Skip to content

chore(deps): bump the npm-security-updates group across 1 directory with 5 updates#49

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-security-updates-0e7633c329
Open

chore(deps): bump the npm-security-updates group across 1 directory with 5 updates#49
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-security-updates-0e7633c329

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-security-updates group with 4 updates in the / directory: @angular/common, @angular/compiler, @angular/core and tar.

Updates @angular/common from 19.2.24 to 22.0.2

Release notes

Sourced from @​angular/common's releases.

22.0.2

common

Commit Description
fix - 94ea403563 escape anchor fragment in shadow DOM name selector
fix - 6c1f3e9d49 skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Description
fix - 6f1171991a restrict possible event handler check to property names longer than 2 characters

core

Commit Description
fix - 528a34f766 avoid caching missing locale data
fix - e17e8d5422 escape overlapping comment delimiters in escapeCommentText
fix - 59dea13f80 guard against DOM clobbering in declareExperimentalWebMcpTool
fix - 3a48abc15c preserve leave animation for sibling instances sharing a TNode
fix - 93d0a5f95c prevent unsubscribe during emit from throwing off other listeners
fix - b32ee7ceb3 treat iframe credentialless as security-sensitive
perf - f902d1d35e detect existing signal dependency without checking all producer links

http

Commit Description
fix - 6867f77ec7 distinguish repeated transfer cache params
fix - 7ef1399068 skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Description
fix - 15314c1736 migration skip any target are not build or test

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

22.0.2 (2026-06-17)

common

Commit Type Description
94ea403563 fix escape anchor fragment in shadow DOM name selector
6c1f3e9d49 fix skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Type Description
6f1171991a fix restrict possible event handler check to property names longer than 2 characters

core

Commit Type Description
528a34f766 fix avoid caching missing locale data
e17e8d5422 fix escape overlapping comment delimiters in escapeCommentText
59dea13f80 fix guard against DOM clobbering in declareExperimentalWebMcpTool
3a48abc15c fix preserve leave animation for sibling instances sharing a TNode
93d0a5f95c fix prevent unsubscribe during emit from throwing off other listeners
b32ee7ceb3 fix treat iframe credentialless as security-sensitive
f902d1d35e perf detect existing signal dependency without checking all producer links

http

Commit Type Description
6867f77ec7 fix distinguish repeated transfer cache params
7ef1399068 fix skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Type Description
15314c1736 fix migration skip any target are not build or test

22.1.0-next.0 (2026-06-10)

Deprecations

http

  • HttpClient.jsonp, HttpClientJsonpModule, and related JSONP classes/functions are deprecated. Use standard HTTP requests instead.

common

Commit Type Description
1ad6824d0d fix skip transfer cache for uncacheable HTTP traffic (#69017)

compiler

Commit Type Description
25c744c4d0 fix support foreign components defined outside top-level scope

compiler-cli

Commit Type Description
aeb55c8bc1 fix allow passing uninvoked signals as foreign component props
7c60a98b3c fix support import aliases in foreignImports (#68674)

... (truncated)

Commits
  • 6867f77 fix(http): distinguish repeated transfer cache params
  • 6c1f3e9 fix(common): skip transfer cache for uncacheable HTTP traffic (#69316)
  • 7ef1399 fix(http): skip transfer cache for fetch credentialed requests (#69316)
  • 94ea403 fix(common): escape anchor fragment in shadow DOM name selector
  • 2dd65d2 fix(http): pass down the reportUploadProgress and reportDownloadProgress ...
  • 1bd5a56 docs: deprecate XHR support for server-side rendering in HTTP docs and recomm...
  • 3c2892c fix(common): prevent prototype pollution in formatDateTime
  • c4b5fa3 fix(common): escape CSS string-terminating characters in escapeCssUrl
  • 4254eb4 fix(http): preserve empty referrer option in HttpRequest
  • 167bd4c fix(http): Rejects non-HTTP(S) URLs in JSONP requests
  • Additional commits viewable in compare view

Updates @angular/compiler from 19.2.24 to 22.0.2

Release notes

Sourced from @​angular/compiler's releases.

