Skip to content

chore(deps): update dependency @angular/core to v20.3.17 [security]#10203

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-angular-core-vulnerability
Mar 1, 2026
Merged

chore(deps): update dependency @angular/core to v20.3.17 [security]#10203
renovate[bot] merged 1 commit intomainfrom
renovate/npm-angular-core-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 1, 2026

This PR contains the following updates:

Package Change Age Confidence
@angular/core (source) 20.3.1620.3.17 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-27970

A Cross-site Scripting (XSS) vulnerability has been identified in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript.

Angular i18n typically involves three steps, extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user.

If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript.

Impact

When successfully exploited, this vulnerability allows for execution of attacker controlled JavaScript in the application origin. Depending on the nature of the application being exploited this could lead to:

  • Credential Exfiltration: Stealing sensitive user data stored in page memory, LocalStorage, IndexedDB, or cookies available to JS and sending them to an attacker controlled server.
  • Page Vandalism: Mutating the page to read or act differently than intended by the developer.

Attach Preconditions

  • The attacker must compromise the translation file (xliff, xtb, etc.).
  • Unlike most XSS vulnerabilities, this one is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client.
  • The victim application must use Angular i18n.
  • The victim application must use one or more ICU messages.
  • The victim application must render an ICU message.
  • The victim application must not defend against XSS via a safe Content-Security Policy (CSP) or Trusted Types.

Patches

  • 21.2.0
  • 21.1.6
  • 20.3.17
  • 19.2.19

Workarounds

Until the patch is applied, developers should consider:

  • Reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application.
  • Enabling strict CSP controls to block unauthorized JavaScript from executing on the page.
  • Enabling Trusted Types to enforce proper HTML sanitization.

References

Release Notes

angular/angular (@​angular/core)

v20.3.17

Compare Source

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204)

core
Commit Type Description
7f9de3c118 fix block creation of sensitive URI attributes from ICU messages

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 1, 2026
@changeset-bot
Copy link

changeset-bot bot commented Mar 1, 2026

⚠️ No Changeset found

Latest commit: a927890

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@nx-cloud
Copy link

nx-cloud bot commented Mar 1, 2026
edited
Loading

View your CI Pipeline Execution ↗ for commit a927890

Command Status Duration Result
nx affected --targets=test:sherif,test:knip,tes... ✅ Succeeded 4m 48s View ↗
nx run-many --target=build --exclude=examples/*... ✅ Succeeded 2s View ↗

☁️ Nx Cloud last updated this comment at 2026-03-01 18:17:09 UTC

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Mar 1, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch renovate/npm-angular-core-vulnerability

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Mar 1, 2026

More templates

@tanstack/angular-query-experimental

npm i https://pkg.pr.new/TanStack/query/@tanstack/angular-query-experimental@10203

@tanstack/eslint-plugin-query

npm i https://pkg.pr.new/TanStack/query/@tanstack/eslint-plugin-query@10203

@tanstack/preact-query

npm i https://pkg.pr.new/TanStack/query/@tanstack/preact-query@10203

@tanstack/preact-query-devtools

npm i https://pkg.pr.new/TanStack/query/@tanstack/preact-query-devtools@10203

@tanstack/query-async-storage-persister

npm i https://pkg.pr.new/TanStack/query/@tanstack/query-async-storage-persister@10203

@tanstack/query-broadcast-client-experimental

npm i https://pkg.pr.new/TanStack/query/@tanstack/query-broadcast-client-experimental@10203

@tanstack/query-core

npm i https://pkg.pr.new/TanStack/query/@tanstack/query-core@10203

@tanstack/query-devtools

npm i https://pkg.pr.new/TanStack/query/@tanstack/query-devtools@10203

@tanstack/query-persist-client-core

npm i https://pkg.pr.new/TanStack/query/@tanstack/query-persist-client-core@10203

@tanstack/query-sync-storage-persister

npm i https://pkg.pr.new/TanStack/query/@tanstack/query-sync-storage-persister@10203

@tanstack/react-query

npm i https://pkg.pr.new/TanStack/query/@tanstack/react-query@10203

@tanstack/react-query-devtools

npm i https://pkg.pr.new/TanStack/query/@tanstack/react-query-devtools@10203

@tanstack/react-query-next-experimental

npm i https://pkg.pr.new/TanStack/query/@tanstack/react-query-next-experimental@10203

@tanstack/react-query-persist-client

npm i https://pkg.pr.new/TanStack/query/@tanstack/react-query-persist-client@10203

@tanstack/solid-query

npm i https://pkg.pr.new/TanStack/query/@tanstack/solid-query@10203

@tanstack/solid-query-devtools

npm i https://pkg.pr.new/TanStack/query/@tanstack/solid-query-devtools@10203

@tanstack/solid-query-persist-client

npm i https://pkg.pr.new/TanStack/query/@tanstack/solid-query-persist-client@10203

@tanstack/svelte-query

npm i https://pkg.pr.new/TanStack/query/@tanstack/svelte-query@10203

@tanstack/svelte-query-devtools

npm i https://pkg.pr.new/TanStack/query/@tanstack/svelte-query-devtools@10203

@tanstack/svelte-query-persist-client

npm i https://pkg.pr.new/TanStack/query/@tanstack/svelte-query-persist-client@10203

@tanstack/vue-query

npm i https://pkg.pr.new/TanStack/query/@tanstack/vue-query@10203

@tanstack/vue-query-devtools

npm i https://pkg.pr.new/TanStack/query/@tanstack/vue-query-devtools@10203

commit: 680f04d

@github-actions
Copy link
Contributor

github-actions bot commented Mar 1, 2026

size-limit report 📦

Path Size
react full 11.92 KB (0%)
react minimal 8.95 KB (0%)

@renovate renovate bot merged commit df928be into main Mar 1, 2026
6 checks passed
@renovate renovate bot deleted the renovate/npm-angular-core-vulnerability branch March 1, 2026 21:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants