HeroDevs
Visit Angular NES Home Page

Angular 18

Comprehensive release notes and changelog for Angular 18, including security patches, bug fixes, and feature updates across all supported versions.

5 Patched Vulnerabilities
VEX Statements

Angular

v18.2.18 - January 8, 2026

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-common@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-compiler@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-compiler-cli@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-core@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-elements@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-forms@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-language-service@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-localize@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-platform-browser@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-platform-server@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-router@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-service-worker@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-upgrade@18.2.14-angular-18.2.18

Security Fixes

  • core: Sanitize sensitive attributes on SVG script elements.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-22610).

v18.2.17 - December 9, 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-common@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-compiler@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-compiler-cli@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-core@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-elements@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-forms@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-language-service@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-localize@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-platform-browser@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-platform-server@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-router@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-service-worker@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-upgrade@18.2.14-angular-18.2.17

Security Fixes

  • compiler: Prevent stored XSS via SVG animation attributeName and MathML/SVG URLs.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2025-66412).

v18.2.16 - December 2, 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-common@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-compiler@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-compiler-cli@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-core@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-elements@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-forms@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-language-service@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-localize@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-platform-browser@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-platform-server@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-router@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-service-worker@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-upgrade@18.2.14-angular-18.2.16

Security Fixes

  • common: Prevent Cross-Site Request Forgery (XSRF) token leakage to protocol-relative URLs.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-66035).

v18.2.15 - September 18, 2025

Notes

  • This release contains no functional change from the OSS Angular v18.2.14.
  • This release mainlines OSS v18.2.14 into NES v18.2.15.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-common@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-compiler@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-compiler-cli@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-core@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-elements@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-forms@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-language-service@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-localize@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-platform-browser@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-platform-server@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-router@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-service-worker@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-upgrade@18.2.14-angular-18.2.15

Security Fixes

  • core: Introduce BootstrapContext for improved server bootstrapping.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-59052).

Breaking Changes

core
  • Introduce BootstrapContext for improved server bootstrapping:
    The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector and avoid potential exposure of sensitive data from other sessions.
    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively, when running in a server environment.
    Before:
    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:
    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

v18.2.14 - July 11, 2025

Notes

  • This release contains no functional change from the OSS Angular v18.2.13.
  • This release mainlines OSS v18.2.13 into NES v18.2.14.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-common@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-compiler@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-compiler-cli@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-core@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-elements@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-forms@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-language-service@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-localize@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-platform-browser@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-platform-server@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-router@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-service-worker@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-upgrade@18.2.13-angular-18.2.14

Angular CLI

18.2.23 (NES) - October, 2025

Notes

  • This release contains no functional change from the OSS Angular CLI v18.2.21.
  • This release mainlines OSS v18.2.21 into NES v18.2.23.
  • Full package names and versions:
    • @neverendingsupport/angular-build@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-cli@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-create@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-pwa@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-ssr@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-architect@0.1802.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-architect-cli@0.1802.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-build-angular@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-build-webpack@0.1802.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-core@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-schematics@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-schematics-cli@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/ngtools-webpack@18.2.21-angular-cli-18.2.23

Breaking Changes

@angular/ssr
  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-59052).

    Before:
    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:
    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

18.2.22 (NES) - August, 2025

Notes

  • Fixed build issues: updated peer dependency version numbers
  • Full package names and versions:
    • @neverendingsupport/angular-build@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-cli@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-create@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-pwa@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-ssr@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-architect@0.1802.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-architect-cli@0.1802.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-build-angular@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-build-webpack@0.1802.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-core@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-schematics@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-schematics-cli@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/ngtools-webpack@18.2.20-angular-cli-18.2.22

18.2.21 (NES) - July, 2025

Notes

  • This release contains no functional change from the OSS Angular CLI v18.2.20.
  • This release mainlines OSS v18.2.20 into NES v18.2.21.
  • Full package names and versions:
    • @neverendingsupport/angular-build@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-cli@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-create@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-pwa@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-ssr@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-architect@0.1802.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-architect-cli@0.1802.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-build-angular@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-build-webpack@0.1802.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-core@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-schematics@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-schematics-cli@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/ngtools-webpack@18.2.20-angular-cli-18.2.21