chore(deps): bump the npm_and_yarn group across 4 directories with 16 updates by dependabot[bot] · Pull Request #4 · vejja/sentry-javascript

dependabot · 2026-06-20T20:35:19Z

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
@angular/compiler	`10.2.5`	`20.3.25`
@angular/core	`10.2.5`	`20.3.25`
next	`10.1.3`	`15.5.18`
@babel/plugin-transform-modules-systemjs	`7.13.8`	`7.29.7`
follow-redirects	`1.14.8`	`1.16.0`
handlebars	`4.7.7`	`4.7.9`
immutable	`4.0.0`	`4.3.8`
picomatch	`2.2.2`	`2.3.2`
protobufjs	`6.11.3`	`6.11.6`
shell-quote	`1.7.2`	`1.8.4`
socket.io-parser	`3.3.2`	`3.3.5`
underscore	`1.12.1`	`1.13.8`

Bumps the npm_and_yarn group with 2 updates in the /packages/angular directory: @angular/compiler and @angular/core.
Bumps the npm_and_yarn group with 2 updates in the /scenarios/browser directory: lodash and ws.
Bumps the npm_and_yarn group with 1 update in the /scenarios/browser/nextjs-client directory: next.

Updates @angular/compiler from 10.2.5 to 20.3.25

Release notes

Sourced from @angular/compiler's releases.

20.3.25

common

Commit Description

Limits date format string length

skip transfer cache for uncacheable HTTP traffic

use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description

sanitize two-way properties

core

Commit Description

harden TransferState restoration against DOM clobbering

validate lowercase SVG animation attribute names (#69270)

http

Commit Description

preserve empty referrer option in HttpRequest

Rejects non-HTTP(S) URLs in JSONP requests

skip transfer cache for fetch credentialed requests

platform-server

Commit Description

harden platform location origin validation during SSR

deprecate ServerXhr (#69256)

service-worker

Commit Description

Strips sensitive headers on cross-origin redirects

Deprecations

platform-server

XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

20.3.24

platform-server

Commit Description

throw on suspicious URLs and restrict protocol-relative URLs

update domino to latest version

20.3.23

compiler

Commit Description

prevent namespaced SVG elements from being stripped

20.3.22

common

... (truncated)

Changelog

Sourced from @angular/compiler's changelog.

20.3.25 (2026-06-10)

Deprecations

platform-server

XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit Type Description

9f443bc24c fix Limits date format string length

566ad05f20 fix skip transfer cache for uncacheable HTTP traffic

1a62130a6b fix use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Type Description

a68ec702a0 fix sanitize two-way properties

core

Commit Type Description

768a349e6e fix harden TransferState restoration against DOM clobbering

ca48b4728d fix validate lowercase SVG animation attribute names (#69270)

http

Commit Type Description

06be298267 fix preserve empty referrer option in HttpRequest

fa940e1f4d fix Rejects non-HTTP(S) URLs in JSONP requests

e2ef1ce72a fix skip transfer cache for fetch credentialed requests

platform-server

Commit Type Description

49368c1859 fix harden platform location origin validation during SSR

d55c94ad81 refactor deprecate ServerXhr (#69256)

service-worker

Commit Type Description

d65a5f457b fix Strips sensitive headers on cross-origin redirects

22.0.0 (2026-06-03)

Blog post "Announcing Angular v22".

Breaking Changes

compiler

This change will trigger the nullishCoalescingNotNullable and optionalChainNotNullable diagnostics on exisiting projects. You might want to disable those 2 diagnotiscs in your tsconfig temporarily.

data prefixed attribute no-longer bind inputs nor outputs.

The compiler will throw when there a when inputs, outputs or model are binding to the same input/outputs.

in variables will throw in template expressions.

compiler-cli

... (truncated)

Commits

a68ec70 fix(compiler): sanitize two-way properties
d40acc6 fix(compiler): prevent namespaced SVG <style> elements from being stripped
7ae6381 test(compiler-cli): align ngtsc sanitization expectations with modern DOM sch...
36200bd test(core): update spec files to match 20.3.x limits and actual contexts (#68...
823b37f test(compiler): remove obsolete schema_extractor import (#68926)
e345a58 fix(core): normalize tag names in runtime i18n attribute security context loo...
8f35b18 fix(compiler): normalize tag names with custom namespaces in DomElementSchema...
64a89e9 fix(compiler): sanitize dynamic href and xlink:href bindings on SVG a element...
6404edf fix(compiler): strip namespaced SVG script elements during template compilati...
dc631ef fix(core): support prefix-insensitive DOM schema lookups and compile-time i18...
Additional commits viewable in compare view

Updates @angular/core from 10.2.5 to 20.3.25

Release notes

Sourced from @angular/core's releases.

