Skip to content

Bump the npm_and_yarn group across 1 directory with 13 updates#1192

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/angular-app/npm_and_yarn-a360f76cfb
Open

Bump the npm_and_yarn group across 1 directory with 13 updates#1192
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/angular-app/npm_and_yarn-a360f76cfb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 7 updates in the /angular-app directory:

Package From To
@angular/common 20.3.2 20.3.14
@angular/compiler 20.3.2 20.3.16
@angular/core 20.3.2 20.3.18
@modelcontextprotocol/sdk 1.17.3 1.26.0
immutable 5.1.3 5.1.5
picomatch 4.0.3 4.0.4
postcss 8.5.6 8.5.13

Updates @angular/common from 20.3.2 to 20.3.14

Release notes

Sourced from @​angular/common's releases.

20.3.14

http

Commit Description
fix - 0276479e7d prevent XSRF token leakage to protocol-relative URLs

20.3.13

No release notes provided.

20.3.12

No release notes provided.

20.3.11

common

Commit Description
fix - 5047849a4a remove placeholder image listeners once view is removed

compiler

Commit Description
fix - f9d0818087 support arbitrary nesting in :host-context()
fix - 106b9040df support commas in :host() argument
fix - 9419ea348a support complex selectors in :nth-child()
fix - 036c5d2a07 support one additional level of nesting in :host()

core

Commit Description
fix - dcdd1bcdbb skip leave animations on view swaps

20.3.10

compiler-cli

Commit Description
fix - 840db59dc1 make required inputs diagnostic less noisy

migrations

Commit Description
fix - a45e6b2b66 Prevent removal of templates referenced with preceding whitespace characters

20.3.9

No release notes provided.

20.3.8

common

Commit Description
feat - 020f17694b Blocks IPv6 localhost from preconnect checks

core

Commit Description

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

20.3.14 (2025-11-25)

http

Commit Type Description
0276479e7d fix prevent XSRF token leakage to protocol-relative URLs

21.0.1 (2025-11-25)

compiler-cli

Commit Type Description
39c577bc36 fix do not type check native controls with ControlValueAccessor
8d3a89a477 fix escape angular control flow in jsdoc
bc34083d34 fix ignore non-existent files

core

Commit Type Description
0ea1e07174 fix apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c fix debug data causing memory leak for root effects
a55482fca3 fix notify profiler events in case of errors
49ad7c6508 fix use injected DOCUMENT for CSP_NONCE
cc1ec09931 perf avoid repeat searches for field directive

forms

Commit Type Description
7d5c7cf99a feat add DI option for classes on Field directive
8acf5d2756 fix allow dynamic type bindings on signal form controls
de5fca94c5 fix run reset as untracked

http

Commit Type Description
3240d856d9 fix prevent XSRF token leakage to protocol-relative URLs

migrations

Commit Type Description

... (truncated)

Commits
  • 0276479 fix(http): prevent XSRF token leakage to protocol-relative URLs
  • a8c577d docs: add reference to Built-in Pipes in multiple pipe files
  • 8922cae Revert "refactor(http): migrate XSRF classes to use inject() function"
  • 5047849 fix(common): remove placeholder image listeners once view is removed
  • 4c66fe4 refactor(core): mark VERSION as @__PURE__ for better tree-shaking
  • 2ad6b72 refactor(http): migrate XSRF classes to use inject() function
  • ee578d3 build: format md files
  • 744cd5c refactor(http): simplifies destruction tracking using destroyed property
  • 5ce9d88 docs: Adds guide links to HTTP API docs for better discoverability
  • 020f176 feat(common): Blocks IPv6 localhost from preconnect checks
  • Additional commits viewable in compare view

Updates @angular/compiler from 20.3.2 to 20.3.16

Release notes

Sourced from @​angular/compiler's releases.

20.3.16

core

Commit Description
fix - c2c2b4aaa8 sanitize sensitive attributes on SVG script elements

20.3.15

compiler

Commit Description
fix - d1ca8ae043 prevent XSS via SVG animation attributeName and MathML/SVG URLs

20.3.14

http

Commit Description
fix - 0276479e7d prevent XSRF token leakage to protocol-relative URLs

20.3.13

No release notes provided.

20.3.12

No release notes provided.

20.3.11

common

Commit Description
fix - 5047849a4a remove placeholder image listeners once view is removed

compiler

Commit Description
fix - f9d0818087 support arbitrary nesting in :host-context()
fix - 106b9040df support commas in :host() argument
fix - 9419ea348a support complex selectors in :nth-child()
fix - 036c5d2a07 support one additional level of nesting in :host()

core

Commit Description
fix - dcdd1bcdbb skip leave animations on view swaps

20.3.10

compiler-cli

Commit Description
fix - 840db59dc1 make required inputs diagnostic less noisy

migrations

Commit Description
fix - a45e6b2b66 Prevent removal of templates referenced with preceding whitespace characters

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

20.3.16 (2026-01-07)

core

Commit Type Description
c2c2b4aaa8 fix sanitize sensitive attributes on SVG script elements

