A Routine Patch, Not a Headline Event
On July 9, 2026, the Angular team shipped v22.0.6, a compiler-only patch release. The single fix of note corrects how the compiler generates Type Check Blocks (TCBs) — the internal representation Angular's compiler builds to type-check templates — for safe function calls using optional chaining. It is a narrow fix: no new features, no breaking changes, one commit of consequence in the changelog. But the release cadence itself is a data point for anyone tracking how framework maintenance shows up in security and reliability metrics.
Compiler Correctness Has Downstream Consumers
One dimension worth noting: Angular's compiler output also feeds IDE language services and AI coding assistants that consume the same type information. A compiler edge-case fix like this one has downstream consumers beyond the developer — though WebPulse has no data measuring that specific downstream impact.
The CVE Ledger Behind the Release Cadence
Framework security is usually read after the fact, through CVE counts. Angular's NVD record under its current CPE identifier is comparatively thin — six tracked CVEs total. This reflects both the framework's architecture and a narrower NVD product-tagging scope than ecosystem-wide counts like those accumulated by WordPress's plugin registry. None are rated critical or high: five medium and one low, with an average CVSS score of 5.3. Cross-site scripting (CWE-79) accounts for six of the underlying weakness classifications; server-side request forgery (CWE-918) accounts for one — some CVEs carry multiple CWE classifications, so classification counts can exceed the CVE total. None of Angular's six CVEs appear in the CISA Known Exploited Vulnerabilities catalog.
Where Angular Actually Shows Up
WebPulse detects Angular through HTML and HTTP signatures across two independent samples, and the two disagree in a way worth stating plainly rather than averaging away. In WebPulse's scan of the Tranco top 100,000 sites — a curated, higher-traffic sample — Angular accounted for 4.2% of detected frameworks (1,479 of 35,542). In a broader Common Crawl-derived sample of more than 2.1 million framework detections, Angular's share drops to 1.0% (22,447 sites). The gap is consistent with Angular's traditional lean toward enterprise dashboards, internal tools, and authenticated applications — software that shows up less in open web crawls than in curated traffic samples. WebPulse's signature-based detection also has a structural limit worth naming: some Angular applications render primarily through client-side JavaScript execution that a static HTML/HTTP scan will not always surface, so both figures should be read as detected-framework counts within their respective samples, not a claim on total Angular deployment.
What Budget-Signers Should Read Here
WebPulse's scoring engine weights AI-Readiness at 15% of a framework's composite score, alongside security, performance, and ecosystem health — treating how cleanly a framework's tooling surfaces to automated consumers as a first-class dimension rather than an afterthought. These are two independent data points, not a proven correlation: a framework shipping regular compiler patches, and that same framework carrying a thin, low-severity CVE record. For teams evaluating framework risk in 2026, neither metric alone settles the question. Together, they describe a maintenance profile worth accounting for.


