@angular/build 19.0.0-next.9 → 19.0.0-rc.0

package/src/tools/vite/plugins/setup-middlewares-plugin.js

@@ -38,9 +38,10 @@ function createAngularSetupMiddlewaresPlugin(options) {
         name: 'vite:angular-setup-middlewares',
         enforce: 'pre',
         configureServer(server) {
-            const { indexHtmlTransformer, outputFiles, extensionMiddleware, assets, usedComponentStyles, ssrMode, } = options;
+            const { indexHtmlTransformer, outputFiles, extensionMiddleware, assets, usedComponentStyles, templateUpdates, ssrMode, } = options;
             // Headers, assets and resources get handled first
             server.middlewares.use((0, middlewares_1.createAngularHeadersMiddleware)(server));
+            server.middlewares.use((0, middlewares_1.createAngularComponentMiddleware)(templateUpdates));
             server.middlewares.use((0, middlewares_1.createAngularAssetsMiddleware)(server, assets, outputFiles, usedComponentStyles));
             extensionMiddleware?.forEach((middleware) => server.middlewares.use(middleware));
             // Returning a function, installs middleware after the main transform middleware but

package/src/tools/vite/utils.d.ts

@@ -7,6 +7,7 @@
  */
 export type AngularMemoryOutputFiles = Map<string, {
     contents: Uint8Array;
+    hash: string;
     servable: boolean;
 }>;
 export declare function pathnameWithoutBasePath(url: string, basePath: string): string;

package/src/typings.d.ts

@@ -6,7 +6,7 @@
  * found in the LICENSE file at https://angular.dev/license
  */
 
-// The `bundled_critters` causes issues with module mappings in Bazel,
+// The `bundled_beasties` causes issues with module mappings in Bazel,
 // leading to unexpected behavior with esbuild. Specifically, the problem occurs
 // when esbuild resolves to a different module or version than expected, due to
 // how Bazel handles module mappings.

package/src/utils/environment-options.js

@@ -83,6 +83,6 @@ exports.useJSONBuildLogs = isPresent(buildLogsJsonVariable) && isEnabled(buildLo
 const optimizeChunksVariable = process.env['NG_BUILD_OPTIMIZE_CHUNKS'];
 exports.shouldOptimizeChunks = isPresent(optimizeChunksVariable) && isEnabled(optimizeChunksVariable);
 const hmrComponentStylesVariable = process.env['NG_HMR_CSTYLES'];
-exports.useComponentStyleHmr = isPresent(hmrComponentStylesVariable) && isEnabled(hmrComponentStylesVariable);
+exports.useComponentStyleHmr = !isPresent(hmrComponentStylesVariable) || !isDisabled(hmrComponentStylesVariable);
 const partialSsrBuildVariable = process.env['NG_BUILD_PARTIAL_SSR'];
 exports.usePartialSsrBuild = isPresent(partialSsrBuildVariable) && isEnabled(partialSsrBuildVariable);

package/src/utils/index-file/auto-csp.d.ts

@@ -0,0 +1,23 @@
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.dev/license
+ */
+/**
+ * Calculates a CSP compatible hash of an inline script.
+ * @param scriptText Text between opening and closing script tag. Has to
+ *     include whitespaces and newlines!
+ * @returns The hash of the text formatted appropriately for CSP.
+ */
+export declare function hashTextContent(scriptText: string): string;
+/**
+ * Finds all `<script>` tags and creates a dynamic script loading block for consecutive `<script>` with `src` attributes.
+ * Hashes all scripts, both inline and generated dynamic script loading blocks.
+ * Inserts a `<meta>` tag at the end of the `<head>` of the document with the generated hash-based CSP.
+ *
+ * @param html Markup that should be processed.
+ * @returns The transformed HTML that contains the `<meta>` tag CSP and dynamic loader scripts.
+ */
+export declare function autoCsp(html: string, unsafeEval?: boolean): Promise<string>;

