HeroDevs
Visit Angular NES Home Page

Angular 19

Comprehensive release notes and changelog for Angular 19, including security patches, bug fixes, and feature updates across all supported versions.

7 Patched Vulnerabilities
VEX Statements

Angular Core

v19.2.22 - April 21, 2026

Notes

  • This release contains no functional change from the OSS Angular v19.2.21.
  • This release mainlines OSS v19.2.21 into NES v19.2.22.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-common@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-compiler@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-compiler-cli@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-core@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-elements@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-forms@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-language-service@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-localize@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-platform-browser@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-platform-browser-dynamic@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-platform-server@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-router@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-service-worker@19.2.21-angular-19.2.22
    • @neverendingsupport/angular-upgrade@19.2.21-angular-19.2.22

Security Fixes

  • platform-server: Prevent SSRF bypasses via protocol-relative and backslash URLs.
    • This fixes a high-severity Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-41423).

v19.2.21 - March 27, 2026

Notes

  • This release contains no functional change from the OSS Angular v19.2.20.
  • This release mainlines OSS v19.2.20 into NES v19.2.21.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-common@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-compiler@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-compiler-cli@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-core@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-elements@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-forms@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-language-service@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-localize@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-platform-browser@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-platform-browser-dynamic@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-platform-server@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-router@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-service-worker@19.2.20-angular-19.2.21
    • @neverendingsupport/angular-upgrade@19.2.20-angular-19.2.21

Security Fixes

  • core: Sanitize translated form attributes and attribute bindings with interpolations.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-32635).
  • compiler: Disallow translations of src attributes in iframes.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-32635).

v19.2.20 - March 13, 2026

Notes

  • This release contains no functional change from the OSS Angular v19.2.19.
  • This release mainlines OSS v19.2.19 into NES v19.2.20.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-common@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-compiler@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-compiler-cli@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-core@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-elements@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-forms@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-language-service@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-localize@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-platform-browser@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-platform-browser-dynamic@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-platform-server@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-router@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-service-worker@19.2.19-angular-19.2.20
    • @neverendingsupport/angular-upgrade@19.2.19-angular-19.2.20

Security Fixes

  • core: Block creation of sensitive URI attributes from ICU messages.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-27970).

Breaking Changes

core
  • Block creation of sensitive URI attributes from ICU messages:
    Translators can no longer introduce URI attributes—attribute values are blocked to avoid malicious links, and sanitization now relies on an allowlist of known attributes (still sanitizing URI ones). Translated ICU content keeps only recognized attributes and drops everything else.

v19.2.19 - January 27, 2026

Notes

  • This release contains no functional change from the OSS Angular v19.2.18.
  • This release mainlines OSS v19.2.18 into NES v19.2.19.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-common@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-compiler@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-compiler-cli@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-core@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-elements@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-forms@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-language-service@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-localize@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-platform-browser@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-platform-browser-dynamic@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-platform-server@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-router@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-service-worker@19.2.18-angular-19.2.19
    • @neverendingsupport/angular-upgrade@19.2.18-angular-19.2.19

Angular CLI

v19.2.25 - April 22, 2026

Notes

  • This release contains no functional change from the OSS Angular CLI v19.2.24.
  • This release mainlines OSS v19.2.24 into NES v19.2.25.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-build@19.2.24-angular-cli-19.2.25
    • @neverendingsupport/angular-cli@19.2.24-angular-cli-19.2.25
    • @neverendingsupport/angular-create@19.2.24-angular-cli-19.2.25
    • @neverendingsupport/angular-pwa@19.2.24-angular-cli-19.2.25
    • @neverendingsupport/angular-ssr@19.2.24-angular-cli-19.2.25
    • @neverendingsupport/angular-devkit-architect@0.1902.24-angular-cli-19.2.25
    • @neverendingsupport/angular-devkit-architect-cli@0.1902.24-angular-cli-19.2.25
    • @neverendingsupport/angular-devkit-build-angular@19.2.24-angular-cli-19.2.25
    • @neverendingsupport/angular-devkit-build-webpack@0.1902.24-angular-cli-19.2.25
    • @neverendingsupport/angular-devkit-core@19.2.24-angular-cli-19.2.25
    • @neverendingsupport/angular-devkit-schematics@19.2.24-angular-cli-19.2.25
    • @neverendingsupport/angular-devkit-schematics-cli@19.2.24-angular-cli-19.2.25
    • @neverendingsupport/ngtools-webpack@19.2.24-angular-cli-19.2.25

