Skip to content

chore: update to Angular 19#750

Merged
yogeshchoudhary147 merged 10 commits intomainfrom
chore/upgrade-angular-19
Jan 5, 2026
Merged

chore: update to Angular 19#750
yogeshchoudhary147 merged 10 commits intomainfrom
chore/upgrade-angular-19

Conversation

@yogeshchoudhary147
Copy link
Contributor

@yogeshchoudhary147 yogeshchoudhary147 commented Dec 24, 2025
edited
Loading

Angular 19 Development Environment Update

Updates the development and testing environment to Angular 19.2.17 to address Snyk-reported vulnerabilities and maintain compatibility with actively supported Angular versions.

Background

Snyk reported two high-severity vulnerabilities in Angular 18.2.13:

  • CVE-2025-66035 (CVSS 7.7) - Insertion of Sensitive Information Into Sent Data in @angular/common
  • CVE-2025-66412 (CVSS 8.4) - Cross-site Scripting (XSS) in @angular/compiler

These vulnerabilities are fixed in Angular 19.2.17+. Additionally, Angular 18 has reached end-of-life per Google's support policy.

Changes

  • Development dependencies: Angular 18.2.13 → 19.2.17
  • TypeScript: 5.5.x → 5.8.3
  • Playground app: Added standalone: false to components for Angular 19 compatibility
  • ESLint: Disabled prefer-standalone rule in playground

SDK Impact

No changes to the distributed SDK package:

  • Peer dependencies remain >=13 (backward compatible)
  • SDK API unchanged
  • No breaking changes for consumers

Security Note

The distributed @auth0/auth0-angular package does not bundle Angular (it's a peer dependency). Users must upgrade their own Angular version to 19.2.17+ to address the CVE vulnerabilities. This PR updates our development and testing environment to Angular 19.

Testing

This update ensures the SDK is tested and verified with Angular 19, maintaining Auth0's policy of supporting actively maintained Angular versions.

@yogeshchoudhary147
chore: upgrade to Angular 19.2.17
d41193c 
- Update all @angular/* packages to 19.2.17
- Update @angular/cli and @Angular-devkit to 19.2.19
- Update @angular-eslint packages to 19.0.0
- Update ng-packagr to 19.2.2
- Update zone.js to 0.15.1
- Update TypeScript to 5.8.3

This upgrade addresses Snyk security vulnerabilities:
- @angular/common@18.2.13 → @angular/common@19.2.17
- @angular/compiler@18.2.13 → @angular/compiler@19.2.17

Skipped optional migrations:
- use-application-builder (deferred for separate PR)
- provide-initializer (deferred for separate PR)

All tests passing. No breaking changes for library consumers.
@yogeshchoudhary147 yogeshchoudhary147 requested a review from a team as a code owner December 24, 2025 04:38
@yogeshchoudhary147
chore: regenerate package-lock.json for Angular 19
1f4ce61
@yogeshchoudhary147
refactor: convert components to standalone (Angular 19 default)
b748c62
@yogeshchoudhary147
refactor: migrate to standalone components and fix imports
b8b0c2d 
- Convert AppComponent and test components to standalone
- Add required imports (NgIf, AsyncPipe, UpperCasePipe, etc.)
- Update test configuration to import standalone components
- Fix all linting errors related to standalone components
@yogeshchoudhary147
fix: move standalone components from declarations to imports
9c71b96 
- Move all standalone components to imports array in AppModule
- Move LazyModuleComponent to imports in LazyModuleModule
- Empty declarations arrays since all components are now standalone
@yogeshchoudhary147
fix: add RouterOutlet import to ChildRouteComponent
286b64a
@yogeshchoudhary147 yogeshchoudhary147 changed the title chore: Upgrade to Angular 19.2.17 chore: Upgrade to Angular 19.2.17 and migrate to standalone components Dec 24, 2025
@yogeshchoudhary147 yogeshchoudhary147 changed the title chore: Upgrade to Angular 19.2.17 and migrate to standalone components chore: upgrade to Angular 19 (BREAKING CHANGE) Dec 24, 2025
@gyaneshgouraw-okta
Copy link
Contributor

gyaneshgouraw-okta commented Dec 24, 2025

@yogeshchoudhary147 We should update MIGRATION_GUIDE for changes made in this PR.

@yogeshchoudhary147 yogeshchoudhary147 marked this pull request as draft December 24, 2025 07:38
@yogeshchoudhary147 yogeshchoudhary147 changed the title chore: upgrade to Angular 19 (BREAKING CHANGE) chore: update to Angular 19 Dec 26, 2025
@yogeshchoudhary147 yogeshchoudhary147 marked this pull request as ready for review December 26, 2025 11:59
frederikprijck
frederikprijck reviewed Jan 5, 2026
View reviewed changes
README.md Outdated

### Angular 19 Security Update

**v2.5.0** requires Angular 19.2.17+ and addresses two high-severity vulnerabilities (CVE-2025-66035, CVE-2025-66412). Angular 18 is no longer supported as it has reached end-of-life.
Copy link
Member

@frederikprijck frederikprijck Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

v2.5.0 requires Angular 19.2.17+

This is not true.

We have 2 package.json files. For our shipped SDK, we only have peerDependencies on Angular: https://github.com/auth0/auth0-angular/blob/chore/upgrade-angular-19/projects/auth0-angular/package.json#L28-L32

@yogeshchoudhary147
docs: add Angular 19 security notice
e2712be 
Note CVE fixes in v2.5.0 and recommend upgrading to Angular 19
@yogeshchoudhary147 yogeshchoudhary147 merged commit 52aa2f0 into main Jan 5, 2026
9 checks passed
@yogeshchoudhary147 yogeshchoudhary147 deleted the chore/upgrade-angular-19 branch January 5, 2026 12:42
This was referenced Jan 5, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@frederikprijck frederikprijck frederikprijck approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@yogeshchoudhary147 @gyaneshgouraw-okta @frederikprijck