Bump the npm_and_yarn group across 2 directories with 14 updates by dependabot[bot] · Pull Request #173 · EduIDE/scorpio

dependabot · 2026-03-06T12:37:52Z

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps the npm_and_yarn group with 4 updates in the / directory: markdown-it, minimatch, qs and underscore.
Bumps the npm_and_yarn group with 12 updates in the /webview directory:

Package	From	To
markdown-it	`14.1.0`	`14.1.1`
minimatch	`3.1.2`	`3.1.5`
glob	`10.4.5`	`10.5.0`
js-yaml	`4.1.0`	`4.1.1`
tmp	`0.0.33`	`removed`
@angular/common	`19.0.5`	`19.2.16`
@angular/compiler	`19.0.5`	`19.2.18`
@angular/core	`19.0.5`	`19.2.19`
dompurify	`3.2.3`	`3.3.2`
@babel/helpers	`7.26.0`	`7.28.6`
tar	`6.2.1`	`7.5.10`
immutable	`5.0.3`	`5.1.5`

Updates markdown-it from 14.1.0 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @ltduc147 for report.

Commits

b4a9b65 14.1.1 released
4b4bbca Fixed perf regression in linkify-it wrapper
d2782d8 Add supplementary example-driven documentation (#1092)
See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

Commits

d9b4c66 v6.15.0
cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
88e1563 [Fix] duplicates option should not apply to bracket notation keys
9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
85cc8ca v6.12.5
ffc12aa v6.11.4
0506b11 [actions] update reusable workflows
6a37faf [actions] update reusable workflows
8e8df5a [Fix] fix regressions from robustness refactor
d60bab3 v6.10.7
Additional commits viewable in compare view

Updates underscore from 1.13.7 to 1.13.8

Commits

9374840 Merge branch 'release/1.13.8'
309ad7e Re-generate annotated sources and minified codemaps
a1ac1d3 Add links to diff and docs in 1.13.8 change log entry
b579595 Mention CVE-2026-27601 in comments and documentation (#3011)
45ea015 Revert obfuscations from 42823bb.
4a4019e Update minified bundles
1ccfdd0 Add preliminary release notes for 1.13.8
42823bb Temporarily obfuscate comments
a6e23ae Make _.isEqual nonrecursive
f2b5164 Add regression test against stack overflow in _.isEqual
Additional commits viewable in compare view

Updates markdown-it from 14.1.0 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @ltduc147 for report.

Commits

b4a9b65 14.1.1 released
4b4bbca Fixed perf regression in linkify-it wrapper
d2782d8 Add supplementary example-driven documentation (#1092)
See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates glob from 10.4.5 to 10.5.0

Commits

56774ef 10.5.0
1e4e297 bin: Do not expose filenames to shell expansion
See full diff in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Removes tmp

Updates @angular/common from 19.0.5 to 19.2.16

Release notes

Sourced from @angular/common's releases.

19.2.16

http

Commit Description

prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit Description

introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core
The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

Before:
const bootstrap = () => bootstrapApplication(AppComponent, config);
After:
const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);
A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.
For more information please see: GHSA-68x2-mx4q-78m7

Changelog

Sourced from @angular/common's changelog.

19.2.16 (2025-11-26)

http

Commit Type Description

05fe6686a9 fix prevent XSRF token leakage to protocol-relative URLs

20.3.14 (2025-11-25)

http

Commit Type Description

0276479e7d fix prevent XSRF token leakage to protocol-relative URLs

21.0.1 (2025-11-25)

compiler-cli

Commit Type Description

39c577bc36 fix do not type check native controls with ControlValueAccessor

8d3a89a477 fix escape angular control flow in jsdoc

bc34083d34 fix ignore non-existent files

core

Commit Type Description

0ea1e07174 fix apply bootstrap-options migration to platformBrowserDynamic

70507b8c1c fix debug data causing memory leak for root effects

a55482fca3 fix notify profiler events in case of errors

49ad7c6508 fix use injected DOCUMENT for CSP_NONCE

cc1ec09931 perf avoid repeat searches for field directive

forms

Commit Type Description

7d5c7cf99a feat add DI option for classes on Field directive

8acf5d2756 fix allow dynamic type bindings on signal form controls

... (truncated)

