HeroDevs
Visit Angular NES Home Page

Angular 14

Comprehensive release notes and changelog for Angular 14, including security patches, bug fixes, and feature updates across all supported versions.

5 Patched Vulnerabilities
VEX Statements

Angular

v14.3.10 - March 10, 2026

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-bazel@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-common@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-compiler@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-compiler-cli@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-core@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-elements@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-forms@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-language-service@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-localize@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-platform-browser@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-platform-browser-dynamic@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-platform-server@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-router@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-service-worker@14.3.0-angular-14.3.10
    • @neverendingsupport/angular-upgrade@14.3.0-angular-14.3.10

Security Fixes

  • core: Block creation of sensitive URI attributes from ICU messages.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-27970).

Breaking Changes

core
  • Block creation of sensitive URI attributes from ICU messages:
    Translators can no longer introduce URI attributes—attribute values are blocked to avoid malicious links, and sanitization now relies on an allowlist of known attributes (still sanitizing URI ones). Translated ICU content keeps only recognized attributes and drops everything else.

v14.3.9 - January 29, 2026

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-bazel@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-common@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-compiler@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-compiler-cli@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-core@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-elements@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-forms@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-language-service@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-localize@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-platform-browser@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-platform-browser-dynamic@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-platform-server@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-router@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-service-worker@14.3.0-angular-14.3.9
    • @neverendingsupport/angular-upgrade@14.3.0-angular-14.3.9

Security Fixes

  • core: Sanitize sensitive attributes on SVG script elements.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-22610).

v14.3.8 - December 15, 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-bazel@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-common@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-compiler@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-compiler-cli@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-core@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-elements@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-forms@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-language-service@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-localize@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-platform-browser@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-platform-browser-dynamic@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-platform-server@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-router@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-service-worker@14.3.0-angular-14.3.8
    • @neverendingsupport/angular-upgrade@14.3.0-angular-14.3.8

Security Fixes

  • compiler: Prevent stored XSS via SVG animation attributeName and MathML/SVG URLs.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2025-66412).

v14.3.7 - December 3, 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-bazel@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-common@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-compiler@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-compiler-cli@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-core@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-elements@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-forms@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-language-service@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-localize@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-platform-browser@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-platform-browser-dynamic@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-platform-server@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-router@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-service-worker@14.3.0-angular-14.3.7
    • @neverendingsupport/angular-upgrade@14.3.0-angular-14.3.7

Security Fixes

  • common: Prevent Cross-Site Request Forgery (XSRF) token leakage to protocol-relative URLs.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-66035).
  • core: Introduce BootstrapContext for improved server bootstrapping.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-59052).

Breaking Changes

core
  • Introduce BootstrapContext for improved server bootstrapping:
    The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector and avoid potential exposure of sensitive data from other sessions.
    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively, when running in a server environment.
    Before:
    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:
    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

v14.3.6 - June 17, 2025

Notes

  • This release contains no functional changes from NES v14.3.5.
  • This release implements a new package naming scheme for the Angular packages. More information about the change can be found in the NES Decoupled Namespace Specification.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-bazel@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-common@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-compiler@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-compiler-cli@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-core@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-elements@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-forms@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-language-service@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-localize@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-platform-browser@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-platform-browser-dynamic@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-platform-server@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-router@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-service-worker@14.3.0-angular-14.3.6
    • @neverendingsupport/angular-upgrade@14.3.0-angular-14.3.6

v14.3.5 - January 31, 2025

Notes

  • This release contains no functional changes from NES v14.3.4.
  • This release contains only metadata fixes and improvements: Updated licensing information.
  • Full Version: 14.3.0-{PACKAGE_NAME}-14.3.5

v14.3.4 - January 28, 2025

Notes

  • This release contains no functional changes from NES v14.3.3.
  • This release contains only build-related fixes and improvements.
  • Full Version: 14.3.0-{PACKAGE_NAME}-14.3.4

v14.3.3 - January 28, 2025

Notes

  • This release contains no functional changes from NES v14.3.2.
  • This release contains only metadata fixes and improvements: Updated peer dependency versions.
  • Full Version: 14.3.0-{PACKAGE_NAME}-14.3.3

v14.3.2 - January 28, 2025

Notes

  • This release contains no functional changes from NES v14.3.1.
  • This release contains only metadata fixes and improvements: Updated peer dependency versions.
  • Full Version: 14.3.2-{PACKAGE_NAME}

v14.3.1 - February 12, 2024

Notes

  • Full Version: 14.3.1-{PACKAGE_NAME}

Security Fixes

  • compiler: Do not unquote CSS values.
  • core: Set style property value to empty string instead of an invalid value.

Angular CLI

14.2.17 - September, 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-cli@14.2.13-angular-cli-14.2.17
    • @neverendingsupport/angular-create@14.2.13-angular-cli-14.2.17
    • @neverendingsupport/angular-pwa@14.2.13-angular-cli-14.2.17
    • @neverendingsupport/angular-devkit-architect@0.1402.13-angular-cli-14.2.17
    • @neverendingsupport/angular-devkit-architect-cli@0.1402.13-angular-cli-14.2.17
    • @neverendingsupport/angular-devkit-build-angular@14.2.13-angular-cli-14.2.17
    • @neverendingsupport/angular-devkit-build-webpack@0.1402.13-angular-cli-14.2.17
    • @neverendingsupport/angular-devkit-core@14.2.13-angular-cli-14.2.17
    • @neverendingsupport/angular-devkit-schematics@14.2.13-angular-cli-14.2.17
    • @neverendingsupport/angular-devkit-schematics-cli@14.2.13-angular-cli-14.2.17
    • @neverendingsupport/ngtools-webpack@14.2.13-angular-cli-14.2.17

Bug Fixes

  • Fixed build issues: updated peer dependency version numbers.

14.2.16 - June 5, 2025

Notes

  • This release contains no functional changes from NES v14.2.15.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-cli@14.2.13-angular-cli-14.2.16
    • @neverendingsupport/angular-create@14.2.13-angular-cli-14.2.16
    • @neverendingsupport/angular-pwa@14.2.13-angular-cli-14.2.16
    • @neverendingsupport/angular-devkit-architect@0.1402.13-angular-cli-14.2.16
    • @neverendingsupport/angular-devkit-architect-cli@0.1402.13-angular-cli-14.2.16
    • @neverendingsupport/angular-devkit-build-angular@14.2.13-angular-cli-14.2.16
    • @neverendingsupport/angular-devkit-build-webpack@0.1402.13-angular-cli-14.2.16
    • @neverendingsupport/angular-devkit-core@14.2.13-angular-cli-14.2.16
    • @neverendingsupport/angular-devkit-schematics@14.2.13-angular-cli-14.2.16
    • @neverendingsupport/angular-devkit-schematics-cli@14.2.13-angular-cli-14.2.16
    • @neverendingsupport/ngtools-webpack@14.2.13-angular-cli-14.2.16

14.2.15 - February 10, 2025

Notes

  • Added @ngtools/webpack, @angular/pwa, @angular-devkit/architect-cli, and @angular-devkit/schematics-cli packages.
  • Full Version: 14.2.13-{PACKAGE_NAME}-14.2.15