Bump undici, @angular-builders/jest and @angular/build in /alcs-frontend

[dependabot]

Bumps undici to 7.28.0 and updates ancestor dependencies undici, @angular-builders/jest and @angular/build. These dependencies need to be updated together.

Updates undici from 7.25.0 to 7.28.0

Release notes

Sourced from undici's releases.

v7.28.0

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.

npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x line — the vulnerable single-pool code was still present through v7.27.2. The per-origin pool fix is 3805b8f8 (#5041).

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	7.28.0	8cb10f98
GHSA-vmh5-mc38-953g	CVE-2026-9697	High (7.4)	7.28.0	04201f89
GHSA-hm92-r4w5-c3mj	CVE-2026-6734	High (7.5)	7.28.0	3805b8f8
GHSA-pr7r-676h-xcf6	CVE-2026-9678	Moderate (5.9)	7.28.0	85a24055
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	7.28.0	d0574cc4
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	7.28.0	d0574cc4
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	7.28.0	ea8930cf

---

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

• Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
• Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295

... (truncated)

Commits

• f9eba0a Bumped v7.28.0 (#5430)
• a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
• 8cb10f9 websocket: limit the number of fragments in a message
• 04201f8 fix: honor requestTls when proxy is SOCKS5
• fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
• bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
• 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
• 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
• 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
• 85a2405 fix(cache): trim qualified field names
• Additional commits viewable in compare view

Updates @angular-builders/jest from 21.0.3 to 22.0.0

Changelog

Sourced from @​angular-builders/jest's changelog.

22.0.0 (2026-06-10)

Note: Version bump only for package @​angular-builders/jest

22.0.0-beta.1 (2026-06-09)

Note: Version bump only for package @​angular-builders/jest

22.0.0-beta.0 (2026-06-09)

⚠ BREAKING CHANGES

• All packages now require Angular 22.
• User TypeScript config/plugin modules now load via jiti instead of ts-node. Configs are transpiled rather than type-checked (run tsc --noEmit separately if you relied on build-time type-checking); ts-node and tsconfig-paths are no longer dependencies; and the NODE_OPTIONS='--loader ts-node/esm' workaround for ESM apps is no longer needed.
• isolatedModules now defaults to true for faster compilation, which disables cross-file TypeScript type-checking during Jest runs. Set isolatedModules: false in your config to restore the previous behavior.
• Coverage output is now scoped per project: coverageDirectory defaults to <projectRoot>/coverage instead of ./coverage, so projects in a multi-project workspace no longer overwrite each other's reports.

Features

• ng add / ng update schematics for jest, custom-esbuild, custom-webpack (#2267) (062f423), closes #22
• replace ts-node with jiti for loading TypeScript modules (#2287) (0348e06), closes #816
• upgrade builders + examples to Angular 22 (22.0.0-rc.2) (#2264) (9ed7020)

Bug Fixes

• jest: default isolatedModules to true for faster compilation (fixes #1899) (#2191) (acd2d37)
• jest: scope coverage output per-project in multi-project workspaces (fixes #1009) (#2212) (0ac5d6d)

Miscellaneous Chores

• graduate Angular 22 from RC to GA (daec882)

21.0.4 (2026-06-08)

Note: Version bump only for package @​angular-builders/jest

21.0.4-beta.17 (2026-06-07)

Note: Version bump only for package @​angular-builders/jest

21.0.4-beta.16 (2026-06-05)

Reverts

• remove redundant TS2742 builder annotations (#2275, #2278) (#2279) (a2882e5)

21.0.4-beta.15 (2026-06-04)

Bug Fixes

... (truncated)

Commits

• 7cebff9 ci(release): publish
• 6647e73 ci(release): publish
• 49f90e4 docs(changelog): clean up v22 breaking-change sections
• a27c6b0 ci(release): publish
• daec882 chore!: graduate Angular 22 from RC to GA
• 2cb9a56 chore(deps): update bazel-example to Angular CLI 22
• 0348e06 feat!: replace ts-node with jiti for loading TypeScript modules (#2287)
• 0ac5d6d fix(jest)!: scope coverage output per-project in multi-project workspaces (fi...
• acd2d37 fix(jest)!: default isolatedModules to true for faster compilation (fixes #18...
• 062f423 feat: ng add / ng update schematics for jest, custom-esbuild, custom-webpack ...
• Additional commits viewable in compare view

Updates @angular/build from 21.2.8 to 22.0.3

Release notes

Sourced from @​angular/build's releases.

22.0.3

@​schematics/angular

Commit	Description
	remove default workspace vscode mcp.json configuration

22.0.2

@​angular/cli

Commit	Description
	support registry metadata fetching under bun package manager
	implement semaphore backpressure throttling in PackageManager

@​angular/build

Commit	Description
	implement semaphore backpressure throttling in JavaScriptTransformer

@​angular/ssr

Commit	Description
	avoid caching non-SSG page lookups
	correct grammar in console warning for redirected location headers
	prioritize options over environment variables in AngularNodeAppEngine

22.0.1

@​schematics/angular

Commit	Description
	fix browserMode option mapping in refactor-jasmine-vitest
	safely comment out multiline statements in refactor-jasmine-vitest
	use null objects and callbacks in karma-to-vitest migration

@​angular/cli

Commit	Description
	do not sort migrations of the same version alphabetically
	fallback to local package.json for schematic detection on first run
	isolate temporary package installation from parent pnpm workspace
	remove forceAuth and unscoped credential parsing
	validate registry option is a valid URL in ng add
	optimize update schematic registry query counts by fetching package metadata lazily

@​angular/build

Commit	Description
	allow disabling Vitest isolation from builder
	exclude JSON imports from Vite dependency optimization
	prevent concurrent stylesheet bundling esbuild context leaks
	restrict application builder output paths to output directory

22.0.0

@​schematics/angular

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/build's changelog.

22.0.3 (2026-06-18)

@​schematics/angular

Commit	Type	Description
0eddea898	fix	remove default workspace vscode mcp.json configuration

21.2.16 (2026-06-17)

@​angular/cli

Commit	Type	Description
77c9047ac	fix	update pacote to 21.5.1

@​angular/ssr

Commit	Type	Description
d052e97da	fix	prioritize options over environment variables in AngularNodeAppEngine

20.3.29 (2026-06-17)

@​angular/cli

Commit	Type	Description
5f7c0328c	fix	update pacote to 21.5.1

@​angular/ssr

Commit	Type	Description
a75d78e68	fix	prioritize options over environment variables in AngularNodeAppEngine

22.0.2 (2026-06-17)

... (truncated)

Commits

• b30b9d3 release: cut the v22.0.3 release
• bc97bb3 build: update dependency vite to v7.3.5
• 0eddea8 fix(@​schematics/angular): remove default workspace vscode mcp.json configuration
• 08f9959 refactor(@​angular/cli): promote experimental MCP tools to stable
• aab6c10 release: cut the v22.0.2 release
• 376e4dc build: update cross-repo angular dependencies
• d996a27 fix(@​angular/ssr): avoid caching non-SSG page lookups
• 5714bfc build: update pnpm to v10.34.3
• f26011a build: lock file maintenance
• 2879ed9 build: update bazel dependencies
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #3032.