Sourced from @​angular/common's releases.

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

For more information please see: GHSA-68x2-mx4q-78m7

18.2.14

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63640)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>

... (truncated)

Sourced from @​angular/common's changelog.

19.2.16 (2025-11-26)

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

20.3.14 (2025-11-25)

http

Commit	Type	Description
0276479e7d	fix	prevent XSRF token leakage to protocol-relative URLs

21.0.1 (2025-11-25)

compiler-cli

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

core

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected DOCUMENT for CSP_NONCE
cc1ec09931	perf	avoid repeat searches for field directive

forms

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on Field directive
8acf5d2756	fix	allow dynamic type bindings on signal form controls

... (truncated)

• 05fe668 fix(http): prevent XSRF token leakage to protocol-relative URLs
• 12e2302 build: update common's locales to use rules_js (#61630)
• 9701047 test(common): Add circular deps test to 19.2.x (#61651)
• 2c876b4 fix(common): avoid injecting ApplicationRef in FetchBackend (#61649)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 2b1b14f fix(core): cleanup rxResource abort listener (#58306)
• 126efc9 fix(common): cancel reader when app is destroyed (#61528)
• efda872 fix(common): prevent reading chunks if app is destroyed (#61354)
• c43fd3a build: migrate common to use rules_js based toolchain (#61434)
• 185b780 build: migrate packages/core/schematics to ts_project (#61420)
• Additional commits viewable in compare view

This version was pushed to npm by google-wombot, a new releaser for @​angular/common since your current version.

Sourced from @​angular/compiler's releases.

21.2.8

compiler

Commit	Description
	handle nested brackets in host object bindings

compiler-cli

Commit	Description
	error for type parameter declarations

core

Commit	Description
	handle missing serialized container hydration data
	remove obsolete iOS cursor pointer hack in event delegation

language-service

Commit	Description
	get quick info at local var location to align with TS semantics and support type narrowing

21.2.7

compiler

Commit	Description
	register SVG animation attributes in URL security context (#67797)

compiler-cli

Commit	Description
	prevent recursive scope checks for invalid NgModule imports

core

Commit	Description
	prevent binding unsafe attributes on SVG animation elements (#67797)
	resolve component import by exact specifier in route lazy-loading schematic
	treat object[data] as resource URL context (#67797)

localize

Commit	Description
	validate locale in getOutputPathFn to prevent path traversal

router

Commit	Description
	pass outlet context to split to fix empty path named outlets

21.2.6

common

Commit	Description
	avoid redundant image fetch on destroy with auto sizes

compiler

| Commit | Description |

... (truncated)

Sourced from @​angular/compiler's changelog.

21.2.8 (2026-04-08)

compiler

Commit	Type	Description
e40d378f3e	fix	handle nested brackets in host object bindings

compiler-cli

Commit	Type	Description
2c6781071f	fix	error for type parameter declarations

core

Commit	Type	Description
82192deda9	fix	handle missing serialized container hydration data
057cc6d09d	fix	remove obsolete iOS cursor pointer hack in event delegation

language-service

Commit	Type	Description
7797671257	fix	get quick info at local var location to align with TS semantics and support type narrowing

22.0.0-next.6 (2026-04-01)

compiler

Commit	Type	Description
08d36599d7	fix	register SVG animation attributes in URL security context (#67797)

compiler-cli

Commit	Type	Description
fcd0bb0db8	fix	prevent recursive scope checks for invalid NgModule imports

core

Commit	Type	Description
e84e35cdd6	fix	prevent binding unsafe attributes on SVG animation elements (#67797)
8fa6617352	fix	resolve component import by exact specifier in route lazy-loading schematic
028e1d3ce0	fix	treat object[data] as resource URL context (#67797)

localize

Commit	Type	Description
7871093822	fix	validate locale in getOutputPathFn to prevent path traversal

migrations

Commit	Type	Description
682aaf943f	feat	add strictTemplates to tsconfig during ng update

router

Commit	Type	Description
daa9b2a9d6	fix	pass outlet context to split to fix empty path named outlets

... (truncated)

• a4f3120 refactor(compiler): require a reference in DirectiveMeta
• de533fe refactor(compiler-cli): move ClassPropertyMapping into compiler
• ea1e34c refactor(compiler): move matchSource into base metadata
• e40d378 fix(compiler): handle nested brackets in host object bindings
• d04ddd7 fix(core): prevent binding unsafe attributes on SVG animation elements (#67797)
• fea25d1 fix(compiler): register SVG animation attributes in URL security context (#67...
• 880a57d fix(compiler): prevent shimCssText from adding extra blank lines per CSS comment
• 23ea431 fix(compiler): parse named HTML entities containing digits
• 334ae10 fix(compiler): ensure generated code compiles
• ed2d324 fix(compiler): disallow translations of iframe src
• Additional commits viewable in compare view

This version was pushed to npm by google-wombot, a new releaser for @​angular/compiler since your current version.

Sourced from @​angular/core's releases.

19.2.20

compiler

Commit	Description
	disallow translations of iframe src

core

Commit	Description
	sanitize translated attribute bindings with interpolations
	sanitize translated form attributes

19.2.19

core

Commit	Description
	block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

• Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

  (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

19.2.18

core

Commit	Description
	sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit	Description
	prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

... (truncated)

Sourced from @​angular/core's changelog.

19.2.20 (2026-03-12)

compiler

Commit	Type	Description
5be912eb55	fix	disallow translations of iframe src

core

Commit	Type	Description
b89b0a83a4	fix	sanitize translated attribute bindings with interpolations
621c7071ad	fix	sanitize translated form attributes

20.3.18 (2026-03-12)

compiler

Commit	Type	Description
02fbf08890	fix	disallow translations of iframe src

core

Commit	Type	Description
72126f9a08	fix	sanitize translated attribute bindings with interpolations
626bc8bc20	fix	sanitize translated form attributes

22.0.0-next.3 (2026-03-12)

compiler

Commit	Type	Description
78dea55351	fix	disallow translations of iframe src

core

Commit	Type	Description
999c14eaab	fix	reverts "feat(core): add support for nested animations"
de0eb4c656	fix	sanitize translated form attributes

21.2.4 (2026-03-12)

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description

... (truncated)

• 621c707 fix(core): sanitize translated form attributes
• b89b0a8 fix(core): sanitize translated attribute bindings with interpolations
• 7475487 fix(core): block creation of sensitive URI attributes from ICU messages
• 26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
• 7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
• 70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
• 73d3e00 build: fix failing test (#61683)
• 9e1cd49 fix(migrations): preserve comments when removing unused imports (#61674)
• a6d5479 build: migrate platform-server to rules_js (#61619)
• 2a26944 build: migrate platform-browser and platform-browser-dynamic package to use r...
• Additional commits viewable in compare view

This version was pushed to npm by google-wombot, a new releaser for @​angular/core since your current version.

Sourced from babel-traverse's changelog.

6.26.0 (2017-08-16)

Backports for some folks (also other's when we accidently merged PRs from both 6.x/master) Lesson learned: just use master and backport on another branch.

👓 Spec Compliancy

• babel-core, babel-generator, babel-plugin-transform-flow-comments, babel-plugin-transform-flow-strip-types, babel-traverse, babel-types
  • #6081 Flow opaque type 6.x backport. (@​jbrown215)

🚀 New Feature

• babel-cli
  • #5796 Allow --inspect-brk option to be used with babel-node [6.x backport]. (@​noinkling)

🐛 Bug Fix

• babel-plugin-transform-es2015-modules-commonjs
  • #5811 Fix 5768. (@​joshwnj)
  • #5469 Fix commonjs exports with destructuring.. (@​yavorsky)
• babel-types
  • #5693 Hoist toSequenceExpression's convert helper. (@​jridgewell)

📝 Documentation

• babel-plugin-transform-class-properties
  • #6005 FIX access to the prototype of an instance. (@​shuaibird)
• babel-plugin-transform-runtime
  • #5857 Fix typos in README.md. (@​danny-andrews)
• babel-plugin-transform-regenerator
  • #5852 Fix babel-plugin-transform-regenerator README. (@​k15a)
• Other
  • #5788 Add a section on troubleshooting [skip ci]. (@​peey)
  • #5755 Fix broken tables in README.md. (@​u9lyfish)
• babel-generator, babel-plugin-transform-es2015-arrow-functions, babel-plugin-transform-es2015-modules-commonjs, babel-plugin-transform-es2015-spread, babel-plugin-transform-runtime, babel-register
  • #5613 Backport doc changes. (@​xtuc)

🏠 Internal

• babel-traverse
  • #5965 Remove unused functions from renamer.js.. (@​mcav)
  • #5363 Increase the code coverage for traverse evaluation. (@​ssuman)
• Other
  • #5938 Remove codecov node package and use bash uploader. (@​existentialism)

Committers: 19

• Artem Yavorsky (yavorsky)
• Brian Ng (existentialism)
• Danny Andrews (danny-andrews)
• Henry Zhu (hzoo)
• Jeffrey Wear (wearhere)
• Jordan Brown (jbrown215)
• Josh Johnston (joshwnj)
• Justin Ridgewell (jridgewell)
• Konstantin Pschera (k15a)

... (truncated)

• cee4cde v6.26.0
• aa33099 update changelog
• 5749276 update deps
• 7b30f77 Merge pull request #6111 from modosc/update-regenerator
• f4716dc Backport #6031 (#6112)
• d375d80 6.26.0 changelog [skip ci]
• 98824e7 backport the fix #6052 [skip ci]
• c28465e Flow opaque type 6.x backport (#6081)
• 2dba910 Merge branch '6.x'
• 4d51052 FIX access to the prototype of an instance (#6005)
• Additional commits viewable in compare view

Sourced from adm-zip's changelog.

0.4.16 / 2020-06-23

• Updated mocha version to fix vulnerability (cthackers)
• Update project version (cthackers)
• fix: throw real exception objects on error (Matthew Sainsbury)
• Version number incremented (Saqib M)
• Update zipFile.js (Saqib M)
• Update README.md with the latest URLs (Takuya Noguchi)
• Update Node.js version to use in CI tests (Takuya Noguchi)
• process.versions is null when the library is used in browser (Emiliano Necciari)

0.4.14 / 2020-02-06

• Version increment for npm publish (cthackers)
• Iterate over entries without storing their metadata (Pierre Lehnen)
• Add partial support for zip64 (larger number of entries) (Pierre Lehnen)
• Escape $ sign for regex in addLocalFolder() (William)
• fix accent filename (mart_-)
• Removed improperly raised error while decompressing empty file asynchronously. (Nicolas Leclerc)
• fix: CRC is unexpectedly changed after zip is re-created (teppeis)

0.4.13 / 2018-10-18

• Add async version of addLocalFile Use open and readFile instead of existsSync and readFileSync. There are still some sync functions left in the Utils.findFiles call, but the impact is minimal compared to the readFileSync. (Maigret Aurelien)
• Fix jsdoc typings for functions. (Leon Aves)
• fixed Utils.FileSystem overwriting 'fs' module even when 'original-fs' is broken (Tom Wallroth)
• fix race-condition crash when extracting data and extracted files are (re)moved (Tom Wallroth)
• Fix: bad buffer.alloc for .toBuffer in async mode (Colin GILLE)
• Add a full license text to the distribution (Honza Javorek)
• Rename MIT-LICENSE.txt to LICENSE (Standa Opichal)
• fix bug when filename or path contains multi-byte characters (warbaby)
• bump version to 0.4.12 (Marsette Vona)
• change default compression method for added files back to DEFLATED from STORED (revert #139) (Marsette Vona)
• remove JSDeflater() and JSInflater() in favor of zlib.deflateRawSync() and zlib.inflateRawSync() respectively (Marsette Vona)
• Fix (Mirko Tebaldi)
• 0.4.12 - Created a test to check Twizzeld's issue on Issue #237. (was not able to replicate his issue) (cjacobs)
• Fix Buffer.alloc bug #234 (keyesdav)
• 0.4.12 - Fix additional issue with extractEntryTo improperly handling directory children. (cjacobs)
• 0.4.12 - Fix #237, add tests, update travis node versions. (cjacobs)
• 0.4.12 - Fix #237, add tests, update travis node versions. (cjacobs)
• 0.4.12 - Fix #237, add tests, update travis node versions. (cjacobs)
• 0.4.12 - Fix #237, add tests, update travis node versions. (cjacobs)
• add tests for CRC fixes (Kevin Tjiam)
• compare calculated CRC with loaded CRC (Kevin Tjiam)
• handle errors in callback from getDataAsync (Kevin Tjiam)

0.4.11 / 2018-05-13

• Version bump (cthackers)
• Fixed #176 (cthackers)

... (truncated)

• 9d2eb0b Updated mocha version to fix vulnerability
• 9bb5fb9 Update project version
• 10a8c1c Merge pull request #250 from opichals/patch-1
• c87b983 Merge pull request #279 from willjouo/master
• de614ea Merge pull request #308 from tnir/copyedit-docs-with-https
• b94b8e5 Merge pull request #307 from tnir/update-nodejs-for-testing
• ff355f5 Merge pull request #313 from mattsains/master
• a13f520 Merge pull request #312 from saqibmushtaq/master
• 79c21ff fix: throw real exception objects on error
• 235e7bf Version number incremented
• Additional commits viewable in compare view

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

• [Fix] Fix long option followed by single dash [#17](https://github.com/minimistjs/minimist/issues/17)
• [Tests] Remove duplicate test [#12](https://github.com/minimistjs/minimist/issues/12)
• [Fix] opt.string works with multiple aliases [#10](https://github.com/minimistjs/minimist/issues/10)

Fixed

• [Fix] Fix long option followed by single dash (#17) [#15](https://github.com/minimistjs/minimist/issues/15)
• [Tests] Remove duplicate test (#12) [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] Fix long option followed by single dash [#15](https://github.com/minimistjs/minimist/issues/15)
• [Fix] opt.string works with multiple aliases (#10) [#9](https://github.com/minimistjs/minimist/issues/9)
• [Fix] Fix handling of short option with non-trivial equals [#5](https://github.com/minimistjs/minimist/issues/5)
• [Tests] Remove duplicate test [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] opt.string works with multiple aliases [#9](https://github.com/minimistjs/minimist/issues/9)

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [eslint] fix indentation and whitespace e5f5067
• [eslint] more cleanup 62fde7d
• [eslint] more cleanup 36ac5d0
• [meta] add auto-changelog 73923d2
• [actions] add reusable workflows d80727d
• [eslint] add eslint; rules to enable later are warnings 48bc06a
• [eslint] fix indentation 34b0f1c
• [readme] rename and add badges 5df0fe4
• [Dev Deps] switch from covert to nyc a48b128
• [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
• [meta] create FUNDING.yml; add funding in package.json 3639e0c
• [meta] use npmignore to autogenerate an npmignore file be2e038
• Only apps should have lockfiles 282b570
• isConstructorOrProto adapted from PR ef9153f
• [Dev Deps] update @ljharb/eslint-config, aud 098873c
• [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
• [meta] add safe-publish-latest 4b927de
• [Tests] add aud in posttest b32d9bd
• [meta] update repo URLs f9fdfc0
• [actions] Avoid 0.6 tests due to build failures ba92fe6
• [Dev Deps] update tape