chore(deps): update dependency @angular/platform-server to v18 [security] #31035

renovate · 2025-09-11T01:33:09Z

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/platform-server (source)	`17.3.12` -> `18.2.14`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-59052

Impact

Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state.

In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks.

The following APIs were vulnerable and required SSR-only breaking changes:

bootstrapApplication: This function previously implicitly retrieved the last platform injector that was created. It now requires an explicit BootstrapContext in a server environment. This function is only used for standalone applications. NgModule-based applications are not affected.
getPlatform: This function previously returned the last platform instance that was created. It now always returns null in a server environment.
destroyPlatform: This function previously destroyed the last platform instance that was created. It's now a no-op when called in a server environment.

For bootstrapApplication, the framework now provides a new argument to the application's bootstrap function:

// Before:
const bootstrap = () => bootstrapApplication(AppComponent, config);

// After:
const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

As is usually the case for changes to Angular, an automatic schematic will take care of these code changes as part of ng update:

# For apps on Angular v20:
ng update @&#8203;angular/cli @&#8203;angular/core

# For apps on Angular v19:
ng update @&#8203;angular/cli@19 @&#8203;angular/core@19

# For apps on Angular v18:
ng update @&#8203;angular/cli@18 @&#8203;angular/core@18

The schematic can also be invoked explicitly if the version bump was pulled in independently:

# For apps on Angular v20:
ng update @&#8203;angular/core --name add-bootstrap-context-to-server-main

# For apps on Angular v19:
ng update @&#8203;angular/core@19 --name add-bootstrap-context-to-server-main

# For apps on Angular v18:
ng update @&#8203;angular/core@18 --name add-bootstrap-context-to-server-main

For applications that still use CommonEngine, the bootstrap property in CommonEngineOptions also gains the same context argument in the patched versions of Angular.

In local development (ng serve), Angular CLI triggered a codepath for Angular's "JIT" feature on the server even in applications that weren't using it in the browser. The codepath introduced async behavior between platform creation and application bootstrap, triggering the race condition even if an application didn't explicitly use getPlatform or custom async logic in bootstrap. Angular applications should never run in this mode outside of local development.

Patches

The issue has been patched in all active release lines as well as in the v21 prerelease:

@angular/platform-server: 21.0.0-next.3
@angular/platform-server: 20.3.0
@angular/platform-server: 19.2.15
@angular/platform-server: 18.2.14
@angular/ssr: 21.0.0-next.3
@angular/ssr: 20.3.0
@angular/ssr: 19.2.16
@angular/ssr: 18.2.21

Workarounds

Disable SSR via Server Routes (v19+) or builder options.
Remove any asynchronous behavior from custom bootstrap functions.
Remove uses of getPlatform() in application code.
Ensure that the server build defines ngJitMode as false.

References

Release Notes

angular/angular (@angular/platform-server)

Commit	Type	Description
5f2d98a1b1	fix	avoid slow stringification when checking for duplicates in dev mode (#58521)
3aa45a2fa1	fix	resolve forward-referenced host directives during directive matching (#58492) (#58500)

Commit	Type	Description
11692c8dab	fix	add multiple :host and nested selectors support (#57796)
66dcc691f5	fix	allow combinators inside pseudo selectors (#57796)
48a1437e77	fix	fix comment typo (#57796)
d325f9b55f	fix	fix parsing of the :host-context with pseudo selectors (#57796)
aea747ab3b	fix	preserve attributes attached to :host selector (#57796)
21be258be6	fix	scope :host-context inside pseudo selectors, do not decrease specificity (#57796)
7a6fd427d5	fix	transform pseudo selectors correctly for the encapsulated view (#57796)

Commit	Type	Description
249d0260f9	fix	execute checks and remove placeholder when image is already loaded (#55444)
46a2ad39f5	fix	prevent warning about oversize image twice (#58021)
8f2b0ede59	fix	skip checking whether SVGs are oversized (#57966)

Commit	Type	Description
106917af878	fix	avoid leaking memory if component throws during creation (#57546)
6d3a2af146a	fix	Do not bubble capture events. (#57476)

Commit	Type	Description
98ed5b609e	feat	run JIT transform on classes with `jit: true` opt-out (#56892)
c76b440ac0	fix	add warning for unused let declarations (#57033)
0f0a1f2836	fix	emitting references to ngtypecheck files (#57138)
6c2fbda694	fix	extended diagnostic visitor not visiting template attributes (#57033)
e11c0c42d2	fix	run JIT transforms on `@NgModule` classes with `jit: true` (#57212)

Commit	Type	Description
f7918f5272	feat	Add 'flush' parameter option to fakeAsync to flush after the test (#57239)
fab673a1dd	feat	add ng generate schematic to convert to inject (#57056)
7919982063	feat	Add whenStable helper on ApplicationRef (#57190)
3459289ef0	feat	bootstrapModule can configure NgZone in providers (#57060)
296216cbe1	fix	Allow hybrid CD scheduling to support multiple "Angular zones" (#57267)
8718abce90	fix	Deprecate ignoreChangesOutsideZone option (#57029)
827070e331	fix	Do not run image performance warning checks on server (#57234)
ca89ef9141	fix	handle shorthand assignment in the inject migration (#57134)
5dcdbfcba9	fix	rename the equality function option in toSignal (#56769)
2a4f488a6c	fix	warnings for oversized images and lazy-lcp present with bootstrapModule (#57060)

Commit	Type	Description
4bb558ab0c	feat	support writing code refactorings (#56895)
7663debce1	perf	quick exit if no code fixes can exist (#57000)

Commit	Type	Description
147eee4253	feat	add migration to convert standalone component routes to be lazy loaded (#56428)
cb442a0ce7	fix	account for parameters with union types (#57127)
166166d79e	fix	add alias to inject migration (#57127)
b1a9d0f4de	fix	avoid duplicating comments when generating properties (#57367)
5d76401ff5	fix	preserve optional parameters (#57367)
1cf616f671	fix	remove generic arguments from the injected type reference (#57127)
ba0df30ef6	fix	remove unused imports in inject migration (#57179)
aae9646a1b	fix	unwrap injected forwardRef (#57127)
604270619a	perf	speed up signal input migration by combining two analyze phases (#57318)

Commit	Type	Description
e39b22a932	fix	Account for addEventListener to be passed a Window or Document. (#57282)
db65bc25ca	fix	Account for addEventListener to be passed a Window or Document. (#57354)
0e024ecc27	fix	complete post-hydration cleanup in components that use ViewContainerRef (#57300)
822db64b93	fix	skip hydration for i18n nodes that were not projected (#57356)
810f76f574	fix	take skip hydration flag into account while hydrating i18n blocks (#57299)

Commit	Type	Description
afb05ff1cb	fix	support JIT transforms before other transforms modifying classes (#57262)
bae54a1621	perf	improve performance of `interpolatedSignalNotInvoked` extended diagnostic (#57291)

Commit	Type	Description
f7ab04018e	fix	errors during ApplicationRef.tick should be rethrown for zoneless tests (#56993)
eaa83f9d27	fix	hydration error in some let declaration setups (#57173)

Commit	Type	Description
9e52c1c840	fix	`afterNextRender` hooks return that callback value. (#57031)
b9fb98c67c	fix	tree shake dev mode error message (#57035)

Commit	Type	Description
daf0317bdc	fix	JIT mode incorrectly interpreting host directive configuration in partial compilation (#57002)
d7dca6dbb6	fix	use strict equality for 'code' comparison (#56944)

chore(deps): update dependency @angular/platform-server to v18 [security] #31035

Are you sure you want to change the base?

chore(deps): update dependency @angular/platform-server to v18 [security] #31035

Uh oh!

Conversation

renovate bot commented Sep 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

Release Notes

Breaking Changes

core

core

migrations

compiler-cli

core

compiler

localize

compiler-cli

compiler

compiler-cli

core

platform-server

common

compiler-cli

core

http

migrations

upgrade

compiler-cli

core

migrations

compiler

migrations

http

core

http

router

upgrade

Breaking Changes

core

core

compiler

compiler-cli

core

language-service

migrations

router

compiler-cli

core

compiler

compiler-cli

language-service

compiler

compiler-cli

core

compiler

compiler-cli

core

common

compiler

compiler-cli

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate bot commented Sep 11, 2025 •

edited

Loading