Bump the npm_and_yarn group across 1 directory with 33 updates

[dependabot]

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package	From	To
@angular/common	14.2.10	21.2.9
@angular/compiler	14.2.10	21.2.9
@angular/core	14.2.10	21.2.9
@tootallnate/once	2.0.0	removed
cookie	0.4.2	0.7.2
socket.io	4.5.3	4.8.3
flatted	3.2.7	3.4.2
follow-redirects	1.15.2	1.16.0
minimatch	3.1.2	3.1.5
lodash	4.17.21	4.18.1
picomatch	2.3.1	2.3.2

Updates @angular/common from 14.2.10 to 21.2.9

Release notes

Sourced from @​angular/common's releases.

21.2.9

core

Commit	Description
	escape forward slashes in transfer state to prevent crawler indexing

http

Commit	Description
	add CSP nonce support to JsonpClientBackend
	Don't on Passthru outside of reactive context

platform-server

Commit	Description
	prevent SSRF bypasses via protocol-relative and backslash URLs

router

Commit	Description
	normalize multiple leading slashes in URL parser

21.2.8

compiler

Commit	Description
	handle nested brackets in host object bindings

compiler-cli

Commit	Description
	error for type parameter declarations

core

Commit	Description
	handle missing serialized container hydration data
	remove obsolete iOS cursor pointer hack in event delegation

language-service

Commit	Description
	get quick info at local var location to align with TS semantics and support type narrowing

21.2.7

compiler

Commit	Description
	register SVG animation attributes in URL security context (#67797)

compiler-cli

Commit	Description
	prevent recursive scope checks for invalid NgModule imports

core

Commit	Description

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

21.2.9 (2026-04-15)

core

Commit	Type	Description
f603d4714f	fix	escape forward slashes in transfer state to prevent crawler indexing

http

Commit	Type	Description
540536c386	fix	add CSP nonce support to JsonpClientBackend
63a857b874	fix	Don't on Passthru outside of reactive context

platform-server

Commit	Type	Description
e0b5078cf2	fix	prevent SSRF bypasses via protocol-relative and backslash URLs

router

Commit	Type	Description
684e9fd53d	fix	normalize multiple leading slashes in URL parser

22.0.0-next.7 (2026-04-08)

Breaking Changes

core

• The second arguement of appRef.bootstrap does not accept any anymore. Make sure the element you pass is not nullable.
• • TypeScript versions older than 6.0 are no longer supported.
• ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponentFunction.
• ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponent function.

platform-browser

• This removes styles when they appear to no longer be used by an associated host. However other DOM on the page may still be affected by those styles if not leveraging ViewEncapsulation.Emulated or if those styles are used by elements outside of Angular, potentially causing other DOM to appear unstyled.

router

• The currentSnapshot parameter in CanMatchFn and the canMatch method of the CanMatch interface is now required. While this was already the behavior of the Router at runtime, existing class implementations of CanMatch must now include the third argument to satisfy the interface.

compiler

Commit	Type	Description
2ce0e98f79	fix	handle nested brackets in host object bindings

compiler-cli

Commit	Type	Description
7f9450219f	feat	Adds warning for prefetch without main defer trigger
ab061a7610	fix	error for type parameter declarations
9218140348	fix	resolve TCB mapping failure for safe property reads with as any

core

Commit	Type	Description
a0aa8304cd	feat	bootstrap via ApplicationRef with config
9c55fcb3e6	feat	de-duplicate host directives
8fe025f514	feat	drop support for TypeScript 5.9
77f1ca08e4	fix	handle missing serialized container hydration data

... (truncated)

Commits

• 540536c fix(http): add CSP nonce support to JsonpClientBackend
• 8102331 test(http): disable XSRF and mock location in HttpClient tests to avoid Domin...
• 13f050d test: construct local Date objects to fix timezone flakiness
• d0cf299 test: remove unsupported timezone from formatDate tests
• b4ab6ba fix(common): avoid redundant image fetch on destroy with auto sizes
• adda6c5 build: update aspect_rules_js to 3.0.2
• 93c6dc6 Revert "refactor(http): Improves base64 encoding/decoding with feature detect...
• 76431ed Revert "fix(http): correctly cache blob responses in transfer cache (#67002)"
• 277ade9 fix(http): correctly cache blob responses in transfer cache (#67002)
• aeb9b81 refactor(http): Improves base64 encoding/decoding with feature detection (#67...
• Additional commits viewable in compare view

Updates @angular/compiler from 14.2.10 to 21.2.9

Release notes

Sourced from @​angular/compiler's releases.

21.2.9

core

Commit	Description
	escape forward slashes in transfer state to prevent crawler indexing

http

Commit	Description
	add CSP nonce support to JsonpClientBackend
	Don't on Passthru outside of reactive context

platform-server

Commit	Description
	prevent SSRF bypasses via protocol-relative and backslash URLs

router

Commit	Description
	normalize multiple leading slashes in URL parser

21.2.8

compiler

Commit	Description
	handle nested brackets in host object bindings

compiler-cli

Commit	Description
	error for type parameter declarations

core

Commit	Description
	handle missing serialized container hydration data
	remove obsolete iOS cursor pointer hack in event delegation

language-service

Commit	Description
	get quick info at local var location to align with TS semantics and support type narrowing

21.2.7

compiler

Commit	Description
	register SVG animation attributes in URL security context (#67797)

compiler-cli

Commit	Description
	prevent recursive scope checks for invalid NgModule imports

core

Commit	Description

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

21.2.9 (2026-04-15)

core

Commit	Type	Description
f603d4714f	fix	escape forward slashes in transfer state to prevent crawler indexing

http

Commit	Type	Description
540536c386	fix	add CSP nonce support to JsonpClientBackend
63a857b874	fix	Don't on Passthru outside of reactive context

platform-server

Commit	Type	Description
e0b5078cf2	fix	prevent SSRF bypasses via protocol-relative and backslash URLs

router

Commit	Type	Description
684e9fd53d	fix	normalize multiple leading slashes in URL parser

22.0.0-next.7 (2026-04-08)

Breaking Changes

core

• The second arguement of appRef.bootstrap does not accept any anymore. Make sure the element you pass is not nullable.
• • TypeScript versions older than 6.0 are no longer supported.
• ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponentFunction.
• ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponent function.

platform-browser

• This removes styles when they appear to no longer be used by an associated host. However other DOM on the page may still be affected by those styles if not leveraging ViewEncapsulation.Emulated or if those styles are used by elements outside of Angular, potentially causing other DOM to appear unstyled.

router

• The currentSnapshot parameter in CanMatchFn and the canMatch method of the CanMatch interface is now required. While this was already the behavior of the Router at runtime, existing class implementations of CanMatch must now include the third argument to satisfy the interface.

compiler

Commit	Type	Description
2ce0e98f79	fix	handle nested brackets in host object bindings

compiler-cli

Commit	Type	Description
7f9450219f	feat	Adds warning for prefetch without main defer trigger
ab061a7610	fix	error for type parameter declarations
9218140348	fix	resolve TCB mapping failure for safe property reads with as any

core

Commit	Type	Description
a0aa8304cd	feat	bootstrap via ApplicationRef with config
9c55fcb3e6	feat	de-duplicate host directives
8fe025f514	feat	drop support for TypeScript 5.9
77f1ca08e4	fix	handle missing serialized container hydration data

... (truncated)

Commits

• a4f3120 refactor(compiler): require a reference in DirectiveMeta
• de533fe refactor(compiler-cli): move ClassPropertyMapping into compiler
• ea1e34c refactor(compiler): move matchSource into base metadata
• e40d378 fix(compiler): handle nested brackets in host object bindings
• d04ddd7 fix(core): prevent binding unsafe attributes on SVG animation elements (#67797)
• fea25d1 fix(compiler): register SVG animation attributes in URL security context (#67...
• 880a57d fix(compiler): prevent shimCssText from adding extra blank lines per CSS comment
• 23ea431 fix(compiler): parse named HTML entities containing digits
• 334ae10 fix(compiler): ensure generated code compiles
• ed2d324 fix(compiler): disallow translations of iframe src
• Additional commits viewable in compare view

Updates @angular/core from 14.2.10 to 21.2.9

Release notes

Sourced from @​angular/core's releases.

21.2.9

core

Commit	Description
	escape forward slashes in transfer state to prevent crawler indexing

http

Commit	Description
	add CSP nonce support to JsonpClientBackend
	Don't on Passthru outside of reactive context

platform-server

Commit	Description
	prevent SSRF bypasses via protocol-relative and backslash URLs

router

Commit	Description
	normalize multiple leading slashes in URL parser

21.2.8

compiler

Commit	Description
	handle nested brackets in host object bindings

compiler-cli

Commit	Description
	error for type parameter declarations

core

Commit	Description
	handle missing serialized container hydration data
	remove obsolete iOS cursor pointer hack in event delegation

language-service

Commit	Description
	get quick info at local var location to align with TS semantics and support type narrowing

21.2.7

compiler

Commit	Description
	register SVG animation attributes in URL security context (#67797)

compiler-cli

Commit	Description
	prevent recursive scope checks for invalid NgModule imports

core

Commit	Description

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

21.2.9 (2026-04-15)

core

Commit	Type	Description
f603d4714f	fix	escape forward slashes in transfer state to prevent crawler indexing

http

Commit	Type	Description
540536c386	fix	add CSP nonce support to JsonpClientBackend
63a857b874	fix	Don't on Passthru outside of reactive context

platform-server

Commit	Type	Description
e0b5078cf2	fix	prevent SSRF bypasses via protocol-relative and backslash URLs

router

Commit	Type	Description
684e9fd53d	fix	normalize multiple leading slashes in URL parser

22.0.0-next.7 (2026-04-08)

Breaking Changes

core

• The second arguement of appRef.bootstrap does not accept any anymore. Make sure the element you pass is not nullable.
• • TypeScript versions older than 6.0 are no longer supported.
• ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponentFunction.
• ComponentFactoryResolver and ComponentFactory are no longer available. Pass the component class directly to APIs that previously required a factory, such as ViewContainerRef.createComponent or use the standalone createComponent function.

platform-browser

• This removes styles when they appear to no longer be used by an associated host. However other DOM on the page may still be affected by those styles if not leveraging ViewEncapsulation.Emulated or if those styles are used by elements outside of Angular, potentially causing other DOM to appear unstyled.

router

• The currentSnapshot parameter in CanMatchFn and the canMatch method of the CanMatch interface is now required. While this was already the behavior of the Router at runtime, existing class implementations of CanMatch must now include the third argument to satisfy the interface.

compiler

Commit	Type	Description
2ce0e98f79	fix	handle nested brackets in host object bindings

compiler-cli

Commit	Type	Description
7f9450219f	feat	Adds warning for prefetch without main defer trigger
ab061a7610	fix	error for type parameter declarations
9218140348	fix	resolve TCB mapping failure for safe property reads with as any

core

Commit	Type	Description
a0aa8304cd	feat	bootstrap via ApplicationRef with config
9c55fcb3e6	feat	de-duplicate host directives
8fe025f514	feat	drop support for TypeScript 5.9
77f1ca08e4	fix	handle missing serialized container hydration data

... (truncated)

Commits

• 17cae6a docs: fix bootstraping link
• f603d47 fix(core): escape forward slashes in transfer state to prevent crawler indexing
• 05d9b97 build: update cross-repo angular dependencies
• d4c8a9a refactor(compiler-cli): decouple SymbolBuilder from BoundTarget and minimize ...
• 057cc6d fix(core): remove obsolete iOS cursor pointer hack in event delegation
• c9f8f3a test(core): add missing import of ChangeDetectionStrategy in query_spec
• 910dcb6 refactor(compiler-cli): decouple TemplateSymbolBuilder from ts.TypeChecker
• 82192de fix(core): handle missing serialized container hydration data
• 2ae0912 refactor(core): address review comments on NG0750 error message
• e583f4c refactor(core): Add more detail to NG0750 error message
• Additional commits viewable in compare view

Updates @babel/traverse from 7.20.1 to 7.29.0

Release notes

Sourced from @​babel/traverse's releases.

