From 22b36f803ef31de6fd47623e96d4520ce90e7d00 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 13:21:47 -0700 Subject: [PATCH 01/19] Bump actions/create-github-app-token from 2.1.4 to 3.2.0 (#2842) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2.1.4 to 3.2.0.
Release notes

Sourced from actions/create-github-app-token's releases.

v3.2.0

3.2.0 (2026-05-12)

Features

Bug Fixes

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

Features

v3.0.0

3.0.0 (2026-03-14)

Bug Fixes

... (truncated)

Changelog

Sourced from actions/create-github-app-token's changelog.

Changelog

3.2.0 (2026-05-12)

Features

Bug Fixes

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/create-github-app-token&package-manager=github_actions&previous-version=2.1.4&new-version=3.2.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/gemini-cli.yml | 2 +- .github/workflows/gemini-issue-automated-triage.yml | 2 +- .github/workflows/gemini-issue-scheduled-triage.yml | 2 +- .github/workflows/gemini-pr-review.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/gemini-cli.yml b/.github/workflows/gemini-cli.yml index ed4e1fdfa..b4feae184 100644 --- a/.github/workflows/gemini-cli.yml +++ b/.github/workflows/gemini-cli.yml @@ -91,7 +91,7 @@ jobs: id: 'generate_token' if: |- ${{ vars.APP_ID }} - uses: 'actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42' # ratchet:actions/create-github-app-token@v2 + uses: 'actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1' # ratchet:actions/create-github-app-token@v2 with: app-id: '${{ vars.APP_ID }}' private-key: '${{ secrets.APP_PRIVATE_KEY }}' diff --git a/.github/workflows/gemini-issue-automated-triage.yml b/.github/workflows/gemini-issue-automated-triage.yml index c76997958..9bc4ec054 100644 --- a/.github/workflows/gemini-issue-automated-triage.yml +++ b/.github/workflows/gemini-issue-automated-triage.yml @@ -50,7 +50,7 @@ jobs: id: 'generate_token' if: |- ${{ vars.APP_ID }} - uses: 'actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42' # ratchet:actions/create-github-app-token@v2 + uses: 'actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1' # ratchet:actions/create-github-app-token@v2 with: app-id: '${{ vars.APP_ID }}' private-key: '${{ secrets.APP_PRIVATE_KEY }}' diff --git a/.github/workflows/gemini-issue-scheduled-triage.yml b/.github/workflows/gemini-issue-scheduled-triage.yml index 10f002378..2856ce4d2 100644 --- a/.github/workflows/gemini-issue-scheduled-triage.yml +++ b/.github/workflows/gemini-issue-scheduled-triage.yml @@ -32,7 +32,7 @@ jobs: id: 'generate_token' if: |- ${{ vars.APP_ID }} - uses: 'actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42' # ratchet:actions/create-github-app-token@v2 + uses: 'actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1' # ratchet:actions/create-github-app-token@v2 with: app-id: '${{ vars.APP_ID }}' private-key: '${{ secrets.APP_PRIVATE_KEY }}' diff --git a/.github/workflows/gemini-pr-review.yml b/.github/workflows/gemini-pr-review.yml index 0405735b1..e9ae2a48d 100644 --- a/.github/workflows/gemini-pr-review.yml +++ b/.github/workflows/gemini-pr-review.yml @@ -72,7 +72,7 @@ jobs: id: 'generate_token' if: |- ${{ vars.APP_ID }} - uses: 'actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42' # ratchet:actions/create-github-app-token@v2 + uses: 'actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1' # ratchet:actions/create-github-app-token@v2 with: app-id: '${{ vars.APP_ID }}' private-key: '${{ secrets.APP_PRIVATE_KEY }}' From 7f2fc7028d3f8ea385695b242d3e38afa0fc0f1d Mon Sep 17 00:00:00 2001 From: Eric Windmill Date: Mon, 18 May 2026 10:51:37 -0700 Subject: [PATCH 02/19] refactor: remove outdated package directories from dependabot config (#2844) --- .github/dependabot.yaml | 187 +----------------- .../flutter_module/lib/main.dart | 15 +- .../flutter_module/lib/main.dart | 2 - .../flutter_module/pubspec.yaml | 2 +- testing_app/lib/screens/home.dart | 1 - 5 files changed, 10 insertions(+), 197 deletions(-) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index c6445bea5..6e545fe97 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -17,24 +17,12 @@ updates: update-types: ["version-update:semver-minor", "version-update:semver-patch"] labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "add_to_app/android_view/flutter_module_using_plugin/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "add_to_app/books/flutter_module_books/" schedule: interval: "daily" labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "add_to_app/fullscreen/flutter_module/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "add_to_app/multiple_flutters/multiple_flutters_module/" schedule: @@ -77,30 +65,6 @@ updates: interval: "daily" labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "code_sharing/client/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "code_sharing/server/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "code_sharing/shared/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "deeplink_store_example/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "desktop_photo_search/fluent_ui/" schedule: @@ -113,126 +77,24 @@ updates: interval: "daily" labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/context_menus/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/federated_plugin/federated_plugin/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/federated_plugin/federated_plugin/example/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/federated_plugin/federated_plugin_macos/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/federated_plugin/federated_plugin_platform_interface/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/federated_plugin/federated_plugin_web/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/federated_plugin/federated_plugin_windows/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/material_3_demo/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/pedometer/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/pedometer/example/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/varfont_shader_puzzle/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "experimental/web_dashboard/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "flutter_maps_firestore/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "form_app/" schedule: interval: "daily" labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "game_template/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "google_maps/" schedule: interval: "daily" labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "infinite_list/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "ios_app_clip/" schedule: interval: "daily" labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "isolate_example/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "jsonexample/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "material_3_demo/" schedule: @@ -245,12 +107,6 @@ updates: interval: "daily" labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "place_tracker/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "platform_channels/" schedule: @@ -269,18 +125,6 @@ updates: interval: "daily" labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "provider_counter/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "provider_shopper/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "simple_sdf/" schedule: @@ -293,42 +137,12 @@ updates: interval: "daily" labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "simplistic_calculator/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "simplistic_editor/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "testing_app/" schedule: interval: "daily" labels: - "autosubmit" - - package-ecosystem: "pub" - directory: "veggieseasons/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "web/_tool/" - schedule: - interval: "daily" - labels: - - "autosubmit" - - package-ecosystem: "pub" - directory: "web/samples_index/" - schedule: - interval: "daily" - labels: - - "autosubmit" - package-ecosystem: "pub" directory: "web_embedding/element_embedding_demo/" schedule: @@ -341,3 +155,4 @@ updates: interval: "daily" labels: - "autosubmit" + diff --git a/add_to_app/ios_content_resizing/flutter_module/lib/main.dart b/add_to_app/ios_content_resizing/flutter_module/lib/main.dart index 97834ef24..24ef27fdb 100644 --- a/add_to_app/ios_content_resizing/flutter_module/lib/main.dart +++ b/add_to_app/ios_content_resizing/flutter_module/lib/main.dart @@ -33,20 +33,21 @@ class _ResizeAppState extends State { mainAxisSize: MainAxisSize.min, children: [ for (int i = 0; i < _listSize; i++) - Container(color: HSVColor.fromAHSV(1, (10.0 * i), 1, 1).toColor(), height: 50, width: 200, + Container( + color: HSVColor.fromAHSV(1, (10.0 * i), 1, 1).toColor(), + height: 50, + width: 200, child: Center( child: Text( 'Flutter Widget $i', style: const TextStyle(fontSize: 16, color: Colors.black), ), - )), - TextButton( - onPressed: _addToList, - child: Text('Listception!'), - ) + ), + ), + TextButton(onPressed: _addToList, child: Text('Listception!')), ], ), ), ); } -} \ No newline at end of file +} diff --git a/add_to_app/ios_content_resizing/ios_content_resizing/flutter_module/lib/main.dart b/add_to_app/ios_content_resizing/ios_content_resizing/flutter_module/lib/main.dart index 875600586..15cfcbaf6 100644 --- a/add_to_app/ios_content_resizing/ios_content_resizing/flutter_module/lib/main.dart +++ b/add_to_app/ios_content_resizing/ios_content_resizing/flutter_module/lib/main.dart @@ -26,7 +26,6 @@ class _MyAppState extends State { @override Widget build(BuildContext context) { - return Center( heightFactor: 1, child: Directionality( @@ -46,7 +45,6 @@ class _MyAppState extends State { child: Text("Add to list"), ), ), - ], ), ), diff --git a/add_to_app/ios_content_resizing/ios_content_resizing/flutter_module/pubspec.yaml b/add_to_app/ios_content_resizing/ios_content_resizing/flutter_module/pubspec.yaml index 2c00a2cb1..e6b38a31d 100644 --- a/add_to_app/ios_content_resizing/ios_content_resizing/flutter_module/pubspec.yaml +++ b/add_to_app/ios_content_resizing/ios_content_resizing/flutter_module/pubspec.yaml @@ -13,7 +13,7 @@ dependencies: dev_dependencies: analysis_defaults: - path: ../../../analysis_defaults + path: ../../../../analysis_defaults flutter_test: sdk: flutter flutter_driver: diff --git a/testing_app/lib/screens/home.dart b/testing_app/lib/screens/home.dart index 2eac461db..c013a3b98 100644 --- a/testing_app/lib/screens/home.dart +++ b/testing_app/lib/screens/home.dart @@ -30,7 +30,6 @@ class HomePage extends StatelessWidget { ), body: ListView.builder( itemCount: 100, - cacheExtent: 20.0, controller: ScrollController(), padding: const EdgeInsets.symmetric(vertical: 16), itemBuilder: (context, index) => ItemTile(index), From 8fbf213817675357ef5a47f16589adb95cda1b4f Mon Sep 17 00:00:00 2001 From: gaaclarke <30870216+gaaclarke@users.noreply.github.com> Date: Mon, 18 May 2026 11:15:05 -0700 Subject: [PATCH 03/19] Updated fragment shader sample to use uniform-by-name accessor (#2736) Do not land until the following are on stable: - https://github.com/flutter/flutter/pull/176728 - https://github.com/flutter/flutter/pull/176980 If you need help, consider asking for advice on the #hackers-devrel channel on [Discord]. --- simple_shader/lib/main.dart | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/simple_shader/lib/main.dart b/simple_shader/lib/main.dart index dea7caa88..037eb69b4 100644 --- a/simple_shader/lib/main.dart +++ b/simple_shader/lib/main.dart @@ -44,13 +44,15 @@ class MyHomePage extends StatelessWidget { } class ShaderPainter extends CustomPainter { - ShaderPainter({required this.shader}); - ui.FragmentShader shader; + ShaderPainter({required this.shader}) + : _resolution = shader.getUniformVec2('resolution'); + + final ui.FragmentShader shader; + final ui.UniformVec2Slot _resolution; @override void paint(Canvas canvas, Size size) { - shader.setFloat(0, size.width); - shader.setFloat(1, size.height); + _resolution.set(size.width, size.height); final paint = Paint()..shader = shader; canvas.drawRect(Rect.fromLTWH(0, 0, size.width, size.height), paint); From bf6cdc150ca0bd2ce80cfb5e2868eabdbdcdea59 Mon Sep 17 00:00:00 2001 From: Andy Wolff Date: Mon, 18 May 2026 11:37:03 -0700 Subject: [PATCH 04/19] Update simple_sdf sample to use uniform-by-name accessor (#2843) The newer, more convenient method `getUniformVec2` is now available on stable, so let's use that in the `simple_sdf` sample ## Pre-launch Checklist - [x] I read the [Flutter Style Guide] _recently_, and have followed its advice. - [x] I signed the [CLA]. - [x] I read the [Contributors Guide]. - [ ] I have added sample code updates to the [changelog]. - [x] I updated/added relevant documentation (doc comments with `///`). [Flutter Style Guide]: https://github.com/flutter/flutter/blob/master/docs/contributing/Style-guide-for-Flutter-repo.md [CLA]: https://cla.developers.google.com/ [Discord]: https://github.com/flutter/flutter/blob/master/docs/contributing/Chat.md [Contributors Guide]: https://github.com/flutter/samples/blob/main/CONTRIBUTING.md [changelog]: ../CHANGELOG.md --- simple_sdf/lib/main.dart | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/simple_sdf/lib/main.dart b/simple_sdf/lib/main.dart index 214c68783..3d5ec85f9 100644 --- a/simple_sdf/lib/main.dart +++ b/simple_sdf/lib/main.dart @@ -44,13 +44,15 @@ class MyHomePage extends StatelessWidget { } class ShaderPainter extends CustomPainter { - ShaderPainter({required this.shader}); - ui.FragmentShader shader; + ShaderPainter({required this.shader}) + : _resolution = shader.getUniformVec2('resolution'); + + final ui.FragmentShader shader; + final ui.UniformVec2Slot _resolution; @override void paint(Canvas canvas, Size size) { - shader.setFloat(0, size.width); - shader.setFloat(1, size.height); + _resolution.set(size.width, size.height); final paint = Paint()..shader = shader; canvas.drawRect(Rect.fromLTWH(0, 0, size.width, size.height), paint); From 125f8c5857d59d0c957a943bc439d2ebb5aec7c2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 06:42:06 +0000 Subject: [PATCH 05/19] Bump @angular/cdk from 21.2.14 to 22.0.0 in /web_embedding/ng-flutter (#2848) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/cdk](https://github.com/angular/components) from 21.2.14 to 22.0.0.
Release notes

