chore(deps): update dependency @angular/core to v21.2.4 [security] - abandoned

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/core (source)	21.2.1 → 21.2.4

GitHub Vulnerability Alerts

CVE-2026-32635

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script.

The following example illustrates the issue:

<a href="" i18n-href>Click me</a>

The following attributes have been confirmed to be vulnerable:

• action
• background
• cite
• codebase
• data
• formaction
• href
• itemtype
• longdesc
• poster
• src
• xlink:href

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

• Session Hijacking: Stealing session cookies and authentication tokens.
• Data Exfiltration: Capturing and transmitting sensitive user data.
• Unauthorized Actions: Performing actions on behalf of the user.

Attack Preconditions

1. The application must use a vulnerable version of Angular.
2. The application must bind unsanitized user input to one of the attributes mentioned above.
3. The bound value must be marked for internationalization via the presence of a i18n-<name> attribute on the same element.

Patches

• 22.0.0-next.3
• 21.2.4
• 20.3.18
• 19.2.20

Workarounds

The primary workaround is to ensure that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters) until the patch is applied, or when it is, it shouldn't be marked for internationalization.

Alternatively, users can explicitly sanitize their attributes by passing them through Angular's DomSanitizer:

import {Component, inject, SecurityContext} from '@​angular/core';
import {DomSanitizer} from '@​angular/platform-browser';

@​Component({
  template: `
    <form action="" i18n-action>
      <button>Submit</button>
    </form>
  `,
})
export class App {
  url: string;

  constructor() {
    const dangerousUrl = 'javascript:alert(1)';
    const sanitizer = inject(DomSanitizer);
    this.url = sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
  }
}

References

• Fix 1
• Fix 2

---

Release Notes

angular/angular (@​angular/core)

v21.2.4

Compare Source

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description
abbd8797bb	fix	reverts "feat(core): add support for nested animations"
d1dcd16c5b	fix	sanitize translated form attributes

v21.2.3

Compare Source

core

Commit	Type	Description
62a97f7e4b	fix	ensure definitions compile
21b1c3b2ee	fix	include signal debug names in their toString() representation
224e60ecb1	fix	sanitize translated attribute bindings with interpolations

v21.2.2

Compare Source

compiler

Commit	Type	Description
1df1697c6e	fix	prevent mutation of children array in RecursiveVisitor

compiler-cli

Commit	Type	Description
c822bf8e76	fix	always parenthesize object literals in TCB
05d022d5e6	fix	ignore generated ngDevMode signal branch for code coverage

forms

Commit	Type	Description
670d1660c4	feat	add 'blur' option to debounce rule

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @openmfp/webcomponents@0.1.0
npm error Found: @angular/compiler@21.2.1
npm error node_modules/@angular/compiler
npm error   peer @angular/compiler@"^21.0.0" from @angular/build@21.2.1
npm error   node_modules/@angular/build
npm error     peerOptional @angular/build@"^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0" from @analogjs/vite-plugin-angular@2.3.1
npm error     node_modules/@analogjs/vite-plugin-angular
npm error       dev @analogjs/vite-plugin-angular@"^2.3.1" from the root project
npm error     @angular/build@"21.2.1" from @angular-devkit/build-angular@21.2.1
npm error     node_modules/@angular-devkit/build-angular
npm error       peerOptional @angular-devkit/build-angular@"^15.0.0 || ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0" from @analogjs/vite-plugin-angular@2.3.1
npm error       node_modules/@analogjs/vite-plugin-angular
npm error         dev @analogjs/vite-plugin-angular@"^2.3.1" from the root project
npm error       2 more (@storybook/angular, the root project)
npm error     1 more (the root project)
npm error   peer @angular/compiler@"21.2.1" from @angular/compiler-cli@21.2.1
npm error   node_modules/@angular/compiler-cli
npm error     peer @angular/compiler-cli@"^21.0.0" from @angular-devkit/build-angular@21.2.1
npm error     node_modules/@angular-devkit/build-angular
npm error       peerOptional @angular-devkit/build-angular@"^15.0.0 || ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0" from @analogjs/vite-plugin-angular@2.3.1
npm error       node_modules/@analogjs/vite-plugin-angular
npm error         dev @analogjs/vite-plugin-angular@"^2.3.1" from the root project
npm error       2 more (@storybook/angular, the root project)
npm error     peer @angular/compiler-cli@"^21.0.0" from @angular/build@21.2.1
npm error     node_modules/@angular/build
npm error       peerOptional @angular/build@"^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0" from @analogjs/vite-plugin-angular@2.3.1
npm error       node_modules/@analogjs/vite-plugin-angular
npm error         dev @analogjs/vite-plugin-angular@"^2.3.1" from the root project
npm error       2 more (@angular-devkit/build-angular, the root project)
npm error     4 more (@ngtools/webpack, @storybook/angular, ng-packagr, the root project)
npm error   3 more (@angular/platform-browser-dynamic, ...)
npm error
npm error Could not resolve dependency:
npm error peer @angular/core@"21.2.4" from the root project
npm error
npm error Conflicting peer dependency: @angular/compiler@21.2.4
npm error node_modules/@angular/compiler
npm error   peerOptional @angular/compiler@"21.2.4" from @angular/core@21.2.4
npm error   node_modules/@angular/core
npm error     peer @angular/core@"21.2.4" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-04-03T15_14_16_184Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-04-03T15_14_16_184Z-debug-0.log

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Free

Run ID: 71fe87ff-a348-42bd-b50f-b16e93e06b4c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.