Commit graph

3500 commits

Author SHA1 Message Date
Andrew Scott
9f479ae964 feat(core): Update Testability to use PendingTasks for stability indicator
Since angular@12181b9, zone stability
contributes to the PendingTasks. There is now a single source of truth for application stability
tracked in PendingTasks. This change makes protractor's whenStable compatible with zoneless.
The `Router` and `HttpClient` also contribute to stability using the
`PendingTasks` injectable. There will likely be more updates in the
future to have more features contribute to stableness in a zoneless
compatible way.

This update uses PendingTasks for stability by default when ZoneJS is not present or
can be enabled with an option when ZoneJS is present (but otherwise ignored with ZoneJS).

fixes #68180
2026-04-20 13:08:43 -07:00
Andrew Scott
17d10f7a99 fix(router): set default paramsInheritanceStrategy to 'always'
Set the default value of paramsInheritanceStrategy to 'always'. This change ensures that route parameters are inherited from parent routes by default, which is the behavior most users expect. It simplifies routing configuration for the majority of use cases.

This change aligns Angular with other popular routing systems where child routes automatically have access to parent parameters:
- React Router: useParams() includes parent params.
- Vue Router: $route.params includes parent params.
- Next.js: params are passed to nested layouts and pages.
- TanStack Router: useParams() includes parent params with full type safety.

BREAKING CHANGE: paramsInheritanceStrategy now defaults to 'always'

The default value of paramsInheritanceStrategy has been changed from 'emptyOnly' to 'always'. This means that route parameters are inherited from all parent routes by default. To restore the previous behavior, set paramsInheritanceStrategy to 'emptyOnly' in your router configuration.
2026-04-17 14:27:43 -07:00
Matthieu Riegler
4e331062e8 feat(core): allow synchronous values for stream Resources
In order for resources to allow caching in SSR context (eg in the TransferState), resource need to be able to set their value synchronously.

If the resource value is not set synchronously, the resource will be in in a "loading" state which is responsible for destroying the server-hydrated resolved DOM.
2026-04-16 00:13:04 +03:00
Doug Parker
75f2cb8f56 feat(core): implement Angular DI graph in-page AI tool
This creates a new `angular:di-graph` in-page tool which returns the entire dependency injection graph for the application.

We use the following rough algorithm for discovering all element injectors:
1. Find all root `LView` objects by querying for `[ng-version]`.
2. Walk all the transitive `LView` descendants of the roots.
3. Filter these `LView` objects to just directives.
4. Find the injector for a given directive and walk up its ancestors to find all element injectors.

Discovering environment injectors works mostly the same way, just following the environment injector graph instead.

This approach has a few known limitations which are out of scope for the moment:
1. Any given component typically has both an element injector *and* an environment injector. The relationship of "component -> environment injector" is not expressed in the result as of now, meaning the AI doesn't really have any insight into _which_ environment injector is being used for a particular component, though the injector will be one of the returned values.
2. The implementation does not support MFE use cases of multiple applications on the page at the same time.
3. The performance is not ideal, as we walk `LView` descendants twice and walk up the injector tree for every directive, repeatedly covering the same scope (ideally we'd just walk up every *leaf* directive, which would cover the same result for less effort). However for a debug tool, this is likely fine for now and we can optimize later if/when it becomes necessary.

I did consider reusing more of the existing implementation in `global_utils` which exists to support Angular DevTools (we are already using some of it), however the existing support in `@angular/core` is actually fairly limited, returning very primitive data structures and relying on Angular DevTools to do the heavier lifting of collapsing the code into a usable graph representation. There's a potential path in the future to converge these implementations and potentially have `global_utils` use some of this code instead, but I will leave that for a future cleanup effort.
2026-04-14 18:35:51 +03:00
Doug Parker
de03e83980 refactor(core): add walkLViewDirectives
This walks all transitive descendant directives via the `LView` structure of the given input. This is a generic utility, but useful for finding all components in a tree to look for their associated `Injector` objects.

