chore(deps): bump @angular/platform-server from 17.3.12 to 19.2.25 #4686

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/angular/platform-server-19.2.25

dependabot Bot commented on behalf of github Jun 15, 2026

Bumps @angular/platform-server from 17.3.12 to 19.2.25.

Release notes

Sourced from @angular/platform-server's releases.

19.2.25

platform-server

| Commit | Description |
| --- | --- |
| fix - e2fb854d55 | throw on suspicious URLs and restrict protocol-relative URLs |
| fix - 0a8befb493 | update domino to latest version |

19.2.24

compiler

| Commit | Description |
| --- | --- |
| fix - 6ea6379123 | prevent namespaced SVG elements from being stripped |

19.2.23

common

| Commit | Description |
| --- | --- |
| fix - 62dd27d6af | add upper bounds for digitsInfo |
| fix - 17326725ba | sanitize placeholder |

compiler

| Commit | Description |
| --- | --- |
| fix - 932e0728db | normalize tag names with custom namespaces in DomElementSchemaRegistry |
| fix - 2e3d0371ab | sanitize dynamic href and xlink:href bindings on SVG a elements |
| fix - fe1207e8c5 | strip namespaced SVG script elements during template compilation |

core

| Commit | Description |
| --- | --- |
| fix - c6bb0692e2 | reject script element as a dynamic component host |
| fix - 3960b21558 | sanitize meta selectors |
| fix - 3632fa4b69 | support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation |
| fix - 620230dac4 | synchronize core sanitization schema with compiler |
| fix - d31f84116c | wrap i18n dynamic element property updates in active index states |

http

| Commit | Description |
| --- | --- |
| fix - 9940ffd781 | exclude withCredentials requests from transfer cache |
| fix - 0f67f0b962 | skip TransferCache for cookie-bearing requests by default |

platform-server

| Commit | Description |
| --- | --- |
| fix - d187e8aeda | normalize path parsing in ServerPlatformLocation |
| fix - c75f60ef8a | secure location and document initialization against SSRF and path hijack |

service-worker

| Commit | Description |
| --- | --- |
| fix - 37ee9ffd9e | preserve redirect policy on reconstructed asset requests |
| fix - 97f796203f | Preserves explicit 'credentials: omit' in asset requests |
| fix - 5619120931 | Preserves HTTP cache mode in asset group requests |

... (truncated)

Changelog

Sourced from @angular/platform-server's changelog.

19.2.25 (2026-06-02)

platform-server

| Commit | Type | Description |
| --- | --- | --- |
| e2fb854d55 | fix | throw on suspicious URLs and restrict protocol-relative URLs |
| 0a8befb493 | fix | update domino to latest version |

20.3.24 (2026-06-02)

platform-server

| Commit | Type | Description |
| --- | --- | --- |
| 6ca433e56b | fix | throw on suspicious URLs and restrict protocol-relative URLs |
| 8680b5152f | fix | update domino to latest version |

21.2.15 (2026-05-28)

common

| Commit | Type | Description |
| --- | --- | --- |
| 7f4ac78994 | fix | add upper bounds for digitsInfo |
| 300f61feb3 | fix | sanitize placeholder |

compiler

| Commit | Type | Description |
| --- | --- | --- |
| 0b07f47bd6 | fix | normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925) |
| eb1cbbf2eb | fix | prevent namespaced SVG elements from being stripped |
| cc1378d54b | fix | sanitize dynamic href and xlink:href bindings on SVG a elements (#68925) |
| 782e01594e | fix | strip namespaced SVG script elements during template compilation (#68925) |

core

| Commit | Type | Description |
| --- | --- | --- |
| ff12fe55ac | fix | normalize tag names in runtime i18n attribute security context lookup (#68925) |
| e6fe77cc97 | fix | sanitize meta selectors |
| daaf32937f | fix | support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925) |
| dada86e43d | fix | synchronize core sanitization schema with compiler (#68925) |

http

| Commit | Type | Description |
| --- | --- | --- |
| 582a417bd2 | fix | exclude withCredentials requests from transfer cache |
| 5c6d6df34b | fix | skip TransferCache for cookie-bearing requests by default |

platform-server

| Commit | Type | Description |
| --- | --- | --- |
| 37e8aadf87 | fix | prevent SSRF bypasses via backslash URLs in HttpClient |
| 72696e244e | fix | secure location and document initialization against SSRF and path hijack |

... (truncated)

Commits
  • e2fb854 fix(platform-server): throw on suspicious URLs and restrict protocol-relative...
  • a0193fa refactor(platform-server): extract parseUrl regex and add comments for URL pa...
  • c75f60e fix(platform-server): secure location and document initialization against SSR...
  • e8d35f9 Revert "revert: revert all changes until fdc1b48f32e52da7684583811a6a3090f641...
  • 4747fe2 revert: revert all changes until fdc1b48f32e52da7684583811a6a3090f6418d5e
  • d187e8a fix(platform-server): normalize path parsing in ServerPlatformLocation
  • 8569db8 fix(platform-server): add allowedHosts option to renderModule and `render...
  • 837a710 fix(platform-server): ensure origin has a trailing slash when parsing url (#6...
  • f3a5bfb fix(platform-server): prevent SSRF bypasses via protocol-relative and backsla...
  • 70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Cross-major @angular/platform-server on Angular 17 apps may cause peer dependency or SSR runtime issues; scope is limited to SDK e2e/snippet fixtures, not production apps.

Overview
Bumps @angular/platform-server from ^17.3.0 (resolved 17.3.12) to ^19.2.25 in the Angular 17 SSR e2e and snippet workspaces, with matching yarn.lock entries (replacing the ^17.3.0 resolution and adding 19.2.25).

Other Angular packages in those apps remain on ^17.3.0, so only the server-rendering package is pulled two major versions ahead—typically to pick up platform-server security fixes (e.g. SSR URL/SSRF hardening) without upgrading the full Angular 17 stack.

Reviewed by Cursor Bugbot for commit 5667199. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [@angular/platform-server](https://github.com/angular/angular/tree/HEAD/packages/platform-server) from 17.3.12 to 19.2.25.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v19.2.25/packages/platform-server)

---
updated-dependencies:
- dependency-name: "@angular/platform-server"
  dependency-version: 19.2.25
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies and javascript labels Jun 15, 2026

changeset-bot Bot commented Jun 15, 2026

⚠️ No Changeset found

Latest commit: 5667199

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 5667199. Configure here.

"@angular/platform-browser": "^17.3.0",
"@angular/platform-browser-dynamic": "^17.3.0",
"@angular/platform-server": "^17.3.0",
"@angular/platform-server": "^19.2.25",
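
Review bot: On the `@angular/platform-server` line the range moves to `^19.2.25` while `@angular/platform-browser` and `@angular/platform-browser-dynamic` directly above it stay at `^17.3.0`, so this manifest now declares two different Angular majors side by side. Either move the sibling `@angular/*` entries in the same change, or hold this entry on the existing major and record the reason, so the manifest states a single Angular major.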

Mismatched Angular platform-server version

High Severity

This change pins @angular/platform-server to ^19.2.25 while the Angular 17 SSR workspaces still depend on @angular/core, @angular/common, @angular/compiler, and @angular/platform-browser at ^17.3.0, plus @angular/ssr at ^17.3.8 and Angular 17 build tooling. @angular/platform-server 19.2.25 requires those peers at 19.2.25, so the stack is not a supported Angular combination and can fail install, build, or SSR at runtime.

Additional Locations (1)

Reviewed by Cursor Bugbot for commit 5667199. Configure here.
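
An added example (not code from this PR, from Dependabot, or from Angular) of the peer-range check behind the finding above: it lists the peer requirements of a bumped package that the workspace's declared ranges can no longer satisfy. The `peers` map is an assumption built from the review comment's wording rather than read from the published manifest, and only exact and caret ranges are handled.

```javascript
// Added example: find peer requirements of a bumped package that the workspace
// cannot satisfy. Handles only exact "X.Y.Z" and caret "^X.Y.Z" ranges.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Convert a range to a half-open interval [min, max).
function toInterval(range) {
  if (!range.startsWith('^')) {
    const min = parseVersion(range);
    return { min, max: [min[0], min[1], min[2] + 1] };
  }
  const min = parseVersion(range.slice(1));
  // Caret: the upper bound bumps the first non-zero component.
  const first = min.findIndex((n) => n !== 0);
  const idx = first === -1 ? 2 : first;
  const max = min.map((n, k) => (k < idx ? n : k === idx ? n + 1 : 0));
  return { min, max };
}

function rangesOverlap(a, b) {
  const A = toInterval(a), B = toInterval(b);
  const lo = compare(A.min, B.min) >= 0 ? A.min : B.min;
  const hi = compare(A.max, B.max) <= 0 ? A.max : B.max;
  return compare(lo, hi) < 0;
}

function peerConflicts(workspaceDeps, peerDeps) {
  return Object.entries(peerDeps)
    .filter(([name, required]) =>
      !(name in workspaceDeps) || !rangesOverlap(workspaceDeps[name], required))
    .map(([name, required]) => ({ name, required, declared: workspaceDeps[name] ?? null }));
}

// Constructed inputs: ranges as quoted in this PR's review comment.
const workspace = {
  '@angular/core': '^17.3.0', '@angular/common': '^17.3.0',
  '@angular/compiler': '^17.3.0', '@angular/platform-browser': '^17.3.0',
  '@angular/platform-server': '^19.2.25',
};
const names = Object.keys(workspace).filter((n) => n !== '@angular/platform-server');
const peers = Object.fromEntries(names.map((n) => [n, '19.2.25'])); // assumed from the comment
console.log(peerConflicts(workspace, peers).map((c) => `${c.name}: ${c.declared} vs ${c.required}`));
```

Run against the manifest before merging a single-package bump, this turns an install-time or SSR-time failure into a reviewable list of the entries that must move together.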

nx-cloud Bot commented Jun 15, 2026

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

To disable these notifications, a workspace admin can disable them in workspace settings.


View your CI Pipeline Execution ↗ for commit 5667199

| Command | Status | Duration | Result |
| --- | --- | --- | --- |
| nx test @e2e/angular-17-ssr | ❌ Failed | 1m 13s | View ↗ |
| nx test @snippet/angular-17-ssr | ❌ Failed | 1m 43s | View ↗ |
| nx test @e2e/react-sdk-next-pages | ✅ Succeeded | 5m 4s | View ↗ |
| nx test @e2e/nuxt | ✅ Succeeded | 5m 42s | View ↗ |
| nx test @e2e/angular-19-ssr | ✅ Succeeded | 5m 37s | View ↗ |
| nx test @e2e/react-native-74 | ✅ Succeeded | 4m 55s | View ↗ |
| nx test @e2e/react-sdk-next-14-app | ✅ Succeeded | 5m 19s | View ↗ |
| nx test @e2e/vue | ✅ Succeeded | 4m 39s | View ↗ |
| Additional runs (38) | ✅ Succeeded | ... | View ↗ |

💡 Dealing with memory or CPU issues? See memory and CPU details with the resource usage add-on ↗.


☁️ Nx Cloud last updated this comment at 2026-06-15 18:37:26 UTC
