View all Blog Posts
Products
Mar 16, 2026

Angular Version History: Every Release Date, Support Window, and End-of-Life Date from AngularJS to Angular 22

A complete reference for every Angular release timeline — and what end-of-life means for the enterprise teams still running older versions in production.

Give me the TL;DR
Angular Version History: Every Release Date, Support Window, and End-of-Life Date from AngularJS to Angular 22
For Qualys admins, NES for .NET directly resolves the EOL/Obsolete Software:   Microsoft .NET Version 6 Detected vulnerability, ensuring your systems remain secure and compliant. Fill out the form to get pricing details and learn more.

Angular has been one of the most widely adopted frontend frameworks in the world since AngularJS launched in 2010. Today, over 1.2 million live websites still run AngularJS alone, and modern Angular (versions 2 through 22) powers hundreds of thousands more. Every six months, Google ships a new major version, and every 18 months, an older one loses official support.

For engineering leaders managing enterprise applications, tracking which Angular versions are still supported (and which are silently accumulating unpatched vulnerabilities) is a constant challenge. This guide provides the definitive reference for every Angular release, its support timeline, and what happens after end-of-life.

How Angular's Support Policy Works

Google follows a consistent lifecycle for every major Angular release:

  • Active Support (6 months): Regular updates, bug fixes, new minor features, and security patches.
  • Long-Term Support / LTS (12 months): Only critical bug fixes and security patches. No new features.
  • End of Life (EOL): No further updates of any kind. No security patches. No compatibility fixes.

That gives each major version an 18-month total support window. With new majors shipping roughly every six months, there are typically two to three supported versions at any time, and a growing list of unsupported ones accumulating risk.

Starting with Angular 2 in 2016, Angular has never skipped this cadence (with the exception of version 3, which was never released due to a router package version conflict). This predictability is a strength for planning purposes, but it also means versions fall out of support quickly. An enterprise team that adopted Angular 14 in mid-2022, for example, lost official support by late 2023.

Complete Angular Version Timeline

The table below covers every major Angular release from AngularJS through Angular 21, with release dates, EOL dates, and current support status.

*AngularJS 1.8.3 was the final open-source release. Google ended all official support on December 31, 2021, though this last patch shipped in April 2022 to close out the project.

AngularJS was a JavaScript-based MVC framework built for single-page applications. It introduced two-way data binding, dependency injection, and directives to the web development world. Despite being officially deprecated for over four years, AngularJS still powers an enormous number of production applications. npm download data shows weekly downloads only dropped from roughly 639,000 in December 2021 to around 419,000 by early 2025, a decline of just 33%.

Since reaching EOL, multiple vulnerabilities have been disclosed in AngularJS, including CVE-2022-25844 (ReDoS), CVE-2022-25869 (XSS), CVE-2024-8372, and CVE-2024-8373 (content spoofing). The open-source project receives no patches for any of them.

Modern Angular (Angular 2+)

Note: Angular version 3 was never released. The Angular router package was already at version 3.x, so the team jumped from Angular 2 to Angular 4 to align version numbers across packages.

Versions Reaching EOL Next: What to Watch

Angular 19: EOL May 19, 2026

Angular 19 is currently in its LTS window and will lose all official support on May 19, 2026, coinciding with the expected release of Angular 22. Teams running Angular 19 in production have roughly two months to either upgrade to Angular 20 or 21 (or 22 when available), or adopt a commercial extended support solution.

Angular 19 is particularly notable because it shipped just before three significant CVEs were disclosed across the Angular platform in late 2025:

  • CVE-2025-59052 (CVSS 7.1): A race condition in Angular's SSR pipeline that could leak request-scoped data between concurrent requests.
  • CVE-2025-66035 (CVSS 7.7): An information exposure flaw where Angular's HttpClient could leak XSRF tokens via protocol-relative URLs.
  • CVE-2025-66412 (CVSS High): A stored XSS vulnerability in the Angular template compiler related to SVG and MathML attribute sanitization.

Patched versions exist for Angular 19 (19.2.17+), 20 (20.3.15+), and 21 (21.0.2+). Organizations running Angular 18 and below will not receive official patches for these vulnerabilities.

Angular 20: LTS Until November 2026

Angular 20 marked a significant milestone by stabilizing the Signals API, graduating effect(), linkedSignal(), and toSignal() to production-ready status. It also deprecated provideZoneChangeDetection(), signaling that the framework is moving away from Zone.js. Teams that adopted Angular 20 have until late November 2026 before they need to move.