One known limitation is that this does not cover child components of i18n messages as that was more complicated than I wanted to get into right now.
2026-04-14 18:35:51 +03:00
Jaime Burgos
2f5ab541ea
feat(core): enhance profiling with documentation URLs
Enhances the Chrome DevTools performance profiling integration by adding links to relevant Angular documentation for lifecycle hooks and profiler events.
2026-04-13 22:37:11 +03:00
Matthieu Riegler
f9b74e90e3 refactor(core): simplifying the ComponentFactory usage
The `ComponentFactory` has been removed from the public API in #68055.
This commit continues the cleanup and also removes `ModuleWithComponentFactories` from the public API.
2026-04-13 22:24:18 +03:00
Matthieu Riegler
df9eed4ff1 refactor(core): remove ComponentFactoryResolver usages
This API was deprecated for a longtime, and was remove by #68055 from the public API.

We do have alternatives to this old API, so we can entirely remove it to spare some bytes
2026-04-13 16:00:03 +03:00
Doug Parker
0c1cc6a89d refactor(core): add registerAiTools function
This will centrally manage all the AI tools supported by Angular out of the box.
2026-04-13 14:12:48 +03:00
Doug Parker
5f5428dfc0 refactor(core): implement Angular signal graph tool
This provides an `angular:signal_graph` in-page tool which exposes the signal graph from the component rendered for a particular DOM element. It leverages the algorithm defined for Angular DevTools, which essentially means it takes the effects registered on the components injector and walks transitive dependencies to find all signals referenced by the component in an effect or the template.
2026-04-13 14:12:48 +03:00
Matthieu Riegler
70368ea94d refactor(http): Make BrowserXhr/XhrFactory tree-shakable
3bc095d made the `FetchBackend` the default, we shouldn't load anything Xhr related by default anymroe.
2026-04-13 13:56:03 +03:00
Jessica Janiuk
3c7641151c fix(core): escape forward slashes in transfer state to prevent crawler indexing
This commit escapes forward slashes in the transfer state JSON output as \u002F to prevent search engine crawlers from aggressively indexing relative paths inside the inline script tag. It also updates related unit and integration tests across core and platform-server.

Fixes #65310
2026-04-13 13:54:55 +03:00
Doug Parker
cdda51a3b2 feat(core): support bootstrapping Angular applications underneath shadow roots
This is a minimal implmentation which just focuses on registering parent shadow roots in `SharedStylesHost` correctly.

We don't currently reference count usage of host values, meaning that as soon as we call `removeHost`, all styles are removed from it, even if other components relied on them. Therefore there is no good way to know whether styles are still needed or not, leaving us with the choice of either leaking them longer than necessary or destroying them while another component still needs them. The compromise I'm using here is to delete styles when destroying a component under a shadow root (based on the assumption that only one component will exist per shadow root) and to leave styles when destroying a component in the main document (based on the assumption that dialogs being destroyed should not impact the main application).

Neither assumption is totally safe to make, but we're hoping this is a viable balance for the moment. In the future we should look into lifting these restrictions to better support those use cases while properly reference counting usage of hosts in `SharedStylesHost`.

I also added some small tests to confirm that SSR styles are not duplicated, as an earlier implementation accidentally duplicated them. This should ensure we don't repeat that mistake.
2026-04-10 21:44:08 +03:00
Doug Parker
df1f5d4394 refactor(core): move SharedStylesHost interface into @angular/core with a dedicated InjectionToken
This allows code in `@angular/core` to inject and use `SharedStylesHost`, even though the implementation is defined in `@angular/platform-browser`.
2026-04-10 21:44:08 +03:00
Jessica Janiuk
68628dd45b feat(platform-browser): make incremental hydration default behavior
This commit updates provideClientHydration to automatically enable incremental hydration by default. It also introduces a new withNoIncrementalHydration feature for opting out, adds conflict safety checks, and includes a schematic migration.
2026-04-09 18:53:13 +03:00
Angular Robot
8633f15613 build: update cross-repo angular dependencies
See associated pull request for more information.
2026-04-09 14:13:51 +03:00
Matthieu Riegler
a0aa8304cd feat(core): bootstrap via ApplicationRef with config
This is to align the shape of the method with `createComponent`

