⬆️ Bump the npm-security-updates group across 1 directory with 30 updates by dependabot[bot] · Pull Request #9 · servrox/ionic4-device-motion

dependabot · 2026-05-15T21:16:25Z

Bumps the npm-security-updates group with 16 updates in the / directory:

Package	From	To
@angular/common	`7.2.14`	`19.2.16`
@angular/core	`7.2.14`	`19.2.20`
@angular/compiler	`7.2.14`	`19.2.18`
@babel/traverse	`7.4.4`	`7.29.0`
body-parser	`1.18.3`	`1.20.5`
express	`4.16.4`	`4.22.2`
browserify-sign	`4.0.4`	`4.2.5`
cipher-base	`1.0.4`	`1.0.7`
cookie	`0.3.1`	`0.7.2`
follow-redirects	`1.7.0`	`1.16.0`
minimist	`0.0.8`	`1.2.8`
gh-pages	`0.12.0`	`6.3.0`
handlebars	`4.1.2`	`4.7.9`
ip	`1.1.5`	`removed`
js-yaml	`3.13.1`	`3.14.2`
lodash	`4.17.11`	`4.18.1`

Updates @angular/common from 7.2.14 to 19.2.16

Release notes

Sourced from @angular/common's releases.

19.2.16

http

Commit Description

prevent XSRF token leakage to protocol-relative URLs

Changelog

Sourced from @angular/common's changelog.

19.2.16 (2025-11-26)

http

Commit Type Description

05fe6686a9 fix prevent XSRF token leakage to protocol-relative URLs

20.3.14 (2025-11-25)

http

Commit Type Description

0276479e7d fix prevent XSRF token leakage to protocol-relative URLs

21.0.1 (2025-11-25)

compiler-cli

Commit Type Description

39c577bc36 fix do not type check native controls with ControlValueAccessor

8d3a89a477 fix escape angular control flow in jsdoc

bc34083d34 fix ignore non-existent files

core

Commit Type Description

0ea1e07174 fix apply bootstrap-options migration to platformBrowserDynamic

70507b8c1c fix debug data causing memory leak for root effects

a55482fca3 fix notify profiler events in case of errors

49ad7c6508 fix use injected DOCUMENT for CSP_NONCE

cc1ec09931 perf avoid repeat searches for field directive

forms

Commit Type Description

7d5c7cf99a feat add DI option for classes on Field directive

8acf5d2756 fix allow dynamic type bindings on signal form controls

... (truncated)

Commits

05fe668 fix(http): prevent XSRF token leakage to protocol-relative URLs
12e2302 build: update common's locales to use rules_js (#61630)
9701047 test(common): Add circular deps test to 19.2.x (#61651)
2c876b4 fix(common): avoid injecting ApplicationRef in FetchBackend (#61649)
8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
2b1b14f fix(core): cleanup rxResource abort listener (#58306)
126efc9 fix(common): cancel reader when app is destroyed (#61528)
efda872 fix(common): prevent reading chunks if app is destroyed (#61354)
c43fd3a build: migrate common to use rules_js based toolchain (#61434)
185b780 build: migrate packages/core/schematics to ts_project (#61420)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for @angular/common since your current version.

Updates @angular/core from 7.2.14 to 19.2.20

Release notes

Sourced from @angular/core's releases.

19.2.20

compiler

Commit Description

disallow translations of iframe src

core

Commit Description

sanitize translated attribute bindings with interpolations

sanitize translated form attributes

19.2.19

core

Commit Description

block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

(cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

19.2.18

core

Commit Description

sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit Description

prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit Description

prevent XSRF token leakage to protocol-relative URLs

Changelog

Sourced from @angular/core's changelog.

19.2.20 (2026-03-12)

compiler

Commit Type Description

5be912eb55 fix disallow translations of iframe src

core

Commit Type Description

b89b0a83a4 fix sanitize translated attribute bindings with interpolations

621c7071ad fix sanitize translated form attributes

20.3.18 (2026-03-12)

compiler

Commit Type Description

02fbf08890 fix disallow translations of iframe src

core

Commit Type Description

72126f9a08 fix sanitize translated attribute bindings with interpolations

626bc8bc20 fix sanitize translated form attributes

22.0.0-next.3 (2026-03-12)

compiler

Commit Type Description

78dea55351 fix disallow translations of iframe src

core

Commit Type Description

999c14eaab fix reverts "feat(core): add support for nested animations"

de0eb4c656 fix sanitize translated form attributes

21.2.4 (2026-03-12)

compiler

Commit Type Description

ed2d324f9c fix disallow translations of iframe src

core

Commit Type Description

... (truncated)

