Change8

v20.3.25

📦 angularView on GitHub →
🐛 11 fixes1 deprecations🔧 1 symbols

Summary

This release focuses on numerous bug fixes across common, compiler, core, http, platform-server, and service-worker modules, including security hardening and transfer cache improvements. XHR support in platform-server is deprecated in favor of fetch APIs.

Migration Steps

  1. If using XHR support in `@angular/platform-server`, migrate to using standard `fetch` APIs.

🐛 Bug Fixes

  • Date format string length is now limited in common.
  • Transfer cache is skipped for uncacheable HTTP traffic in common.
  • Cryptographically secure SHA-256 is used for transfer cache key generation in common.
  • Two-way properties are sanitized in compiler.
  • TransferState restoration is hardened against DOM clobbering in core.
  • Lowercase SVG animation attribute names are validated in core.
  • Empty referrer option is preserved in HttpRequest in http.
  • JSONP requests now reject non-HTTP(S) URLs in http.
  • Transfer cache is skipped for fetch credentialed requests in http.
  • Platform location origin validation is hardened during SSR in platform-server.
  • Sensitive headers are stripped on cross-origin redirects in service-worker.

Affected Symbols

ServerXhr

⚡ Deprecations

  • XHR support in `@angular/platform-server` is deprecated. Use standard `fetch` APIs instead.