BREAKING CHANGE:The second arguement of appRef.bootstrap does not accept `any` anymore. Make sure the element you pass is not nullable.

fixes #67946
2026-04-07 12:48:53 -07:00
splincode
77f1ca08e4 fix(core): handle missing serialized container hydration data
Simplify the hydration regression test by removing conditional early-return branches and relying on direct Jasmine expectations while keeping strict typing and OnPush configuration.
2026-04-07 11:22:03 -07:00
Matthieu Riegler
b1f5181ffd refactor(core): remove ComponentFactoryResolver & ComponentFactory from the api surface""
Those APIs date back to pre-ivy times and are long deprecated.

BREAKING CHANGE: `ComponentFactoryResolver` and `ComponentFactory` are no longer available. Pass the component class directly to APIs that previously required a factory, such as `ViewContainerRef.createComponent` or use the standalone `createComponent` function.
2026-04-07 09:30:25 -07:00
Andrew Scott
ecae525970 Revert "refactor(core): remove ComponentFactoryResolver & ComponentFactory from the api surface"
This reverts commit 9d76ac8229.
g3 cleanup not complete
2026-04-06 09:24:11 -07:00
Kristiyan Kostadinov
9c55fcb3e6 feat(core): de-duplicate host directives
With host directives we can end up in a situation where the same directive applies multiple times to the same element, potentially with conflicting configurations. The runtime isn't set up for a directive to apply more than once so historically we were throwing an error when we detect duplicates.

This ended up limiting the usefulness of host directives to library authors, because it meant that host directives couldn't be reused as much as authors wanted. To address the issue, these changes introduce logic in the compiler and runtime that will de-duplicate host directives with the following logic:

1. If a directive matches once in the template and more than once as a host directive, the host directive matches will be discarded and only the template match will apply. The mental model is that a host directive match represents `Partial<YourDirective>` while a template match represents the full `YourDirective`.
2. If a directive matches multiple times as a host directive, we merge the input/output mappings from all the instances into a single one. If we detect a case where an input/output is exposed under multiple names during the merging process, both the compiler and the runtime will produce an error.

Fixes #57846.
2026-04-03 09:44:39 -07:00
Matthieu Riegler
9d76ac8229 refactor(core): remove ComponentFactoryResolver & ComponentFactory from the api surface
Those APIs date back to pre-ivy times and are long deprecated.

BREAKING CHANGE: `ComponentFactoryResolver` and `ComponentFactory` are no longer available. Pass the component class directly to APIs that previously required a factory, such as `ViewContainerRef.createComponent` or use the standalone `createComponentFunction`.
2026-04-02 16:00:57 -07:00
Jessica Janiuk
30f63fc1c2 refactor(core): address review comments on NG0750 error message
This commit addresses review comments from AndrewKushnir regarding conditional formatting of error messages and updating tests.
2026-04-02 14:55:42 -07:00
Jessica Janiuk
8218d2e34a refactor(core): Add more detail to NG0750 error message
This adds a bit more context to the NG0750 error message to provide details about which module failed to load when executing the dependencyResolverFn. This can help with debugging a failed lazy load in a defer block.
2026-04-02 14:55:42 -07:00
SkyZeroZx
c15e3a005d test(core): refactors test to use timeout utility
Replaces direct `setTimeout` wrapped in a Promise with the `timeout` helper from `@angular/private/testing`
2026-04-01 20:46:00 +02:00
Angular Robot
436c5df488 build: update cross-repo angular dependencies to v22.0.0-next.4
See associated pull request for more information.
2026-04-01 18:31:00 +02:00
Alan Agius
e84e35cdd6 fix(core): prevent binding unsafe attributes on SVG animation elements (#67797)
SVG animation elements (`animate` and `set`) can be used to animate sensitive attributes like `href` or `xlink:href`. Binding to these animation attributes (like `to`, `from`, or `values`) with a sensitive target creates an XSS vector.