Commits

621c707 fix(core): sanitize translated form attributes
b89b0a8 fix(core): sanitize translated attribute bindings with interpolations
7475487 fix(core): block creation of sensitive URI attributes from ICU messages
26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
73d3e00 build: fix failing test (#61683)
9e1cd49 fix(migrations): preserve comments when removing unused imports (#61674)
a6d5479 build: migrate platform-server to rules_js (#61619)
2a26944 build: migrate platform-browser and platform-browser-dynamic package to use r...
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for @angular/core since your current version.

Updates @angular/compiler from 7.2.14 to 19.2.18

Release notes

Sourced from @angular/compiler's releases.

19.2.18

core

Commit Description

sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit Description

prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit Description

prevent XSRF token leakage to protocol-relative URLs

Changelog

Sourced from @angular/compiler's changelog.

19.2.18 (2026-01-07)

core

Commit Type Description

26cdc53d9c fix sanitize sensitive attributes on SVG script elements

21.0.7 (2026-01-07)

compiler

Commit Type Description

8e808740c9 fix better types for a few expression AST nodes

63b1cdcf70 fix produce accurate span for typeof and void expressions

3c3ae0cb64 fix provide location information for literal map keys

523dbaf1c3 fix stop ThisReceiver inheritance from ImplicitReceiver

compiler-cli

Commit Type Description

4d9c4567ed fix ensure component import diagnostics are reported within the imports expression

cd405685af fix fix up spelling of diagnostic

778460fcca fix support qualified names in typeof type references

core

Commit Type Description

7c74674eb0 fix avoid leaking view data in animations

0edbee4550 fix explicitly cast signal node value to String

f9c29572d2 fix sanitize sensitive attributes on SVG script elements

forms

Commit Type Description

e3fba182f9 feat add [formField] directive

561772b152 fix allow custom controls to require dirty input

f0fb1d8581 fix allow custom controls to require hidden input

ec110f170b fix allow custom controls to require pending input

ae1dc16bb0 fix clean up abort listener after timeout

9748b0d5da fix support custom controls with non signal-based models

6bd22df987 fix Support readonly arrays in signal forms

router

Commit Type Description

41cd4a6af8 fix Fix RouterLink href not updating with queryParamsHandling

5e9e09aee0 fix handle errors from view transition updateCallbackDone promise

21.0.6 (2025-12-17)

Breaking Changes (affecting only experimental features)

... (truncated)

Commits

26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
24bab55 fix(compiler): lexer support for template literals in object literals (#61601)
fc2483e refactor(compiler): avoid duplication between FactoryTarget type (#61571)
8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
44bb328 fix(compiler): avoid conflicts between HMR code and local symbols (#61550)
1007079 build: update compiler-cli to not be stamped when used for the compiler in ng...
0d025c5 build: support new ng_project rule (#61336)
899cb4a refactor: add explicit types for exports relying on inferred call return type...
1312eb1 build: remove irrelevant madge circular deps tests (#61209)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for @angular/compiler since your current version.

Updates @babel/traverse from 7.4.4 to 7.29.0

Release notes

Sourced from @babel/traverse's releases.

v7.29.0 (2026-01-31)

Thanks @simbahax for your first PR!

🚀 New Feature

babel-types

#17750 [7.x backport] Add attributes import declaration builder (@JLHwung)

babel-standalone

#17663 [7.x backport] feat(standalone): export async transform (@JLHwung)

#17725 [7.x backport] feat: read standalone targets from data-targets (@JLHwung)

🐛 Bug Fix

babel-parser

#17765 fix(parser): correctly parse type assertions in extends clause (@nicolo-ribaudo)

#17723 [7.x backport] fix(parser): improve super type argument parsing (@JLHwung)

babel-traverse

#17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@simbahax)

babel-plugin-transform-block-scoping, babel-traverse

#17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@magic-akari)

🏃‍♀️ Performance

babel-generator, babel-runtime-corejs3

#17642 [Babel 7] Improve generator performance (@liuxingbaoyu)

Committers: 6

David (@simbahax)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

@magic-akari

v7.28.6 (2026-01-12)

Thanks @kadhirash and @kolvian for your first PRs!

