Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

fix: bump undici and @angular/build in /packages/bigframes/bigframes/display/table_widget_angular#17519

Merged
parthea merged 1 commit into
maingoogleapis/google-cloud-python:mainfrom
dependabot/npm_and_yarn/packages/bigframes/bigframes/display/table_widget_angular/multi-f88412453dgoogleapis/google-cloud-python:dependabot/npm_and_yarn/packages/bigframes/bigframes/display/table_widget_angular/multi-f88412453dCopy head branch name to clipboard
Jun 22, 2026
Merged

fix: bump undici and @angular/build in /packages/bigframes/bigframes/display/table_widget_angular#17519
parthea merged 1 commit into
maingoogleapis/google-cloud-python:mainfrom
dependabot/npm_and_yarn/packages/bigframes/bigframes/display/table_widget_angular/multi-f88412453dgoogleapis/google-cloud-python:dependabot/npm_and_yarn/packages/bigframes/bigframes/display/table_widget_angular/multi-f88412453dCopy head branch name to clipboard

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown
Contributor

Bumps undici to 6.27.0 and updates ancestor dependencies undici and @angular/build. These dependencies need to be updated together.

Updates undici from 6.25.0 to 6.27.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

Updates undici from 7.24.4 to 7.28.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

Updates @angular/build from 21.2.9 to 22.0.3

Release notes

Sourced from @​angular/build's releases.

22.0.3

@​schematics/angular

Commit Description
fix - 0eddea898 remove default workspace vscode mcp.json configuration

22.0.2

@​angular/cli

Commit Description
fix - 136fc2714 support registry metadata fetching under bun package manager
perf - 2653dd5c7 implement semaphore backpressure throttling in PackageManager

@​angular/build

Commit Description
perf - 0b4a48add implement semaphore backpressure throttling in JavaScriptTransformer

@​angular/ssr

Commit Description
fix - d996a27e9 avoid caching non-SSG page lookups
fix - 285a34e42 correct grammar in console warning for redirected location headers
fix - c8088a536 prioritize options over environment variables in AngularNodeAppEngine

22.0.1

@​schematics/angular

Commit Description
fix - c80012294 fix browserMode option mapping in refactor-jasmine-vitest
fix - a9b6bd904 safely comment out multiline statements in refactor-jasmine-vitest
fix - 12199df00 use null objects and callbacks in karma-to-vitest migration

@​angular/cli

Commit Description
fix - b54e9a549 do not sort migrations of the same version alphabetically
fix - d33311612 fallback to local package.json for schematic detection on first run
fix - 918102a93 isolate temporary package installation from parent pnpm workspace
fix - b048b5f4a remove forceAuth and unscoped credential parsing
fix - 277934035 validate registry option is a valid URL in ng add
perf - 4510dae02 optimize update schematic registry query counts by fetching package metadata lazily

@​angular/build

Commit Description
fix - 89d1be979 allow disabling Vitest isolation from builder
fix - d45b84be9 exclude JSON imports from Vite dependency optimization
fix - e3cab4ddd prevent concurrent stylesheet bundling esbuild context leaks
fix - bd413b0eb restrict application builder output paths to output directory

22.0.0

@​schematics/angular

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/build's changelog.

22.0.3 (2026-06-18)

@​schematics/angular

Commit Type Description
0eddea898 fix remove default workspace vscode mcp.json configuration

21.2.16 (2026-06-17)

@​angular/cli

Commit Type Description
77c9047ac fix update pacote to 21.5.1

@​angular/ssr

Commit Type Description
d052e97da fix prioritize options over environment variables in AngularNodeAppEngine

20.3.29 (2026-06-17)

@​angular/cli

Commit Type Description
5f7c0328c fix update pacote to 21.5.1

@​angular/ssr

Commit Type Description
a75d78e68 fix prioritize options over environment variables in AngularNodeAppEngine

22.0.2 (2026-06-17)

... (truncated)

