Bump the npm_and_yarn group across 1 directory with 7 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the /webapp directory: @angular/core, @angular/service-worker, hono and tmp.

Updates @angular/core from 20.3.21 to 22.0.1

Release notes

Sourced from @​angular/core's releases.

22.0.1

common

Commit	Description
	escape CSS string-terminating characters in escapeCssUrl
	Limits date format string length
	prevent prototype pollution in formatDateTime
	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Description
	disallow i18n event attributes
	more robust logic to check if regex can be optimized
	sanitize href/xlink:href attributes of any element of the MathML namespace
	sanitize two-way properties

compiler-cli

Commit	Description
	bind switch exhaustive check expressions

core

Commit	Description
	disable WebMCP during SSR
	Handle synchronous errors in PendingTasks.run function
	harden TransferState restoration against DOM clobbering
	prevent dangling prevConsumer reference from leaking destroyed views (#68681)
	require WebMCP tool descriptions
	update comment for Default change detection
	use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
	validate lowercase SVG animation attribute names

forms

Commit	Description
	delay mcp reading the form model by a tick
	harden FormGroup control lookups against prototype shadowing
	remove animationstart listener on component destroy to prevent memory leak
	set additionalProperties: false on generated WebMCP form

http

Commit	Description
	ensure query parameters are inserted before URL fragments
	pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
	preserve empty referrer option in HttpRequest
	Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit	Description
	prevent external template inlay hints from appearing in TS files

platform-server

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

22.0.1 (2026-06-10)

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead. (cherry picked from commit 8446e46f8bc33bd4419fa7f6106b8d117ca2e099)

common

Commit	Type	Description
c4b5fa3c92	fix	escape CSS string-terminating characters in escapeCssUrl
dfff57ede9	fix	Limits date format string length
3c2892c8df	fix	prevent prototype pollution in formatDateTime
1d87c49f6e	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
1ee224ca30	fix	disallow i18n event attributes
a56f1cdf8f	fix	more robust logic to check if regex can be optimized
5946c18275	fix	sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8	fix	sanitize two-way properties

compiler-cli

Commit	Type	Description
3d9ca2f173	fix	bind switch exhaustive check expressions

core

Commit	Type	Description
669146b0e7	fix	disable WebMCP during SSR
562a566ead	fix	Handle synchronous errors in PendingTasks.run function
fa546f382d	fix	harden TransferState restoration against DOM clobbering
29fdb98684	fix	prevent dangling prevConsumer reference from leaking destroyed views (#68681)
cdcea80327	fix	require WebMCP tool descriptions
4289c4c840	fix	update comment for Default change detection
3dd433b39a	fix	use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3	fix	validate lowercase SVG animation attribute names

forms

Commit	Type	Description
11836a670a	fix	delay mcp reading the form model by a tick
85d2d100e3	fix	harden FormGroup control lookups against prototype shadowing
e51ad374ea	fix	remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6	fix	set additionalProperties: false on generated WebMCP form

http

Commit	Type	Description
ffb06c0514	fix	ensure query parameters are inserted before URL fragments
2dd65d21e6	fix	pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c	fix	preserve empty referrer option in HttpRequest
167bd4c162	fix	Rejects non-HTTP(S) URLs in JSONP requests

language-service

| Commit | Type | Description |

... (truncated)

Commits

• 4b0c3b8 refactor(core): Update registerNgModuleType to support codegen typechecking
• dbf64c8 test(core): fix AI tools test flake
• 045bb73 fix(core): validate lowercase SVG animation attribute names
• 1ee224c fix(compiler): disallow i18n event attributes
• 5946c18 fix(compiler): sanitize href/xlink:href attributes of any element of the ...
• b1f02eb refactor(core): add internal utility
• 85d2d10 fix(forms): harden FormGroup control lookups against prototype shadowing
• 6e3d51d refactor(migrations): Improve safeNavigationMigration heuristic
• 01ea640 refactor(core): Fix DirectiveDefinition interface to allow abstract classes
• a704b08 docs: add Signal Forms and v22 guidance to AI best-practices and llms.txt
• Additional commits viewable in compare view

Updates @angular/service-worker from 20.3.21 to 22.0.1

Release notes

Sourced from @​angular/service-worker's releases.

