Comparing 20.3.13...v20.3.19 · angular/angular-cli · GitHub

base repository: angular/angular-cli
base: 20.3.13
head repository: angular/angular-cli
compare: v20.3.19
  • 17 commits
  • 55 files changed
  • 5 contributors

Commits on Jan 7, 2026

  1. ci: force ipv4 resolutions first in Node.js

    Backport of #32042
    hybrist committed Jan 7, 2026
    Commit 66140c8
  2. fix(@angular/cli): update dependency @modelcontextprotocol/sdk to v1.25.2
    
    This is a port of PR #32227 to the 20.3.x branch.
    hybrist committed Jan 7, 2026
    Commit ff36649
  3. Commit 4963d9c

Commits on Jan 12, 2026

  1. fix(@angular-devkit/build-angular): update webpack to version 5.104.1

    This fixes a performance regression. See: #31350 (comment)
    alan-agius4 committed Jan 12, 2026
    Commit ffc72cb

Commits on Jan 21, 2026

  1. Commit 795d654
  2. Commit 279b1ad

Commits on Feb 9, 2026

  1. Commit 656888a
  2. Commit 0f02aca
  3. Commit 750f037

Commits on Feb 23, 2026

  1. fix(@angular/ssr): validate host headers to prevent header-based SSRF

    This change introduces strict validation for `Host`, `X-Forwarded-Host`, `X-Forwarded-Proto`, and `X-Forwarded-Port` headers in the Angular SSR request handling pipeline, including `CommonEngine` and `AngularAppEngine`.
    alan-agius4 committed Feb 23, 2026
    Commit 67582a9
  2. fix(@angular/ssr): prevent open redirect via X-Forwarded-Prefix header

    This change addresses a security vulnerability where `joinUrlParts()` in
    `packages/angular/ssr/src/utils/url.ts` only stripped one leading slash from
    URL parts.
    
    When the `X-Forwarded-Prefix` header contains multiple leading slashes (e.g.,
    `///evil.com`), the function previously produced a protocol-relative URL
    (e.g., `//evil.com/home`). If the application issues a redirect (e.g., via
    a generic redirect route), the browser interprets this 'Location' header
    as an external redirect to `https://evil.com/home`.
    
    This vulnerability poses a significant risk as open redirects can be used in
    phishing attacks. Additionally, since the redirect response may lack
    `Cache-Control` headers, intermediate CDNs could cache the poisoned redirect,
    serving it to other users.
    
    This commit fixes the issue by:
    1. Updating `joinUrlParts` to internally strip *all* leading and trailing slashes
       from URL segments, preventing the formation of protocol-relative URLs from
       malicious input.
    2. Adding strict validation for the `X-Forwarded-Prefix` header to immediately
       reject requests with values starting with multiple slashes (`//`) or backslashes (`\\`).
    
    Closes #32501
    alan-agius4 committed Feb 23, 2026
    Commit 8700e18
  3. Commit c0d1626
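
An added illustration of the `X-Forwarded-Prefix` issue described in commit 8700e18 above; it is not the code from `packages/angular/ssr/src/utils/url.ts`. The function names, the leading-slash handling in the legacy model and the prefix regex are assumptions built from the commit message's description.

```typescript
// Added illustration built from the commit message; not Angular's source.
// All function names and the regex below are assumptions.

// Model of the pre-fix behaviour: at most ONE leading and ONE trailing slash
// is removed per part, and a leading slash is added only if none is present.
function joinUrlPartsLegacy(...parts: string[]): string {
  const kept: string[] = [];
  for (const part of parts) {
    let p = part;
    if (p.startsWith('/')) p = p.slice(1);
    if (p.endsWith('/')) p = p.slice(0, -1);
    if (p !== '') kept.push(p);
  }
  const joined = kept.join('/');
  return joined.startsWith('/') ? joined : '/' + joined;
}

// Fix 1 from the commit message: strip ALL leading and trailing slashes.
function stripSlashes(part: string): string {
  let start = 0;
  let end = part.length;
  while (start < end && part[start] === '/') start++;
  while (end > start && part[end - 1] === '/') end--;
  return part.slice(start, end);
}

function joinUrlPartsHardened(...parts: string[]): string {
  return '/' + parts.map(stripSlashes).filter((p) => p !== '').join('/');
}

// Fix 2: reject a prefix that starts with two or more slashes or backslashes.
function isForwardedPrefixAllowed(value: string): boolean {
  return !/^[\/\\]{2}/.test(value);
}

// A Location value beginning with two slashes is protocol-relative: the
// browser keeps the current scheme and reads the next segment as the host.
function isProtocolRelative(location: string): boolean {
  return location.startsWith('//');
}

// Header value taken from the commit message; 'home' is the redirect target.
const forwardedPrefix = '///evil.com';
const legacyLocation = joinUrlPartsLegacy(forwardedPrefix, 'home'); // '//evil.com/home'
const hardenedLocation = joinUrlPartsHardened(forwardedPrefix, 'home'); // '/evil.com/home'
```
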

Commits on Feb 26, 2026

  1. Commit f668e27
  2. Commit 39596d5
  3. Commit 05b3511

Commits on Mar 3, 2026

  1. Commit 0299b4d

Commits on Mar 4, 2026

  1. Commit 93a6f36