chore(deps): bump the npm_and_yarn group across 1 directory with 25 updates

[dependabot]

Bumps the npm_and_yarn group with 22 updates in the / directory:

Package	From	To
rollup	2.67.1	2.80.0
@angular/common	10.2.5	19.2.16
@angular/compiler	10.2.5	19.2.18
@angular/core	10.2.5	19.2.20
playwright	1.17.1	1.55.1
next	10.1.3	15.5.15
apollo-server	3.6.7	3.13.0
@remix-run/node	1.5.1	2.17.2
aws-sdk	2.875.0	2.1693.0
browserstack-local	1.4.8	1.5.13
cipher-base	1.0.4	1.0.7
follow-redirects	1.14.8	1.16.0
handlebars	4.7.7	4.7.9
immutable	4.0.0	4.3.8
jws	4.0.0	4.0.1
pbkdf2	3.1.1	3.1.5
picomatch	2.2.2	2.3.2
protobufjs	6.11.3	6.11.5
sha.js	2.4.11	2.4.12
socket.io-parser	3.3.2	3.3.5
tar-fs	2.1.1	2.1.4
underscore	1.12.1	1.13.8

Updates rollup from 2.67.1 to 2.80.0

Release notes

Sourced from rollup's releases.

v.2.79.2

2.79.2

2024-09-26

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

Changelog

Sourced from rollup's changelog.

2.80.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6277)

Pull Requests

• #6277: Validate bundle stays within output dir (@​lukastaegert)

2.79.2

2024-09-26

Bug Fixes

• Resolve CVE-2024-43788 (#5677)

Pull Requests

• #5677: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (@​fabianszabo)

2.79.1

2022-09-22

Bug Fixes

• Avoid massive performance degradation when creating thousands of chunks (#4643)

Pull Requests

• #4639: fix: typo docs and contributors link in CONTRIBUTING.md (@​takurinton)
• #4641: Update type definition of resolveId (@​ivanjonas)
• #4643: Improve performance of chunk naming collision check (@​lukastaegert)

2.79.0

2022-08-31

Features

• Add amd.forceJsExtensionForImports to enforce using .js extensions for relative AMD imports (#4607)

Pull Requests

• #4607: add option to keep extensions for amd (@​wh1tevs)

... (truncated)

Commits

• d17ae15 2.80.0
• d6dee5e Validate bundle stays within output dir (#6277)
• c9bd03d 2.79.2
• 48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
• 69ff418 2.79.1
• 04dce1b Update changelog
• 159137e fix: typo docs and contributors link in CONTRIBUTING.md (#4639)
• e1392b3 Update type definition of resolveId (#4641)
• 7836357 Improve performance of chunk naming collision check (#4643)
• 71d20c9 Reduce permissions for repl-artefacts.yml workflow (#4630)
• Additional commits viewable in compare view

Updates @angular/common from 10.2.5 to 19.2.16

Release notes

Sourced from @​angular/common's releases.

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

For more information please see: GHSA-68x2-mx4q-78m7

18.2.14

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63640)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

19.2.16 (2025-11-26)

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

20.3.14 (2025-11-25)

http

Commit	Type	Description
0276479e7d	fix	prevent XSRF token leakage to protocol-relative URLs

21.0.1 (2025-11-25)

compiler-cli

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

core

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected DOCUMENT for CSP_NONCE
cc1ec09931	perf	avoid repeat searches for field directive

forms

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on Field directive
8acf5d2756	fix	allow dynamic type bindings on signal form controls

... (truncated)

Commits

• 05fe668 fix(http): prevent XSRF token leakage to protocol-relative URLs
• 12e2302 build: update common's locales to use rules_js (#61630)
• 9701047 test(common): Add circular deps test to 19.2.x (#61651)
• 2c876b4 fix(common): avoid injecting ApplicationRef in FetchBackend (#61649)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 2b1b14f fix(core): cleanup rxResource abort listener (#58306)
• 126efc9 fix(common): cancel reader when app is destroyed (#61528)
• efda872 fix(common): prevent reading chunks if app is destroyed (#61354)
• c43fd3a build: migrate common to use rules_js based toolchain (#61434)
• 185b780 build: migrate packages/core/schematics to ts_project (#61420)
• Additional commits viewable in compare view

Updates @angular/compiler from 10.2.5 to 19.2.18

Release notes

Sourced from @​angular/compiler's releases.

