Visit Angular NES Home Page
Angular 12
Comprehensive release notes and changelog for Angular 12, including security patches, bug fixes, and feature updates across all supported versions.
5 Patched Vulnerabilities
VEX Statements
Angular
v12.3.6 - March 10, 2026
Notes
- Full package name(s) and version(s):
@neverendingsupport/angular-animations@12.2.17-angular-12.3.6@neverendingsupport/angular-bazel@12.2.17-angular-12.3.6@neverendingsupport/angular-common@12.2.17-angular-12.3.6@neverendingsupport/angular-compiler@12.2.17-angular-12.3.6@neverendingsupport/angular-compiler-cli@12.2.17-angular-12.3.6@neverendingsupport/angular-core@12.2.17-angular-12.3.6@neverendingsupport/angular-elements@12.2.17-angular-12.3.6@neverendingsupport/angular-forms@12.2.17-angular-12.3.6@neverendingsupport/angular-language-service@12.2.17-angular-12.3.6@neverendingsupport/angular-localize@12.2.17-angular-12.3.6@neverendingsupport/angular-platform-browser@12.2.17-angular-12.3.6@neverendingsupport/angular-platform-browser-dynamic@12.2.17-angular-12.3.6@neverendingsupport/angular-platform-server@12.2.17-angular-12.3.6@neverendingsupport/angular-router@12.2.17-angular-12.3.6@neverendingsupport/angular-service-worker@12.2.17-angular-12.3.6@neverendingsupport/angular-upgrade@12.2.17-angular-12.3.6
Security Fixes
- core: Block creation of sensitive URI attributes from ICU messages.
- This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-27970).
Breaking Changes
core
- Block creation of sensitive URI attributes from ICU messages:
Translators can no longer introduce URI attributes—attribute values are blocked to avoid malicious links, and sanitization now relies on an allowlist of known attributes (still sanitizing URI ones). Translated ICU content keeps only recognized attributes and drops everything else.
v12.3.5 - February 24, 2026
Notes
- Full package name(s) and version(s):
@neverendingsupport/angular-animations@12.2.17-angular-12.3.5@neverendingsupport/angular-bazel@12.2.17-angular-12.3.5@neverendingsupport/angular-common@12.2.17-angular-12.3.5@neverendingsupport/angular-compiler@12.2.17-angular-12.3.5@neverendingsupport/angular-compiler-cli@12.2.17-angular-12.3.5@neverendingsupport/angular-core@12.2.17-angular-12.3.5@neverendingsupport/angular-elements@12.2.17-angular-12.3.5@neverendingsupport/angular-forms@12.2.17-angular-12.3.5@neverendingsupport/angular-language-service@12.2.17-angular-12.3.5@neverendingsupport/angular-localize@12.2.17-angular-12.3.5@neverendingsupport/angular-platform-browser@12.2.17-angular-12.3.5@neverendingsupport/angular-platform-browser-dynamic@12.2.17-angular-12.3.5@neverendingsupport/angular-platform-server@12.2.17-angular-12.3.5@neverendingsupport/angular-router@12.2.17-angular-12.3.5@neverendingsupport/angular-service-worker@12.2.17-angular-12.3.5@neverendingsupport/angular-upgrade@12.2.17-angular-12.3.5
Security Fixes
- core: Sanitize sensitive attributes on SVG script elements.
- This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-22610).
v12.3.4 - December 18, 2025
Notes
- Full package name(s) and version(s):
@neverendingsupport/angular-animations@12.2.17-angular-12.3.4@neverendingsupport/angular-bazel@12.2.17-angular-12.3.4@neverendingsupport/angular-common@12.2.17-angular-12.3.4@neverendingsupport/angular-compiler@12.2.17-angular-12.3.4@neverendingsupport/angular-compiler-cli@12.2.17-angular-12.3.4@neverendingsupport/angular-core@12.2.17-angular-12.3.4@neverendingsupport/angular-elements@12.2.17-angular-12.3.4@neverendingsupport/angular-forms@12.2.17-angular-12.3.4@neverendingsupport/angular-language-service@12.2.17-angular-12.3.4@neverendingsupport/angular-localize@12.2.17-angular-12.3.4@neverendingsupport/angular-platform-browser@12.2.17-angular-12.3.4@neverendingsupport/angular-platform-browser-dynamic@12.2.17-angular-12.3.4@neverendingsupport/angular-platform-server@12.2.17-angular-12.3.4@neverendingsupport/angular-router@12.2.17-angular-12.3.4@neverendingsupport/angular-service-worker@12.2.17-angular-12.3.4@neverendingsupport/angular-upgrade@12.2.17-angular-12.3.4
Security Fixes
- compiler: Prevent stored XSS via SVG animation
attributeNameand MathML/SVG URLs.- This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2025-66412).
v12.3.3 - December 4, 2025
Notes
- Full package name(s) and version(s):
@neverendingsupport/angular-animations@12.2.17-angular-12.3.3@neverendingsupport/angular-bazel@12.2.17-angular-12.3.3@neverendingsupport/angular-common@12.2.17-angular-12.3.3@neverendingsupport/angular-compiler@12.2.17-angular-12.3.3@neverendingsupport/angular-compiler-cli@12.2.17-angular-12.3.3@neverendingsupport/angular-core@12.2.17-angular-12.3.3@neverendingsupport/angular-elements@12.2.17-angular-12.3.3@neverendingsupport/angular-forms@12.2.17-angular-12.3.3@neverendingsupport/angular-language-service@12.2.17-angular-12.3.3@neverendingsupport/angular-localize@12.2.17-angular-12.3.3@neverendingsupport/angular-platform-browser@12.2.17-angular-12.3.3@neverendingsupport/angular-platform-browser-dynamic@12.2.17-angular-12.3.3@neverendingsupport/angular-platform-server@12.2.17-angular-12.3.3@neverendingsupport/angular-router@12.2.17-angular-12.3.3@neverendingsupport/angular-service-worker@12.2.17-angular-12.3.3@neverendingsupport/angular-upgrade@12.2.17-angular-12.3.3
Security Fixes
- common: Prevent Cross-Site Request Forgery (XSRF) token leakage to protocol-relative URLs.
