Skip to content

Comments

Bump the npm_and_yarn group across 1 directory with 3 updates#837

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-352e8e2929
Closed

Bump the npm_and_yarn group across 1 directory with 3 updates#837
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-352e8e2929

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 19, 2026

Bumps the npm_and_yarn group with 3 updates in the / directory: tar, qs and webpack.

Updates tar from 6.2.1 to 7.5.9

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates qs from 6.14.1 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions
Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLengtharrayLimit)
  • Additional commits viewable in compare view

Updates webpack from 5.98.0 to 5.105.0

Release notes

Sourced from webpack's releases.

v5.105.0

Minor Changes

  • Allow resolving worker module by export condition name when using new Worker() (by @​hai-x in #20353)

  • Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by @​hai-x in #20320)

  • Added the tsconfig option for the resolver options (replacement for tsconfig-paths-webpack-plugin). Can be false (disabled), true (use the default tsconfig.json file to search for it), a string path to tsconfig.json, or an object with configFile and references options. (by @​alexander-akait in #20400)

  • Support import.defer() for context modules. (by @​ahabhgk in #20399)

  • Added support for array values ​​to the devtool option. (by @​hai-x in #20191)

  • Improve rendering node built-in modules for ECMA module output. (by @​hai-x in #20255)

  • Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by @​xiaoxiaojx in #20312)

Patch Changes

  • Fixed ESM default export handling for .mjs files in Module Federation (by @​y-okt in #20189)

  • Optimized import.meta.env handling in destructuring assignments by using cached stringified environment definitions. (by @​xiaoxiaojx in #20313)

  • Respect the stats.errorStack option in stats output. (by @​samarthsinh2660 in #20258)

  • Fixed a bug where declaring a module variable in module scope would conflict with the default moduleArgument. (by @​xiaoxiaojx in #20265)

  • Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by @​xiaoxiaojx in #20390)

  • Fixed Worker self-import handling to support various URL patterns (e.g., import.meta.url, new URL(import.meta.url), new URL(import.meta.url, import.meta.url), new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by @​xiaoxiaojx in #20381)

  • Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by @​xiaoxiaojx in #20345)

  • Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by @​samarthsinh2660 in #20251)

  • Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by @​hai-x in #20346)

  • Fixed import.meta.env.xxx behavior: when accessing a non-existent property, it now returns empty object instead of full object at runtime. (by @​xiaoxiaojx in #20289)

  • Improved parsing error reporting by adding a link to the loader documentation. (by @​gaurav10gg in #20244)

  • Fix typescript types. (by @​alexander-akait in #20305)

  • Add declaration for unused harmony import specifier. (by @​hai-x in #20286)

  • Fix compressibility of modules while retaining portability. (by @​dmichon-msft in #20287)

  • Optimize source map generation: only include ignoreList property when it has content, avoiding empty arrays in source maps. (by @​xiaoxiaojx in #20319)

  • Preserve star exports for dependencies in ECMA module output. (by @​hai-x in #20293)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.0

Minor Changes

  • Allow resolving worker module by export condition name when using new Worker() (by @​hai-x in #20353)

  • Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by @​hai-x in #20320)

  • Added the tsconfig option for the resolver options (replacement for tsconfig-paths-webpack-plugin). Can be false (disabled), true (use the default tsconfig.json file to search for it), a string path to tsconfig.json, or an object with configFile and references options. (by @​alexander-akait in #20400)

  • Support import.defer() for context modules. (by @​ahabhgk in #20399)

  • Added support for array values ​​to the devtool option. (by @​hai-x in #20191)

  • Improve rendering node built-in modules for ECMA module output. (by @​hai-x in #20255)

  • Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by @​xiaoxiaojx in #20312)

Patch Changes

  • Fixed ESM default export handling for .mjs files in Module Federation (by @​y-okt in #20189)

  • Optimized import.meta.env handling in destructuring assignments by using cached stringified environment definitions. (by @​xiaoxiaojx in #20313)

  • Respect the stats.errorStack option in stats output. (by @​samarthsinh2660 in #20258)

  • Fixed a bug where declaring a module variable in module scope would conflict with the default moduleArgument. (by @​xiaoxiaojx in #20265)

  • Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by @​xiaoxiaojx in #20390)

  • Fixed Worker self-import handling to support various URL patterns (e.g., import.meta.url, new URL(import.meta.url), new URL(import.meta.url, import.meta.url), new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by @​xiaoxiaojx in #20381)

  • Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by @​xiaoxiaojx in #20345)

  • Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by @​samarthsinh2660 in #20251)

  • Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by @​hai-x in #20346)

  • Fixed import.meta.env.xxx behavior: when accessing a non-existent property, it now returns empty object instead of full object at runtime. (by @​xiaoxiaojx in #20289)

  • Improved parsing error reporting by adding a link to the loader documentation. (by @​gaurav10gg in #20244)

  • Fix typescript types. (by @​alexander-akait in #20305)

  • Add declaration for unused harmony import specifier. (by @​hai-x in #20286)

  • Fix compressibility of modules while retaining portability. (by @​dmichon-msft in #20287)

  • Optimize source map generation: only include ignoreList property when it has content, avoiding empty arrays in source maps. (by @​xiaoxiaojx in #20319)

... (truncated)