🐛 Bug Fix

babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types

#17589 Improve Unicode handling in code-frame tokenizer (@JLHwung)

babel-plugin-transform-regenerator

#17556 fix: transform-regenerator correctly handles scope (@liuxingbaoyu)

babel-plugin-transform-react-jsx

#17538 fix: Keep jsx comments (@liuxingbaoyu)

💅 Polish

babel-core, babel-standalone

#17606 Polish(standalone): improve message on invalid preset/plugin (@JLHwung)

🏠 Internal

babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex

#17580 Allow Babel 8 in compatible Babel 7 plugins (@nicolo-ribaudo)

... (truncated)

Commits

aa8394e v7.29.0
84366a8 fix(traverse): provide a hub when traversing a File or Program and no parentP...
229eb45 [7.x backport] fix: Rename switch discriminant references when body creates s...
d7f4008 v7.28.6
905bc22 fix: lint errors in main branch (#17612)
a03e2b6 fix: path.evaluate correctly returns confident (#17584)
aac2c37 chore: Use Gulpfile.mts (#17579)
65c4a6b [Babel 8] fix: Improve traverse types (#17574)
99dcba5 chore: enable some ts-eslint rules (#17592)
c92c491 Improve Unicode handling in code-frame tokenizer (#17589)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @babel/traverse since your current version.

Updates body-parser from 1.18.3 to 1.20.5

Release notes

Sourced from body-parser's releases.

v1.20.5

What's Changed

The reason for this release is a fix to the extended urlencoded parser returning objects instead of arrays for large array inputs (> 100) on qs@6.14.2+. (expressjs/body-parser#716)

refactor(json): simplify strict mode error string construction by @jonchurch in expressjs/body-parser#692

fix: correct off-by-one error in parameterCount by @abhu85 in expressjs/body-parser#716

deps(qs): bump qs to 6.15.1 by @jonchurch in expressjs/body-parser#722

Release: 1.20.5 by @jonchurch in expressjs/body-parser#721

New Contributors

@abhu85 made their first contribution in expressjs/body-parser#716

Special thanks to triager @krzysdz for keeping this on our radar and effectively triaging the specific issue!

Full Changelog: expressjs/body-parser@1.20.4...1.20.5

1.20.4

What's Changed

Remove redundant depth check by @blakeembrey in expressjs/body-parser#538

ci: add support for Node.js v23 by @Phillip9587 in expressjs/body-parser#553

ci: restore CI for 1.x branch by @bjohansebas in expressjs/body-parser#665

deps: qs@^6.14.0 by @bjohansebas in expressjs/body-parser#664

deps: use tilde notation and update certain dependencies by @Phillip9587 in expressjs/body-parser#668

chore: remove SECURITY.md by @Phillip9587 in expressjs/body-parser#669

ci: add CodeQL (SAST) by @Phillip9587 in expressjs/body-parser#670

Release: 1.20.4 by @UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/body-parser#522

ci: fix errors in ci github action for node 8 and 9 by @inigomarquinez in expressjs/body-parser#523

fix: pin to node@22.4.1 by @wesleytodd in expressjs/body-parser#527

deps: qs@6.12.3 by @melikhov-dev in expressjs/body-parser#521

Add OSSF Scorecard badge by @bjohansebas in expressjs/body-parser#531

Linter by @UlisesGascon in expressjs/body-parser#534

Release: 1.20.3 by @UlisesGascon in expressjs/body-parser#535

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.5 / 2026-04-24

refactor(json): simplify strict mode error string construction

fix: extended urlencoded parsing of arrays with >100 elements (#716)

deps: qs@~6.15.1

1.20.4 / 2025-12-01

deps: qs@~6.14.0

deps: use tilde notation for dependencies

deps: http-errors@~2.0.1

deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

Fix strict json error message on Node.js 19+

deps: content-type@~1.0.5

perf: skip value escaping when unnecessary

deps: raw-body@2.5.2

1.20.1 / 2022-10-06

deps: qs@6.11.0

perf: remove unnecessary object clone

1.20.0 / 2022-04-02

Fix error message for json parse whitespace in strict

Fix internal error when inflated body exceeds limit

Prevent loss of async hooks context

Prevent hanging when request already read

deps: depd@2.0.0

Replace internal eval usage with Function constructor

Use instance methods on process to check for listeners

deps: http-errors@2.0.0

deps: depd@2.0.0

deps: statuses@2.0.1

deps: on-finished@2.4.1

deps: qs@6.10.3

... (truncated)