- This fixes a high-severity Information Exposure vulnerability (CVE-2025-66035).
v12.3.2 - June 16, 2025
Notes
- This release contains no functional changes from NES v12.3.1.
- This release implements a new package naming scheme for the Angular packages. More information about the change can be found in the NES Decoupled Namespace Specification.
- Full package name(s) and version(s):
@neverendingsupport/angular-animations@12.2.17-angular-12.3.2@neverendingsupport/angular-bazel@12.2.17-angular-12.3.2@neverendingsupport/angular-common@12.2.17-angular-12.3.2@neverendingsupport/angular-compiler@12.2.17-angular-12.3.2@neverendingsupport/angular-compiler-cli@12.2.17-angular-12.3.2@neverendingsupport/angular-core@12.2.17-angular-12.3.2@neverendingsupport/angular-elements@12.2.17-angular-12.3.2@neverendingsupport/angular-forms@12.2.17-angular-12.3.2@neverendingsupport/angular-language-service@12.2.17-angular-12.3.2@neverendingsupport/angular-localize@12.2.17-angular-12.3.2@neverendingsupport/angular-platform-browser@12.2.17-angular-12.3.2@neverendingsupport/angular-platform-browser-dynamic@12.2.17-angular-12.3.2@neverendingsupport/angular-platform-server@12.2.17-angular-12.3.2@neverendingsupport/angular-router@12.2.17-angular-12.3.2@neverendingsupport/angular-service-worker@12.2.17-angular-12.3.2@neverendingsupport/angular-upgrade@12.2.17-angular-12.3.2
v12.3.1 - January 30, 2025
Notes
- Full Version:
12.2.17-{PACKAGE_NAME}-12.3.1
Security Fixes
- upgrade: Address Trusted Types violations in
@angular/upgrade.
v12.2.20 - January 30, 2025
Notes
- This release contains no functional changes from NES v12.2.19.
- This release contains only metadata fixes and improvements: Updated peer dependency versions.
- Full Version:
12.2.17-{PACKAGE_NAME}-12.2.20
v12.2.19 - January 30, 2025
Notes
- This release contains no functional changes from NES v12.2.18.
- This release contains only metadata fixes and improvements: Updated peer dependency versions.
- Full Version:
12.2.19-{PACKAGE_NAME}
v12.2.18 - February 8, 2024
Notes
- Full Version:
12.2.18-{PACKAGE_NAME}
Security Fixes
- compiler: Do not unquote CSS values.
- core:
- Do not use
Functionconstructors in development mode to avoid CSP violations. - Set style property value to empty string instead of an invalid value.
- Do not use
Angular CLI
12.2.22 (NES) - September 2025
Notes
- Full package names and versions
@neverendingsupport/angular-cli@12.2.18-angular-cli-12.2.22@neverendingsupport/angular-pwa@12.2.18-angular-cli-12.2.22@neverendingsupport/angular-devkit-architect@0.1202.18-angular-cli-12.2.22@neverendingsupport/angular-devkit-architect-cli@0.1202.18-angular-cli-12.2.22@neverendingsupport/angular-devkit-build-angular@12.2.18-angular-cli-12.2.22@neverendingsupport/angular-devkit-build-optimizer@0.1202.18-angular-cli-12.2.22@neverendingsupport/angular-devkit-build-webpack@0.1202.18-angular-cli-12.2.22@neverendingsupport/angular-devkit-core@12.2.18-angular-cli-12.2.22@neverendingsupport/angular-devkit-schematics@12.2.18-angular-cli-12.2.22@neverendingsupport/angular-devkit-schematics-cli@12.2.18-angular-cli-12.2.22@neverendingsupport/ngtools-webpack@12.2.18-angular-cli-12.2.22
Bug Fixes
- Fixed build issues: updated peer dependency version numbers
12.2.21 (NES) - June 5, 2025
Notes
- This release contains no functional changes from 12.2.20.
- Full package names and versions
@neverendingsupport/angular-cli@12.2.18-angular-cli-12.2.21@neverendingsupport/angular-pwa@12.2.18-angular-cli-12.2.21@neverendingsupport/angular-devkit-architect@0.1202.18-angular-cli-12.2.21@neverendingsupport/angular-devkit-architect-cli@0.1202.18-angular-cli-12.2.21@neverendingsupport/angular-devkit-build-angular@12.2.18-angular-cli-12.2.21@neverendingsupport/angular-devkit-build-optimizer@0.1202.18-angular-cli-12.2.21@neverendingsupport/angular-devkit-build-webpack@0.1202.18-angular-cli-12.2.21@neverendingsupport/angular-devkit-core@12.2.18-angular-cli-12.2.21@neverendingsupport/angular-devkit-schematics@12.2.18-angular-cli-12.2.21@neverendingsupport/angular-devkit-schematics-cli@12.2.18-angular-cli-12.2.21@neverendingsupport/ngtools-webpack@12.2.18-angular-cli-12.2.21
12.2.20 (NES) - February 28, 2025
Security
- Bumped
loader-utilsto v2.0.4 to address CVE-2022-37601.
12.2.19 (NES) - February 26, 2025
Notes
- This is the initial release of the NES Angular CLI 12.2.x series.