Commit 1cae67b

chore(deps): update dependency @angular/core to v21.1.6 [security] (#431)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Adoption](https://docs.renovatebot.com/merge-confidence/) | [Passing](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|---|---|
| [@angular/core](https://redirect.github.com/angular/angular) ([source](https://redirect.github.com/angular/angular/tree/HEAD/packages/core)) | [`21.1.4` → `21.1.6`](https://renovatebot.com/diffs/npm/@angular%2fcore/21.1.4/21.1.6) | | | | |
### GitHub Vulnerability Alerts
#### [CVE-2026-27970](https://redirect.github.com/angular/angular/security/advisories/GHSA-prjf-86w9-mfqv)
A [Cross-site Scripting
(XSS)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/XSS)
vulnerability has been identified in the Angular internationalization
(i18n) pipeline. In ICU messages (International Components for Unicode),
HTML from translated content was not properly sanitized and could
execute arbitrary JavaScript.
Angular i18n typically involves three steps, extracting all messages
from an application in the source language, sending the messages to be
translated, and then merging their translations back into the final
source code. Translations are frequently handled by contracts with
specific partner companies, and involve sending the source messages to a
separate contractor before receiving final translations for display to
the end user.
If the returned translations have malicious content, it could be
rendered into the application and execute arbitrary JavaScript.
### Impact
When successfully exploited, this vulnerability allows for execution of
attacker controlled JavaScript in the application origin. Depending on
the nature of the application being exploited this could lead to:
- **Credential Exfiltration**: Stealing sensitive user data stored in
page memory, LocalStorage, IndexedDB, or cookies available to JS and
sending them to an attacker controlled server.
- **Page Vandalism:** Mutating the page to read or act differently than
intended by the developer.
### Attack Preconditions
- **The attacker must compromise the translation file (xliff, xtb,
etc.).**
- Unlike most XSS vulnerabilities, this one is not exploitable by
arbitrary users. An attacker must first compromise an application's
translation file before they can escalate privileges into the Angular
application client.
- The victim application must use Angular i18n.
- The victim application must use one or more ICU messages.
- The victim application must render an ICU message.
- The victim application must not defend against XSS via a safe
[Content-Security Policy
(CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) or
[Trusted
Types](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API).
### Patches
- 21.2.0
- 21.1.6
- 20.3.17
- 19.2.19
### Workarounds
Until the patch is applied, developers should consider:
- **Reviewing and verifying translated content** received from untrusted
third parties before incorporating it in an Angular application.
- **Enabling strict CSP controls** to block unauthorized JavaScript from
executing on the page.
- [**Enabling Trusted
Types**](https://angular.dev/best-practices/security#enforcing-trusted-types)
to enforce proper HTML sanitization.
### References
- [Fix](https://redirect.github.com/angular/angular/pull/67183)
---
### Release Notes
<details>
<summary>angular/angular (@angular/core)</summary>

### [`v21.1.6`](https://redirect.github.com/angular/angular/blob/HEAD/CHANGELOG.md#2116-2026-02-25)
[Compare Source](https://redirect.github.com/angular/angular/compare/v21.1.5...v21.1.6)
#### Breaking Changes
##### core
- Angular now only applies known attributes from HTML in translated ICU
content. Unknown attributes are dropped and not rendered.
(cherry picked from commit
[`306f367`](https://redirect.github.com/angular/angular/commit/306f367899dfc2e04238fecd3455547b5d54075d))
##### common
| Commit | Type | Description |
|---|---|---|
| [31d3d56496](https://redirect.github.com/angular/angular/commit/31d3d564961b701bda96d94731fbed72c01975fa) | fix | fix LCP image detection with duplicate URLs |
##### compiler-cli
| Commit | Type | Description |
|---|---|---|
| [24b578ce90](https://redirect.github.com/angular/angular/commit/24b578ce90ed50022f62584671aef01d4c5dd7b2) | fix | detect uninvoked functions in defer trigger expressions |
##### core
| Commit | Type | Description |
|---|---|---|
| [b858309532](https://redirect.github.com/angular/angular/commit/b85830953281ff3a1a77bbfe69019d352d509c93) | fix | block creation of sensitive URI attributes from ICU messages |
<!-- CHANGELOG SPLIT MARKER -->
### [`v21.1.5`](https://redirect.github.com/angular/angular/blob/HEAD/CHANGELOG.md#2115-2026-02-18)
[Compare Source](https://redirect.github.com/angular/angular/compare/v21.1.4...v21.1.5)
No user facing changes in this release
<!-- CHANGELOG SPLIT MARKER -->
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/mnahkies/openapi-code-generator).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent 59d9489 commit 1cae67b
2 files changed: +28 −26 lines changed
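The advisory's first workaround is to review translated content before it is merged into the application. As an added example (not Angular's code and not part of this PR), the TypeScript check below scans a constructed XLIFF file and flags, inside `<target>` elements, the kinds of HTML the 21.1.6 fix now drops or blocks: attributes outside a small allowlist, event-handler attributes, and URI attributes with a non-http(s) scheme. The allowlist, the regexes and the sample file are assumptions.

```typescript
// Added example, not Angular's own code: a pre-merge gate for XLIFF translation
// files that flags HTML in <target> elements carrying an event-handler attribute,
// an attribute outside an allowlist, or a URI attribute with a non-http(s) scheme.
const ALLOWED_ATTRS = ["class", "id", "title", "href", "src", "alt", "target", "rel", "lang", "dir"];
const URI_ATTRS = ["href", "src", "action", "formaction"];
// XLIFF inline placeholder elements are not HTML and are skipped.
const XLIFF_INLINE = ["x", "g", "ph", "bx", "ex", "bpt", "ept", "it", "sub"];
// Accept absolute http(s)/mailto/tel URLs, or relative URLs (no scheme at all).
const SAFE_URI = /^(?:https?:|mailto:|tel:|[/#.?]|[^:]*$)/i;

interface Finding { unit: string; tag: string; attr: string; reason: string; }
const UNIT_RE = /<trans-unit\b[^>]*\bid="([^"]*)"[^>]*>[\s\S]*?<target\b[^>]*>([\s\S]*?)<\/target>/g;
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[\w:-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function scanXliff(xliff: string): Finding[] {
  const findings: Finding[] = [];
  let u: RegExpExecArray | null;
  while ((u = UNIT_RE.exec(xliff)) !== null) {
    const unit = u[1], target = u[2];
    let t: RegExpExecArray | null;
    while ((t = TAG_RE.exec(target)) !== null) {
      const tag = t[1].toLowerCase();
      if (XLIFF_INLINE.indexOf(tag) >= 0) continue;
      let a: RegExpExecArray | null;
      while ((a = ATTR_RE.exec(t[2])) !== null) {
        const attr = a[1].toLowerCase();
        const value = (a[2] ?? a[3] ?? a[4] ?? "").trim();
        if (attr.slice(0, 2) === "on") findings.push({ unit, tag, attr, reason: "event handler attribute" });
        else if (ALLOWED_ATTRS.indexOf(attr) < 0) findings.push({ unit, tag, attr, reason: "attribute not in allowlist" });
        else if (URI_ATTRS.indexOf(attr) >= 0 && !SAFE_URI.test(value)) findings.push({ unit, tag, attr, reason: "unsafe URI scheme" });
      }
    }
  }
  return findings;
}

// Constructed sample: one clean unit and one ICU plural whose translation carries HTML.
const SAMPLE_XLIFF = `<xliff version="1.2"><file source-language="en" target-language="de"><body>
<trans-unit id="greeting" datatype="html">
  <source>Hello <x id="INTERPOLATION" equiv-text="{{name}}"/></source>
  <target>Hallo <x id="INTERPOLATION" equiv-text="{{name}}"/></target>
</trans-unit>
<trans-unit id="items" datatype="html">
  <source>{VAR_PLURAL, plural, =1 {one item} other {<b>{INTERPOLATION}</b> items}}</source>
  <target>{VAR_PLURAL, plural, =1 {ein Element} other {<b style="color:red">{INTERPOLATION}</b> <a href="javascript:void(0)" onclick="track()">Elemente</a>}}</target>
</trans-unit>
</body></file></xliff>`;
for (const f of scanXliff(SAMPLE_XLIFF)) console.log(`${f.unit}: <${f.tag} ${f.attr}> ${f.reason}`);
```

The check is a gate for the translation import step, not a replacement for upgrading; the patched versions still apply their own attribute filtering at render time.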