Skip to content

chore(deps): bump the npm_and_yarn group across 8 directories with 3 updates#568

Open
dependabot[bot] wants to merge 1 commit into
dmzfrom
dependabot/npm_and_yarn/examples/basic-nextjs/npm_and_yarn-ff8f2bf248
Open

chore(deps): bump the npm_and_yarn group across 8 directories with 3 updates#568
dependabot[bot] wants to merge 1 commit into
dmzfrom
dependabot/npm_and_yarn/examples/basic-nextjs/npm_and_yarn-ff8f2bf248

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 1 update in the /examples/basic-nextjs directory: esbuild.
Bumps the npm_and_yarn group with 1 update in the /examples/basic-nextjs-pages-router directory: esbuild.
Bumps the npm_and_yarn group with 2 updates in the /examples/basic-spa directory: @angular/core and @angular/platform-server.
Bumps the npm_and_yarn group with 1 update in the /examples/basic-spa/angular directory: @angular/platform-server.
Bumps the npm_and_yarn group with 1 update in the /examples/kit-nextjs-article-starter directory: esbuild.
Bumps the npm_and_yarn group with 1 update in the /examples/kit-nextjs-location-finder directory: esbuild.
Bumps the npm_and_yarn group with 1 update in the /examples/kit-nextjs-product-listing directory: esbuild.
Bumps the npm_and_yarn group with 1 update in the /examples/kit-nextjs-skate-park directory: esbuild.

Updates esbuild from 0.28.0 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Commits

Updates esbuild from 0.28.0 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Commits

Updates @angular/core from 20.3.18 to 20.3.25

Release notes

Sourced from @​angular/core's releases.

20.3.25

common

Commit Description
fix - 9f443bc24c Limits date format string length
fix - 566ad05f20 skip transfer cache for uncacheable HTTP traffic
fix - 1a62130a6b use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description
fix - a68ec702a0 sanitize two-way properties

core

Commit Description
fix - 768a349e6e harden TransferState restoration against DOM clobbering
fix - ca48b4728d validate lowercase SVG animation attribute names (#69270)

http

Commit Description
fix - 06be298267 preserve empty referrer option in HttpRequest
fix - fa940e1f4d Rejects non-HTTP(S) URLs in JSONP requests
fix - e2ef1ce72a skip transfer cache for fetch credentialed requests

platform-server

Commit Description
fix - 49368c1859 harden platform location origin validation during SSR
refactor - d55c94ad81 deprecate ServerXhr (#69256)

service-worker

Commit Description
fix - d65a5f457b Strips sensitive headers on cross-origin redirects

Deprecations

platform-server

  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

20.3.24

platform-server

Commit Description
fix - 6ca433e56b throw on suspicious URLs and restrict protocol-relative URLs
fix - 8680b5152f update domino to latest version

20.3.23

compiler

Commit Description
fix - d40acc6431 prevent namespaced SVG elements from being stripped

20.3.22

common

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

20.3.25 (2026-06-10)

Deprecations

platform-server

  • XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit Type Description
9f443bc24c fix Limits date format string length
566ad05f20 fix skip transfer cache for uncacheable HTTP traffic
1a62130a6b fix use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Type Description
a68ec702a0 fix sanitize two-way properties

core

Commit Type Description
768a349e6e fix harden TransferState restoration against DOM clobbering
ca48b4728d fix validate lowercase SVG animation attribute names (#69270)

http

Commit Type Description
06be298267 fix preserve empty referrer option in HttpRequest
fa940e1f4d fix Rejects non-HTTP(S) URLs in JSONP requests
e2ef1ce72a fix skip transfer cache for fetch credentialed requests

platform-server

Commit Type Description
49368c1859 fix harden platform location origin validation during SSR
d55c94ad81 refactor deprecate ServerXhr (#69256)

service-worker

Commit Type Description
d65a5f457b fix Strips sensitive headers on cross-origin redirects

22.0.0 (2026-06-03)

Blog post "Announcing Angular v22".