Sourced from @​angular/cdk's releases.

22.0.0

aria

Commit Description
feat - d91f46b4c accordion: introduce accordion harness (#33046)
feat - e3d84f2e0 combobox: add test harnesses (#33194)
feat - 0ca47b4a0 combobox: migrate simple-combobox directly into primary entrypoints (#33206)
feat - 6ec07bc0c grid: add test harnesses (#33081)
feat - 1885d3534 listbox: introduce listbox harness (#33064)
feat - 75fae5275 menu: introduce menu harness (#33067)
feat - c25e6252e tabs: add test harnesses (#33079)
feat - a49508bac toolbar: add test harnesses (#33068)
feat - 30f223972 tree: add test harnesses (#33066)
fix - 91a4932f6 combobox: increases autocomplete demo's placeholder text c… (#33084)
fix - 218a77cf9 combobox: separates placeholder prefixes (#33163)
fix - ce1d9a728 menu: allow menu item role override (#33264)
fix - 196b7064d menu: defer menu item focus in case menus in cdk overlay (#33258)
fix - 6443b79f9 menu: unable to set softDisabled (#33265)

cdk

Commit Description
feat - 1a5d5d101 dialog: add the ability to pass bindings
feat - 24115c021 portal: add directives support to ComponentPortal (#33142)
fix - 7426334c5 a11y: breaking changes for v22
fix - 81c6bbd89 drag-drop: breaking changes for v22
fix - ffb23f6f8 menu: breaking changes for v22
fix - 4c298970e scrolling: make it easier to provide custom scrollable (#33269)
fix - aa42b7798 table: expose rendered rows (#33304)

material

Commit Description
feat - 867ba993b bottom-sheet: add the ability to pass bindings
feat - b4a89d599 button: Add support for showing a progress indicator inside the button (#32698)
feat - a46b0a1d4 core: add mixins for Material Design typography (#32959)
feat - bf3596b53 dialog: add the ability to pass bindings
feat - 85c16fe4b tabs: add support for separate tab animation durations (#32869)
fix - 440cb1606 autocomplete: remove modal workaround
fix - 21f8bbbf2 badge: allow badge defaults to be configured (#33312)
fix - 07c2d002d core: address sass compiler warnings (#33040)
fix - add8f16c0 list: breaking changes for v22
fix - 31904510b menu: close menu when cleared from trigger (#33306)
fix - 9d73c98b5 menu: missing panelClass getter (#33191)
fix - 348c3c89d select: remove modal workaround
fix - f1a435508 sidenav: handle mixed sidenav and drawer (#33274)
fix - c31619852 sidenav: mark content as inert while open
fix - a4d92c5fc sidenav: more robust reset logic for inert attribute (#33257)
fix - c2f1c5b03 sidenav: query not resolving
fix - 75718e4fb sort: breaking changes for v22
fix - 6ed6218c4 tabs: incorrect animation variable name (#32941)

google-maps

... (truncated)

Changelog

Sourced from @​angular/cdk's changelog.

22.0.0 "aurostibite-ambulance" (2026-06-03)

Breaking Changes

aria

  • The legacy combobox and autocomplete implementations have been removed. Use the new standalone combobox instead.

    • feat(aria/combobox): promote simple-combobox to stable un-prefixed combobox
    • Relocates public, private, and example directories to clean combobox entry points.
    • Renames internal layout symbols, selectors, and uppercase tokens (SIMPLE_COMBOBOX_POPUP -> COMBOBOX_POPUP).
    • Establishes full documentation extraction parity with the json_api Bazel rule target.
    • Standardizes the accompanying toolbar component showcase into the clean aria-toolbar path.
    • Re-routes dev-app navigation links and migrates public API golden records.
  • SimpleCombobox has been promoted to Combobox. All simple-combobox prefixed symbols, selectors, and tokens have been renamed to use the combobox prefix.

    • refactor(aria/combobox): relocate and restructure autocomplete and toolbar examples Relocate the autocomplete examples to src/components-examples/aria/autocomplete and toolbar examples to src/components-examples/aria/toolbar.
    • Restore naming continuity with the historical codebase by stripping redundant prefixes from example filenames and component selectors.
    • Sync dev-app preview routing layout paths and strict Bazel target dependency links.

cdk

    • CDK_DESCRIBEDBY_HOST_ATTRIBUTE has been removed.
    • CDK_DESCRIBEDBY_ID_PREFIX has been removed.
    • The injector parameter of the ConfigurableFocusTrap and FocusTrap constructors is now required.
    • The boolean parameter of ConfigurableFocusTrapFactory.create has been replaced with a config object.
    • MESSAGES_CONTAINER_ID has been removed.
    • The event parameter of DropListRef.drop is now required.
    • ContextMenuTracker has been renamed to MenuTracker.

material

    • MatListOption.checkboxPosition has been removed. use togglePosition instead.
    • MatListOptionCheckboxPosition has been renamed to MatListOptionTogglePosition.
    • ArrowViewState has been removed.
    • ArrowViewStateTransition has been removed.

multiple

    • A bunch of constructors that with rest arguments have been removed. If you were extending Material/CDK components, you may have to update your super calls accordingly.
  • Renames the values input/model to value in Combobox, Listbox, Tree, Menu, Toolbar, and Select. Users must update their templates to use the value property instead of values.

    • refactor(multiple): update api goldens

google-maps

Commit Type Description
e44ff8318 feat Add support for the gmp-click event (#33147)
b8201edee fix deprecate heatmap layer (#33208)

material

Commit Type Description
867ba993b feat bottom-sheet: add the ability to pass bindings
b4a89d599 feat button: Add support for showing a progress indicator inside the button (#32698)
a46b0a1d4 feat core: add mixins for Material Design typography (#32959)
bf3596b53 feat dialog: add the ability to pass bindings
85c16fe4b feat tabs: add support for separate tab animation durations (#32869)
440cb1606 fix autocomplete: remove modal workaround

... (truncated)

Commits
  • 85e1545 release: cut the v22.0.0 release
  • da5c575 build: attempt to address flaky test (#33332)
  • daa6d8d release: cut the v22.0.0-rc.3 release
  • 47c0525 build: prevent docs site from rendering Aria examples under Material (#33324)
  • 21f8bbb fix(material/badge): allow badge defaults to be configured (#33312)
  • 8c8d1a1 docs(material/bottom-sheet): update panelClass comment (#33321)
  • 8339e2f build: update dev-infra actions to 649c3afeaa46674507b9625537e49de54a695e2b (...
  • 10935f0 refactor(multiple): migrate tests to use whenStable (#33317)
  • 9750685 build: update bazel dependencies (#33256)
  • 5ba22b6 build: update cross-repo angular dependencies (#33270)
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/cdk&package-manager=npm_and_yarn&previous-version=21.2.14&new-version=22.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index ae9112762..f4f7bb025 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -12,7 +12,7 @@ "private": true, "dependencies": { "@angular/animations": "^21.1.1", - "@angular/cdk": "^21.1.2", + "@angular/cdk": "^22.0.0", "@angular/common": "^21.1.1", "@angular/compiler": "^21.1.0", "@angular/core": "^21.2.0", From 5766971b6e4765abba99653321c95130010dcecc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 06:43:58 +0000 Subject: [PATCH 06/19] Bump @angular/forms from 21.2.16 to 22.0.0 in /web_embedding/ng-flutter (#2847) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms) from 21.2.16 to 22.0.0.
Release notes

Sourced from @​angular/forms's releases.

VSCode Extension: 22.0.0

Breaking Changes

The extension now bundles TypeScript version 6.0, which itself includes breaking changes, including new defaults such as strict being true. You will need to explicitly set "strict": false in your tsconfig.json. Alternatively, the extension supports configuring the tsdk in the same way as the built in TS/JS extension.

Fixes and features

  • fix(language-service): Add support for @Input with transforms (dc9c72da9b)
  • feat(language-service): add Document Symbols support for Angular templates (cfd0f9950c)
  • feat(language-service): add angular template inlay hints support (5a6d88626b)
  • feat(language-service): Add support for idle timeout in defer blocks (c6f98c723c)

22.0.0

compiler

Commit Description
feat - 47fcbc4704 allow safe navigation to correctly narrow down nullables
feat - 2896c93cc1 Angular expressions with optional chaining returns undefined
feat - e850643b1b Support comments in html element.
fix - 96be4f429b abstract emitter producing incorrect code for dynamic imports
fix - 488d962bc7 Don't bind inputs/outputs for data- attributes
fix - 2c5aabb9da don't escape dollar sign in literal expression
fix - c7aef8ec5d enforce parentheses containing arguments for :host-context
fix - b225a5d902 invalid type checking code if field name needs to be quoted
fix - ab9154ab75 normalize tag names with custom namespaces in DomElementSchemaRegistry (#68868)
fix - 8a1533c9ad preserve leading commas in animation definitions
fix - 194f723f66 remove dedicated support for legacy shadow DOM selectors
fix - 4c25a42e98 remove deprecated shadow CSS encapsulation polyfills
fix - 6ff620a033 sanitize dynamic href and xlink:href bindings on SVG a elements (#68868)
fix - 7dc1017e51 simplify handling of colon host with a selector list
fix - d99ab0e040 stop generating unused field
fix - 03db2aefaa throw on duplicate input/outputs
fix - 786ef8261f throw on invalid in expressions
fix - ccb7d427e4 type check invalid for loops

compiler-cli

Commit Description
feat - b8d3f36ed9 add support for Node.js 26.0.0
feat - 7f9450219f Adds warning for prefetch without main defer trigger
feat - 2eae497a04 support external TCBs with copied content in specific mode
fix - e5f96c2d88 animation events not type checked properly when bound through HostListener decorator
fix - 9218140348 resolve TCB mapping failure for safe property reads with as any
fix - 7a0d6b8df2 transform dropping exclamationToken from properties
refactor - ca67828ee2 introduce NG8023 compile-time diagnostic for duplicate selectors

core

Commit Description
feat - 17d3ea44e2 add IdleRequestOptions support to IdleService
feat - 3b0ae5fef0 add provideWebMcpTools

... (truncated)

Changelog

Sourced from @​angular/forms's changelog.

22.0.0 (2026-06-03)

Blog post "Announcing Angular v22".

Breaking Changes

compiler

  • This change will trigger the nullishCoalescingNotNullable and optionalChainNotNullable diagnostics on exisiting projects. You might want to disable those 2 diagnotiscs in your tsconfig temporarily.
  • data prefixed attribute no-longer bind inputs nor outputs.
  • The compiler will throw when there a when inputs, outputs or model are binding to the same input/outputs.
  • in variables will throw in template expressions.

compiler-cli

  • Elements with multiple matching selectors will now throw at compile time.

core

  • The second arguement of appRef.bootstrap does not accept any anymore. Make sure the element you pass is not nullable.
    • TypeScript versions older than 6.0 are no longer supported.
  • Leave animations are no longer limited to the element being removed.
  • Component with undefined changeDetection property are now OnPush by default. Specify changeDetection: ChangeDetectionStrategy.Eager to keep the previous behavior.
  • change AnimationCallbackEvent.animationComplete signature
  • ChangeDetectorRef.checkNoChanges was removed. In tests use fixture.detectChanges() instead.
  • createNgModuleRef was removed, use createNgModule instead
  • ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponentFunction.
  • ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponent function.

forms

  • min and max validation rules no longer support string values. Bound values must be numbers or null.

http

  • Use the HttpXhrBackend with provideHttpClient(withXhr) if you want to keep supporting upload progress reports.

platform-browser

  • This removes styles when they appear to no longer be used by an associated host. However other DOM on the page may still be affected by those styles if not leveraging ViewEncapsulation.Emulated or if those styles are used by elements outside of Angular, potentially causing other DOM to appear unstyled.
  • Hammer.js integration has been removed. Use your own implementation.

router

  • The return type for TitleStrategy.getResolvedTitleForRoute was previously 'any' while the actual return type could only be either string or undefined. The return type now reflects the possible values correctly. Code that reads the value may need to be adjusted.

    (cherry picked from commit ad37f52c1212164c51ffcc533067af05c2c33c89)

  • The currentSnapshot parameter in CanMatchFn and the canMatch method of the CanMatch interface is now required. While this was already the behavior of the Router at runtime, existing class implementations of CanMatch must now include the third argument to satisfy the interface.

  • paramsInheritanceStrategy now defaults to 'always'

    The default value of paramsInheritanceStrategy has been changed from 'emptyOnly' to 'always'. This means that route parameters are inherited from all parent routes by default. To restore the previous behavior, set paramsInheritanceStrategy to 'emptyOnly' in your router configuration.

  • provideRoutes() has been removed. Use provideRouter() or ROUTES as multi token if necessary.

upgrade

  • Deprecated getAngularLib/setAngularLib have been removed use getAngularJSGlobal/setAngularJSGlobal instead.

Deprecations

http

  • withFetch is now deprecated, it can be safely removed.
  • The reportProgress option is deprecated please use reportUploadProgress & reportDownloadProgress instead.

compiler

... (truncated)

Commits
  • e81c7e8 refactor(forms): type built-in getError results
  • eb600aa refactor(forms): mark date and limit signal forms APIs public
  • a97d5ec build: update minimum supported Node.js versions
  • 3b4ef1e perf(forms): avoid redundant invalidations in parser errors signal
  • 16cf84d docs: document FormBuilder.group() controlsConfig value shapes
  • 07a9358 perf(forms): avoid spurious recomputation in FormField.parseErrors
  • da82f24 refactor(forms): add provideExperimentalWebMcpForms
  • ad717df refactor(core): use the @Service decorator where possible.
  • 043055f refactor(forms): support when consistently for maxDate and minDate validators
  • 0806b2f refactor(forms): use overloads and JSDoc for deprecations
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/forms&package-manager=npm_and_yarn&previous-version=21.2.16&new-version=22.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index f4f7bb025..a77219fb5 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -16,7 +16,7 @@ "@angular/common": "^21.1.1", "@angular/compiler": "^21.1.0", "@angular/core": "^21.2.0", - "@angular/forms": "^21.1.0", + "@angular/forms": "^22.0.0", "@angular/material": "^21.1.1", "@angular/platform-browser": "^21.2.0", "@angular/platform-browser-dynamic": "^21.1.2", From 8df115f2a75ee3e2e1cb60e13201b52a66a6bcfe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 06:44:01 +0000 Subject: [PATCH 07/19] Bump @angular/platform-browser-dynamic from 21.2.16 to 22.0.0 in /web_embedding/ng-flutter (#2849) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/platform-browser-dynamic](https://github.com/angular/angular/tree/HEAD/packages/platform-browser-dynamic) from 21.2.16 to 22.0.0.
Release notes

Sourced from @​angular/platform-browser-dynamic's releases.

VSCode Extension: 22.0.0

Breaking Changes

The extension now bundles TypeScript version 6.0, which itself includes breaking changes, including new defaults such as strict being true. You will need to explicitly set "strict": false in your tsconfig.json. Alternatively, the extension supports configuring the tsdk in the same way as the built in TS/JS extension.

Fixes and features

  • fix(language-service): Add support for @Input with transforms (dc9c72da9b)
  • feat(language-service): add Document Symbols support for Angular templates (cfd0f9950c)
  • feat(language-service): add angular template inlay hints support (5a6d88626b)
  • feat(language-service): Add support for idle timeout in defer blocks (c6f98c723c)

22.0.0

compiler

Commit Description
feat - 47fcbc4704 allow safe navigation to correctly narrow down nullables
feat - 2896c93cc1 Angular expressions with optional chaining returns undefined
feat - e850643b1b Support comments in html element.
fix - 96be4f429b abstract emitter producing incorrect code for dynamic imports
fix - 488d962bc7 Don't bind inputs/outputs for data- attributes
fix - 2c5aabb9da don't escape dollar sign in literal expression
fix - c7aef8ec5d enforce parentheses containing arguments for :host-context
fix - b225a5d902 invalid type checking code if field name needs to be quoted
fix - ab9154ab75 normalize tag names with custom namespaces in DomElementSchemaRegistry (#68868)
fix - 8a1533c9ad preserve leading commas in animation definitions
fix - 194f723f66 remove dedicated support for legacy shadow DOM selectors
fix - 4c25a42e98 remove deprecated shadow CSS encapsulation polyfills
fix - 6ff620a033 sanitize dynamic href and xlink:href bindings on SVG a elements (#68868)
fix - 7dc1017e51 simplify handling of colon host with a selector list
fix - d99ab0e040 stop generating unused field
fix - 03db2aefaa throw on duplicate input/outputs
fix - 786ef8261f throw on invalid in expressions
fix - ccb7d427e4 type check invalid for loops

compiler-cli

Commit Description
feat - b8d3f36ed9 add support for Node.js 26.0.0
feat - 7f9450219f Adds warning for prefetch without main defer trigger
feat - 2eae497a04 support external TCBs with copied content in specific mode
fix - e5f96c2d88 animation events not type checked properly when bound through HostListener decorator
fix - 9218140348 resolve TCB mapping failure for safe property reads with as any
fix - 7a0d6b8df2 transform dropping exclamationToken from properties
refactor - ca67828ee2 introduce NG8023 compile-time diagnostic for duplicate selectors

core

Commit Description
feat - 17d3ea44e2 add IdleRequestOptions support to IdleService
feat - 3b0ae5fef0 add provideWebMcpTools

... (truncated)

Changelog

Sourced from @​angular/platform-browser-dynamic's changelog.

22.0.0 (2026-06-03)

Blog post "Announcing Angular v22".

Breaking Changes

compiler

  • This change will trigger the nullishCoalescingNotNullable and optionalChainNotNullable diagnostics on exisiting projects. You might want to disable those 2 diagnotiscs in your tsconfig temporarily.
  • data prefixed attribute no-longer bind inputs nor outputs.
  • The compiler will throw when there a when inputs, outputs or model are binding to the same input/outputs.
  • in variables will throw in template expressions.

compiler-cli

  • Elements with multiple matching selectors will now throw at compile time.

core

  • The second arguement of appRef.bootstrap does not accept any anymore. Make sure the element you pass is not nullable.
    • TypeScript versions older than 6.0 are no longer supported.
  • Leave animations are no longer limited to the element being removed.
  • Component with undefined changeDetection property are now OnPush by default. Specify changeDetection: ChangeDetectionStrategy.Eager to keep the previous behavior.
  • change AnimationCallbackEvent.animationComplete signature
  • ChangeDetectorRef.checkNoChanges was removed. In tests use fixture.detectChanges() instead.
  • createNgModuleRef was removed, use createNgModule instead
  • ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponentFunction.
  • ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponent function.

forms

  • min and max validation rules no longer support string values. Bound values must be numbers or null.

http

  • Use the HttpXhrBackend with provideHttpClient(withXhr) if you want to keep supporting upload progress reports.

platform-browser

  • This removes styles when they appear to no longer be used by an associated host. However other DOM on the page may still be affected by those styles if not leveraging ViewEncapsulation.Emulated or if those styles are used by elements outside of Angular, potentially causing other DOM to appear unstyled.
  • Hammer.js integration has been removed. Use your own implementation.

router

  • The return type for TitleStrategy.getResolvedTitleForRoute was previously 'any' while the actual return type could only be either string or undefined. The return type now reflects the possible values correctly. Code that reads the value may need to be adjusted.

    (cherry picked from commit ad37f52c1212164c51ffcc533067af05c2c33c89)

  • The currentSnapshot parameter in CanMatchFn and the canMatch method of the CanMatch interface is now required. While this was already the behavior of the Router at runtime, existing class implementations of CanMatch must now include the third argument to satisfy the interface.

