Bump the npm_and_yarn group across 1 directory with 27 updates

[dependabot]

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
@angular/common	4.3.2	19.2.16
@angular/core	4.3.2	10.2.5
karma	1.7.0	6.4.4
bl	1.2.2	1.2.3
decode-uri-component	0.2.0	0.2.2
dot-prop	4.2.0	4.2.1
ini	1.3.5	1.3.8
jszip	3.1.5	3.10.1
mixin-deep	1.3.1	1.3.2
set-value	2.0.0	2.0.1
thenify	3.3.0	3.3.1
yargs-parser	16.1.0	removed

Updates @angular/common from 4.3.2 to 19.2.16

Release notes

Sourced from @​angular/common's releases.

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

For more information please see: GHSA-68x2-mx4q-78m7

19.2.14

compiler

Commit	Description
	lexer support for template literals in object literals (#61601)

migrations

Commit	Description
	preserve comments when removing unused imports (#61674)

19.2.13

common

Commit	Description
	avoid injecting ApplicationRef in FetchBackend (#61649)

service-worker

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

19.2.16 (2025-11-26)

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

21.1.0-next.0 (2025-11-25)

platform-browser

Commit	Type	Description
ec9dc94cee	feat	add context to createApplication
ab67988d2e	feat	resolve JIT resources in createApplication

router

Commit	Type	Description
a03c82564d	feat	Add scroll behavior controls on router navigation
c25d749d85	feat	Execute RunGuardsAndResolvers function in injection context
c84d372778	feat	Support wildcard params with segments trailing (#64737)

20.3.14 (2025-11-25)

http

Commit	Type	Description
0276479e7d	fix	prevent XSRF token leakage to protocol-relative URLs

21.0.1 (2025-11-25)

compiler-cli

| Commit | Type | Description |

... (truncated)

Commits

• 05fe668 fix(http): prevent XSRF token leakage to protocol-relative URLs
• 12e2302 build: update common's locales to use rules_js (#61630)
• 9701047 test(common): Add circular deps test to 19.2.x (#61651)
• 2c876b4 fix(common): avoid injecting ApplicationRef in FetchBackend (#61649)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 2b1b14f fix(core): cleanup rxResource abort listener (#58306)
• 126efc9 fix(common): cancel reader when app is destroyed (#61528)
• efda872 fix(common): prevent reading chunks if app is destroyed (#61354)
• c43fd3a build: migrate common to use rules_js based toolchain (#61434)
• 185b780 build: migrate packages/core/schematics to ts_project (#61420)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for @​angular/common since your current version.

Updates @angular/core from 4.3.2 to 10.2.5

Changelog

Sourced from @​angular/core's changelog.

10.2.5 (2021-04-14)

Bug Fixes

• compiler-cli: show a more specific error for Ivy NgModules (#41534) (#41598) (f630f33)
• core: fix possible XSS attack in development through SSR (#40525) (ba8da74)

10.2.4 (2020-12-17)

Bug Fixes

• core: fix possible XSS attack in development through SSR. (#40152) (0b8e3d5)
• core: set ngDevMode to false when calling enableProdMode() (#40160) (90570c0)

10.2.3 (2020-11-09)

Bug Fixes

• compiler: ensure that i18n message-parts have the correct source-span (#39589) (e67a331)
• compiler: skipping leading whitespace should not break placeholder source-spans (#39589) (2b684b7), closes #39195
• compiler-cli: avoid duplicate diagnostics about unknown pipes (#39517) (861e4fa)
• compiler-cli: do not drop non-Angular decorators when downleveling (#39577) (1c6cf8a), closes #39574

10.2.2 (2020-11-04)

Bug Fixes

• compiler-cli: report missing pipes when fullTemplateTypeCheck is disabled (#39320) (71d0063), closes #38195
• core: markDirty() should only mark flags when really scheduling tick. (#39316) (8c82106), closes #39296
• router: Ensure all outlets are used when commands have a prefix (#39456) (85d5242)

Performance Improvements

• core: do not recurse into modules that have already been registered (#39514) (812355c), closes #39487

... (truncated)

Commits

• ba8da74 fix(core): fix possible XSS attack in development through SSR (#40525)
• 90570c0 fix(core): set ngDevMode to false when calling enableProdMode() (#40160)
• 0b8e3d5 fix(core): fix possible XSS attack in development through SSR. (#40152)
• 1aee8b3 refactor(compiler): store the fullStart location on ParseSourceSpans (#39...
• 812355c perf(core): do not recurse into modules that have already been registered (#3...
• 8f36c21 refactor(router): Small refactor of createUrlTree and extra tests (#39456)
• 90acb91 docs: tView.preOrderHooks and tView.preOrderCheckHooks docs update (#39497)
• 8c82106 fix(core): markDirty() should only mark flags when really scheduling tick. (#...
• 0b37249 docs(core): update a typo in the comment of ngZoneEventCoalescing (#39423)
• 3b779a1 docs: fix typo in initializeInputAndOutputAliases docstring (#39438)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for @​angular/core since your current version.

Updates karma from 1.7.0 to 6.4.4

Release notes

Sourced from karma's releases.

v6.4.4

6.4.4 (2024-07-29)

v6.4.3

6.4.3 (2024-02-24)

Bug Fixes

• add build commits for patch release (d7f2d69)

v6.4.2

6.4.2 (2023-04-21)

Bug Fixes

• few typos (c6a4271)

v6.4.1

6.4.1 (2022-09-19)

Bug Fixes

• pass integrity value (63d86be)

v6.4.0

6.4.0 (2022-06-14)

Features

• support SRI verification of link tags (dc51a2e)
• support SRI verification of script tags (6a54b1c)

v6.3.20

6.3.20 (2022-05-13)

Bug Fixes

• prefer IPv4 addresses when resolving domains (e17698f), closes #3730

v6.3.19

6.3.19 (2022-04-19)

Bug Fixes

... (truncated)

Changelog

Sourced from karma's changelog.

6.4.4 (2024-07-29)

6.4.3 (2024-02-24)

Bug Fixes

• add build commits for patch release (d7f2d69)

6.4.2 (2023-04-21)

Bug Fixes

• few typos (c6a4271)

6.4.1 (2022-09-19)

Bug Fixes

• pass integrity value (63d86be)

6.4.0 (2022-06-14)

Features

• support SRI verification of link tags (dc51a2e)
• support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

• prefer IPv4 addresses when resolving domains (e17698f), closes #3730

6.3.19 (2022-04-19)

Bug Fixes

• client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

... (truncated)

Commits

• 84f85e7 chore(release): 6.4.4 [skip ci]
• a4d1284 build(deps-dev): bump ws from 6.2.1 to 6.2.3
• d8cf806 chore(release): 6.4.3 [skip ci]
• d7f2d69 fix: add build commits for patch release
• 85a2eeb build(deps-dev): bump decode-uri-component from 0.2.0 to 0.2.2
• 0bffce2 build(deps): updated socket.io version to fix security issues with socket.io-...
• 86667ab build(deps): bump follow-redirects from 1.11.0 to 1.15.4
• 450fdfd docs: Add deprecation notice to Karma README
• 9de3c00 chore(release): 6.4.2 [skip ci]
• c6a4271 fix: few typos
• Additional commits viewable in compare view

Updates braces from 0.1.5 to 1.8.5

Changelog

Sourced from braces's changelog.

[1.8.5] - 2016-05-21

• Refactor (#10)

[1.8.4] - 2016-04-20

• fixes jonschlinkert/micromatch#66

[1.8.0] - 2015-03-18

• adds exponent examples, tests
• fixes the first example in jonschlinkert/micromatch#38

[1.6.0] - 2015-01-30

• optimizations, bash mode:
• improve path escaping

[1.5.0] - 2015-01-28

• Merge pull request #5 from eush77/lib-files

[1.4.0] - 2015-01-24

• add extglob tests
• externalize exponent function
• better whitespace handling

[1.3.0] - 2015-01-24

• make regex patterns explicity

[1.1.0] - 2015-01-11

• don't create a match group with makeRe

[1.0.0] - 2014-12-23

• Merge commit '97b05f5544f8348736a8efaecf5c32bbe3e2ad6e'
• support empty brace syntax
• better bash coverage
• better support for regex strings