20.3.25

common

Commit Description

Limits date format string length

skip transfer cache for uncacheable HTTP traffic

use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Description

sanitize two-way properties

core

Commit Description

harden TransferState restoration against DOM clobbering

validate lowercase SVG animation attribute names (#69270)

http

Commit Description

preserve empty referrer option in HttpRequest

Rejects non-HTTP(S) URLs in JSONP requests

skip transfer cache for fetch credentialed requests

platform-server

Commit Description

harden platform location origin validation during SSR

deprecate ServerXhr (#69256)

service-worker

Commit Description

Strips sensitive headers on cross-origin redirects

Deprecations

platform-server

XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

20.3.24

platform-server

Commit Description

throw on suspicious URLs and restrict protocol-relative URLs

update domino to latest version

20.3.23

compiler

Commit Description

prevent namespaced SVG elements from being stripped

20.3.22

common

... (truncated)

Changelog

Sourced from @angular/core's changelog.

20.3.25 (2026-06-10)

Deprecations

platform-server

XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit Type Description

9f443bc24c fix Limits date format string length

566ad05f20 fix skip transfer cache for uncacheable HTTP traffic

1a62130a6b fix use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit Type Description

a68ec702a0 fix sanitize two-way properties

core

Commit Type Description

768a349e6e fix harden TransferState restoration against DOM clobbering

ca48b4728d fix validate lowercase SVG animation attribute names (#69270)

http

Commit Type Description

06be298267 fix preserve empty referrer option in HttpRequest

fa940e1f4d fix Rejects non-HTTP(S) URLs in JSONP requests

e2ef1ce72a fix skip transfer cache for fetch credentialed requests

platform-server

Commit Type Description

49368c1859 fix harden platform location origin validation during SSR

d55c94ad81 refactor deprecate ServerXhr (#69256)

service-worker

Commit Type Description

d65a5f457b fix Strips sensitive headers on cross-origin redirects

22.0.0 (2026-06-03)

Blog post "Announcing Angular v22".

Breaking Changes

compiler

This change will trigger the nullishCoalescingNotNullable and optionalChainNotNullable diagnostics on exisiting projects. You might want to disable those 2 diagnotiscs in your tsconfig temporarily.

data prefixed attribute no-longer bind inputs nor outputs.

The compiler will throw when there a when inputs, outputs or model are binding to the same input/outputs.

in variables will throw in template expressions.

compiler-cli

... (truncated)

Commits

ca48b47 fix(core): validate lowercase SVG animation attribute names (#69270)
1a62130 fix(common): use cryptographically secure SHA-256 for transfer cache key gene...
49368c1 fix(platform-server): harden platform location origin validation during SSR
566ad05 fix(common): skip transfer cache for uncacheable HTTP traffic
768a349 fix(core): harden TransferState restoration against DOM clobbering
7ae6381 test(compiler-cli): align ngtsc sanitization expectations with modern DOM sch...
6595409 test(core): update golden symbols and host bindings sanitization spec (#68926)
d86e4e7 fix(core): reject script element as a dynamic component host (#68926)
b8f1f72 test(core): remove obsolete blockquote cite host binding tests (#68926)
36200bd test(core): update spec files to match 20.3.x limits and actual contexts (#68...
Additional commits viewable in compare view

Updates next from 10.1.3 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

Commits

9ff92ce v15.5.18
00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
62c97ab v15.5.17
423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
fa78739 Turbopack: Fix middleware matcher suffix (#93590)
36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
36589b5 [backport][test] Pin package manager to patch versions (#93596)
ad6fd4e v15.5.16
79d7dff Ignore malformed CSP nonce headers (#103)
c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates @babel/plugin-transform-modules-systemjs from 7.13.8 to 7.29.7

Release notes

Sourced from @babel/plugin-transform-modules-systemjs's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

babel-generator

#18014 Catchup source map position in preserveFormat (@nicolo-ribaudo)

babel-core

#18001 [7.x packport]Improve input source map handling (@JLHwung)

babel-core, babel-generator

#17998 Preserve original identifier names from input sourcemaps (#17992) (@Andarist)

Committers: 3

Huáng Jùnliàng (@JLHwung)

Mateusz Burzyński (@Andarist)

Nicolò Ribaudo (@nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

babel-preset-env

Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

babel-plugin-transform-modules-systemjs

#17974 [7.x backport]fix(systemjs): improve module string name support (@JLHwung)

Committers: 1

Huáng Jùnliàng (@JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

babel-parser

#17923 Support flow extends bound (@JLHwung)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#17931 fix(decorators): replace super within all removed static elements (@JLHwung)

babel-register

#17915 Fix thread synchronization issues in @babel/register (@liuxingbaoyu)

babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

#17788 Add bugfix plugin for Safari array rest destructuring bug (@JLHwung)

💅 Polish

babel-parser

... (truncated)

Commits

4fba754 v7.29.7
a458f66 v7.29.4
32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
aa8394e v7.29.0
0053db6 Update polyfill packages (#17727)
61647ae v7.28.5
a177d55 [Babel 8] Use t.traverseFast to replace some path.traverse (#17518)
eebd3a0 v7.27.1
317e332 Enforce node protocol import (#17207)
fdc0fb5 [Babel 8] Bump nodejs requirements to ^20.19.0 || >= 22.12.0 (#17204)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @babel/plugin-transform-modules-systemjs since your current version.

Updates apollo-server-core from 3.6.7 to 3.13.0

Commits

f93284e Release
4745ebe Rename option from disableValidation to dangerouslyDisableValidation
11f5981 Add disableValidation option to apollo-server-core
ea2e2c3 Release
1dd45b8 get CI passing
d38b43b Merge pull request from GHSA-j5g3-5c8r-7qfx
fac578a Release
8554050 Update protobuf (version-3) (#7412)
6247d96 Release
538151b Release
Additional commits viewable in compare view

Updates follow-redirects from 1.14.8 to 1.16.0

Commits

0c23a22 Release version 1.16.0 of the npm package.
844c4d3 Add sensitiveHeaders option.
5e8b8d0 ci: add Node.js 24.x to the CI matrix
7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
86dc1f8 Sanitizing input.
21ef28a Release version 1.15.11 of the npm package.
7c88135 Roll back tree shaking.
6e389ba Release version 1.15.10 of the npm package.
5bc496e Shake me up before you go-go.
694d6b4 Bump minimist from 1.2.5 to 1.2.8
Additional commits viewable in compare view

Updates handlebars from 4.7.7 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2

