Angular 1.6.0 released

December 9th, 2016

AngularJS 1.6.0 – rainbow-tsunami

Release Announcement

Continuing our development and support of Angular 1, we are announcing the next significant release, 1.6.0, which has been in development since May this year.

In this release we have added a number of useful features that should improve the developer experience and we have tightened up the security of Angular 1 even further. We have also removed a handful of deprecated features that makes the codebase easier to maintain and in many cases improves performance.

New Features

Here are the most significant new features available in 1.6.0. Check out the changelog for more detail.

Inheriting ngModelOptions

When defining model options using the ngModelOptions directive, you can now choose to inherit options from ancestor ngModelOptions directives. This means that developers can centralise common model options rather than repeating themselves across all their HTML.

You can see examples of what you can do with this new feature in Todd Motto’s recent blog post.

Alignment with jQuery 3

jQuery 3 was released in June this year and contains some changes that left our own jqLite implementation out of sync. In this release we have changed jqLite so that it matches the behaviour of jQuery 3.

Controller binding pre-assignment

We no longer pre-assign bindings onto instances of directive controllers before calling their constructors. This behaviour was not in keeping with how JavaScript object instantiation works and also prevented developers from using native JavaScript classes where available.

Now all directive controllers should use $onInit to initialize their state, where the bindings are guaranteed to be ready. This is also closer to the semantic of Angular 2 components.

Todd Motto has written about how to handle this change in a recent blog post.

Support for non-string select options

With improved support for non-string values in option elements, you can now render most select option use cases using ngRepeat and ngValue, rather than having to resort to ngOptions.

In other words, as shown in this Plunker, rather than this:

ng-options="x as disable when !x.enabled for x in $ctrl.options">
<option value="">Empty Option</option>

you can now write:

<select ng-model="$ctrl.value">
<option ng-value="null">Empty Option</option>
ng-repeat="x in $ctrl.options"

This results in clearer Angular 1 templates and is more in keeping with how it is done in Angular 2.

Better support for range inputs

In Angular 1.5.x (from 1.5.10 and later) you need to manually opt-in to this support since the behaviour of native range inputs required a change to how ngModel handled updates to the value:

Angular 1.6 now fully supports <input type=range ng-model="..."> by default without having to opt-in.

  • It requires the model to be a number, and will set the model to a number.
  • It only supports setting minimum and maximum values via the min/max attributes.
  • It follows the browser behavior of never allowing an invalid value: when the browser converts an invalid value to a valid value, the the model is set to this new valid value.

Security Improvements

There have been a number of commits that have improved or clarified the security of Angular 1 applications. Here are some of the highlights.

Mozilla Addons

Due to some strengthening work we have done to make it more difficult to autobootstrap Angular in browser extensions, all versions of Angular from 1.5.9/1.6.0 onwards are now whitelisted as safe to use in Mozilla Addons.

Expression sandbox removal

In this version of Angular we have removed the Angular expression sandbox feature. Some developers were incorrectly using this in an attempt to prevent XSS attacks to their templates. To make it clear that this should not be relied upon in this way we have made the decision to remove it completely. A more detailed write up of the background, the decision and whether you need to do anything can be found in our previous blog post.


JSONP is now secured by the $sce service, in the same way that other significant resources are in Angular 1. JSONP URLs must now be whitelisted or explicitly trusted before Angular will allow a request to the end point. Further the syntax for JSONP URLs is now more secure, by disallowing the JSON_CALLBACK from the URL template and requiring that the callback is provided via the jsonpCallbackParam config param for requests.

Other Changes

There are over 70 significant commits between 1.5 and 1.6. You can find a detailed list of all the changes, including bug fixes and performance improvements in our changelog.

Migrating from 1.5 to 1.6

While there are a number of breaking changes between 1.5 and 1.6, many only affect very rare corner cases. There are a few significant changes that you should be aware of and we have a comprehensive migration guide to ensure that your migration goes smoothly.

Previous Version Support

We believe that Angular 1.6 is now the best Angular 1 version out there and that you should update your applications to use it.

We continue to support Angular 1.2 with security patches as it is the last version of Angular to support Internet Explorer 8 and from now on Angular 1.5 will receive serious bug fixes and security patches.

Angular 1.6 will get regular non-breaking change releases over the next six months, and we will be aiming for the release of Angular 1.7 containing any necessary breaking changes by Summer 2017.

Thank you

As always the work on Angular 1 is a major collaborative effort between people both within and outside the Angular team. We hope that it continues to provide the solid application development platform that you have been relying on for over 7 years!