[0.1.4] - 2014-11-14

• improve recognition of bad args, recognize mismatched argument types
• support escaping
• remove pathname-expansion
• support whitespace in patterns

... (truncated)

Commits

• See full diff in compare view

Updates bl from 1.2.2 to 1.2.3

Commits

• d69edfd 1.2.3
• 847473a test all branches
• 0bd87ec Fix unintialized memory access
• dc097f3 test newer versions of Node
• See full diff in compare view

Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

• Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

• Switch to GitHub workflows 76abc93
• Fix issue where decode throws - fixes #6 746ca5d
• Update license (#1) 486d7e2
• Tidelift tasks a650457
• Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

• a0eea46 0.2.2
• 980e0bf Prevent overwriting previously decoded tokens
• 3c8a373 0.2.1
• 76abc93 Switch to GitHub workflows
• 746ca5d Fix issue where decode throws - fixes #6
• 486d7e2 Update license (#1)
• a650457 Tidelift tasks
• 66e1c28 Meta tweaks
• See full diff in compare view

Updates dot-prop from 4.2.0 to 4.2.1

Release notes

Sourced from dot-prop's releases.

v4.2.1

• Backport sindresorhus/dot-prop@3039c8c to the v4.x release line.

Commits

• c914124 feat: patch 4.2.0 with fixes for CVE-2020-8116
• See full diff in compare view

Updates cookie from 0.3.1 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

0.5.0

• Add priority option
• Fix expires option to reject invalid dates
• pref: improve default decode speed
• pref: remove slow string split in parse

0.4.2

• pref: read value only when assigning in parse
• pref: remove unnecessary regexp in parse

0.4.1

• Fix maxAge option to reject invalid values

0.4.0

• Add SameSite=None support

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates follow-redirects from 1.7.0 to 1.15.11

Commits

• 21ef28a Release version 1.15.11 of the npm package.
• 7c88135 Roll back tree shaking.
• 6e389ba Release version 1.15.10 of the npm package.
• 5bc496e Shake me up before you go-go.
• 694d6b4 Bump minimist from 1.2.5 to 1.2.8
• e4e55c7 Release version 1.15.9 of the npm package.
• 31a1abf Attempt much more gentle detection.
• d2aaa97 Fix url field.
• 62558f0 Release version 1.15.8 of the npm package.
• a8d1cee Return subtlety.
• Additional commits viewable in compare view

Updates fsevents from 1.2.9 to 2.3.3

Release notes

Sourced from fsevents's releases.

Release v2.3.3

Released to npm as v2.3.3

Release v2.3.2

Released to npm as v2.3.2

Release v2.3.1

Released to npm as v2.3.1

Release contains universal binary for x86 & amd64 (m1) chips

Release v2.2.2

Released to npm as v2.2.2

Universal Binary Support x86-64 & amd64(m1)

Release v2.2.0

Electron Enabled (no static functions/variables)

Release v1.2.3

No release notes provided.

Release v2.1.2

No release notes provided.

2.1.0

Latest stable release

Release NAPI v2.0.6

Include essential files only.

Release NAPI v2.0.5

No release notes provided.

Release NAPI v2.0.4

No release notes provided.

Release NAPI v2.0.3

Moved NAPI version out of experimental.

NAPI release

No release notes provided.

deprecated

Fixing the API for chokidar since it was calling FSEvents as a constructor

deprecated

We have upgraded to N-API. For that reason we have also dropped support for node < 6.

For that reason, we have made this a major version bump so dependents have to opt in. The actual API remains entirely the same, so if you are depending on fsevents, it should be as simple as changing the version number in your package.json.

... (truncated)

Commits

• 2db891e Release v2.3.3
• 8ec87bf Update nodejs.yml (#392)
• c20c3af readme
• 63709df Merge pull request #384 from aleksanb/subdirs
• a77340f Handle MustScanSubDirs for large projects
• 66be519 Update README.md (#371)
• 2f2a858 Update README.md (#364)
• a7f5d00 Release v2.3.2
• fab136a fix: issue #355 (#356)
• 328ae39 Release v2.3.1
• Additional commits viewable in compare view

Updates ini from 1.3.5 to 1.3.8

Commits

• a2c5da8 1.3.8
• af5c6bb Do not use Object.create(null)
• 8b648a1 don't test where our devdeps don't even work
• c74c8af 1.3.7
• 024b8b5 update deps, add linting
• 032fbaf Use Object.create(null) to avoid default object property hazards
• 2da9039 1.3.6
• cfea636 better git push script, before publish instead of after
• 56d2805 do not allow invalid hazardous string as section name
• See full diff in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for ini since your current version.

Updates minimist from 0.0.8 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

• [Fix] Fix long option followed by single dash [#17](https://github.com/minimistjs/minimist/issues/17)
• [Tests] Remove duplicate test [#12](https://github.com/minimistjs/minimist/issues/12)
• [Fix] opt.string works with multiple aliases [#10](https://github.com/minimistjs/minimist/issues/10)

Fixed

• [Fix] Fix long option followed by single dash (#17) [#15](https://github.com/minimistjs/minimist/issues/15)
• [Tests] Remove duplicate test (#12) [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] Fix long option followed by single dash [#15](https://github.com/minimistjs/minimist/issues/15)
• [Fix] opt.string works with multiple aliases (#10) [#9](https://github.com/minimistjs/minimist/issues/9)
• [Fix] Fix handling of short option with non-trivial equals [#5](https://github.com/minimistjs/minimist/issues/5)
• [Tests] Remove duplicate test [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] opt.string works with multiple aliases [#9](https://github.com/minimistjs/minimist/issues/9)

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [eslint] fix indentation and whitespace e5f5067
• [eslint] more cleanup 62fde7d
• [eslint] more cleanup 36ac5d0
• [meta] add auto-changelog 73923d2
• [actions] add reusable workflows d80727d
• [eslint] add eslint; rules to enable later are warnings 48bc06a
• [eslint] fix indentation 34b0f1c
• [readme] rename and add badges 5df0fe4
• [Dev Deps] switch from covert to nyc a48b128
• [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
• [meta] create FUNDING.yml; add funding in package.json 3639e0c
• [meta] use npmignore to autogenerate an npmignore file be2e038
• Only apps should have lockfiles 282b570
• isConstructorOrProto adapted from PR ef9153f
• [Dev Deps] update @ljharb/eslint-config, aud 098873c
• [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
• [meta] add safe-publish-latest 4b927de
• [Tests] add aud in posttest b32d9bd
• [meta] update repo URLs f9fdfc0
• [actions] Avoid 0.6 tests due to build failures ba92fe6
• [Dev Deps] update tape 950eaa7
• [Dev Deps] add missing npmignore dev dep 3226afa
• Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits

• 6901ee2 v1.2.8
• a026794 Merge tag 'v0.2.3'
• c0b2661 v0.2.3
• 63b8fee [Fix] Fix long option followed by single dash (#17)
• 72239e6 [Tests] Remove duplicate test (#12)
• 34b0f1c [eslint] fix indentation
• 3226afa [Dev Deps] add missing npmignore dev dep
• 098873c [Dev Deps] update @ljharb/eslint-config, aud
• 9ec4d27 [Fix] Fix long option followed by single dash
• ba92fe6 [actions] Avoid 0.6 tests due to build failures
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for minimist since your current version.

Updates http-proxy from 1.17.0 to 1.18.1

Changelog

Sourced from http-proxy's changelog.

v1.18.1 - 2020-05-17

Merged

• Skip sending the proxyReq event when the expect header is present [#1447](https://github.com/http-party/node-http-proxy/issues/1447)
• Remove node6 support, add node12 to build [#1397](https://github.com/http-party/node-http-proxy/issues/1397)

