@angular/build 20.3.16 → 20.3.18

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@angular/build",
-  "version": "20.3.16",
+  "version": "20.3.18",
   "description": "Official build system for Angular",
   "keywords": [
     "Angular CLI",
@@ -23,7 +23,7 @@
   "builders": "builders.json",
   "dependencies": {
     "@ampproject/remapping": "2.3.0",
-    "@angular-devkit/architect": "0.2003.16",
+    "@angular-devkit/architect": "0.2003.18",
     "@babel/core": "7.28.3",
     "@babel/helper-annotate-as-pure": "7.27.3",
     "@babel/helper-split-export-declaration": "7.24.7",
@@ -41,7 +41,7 @@
     "parse5-html-rewriting-stream": "8.0.0",
     "picomatch": "4.0.3",
     "piscina": "5.1.3",
-    "rollup": "4.52.3",
+    "rollup": "4.59.0",
     "sass": "1.90.0",
     "semver": "7.7.2",
     "source-map-support": "0.5.21",
@@ -60,7 +60,7 @@
     "@angular/platform-browser": "^20.0.0",
     "@angular/platform-server": "^20.0.0",
     "@angular/service-worker": "^20.0.0",
-    "@angular/ssr": "^20.3.16",
+    "@angular/ssr": "^20.3.18",
     "karma": "^6.4.0",
     "less": "^4.2.0",
     "ng-packagr": "^20.0.0",

package/src/builders/application/execute-build.js

@@ -60,7 +60,7 @@ const i18n_1 = require("./i18n");
 const setup_bundling_1 = require("./setup-bundling");
 // eslint-disable-next-line max-lines-per-function
 async function executeBuild(options, context, rebuildState) {
-    const { projectRoot, workspaceRoot, i18nOptions, optimizationOptions, assets, cacheOptions, serverEntryPoint, baseHref, ssrOptions, verbose, colors, jsonLogs, } = options;
+    const { projectRoot, workspaceRoot, i18nOptions, optimizationOptions, assets, cacheOptions, serverEntryPoint, baseHref, ssrOptions, verbose, colors, jsonLogs, security, } = options;
     // TODO: Consider integrating into watch mode. Would require full rebuild on target changes.
     const browsers = (0, supported_browsers_1.getSupportedBrowsers)(projectRoot, context.logger);
     // Load active translations if inlining
@@ -216,7 +216,7 @@ async function executeBuild(options, context, rebuildState) {
     }
     // Create server app engine manifest
     if (serverEntryPoint) {
-        executionResult.addOutputFile(manifest_1.SERVER_APP_ENGINE_MANIFEST_FILENAME, (0, manifest_1.generateAngularServerAppEngineManifest)(i18nOptions, baseHref), bundler_context_1.BuildOutputFileType.ServerRoot);
+        executionResult.addOutputFile(manifest_1.SERVER_APP_ENGINE_MANIFEST_FILENAME, (0, manifest_1.generateAngularServerAppEngineManifest)(i18nOptions, security.allowedHosts, baseHref), bundler_context_1.BuildOutputFileType.ServerRoot);
     }
     // Perform i18n translation inlining if enabled
     if (i18nOptions.shouldInline) {

package/src/builders/application/options.d.ts

@@ -197,6 +197,7 @@ export declare function normalizeOptions(context: BuilderContext, projectName: s
     externalRuntimeStyles: boolean | undefined;
     instrumentForCoverage: ((filename: string) => boolean) | undefined;
     security: {
+        allowedHosts: string[];
         autoCsp: {
             unsafeEval: boolean;
         } | undefined;

package/src/builders/application/options.js

@@ -247,8 +247,9 @@ async function normalizeOptions(context, projectName, options, extensions) {
             throw new Error('The "index" option cannot be set to false when enabling "ssr", "prerender" or "app-shell".');
         }
     }
-    const autoCsp = options.security?.autoCsp;
+    const { autoCsp, allowedHosts = [] } = options.security ?? {};
     const security = {
+        allowedHosts,
         autoCsp: autoCsp
             ? {
                 unsafeEval: autoCsp === true ? false : !!autoCsp.unsafeEval,

package/src/builders/application/schema.d.ts

@@ -496,6 +496,12 @@ export type ScriptClass = {
  * Security features to protect against XSS and other common attacks
  */
 export type Security = {
+    /**
+     * A list of hostnames that are allowed to access the server-side application. For more
+     * information, see
+     * https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf.
+     */
+    allowedHosts?: string[];
     /**
      * Enables automatic generation of a hash-based Strict Content Security Policy
      * (https://web.dev/articles/strict-csp#choose-hash) based on scripts in index.html. Will