This change mitigates this risk by:
1. Classifying `to`, `from`, and `values` on `<animate>` and `<set>` elements as `ATTRIBUTE_NO_BINDING` in the DOM security schema to prevent standard dynamic bindings.
2. Adding runtime validations in `ɵɵvalidateAttribute` to verify that `attributeName` is not a sensitive attribute (such as `href` or `xlink:href`) when processed by a set of `SECURITY_SENSITIVE_ATTRIBUTE_NAMES`. If it is, a runtime error `UNSAFE_ATTRIBUTE_BINDING` is thrown.
3. Adding regression tests in `integration_spec.ts` to ensure unsafe bindings throw an error while safe ones pass correctly.

PR Close #67797
2026-04-01 11:43:58 +02:00
Alan Agius
028e1d3ce0 fix(core): treat object[data] as resource URL context (#67797)
Previously, the `data` attribute of the `<object>` tag was being sanitized as a regular URL instead of a `ResourceURL`, which is security-sensitive.
This commit updates the runtime sanitization logic to correctly identify `object[data]` as a `ResourceURL` context. Additionally, the sanitizer lookup logic has been refactored to use a more efficient lookup map (`RESOURCE_MAP`) instead of multiple `Set` lookups, providing better performance and maintainability.

Added tests to verify the correct sanitization of `object[data]` and its behavior with trusted values.

PR Close #67797
2026-04-01 11:43:58 +02:00
Alan Agius
08d36599d7 fix(compiler): register SVG animation attributes in URL security context (#67797)
This change is a security hardening measure to prevent potentially unsafe attribute value manipulation through SVG animations. By mapping `animate|to`, `animate|from`, `animate|values`, and `set|to` to the `SecurityContext.URL`,  Angular will now automatically sanitize these attributes.

PR Close #67797
2026-04-01 11:43:58 +02:00
Doug Parker
7ba8929504 test: fix flakiness in image-directive e2e tests
Fixes race conditions where intermediate layout renders caused the browser to emit 'largest-contentful-paint' events or 'load' events that led to inconsistent console logs. Updated tests to correctly wait for elements to stabilize and properly filter expected log messages.
2026-04-01 08:40:42 +02:00
Angular Robot
34e1d49b75 build: update cross-repo angular dependencies
See associated pull request for more information.
2026-03-27 14:01:21 +01:00
Alan Agius
b40d11eec4 build: consolidate domino bundling in platform-server
Move the domino bundling logic and related shims into a centralized third_party directory within packages/platform-server. This avoids duplication of the bundling logic and ensures consistent shimming across the platform-server package and its entry points.

Following a conversation with OSS licensing, this change also includes the domino LICENSE file in the generated npm package to comply with licensing requirements for bundled third-party code.

```
├── fesm2022
│   ├── init.mjs
│   ├── init.mjs.map
│   ├── platform-server.mjs
│   ├── platform-server.mjs.map
│   ├── _server-chunk.mjs
│   ├── _server-chunk.mjs.map
│   ├── testing.mjs
│   └── testing.mjs.map
├── LICENSE
├── package.json
├── README.md
├── third_party
│   └── domino
│       ├── bundled-domino.d.ts
│       ├── bundled-domino.mjs
│       ├── bundled-domino.mjs.map
│       └── LICENSE
└── types
    ├── init.d.ts
    ├── platform-server.d.ts
    └── testing.d.ts
```
2026-03-25 13:31:05 -07:00
Alex Rickabaugh
16adbbf423 fix(core): ensure custom controls resolve transitive host directives
Custom controls can be modeled using a set of host directives to alias
and expose value and valueChange (or checked/checkedChange) bindings,
as well as native attributes like disabled.

