Bump the npm_and_yarn group across 1 directory with 36 updates

[dependabot]

Bumps the npm_and_yarn group with 10 updates in the / directory:

Package	From	To
@angular/common	12.1.2	21.2.14
@angular/compiler	12.1.2	21.2.14
@angular/core	12.1.2	21.2.14
karma	6.3.4	6.3.16
@tootallnate/once	1.1.2	removed
follow-redirects	1.14.1	1.16.0
lodash	4.17.21	4.18.1
minimatch	3.0.4	3.1.5
moment	2.29.1	2.30.1
picomatch	2.3.0	2.3.2

Updates @angular/common from 12.1.2 to 21.2.14

Release notes

Sourced from @​angular/common's releases.

21.2.14

compiler

Commit	Description
	strip namespaced SVG script elements during template compilation

core

Commit	Description
	do not insert todo when migrating void @​Output
	makes resource URL sanitizer lookup case-insensitive
	reject script element as a dynamic component host
	visit ICU expressions in signal migration schematics

router

Commit	Description
	skip scroll-to-top on initial navigation when hydrating

21.2.13

core

Commit	Description
	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Description
	add allowedHosts option to renderModule and renderApplication
	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

21.2.12

core

Commit	Description
	allow explicit read generic with signal input transforms
	i18n flags leaking on errors
	respect ngSkipHydration on components with projectable nodes in LContainers
	sanitizer typings
	validate security-sensitive attributes in i18n bindings
	visit ng-let expression value in signal migration schematics

forms

Commit	Description
	prohibit concurrent submits in signal forms

21.2.11

common

Commit	Description
	prevent focus from scrollToAnchor

compiler

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

21.2.14 (2026-05-20)

compiler

Commit	Type	Description
68282dff9f	fix	strip namespaced SVG script elements during template compilation

core

Commit	Type	Description
c0f52272ed	fix	do not insert todo when migrating void @​Output
938a7f3edd	fix	makes resource URL sanitizer lookup case-insensitive
0fb2724194	fix	reject script element as a dynamic component host
49113ac0ef	fix	visit ICU expressions in signal migration schematics

router

Commit	Type	Description
099bf577ee	fix	skip scroll-to-top on initial navigation when hydrating

22.0.0-rc.0 (2026-05-13)

compiler

Commit	Type	Description
c7aef8ec5d	fix	enforce parentheses containing arguments for :host-context
8a1533c9ad	fix	preserve leading commas in animation definitions
194f723f66	fix	remove dedicated support for legacy shadow DOM selectors
4c25a42e98	fix	remove deprecated shadow CSS encapsulation polyfills
7dc1017e51	fix	simplify handling of colon host with a selector list
ccb7d427e4	fix	type check invalid for loops

platform-server

Commit	Type	Description
119a19e604	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

21.2.13 (2026-05-13)

core

Commit	Type	Description
1c6553e97d	fix	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Type	Description
629905d537	fix	add allowedHosts option to renderModule and renderApplication
0b7192f441	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

... (truncated)

Commits

• 30cf85f refactor(common): update deprecation message
• 42d57c3 refactor(common): fix viewport tests
• 10ad3c0 fix(common): prevent focus from scrollToAnchor
• 540536c fix(http): add CSP nonce support to JsonpClientBackend
• 8102331 test(http): disable XSRF and mock location in HttpClient tests to avoid Domin...
• 13f050d test: construct local Date objects to fix timezone flakiness
• d0cf299 test: remove unsupported timezone from formatDate tests
• b4ab6ba fix(common): avoid redundant image fetch on destroy with auto sizes
• adda6c5 build: update aspect_rules_js to 3.0.2
• 93c6dc6 Revert "refactor(http): Improves base64 encoding/decoding with feature detect...
• Additional commits viewable in compare view

Updates @angular/compiler from 12.1.2 to 21.2.14

Release notes

Sourced from @​angular/compiler's releases.

21.2.14

compiler

Commit	Description
	strip namespaced SVG script elements during template compilation

core

Commit	Description
	do not insert todo when migrating void @​Output
	makes resource URL sanitizer lookup case-insensitive
	reject script element as a dynamic component host
	visit ICU expressions in signal migration schematics

router

Commit	Description
	skip scroll-to-top on initial navigation when hydrating

21.2.13

core

Commit	Description
	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Description
	add allowedHosts option to renderModule and renderApplication
	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

21.2.12

core

Commit	Description
	allow explicit read generic with signal input transforms
	i18n flags leaking on errors
	respect ngSkipHydration on components with projectable nodes in LContainers
	sanitizer typings
	validate security-sensitive attributes in i18n bindings
	visit ng-let expression value in signal migration schematics

forms

Commit	Description
	prohibit concurrent submits in signal forms

21.2.11

common

Commit	Description
	prevent focus from scrollToAnchor

compiler

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

21.2.14 (2026-05-20)

compiler

Commit	Type	Description
68282dff9f	fix	strip namespaced SVG script elements during template compilation

core

Commit	Type	Description
c0f52272ed	fix	do not insert todo when migrating void @​Output
938a7f3edd	fix	makes resource URL sanitizer lookup case-insensitive
0fb2724194	fix	reject script element as a dynamic component host
49113ac0ef	fix	visit ICU expressions in signal migration schematics

router

Commit	Type	Description
099bf577ee	fix	skip scroll-to-top on initial navigation when hydrating