package/src/utils/index-file/auto-csp.js

@@ -0,0 +1,283 @@
+"use strict";
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.dev/license
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hashTextContent = hashTextContent;
+exports.autoCsp = autoCsp;
+const crypto = __importStar(require("node:crypto"));
+const html_rewriting_stream_1 = require("./html-rewriting-stream");
+/**
+ * The hash function to use for hash directives to use in the CSP.
+ */
+const HASH_FUNCTION = 'sha256';
+/**
+ * Get the specified attribute or return undefined if the tag doesn't have that attribute.
+ *
+ * @param tag StartTag of the <script>
+ * @returns
+ */
+function getScriptAttributeValue(tag, attrName) {
+    return tag.attrs.find((attr) => attr.name === attrName)?.value;
+}
+/**
+ * Checks whether a particular string is a MIME type associated with JavaScript, according to
+ * https://developer.mozilla.org/en-US/docs/Web/HTTP/MIME_types#textjavascript
+ *
+ * @param mimeType a string that may be a MIME type
+ * @returns whether the string is a MIME type that is associated with JavaScript
+ */
+function isJavascriptMimeType(mimeType) {
+    return mimeType.split(';')[0] === 'text/javascript';
+}
+/**
+ * Which of the type attributes on the script tag we should try passing along
+ * based on https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script/type
+ * @param scriptType the `type` attribute on the `<script>` tag under question
+ * @returns whether to add the script tag to the dynamically loaded script tag
+ */
+function shouldDynamicallyLoadScriptTagBasedOnType(scriptType) {
+    return (scriptType === undefined ||
+        scriptType === '' ||
+        scriptType === 'module' ||
+        isJavascriptMimeType(scriptType));
+}
+/**
+ * Calculates a CSP compatible hash of an inline script.
+ * @param scriptText Text between opening and closing script tag. Has to
+ *     include whitespaces and newlines!
+ * @returns The hash of the text formatted appropriately for CSP.
+ */
+function hashTextContent(scriptText) {
+    const hash = crypto.createHash(HASH_FUNCTION).update(scriptText, 'utf-8').digest('base64');
+    return `'${HASH_FUNCTION}-${hash}'`;
+}
+/**
+ * Finds all `<script>` tags and creates a dynamic script loading block for consecutive `<script>` with `src` attributes.
+ * Hashes all scripts, both inline and generated dynamic script loading blocks.
+ * Inserts a `<meta>` tag at the end of the `<head>` of the document with the generated hash-based CSP.
+ *
+ * @param html Markup that should be processed.
+ * @returns The transformed HTML that contains the `<meta>` tag CSP and dynamic loader scripts.
+ */
+async function autoCsp(html, unsafeEval = false) {
+    const { rewriter, transformedContent } = await (0, html_rewriting_stream_1.htmlRewritingStream)(html);
+    let openedScriptTag = undefined;
+    let scriptContent = [];
+    const hashes = [];
+    /**
+     * Generates the dynamic loading script and puts it in the rewriter and adds the hash of the dynamic
+     * loader script to the collection of hashes to add to the <meta> tag CSP.
+     */
+    function emitLoaderScript() {
+        const loaderScript = createLoaderScript(scriptContent);
+        hashes.push(hashTextContent(loaderScript));
+        rewriter.emitRaw(`<script>${loaderScript}</script>`);
+        scriptContent = [];
+    }
+    rewriter.on('startTag', (tag, html) => {
+        if (tag.tagName === 'script') {
+            openedScriptTag = tag;
+            const src = getScriptAttributeValue(tag, 'src');
+            if (src) {
+                // If there are any interesting attributes, note them down.
+                const scriptType = getScriptAttributeValue(tag, 'type');
+                if (shouldDynamicallyLoadScriptTagBasedOnType(scriptType)) {
+                    scriptContent.push({