Commits

0defdbe release(patch): 1.20.5
cd0e7a0 deps(qs): bump qs to 6.15.1
6f24d7e fix: correct off-by-one error in parameterCount (#716)
b849bd5 deps: qs@~6.14.1 (#690)
2c55e2f refactor(json): simplify strict mode error string construction (#692)
7db202c 1.20.4 (#672)
d8f8adb ci: add CodeQL (SAST) (#670)
6d133c1 chore: remove SECURITY.md (#669)
fcd1535 deps: use tilde notation and update certain dependencies (#668)
ec5fa29 deps: qs@~6.14.0 (#664)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for body-parser since your current version.

Updates express from 4.16.4 to 4.22.2

Release notes

Sourced from express's releases.

v4.22.2

What's Changed

fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)

This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.

deps: qs@~6.15.1

deps: body-parser@~1.20.5

New Contributors

@suuuuuuminnnnnn made their first contribution in expressjs/express#7021

@SAY-5 made their first contribution in expressjs/express#7181

Full Changelog: expressjs/express@v4.22.1...v4.22.2

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Release: 4.22.1 by @UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

Refactor: improve readability by @sazk07 in expressjs/express#6190

ci: add support for Node.js@23.0 by @UlisesGascon in expressjs/express#6080

Method functions with no path should error by @wesleytodd in expressjs/express#5957

ci: updated github actions ci workflow by @Phillip9587 in expressjs/express#6323

ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in expressjs/express#6336

Backport: ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6506

chore(4.x): wider range for query test skip by @jonchurch in expressjs/express#6513

use tilde notation for certain dependencies by @UlisesGascon in expressjs/express#6905

deps: qs@6.14.0 by @UlisesGascon in expressjs/express#6909

deps: use tilde notation for qs by @Phillip9587 in expressjs/express#6919

Release: 4.22.0 by @UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

4.22.2 / 2026-05-011

fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)

This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.

deps: qs@~6.15.1

deps: body-parser@~1.20.5

4.22.1 / 2025-12-01

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

4.22.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: use tilde notation for dependencies

deps: qs@6.14.0

4.21.2 / 2024-11-06

deps: path-to-regexp@0.1.12

Fix backtracking protection

deps: path-to-regexp@0.1.11

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: serve-static@1.16.2

includes send@0.19.0

deps: finalhandler@1.3.1

deps: qs@6.13.0

4.20.0 / 2024-09-10

deps: serve-static@0.16.0

Remove link renderization in html while redirecting

deps: send@0.19.0

Remove link renderization in html while redirecting

deps: body-parser@0.6.0

... (truncated)

Commits

df0abc9 4.22.2
836d366 4.x update qs to 6.15.1, body-parser 1.20.5 (#7224)
8d09bfe fix: restore array parsing for req.query repeated keys (#7181)
d39e8ad deps: body-parser@~1.20.4 (#7021)
efe85d9 deps: qs@^6.14.1 (#6972)
f62378e 📝 add note to history
12fae14 4.22.1
5ddf311 Revert "sec: security patch for CVE-2024-51999"
49744ab 4.22.0 (#6921)
6e97452 sec: security patch for CVE-2024-51999
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates browserify-sign from 4.0.4 to 4.2.5

Changelog

Sourced from browserify-sign's changelog.

v4.2.5 - 2025-09-24

Commits

[Tests] clean up tests and convert console info skips to tape skips 37b083c

[Fix] restore node 0.10 support faade86

[Deps] update parse-asn1 5a0f159

[actions] drop unsupported nodes from CI 106be97

v4.2.4 - 2025-09-22

Commits

[actions] split out node 10-20, and 20+ 17920d9

[meta] remove files field 6d5b280

[Deps] update bn.js, browserify-rsa, elliptic 31be0c2

[Dev Deps] update @ljharb/eslint-config, auto-changelog, semver, tape 5f66982

[Tests] replace aud with npm audit d44b24d

[Dev Deps] add missing peer dep ab975f4

[Deps] revert 9e2bf12, now that v3.1.1 is out 428cf7f

v4.2.3 - 2024-03-05

Commits

[patch] widen support to 0.12 9247adf

[patch] drop minimum node support to v1 4d0ee49

[Dev Deps] update aud, npmignore, tape 87f3a35

[actions] remove redundant finisher 37a4758

[Deps] pin hash-base to ~3.0, due to a breaking change 9e2bf12

[Deps] update parse-asn1 [f427270`](browserify/browserify-sign@f427270)