  • paramsInheritanceStrategy now defaults to 'always'

    The default value of paramsInheritanceStrategy has been changed from 'emptyOnly' to 'always'. This means that route parameters are inherited from all parent routes by default. To restore the previous behavior, set paramsInheritanceStrategy to 'emptyOnly' in your router configuration.

  • provideRoutes() has been removed. Use provideRouter() or ROUTES as multi token if necessary.

upgrade

  • Deprecated getAngularLib/setAngularLib have been removed use getAngularJSGlobal/setAngularJSGlobal instead.

Deprecations

http

  • withFetch is now deprecated, it can be safely removed.
  • The reportProgress option is deprecated please use reportUploadProgress & reportDownloadProgress instead.

compiler

... (truncated)

Commits
  • a97d5ec build: update minimum supported Node.js versions
  • b8d3f36 feat(compiler-cli): add support for Node.js 26.0.0
  • 4ad3a1f refactor(core): Don't throw when there are not async metadata
  • 7f3f3d7 ci: remove remainings of saucelabs tests
  • d550bf7 build: update minimum supported Node.js versions
  • See full diff in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/platform-browser-dynamic&package-manager=npm_and_yarn&previous-version=21.2.16&new-version=22.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index a77219fb5..8e3e16888 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -19,7 +19,7 @@ "@angular/forms": "^22.0.0", "@angular/material": "^21.1.1", "@angular/platform-browser": "^21.2.0", - "@angular/platform-browser-dynamic": "^21.1.2", + "@angular/platform-browser-dynamic": "^22.0.0", "@angular/router": "^21.1.0", "rxjs": "~7.8.1", "tslib": "^2.6.2", From b40c2efa4f1f44d85e9b54b5d4de3dcb530b319b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jun 2026 06:42:38 +0000 Subject: [PATCH 08/19] Bump @angular/platform-browser from 21.2.17 to 22.0.1 in /web_embedding/ng-flutter (#2857) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser) from 21.2.17 to 22.0.1.
Release notes

Sourced from @​angular/platform-browser's releases.

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

Commit Description
fix - 669146b0e7 disable WebMCP during SSR
fix - 562a566ead Handle synchronous errors in PendingTasks.run function
fix - fa546f382d harden TransferState restoration against DOM clobbering
fix - 29fdb98684 prevent dangling prevConsumer reference from leaking destroyed views (#68681)
fix - cdcea80327 require WebMCP tool descriptions
fix - 4289c4c840 update comment for Default change detection
fix - 3dd433b39a use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
fix - 045bb736b3 validate lowercase SVG animation attribute names

forms

Commit Description
fix - 11836a670a delay mcp reading the form model by a tick
fix - 85d2d100e3 harden FormGroup control lookups against prototype shadowing
fix - e51ad374ea remove animationstart listener on component destroy to prevent memory leak
fix - 55b7b5a6b6 set additionalProperties: false on generated WebMCP form

http

Commit Description
fix - ffb06c0514 ensure query parameters are inserted before URL fragments
fix - 2dd65d21e6 pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
fix - 4254eb416c preserve empty referrer option in HttpRequest
fix - 167bd4c162 Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit Description
fix - 43a0e28729 prevent external template inlay hints from appearing in TS files

platform-server

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/platform-browser's changelog.

22.0.1 (2026-06-10)

Deprecations

platform-server

  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead. (cherry picked from commit 8446e46f8bc33bd4419fa7f6106b8d117ca2e099)

common

Commit Type Description
c4b5fa3c92 fix escape CSS string-terminating characters in escapeCssUrl
dfff57ede9 fix Limits date format string length
3c2892c8df fix prevent prototype pollution in formatDateTime
1d87c49f6e fix use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Type Description
1ee224ca30 fix disallow i18n event attributes
a56f1cdf8f fix more robust logic to check if regex can be optimized
5946c18275 fix sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8 fix sanitize two-way properties

compiler-cli

Commit Type Description
3d9ca2f173 fix bind switch exhaustive check expressions

core

Commit Type Description
669146b0e7 fix disable WebMCP during SSR
562a566ead fix Handle synchronous errors in PendingTasks.run function
fa546f382d fix harden TransferState restoration against DOM clobbering
29fdb98684 fix prevent dangling prevConsumer reference from leaking destroyed views (#68681)
cdcea80327 fix require WebMCP tool descriptions
4289c4c840 fix update comment for Default change detection
3dd433b39a fix use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3 fix validate lowercase SVG animation attribute names

forms

Commit Type Description
11836a670a fix delay mcp reading the form model by a tick
85d2d100e3 fix harden FormGroup control lookups against prototype shadowing
e51ad374ea fix remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6 fix set additionalProperties: false on generated WebMCP form

http

Commit Type Description
ffb06c0514 fix ensure query parameters are inserted before URL fragments
2dd65d21e6 fix pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c fix preserve empty referrer option in HttpRequest
167bd4c162 fix Rejects non-HTTP(S) URLs in JSONP requests

language-service

| Commit | Type | Description |

... (truncated)

Commits
  • d9c38e5 docs: fix typos in source code comments
  • a97d5ec build: update minimum supported Node.js versions
  • 0d9a245 fix(core): sanitize meta selectors
  • ad717df refactor(core): use the @Service decorator where possible.
  • 5a7c1e6 feat(core): add ability to cache resources for SSR
  • b8d3f36 feat(compiler-cli): add support for Node.js 26.0.0
  • 4ad3a1f refactor(core): Don't throw when there are not async metadata
  • 7f3f3d7 ci: remove remainings of saucelabs tests
  • 9f479ae feat(core): Update Testability to use PendingTasks for stability indicator
  • 0454d4c refactor(core): deprecate withIncrementalHydration
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/platform-browser&package-manager=npm_and_yarn&previous-version=21.2.17&new-version=22.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index 8e3e16888..7356aeed4 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -18,7 +18,7 @@ "@angular/core": "^21.2.0", "@angular/forms": "^22.0.0", "@angular/material": "^21.1.1", - "@angular/platform-browser": "^21.2.0", + "@angular/platform-browser": "^22.0.1", "@angular/platform-browser-dynamic": "^22.0.0", "@angular/router": "^21.1.0", "rxjs": "~7.8.1", From a177301972cd962063073952481764f02c36d008 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jun 2026 06:43:49 +0000 Subject: [PATCH 09/19] Bump @angular/router from 21.2.17 to 22.0.1 in /web_embedding/ng-flutter (#2854) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) from 21.2.17 to 22.0.1.
Release notes

Sourced from @​angular/router's releases.

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

Commit Description
fix - 669146b0e7 disable WebMCP during SSR
fix - 562a566ead Handle synchronous errors in PendingTasks.run function
fix - fa546f382d harden TransferState restoration against DOM clobbering
fix - 29fdb98684 prevent dangling prevConsumer reference from leaking destroyed views (#68681)
fix - cdcea80327 require WebMCP tool descriptions
fix - 4289c4c840 update comment for Default change detection
fix - 3dd433b39a use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
fix - 045bb736b3 validate lowercase SVG animation attribute names

forms

Commit Description
fix - 11836a670a delay mcp reading the form model by a tick
fix - 85d2d100e3 harden FormGroup control lookups against prototype shadowing
fix - e51ad374ea remove animationstart listener on component destroy to prevent memory leak
fix - 55b7b5a6b6 set additionalProperties: false on generated WebMCP form

http

Commit Description
fix - ffb06c0514 ensure query parameters are inserted before URL fragments
fix - 2dd65d21e6 pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
fix - 4254eb416c preserve empty referrer option in HttpRequest
fix - 167bd4c162 Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit Description
fix - 43a0e28729 prevent external template inlay hints from appearing in TS files

platform-server

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/router's changelog.

22.0.1 (2026-06-10)

Deprecations

platform-server

  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead. (cherry picked from commit 8446e46f8bc33bd4419fa7f6106b8d117ca2e099)

common

Commit Type Description
c4b5fa3c92 fix escape CSS string-terminating characters in escapeCssUrl
dfff57ede9 fix Limits date format string length
3c2892c8df fix prevent prototype pollution in formatDateTime
1d87c49f6e fix use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Type Description
1ee224ca30 fix disallow i18n event attributes
a56f1cdf8f fix more robust logic to check if regex can be optimized
5946c18275 fix sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8 fix sanitize two-way properties

compiler-cli

Commit Type Description
3d9ca2f173 fix bind switch exhaustive check expressions

core

Commit Type Description
669146b0e7 fix disable WebMCP during SSR
562a566ead fix Handle synchronous errors in PendingTasks.run function
fa546f382d fix harden TransferState restoration against DOM clobbering
29fdb98684 fix prevent dangling prevConsumer reference from leaking destroyed views (#68681)
cdcea80327 fix require WebMCP tool descriptions
4289c4c840 fix update comment for Default change detection
3dd433b39a fix use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3 fix validate lowercase SVG animation attribute names

forms

Commit Type Description
11836a670a fix delay mcp reading the form model by a tick
85d2d100e3 fix harden FormGroup control lookups against prototype shadowing
e51ad374ea fix remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6 fix set additionalProperties: false on generated WebMCP form

http

Commit Type Description
ffb06c0514 fix ensure query parameters are inserted before URL fragments
2dd65d21e6 fix pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c fix preserve empty referrer option in HttpRequest
167bd4c162 fix Rejects non-HTTP(S) URLs in JSONP requests

language-service

| Commit | Type | Description |

... (truncated)

Commits
  • 43edc84 fix(router): use native URL object for navigation boundary and comparison
  • 76a8c87 refactor(core): Split the ng global into internal and external objects
  • a97d5ec build: update minimum supported Node.js versions
  • 3e5ab7b fix(router): skip scroll-to-top on initial navigation when hydrating
  • 3e7117d fix(router): Add strict typing on 'getResolvedTitleForRoute'
  • e9d1c7e refactor(router): Move target RouterState creation before 'blocking' stage
  • ad717df refactor(core): use the @Service decorator where possible.
  • b8d3f36 feat(compiler-cli): add support for Node.js 26.0.0
  • 8a7f955 docs: correct "Angular JS" to "AngularJS"
  • c84642a feat(router): add unmatchedInputBehavior option to componentInputBinding
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/router&package-manager=npm_and_yarn&previous-version=21.2.17&new-version=22.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index 7356aeed4..ec730362b 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -20,7 +20,7 @@ "@angular/material": "^21.1.1", "@angular/platform-browser": "^22.0.1", "@angular/platform-browser-dynamic": "^22.0.0", - "@angular/router": "^21.1.0", + "@angular/router": "^22.0.1", "rxjs": "~7.8.1", "tslib": "^2.6.2", "zone.js": "~0.15.0" From 8cea3171eb20f80bb3f16636ff1c803763cd773c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jun 2026 06:43:51 +0000 Subject: [PATCH 10/19] Bump @angular/compiler-cli from 21.2.17 to 22.0.1 in /web_embedding/ng-flutter (#2855) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli) from 21.2.17 to 22.0.1.
Release notes

Sourced from @​angular/compiler-cli's releases.