Commits
  • 1486f9a chore(release): new release
  • 1a517f6 feat: added the tsconfig option for the resolver options (#20400)
  • 7b3b0f7 feat: support import.defer() for context modules
  • c4a6a92 refactor: more types and increase types coverage
  • 5ecc58d feat: consider asset module as side-effect-free (#20352)
  • cce0f69 test: avoid comma operator in BinaryMiddleware test (#20398)
  • cd4793d feat: support import specifier guard (#20320)
  • fe48655 docs: update examples (#20397)
  • de107f8 fix(VirtualUrlPlugin): set resourceData.context to avoid invalid fallback (#2...
  • a656ab1 test: add self-import test case for dynamic import (#20389)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 1 directory with 3 updates
f74e501 
Bumps the npm_and_yarn group with 3 updates in the / directory: [tar](https://github.com/isaacs/node-tar), [qs](https://github.com/ljharb/qs) and [webpack](https://github.com/webpack/webpack).


Updates `tar` from 6.2.1 to 7.5.9
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.1...v7.5.9)

Updates `qs` from 6.14.1 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.1...v6.14.2)

Updates `webpack` from 5.98.0 to 5.105.0
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.98.0...v5.105.0)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-version: 5.105.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from a team as a code owner February 19, 2026 20:43
@dependabot dependabot bot added dependencies Change requested in dependencies javascript Pull requests that update Javascript code labels Feb 19, 2026
@github-actions
Copy link

github-actions bot commented Feb 19, 2026

🤖 Claude Code Review

PR Code Review

This PR updates two devDependencies in package.json:

  • @angular-devkit/build-angular: ^19.2.12^19.2.20
  • @angular/cli: ~19.2.12~21.1.4

Code Quality

Style guide — No application code changes; package.json formatting is standard.

No commented-out code — None present.

Meaningful variable names — N/A.

DRY principle — N/A.

Defects / Logic errors — Two significant concerns:

  1. Major version mismatch between @angular/cli and @angular-devkit/build-angular:
    @angular/cli is jumped from v19 to v21 (skipping v20), while @angular-devkit/build-angular stays at v19. In the Angular ecosystem these tools are typically kept at compatible major versions. This mismatch means ng generate, ng add, schematics, and migrations from the CLI will use v21 schematics (@schematics/angular@21.1.4) against a v19 project configuration. This is a risky and unusual configuration that could produce unexpected behavior.

  2. Node.js version requirement escalation (undocumented):
    @angular/cli@21 requires node: "^20.19.0 || ^22.12.0 || >=24.0.0", a more restrictive set than v19's "^18.19.1 || ^20.11.1 || >=22.0.0". The project has no engines field in package.json to communicate this constraint change to developers or CI systems. Node 18 and Node 20.0–20.18 are now silently incompatible.

  3. Heavy new transitive dependencies added via @angular/cli@21 (package-lock.json lines ~505–731):

    • @modelcontextprotocol/sdk@1.26.0 — pulls in express@5.x, hono@4.12.0, jose@6.1.3, zod@4.3.5, eventsource, cors, express-rate-limit, etc. These are substantial server-side runtime libraries added to a dev tool dependency tree. While they are devDependencies, they expand the attack surface of the dev toolchain considerably.
    • algoliasearch@5.46.2 — search client added as a CLI dependency (used for ng new template search).

No .claude/CLAUDE.md found — no project-level memory configuration to review.

Testing

Unit/integration tests — N/A for a pure dependency update.

⚠️ Edge cases — The version mismatch noted above should be validated by running ng generate, ng build, and ng test locally before merging to confirm no regressions.

Documentation

CHANGELOG.md not updatedCHANGELOG.md exists and follows Keep-a-Changelog format, but this PR adds no entry documenting the @angular/cli major version bump (v19 → v21) and the updated minimum Node.js requirement. A notable toolchain change of this magnitude warrants a changelog entry.

README — Likely does not need updating for a devDependency bump.

Inline comments — N/A.

Security

No hardcoded credentials — None found.

No .lic files — None present.

No sensitive data in logs — N/A.

⚠️ Expanded transitive dependency surface — The addition of @modelcontextprotocol/sdk (and its chain of express, hono, jose, zod, eventsource-parser, etc.) significantly expands the dev dependency tree. While these are devDependencies and not shipped in the library output, they do run in developer environments and CI. The introduction of an MCP server framework, a JWT library, and a full web framework as indirect dependencies of the Angular CLI warrants awareness.

Summary

Item Status
Style guide
No commented-out code
No defects
CHANGELOG updated
No hardcoded credentials
No .lic files

Recommended actions before merging:

  1. Either align @angular/cli and @angular-devkit/build-angular to the same major version (both v21 or both stay at v19), or explicitly document why this mismatch is intentional and validated.
  2. Add an engines field to package.json reflecting the new minimum Node.js requirement (^20.19.0 || ^22.12.0 || >=24.0.0).
  3. Add a CHANGELOG.md entry noting the CLI version bump and updated Node.js requirements.
  4. Run the full test suite and key ng commands (ng build, ng test, ng generate component) against this dependency set before merging.

Automated code review analyzing defects and coding standards

@arawinters
Copy link
Contributor

arawinters commented Feb 23, 2026

unaligned angular package update. closing

@arawinters arawinters closed this Feb 23, 2026
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 23, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-352e8e2929 branch February 23, 2026 18:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@arawinters arawinters

Labels

dependencies Change requested in dependencies javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arawinters