+                        src: src,
+                        type: scriptType,
+                        async: getScriptAttributeValue(tag, 'async') !== undefined,
+                        defer: getScriptAttributeValue(tag, 'defer') !== undefined,
+                    });
+                    return; // Skip writing my script tag until we've read it all.
+                }
+            }
+        }
+        // We are encountering the first start tag that's not <script src="..."> after a string of
+        // consecutive <script src="...">. <script> tags without a src attribute will also end a chain
+        // of src attributes that can be loaded in a single loader script, so those will end up here.
+        //
+        // The first place when we can determine this to be the case is
+        // during the first opening tag that's not <script src="...">, where we need to insert the
+        // dynamic loader script before continuing on with writing the rest of the tags.
+        // (One edge case is where there are no more opening tags after the last <script src="..."> is
+        // closed, but this case is handled below with the final </body> tag.)
+        if (scriptContent.length > 0) {
+            emitLoaderScript();
+        }
+        rewriter.emitStartTag(tag);
+    });
+    rewriter.on('text', (tag, html) => {
+        if (openedScriptTag && !getScriptAttributeValue(openedScriptTag, 'src')) {
+            hashes.push(hashTextContent(html));
+        }
+        rewriter.emitText(tag);
+    });
+    rewriter.on('endTag', (tag, html) => {
+        if (openedScriptTag && tag.tagName === 'script') {
+            const src = getScriptAttributeValue(openedScriptTag, 'src');
+            const scriptType = getScriptAttributeValue(openedScriptTag, 'type');
+            openedScriptTag = undefined;
+            // Return early to avoid writing the closing </script> tag if it's a part of the
+            // dynamic loader script.
+            if (src && shouldDynamicallyLoadScriptTagBasedOnType(scriptType)) {
+                return;
+            }
+        }
+        if (tag.tagName === 'body' || tag.tagName === 'html') {
+            // Write the loader script if a string of <script>s were the last opening tag of the document.
+            if (scriptContent.length > 0) {
+                emitLoaderScript();
+            }
+        }
+        rewriter.emitEndTag(tag);
+    });
+    const rewritten = await transformedContent();
+    // Second pass to add the header
+    const secondPass = await (0, html_rewriting_stream_1.htmlRewritingStream)(rewritten);
+    secondPass.rewriter.on('startTag', (tag, _) => {
+        secondPass.rewriter.emitStartTag(tag);
+        if (tag.tagName === 'head') {
+            // See what hashes we came up with!
+            secondPass.rewriter.emitRaw(`<meta http-equiv="Content-Security-Policy" content="${getStrictCsp(hashes, {
+                enableBrowserFallbacks: true,
+                enableTrustedTypes: false,
+                enableUnsafeEval: unsafeEval,
+            })}">`);
+        }
+    });
+    return secondPass.transformedContent();
+}
+/**
+ * Returns a strict Content Security Policy for mitigating XSS.
+ * For more details read csp.withgoogle.com.
+ * If you modify this CSP, make sure it has not become trivially bypassable by
+ * checking the policy using csp-evaluator.withgoogle.com.
+ *
+ * @param hashes A list of sha-256 hashes of trusted inline scripts.
+ * @param enableTrustedTypes If Trusted Types should be enabled for scripts.
+ * @param enableBrowserFallbacks If fallbacks for older browsers should be
+ *   added. This is will not weaken the policy as modern browsers will ignore
+ *   the fallbacks.
+ * @param enableUnsafeEval If you cannot remove all uses of eval(), you can
+ *   still set a strict CSP, but you will have to use the 'unsafe-eval'