This commit updates initializeCustomControlStatus to correctly identify
host components using mapped inputs/outputs, even when those inputs are
exposed via transitive host directives. It also updates
customControlHasInput so that the custom control presence check correctly
evaluates the exposed inputs across all applied host directives, caching
the result to optimize performance on hot code paths.
2026-03-25 13:00:46 -07:00
Matthieu Riegler
eae8f7e30b feat(core): Set default Component changeDetection strategy to OnPush
The default change detection strategy is now OnPush.

BREAKING CHANGE: Component with undefined `changeDetection` property are now `OnPush` by default. Specify `changeDetection: ChangeDetectionStrategy.Eager` to keep the previous behavior.
2026-03-24 16:25:02 -07:00
Jessica Janiuk
dfa149dc68 fix(core): fixes a regression with animate.leave and reordering
This fixes a regression bug that resulted in reordered elements not getting properly removed from the DOM. Reused nodes were not being cleared out in this situation.

fixes: #67728
2026-03-19 15:51:57 -07:00
Angular Robot
c9e6263e0e build: update cross-repo angular dependencies
See associated pull request for more information.
2026-03-19 15:04:54 -07:00
Jessica Janiuk
890c97301f Revert "refactor(core): Ensure determineLongestAnimation is run synchronously after style applies"
This reverts commit 318ade062e.
2026-03-18 11:30:35 -06:00
JoostK
523d69a768 fix(core): run linked signal equality check without reactive consumer
This commit ports the changes in #55818 from `computed` to `linkedSignal`,
which duplicates the core logic to recompute the downstream value for an
upstream change.
2026-03-17 13:59:38 -06:00
Matthieu Riegler
69fb1614ef refactor(core): remove checkNoChanges from the public API.
It's an internal API.

BREAKING CHANGE: `ChangeDetectorRef.checkNoChanges` was removed. In tests use `fixture.detectChanges()` instead.
2026-03-17 13:57:43 -06:00
Alex Rickabaugh
c4ce3f345f feat(forms): template & reactive support for FVC
Implement support for `FormUiComponent`s in both Reactive and Template-driven
forms. This allows components that use the new signal-based form control
architecture to be used seamlessly within existing Angular form paradigms.

Key changes:
- Integrated `ɵngControlCreate` and `ɵngControlUpdate` lifecycle hooks into
  `NgModel`, `FormControlDirective`, and `FormControlName`.
- Implemented branching logic to choose between the traditional `ControlValueAccessor` (CVA) path and the new FVC path based on the host element's capabilities.
- Added comprehensive unit tests for FVC integration in both Reactive (`reactive_fvc.spec.ts`) and Template-driven (`template_fvc.spec.ts`) forms, covering:
    - Value synchronization (model -> view and view -> model).
    - Status synchronization (touched, dirty, valid, invalid, pending, required).
    - Error propagation and `parseErrors` support.
    - Fallback behavior to native DOM properties (disabled, required) when FVC inputs are missing.
    - Graceful fallback to CVA when no FVC pattern is detected.
- Refined `NgModel` to correctly handle `required` validation via its existing `RequiredValidator` directive while supporting FVC for other properties.
2026-03-17 13:18:26 -06:00
Alex Rickabaugh
b2f08574e8 refactor(forms): base implementation of custom control binding in NgControl
Update `NgControl` to support binding to custom controls via the new `ngControlCreate` and
`ngControlUpdate` lifecycle hooks. This will allow Reactive and Template-driven forms to integrate
with components that use the new `FormValueControl` (FVC) binding convention.

