HeroDevs
Visit Angular NES Home Page

Angular 17

Comprehensive release notes and changelog for Angular 17, including security patches, bug fixes, and feature updates across all supported versions.

5 Patched Vulnerabilities
VEX Statements

Angular

v17.3.18 - January 8, 2026

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-common@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-compiler@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-compiler-cli@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-core@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-elements@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-forms@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-language-service@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-localize@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-platform-browser@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-platform-browser-dynamic@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-platform-server@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-router@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-service-worker@17.3.12-angular-17.3.18
    • @neverendingsupport/angular-upgrade@17.3.12-angular-17.3.18

Security Fixes

  • core: Sanitize sensitive attributes on SVG script elements.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-22610).

v17.3.17 - December 11, 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-common@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-compiler@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-compiler-cli@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-core@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-elements@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-forms@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-language-service@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-localize@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-platform-browser@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-platform-browser-dynamic@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-platform-server@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-router@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-service-worker@17.3.12-angular-17.3.17
    • @neverendingsupport/angular-upgrade@17.3.12-angular-17.3.17

Security Fixes

  • compiler: Prevent stored XSS via SVG animation attributeName and MathML/SVG URLs.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2025-66412).

v17.3.16 - December 2, 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-common@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-compiler@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-compiler-cli@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-core@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-elements@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-forms@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-language-service@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-localize@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-platform-browser@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-platform-browser-dynamic@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-platform-server@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-router@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-service-worker@17.3.12-angular-17.3.16
    • @neverendingsupport/angular-upgrade@17.3.12-angular-17.3.16

Security Fixes

  • common: Prevent Cross-Site Request Forgery (XSRF) token leakage to protocol-relative URLs.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-66035).

v17.3.15 - September 30, 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-common@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-compiler@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-compiler-cli@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-core@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-elements@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-forms@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-language-service@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-localize@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-platform-browser@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-platform-browser-dynamic@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-platform-server@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-router@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-service-worker@17.3.12-angular-17.3.15
    • @neverendingsupport/angular-upgrade@17.3.12-angular-17.3.15

Security Fixes

  • core: Introduce BootstrapContext for improved server bootstrapping.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-59052).

Breaking Changes

core
  • Introduce BootstrapContext for improved server bootstrapping:
    The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector and avoid potential exposure of sensitive data from other sessions.
    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively, when running in a server environment.
    Before:
    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:
    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

v17.3.14 - June 16, 2025

Notes

  • This release contains no functional changes from NES v17.3.13.
  • This release contains only build-related fixes and improvements.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-common@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-compiler@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-compiler-cli@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-core@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-elements@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-forms@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-language-service@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-localize@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-platform-browser@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-platform-browser-dynamic@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-platform-server@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-router@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-service-worker@17.3.12-angular-17.3.14
    • @neverendingsupport/angular-upgrade@17.3.12-angular-17.3.14

v17.3.13 - February 27, 2025

Notes

  • This release contains no functional change from the OSS Angular v17.3.12.
  • This release mainlines OSS v17.3.12 into NES v17.3.13.

Angular CLI

17.3.20 (NES) - October, 2025

Notes

  • Full package names and versions:
    • @neverendingsupport/angular-cli@17.3.17-angular-cli-17.3.20
    • @neverendingsupport/angular-create@17.3.17-angular-cli-17.3.20
    • @neverendingsupport/angular-pwa@17.3.17-angular-cli-17.3.20
    • @neverendingsupport/angular-ssr@17.3.17-angular-cli-17.3.20
    • @neverendingsupport/angular-devkit-architect@0.1703.17-angular-cli-17.3.20
    • @neverendingsupport/angular-devkit-architect-cli@0.1703.17-angular-cli-17.3.20
    • @neverendingsupport/angular-devkit-build-angular@17.3.17-angular-cli-17.3.20
    • @neverendingsupport/angular-devkit-build-webpack@0.1703.17-angular-cli-17.3.20
    • @neverendingsupport/angular-devkit-core@17.3.17-angular-cli-17.3.20
    • @neverendingsupport/angular-devkit-schematics@17.3.17-angular-cli-17.3.20
    • @neverendingsupport/angular-devkit-schematics-cli@17.3.17-angular-cli-17.3.20
    • @neverendingsupport/ngtools-webpack@17.3.17-angular-cli-17.3.20

Breaking Changes

@angular/ssr
  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-59052).

    Before:
    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:
    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

17.3.19 (NES) - September, 2025

Notes

  • Full package names and versions:
    • @neverendingsupport/angular-cli@17.3.17-angular-cli-17.3.19
    • @neverendingsupport/angular-create@17.3.17-angular-cli-17.3.19
    • @neverendingsupport/angular-pwa@17.3.17-angular-cli-17.3.19
    • @neverendingsupport/angular-ssr@17.3.17-angular-cli-17.3.19
    • @neverendingsupport/angular-devkit-architect@0.1703.17-angular-cli-17.3.19
    • @neverendingsupport/angular-devkit-architect-cli@0.1703.17-angular-cli-17.3.19
    • @neverendingsupport/angular-devkit-build-angular@17.3.17-angular-cli-17.3.19
    • @neverendingsupport/angular-devkit-build-webpack@0.1703.17-angular-cli-17.3.19
    • @neverendingsupport/angular-devkit-core@17.3.17-angular-cli-17.3.19
    • @neverendingsupport/angular-devkit-schematics@17.3.17-angular-cli-17.3.19
    • @neverendingsupport/angular-devkit-schematics-cli@17.3.17-angular-cli-17.3.19
    • @neverendingsupport/ngtools-webpack@17.3.17-angular-cli-17.3.19

Bug Fixes

  • Fixed build issues: updated peer dependency version numbers

17.3.18 (NES) - June, 2025

Notes

  • This release brings in upstream changes from @angular/cli since the last NES release.
  • Full package names and versions:
    • @neverendingsupport/angular-cli@17.3.17-angular-cli-17.3.18
    • @neverendingsupport/angular-create@17.3.17-angular-cli-17.3.18
    • @neverendingsupport/angular-pwa@17.3.17-angular-cli-17.3.18
    • @neverendingsupport/angular-ssr@17.3.17-angular-cli-17.3.18
    • @neverendingsupport/angular-devkit-architect@0.1703.17-angular-cli-17.3.18
    • @neverendingsupport/angular-devkit-architect-cli@0.1703.17-angular-cli-17.3.18
    • @neverendingsupport/angular-devkit-build-angular@17.3.17-angular-cli-17.3.18
    • @neverendingsupport/angular-devkit-build-webpack@0.1703.17-angular-cli-17.3.18
    • @neverendingsupport/angular-devkit-core@17.3.17-angular-cli-17.3.18
    • @neverendingsupport/angular-devkit-schematics@17.3.17-angular-cli-17.3.18
    • @neverendingsupport/angular-devkit-schematics-cli@17.3.17-angular-cli-17.3.18
    • @neverendingsupport/ngtools-webpack@17.3.17-angular-cli-17.3.18

17.3.13 (NES) - February, 2025

Notes

  • This is the initial release of the NES Angular CLI 17.3.x series.