Skip to content

chore(deps): complete Angular 22 upgrade#339

Open
NeoScript wants to merge 2 commits into
Cordobo:mainfrom
NeoScript:feat/angular-22-support
Open

chore(deps): complete Angular 22 upgrade#339
NeoScript wants to merge 2 commits into
Cordobo:mainfrom
NeoScript:feat/angular-22-support

Conversation

@NeoScript

Copy link
Copy Markdown

Summary

Completes the Angular 22 upgrade started in #335. That Dependabot PR bumped the @angular/* framework packages and ng-packagr to v22 but left several peers on v21, so npm ci failed with ERESOLVE — Angular 22 requires TypeScript >=6.0 <6.1 while the PR kept typescript@~5.9.2.

Changes

package.json

Package Before After Reason
typescript ~5.9.2 ~6.0.3 ng22 / @angular/build / ng-packagr peer require TS 6.0 — the actual blocker
typescript-eslint 8.46.4 8.61.0 8.46.4 caps TS at <6.0.0; 8.61.0 allows <6.1.0
angular-eslint 21.0.1 22.0.0 needs @angular/cli >= 22
@angular/cli ^21.0.7 ^22.0.2 required by angular-eslint 22
@angular/cdk ^21.0.7 ^22.0.2 peer @angular/core ^22
@angular/material ^21.0.1 ^22.0.2 peer @angular/core ^22
peerDependencies.@angular/core < 22.0.0 < 23.0.0 allow consumers to use the library on Angular 22

tsconfig.json

  • Removed deprecated baseUrl (TS 6.0 throws TS5101) and made paths targets relative (./dist/...) so module resolution works without it.

Verification (local)

  • npm install resolves cleanly (was ERESOLVE)
  • npm run ci:build:lib — library builds
  • npm run ci:build:app — demo app builds (only pre-existing budget/CommonJS warnings)
  • npm run lint — all files pass

Notes

  • Version choices respect the repo's .npmrc min-release-age=7 gate (avoided versions newer than ~7 days), hence @angular/cli@22.0.2 and typescript-eslint@8.61.0 rather than the absolute latest.
  • npm test has 2 failing demo-app tests (No provider found for ActivatedRoute). This is pre-existing on main (the spec doesn't provide a router while app.ts injects ActivatedRoute), unrelated to this upgrade, and not run by any CI workflow.

🤖 Generated with Claude Code

dependabot Bot and others added 2 commits June 15, 2026 22:14
…mon, @angular/core, @angular/platform-browser, @angular/compiler-cli, @angular/forms, @angular/platform-browser-dynamic, @angular/router and ng-packagr

Bumps [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler), [@angular/build](https://github.com/angular/angular-cli), [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common), [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core), [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser), [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli), [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms), [@angular/platform-browser-dynamic](https://github.com/angular/angular/tree/HEAD/packages/platform-browser-dynamic), [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) and [ng-packagr](https://github.com/ng-packagr/ng-packagr). These dependencies needed to be updated together.

Updates `@angular/compiler` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/compiler)

Updates `@angular/build` from 21.2.9 to 22.0.1
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](angular/angular-cli@v21.2.9...v22.0.1)

Updates `@angular/common` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/common)

Updates `@angular/core` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/core)

Updates `@angular/platform-browser` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/platform-browser)

Updates `@angular/compiler-cli` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/compiler-cli)

Updates `@angular/forms` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/forms)

Updates `@angular/platform-browser-dynamic` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/platform-browser-dynamic)

Updates `@angular/router` from 21.2.11 to 22.0.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v22.0.1/packages/router)

Updates `ng-packagr` from 21.2.3 to 22.0.0
- [Release notes](https://github.com/ng-packagr/ng-packagr/releases)
- [Changelog](https://github.com/ng-packagr/ng-packagr/blob/main/CHANGELOG.md)
- [Commits](ng-packagr/ng-packagr@21.2.3...22.0.0)

---
updated-dependencies:
- dependency-name: "@angular/compiler"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/build"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/common"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/core"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/platform-browser"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/compiler-cli"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/forms"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/platform-browser-dynamic"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: "@angular/router"
  dependency-version: 22.0.1
  dependency-type: direct:development
- dependency-name: ng-packagr
  dependency-version: 22.0.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Dependabot PR Cordobo#335 bumped the @angular/* framework packages and
ng-packagr to v22 but left peers that must move in lockstep, so
`npm ci` failed with ERESOLVE (Angular 22 requires TypeScript >=6.0).

- typescript ~5.9.2 -> ~6.0.3 (ng22/@angular/build/ng-packagr peer)
- typescript-eslint 8.46.4 -> 8.61.0 (allows TS <6.1.0)
- angular-eslint 21.0.1 -> 22.0.0 (needs @angular/cli >=22)
- @angular/cli ^21.0.7 -> ^22.0.2
- @angular/cdk ^21.0.7 -> ^22.0.2
- @angular/material ^21.0.1 -> ^22.0.2
- peerDependencies.@angular/core widened to < 23.0.0

tsconfig.json: drop deprecated `baseUrl` (TS5101 under TS 6.0) and
make `paths` targets relative so resolution works without it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@socket-security

Copy link
Copy Markdown
Contributor

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @angular/build is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@angular/build@22.0.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@angular/build@22.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @schematics/angular is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@angular/cli@22.0.3npm/@schematics/angular@22.0.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@schematics/angular@22.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/typescript-eslint@8.61.0npm/@typescript-eslint/eslint-plugin@8.61.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm js-yaml is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/eslint@9.39.4npm/js-yaml@4.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm lmdb is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@angular/build@22.0.3npm/lmdb@3.5.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lmdb@3.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @angular/platform-browser-dynamic

Reason: @angular/platform-browser-dynamic is deprecated. Use @angular/platform-browser instead.

From: package-lock.jsonnpm/@angular/platform-browser-dynamic@22.0.2

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@angular/platform-browser-dynamic@22.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Low adoption: npm fast-wrap-ansi

Location: Package overview

From: package-lock.jsonnpm/@angular/cli@22.0.3npm/@angular/build@22.0.3npm/fast-wrap-ansi@0.2.2

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-wrap-ansi@0.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@NeoScript
NeoScript marked this pull request as ready for review June 25, 2026 19:12
@NeoScript NeoScript mentioned this pull request Jun 30, 2026
1 task
@NeoScript

Copy link
Copy Markdown
Author

I can address the warnings if that would help get this release out quicker

marekdon

This comment was marked as duplicate.

Comment thread package.json
@@ -1,3 +1,3 @@
{
"name": "angularx-qrcode",
"version": "21.0.5",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please bump version

Comment thread package.json
"@angular/forms": "^22.0.1",
"@angular/material": "^22.0.2",
"@angular/platform-browser": "^22.0.1",
"@angular/platform-browser-dynamic": "^22.0.1",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be removed, as platform browser is being used

Comment thread tsconfig.json
"angularx-qrcode": ["dist/angularx-qrcode/angularx-qrcode", "dist/angularx-qrcode"]
"angularx-qrcode": ["./dist/angularx-qrcode/angularx-qrcode", "./dist/angularx-qrcode"]
},
"strict": true,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove - it defaults to true from typescript 6.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants