Skip to content

chore(deps-dev): bump @angular/compiler, @angular/build, @angular/common, @angular/core, @angular/platform-browser, @angular/compiler-cli, @angular/forms, @angular/platform-browser-dynamic, @angular/router and ng-packagr#335

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-4ee39d2a89
Open

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps @angular/compiler, @angular/build, @angular/common, @angular/core, @angular/platform-browser, @angular/compiler-cli, @angular/forms, @angular/platform-browser-dynamic, @angular/router and ng-packagr. These dependencies needed to be updated together.
Updates @angular/compiler from 21.2.11 to 22.0.1

Release notes

Sourced from @​angular/compiler's releases.

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

Commit Description
fix - 669146b0e7 disable WebMCP during SSR
fix - 562a566ead Handle synchronous errors in PendingTasks.run function
fix - fa546f382d harden TransferState restoration against DOM clobbering
fix - 29fdb98684 prevent dangling prevConsumer reference from leaking destroyed views (#68681)
fix - cdcea80327 require WebMCP tool descriptions
fix - 4289c4c840 update comment for Default change detection
fix - 3dd433b39a use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
fix - 045bb736b3 validate lowercase SVG animation attribute names

forms

Commit Description
fix - 11836a670a delay mcp reading the form model by a tick
fix - 85d2d100e3 harden FormGroup control lookups against prototype shadowing
fix - e51ad374ea remove animationstart listener on component destroy to prevent memory leak
fix - 55b7b5a6b6 set additionalProperties: false on generated WebMCP form

http

Commit Description
fix - ffb06c0514 ensure query parameters are inserted before URL fragments
fix - 2dd65d21e6 pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
fix - 4254eb416c preserve empty referrer option in HttpRequest
fix - 167bd4c162 Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit Description
fix - 43a0e28729 prevent external template inlay hints from appearing in TS files

platform-server

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

22.0.1 (2026-06-10)

Deprecations

platform-server

  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead. (cherry picked from commit 8446e46f8bc33bd4419fa7f6106b8d117ca2e099)

common

Commit Type Description
c4b5fa3c92 fix escape CSS string-terminating characters in escapeCssUrl
dfff57ede9 fix Limits date format string length
3c2892c8df fix prevent prototype pollution in formatDateTime
1d87c49f6e fix use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Type Description
1ee224ca30 fix disallow i18n event attributes
a56f1cdf8f fix more robust logic to check if regex can be optimized
5946c18275 fix sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8 fix sanitize two-way properties

compiler-cli

Commit Type Description
3d9ca2f173 fix bind switch exhaustive check expressions

core

Commit Type Description
669146b0e7 fix disable WebMCP during SSR
562a566ead fix Handle synchronous errors in PendingTasks.run function
fa546f382d fix harden TransferState restoration against DOM clobbering
29fdb98684 fix prevent dangling prevConsumer reference from leaking destroyed views (#68681)
cdcea80327 fix require WebMCP tool descriptions
4289c4c840 fix update comment for Default change detection
3dd433b39a fix use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3 fix validate lowercase SVG animation attribute names

forms

Commit Type Description
11836a670a fix delay mcp reading the form model by a tick
85d2d100e3 fix harden FormGroup control lookups against prototype shadowing
e51ad374ea fix remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6 fix set additionalProperties: false on generated WebMCP form

http

Commit Type Description
ffb06c0514 fix ensure query parameters are inserted before URL fragments
2dd65d21e6 fix pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c fix preserve empty referrer option in HttpRequest
167bd4c162 fix Rejects non-HTTP(S) URLs in JSONP requests

language-service

| Commit | Type | Description |

... (truncated)

Commits
  • 4645850 refactor(compiler): Remove 80 char limit on AbstractEmitterVisitor
  • 1ee224c fix(compiler): disallow i18n event attributes
  • 5946c18 fix(compiler): sanitize href/xlink:href attributes of any element of the ...
  • 393b84c fix(compiler): sanitize two-way properties
  • 3d9ca2f fix(compiler-cli): bind switch exhaustive check expressions
  • a56f1cd fix(compiler): more robust logic to check if regex can be optimized
  • 2891f7e fix(compiler): move projection attributes into constants
  • 94d520f fix(compiler): prevent namespaced SVG <style> elements from being stripped
  • d9c38e5 docs: fix typos in source code comments
  • a08e4fb fix(core): normalize tag names in runtime i18n attribute security context loo...
  • Additional commits viewable in compare view

Updates @angular/build from 21.2.9 to 22.0.1

Release notes

Sourced from @​angular/build's releases.

