Skip to content

Bump tar and @angular/cli#169

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-4ce0e2017b
Open

Bump tar and @angular/cli#169
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-4ce0e2017b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps tar to 7.5.16 and updates ancestor dependency @angular/cli. These dependencies need to be updated together.

Updates tar from 7.5.6 to 7.5.16

Commits
  • cf21338 7.5.16
  • 21a8220 do not apply PAX header fields to meta entries
  • 52632cf update project deps
  • 302f51f fix inconsequential typo in PENDINGLINKS symbol name
  • 55dbb99 remove some uses of mutate-fs
  • 87cc309 7.5.15
  • 7aef486 fix: regression in pending links detection
  • 6244eb3 7.5.14
  • 9704d8c stricter protection against hardlinks preempting their targets
  • 700734f update workflows and deps
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates @angular/cli from 19.2.19 to 22.0.1

Release notes

Sourced from @​angular/cli's releases.

22.0.1

@​schematics/angular

Commit Description
fix - c80012294 fix browserMode option mapping in refactor-jasmine-vitest
fix - a9b6bd904 safely comment out multiline statements in refactor-jasmine-vitest
fix - 12199df00 use null objects and callbacks in karma-to-vitest migration

@​angular/cli

Commit Description
fix - b54e9a549 do not sort migrations of the same version alphabetically
fix - d33311612 fallback to local package.json for schematic detection on first run
fix - 918102a93 isolate temporary package installation from parent pnpm workspace
fix - b048b5f4a remove forceAuth and unscoped credential parsing
fix - 277934035 validate registry option is a valid URL in ng add
perf - 4510dae02 optimize update schematic registry query counts by fetching package metadata lazily

@​angular/build

Commit Description
fix - 89d1be979 allow disabling Vitest isolation from builder
fix - d45b84be9 exclude JSON imports from Vite dependency optimization
fix - e3cab4ddd prevent concurrent stylesheet bundling esbuild context leaks
fix - bd413b0eb restrict application builder output paths to output directory

22.0.0

@​schematics/angular

Commit Description
feat - be60a63b7 add migrate-karma-to-vitest update migration
feat - 43505066e add migration to add istanbul-lib-instrument
feat - b2f7a038b conditionally install istanbul coverage provider for Vitest migration
feat - d227e6985 migrate fake async to Vitest fake timers
feat - d2aa9ede5 migrate fakeAsync's flush behavior when used in beforeEach
feat - f98cc82eb rely on strict template default in generated workspaces
feat - c9f408153 set up fake timers in beforeEach instead of beforeAll
feat - de630c2fc stabilize refactor-jasmine-vitest schematic
feat - 8d0805dd1 update TSConfig globals during karma to vitest migration
fix - 470e1f937 add istanbul-lib-instrument to application/library generator dependencies
fix - dc1238e5a add trusted-proxy-headers migration
fix - 6572a6944 default components to OnPush change detection
fix - aed407db8 defer karma config deletion in Karma to Vitest migration
fix - 4fbc60891 preserve Jasmine stub-by-default semantics for bare spies
fix - b3d838dfd replace deprecated ChangeDetectionStrategy.Default with Eager
fix - a7ac8e5f0 support spy call arguments migration in refactor-jasmine-vitest
fix - 7fb59eaa6 use service decorator in ng generate

@​angular/cli

Commit Description
feat - 58c0978f6 add support for Node.js 26.0.0
fix - a5c7c0b5f reflect new minimum supported Node version in ng.js

... (truncated)

Changelog

Sourced from @​angular/cli's changelog.

22.0.1 (2026-06-10)

@​angular/cli

Commit Type Description
b54e9a549 fix do not sort migrations of the same version alphabetically
d33311612 fix fallback to local package.json for schematic detection on first run
918102a93 fix isolate temporary package installation from parent pnpm workspace
b048b5f4a fix remove forceAuth and unscoped credential parsing
277934035 fix validate registry option is a valid URL in ng add
4510dae02 perf optimize update schematic registry query counts by fetching package metadata lazily

@​schematics/angular

Commit Type Description
c80012294 fix fix browserMode option mapping in refactor-jasmine-vitest
a9b6bd904 fix safely comment out multiline statements in refactor-jasmine-vitest
12199df00 fix use null objects and callbacks in karma-to-vitest migration

@​angular/build

Commit Type Description
89d1be979 fix allow disabling Vitest isolation from builder
d45b84be9 fix exclude JSON imports from Vite dependency optimization
e3cab4ddd fix prevent concurrent stylesheet bundling esbuild context leaks
bd413b0eb fix restrict application builder output paths to output directory

22.0.0 (2026-06-03)

Breaking Changes

  • Node.js v20 is no longer supported. The minimum supported Node.js versions are now v22.22.0 and v24.13.1.
  • The @angular-devkit/architect-cli package is no longer available. The architect CLI tool has been moved to the @angular-devkit/architect package.
  • The experimental @angular-devkit/build-angular:jest and @angular-devkit/build-angular:web-test-runner builders have been removed.

@​angular/build

  • The @angular/build:dev-server (ng serve) now assigns the highest priority to the PORT environment variable. This value will override any port configurations specified in angular.json or via the --port command-line flag. This includes the default port 4200.
  • istanbul-lib-instrument is now an optional peer dependency. Projects using karma with code coverage enabled will need to ensure that istanbul-lib-instrument is installed. Note: ng update will automatically add this dependency during the update process.

... (truncated)

Commits
  • 5a64af9 release: cut the v22.0.1 release
  • b54e9a5 fix(@​angular/cli): do not sort migrations of the same version alphabetically
  • b048b5f fix(@​angular/cli): remove forceAuth and unscoped credential parsing
  • 3275b45 test(@​angular/cli): remove unscoped authentication test cases from registry t...
  • da81e55 build: update cross-repo angular dependencies
  • 56ac348 build: lock file maintenance
  • 12199df fix(@​schematics/angular): use null objects and callbacks in karma-to-vitest m...
  • 918102a fix(@​angular/cli): isolate temporary package installation from parent pnpm wo...
  • e9b106e build: update cross-repo angular dependencies
  • e3cab4d fix(@​angular/build): prevent concurrent stylesheet bundling esbuild context l...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump tar and @angular/cli
b471fac 
Bumps [tar](https://github.com/isaacs/node-tar) to 7.5.16 and updates ancestor dependency [@angular/cli](https://github.com/angular/angular-cli). These dependencies need to be updated together.


Updates `tar` from 7.5.6 to 7.5.16
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.6...v7.5.16)

Updates `@angular/cli` from 19.2.19 to 22.0.1
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](angular/angular-cli@19.2.19...v22.0.1)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.16
  dependency-type: indirect
- dependency-name: "@angular/cli"
  dependency-version: 22.0.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 15, 2026 18:10
@CLAassistant

CLAassistant commented Jun 15, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions github-actions Bot enabled auto-merge (squash) June 15, 2026 18:10
@sonarqubecloud

sonarqubecloud Bot commented Jun 15, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@socket-security

socket-security Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​angular/​cli@​19.2.19 ⏵ 22.0.179 +310078 +198100

View full report

@socket-security

socket-security Bot commented Jun 15, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @schematics/angular is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@angular/cli@22.0.1npm/@schematics/angular@22.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@schematics/angular@22.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm typescript

License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

From: package-lock.jsonnpm/@angular/cli@22.0.1npm/typescript@6.0.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@CLAassistant