Are you using Angular's bypassSecurityTrust* methods? If untrusted user input flows into bypassSecurityTrustHtml(), bypassSecurityTrustUrl(), or similar functions, you've got a critical XSS vulnerability waiting to happen. Scan your codebase for this pattern using semgrep rules `semgrep scan --config angular-domsanitizer.yaml src/` 👉https://lnkd.in/gCjrBTjj
Angular bypassSecurityTrust methods create XSS vulnerability
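As an added illustration of what the semgrep rule above is looking for (this is not the rule from the linked repository and not Angular code), here is a small TypeScript heuristic that lists every `bypassSecurityTrust*` call site in a source string and classifies its argument: a string literal is developer-controlled, anything else needs a taint review. The component source it scans is constructed for the demo; `this.user.bio` and `route.id` are made-up identifiers. Semgrep's real dataflow analysis is still the tool to trust; this only triages call sites.

```typescript
// Regex for the five DomSanitizer bypass methods. The argument capture stops at
// the first ")" so nested calls are truncated; good enough for triage.
const BYPASS_RE = /\.bypassSecurityTrust(Html|Style|Script|Url|ResourceUrl)\s*\(([^)]*)\)/;

interface Finding {
  line: number;            // 1-based line in the scanned source
  method: string;          // e.g. "bypassSecurityTrustHtml"
  argument: string;        // raw argument text as written
  severity: "high" | "low"; // high = non-literal argument, review for user input
}

// A plain string literal (no template interpolation) cannot carry user input.
function isStringLiteral(arg: string): boolean {
  const t = arg.trim();
  return /^'[^']*'$/.test(t) || /^"[^"]*"$/.test(t) || /^`[^`$]*`$/.test(t);
}

function findBypassCalls(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    const re = new RegExp(BYPASS_RE.source, "g"); // fresh global regex per line
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      findings.push({
        line: idx + 1,
        method: `bypassSecurityTrust${m[1]}`,
        argument: m[2].trim(),
        severity: isStringLiteral(m[2]) ? "low" : "high",
      });
    }
  });
  return findings;
}

// Constructed sample component (not real project code) with three call sites:
// one user-controlled value, one constant, one interpolated template literal.
const SAMPLE = `
import { DomSanitizer } from '@angular/platform-browser';
export class ProfileComponent {
  constructor(private sanitizer: DomSanitizer) {}
  bio  = this.sanitizer.bypassSecurityTrustHtml(this.user.bio);
  icon = this.sanitizer.bypassSecurityTrustUrl('assets/icon.svg');
  page = this.sanitizer.bypassSecurityTrustResourceUrl(\`https://x.example/\${route.id}\`);
}`;

for (const f of findBypassCalls(SAMPLE)) {
  console.log(`${f.severity.toUpperCase()} line ${f.line}: ${f.method}(${f.argument})`);
}
```

Only the two HIGH findings need a taint check (where does `this.user.bio` come from?); the constant asset URL is safe to allowlist.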
More Relevant Posts
A huge thank you to the team for delivering a successful legacy upgrade from Angular 8 to Angular 21. It’s been a significant piece of work modernising a long-standing application, and the effort and attention to detail throughout have been outstanding. Also, yes, we did use Claude to help along the way; it played a useful role in supporting analysis and migration decisions during the project. We’ve published a write-up on the journey here: https://lnkd.in/dgmmcnQw And a special mention to “Kill It with Fire” by Marianne Bellotti, which I was reading just before we kicked off the project. It’s a great perspective on the realities of maintaining and evolving aging systems. https://lnkd.in/dJdvcu-D
I found a bug in my own logger that had been there since day one. A single typo — `fileProecssing` instead of `fileProcessing` — meant the queue processor was never properly re-armed after completing a batch. The fix was one word. The impact was that every benchmark I had ever run was measured against a crippled version of my own software. After fixing it (1.0.2), I kept going. Switched the serializer from string concatenation to an array join pattern (1.0.3). The result: ✅ Up to 62% less memory at 1M logs ✅ Up to 23% less CPU across the board ✅ Throughput maintained or improved Sometimes the best performance optimization is just fixing what was broken. Silo v1.0.3 is live now on npm — a zero-dependency, self-hosted, privacy-first Node.js logging library. npm install @flowrdesk/silo #nodejs #javascript #opensource #logging #flowrdesk
If you’ve started using #Angular Signal Forms, you may have run into this already. Checking for specific validation errors isn’t as straightforward as it used to be.
- Indexes break as errors come and go
- .find() works, but gets repetitive quickly
The underlying issue is that the errors() array isn’t necessarily stable, which makes it a poor fit for UIs where each validation rule matters individually (like a password checklist). Angular 22 introduces a new getError() API that fixes this cleanly. I put together a quick walkthrough showing the problem and how this improves things in real-world scenarios 👇 https://lnkd.in/gReVR3Gj
How to get specific validation errors with Angular Signal Forms
Authentication: Backend - one method 😁, Frontend - [at least] two files with code and logic (.tsx and xxxSlice.ts) but Backend is more valuable 😁
🔄 Just updated my Angular Signal Forms deep dive with Angular 22 features.
→ debounce('blur')
→ reloadValidation()
→ Inline debounce for validateAsync and validateHttp
→ FieldState.getError('kind')
→ number | null on <input type="text">
→ ngNoCva
→ FVC template & reactive interop
→ Lazy field instantiation optimization
The post covers the full Signal Forms API from scratch — form creation, validation (sync, async, tree, Zod), schemas, arrays, custom controls, FormRoot submission, SignalFormControl bridge, and now all the Angular 22 additions.
📖 Read it here: https://lnkd.in/dBQTjDGy
#angular #signalforms #angular22
One of the most underrated features in Angular's router: canMatch. Most developers reach for canActivate when they need to protect a route, and that works fine. But canActivate still matches the route: it just blocks you from entering it. If you want different components to render on the same path depending on the user's role, you're stuck adding redirect logic on top. canMatch changes that. It lets Angular skip a route entirely if the condition isn't met, and keep looking for the next one that fits. So you can define two routes with the same path (like, one for admins, one for regular users) and Angular will quietly give you the right component without a single redirect. It's a small shift in mental model, but it makes role-based routing much cleaner.
⚡ Signals & reactivity — Rethink state management; Zone.js-based change detection is deprecated in favour of signal() and computed().
🖥️ Standalone components — NgModules are no longer the default; migrate to standalone + bootstrapApplication().
⚠️ Removed APIs — ComponentFactoryResolver, old router guards, and legacy TestBed APIs are gone. Run ng update early.
🔀 New control flow — Replace *ngIf / *ngFor with @if / @for. CLI schematics automate most of it.
📦 Library compatibility — Verify all third-party deps support v21 before upgrading; this is the most common blocker.
🛠️ Node.js & TypeScript — Angular 21 requires Node 20+ and TypeScript 5.x. Update your CI pipeline accordingly.
One of the useful additions in ES2024 is the new toSorted() array method. Before this, JavaScript developers mainly relied on .sort(), which sorts an array in place. The key difference?
- sort() mutates the original array
- toSorted() returns a new sorted array and leaves the original untouched
This makes toSorted() especially useful when working with immutable state patterns, such as in React or modern frontend architectures.
In Modern Angular, one can achieve reactivity in an application through signals that tell Angular exactly what changed and where. Do you know the Signal primitives?
=> signal(val): A reactive value you can read and write.
=> computed(() => ...): A read-only value derived from other signals. It only recalculates when its dependencies change.
=> effect(() => ...): A function that runs whenever the signals inside it change (useful for logging or manual DOM hits).
Signal vs. Computed:
You must have come across Injection Tokens in your Angular journey. But do you really know their true power? In this blog, with a simple LOGGER example, we’ll understand the meaning and true power that lies in Injection Tokens. Read more on Medium 👇 #Angular #DependencyInjection #DesignPatterns #Frontend #WebDevelopment #JavaScript