+ *   keyword which will make your policy slightly less secure.
+ */
+function getStrictCsp(hashes, 
+// default CSP options
+cspOptions = {
+    enableBrowserFallbacks: true,
+    enableTrustedTypes: false,
+    enableUnsafeEval: false,
+}) {
+    hashes = hashes || [];
+    const strictCspTemplate = {
+        // 'strict-dynamic' allows hashed scripts to create new scripts.
+        'script-src': [`'strict-dynamic'`, ...hashes],
+        // Restricts `object-src` to disable dangerous plugins like Flash.
+        'object-src': [`'none'`],
+        // Restricts `base-uri` to block the injection of `<base>` tags. This
+        // prevents attackers from changing the locations of scripts loaded from
+        // relative URLs.
+        'base-uri': [`'self'`],
+    };
+    // Adds fallbacks for browsers not compatible to CSP3 and CSP2.
+    // These fallbacks are ignored by modern browsers in presence of hashes,
+    // and 'strict-dynamic'.
+    if (cspOptions.enableBrowserFallbacks) {
+        // Fallback for Safari. All modern browsers supporting strict-dynamic will
+        // ignore the 'https:' fallback.
+        strictCspTemplate['script-src'].push('https:');
+        // 'unsafe-inline' is only ignored in presence of a hash or nonce.
+        if (hashes.length > 0) {
+            strictCspTemplate['script-src'].push(`'unsafe-inline'`);
+        }
+    }
+    // If enabled, dangerous DOM sinks will only accept typed objects instead of
+    // strings.
+    if (cspOptions.enableTrustedTypes) {
+        strictCspTemplate['require-trusted-types-for'] = ['script'];
+    }
+    // If enabled, `eval()`-calls will be allowed, making the policy slightly
+    // less secure.
+    if (cspOptions.enableUnsafeEval) {
+        strictCspTemplate['script-src'].push(`'unsafe-eval'`);
+    }
+    return Object.entries(strictCspTemplate)
+        .map(([directive, values]) => {
+        return `${directive} ${values.join(' ')};`;
+    })
+        .join('');
+}
+/**
+ * Returns JS code for dynamically loading sourced (external) scripts.
+ * @param srcList A list of paths for scripts that should be loaded.
+ */
+function createLoaderScript(srcList, enableTrustedTypes = false) {
+    if (!srcList.length) {
+        throw new Error('Cannot create a loader script with no scripts to load.');
+    }
+    const srcListFormatted = srcList
+        .map((s) => {
+        // URI encoding means value can't escape string, JS, or HTML context.
+        const srcAttr = encodeURI(s.src).replaceAll("'", "\\'");
+        // Can only be 'module' or a JS MIME type or an empty string.
+        const typeAttr = s.type ? "'" + s.type + "'" : undefined;
+        const asyncAttr = s.async ? 'true' : 'false';
+        const deferAttr = s.defer ? 'true' : 'false';
+        return `['${srcAttr}', ${typeAttr}, ${asyncAttr}, ${deferAttr}]`;
+    })
+        .join();
+    return enableTrustedTypes
+        ? `
+  var scripts = [${srcListFormatted}];
+  var policy = self.trustedTypes && self.trustedTypes.createPolicy ?
+    self.trustedTypes.createPolicy('angular#auto-csp', {createScriptURL: function(u) {
+      return scripts.includes(u) ? u : null;
+    }}) : { createScriptURL: function(u) { return u; } };
+  scripts.forEach(function(scriptUrl) {
+    var s = document.createElement('script');
+    s.src = policy.createScriptURL(scriptUrl[0]);
+    s.type = scriptUrl[1];
+    s.async = !!scriptUrl[2];
+    s.defer = !!scriptUrl[3];
+    document.body.appendChild(s);
+  });\n`
+        : `
+  var scripts = [${srcListFormatted}];
+  scripts.forEach(function(scriptUrl) {
+    var s = document.createElement('script');
+    s.src = scriptUrl[0];
+    s.type = scriptUrl[1];
+    s.async = !!scriptUrl[2];
+    s.defer = !!scriptUrl[3];
+    document.body.appendChild(s);
+  });\n`;
+}

package/src/utils/index-file/html-rewriting-stream.d.ts

@@ -5,7 +5,11 @@
  * Use of this source code is governed by an MIT-style license that can be
  * found in the LICENSE file at https://angular.dev/license
  */
+import type { RewritingStream } from 'parse5-html-rewriting-stream';
+export type StartTag = Parameters<RewritingStream['emitStartTag']>[0];
+export type EndTag = Parameters<RewritingStream['emitEndTag']>[0];
+export type { RewritingStream };
 export declare function htmlRewritingStream(content: string): Promise<{
-    rewriter: import('parse5-html-rewriting-stream').RewritingStream;
+    rewriter: RewritingStream;
     transformedContent: () => Promise<string>;
 }>;

package/src/utils/index-file/index-html-generator.d.ts

@@ -20,6 +20,9 @@ export interface IndexHtmlGeneratorProcessOptions {
         as?: string;
     }[];
 }
+export interface AutoCspOptions {
+    unsafeEval: boolean;
+}
 export interface IndexHtmlGeneratorOptions {
     indexPath: string;
     deployUrl?: string;
@@ -31,6 +34,7 @@ export interface IndexHtmlGeneratorOptions {
     cache?: NormalizedCachedOptions;
     imageDomains?: string[];
     generateDedicatedSSRContent?: boolean;
+    autoCsp?: AutoCspOptions;
 }
 export type IndexHtmlTransform = (content: string) => Promise<string>;
 export interface IndexHtmlPluginTransformResult {

package/src/utils/index-file/index-html-generator.js

@@ -12,6 +12,7 @@ const promises_1 = require("node:fs/promises");
 const node_path_1 = require("node:path");
 const add_event_dispatch_contract_1 = require("./add-event-dispatch-contract");
 const augment_index_html_1 = require("./augment-index-html");
+const auto_csp_1 = require("./auto-csp");
 const inline_critical_css_1 = require("./inline-critical-css");
 const inline_fonts_1 = require("./inline-fonts");
 const ngcm_attribute_1 = require("./ngcm-attribute");
@@ -39,6 +40,13 @@ class IndexHtmlGenerator {
             this.csrPlugins.push(addNgcmAttributePlugin());
             this.ssrPlugins.push(addEventDispatchContractPlugin(), addNoncePlugin());
         }
+        // Auto-CSP (as the last step)
+        if (options.autoCsp) {
+            if (options.generateDedicatedSSRContent) {
+                throw new Error('Cannot set both SSR and auto-CSP at the same time.');
+            }
+            this.csrPlugins.push(autoCspPlugin(options.autoCsp.unsafeEval));
+        }
     }
     async process(options) {
         let content = await this.readIndex(this.options.indexPath);
@@ -130,6 +138,9 @@ function inlineCriticalCssPlugin(generator) {
 function addNoncePlugin() {
     return (html) => (0, nonce_1.addNonce)(html);
 }
+function autoCspPlugin(unsafeEval) {
+    return (html) => (0, auto_csp_1.autoCsp)(html, unsafeEval);
+}
 function postTransformPlugin({ options }) {
     return async (html) => (options.postTransform ? options.postTransform(html) : html);
 }

package/src/utils/index-file/inline-critical-css.js

@@ -11,14 +11,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.InlineCriticalCssProcessor = void 0;
-const critters_1 = __importDefault(require("critters"));
+const beasties_1 = __importDefault(require("beasties"));
 const promises_1 = require("node:fs/promises");
 /**
- * Pattern used to extract the media query set by Critters in an `onload` handler.
+ * Pattern used to extract the media query set by Beasties in an `onload` handler.
  */
 const MEDIA_SET_HANDLER_PATTERN = /^this\.media=["'](.*)["'];?$/;
 /**
- * Name of the attribute used to save the Critters media query so it can be re-assigned on load.
+ * Name of the attribute used to save the Beasties media query so it can be re-assigned on load.
  */
 const CSP_MEDIA_ATTR = 'ngCspMedia';
 /**
@@ -60,12 +60,11 @@ const LINK_LOAD_SCRIPT_CONTENT = `
   };
 
   documentElement.addEventListener('load', listener, true);
-})();
-`.trim();
-class CrittersBase extends critters_1.default {
+})();`;
+class BeastiesBase extends beasties_1.default {
 }
 /* eslint-enable @typescript-eslint/no-unsafe-declaration-merging */
-class CrittersExtended extends CrittersBase {
+class BeastiesExtended extends BeastiesBase {
     optionsExtended;
     warnings = [];
     errors = [];
@@ -98,7 +97,7 @@ class CrittersExtended extends CrittersBase {
         return readAsset ? readAsset(path) : (0, promises_1.readFile)(path, 'utf-8');
     }
     /**
-     * Override of the Critters `embedLinkedStylesheet` method
+     * Override of the Beasties `embedLinkedStylesheet` method
      * that makes it work with Angular's CSP APIs.
      */
     async embedLinkedStylesheet(link, document) {
@@ -115,17 +114,17 @@ class CrittersExtended extends CrittersBase {
         const returnValue = await super.embedLinkedStylesheet(link, document);
         const cspNonce = this.findCspNonce(document);
         if (cspNonce) {
-            const crittersMedia = link.getAttribute('onload')?.match(MEDIA_SET_HANDLER_PATTERN);
-            if (crittersMedia) {
-                // If there's a Critters-generated `onload` handler and the file has an Angular CSP nonce,
+            const beastiesMedia = link.getAttribute('onload')?.match(MEDIA_SET_HANDLER_PATTERN);
+            if (beastiesMedia) {
+                // If there's a Beasties-generated `onload` handler and the file has an Angular CSP nonce,
                 // we have to remove the handler, because it's incompatible with CSP. We save the value
                 // in a different attribute and we generate a script tag with the nonce that uses
                 // `addEventListener` to apply the media query instead.
                 link.removeAttribute('onload');
-                link.setAttribute(CSP_MEDIA_ATTR, crittersMedia[1]);
+                link.setAttribute(CSP_MEDIA_ATTR, beastiesMedia[1]);
                 this.conditionallyInsertCspLoadingScript(document, cspNonce, link);
             }
-            // Ideally we would hook in at the time Critters inserts the `style` tags, but there isn't
+            // Ideally we would hook in at the time Beasties inserts the `style` tags, but there isn't
             // a way of doing that at the moment so we fall back to doing it any time a `link` tag is
             // inserted. We mitigate it by only iterating the direct children of the `<head>` which
             // should be pretty shallow.
@@ -145,7 +144,7 @@ class CrittersExtended extends CrittersBase {
             // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
             return this.documentNonces.get(document);
         }
-        // HTML attribute are case-insensitive, but the parser used by Critters is case-sensitive.
+        // HTML attribute are case-insensitive, but the parser used by Beasties is case-sensitive.
         const nonceElement = document.querySelector('[ngCspNonce], [ngcspnonce]');
         const cspNonce = nonceElement?.getAttribute('ngCspNonce') || nonceElement?.getAttribute('ngcspnonce') || null;
         this.documentNonces.set(document, cspNonce);
@@ -174,15 +173,15 @@ class InlineCriticalCssProcessor {
         this.options = options;
     }
     async process(html, options) {
-        const critters = new CrittersExtended({ ...this.options, ...options });
-        const content = await critters.process(html);
+        const beasties = new BeastiesExtended({ ...this.options, ...options });
+        const content = await beasties.process(html);
         return {
             // Clean up value from value less attributes.
             // This is caused because parse5 always requires attributes to have a string value.
             // nomodule="" defer="" -> nomodule defer.
             content: content.replace(/(\s(?:defer|nomodule))=""/g, '$1'),
-            errors: critters.errors,
-            warnings: critters.warnings,
+            errors: beasties.errors,
+            warnings: beasties.warnings,
         };
     }
 }

package/src/utils/normalize-cache.js

@@ -10,7 +10,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.normalizeCacheOptions = normalizeCacheOptions;
 const node_path_1 = require("node:path");
 /** Version placeholder is replaced during the build process with actual package version */
-const VERSION = '19.0.0-next.9';
+const VERSION = '19.0.0-rc.0';
 function hasCacheMetadata(value) {
     return (!!value &&
         typeof value === 'object' &&

package/src/utils/server-rendering/launch-server.js

@@ -24,21 +24,21 @@ exports.DEFAULT_URL = new URL('http://ng-localhost/');
  * @returns A promise that resolves to the URL of the running server.
  */
 async function launchServer() {
-    const { default: handler } = await (0, load_esm_from_memory_1.loadEsmModuleFromMemory)('./server.mjs');
+    const { reqHandler } = await (0, load_esm_from_memory_1.loadEsmModuleFromMemory)('./server.mjs');
     const { createWebRequestFromNodeRequest, writeResponseToNodeResponse } = await (0, load_esm_1.loadEsmModule)('@angular/ssr/node');
-    if (!(0, utils_1.isSsrNodeRequestHandler)(handler) && !(0, utils_1.isSsrRequestHandler)(handler)) {
+    if (!(0, utils_1.isSsrNodeRequestHandler)(reqHandler) && !(0, utils_1.isSsrRequestHandler)(reqHandler)) {
         return exports.DEFAULT_URL;
     }
     const server = (0, node_http_1.createServer)((req, res) => {
         (async () => {
             // handle request
-            if ((0, utils_1.isSsrNodeRequestHandler)(handler)) {
-                await handler(req, res, (e) => {
+            if ((0, utils_1.isSsrNodeRequestHandler)(reqHandler)) {
+                await reqHandler(req, res, (e) => {
                     throw e;
                 });
             }
             else {
-                const webRes = await handler(createWebRequestFromNodeRequest(req));
+                const webRes = await reqHandler(createWebRequestFromNodeRequest(req));
                 if (webRes) {
                     await writeResponseToNodeResponse(webRes, res);
                 }

package/src/utils/server-rendering/load-esm-from-memory.d.ts

@@ -19,7 +19,7 @@ interface MainServerBundleExports {
  * Represents the exports available from the server bundle.
  */
 interface ServerBundleExports {
-    default: unknown;
+    reqHandler?: unknown;
 }
 export declare function loadEsmModuleFromMemory(path: './main.server.mjs'): Promise<MainServerBundleExports>;
 export declare function loadEsmModuleFromMemory(path: './server.mjs'): Promise<ServerBundleExports>;

package/src/utils/server-rendering/manifest.d.ts

@@ -7,7 +7,7 @@
  */
 import { NormalizedApplicationBuildOptions } from '../../builders/application/options';
 import type { BuildOutputFile } from '../../tools/esbuild/bundler-context';
-import { PrerenderedRoutesRecord } from '../../tools/esbuild/bundler-execution-result';
+import type { PrerenderedRoutesRecord } from '../../tools/esbuild/bundler-execution-result';
 export declare const SERVER_APP_MANIFEST_FILENAME = "angular-app-manifest.mjs";
 export declare const SERVER_APP_ENGINE_MANIFEST_FILENAME = "angular-app-engine-manifest.mjs";
 /**

package/src/utils/server-rendering/prerender.js

@@ -120,7 +120,7 @@ async function renderPages(baseHref, sourcemap, serializableRouteTreeNode, maxTh
             outputFiles: outputFilesForWorker,
             assetFiles: assetFilesForWorker,
             outputMode,
-            hasSsrEntry: !!outputFilesForWorker['/server.mjs'],
+            hasSsrEntry: !!outputFilesForWorker['server.mjs'],
         },
         execArgv: workerExecArgv,
     });
@@ -197,7 +197,7 @@ async function getAllRoutes(workspaceRoot, baseHref, outputFilesForWorker, asset
             outputFiles: outputFilesForWorker,
             assetFiles: assetFilesForWorker,
             outputMode,
-            hasSsrEntry: !!outputFilesForWorker['/server.mjs'],
+            hasSsrEntry: !!outputFilesForWorker['server.mjs'],
         },
         execArgv: workerExecArgv,
     });
@@ -208,7 +208,9 @@ async function getAllRoutes(workspaceRoot, baseHref, outputFilesForWorker, asset
     catch (err) {
         (0, error_1.assertIsError)(err);
         return {
-            errors: [`An error occurred while extracting routes.\n\n${err.stack}`],
+            errors: [
+                `An error occurred while extracting routes.\n\n${err.stack ?? err.message ?? err.code ?? err}`,
+            ],
             serializedRouteTree: [],
         };
     }

package/src/utils/supported-browsers.js

@@ -19,6 +19,7 @@ function getSupportedBrowsers(projectRoot, logger) {
         'last 2 Edge major versions',
         'last 2 Safari major versions',
         'last 2 iOS major versions',
+        'last 2 Android major versions',
         'Firefox ESR',
     ];
     // Get browsers from config or default.