Looking Ahead: Angular 22 (Expected ~May 2026)

Based on Angular's consistent six-month cadence, Angular 22 is expected around May 2026. The Angular roadmap and community signals point to several likely focus areas:

  • Selectorless components: A feature aimed at simplifying component consumption by removing the need to define and remember string selectors. Components would be imported directly into templates, improving refactorability and type safety.
  • Stable Signal Forms: Angular 21 introduced Signal Forms as experimental. Angular 22 is expected to mature this API significantly, moving it closer to (or reaching) stable status and positioning it as the recommended approach for form management.
  • OnPush as default: Angular is likely to make ChangeDetectionStrategy.OnPush the default for new components, aligning with the zoneless, signals-first architecture.
  • TypeScript 5.9 support: Bringing the latest TypeScript features and type-checking improvements to Angular projects.
  • Enhanced AI tooling: Continued investment in the Angular MCP Server and AI-assisted development workflows introduced in Angular 21.

When Angular 22 ships, Angular 20 will transition from active support to LTS, and Angular 19 will reach end-of-life (May 19, 2026).

The AngularJS-to-Angular Transition: A Story Still Unfolding

When Google announced Angular 2 in 2016, it was a complete rewrite: different language (TypeScript instead of JavaScript), different architecture (components instead of controllers), and no backward compatibility. The migration path was effectively a full application rewrite.

This decision created a lasting divide. Many organizations that had invested heavily in AngularJS chose to stay rather than rebuild. Four years after AngularJS reached EOL, the data confirms what many suspected: the migration simply never happened for a huge number of teams.

With over 1.2 million live websites still on AngularJS and roughly 419,000 weekly npm downloads as of early 2025, AngularJS remains one of the most widely deployed end-of-life frameworks on the internet. These are not abandoned hobby projects. They are enterprise applications, internal tools, and customer-facing platforms that continue to serve business-critical functions while running on software that receives no security updates.

What Happens After End of Life

When an Angular version reaches EOL, three things stop immediately:

  1. Security patches stop. New CVEs disclosed against EOL versions go unpatched. The three CVEs from late 2025 (SSR data leakage, XSRF token exposure, and stored XSS) affect every version of Angular, but only versions 19, 20, and 21 received official fixes.

  2. Browser compatibility breaks. Chrome, Safari, Edge, and Firefox ship updates on their own schedules. EOL Angular versions are not tested or updated to handle browser changes, leading to gradual degradation.

  3. Compliance audits flag it. SOC 2, PCI DSS, HIPAA, FedRAMP, and the EU Cyber Resilience Act all require organizations to maintain supported software. Running an EOL framework is an audit finding, and in regulated industries, it can block deployments or business deals.

The challenge is compounded by Angular's sequential upgrade requirement. You cannot jump from Angular 12 to Angular 21. You must upgrade through each major version in sequence. For organizations multiple versions behind, this can mean dozens of migration steps, months of engineering work, and significant regression testing. Migrating from Angular 13 to 16 alone requires 65 distinct migration steps according to HeroDevs' analysis.

Options for EOL Angular Versions

Organizations running end-of-life Angular have three paths:

1. Upgrade to a Supported Version

The best long-term strategy for most teams. Angular's official update guide (update.angular.dev) provides tooling and migration paths for sequential upgrades. The investment is front-loaded, but it puts you back on the supported track with access to the latest features, performance improvements, and security patches.

Considerations: The effort scales with how far behind you are. If you are on Angular 14 or later, the migration is manageable. If you are on AngularJS or Angular 9, you are looking at a significant rewrite.

2. Migrate to a Different Framework

Some organizations use an Angular EOL event as the catalyst for a full platform shift to React, Vue, or another framework. This makes sense if a ground-up redesign is already planned, but it is the most expensive and time-consuming option. It is rarely justified solely by an EOL date.

3. Adopt Commercial Extended Support

For organizations that cannot migrate immediately, commercial extended support provides continued security patches, browser compatibility updates, and compliance coverage for EOL Angular versions.

HeroDevs Never-Ending Support (NES) for Angular provides secure drop-in replacements for Angular versions 4 through 18. NES for Angular is built by core Angular contributors, including Miško Hevery (creator of AngularJS and Angular), and delivers backported security patches for vulnerabilities like CVE-2025-66412, CVE-2025-66035, and CVE-2025-59052 across all supported EOL versions.

HeroDevs NES for AngularJS covers AngularJS 1.4.x, 1.5.x, and 1.8.x, with patches for CVE-2022-25844, CVE-2022-25869, CVE-2024-8372, CVE-2024-8373, and other vulnerabilities discovered since EOL. HeroDevs has found and fixed more AngularJS CVEs than any other organization.

NES works as a drop-in replacement: update your package.json, point to the HeroDevs registry, and rebuild. No code changes required. NES also includes SLAs for compliance with SOC 2, FedRAMP, PCI, and HIPAA requirements.

Quick Reference: Is My Angular Version Supported?

Taking Action

Angular's 18-month support window and six-month release cadence mean that staying current requires ongoing investment. For teams that can keep pace, the framework continues to deliver substantial improvements: Signals-based reactivity, zoneless change detection, and AI-integrated tooling in Angular 21 represent meaningful advances in both developer experience and runtime performance, and Angular 22 is expected to consolidate these patterns further with selectorless components and stable Signal Forms.