22.0.2

common

Commit Description
fix - 94ea403563 escape anchor fragment in shadow DOM name selector
fix - 6c1f3e9d49 skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Description
fix - 6f1171991a restrict possible event handler check to property names longer than 2 characters

core

Commit Description
fix - 528a34f766 avoid caching missing locale data
fix - e17e8d5422 escape overlapping comment delimiters in escapeCommentText
fix - 59dea13f80 guard against DOM clobbering in declareExperimentalWebMcpTool
fix - 3a48abc15c preserve leave animation for sibling instances sharing a TNode
fix - 93d0a5f95c prevent unsubscribe during emit from throwing off other listeners
fix - b32ee7ceb3 treat iframe credentialless as security-sensitive
perf - f902d1d35e detect existing signal dependency without checking all producer links

http

Commit Description
fix - 6867f77ec7 distinguish repeated transfer cache params
fix - 7ef1399068 skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Description
fix - 15314c1736 migration skip any target are not build or test

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

22.0.2 (2026-06-17)

common

Commit Type Description
94ea403563 fix escape anchor fragment in shadow DOM name selector
6c1f3e9d49 fix skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Type Description
6f1171991a fix restrict possible event handler check to property names longer than 2 characters

core

Commit Type Description
528a34f766 fix avoid caching missing locale data
e17e8d5422 fix escape overlapping comment delimiters in escapeCommentText
59dea13f80 fix guard against DOM clobbering in declareExperimentalWebMcpTool
3a48abc15c fix preserve leave animation for sibling instances sharing a TNode
93d0a5f95c fix prevent unsubscribe during emit from throwing off other listeners
b32ee7ceb3 fix treat iframe credentialless as security-sensitive
f902d1d35e perf detect existing signal dependency without checking all producer links

http

Commit Type Description
6867f77ec7 fix distinguish repeated transfer cache params
7ef1399068 fix skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Type Description
15314c1736 fix migration skip any target are not build or test

22.1.0-next.0 (2026-06-10)

Deprecations

http

  • HttpClient.jsonp, HttpClientJsonpModule, and related JSONP classes/functions are deprecated. Use standard HTTP requests instead.

common

Commit Type Description
1ad6824d0d fix skip transfer cache for uncacheable HTTP traffic (#69017)

compiler

Commit Type Description
25c744c4d0 fix support foreign components defined outside top-level scope

compiler-cli

Commit Type Description
aeb55c8bc1 fix allow passing uninvoked signals as foreign component props
7c60a98b3c fix support import aliases in foreignImports (#68674)

... (truncated)

Commits
  • 74f2b91 refactor(compiler): correct TcbInvalidReferenceOp initializer
  • b32ee7c fix(core): treat iframe credentialless as security-sensitive
  • f309727 refactor(compiler): Collect in-element comments
  • 6f11719 fix(compiler): restrict possible event handler check to property names longer...
  • 8bb3947 refactor: optimize dom security schema lookups
  • 4645850 refactor(compiler): Remove 80 char limit on AbstractEmitterVisitor
  • 1ee224c fix(compiler): disallow i18n event attributes
  • 5946c18 fix(compiler): sanitize href/xlink:href attributes of any element of the ...
  • 393b84c fix(compiler): sanitize two-way properties
  • 3d9ca2f fix(compiler-cli): bind switch exhaustive check expressions
  • Additional commits viewable in compare view

Updates @angular/core from 19.2.24 to 22.0.2

Release notes

Sourced from @​angular/core's releases.

22.0.2

common

Commit Description
fix - 94ea403563 escape anchor fragment in shadow DOM name selector
fix - 6c1f3e9d49 skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Description
fix - 6f1171991a restrict possible event handler check to property names longer than 2 characters

core

Commit Description
fix - 528a34f766 avoid caching missing locale data
fix - e17e8d5422 escape overlapping comment delimiters in escapeCommentText
fix - 59dea13f80 guard against DOM clobbering in declareExperimentalWebMcpTool
fix - 3a48abc15c preserve leave animation for sibling instances sharing a TNode
fix - 93d0a5f95c prevent unsubscribe during emit from throwing off other listeners
fix - b32ee7ceb3 treat iframe credentialless as security-sensitive
perf - f902d1d35e detect existing signal dependency without checking all producer links

http

Commit Description
fix - 6867f77ec7 distinguish repeated transfer cache params
fix - 7ef1399068 skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Description
fix - 15314c1736 migration skip any target are not build or test