fix type "RuntimeOptions" also accepting string partials - eab1d14

feat(types): set hash to be a Record<string, any> - de4414d

fix non-contiguous program indices - 4512766

refactor: rename i to startPartIndex - e497a35

security: fix security issues - 68d8df5

GHSA-2w6w-674q-4c4q

GHSA-3mfm-83xf-c92r

GHSA-xhpv-hc6g-r9c6

GHSA-xjpj-3mr7-gcpf

GHSA-9cx6-37pm-9jff

GHSA-2qvq-rjwj-gvw9

GHSA-7rx3-28cr-v5wh

GHSA-442j-39wm-28r2

Commits

v4.7.8

Make library compatible with workers (#1894) - 3d3796c

Don't rely on Node.js global object (#1776) - 2954e7e

Fix compiling of each block params in strict mode (#1855) - 30dbf04

Fix rollup warning when importing Handlebars as ESM - 03d387b

Fix bundler issue with webpack 5 (#1862) - c6c6bbb

Use https instead of git for mustache submodule - 88ac068

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2

fix type "RuntimeOptions" also accepting string partials - eab1d14

feat(types): set hash to be a Record<string, any> - de4414d

fix non-contiguous program indices - 4512766

refactor: rename i to startPartIndex - e497a35

security: fix security issues - 68d8df5

Commits

v4.7.8 - July 27th, 2023

Make library compatible with workers (#1894) - 3d3796c

Don't rely on Node.js global object (#1776) - 2954e7e

Fix compiling of each block params in strict mode (#1855) - 30dbf04

Fix rollup warning when importing Handlebars as ESM - 03d387b

Fix bundler issue with webpack 5 (#1862) - c6c6bbb

Use https instead of git for mustache submodule - 88ac068

Commits

Commits

dce542c v4.7.9
8a41389 Update release notes
68d8df5 Fix security issues
b2a0831 Fix browser tests
9f98c16 Fix release script
45443b4 Revert "Improve partial indenting performance"
8841a5f Fix CI errors with linting
e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
e914d60 Improve rendering performance
7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jaylinski, a new releaser for handlebars since your current version.

Updates immutable from 4.0.0 to 4.3.8

Release notes

Sourced from immutable's releases.

v4.3.8

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

v4.3.7

What's Changed

Fix issue with slice negative of filtered sequence by @jdeniau in immutable-js/immutable-js#2006

Full Changelog: immutable-js/immutable-js@v4.3.6...v4.3.7

v4.3.6

What's Changed

Fix Repeat().equals(undefined) incorrectly returning true by @butchler in immutable-js/immutable-js#1994

Internals

change youtube image by @jdeniau in immutable-js/immutable-js#1973

Upgrade eslint and ignore no-constructor-return rule for actual constructors by @jdeniau in immutable-js/immutable-js#1974

upgrate documentation website to next 14 by @jdeniau in immutable-js/immutable-js#1975

start migrating to nextjs app router by @jdeniau in immutable-js/immutable-js#1976

upgrade next sitemap by @jdeniau in immutable-js/immutable-js#1978

New Contributors

@butchler made their first contribution in immutable-js/immutable-js#1994

Full Changelog: immutable-js/immutable-js@v4.3.5...v4.3.6

v4.3.5

What's Changed

Fix Set.fromKeys types with Map constructor in TS 5.0 by @jdeniau in immutable-js/immutable-js#1971

upgrade to TS 5.1 by @jdeniau in immutable-js/immutable-js#1972

fix dist-stats command by @jdeniau in immutable-js/immutable-js#1964

fix Read the Docs link on readme by @joshding in immutable-js/immutable-js#1970

New Contributors

@joshding made their first contribution in immutable-js/immutable-js#1970

Full Changelog: immutable-js/immutable-js@v4.3.4...v4.3.5

4.3.4

What's Changed

Rollback toJS type due to circular reference error by @jdeniau in immutable-js/immutable-js#1958

Full Changelog: immutable-js/immutable-js@v4.3.3...v4.3.4

v4.3.3

What's Changed

[typescript] manage to handle toJS circular reference. #1932 by @jdeniau

... (truncated)

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

fix(IndexedCollection): has(index) on a lazy Seq of unknown size now checks index existence instead of searching for a value equal to the index

[TypeScript]: reduce/reduceRight without an initial value now infer the result type from the collection's values when the reducer returns a value (e.g. list.reduce((a, b) => a + b) infers number), matching Array#reduce. Previously an explicit type argument was required.

5.1.6

fix(reverseFactory): read reversedSequence.size in __iterator instead of this #2196

5.1.5

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

Migrate some files to TS by @jdeniau in immutable-js/immutable-js#2125

Iterator.ts

PairSorting.ts

toJS.ts

Math.ts

Hash.ts

Extract CollectionHelperMethods and convert to TS by @jdeniau in immutable-js/immutable-js#2131

Use npm trusted publishing only to avoid token stealing.

Documentation

Fix/a11y issues by @lyannel in immutable-js/immutable-js#2136

Doc add Map.get signature update by @borracciaBlu in immutable-js/immutable-js#2138

fix(doc):minor-issues#2132 by @JayMeDotDot in immutable-js/immutable-js#2133

Fix algolia search by @jdeniau in immutable-js/immutable-js#2135

Typo in OrderedMap by @jdeniau in immutable-js/immutable-js#2144

Internal

chore: Sort all imports and activate eslint import rule by @jdeniau in immutable-js/immutable-js#2119

5.1.3

TypeScript

fix: allow readonly map entry constructor by @septs in immutable-js/immutable-js#2123