Breaking Changes

compiler

  • This change will trigger the nullishCoalescingNotNullable and optionalChainNotNullable diagnostics on exisiting projects. You might want to disable those 2 diagnotiscs in your tsconfig temporarily.
  • data prefixed attribute no-longer bind inputs nor outputs.
  • The compiler will throw when there a when inputs, outputs or model are binding to the same input/outputs.
  • in variables will throw in template expressions.

compiler-cli

... (truncated)

Commits
  • ca48b47 fix(core): validate lowercase SVG animation attribute names (#69270)
  • 1a62130 fix(common): use cryptographically secure SHA-256 for transfer cache key gene...
  • 49368c1 fix(platform-server): harden platform location origin validation during SSR
  • 566ad05 fix(common): skip transfer cache for uncacheable HTTP traffic
  • 768a349 fix(core): harden TransferState restoration against DOM clobbering
  • 7ae6381 test(compiler-cli): align ngtsc sanitization expectations with modern DOM sch...
  • 6595409 test(core): update golden symbols and host bindings sanitization spec (#68926)
  • d86e4e7 fix(core): reject script element as a dynamic component host (#68926)
  • b8f1f72 test(core): remove obsolete blockquote cite host binding tests (#68926)
  • 36200bd test(core): update spec files to match 20.3.x limits and actual contexts (#68...
  • Additional commits viewable in compare view

Updates @angular/platform-server from 20.3.21 to 20.3.24

Release notes

Sourced from @​angular/platform-server's releases.

20.3.24

platform-server

Commit Description
fix - 6ca433e56b throw on suspicious URLs and restrict protocol-relative URLs
fix - 8680b5152f update domino to latest version

20.3.23

compiler

Commit Description
fix - d40acc6431 prevent namespaced SVG elements from being stripped

20.3.22

common

Commit Description
fix - 3d135ce59b add upper bounds for digitsInfo
fix - 39a4b4cc8e sanitize placeholder

compiler

Commit Description
fix - 8f35b182b1 normalize tag names with custom namespaces in DomElementSchemaRegistry (#68926)
fix - 64a89e917a sanitize dynamic href and xlink:href bindings on SVG a elements (#68926)
fix - 6404edfe0a strip namespaced SVG script elements during template compilation (#68926)

core

Commit Description
fix - e345a58069 normalize tag names in runtime i18n attribute security context lookup (#68926)
fix - d86e4e7b2a reject script element as a dynamic component host (#68926)
fix - af04936045 sanitize meta selectors
fix - dc631efa96 support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68926)
fix - 909ef047b3 synchronize core sanitization schema with compiler (#68926)

http

Commit Description
fix - de7b2a62e7 exclude withCredentials requests from transfer cache
fix - 4233188d8e skip TransferCache for cookie-bearing requests by default

platform-server

Commit Description
fix - 49a60f6045 secure location and document initialization against SSRF and path hijack

service-worker

Commit Description
fix - 5fdfd8a998 preserve redirect policy on reconstructed asset requests
fix - 83b022f2d0 Preserves explicit 'credentials: omit' in asset requests
fix - e617fa06eb Preserves HTTP cache mode in asset group requests
Changelog

Sourced from @​angular/platform-server's changelog.

20.3.24 (2026-06-02)

platform-server

Commit Type Description
6ca433e56b fix throw on suspicious URLs and restrict protocol-relative URLs
8680b5152f fix update domino to latest version

21.2.15 (2026-05-28)

common

Commit Type Description
7f4ac78994 fix add upper bounds for digitsInfo
300f61feb3 fix sanitize placeholder

compiler

Commit Type Description
0b07f47bd6 fix normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
eb1cbbf2eb fix prevent namespaced SVG elements from being stripped
cc1378d54b fix sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
782e01594e fix strip namespaced SVG script elements during template compilation (#68925)

core

Commit Type Description
ff12fe55ac fix normalize tag names in runtime i18n attribute security context lookup (#68925)
e6fe77cc97 fix sanitize meta selectors
daaf32937f fix support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
dada86e43d fix synchronize core sanitization schema with compiler (#68925)

http

Commit Type Description
582a417bd2 fix exclude withCredentials requests from transfer cache
5c6d6df34b fix skip TransferCache for cookie-bearing requests by default

platform-server

Commit Type Description
37e8aadf87 fix prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e fix secure location and document initialization against SSRF and path hijack

service-worker

Commit Type Description
b8bd49341d fix Preserves explicit 'credentials: omit' in asset requests
ca32fc1000 fix Preserves HTTP cache mode in asset group requests