19.2.18

core

Commit	Description
	sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit	Description
	prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

For more information please see: GHSA-68x2-mx4q-78m7

18.2.14

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63640)

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

19.2.18 (2026-01-07)

core

Commit	Type	Description
26cdc53d9c	fix	sanitize sensitive attributes on SVG script elements

21.0.7 (2026-01-07)

compiler

Commit	Type	Description
8e808740c9	fix	better types for a few expression AST nodes
63b1cdcf70	fix	produce accurate span for typeof and void expressions
3c3ae0cb64	fix	provide location information for literal map keys
523dbaf1c3	fix	stop ThisReceiver inheritance from ImplicitReceiver

compiler-cli

Commit	Type	Description
4d9c4567ed	fix	ensure component import diagnostics are reported within the imports expression
cd405685af	fix	fix up spelling of diagnostic
778460fcca	fix	support qualified names in typeof type references

core

Commit	Type	Description
7c74674eb0	fix	avoid leaking view data in animations
0edbee4550	fix	explicitly cast signal node value to String
f9c29572d2	fix	sanitize sensitive attributes on SVG script elements

forms

Commit	Type	Description
e3fba182f9	feat	add [formField] directive
561772b152	fix	allow custom controls to require dirty input
f0fb1d8581	fix	allow custom controls to require hidden input
ec110f170b	fix	allow custom controls to require pending input
ae1dc16bb0	fix	clean up abort listener after timeout
9748b0d5da	fix	support custom controls with non signal-based models
6bd22df987	fix	Support readonly arrays in signal forms

router

Commit	Type	Description
41cd4a6af8	fix	Fix RouterLink href not updating with queryParamsHandling
5e9e09aee0	fix	handle errors from view transition updateCallbackDone promise

21.0.6 (2025-12-17)

Breaking Changes (affecting only experimental features)

... (truncated)

Commits

• 26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
• 7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
• 24bab55 fix(compiler): lexer support for template literals in object literals (#61601)
• fc2483e refactor(compiler): avoid duplication between FactoryTarget type (#61571)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 44bb328 fix(compiler): avoid conflicts between HMR code and local symbols (#61550)
• 1007079 build: update compiler-cli to not be stamped when used for the compiler in ng...
• 0d025c5 build: support new ng_project rule (#61336)
• 899cb4a refactor: add explicit types for exports relying on inferred call return type...
• 1312eb1 build: remove irrelevant madge circular deps tests (#61209)
• Additional commits viewable in compare view

Updates @angular/core from 10.2.5 to 19.2.20

Release notes

Sourced from @​angular/core's releases.

19.2.20

compiler

Commit	Description
	disallow translations of iframe src

core

Commit	Description
	sanitize translated attribute bindings with interpolations
	sanitize translated form attributes

19.2.19

core

Commit	Description
	block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

• Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

  (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

19.2.18

core

Commit	Description
	sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit	Description
	prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

19.2.20 (2026-03-12)

compiler

Commit	Type	Description
5be912eb55	fix	disallow translations of iframe src

core

Commit	Type	Description
b89b0a83a4	fix	sanitize translated attribute bindings with interpolations
621c7071ad	fix	sanitize translated form attributes

20.3.18 (2026-03-12)

compiler

Commit	Type	Description
02fbf08890	fix	disallow translations of iframe src

core

Commit	Type	Description
72126f9a08	fix	sanitize translated attribute bindings with interpolations
626bc8bc20	fix	sanitize translated form attributes

22.0.0-next.3 (2026-03-12)

compiler

Commit	Type	Description
78dea55351	fix	disallow translations of iframe src

core

Commit	Type	Description
999c14eaab	fix	reverts "feat(core): add support for nested animations"
de0eb4c656	fix	sanitize translated form attributes

21.2.4 (2026-03-12)

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description

... (truncated)

Commits

• 621c707 fix(core): sanitize translated form attributes
• b89b0a8 fix(core): sanitize translated attribute bindings with interpolations
• 7475487 fix(core): block creation of sensitive URI attributes from ICU messages
• 26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
• 7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
• 70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
• 73d3e00 build: fix failing test (#61683)
• 9e1cd49 fix(migrations): preserve comments when removing unused imports (#61674)
• a6d5479 build: migrate platform-server to rules_js (#61619)
• 2a26944 build: migrate platform-browser and platform-browser-dynamic package to use r...
• Additional commits viewable in compare view

Updates playwright from 1.17.1 to 1.55.1

Release notes

Sourced from playwright's releases.

v1.55.1

Highlights

microsoft/playwright#37479 - [Bug]: Upgrade Chromium to 140.0.7339.186. microsoft/playwright#37147 - [Regression]: Internal error: step id not found. microsoft/playwright#37146 - [Regression]: HTML reporter displays a broken chip link when there are no projects. microsoft/playwright#37137 - Revert "fix(a11y): track inert elements as hidden". microsoft/playwright#37532 - chore: do not use -k option

Browser Versions

• Chromium 140.0.7339.186
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.55.0

New APIs

• New Property testStepInfo.titlePath Returns the full title path starting from the test file, including test and step titles.

Codegen

• Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.

Breaking Changes

• ⚠️ Dropped support for Chromium extension manifest v2.

Miscellaneous

• Added support for Debian 13 "Trixie".

Browser Versions

• Chromium 140.0.7339.16
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.54.2

Highlights

microsoft/playwright#36714 - [Regression]: Codegen is not able to launch in Administrator Terminal on Windows (ProtocolError: Protocol error) microsoft/playwright#36828 - [Regression]: Playwright Codegen keeps spamming with selected option microsoft/playwright#36810 - [Regression]: Starting Codegen with target language doesn't work anymore

Browser Versions

... (truncated)

Commits

• ae51df7 chore: mark v1.55.1 (#37530)
• 86dde29 feat(chromium): roll to r1193 (#37529)
• 86328bc chore: do not use -k option (#37532)
• 63799ba cherry-pick(#37214): docs: fix method names in release notes
• 21e29a4 cherry-pick(#37153): fix(html): don't display a chip with empty content with ...
• ba62e6a cherry-pick(#37149): fix(test): attaching in boxed fixture
• 25bb073 cherry-pick(#37137): Revert "fix(a11y): track inert elements as hidden (#36947)"
• f992162 chore: mark v1.55.0 (#37121)
• 4a92ea0 cherry-pick(#37113): docs: add release-notes for v1.55
• aa05507 cherry-pick(#37114): test: move browser._launchServer in child process
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by playwright-bot, a new releaser for playwright since your current version.

Updates next from 10.1.3 to 15.5.15

Release notes

Sourced from next's releases.

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

Commits

• 412eb90 v15.5.15
• cb90de9 [15.x] Avoid consuming cyclic models multiple times (#74)
• fffef9e Fix CI for glibc linux builds
• d7b012d v15.5.14
• 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
• f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
• cfd5f53 v15.5.13
• 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• d23f41c v15.5.12
• 8e75765 fix unlock in publish-native
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by vercel-release-bot, a new releaser for next since your current version.

Updates apollo-server from 3.6.7 to 3.13.0

Commits

• f93284e Release
• ea2e2c3 Release
• fac578a Release
• 6247d96 Release
• 538151b Release
• f519e1d Release
• 985c079 Release
• 2bf7f66 chore(deps): update all non-major dependencies (main) (#6852)
• f6c5c9f Release
• e6097d6 Release
• Additional commits viewable in compare view

Updates @remix-run/node from 1.5.1 to 2.17.2

Release notes

Sourced from @​remix-run/node's releases.

file-storage-s3 v0.1.0

Minor Changes

• Unreleased

  Initial release of @remix-run/file-storage-s3.

