chore(deps): bump the npm_and_yarn group across 9 directories with 21 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the /samples/js-angular/genkit-app directory:

Package	From	To
@angular/common	19.2.0	19.2.16
@angular/compiler	19.2.0	19.2.18
@angular/core	19.2.0	19.2.20
brace-expansion	1.1.11	1.1.12
brace-expansion	2.0.1	2.0.2
tar	6.2.1	7.5.12
flatted	3.3.2	3.4.2
node-forge	1.3.1	1.3.3
on-headers	1.0.2	1.1.0
qs	6.13.0	6.14.2

Bumps the npm_and_yarn group with 7 updates in the /samples/js-chatbot directory:

Package	From	To
brace-expansion	2.0.1	2.0.2
esbuild	0.23.1	0.27.4
glob	10.4.5	10.5.0
tmp	0.0.33	removed
js-yaml	4.1.0	4.1.1
qs	6.13.0	6.14.2
@trpc/server	10.45.0	10.45.4

Bumps the npm_and_yarn group with 7 updates in the /samples/js-chatbot/genkit-app directory:

Package	From	To
@angular/common	18.2.13	21.2.5
@angular/compiler	18.2.13	21.2.5
@angular/core	18.2.13	21.2.5
brace-expansion	1.1.11	1.1.12
brace-expansion	2.0.1	2.0.2
tar	6.2.1	7.5.12
flatted	3.3.2	3.4.2
qs	6.13.0	6.14.2

Bumps the npm_and_yarn group with 9 updates in the /samples/js-chatbot/server directory:

Package	From	To
esbuild	0.23.1	0.27.4
glob	10.4.5	10.5.0
js-yaml	4.1.0	4.1.1
node-forge	1.3.1	1.3.3
@trpc/server	10.45.2	10.45.4
form-data	2.5.2	2.5.5
axios	1.13.1	1.13.6
jws	4.0.0	4.0.1
jws	3.2.2	3.2.3
@modelcontextprotocol/sdk	1.21.0	1.27.1

Bumps the npm_and_yarn group with 7 updates in the /samples/js-coffee-shop directory:

Package	From	To
glob	10.4.5	10.5.0
glob	11.0.3	11.1.0
js-yaml	4.1.0	4.1.1
node-forge	1.3.1	1.3.3
@trpc/server	10.45.2	10.45.4
axios	1.12.2	1.13.6
jws	4.0.0	4.0.1
jws	3.2.2	3.2.3
@modelcontextprotocol/sdk	1.20.0	1.27.1

Bumps the npm_and_yarn group with 9 updates in the /samples/js-menu directory:

Package	From	To
brace-expansion	2.0.1	2.0.2
esbuild	0.23.1	0.27.4
glob	10.4.5	10.5.0
glob	11.0.1	11.1.0
js-yaml	4.1.0	4.1.1
node-forge	1.3.1	1.3.3
qs	6.13.0	6.14.2
@trpc/server	10.45.0	10.45.4
form-data	2.5.2	2.5.5
jws	4.0.0	4.0.1
jws	3.2.2	3.2.3

Bumps the npm_and_yarn group with 8 updates in the /samples/js-prompts directory:

Package	From	To
brace-expansion	2.0.1	2.0.2
esbuild	0.23.1	0.27.4
glob	10.4.5	10.5.0
tmp	0.0.33	removed
js-yaml	4.1.0	4.1.1
qs	6.13.0	6.14.2
@trpc/server	10.45.0	10.45.4
jws	4.0.0	4.0.1

Bumps the npm_and_yarn group with 8 updates in the /samples/js-schoolAgent directory:

Package	From	To
brace-expansion	2.0.1	2.0.2
esbuild	0.23.1	0.27.4
glob	10.4.5	10.5.0
glob	11.0.1	11.1.0
tmp	0.0.33	removed
js-yaml	4.1.0	4.1.1
qs	6.13.0	6.14.2
@trpc/server	10.45.0	10.45.4
jws	4.0.0	4.0.1

Bumps the npm_and_yarn group with 2 updates in the /tests directory: brace-expansion and js-yaml.

Updates @angular/common from 19.2.0 to 19.2.16

Release notes

Sourced from @​angular/common's releases.