22.0.1

common

Commit	Description
	escape CSS string-terminating characters in escapeCssUrl
	Limits date format string length
	prevent prototype pollution in formatDateTime
	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Description
	disallow i18n event attributes
	more robust logic to check if regex can be optimized
	sanitize href/xlink:href attributes of any element of the MathML namespace
	sanitize two-way properties

compiler-cli

Commit	Description
	bind switch exhaustive check expressions

core

Commit	Description
	disable WebMCP during SSR
	Handle synchronous errors in PendingTasks.run function
	harden TransferState restoration against DOM clobbering
	prevent dangling prevConsumer reference from leaking destroyed views (#68681)
	require WebMCP tool descriptions
	update comment for Default change detection
	use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
	validate lowercase SVG animation attribute names

forms

Commit	Description
	delay mcp reading the form model by a tick
	harden FormGroup control lookups against prototype shadowing
	remove animationstart listener on component destroy to prevent memory leak
	set additionalProperties: false on generated WebMCP form

http

Commit	Description
	ensure query parameters are inserted before URL fragments
	pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
	preserve empty referrer option in HttpRequest
	Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit	Description
	prevent external template inlay hints from appearing in TS files

platform-server

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/service-worker's changelog.

22.0.1 (2026-06-10)

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead. (cherry picked from commit 8446e46f8bc33bd4419fa7f6106b8d117ca2e099)

common

Commit	Type	Description
c4b5fa3c92	fix	escape CSS string-terminating characters in escapeCssUrl
dfff57ede9	fix	Limits date format string length
3c2892c8df	fix	prevent prototype pollution in formatDateTime
1d87c49f6e	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
1ee224ca30	fix	disallow i18n event attributes
a56f1cdf8f	fix	more robust logic to check if regex can be optimized
5946c18275	fix	sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8	fix	sanitize two-way properties

compiler-cli

Commit	Type	Description
3d9ca2f173	fix	bind switch exhaustive check expressions

core

Commit	Type	Description
669146b0e7	fix	disable WebMCP during SSR
562a566ead	fix	Handle synchronous errors in PendingTasks.run function
fa546f382d	fix	harden TransferState restoration against DOM clobbering
29fdb98684	fix	prevent dangling prevConsumer reference from leaking destroyed views (#68681)
cdcea80327	fix	require WebMCP tool descriptions
4289c4c840	fix	update comment for Default change detection
3dd433b39a	fix	use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3	fix	validate lowercase SVG animation attribute names

forms

Commit	Type	Description
11836a670a	fix	delay mcp reading the form model by a tick
85d2d100e3	fix	harden FormGroup control lookups against prototype shadowing
e51ad374ea	fix	remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6	fix	set additionalProperties: false on generated WebMCP form

http

Commit	Type	Description
ffb06c0514	fix	ensure query parameters are inserted before URL fragments
2dd65d21e6	fix	pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c	fix	preserve empty referrer option in HttpRequest
167bd4c162	fix	Rejects non-HTTP(S) URLs in JSONP requests

language-service

| Commit | Type | Description |

... (truncated)

Commits

• cf97b1f fix(service-worker): Strips sensitive headers on cross-origin redirects
• d0c4951 fix(service-worker): Preserves HTTP cache mode in asset group requests
• a02797d fix(service-worker): Preserves explicit 'credentials: omit' in asset requests
• a97d5ec build: update minimum supported Node.js versions
• b8d3f36 feat(compiler-cli): add support for Node.js 26.0.0
• 836094c fix(service-worker): resolve TS 6.0 compatibility for messageerror listener
• 57a07d0 refactor(service-worker): remove unnecessary cast in mock redirect check
• 07abfbc fix(service-worker): preserve redirect policy on reconstructed asset requests
• 806c9aa build: update rules_angular dependency commit hash.
• d550bf7 build: update minimum supported Node.js versions
• Additional commits viewable in compare view

Updates @angular/service-worker from 20.3.21 to 22.0.1

Release notes

Sourced from @​angular/service-worker's releases.

22.0.1

common

Commit	Description
	escape CSS string-terminating characters in escapeCssUrl
	Limits date format string length
	prevent prototype pollution in formatDateTime
	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Description
	disallow i18n event attributes
	more robust logic to check if regex can be optimized
	sanitize href/xlink:href attributes of any element of the MathML namespace
	sanitize two-way properties

compiler-cli

Commit	Description
	bind switch exhaustive check expressions

core

Commit	Description
	disable WebMCP during SSR
	Handle synchronous errors in PendingTasks.run function
	harden TransferState restoration against DOM clobbering
	prevent dangling prevConsumer reference from leaking destroyed views (#68681)
	require WebMCP tool descriptions
	update comment for Default change detection
	use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
	validate lowercase SVG animation attribute names

forms

Commit	Description
	delay mcp reading the form model by a tick
	harden FormGroup control lookups against prototype shadowing
	remove animationstart listener on component destroy to prevent memory leak
	set additionalProperties: false on generated WebMCP form

http

Commit	Description
	ensure query parameters are inserted before URL fragments
	pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
	preserve empty referrer option in HttpRequest
	Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit	Description
	prevent external template inlay hints from appearing in TS files

platform-server

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/service-worker's changelog.

22.0.1 (2026-06-10)

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead. (cherry picked from commit 8446e46f8bc33bd4419fa7f6106b8d117ca2e099)

common

Commit	Type	Description
c4b5fa3c92	fix	escape CSS string-terminating characters in escapeCssUrl
dfff57ede9	fix	Limits date format string length
3c2892c8df	fix	prevent prototype pollution in formatDateTime
1d87c49f6e	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
1ee224ca30	fix	disallow i18n event attributes
a56f1cdf8f	fix	more robust logic to check if regex can be optimized
5946c18275	fix	sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8	fix	sanitize two-way properties

compiler-cli

Commit	Type	Description
3d9ca2f173	fix	bind switch exhaustive check expressions

core

Commit	Type	Description
669146b0e7	fix	disable WebMCP during SSR
562a566ead	fix	Handle synchronous errors in PendingTasks.run function
fa546f382d	fix	harden TransferState restoration against DOM clobbering
29fdb98684	fix	prevent dangling prevConsumer reference from leaking destroyed views (#68681)
cdcea80327	fix	require WebMCP tool descriptions
4289c4c840	fix	update comment for Default change detection
3dd433b39a	fix	use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3	fix	validate lowercase SVG animation attribute names

forms

Commit	Type	Description
11836a670a	fix	delay mcp reading the form model by a tick
85d2d100e3	fix	harden FormGroup control lookups against prototype shadowing
e51ad374ea	fix	remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6	fix	set additionalProperties: false on generated WebMCP form

http

Commit	Type	Description
ffb06c0514	fix	ensure query parameters are inserted before URL fragments
2dd65d21e6	fix	pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c	fix	preserve empty referrer option in HttpRequest
167bd4c162	fix	Rejects non-HTTP(S) URLs in JSONP requests

language-service

| Commit | Type | Description |

... (truncated)

Commits

• cf97b1f fix(service-worker): Strips sensitive headers on cross-origin redirects
• d0c4951 fix(service-worker): Preserves HTTP cache mode in asset group requests
• a02797d fix(service-worker): Preserves explicit 'credentials: omit' in asset requests
• a97d5ec build: update minimum supported Node.js versions
• b8d3f36 feat(compiler-cli): add support for Node.js 26.0.0
• 836094c fix(service-worker): resolve TS 6.0 compatibility for messageerror listener
• 57a07d0 refactor(service-worker): remove unnecessary cast in mock redirect check
• 07abfbc fix(service-worker): preserve redirect policy on reconstructed asset requests
• 806c9aa build: update rules_angular dependency commit hash.
• d550bf7 build: update minimum supported Node.js versions
• Additional commits viewable in compare view

Updates esbuild from 0.27.7 to 0.27.3

Changelog

Sourced from esbuild's changelog.

0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  __publicField(this, "x", x);
  __publicField(this, "y", 2);
  }
  }

0.27.5

• Fix for an async generator edge case (#4401, #4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#4420, #4418)

... (truncated)

Commits

• 0dc0f2d fix #4322: parse and print CSS @scope rules
• 55fe391 update firefox css gradient support
• 2c35297 update gradient lowering transform
• 9209e44 Update Go to 1.25.7 (#4388)
• e8d861b close #4374: compat table for the using feature
• 19b8887 no longer need williamkapke/node-compat-table
• 7e44218 the kangax/compat-table repo moved to a new url
• 23b9338 run make update-compat-table
• b791ac3 fix #4370: preserve url fragments in data URLs
• 51e5456 add a failing test for #4370
• Additional commits viewable in compare view

Updates hono from 4.12.19 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

• docs(contribution): simplifyAI Usage Policy by @​yusukebe in honojs/hono#4972
• chore: remove @​types/glob by @​rtritto in honojs/hono#4978
• fix(bearer-auth): mention verifyToken in missing-options error message by @​tan7vir in honojs/hono#4987
• refactor(language): Test/improve tests on languages middleware by @​iNeoO in honojs/hono#4980
• fix(utils/ipaddr): expand "::" to eight zero groups by @​youcefzemmar in honojs/hono#4973
• fix: clean up config files trailing comma, stale excludes, typesVersions gaps, jsr paths by @​Mohammad-Faiz-Cloud-Engineer in honojs/hono#4982
• refactor(timing): Test/add test for middleware timing by @​iNeoO in honojs/hono#4991
• fix(utils/ipaddr): render the unspecified address binary as "::" by @​sarathfrancis90 in honojs/hono#4998

Full Changelog: honojs/hono@v4.12.23...v4.12.24

v4.12.23

What's Changed

• fix(serve-static): normalize all backslashes in file paths, not just the first in honojs/hono#4962
• feat(context): export the Context class publicly by @​BlankParticle in honojs/hono#4543
• docs(contribution): add AI Usage Policy by @​yusukebe in honojs/hono#4970
• feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @​na-trium-144 in honojs/hono#4961
• fix(utils/ipaddr): do not compress a single 0 group to :: by @​yusukebe in honojs/hono#4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

... (truncated)

Commits

• fce483e 4.12.25
• 751ba41 Merge commit from fork
• f0b094d Merge commit from fork
• fa5f9bf Merge commit from fork
• 3892a6c Merge commit from fork
• 74c2cf8 test(aws-lambda): update integration tests (#5012)
• 7ae7cba Merge commit from fork
• 1b13848 chore(ci): bump codecov-action to v7.0.0 (#5011)
• 5fdde5a 4.12.24
• c78932d fix(utils/ipaddr): render the unspecified address binary as "::" (#4998)
• Additional commits viewable in compare view

Updates shell-quote from 1.8.3 to 1.8.4

Changelog

Sourced from shell-quote's changelog.

v1.8.4 - 2026-05-22

Commits

• [Fix] quote: validate object-token shapes 4378a6e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
• [Tests] increase coverage 9f3caa3
• [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
• [Dev Deps] update @ljharb/eslint-config 699c511

Details

<...

Description has been truncated

[dependabot]

Superseded by #297.