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

Commit Description
fix - 669146b0e7 disable WebMCP during SSR
fix - 562a566ead Handle synchronous errors in PendingTasks.run function
fix - fa546f382d harden TransferState restoration against DOM clobbering
fix - 29fdb98684 prevent dangling prevConsumer reference from leaking destroyed views (#68681)
fix - cdcea80327 require WebMCP tool descriptions
fix - 4289c4c840 update comment for Default change detection
fix - 3dd433b39a use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
fix - 045bb736b3 validate lowercase SVG animation attribute names

forms

Commit Description
fix - 11836a670a delay mcp reading the form model by a tick
fix - 85d2d100e3 harden FormGroup control lookups against prototype shadowing
fix - e51ad374ea remove animationstart listener on component destroy to prevent memory leak
fix - 55b7b5a6b6 set additionalProperties: false on generated WebMCP form

http

Commit Description
fix - ffb06c0514 ensure query parameters are inserted before URL fragments
fix - 2dd65d21e6 pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
fix - 4254eb416c preserve empty referrer option in HttpRequest
fix - 167bd4c162 Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit Description
fix - 43a0e28729 prevent external template inlay hints from appearing in TS files

platform-server

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/compiler-cli's changelog.

22.0.1 (2026-06-10)

Deprecations

platform-server

  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead. (cherry picked from commit 8446e46f8bc33bd4419fa7f6106b8d117ca2e099)

common

Commit Type Description
c4b5fa3c92 fix escape CSS string-terminating characters in escapeCssUrl
dfff57ede9 fix Limits date format string length
3c2892c8df fix prevent prototype pollution in formatDateTime
1d87c49f6e fix use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Type Description
1ee224ca30 fix disallow i18n event attributes
a56f1cdf8f fix more robust logic to check if regex can be optimized
5946c18275 fix sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8 fix sanitize two-way properties

compiler-cli

Commit Type Description
3d9ca2f173 fix bind switch exhaustive check expressions

core

Commit Type Description
669146b0e7 fix disable WebMCP during SSR
562a566ead fix Handle synchronous errors in PendingTasks.run function
fa546f382d fix harden TransferState restoration against DOM clobbering
29fdb98684 fix prevent dangling prevConsumer reference from leaking destroyed views (#68681)
cdcea80327 fix require WebMCP tool descriptions
4289c4c840 fix update comment for Default change detection
3dd433b39a fix use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3 fix validate lowercase SVG animation attribute names

forms

Commit Type Description
11836a670a fix delay mcp reading the form model by a tick
85d2d100e3 fix harden FormGroup control lookups against prototype shadowing
e51ad374ea fix remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6 fix set additionalProperties: false on generated WebMCP form

http

Commit Type Description
ffb06c0514 fix ensure query parameters are inserted before URL fragments
2dd65d21e6 fix pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c fix preserve empty referrer option in HttpRequest
167bd4c162 fix Rejects non-HTTP(S) URLs in JSONP requests

language-service

| Commit | Type | Description |

... (truncated)

Commits
  • 4b0c3b8 refactor(core): Update registerNgModuleType to support codegen typechecking
  • 01ea640 refactor(core): Fix DirectiveDefinition interface to allow abstract classes
  • 393b84c fix(compiler): sanitize two-way properties
  • 3d9ca2f fix(compiler-cli): bind switch exhaustive check expressions
  • a56f1cd fix(compiler): more robust logic to check if regex can be optimized
  • 2891f7e fix(compiler): move projection attributes into constants
  • d9c38e5 docs: fix typos in source code comments
  • a97d5ec build: update minimum supported Node.js versions
  • 2200b4a refactor(compiler): add support for compiling NgModules under isolatedDeclara...
  • b2b8dea fix(compiler): strip namespaced SVG script elements during template compilation
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/compiler-cli&package-manager=npm_and_yarn&previous-version=21.2.17&new-version=22.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index ec730362b..15dd296ed 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -28,7 +28,7 @@ "devDependencies": { "@angular-devkit/build-angular": "^21.1.2", "@angular/cli": "~21.1.1", - "@angular/compiler-cli": "^21.2.0", + "@angular/compiler-cli": "^22.0.1", "@types/jasmine": "~6.0.0", "jasmine-core": "~6.0.0", "karma": "~6.4.2", From 80069cd27276d718f2be6e26d3b6b2bb627f5873 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jun 2026 06:44:45 +0000 Subject: [PATCH 11/19] Bump @angular-devkit/build-angular from 21.2.14 to 22.0.1 in /web_embedding/ng-flutter (#2853) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 21.2.14 to 22.0.1.
Release notes

Sourced from @​angular-devkit/build-angular's releases.

22.0.1

@​schematics/angular

Commit Description
fix - c80012294 fix browserMode option mapping in refactor-jasmine-vitest
fix - a9b6bd904 safely comment out multiline statements in refactor-jasmine-vitest
fix - 12199df00 use null objects and callbacks in karma-to-vitest migration

@​angular/cli

Commit Description
fix - b54e9a549 do not sort migrations of the same version alphabetically
fix - d33311612 fallback to local package.json for schematic detection on first run
fix - 918102a93 isolate temporary package installation from parent pnpm workspace
fix - b048b5f4a remove forceAuth and unscoped credential parsing
fix - 277934035 validate registry option is a valid URL in ng add
perf - 4510dae02 optimize update schematic registry query counts by fetching package metadata lazily

@​angular/build

Commit Description
fix - 89d1be979 allow disabling Vitest isolation from builder
fix - d45b84be9 exclude JSON imports from Vite dependency optimization
fix - e3cab4ddd prevent concurrent stylesheet bundling esbuild context leaks
fix - bd413b0eb restrict application builder output paths to output directory

22.0.0

@​schematics/angular

Commit Description
feat - be60a63b7 add migrate-karma-to-vitest update migration
feat - 43505066e add migration to add istanbul-lib-instrument
feat - b2f7a038b conditionally install istanbul coverage provider for Vitest migration
feat - d227e6985 migrate fake async to Vitest fake timers
feat - d2aa9ede5 migrate fakeAsync's flush behavior when used in beforeEach
feat - f98cc82eb rely on strict template default in generated workspaces
feat - c9f408153 set up fake timers in beforeEach instead of beforeAll
feat - de630c2fc stabilize refactor-jasmine-vitest schematic
feat - 8d0805dd1 update TSConfig globals during karma to vitest migration
fix - 470e1f937 add istanbul-lib-instrument to application/library generator dependencies
fix - dc1238e5a add trusted-proxy-headers migration
fix - 6572a6944 default components to OnPush change detection
fix - aed407db8 defer karma config deletion in Karma to Vitest migration
fix - 4fbc60891 preserve Jasmine stub-by-default semantics for bare spies
fix - b3d838dfd replace deprecated ChangeDetectionStrategy.Default with Eager
fix - a7ac8e5f0 support spy call arguments migration in refactor-jasmine-vitest
fix - 7fb59eaa6 use service decorator in ng generate

@​angular/cli

Commit Description
feat - 58c0978f6 add support for Node.js 26.0.0
fix - a5c7c0b5f reflect new minimum supported Node version in ng.js

... (truncated)

Changelog

Sourced from @​angular-devkit/build-angular's changelog.

22.0.1 (2026-06-10)

@​angular/cli

Commit Type Description
b54e9a549 fix do not sort migrations of the same version alphabetically
d33311612 fix fallback to local package.json for schematic detection on first run
918102a93 fix isolate temporary package installation from parent pnpm workspace
b048b5f4a fix remove forceAuth and unscoped credential parsing
277934035 fix validate registry option is a valid URL in ng add
4510dae02 perf optimize update schematic registry query counts by fetching package metadata lazily

@​schematics/angular

Commit Type Description
c80012294 fix fix browserMode option mapping in refactor-jasmine-vitest
a9b6bd904 fix safely comment out multiline statements in refactor-jasmine-vitest
12199df00 fix use null objects and callbacks in karma-to-vitest migration

@​angular/build

Commit Type Description
89d1be979 fix allow disabling Vitest isolation from builder
d45b84be9 fix exclude JSON imports from Vite dependency optimization
e3cab4ddd fix prevent concurrent stylesheet bundling esbuild context leaks
bd413b0eb fix restrict application builder output paths to output directory

22.0.0 (2026-06-03)

Breaking Changes

  • Node.js v20 is no longer supported. The minimum supported Node.js versions are now v22.22.0 and v24.13.1.
  • The @angular-devkit/architect-cli package is no longer available. The architect CLI tool has been moved to the @angular-devkit/architect package.
  • The experimental @angular-devkit/build-angular:jest and @angular-devkit/build-angular:web-test-runner builders have been removed.

@​angular/build

  • The @angular/build:dev-server (ng serve) now assigns the highest priority to the PORT environment variable. This value will override any port configurations specified in angular.json or via the --port command-line flag. This includes the default port 4200.
  • istanbul-lib-instrument is now an optional peer dependency. Projects using karma with code coverage enabled will need to ensure that istanbul-lib-instrument is installed. Note: ng update will automatically add this dependency during the update process.

... (truncated)

Commits
  • 5a64af9 release: cut the v22.0.1 release
  • b54e9a5 fix(@​angular/cli): do not sort migrations of the same version alphabetically
  • b048b5f fix(@​angular/cli): remove forceAuth and unscoped credential parsing
  • 3275b45 test(@​angular/cli): remove unscoped authentication test cases from registry t...
  • da81e55 build: update cross-repo angular dependencies
  • 56ac348 build: lock file maintenance
  • 12199df fix(@​schematics/angular): use null objects and callbacks in karma-to-vitest m...
  • 918102a fix(@​angular/cli): isolate temporary package installation from parent pnpm wo...
  • e9b106e build: update cross-repo angular dependencies
  • e3cab4d fix(@​angular/build): prevent concurrent stylesheet bundling esbuild context l...
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular-devkit/build-angular&package-manager=npm_and_yarn&previous-version=21.2.14&new-version=22.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index 15dd296ed..163d67ddf 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -26,7 +26,7 @@ "zone.js": "~0.15.0" }, "devDependencies": { - "@angular-devkit/build-angular": "^21.1.2", + "@angular-devkit/build-angular": "^22.0.1", "@angular/cli": "~21.1.1", "@angular/compiler-cli": "^22.0.1", "@types/jasmine": "~6.0.0", From 35833ec756aaebfc9c230c97cecf9dd93bf7812e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jun 2026 06:47:04 +0000 Subject: [PATCH 12/19] Bump @angular/common from 21.2.17 to 22.0.1 in /web_embedding/ng-flutter (#2856) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) from 21.2.17 to 22.0.1.
Release notes

Sourced from @​angular/common's releases.