[Deps] update elliptic fb261ce

[Deps] pin elliptic due to a breaking change 168e16f

v4.2.2 - 2023-10-25

Fixed

[Tests] log when openssl doesn't support cipher [#37](https://github.com/crypto-browserify/browserify-sign/issues/37)

Commits

Only apps should have lockfiles 09a8995

[eslint] switch to eslint 83fe463

[meta] add npmignore and auto-changelog 4418183

[meta] fix package.json indentation 9ac5a5e

[Tests] migrate from travis to github actions d845d85

[Fix] sign: throw on unsupported padding scheme 8767739

[Fix] properly check the upper bound for DSA signatures

…ates Bumps the npm-security-updates group with 16 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `7.2.14` | `19.2.16` | | [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `7.2.14` | `19.2.20` | | [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `7.2.14` | `19.2.18` | | [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) | `7.4.4` | `7.29.0` | | [body-parser](https://github.com/expressjs/body-parser) | `1.18.3` | `1.20.5` | | [express](https://github.com/expressjs/express) | `4.16.4` | `4.22.2` | | [browserify-sign](https://github.com/crypto-browserify/browserify-sign) | `4.0.4` | `4.2.5` | | [cipher-base](https://github.com/crypto-browserify/cipher-base) | `1.0.4` | `1.0.7` | | [cookie](https://github.com/jshttp/cookie) | `0.3.1` | `0.7.2` | | [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.7.0` | `1.16.0` | | [minimist](https://github.com/minimistjs/minimist) | `0.0.8` | `1.2.8` | | [gh-pages](https://github.com/tschaub/gh-pages) | `0.12.0` | `6.3.0` | | [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.1.2` | `4.7.9` | | [ip](https://github.com/indutny/node-ip) | `1.1.5` | `removed` | | [js-yaml](https://github.com/nodeca/js-yaml) | `3.13.1` | `3.14.2` | | [lodash](https://github.com/lodash/lodash) | `4.17.11` | `4.18.1` | Updates `@angular/common` from 7.2.14 to 19.2.16 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/19.2.16/packages/common) Updates `@angular/core` from 7.2.14 to 19.2.20 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v19.2.20/packages/core) Updates `@angular/compiler` from 7.2.14 to 19.2.18 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v19.2.18/packages/compiler) Updates `@babel/traverse` from 7.4.4 to 7.29.0 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.0/packages/babel-traverse) Updates `body-parser` from 1.18.3 to 1.20.5 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/1.20.5/HISTORY.md) - [Commits](expressjs/body-parser@1.18.3...1.20.5) Updates `express` from 4.16.4 to 4.22.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md) - [Commits](expressjs/express@4.16.4...v4.22.2) Updates `browserify-sign` from 4.0.4 to 4.2.5 - [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md) - [Commits](browserify/browserify-sign@v4.0.4...v4.2.5) Updates `cipher-base` from 1.0.4 to 1.0.7 - [Changelog](https://github.com/browserify/cipher-base/blob/master/CHANGELOG.md) - [Commits](browserify/cipher-base@v1.0.4...v1.0.7) Updates `cookie` from 0.3.1 to 0.7.2 - [Release notes](https://github.com/jshttp/cookie/releases) - [Commits](jshttp/cookie@v0.3.1...v0.7.2) Updates `elliptic` from 6.4.1 to 6.6.1 - [Commits](indutny/elliptic@v6.4.1...v6.6.1) Updates `ws` from 3.3.3 to 6.2.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@3.3.3...6.2.1) Updates `express` from 4.16.4 to 4.22.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md) - [Commits](expressjs/express@4.16.4...v4.22.2) Updates `flatted` from 2.0.0 to 3.4.2 - [Commits](WebReflection/flatted@v2.0.0...v3.4.2) Updates `follow-redirects` from 1.7.0 to 1.16.0 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.7.0...v1.16.0) Updates `minimist` from 0.0.8 to 1.2.8 - [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md) - [Commits](minimistjs/minimist@v0.0.8...v1.2.8) Updates `gh-pages` from 0.12.0 to 6.3.0 - [Release notes](https://github.com/tschaub/gh-pages/releases) - [Changelog](https://github.com/tschaub/gh-pages/blob/main/changelog.md) - [Commits](tschaub/gh-pages@v0.12.0...v6.3.0) Updates `handlebars` from 4.1.2 to 4.7.9 - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.1.2...v4.7.9) Removes `ip` Updates `js-yaml` from 3.13.1 to 3.14.2 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@3.13.1...3.14.2) Updates `lodash` from 4.17.11 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.11...4.18.1) Updates `on-headers` from 1.0.2 to 1.1.0 - [Release notes](https://github.com/jshttp/on-headers/releases) - [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md) - [Commits](jshttp/on-headers@v1.0.2...v1.1.0) Updates `postcss` from 7.0.14 to 8.5.12 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@7.0.14...8.5.12) Updates `qs` from 1.2.2 to 6.5.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v1.2.2...v6.5.2) Updates `send` from 0.16.2 to 0.19.2 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.16.2...0.19.2) Updates `serialize-javascript` from 1.7.0 to 7.0.5 - [Release notes](https://github.com/yahoo/serialize-javascript/releases) - [Commits](yahoo/serialize-javascript@v1.7.0...v7.0.5) Updates `serve-static` from 1.13.2 to 1.16.3 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md) - [Commits](expressjs/serve-static@v1.13.2...v1.16.3) Updates `socket.io` from 2.1.1 to 4.8.3 - [Release notes](https://github.com/socketio/socket.io/releases) - [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md) - [Commits](https://github.com/socketio/socket.io/compare/2.1.1...socket.io@4.8.3) Updates `socket.io-parser` from 3.2.0 to 4.2.6 - [Release notes](https://github.com/socketio/socket.io/releases) - [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md) - [Commits](https://github.com/socketio/socket.io/commits/socket.io-parser@4.2.6) Updates `tree-kill` from 1.2.1 to 1.2.2 - [Release notes](https://github.com/pkrumins/node-tree-kill/releases) - [Commits](pkrumins/node-tree-kill@v1.2.1...v1.2.2) Updates `webpack-dev-middleware` from 3.4.0 to 7.4.5 - [Release notes](https://github.com/webpack/webpack-dev-middleware/releases) - [Changelog](https://github.com/webpack/webpack-dev-middleware/blob/main/CHANGELOG.md) - [Commits](webpack/webpack-dev-middleware@v3.4.0...v7.4.5) Updates `webpack-dev-server` from 3.1.14 to 5.2.3 - [Release notes](https://github.com/webpack/webpack-dev-server/releases) - [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md) - [Commits](webpack/webpack-dev-server@v3.1.14...v5.2.3) --- updated-dependencies: - dependency-name: "@angular/common" dependency-version: 19.2.16 dependency-type: direct:production dependency-group: npm-security-updates - dependency-name: "@angular/core" dependency-version: 19.2.20 dependency-type: direct:production dependency-group: npm-security-updates - dependency-name: "@angular/compiler" dependency-version: 19.2.18 dependency-type: direct:development dependency-group: npm-security-updates - dependency-name: "@babel/traverse" dependency-version: 7.29.0 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: body-parser dependency-version: 1.20.5 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: express dependency-version: 4.22.2 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: browserify-sign dependency-version: 4.2.5 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: cipher-base dependency-version: 1.0.7 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: cookie dependency-version: 0.7.2 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: elliptic dependency-version: 6.6.1 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: ws dependency-version: 6.2.1 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: express dependency-version: 4.22.2 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: follow-redirects dependency-version: 1.16.0 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: minimist dependency-version: 1.2.8 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: gh-pages dependency-version: 6.3.0 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: ip dependency-version: dependency-type: indirect dependency-group: npm-security-updates - dependency-name: js-yaml dependency-version: 3.14.2 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: on-headers dependency-version: 1.1.0 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: postcss dependency-version: 8.5.12 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: qs dependency-version: 6.5.2 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: send dependency-version: 0.19.2 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: serialize-javascript dependency-version: 7.0.5 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: serve-static dependency-version: 1.16.3 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: socket.io dependency-version: 4.8.3 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: socket.io-parser dependency-version: 4.2.6 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: tree-kill dependency-version: 1.2.2 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: webpack-dev-middleware dependency-version: 7.4.5 dependency-type: indirect dependency-group: npm-security-updates - dependency-name: webpack-dev-server dependency-version: 5.2.3 dependency-type: indirect dependency-group: npm-security-updates ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-05-15T21:16:26Z

