build(deps): bump the npm_and_yarn group across 2 directories with 33 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
@angular/common	11.0.3	19.2.16
@angular/core	11.0.3	21.2.6
js-yaml	4.1.0	4.1.1
js-yaml	3.13.1	3.14.2
@babel/traverse	7.17.9	7.29.0
@tootallnate/once	1.1.2	removed
minimatch	3.0.4	3.1.5
lodash	4.17.21	4.17.23
picomatch	2.3.1	2.3.2

Bumps the npm_and_yarn group with 9 updates in the /tests/test-angular-project directory:

Package	From	To
@angular/common	11.0.5	19.2.16
@angular/core	11.0.5	21.2.6
js-yaml	3.14.0	3.14.2
braces	3.0.2	3.0.3
form-data	2.3.3	removed
minimatch	3.0.4	3.1.5
minimist	1.2.5	1.2.8
@angular/compiler	11.0.5	21.2.6
find-exec	1.0.1	1.0.3

Updates @angular/common from 11.0.3 to 19.2.16

Release notes

Sourced from @​angular/common's releases.

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

For more information please see: GHSA-68x2-mx4q-78m7

18.2.14

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63640)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

19.2.16 (2025-11-26)

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

20.3.14 (2025-11-25)

http

Commit	Type	Description
0276479e7d	fix	prevent XSRF token leakage to protocol-relative URLs

21.0.1 (2025-11-25)

compiler-cli

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

core

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected DOCUMENT for CSP_NONCE
cc1ec09931	perf	avoid repeat searches for field directive

forms

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on Field directive
8acf5d2756	fix	allow dynamic type bindings on signal form controls

... (truncated)

Commits

• 05fe668 fix(http): prevent XSRF token leakage to protocol-relative URLs
• 12e2302 build: update common's locales to use rules_js (#61630)
• 9701047 test(common): Add circular deps test to 19.2.x (#61651)
• 2c876b4 fix(common): avoid injecting ApplicationRef in FetchBackend (#61649)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 2b1b14f fix(core): cleanup rxResource abort listener (#58306)
• 126efc9 fix(common): cancel reader when app is destroyed (#61528)
• efda872 fix(common): prevent reading chunks if app is destroyed (#61354)
• c43fd3a build: migrate common to use rules_js based toolchain (#61434)
• 185b780 build: migrate packages/core/schematics to ts_project (#61420)
• Additional commits viewable in compare view

Updates @angular/core from 11.0.3 to 21.2.6

Release notes

Sourced from @​angular/core's releases.

21.2.6

common

Commit	Description
	avoid redundant image fetch on destroy with auto sizes

compiler

Commit	Description
	prevent shimCssText from adding extra blank lines per CSS comment

core

Commit	Description
	fixes a regression with animate.leave and reordering

migrations

Commit	Description
	inject migration not work in multi-project workspace with option path

21.2.5

compiler

Commit	Description
	ensure generated code compiles
	parse named HTML entities containing digits

compiler-cli

Commit	Description
	escape template literal in TCB
	generic types not filled out correctly in type check block

core

Commit	Description
	clean up dehydrated views during HMR component replacement
	run linked signal equality check without reactive consumer

migrations

Commit	Description
	prevent trailing comma syntax errors after removing NgStyle

service-worker

Commit	Description
	preserve redirect policy on reconstructed asset requests

21.2.4

compiler

Commit	Description
	disallow translations of iframe src

core

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

21.2.6 (2026-03-25)

common

Commit	Type	Description
b4ab6ba2e8	fix	avoid redundant image fetch on destroy with auto sizes

compiler

Commit	Type	Description
880a57d4b3	fix	prevent shimCssText from adding extra blank lines per CSS comment

core

Commit	Type	Description
ad0156e056	fix	fixes a regression with animate.leave and reordering

migrations

Commit	Type	Description
73d6b01b47	fix	inject migration not work in multi-project workspace with option path

22.0.0-next.4 (2026-03-18)

Breaking Changes

core

• Leave animations are no longer limited to the element being removed.
• ChangeDetectorRef.checkNoChanges was removed. In tests use fixture.detectChanges() instead.

compiler

Commit	Type	Description
412788fac9	fix	ensure generated code compiles
75560ce43d	fix	parse named HTML entities containing digits
d99ab0e040	fix	stop generating unused field

compiler-cli

Commit	Type	Description
2bd708fb6b	fix	escape template literal in TCB
9769560da7	fix	generic types not filled out correctly in type check block
7a0d6b8df2	fix	transform dropping exclamationToken from properties

core

Commit	Type	Description
df659b8d0c	feat	re-introduce nested leave animations scoped to component boundaries
dc3131c639	feat	TestBed.getFixture -> TestBed.getLastFixture and update implementation
dc0446552a	fix	clean up dehydrated views during HMR component replacement
523d69a768	fix	run linked signal equality check without reactive consumer
69fb1614ef	refactor	remove checkNoChanges from the public API.

forms

Commit	Type	Description
3983080236	feat	support ngNoCva as an opt-out for ControlValueAccessors

... (truncated)

Commits

• c157916 build: consolidate domino bundling in platform-server
• 9be5e2c docs: fix typo in Input decorator
• a21be36 refactor: prepare for required changeDetection prop on G3.
• 831746e docs: Add callout about the Component interface.
• ad0156e fix(core): fixes a regression with animate.leave and reordering
• 73d6b01 fix(migrations): inject migration not work in multi-project workspace with op...
• 3838554 build: update cross-repo angular dependencies to v21.2.3
• 851ef77 Revert "refactor(core): Ensure determineLongestAnimation is run synchronously...
• 076d41c fix(migrations): prevent trailing comma syntax errors after removing NgStyle
• a8f80c1 refactor(core): declare explicit reactive node prototypes types
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates js-yaml from 3.13.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates @babel/traverse from 7.17.9 to 7.29.0

Release notes

Sourced from @​babel/traverse's releases.

