chore(deps): bump the npm_and_yarn group across 1 directory with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
@angular/core	19.2.18	19.2.20
minimatch	3.1.2	3.1.5
minimatch	9.0.5	9.0.9
tar	6.2.1	7.5.11
gh-pages	3.2.3	6.3.0
immutable	5.1.4	5.1.5
qs	6.14.1	6.14.2
serialize-javascript	6.0.2	removed

Updates @angular/core from 19.2.18 to 19.2.20

Release notes

Sourced from @​angular/core's releases.

19.2.20

compiler

Commit	Description
	disallow translations of iframe src

core

Commit	Description
	sanitize translated attribute bindings with interpolations
	sanitize translated form attributes

19.2.19

core

Commit	Description
	block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

• Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

  (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

Changelog

Sourced from @​angular/core's changelog.

19.2.20 (2026-03-12)

compiler

Commit	Type	Description
5be912eb55	fix	disallow translations of iframe src

core

Commit	Type	Description
b89b0a83a4	fix	sanitize translated attribute bindings with interpolations
621c7071ad	fix	sanitize translated form attributes

20.3.18 (2026-03-12)

compiler

Commit	Type	Description
02fbf08890	fix	disallow translations of iframe src

core

Commit	Type	Description
72126f9a08	fix	sanitize translated attribute bindings with interpolations
626bc8bc20	fix	sanitize translated form attributes

22.0.0-next.3 (2026-03-12)

compiler

Commit	Type	Description
78dea55351	fix	disallow translations of iframe src

core

Commit	Type	Description
999c14eaab	fix	reverts "feat(core): add support for nested animations"
de0eb4c656	fix	sanitize translated form attributes

21.2.4 (2026-03-12)

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description

... (truncated)

Commits

• 621c707 fix(core): sanitize translated form attributes
• b89b0a8 fix(core): sanitize translated attribute bindings with interpolations
• 7475487 fix(core): block creation of sensitive URI attributes from ICU messages
• See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates minimatch from 9.0.5 to 9.0.9

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates tar from 6.2.1 to 7.5.11

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• bf776f6 7.5.11
• f48b5fa prevent escaping symlinks with drive-relative paths
• 97cff15 docs: more security info
• 2b72abc 7.5.10
• 7bc755d parse root off paths before sanitizing .. parts
• c8cb846 update deps
• 1f0c2c9 7.5.9
• fbb0851 build minified version as default export
• 6b8eba0 7.5.8
• 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates gh-pages from 3.2.3 to 6.3.0

Release notes

Sourced from gh-pages's releases.

v6.3.0

What's Changed

• Bump chai from 4.3.10 to 4.5.0 by @​dependabot in tschaub/gh-pages#584
• Bump mocha from 10.7.3 to 10.8.2 by @​dependabot in tschaub/gh-pages#583
• Bump mocha from 10.8.2 to 11.0.1 by @​dependabot in tschaub/gh-pages#590
• Bump eslint-config-tschaub from 14.1.2 to 15.1.0 by @​dependabot in tschaub/gh-pages#587
• Bump commander from 11.1.0 to 13.0.0 by @​dependabot in tschaub/gh-pages#591
• Support filenames starting with - by @​sherlockdoyle in tschaub/gh-pages#593

New Contributors

• @​sherlockdoyle made their first contribution in tschaub/gh-pages#593

Full Changelog: tschaub/gh-pages@v6.2.0...v6.3.0

v6.2.0

What's Changed

• fix: update instruction for next.js by @​multivoltage in tschaub/gh-pages#541
• Bump mocha from 10.2.0 to 10.3.0 by @​dependabot in tschaub/gh-pages#545
• Bump eslint from 8.56.0 to 8.57.0 by @​dependabot in tschaub/gh-pages#548
• Bump tmp from 0.2.1 to 0.2.3 by @​dependabot in tschaub/gh-pages#549
• Bump mocha from 10.3.0 to 10.4.0 by @​dependabot in tschaub/gh-pages#550
• Bump dir-compare from 4.2.0 to 5.0.0 by @​dependabot in tschaub/gh-pages#555
• Bump sinon from 17.0.1 to 17.0.2 by @​dependabot in tschaub/gh-pages#557
• Bump sinon from 17.0.2 to 18.0.0 by @​dependabot in tschaub/gh-pages#561
• Bump braces from 3.0.2 to 3.0.3 by @​dependabot in tschaub/gh-pages#563
• Bump mocha from 10.4.0 to 10.6.0 by @​dependabot in tschaub/gh-pages#569
• Bump mocha from 10.6.0 to 10.7.0 by @​dependabot in tschaub/gh-pages#571
• Bump mocha from 10.7.0 to 10.7.3 by @​dependabot in tschaub/gh-pages#573
• Bump async from 3.2.5 to 3.2.6 by @​dependabot in tschaub/gh-pages#576
• Bump eslint from 8.57.0 to 8.57.1 by @​dependabot in tschaub/gh-pages#579
• Bump sinon from 18.0.0 to 19.0.2 by @​dependabot in tschaub/gh-pages#578
• Update globby by @​tschaub in tschaub/gh-pages#581

New Contributors

• @​multivoltage made their first contribution in tschaub/gh-pages#541

Full Changelog: tschaub/gh-pages@v6.1.1...v6.2.0

v6.1.1

Fixes

• fix: Add missing cname option not passed to the config by @​WillBAnders in tschaub/gh-pages#535

Dependency Updates

• Bump eslint from 8.53.0 to 8.55.0 by @​dependabot in tschaub/gh-pages#538
• Bump fs-extra from 11.1.1 to 11.2.0 by @​dependabot in tschaub/gh-pages#537
• Bump eslint from 8.55.0 to 8.56.0 by @​dependabot in tschaub/gh-pages#539

New Contributors

• @​WillBAnders made their first contribution in tschaub/gh-pages#535

... (truncated)

Changelog

Sourced from gh-pages's changelog.

v6.3.0

This relesae includes a fix for filenames starting with - and a number of dependency updates. See below for details.

• #593 - Handle filenames starting with a dash (@​sherlockdoyle)
• #591 - Bump commander from 11.1.0 to 13.0.0 (@​tschaub)
• #587 - Bump eslint-config-tschaub from 14.1.2 to 15.1.0 (@​tschaub)
• #590 - Bump mocha from 10.8.2 to 11.0.1 (@​tschaub)
• #583 - Bump mocha from 10.7.3 to 10.8.2 (@​tschaub)
• #584 - Bump chai from 4.3.10 to 4.5.0 (@​tschaub)

v6.2.0

Assorted dependency updates and a documentation change.

• #581 - Update globby (@​tschaub)
• #578 - Bump sinon from 18.0.0 to 19.0.2 (@​tschaub)
• #579 - Bump eslint from 8.57.0 to 8.57.1 (@​tschaub)
• #576 - Bump async from 3.2.5 to 3.2.6 (@​tschaub)
• #573 - Bump mocha from 10.7.0 to 10.7.3 (@​tschaub)
• #571 - Bump mocha from 10.6.0 to 10.7.0 (@​tschaub)
• #569 - Bump mocha from 10.4.0 to 10.6.0 (@​tschaub)
• #563 - Bump braces from 3.0.2 to 3.0.3 (@​tschaub)
• #561 - Bump sinon from 17.0.2 to 18.0.0 (@​tschaub)
• #557 - Bump sinon from 17.0.1 to 17.0.2 (@​tschaub)
• #555 - Bump dir-compare from 4.2.0 to 5.0.0 (@​tschaub)
• #550 - Bump mocha from 10.3.0 to 10.4.0 (@​tschaub)
• #549 - Bump tmp from 0.2.1 to 0.2.3 (@​tschaub)
• #548 - Bump eslint from 8.56.0 to 8.57.0 (@​tschaub)
• #545 - Bump mocha from 10.2.0 to 10.3.0 (@​tschaub)
• #541 - fix: update instruction for next.js (@​multivoltage)

v6.1.1

This release fixes an issue with the --cname option.

• #535 - fix: Add missing cname option not passed to the config (@​WillBAnders)
• #539 - Bump eslint from 8.55.0 to 8.56.0 (@​tschaub)

v6.1.0

This release adds support for --nojekyll and --cname options.

• #531 - Bump sinon from 15.2.0 to 17.0.1 (@​tschaub)
• #529 - Bump async from 3.2.4 to 3.2.5 (@​tschaub)
• #524 - Bump commander from 11.0.0 to 11.1.0 (@​tschaub)
• #530 - Bump eslint from 8.49.0 to 8.53.0 (@​tschaub)
• #520 - Bump chai from 4.3.8 to 4.3.10 (@​tschaub)
• #527 - Bump actions/setup-node from 3 to 4 (@​tschaub)
• #533 - Add --nojekyll and --cname options (@​tschaub)

... (truncated)

Commits

• ed6cd8e 6.3.0
• 7bfced0 Log changes
• fe4756c Merge pull request #593 from sherlockdoyle/fix-592
• 7e44de2 fixes #592
• b3478f0 Merge pull request #591 from tschaub/dependabot/npm_and_yarn/commander-13.0.0
• 1208c2e Remove extra argument
• fbf8432 Bump commander from 11.1.0 to 13.0.0
• 4be5ff0 Merge pull request #587 from tschaub/dependabot/npm_and_yarn/eslint-config-ts...
• b18ebf0 Updates to work with ESLint 9
• b7862ca Bump eslint-config-tschaub from 14.1.2 to 15.1.0
• Additional commits viewable in compare view

Updates immutable from 5.1.4 to 5.1.5

Release notes

Sourced from immutable's releases.

v5.1.5

What's Changed

• Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable
• Upgrade devtools and use immutable version by @​jdeniau in immutable-js/immutable-js#2158

Full Changelog: immutable-js/immutable-js@v5.1.4...v5.1.5

Changelog

Sourced from immutable's changelog.

5.1.5

• Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Commits

• b37b855 5.1.5
• 16b3313 Merge commit from fork
• fd2ef49 fix new proto key injection
• 6734b7b fix Prototype Pollution in mergeDeep, toJS, etc.
• 6f772de Merge pull request #2175 from immutable-js/dependabot/npm_and_yarn/rollup-4.59.0
• 5f3dc61 Bump rollup from 4.34.8 to 4.59.0
• 049a594 Merge pull request #2173 from immutable-js/dependabot/npm_and_yarn/lodash-4.1...
• 2481a77 Merge pull request #2172 from mrazauskas/update-tstyche
• eb04779 Bump lodash from 4.17.21 to 4.17.23
• b973bf3 format
• Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Removes serialize-javascript

Updates webpack from 5.98.0 to 5.105.2

Release notes

Sourced from webpack's releases.

v5.105.2

Patch Changes

• Fixed WebpackPluginInstance type regression. (by @​alexander-akait in #20440)

v5.105.1

Patch Changes

• Fix VirtualUrlPlugin Windows compatibility by sanitizing cache keys and filenames. Cache keys now use toSafePath to replace colons (:) with double underscores (__) and sanitize other invalid characters, ensuring compatibility with Windows filesystem restrictions. (by @​xiaoxiaojx in #20424)

• Revert part of the createRequire generation behavior for require("node:...") to keep compatibility with those modules exports, e.g. const EventEmitter = require("node:events");. (by @​hai-x in #20433)

• Skip guard collection when exports-presence mode is disabled to improve parsing performance. (by @​hai-x in #20433)

v5.105.0

Minor Changes

• Allow resolving worker module by export condition name when using new Worker() (by @​hai-x in #20353)

• Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by @​hai-x in #20320)

• Added the tsconfig option for the resolver options (replacement for tsconfig-paths-webpack-plugin). Can be false (disabled), true (use the default tsconfig.json file to search for it), a string path to tsconfig.json, or an object with configFile and references options. (by @​alexander-akait in #20400)

• Support import.defer() for context modules. (by @​ahabhgk in #20399)

• Added support for array values ​​to the devtool option. (by @​hai-x in #20191)

• Improve rendering node built-in modules for ECMA module output. (by @​hai-x in #20255)

• Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by @​xiaoxiaojx in #20312)

Patch Changes

• Fixed ESM default export handling for .mjs files in Module Federation (by @​y-okt in #20189)

• Optimized import.meta.env handling in destructuring assignments by using cached stringified environment definitions. (by @​xiaoxiaojx in #20313)

• Respect the stats.errorStack option in stats output. (by @​samarthsinh2660 in #20258)

• Fixed a bug where declaring a module variable in module scope would conflict with the default moduleArgument. (by @​xiaoxiaojx in #20265)

• Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by @​xiaoxiaojx in #20390)

• Fixed Worker self-import handling to support various URL patterns (e.g., import.meta.url, new URL(import.meta.url), new URL(import.meta.url, import.meta.url), new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by @​xiaoxiaojx in #20381)

• Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by @​xiaoxiaojx in #20345)

• Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by @​samarthsinh2660 in #20251)

• Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by @​hai-x in #20346)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.2

Patch Changes

• Fixed WebpackPluginInstance type regression. (by @​alexander-akait in #20440)

5.105.1

Patch Changes

• Fix VirtualUrlPlugin Windows compatibility by sanitizing cache keys and filenames. Cache keys now use toSafePath to replace colons (:) with double underscores (__) and sanitize other invalid characters, ensuring compatibility with Windows filesystem restrictions. (by @​xiaoxiaojx in #20424)

• Revert part of the createRequire generation behavior for require("node:...") to keep compatibility with those modules exports, e.g. const EventEmitter = require("node:events");. (by @​hai-x in #20433)

• Skip guard collection when exports-presence mode is disabled to improve parsing performance. (by @​hai-x in #20433)

5.105.0

Minor Changes

• Allow resolving worker module by export condition name when using new Worker() (by @​hai-x in #20353)

• Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by @​hai-x in #20320)

• Added the tsconfig option for the resolver options (replacement for tsconfig-paths-webpack-plugin). Can be false (disabled), true (use the default tsconfig.json file to search for it), a string path to tsconfig.json, or an object with configFile and references options. (by @​alexander-akait in #20400)

• Support import.defer() for context modules. (by @​ahabhgk in #20399)

• Added support for array values ​​to the devtool option. (by @​hai-x in #20191)

• Improve rendering node built-in modules for ECMA module output. (by @​hai-x in #20255)

• Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by @​xiaoxiaojx in #20312)

Patch Changes

• Fixed ESM default export handling for .mjs files in Module Federation (by @​y-okt in #20189)

• Optimized import.meta.env handling in destructuring assignments by using cached stringified environment definitions. (by @​xiaoxiaojx in #20313)

• Respect the stats.errorStack option in stats output. (by @​samarthsinh2660 in #20258)

• Fixed a bug where declaring a module variable in module scope would conflict with the default moduleArgument. (by @​xiaoxiaojx in #20265)

• Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by @​xiaoxiaojx in #20390)

• Fixed Worker self-import handling to support various URL patterns (e.g., import.meta.url, new URL(import.meta.url), new URL(import.meta.url, import.meta.url), new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by @​xiaoxiaojx in #20381)

• Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by @​xiaoxiaojx in #20345)

... (truncated)

Commits

• 0756c7e chore(release): new release (#20441)
• ff28476 chore(deps): bump CodSpeedHQ/action in the dependencies group (#20442)
• 4d3ed66 ci: discord using curl
• 004550a ci: discord fix
• 44bf97b ci: emulate release for discord using other approach
• 9c71a09 ci: emulate release for discord
• 02d3bc9 ci: allow to run release announcement
• 6c62c28 ci: fix discord
• 900219d fix: type regression (#20440)
• 8e50ef2 chore(release): new release (#20429)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[Copilot]

Pull request overview

This PR updates frontend build/runtime dependencies (primarily Angular and related tooling) via a Dependabot “npm_and_yarn” group bump.

Changes:

• Bumps @angular/core to ^19.2.20.
• Updates Angular toolchain packages (@angular/cli, @angular-devkit/build-angular) and @angular/compiler versions.
• Bumps angular-cli-ghpages to ^3.0.2.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.