1.18.0 - 2019-09-18

Merged

• Added in auto-changelog module set to keepachangelog format [#1373](https://github.com/http-party/node-http-proxy/issues/1373)
• fix 'Modify Response' readme section to avoid unnecessary array copying [#1300](https://github.com/http-party/node-http-proxy/issues/1300)
• Fix incorrect target name for reverse proxy example [#1135](https://github.com/http-party/node-http-proxy/issues/1135)
• Fix modify response middleware example [#1139](https://github.com/http-party/node-http-proxy/issues/1139)
• [dist] Update dependency async to v3 [#1359](https://github.com/http-party/node-http-proxy/issues/1359)
• Fix path to local http-proxy in examples. [#1072](https://github.com/http-party/node-http-proxy/issues/1072)
• fix reverse-proxy example require path [#1067](https://github.com/http-party/node-http-proxy/issues/1067)
• Update README.md [#970](https://github.com/http-party/node-http-proxy/issues/970)
• [dist] Update dependency request to ~2.88.0 [SECURITY] [#1357](https://github.com/http-party/node-http-proxy/issues/1357)
• [dist] Update dependency eventemitter3 to v4 [#1365](https://github.com/http-party/node-http-proxy/issues/1365)
• [dist] Update dependency colors to v1 [#1360](https://github.com/http-party/node-http-proxy/issues/1360)
• [dist] Update all non-major dependencies [#1356](https://github.com/http-party/node-http-proxy/issues/1356)
• [dist] Update dependency agentkeepalive to v4 [#1358](https://github.com/http-party/node-http-proxy/issues/1358)
• [dist] Update dependency nyc to v14 [#1367](https://github.com/http-party/node-http-proxy/issues/1367)
• [dist] Update dependency concat-stream to v2 [#1363](https://github.com/http-party/node-http-proxy/issues/1363)
• x-forwarded-host overwrite for mutli level proxies [#1267](https://github.com/http-party/node-http-proxy/issues/1267)
• [refactor doc] Complete rename to http-party org. [#1362](https://github.com/http-party/node-http-proxy/issues/1362)
• Highlight correct lines for createProxyServer [#1117](https://github.com/http-party/node-http-proxy/issues/1117)
• Fix docs for rewrite options - 201 also handled [#1147](https://github.com/http-party/node-http-proxy/issues/1147)
• Update .nyc_output [#1339](https://github.com/http-party/node-http-proxy/issues/1339)
• Configure Renovate [#1355](https://github.com/http-party/node-http-proxy/issues/1355)
• [examples] Restream body before proxying, support for Content-Type of application/x-www-form-urlencoded [#1264](https://github.com/http-party/node-http-proxy/issues/1264)

Commits

• [dist] New test fixtures. 7e4a0e5
• [dist] End of an era. a9b09cc
• [dist] Version bump. 1.18.0 9bbe486
• [fix] Latest versions. 59c4403
• [fix test] Update tests. dd1d08b
• [dist] Update dependency ws to v3 [SECURITY] b00911c
• [dist] .gitattributes all the things. fc93520
• [dist] Regenerate package-lock.json. 16d4f8a

Commits

• 9b96cd7 1.18.1
• 335aeeb Skip sending the proxyReq event when the expect header is present (#1447)
• dba3966 Remove node6 support, add node12 to build (#1397)
• 9bbe486 [dist] Version bump. 1.18.0
• 6e4bef4 Added in auto-changelog module set to keepachangelog format (#1373)
• d056241 fix 'Modify Response' readme section to avoid unnecessary array copying (#1300)
• 244303b Fix incorrect target name for reverse proxy example (#1135)
• b4028ba Fix modify response middleware example (#1139)
• 77a9815 [dist] Update dependency async to v3 (#1359)
• c662f9e Fix path to local http-proxy in examples. (#1072)
• Additional commits viewable in compare view

Updates jszip from 3.1.5 to 3.10.1

Changelog

Sourced from jszip's changelog.

v3.10.1 2022-08-02

• Add sponsorship files.
  • If you appreciate the time spent maintaining JSZip then I would really appreciate your sponsorship.
• Consolidate metadata types and expose OnUpdateCallback #851 and #852
• use const instead var in example from README.markdown #828
• Switch manual download link to HTTPS #839

Internals:

• Replace jshint with eslint #842
• Add performance tests #834

v3.10.0 2022-05-20

• Change setimmediate dependency to more efficient one. Fixes Stuk/jszip#617 (see #829)
• Update types of currentFile metadata to include null (see #826)

v3.9.1 2022-04-06

• Fix recursive definition of InputFileFormat introduced in 3.9.0.

v3.9.0 2022-04-04

• Update types JSZip#loadAsync to accept a promise for data, and remove arguments from new JSZip() (see #752)
• Update types for compressionOptions to JSZipFileOptions and JSZipGeneratorOptions (see #722)
• Add types for generateInternalStream (see #774...

  Description has been truncated