Angular 5

Comprehensive release notes and changelog for Angular 5, including security patches, bug fixes, and feature updates across all supported versions.

4 Patched Vulnerabilities

Angular

Full package name(s) and version(s):
- @neverendingsupport/angular-animations@5.2.11-angular-5.2.18
- @neverendingsupport/angular-common@5.2.11-angular-5.2.18
- @neverendingsupport/angular-compiler@5.2.11-angular-5.2.18
- @neverendingsupport/angular-compiler-cli@5.2.11-angular-5.2.18
- @neverendingsupport/angular-core@5.2.11-angular-5.2.18
- @neverendingsupport/angular-forms@5.2.11-angular-5.2.18
- @neverendingsupport/angular-http@5.2.11-angular-5.2.18
- @neverendingsupport/angular-language-service@5.2.11-angular-5.2.18
- @neverendingsupport/angular-platform-browser@5.2.11-angular-5.2.18
- @neverendingsupport/angular-platform-browser-dynamic@5.2.11-angular-5.2.18
- @neverendingsupport/angular-platform-server@5.2.11-angular-5.2.18
- @neverendingsupport/angular-platform-webworker@5.2.11-angular-5.2.18
- @neverendingsupport/angular-platform-webworker-dynamic@5.2.11-angular-5.2.18
- @neverendingsupport/angular-router@5.2.11-angular-5.2.18
- @neverendingsupport/angular-service-worker@5.2.11-angular-5.2.18
- @neverendingsupport/angular-upgrade@5.2.11-angular-5.2.18

core: Sanitize sensitive attributes on SVG script elements.
- This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-22610).

Full package name(s) and version(s):
- @neverendingsupport/angular-animations@5.2.11-angular-5.2.17
- @neverendingsupport/angular-common@5.2.11-angular-5.2.17
- @neverendingsupport/angular-compiler@5.2.11-angular-5.2.17
- @neverendingsupport/angular-compiler-cli@5.2.11-angular-5.2.17
- @neverendingsupport/angular-core@5.2.11-angular-5.2.17
- @neverendingsupport/angular-forms@5.2.11-angular-5.2.17
- @neverendingsupport/angular-http@5.2.11-angular-5.2.17
- @neverendingsupport/angular-language-service@5.2.11-angular-5.2.17
- @neverendingsupport/angular-platform-browser@5.2.11-angular-5.2.17
- @neverendingsupport/angular-platform-browser-dynamic@5.2.11-angular-5.2.17
- @neverendingsupport/angular-platform-server@5.2.11-angular-5.2.17
- @neverendingsupport/angular-platform-webworker@5.2.11-angular-5.2.17
- @neverendingsupport/angular-platform-webworker-dynamic@5.2.11-angular-5.2.17
- @neverendingsupport/angular-router@5.2.11-angular-5.2.17
- @neverendingsupport/angular-service-worker@5.2.11-angular-5.2.17
- @neverendingsupport/angular-upgrade@5.2.11-angular-5.2.17

compiler: Prevent stored XSS via SVG animation attributeName and MathML/SVG URLs.
- This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2025-66412).

Full package name(s) and version(s):
- @neverendingsupport/angular-animations@5.2.11-angular-5.2.16
- @neverendingsupport/angular-common@5.2.11-angular-5.2.16
- @neverendingsupport/angular-compiler@5.2.11-angular-5.2.16
- @neverendingsupport/angular-compiler-cli@5.2.11-angular-5.2.16
- @neverendingsupport/angular-core@5.2.11-angular-5.2.16
- @neverendingsupport/angular-forms@5.2.11-angular-5.2.16
- @neverendingsupport/angular-http@5.2.11-angular-5.2.16
- @neverendingsupport/angular-language-service@5.2.11-angular-5.2.16
- @neverendingsupport/angular-platform-browser@5.2.11-angular-5.2.16
- @neverendingsupport/angular-platform-browser-dynamic@5.2.11-angular-5.2.16
- @neverendingsupport/angular-platform-server@5.2.11-angular-5.2.16
- @neverendingsupport/angular-platform-webworker@5.2.11-angular-5.2.16
- @neverendingsupport/angular-platform-webworker-dynamic@5.2.11-angular-5.2.16
- @neverendingsupport/angular-router@5.2.11-angular-5.2.16
- @neverendingsupport/angular-service-worker@5.2.11-angular-5.2.16
- @neverendingsupport/angular-upgrade@5.2.11-angular-5.2.16

common: Prevent Cross-Site Request Forgery (XSRF) token leakage to protocol-relative URLs.
- This fixes a high-severity Information Exposure vulnerability (CVE-2025-66035).

This release contains no functional changes from NES v5.2.14.
This release implements a new package naming scheme for the Angular packages. More information about the change can be found in the NES Decoupled Namespace Specification.
Full package name(s) and version(s):
- @neverendingsupport/angular-animations@5.2.11-angular-5.2.15
- @neverendingsupport/angular-common@5.2.11-angular-5.2.15
- @neverendingsupport/angular-compiler@5.2.11-angular-5.2.15
- @neverendingsupport/angular-compiler-cli@5.2.11-angular-5.2.15
- @neverendingsupport/angular-core@5.2.11-angular-5.2.15
- @neverendingsupport/angular-forms@5.2.11-angular-5.2.15
- @neverendingsupport/angular-http@5.2.11-angular-5.2.15
- @neverendingsupport/angular-language-service@5.2.11-angular-5.2.15
- @neverendingsupport/angular-platform-browser@5.2.11-angular-5.2.15
- @neverendingsupport/angular-platform-browser-dynamic@5.2.11-angular-5.2.15
- @neverendingsupport/angular-platform-server@5.2.11-angular-5.2.15
- @neverendingsupport/angular-platform-webworker@5.2.11-angular-5.2.15
- @neverendingsupport/angular-platform-webworker-dynamic@5.2.11-angular-5.2.15
- @neverendingsupport/angular-router@5.2.11-angular-5.2.15
- @neverendingsupport/angular-service-worker@5.2.11-angular-5.2.15
- @neverendingsupport/angular-upgrade@5.2.11-angular-5.2.15

This release contains no functional changes from NES v5.2.13.
This release contains metadata fixes and improvements: Updated licensing information.
Full Version: 5.2.11-{PACKAGE_NAME}-5.2.14

This release contains no functional changes from NES v5.2.12.
This release contains metadata fixes and improvements: Updated package.json files.
Full Version: 5.2.11-{PACKAGE_NAME}-5.2.13

common: Use ContentType: application/json (instead of text/plain) for boolean values with HttpClient request body.
core:
- Ensure sanitizer works if DOMParser returns null body.
- Fix possible XSS vulnerability in development through SSR.
  - This fixes a low-severity Cross-Site Scripting (XSS) vulnerability (CVE-2021-4231).
platform-browser: Prevent memory leak of style nodes if shadow DOM encapsulation is used.