19.2.18 (2026-01-07)

core

Commit Type Description
26cdc53d9c fix sanitize sensitive attributes on SVG script elements

21.0.7 (2026-01-07)

compiler

Commit Type Description
8e808740c9 fix better types for a few expression AST nodes
63b1cdcf70 fix produce accurate span for typeof and void expressions
3c3ae0cb64 fix provide location information for literal map keys
523dbaf1c3 fix stop ThisReceiver inheritance from ImplicitReceiver

compiler-cli

Commit Type Description
4d9c4567ed fix ensure component import diagnostics are reported within the imports expression
cd405685af fix fix up spelling of diagnostic
778460fcca fix support qualified names in typeof type references

core

Commit Type Description
7c74674eb0 fix avoid leaking view data in animations
0edbee4550 fix explicitly cast signal node value to String
f9c29572d2 fix sanitize sensitive attributes on SVG script elements

forms

Commit Type Description
e3fba182f9 feat add [formField] directive
561772b152 fix allow custom controls to require dirty input
f0fb1d8581 fix allow custom controls to require hidden input
ec110f170b fix allow custom controls to require pending input
ae1dc16bb0 fix clean up abort listener after timeout
9748b0d5da fix support custom controls with non signal-based models
6bd22df987 fix Support readonly arrays in signal forms

router

| Commit | Type | Description |

... (truncated)

Commits
  • c2c2b4a fix(core): sanitize sensitive attributes on SVG script elements
  • d1ca8ae fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
  • f689269 Revert "fix(compiler): support one additional level of nesting in :host()"
  • 7b2e6ca Revert "fix(compiler): support arbitrary nesting in :host-context()"
  • 6036eef Revert "fix(compiler): support commas in :host() argument"
  • a44658b Revert "fix(compiler): support complex selectors in :nth-child()"
  • 9419ea3 fix(compiler): support complex selectors in :nth-child()
  • 2531863 test(compiler): add test for :host:has(> .foo)
  • 106b904 fix(compiler): support commas in :host() argument
  • f9d0818 fix(compiler): support arbitrary nesting in :host-context()
  • Additional commits viewable in compare view

Updates @angular/core from 20.3.2 to 20.3.18

Release notes

Sourced from @​angular/core's releases.

20.3.18

compiler

Commit Description
fix - 02fbf08890 disallow translations of iframe src

core

Commit Description
fix - 72126f9a08 sanitize translated attribute bindings with interpolations
fix - 626bc8bc20 sanitize translated form attributes

20.3.17

core

Commit Description
fix - 7f9de3c118 block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

20.3.16

core

Commit Description
fix - c2c2b4aaa8 sanitize sensitive attributes on SVG script elements

20.3.15

compiler

Commit Description
fix - d1ca8ae043 prevent XSS via SVG animation attributeName and MathML/SVG URLs

20.3.14

http

Commit Description
fix - 0276479e7d prevent XSRF token leakage to protocol-relative URLs

20.3.13

No release notes provided.

20.3.12

No release notes provided.

20.3.11

common

Commit Description

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

20.3.18 (2026-03-12)

compiler

Commit Type Description
02fbf08890 fix disallow translations of iframe src

core

Commit Type Description
72126f9a08 fix sanitize translated attribute bindings with interpolations
626bc8bc20 fix sanitize translated form attributes

22.0.0-next.3 (2026-03-12)

compiler

Commit Type Description
78dea55351 fix disallow translations of iframe src

core

Commit Type Description
999c14eaab fix reverts "feat(core): add support for nested animations"
de0eb4c656 fix sanitize translated form attributes

21.2.4 (2026-03-12)

compiler

Commit Type Description
ed2d324f9c fix disallow translations of iframe src

core

Commit Type Description
abbd8797bb fix reverts "feat(core): add support for nested animations"
d1dcd16c5b fix sanitize translated form attributes

22.0.0-next.2 (2026-03-11)

Breaking Changes

core

  • createNgModuleRef was removed, use createNgModule instead

core

Commit Type Description
b918beda32 feat allow debouncing signals

... (truncated)

Commits
  • 626bc8b fix(core): sanitize translated form attributes
  • 72126f9 fix(core): sanitize translated attribute bindings with interpolations
  • 7f9de3c fix(core): block creation of sensitive URI attributes from ICU messages
  • c2c2b4a fix(core): sanitize sensitive attributes on SVG script elements
  • d1ca8ae fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
  • 820bb39 Revert "refactor(core): let the profiler handle asymmetric events leniently"
  • 2dccdcd Revert "fix(core): notify profiler events in case of errors"
  • a966ff1 refactor(core): let the profiler handle asymmetric events leniently
  • 52cf658 fix(core): notify profiler events in case of errors
  • daae263 docs: Adds links to relevant guides for APIs in core package
  • Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.17.3 to 1.26.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

v1.25.2

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

1.25.1

What's Changed

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

1.25.0

What's Changed

... (truncated)

Commits
  • fe9c07b chore: bump version to 1.26.0 (#1479)
  • 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
  • a05be17 Merge commit from fork
  • 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
  • aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
  • 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
  • 6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
  • 12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
  • b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)
  • a0c9b13 fix: README badges links destinations (#907)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @​modelcontextprotocol/sdk since your current version.