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

For more information please see: GHSA-68x2-mx4q-78m7

Changelog

Sourced from @​angular/common's changelog.

19.2.16 (2025-11-26)

http

Commit	Type	Description
05fe6686a9	fix	prevent XSRF token leakage to protocol-relative URLs

20.3.14 (2025-11-25)

http

Commit	Type	Description
0276479e7d	fix	prevent XSRF token leakage to protocol-relative URLs

21.0.1 (2025-11-25)

compiler-cli

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

core

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected DOCUMENT for CSP_NONCE
cc1ec09931	perf	avoid repeat searches for field directive

forms

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on Field directive
8acf5d2756	fix	allow dynamic type bindings on signal form controls

... (truncated)

Commits

• 05fe668 fix(http): prevent XSRF token leakage to protocol-relative URLs
• 12e2302 build: update common's locales to use rules_js (#61630)
• 9701047 test(common): Add circular deps test to 19.2.x (#61651)
• 2c876b4 fix(common): avoid injecting ApplicationRef in FetchBackend (#61649)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 2b1b14f fix(core): cleanup rxResource abort listener (#58306)
• 126efc9 fix(common): cancel reader when app is destroyed (#61528)
• efda872 fix(common): prevent reading chunks if app is destroyed (#61354)
• c43fd3a build: migrate common to use rules_js based toolchain (#61434)
• 185b780 build: migrate packages/core/schematics to ts_project (#61420)
• Additional commits viewable in compare view

Updates @angular/compiler from 19.2.0 to 19.2.18

Release notes

Sourced from @​angular/compiler's releases.

19.2.18

core

Commit	Description
	sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit	Description
	prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

  const bootstrap = () => bootstrapApplication(AppComponent, config);

  After:

  const bootstrap = (context: BootstrapContext) =>
    bootstrapApplication(AppComponent, config, context);

  A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

  In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

For more information please see: GHSA-68x2-mx4q-78m7

Changelog

Sourced from @​angular/compiler's changelog.

19.2.18 (2026-01-07)

core

Commit	Type	Description
26cdc53d9c	fix	sanitize sensitive attributes on SVG script elements

21.0.7 (2026-01-07)

compiler

Commit	Type	Description
8e808740c9	fix	better types for a few expression AST nodes
63b1cdcf70	fix	produce accurate span for typeof and void expressions
3c3ae0cb64	fix	provide location information for literal map keys
523dbaf1c3	fix	stop ThisReceiver inheritance from ImplicitReceiver

compiler-cli

Commit	Type	Description
4d9c4567ed	fix	ensure component import diagnostics are reported within the imports expression
cd405685af	fix	fix up spelling of diagnostic
778460fcca	fix	support qualified names in typeof type references

core

Commit	Type	Description
7c74674eb0	fix	avoid leaking view data in animations
0edbee4550	fix	explicitly cast signal node value to String
f9c29572d2	fix	sanitize sensitive attributes on SVG script elements

forms

Commit	Type	Description
e3fba182f9	feat	add [formField] directive
561772b152	fix	allow custom controls to require dirty input
f0fb1d8581	fix	allow custom controls to require hidden input
ec110f170b	fix	allow custom controls to require pending input
ae1dc16bb0	fix	clean up abort listener after timeout
9748b0d5da	fix	support custom controls with non signal-based models
6bd22df987	fix	Support readonly arrays in signal forms

router

Commit	Type	Description
41cd4a6af8	fix	Fix RouterLink href not updating with queryParamsHandling
5e9e09aee0	fix	handle errors from view transition updateCallbackDone promise

21.0.6 (2025-12-17)

Breaking Changes (affecting only experimental features)

... (truncated)

Commits

• 26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
• 7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
• 24bab55 fix(compiler): lexer support for template literals in object literals (#61601)
• fc2483e refactor(compiler): avoid duplication between FactoryTarget type (#61571)
• 8e54b57 build: move private testing helpers outside platform-browser/testing (#61571)
• 44bb328 fix(compiler): avoid conflicts between HMR code and local symbols (#61550)
• 1007079 build: update compiler-cli to not be stamped when used for the compiler in ng...
• 0d025c5 build: support new ng_project rule (#61336)
• 899cb4a refactor: add explicit types for exports relying on inferred call return type...
• 1312eb1 build: remove irrelevant madge circular deps tests (#61209)
• Additional commits viewable in compare view

Updates @angular/core from 19.2.0 to 19.2.20

Release notes

Sourced from @​angular/core's releases.