package/src/builders/application/schema.json

@@ -52,6 +52,14 @@
       "type": "object",
       "additionalProperties": false,
       "properties": {
+        "allowedHosts": {
+          "description": "A list of hostnames that are allowed to access the server-side application. For more information, see https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf.",
+          "type": "array",
+          "uniqueItems": true,
+          "items": {
+            "type": "string"
+          }
+        },
         "autoCsp": {
           "description": "Enables automatic generation of a hash-based Strict Content Security Policy (https://web.dev/articles/strict-csp#choose-hash) based on scripts in index.html. Will default to true once we are out of experimental/preview phases.",
           "default": false,

package/src/builders/dev-server/vite-server.js

@@ -84,7 +84,14 @@ async function* serveWithVite(serverOptions, builderName, builderAction, context
         browserOptions.ssr ||= true;
     }
     // Disable auto CSP.
+    const allowedHosts = Array.isArray(serverOptions.allowedHosts)
+        ? [...serverOptions.allowedHosts]
+        : [];
+    // Always allow the dev server host
+    allowedHosts.push(serverOptions.host);
     browserOptions.security = {
+        allowedHosts,
+        // Disable auto CSP.
         autoCsp: false,
     };
     // Disable JSON build stats.

package/src/utils/normalize-cache.js

@@ -10,7 +10,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.normalizeCacheOptions = normalizeCacheOptions;
 const node_path_1 = require("node:path");
 /** Version placeholder is replaced during the build process with actual package version */
-const VERSION = '20.3.16';
+const VERSION = '20.3.18';
 function hasCacheMetadata(value) {
     return (!!value &&
         typeof value === 'object' &&

package/src/utils/server-rendering/manifest.d.ts

@@ -19,10 +19,11 @@ export declare const SERVER_APP_ENGINE_MANIFEST_FILENAME = "angular-app-engine-m
  *
  * @param i18nOptions - The internationalization options for the application build. This
  * includes settings for inlining locales and determining the output structure.
+ * @param allowedHosts - A list of hosts that are allowed to access the server-side application.
  * @param baseHref - The base HREF for the application. This is used to set the base URL
  * for all relative URLs in the application.
  */
-export declare function generateAngularServerAppEngineManifest(i18nOptions: NormalizedApplicationBuildOptions['i18nOptions'], baseHref: string | undefined): string;
+export declare function generateAngularServerAppEngineManifest(i18nOptions: NormalizedApplicationBuildOptions['i18nOptions'], allowedHosts: string[], baseHref: string | undefined): string;
 /**
  * Generates the server manifest for the standard Node.js environment.
  *

package/src/utils/server-rendering/manifest.js

@@ -45,10 +45,11 @@ function escapeUnsafeChars(str) {
  *
  * @param i18nOptions - The internationalization options for the application build. This
  * includes settings for inlining locales and determining the output structure.
+ * @param allowedHosts - A list of hosts that are allowed to access the server-side application.
  * @param baseHref - The base HREF for the application. This is used to set the base URL
  * for all relative URLs in the application.
  */
-function generateAngularServerAppEngineManifest(i18nOptions, baseHref) {
+function generateAngularServerAppEngineManifest(i18nOptions, allowedHosts, baseHref) {
     const entryPoints = {};
     const supportedLocales = {};
     if (i18nOptions.shouldInline && !i18nOptions.flatOutput) {
@@ -71,6 +72,7 @@ function generateAngularServerAppEngineManifest(i18nOptions, baseHref) {
     const manifestContent = `
 export default {
   basePath: '${basePath}',
+  allowedHosts: ${JSON.stringify(allowedHosts, undefined, 2)},
   supportedLocales: ${JSON.stringify(supportedLocales, undefined, 2)},
   entryPoints: {
     ${Object.entries(entryPoints)

package/src/utils/server-rendering/prerender.js

@@ -126,6 +126,9 @@ async function renderPages(baseHref, sourcemap, serializableRouteTreeNode, maxTh
             hasSsrEntry: !!outputFilesForWorker['server.mjs'],
         },
         execArgv: workerExecArgv,
+        env: {
+            'NG_ALLOWED_HOSTS': 'localhost',
+        },
     });
     try {
         const renderingPromises = [];
@@ -205,6 +208,9 @@ async function getAllRoutes(workspaceRoot, baseHref, outputFilesForWorker, asset
             hasSsrEntry: !!outputFilesForWorker['server.mjs'],
         },
         execArgv: workerExecArgv,
+        env: {
+            'NG_ALLOWED_HOSTS': 'localhost',
+        },
     });
     try {
         const { serializedRouteTree, appShellRoute, errors } = await renderWorker.run({});