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

Commit Description
fix - 669146b0e7 disable WebMCP during SSR
fix - 562a566ead Handle synchronous errors in PendingTasks.run function
fix - fa546f382d harden TransferState restoration against DOM clobbering
fix - 29fdb98684 prevent dangling prevConsumer reference from leaking destroyed views (#68681)
fix - cdcea80327 require WebMCP tool descriptions
fix - 4289c4c840 update comment for Default change detection
fix - 3dd433b39a use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
fix - 045bb736b3 validate lowercase SVG animation attribute names

forms

Commit Description
fix - 11836a670a delay mcp reading the form model by a tick
fix - 85d2d100e3 harden FormGroup control lookups against prototype shadowing
fix - e51ad374ea remove animationstart listener on component destroy to prevent memory leak
fix - 55b7b5a6b6 set additionalProperties: false on generated WebMCP form

http

Commit Description
fix - ffb06c0514 ensure query parameters are inserted before URL fragments
fix - 2dd65d21e6 pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
fix - 4254eb416c preserve empty referrer option in HttpRequest
fix - 167bd4c162 Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit Description
fix - 43a0e28729 prevent external template inlay hints from appearing in TS files

platform-server

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

22.0.1 (2026-06-10)

Deprecations

platform-server

  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead. (cherry picked from commit 8446e46f8bc33bd4419fa7f6106b8d117ca2e099)

common

Commit Type Description
c4b5fa3c92 fix escape CSS string-terminating characters in escapeCssUrl
dfff57ede9 fix Limits date format string length
3c2892c8df fix prevent prototype pollution in formatDateTime
1d87c49f6e fix use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Type Description
1ee224ca30 fix disallow i18n event attributes
a56f1cdf8f fix more robust logic to check if regex can be optimized
5946c18275 fix sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8 fix sanitize two-way properties

compiler-cli

Commit Type Description
3d9ca2f173 fix bind switch exhaustive check expressions

core

Commit Type Description
669146b0e7 fix disable WebMCP during SSR
562a566ead fix Handle synchronous errors in PendingTasks.run function
fa546f382d fix harden TransferState restoration against DOM clobbering
29fdb98684 fix prevent dangling prevConsumer reference from leaking destroyed views (#68681)
cdcea80327 fix require WebMCP tool descriptions
4289c4c840 fix update comment for Default change detection
3dd433b39a fix use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3 fix validate lowercase SVG animation attribute names

forms

Commit Type Description
11836a670a fix delay mcp reading the form model by a tick
85d2d100e3 fix harden FormGroup control lookups against prototype shadowing
e51ad374ea fix remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6 fix set additionalProperties: false on generated WebMCP form

http

Commit Type Description
ffb06c0514 fix ensure query parameters are inserted before URL fragments
2dd65d21e6 fix pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c fix preserve empty referrer option in HttpRequest
167bd4c162 fix Rejects non-HTTP(S) URLs in JSONP requests

language-service

| Commit | Type | Description |

... (truncated)

Commits
  • 2dd65d2 fix(http): pass down the reportUploadProgress and reportDownloadProgress ...
  • 1bd5a56 docs: deprecate XHR support for server-side rendering in HTTP docs and recomm...
  • 3c2892c fix(common): prevent prototype pollution in formatDateTime
  • c4b5fa3 fix(common): escape CSS string-terminating characters in escapeCssUrl
  • 4254eb4 fix(http): preserve empty referrer option in HttpRequest
  • 167bd4c fix(http): Rejects non-HTTP(S) URLs in JSONP requests
  • dfff57e fix(common): Limits date format string length
  • 1d87c49 fix(common): use cryptographically secure SHA-256 for transfer cache key gene...
  • ffb06c0 fix(http): ensure query parameters are inserted before URL fragments
  • 4795b35 fix(common): only strip a literal /index.html suffix from URLs
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/common&package-manager=npm_and_yarn&previous-version=21.2.17&new-version=22.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index 163d67ddf..288dae4b6 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -13,7 +13,7 @@ "dependencies": { "@angular/animations": "^21.1.1", "@angular/cdk": "^22.0.0", - "@angular/common": "^21.1.1", + "@angular/common": "^22.0.1", "@angular/compiler": "^21.1.0", "@angular/core": "^21.2.0", "@angular/forms": "^22.0.0", From 86a98461b611ebd2d30ade868c588d70d6404a16 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jun 2026 16:04:32 +0200 Subject: [PATCH 13/19] Bump actions/setup-java from 5.2.0 to 5.3.0 (#2858) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/setup-java](https://github.com/actions/setup-java) from 5.2.0 to 5.3.0.
Release notes

Sourced from actions/setup-java's releases.

v5.3.0

What's Changed

New Contributors

Full Changelog: https://github.com/actions/setup-java/compare/v5...v5.3.0

Commits
  • ad2b381 Bump @​vercel/ncc from 0.38.1 to 0.44.0 (#1018)
  • b24df5b Make the Adoptopenjdk package type look at the Temurin repo first for latest ...
  • 43120bc Implement pagination with link headers for Adoptium based apis (#1014)
  • ad9d6a6 Bump @​types/node from 24.1.0 to 25.9.3 (#950)
  • 039af37 Bump picomatch, @​types/jest, jest, jest-circus and ts-jest (#1016)
  • 1756ab6 Bump eslint-config-prettier from 8.10.0 to 10.1.8 (#881)
  • 662bb59 Bump @​typescript-eslint/eslint-plugin from 8.35.1 to 8.46.2 (#952)
  • 1071fc1 fix: resolve npm audit vulnerabilities in fast-xml-builder and fast-xml-parse...
  • 576b821 Merge pull request #674 from gdams/alpine
  • 307d3a2 update readme for ubuntu sudo java_home behavior (#1013)
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/setup-java&package-manager=github_actions&previous-version=5.2.0&new-version=5.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-android.yml | 2 +- .github/workflows/build-ios.yml | 2 +- .github/workflows/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-android.yml b/.github/workflows/build-android.yml index e88b2a3fd..045b5e036 100644 --- a/.github/workflows/build-android.yml +++ b/.github/workflows/build-android.yml @@ -20,7 +20,7 @@ jobs: if: github.repository == 'flutter/samples' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 + - uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 with: distribution: 'zulu' java-version: '17' diff --git a/.github/workflows/build-ios.yml b/.github/workflows/build-ios.yml index 91e222a7b..2468423a5 100644 --- a/.github/workflows/build-ios.yml +++ b/.github/workflows/build-ios.yml @@ -23,7 +23,7 @@ jobs: fail-fast: false steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 + - uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 with: distribution: 'zulu' java-version: '17' diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 689aa71fa..a10d3cfcf 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -28,7 +28,7 @@ jobs: os: [ubuntu-latest, macos-latest] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 + - uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 with: distribution: 'zulu' java-version: '17' From b12d3d565ddb22a670185a06cd77d7514a93c2f8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jun 2026 16:17:02 +0200 Subject: [PATCH 14/19] Bump actions/checkout from 6.0.2 to 6.0.3 (#2846) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

New Contributors

Full Changelog: https://github.com/actions/checkout/compare/v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-android.yml | 2 +- .github/workflows/build-ios.yml | 2 +- .github/workflows/gemini-cli.yml | 4 ++-- .github/workflows/gemini-issue-automated-triage.yml | 2 +- .github/workflows/gemini-issue-scheduled-triage.yml | 2 +- .github/workflows/gemini-pr-review.yml | 2 +- .github/workflows/main.yml | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-android.yml b/.github/workflows/build-android.yml index 045b5e036..5eec9f6ab 100644 --- a/.github/workflows/build-android.yml +++ b/.github/workflows/build-android.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'flutter/samples' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 - uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 with: distribution: 'zulu' diff --git a/.github/workflows/build-ios.yml b/.github/workflows/build-ios.yml index 2468423a5..ce59d6f27 100644 --- a/.github/workflows/build-ios.yml +++ b/.github/workflows/build-ios.yml @@ -22,7 +22,7 @@ jobs: strategy: fail-fast: false steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 - uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 with: distribution: 'zulu' diff --git a/.github/workflows/gemini-cli.yml b/.github/workflows/gemini-cli.yml index b4feae184..8f8b1c23a 100644 --- a/.github/workflows/gemini-cli.yml +++ b/.github/workflows/gemini-cli.yml @@ -144,7 +144,7 @@ jobs: - name: 'Checkout PR branch' if: |- ${{ steps.get_context.outputs.is_pr == 'true' }} - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v4 + uses: 'actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10' # ratchet:actions/checkout@v4 with: token: '${{ steps.generate_token.outputs.token || secrets.GITHUB_TOKEN }}' repository: '${{ github.repository }}' @@ -154,7 +154,7 @@ jobs: - name: 'Checkout main branch' if: |- ${{ steps.get_context.outputs.is_pr == 'false' }} - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v4 + uses: 'actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10' # ratchet:actions/checkout@v4 with: token: '${{ steps.generate_token.outputs.token || secrets.GITHUB_TOKEN }}' repository: '${{ github.repository }}' diff --git a/.github/workflows/gemini-issue-automated-triage.yml b/.github/workflows/gemini-issue-automated-triage.yml index 9bc4ec054..c122f78b5 100644 --- a/.github/workflows/gemini-issue-automated-triage.yml +++ b/.github/workflows/gemini-issue-automated-triage.yml @@ -44,7 +44,7 @@ jobs: steps: - name: 'Checkout repository' - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v4 + uses: 'actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10' # ratchet:actions/checkout@v4 - name: 'Generate GitHub App Token' id: 'generate_token' diff --git a/.github/workflows/gemini-issue-scheduled-triage.yml b/.github/workflows/gemini-issue-scheduled-triage.yml index 2856ce4d2..bda1b89e6 100644 --- a/.github/workflows/gemini-issue-scheduled-triage.yml +++ b/.github/workflows/gemini-issue-scheduled-triage.yml @@ -26,7 +26,7 @@ jobs: steps: - name: 'Checkout repository' - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v4 + uses: 'actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10' # ratchet:actions/checkout@v4 - name: 'Generate GitHub App Token' id: 'generate_token' diff --git a/.github/workflows/gemini-pr-review.yml b/.github/workflows/gemini-pr-review.yml index e9ae2a48d..d8412354c 100644 --- a/.github/workflows/gemini-pr-review.yml +++ b/.github/workflows/gemini-pr-review.yml @@ -66,7 +66,7 @@ jobs: steps: - name: 'Checkout PR code' - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v4 + uses: 'actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10' # ratchet:actions/checkout@v4 - name: 'Generate GitHub App Token' id: 'generate_token' diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a10d3cfcf..80c849059 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -27,7 +27,7 @@ jobs: flutter_version: [stable] os: [ubuntu-latest, macos-latest] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 - uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 with: distribution: 'zulu' From cd36ddc330abb635893ab2266037a0bea6c65795 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jun 2026 06:40:46 +0000 Subject: [PATCH 15/19] Bump @angular/cli from 21.1.5 to 22.0.2 in /web_embedding/ng-flutter (#2862) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/cli](https://github.com/angular/angular-cli) from 21.1.5 to 22.0.2.
Release notes

Sourced from @​angular/cli's releases.

22.0.2

@​angular/cli

Commit Description
fix - 136fc2714 support registry metadata fetching under bun package manager
perf - 2653dd5c7 implement semaphore backpressure throttling in PackageManager

@​angular/build

Commit Description
perf - 0b4a48add implement semaphore backpressure throttling in JavaScriptTransformer

@​angular/ssr

Commit Description
fix - d996a27e9 avoid caching non-SSG page lookups
fix - 285a34e42 correct grammar in console warning for redirected location headers
fix - c8088a536 prioritize options over environment variables in AngularNodeAppEngine

22.0.1

@​schematics/angular

Commit Description
fix - c80012294 fix browserMode option mapping in refactor-jasmine-vitest
fix - a9b6bd904 safely comment out multiline statements in refactor-jasmine-vitest
fix - 12199df00 use null objects and callbacks in karma-to-vitest migration

@​angular/cli

Commit Description
fix - b54e9a549 do not sort migrations of the same version alphabetically
fix - d33311612 fallback to local package.json for schematic detection on first run
fix - 918102a93 isolate temporary package installation from parent pnpm workspace
fix - b048b5f4a remove forceAuth and unscoped credential parsing
fix - 277934035 validate registry option is a valid URL in ng add
perf - 4510dae02 optimize update schematic registry query counts by fetching package metadata lazily

@​angular/build

Commit Description
fix - 89d1be979 allow disabling Vitest isolation from builder
fix - d45b84be9 exclude JSON imports from Vite dependency optimization
fix - e3cab4ddd prevent concurrent stylesheet bundling esbuild context leaks
fix - bd413b0eb restrict application builder output paths to output directory

22.0.0

@​schematics/angular

Commit Description
feat - be60a63b7 add migrate-karma-to-vitest update migration
feat - 43505066e add migration to add istanbul-lib-instrument
feat - b2f7a038b conditionally install istanbul coverage provider for Vitest migration
feat - d227e6985 migrate fake async to Vitest fake timers
feat - d2aa9ede5 migrate fakeAsync's flush behavior when used in beforeEach

... (truncated)

Changelog

Sourced from @​angular/cli's changelog.

22.0.2 (2026-06-17)

@​angular/cli

Commit Type Description
136fc2714 fix support registry metadata fetching under bun package manager
2653dd5c7 perf implement semaphore backpressure throttling in PackageManager

@​angular/build

Commit Type Description
0b4a48add perf implement semaphore backpressure throttling in JavaScriptTransformer

@​angular/ssr

Commit Type Description
d996a27e9 fix avoid caching non-SSG page lookups
285a34e42 fix correct grammar in console warning for redirected location headers
c8088a536 fix prioritize options over environment variables in AngularNodeAppEngine

22.1.0-next.0 (2026-06-11)

Deprecations

@​angular-devkit/core

  • stringToFileBuffer and fileBufferToString are deprecated. Use standard Web APIs (TextEncoder and TextDecoder) instead.

    Internal usages within the repository have been removed and replaced with standard Web APIs. The public API golden file for @angular-devkit/core has been updated to reflect the deprecations.

@​schematics/angular

Commit Type Description
89d7f59cd feat update ai-config to include Angular MCP server config

@​angular/cli

Commit Type Description
7932caaf9 fix robustly parse npm manifest from array

@​angular-devkit/core

... (truncated)

Commits
  • aab6c10 release: cut the v22.0.2 release
  • 376e4dc build: update cross-repo angular dependencies
  • d996a27 fix(@​angular/ssr): avoid caching non-SSG page lookups
  • 5714bfc build: update pnpm to v10.34.3
  • f26011a build: lock file maintenance
  • 2879ed9 build: update bazel dependencies
  • 092bb2e build: update dependency pacote to v21.5.1
  • d3e8951 build: update dependency esbuild-wasm to v0.28.1
  • 0f777a8 build: update dependency esbuild to v0.28.1
  • 385909c refactor: move eslint disable comment to top of file
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/cli&package-manager=npm_and_yarn&previous-version=21.1.5&new-version=22.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index 288dae4b6..34d7f764b 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -27,7 +27,7 @@ }, "devDependencies": { "@angular-devkit/build-angular": "^22.0.1", - "@angular/cli": "~21.1.1", + "@angular/cli": "~22.0.2", "@angular/compiler-cli": "^22.0.1", "@types/jasmine": "~6.0.0", "jasmine-core": "~6.0.0", From d890bebfca96944d2ba41373b021a27b4afde422 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jun 2026 06:42:02 +0000 Subject: [PATCH 16/19] Bump @angular/compiler from 21.2.17 to 22.0.2 in /web_embedding/ng-flutter (#2861) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) from 21.2.17 to 22.0.2.
Release notes

Sourced from @​angular/compiler's releases.

22.0.2

common

Commit Description
fix - 94ea403563 escape anchor fragment in shadow DOM name selector
fix - 6c1f3e9d49 skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Description
fix - 6f1171991a restrict possible event handler check to property names longer than 2 characters

core

Commit Description
fix - 528a34f766 avoid caching missing locale data
fix - e17e8d5422 escape overlapping comment delimiters in escapeCommentText
fix - 59dea13f80 guard against DOM clobbering in declareExperimentalWebMcpTool
fix - 3a48abc15c preserve leave animation for sibling instances sharing a TNode
fix - 93d0a5f95c prevent unsubscribe during emit from throwing off other listeners
fix - b32ee7ceb3 treat iframe credentialless as security-sensitive
perf - f902d1d35e detect existing signal dependency without checking all producer links

http

Commit Description
fix - 6867f77ec7 distinguish repeated transfer cache params
fix - 7ef1399068 skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Description
fix - 15314c1736 migration skip any target are not build or test

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

22.0.2 (2026-06-17)

common

Commit Type Description
94ea403563 fix escape anchor fragment in shadow DOM name selector
6c1f3e9d49 fix skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Type Description
6f1171991a fix restrict possible event handler check to property names longer than 2 characters

core

Commit Type Description
528a34f766 fix avoid caching missing locale data
e17e8d5422 fix escape overlapping comment delimiters in escapeCommentText
59dea13f80 fix guard against DOM clobbering in declareExperimentalWebMcpTool
3a48abc15c fix preserve leave animation for sibling instances sharing a TNode
93d0a5f95c fix prevent unsubscribe during emit from throwing off other listeners
b32ee7ceb3 fix treat iframe credentialless as security-sensitive
f902d1d35e perf detect existing signal dependency without checking all producer links

http

Commit Type Description
6867f77ec7 fix distinguish repeated transfer cache params
7ef1399068 fix skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Type Description
15314c1736 fix migration skip any target are not build or test

22.1.0-next.0 (2026-06-10)

Deprecations

http

  • HttpClient.jsonp, HttpClientJsonpModule, and related JSONP classes/functions are deprecated. Use standard HTTP requests instead.

common

Commit Type Description
1ad6824d0d fix skip transfer cache for uncacheable HTTP traffic (#69017)

compiler

Commit Type Description
25c744c4d0 fix support foreign components defined outside top-level scope

compiler-cli

Commit Type Description
aeb55c8bc1 fix allow passing uninvoked signals as foreign component props
7c60a98b3c fix support import aliases in foreignImports (#68674)

... (truncated)

Commits
  • 74f2b91 refactor(compiler): correct TcbInvalidReferenceOp initializer
  • b32ee7c fix(core): treat iframe credentialless as security-sensitive
  • f309727 refactor(compiler): Collect in-element comments
  • 6f11719 fix(compiler): restrict possible event handler check to property names longer...
  • 8bb3947 refactor: optimize dom security schema lookups
  • 4645850 refactor(compiler): Remove 80 char limit on AbstractEmitterVisitor
  • 1ee224c fix(compiler): disallow i18n event attributes
  • 5946c18 fix(compiler): sanitize href/xlink:href attributes of any element of the ...
  • 393b84c fix(compiler): sanitize two-way properties
  • 3d9ca2f fix(compiler-cli): bind switch exhaustive check expressions
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/compiler&package-manager=npm_and_yarn&previous-version=21.2.17&new-version=22.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index 34d7f764b..71889a024 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -14,7 +14,7 @@ "@angular/animations": "^21.1.1", "@angular/cdk": "^22.0.0", "@angular/common": "^22.0.1", - "@angular/compiler": "^21.1.0", + "@angular/compiler": "^22.0.2", "@angular/core": "^21.2.0", "@angular/forms": "^22.0.0", "@angular/material": "^21.1.1", From 0f4c6632f01220712fe9d7c2c0c110d30e76c952 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jun 2026 06:42:04 +0000 Subject: [PATCH 17/19] Bump @angular/animations from 21.2.17 to 22.0.2 in /web_embedding/ng-flutter (#2860) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/animations](https://github.com/angular/angular/tree/HEAD/packages/animations) from 21.2.17 to 22.0.2.
Release notes

Sourced from @​angular/animations's releases.

22.0.2

common

Commit Description
fix - 94ea403563 escape anchor fragment in shadow DOM name selector
fix - 6c1f3e9d49 skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Description
fix - 6f1171991a restrict possible event handler check to property names longer than 2 characters

core

Commit Description
fix - 528a34f766 avoid caching missing locale data
fix - e17e8d5422 escape overlapping comment delimiters in escapeCommentText
fix - 59dea13f80 guard against DOM clobbering in declareExperimentalWebMcpTool
fix - 3a48abc15c preserve leave animation for sibling instances sharing a TNode
fix - 93d0a5f95c prevent unsubscribe during emit from throwing off other listeners
fix - b32ee7ceb3 treat iframe credentialless as security-sensitive
perf - f902d1d35e detect existing signal dependency without checking all producer links

http

Commit Description
fix - 6867f77ec7 distinguish repeated transfer cache params
fix - 7ef1399068 skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Description
fix - 15314c1736 migration skip any target are not build or test

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

... (truncated)

Changelog

Sourced from @​angular/animations's changelog.