19.2.20

compiler

Commit	Description
	disallow translations of iframe src

core

Commit	Description
	sanitize translated attribute bindings with interpolations
	sanitize translated form attributes

19.2.19

core

Commit	Description
	block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

• Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

  (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

19.2.18

core

Commit	Description
	sanitize sensitive attributes on SVG script elements

19.2.17

compiler

Commit	Description
	prevent XSS via SVG animation attributeName and MathML/SVG URLs

19.2.16

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

19.2.15

core

Commit	Description
	introduce BootstrapContext for improved server bootstrapping (#63639)

Breaking Changes

core

• The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

  Before:

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

19.2.20 (2026-03-12)

compiler

Commit	Type	Description
5be912eb55	fix	disallow translations of iframe src

core

Commit	Type	Description
b89b0a83a4	fix	sanitize translated attribute bindings with interpolations
621c7071ad	fix	sanitize translated form attributes

20.3.18 (2026-03-12)

compiler

Commit	Type	Description
02fbf08890	fix	disallow translations of iframe src

core

Commit	Type	Description
72126f9a08	fix	sanitize translated attribute bindings with interpolations
626bc8bc20	fix	sanitize translated form attributes

22.0.0-next.3 (2026-03-12)

compiler

Commit	Type	Description
78dea55351	fix	disallow translations of iframe src

core

Commit	Type	Description
999c14eaab	fix	reverts "feat(core): add support for nested animations"
de0eb4c656	fix	sanitize translated form attributes

21.2.4 (2026-03-12)

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description

... (truncated)

Commits

• 621c707 fix(core): sanitize translated form attributes
• b89b0a8 fix(core): sanitize translated attribute bindings with interpolations
• 7475487 fix(core): block creation of sensitive URI attributes from ICU messages
• 26cdc53 fix(core): sanitize sensitive attributes on SVG script elements
• 7c42e2e fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
• 70d0639 fix(core): introduce BootstrapContext for improved server bootstrapping (#6...
• 73d3e00 build: fix failing test (#61683)
• 9e1cd49 fix(migrations): preserve comments when removing unused imports (#61674)
• a6d5479 build: migrate platform-server to rules_js (#61619)
• 2a26944 build: migrate platform-browser and platform-browser-dynamic package to use r...
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates brace-expansion from 2.0.1 to 2.0.2

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates tar from 6.2.1 to 7.5.12

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• 2a294d3 7.5.12
• 01082a4 fix: reject top promise on floating addFilesAsync rejections
• dd1c36a linting
• 35a1ffe doc: more clarity in security warning
• bf776f6 7.5.11
• f48b5fa prevent escaping symlinks with drive-relative paths
• 97cff15 docs: more security info
• 2b72abc 7.5.10
• 7bc755d parse root off paths before sanitizing .. parts
• c8cb846 update deps
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates flatted from 3.3.2 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

• [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-12816
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66031
  • GHSA ID: GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66030
  • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
• [asn1] Add fromDer() max recursion depth check.
  • Add a asn1.maxDepth global configurable maximum depth of 256.
  • Add a asn1.fromDer() per-call maxDepth option.
  • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
  • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default

... (truncated)

Commits

• 1cea0af Release 1.3.3.
• 5265989 Update changelog.
• e4f3961 Fix changelog for release.
• 503979b Update changelog.
• c3b3b32 Make digestAlgorithm parameters optional
• 6f70043 Update CVE details.
• f547b0d Start 1.3.3-0.
• 235ad3e Release 1.3.2.
• 2598244 Update changelog.
• 0032dd0 Fix typos.
• Additional commits viewable in compare view

Updates on-headers from 1.0.2 to 1.1.0

Release notes

Sourced from on-headers's releases.

