The Angular dependencies have been upgraded from version 17.3.12 to 19.2.17 to address critical security vulnerabilities.
Severity: Critical
Affected Versions:
- Angular >= 21.0.0-next.0, < 21.0.1
- Angular >= 20.0.0-next.0, < 20.3.14
- Angular < 19.2.16
Description: Angular's HTTP Client was vulnerable to XSRF token leakage when making requests to protocol-relative URLs. An attacker could potentially intercept XSRF tokens.
Fix: Upgraded to Angular 19.2.17 (patched version: 19.2.16+)
Impact: High - Could lead to Cross-Site Request Forgery attacks
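As an added illustration of the XSRF advisory above (example code, not Angular's implementation and not part of this project): a simplified model of the same-origin decision an XSRF interceptor has to make before attaching the token. The naive prefix check is shown beside an origin comparison; `APP_ORIGIN` and the sample URLs are constructed values.

```javascript
// Assumed origin of the single-page application (constructed for this example).
const APP_ORIGIN = 'https://app.example';

// Naive check, modelling the bug class in the advisory: anything that does not
// start with http:// or https:// is treated as a relative, same-origin URL.
// A protocol-relative '//host/path' slips through and would carry the token off-origin.
function naiveIsSameOrigin(url) {
  const lc = url.toLowerCase();
  return !(lc.startsWith('http://') || lc.startsWith('https://'));
}

// Hardened check: resolve the URL against the app origin the way the browser
// would (WHATWG URL parsing) and compare the resulting origin. Protocol-relative
// and backslash-prefixed forms resolve to a different host; unparsable input is rejected.
function isSameOrigin(url, appOrigin = APP_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(url, appOrigin);
  } catch {
    return false;
  }
  return resolved.origin === new URL(appOrigin).origin;
}

// Decide whether an outgoing request should carry the XSRF header at all:
// safe methods never do, and mutating requests only when the target is same-origin.
function shouldAttachXsrfToken(method, url, sameOriginCheck = isSameOrigin) {
  const m = method.toUpperCase();
  if (m === 'GET' || m === 'HEAD') return false;
  return sameOriginCheck(url);
}

// Constructed sample of request URLs an application might issue.
const SAMPLE_URLS = [
  '/api/items',
  'api/items',
  'https://app.example/api/items',
  '//evil.example/api/items',
  '\\\\evil.example/api/items',
];

// URLs the naive check would send the token to even though they leave the app origin.
function tokenLeakCandidates(urls, appOrigin = APP_ORIGIN) {
  return urls.filter((u) => naiveIsSameOrigin(u) && !isSameOrigin(u, appOrigin));
}
```

Running `tokenLeakCandidates(SAMPLE_URLS)` returns exactly the two off-origin forms the naive check misses, which is the gap a regression test for the upgrade should cover.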
Severity: High
Affected Versions:
- Angular >= 21.0.0-next.0, < 21.0.2
- Angular >= 20.0.0-next.0, < 20.3.15
- Angular >= 19.0.0-next.0, < 19.2.17
- Angular <= 18.2.14 (no patch available)
Description: Angular's compiler was vulnerable to stored XSS attacks through SVG animation elements, SVG URL attributes, and MathML attributes. An attacker could inject malicious scripts that would be executed in the user's browser.
Fix: Upgraded to Angular 19.2.17 (patched version: 19.2.17+)
Impact: High - Could lead to unauthorized access, data theft, or session hijacking
- Upgraded Angular packages from 17.3.12 to 19.2.17:
  - @angular/animations
  - @angular/common
  - @angular/compiler
  - @angular/core
  - @angular/forms
  - @angular/platform-browser
  - @angular/platform-browser-dynamic
  - @angular/router
  - @angular/compiler-cli
- Upgraded Angular CLI to 19.2.6
- Upgraded TypeScript to 5.7.2 for compatibility
- Tested the build to ensure no breaking changes
- Verified vulnerability remediation using gh-advisory-database
```bash
npm list @angular/common @angular/compiler
# Output shows version 19.2.17 for all packages
npm audit
# Angular XSS vulnerabilities resolved
# Remaining vulnerabilities are in development dependencies only (vite, http-proxy-middleware)
```
- ✅ Build successful with Angular 19.2.17
- ✅ No compilation errors
- ✅ All Angular vulnerabilities resolved
- ✅ Application functionality intact
- ✅ No breaking changes observed
The following vulnerabilities remain but are development-only dependencies and do not affect production:
- http-proxy-middleware (moderate) - Development server only
- vite (moderate/low) - Development server only
These tools are not included in the production build and pose no risk to deployed applications.
- Deploy the updated version as soon as possible
- Monitor for future updates - Subscribe to Angular security advisories
- Update regularly - Keep Angular and all dependencies up to date
- Review code - Ensure no direct DOM manipulation that could bypass Angular's sanitization
To prevent similar issues in the future:
- Enable automated security scanning in CI/CD pipeline
- Subscribe to security advisories:
  - Angular Security: https://github.com/angular/angular/security/advisories
  - npm audit: Run regularly
  - GitHub Dependabot: Enable for automatic PR creation
- Regular dependency updates:
  ```bash
  npm audit
  npm audit fix
  npm outdated
  ```
- Security scanning in CI/CD:
  ```yaml
  - name: Security Audit
    run: npm audit --audit-level=moderate
  ```
For questions about this security update:
- Create an issue in the GitHub repository
- Contact: security@example.com
- [SECURITY] Upgraded Angular from 17.3.12 to 19.2.17
- [SECURITY] Fixed XSRF token leakage vulnerability
- [SECURITY] Fixed stored XSS vulnerability
- [FEATURE] Updated to latest TypeScript 5.7.2
- [BUILD] Verified build compatibility
- Initial implementation with Angular 17.3.12