22.0.0-rc.0 (2026-05-13)

compiler

Commit	Type	Description
c7aef8ec5d	fix	enforce parentheses containing arguments for :host-context
8a1533c9ad	fix	preserve leading commas in animation definitions
194f723f66	fix	remove dedicated support for legacy shadow DOM selectors
4c25a42e98	fix	remove deprecated shadow CSS encapsulation polyfills
7dc1017e51	fix	simplify handling of colon host with a selector list
ccb7d427e4	fix	type check invalid for loops

platform-server

Commit	Type	Description
119a19e604	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

21.2.13 (2026-05-13)

core

Commit	Type	Description
1c6553e97d	fix	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Type	Description
629905d537	fix	add allowedHosts option to renderModule and renderApplication
0b7192f441	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

... (truncated)

Commits

• 68282df fix(compiler): strip namespaced SVG script elements during template compilation
• 6652ec0 refactor(core): align namespaced attribute validation and security schema con...
• baf92da test: remove invalid css that was causing issues with the postcss parser
• 1c6553e fix(core): disallow event attribute bindings in host bindings unconditionally
• 4f5d8a2 fix(compiler): let declaration span not including end character
• a4f3120 refactor(compiler): require a reference in DirectiveMeta
• de533fe refactor(compiler-cli): move ClassPropertyMapping into compiler
• ea1e34c refactor(compiler): move matchSource into base metadata
• e40d378 fix(compiler): handle nested brackets in host object bindings
• d04ddd7 fix(core): prevent binding unsafe attributes on SVG animation elements (#67797)
• Additional commits viewable in compare view

Updates @angular/core from 12.1.2 to 21.2.14

Release notes

Sourced from @​angular/core's releases.

21.2.14

compiler

Commit	Description
	strip namespaced SVG script elements during template compilation

core

Commit	Description
	do not insert todo when migrating void @​Output
	makes resource URL sanitizer lookup case-insensitive
	reject script element as a dynamic component host
	visit ICU expressions in signal migration schematics

router

Commit	Description
	skip scroll-to-top on initial navigation when hydrating

21.2.13

core

Commit	Description
	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Description
	add allowedHosts option to renderModule and renderApplication
	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

21.2.12

core

Commit	Description
	allow explicit read generic with signal input transforms
	i18n flags leaking on errors
	respect ngSkipHydration on components with projectable nodes in LContainers
	sanitizer typings
	validate security-sensitive attributes in i18n bindings
	visit ng-let expression value in signal migration schematics

forms

Commit	Description
	prohibit concurrent submits in signal forms

21.2.11

common

Commit	Description
	prevent focus from scrollToAnchor

compiler

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

21.2.14 (2026-05-20)

compiler

Commit	Type	Description
68282dff9f	fix	strip namespaced SVG script elements during template compilation

core

Commit	Type	Description
c0f52272ed	fix	do not insert todo when migrating void @​Output
938a7f3edd	fix	makes resource URL sanitizer lookup case-insensitive
0fb2724194	fix	reject script element as a dynamic component host
49113ac0ef	fix	visit ICU expressions in signal migration schematics

router

Commit	Type	Description
099bf577ee	fix	skip scroll-to-top on initial navigation when hydrating

22.0.0-rc.0 (2026-05-13)

compiler

Commit	Type	Description
c7aef8ec5d	fix	enforce parentheses containing arguments for :host-context
8a1533c9ad	fix	preserve leading commas in animation definitions
194f723f66	fix	remove dedicated support for legacy shadow DOM selectors
4c25a42e98	fix	remove deprecated shadow CSS encapsulation polyfills
7dc1017e51	fix	simplify handling of colon host with a selector list
ccb7d427e4	fix	type check invalid for loops

platform-server

Commit	Type	Description
119a19e604	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

21.2.13 (2026-05-13)

core

Commit	Type	Description
1c6553e97d	fix	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Type	Description
629905d537	fix	add allowedHosts option to renderModule and renderApplication
0b7192f441	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

... (truncated)

Commits

• 1d6e71d docs: clarify ngDoCheck invocation behavior with OnPush strategy
• 49113ac fix(core): visit ICU expressions in signal migration schematics
• 68282df fix(compiler): strip namespaced SVG script elements during template compilation
• c0f5227 fix(core): do not insert todo when migrating void @​Output
• 0fb2724 fix(core): reject script element as a dynamic component host
• 6652ec0 refactor(core): align namespaced attribute validation and security schema con...
• 938a7f3 fix(core): makes resource URL sanitizer lookup case-insensitive
• 1c6553e fix(core): disallow event attribute bindings in host bindings unconditionally
• 9e38ed7 fix(core): sanitizer typings
• 3430251 fix(core): i18n flags leaking on errors
• Additional commits viewable in compare view