19.2.24 (2026-05-28)

... (truncated)

Commits
  • 6ca433e fix(platform-server): throw on suspicious URLs and restrict protocol-relative...
  • c99d9f0 refactor(platform-server): extract parseUrl regex and add comments for URL pa...
  • 49a60f6 fix(platform-server): secure location and document initialization against SSR...
  • See full diff in compare view

Updates @angular/platform-server from 20.3.23 to 20.3.24

Release notes

Sourced from @​angular/platform-server's releases.

20.3.24

platform-server

Commit Description
fix - 6ca433e56b throw on suspicious URLs and restrict protocol-relative URLs
fix - 8680b5152f update domino to latest version

20.3.23

compiler

Commit Description
fix - d40acc6431 prevent namespaced SVG elements from being stripped

20.3.22

common

Commit Description
fix - 3d135ce59b add upper bounds for digitsInfo
fix - 39a4b4cc8e sanitize placeholder

compiler

Commit Description
fix - 8f35b182b1 normalize tag names with custom namespaces in DomElementSchemaRegistry (#68926)
fix - 64a89e917a sanitize dynamic href and xlink:href bindings on SVG a elements (#68926)
fix - 6404edfe0a strip namespaced SVG script elements during template compilation (#68926)

core

Commit Description
fix - e345a58069 normalize tag names in runtime i18n attribute security context lookup (#68926)
fix - d86e4e7b2a reject script element as a dynamic component host (#68926)
fix - af04936045 sanitize meta selectors
fix - dc631efa96 support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68926)
fix - 909ef047b3 synchronize core sanitization schema with compiler (#68926)

http

Commit Description
fix - de7b2a62e7 exclude withCredentials requests from transfer cache
fix - 4233188d8e skip TransferCache for cookie-bearing requests by default

platform-server

Commit Description
fix - 49a60f6045 secure location and document initialization against SSRF and path hijack

service-worker

Commit Description
fix - 5fdfd8a998 preserve redirect policy on reconstructed asset requests
fix - 83b022f2d0 Preserves explicit 'credentials: omit' in asset requests
fix - e617fa06eb Preserves HTTP cache mode in asset group requests
Changelog

Sourced from @​angular/platform-server's changelog.

20.3.24 (2026-06-02)

platform-server

Commit Type Description
6ca433e56b fix throw on suspicious URLs and restrict protocol-relative URLs
8680b5152f fix update domino to latest version

21.2.15 (2026-05-28)

common

Commit Type Description
7f4ac78994 fix add upper bounds for digitsInfo
300f61feb3 fix sanitize placeholder

compiler

Commit Type Description
0b07f47bd6 fix normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
eb1cbbf2eb fix prevent namespaced SVG elements from being stripped
cc1378d54b fix sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
782e01594e fix strip namespaced SVG script elements during template compilation (#68925)

core

Commit Type Description
ff12fe55ac fix normalize tag names in runtime i18n attribute security context lookup (#68925)
e6fe77cc97 fix sanitize meta selectors
daaf32937f fix support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
dada86e43d fix synchronize core sanitization schema with compiler (#68925)

http

Commit Type Description
582a417bd2 fix exclude withCredentials requests from transfer cache
5c6d6df34b fix skip TransferCache for cookie-bearing requests by default

platform-server

Commit Type Description
37e8aadf87 fix prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e fix secure location and document initialization against SSRF and path hijack

service-worker

Commit Type Description
b8bd49341d fix Preserves explicit 'credentials: omit' in asset requests
ca32fc1000 fix Preserves HTTP cache mode in asset group requests

19.2.24 (2026-05-28)

... (truncated)

Commits
  • 6ca433e fix(platform-server): throw on suspicious URLs and restrict protocol-relative...
  • c99d9f0 refactor(platform-server): extract parseUrl regex and add comments for URL pa...
  • 49a60f6 fix(platform-server): secure location and document initialization against SSR...
  • See full diff in compare view

Updates esbuild from 0.28.0 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations i...

    Description has been truncated

…updates

Bumps the npm_and_yarn group with 1 update in the /examples/basic-nextjs directory: [esbuild](https://github.com/evanw/esbuild).
Bumps the npm_and_yarn group with 1 update in the /examples/basic-nextjs-pages-router directory: [esbuild](https://github.com/evanw/esbuild).
Bumps the npm_and_yarn group with 2 updates in the /examples/basic-spa directory: [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) and [@angular/platform-server](https://github.com/angular/angular/tree/HEAD/packages/platform-server).
Bumps the npm_and_yarn group with 1 update in the /examples/basic-spa/angular directory: [@angular/platform-server](https://github.com/angular/angular/tree/HEAD/packages/platform-server).
Bumps the npm_and_yarn group with 1 update in the /examples/kit-nextjs-article-starter directory: [esbuild](https://github.com/evanw/esbuild).
Bumps the npm_and_yarn group with 1 update in the /examples/kit-nextjs-location-finder directory: [esbuild](https://github.com/evanw/esbuild).
Bumps the npm_and_yarn group with 1 update in the /examples/kit-nextjs-product-listing directory: [esbuild](https://github.com/evanw/esbuild).
Bumps the npm_and_yarn group with 1 update in the /examples/kit-nextjs-skate-park directory: [esbuild](https://github.com/evanw/esbuild).


Updates `esbuild` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.28.0...v0.28.1)

Updates `esbuild` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.28.0...v0.28.1)

Updates `@angular/core` from 20.3.18 to 20.3.25
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v20.3.25/packages/core)

Updates `@angular/platform-server` from 20.3.21 to 20.3.24
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v20.3.24/packages/platform-server)

Updates `@angular/platform-server` from 20.3.23 to 20.3.24
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v20.3.24/packages/platform-server)

Updates `esbuild` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.28.0...v0.28.1)

Updates `esbuild` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.28.0...v0.28.1)

Updates `esbuild` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.28.0...v0.28.1)

Updates `esbuild` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.28.0...v0.28.1)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@angular/core"
  dependency-version: 20.3.25
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@angular/platform-server"
  dependency-version: 20.3.24
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@angular/platform-server"
  dependency-version: 20.3.24
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
@vercel

vercel Bot commented Jun 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
xmcloud-starter-js Ready Ready Preview, Comment Jun 15, 2026 6:30pm

Request Review

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
@sc-chathumikaalwis sc-chathumikaalwis changed the base branch from main to dmz June 16, 2026 05:20
@dependabot @github

dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@sc-chathumikaalwis sc-chathumikaalwis changed the base branch from dmz to main June 18, 2026 08:38
@sc-chathumikaalwis sc-chathumikaalwis changed the base branch from main to dmz June 18, 2026 08:39
@sc-chathumikaalwis sc-chathumikaalwis changed the base branch from dmz to main June 25, 2026 05:49
@dependabot @github

dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/examples/basic-nextjs/npm_and_yarn-ff8f2bf248 branch June 30, 2026 05:44
@sc-chathumikaalwis sc-chathumikaalwis restored the dependabot/npm_and_yarn/examples/basic-nextjs/npm_and_yarn-ff8f2bf248 branch June 30, 2026 05:45
@sc-chathumikaalwis sc-chathumikaalwis changed the base branch from main to dmz June 30, 2026 05:45
@dependabot @github

dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@sc-chathumikaalwis sc-chathumikaalwis changed the base branch from dmz to main July 3, 2026 05:00
@sc-chathumikaalwis sc-chathumikaalwis changed the base branch from main to dmz July 3, 2026 05:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant