build(deps): bump the npm_and_yarn group across 6 directories with 13 updates by dependabot[bot] · Pull Request #267 · Coveros/codeveros

dependabot · 2026-03-10T23:55:05Z

Bumps the npm_and_yarn group with 3 updates in the /services/auth-service/nodejs directory: minimatch, koa and qs.
Bumps the npm_and_yarn group with 2 updates in the /services/gateway/nodejs directory: minimatch and qs.
Bumps the npm_and_yarn group with 3 updates in the /services/training-service/nodejs directory: minimatch, koa and qs.
Bumps the npm_and_yarn group with 9 updates in the /services/ui/angular directory:

Package	From	To
minimatch	`3.1.2`	`3.1.5`
qs	`6.14.0`	`6.14.2`
@angular/compiler	`20.3.15`	`20.3.16`
@angular/core	`20.3.15`	`20.3.17`
@modelcontextprotocol/sdk	`1.24.0`	`1.26.0`
axios	`1.13.2`	`1.13.6`
basic-ftp	`5.0.5`	`5.2.0`
immutable	`3.8.2`	`3.8.3`
immutable	`5.1.4`	`5.1.5`
lodash	`4.17.21`	`4.17.23`

Bumps the npm_and_yarn group with 6 updates in the /services/ui/react directory:

Package	From	To
minimatch	`3.1.2`	`3.1.5`
axios	`1.13.2`	`1.13.6`
immutable	`3.8.2`	`3.8.3`
lodash	`4.17.21`	`4.17.23`
rollup	`4.53.3`	`4.59.0`
react-router	`7.10.1`	`7.12.0`

Bumps the npm_and_yarn group with 3 updates in the /services/user-service/nodejs directory: minimatch, koa and qs.

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates koa from 3.1.1 to 3.1.2

Release notes

Sourced from koa's releases.

v3.1.2

What's Changed

fix: typo in troubleshooting.md by @WuMingDao in koajs/koa#1916

build(deps-dev): bump qs from 6.14.0 to 6.14.1 by @dependabot[bot] in koajs/koa#1921

build(deps): bump http-errors from 2.0.0 to 2.0.1 by @dependabot[bot] in koajs/koa#1919

build(deps): bump mime-types from 3.0.1 to 3.0.2 by @dependabot[bot] in koajs/koa#1918

docs: use correct term "Server-Sent Events" in guide by @jtr860830 in koajs/koa#1920

build(deps): bump content-disposition from 0.5.4 to 1.0.1 by @dependabot[bot] in koajs/koa#1917

build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 by @dependabot[bot] in koajs/koa#1922

fix(security): Host Header Injection via ctx.hostname by @killagu GHSA-7gcc-r8m5-44qm

New Contributors

@WuMingDao made their first contribution in koajs/koa#1916

@jtr860830 made their first contribution in koajs/koa#1920

Full Changelog: koajs/koa@v3.1.1...v3.1.2

Commits

c5a52e0 3.1.2
55ab9ba Merge commit from fork
fecd464 build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1922)
d2066cf build(deps): bump content-disposition from 0.5.4 to 1.0.1 (#1917)
8694a06 docs: use correct term "Server-Sent Events" in guide (#1920)
096682b build(deps): bump mime-types from 3.0.1 to 3.0.2 (#1918)
8215c2e build(deps): bump http-errors from 2.0.0 to 2.0.1 (#1919)
cfe5ec6 build(deps-dev): bump qs from 6.14.0 to 6.14.1 (#1921)
0a6afa5 fix: typo in troubleshooting.md (#1916)
See full diff in compare view

Updates qs from 6.14.0 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

d9b4c66 v6.15.0
cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
88e1563 [Fix] duplicates option should not apply to bracket notation keys
9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
85cc8ca v6.12.5
ffc12aa v6.11.4
0506b11 [actions] update reusable workflows
6a37faf [actions] update reusable workflows
8e8df5a [Fix] fix regressions from robustness refactor
d60bab3 v6.10.7
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates qs from 6.14.0 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

d9b4c66 v6.15.0
cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
88e1563 [Fix] duplicates option should not apply to bracket notation keys
9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
85cc8ca v6.12.5
ffc12aa v6.11.4
0506b11 [actions] update reusable workflows
6a37faf [actions] update reusable workflows
8e8df5a [Fix] fix regressions from robustness refactor
d60bab3 v6.10.7
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates koa from 3.1.1 to 3.1.2

Release notes

Sourced from koa's releases.

v3.1.2

What's Changed

fix: typo in troubleshooting.md by @WuMingDao in koajs/koa#1916

build(deps-dev): bump qs from 6.14.0 to 6.14.1 by @dependabot[bot] in koajs/koa#1921

build(deps): bump http-errors from 2.0.0 to 2.0.1 by @dependabot[bot] in koajs/koa#1919

build(deps): bump mime-types from 3.0.1 to 3.0.2 by @dependabot[bot] in koajs/koa#1918

docs: use correct term "Server-Sent Events" in guide by @jtr860830 in koajs/koa#1920

build(deps): bump content-disposition from 0.5.4 to 1.0.1 by @dependabot[bot] in koajs/koa#1917

build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 by @dependabot[bot] in koajs/koa#1922

fix(security): Host Header Injection via ctx.hostname by @killagu GHSA-7gcc-r8m5-44qm

New Contributors

@WuMingDao made their first contribution in koajs/koa#1916

@jtr860830 made their first contribution in koajs/koa#1920

Full Changelog: koajs/koa@v3.1.1...v3.1.2

Commits

c5a52e0 3.1.2
55ab9ba Merge commit from fork
fecd464 build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1922)
d2066cf build(deps): bump content-disposition from 0.5.4 to 1.0.1 (#1917)
8694a06 docs: use correct term "Server-Sent Events" in guide (#1920)
096682b build(deps): bump mime-types from 3.0.1 to 3.0.2 (#1918)
8215c2e build(deps): bump http-errors from 2.0.0 to 2.0.1 (#1919)
cfe5ec6 build(deps-dev): bump qs from 6.14.0 to 6.14.1 (#1921)
0a6afa5 fix: typo in troubleshooting.md (#1916)
See full diff in compare view

Updates qs from 6.14.0 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

d9b4c66 v6.15.0
cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
88e1563 [Fix] duplicates option should not apply to bracket notation keys
9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
85cc8ca v6.12.5
ffc12aa v6.11.4
0506b11 [actions] update reusable workflows
6a37faf [actions] update reusable workflows
8e8df5a [Fix] fix regressions from robustness refactor
d60bab3 v6.10.7
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates qs from 6.14.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

d9b4c66 v6.15.0
cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
88e1563 [Fix] duplicates option should not apply to bracket notation keys
9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
85cc8ca v6.12.5
ffc12aa v6.11.4
0506b11 [actions] update reusable workflows
6a37faf [actions] update reusable workflows
8e8df5a [Fix] fix regressions from robustness refactor
d60bab3 v6.10.7
Additional commits viewable in compare view

Updates @angular/compiler from 20.3.15 to 20.3.16

Release notes

Sourced from @angular/compiler's releases.

20.3.16

core

Commit Description

sanitize sensitive attributes on SVG script elements

Changelog

Sourced from @angular/compiler's changelog.

20.3.16 (2026-01-07)

core

Commit Type Description

c2c2b4aaa8 fix sanitize sensitive attributes on SVG script elements

19.2.18 (2026-01-07)

core

Commit Type Description

26cdc53d9c fix sanitize sensitive attributes on SVG script elements

21.0.7 (2026-01-07)

compiler

Commit Type Description

8e808740c9 fix better types for a few expression AST nodes

63b1cdcf70 fix produce accurate span for typeof and void expressions

3c3ae0cb64 fix provide location information for literal map keys

523dbaf1c3 fix stop ThisReceiver inheritance from ImplicitReceiver

compiler-cli

Commit Type Description

4d9c4567ed fix ensure component import diagnostics are reported within the imports expression

cd405685af fix fix up spelling of diagnostic

778460fcca fix support qualified names in typeof type references

core

Commit Type Description

7c74674eb0 fix avoid leaking view data in animations

0edbee4550 fix explicitly cast signal node value to String

f9c29572d2 fix sanitize sensitive attributes on SVG script elements

forms

Commit Type Description

e3fba182f9 feat add [formField] directive

561772b152 fix allow custom controls to require dirty input

f0fb1d8581 fix allow custom controls to require hidden input

ec110f170b fix allow custom controls to require pending input

ae1dc16bb0 fix clean up abort listener after timeout

9748b0d5da fix support custom controls with non signal-based models

6bd22df987 fix Support readonly arrays in signal forms

router

| Commit | Type | Description |

... (truncated)

Commits

c2c2b4a fix(core): sanitize sensitive attributes on SVG script elements
See full diff in compare view

Updates @angular/core from 20.3.15 to 20.3.17

Release notes

Sourced from @angular/core's releases.

20.3.17

core

Commit Description

block creation of sensitive URI attributes from ICU messages

Breaking Changes

core

Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

(cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

20.3.16

core

Commit Description

sanitize sensitive attributes on SVG script elements

Changelog

Sourced from @angular/core's changelog.

20.3.17 (2026-02-25)

Breaking Changes

core

Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

(cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

core

Commit Type Description

7f9de3c118 fix block creation of sensitive URI attributes from ICU messages

21.2.0 (2026-02-25)

common

Commit Type Description

18003a33bb feat add an 'outlet' injector option for ngTemplateOutlet

8bbe6dc46c feat Add Location strategies to manage trailing slash on write

51cc914807 feat support height in ImageLoaderConfig and built-in loaders

compiler

Commit Type Description

72534e2a34 feat Add support for the instanceof binary operator

95b3f37d4a feat Exhaustive checks for switch blocks

04ba09a8d9 feat support AstVisitor.visitEmptyExpr()

ce80136e7b fix optimize away unnecessary restore/reset view calls

3242a61bae fix variable counter visiting some expressions twice

compiler-cli

Commit Type Description

473dd3e1cb fix attach source spans to object literal keys in TCB

a904d9f77b fix support nested component declaration

2ea6dfc6c9 fix update diagnostic to flag no-op arrow functions in listeners

core

Commit Type Description

8d5210c9fe feat add ChangeDetectionStrategy.Eager alias for Default

92d2498910 feat add host node to DeferBlockData (#66546)

ea2016a6dc feat add support for nested animations

81cabc1477 feat add support for TypeScript 6

1ba9b7ac50 feat resource composition via snapshots

d9923b72a2 feat support arrow functions in expressions

a7e8abbb7e fix correctly handle SkipSelf when resolving from embedded view injector

0806ee3826 fix prevent animated element duplication with dynamic components in zoneless mode

ed78fa05c7 fix Remove note to skip arrow functions in best practices

forms

Commit Type Description

... (truncated)

Commits

7f9de3c fix(core): block creation of sensitive URI attributes from ICU messages
c2c2b4a fix(core): sanitize sensitive attributes on SVG script elements
See full diff in compare view

Updates @modelcontextprotocol/sdk from 1.24.0 to 1.26.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

chore: bump v1.25.3 for backport fixes by @pcarleton in modelcontextprotocol/typescript-sdk#1412

fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @samuv in modelcontextprotocol/typescript-sdk#1382

Fix #1430: Client Credentials providers scopes support (backported) by @NSeydoux in modelcontextprotocol/typescript-sdk#1442

chore: bump version to 1.26.0 by @pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

@samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382

@NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

[v1.x backport] Use correct schema for client sampling validation when tools are present by @olaservo in modelcontextprotocol/typescript-sdk#1407

fix: prevent Hono from overriding global Response object (v1.x) by @mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

v1.25.2

What's Changed

ci: trigger workflow on v1.x branch by @felixweinberger in modelcontextprotocol/typescript-sdk#1319

fix: README badges links destinations by @antonpk1 in modelcontextprotocol/typescript-sdk#907

fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @pcarleton in modelcontextprotocol/typescript-sdk#1365

New Contributors

@antonpk1 made their first contribution in modelcontextprotocol/typescript-sdk#907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

1.25.1

What's Changed

spec types - backwards compatibility changes by @KKonstantinov in modelcontextprotocol/typescript-sdk#1306

chore: bump version for patch fix by @felixweinberger in modelcontextprotocol/typescript-sdk#1307

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

1.25.0

What's Changed

list changed handlers on client constructor by @mattzcarey in modelcontextprotocol/typescript-sdk#1206

Role - moved from inline to reusable type by @KKonstantinov in modelcontextprotocol/typescript-sdk#1221

fix: use versioned npm tag for non-main branch releases by @pcarleton in modelcontextprotocol/typescript-sdk#1236

No automatic completion support unless needed - Revisited yet again by @cliffhall in modelcontextprotocol/typescript-sdk#1237

fix: Support updating output schema by @vincent0426 in modelcontextprotocol/typescript-sdk#1048

... (truncated)

Commits

fe9c07b chore: bump version to 1.26.0 (#1479)
4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
a05be17 Merge commit from fork
50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
6aba065 chore: bump v1.25.3 for backport fixes (#1412)
6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)
a0c9b13 fix: README badges links destinations (#907)
Additional commits viewable in compare view

Updates axios from 1.13.2 to 1.13.6

Release notes

Sourced from axios's releases.

v1.13.6

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

Breaking Changes: None identified in this release.

Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @moh3n9595 for the initial implementation. (#5764)

Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#7385)

🐛 Bug Fixes

Environment Compatibility:

Fixed module exports for React Native and Browserify environments. (#7386)

Added safe FormData detection for the WeChat Mini Program environment. (#7324)

Error Handling:

AxiosError.message is now correctly enumerable. (#7392)

AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#7403)

🔧 Maintenance & Chores

Dependencies: Updated the development_dependencies group (5 updates). (#7432)

Infrastructure: Migrated @rollup/plugin-babel from v5.3.1 to v6.1.0. (#7424)

Documentation: Added missing JSDoc comments to utilities. (#7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

@Gudahtt (#7386)

@ybbus (#7392)

@Shiwaangee (#7324)

@skrtheboss (#7403)

@Janaka66 (#7427)

@moh3n9595 (#5764)

@digital-wizard48 (#7424)

Full Changelog: v1.13.5...v1.13.6

v1.13.5

Release 1.13.5

Highlights

Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)

Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

...
Description has been truncated

… updates Bumps the npm_and_yarn group with 3 updates in the /services/auth-service/nodejs directory: [minimatch](https://github.com/isaacs/minimatch), [koa](https://github.com/koajs/koa) and [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 2 updates in the /services/gateway/nodejs directory: [minimatch](https://github.com/isaacs/minimatch) and [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 3 updates in the /services/training-service/nodejs directory: [minimatch](https://github.com/isaacs/minimatch), [koa](https://github.com/koajs/koa) and [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 9 updates in the /services/ui/angular directory: | Package | From | To | | --- | --- | --- | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [qs](https://github.com/ljharb/qs) | `6.14.0` | `6.14.2` | | [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `20.3.15` | `20.3.16` | | [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `20.3.15` | `20.3.17` | | [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.24.0` | `1.26.0` | | [axios](https://github.com/axios/axios) | `1.13.2` | `1.13.6` | | [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.0.5` | `5.2.0` | | [immutable](https://github.com/immutable-js/immutable-js) | `3.8.2` | `3.8.3` | | [immutable](https://github.com/immutable-js/immutable-js) | `5.1.4` | `5.1.5` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | Bumps the npm_and_yarn group with 6 updates in the /services/ui/react directory: | Package | From | To | | --- | --- | --- | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [axios](https://github.com/axios/axios) | `1.13.2` | `1.13.6` | | [immutable](https://github.com/immutable-js/immutable-js) | `3.8.2` | `3.8.3` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | | [rollup](https://github.com/rollup/rollup) | `4.53.3` | `4.59.0` | | [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) | `7.10.1` | `7.12.0` | Bumps the npm_and_yarn group with 3 updates in the /services/user-service/nodejs directory: [minimatch](https://github.com/isaacs/minimatch), [koa](https://github.com/koajs/koa) and [qs](https://github.com/ljharb/qs). Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `koa` from 3.1.1 to 3.1.2 - [Release notes](https://github.com/koajs/koa/releases) - [Changelog](https://github.com/koajs/koa/blob/master/History.md) - [Commits](koajs/koa@v3.1.1...v3.1.2) Updates `qs` from 6.14.0 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.0) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `qs` from 6.14.0 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.0) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `koa` from 3.1.1 to 3.1.2 - [Release notes](https://github.com/koajs/koa/releases) - [Changelog](https://github.com/koajs/koa/blob/master/History.md) - [Commits](koajs/koa@v3.1.1...v3.1.2) Updates `qs` from 6.14.0 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.0) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `qs` from 6.14.0 to 6.14.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.0) Updates `@angular/compiler` from 20.3.15 to 20.3.16 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v20.3.16/packages/compiler) Updates `@angular/core` from 20.3.15 to 20.3.17 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v20.3.17/packages/core) Updates `@modelcontextprotocol/sdk` from 1.24.0 to 1.26.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.24.0...v1.26.0) Updates `axios` from 1.13.2 to 1.13.6 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.13.2...v1.13.6) Updates `basic-ftp` from 5.0.5 to 5.2.0 - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.0.5...v5.2.0) Updates `tar` from 6.2.1 to 7.5.11 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v6.2.1...v7.5.11) Updates `immutable` from 3.8.2 to 3.8.3 - [Release notes](https://github.com/immutable-js/immutable-js/releases) - [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md) - [Commits](immutable-js/immutable-js@v3.8.2...v3.8.3) Updates `immutable` from 5.1.4 to 5.1.5 - [Release notes](https://github.com/immutable-js/immutable-js/releases) - [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md) - [Commits](immutable-js/immutable-js@v3.8.2...v3.8.3) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `axios` from 1.13.2 to 1.13.6 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.13.2...v1.13.6) Updates `immutable` from 3.8.2 to 3.8.3 - [Release notes](https://github.com/immutable-js/immutable-js/releases) - [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md) - [Commits](immutable-js/immutable-js@v3.8.2...v3.8.3) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `rollup` from 4.53.3 to 4.59.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.53.3...v4.59.0) Updates `react-router` from 7.10.1 to 7.12.0 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/react-router@7.12.0/packages/react-router) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `koa` from 3.1.1 to 3.1.2 - [Release notes](https://github.com/koajs/koa/releases) - [Changelog](https://github.com/koajs/koa/blob/master/History.md) - [Commits](koajs/koa@v3.1.1...v3.1.2) Updates `qs` from 6.14.0 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.0) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: koa dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: koa dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.14.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@angular/compiler" dependency-version: 20.3.16 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@angular/core" dependency-version: 20.3.17 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.26.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: axios dependency-version: 1.13.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: basic-ftp dependency-version: 5.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: immutable dependency-version: 3.8.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: immutable dependency-version: 5.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: axios dependency-version: 1.13.6 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: immutable dependency-version: 3.8.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.59.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: react-router dependency-version: 7.12.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: koa dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-03-13T21:04:07Z

Superseded by #268.

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 10, 2026

dependabot bot mentioned this pull request Mar 10, 2026

build(deps): bump the npm_and_yarn group across 6 directories with 13 updates #266

Closed

github-actions bot added services ui user-service gateway auth-service training-service angular react labels Mar 10, 2026

dependabot bot closed this Mar 13, 2026

dependabot bot deleted the dependabot/npm_and_yarn/services/auth-service/nodejs/npm_and_yarn-8a5e9b08fe branch March 13, 2026 21:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the npm_and_yarn group across 6 directories with 13 updates#267

build(deps): bump the npm_and_yarn group across 6 directories with 13 updates#267
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/services/auth-service/nodejs/npm_and_yarn-8a5e9b08fe

dependabot bot commented on behalf of github Mar 10, 2026

Uh oh!

dependabot bot commented on behalf of github Mar 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Commit	Type	Description
8e808740c9	fix	better types for a few expression AST nodes
63b1cdcf70	fix	produce accurate span for typeof and void expressions
3c3ae0cb64	fix	provide location information for literal map keys
523dbaf1c3	fix	stop ThisReceiver inheritance from ImplicitReceiver

Commit	Type	Description
4d9c4567ed	fix	ensure component import diagnostics are reported within the `imports` expression
cd405685af	fix	fix up spelling of diagnostic
778460fcca	fix	support qualified names in `typeof` type references

Commit	Type	Description
7c74674eb0	fix	avoid leaking view data in animations
0edbee4550	fix	explicitly cast signal node value to String
f9c29572d2	fix	sanitize sensitive attributes on SVG script elements

Commit	Type	Description
e3fba182f9	feat	add `[formField]` directive
561772b152	fix	allow custom controls to require `dirty` input
f0fb1d8581	fix	allow custom controls to require `hidden` input
ec110f170b	fix	allow custom controls to require `pending` input
ae1dc16bb0	fix	clean up abort listener after timeout
9748b0d5da	fix	support custom controls with non signal-based models
6bd22df987	fix	Support readonly arrays in signal forms

Commit	Type	Description
18003a33bb	feat	add an 'outlet' injector option for ngTemplateOutlet
8bbe6dc46c	feat	Add Location strategies to manage trailing slash on write
51cc914807	feat	support height in ImageLoaderConfig and built-in loaders

Commit	Type	Description
72534e2a34	feat	Add support for the `instanceof` binary operator
95b3f37d4a	feat	Exhaustive checks for switch blocks
04ba09a8d9	feat	support `AstVisitor.visitEmptyExpr()`
ce80136e7b	fix	optimize away unnecessary restore/reset view calls
3242a61bae	fix	variable counter visiting some expressions twice

Commit	Type	Description
473dd3e1cb	fix	attach source spans to object literal keys in TCB
a904d9f77b	fix	support nested component declaration
2ea6dfc6c9	fix	update diagnostic to flag no-op arrow functions in listeners

Commit	Type	Description
8d5210c9fe	feat	add ChangeDetectionStrategy.Eager alias for Default
92d2498910	feat	add host node to DeferBlockData (#66546)
ea2016a6dc	feat	add support for nested animations
81cabc1477	feat	add support for TypeScript 6
1ba9b7ac50	feat	resource composition via snapshots
d9923b72a2	feat	support arrow functions in expressions
a7e8abbb7e	fix	correctly handle SkipSelf when resolving from embedded view injector
0806ee3826	fix	prevent animated element duplication with dynamic components in zoneless mode
ed78fa05c7	fix	Remove note to skip arrow functions in best practices

Conversation

dependabot bot commented on behalf of github Mar 10, 2026

v3.1.2

What's Changed

New Contributors

6.15.0

6.14.2

6.14.1

6.15.0

6.14.2

6.14.1

v3.1.2

What's Changed

New Contributors

6.15.0

6.14.2

6.14.1

6.15.0

6.14.2

6.14.1

20.3.16

core

20.3.16 (2026-01-07)

core

19.2.18 (2026-01-07)

core

21.0.7 (2026-01-07)

compiler

compiler-cli

core

forms

router

20.3.17

core

Breaking Changes

core

20.3.16

core

20.3.17 (2026-02-25)

Breaking Changes

core

core

21.2.0 (2026-02-25)

common

compiler

compiler-cli

core

forms

v1.26.0

What's Changed

New Contributors

v1.25.3

What's Changed

v1.25.2

What's Changed

New Contributors

1.25.1

What's Changed

1.25.0

What's Changed

v1.13.6

⚠️ Important Changes

🚀 New Features

🐛 Bug Fixes

🔧 Maintenance & Chores

🌟 New Contributors

v1.13.5

Release 1.13.5

Highlights

Changes

Security

Uh oh!

dependabot bot commented on behalf of github Mar 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development