Updates karma from 6.3.4 to 6.3.16

Release notes

Sourced from karma's releases.

v6.3.16

6.3.16 (2022-02-10)

Bug Fixes

• security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

v6.3.15

6.3.15 (2022-02-05)

Bug Fixes

• helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes karma-runner/karma-coverage#434

v6.3.14

6.3.14 (2022-02-05)

Bug Fixes

• remove string template from client code (91d5acd)
• warn when singleRun and autoWatch are false (69cfc76)
• security: remove XSS vulnerability in returnUrl query param (839578c)

v6.3.13

6.3.13 (2022-01-31)

Bug Fixes

• deps: bump log4js to resolve security issue (5bf2df3), closes #3751

v6.3.12

6.3.12 (2022-01-24)

Bug Fixes

• remove depreciation warning from log4js (41bed33)

v6.3.11

6.3.11 (2022-01-13)

Bug Fixes

• deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

... (truncated)

Changelog

Sourced from karma's changelog.

6.3.16 (2022-02-10)

Bug Fixes

• security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

6.3.15 (2022-02-05)

Bug Fixes

• helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes karma-runner/karma-coverage#434

6.3.14 (2022-02-05)

Bug Fixes

• remove string template from client code (91d5acd)
• warn when singleRun and autoWatch are false (69cfc76)
• security: remove XSS vulnerability in returnUrl query param (839578c)

6.3.13 (2022-01-31)

Bug Fixes

• deps: bump log4js to resolve security issue (5bf2df3), closes #3751

6.3.12 (2022-01-24)

Bug Fixes

• remove depreciation warning from log4js (41bed33)

6.3.11 (2022-01-13)

Bug Fixes

• deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

6.3.10 (2022-01-08)

Bug Fixes

• logger: create parent folders if they are missing (0d24bd9), closes #3734

... (truncated)

Commits

• ab4b328 chore(release): 6.3.16 [skip ci]
• ff7edbb fix(security): mitigate the "Open Redirect Vulnerability"
• c1befa0 chore(release): 6.3.15 [skip ci]
• d9dade2 fix(helper): make mkdirIfNotExists helper resilient to concurrent calls
• 653c762 ci: prevent duplicate CI tasks on creating a PR
• c97e562 chore(release): 6.3.14 [skip ci]
• 91d5acd fix: remove string template from client code
• 69cfc76 fix: warn when singleRun and autoWatch are false
• 839578c fix(security): remove XSS vulnerability in returnUrl query param
• db53785 chore(release): 6.3.13 [skip ci]
• Additional commits viewable in compare view

Updates @babel/plugin-transform-modules-systemjs from 7.14.5 to 7.29.7

Release notes

Sourced from @​babel/plugin-transform-modules-systemjs's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• a458f66 v7.29.4
• 32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
• aa8394e v7.29.0
• 0053db6 Update polyfill packages (#17727)
• 61647ae v7.28.5
• a177d55 [Babel 8] Use t.traverseFast to replace some path.traverse (#17518)
• eebd3a0 v7.27.1
• 317e332 Enforce node protocol import (#17207)
• fdc0fb5 [Babel 8] Bump nodejs requirements to ^20.19.0 || >= 22.12.0 (#17204)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/plugin-transform-modules-systemjs since your current version.

Updates @babel/traverse from 7.14.8 to 7.29.7

Release notes

Sourced from @​babel/traverse's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• aa8394e v7.29.0
• 84366a8 fix(traverse): provide a hub when traversing a File or Program and no parentP...
• 229eb45 [7.x backport] fix: Rename switch discriminant references when body creates s...
• d7f4008 v7.28.6
• 905bc22 fix: lint errors in main branch (#17612)
• a03e2b6 fix: path.evaluate correctly returns confident (#17584)
• aac2c37 chore: Use Gulpfile.mts (#17579)
• 65c4a6b [Babel 8] fix: Improve traverse types (#17574)
• 99dcba5 chore: enable some ts-eslint rules (#17592)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/traverse since your current version.

Removes @tootallnate/once

Updates postcss from 7.0.36 to 8.5.12

Release notes

Sourced from postcss's releases.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
</tr></table> 

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fi...

  Description has been truncated

[netlify]

❌ Deploy Preview for ali-arrow failed.

Name	Link
🔨 Latest commit	a8ab397
🔍 Latest deploy log	https://app.netlify.com/projects/ali-arrow/deploys/6a1562ccbf29ab0007b8bffe

[netlify]

❌ Deploy Preview for ali-arrow-test failed.

Name	Link
🔨 Latest commit	a8ab397
🔍 Latest deploy log	https://app.netlify.com/projects/ali-arrow-test/deploys/6a1562cc5d3cc10008ae0358