chore(deps): bump @angular/core from 19.2.4 to 19.2.19#88

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/angular/core-19.2.19

Conversation


@dependabot dependabot bot commented on behalf of github Mar 1, 2026

Bumps @angular/core from 19.2.4 to 19.2.19.

Release notes

Sourced from @angular/core's releases.

19.2.19

core

Commit Description
fix - 747548721d block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

19.2.18

core

Commit Description
fix - 26cdc53d9c sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit Description
fix - 7c42e2ebeb prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit Description
fix - 05fe6686a9 prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit Description
fix - 70d0639bc1 introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

    Before:

    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:

    const bootstrap = (context: BootstrapContext) =>
      bootstrapApplication(AppComponent, config, context);

    A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

... (truncated)

Changelog

Sourced from @angular/core's changelog.

19.2.19 (2026-02-25)

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

core

Commit Type Description
747548721d fix block creation of sensitive URI attributes from ICU messages

20.3.17 (2026-02-25)

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

core

Commit Type Description
7f9de3c118 fix block creation of sensitive URI attributes from ICU messages

21.2.0 (2026-02-25)

common

Commit Type Description
18003a33bb feat add an 'outlet' injector option for ngTemplateOutlet
8bbe6dc46c feat Add Location strategies to manage trailing slash on write
51cc914807 feat support height in ImageLoaderConfig and built-in loaders

compiler

Commit Type Description
72534e2a34 feat Add support for the instanceof binary operator
95b3f37d4a feat Exhaustive checks for switch blocks
04ba09a8d9 feat support AstVisitor.visitEmptyExpr()
ce80136e7b fix optimize away unnecessary restore/reset view calls
3242a61bae fix variable counter visiting some expressions twice

compiler-cli

Commit Type Description
473dd3e1cb fix attach source spans to object literal keys in TCB
a904d9f77b fix support nested component declaration
2ea6dfc6c9 fix update diagnostic to flag no-op arrow functions in listeners

core

... (truncated)

Commits
  • 7475487 fix(core): block creation of sensitive URI attributes from ICU messages
  • 26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
  • 7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
  • 70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
  • 73d3e00 build: fix failing test (#61683)
  • 9e1cd49 fix(migrations): preserve comments when removing unused imports (#61674)
  • a6d5479 build: migrate platform-server to rules_js (#61619)
  • 2a26944 build: migrate platform-browser and platform-browser-dynamic package to use r...
  • 2ae69f7 refactor: ensure tsurge migrations have clear ownership of files (#61612)
  • c101a3a refactor: clean-up deduplication workaround from migrations (#61421) (#61612)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) from 19.2.4 to 19.2.19.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v19.2.19/packages/core)

---
updated-dependencies:
- dependency-name: "@angular/core"
  dependency-version: 19.2.19
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
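The 19.2.16 entry in the release notes above ("prevent XSRF token leakage to protocol-relative URLs") names a check that is easy to get subtly wrong. The following TypeScript is an added illustration of that check and is not Angular's HttpClient source: a cookie-to-header XSRF interceptor must attach the token only to requests that stay on the application's own origin, and a URL test that recognises only `http://` and `https://` prefixes as foreign lets `//evil.example/...` through. The header name, the page origin and the sample requests are assumptions; the hardened prefix check deliberately goes beyond the changelog wording by also rejecting other absolute URLs and the backslash spellings that WHATWG URL parsing folds into `//host`.

```typescript
// Added illustration, not Angular's own interceptor. The header name and the
// sample origin are assumptions for the example.

export interface OutgoingRequest {
  method: string;
  url: string;
  headers: Record<string, string>;
}

export const XSRF_HEADER = 'X-XSRF-TOKEN';

// Pre-fix shape of the check: only absolute http(s) URLs count as foreign, so a
// protocol-relative URL such as "//evil.example/api" is mistaken for a path.
export function isSameOriginLegacy(url: string): boolean {
  const lc = url.toLowerCase();
  return !(lc.startsWith('http://') || lc.startsWith('https://'));
}

// Hardened prefix check: protocol-relative URLs are foreign. Beyond the
// changelog wording it also rejects any URL that carries a scheme and the
// backslash forms ("\\host", "/\host") that browsers parse like "//host".
export function isSameOriginPrefix(url: string): boolean {
  const lc = url.trim().toLowerCase();            // browsers trim before parsing
  if (/^[\\\/]{2}/.test(lc)) return false;         // "//", "\\", "/\", "\/"
  if (/^[a-z][a-z0-9+.-]*:/.test(lc)) return false; // absolute URL, any scheme
  return true;
}

// Reference check: resolve the URL the way the browser will and compare origins.
export function isSameOriginResolved(url: string, pageOrigin: string): boolean {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch {
    return false; // unparsable: never send a secret to a destination we cannot name
  }
}

export function carriesToken(req: OutgoingRequest): boolean {
  return XSRF_HEADER in req.headers;
}

// The interceptor step, parameterised by the origin predicate so the vulnerable
// and hardened behaviours can be compared on the same request.
export function attachXsrf(
  req: OutgoingRequest,
  token: string | null,
  sameOrigin: (url: string) => boolean,
): OutgoingRequest {
  if (req.method === 'GET' || req.method === 'HEAD') return req; // safe methods carry no token
  if (token === null || carriesToken(req) || !sameOrigin(req.url)) return req;
  return { ...req, headers: { ...req.headers, [XSRF_HEADER]: token } };
}

// Constructed sample requests (not taken from the PR).
export const SAMPLES: OutgoingRequest[] = [
  { method: 'POST', url: '/api/update', headers: {} },
  { method: 'POST', url: '//evil.example/api', headers: {} },
  { method: 'POST', url: '/\\evil.example/api', headers: {} },
  { method: 'POST', url: 'https://evil.example/api', headers: {} },
  { method: 'GET', url: '/api/read', headers: {} },
];

// URLs to which a given predicate would let the token leak: the token gets
// attached, yet the browser would resolve the URL to a foreign origin.
export function leakingUrls(
  sameOrigin: (url: string) => boolean,
  pageOrigin = 'https://app.example',
): string[] {
  return SAMPLES
    .filter((r) => carriesToken(attachXsrf(r, 'token', sameOrigin)))
    .filter((r) => !isSameOriginResolved(r.url, pageOrigin))
    .map((r) => r.url);
}
```

Running `leakingUrls(isSameOriginLegacy)` reports both the `//evil.example/api` and the `/\evil.example/api` requests as leaking the token, while `leakingUrls(isSameOriginPrefix)` reports none; where a real origin is available, the resolved comparison in `isSameOriginResolved` is the check to trust, since it matches what the browser will actually do with the string.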
dependabot bot added the dependencies and javascript labels Mar 1, 2026
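The 19.2.19 breaking change ("Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered"), together with the 19.2.17 and 19.2.18 entries on SVG animation `attributeName` and sensitive attributes, describe a policy that is worth seeing as code. The TypeScript below is an added illustration of that policy and is not Angular's implementation: attributes that arrive through a translated message are applied only if the source template declared them on that element, URI-valued attributes are accepted only with a benign scheme, and an SVG animation element is not allowed to retarget a URI attribute. The attribute list, the safe-scheme list, the element representation and the sample translations are all assumptions for the example.

```typescript
// Added illustration of an attribute policy for translated ICU content; not
// Angular's implementation. Lists and samples are assumptions.

export interface TranslatedElement {
  tag: string;                    // lowercased tag name, e.g. 'a' or 'animate'
  attrs: Record<string, string>;  // attributes exactly as written in the translation
}

export interface ApplyResult {
  applied: Record<string, string>;
  dropped: Array<{ name: string; reason: string }>;
}

// Attributes whose value the browser navigates to or loads from.
const URI_ATTRS = new Set(['href', 'xlink:href', 'src', 'action', 'formaction', 'data', 'poster', 'srcdoc']);

// SVG animation elements that rewrite another attribute at runtime; an
// <animate attributeName="href" values="javascript:..."> is a known XSS vector.
const SVG_ANIMATION_TAGS = new Set(['animate', 'set', 'animatemotion', 'animatetransform']);

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

export function isSafeUrl(value: string): boolean {
  // Browsers delete ASCII tab/newline anywhere in a URL and trim surrounding
  // whitespace before parsing, so "java\tscript:" must be normalised first.
  const v = value.replace(/[\t\n\r]/g, '').trim().toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  if (m === null) return true;   // no scheme: path-relative or protocol-relative URL
  return SAFE_SCHEMES.has(m[1]);
}

// knownAttrs holds the lowercased attribute names the source template declared
// for this element; everything the translation adds on top of that is dropped.
export function applyTranslatedAttributes(
  el: TranslatedElement,
  knownAttrs: ReadonlySet<string>,
): ApplyResult {
  const applied: Record<string, string> = {};
  const dropped: Array<{ name: string; reason: string }> = [];
  for (const rawName of Object.keys(el.attrs)) {
    const name = rawName.toLowerCase();
    const value = el.attrs[rawName];
    if (!knownAttrs.has(name)) {
      dropped.push({ name, reason: 'not declared in the source template' });
    } else if (URI_ATTRS.has(name) && !isSafeUrl(value)) {
      dropped.push({ name, reason: 'unsafe URL' });
    } else if (
      SVG_ANIMATION_TAGS.has(el.tag) &&
      name === 'attributename' &&
      URI_ATTRS.has(value.trim().toLowerCase())
    ) {
      dropped.push({ name, reason: 'animation would retarget a URI attribute' });
    } else {
      applied[name] = value;
    }
  }
  return { applied, dropped };
}

// Constructed samples (not from the PR): a translation file returns
// <a href="javascript:alert(1)" onclick="steal()" title="Docs"> for an anchor
// whose source template declared only href and title, and an SVG animation
// that tries to point a link at a javascript: URL.
export const SAMPLE_ANCHOR: TranslatedElement = {
  tag: 'a',
  attrs: { href: 'javascript:alert(1)', onclick: 'steal()', title: 'Docs' },
};

export const SAMPLE_ANIMATE: TranslatedElement = {
  tag: 'animate',
  attrs: { attributeName: 'href', values: 'javascript:alert(1)' },
};
```

For `SAMPLE_ANCHOR` with `new Set(['href', 'title'])` as the declared attributes, only `title` survives: `href` is dropped for its `javascript:` scheme and `onclick` because the source template never declared it. For `SAMPLE_ANIMATE` the `attributeName` is dropped, so the animation can no longer rewrite the parent's `href`, even though the attribute itself was declared in the source.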

vercel bot commented Mar 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
v0-open-in-v0-0w Error Error Mar 1, 2026 9:58pm

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | @angular/core@19.2.4 ⏵ 19.2.19 | 82 (-18) | 100 (+22) | 80 (+1) | 98 (+2) | 100 (+20)

View full report

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn Medium
Dynamic code execution: npm lodash

Eval Type: Function

Location: Package overview

From: ?npm/lodash@4.17.23

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@4.17.23. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Dynamic code execution: npm tsup

Eval Type: Function

Location: Package overview

From: pnpm-lock.yaml npm/tsup@8.4.0

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsup@8.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm @angular/core

URLs: http://www.unixpapa.com/js/mouse.html, http://goo.gl/2VoGnB., http://goo.gl/6pEO1z., https://github.com/microsoft/TypeScript/issues/30024, https://github.com/DefinitelyTyped/DefinitelyTyped/blob/master/types/trusted-types/index.d.ts, https://en.wikipedia.org/wiki/Flyweight_pattern, https://w3c.github.io/webcomponents/spec/shadow/, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/map, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/find, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/reduce, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/forEach, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/some, https://hackmd.io/@mhevery/rJUJsvv9H, https://www.w3.org/TR/DOM-Level-3-Events-key/#named-key-attribute-values, https://en.wikipedia.org/wiki/Idempotence, https://angular.dev/license, https://g.co/ng/security, https://rxjs.dev/api/index/class/Subject, dataProvider.data, http://www.w3.org/2000/svg, http://www.w3.org/1998/MathML/, https://web.dev/strict-csp/, https://someUrl.com/api/user, https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss, https://angular.io/guide/i18n, window.ng, https://github.com/angular/angular/pull/55456., https://github.com/angular/angular/pull/30719, https://github.com/angular/angular-cli/blob/0b0961c9c233a825b6e4bb59ab7f0790f9b14676/packages/angular_devkit/schematics/src/tree/host-tree.ts#L131, https://effectivetypescript.com/2024/03/24/flownodes/., https://whatpr.org/html/10919/browsing-the-web.html#url-and-history-update-steps, https://whatpr.org/html/10919/nav-history-apis.html#update-the-navigation-api-entries-for-a-same-document-navigation, https://whatpr.org/html/10919/browsing-the-web.html#apply-the-traverse-history-step, 
https://html.spec.whatwg.org/multipage/nav-history-apis.html#navigate-event-firing, https://whatpr.org/html/10919/nav-history-apis.html#dom-navigateevent-intercept, https://whatpr.org/html/10919/nav-history-apis.html#dom-navigateevent-scroll, https://whatpr.org/html/10919/nav-history-apis.html#dom-navigationprecommitcontroller-redirect, https://whatpr.org/html/10919/nav-history-apis.html#inner-navigate-event-firing-algorithm, https://github.com/microsoft/TypeScript/blob/294a5a7d784a5a95a8048ee990400979a6bc3a1c/src/compiler/commandLineParser.ts#L2806, https://angular.dev/reference/migrations/standalone, https://angular.dev/reference/migrations/route-lazy-loading, https://docs.oasis-open.org/xliff/v1.2/os/xliff-core.html, https://docs.oasis-open.org/xliff/v1.2/xliff-profile-html/xliff-profile-html-1.2.html, https://docs.oasis-open.org/xliff/xliff-core/v2.0/os/xliff-core-v2.0-os.html, https://github.com/angular/angular/blob/d4b423690210872b5c32a322a6090beda30b05a3/packages/core/src/compiler/compiler_facade_interface.ts#L197-L199, https://angular.dev/errors, https://docs.google.com/document/d/1dOWoSDvOY9ozlMmyCnxoFLEzGgHmTFVRAOVdVU-bxlI/edit?tab=t.0#heading=h.5n3k516r57g5, https://github.com/microsoft/TypeScript/issues/38485, module.id, https://github.com/microsoft/TypeScript/pull/58398, https://github.com/angular/angular-cli/pull/14473, node.name, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function#instance_properties, https://angular.dev/guide/templates/two-way-binding, https://angular.dev/tools/cli/template-typecheck

Location: Package overview

From: examples/angular/auto-refetching/package.json npm/@angular/core@19.2.19

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@angular/core@19.2.19. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm @vitest/mocker

URLs: https://vitest.dev/api/vi.html#vi-mock

Location: Package overview

From: pnpm-lock.yaml npm/@vitest/mocker@3.1.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vitest/mocker@3.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Filesystem access: npm fdir with module fs

Module: fs

Location: Package overview

From: pnpm-lock.yaml npm/fdir@6.4.3

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fdir@6.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm lodash

URLs: https://travis-ci.org/lodash-archive/lodash-cli

Location: Package overview

From: ?npm/lodash@4.17.23

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@4.17.23. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm lodash

URLs: _.map, _.at, _.gt, _.lt, https://bugs.webkit.org/show_bug.cgi?id=156034, _.rest, _.property, http://ecma-international.org/ecma-262/7.0/#sec-samevaluezero, http://ecma-international.org/ecma-262/7.0/#sec-ecmascript-function-objects-call-thisargument-argumentslist, https://mdn.io/Array/slice, https://en.wikipedia.org/wiki/Empty_set, https://en.wikipedia.org/wiki/Vacuous_truth, https://mdn.io/Structured_clone_algorithm, https://mdn.io/Number/isFinite, http://ecma-international.org/ecma-262/7.0/#sec-tolength, http://www.ecma-international.org/ecma-262/7.0/#sec-ecmascript-language-types, https://mths.be/he, https://mathiasbynens.be/notes/ambiguous-ampersands, http://wonko.com/post/html-escaping, http://requirejs.org/docs/errors.html#mismatch, https://css-tricks.com/debouncing-throttling-explained-examples/, https://lodash.com/, https://npms.io/search?q=ponyfill., http://ecma-international.org/ecma-262/7.0/#sec-patterns, http://ecma-international.org/ecma-262/7.0/#sec-template-literal-lexical-components, https://en.wikipedia.org/wiki/Combining_Diacritical_Marks, https://en.wikipedia.org/wiki/Combining_Diacritical_Marks_for_Symbols, https://mathiasbynens.be/notes/javascript-unicode, http://eev.ee/blog/2015/09/12/dark-corners-of-unicode/, http://ecma-international.org/ecma-262/7.0/#sec-object.prototype.tostring, https://en.wikipedia.org/wiki/Exponentiation_by_squaring, https://mdn.io/clearTimeout, https://github.com/jashkenas/underscore/pull/1247, https://bugs.chromium.org/p/v8/issues/detail?id=90, https://es5.github.io/#x13.2.2, https://mdn.io/round#Examples, http://www.ecma-international.org/ecma-262/7.0/#sec-regexp.prototype.tostring, http://ecma-international.org/ecma-262/7.0/#sec-object.keys, https://bugs.chromium.org/p/v8/issues/detail?id=2070, https://mdn.io/setTimeout, https://mdn.io/Array/reverse, https://mdn.io/iteration_protocols#iterator, https://en.wikipedia.org/wiki/Fisher-Yates_shuffle, 
http://peter.michaux.ca/articles/lazy-function-definition-pattern, http://ecma-international.org/ecma-262/7.0/#sec-properties-of-the-map-prototype-object, https://mdn.io/rest_parameters, http://www.ecma-international.org/ecma-262/7.0/#sec-function.prototype.apply, https://mdn.io/spread_operator, https://mdn.io/Number/isInteger, https://mdn.io/Number/isNaN, https://mdn.io/isNaN, https://www.npmjs.com/package/babel-polyfill, https://mdn.io/Number/isSafeInteger, http://www.ecma-international.org/ecma-262/7.0/#sec-tointeger, https://mdn.io/Object/assign, https://en.wikipedia.org/wiki/Letter_case#Special_case_styles, https://es5.github.io/#x15.1.2.2, https://mdn.io/String/replace, https://en.wikipedia.org/wiki/Snake_case, https://mdn.io/String/split, https://en.wikipedia.org/wiki/Letter_case#Stylistic_or_specialised_usage, http://www.html5rocks.com/en/tutorials/developertools/sourcemaps/#toc-sourceurl, https://lodash.com/custom-builds, https://developer.chrome.com/extensions/sandboxingEval, https://github.com/olado/doT, https://mdn.io/toLowerCase, https://mdn.io/toUpperCase

Location: Package overview

From: ?npm/lodash@4.17.23

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@4.17.23. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm lodash is 100.0% likely to have a medium risk anomaly

Notes: This is a legitimate template compiler implementation that uses dynamic code generation (Function constructor) and optional 'with' scope. It is not malicious by intent in the provided fragment, but it exposes typical high-risk behaviors: arbitrary code execution via evaluate delimiters, potential XSS from unescaped interpolation, and broader attack surface if untrusted templates or imports are used. Use only with trusted templates or ensure strict delimiter/escaping policies. No evidence of backdoor, exfiltration, or obfuscated malicious payloads found in the provided code.

Confidence: 1.00

Severity: 0.60

From: ?npm/lodash@4.17.23

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@4.17.23. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm tsup

URLs: tsup-report.api.md, https://github.com/rich-harris/magic-string

Location: Package overview

From: pnpm-lock.yaml npm/tsup@8.4.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsup@8.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Filesystem access: npm tsup with module fs

Module: fs

Location: Package overview

From: pnpm-lock.yaml npm/tsup@8.4.0

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsup@8.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

dependabot bot commented on behalf of github Mar 5, 2026

Looks like @angular/core is up-to-date now, so this is no longer needed.

@dependabot dependabot bot closed this Mar 5, 2026
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/angular/core-19.2.19 branch March 5, 2026 04:56