22.0.1

@​schematics/angular

Commit Description
fix - c80012294 fix browserMode option mapping in refactor-jasmine-vitest
fix - a9b6bd904 safely comment out multiline statements in refactor-jasmine-vitest
fix - 12199df00 use null objects and callbacks in karma-to-vitest migration

@​angular/cli

Commit Description
fix - b54e9a549 do not sort migrations of the same version alphabetically
fix - d33311612 fallback to local package.json for schematic detection on first run
fix - 918102a93 isolate temporary package installation from parent pnpm workspace
fix - b048b5f4a remove forceAuth and unscoped credential parsing
fix - 277934035 validate registry option is a valid URL in ng add
perf - 4510dae02 optimize update schematic registry query counts by fetching package metadata lazily

@​angular/build

Commit Description
fix - 89d1be979 allow disabling Vitest isolation from builder
fix - d45b84be9 exclude JSON imports from Vite dependency optimization
fix - e3cab4ddd prevent concurrent stylesheet bundling esbuild context leaks
fix - bd413b0eb restrict application builder output paths to output directory

22.0.0

@​schematics/angular

Commit Description
feat - be60a63b7 add migrate-karma-to-vitest update migration
feat - 43505066e add migration to add istanbul-lib-instrument
feat - b2f7a038b conditionally install istanbul coverage provider for Vitest migration
feat - d227e6985 migrate fake async to Vitest fake timers
feat - d2aa9ede5 migrate fakeAsync's flush behavior when used in beforeEach
feat - f98cc82eb rely on strict template default in generated workspaces
feat - c9f408153 set up fake timers in beforeEach instead of beforeAll
feat - de630c2fc stabilize refactor-jasmine-vitest schematic
feat - 8d0805dd1 update TSConfig globals during karma to vitest migration
fix - 470e1f937 add istanbul-lib-instrument to application/library generator dependencies
fix - dc1238e5a add trusted-proxy-headers migration
fix - 6572a6944 default components to OnPush change detection
fix - aed407db8 defer karma config deletion in Karma to Vitest migration
fix - 4fbc60891 preserve Jasmine stub-by-default semantics for bare spies
fix - b3d838dfd replace deprecated ChangeDetectionStrategy.Default with Eager
fix - a7ac8e5f0 support spy call arguments migration in refactor-jasmine-vitest
fix - 7fb59eaa6 use service decorator in ng generate

@​angular/cli

Commit Description
feat - 58c0978f6 add support for Node.js 26.0.0
fix - a5c7c0b5f reflect new minimum supported Node version in ng.js

... (truncated)

Changelog

Sourced from @​angular/build's changelog.

22.0.1 (2026-06-10)

@​angular/cli

Commit Type Description
b54e9a549 fix do not sort migrations of the same version alphabetically
d33311612 fix fallback to local package.json for schematic detection on first run
918102a93 fix isolate temporary package installation from parent pnpm workspace
b048b5f4a fix remove forceAuth and unscoped credential parsing
277934035 fix validate registry option is a valid URL in ng add
4510dae02 perf optimize update schematic registry query counts by fetching package metadata lazily

@​schematics/angular

Commit Type Description
c80012294 fix fix browserMode option mapping in refactor-jasmine-vitest
a9b6bd904 fix safely comment out multiline statements in refactor-jasmine-vitest
12199df00 fix use null objects and callbacks in karma-to-vitest migration

