Bump semver, npm, @angular-devkit/build-angular and @angular/cli

[dependabot]

Bumps semver to 5.7.0 and updates ancestor dependencies semver, npm, @angular-devkit/build-angular and @angular/cli. These dependencies need to be updated together.

Updates semver from 5.7.0 to 5.7.0

Commits

• See full diff in compare view

Updates semver from 5.5.0 to 5.7.2

Commits

• See full diff in compare view

Updates npm from 6.5.0 to 11.9.0

Release notes

Sourced from npm's releases.

v11.9.0

11.9.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@​wraithgar)

Bug Fixes

• 2242f25 #8952 webauth: improve error messages around webauth in non-TTY (#8952) (@​Andarist)

Dependencies

• 332c9f3 #8960 glob@13.0.1
• eca02c7 #8960 minimatch@10.1.2 @isaacs/brace-expansion@5.0.1
• b3f8475 #8951 minipass-fetch@5.0.1
• 924171b #8951 is-cidr@6.0.2
• 4404002 #8951 ci-info@4.4.0
• b65af73 #8951 lru-cache@11.2.5
• 164c355 #8951 tar@7.5.7
• a74a19c #8951 node-gyp@12.2.0
• e0bc212 #8943 pacote@21.1.0

Chores

• 4a82a8f #8951 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.2.0
• workspace: @npmcli/config@10.6.0
• workspace: libnpmdiff@8.1.0
• workspace: libnpmexec@10.2.0
• workspace: libnpmfund@7.0.14
• workspace: libnpmpack@9.1.0

v11.8.0

11.8.0 (2026-01-21)

Features

• 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@​saksham-malhotra-27)
• f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (#8840) (@​watilde)

Documentation

• 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (#8866) (@​Schweinepriester)
• 5552e46 #8797 npm-install: explain package-lock.json behavior (#8797) (@​MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #8919 postcss-selector-parser@7.1.1
• 2b6a71f #8919 path-scurry@2.0.1
• 19096f2 #8919 sigstore@4.1.0
• e7f5d1e #8919 lru-cache@11.2.4
• 9e756ae #8919 ip-address@10.1.0
• f951820 #8919 common-ancestor-path@2.0.0
• 7a949ad #8919 @sigstore/verify@3.1.0
• 6979ce1 #8919 @sigstore/sign@4.1.0
• b4a6a41 #8919 @sigstore/core@3.1.0
• dc8a8e8 #8919 @sigstore/tuf@4.0.1
• be221ea #8919 validate-npm-package-name@7.0.2
• 149823d #8919 diff@8.0.3
• 32b2001 #8919 tar@7.5.4

Chores

... (truncated)

Changelog

Sourced from npm's changelog.

11.9.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@​wraithgar)

Bug Fixes

• 2242f25 #8952 webauth: improve error messages around webauth in non-TTY (#8952) (@​Andarist)

Dependencies

• 332c9f3 #8960 glob@13.0.1
• eca02c7 #8960 minimatch@10.1.2 @isaacs/brace-expansion@5.0.1
• b3f8475 #8951 minipass-fetch@5.0.1
• 924171b #8951 is-cidr@6.0.2
• 4404002 #8951 ci-info@4.4.0
• b65af73 #8951 lru-cache@11.2.5
• 164c355 #8951 tar@7.5.7
• a74a19c #8951 node-gyp@12.2.0
• e0bc212 #8943 pacote@21.1.0

Chores

• 4a82a8f #8951 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.2.0
• workspace: @npmcli/config@10.6.0
• workspace: libnpmdiff@8.1.0
• workspace: libnpmexec@10.2.0
• workspace: libnpmfund@7.0.14
• workspace: libnpmpack@9.1.0

11.8.0 (2026-01-21)

Features

• 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@​saksham-malhotra-27)
• f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (#8840) (@​watilde)

Documentation

• 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (#8866) (@​Schweinepriester)
• 5552e46 #8797 npm-install: explain package-lock.json behavior (#8797) (@​MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #8919 postcss-selector-parser@7.1.1
• 2b6a71f #8919 path-scurry@2.0.1
• 19096f2 #8919 sigstore@4.1.0
• e7f5d1e #8919 lru-cache@11.2.4
• 9e756ae #8919 ip-address@10.1.0
• f951820 #8919 common-ancestor-path@2.0.0
• 7a949ad #8919 @sigstore/verify@3.1.0
• 6979ce1 #8919 @sigstore/sign@4.1.0
• b4a6a41 #8919 @sigstore/core@3.1.0
• dc8a8e8 #8919 @sigstore/tuf@4.0.1
• be221ea #8919 validate-npm-package-name@7.0.2
• 149823d #8919 diff@8.0.3
• 32b2001 #8919 tar@7.5.4

Chores

• 8f599df #8919 pin jsdom to 27.0.0 (@​wraithgar)
• f4f1161 #8919 dev dependency updates (@​wraithgar)

... (truncated)

Commits

• 417daa7 chore: release 11.9.0
• 332c9f3 deps: glob@13.0.1
• eca02c7 deps: minimatch@10.1.2 @​isaacs/brace-expansion@​5.0.1
• 2242f25 fix(webauth): improve error messages around webauth in non-TTY (#8952)
• b3f8475 deps: minipass-fetch@5.0.1
• 4a82a8f chore: dev dependency updates
• 924171b deps: is-cidr@6.0.2
• 4404002 deps: ci-info@4.4.0
• b65af73 deps: lru-cache@11.2.5
• 164c355 deps: tar@7.5.7
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by gar, a new releaser for npm since your current version.

Updates @angular-devkit/build-angular from 0.800.1 to 21.1.2

Release notes

Sourced from @​angular-devkit/build-angular's releases.

21.1.2

@​angular-devkit/schematics-cli

Commit	Description
	Add boolean type inference for 'true' and 'false' string values in argument parsing

@​angular-devkit/architect

Commit	Description
	Add boolean type inference for 'true' and 'false' string values in argument parsing

@​angular/build

Commit	Description
	loosen Vitest dependency checks when runnerConfig is used
	support merging coverage thresholds with Vitest runnerConfig

21.1.1

@​schematics/angular

Commit	Description
	correct vscode MCP configuration for new projects
	remove special characters from jasmine-vitest report filename

@​angular/cli

Commit	Description
	Remove nonexistent link from MCP response

@​angular/build

Commit	Description
	allow application assets in workspace root
	prevent incorrect catch binding removal in downleveled for-await
	update undici to v7.18.2

21.1.0

@​schematics/angular

Commit	Description
	add browserMode option to jasmine-vitest schematic
	generate detailed migration report for refactor-jasmine-vitest
	add MCP configuration file to new workspaces

@​angular/cli

Commit	Description
	add 'test' and 'e2e' MCP tools
	Add "all" as an experimental tool group
	Add MCP tools for building and running devservers
	add signal forms lessons
	correctly handle yarn classic tag manifest fetching
	correctly spawn package managers on Windows in new abstraction
	enhance list_projects MCP tool file system traversal and symlink handling
	handle array output from npm view in manifest parser

... (truncated)

Changelog

Sourced from @​angular-devkit/build-angular's changelog.

21.1.2 (2026-01-28)

@​angular-devkit/schematics-cli

Commit	Type	Description
e7458c81d	fix	Add boolean type inference for 'true' and 'false' string values in argument parsing

@​angular-devkit/architect

Commit	Type	Description
d66f1fe64	fix	Add boolean type inference for 'true' and 'false' string values in argument parsing

@​angular/build

Commit	Type	Description
80911af67	fix	loosen Vitest dependency checks when runnerConfig is used
2d30639d3	fix	support merging coverage thresholds with Vitest runnerConfig

21.1.1 (2026-01-21)

@​angular/cli

Commit	Type	Description
151b69587	fix	Remove nonexistent link from MCP response

@​schematics/angular

Commit	Type	Description
9da6d8fa7	fix	correct vscode MCP configuration for new projects
361758c75	fix	remove special characters from jasmine-vitest report filename

@​angular/build

Commit	Type	Description
1b7e3307a	fix	allow application assets in workspace root
d1e596dc5	fix	prevent incorrect catch binding removal in downleveled for-await
98ef0981a	fix	update undici to v7.18.2

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for @​angular-devkit/build-angular since your current version.

Updates @angular/cli from 8.0.1 to 21.1.2

Release notes

Sourced from @​angular/cli's releases.

21.1.2

@​angular-devkit/schematics-cli

Commit	Description
	Add boolean type inference for 'true' and 'false' string values in argument parsing

@​angular-devkit/architect

Commit	Description
	Add boolean type inference for 'true' and 'false' string values in argument parsing

@​angular/build

Commit	Description
	loosen Vitest dependency checks when runnerConfig is used
	support merging coverage thresholds with Vitest runnerConfig

21.1.1

@​schematics/angular

Commit	Description
	correct vscode MCP configuration for new projects
	remove special characters from jasmine-vitest report filename

@​angular/cli

Commit	Description
	Remove nonexistent link from MCP response

@​angular/build

Commit	Description
	allow application assets in workspace root
	prevent incorrect catch binding removal in downleveled for-await
	update undici to v7.18.2

21.1.0

@​schematics/angular

Commit	Description
	add browserMode option to jasmine-vitest schematic
	generate detailed migration report for refactor-jasmine-vitest
	add MCP configuration file to new workspaces

@​angular/cli

Commit	Description
	add 'test' and 'e2e' MCP tools
	Add "all" as an experimental tool group
	Add MCP tools for building and running devservers
	add signal forms lessons
	correctly handle yarn classic tag manifest fetching
	correctly spawn package managers on Windows in new abstraction
	enhance list_projects MCP tool file system traversal and symlink handling
	handle array output from npm view in manifest parser

... (truncated)

Changelog

Sourced from @​angular/cli's changelog.

21.1.2 (2026-01-28)

@​angular-devkit/schematics-cli

Commit	Type	Description
e7458c81d	fix	Add boolean type inference for 'true' and 'false' string values in argument parsing

@​angular-devkit/architect

Commit	Type	Description
d66f1fe64	fix	Add boolean type inference for 'true' and 'false' string values in argument parsing

@​angular/build

Commit	Type	Description
80911af67	fix	loosen Vitest dependency checks when runnerConfig is used
2d30639d3	fix	support merging coverage thresholds with Vitest runnerConfig

21.1.1 (2026-01-21)

@​angular/cli

Commit	Type	Description
151b69587	fix	Remove nonexistent link from MCP response

@​schematics/angular

Commit	Type	Description
9da6d8fa7	fix	correct vscode MCP configuration for new projects
361758c75	fix	remove special characters from jasmine-vitest report filename

@​angular/build

Commit	Type	Description
1b7e3307a	fix	allow application assets in workspace root
d1e596dc5	fix	prevent incorrect catch binding removal in downleveled for-await
98ef0981a	fix	update undici to v7.18.2

... (truncated)

Commits

• 702d717 release: cut the v21.1.2 release
• d66f1fe fix(@​angular-devkit/architect): Add boolean type inference for 'true' and 'fa...
• e7458c8 fix(@​angular-devkit/schematics-cli): Add boolean type inference for 'true' an...
• e974e40 build: lock file maintenance
• 2d30639 fix(@​angular/build): support merging coverage thresholds with Vitest runnerCo...
• 80911af fix(@​angular/build): loosen Vitest dependency checks when runnerConfig is used
• 7cf1d3b build: update cross-repo angular dependencies
• 165e7d6 build: update all github actions
• 8e7f86b build: update bazel dependencies
• 3206b8b build: update cross-repo angular dependencies
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for @​angular/cli since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.