
v21.2.17

📦 angular
🐛 11 fixes, 1 deprecation, 🔧 1 symbol

Summary

This release focuses heavily on security and stability fixes across multiple packages, including hardening transfer state restoration, improving HTTP request handling, and deprecating XHR support in platform-server.

Migration Steps

  1. When using `@angular/platform-server`, migrate from XHR support to standard `fetch` APIs.

🐛 Bug Fixes

  • Limits date format string length.
  • Skips transfer cache for uncacheable HTTP traffic.
  • Uses cryptographically secure SHA-256 for transfer cache key generation.
  • Sanitizes two-way properties in the compiler.
  • Hardens TransferState restoration against DOM clobbering.
  • Validates lowercase SVG animation attribute names.
  • Preserves empty referrer option in HttpRequest.
  • Rejects non-HTTP(S) URLs in JSONP requests.
  • Skips transfer cache for fetch credentialed requests.
  • Hardens platform location origin validation during SSR.
  • Strips sensitive headers on cross-origin redirects in service-worker.

Affected Symbols

⚡ Deprecations

  • XHR support in `@angular/platform-server` is deprecated. Use standard `fetch` APIs instead.