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

🏃‍♀️ Performance

• babel-generator, babel-runtime-corejs3
  • #17642 [Babel 7] Improve generator performance (@​liuxingbaoyu)

Committers: 6

• David (@​simbahax)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• @​magic-akari

v7.28.6 (2026-01-12)

Thanks @​kadhirash and @​kolvian for your first PRs!

🐛 Bug Fix

• babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types
  • #17589 Improve Unicode handling in code-frame tokenizer (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17556 fix: transform-regenerator correctly handles scope (@​liuxingbaoyu)
• babel-plugin-transform-react-jsx
  • #17538 fix: Keep jsx comments (@​liuxingbaoyu)

💅 Polish

• babel-core, babel-standalone
  • #17606 Polish(standalone): improve message on invalid preset/plugin (@​JLHwung)

🏠 Internal

• babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex
  • #17580 Allow Babel 8 in compatible Babel 7 plugins (@​nicolo-ribaudo)

... (truncated)

Commits

• aa8394e v7.29.0
• 84366a8 fix(traverse): provide a hub when traversing a File or Program and no parentP...
• 229eb45 [7.x backport] fix: Rename switch discriminant references when body creates s...
• d7f4008 v7.28.6
• 905bc22 fix: lint errors in main branch (#17612)
• a03e2b6 fix: path.evaluate correctly returns confident (#17584)
• aac2c37 chore: Use Gulpfile.mts (#17579)
• 65c4a6b [Babel 8] fix: Improve traverse types (#17574)
• 99dcba5 chore: enable some ts-eslint rules (#17592)
• c92c491 Improve Unicode handling in code-frame tokenizer (#17589)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​babel/traverse since your current version.

Removes @tootallnate/once

Updates body-parser from 1.20.1 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

• Remove redundant depth check by @​blakeembrey in expressjs/body-parser#538
• ci: add support for Node.js v23 by @​Phillip9587 in expressjs/body-parser#553
• ci: restore CI for 1.x branch by @​bjohansebas in expressjs/body-parser#665
• deps: qs@^6.14.0 by @​bjohansebas in expressjs/body-parser#664
• deps: use tilde notation and update certain dependencies by @​Phillip9587 in expressjs/body-parser#668
• chore: remove SECURITY.md by @​Phillip9587 in expressjs/body-parser#669
• ci: add CodeQL (SAST) by @​Phillip9587 in expressjs/body-parser#670
• Release: 1.20.4 by @​UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to node@22.4.1 by @​wesleytodd in expressjs/body-parser#527
• deps: qs@6.12.3 by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

Changelog

Sourced from body-parser's changelog.

1.20.4 / 2025-12-01

• deps: qs@~6.14.0
• deps: use tilde notation for dependencies
• deps: http-errors@~2.0.1
• deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

Commits

• 7db202c 1.20.4 (#672)
• d8f8adb ci: add CodeQL (SAST) (#670)
• 6d133c1 chore: remove SECURITY.md (#669)
• fcd1535 deps: use tilde notation and update certain dependencies (#668)
• ec5fa29 deps: qs@~6.14.0 (#664)
• ffb95c1 ci: restore CI for 1.x branch (#665)
• 48a5f07 ci: add support for Node.js v23 (#553)
• f20f6ad Remove redundant depth check (#538)
• 1752951 1.20.3
• 39744cf chore: linter (#534)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cookie from 0.4.2 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

0.5.0

• Add priority option
• Fix expires option to reject invalid dates
• pref: improve default decode speed
• pref: remove slow string split in parse

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commi...

  Description has been truncated