chore(deps): bump @angular/platform-server from 17.3.12 to 19.2.22

[dependabot]

Bumps @angular/platform-server from 17.3.12 to 19.2.22.

Release notes

Sourced from @​angular/platform-server's releases.

19.2.22

core

Commit	Description
	disallow event attribute bindings in host bindings unconditionally (#68469)
	validate security-sensitive attributes in i18n bindings (#68469)

platform-server

Commit	Description
	add allowedHosts option to renderModule and renderApplication
	ensure origin has a trailing slash when parsing url (#68469)

19.2.21

platform-server

Commit	Description
	prevent SSRF bypasses via protocol-relative and backslash URLs

19.2.20

compiler

Commit	Description
	disallow translations of iframe src

core

Commit	Description
	sanitize translated attribute bindings with interpolations
	sanitize translated form attributes

19.2.19

core

Commit	Description
	block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

• Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

  (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

19.2.18

core

Commit	Description
	sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit	Description

... (truncated)

Changelog

Sourced from @​angular/platform-server's changelog.

19.2.22 (2026-05-12)

core

Commit	Type	Description
83a640516f	fix	disallow event attribute bindings in host bindings unconditionally (#68469)
24a0103a98	fix	validate security-sensitive attributes in i18n bindings (#68469)

platform-server

Commit	Type	Description
8569db8875	fix	add allowedHosts option to renderModule and renderApplication
837a710217	fix	ensure origin has a trailing slash when parsing url (#68469)

20.3.21 (2026-05-12)

platform-server

Commit	Type	Description
f584840e2e	fix	add allowedHosts option to renderModule and renderApplication

22.0.0-next.12 (2026-05-08)

core

Commit	Type	Description
8ebae1de33	fix	allow service with factory on abstract classes
6f525245cd	fix	disallow event attribute bindings in host bindings unconditionally

migrations

Commit	Type	Description
0f2160c410	fix	remove compiler import from safe optional chaining migration

platform-server

Commit	Type	Description
a451a1d66e	fix	add allowedHosts option to renderModule and renderApplication

22.0.0-next.11 (2026-05-06)

Breaking Changes

forms

• min and max validation rules no longer support string values. Bound values must be numbers or null.

Deprecations

http

• The reportProgress option is deprecated please use reportUploadProgress & reportDownloadProgress instead.

... (truncated)

Commits

• 8569db8 fix(platform-server): add allowedHosts option to renderModule and `render...
• 837a710 fix(platform-server): ensure origin has a trailing slash when parsing url (#6...
• f3a5bfb fix(platform-server): prevent SSRF bypasses via protocol-relative and backsla...
• 70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
• a6d5479 build: migrate platform-server to rules_js (#61619)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 8edafd0 perf(platform-server): speed up resolution of base (#61392)
• 899cb4a refactor: add explicit types for exports relying on inferred call return type...
• 1312eb1 build: remove irrelevant madge circular deps tests (#61209)
• a6f0d5b fix(platform-server): less aggressive ngServerMode cleanup (#61106)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Medium Risk
This is a major-version upgrade of @angular/platform-server in SSR e2e/snippet apps, which can introduce runtime/build incompatibilities with the rest of the Angular 17 dependency set despite being dependency-only changes.

Overview
Updates the Angular 17 SSR e2e and snippet workspaces to depend on @angular/platform-server ^19.2.22 (from ^17.3.0).

Refreshes yarn.lock to drop the 17.3.12 resolution and add the 19.2.22 resolution, updating the workspace dependency graph to match.

^{Reviewed by Cursor Bugbot for commit 329d13f. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 329d13f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 329d13f. Configure here.}

[cursor]

Incompatible Angular major version mismatch breaks SSR

High Severity

@angular/platform-server is bumped to ^19.2.22 while all other Angular packages remain at ^17.3.0. The resolved @angular/platform-server@19.2.22 has exact peer dependencies on @angular/common@19.2.22, @angular/compiler@19.2.22, @angular/core@19.2.22, and @angular/platform-browser@19.2.22. Angular packages must all be the same version — mixing v19 with v17 will cause unmet peer dependency errors and runtime failures during server-side rendering.

Additional Locations (1)

• packages/sdks/snippets/angular-17-ssr/package.json#L21-L22

 

^{Reviewed by Cursor Bugbot for commit 329d13f. Configure here.}

[nx-cloud]

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

_{To disable these notifications, a workspace admin can disable them in workspace settings.}

---

View your CI Pipeline Execution ↗ for commit 329d13f

Command	Status	Duration	Result
nx test @e2e/angular-17-ssr	❌ Failed	1m 58s	View ↗
nx test @snippet/angular-17-ssr	❌ Failed	2m 2s	View ↗
nx test @e2e/qwik-city	✅ Succeeded	8m 49s	View ↗
nx test @e2e/nextjs-sdk-next-app	✅ Succeeded	8m 25s	View ↗
nx test @e2e/angular-17	✅ Succeeded	7m 41s	View ↗
nx test @e2e/nuxt	✅ Succeeded	7m 8s	View ↗
nx test @e2e/angular-19-ssr	✅ Succeeded	6m 38s	View ↗
nx test @e2e/react-sdk-next-15-app	✅ Succeeded	6m 29s	View ↗
Additional runs (38)	✅ Succeeded	...	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-05-19 22:31:52 UTC