Patch Changes

• Bumped @remix-run/* dependencies:
  • file-storage@0.13.3

Changelog

Sourced from @​remix-run/node's changelog.

v2.17.2

Date: 2025-10-29

Patch Changes

• @remix-run/deno - Validate format of incoming session ids in createFileSessionStorage
• @remix-run/node - Validate format of incoming session ids in createFileSessionStorage

Full Changelog: v2.17.1...v2.17.2

v2.17.1

Date: 2025-09-17

Patch Changes

• remix-serve - Update compression and morgan dependencies to latest versions
• @remix-run/eslint-config - Update deprecation warning with proper link to sample v2 eslint config file
• @remix-run/react - Escape HTML in meta() JSON-LD content

Full Changelog: v2.17.0...v2.17.1

v2.17.0

Date: 2025-07-25

Minor Changes

• create-remix - Redirect users to create-react-router instead of create-remix (#10686, #10688)
  • Remix v2 is in maintenance mode so we don't want new Remix apps to be created

Changes by Package

• create-remix

Full Changelog: v2.16.8...v2.17.0

v2.16.8

Date: 2025-05-29

Patch Changes

• create-remix - Update tar-fs (#10638)

Full Changelog: v2.16.7...v2.16.8

v2.16.7

... (truncated)

Commits

• 3920349 Version 2.17.2
• 64d88de Validate session id in file session storage (#10806)
• 91ef6fe Version 2.17.1
• 3000859 chore: Update version for release (#10698)
• 3004a98 chore: Update version for release (pre) (#10692)
• fc5cb1f chore: Update version for release (pre) (#10691)
• 3869e0e chore: Update version for release (#10643)
• 00107c5 chore: Update version for release (pre) (#10642)
• 45df312 chore: Update version for release (#10628)
• f90aa1f chore: Update version for release (pre) (#10627)
• Additional commits viewable in compare view

Updates aws-sdk from 2.875.0 to 2.1693.0

Release notes

Sourced from aws-sdk's releases.

Release v2.1693.0

See changelog for more information.

Release v2.1692.0

See changelog for more information.

Release v2.1691.0

See changelog for more information.

Release v2.1690.0

See changelog for more information.

Release v2.1689.0

See changelog for more information.

Release v2.1688.0

See changelog for more information.

Release v2.1687.0

See changelog for more information.

Release v2.1686.0

See changelog for more information.

Release v2.1685.0

See changelog for more information.

Release v2.1684.0

See changelog for more information.

Release v2.1683.0

See changelog for more information.

Release v2.1682.0

See changelog for more information.

Release v2.1681.0

See changelog for more information.

Release v2.1680.0

See changelog for more information.

Release v2.1679.0

See changelog for more information.

Release v2.1678.0

See changelog for more information.

Release v2.1677.0

See changelog for more information.

... (truncated)

Commits

• 9d3c66e Updates SDK to v2.1693.0
• c039567 test(client-elastictranscoder): remove feature test (#4711)
• f5b1a6f docs: end-of-support (#4706)
• 657d6fe chore: use ssh private key for git sync (#4705)
• c12585b chore: remove regression label management (#4699)
• 966fa6c Updates SDK to v2.1692.0
• 5d0e38a Delete EC2 launch configuration e2e tests (#4685)
• b9ce346 chore: fix issue config (#4683)
• c066681 Update issue template config and disable docs requests (#4682)
• 163a7cf Modified bug issue template to add checkbox to report potential regression. (...
• Additional commits viewable in compare view

Updates apollo-server-core from 3.6.7 to 3.13.0

Commits

• f93284e Release
• 4745ebe Rename option from disableValidation to dangerouslyDisableValidation
• 11f5981 Add disableValidation option to apollo-server-core
• ea2e2c3 Release
• 1dd45b8 get CI passing
• d38b43b Merge pull request from GHSA-j5g3-5c8r-7qfx
• fac578a Release
• 8554050 Update protobuf (version-3) (#7412)
• 6247d96 Release
• 538151b Release
• Additional commits viewable in compare view

Updates browserstack-local from 1.4.8 to 1.5.13

Release notes

Sourced from browserstack-local's releases.

Changed local binary paths to support LocalBinary 7.3. Fixed folder argument.

Changed local binary paths to support LocalBinary 7.3. Fixed folder argument when building browserstack local arguments.

Commits

• fa2dcbc 1.5.13
• dcfaf7b Merge pull request #175 from browserstack/LOC-6635_sdk_binary_compatibility
• e79cd0e Remove debug log
• 4376222 Fix url ref
• 18f9a57 Add Async method to fetch download url for async flow
• 7fd6ce1 1.5.12...

  Description has been truncated