Commits

05fe668 fix(http): prevent XSRF token leakage to protocol-relative URLs
12e2302 build: update common's locales to use rules_js (#61630)
9701047 test(common): Add circular deps test to 19.2.x (#61651)
2c876b4 fix(common): avoid injecting ApplicationRef in FetchBackend (#61649)
8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
2b1b14f fix(core): cleanup rxResource abort listener (#58306)
126efc9 fix(common): cancel reader when app is destroyed (#61528)
efda872 fix(common): prevent reading chunks if app is destroyed (#61354)
c43fd3a build: migrate common to use rules_js based toolchain (#61434)
185b780 build: migrate packages/core/schematics to ts_project (#61420)
Additional commits viewable in compare view

Updates @angular/compiler from 19.0.5 to 19.2.18

Release notes

Sourced from @angular/compiler's releases.

19.2.18

core

Commit Description

sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit Description

prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit Description

prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit Description

introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core
The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

Before:
const bootstrap = () => bootstrapApplication(AppComponent, config);
After:
const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);
A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.
For more information please see: GHSA-68x2-mx4q-78m7

Changelog

Sourced from @angular/compiler's changelog.

19.2.18 (2026-01-07)

core

Commit Type Description

26cdc53d9c fix sanitize sensitive attributes on SVG script elements

21.0.7 (2026-01-07)

compiler

Commit Type Description

8e808740c9 fix better types for a few expression AST nodes

63b1cdcf70 fix produce accurate span for typeof and void expressions

3c3ae0cb64 fix provide location information for literal map keys

523dbaf1c3 fix stop ThisReceiver inheritance from ImplicitReceiver

compiler-cli

Commit Type Description

4d9c4567ed fix ensure component import diagnostics are reported within the imports expression

cd405685af fix fix up spelling of diagnostic

778460fcca fix support qualified names in typeof type references

core

Commit Type Description

7c74674eb0 fix avoid leaking view data in animations

0edbee4550 fix explicitly cast signal node value to String

f9c29572d2 fix sanitize sensitive attributes on SVG script elements

forms

Commit Type Description

e3fba182f9 feat add [formField] directive

561772b152 fix allow custom controls to require dirty input

f0fb1d8581 fix allow custom controls to require hidden input

ec110f170b fix allow custom controls to require pending input

ae1dc16bb0 fix clean up abort listener after timeout

9748b0d5da fix support custom controls with non signal-based models

6bd22df987 fix Support readonly arrays in signal forms

router

Commit Type Description

41cd4a6af8 fix Fix RouterLink href not updating with queryParamsHandling

5e9e09aee0 fix handle errors from view transition updateCallbackDone promise

21.0.6 (2025-12-17)

Breaking Changes (affecting only experimental features)

... (truncated)

Commits

26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
24bab55 fix(compiler): lexer support for template literals in object literals (#61601)
fc2483e refactor(compiler): avoid duplication between FactoryTarget type (#61571)
8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
44bb328 fix(compiler): avoid conflicts between HMR code and local symbols (#61550)
1007079 build: update compiler-cli to not be stamped when used for the compiler in ng...
0d025c5 build: support new ng_project rule (#61336)
899cb4a refactor: add explicit types for exports relying on inferred call return type...
1312eb1 build: remove irrelevant madge circular deps tests (#61209)
Additional commits viewable in compare view

Updates @angular/core from 19.0.5 to 19.2.19

Release notes

Sourced from @angular/core's releases.

19.2.19

core

Commit Description

block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

(cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

19.2.18

core

Commit Description

sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit Description

prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit Description

prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit Description

introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core
The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

Before:
const bootstrap = () => bootstrapApplication(AppComponent, config);
After:
const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);
A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

... (truncated)

Changelog

Sourced from @angular/core's changelog.