For the many enterprise teams running older versions, the risk is not theoretical. CVEs are actively being disclosed against Angular, browser compatibility is degrading, and compliance requirements are tightening. Whether you choose to upgrade, migrate, or adopt extended support, the worst option is doing nothing.

If your organization is running an end-of-life version of Angular or AngularJS, contact HeroDevs to evaluate your options and get protected in minutes.

This post is maintained by HeroDevs and will be updated as new Angular versions are released and older versions reach end-of-life. Last updated: February 2026.

FAQ

How long does Google officially support each Angular version?Each major Angular release gets 18 months of total support: 6 months of active support with regular updates, bug fixes, and new features, followed by 12 months of LTS during which only critical bug fixes and security patches are issued. After that, the version reaches end of life and receives no further updates of any kind.

Which Angular versions are currently supported?As of early 2026, Angular 21 is in active support, Angular 20 has transitioned to LTS (until approximately November 2026), and Angular 19 is in LTS until May 19, 2026. Angular 18 and all earlier versions have reached end of life.

Why was Angular version 3 never released?The Angular router package was already at version 3.x when Angular 2 shipped. To align version numbers across all packages, the team skipped version 3 entirely and jumped directly from Angular 2 to Angular 4.

What happens when an Angular version reaches end of life?Three things stop immediately: security patches, browser compatibility updates, and official support. New CVEs go unpatched, the framework is no longer tested against browser updates, and running it becomes an audit finding under compliance frameworks like SOC 2, PCI DSS, HIPAA, FedRAMP, and the EU Cyber Resilience Act.

Can I jump from an older Angular version directly to the latest?No. Angular requires sequential upgrades through each major version — you cannot skip versions. The further behind you are, the more migration steps are required. HeroDevs' analysis found that migrating from Angular 13 to 16 alone involves 65 distinct migration steps.

What CVEs are currently affecting EOL Angular versions?Three significant CVEs were disclosed in late 2025: CVE-2025-59052 (CVSS 7.1), a race condition in Angular's SSR pipeline that can leak request-scoped data; CVE-2025-66035 (CVSS 7.7), an XSRF token exposure via protocol-relative URLs in HttpClient; and CVE-2025-66412 (High), a stored XSS in the template compiler related to SVG and MathML attribute sanitization. Official patches exist for Angular 19, 20, and 21 only. Angular 18 and below will not receive fixes.

Is AngularJS really still that widely used?Yes. Despite reaching EOL on December 31, 2021, AngularJS still powers over 1.2 million live websites, and npm download data showed roughly 419,000 weekly downloads as of early 2025 — a decline of only about 33% from peak. Many of these are enterprise applications and business-critical platforms that never completed a migration to modern Angular.

What are my options if I'm running an EOL Angular version?You have three paths: upgrade sequentially to a supported version using Angular's official update tooling, migrate to a different framework entirely, or adopt commercial extended support. HeroDevs NES for Angular provides drop-in security patches for Angular versions 4 through 18, and NES for AngularJS covers AngularJS 1.4.x, 1.5.x, and 1.8.x — with no code changes required.

What is NES for Angular and how does it work?NES (Never-Ending Support) for Angular is a commercial extended support solution from HeroDevs that delivers backported security patches for EOL Angular versions. It's built by core Angular contributors including Miško Hevery, the creator of AngularJS and Angular. To use it, you update your package.json and point to the HeroDevs private registry — no code changes, no migration required. NES also includes compliance documentation for SOC 2, FedRAMP, PCI DSS, and HIPAA.

When is Angular 22 expected to release, and what will it include?Angular 22 is expected around May 2026, following the framework's consistent six-month cadence. Anticipated features include selectorless components, stable Signal Forms, OnPush change detection as the default for new components, TypeScript 5.9 support, and continued investment in the Angular MCP Server and AI-assisted development tooling introduced in Angular 21.

Share via:
facebook
LinkedIn
X (twitter)
Table of Contents
Read full article
Author
Greg Allen
Chief Technology Officer
Open Source Insights Delivered Monthly

Related Blog Posts

CVE-2026-32635: Cross-Site Scripting (XSS) in Angular i18n Attribute Bindings
Security
Mar 16, 2026
CVE-2026-32635: Cross-Site Scripting (XSS) in Angular i18n Attribute Bindings
How Angular’s i18n attribute bindings bypass built-in sanitization and expose applications to cross-site scripting attacks.
Is Your OSS Package End of Life? A Practical Guide to Checking Support Status
Security
Mar 16, 2026
Is Your OSS Package End of Life? A Practical Guide to Checking Support Status
EOL information is scattered, inconsistently documented, and often outdated. Here's how to actually find it.
How Can I Protect My Web Application from Apache Struts CVEs?
Security
Mar 13, 2026
How Can I Protect My Web Application from Apache Struts CVEs?
How Can I Protect My Web Application from Apache Struts CVEs?

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.