chore(deps): bump @angular/platform-server from 17.3.12 to 19.2.21

[dependabot]

Bumps @angular/platform-server from 17.3.12 to 19.2.21.

Release notes

Sourced from @​angular/platform-server's releases.

19.2.21

platform-server

Commit	Description
	prevent SSRF bypasses via protocol-relative and backslash URLs

19.2.20

compiler

Commit	Description
	disallow translations of iframe src

core

Commit	Description
	sanitize translated attribute bindings with interpolations
	sanitize translated form attributes

19.2.19

core

Commit	Description
	block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

• Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

  (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

19.2.18

core

Commit	Description
	sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit	Description
	prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description

... (truncated)

Changelog

Sourced from @​angular/platform-server's changelog.

19.2.21 (2026-04-15)

platform-server

Commit	Type	Description
f3a5bfb949	fix	prevent SSRF bypasses via protocol-relative and backslash URLs

20.3.19 (2026-04-15)

platform-server

Commit	Type	Description
303d4cd580	fix	prevent SSRF bypasses via protocol-relative and backslash URLs

22.0.0-next.8 (2026-04-15)

Breaking Changes

compiler

• This change will trigger the nullishCoalescingNotNullable and optionalChainNotNullable diagnostics on exisiting projects. You might want to disable those 2 diagnotiscs in your tsconfig temporarily.

compiler

Commit	Type	Description
47fcbc4704	feat	allow safe navigation to correctly narrow down nullables
2c5aabb9da	fix	don't escape dollar sign in literal expression

compiler-cli

Commit	Type	Description
e5f96c2d88	fix	animation events not type checked properly when bound through HostListener decorator

core

Commit	Type	Description
4e331062e8	feat	allow synchronous values for stream Resources
2f5ab541ea	feat	enhance profiling with documentation URLs
75f2cb8f56	feat	implement Angular DI graph in-page AI tool
8ce9cc4f6b	feat	register AI runtime debugging tools
cdda51a3b2	feat	support bootstrapping Angular applications underneath shadow roots
3c7641151c	fix	escape forward slashes in transfer state to prevent crawler indexing

forms

Commit	Type	Description
f9f24fc669	feat	shim legacy NG_VALIDATORS into parseErrors for CVA mode (#67943)
72d3ace03c	fix	use controlValue in NgControl for CVA interop (#67943)

http

Commit	Type	Description
39e382a756	fix	add CSP nonce support to JsonpClientBackend

... (truncated)

Commits

• f3a5bfb fix(platform-server): prevent SSRF bypasses via protocol-relative and backsla...
• 70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
• a6d5479 build: migrate platform-server to rules_js (#61619)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 8edafd0 perf(platform-server): speed up resolution of base (#61392)
• 899cb4a refactor: add explicit types for exports relying on inferred call return type...
• 1312eb1 build: remove irrelevant madge circular deps tests (#61209)
• a6f0d5b fix(platform-server): less aggressive ngServerMode cleanup (#61106)
• 2e140a1 fix(core): prevent stash listener conflicts [patch] (#61063)
• f4b5977 refactor(platform-server): switching to relative imports within the `platform...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Medium Risk
Major-version upgrade of a core SSR dependency; could introduce runtime/peer-dependency mismatches or SSR behavior changes in the Angular 17 SSR samples.

Overview
Updates the Angular 17 SSR example projects (e2e/angular-17-ssr and snippets/angular-17-ssr) to use @angular/platform-server ^19.2.21 instead of ^17.3.0.

Regenerates yarn.lock accordingly, removing the 17.3.12 lock entry and adding a 19.2.21 entry plus updated workspace dependency resolutions.

^{Reviewed by Cursor Bugbot for commit 68dabaa. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 68dabaa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 68dabaa. Configure here.}

[cursor]

Major version mismatch across Angular peer dependencies

High Severity

@angular/platform-server is bumped to ^19.2.21 while all other @angular/* packages remain at ^17.3.0. The yarn.lock confirms that @angular/platform-server@19.2.21 requires peer dependencies @angular/common, @angular/compiler, @angular/core, and @angular/platform-browser all at exactly 19.2.21. Angular packages are not cross-compatible across major versions, so this will cause install warnings and likely runtime failures during SSR.

Additional Locations (1)

• packages/sdks/snippets/angular-17-ssr/package.json#L21-L22

 

^{Reviewed by Cursor Bugbot for commit 68dabaa. Configure here.}

[nx-cloud]

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

_{To disable these notifications, a workspace admin can disable them in workspace settings.}

---

View your CI Pipeline Execution ↗ for commit 68dabaa

Command	Status	Duration	Result
nx test @e2e/angular-17-ssr	❌ Failed	2m 10s	View ↗
nx test @snippet/angular-17-ssr	❌ Failed	2m 6s	View ↗
nx test @e2e/qwik-city	✅ Succeeded	8m 59s	View ↗
nx test @e2e/nextjs-sdk-next-app	✅ Succeeded	8m 22s	View ↗
nx test @e2e/angular-17	✅ Succeeded	7m 43s	View ↗
nx test @e2e/nuxt	✅ Succeeded	7m 18s	View ↗
nx test @e2e/react-sdk-next-15-app	✅ Succeeded	6m 37s	View ↗
nx test @e2e/react-sdk-next-14-app	✅ Succeeded	6m 24s	View ↗
Additional runs (38)	✅ Succeeded	...	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-04-17 00:28:01 UTC