[Snyk] Upgrade zone.js from 0.11.8 to 0.16.0

[snyk-io]

Snyk has created this PR to upgrade zone.js from 0.11.8 to 0.16.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 18 versions ahead of your current version.

• The recommended version was released 3 months ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ADOBECSSTOOLS-6096077	42	No Known Exploit
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	42	No Known Exploit
	Excessive Platform Resource Consumption within a Loop SNYK-JS-BRACES-6838727	42	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ADOBECSSTOOLS-5871286	42	No Known Exploit
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	42	Proof of Concept
	Denial of Service (DoS) SNYK-JS-HTTPPROXYMIDDLEWARE-8229906	42	Proof of Concept
	Uncontrolled Recursion SNYK-JS-NODEFORGE-14125745	42	No Known Exploit
	Allocation of Resources Without Limits or Throttling SNYK-JS-QS-14724253	42	Proof of Concept
	Sandbox Bypass SNYK-JS-WEBPACK-3358798	42	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	42	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	42	No Known Exploit
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	42	No Known Exploit
	Always-Incorrect Control Flow Implementation SNYK-JS-HTTPPROXYMIDDLEWARE-9691387	42	No Known Exploit
	Improper Check for Unusual or Exceptional Conditions SNYK-JS-HTTPPROXYMIDDLEWARE-9691389	42	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	42	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	42	No Known Exploit
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	42	No Known Exploit
	Improper Input Validation SNYK-JS-NANOID-8492085	42	No Known Exploit
	Interpretation Conflict SNYK-JS-NODEFORGE-14114940	42	No Known Exploit
	Integer Overflow or Wraparound SNYK-JS-NODEFORGE-14125097	42	No Known Exploit
	Improper Handling of Unexpected Data Type SNYK-JS-ONHEADERS-10773729	42	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	42	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	42	Proof of Concept
	Improper Input Validation SNYK-JS-POSTCSS-5926692	42	No Known Exploit
	Allocation of Resources Without Limits or Throttling SNYK-JS-QS-15268416	42	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	42	No Known Exploit
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	42	No Known Exploit

Breaking Change Risk

Notice: This assessment is enhanced by AI.

Release notes

Package name: zone.js

• 0.16.0 - 2025-11-19
• 0.15.1 - 2025-05-22
• 0.15.0 - 2024-08-21
• 0.14.10 - 2024-08-05
• 0.14.8 - 2024-07-17
• 0.14.7 - 2024-06-06
• 0.14.6 - 2024-05-17
• 0.14.5 - 2024-04-30
• 0.14.4 - 2024-02-13
• 0.14.3 - 2024-01-09
• 0.14.2 - 2023-11-03
• 0.14.1 - 2023-10-26
• 0.14.0 - 2023-09-18
• 0.13.3 - 2023-09-12
• 0.13.2 - 2023-09-11
• 0.13.1 - 2023-06-12
• 0.13.0 - 2023-03-06
• 0.12.0 - 2022-11-07
• 0.11.8 - 2022-08-12

from zone.js GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[snyk-io]

This is a significant upgrade for zone.js that includes several breaking changes, requiring code and configuration updates.

High-Impact Changes:

• Import Paths (v0.14.0): Deep and legacy import paths such as zone.js/dist/zone or zone.js/bundles/zone-testing.js are no longer allowed. You must update your code to use the top-level imports.

  Recommendation: Change your imports to the following format:

  import 'zone.js';  
  import 'zone.js/testing';  

Medium-Impact Changes:

• Browser Support (v0.16.0): Support for Internet Explorer and non-Chromium Edge has been completely removed.
• Testing Behavior (v0.15.0): The fakeAsync testing utility will now automatically flush pending timers by default. This may affect existing tests. You can opt-out by passing {flush: false}.
• Error Handling (v0.11.2): zone.js no longer suppresses errors from Object.defineProperty. This may cause previously hidden errors in your application to surface.

Source: zone.js CHANGELOG

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.