	fix	fix regexp for event types (#​60592)
006ac7f22f	fix	fixes #​592882 ng generate @​angular/core:signal-queries-migration (#​60688)
da6e93f434	fix	preserve comments in internal inject migration (#​60588)
dbbddd1617	fix	prevent omission of deferred pipes in full compilation (#​60571)

language-service

Commit	Type	Description
0e9e0348dd	fix	Update adapter to log instead of throw errors (#​60651)

migrations

Commit	Type	Description
15f53f035b	fix	handle shorthand assignments in super call (#​60602)
4b161e6234	fix	inject migration not handling super parameter referenced via this (#​60602)

router

Commit	Type	Description
958e98e4f7	fix	Add missing types to transition (#​60307)

service-worker

Commit	Type	Description
7cd89ad2c6	fix	assign initializing client's app version, when a request is for worker script (#​58131)

v19.2.4

Compare Source

core

Commit	Type	Description
081f5f5a83f	fix	fix used templates are not deleted (#​60459)

localize

Commit	Type	Description
a2f622d82d6	fix	handle @​angular/build:karma in ng add (#​60513)

platform-browser

Commit	Type	Description
8e8ccc79279	fix	ensure platformBrowserTesting includes platformBrowser providers (#​60480)

v19.2.3

Compare Source

compiler-cli

Commit	Type	Description
aa8ea7a5b2	fix	report more accurate diagnostic for invalid import (#​60455)

core

Commit	Type	Description
13a8709b2b	fix	catch hydration marker with implicit body tag (#​60429)
296aded9da	fix	execute timer trigger outside zone (#​60392)
0615ffb4f7	fix	include input name in error message (#​60404)

platform-browser-dynamic

Commit	Type	Description
1e06c8e8b6	fix	ensure compiler is loaded before @angular/common (#​60458)

upgrade

Commit	Type	Description
9e1a1030c8	fix	handle output emitters when downgrading a component (#​60369)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate using a curated preset maintained by . View repository job log here

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
sanity-template-angular-clean	Error		Dec 15, 2025 7:04pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​angular/​common@​19.2.2 ⏵ 19.2.17		+16	+1		-20
	npm/​@​angular/​core@​19.2.17

View full report