Security Fixes

  • picomatch: Every instance of picomatch was updated to v4.0.4 to address CVE-2026-33671.

v19.2.23 - March 27, 2026

Notes

  • This release contains no functional change from the OSS Angular CLI v19.2.22.
  • This release mainlines OSS v19.2.22 into NES v19.2.23.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-build@19.2.22-angular-cli-19.2.23
    • @neverendingsupport/angular-cli@19.2.22-angular-cli-19.2.23
    • @neverendingsupport/angular-create@19.2.22-angular-cli-19.2.23
    • @neverendingsupport/angular-pwa@19.2.22-angular-cli-19.2.23
    • @neverendingsupport/angular-ssr@19.2.22-angular-cli-19.2.23
    • @neverendingsupport/angular-devkit-architect@0.1902.22-angular-cli-19.2.23
    • @neverendingsupport/angular-devkit-architect-cli@0.1902.22-angular-cli-19.2.23
    • @neverendingsupport/angular-devkit-build-angular@19.2.22-angular-cli-19.2.23
    • @neverendingsupport/angular-devkit-build-webpack@0.1902.22-angular-cli-19.2.23
    • @neverendingsupport/angular-devkit-core@19.2.22-angular-cli-19.2.23
    • @neverendingsupport/angular-devkit-schematics@19.2.22-angular-cli-19.2.23
    • @neverendingsupport/angular-devkit-schematics-cli@19.2.22-angular-cli-19.2.23
    • @neverendingsupport/ngtools-webpack@19.2.22-angular-cli-19.2.23

Security Fixes

  • ssr: Prevent open redirect via X-Forwarded-Prefix header.
    • This fixes a medium-severity Open Redirect vulnerability (CVE-2026-27738).
  • ssr: Validate host headers to prevent header-based SSRF.
    • This fixes a critical-severity Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-27739).

v19.2.20 - January 29, 2026

Notes

  • This release contains no functional change from the OSS Angular CLI v19.2.19.
  • This release mainlines OSS v19.2.19 into NES v19.2.20.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-build@19.2.19-angular-cli-19.2.20
    • @neverendingsupport/angular-cli@19.2.19-angular-cli-19.2.20
    • @neverendingsupport/angular-create@19.2.19-angular-cli-19.2.20
    • @neverendingsupport/angular-pwa@19.2.19-angular-cli-19.2.20
    • @neverendingsupport/angular-ssr@19.2.19-angular-cli-19.2.20
    • @neverendingsupport/angular-devkit-architect@0.1902.19-angular-cli-19.2.20
    • @neverendingsupport/angular-devkit-architect-cli@0.1902.19-angular-cli-19.2.20
    • @neverendingsupport/angular-devkit-build-angular@19.2.19-angular-cli-19.2.20
    • @neverendingsupport/angular-devkit-build-webpack@0.1902.19-angular-cli-19.2.20
    • @neverendingsupport/angular-devkit-core@19.2.19-angular-cli-19.2.20
    • @neverendingsupport/angular-devkit-schematics@19.2.19-angular-cli-19.2.20
    • @neverendingsupport/angular-devkit-schematics-cli@19.2.19-angular-cli-19.2.20
    • @neverendingsupport/ngtools-webpack@19.2.19-angular-cli-19.2.20