22.0.2 (2026-06-17)

common

Commit Type Description
94ea403563 fix escape anchor fragment in shadow DOM name selector
6c1f3e9d49 fix skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Type Description
6f1171991a fix restrict possible event handler check to property names longer than 2 characters

core

Commit Type Description
528a34f766 fix avoid caching missing locale data
e17e8d5422 fix escape overlapping comment delimiters in escapeCommentText
59dea13f80 fix guard against DOM clobbering in declareExperimentalWebMcpTool
3a48abc15c fix preserve leave animation for sibling instances sharing a TNode
93d0a5f95c fix prevent unsubscribe during emit from throwing off other listeners
b32ee7ceb3 fix treat iframe credentialless as security-sensitive
f902d1d35e perf detect existing signal dependency without checking all producer links

http

Commit Type Description
6867f77ec7 fix distinguish repeated transfer cache params
7ef1399068 fix skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Type Description
15314c1736 fix migration skip any target are not build or test

22.1.0-next.0 (2026-06-10)

Deprecations

http

  • HttpClient.jsonp, HttpClientJsonpModule, and related JSONP classes/functions are deprecated. Use standard HTTP requests instead.

common

Commit Type Description
1ad6824d0d fix skip transfer cache for uncacheable HTTP traffic (#69017)

compiler

Commit Type Description
25c744c4d0 fix support foreign components defined outside top-level scope

compiler-cli

Commit Type Description
aeb55c8bc1 fix allow passing uninvoked signals as foreign component props
7c60a98b3c fix support import aliases in foreignImports (#68674)

... (truncated)

Commits
  • a97d5ec build: update minimum supported Node.js versions
  • ad717df refactor(core): use the @Service decorator where possible.
  • b8d3f36 feat(compiler-cli): add support for Node.js 26.0.0
  • 6672192 test: remove duplicate tests (#67518)
  • d550bf7 build: update minimum supported Node.js versions
  • See full diff in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/animations&package-manager=npm_and_yarn&previous-version=21.2.17&new-version=22.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index 71889a024..0ac633480 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -11,7 +11,7 @@ }, "private": true, "dependencies": { - "@angular/animations": "^21.1.1", + "@angular/animations": "^22.0.2", "@angular/cdk": "^22.0.0", "@angular/common": "^22.0.1", "@angular/compiler": "^22.0.2", From ecc4df1bdc2a8311aac3d61351a8e528b6f0ee41 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jun 2026 06:53:23 +0000 Subject: [PATCH 18/19] Bump @angular/material from 21.2.14 to 22.0.2 in /web_embedding/ng-flutter (#2863) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/material](https://github.com/angular/components) from 21.2.14 to 22.0.2.
Release notes

Sourced from @​angular/material's releases.

22.0.2

material

Commit Description
fix - fb4478bff3 bottom-sheet: ensure animation event comes from container
fix - e4f7f3498b chips: correct focus management on chip destruction (#33329)
fix - 766b7aceee chips: wrong padding when chip only has edit icon (#33407)
fix - ebca801ee5 grid-list: always validate colspan
fix - 30942bcd36 stepper: validate animation durations

cdk

Commit Description
fix - e8f3419060 layout: avoid CSS injection attacks in media matcher
fix - 9dc2b2b2ed platform: account for composedPath error during event replay (#33409)

multiple

Commit Description
fix - 2995797ded improve dark theme visibility in menu, overlay, and portal examples (#33367)

22.0.1

youtube-player

Commit Description
fix - d75a22d69 avoid errors with clobbered variables
fix - fe0a96ce6 validate ID before attaching them to placeholder

material

Commit Description
fix - d7a8cb963 dialog: ignore clicks on aria-disabled close buttons (#33373)
fix - bde3c7621 timepicker: do not allow intervals less than a second (#33354)

cdk

Commit Description
fix - 629aea403 a11y: avoid prototype conflicts in id generator (#33356)
fix - 49aeb676c clipboard: avoid infinite attempt loop (#33366)

aria

Commit Description
fix - 7581b0592 combobox: avoid error for synthetic events (#33360)
fix - 1c4706155 combobox: prevent re-dispatching keyboard event on control target change (#33362)
fix - 96e9ce10c tree: recursive textDirection getter (#33337)

22.0.0

aria

Commit Description
feat - d91f46b4c accordion: introduce accordion harness (#33046)
feat - e3d84f2e0 combobox: add test harnesses (#33194)
feat - 0ca47b4a0 combobox: migrate simple-combobox directly into primary entrypoints (#33206)
feat - 6ec07bc0c grid: add test harnesses (#33081)

... (truncated)

Changelog

Sourced from @​angular/material's changelog.

22.0.2 "plastic lion" (2026-06-17)

cdk

Commit Type Description
e8f3419060 fix layout: avoid CSS injection attacks in media matcher
9dc2b2b2ed fix platform: account for composedPath error during event replay (#33409)

material

Commit Type Description
fb4478bff3 fix bottom-sheet: ensure animation event comes from container
e4f7f3498b fix chips: correct focus management on chip destruction (#33329)
766b7aceee fix chips: wrong padding when chip only has edit icon (#33407)
ebca801ee5 fix grid-list: always validate colspan
30942bcd36 fix stepper: validate animation durations

multiple

Commit Type Description
2995797ded fix improve dark theme visibility in menu, overlay, and portal examples (#33367)

22.1.0-next.0 "argon-pineapple" (2026-06-10)

No user facing changes in this release

22.0.1 "argon-apple" (2026-06-10)

aria

Commit Type Description
7581b0592 fix combobox: avoid error for synthetic events (#33360)
1c4706155 fix combobox: prevent re-dispatching keyboard event on control target change (#33362)
96e9ce10c fix tree: recursive textDirection getter (#33337)

cdk

Commit Type Description
629aea403 fix a11y: avoid prototype conflicts in id generator (#33356)
49aeb676c fix clipboard: avoid infinite attempt loop (#33366)

material

Commit Type Description
d7a8cb963 fix dialog: ignore clicks on aria-disabled close buttons (#33373)
bde3c7621 fix timepicker: do not allow intervals less than a second (#33354)

youtube-player

Commit Type Description
d75a22d69 fix avoid errors with clobbered variables
fe0a96ce6 fix validate ID before attaching them to placeholder

... (truncated)

Commits
  • 9b9d0ea release: cut the v22.0.2 release
  • 7b54e95 build: update cross-repo angular dependencies (#33398)
  • b77a829 docs(google-maps): Document the behavior of using the clusterClick output in ...
  • 605f200 build: update pnpm to v10.34.3 (#33392)
  • 0309150 build: lock file maintenance (#33406)
  • 9dc2b2b fix(cdk/platform): account for composedPath error during event replay (#33409)
  • 766b7ac fix(material/chips): wrong padding when chip only has edit icon (#33407)
  • f7170b9 build: fix build failure (#33408)
  • e4f7f34 fix(material/chips): correct focus management on chip destruction (#33329)
  • 9ad7964 build: update review config (#33394)
  • Additional commits viewable in compare view

--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index 0ac633480..852bbb0bf 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -17,7 +17,7 @@ "@angular/compiler": "^22.0.2", "@angular/core": "^21.2.0", "@angular/forms": "^22.0.0", - "@angular/material": "^21.1.1", + "@angular/material": "^22.0.2", "@angular/platform-browser": "^22.0.1", "@angular/platform-browser-dynamic": "^22.0.0", "@angular/router": "^22.0.1", From 07909dd07e28bc79a6d14ad38ff117bc8e7f04bf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jun 2026 06:53:26 +0000 Subject: [PATCH 19/19] Bump @angular/core from 21.2.17 to 22.0.2 in /web_embedding/ng-flutter (#2859) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) from 21.2.17 to 22.0.2.
Release notes

Sourced from @​angular/core's releases.

22.0.2

common

Commit Description
fix - 94ea403563 escape anchor fragment in shadow DOM name selector
fix - 6c1f3e9d49 skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Description
fix - 6f1171991a restrict possible event handler check to property names longer than 2 characters

core

Commit Description
fix - 528a34f766 avoid caching missing locale data
fix - e17e8d5422 escape overlapping comment delimiters in escapeCommentText
fix - 59dea13f80 guard against DOM clobbering in declareExperimentalWebMcpTool
fix - 3a48abc15c preserve leave animation for sibling instances sharing a TNode
fix - 93d0a5f95c prevent unsubscribe during emit from throwing off other listeners
fix - b32ee7ceb3 treat iframe credentialless as security-sensitive
perf - f902d1d35e detect existing signal dependency without checking all producer links

http

Commit Description
fix - 6867f77ec7 distinguish repeated transfer cache params
fix - 7ef1399068 skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Description
fix - 15314c1736 migration skip any target are not build or test

22.0.1

common

Commit Description
fix - c4b5fa3c92 escape CSS string-terminating characters in escapeCssUrl
fix - dfff57ede9 Limits date format string length
fix - 3c2892c8df prevent prototype pollution in formatDateTime
fix - 1d87c49f6e use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - 1ee224ca30 disallow i18n event attributes
fix - a56f1cdf8f more robust logic to check if regex can be optimized
fix - 5946c18275 sanitize href/xlink:href attributes of any element of the MathML namespace
fix - 393b84caf8 sanitize two-way properties

compiler-cli

Commit Description
fix - 3d9ca2f173 bind switch exhaustive check expressions

core

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

22.0.2 (2026-06-17)

common

Commit Type Description
94ea403563 fix escape anchor fragment in shadow DOM name selector
6c1f3e9d49 fix skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit Type Description
6f1171991a fix restrict possible event handler check to property names longer than 2 characters

core

Commit Type Description
528a34f766 fix avoid caching missing locale data
e17e8d5422 fix escape overlapping comment delimiters in escapeCommentText
59dea13f80 fix guard against DOM clobbering in declareExperimentalWebMcpTool
3a48abc15c fix preserve leave animation for sibling instances sharing a TNode
93d0a5f95c fix prevent unsubscribe during emit from throwing off other listeners
b32ee7ceb3 fix treat iframe credentialless as security-sensitive
f902d1d35e perf detect existing signal dependency without checking all producer links

http

Commit Type Description
6867f77ec7 fix distinguish repeated transfer cache params
7ef1399068 fix skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit Type Description
15314c1736 fix migration skip any target are not build or test

22.1.0-next.0 (2026-06-10)

Deprecations

http

  • HttpClient.jsonp, HttpClientJsonpModule, and related JSONP classes/functions are deprecated. Use standard HTTP requests instead.

common

Commit Type Description
1ad6824d0d fix skip transfer cache for uncacheable HTTP traffic (#69017)

compiler

Commit Type Description
25c744c4d0 fix support foreign components defined outside top-level scope

compiler-cli

Commit Type Description
aeb55c8bc1 fix allow passing uninvoked signals as foreign component props
7c60a98b3c fix support import aliases in foreignImports (#68674)

... (truncated)

Commits
  • 152601e refactor(core): add childSignalProp to ReactiveNodeKind
  • 59dea13 fix(core): guard against DOM clobbering in declareExperimentalWebMcpTool
  • 81cb457 refactor(router): Add handling for ActivatedRoute-scoped injector
  • f902d1d perf(core): detect existing signal dependency without checking all producer l...
  • e17e8d5 fix(core): escape overlapping comment delimiters in escapeCommentText
  • 0f1cfe3 build: update cross-repo angular dependencies to v22.0.2
  • b32ee7c fix(core): treat iframe credentialless as security-sensitive
  • 93d0a5f fix(core): prevent unsubscribe during emit from throwing off other listeners
  • 528a34f fix(core): avoid caching missing locale data
  • 6f11719 fix(compiler): restrict possible event handler check to property names longer...
  • Additional commits viewable in compare view

--- web_embedding/ng-flutter/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_embedding/ng-flutter/package.json b/web_embedding/ng-flutter/package.json index 852bbb0bf..f42e6436b 100644 --- a/web_embedding/ng-flutter/package.json +++ b/web_embedding/ng-flutter/package.json @@ -15,7 +15,7 @@ "@angular/cdk": "^22.0.0", "@angular/common": "^22.0.1", "@angular/compiler": "^22.0.2", - "@angular/core": "^21.2.0", + "@angular/core": "^22.0.2", "@angular/forms": "^22.0.0", "@angular/material": "^22.0.2", "@angular/platform-browser": "^22.0.1",