Skip to content

Bump tar, @angular-devkit/build-angular, @angular-eslint/schematics, @angular/cli and ng-packagr#810

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-f7e558cf3d
Open

Bump tar, @angular-devkit/build-angular, @angular-eslint/schematics, @angular/cli and ng-packagr#810
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-f7e558cf3d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown
Contributor

Bumps tar to 7.5.16 and updates ancestor dependencies tar, @angular-devkit/build-angular, @angular-eslint/schematics, @angular/cli and ng-packagr. These dependencies need to be updated together.

Updates tar from 6.2.0 to 7.5.16

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
  • cf21338 7.5.16
  • 21a8220 do not apply PAX header fields to meta entries
  • 52632cf update project deps
  • 302f51f fix inconsequential typo in PENDINGLINKS symbol name
  • 55dbb99 remove some uses of mutate-fs
  • 87cc309 7.5.15
  • 7aef486 fix: regression in pending links detection
  • 6244eb3 7.5.14
  • 9704d8c stricter protection against hardlinks preempting their targets
  • 700734f update workflows and deps
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates @angular-devkit/build-angular from 14.2.13 to 21.2.16

Release notes

Sourced from @​angular-devkit/build-angular's releases.

21.2.16

@​angular/cli

Commit Description
fix - 77c9047ac update pacote to 21.5.1

@​angular/ssr

Commit Description
fix - d052e97da prioritize options over environment variables in AngularNodeAppEngine

21.2.15

@​angular/cli

Commit Description
fix - 42ac0ed0f remove forceAuth and unscoped credential parsing
fix - c7a7f1955 support registry metadata fetching under bun package manager

21.2.14

@​angular/cli

Commit Description
fix - aed448748 expand package groups for newly added peer dependencies in update schematic

@​angular/build

Commit Description
fix - d46c082fb prevent esbuild service child process leakage

21.2.13

@​angular-devkit/build-angular

Commit Description
fix - 3c6d26a31 remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit Description
fix - 2b3e95517 assert that asset input paths are within workspace root

21.2.12

@​angular/build

Commit Description
fix - cbad57579 ignore virtual esbuild paths with (disabled):

21.2.11

@​angular/cli

Commit Description
fix - bbd63b7a5 robustly parse npm manifest from array

@​angular/ssr

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular-devkit/build-angular's changelog.

21.2.16 (2026-06-17)

@​angular/cli

Commit Type Description
77c9047ac fix update pacote to 21.5.1

@​angular/ssr

Commit Type Description
d052e97da fix prioritize options over environment variables in AngularNodeAppEngine

20.3.29 (2026-06-17)

@​angular/cli

Commit Type Description
5f7c0328c fix update pacote to 21.5.1

@​angular/ssr

Commit Type Description
a75d78e68 fix prioritize options over environment variables in AngularNodeAppEngine

22.0.2 (2026-06-17)

@​angular/cli

Commit Type Description
136fc2714 fix support registry metadata fetching under bun package manager
2653dd5c7 perf implement semaphore backpressure throttling in PackageManager

@​angular/build

Commit Type Description
0b4a48add perf implement semaphore backpressure throttling in JavaScriptTransformer

... (truncated)

Commits
  • 1efc647 release: cut the v21.2.16 release
  • 14459e2 build: update dependency webpack-dev-server to 5.2.5
  • 77c9047 fix(@​angular/cli): update pacote to 21.5.1
  • d052e97 fix(@​angular/ssr): prioritize options over environment variables in AngularNo...
  • d318ddd release: cut the v21.2.15 release
  • c7a7f19 fix(@​angular/cli): support registry metadata fetching under bun package manager
  • bdc3d2f test(@​angular/cli): ignore engines in version-specifier E2E test when using yarn
  • 42ac0ed fix(@​angular/cli): remove forceAuth and unscoped credential parsing
  • 2c25333 test(@​angular/cli): remove unscoped authentication test cases from registry t...
  • 4488398 release: cut the v21.2.14 release
  • Additional commits viewable in compare view

Updates @angular-eslint/schematics from 14.4.0 to 22.0.0

Release notes

Sourced from @​angular-eslint/schematics's releases.

v22.0.0

22.0.0 (2026-06-07)

As always we recommend that you update your existing workspaces by using ng update as we provide some helpful schematics to help migrate your workspaces to the latest and greatest. Running the following will update Angular, the Angular CLI and angular-eslint together:

ng update @angular/core @angular/cli angular-eslint

🚀 Features

  • ⚠️ update to Angular 22 + TS 6, drop node 20 (96592269)
  • ⚠️ drop support for eslint v8 and legacy eslintrc config format (#3056)
  • support the Angular v22 @​Service decorator (#3057)
  • builder: add suppressionsLocation option (#3034)
  • ⚠️ eslint-plugin: [prefer-on-push-component-change-detection] flag only opting out of OnPush, make recommended (#3058)
  • ⚠️ eslint-plugin: remove deprecated no-conflicting-lifecycle rule (#3060)
  • template-parser: traverse v22 arrow function, spread and tagged-template expression nodes (#3059)

🩹 Fixes

  • update dependency @​angular/compiler to v21.2.12 (#3030)

⚠️ Breaking Changes

  • eslint-plugin: remove deprecated no-conflicting-lifecycle rule (#3060)
  • eslint-plugin: [prefer-on-push-component-change-detection] flag only opting out of OnPush, make recommended (#3058) prefer-on-push-component-change-detection no longer reports components that omit changeDetection (omission now means OnPush in v22); it now only reports components that opt out of OnPush via ChangeDetectionStrategy.Eager or the deprecated ChangeDetectionStrategy.Default. The rule is also now part of the recommended config, so projects extending it may see new reports — notably on components the Angular v22 migration set to Eager. The suggestion message id suggestAddChangeDetectionOnPush has been renamed to suggestChangeToOnPush.
  • drop support for eslint v8 and legacy eslintrc config format (#3056)
  • update to Angular 22 + TS 6, drop node 20 (96592269)

❤️ Thank You

v21.4.0

21.4.0 (2026-05-13)

🚀 Features

  • builder: add apply-suppressions option (#2974)
  • eslint-plugin-template: [cyclomatic-complexity] add variant option (#2976)

🩹 Fixes

  • update typescript-eslint packages to v8.57.0 (#2955)
  • update dependency @​angular/compiler to v21.2.6 (#2961)
  • update dependency eslint to v10.1.0 (#2983)
  • update dependency @​angular/compiler to v21.2.8 (#2996)

... (truncated)

Changelog

Sourced from @​angular-eslint/schematics's changelog.

22.0.0 (2026-06-07)

🚀 Features

  • ⚠️ drop support for eslint v8 and legacy eslintrc config format (#3056)

⚠️ Breaking Changes

  • drop support for eslint v8 and legacy eslintrc config format (#3056)

❤️ Thank You

21.4.0 (2026-05-13)

🩹 Fixes

  • schematics: sync application schema with upstream @​schematics/angular (#3027)

❤️ Thank You

21.3.1 (2026-03-17)

This was a version bump only for schematics to align it with other projects, there were no code changes.

21.3.0 (2026-03-05)

🚀 Features

  • add support for ESLint v10 (#2903)

❤️ Thank You

  • Jason Weinzierl

21.2.0 (2026-01-29)

This was a version bump only for schematics to align it with other projects, there were no code changes.

21.1.0 (2025-12-08)

🩹 Fixes

  • reference @​angular/cli peer in addition to direct dependencies (#2820)

❤️ Thank You

... (truncated)

Commits
  • 7ee4556 chore(release): publish 22.0.0
  • 526640f feat!: drop support for eslint v8 and legacy eslintrc config format (#3056)
  • 0a774c7 chore(release): publish 21.4.0
  • 7a48a63 fix(schematics): sync application schema with upstream @​schematics/angular (#...
  • 8f2afdc chore(release): publish 21.3.1
  • a959e4d chore(release): publish 21.3.0
  • 3ef7fb1 feat: add support for ESLint v10 (#2903)
  • 6fa321d chore(release): publish 21.2.0
  • 4fa7889 chore(release): publish 21.1.0
  • e7bb47b fix: reference @​angular/cli peer in addition to direct dependencies (#2820)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​angular-eslint/schematics since your current version.


Updates @angular/cli from 14.2.13 to 22.0.3

Release notes

Sourced from @​angular/cli's releases.

22.0.3

@​schematics/angular

Commit Description
fix - 0eddea898 remove default workspace vscode mcp.json configuration

22.0.2

@​angular/cli

Commit Description
fix - 136fc2714 support registry metadata fetching under bun package manager
perf - 2653dd5c7 implement semaphore backpressure throttling in PackageManager

@​angular/build

Commit Description
perf - 0b4a48add implement semaphore backpressure throttling in JavaScriptTransformer

@​angular/ssr

Commit Description
fix - d996a27e9 avoid caching non-SSG page lookups
fix - 285a34e42 correct grammar in console warning for redirected location headers
fix - c8088a536 prioritize options over environment variables in AngularNodeAppEngine

22.0.1

@​schematics/angular

Commit Description
fix - c80012294 fix browserMode option mapping in refactor-jasmine-vitest
fix - a9b6bd904 safely comment out multiline statements in refactor-jasmine-vitest
fix - 12199df00 use null objects and callbacks in karma-to-vitest migration

@​angular/cli

Commit Description
fix - b54e9a549 do not sort migrations of the same version alphabetically
fix - d33311612 fallback to local package.json for schematic detection on first run
fix - 918102a93 isolate temporary package installation from parent pnpm workspace
fix - b048b5f4a remove forceAuth and unscoped credential parsing
fix - 277934035 validate registry option is a valid URL in ng add
perf - 4510dae02 optimize update schematic registry query counts by fetching package metadata lazily

@​angular/build

Commit Description
fix - 89d1be979 allow disabling Vitest isolation from builder
fix - d45b84be9 exclude JSON imports from Vite dependency optimization
fix - e3cab4ddd prevent concurrent stylesheet bundling esbuild context leaks
fix - bd413b0eb restrict application builder output paths to output directory

22.0.0

@​schematics/angular

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/cli's changelog.

22.0.3 (2026-06-18)

@​schematics/angular

Commit Type Description
0eddea898 fix remove default workspace vscode mcp.json configuration

21.2.16 (2026-06-17)

@​angular/cli

Commit Type Description
77c9047ac fix update pacote to 21.5.1

@​angular/ssr

Commit Type Description
d052e97da fix prioritize options over environment variables in AngularNodeAppEngine

20.3.29 (2026-06-17)

@​angular/cli

Commit Type Description
5f7c0328c fix update pacote to 21.5.1

@​angular/ssr

Commit Type Description
a75d78e68 fix prioritize options over environment variables in AngularNodeAppEngine

22.0.2 (2026-06-17)

... (truncated)

Commits
  • b30b9d3 release: cut the v22.0.3 release
  • bc97bb3 build: update dependency vite to v7.3.5
  • 0eddea8 fix(@​schematics/angular): remove default workspace vscode mcp.json configuration
  • 08f9959 refactor(@​angular/cli): promote experimental MCP tools to stable
  • aab6c10 release: cut the v22.0.2 release
  • 376e4dc build: update cross-repo angular dependencies
  • d996a27 fix(@​angular/ssr): avoid caching non-SSG page lookups
  • 5714bfc build: update pnpm to v10.34.3
  • f26011a build: lock file maintenance
  • 2879ed9 build: update bazel dependencies
  • Additional commits viewable in compare view

Updates ng-packagr from 14.2.2 to 22.0.0

Release notes

Sourced from ng-packagr's releases.

22.0.0

⚠ BREAKING CHANGES

  • ng-packagr: TypeScript versions older than 6.0 are no longer supported.
  • Node.js v20 is no longer supported. The minimum supported Node.js versions are now v22.22.0 and v24.13.1.

Features

  • update @​angular/compiler-cli peer dependency to support Angular v22 (1fd8eb1)
  • support Node.js 26 (4360fea)
  • ng-packagr: drop support for TypeScript 5.9 (b59e280)

Bug Fixes

  • ng-packagr: invalidate angularDiagnosticCache for html changes (e7d8e38)
  • ng-packagr: handle package.json files with export subpaths (89e195d)
  • ensure dts sourcemaps point to original ts files (28424e2)
  • allow TypeScript 6 peer dependency (fdb49da)
  • update minimum supported Node.js versions (f7e5ef5)

22.0.0-next.5

Bug Fixes

  • ng-packagr: handle package.json files with export subpaths (89e195d)

22.0.0-next.4

Features

22.0.0-next.3

⚠ BREAKING CHANGES

  • ng-packagr: TypeScript versions older than 6.0 are no longer supported.

Features

  • ng-packagr: drop support for TypeScript 5.9 (b59e280)

Bug Fixes

  • ng-packagr: resolve imports with TS extensions in rollup (804c04b), closes #3281

22.0.0-next.2

Features

... (truncated)

Changelog

Sourced from ng-packagr's changelog.

22.0.0 (2026-06-03)

⚠ BREAKING CHANGES

  • ng-packagr: TypeScript versions older than 6.0 are no longer supported.
  • Node.js v20 is no longer supported. The minimum supported Node.js versions are now v22.22.0 and v24.13.1.

Features

  • update @​angular/compiler-cli peer dependency to support Angular v22 (1fd8eb1)
  • support Node.js 26 (4360fea)
  • ng-packagr: drop support for TypeScript 5.9 (b59e280)

Bug Fixes

  • ng-packagr: invalidate angularDiagnosticCache for html changes (e7d8e38)
  • ng-packagr: handle package.json files with export subpaths (89e195d)
  • ensure dts sourcemaps point to original ts files (28424e2)
  • allow TypeScript 6 peer dependency (fdb49da)
  • update minimum supported Node.js versions (f7e5ef5)

22.0.0-rc.0 (2026-05-18)

22.0.0-next.5 (2026-05-18)

Bug Fixes

  • ng-packagr: handle package.json files with export subpaths (89e195d)

22.0.0-next.4 (2026-05-07)

Features

21.2.3 (2026-04-16)

Bug Fixes

  • ng-packagr: resolve imports with TS extensions in rollup (5629808), closes #3281

22.0.0-next.3 (2026-04-16)

⚠ BREAKING CHANGES

  • ng-packagr: * TypeScript versions older than 6.0 are no longer supported.

... (truncated)

Commits
  • e918dc3 release: cut 22.0.0
  • 7f8a814 build: update @​angular/compiler-cli peer dependency range to support version ...
  • e7d8e38 fix(ng-packagr): invalidate angularDiagnosticCache for html changes
  • 7204d85 build: update pnpm workspace configuration and remove redundant pnpm settings
  • 2684271 build: lock file maintenance
  • 15a0f56 build: update dependency node to v24
  • 5827827 build: update @​angular/ng-dev digest to a450a24
  • 3439543 build: update pnpm to v11.4.0
  • efed766 build: update dessant/lock-threads digest to 89ae32b
  • 27ae92e build: update all non-major dependencies to v8.60.0
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ng-packagr since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump tar, @angular-devkit/build-angular, @angular-eslint/schematics, …
b469393 
…@angular/cli and ng-packagr

Bumps [tar](https://github.com/isaacs/node-tar) to 7.5.16 and updates ancestor dependencies [tar](https://github.com/isaacs/node-tar), [@angular-devkit/build-angular](https://github.com/angular/angular-cli), [@angular-eslint/schematics](https://github.com/angular-eslint/angular-eslint/tree/HEAD/packages/schematics), [@angular/cli](https://github.com/angular/angular-cli) and [ng-packagr](https://github.com/ng-packagr/ng-packagr). These dependencies need to be updated together.


Updates `tar` from 6.2.0 to 7.5.16
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.0...v7.5.16)

Updates `@angular-devkit/build-angular` from 14.2.13 to 21.2.16
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](angular/angular-cli@14.2.13...v21.2.16)

Updates `@angular-eslint/schematics` from 14.4.0 to 22.0.0
- [Release notes](https://github.com/angular-eslint/angular-eslint/releases)
- [Changelog](https://github.com/angular-eslint/angular-eslint/blob/main/packages/schematics/CHANGELOG.md)
- [Commits](https://github.com/angular-eslint/angular-eslint/commits/v22.0.0/packages/schematics)

Updates `@angular/cli` from 14.2.13 to 22.0.3
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](angular/angular-cli@14.2.13...v22.0.3)

Updates `ng-packagr` from 14.2.2 to 22.0.0
- [Release notes](https://github.com/ng-packagr/ng-packagr/releases)
- [Changelog](https://github.com/ng-packagr/ng-packagr/blob/main/CHANGELOG.md)
- [Commits](ng-packagr/ng-packagr@14.2.2...22.0.0)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.16
  dependency-type: indirect
- dependency-name: "@angular-devkit/build-angular"
  dependency-version: 21.2.16
  dependency-type: direct:development
- dependency-name: "@angular-eslint/schematics"
  dependency-version: 22.0.0
  dependency-type: direct:development
- dependency-name: "@angular/cli"
  dependency-version: 22.0.3
  dependency-type: direct:development
- dependency-name: ng-packagr
  dependency-version: 22.0.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 19, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 19, 2026 04:23
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 19, 2026
@semgrepcode-auth0

semgrepcode-auth0 Bot commented Jun 19, 2026

Copy link
Copy Markdown

Semgrep found 1 ssc-c8b7a1f2-4d36-4f0a-9e2b-1a5c8d7e6f30 finding:

Risk: Affected versions of vite and vite-plus are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Vite's server.fs.deny blocklist—which protects sensitive files such as .env and certificate files from being served—can be bypassed on Windows using alternate path representations (NTFS Alternate Data Stream syntax like /.env::$DATA?raw, or 8.3 short filenames), allowing an attacker to read otherwise-denied files when the dev server is exposed to the network.

Manual Review Advice: A vulnerability from this advisory is reachable if you expose the Vite dev server or vite-plus to the network by configuring a non-loopback address using the --host CLI flag on Windows

Fix: Upgrade this library to at least version 7.3.5 at angular2-jwt/package-lock.json:667.

Reference(s): GHSA-fx2h-pf6j-xcff

Semgrep found 1 ssc-d17d3487-883b-46a9-bec9-dee3375f7532 finding:

Risk: Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.

Manual Review Advice: A vulnerability from this advisory is reachable if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry

Fix: Upgrade this library to at least version 0.28.1 at angular2-jwt/package-lock.json:12097.

Reference(s): GHSA-gv7w-rqvm-qjhr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants