Ng-News 26-09 features three topics: the new Signal-based debounced API, the Oxidation compiler benchmark in Analog.js, and AI & Angular.
Angular XSS Advisory
A Cross-Site Scripting (XSS) vulnerability was discovered in Angular. If you use Angular i18n and apply it to HTML attributes, their values are not sanitized. The fix was applied to the supported versions Angular 19, 20, and 21.
Angular security advisory (GitHub)
Ng-Asia with Mark Thompson
Mark Thompson, Angular DevRel, was guest at Ng-Asia hosted by Ilyoskhuja Ikromkhujaev. The session was a mix between presentation and Q&A.
For example, Mark presented his view on how AI will shape the way development will work for us. He doesn't expect a replacement a software developers, but - as many people would agree - a shift in terms of activities/competencies.
He also explained what AI means for future applications, where the UI is highly responsive and can be seen as just another AI tool, instrumented by an LLM. There are libraries that support that use case already, like HashBrown.
Angular Q&A with Mark Thompson
Mark Thompson also hosted the monthly Angular Q&A session. His guest was Alan from the Angular team and the main topic was AI - specifically Angular's MCP server combined with Chrome's MCP server. MCP allows LLMs to perform actions, not just return text. Angular's MCP server provides up-to-date documentation on best practices, can help migrate to zoneless, or act as a tutor. Together with Chrome's MCP server, it allows the LLM to verify its generated code automatically and fix it.
Two answers stood out. First, a nice analogy on how skills and MCP tools differentiate. According to Mark, a tool's execution is more deterministic, whereas a skill is still text, which needs to be processed by the LLM, and could therefore cause non-deterministic, but better or different results, than an MCP tool's author could achieve.
He compared it with playing a piece of music on a guitar. In the case of an MCP tool and if the LLM would be an artist, then the LLM would play a piece always in the same way - without even knowing how or what it is doing.
In the context of a skill, it would learn how to play the guitar and could probably identify certain things that the tool would have oversawn.
For example Mark mentioned, that there could a first part of a piece, which the tool was not aware of, but the skill would cover it.
Second, why is Angular investing so much in AI? According to Mark, if you have a framework without AI support, many developers will say that it is not ready for the future and will switch to others. Given AI's omnipresence, having an AI-ready framework is a reasonable choice.
Timestamp 41:20.
Oxidation Compiler and Analog
As mentioned in a previous episode, there is an experimental Angular compiler, which is developed by Void Zero and is called the Oxidation compiler (Oxc).
The interesting thing is that it is written in Rust, and not in Go, which is the language of choice for the upcoming official TypeScript rewrite.
Brandon Roberts, who is well known in the Angular community, has integrated the Oxidation compiler into Analog.js, the most popular meta-framework for Angular, which supports building Angular with Vite. Brandon posted a benchmark stating that build time with Angular's esbuild dropped from 47 seconds to 1.5 seconds - a roughly 97% improvement.
Angular Roadmap Update
Angular's roadmap got a major update, or one could say a reprioritization. In short, AI is king: topics like a new authoring format, streaming for server-side rendering, or improvements to the TestBed were removed. That does not mean these topics will never be worked on, but they are deprioritized for now.
Angular roadmap change (GitHub commit)
Angular NPM Downloads
If you are a fan of download numbers: despite the results of the State of JavaScript survey, Angular appears to be in a strong position. In May 2025, weekly downloads exceeded 4 million for the first time. In the week of March 9th they were above 5 million - roughly a 25% increase within a year. For reference, Angular passed 3 million weekly downloads in February 2022.
@angular/core | npm trends
Comparing trends for @angular/core 21.2.5 which has 4,369,964 weekly downloads and 100,102 GitHub stars.
npmtrends.com
Debounced API
Fatima Amzil published an article about a new Signal-based function called debounced. Do not confuse it with the debounce function in Signal Forms: that one is limited to Signal Forms and debounces the synchronization of a form field with the underlying model. The new debounced is meant for any Signal - you can use it to debounce a resource's value, a computed, a linkedSignal, or a function that returns a value (which will be automatically tracked). The return value is not another Signal but a resource. debounced is targeted for Angular 22.
Michael Small also contributed a post on Bluesky with a GIF demonstrating the new function.
https://famzil.medium.com/angular-22-the-power-of-debound-and-debounced-apis-c41e33c0a18e
Just landed in the Angular nightly: debouncing signals. Photo of code snippet + link to PR in this thread github.com/angular/angu...
— Michael Small (@michaelsmalldev.bsky.social) 2026-03-09T22:14:51.079Z
Angular Vienna and Code Magazine
In other news, the Angular Vienna meetup took place and the recording of the live stream is available on YouTube. At the meetup, Dmytro Mezhenskyi from Decoded Frontends gave his first public talk. Other speakers were Matthieu Riegler from the Angular team on JavaScript in general and the upcoming changes in Angular due to the TypeScript rewrite in Go, Manfred Steyer on AI in Angular, and Daniel Szendrei on Angular hacks.
Sonu Kapoor published an in-depth article on the evolution of Angular forms in Code Magazine. The article contains almost 15,000 words.
From Template-Driven to Signal-Driven: The Complete Evolution of Angular Forms
Sonu Kapoor's article, "From Template-Driven to Signal-Driven: The Complete Evolution of Angular Forms," provides a comprehensive exploration of Angular's evolving form APIs, tracing their journey ...
codemag.com
Top comments (0)