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

🏃‍♀️ Performance

• babel-generator, babel-runtime-corejs3
  • #17642 [Babel 7] Improve generator performance (@​liuxingbaoyu)

Committers: 6

• David (@​simbahax)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• @​magic-akari

v7.28.6 (2026-01-12)

Thanks @​kadhirash and @​kolvian for your first PRs!

🐛 Bug Fix

• babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types
  • #17589 Improve Unicode handling in code-frame tokenizer (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17556 fix: transform-regenerator correctly handles scope (@​liuxingbaoyu)
• babel-plugin-transform-react-jsx
  • #17538 fix: Keep jsx comments (@​liuxingbaoyu)

💅 Polish

• babel-core, babel-standalone
  • #17606 Polish(standalone): improve message on invalid preset/plugin (@​JLHwung)

🏠 Internal

• babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex
  • #17580 Allow Babel 8 in compatible Babel 7 plugins (@​nicolo-ribaudo)

... (truncated)

Commits

• aa8394e v7.29.0
• 84366a8 fix(traverse): provide a hub when traversing a File or Program and no parentP...
• 229eb45 [7.x backport] fix: Rename switch discriminant references when body creates s...
• d7f4008 v7.28.6
• 905bc22 fix: lint errors in main branch (#17612)
• a03e2b6 fix: path.evaluate correctly returns confident (#17584)
• aac2c37 chore: Use Gulpfile.mts (#17579)
• 65c4a6b [Babel 8] fix: Improve traverse types (#17574)
• 99dcba5 chore: enable some ts-eslint rules (#17592)
• c92c491 Improve Unicode handling in code-frame tokenizer (#17589)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​babel/traverse since your current version.

Removes @tootallnate/once

Updates minimatch from 3.0.4 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates json5 from 2.2.1 to 2.2.3

Release notes

Sourced from json5's releases.

v2.2.3

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

Changelog

Sourced from json5's changelog.

v2.2.3 [code, diff]

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

Commits

• c3a7524 2.2.3
• 94fd06d docs: update CHANGELOG for v2.2.3
• 3b8cebf docs(security): use GitHub security advisories
• f0fd9e1 docs: publish a security policy
• 6a91a05 docs(template): bug -> bug report
• 14f8cb1 2.2.2
• 10cc7ca docs: update CHANGELOG for v2.2.2
• 7774c10 fix: add proto to objects and arrays
• edde30a Readme: slight tweak to intro
• 97286f8 Improve example in readme
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates @angular/common from 11.0.5 to 19.2.16

Release notes

Sourced from @​angular/common's releases.

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

For more information please see: GHSA-68x2-mx4q-78m7

18.2.14

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63640)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

19.2.16 (2025-11-26)

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

20.3.14 (2025-11-25)

http

Commit	Type	Description
0276479e7d	fix	prevent XSRF token leakage to protocol-relative URLs

21.0.1 (2025-11-25)

compiler-cli

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

core

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected DOCUMENT for CSP_NONCE
cc1ec09931	perf	avoid repeat searches for field directive

forms

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on Field directive
8acf5d2756	fix	allow dynamic type bindings on signal form controls

... (truncated)

Commits

• 05fe668 fix(http): prevent XSRF token leakage to protocol-relative URLs
• 12e2302 build: update common's locales to use rules_js (#61630)
• 9701047 test(common): Add circular deps test to 19.2.x (#61651)
• 2c876b4 fix(common): avoid injecting ApplicationRef in FetchBackend (#61649)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 2b1b14f fix(core): cleanup rxResource abort listener (#58306)
• 126efc9 fix(common): cancel reader when app is destroyed (#61528)
• efda872 fix(common): prevent reading chunks if app is destroyed (#61354)
• c43fd3a build: migrate common to use rules_js based toolchain (#61434)
• 185b780 build: migrate packages/core/schematics to ts_project (#61420)
• Additional commits viewable in compare view

Updates @angular/core from 11.0.5 to 21.2.6

Release notes

Sourced from @​angular/core's releases.

21.2.6

common

Commit	Description
	avoid redundant image fetch on destroy with auto sizes

compiler

Commit	Description
	prevent shimCssText from adding extra blank lines per CSS comment

core

Commit	Description
	fixes a regression with animate.leave and reordering

migrations

Commit	Description
	inject migration not work in multi-project workspace with option path

21.2.5

compiler

Commit	Description
	ensure generated code compiles
	parse named HTML entities containing digits

compiler-cli

Commit	Description
	escape template literal in TCB
	generic types not filled out correctly in type check block

core

Commit	Description
	clean up dehydrated views during HMR component replacement
	run linked signal equality check without reactive consumer

migrations

Commit	Description
	prevent trailing comma syntax errors after removing NgStyle

service-worker

Commit	Description
	preserve redirect policy on reconstructed asset requests

21.2.4

compiler

Commit	Description
	disallow translations of iframe src

core

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

21.2.6 (2026-03-25)

common

Commit	Type	Description
b4ab6ba2e8	fix	avoid redundant image fetch on destroy with auto sizes

compiler

Commit	Type	Description
880a57d4b3	fix	p... Description has been truncated