Commits
  • b30b9d3 release: cut the v22.0.3 release
  • bc97bb3 build: update dependency vite to v7.3.5
  • 0eddea8 fix(@​schematics/angular): remove default workspace vscode mcp.json configuration
  • 08f9959 refactor(@​angular/cli): promote experimental MCP tools to stable
  • aab6c10 release: cut the v22.0.2 release
  • 376e4dc build: update cross-repo angular dependencies
  • d996a27 fix(@​angular/ssr): avoid caching non-SSG page lookups
  • 5714bfc build: update pnpm to v10.34.3
  • f26011a build: lock file maintenance
  • 2879ed9 build: update bazel dependencies
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
fix: bump undici and @angular/build
784e676 
Bumps [undici](https://github.com/nodejs/undici) to 6.27.0 and updates ancestor dependencies [undici](https://github.com/nodejs/undici) and [@angular/build](https://github.com/angular/angular-cli). These dependencies need to be updated together.


Updates `undici` from 6.25.0 to 6.27.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.25.0...v6.27.0)

Updates `undici` from 7.24.4 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.25.0...v6.27.0)

Updates `@angular/build` from 21.2.9 to 22.0.3
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](angular/angular-cli@v21.2.9...v22.0.3)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
- dependency-name: "@angular/build"
  dependency-version: 22.0.3
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 19, 2026
@dependabot dependabot Bot requested review from a team as code owners June 19, 2026 23:41
@dependabot dependabot Bot requested review from shuoweil and removed request for a team June 19, 2026 23:41
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 19, 2026
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 19, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 19, 2026
@parthea parthea merged commit 6fc45e3 into main Jun 22, 2026
31 checks passed
@parthea parthea deleted the dependabot/npm_and_yarn/packages/bigframes/bigframes/display/table_widget_angular/multi-f88412453d branch June 22, 2026 15:23
@release-please release-please Bot mentioned this pull request Jun 22, 2026
Merged
chalmerlowe pushed a commit that referenced this pull request Jun 25, 2026
@dependabot @chalmerlowe
fix: bump undici and @angular/build in /packages/bigframes/bigframes/…
2c13b68 
…display/table_widget_angular (#17519)

Bumps [undici](https://github.com/nodejs/undici) to 6.27.0 and updates
ancestor dependencies [undici](https://github.com/nodejs/undici) and
[@angular/build](https://github.com/angular/angular-cli). These
dependencies need to be updated together.

Updates `undici` from 6.25.0 to 6.27.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v6.27.0</h2>
<h1>⚠️ Security Release</h1>
<p>This release line addresses <strong>4 security
advisories</strong>.</p>
<blockquote>
<p><strong>Action required:</strong> Upgrade to <strong>undici
6.27.0</strong> or later.</p>
<pre lang="sh"><code>npm install undici@^6.27.0
</code></pre>
</blockquote>
<blockquote>
<p><strong>Note on patched version:</strong> the v6 fixes shipped in
<strong>v6.27.0</strong>, not <code>6.26.0</code>
— <code>v6.26.0</code> contains only the chunked-EOF fix (<a
href="https://redirect.github.com/nodejs/undici/issues/5308">#5308</a>)
and the version bump, none
of the security fixes below.</p>
</blockquote>
<p>The v6 line is <strong>not</strong> affected by the SOCKS5 advisories
(GHSA-vmh5-mc38-953g,
GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6),
or the
8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).</p>
<h2>Summary</h2>
<table>
<thead>
<tr>
<th>Advisory</th>
<th>CVE</th>
<th>Severity (CVSS)</th>
<th>Fixed in</th>
<th>Fix commit</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></td>
<td>CVE-2026-12151</td>
<td>High (7.5)</td>
<td>6.27.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/b7f252e7"><code>b7f252e7</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv">GHSA-p88m-4jfj-68fv</a></td>
<td>CVE-2026-9679</td>
<td>Moderate (5.9)</td>
<td>6.27.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/25efa447"><code>25efa447</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m">GHSA-g8m3-5g58-fq7m</a></td>
<td>CVE-2026-11525</td>
<td>Low (3.7)</td>
<td>6.27.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/25efa447"><code>25efa447</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52">GHSA-35p6-xmwp-9g52</a></td>
<td>CVE-2026-6733</td>
<td>Low (3.7)</td>
<td>6.27.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/f4c31d60"><code>f4c31d60</code></a></td>
</tr>
</tbody>
</table>
<hr />
<h2>High severity</h2>
<h3>WebSocket DoS via fragment count bypass — CVE-2026-12151</h3>
<p><strong><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></strong>
· CWE-400, CWE-770
<strong>Fix:</strong> <a
href="https://github.com/nodejs/undici/commit/b7f252e7"><code>b7f252e7</code></a>
<em>Backport WebSocket maxPayloadSize fixes</em> (<a
href="https://redirect.github.com/nodejs/undici/pull/5423">#5423</a>,
backported to v6 in <a
href="https://redirect.github.com/nodejs/undici/pull/5428">#5428</a>)</p>
<p>A malicious WebSocket server can stream a large number of small or
empty
continuation frames. Undici enforced a limit on cumulative payload size
but did
not limit the <em>number</em> of fragments per message, leading to
unbounded memory
growth and denial of service. All releases from 6.17.0 onward are
affected.</p>
<ul>
<li><strong>Affected:</strong> applications using <code>new
WebSocket(...)</code> or <code>WebSocketStream</code>
against untrusted endpoints.</li>
<li><strong>Workaround:</strong> none — upgrade is required.</li>
</ul>
<hr />
<h2>Moderate severity</h2>
<h3>HTTP header injection via Set-Cookie percent-decoding —
CVE-2026-9679</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nodejs/undici/commit/551138cbc1742c92242a68216167761075e8a82c"><code>551138c</code></a>
Bumped v6.27.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/5431">#5431</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/b7f252e7c0841418fb9d95cd297bdd9fad9d2a53"><code>b7f252e</code></a>
Backport WebSocket maxPayloadSize fixes to v7.x (<a
href="https://redirect.github.com/nodejs/undici/issues/5423">#5423</a>)
(<a
href="https://redirect.github.com/nodejs/undici/issues/5428">#5428</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/25efa447997f74d5881edd144525c3fd7db945a4"><code>25efa44</code></a>
fix(cookies): preserve values and parse SameSite strictly</li>
<li><a
href="https://github.com/nodejs/undici/commit/f4c31d60c42d0385bca6ad602c112706b0695212"><code>f4c31d6</code></a>
fix: guard idle socket validation to skip fresh sockets (<a
href="https://redirect.github.com/nodejs/undici/issues/5400">#5400</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/768beacd331786c6a1ca61dd81938fca041a45b5"><code>768beac</code></a>
Bumped v6.26.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/5323">#5323</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/7917b254484132f848fb785afbc398b1cfba389f"><code>7917b25</code></a>
fix: validate EOF for chunked h1 responses (<a
href="https://redirect.github.com/nodejs/undici/issues/5308">#5308</a>)</li>
<li>See full diff in <a
href="https://github.com/nodejs/undici/compare/v6.25.0...v6.27.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `undici` from 7.24.4 to 7.28.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v6.27.0</h2>
<h1>⚠️ Security Release</h1>
<p>This release line addresses <strong>4 security
advisories</strong>.</p>
<blockquote>
<p><strong>Action required:</strong> Upgrade to <strong>undici
6.27.0</strong> or later.</p>
<pre lang="sh"><code>npm install undici@^6.27.0
</code></pre>
</blockquote>
<blockquote>
<p><strong>Note on patched version:</strong> the v6 fixes shipped in
<strong>v6.27.0</strong>, not <code>6.26.0</code>
— <code>v6.26.0</code> contains only the chunked-EOF fix (<a
href="https://redirect.github.com/nodejs/undici/issues/5308">#5308</a>)
and the version bump, none
of the security fixes below.</p>
</blockquote>
<p>The v6 line is <strong>not</strong> affected by the SOCKS5 advisories
(GHSA-vmh5-mc38-953g,
GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6),
or the
8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).</p>
<h2>Summary</h2>
<table>
<thead>
<tr>
<th>Advisory</th>
<th>CVE</th>
<th>Severity (CVSS)</th>
<th>Fixed in</th>
<th>Fix commit</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></td>
<td>CVE-2026-12151</td>
<td>High (7.5)</td>
<td>6.27.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/b7f252e7"><code>b7f252e7</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv">GHSA-p88m-4jfj-68fv</a></td>
<td>CVE-2026-9679</td>
<td>Moderate (5.9)</td>
<td>6.27.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/25efa447"><code>25efa447</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m">GHSA-g8m3-5g58-fq7m</a></td>
<td>CVE-2026-11525</td>
<td>Low (3.7)</td>
<td>6.27.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/25efa447"><code>25efa447</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52">GHSA-35p6-xmwp-9g52</a></td>
<td>CVE-2026-6733</td>
<td>Low (3.7)</td>
<td>6.27.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/f4c31d60"><code>f4c31d60</code></a></td>
</tr>
</tbody>
</table>
<hr />
<h2>High severity</h2>
<h3>WebSocket DoS via fragment count bypass — CVE-2026-12151</h3>
<p><strong><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></strong>
· CWE-400, CWE-770
<strong>Fix:</strong> <a
href="https://github.com/nodejs/undici/commit/b7f252e7"><code>b7f252e7</code></a>
<em>Backport WebSocket maxPayloadSize fixes</em> (<a
href="https://redirect.github.com/nodejs/undici/pull/5423">#5423</a>,
backported to v6 in <a
href="https://redirect.github.com/nodejs/undici/pull/5428">#5428</a>)</p>
<p>A malicious WebSocket server can stream a large number of small or
empty
continuation frames. Undici enforced a limit on cumulative payload size
but did
not limit the <em>number</em> of fragments per message, leading to
unbounded memory
growth and denial of service. All releases from 6.17.0 onward are
affected.</p>
<ul>
<li><strong>Affected:</strong> applications using <code>new
WebSocket(...)</code> or <code>WebSocketStream</code>
against untrusted endpoints.</li>
<li><strong>Workaround:</strong> none — upgrade is required.</li>
</ul>
<hr />
<h2>Moderate severity</h2>
<h3>HTTP header injection via Set-Cookie percent-decoding —
CVE-2026-9679</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nodejs/undici/commit/551138cbc1742c92242a68216167761075e8a82c"><code>551138c</code></a>
Bumped v6.27.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/5431">#5431</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/b7f252e7c0841418fb9d95cd297bdd9fad9d2a53"><code>b7f252e</code></a>
Backport WebSocket maxPayloadSize fixes to v7.x (<a
href="https://redirect.github.com/nodejs/undici/issues/5423">#5423</a>)
(<a
href="https://redirect.github.com/nodejs/undici/issues/5428">#5428</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/25efa447997f74d5881edd144525c3fd7db945a4"><code>25efa44</code></a>
fix(cookies): preserve values and parse SameSite strictly</li>
<li><a
href="https://github.com/nodejs/undici/commit/f4c31d60c42d0385bca6ad602c112706b0695212"><code>f4c31d6</code></a>
fix: guard idle socket validation to skip fresh sockets (<a
href="https://redirect.github.com/nodejs/undici/issues/5400">#5400</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/768beacd331786c6a1ca61dd81938fca041a45b5"><code>768beac</code></a>
Bumped v6.26.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/5323">#5323</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/7917b254484132f848fb785afbc398b1cfba389f"><code>7917b25</code></a>
fix: validate EOF for chunked h1 responses (<a
href="https://redirect.github.com/nodejs/undici/issues/5308">#5308</a>)</li>
<li>See full diff in <a
href="https://github.com/nodejs/undici/compare/v6.25.0...v6.27.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `@angular/build` from 21.2.9 to 22.0.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular-cli/releases">@​angular/build's
releases</a>.</em></p>
<blockquote>
<h2>22.0.3</h2>
<h3><code>@​schematics/angular</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/0eddea898d3bf4da8c9c5c27ec2ee79916e8be87"><img
src="https://img.shields.io/badge/0eddea898-fix-green" alt="fix -
0eddea898" /></a></td>
<td>remove default workspace vscode mcp.json configuration</td>
</tr>
</tbody>
</table>
<h2>22.0.2</h2>
<h3><code>@​angular/cli</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/136fc27149af74263ef519007f0a74f9f85c5b4d"><img
src="https://img.shields.io/badge/136fc2714-fix-green" alt="fix -
136fc2714" /></a></td>
<td>support registry metadata fetching under bun package manager</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/2653dd5c7d47149b61bfe6edf4ab1281347e89dd"><img
src="https://img.shields.io/badge/2653dd5c7-perf-orange" alt="perf -
2653dd5c7" /></a></td>
<td>implement semaphore backpressure throttling in PackageManager</td>
</tr>
</tbody>
</table>
<h3><code>@​angular/build</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/0b4a48add9d7218e698af0db974bd597bed8a121"><img
src="https://img.shields.io/badge/0b4a48add-perf-orange" alt="perf -
0b4a48add" /></a></td>
<td>implement semaphore backpressure throttling in
JavaScriptTransformer</td>
</tr>
</tbody>
</table>
<h3><code>@​angular/ssr</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/d996a27e9744b473a7db56f81871731b8bdce585"><img
src="https://img.shields.io/badge/d996a27e9-fix-green" alt="fix -
d996a27e9" /></a></td>
<td>avoid caching non-SSG page lookups</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/285a34e42f1cdc512468de0041b232c7190e7d7e"><img
src="https://img.shields.io/badge/285a34e42-fix-green" alt="fix -
285a34e42" /></a></td>
<td>correct grammar in console warning for redirected location
headers</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/c8088a536c2c747a273e37be682643e1b35e2f75"><img
src="https://img.shields.io/badge/c8088a536-fix-green" alt="fix -
c8088a536" /></a></td>
<td>prioritize options over environment variables in
AngularNodeAppEngine</td>
</tr>
</tbody>
</table>
<h2>22.0.1</h2>
<h3><code>@​schematics/angular</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/c8001229453211b37cd7bb12ed26a2deb9257fd5"><img
src="https://img.shields.io/badge/c80012294-fix-green" alt="fix -
c80012294" /></a></td>
<td>fix browserMode option mapping in refactor-jasmine-vitest</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/a9b6bd9042d6b859c384a6fc782541fca30dfb68"><img
src="https://img.shields.io/badge/a9b6bd904-fix-green" alt="fix -
a9b6bd904" /></a></td>
<td>safely comment out multiline statements in
refactor-jasmine-vitest</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/12199df00f2e3e8436ada13e04799e5825eb3f7b"><img
src="https://img.shields.io/badge/12199df00-fix-green" alt="fix -
12199df00" /></a></td>
<td>use null objects and callbacks in karma-to-vitest migration</td>
</tr>
</tbody>
</table>
<h3><code>@​angular/cli</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/b54e9a549d30871f6017b1db4cf7a4ab5f3e02db"><img
src="https://img.shields.io/badge/b54e9a549-fix-green" alt="fix -
b54e9a549" /></a></td>
<td>do not sort migrations of the same version alphabetically</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/d333116123c7d3d5e87713b7baac048b78f28517"><img
src="https://img.shields.io/badge/d33311612-fix-green" alt="fix -
d33311612" /></a></td>
<td>fallback to local package.json for schematic detection on first
run</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/918102a9373085394c41f10d9f5df3e3c17b263f"><img
src="https://img.shields.io/badge/918102a93-fix-green" alt="fix -
918102a93" /></a></td>
<td>isolate temporary package installation from parent pnpm
workspace</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/b048b5f4a83d7b20095d79654b849808e7d58fdb"><img
src="https://img.shields.io/badge/b048b5f4a-fix-green" alt="fix -
b048b5f4a" /></a></td>
<td>remove forceAuth and unscoped credential parsing</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/277934035138c5af803e8daeebc2313f0a4cb5b3"><img
src="https://img.shields.io/badge/277934035-fix-green" alt="fix -
277934035" /></a></td>
<td>validate registry option is a valid URL in ng add</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/4510dae021ab25bb852eeed6415dbd52cfabfce5"><img
src="https://img.shields.io/badge/4510dae02-perf-orange" alt="perf -
4510dae02" /></a></td>
<td>optimize update schematic registry query counts by fetching package
metadata lazily</td>
</tr>
</tbody>
</table>
<h3><code>@​angular/build</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/89d1be979f388d85e9c428bbf1df4e7fb4036dce"><img
src="https://img.shields.io/badge/89d1be979-fix-green" alt="fix -
89d1be979" /></a></td>
<td>allow disabling Vitest isolation from builder</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/d45b84be9a607e49b391cb216cb6de7eca274931"><img
src="https://img.shields.io/badge/d45b84be9-fix-green" alt="fix -
d45b84be9" /></a></td>
<td>exclude JSON imports from Vite dependency optimization</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/e3cab4dddade2538125e8a2f345f42c95e26aeae"><img
src="https://img.shields.io/badge/e3cab4ddd-fix-green" alt="fix -
e3cab4ddd" /></a></td>
<td>prevent concurrent stylesheet bundling esbuild context leaks</td>
</tr>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/bd413b0eb156184ea432cbb7d4e6d7f6f70813ab"><img
src="https://img.shields.io/badge/bd413b0eb-fix-green" alt="fix -
bd413b0eb" /></a></td>
<td>restrict application builder output paths to output directory</td>
</tr>
</tbody>
</table>
<h2>22.0.0</h2>
<h3><code>@​schematics/angular</code></h3>
<p>| Commit | Description |</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular-cli/blob/main/CHANGELOG.md">@​angular/build's
changelog</a>.</em></p>
<blockquote>
<h1>22.0.3 (2026-06-18)</h1>
<h3><code>@​schematics/angular</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/0eddea898d3bf4da8c9c5c27ec2ee79916e8be87">0eddea898</a></td>
<td>fix</td>
<td>remove default workspace vscode mcp.json configuration</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>21.2.16 (2026-06-17)</h1>
<h3><code>@​angular/cli</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/77c9047acdf4b69ec6dd399af2dff7278e8014c7">77c9047ac</a></td>
<td>fix</td>
<td>update pacote to 21.5.1</td>
</tr>
</tbody>
</table>
<h3><code>@​angular/ssr</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/d052e97dafe2e85fbc072fd11025c803ebb80ef1">d052e97da</a></td>
<td>fix</td>
<td>prioritize options over environment variables in
AngularNodeAppEngine</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>20.3.29 (2026-06-17)</h1>
<h3><code>@​angular/cli</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/5f7c0328c3fe1a003ade44861d9aac98f485f014">5f7c0328c</a></td>
<td>fix</td>
<td>update pacote to 21.5.1</td>
</tr>
</tbody>
</table>
<h3><code>@​angular/ssr</code></h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/angular/angular-cli/commit/a75d78e681b10436971d8071450b8cfd93b2d72a">a75d78e68</a></td>
<td>fix</td>
<td>prioritize options over environment variables in
AngularNodeAppEngine</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>22.0.2 (2026-06-17)</h1>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/angular/angular-cli/commit/b30b9d3d2e7537f567fcb9567eab88093cf423d1"><code>b30b9d3</code></a>
release: cut the v22.0.3 release</li>
<li><a
href="https://github.com/angular/angular-cli/commit/bc97bb3541c3187ce4c0507b9b75271c77285139"><code>bc97bb3</code></a>
build: update dependency vite to v7.3.5</li>
<li><a
href="https://github.com/angular/angular-cli/commit/0eddea898d3bf4da8c9c5c27ec2ee79916e8be87"><code>0eddea8</code></a>
fix(<code>@​schematics/angular</code>): remove default workspace vscode
mcp.json configuration</li>
<li><a
href="https://github.com/angular/angular-cli/commit/08f9959105da32b66fc25f7190fe4d68463264e1"><code>08f9959</code></a>
refactor(<code>@​angular/cli</code>): promote experimental MCP tools to
stable</li>
<li><a
href="https://github.com/angular/angular-cli/commit/aab6c10b946818724d711ee34a85e50979e7a822"><code>aab6c10</code></a>
release: cut the v22.0.2 release</li>
<li><a
href="https://github.com/angular/angular-cli/commit/376e4dce4290106815315c530ee25ec76eea896c"><code>376e4dc</code></a>
build: update cross-repo angular dependencies</li>
<li><a
href="https://github.com/angular/angular-cli/commit/d996a27e9744b473a7db56f81871731b8bdce585"><code>d996a27</code></a>
fix(<code>@​angular/ssr</code>): avoid caching non-SSG page lookups</li>
<li><a
href="https://github.com/angular/angular-cli/commit/5714bfcbe182c97db47440ce51fe92a89bb34ac7"><code>5714bfc</code></a>
build: update pnpm to v10.34.3</li>
<li><a
href="https://github.com/angular/angular-cli/commit/f26011ae7a3b8ae3449d7ddad4a5d1b6a02de8fe"><code>f26011a</code></a>
build: lock file maintenance</li>
<li><a
href="https://github.com/angular/angular-cli/commit/2879ed9befd87f4cf7f2bbb2206b73a148b22631"><code>2879ed9</code></a>
build: update bazel dependencies</li>
<li>Additional commits viewable in <a
href="https://github.com/angular/angular-cli/compare/v21.2.9...v22.0.3">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/googleapis/google-cloud-python/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
shuoweil pushed a commit that referenced this pull request Jun 25, 2026
@release-please
chore(main): release bigframes 2.44.0 (#17504)
b9692a1 
🤖 I have created a release *beep* *boop*
---


##
[2.44.0](bigframes-v2.43.0...bigframes-v2.44.0)
(2026-06-25)


### Features

* add date functions to `bigframes.bigquery` module
([#17514](#17514))
([e5d2e35](e5d2e35))
* **bigframes:** add AI TVFs to the pandas bq accessor
([#17402](#17402))
([ee74e31](ee74e31))
* Experimental transpilation of unannotated python callables
([#17419](#17419))
([ea9aad9](ea9aad9))
* support gemini-3.x models in loader and update default model to
gemini-3.5-flash
([#17557](#17557))
([3619b29](3619b29))
* support interactive execution of deferred DataFrames in TableWidget
([#17486](#17486))
([421eebd](421eebd))


### Bug Fixes

* avoid invalid CAST(NULL AS NULL) in SQLGlot compiler
([#17487](#17487))
([3b79caa](3b79caa))
* **bigframes:** world-readable temp zip in create_cloud_function
([#17522](#17522))
([e726878](e726878))
* bump @angular/common, @angular/forms, @angular/platform-browser and
@angular/router in
/packages/bigframes/bigframes/display/table_widget_angular
([#17525](#17525))
([2f893b1](2f893b1))
* bump langsmith from 0.8.0 to 0.8.18 in /packages/bigframes
([#17518](#17518))
([f23063f](f23063f))
* bump msgpack from 1.1.1 to 1.2.1 in /packages/bigframes
([#17520](#17520))
([36b5b7e](36b5b7e))
* bump undici and @angular/build in
/packages/bigframes/bigframes/display/table_widget_angular
([#17519](#17519))
([6fc45e3](6fc45e3))
* handle empty endpoints during cloud function reuse
([#17501](#17501))
([4f5593a](4f5593a))


### Documentation

* ensure that PlotAccessor is included in the API reference
([#17513](#17513))
([6febabf](6febabf))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@parthea parthea parthea approved these changes
@shuoweil shuoweil Awaiting requested review from shuoweil shuoweil is a code owner automatically assigned from googleapis/bigquery-dataframe-team

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@parthea @yoshi-kokoro
Morty Proxy This is a proxified and sanitized view of the page, visit original site.