@angular/build 20.3.15 → 20.3.17

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@angular/build",
-  "version": "20.3.15",
+  "version": "20.3.17",
   "description": "Official build system for Angular",
   "keywords": [
     "Angular CLI",
@@ -23,7 +23,7 @@
   "builders": "builders.json",
   "dependencies": {
     "@ampproject/remapping": "2.3.0",
-    "@angular-devkit/architect": "0.2003.15",
+    "@angular-devkit/architect": "0.2003.17",
     "@babel/core": "7.28.3",
     "@babel/helper-annotate-as-pure": "7.27.3",
     "@babel/helper-split-export-declaration": "7.24.7",
@@ -60,7 +60,7 @@
     "@angular/platform-browser": "^20.0.0",
     "@angular/platform-server": "^20.0.0",
     "@angular/service-worker": "^20.0.0",
-    "@angular/ssr": "^20.3.15",
+    "@angular/ssr": "^20.3.17",
     "karma": "^6.4.0",
     "less": "^4.2.0",
     "ng-packagr": "^20.0.0",

package/src/builders/application/execute-build.js

@@ -60,7 +60,7 @@ const i18n_1 = require("./i18n");
 const setup_bundling_1 = require("./setup-bundling");
 // eslint-disable-next-line max-lines-per-function
 async function executeBuild(options, context, rebuildState) {
-    const { projectRoot, workspaceRoot, i18nOptions, optimizationOptions, assets, cacheOptions, serverEntryPoint, baseHref, ssrOptions, verbose, colors, jsonLogs, } = options;
+    const { projectRoot, workspaceRoot, i18nOptions, optimizationOptions, assets, cacheOptions, serverEntryPoint, baseHref, ssrOptions, verbose, colors, jsonLogs, security, } = options;
     // TODO: Consider integrating into watch mode. Would require full rebuild on target changes.
     const browsers = (0, supported_browsers_1.getSupportedBrowsers)(projectRoot, context.logger);
     // Load active translations if inlining
@@ -216,7 +216,7 @@ async function executeBuild(options, context, rebuildState) {
     }
     // Create server app engine manifest
     if (serverEntryPoint) {
-        executionResult.addOutputFile(manifest_1.SERVER_APP_ENGINE_MANIFEST_FILENAME, (0, manifest_1.generateAngularServerAppEngineManifest)(i18nOptions, baseHref), bundler_context_1.BuildOutputFileType.ServerRoot);
+        executionResult.addOutputFile(manifest_1.SERVER_APP_ENGINE_MANIFEST_FILENAME, (0, manifest_1.generateAngularServerAppEngineManifest)(i18nOptions, security.allowedHosts, baseHref), bundler_context_1.BuildOutputFileType.ServerRoot);
     }
     // Perform i18n translation inlining if enabled
     if (i18nOptions.shouldInline) {

package/src/builders/application/options.d.ts

@@ -197,6 +197,7 @@ export declare function normalizeOptions(context: BuilderContext, projectName: s
     externalRuntimeStyles: boolean | undefined;
     instrumentForCoverage: ((filename: string) => boolean) | undefined;
     security: {
+        allowedHosts: string[];
         autoCsp: {
             unsafeEval: boolean;
         } | undefined;

package/src/builders/application/options.js

@@ -247,8 +247,9 @@ async function normalizeOptions(context, projectName, options, extensions) {
             throw new Error('The "index" option cannot be set to false when enabling "ssr", "prerender" or "app-shell".');
         }
     }
-    const autoCsp = options.security?.autoCsp;
+    const { autoCsp, allowedHosts = [] } = options.security ?? {};
     const security = {
+        allowedHosts,
         autoCsp: autoCsp
             ? {
                 unsafeEval: autoCsp === true ? false : !!autoCsp.unsafeEval,

package/src/builders/application/schema.d.ts

@@ -496,6 +496,12 @@ export type ScriptClass = {
  * Security features to protect against XSS and other common attacks
  */
 export type Security = {
+    /**
+     * A list of hostnames that are allowed to access the server-side application. For more
+     * information, see
+     * https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf.
+     */
+    allowedHosts?: string[];
     /**
      * Enables automatic generation of a hash-based Strict Content Security Policy
      * (https://web.dev/articles/strict-csp#choose-hash) based on scripts in index.html. Will

package/src/builders/application/schema.json

@@ -52,6 +52,14 @@
       "type": "object",
       "additionalProperties": false,
       "properties": {
+        "allowedHosts": {
+          "description": "A list of hostnames that are allowed to access the server-side application. For more information, see https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf.",
+          "type": "array",
+          "uniqueItems": true,
+          "items": {
+            "type": "string"
+          }
+        },
         "autoCsp": {
           "description": "Enables automatic generation of a hash-based Strict Content Security Policy (https://web.dev/articles/strict-csp#choose-hash) based on scripts in index.html. Will default to true once we are out of experimental/preview phases.",
           "default": false,

package/src/builders/dev-server/vite-server.js

@@ -84,7 +84,14 @@ async function* serveWithVite(serverOptions, builderName, builderAction, context
         browserOptions.ssr ||= true;
     }
     // Disable auto CSP.
+    const allowedHosts = Array.isArray(serverOptions.allowedHosts)
+        ? [...serverOptions.allowedHosts]
+        : [];
+    // Always allow the dev server host
+    allowedHosts.push(serverOptions.host);
     browserOptions.security = {
+        allowedHosts,
+        // Disable auto CSP.
         autoCsp: false,
     };
     // Disable JSON build stats.

package/src/utils/normalize-cache.js

@@ -10,7 +10,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.normalizeCacheOptions = normalizeCacheOptions;
 const node_path_1 = require("node:path");
 /** Version placeholder is replaced during the build process with actual package version */
-const VERSION = '20.3.15';
+const VERSION = '20.3.17';
 function hasCacheMetadata(value) {
     return (!!value &&
         typeof value === 'object' &&

package/src/utils/server-rendering/manifest.d.ts

@@ -19,10 +19,11 @@ export declare const SERVER_APP_ENGINE_MANIFEST_FILENAME = "angular-app-engine-m
  *
  * @param i18nOptions - The internationalization options for the application build. This
  * includes settings for inlining locales and determining the output structure.
+ * @param allowedHosts - A list of hosts that are allowed to access the server-side application.
  * @param baseHref - The base HREF for the application. This is used to set the base URL
  * for all relative URLs in the application.
  */
-export declare function generateAngularServerAppEngineManifest(i18nOptions: NormalizedApplicationBuildOptions['i18nOptions'], baseHref: string | undefined): string;
+export declare function generateAngularServerAppEngineManifest(i18nOptions: NormalizedApplicationBuildOptions['i18nOptions'], allowedHosts: string[], baseHref: string | undefined): string;
 /**
  * Generates the server manifest for the standard Node.js environment.
  *

package/src/utils/server-rendering/manifest.js

@@ -45,10 +45,11 @@ function escapeUnsafeChars(str) {
  *
  * @param i18nOptions - The internationalization options for the application build. This
  * includes settings for inlining locales and determining the output structure.
+ * @param allowedHosts - A list of hosts that are allowed to access the server-side application.
  * @param baseHref - The base HREF for the application. This is used to set the base URL
  * for all relative URLs in the application.
  */
-function generateAngularServerAppEngineManifest(i18nOptions, baseHref) {
+function generateAngularServerAppEngineManifest(i18nOptions, allowedHosts, baseHref) {
     const entryPoints = {};
     const supportedLocales = {};
     if (i18nOptions.shouldInline && !i18nOptions.flatOutput) {
@@ -71,6 +72,7 @@ function generateAngularServerAppEngineManifest(i18nOptions, baseHref) {
     const manifestContent = `
 export default {
   basePath: '${basePath}',
+  allowedHosts: ${JSON.stringify(allowedHosts, undefined, 2)},
   supportedLocales: ${JSON.stringify(supportedLocales, undefined, 2)},
   entryPoints: {
     ${Object.entries(entryPoints)

package/src/utils/server-rendering/prerender.js

@@ -126,6 +126,9 @@ async function renderPages(baseHref, sourcemap, serializableRouteTreeNode, maxTh
             hasSsrEntry: !!outputFilesForWorker['server.mjs'],
         },
         execArgv: workerExecArgv,
+        env: {
+            'NG_ALLOWED_HOSTS': 'localhost',
+        },
     });
     try {
         const renderingPromises = [];
@@ -205,6 +208,9 @@ async function getAllRoutes(workspaceRoot, baseHref, outputFilesForWorker, asset
             hasSsrEntry: !!outputFilesForWorker['server.mjs'],
         },
         execArgv: workerExecArgv,
+        env: {
+            'NG_ALLOWED_HOSTS': 'localhost',
+        },
     });
     try {
         const { serializedRouteTree, appShellRoute, errors } = await renderWorker.run({});

package/src/tools/esbuild/esbuild-definitions.d.ts

@@ -1,46 +0,0 @@
-/**
- * @license
- * Copyright Google LLC All Rights Reserved.
- *
- * Use of this source code is governed by an MIT-style license that can be
- * found in the LICENSE file at https://angular.dev/license
- */
-import type { OutputFile } from 'esbuild';
-export declare const SERVER_APP_MANIFEST_FILENAME = "angular-app-manifest.mjs";
-export declare const SERVER_APP_ENGINE_MANIFEST_FILENAME = "angular-app-engine-manifest.mjs";
-export interface BuildOutputAsset {
-    source: string;
-    destination: string;
-}
-export interface InitialFileRecord {
-    entrypoint: boolean;
-    name?: string;
-    type: 'script' | 'style';
-    external?: boolean;
-    serverFile: boolean;
-    depth: number;
-}
-export declare enum BuildOutputFileType {
-    Browser = 0,
-    Media = 1,
-    ServerApplication = 2,
-    ServerRoot = 3,
-    Root = 4
-}
-export interface BuildOutputFile extends OutputFile {
-    type: BuildOutputFileType;
-    readonly size: number;
-    clone: () => BuildOutputFile;
-}
-export type PrerenderedRoutesRecord = Record<string, {
-    headers?: Record<string, string>;
-}>;
-/**
- * A set of server-generated dependencies that are treated as external.
- *
- * These dependencies are marked as external because they are produced by a
- * separate bundling process and are not included in the primary bundle. This
- * ensures that these generated files are resolved from an external source rather
- * than being part of the main bundle.
- */
-export declare const SERVER_GENERATED_EXTERNALS: Set<string>;

package/src/tools/esbuild/esbuild-definitions.js

@@ -1,33 +0,0 @@
-"use strict";
-/**
- * @license
- * Copyright Google LLC All Rights Reserved.
- *
- * Use of this source code is governed by an MIT-style license that can be
- * found in the LICENSE file at https://angular.dev/license
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SERVER_GENERATED_EXTERNALS = exports.BuildOutputFileType = exports.SERVER_APP_ENGINE_MANIFEST_FILENAME = exports.SERVER_APP_MANIFEST_FILENAME = void 0;
-exports.SERVER_APP_MANIFEST_FILENAME = 'angular-app-manifest.mjs';
-exports.SERVER_APP_ENGINE_MANIFEST_FILENAME = 'angular-app-engine-manifest.mjs';
-var BuildOutputFileType;
-(function (BuildOutputFileType) {
-    BuildOutputFileType[BuildOutputFileType["Browser"] = 0] = "Browser";
-    BuildOutputFileType[BuildOutputFileType["Media"] = 1] = "Media";
-    BuildOutputFileType[BuildOutputFileType["ServerApplication"] = 2] = "ServerApplication";
-    BuildOutputFileType[BuildOutputFileType["ServerRoot"] = 3] = "ServerRoot";
-    BuildOutputFileType[BuildOutputFileType["Root"] = 4] = "Root";
-})(BuildOutputFileType || (exports.BuildOutputFileType = BuildOutputFileType = {}));
-/**
- * A set of server-generated dependencies that are treated as external.
- *
- * These dependencies are marked as external because they are produced by a
- * separate bundling process and are not included in the primary bundle. This
- * ensures that these generated files are resolved from an external source rather
- * than being part of the main bundle.
- */
-exports.SERVER_GENERATED_EXTERNALS = new Set([
-    './polyfills.server.mjs',
-    './' + exports.SERVER_APP_MANIFEST_FILENAME,
-    './' + exports.SERVER_APP_ENGINE_MANIFEST_FILENAME,
-]);

package/src/tools/esbuild/file-utils.d.ts

@@ -1,12 +0,0 @@
-/**
- * @license
- * Copyright Google LLC All Rights Reserved.
- *
- * Use of this source code is governed by an MIT-style license that can be
- * found in the LICENSE file at https://angular.dev/license
- */
-import type { OutputFile } from 'esbuild';
-import type { BuildOutputFile } from './esbuild-definitions';
-import { BuildOutputFileType } from './esbuild-definitions';
-export declare function createOutputFile(path: string, data: string | Uint8Array, type: BuildOutputFileType): BuildOutputFile;
-export declare function convertOutputFile(file: OutputFile, type: BuildOutputFileType): BuildOutputFile;

package/src/tools/esbuild/file-utils.js

@@ -1,103 +0,0 @@
-"use strict";
-/**
- * @license
- * Copyright Google LLC All Rights Reserved.
- *
- * Use of this source code is governed by an MIT-style license that can be
- * found in the LICENSE file at https://angular.dev/license
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createOutputFile = createOutputFile;
-exports.convertOutputFile = convertOutputFile;
-const node_crypto_1 = require("node:crypto");
-function createOutputFile(path, data, type) {
-    if (typeof data === 'string') {
-        let cachedContents = null;
-        let cachedText = data;
-        let cachedHash = null;
-        return {
-            path,
-            type,
-            get contents() {
-                cachedContents ??= new TextEncoder().encode(data);
-                return cachedContents;
-            },
-            set contents(value) {
-                cachedContents = value;
-                cachedText = null;
-            },
-            get text() {
-                cachedText ??= new TextDecoder('utf-8').decode(this.contents);
-                return cachedText;
-            },
-            get size() {
-                return this.contents.byteLength;
-            },
-            get hash() {
-                cachedHash ??= (0, node_crypto_1.createHash)('sha256')
-                    .update(cachedText ?? this.contents)
-                    .digest('hex');
-                return cachedHash;
-            },
-            clone() {
-                return createOutputFile(this.path, cachedText ?? this.contents, this.type);
-            },
-        };
-    }
-    else {
-        let cachedContents = data;
-        let cachedText = null;
-        let cachedHash = null;
-        return {
-            get contents() {
-                return cachedContents;
-            },
-            set contents(value) {
-                cachedContents = value;
-                cachedText = null;
-            },
-            path,
-            type,
-            get size() {
-                return this.contents.byteLength;
-            },
-            get text() {
-                cachedText ??= new TextDecoder('utf-8').decode(this.contents);
-                return cachedText;
-            },
-            get hash() {
-                cachedHash ??= (0, node_crypto_1.createHash)('sha256').update(this.contents).digest('hex');
-                return cachedHash;
-            },
-            clone() {
-                return createOutputFile(this.path, this.contents, this.type);
-            },
-        };
-    }
-}
-function convertOutputFile(file, type) {
-    let { contents: cachedContents } = file;
-    let cachedText = null;
-    return {
-        get contents() {
-            return cachedContents;
-        },
-        set contents(value) {
-            cachedContents = value;
-            cachedText = null;
-        },
-        hash: file.hash,
-        path: file.path,
-        type,
-        get size() {
-            return this.contents.byteLength;
-        },
-        get text() {
-            cachedText ??= new TextDecoder('utf-8').decode(this.contents);
-            return cachedText;
-        },
-        clone() {
-            return convertOutputFile(this, this.type);
-        },
-    };
-}