1.1.0

Important

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

What's Changed

• Migrate CI pipeline to GitHub actions by @​carpasse in jshttp/on-headers#12
• fix README.md badges by @​carpasse in jshttp/on-headers#13
• add OSSF scorecard action by @​carpasse in jshttp/on-headers#14
• fix: use ubuntu-latest as ci runner by @​UlisesGascon in jshttp/on-headers#19
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in jshttp/on-headers#20
• 👷 add upstream change detection by @​ctcpip in jshttp/on-headers#31
• ✨ add script to update known hashes by @​ctcpip in jshttp/on-headers#32
• 💚 update CI - add newer node versions by @​ctcpip in jshttp/on-headers#33

New Contributors

• @​carpasse made their first contribution in jshttp/on-headers#12
• @​UlisesGascon made their first contribution in jshttp/on-headers#19
• @​ctcpip made their first contribution in jshttp/on-headers#31

Full Changelog: jshttp/on-headers@v1.0.2...v1.1.0

Changelog

Sourced from on-headers's changelog.

1.1.0 / 2025-07-17

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• 4b017af 1.1.0
• b636f2d ♻️ refactor header array code
• 3e2c2d4 ✨ ignore falsy header keys, matching node behavior
• 172eb41 ✨ support duplicate headers
• c6e3849 🔒️ fix array handling
• 6893518 💚 update CI - add newer node versions
• 56a345d ✨ add script to update known hashes
• 175ab21 👷 add upstream change detection (#31)
• ce0b2c8 ci: apply OSSF Scorecard security best practices (#20)
• 1a38c54 fix: use ubuntu-latest as ci runner (#19)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for on-headers since your current version.

Updates qs from 6.13.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup

... (truncated)

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates brace-expansion from 2.0.1 to 2.0.2

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates esbuild from 0.23.1 to 0.27.4

Details

<...

Description has been truncated

---

Summary by cubic

Upgrade dependencies across sample apps to modern, secure versions. Highlights include Angular 21 for the samples/js-chatbot/genkit-app, build tool upgrades, and multiple security patches.

• Dependencies

  • Angular
    • samples/js-chatbot/genkit-app: @angular/* → 21.2.x with @angular/cli/@angular-devkit → 21.2.3, ngx-markdown → 21.1.0.
    • samples/js-angular/genkit-app: @angular/common → 19.2.16, @angular/compiler → 19.2.18, @angular/core → 19.2.20, @angular/cli → 21.2.3.
  • Build tools: esbuild → 0.27.4, glob → 10.5.0/11.1.0, tar → 7.5.12.
  • Security: node-forge → 1.3.3 (ASN.1 fixes), on-headers → 1.1.0 (CVE fix), qs → 6.14.2, js-yaml → 4.1.1, brace-expansion → 1.1.12/2.0.2, flatted → 3.4.2.
  • Server/runtime libs: @modelcontextprotocol/sdk → 1.27.1 (adds hono, @hono/node-server, jose, json-schema-typed), axios → 1.13.6, @trpc/server → 10.45.4, form-data → 2.5.5, jws → 4.0.1/3.2.3.
  • Dev tooling: genkit-cli → 1.30.1 (where used), tsx → 4.21.0.
  • Cleanup: removed tmp in sample apps where present; updated test lockfile (brace-expansion, js-yaml).

• Migration

  • samples/js-chatbot/genkit-app: Angular 21 requires Node 18+. Use local CLI (npx ng) or install @angular/cli@21. Run npm ci and rebuild; update any project-specific Angular schematics if prompted.
  • samples/js-angular/genkit-app: Local CLI is 21.2.x while app deps stay on Angular 19.2.x. Use the workspace CLI (npx ng) to avoid global CLI mismatches; run npm ci and verify builds.

^{Written for commit d5a6c58. Summary will update on new commits.}

[cubic-dev-ai]

4 issues found across 15 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="samples/js-angular/genkit-app/package.json">

<violation number="1" location="samples/js-angular/genkit-app/package.json:30">
P1: `@angular/cli` is bumped to major 21 while `@angular/core` remains major 19. Angular requires CLI and core majors to match, so this introduces an unsupported toolchain combination.</violation>
</file>

<file name="samples/js-chatbot/genkit-app/package.json">

<violation number="1" location="samples/js-chatbot/genkit-app/package.json:17">
P1: Angular 21 requires `zone.js` `~0.15.0 || ~0.16.0`, but the project remains on `~0.14.3`. This peer mismatch can cause install/runtime issues.</violation>

<violation number="2" location="samples/js-chatbot/genkit-app/package.json:17">
P1: Angular core was upgraded to v21, but `@angular/material`/`@angular/cdk` remain on v18 and only support Angular 18/19. This will produce peer dependency conflicts and can break install/build.</violation>

<violation number="3" location="samples/js-chatbot/genkit-app/package.json:34">
P0: `@angular/compiler-cli`/`build-angular` 21.x require TypeScript >=5.9, but this project is still pinned to `~5.4.2`. The updated dependency set will fail peer dependency checks and likely break Angular compilation.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P0: @angular/compiler-cli/build-angular 21.x require TypeScript >=5.9, but this project is still pinned to ~5.4.2. The updated dependency set will fail peer dependency checks and likely break Angular compilation.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At samples/js-chatbot/genkit-app/package.json, line 34:

<comment>`@angular/compiler-cli`/`build-angular` 21.x require TypeScript >=5.9, but this project is still pinned to `~5.4.2`. The updated dependency set will fail peer dependency checks and likely break Angular compilation.</comment>

<file context>
@@ -10,28 +10,28 @@
-    "@angular/compiler-cli": "^18.0.0",
+    "@angular-devkit/build-angular": "^21.2.3",
+    "@angular/cli": "^21.2.3",
+    "@angular/compiler-cli": "^21.2.5",
     "@types/jasmine": "~5.1.0",
     "jasmine-core": "~5.1.0",
</file context>

[cubic-dev-ai]

P1: @angular/cli is bumped to major 21 while @angular/core remains major 19. Angular requires CLI and core majors to match, so this introduces an unsupported toolchain combination.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At samples/js-angular/genkit-app/package.json, line 30:

<comment>`@angular/cli` is bumped to major 21 while `@angular/core` remains major 19. Angular requires CLI and core majors to match, so this introduces an unsupported toolchain combination.</comment>

<file context>
@@ -27,7 +27,7 @@
   "devDependencies": {
     "@angular-devkit/build-angular": "^19.2.1",
-    "@angular/cli": "^19.2.1",
+    "@angular/cli": "^21.2.3",
     "@angular/compiler-cli": "^19.2.0",
     "@types/jasmine": "~5.1.0",
</file context>

Suggested change

	"@angular/cli": "^21.2.3",
	"@angular/cli": "^19.2.1",

[cubic-dev-ai]

P1: Angular 21 requires zone.js ~0.15.0 || ~0.16.0, but the project remains on ~0.14.3. This peer mismatch can cause install/runtime issues.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At samples/js-chatbot/genkit-app/package.json, line 17:

<comment>Angular 21 requires `zone.js` `~0.15.0 || ~0.16.0`, but the project remains on `~0.14.3`. This peer mismatch can cause install/runtime issues.</comment>

<file context>
@@ -10,28 +10,28 @@
-    "@angular/forms": "^18.0.0",
+    "@angular/common": "^21.2.5",
+    "@angular/compiler": "^21.2.5",
+    "@angular/core": "^21.2.5",
+    "@angular/forms": "^21.2.5",
     "@angular/material": "^18.0.1",
</file context>

[cubic-dev-ai]

P1: Angular core was upgraded to v21, but @angular/material/@angular/cdk remain on v18 and only support Angular 18/19. This will produce peer dependency conflicts and can break install/build.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At samples/js-chatbot/genkit-app/package.json, line 17:

<comment>Angular core was upgraded to v21, but `@angular/material`/`@angular/cdk` remain on v18 and only support Angular 18/19. This will produce peer dependency conflicts and can break install/build.</comment>

<file context>
@@ -10,28 +10,28 @@
-    "@angular/forms": "^18.0.0",
+    "@angular/common": "^21.2.5",
+    "@angular/compiler": "^21.2.5",
+    "@angular/core": "^21.2.5",
+    "@angular/forms": "^21.2.5",
     "@angular/material": "^18.0.1",
</file context>