... (truncated)

Commits

485cbe0 4.3.8
6ed4eb6 Merge commit from fork
94bcd3c fix new proto key injection
faeb58b fix Prototype Pollution in mergeDeep, toJS, etc.
37ca417 release 4.3.7 (#2007)
23daf26 Fix issue with slice negative of filtered sequence (#2006)
493afba release 4.3.6 (#1997)
be3cb9a Fix Repeat(<value>).equals(undefined) incorrectly returning true (#1994)
d7664bf generate sitemap in path that will be deployed
f8327b1 upgrade next sitemap (#1978)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for immutable since your current version.

Updates picomatch from 2.2.2 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

fix: exception when glob pattern contains constructor by @Jason3S in micromatch/picomatch#144

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

2.3.1

Fixed

Fixes bug when a pattern containing an expression after the closing parenthesis (/!(*.d).{ts,tsx}) was incorrectly converted to regexp (

… updates Bumps the npm_and_yarn group with 12 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `10.2.5` | `20.3.25` | | [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `10.2.5` | `20.3.25` | | [next](https://github.com/vercel/next.js) | `10.1.3` | `15.5.18` | | [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) | `7.13.8` | `7.29.7` | | [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.14.8` | `1.16.0` | | [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.7.7` | `4.7.9` | | [immutable](https://github.com/immutable-js/immutable-js) | `4.0.0` | `4.3.8` | | [picomatch](https://github.com/micromatch/picomatch) | `2.2.2` | `2.3.2` | | [protobufjs](https://github.com/protobufjs/protobuf.js) | `6.11.3` | `6.11.6` | | [shell-quote](https://github.com/ljharb/shell-quote) | `1.7.2` | `1.8.4` | | [socket.io-parser](https://github.com/socketio/socket.io) | `3.3.2` | `3.3.5` | | [underscore](https://github.com/jashkenas/underscore) | `1.12.1` | `1.13.8` | Bumps the npm_and_yarn group with 2 updates in the /packages/angular directory: [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) and [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core). Bumps the npm_and_yarn group with 2 updates in the /scenarios/browser directory: [lodash](https://github.com/lodash/lodash) and [ws](https://github.com/websockets/ws). Bumps the npm_and_yarn group with 1 update in the /scenarios/browser/nextjs-client directory: [next](https://github.com/vercel/next.js). Updates `@angular/compiler` from 10.2.5 to 20.3.25 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v20.3.25/packages/compiler) Updates `@angular/core` from 10.2.5 to 20.3.25 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v20.3.25/packages/core) Updates `next` from 10.1.3 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v10.1.3...v15.5.18) Updates `@babel/plugin-transform-modules-systemjs` from 7.13.8 to 7.29.7 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-modules-systemjs) Updates `apollo-server-core` from 3.6.7 to 3.13.0 - [Release notes](https://github.com/apollographql/apollo-server/releases) - [Commits](https://github.com/apollographql/apollo-server/commits/apollo-server-core@3.13.0/packages/apollo-server-core) Updates `follow-redirects` from 1.14.8 to 1.16.0 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.14.8...v1.16.0) Updates `handlebars` from 4.7.7 to 4.7.9 - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.7.7...v4.7.9) Updates `immutable` from 4.0.0 to 4.3.8 - [Release notes](https://github.com/immutable-js/immutable-js/releases) - [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md) - [Commits](immutable-js/immutable-js@v4.0.0...v4.3.8) Updates `picomatch` from 2.2.2 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.2.2...2.3.2) Updates `protobufjs` from 6.11.3 to 6.11.6 - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@v6.11.3...v6.11.6) Updates `shell-quote` from 1.7.2 to 1.8.4 - [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md) - [Commits](ljharb/shell-quote@v1.7.2...v1.8.4) Updates `socket.io-parser` from 3.3.2 to 3.3.5 - [Release notes](https://github.com/socketio/socket.io/releases) - [Changelog](https://github.com/socketio/socket.io/blob/socket.io-parser@3.3.5/CHANGELOG.md) - [Commits](https://github.com/socketio/socket.io/commits/socket.io-parser@3.3.5) Updates `underscore` from 1.12.1 to 1.13.8 - [Commits](jashkenas/underscore@1.12.1...1.13.8) Updates `uuid` from 3.3.2 to 3.4.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v3.3.2...v3.4.0) Updates `@angular/compiler` from 10.2.5 to 22.0.2 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v20.3.25/packages/compiler) Updates `@angular/core` from 10.2.5 to 22.0.2 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v20.3.25/packages/core) Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) Updates `ws` from 7.5.5 to 7.5.11 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@7.5.5...7.5.11) Updates `next` from 12.3.7 to 16.2.9 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v10.1.3...v15.5.18) --- updated-dependencies: - dependency-name: "@angular/compiler" dependency-version: 20.3.25 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@angular/core" dependency-version: 20.3.25 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@babel/plugin-transform-modules-systemjs" dependency-version: 7.29.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: apollo-server-core dependency-version: 3.13.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: follow-redirects dependency-version: 1.16.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: immutable dependency-version: 4.3.8 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: protobufjs dependency-version: 6.11.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: shell-quote dependency-version: 1.8.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: socket.io-parser dependency-version: 3.3.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: underscore dependency-version: 1.13.8 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 3.4.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@angular/compiler" dependency-version: 22.0.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@angular/core" dependency-version: 22.0.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 7.5.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.2.9 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 20, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 4 directories with 16 updates#4