@​angular/build

Commit Type Description
89d1be979 fix allow disabling Vitest isolation from builder
d45b84be9 fix exclude JSON imports from Vite dependency optimization
e3cab4ddd fix prevent concurrent stylesheet bundling esbuild context leaks
bd413b0eb fix restrict application builder output paths to output directory

22.0.0 (2026-06-03)

Breaking Changes

  • Node.js v20 is no longer supported. The minimum supported Node.js versions are now v22.22.0 and v24.13.1.
  • The @angular-devkit/architect-cli package is no longer available. The architect CLI tool has been moved to the @angular-devkit/architect package.
  • The experimental @angular-devkit/build-angular:jest and @angular-devkit/build-angular:web-test-runner builders have been removed.

@​angular/build

  • The @angular/build:dev-server (ng serve) now assigns the highest priority to the PORT environment variable. This value will override any port configurations specified in angular.json or via the --port command-line flag. This includes the default port 4200.
  • istanbul-lib-instrument is now an optional peer dependency. Projects using karma with code coverage enabled will need to ensure that istanbul-lib-instrument is installed. Note: ng update will automatically add this dependency during the update process.

... (truncated)

Commits
  • 5a64af9 release: cut the v22.0.1 release
  • b54e9a5 fix(@​angular/cli): do not sort migrations of the same version alphabetically
  • b048b5f fix(@​angular/cli): remove forceAuth and unscoped credential parsing
  • 3275b45 test(@​angular/cli): remove unscoped authentication test cases from registry t...
  • da81e55 build: update cross-repo angular dependencies
  • 56ac348 build: lock file maintenance
  • 12199df fix(@​schematics/angular): use null objects and callbacks in karma-to-vitest m...
  • 918102a fix(@​angular/cli): isolate temporary package installation from parent pnpm wo...
  • e9b106e build: update cross-repo angular dependencies
  • e3cab4d fix(@​angular/build): prevent concurrent stylesheet bundling esbuild context l...
  • Additional commits viewable in compare view

Updates @angular/common from 21.2.11 to 22.0.1

Release notes

Sourced from @​angular/common's releases.

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

Commit Description
fix - 669146b0e7 disable WebMCP during SSR
fix - 562a566ead Handle synchronous errors in PendingTasks.run function
fix - fa546f382d harden TransferState restoration against DOM clobbering
fix - 29fdb98684 prevent dangling prevConsumer reference from leaking destroyed views (#68681)
fix - cdcea80327 require WebMCP tool descriptions
fix - 4289c4c840 update comment for Default change detection
fix - 3dd433b39a use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
fix - 045bb736b3 validate lowercase SVG animation attribute names

forms

Commit Description
fix - 11836a670a delay mcp reading the form model by a tick
fix - 85d2d100e3 harden FormGroup control lookups against prototype shadowing
fix - e51ad374ea remove animationstart listener on component destroy to prevent memory leak
fix - 55b7b5a6b6 set additionalProperties: false on generated WebMCP form

http

Commit Description
fix - ffb06c0514 ensure query parameters are inserted before URL fragments
fix - 2dd65d21e6 pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
fix - 4254eb416c preserve empty referrer option in HttpRequest
fix - 167bd4c162 Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit Description
fix - 43a0e28729 prevent external template inlay hints from appearing in TS files

platform-server

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

22.0.1 (2026-06-10)

Deprecations

platform-server

  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead. (cherry picked from commit 8446e46f8bc33bd4419fa7f6106b8d117ca2e099)

common

Commit Type Description
c4b5fa3c92 fix escape CSS string-terminating characters in escapeCssUrl
dfff57ede9 fix Limits date format string length
3c2892c8df fix prevent prototype pollution in formatDateTime
1d87c49f6e fix use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Type Description
1ee224ca30 fix disallow i18n event attributes
a56f1cdf8f fix more robust logic to check if regex can be optimized
5946c18275 fix sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8 fix sanitize two-way properties

