build(deps): bump @angular/common from 19.2.20 to 21.2.9

[dependabot]

Bumps @angular/common from 19.2.20 to 21.2.9.

Release notes

Sourced from @​angular/common's releases.

21.2.9

core

Commit	Description
	escape forward slashes in transfer state to prevent crawler indexing

http

Commit	Description
	add CSP nonce support to JsonpClientBackend
	Don't on Passthru outside of reactive context

platform-server

Commit	Description
	prevent SSRF bypasses via protocol-relative and backslash URLs

router

Commit	Description
	normalize multiple leading slashes in URL parser

21.2.8

compiler

Commit	Description
	handle nested brackets in host object bindings

compiler-cli

Commit	Description
	error for type parameter declarations

core

Commit	Description
	handle missing serialized container hydration data
	remove obsolete iOS cursor pointer hack in event delegation

language-service

Commit	Description
	get quick info at local var location to align with TS semantics and support type narrowing

21.2.7

compiler

Commit	Description
	register SVG animation attributes in URL security context (#67797)

compiler-cli

Commit	Description
	prevent recursive scope checks for invalid NgModule imports

core

Commit	Description

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

21.2.9 (2026-04-15)

core

Commit	Type	Description
f603d4714f	fix	escape forward slashes in transfer state to prevent crawler indexing

http

Commit	Type	Description
540536c386	fix	add CSP nonce support to JsonpClientBackend
63a857b874	fix	Don't on Passthru outside of reactive context

platform-server

Commit	Type	Description
e0b5078cf2	fix	prevent SSRF bypasses via protocol-relative and backslash URLs

router

Commit	Type	Description
684e9fd53d	fix	normalize multiple leading slashes in URL parser

22.0.0-next.7 (2026-04-08)

Breaking Changes

core

• The second arguement of appRef.bootstrap does not accept any anymore. Make sure the element you pass is not nullable.
• • TypeScript versions older than 6.0 are no longer supported.
• ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponentFunction.
• ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponent function.

platform-browser

• This removes styles when they appear to no longer be used by an associated host. However other DOM on the page may still be affected by those styles if not leveraging ViewEncapsulation.Emulated or if those styles are used by elements outside of Angular, potentially causing other DOM to appear unstyled.

router

• The currentSnapshot parameter in CanMatchFn and the canMatch method of the CanMatch interface is now required. While this was already the behavior of the Router at runtime, existing class implementations of CanMatch must now include the third argument to satisfy the interface.

compiler

Commit	Type	Description
2ce0e98f79	fix	handle nested brackets in host object bindings

compiler-cli

Commit	Type	Description
7f9450219f	feat	Adds warning for prefetch without main defer trigger
ab061a7610	fix	error for type parameter declarations
9218140348	fix	resolve TCB mapping failure for safe property reads with as any

core

Commit	Type	Description
a0aa8304cd	feat	bootstrap via ApplicationRef with config
9c55fcb3e6	feat	de-duplicate host directives
8fe025f514	feat	drop support for TypeScript 5.9
77f1ca08e4	fix	handle missing serialized container hydration data

... (truncated)

Commits

• 540536c fix(http): add CSP nonce support to JsonpClientBackend
• 8102331 test(http): disable XSRF and mock location in HttpClient tests to avoid Domin...
• 13f050d test: construct local Date objects to fix timezone flakiness
• d0cf299 test: remove unsupported timezone from formatDate tests
• b4ab6ba fix(common): avoid redundant image fetch on destroy with auto sizes
• adda6c5 build: update aspect_rules_js to 3.0.2
• 93c6dc6 Revert "refactor(http): Improves base64 encoding/decoding with feature detect...
• 76431ed Revert "fix(http): correctly cache blob responses in transfer cache (#67002)"
• 277ade9 fix(http): correctly cache blob responses in transfer cache (#67002)
• aeb9b81 refactor(http): Improves base64 encoding/decoding with feature detection (#67...
• Additional commits viewable in compare view

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@angular/common	21.2.9	🟢 6.9	Details Check Score Reason Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 2 badge detected: InProgress Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found License 🟢 10 license file detected Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 35 contributing companies or organizations Vulnerabilities ⚠️ 0 75 existing vulnerabilities detected

Scanned Files

• package-lock.json