chore(deps): bump the npm_and_yarn group across 4 directories with 16 updates#4
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-5e50bcef03

dependabot Bot commented on behalf of github Jun 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Commit	Description
	Limits date format string length
	skip transfer cache for uncacheable HTTP traffic
	use cryptographically secure SHA-256 for transfer cache key generation

Commit	Description
	harden TransferState restoration against DOM clobbering
	validate lowercase SVG animation attribute names (#69270)

Commit	Description
	preserve empty referrer option in HttpRequest
	Rejects non-HTTP(S) URLs in JSONP requests
	skip transfer cache for fetch credentialed requests

Commit	Description
	harden platform location origin validation during SSR
	deprecate ServerXhr (#69256)

Commit	Description
	throw on suspicious URLs and restrict protocol-relative URLs
	update domino to latest version

Commit	Type	Description
9f443bc24c	fix	Limits date format string length
566ad05f20	fix	skip transfer cache for uncacheable HTTP traffic
1a62130a6b	fix	use cryptographically secure SHA-256 for transfer cache key generation

Commit	Type	Description
768a349e6e	fix	harden TransferState restoration against DOM clobbering
ca48b4728d	fix	validate lowercase SVG animation attribute names (#69270)

Commit	Type	Description
06be298267	fix	preserve empty referrer option in HttpRequest
fa940e1f4d	fix	Rejects non-HTTP(S) URLs in JSONP requests
e2ef1ce72a	fix	skip transfer cache for fetch credentialed requests

Commit	Type	Description
49368c1859	fix	harden platform location origin validation during SSR
d55c94ad81	refactor	deprecate ServerXhr (#69256)

Conversation

dependabot Bot commented on behalf of github Jun 20, 2026

20.3.25

common

compiler

core

http

platform-server

service-worker

Deprecations

platform-server

20.3.24

platform-server

20.3.23

compiler

20.3.22

common

20.3.25 (2026-06-10)

Deprecations

platform-server

common

compiler

core

http

platform-server

service-worker

22.0.0 (2026-06-03)

Breaking Changes

compiler

compiler-cli

20.3.25

common

compiler

core

http

platform-server

service-worker

Deprecations

platform-server

20.3.24

platform-server

20.3.23

compiler

20.3.22

common

20.3.25 (2026-06-10)

Deprecations

platform-server

common

compiler

core

http

platform-server

service-worker

22.0.0 (2026-06-03)

Breaking Changes

compiler

compiler-cli

v15.5.18

v15.5.16

v15.5.15

v7.29.7 (2026-05-25)

v7.29.6 (2026-05-25)

🐛 Bug Fix

Committers: 3

v7.29.5 (2026-05-05)

🏠 Internal

v7.29.4 (2026-05-05)

🐛 Bug Fix

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

💅 Polish

v4.7.9

v4.7.8

v4.7.9 - March 26th, 2026

v4.7.8 - July 27th, 2023

v4.3.8

v4.3.7