19.2.19 (2026-02-25)

Breaking Changes

core

Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

(cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

core

Commit Type Description

747548721d fix block creation of sensitive URI attributes from ICU messages

20.3.17 (2026-02-25)

Breaking Changes

core

Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

(cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

core

Commit Type Description

7f9de3c118 fix block creation of sensitive URI attributes from ICU messages

21.2.0 (2026-02-25)

common

Commit Type Description

18003a33bb feat add an 'outlet' injector option for ngTemplateOutlet

8bbe6dc46c feat Add Location strategies to manage trailing slash on write

51cc914807 feat support height in ImageLoaderConfig and built-in loaders

compiler

Commit Type Description

72534e2a34 feat Add support for the instanceof binary operator

95b3f37d4a feat Exhaustive checks for switch blocks

04ba09a8d9 feat support AstVisitor.visitEmptyExpr()

ce80136e7b fix optimize away unnecessary restore/reset view calls

3242a61bae fix variable counter visiting some expressions twice

compiler-cli

Commit Type Description

473dd3e1cb fix attach source spans to object literal keys in TCB

a904d9f77b fix support nested component declaration

2ea6dfc6c9 fix update diagnostic to flag no-op arrow functions in listeners

core

... (truncated)

Commits

7475487 fix(core): block creation of sensitive URI attributes from ICU messages
26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
73d3e00 build: fix failing test (#61683)
9e1cd49 fix(migrations): preserve comments when removing unused imports (#61674)
a6d5479 build: migrate platform-server to rules_js (#61619)
2a26944 build: migrate platform-browser and platform-browser-dynamic package to use r...
2ae69f7 refactor: ensure tsurge migrations have clear ownership of files (#61612)
c101a3a refactor: clean-up deduplication workaround from migrations (#61421) (#61612)
Additional commits viewable in compare view

Updates dompurify from 3.2.3 to 3.3.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.2

Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters

Fixed a prototype pollution issue when working with custom elements, thanks @christos-eth

Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth

Bumped and removed several dependencies, thanks @Rotzbua

Fixed the test suite after bumping dependencies, thanks @Rotzbua

DOMPurify 3.3.1

Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @MariusRumpf

Updated the ESM import syntax to be more correct, thanks @binhpv

DOMPurify 3.3.0

Added the SVG mask-type attribute to default allow-list, thanks @prasadrajandran

Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @nelstrom

Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @Wim-Valgaeren

DOMPurify 3.2.7

Added new attributes and elements to default allow-list, thanks @elrion018

Added tagName parameter to custom element attributeNameCheck, thanks @nelstrom

Added better check for animated href attributes, thanks @llamakko

Updated and improved the bundled types, thanks @ssi02014

Updated several tests to better align with new browser encoding behaviors

Improved the handling of potentially risky content inside CDATA elements, thanks @securityMB & @terjanq

Improved the regular expression for raw-text elements to cover textareas, thanks @securityMB & @terjanq

DOMPurify 3.2.6

Fixed several typos and removed clutter from our documentation, thanks @Rotzbua

Added matrix: as an allowed URI scheme, thanks @kleinesfilmroellchen

Added better config hardening against prototype pollution, thanks @EffectRenan

Added better handling of attribute removal, thanks @michalnieruchalski-tiugo

Added better configuration for aggressive mXSS scrubbing behavior, thanks @BryanValverdeU

Removed the script that caused the fake entry CVE-2025-48050

DOMPurify 3.2.5

Added a check to the mXSS detection regex to be more strict, thanks @masatokinugawa

Added ESM type imports in source, removes patch function, thanks @donmccurdy

Added script to verify various TypeScript configurations, thanks @reduckted

Added more modern browsers to the Karma launchers list

Added Node 23.x to tested runtimes, removed Node 17.x

Fixed the generation of source maps, thanks @reduckted

Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @hhk-png

Fixed a few typos in the README file

DOMPurify 3.2.4

Fixed a conditional and config dependent mXSS-style bypass reported by @nsysean

Added a new feature to allow specific hook removal, thanks @davecardwell

Added purify.js and purify.min.js to exports, thanks @Aetherinox

Added better logic in case no window object is president, thanks @yehuya

Updated some dependencies called out by dependabot

... (truncated)

Commits

5e56114 Getting 3.x branch ready for 3.3.2 release (#1208)
e8c95f4 fix: Fixed the broken package-lock.json
9636037 Update package-lock.json
5cad4ce Getting 3.x branch ready for 3.3.2 releas (#1205)
6fc446a Merge pull request #1175 from cure53/main
3b3bf91 Merge branch 'main' of github.com:cure53/DOMPurify
9863f41 chore: Preparing 3.3.1 release
b4e0295 chore: Preparing 3.3.0 release
077746b build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)
4de68bb build(deps): bump actions/checkout from 5 to 6 (#1171)
Additional commits viewable in compare view

Updates @babel/helpers from 7.26.0 to 7.28.6

Release notes

Sourced from @babel/helpers's releases.

v7.28.6 (2026-01-12)

Thanks @kadhirash and @kolvian for your first PRs!

🐛 Bug Fix

babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types

#17589 Improve Unicode handling in code-frame tokenizer (@JLHwung)

babel-plugin-transform-regenerator

#17556 fix: transform-regenerator correctly handles scope (@liuxingbaoyu)

babel-plugin-transform-react-jsx

#17538 fix: Keep jsx comments (@liuxingbaoyu)

💅 Polish

babel-core, babel-standalone

#17606 Polish(standalone): improve message on invalid preset/plugin (@JLHwung)

🏠 Internal

babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex

#17580 Allow Babel 8 in compatible Babel 7 plugins (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-plugin-transform-react-jsx

#17555 perf: Use lighter traversal for jsx __source,__self (@liuxingbaoyu)

Committers: 7

Babel Bot (@babel-bot)

Eliot Pontarelli (@kolvian)

Huáng Jùnliàng (@JLHwung)

Kadhirash Sivakumar (@kadhirash)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

coderaiser (@coderaiser)

v7.28.5 (2025-10-23)

Thank you @CO0Ki3, @Olexandr88, and @youthfulhps for your first PRs!

👓 Spec Compliance

babel-parser

#17446 Allow Runtime Errors for Function Call Assignment Targets (@liuxingbaoyu)

babel-helper-validator-identifier

#17501 fix: update identifier to unicode 17 (@fisker)

🐛 Bug Fix

babel-plugin-proposal-destructuring-private

#17534 Allow mixing private destructuring and rest (@CO0Ki3)

babel-parser

#17521 Improve @babel/parser error typing (@JLHwung)

#17491 fix: improve ts-only declaration parsing (@JLHwung)

babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring

... (truncated)

Commits

d7f4008 v7.28.6
99dcba5 chore: enable some ts-eslint rules (#17592)
c1b55f6 Use eslint.config.mts (#17573)
35055e3 v7.28.4
18d88b8 Improve @babel/core typings (#17471)
ef155f5 v7.28.3
741cbd2 chore: fix various typos across codebase (#17476)
cac0ff4 v7.28.2
f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
baa4cb8 v7.27.6
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @babel/helpers since your current version.

Updates tar from 6.2.1 to 7.5.10

Changelog

Sourced from tar's changelog.

Changelog

7.5

Added zstd compression support.

Consistent TOCTOU behavior in sync t.list

Only read from ustar block if not specified in Pax

Fix sync tar.list when file size reduces while reading

Sanitize absolute linkpaths properly

Prevent writing hardlink entries to the archive ahead of their file target

7.4

Deprecate onentry in favor of onReadEntry for clarity.

7.3

Add onWriteEntry option

7.2

DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

Update minipass to v7.1.0

Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

Drop support for node <18

Rewrite in TypeScript, provi...
Description has been truncated

Bumps the npm_and_yarn group with 4 updates in the / directory: [markdown-it](https://github.com/markdown-it/markdown-it), [minimatch](https://github.com/isaacs/minimatch), [qs](https://github.com/ljharb/qs) and [underscore](https://github.com/jashkenas/underscore). Bumps the npm_and_yarn group with 12 updates in the /webview directory: | Package | From | To | | --- | --- | --- | | [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.0` | `14.1.1` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [glob](https://github.com/isaacs/node-glob) | `10.4.5` | `10.5.0` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [tmp](https://github.com/raszi/node-tmp) | `0.0.33` | `removed` | | [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `19.0.5` | `19.2.16` | | [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `19.0.5` | `19.2.18` | | [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `19.0.5` | `19.2.19` | | [dompurify](https://github.com/cure53/DOMPurify) | `3.2.3` | `3.3.2` | | [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) | `7.26.0` | `7.28.6` | | [tar](https://github.com/isaacs/node-tar) | `6.2.1` | `7.5.10` | | [immutable](https://github.com/immutable-js/immutable-js) | `5.0.3` | `5.1.5` | Updates `markdown-it` from 14.1.0 to 14.1.1 - [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md) - [Commits](markdown-it/markdown-it@14.1.0...14.1.1) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `qs` from 6.14.1 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.1...v6.15.0) Updates `underscore` from 1.13.7 to 1.13.8 - [Commits](jashkenas/underscore@1.13.7...1.13.8) Updates `markdown-it` from 14.1.0 to 14.1.1 - [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md) - [Commits](markdown-it/markdown-it@14.1.0...14.1.1) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `glob` from 10.4.5 to 10.5.0 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v10.4.5...v10.5.0) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Removes `tmp` Updates `@angular/common` from 19.0.5 to 19.2.16 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/19.2.16/packages/common) Updates `@angular/compiler` from 19.0.5 to 19.2.18 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v19.2.18/packages/compiler) Updates `@angular/core` from 19.0.5 to 19.2.19 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v19.2.19/packages/core) Updates `dompurify` from 3.2.3 to 3.3.2 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.2.3...3.3.2) Updates `@babel/helpers` from 7.26.0 to 7.28.6 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.28.6/packages/babel-helpers) Updates `tar` from 6.2.1 to 7.5.10 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v6.2.1...v7.5.10) Updates `immutable` from 5.0.3 to 5.1.5 - [Release notes](https://github.com/immutable-js/immutable-js/releases) - [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md) - [Commits](immutable-js/immutable-js@v5.0.3...v5.1.5) --- updated-dependencies: - dependency-name: markdown-it dependency-version: 14.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: underscore dependency-version: 1.13.8 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: markdown-it dependency-version: 14.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: glob dependency-version: 10.5.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tmp dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@angular/common" dependency-version: 19.2.16 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@angular/compiler" dependency-version: 19.2.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@angular/core" dependency-version: 19.2.19 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.3.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@babel/helpers" dependency-version: 7.28.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.10 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: immutable dependency-version: 5.1.5 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

Updates all dependencies from open renovate/dependabot PRs (#154, #155, #157, #158, #159, #160, #162, #163, #164, #165, #173) into a single consolidated update: Root package (extension): - markdown-it: ^14.1.0 → ^14.1.1 (security fix) - @types/assert: ^1.5.10 → ^1.5.11 - @types/webpack-env: ^1.18.5 → ^1.18.8 - @vscode/test-web: ^0.0.62 → ^0.0.80 - eslint: ^9.12.0 → ^9.39.3 Webview package: - dompurify: ^3.1.7 → ^3.2.4 (security fix) - markdown-it: ^14.1.0 → ^14.1.1 (security fix) - rxjs: ~7.8.1 → ~7.8.2 - bootstrap: ^5.3.3 → ^5.3.8 - @vscode/markdown-it-katex: ^1.1.0 → ^1.1.2 - @types/katex: ^0.16.7 → ^0.16.8 Also migrates ESLint config from legacy .eslintrc.json to the new flat config format (eslint.config.js) required by ESLint v9, and removes the deprecated @typescript-eslint/semi rule (removed in @typescript-eslint v8). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…160, #162, #163, #164, #165, #173) (#175) Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

dependabot · 2026-03-06T12:55:36Z

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 6, 2026

github-actions bot assigned dependabot[bot] Mar 6, 2026

Mtze mentioned this pull request Mar 6, 2026

chore: consolidate dependency updates (#154, #155, #157, #158, #159, #160, #162, #163, #164, #165, #173) #175

Merged

4 tasks

Mtze added a commit that referenced this pull request Mar 6, 2026

chore: consolidate dependency updates (#154, #155, #157, #158, #159, #…

efa5e14

…160, #162, #163, #164, #165, #173) (#175) Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Mtze closed this Mar 6, 2026

dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-145194b7fe branch March 6, 2026 12:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 2 directories with 14 updates#173

Bump the npm_and_yarn group across 2 directories with 14 updates#173
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-145194b7fe

dependabot bot commented on behalf of github Mar 6, 2026 •

edited

Loading

Uh oh!

dependabot bot commented on behalf of github Mar 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to `platformBrowserDynamic`
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected `DOCUMENT` for `CSP_NONCE`
cc1ec09931	perf	avoid repeat searches for field directive

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on `Field` directive
8acf5d2756	fix	allow dynamic `type` bindings on signal form controls

Commit	Type	Description
8e808740c9	fix	better types for a few expression AST nodes
63b1cdcf70	fix	produce accurate span for typeof and void expressions
3c3ae0cb64	fix	provide location information for literal map keys
523dbaf1c3	fix	stop ThisReceiver inheritance from ImplicitReceiver

Commit	Type	Description
4d9c4567ed	fix	ensure component import diagnostics are reported within the `imports` expression
cd405685af	fix	fix up spelling of diagnostic
778460fcca	fix	support qualified names in `typeof` type references

Commit	Type	Description
7c74674eb0	fix	avoid leaking view data in animations
0edbee4550	fix	explicitly cast signal node value to String
f9c29572d2	fix	sanitize sensitive attributes on SVG script elements

Commit	Type	Description
e3fba182f9	feat	add `[formField]` directive
561772b152	fix	allow custom controls to require `dirty` input
f0fb1d8581	fix	allow custom controls to require `hidden` input
ec110f170b	fix	allow custom controls to require `pending` input
ae1dc16bb0	fix	clean up abort listener after timeout
9748b0d5da	fix	support custom controls with non signal-based models
6bd22df987	fix	Support readonly arrays in signal forms

Commit	Type	Description
41cd4a6af8	fix	Fix RouterLink href not updating with `queryParamsHandling`
5e9e09aee0	fix	handle errors from view transition `updateCallbackDone` promise

Commit	Type	Description
18003a33bb	feat	add an 'outlet' injector option for ngTemplateOutlet
8bbe6dc46c	feat	Add Location strategies to manage trailing slash on write
51cc914807	feat	support height in ImageLoaderConfig and built-in loaders

Commit	Type	Description
72534e2a34	feat	Add support for the `instanceof` binary operator
95b3f37d4a	feat	Exhaustive checks for switch blocks
04ba09a8d9	feat	support `AstVisitor.visitEmptyExpr()`
ce80136e7b	fix	optimize away unnecessary restore/reset view calls
3242a61bae	fix	variable counter visiting some expressions twice

Commit	Type	Description
473dd3e1cb	fix	attach source spans to object literal keys in TCB
a904d9f77b	fix	support nested component declaration
2ea6dfc6c9	fix	update diagnostic to flag no-op arrow functions in listeners

Conversation

dependabot bot commented on behalf of github Mar 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

[14.1.1] - 2026-01-11

Security

6.15.0

6.14.2

[14.1.1] - 2026-01-11

Security

[4.1.1] - 2025-11-12

Security

19.2.16

http

19.2.15

core

Breaking Changes

core

19.2.16 (2025-11-26)

http

20.3.14 (2025-11-25)

http

21.0.1 (2025-11-25)

compiler-cli

core

forms

19.2.18

core

19.2.17

compiler

19.2.16

http

19.2.15

core

Breaking Changes

core

19.2.18 (2026-01-07)

core

21.0.7 (2026-01-07)

compiler

compiler-cli

core

forms

router

21.0.6 (2025-12-17)

Breaking Changes (affecting only experimental features)

19.2.19

core

Breaking Changes

core

19.2.18

core

19.2.17

compiler

19.2.16

http

19.2.15

core

Breaking Changes

core

19.2.19 (2026-02-25)

Breaking Changes

core

core

20.3.17 (2026-02-25)

Breaking Changes

core

core

21.2.0 (2026-02-25)

common

compiler

compiler-cli

core

DOMPurify 3.3.2

DOMPurify 3.3.1

DOMPurify 3.3.0

DOMPurify 3.2.7

DOMPurify 3.2.6

DOMPurify 3.2.5

DOMPurify 3.2.4

v7.28.6 (2026-01-12)

dependabot bot commented on behalf of github Mar 6, 2026 •

edited

Loading