compiler-cli

Commit Type Description
3d9ca2f173 fix bind switch exhaustive check expressions

core

Commit Type Description
669146b0e7 fix disable WebMCP during SSR
562a566ead fix Handle synchronous errors in PendingTasks.run function
fa546f382d fix harden TransferState restoration against DOM clobbering
29fdb98684 fix prevent dangling prevConsumer reference from leaking destroyed views (#68681)
cdcea80327 fix require WebMCP tool descriptions
4289c4c840 fix update comment for Default change detection
3dd433b39a fix use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3 fix validate lowercase SVG animation attribute names

forms

Commit Type Description
11836a670a fix delay mcp reading the form model by a tick
85d2d100e3 fix harden FormGroup control lookups against prototype shadowing
e51ad374ea fix remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6 fix set additionalProperties: false on generated WebMCP form

http

Commit Type Description
ffb06c0514 fix ensure query parameters are inserted before URL fragments
2dd65d21e6 fix pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c fix preserve empty referrer option in HttpRequest
167bd4c162 fix Rejects non-HTTP(S) URLs in JSONP requests

language-service

| Commit | Type | Description |

... (truncated)

Commits
  • 2dd65d2 fix(http): pass down the reportUploadProgress and reportDownloadProgress ...
  • 1bd5a56 docs: deprecate XHR support for server-side rendering in HTTP docs and recomm...
  • 3c2892c fix(common): prevent prototype pollution in formatDateTime
  • c4b5fa3 fix(common): escape CSS string-terminating characters in escapeCssUrl
  • 4254eb4 fix(http): preserve empty referrer option in HttpRequest
  • 167bd4c fix(http): Rejects non-HTTP(S) URLs in JSONP requests
  • dfff57e fix(common): Limits date format string length
  • 1d87c49 fix(common): use cryptographically secure SHA-256 for transfer cache key gene...
  • ffb06c0 fix(http): ensure query parameters are inserted before URL fragments
  • 4795b35 fix(common): only strip a literal /index.html suffix from URLs
  • Additional commits viewable in compare view

Updates @angular/core from 21.2.11 to 22.0.1

Release notes

Sourced from @​angular/core's releases.

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

Commit Description
fix - 669146b0e7 disable WebMCP during SSR
fix - 562a566ead Handle synchronous errors in PendingTasks.run function
fix - fa546f382d harden TransferState restoration against DOM clobbering
fix - 29fdb98684 prevent dangling prevConsumer reference from leaking destroyed views (#68681)
fix - cdcea80327 require WebMCP tool descriptions
fix - 4289c4c840 update comment for Default change detection
fix - 3dd433b39a use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
fix - 045bb736b3 validate lowercase SVG animation attribute names

forms

Commit Description
fix - 11836a670a delay mcp reading the form model by a tick
fix - 85d2d100e3 harden FormGroup control lookups against prototype shadowing
fix - e51ad374ea remove animationstart listener on component destroy to prevent memory leak
fix - 55b7b5a6b6 set additionalProperties: false on generated WebMCP form

http

Commit Description
fix - ffb06c0514 ensure query parameters are inserted before URL fragments
fix - 2dd65d21e6 pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
fix - 4254eb416c preserve empty referrer option in HttpRequest
fix - 167bd4c162 Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit Description
fix - 43a0e28729 prevent external template inlay hints from appearing in TS files

platform-server

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

22.0.1 (2026-06-10)

Deprecations

platform-server

  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead. (cherry picked from commit 8446e46f8bc33bd4419fa7f6106b8d117ca2e099)

common

Commit Type Description
c4b5fa3c92 fix escape CSS string-terminating characters in escapeCssUrl
dfff57ede9 fix Limits date format string length
3c2892c8df fix prevent prototype pollution in formatDateTime
1d87c49f6e fix use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Type Description
1ee224ca30 fix disallow i18n event attributes
a56f1cdf8f fix more robust logic to check if regex can be optimized
5946c18275 fix sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8 fix sanitize two-way properties

compiler-cli

Commit Type Description
3d9ca2f173 fix bind switch exhaustive check expressions

core

Commit Type Description
669146b0e7 fix disable WebMCP during SSR
562a566ead fix Handle synchronous errors in PendingTasks.run function
fa546f382d fix harden TransferState restoration against DOM clobbering
29fdb98684 fix prevent dangling prevConsumer reference from leaking destroyed views (#68681)
cdcea80327 fix require WebMCP tool descriptions
4289c4c840 fix update comment for Default change detection
3dd433b39a fix use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3 fix validate lowercase SVG animation attribute names

forms

Commit Type Description
11836a670a fix delay mcp reading the form model by a tick
85d2d100e3 fix harden FormGroup control lookups against prototype shadowing
e51ad374ea fix remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6 fix set additionalProperties: false on generated WebMCP form

http

Description has been truncated

Commit Type Description

@dependabot
chore(deps-dev): bump @angular/compiler, @angular/build, @angular/com…
9d0ea61 
…mon, @angular/core, @angular/platform-browser, @angular/compiler-cli, @angular/forms, @angular/platform-browser-dynamic, @angular/router and ng-packagr

Bumps [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler), [@angular/build](https://github.com/angular/angular-cli), [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common), [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core), [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser), [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli), [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms), [@angular/platform-browser-dynamic](https://github.com/angular/angular/tree/HEAD/packages/platform-browser-dynamic), [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) and [ng-packagr](https://github.com/ng-packagr/ng-packagr). These dependencies needed to be updated together.

Updates `@angular/compiler` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/compiler)

Updates `@angular/build` from 21.2.9 to 22.0.1
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](angular/angular-cli@v21.2.9...v22.0.1)

Updates `@angular/common` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/common)

Updates `@angular/core` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/core)

Updates `@angular/platform-browser` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/platform-browser)

Updates `@angular/compiler-cli` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/compiler-cli)

Updates `@angular/forms` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/forms)

Updates `@angular/platform-browser-dynamic` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/platform-browser-dynamic)

Updates `@angular/router` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/router)

Updates `ng-packagr` from 21.2.3 to 22.0.0
- [Release notes](https://github.com/ng-packagr/ng-packagr/releases)
- [Changelog](https://github.com/ng-packagr/ng-packagr/blob/main/CHANGELOG.md)
- [Commits](ng-packagr/ng-packagr@21.2.3...22.0.0)

---
updated-dependencies:
- dependency-name: "@angular/compiler"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/build"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/common"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/core"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/platform-browser"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/compiler-cli"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/forms"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/platform-browser-dynamic"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/router"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: ng-packagr
  dependency-version: 22.0.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
This was referenced Jun 15, 2026
Closed
Closed
@socket-security

socket-security Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​angular/​platform-browser-dynamic@​21.2.11 ⏵ 22.0.11001006998100
Updated@​angular/​platform-browser@​21.2.11 ⏵ 22.0.1771007598100
Updated@​angular/​compiler-cli@​21.2.11 ⏵ 22.0.180 +11007798100
Updated@​angular/​router@​21.2.11 ⏵ 22.0.179 +110077 +198100
Updated@​angular/​forms@​21.2.11 ⏵ 22.0.18010077 +198100
Updated@​angular/​build@​21.2.9 ⏵ 22.0.18110078 +198100
Updated@​angular/​compiler@​21.2.11 ⏵ 22.0.181 +1100 +378 +198100
Updated@​angular/​core@​21.2.11 ⏵ 22.0.181100 +1979 +198100
Updated@​angular/​common@​21.2.11 ⏵ 22.0.1100100 +407998100
Updatedng-packagr@​21.2.3 ⏵ 22.0.098 +110010096100

View full report

@socket-security

socket-security Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @angular/build is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@angular/build@22.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@angular/build@22.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm lmdb is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@angular/build@22.0.1npm/lmdb@3.5.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lmdb@3.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Low adoption: npm fast-wrap-ansi

Location: Package overview

From: package-lock.jsonnpm/@angular/build@22.0.1npm/fast-wrap-ansi@0.2.2

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-wrap-ansi@0.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants