Bump the npm_and_yarn group across 1 directory with 13 updates

[dependabot]

Bumps the npm_and_yarn group with 13 updates in the / directory:

Package	From	To
@angular/common	18.2.14	19.2.16
@angular/compiler	18.2.14	19.2.18
@angular/core	18.2.14	19.2.20
@angular/ssr	18.2.21	19.2.21
axios	1.12.2	1.15.0
flatted	3.3.3	3.4.2
immutable	4.3.7	4.3.8
js-yaml	4.1.0	4.1.1
lodash	4.17.21	4.18.1
minimatch	3.1.2	3.1.5
node-forge	1.3.1	1.4.0
picomatch	2.3.1	2.3.2
vite	5.4.20	5.4.21

Updates @angular/common from 18.2.14 to 19.2.16

Release notes

Sourced from @​angular/common's releases.

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

For more information please see: GHSA-68x2-mx4q-78m7

Changelog

Sourced from @​angular/common's changelog.

19.2.16 (2025-11-26)

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

20.3.14 (2025-11-25)

http

Commit	Type	Description
0276479e7d	fix	prevent XSRF token leakage to protocol-relative URLs

21.0.1 (2025-11-25)

compiler-cli

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

core

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected DOCUMENT for CSP_NONCE
cc1ec09931	perf	avoid repeat searches for field directive

forms

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on Field directive
8acf5d2756	fix	allow dynamic type bindings on signal form controls

... (truncated)

Commits

• 05fe668 fix(http): prevent XSRF token leakage to protocol-relative URLs
• 12e2302 build: update common's locales to use rules_js (#61630)
• 9701047 test(common): Add circular deps test to 19.2.x (#61651)
• 2c876b4 fix(common): avoid injecting ApplicationRef in FetchBackend (#61649)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 2b1b14f fix(core): cleanup rxResource abort listener (#58306)
• 126efc9 fix(common): cancel reader when app is destroyed (#61528)
• efda872 fix(common): prevent reading chunks if app is destroyed (#61354)
• c43fd3a build: migrate common to use rules_js based toolchain (#61434)
• 185b780 build: migrate packages/core/schematics to ts_project (#61420)
• Additional commits viewable in compare view

Updates @angular/compiler from 18.2.14 to 19.2.18

Release notes

Sourced from @​angular/compiler's releases.

19.2.18

core

Commit	Description
	sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit	Description
	prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

For more information please see: GHSA-68x2-mx4q-78m7

Changelog

Sourced from @​angular/compiler's changelog.

19.2.18 (2026-01-07)

core

Commit	Type	Description
26cdc53d9c	fix	sanitize sensitive attributes on SVG script elements

21.0.7 (2026-01-07)

compiler

Commit	Type	Description
8e808740c9	fix	better types for a few expression AST nodes
63b1cdcf70	fix	produce accurate span for typeof and void expressions
3c3ae0cb64	fix	provide location information for literal map keys
523dbaf1c3	fix	stop ThisReceiver inheritance from ImplicitReceiver

compiler-cli

Commit	Type	Description
4d9c4567ed	fix	ensure component import diagnostics are reported within the imports expression
cd405685af	fix	fix up spelling of diagnostic
778460fcca	fix	support qualified names in typeof type references

core

Commit	Type	Description
7c74674eb0	fix	avoid leaking view data in animations
0edbee4550	fix	explicitly cast signal node value to String
f9c29572d2	fix	sanitize sensitive attributes on SVG script elements

forms

Commit	Type	Description
e3fba182f9	feat	add [formField] directive
561772b152	fix	allow custom controls to require dirty input
f0fb1d8581	fix	allow custom controls to require hidden input
ec110f170b	fix	allow custom controls to require pending input
ae1dc16bb0	fix	clean up abort listener after timeout
9748b0d5da	fix	support custom controls with non signal-based models
6bd22df987	fix	Support readonly arrays in signal forms

router

Commit	Type	Description
41cd4a6af8	fix	Fix RouterLink href not updating with queryParamsHandling
5e9e09aee0	fix	handle errors from view transition updateCallbackDone promise

21.0.6 (2025-12-17)

Breaking Changes (affecting only experimental features)

... (truncated)

Commits

• 26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
• 7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
• 24bab55 fix(compiler): lexer support for template literals in object literals (#61601)
• fc2483e refactor(compiler): avoid duplication between FactoryTarget type (#61571)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 44bb328 fix(compiler): avoid conflicts between HMR code and local symbols (#61550)
• 1007079 build: update compiler-cli to not be stamped when used for the compiler in ng...
• 0d025c5 build: support new ng_project rule (#61336)
• 899cb4a refactor: add explicit types for exports relying on inferred call return type...
• 1312eb1 build: remove irrelevant madge circular deps tests (#61209)
• Additional commits viewable in compare view

Updates @angular/core from 18.2.14 to 19.2.20

Release notes

Sourced from @​angular/core's releases.

19.2.20

compiler

Commit	Description
	disallow translations of iframe src

core

Commit	Description
	sanitize translated attribute bindings with interpolations
	sanitize translated form attributes

19.2.19

core

Commit	Description
	block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

• Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

  (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

19.2.18

core

Commit	Description
	sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit	Description
	prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

19.2.20 (2026-03-12)

compiler

Commit	Type	Description
5be912eb55	fix	disallow translations of iframe src

core

Commit	Type	Description
b89b0a83a4	fix	sanitize translated attribute bindings with interpolations
621c7071ad	fix	sanitize translated form attributes

20.3.18 (2026-03-12)

compiler

Commit	Type	Description
02fbf08890	fix	disallow translations of iframe src

core

Commit	Type	Description
72126f9a08	fix	sanitize translated attribute bindings with interpolations
626bc8bc20	fix	sanitize translated form attributes

22.0.0-next.3 (2026-03-12)

compiler

Commit	Type	Description
78dea55351	fix	disallow translations of iframe src

core

Commit	Type	Description
999c14eaab	fix	reverts "feat(core): add support for nested animations"
de0eb4c656	fix	sanitize translated form attributes

21.2.4 (2026-03-12)

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description

... (truncated)

Commits

• 621c707 fix(core): sanitize translated form attributes
• b89b0a8 fix(core): sanitize translated attribute bindings with interpolations
• 7475487 fix(core): block creation of sensitive URI attributes from ICU messages
• 26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
• 7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
• 70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
• 73d3e00 build: fix failing test (#61683)
• 9e1cd49 fix(migrations): preserve comments when removing unused imports (#61674)
• a6d5479 build: migrate platform-server to rules_js (#61619)
• 2a26944 build: migrate platform-browser and platform-browser-dynamic package to use r...
• Additional commits viewable in compare view

Updates @angular/ssr from 18.2.21 to 19.2.21

Release notes

Sourced from @​angular/ssr's releases.

19.2.21

@​angular/ssr

Commit	Description
	prevent open redirect via X-Forwarded-Prefix header
	validate host headers to prevent header-based SSRF

19.2.20

@​angular-devkit/build-angular

Commit	Description
	update webpack to 5.105.0

19.2.19

@​angular/build

Commit	Description
	update vite to v6.4.1

19.2.18

@​angular/ssr

Commit	Description
	prevent malicious URL from overriding host

19.2.17

@​angular/build

Commit	Description
	update vite to 6.3.6

19.2.16

@​angular-devkit/build-angular

Commit	Description
	avoid extra tick in SSR builds

@​angular/build

Commit	Description
	avoid extra tick in SSR dev-server builds

@​angular/ssr

Commit	Description
	introduce BootstrapContext for isolated server-side rendering

Breaking Changes

@​angular/ssr

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

... (truncated)

Changelog

Sourced from @​angular/ssr's changelog.

19.2.21 (2026-02-23)

@​angular/ssr

Commit	Type	Description
288e22816	fix	prevent open redirect via X-Forwarded-Prefix header
2a72d7483	fix	validate host headers to prevent header-based SSRF

19.2.20 (2026-02-13)

@​angular-devkit/build-angular

Commit	Type	Description
0e5421ba7	fix	update webpack to 5.105.0

21.1.4 (2026-02-11)

@​angular/build

Commit	Type	Description
7a9dd6b47	fix	correctly resolve absolute setup file paths in Vitest

20.3.16 (2026-02-09)

@​angular/cli

Commit	Type	Description
656888a25	fix	update dependency @​modelcontextprotocol/sdk to v1.26.0

21.1.3 (2026-02-05)

... (truncated)

Commits

• 4d9442a release: cut the v19.2.21 release
• 288e228 fix(@​angular/ssr): prevent open redirect via X-Forwarded-Prefix header
• 2a72d74 fix(@​angular/ssr): validate host headers to prevent header-based SSRF
• 747393c release: cut the v19.2.20 release
• d37b749 build: update pnpm to 10.15.0
• 0e5421b fix(@​angular-devkit/build-angular): update webpack to 5.105.0
• 399c3ec release: cut the v19.2.19 release
• 4d8ea27 fix(@​angular/build): update vite to v6.4.1
• 8590f19 release: cut the v19.2.18 release
• 9136a5d fix(@​angular/ssr): prevent malicious URL from overriding host
• Additional commits viewable in compare view

Updates axios from 1.12.2 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

• Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

• Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
• Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

• Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

• CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
• Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
• Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
• Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
• Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @​raashish1601 (#10573)
• @​Kilros0817 (#10625)
• @​ashstrc (#10624)
• @​Abhi3975 (#10589)
• @​theamodhshetty (#7452)

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

• Runtime Features: No new end-user features were introduced in this release.
• Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

• Headers: Trim trailing CRLF in normalised header values. (#7456)
• HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
• Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
• Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 772a4e5 chore(release): prepare release 1.15.0 (#10671)
• 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
• 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
• fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
• 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
• 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
• e66530e ci: require npm-publish environment for releases (#10666)
• 49f23cb chore(sponsor): update sponsor block (#10668)
• 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
• fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates immutable from 4.3.7 to 4.3.8

Release notes

Sourced from immutable's releases.

v4.3.8

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

5.1.5

• Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

• Migrate some files to TS by @​jdeniau in immutable-js/immutable-js#2125
  • Iterator.ts
  • PairSorting.ts
  • toJS.ts
  • Math.ts
  • Hash.ts
• Extract CollectionHelperMethods and convert to TS by @​jdeniau in immutable-js/immutable-js#2131
• Use npm trusted publishing only to avoid token stealing.

Documentation

• Fix/a11y issues by @​lyannel in immutable-js/immutable-js#2136
• Doc add Map.get signature update by @​borracciaBlu in immutable-js/immutable-js#2138
• fix(doc):minor-issues#2132 by @​JayMeDotDot in immutable-js/immutable-js#2133
• Fix algolia search by @​jdeniau in immutable-js/immutable-js#2135
• Typo in OrderedMap by @​jdeniau in immutable-js/immutable-js#2144

Internal

• chore: Sort all imports and activate eslint import rule by @​jdeniau in immutable-js/immutable-js#2119

5.1.3

TypeScript

• fix: allow readonly map entry constructor by @​septs in immutable-js/immutable-js#2123

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: https://immutable-js.c...

Description has been truncated