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot Bot added the dependencies label May 15, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

⬆️ Bump the npm-security-updates group across 1 directory with 30 updates#9

⬆️ Bump the npm-security-updates group across 1 directory with 30 updates#9
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm-security-updates-3b22efd36c

dependabot Bot commented on behalf of github May 15, 2026

Uh oh!

dependabot Bot commented on behalf of github May 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to `platformBrowserDynamic`
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected `DOCUMENT` for `CSP_NONCE`
cc1ec09931	perf	avoid repeat searches for field directive

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on `Field` directive
8acf5d2756	fix	allow dynamic `type` bindings on signal form controls

Commit	Description
	sanitize translated attribute bindings with interpolations
	sanitize translated form attributes

Commit	Type	Description
b89b0a83a4	fix	sanitize translated attribute bindings with interpolations
621c7071ad	fix	sanitize translated form attributes

Commit	Type	Description
72126f9a08	fix	sanitize translated attribute bindings with interpolations
626bc8bc20	fix	sanitize translated form attributes

Commit	Type	Description
999c14eaab	fix	reverts "feat(core): add support for nested animations"
de0eb4c656	fix	sanitize translated form attributes

Commit	Type	Description
8e808740c9	fix	better types for a few expression AST nodes
63b1cdcf70	fix	produce accurate span for typeof and void expressions
3c3ae0cb64	fix	provide location information for literal map keys
523dbaf1c3	fix	stop ThisReceiver inheritance from ImplicitReceiver

Commit	Type	Description
4d9c4567ed	fix	ensure component import diagnostics are reported within the `imports` expression
cd405685af	fix	fix up spelling of diagnostic
778460fcca	fix	support qualified names in `typeof` type references

Commit	Type	Description
7c74674eb0	fix	avoid leaking view data in animations
0edbee4550	fix	explicitly cast signal node value to String
f9c29572d2	fix	sanitize sensitive attributes on SVG script elements

Commit	Type	Description
e3fba182f9	feat	add `[formField]` directive
561772b152	fix	allow custom controls to require `dirty` input
f0fb1d8581	fix	allow custom controls to require `hidden` input
ec110f170b	fix	allow custom controls to require `pending` input
ae1dc16bb0	fix	clean up abort listener after timeout
9748b0d5da	fix	support custom controls with non signal-based models
6bd22df987	fix	Support readonly arrays in signal forms

Commit	Type	Description
41cd4a6af8	fix	Fix RouterLink href not updating with `queryParamsHandling`
5e9e09aee0	fix	handle errors from view transition `updateCallbackDone` promise

Conversation

dependabot Bot commented on behalf of github May 15, 2026

19.2.16

http

19.2.16 (2025-11-26)

http

20.3.14 (2025-11-25)

http

21.0.1 (2025-11-25)

compiler-cli

core

forms

19.2.20

compiler

core

19.2.19

core

Breaking Changes

core

19.2.18

core

19.2.17

compiler

19.2.16

http

19.2.20 (2026-03-12)

compiler

core

20.3.18 (2026-03-12)

compiler

core

22.0.0-next.3 (2026-03-12)

compiler

core

21.2.4 (2026-03-12)

compiler

core

19.2.18

core

19.2.17

compiler

19.2.16

http

19.2.18 (2026-01-07)

core

21.0.7 (2026-01-07)

compiler

compiler-cli

core

forms

router

21.0.6 (2025-12-17)

Breaking Changes (affecting only experimental features)

v7.29.0 (2026-01-31)

🚀 New Feature

🐛 Bug Fix

🏃‍♀️ Performance

Committers: 6

v7.28.6 (2026-01-12)

🐛 Bug Fix

💅 Polish

🏠 Internal

v1.20.5

What's Changed

New Contributors

1.20.4

What's Changed

1.20.3

What's Changed

Important

Other changes

1.20.5 / 2026-04-24

1.20.4 / 2025-12-01

1.20.3 / 2024-09-10

1.20.2 / 2023-02-21

1.20.1 / 2022-10-06

1.20.0 / 2022-04-02

v4.22.2

What's Changed

New Contributors