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

22.0.2 (2026-06-17)

common

Commit Type Description
94ea403563 fix escape anchor fragment in shadow DOM name selector
6c1f3e9d49 fix skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Type Description
6f1171991a fix restrict possible event handler check to property names longer than 2 characters

core

Commit Type Description
528a34f766 fix avoid caching missing locale data
e17e8d5422 fix escape overlapping comment delimiters in escapeCommentText
59dea13f80 fix guard against DOM clobbering in declareExperimentalWebMcpTool
3a48abc15c fix preserve leave animation for sibling instances sharing a TNode
93d0a5f95c fix prevent unsubscribe during emit from throwing off other listeners
b32ee7ceb3 fix treat iframe credentialless as security-sensitive
f902d1d35e perf detect existing signal dependency without checking all producer links

http

Commit Type Description
6867f77ec7 fix distinguish repeated transfer cache params
7ef1399068 fix skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Type Description
15314c1736 fix migration skip any target are not build or test

22.1.0-next.0 (2026-06-10)

Deprecations

http

  • HttpClient.jsonp, HttpClientJsonpModule, and related JSONP classes/functions are deprecated. Use standard HTTP requests instead.

common

Commit Type Description
1ad6824d0d fix skip transfer cache for uncacheable HTTP traffic (#69017)

compiler

Commit Type Description
25c744c4d0 fix support foreign components defined outside top-level scope

compiler-cli

Commit Type Description
aeb55c8bc1 fix allow passing uninvoked signals as foreign component props
7c60a98b3c fix support import aliases in foreignImports (#68674)

... (truncated)

Commits
  • 152601e refactor(core): add childSignalProp to ReactiveNodeKind
  • 59dea13 fix(core): guard against DOM clobbering in declareExperimentalWebMcpTool
  • 81cb457 refactor(router): Add handling for ActivatedRoute-scoped injector
  • f902d1d perf(core): detect existing signal dependency without checking all producer l...
  • e17e8d5 fix(core): escape overlapping comment delimiters in escapeCommentText
  • 0f1cfe3 build: update cross-repo angular dependencies to v22.0.2
  • b32ee7c fix(core): treat iframe credentialless as security-sensitive
  • 93d0a5f fix(core): prevent unsubscribe during emit from throwing off other listeners
  • 528a34f fix(core): avoid caching missing locale data
  • 6f11719 fix(compiler): restrict possible event handler check to property names longer...
  • Additional commits viewable in compare view

Updates @babel/core from 7.26.9 to 7.29.0

Release notes

Sourced from @​babel/core's releases.

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

  • babel-types
  • babel-standalone

🐛 Bug Fix

  • babel-parser
  • babel-traverse
    • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
  • babel-plugin-transform-block-scoping, babel-traverse
    • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

🏃‍♀️ Performance

Committers: 6

v7.28.6 (2026-01-12)

Thanks @​kadhirash and @​kolvian for your first PRs!

🐛 Bug Fix

  • babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types
  • babel-plugin-transform-regenerator
  • babel-plugin-transform-react-jsx

💅 Polish

  • babel-core, babel-standalone

🏠 Internal

  • babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/core since your current version.


Removes tar

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm-security-updates group across 1 directory w…
096526d 
…ith 5 updates

Bumps the npm-security-updates group with 4 updates in the / directory: [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common), [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler), [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) and [tar](https://github.com/isaacs/node-tar).


Updates `@angular/common` from 19.2.24 to 22.0.2
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.2/packages/common)

Updates `@angular/compiler` from 19.2.24 to 22.0.2
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.2/packages/compiler)

Updates `@angular/core` from 19.2.24 to 22.0.2
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.2/packages/core)

Updates `@babel/core` from 7.26.9 to 7.29.0
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.0/packages/babel-core)

Removes `tar`

---
updated-dependencies:
- dependency-name: "@angular/common"
  dependency-version: 22.0.2
  dependency-type: direct:development
  dependency-group: npm-security-updates
- dependency-name: "@angular/compiler"
  dependency-version: 22.0.2
  dependency-type: direct:development
  dependency-group: npm-security-updates
- dependency-name: "@angular/core"
  dependency-version: 22.0.2
  dependency-type: direct:development
  dependency-group: npm-security-updates
- dependency-name: "@babel/core"
  dependency-version: 7.29.0
  dependency-type: indirect
  dependency-group: npm-security-updates
- dependency-name: tar
  dependency-version:
  dependency-type: indirect
  dependency-group: npm-security-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants