From 6774882630556619512ca0fbea7f5b5c575fa15f Mon Sep 17 00:00:00 2001
From: Alan Agius <17563226+alan-agius4@users.noreply.github.com>
Date: Tue, 16 Jun 2026 08:43:17 +0000
Subject: [PATCH] fix(@angular/cli): update pacote to 21.5.1

Update pacote to 21.5.1 to address https://github.com/advisories/GHSA-w4pp-8pjf-rmxw

Fixes #33376
---
 packages/angular/cli/package.json |  2 +-
 pnpm-lock.yaml                    | 23 +++++++++++++++--------
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/packages/angular/cli/package.json b/packages/angular/cli/package.json
index 3668dbef400a..add9993f93c2 100644
--- a/packages/angular/cli/package.json
+++ b/packages/angular/cli/package.json
@@ -35,7 +35,7 @@
     "jsonc-parser": "3.3.1",
     "listr2": "9.0.1",
     "npm-package-arg": "13.0.0",
-    "pacote": "21.0.4",
+    "pacote": "21.5.1",
     "resolve": "1.22.10",
     "semver": "7.7.2",
     "yargs": "18.0.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 0a4490b43567..13f5d779013d 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -496,8 +496,8 @@ importers:
         specifier: 13.0.0
         version: 13.0.0
       pacote:
-        specifier: 21.0.4
-        version: 21.0.4
+        specifier: 21.5.1
+        version: 21.5.1
       resolve:
         specifier: 1.22.10
         version: 1.22.10
@@ -2394,6 +2394,10 @@ packages:
   '@firebase/webchannel-wrapper@1.0.5':
     resolution: {integrity: sha512-+uGNN7rkfn41HLO0vekTFhTxk61eKa8mTpRGLO0QSqlQdKvIoGAvLp3ppdVIWbTGYJWM6Kp0iN+PjMIOcnVqTw==}
 
+  '@gar/promise-retry@1.0.3':
+    resolution: {integrity: sha512-GmzA9ckNokPypTg10pgpeHNQe7ph+iIKKmhKu3Ob9ANkswreCx7R3cKmY781K8QK3AqVL3xVh9A42JvIAbkkSA==}
+    engines: {node: ^20.17.0 || >=22.9.0}
+
   '@glideapps/ts-necessities@2.2.3':
     resolution: {integrity: sha512-gXi0awOZLHk3TbW55GZLCPP6O+y/b5X1pBXKBVckFONSwF1z1E5ND2BGJsghQFah+pW7pkkyFb2VhUQI2qhL5w==}
 
@@ -7563,8 +7567,8 @@ packages:
   package-json-from-dist@1.0.1:
     resolution: {integrity: sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==}
 
-  pacote@21.0.4:
-    resolution: {integrity: sha512-RplP/pDW0NNNDh3pnaoIWYPvNenS7UqMbXyvMqJczosiFWTeGGwJC2NQBLqKf4rGLFfwCOnntw1aEp9Jiqm1MA==}
+  pacote@21.5.1:
+    resolution: {integrity: sha512-KvcJ9iy3crysCsgqc4+PknH/w6jkrp8JN36mpZBPwNaDRwTfMZD37YzRazNstiZUOhuF5pno9f78n9mEJBavwg==}
     engines: {node: ^20.17.0 || >=22.9.0}
     hasBin: true
 
@@ -8624,6 +8628,7 @@ packages:
   tar@7.5.4:
     resolution: {integrity: sha512-AN04xbWGrSTDmVwlI4/GTlIIwMFk/XEv7uL8aa57zuvRy6s4hdBed+lVq2fAZ89XDa7Us3ANXcE3Tvqvja1kTA==}
     engines: {node: '>=18'}
+    deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
   teeny-request@10.1.0:
     resolution: {integrity: sha512-3ZnLvgWF29jikg1sAQ1g0o+lr5JX6sVgYvfUJazn7ZjJroDBUTWp44/+cFVX0bULjv4vci+rBD+oGVAkWqhUbw==}
@@ -11079,6 +11084,8 @@ snapshots:
 
   '@firebase/webchannel-wrapper@1.0.5': {}
 
+  '@gar/promise-retry@1.0.3': {}
+
   '@glideapps/ts-necessities@2.2.3': {}
 
   '@google-cloud/common@6.0.0(supports-color@10.2.2)':
@@ -15592,7 +15599,7 @@ snapshots:
 
   ignore-walk@8.0.0:
     dependencies:
-      minimatch: 10.0.3
+      minimatch: 10.1.1
 
   ignore@5.3.2: {}
 
@@ -16984,8 +16991,9 @@ snapshots:
 
   package-json-from-dist@1.0.1: {}
 
-  pacote@21.0.4:
+  pacote@21.5.1:
     dependencies:
+      '@gar/promise-retry': 1.0.3
       '@npmcli/git': 7.0.1
       '@npmcli/installed-package-contents': 4.0.0
       '@npmcli/package-json': 7.0.4
@@ -16999,10 +17007,9 @@ snapshots:
       npm-pick-manifest: 11.0.3
       npm-registry-fetch: 19.1.1
       proc-log: 6.1.0
-      promise-retry: 2.0.1
       sigstore: 4.1.0
       ssri: 13.0.0
-      tar: 7.5.1
+      tar: 7.5.4
     transitivePeerDependencies:
       - supports-color