Key changes:
- Implement synchronization of control state between `FormControl` and custom controls.
- Add support for `parseErrors` signals from custom controls, integrating them into the Reactive
  Forms validation loop via a dynamic validator.
- Convert Reactive Forms errors into `ReactiveValidationError` objects for consumption by custom
  controls.
- Update `NgModel`, `FormControlDirective`, and `FormControlName` to provide necessary dependencies
  (`Injector`, `Renderer2`) to `NgControl`.
- Rename `setUpControl` to `setUpControlValueAccessor` to clarify its role in the traditional
  CVA path.
2026-03-17 13:18:26 -06:00
Alex Rickabaugh
d1576ee92b refactor(forms): introduce signal for required validator status
Introduces an internal signal that tracks whether `Validators.required` is in the set of validators
for an `AbstractControl`. This signal is updated whenever the validators are changed.
2026-03-17 13:18:26 -06:00
hawkgs
264f3510a7 refactor(core): abstract control flow discovery utilities (#66167)
Create a universal mechanism for adding and managing control flow discovery utilities. Those utilities are intended to be consumed by third parties via the `ng` global interface.

PR Close #66167
2026-03-16 14:17:25 -07:00
Max Millien
dc0446552a fix(core): clean up dehydrated views during HMR component replacement
During HMR, `recreateLView()` destroys the old LView and removes its
DOM nodes, but never cleans up dehydrated view DOM nodes stored in
`LContainer[DEHYDRATED_VIEWS]`. These are SSR-rendered DOM nodes
preserved by Angular's hydration system. When the new view renders,
both the old dehydrated DOM and the new DOM coexist, causing visible
duplication (e.g. `<app-shell>` header/footer appearing twice).

Call `cleanupLView` from the hydration cleanup module after
`destroyLView` and before `removeViewFromDOM` to remove any remaining
dehydrated DOM nodes before the replacement view is rendered.

Fixes #66503
2026-03-16 10:04:06 -06:00
Angular Robot
ada150c693 build: update cross-repo angular dependencies
See associated pull request for more information.
2026-03-13 16:26:41 -06:00
Jessica Janiuk
318ade062e refactor(core): Ensure determineLongestAnimation is run synchronously after style applies
This adds a setTimeout, which guarantees that we call getAnimations one frame after a reflow is finished. This means getAnimations will return data, avoiding needing the expensive fallback of getComputedStyles. It also updates the cleanup to prevent a potential memory leak if the component is destroyed before the timeout runs.
2026-03-13 13:03:11 -06:00
Jessica Janiuk
df659b8d0c feat(core): re-introduce nested leave animations scoped to component boundaries
This commit re-introduces support for nested leave animations with a critical adjustment to prevent cross-component blocking. Wait for nested inner `animate.leave` transitions natively only when they exist within the same component's view or its embedded tracking structures (like `@if` and `@for`).

This resolves the issue where route navigations and parental destruction would excessively stall by traversing down into child component architectures to wait for their distinct leaf animations.

BREAKING CHANGE: Leave animations are no longer limited to the element being removed.

Fixes #67633
2026-03-13 13:01:55 -06:00
Jessica Janiuk
17d8a88ddc refactor(core): Update determineLongestAnimation to account for playback rate
This updates the determineLongestAnimation code to also calculate the playback rate in with the duration, which should also account for timing when testing with playback rates changed in devtools.
2026-03-12 17:36:50 -06:00
Kristiyan Kostadinov
de0eb4c656 fix(core): sanitize translated form attributes
Fixes that we weren't sanitizing the `form` and `formaction` attributes when they're used together with translations.
2026-03-12 11:01:26 -06:00
Jessica Janiuk
999c14eaab fix(core): reverts "feat(core): add support for nested animations"
This reverts commit ea2016a6dc.

This reverts the support for nested animations due to the global scope of how nested animations were gathered.
This caused issues where on route navigations, all child nodes with animations would be queued and run before the navigation would occur.
We'll be revisiting the nested animations with a more tightened scope of when those leave animations will occur.

fixes: #67552
2026-03-12 10:58:03 -06:00