Updates tar from 6.2.1 to 7.5.13

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates glob from 10.4.5 to 13.0.6

Changelog

Sourced from glob's changelog.

changeglob

13

  • Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

  • Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

  • Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
  • Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
  • Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

  • Drop support for node before v20

10.4

  • Add includeChildMatches: false option
  • Export the Ignore class

10.3

  • Add --default -p flag to provide a default pattern
  • exclude symbolic links to directories when follow and nodir are both set

10.2

  • Add glob cli

10.1

  • Return '.' instead of the empty string '' when the current working directory is returned as a match.
  • Add posix: true option to return / delimited paths, even on

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for glob since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates immutable from 5.1.3 to 5.1.5

Release notes

Sourced from immutable's releases.

v5.1.5

What's Changed

Full Changelog: immutable-js/immutable-js@v5.1.4...v5.1.5

v5.1.4

What's Changed

Documentation

Internal

New Contributors

Full Changelog: immutable-js/immutable-js@v5.1.3...v5.1.4

Changelog

Sourced from immutable's changelog.

5.1.5

  • Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

Documentation

Internal

Commits
  • b37b855 5.1.5
  • 16b3313 Merge commit from fork
  • fd2ef49 fix new proto key injection
  • 6734b7b fix Prototype Pollution in mergeDeep, toJS, etc.
  • 6f772de Merge pull request #2175 from immutable-js/dependabot/npm_and_yarn/rollup-4.59.0
  • 5f3dc61 Bump rollup from 4.34.8 to 4.59.0
  • 049a594 Merge pull request #2173 from immutable-js/dependabot/npm_and_yarn/lodash-4.1...
  • 2481a77 Merge pull request #2172 from mrazauskas/update-tstyche
  • eb04779 Bump lodash from 4.17.21 to 4.17.23
  • b973bf3 format
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for immutable since your current version.


Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

Updates minimatch from 9.0.5 to 10.2.5

Changelog

Sourced from minimatch's changelog.

change log

10.2

  • Add braceExpandMax option

10.1

  • Add magicalBraces option for escape
  • Fix makeRe when partial: true is set.
  • Fix makeRe when pattern ends in a final ** path part.

10.0

  • Require node 20 or 22 and higher

9.0

  • No default export, only named exports.

8.0

  • Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
  • Bump required Node.js version

7.4

  • Add escape() method
  • Add unescape() method
  • Add Minimatch.hasMagic() method

7.3

  • Add support for posix character classes in a unicode-aware way.

7.2

  • Add windowsNoMagicRoot option

7.1

  • Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

Updates postcss from 8.5.6 to 8.5.13

Release notes

Sourced from

@dependabot
Bump the npm_and_yarn group across 1 directory with 13 updates
d3ec21f 
Bumps the npm_and_yarn group with 7 updates in the /angular-app directory:

| Package | From | To |
| --- | --- | --- |
| [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `20.3.2` | `20.3.14` |
| [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `20.3.2` | `20.3.16` |
| [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `20.3.2` | `20.3.18` |
| [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.17.3` | `1.26.0` |
| [immutable](https://github.com/immutable-js/immutable-js) | `5.1.3` | `5.1.5` |
| [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.13` |



Updates `@angular/common` from 20.3.2 to 20.3.14
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/20.3.14/packages/common)

Updates `@angular/compiler` from 20.3.2 to 20.3.16
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v20.3.16/packages/compiler)

Updates `@angular/core` from 20.3.2 to 20.3.18
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v20.3.18/packages/core)

Updates `@modelcontextprotocol/sdk` from 1.17.3 to 1.26.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@1.17.3...v1.26.0)

Updates `tar` from 6.2.1 to 7.5.13
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.1...v7.5.13)

Updates `glob` from 10.4.5 to 13.0.6
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v13.0.6)

Updates `immutable` from 5.1.3 to 5.1.5
- [Release notes](https://github.com/immutable-js/immutable-js/releases)
- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)
- [Commits](immutable-js/immutable-js@v5.1.3...v5.1.5)

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@4.0.3...4.0.4)

Updates `minimatch` from 9.0.5 to 10.2.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v10.2.5)

Updates `postcss` from 8.5.6 to 8.5.13
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.13)

Updates `qs` from 6.14.0 to 6.15.1
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.0...v6.15.1)

Updates `rollup` from 4.52.3 to 4.59.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.52.3...v4.59.0)

Updates `vite` from 7.1.5 to 7.3.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

---
updated-dependencies:
- dependency-name: "@angular/common"
  dependency-version: 20.3.14
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@angular/compiler"
  dependency-version: 20.3.16
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@angular/core"
  dependency-version: 20.3.18
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.26.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: glob
  dependency-version: 13.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: immutable
  dependency-version: 5.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 10.2.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.59.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants