Bump the npm_and_yarn group across 2 directories with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /docs directory: astro, diff and mdast-util-to-hast.
Bumps the npm_and_yarn group with 2 updates in the /examples/vite-angular directory: @angular/common and @angular/compiler.

Updates astro from 5.13.5 to 5.15.9

Changelog

Sourced from astro's changelog.

5.15.9

Patch Changes

• #14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

• #14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

• #14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

  In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  export default defineConfig({
  images: {
  remotePatterns: [
  {
  protocol: 'data',
  },
  ],
  },
  });

• #14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

  Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

• #14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

• Updated dependencies [9e9c528, 0f75f6b]:

  • @​astrojs/internal-helpers@​0.7.5
  • @​astrojs/markdown-remark@​6.3.9

5.15.8

Patch Changes

• #14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

  Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

• #14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

  Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

5.15.7

... (truncated)

Commits

• 7a07f02 [ci] release (#14788)
• 8cf3f05 [ci] format
• 758a891 fix(astro): handle invalid encrypted props in server island (#14786)
• 3537876 fix: passthroughImageService generate webp (#14776)
• 048e4dc [ci] format
• 9e9c528 fix: require explicit authorization to use data urls (#14791)
• 0f75f6b Fix wildcard hostname matching to reject hostnames without dots (#14787)
• 504958f feat(fonts): log number of downloaded files (#14783)
• 24e28d2 fix(deps): update astro dependencies (#14779)
• 60af4d0 [ci] release (#14773)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.

Updates devalue from 5.3.2 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

... (truncated)

Commits

• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• 5e07a67 Version Packages (#129)
• aa09604 Bump js-yaml from 3.14.1 to 3.14.2 (#125)
• 2161d44 fix: add hasOwn check before calling reviver (#128)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

Commits

• b7b6339 v5.2.2
• b5377ab Update package version to 5.2.1
• 7801789 Backport kpdecker/jsdiff#649
• 042a837 Backport kpdecker/jsdiff#647
• See full diff in compare view

Updates h3 from 1.15.4 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

• Update deps (e2462ec)
• Update ci (c934599)
• Add test:types script (0a4a115)
• Update ci (b4dce71)
• Update publish tag to 1.x (589625c)
• Fix ts issue (c9ebf80)
• Update deps (d18c074)
• Fix more ts/lint issues (bd92b74)

🤖 CI

• Fix publish tag (401c9b8)

❤️ Contributors

• Pooya Parsa (@​pi0)

Commits

• 24231b9 chore(release): v1.15.5
• bd92b74 chore: fix more ts/lint issues
• d18c074 chore: update deps
• c9ebf80 chore: fix ts issue
• 618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
• 401c9b8 ci: fix publish tag
• 589625c chore: update publish tag to 1.x
• b4dce71 chore: update ci
• 0a4a115 chore: add test:types script
• c934599 chore: update ci
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates mdast-util-to-hast from 13.2.0 to 13.2.1

Release notes

Sourced from mdast-util-to-hast's releases.

13.2.1

Fix

• ab3a795 Fix support for spaces in class names

Types

• efb5312 Refactor to use @imports
• a5bc210 Add declaration maps

Full Changelog: syntax-tree/mdast-util-to-hast@13.2.0...13.2.1

Commits

• 174795b 13.2.1
• 3d05b3a Update Node in Actions
• ab3a795 Fix support for spaces in class names
• efb5312 Refactor to use @imports
• a5bc210 Add declaration maps
• b54955d Add .tsbuildinfo to .gitignore
• See full diff in compare view

Updates vite from 6.3.5 to 6.4.1

Release notes

Sourced from vite's releases.

create-vite@6.4.1

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.0-beta.15 (2026-02-19)

Features

• update rolldown to 1.0.0-rc.5 (#21660) (b3ddbc5)

Bug Fixes

• dev: only treat EADDRINUSE as port conflict in wildcard pre-check (#21642) (e54e25f)
• dev: prevent concurrent server restarts (#21636) (8ce23a3)
• dev: return "502 Bad Gateway" on proxy failures instead of 500 (#21652) (e240df2)

Performance Improvements

• ssr: skip circular import check for already-evaluated modules (#21632) (235140b)
• use tsconfig cache for oxc transform in dev (#21643) (57ff177)

Miscellaneous Chores

• deps: remove fdir and @rollup/plugin-commonjs (#21639) (5abffd5)
• deps: update dependency @​rollup/plugin-alias to v6 (#21097) (44b5bdf)

8.0.0-beta.14 (2026-02-12)

Features

• update rolldown to 1.0.0-rc.4 (#21617) (1ee5c7f)
• wasm: add SSR support for .wasm?init (#21102) (216a3b5)

Bug Fixes

• clear tsconfig cache only when tsconfig.json is cached (#21622) (50c9675)
• deps: update all non-major dependencies (#21594) (becdc5d)
• lib: CSS injection point error with nested name IIFE output (#21606) (5003de6)
• module-runner: incorrect column with sourcemapInterceptor: "prepareStackTrace" (#21562) (416c095)
• module-runner: prevent crash on negative column in stacktrace (#21585) (a075590)
• rolldownOptions/rollupOptions merging at environment level (#21612) (db2ecc7)

Miscellaneous Chores

• fix broken link for future deprecations (#21603) (25f4501)
• update customResolver deprecation message to mention enforce: 'pre' (#21576) (2ce34d5)

Code Refactoring

• enable some native plugins even with enable native plugin false (#21608) (5a4f692)
• use rolldown/utils (#21577) (e56103f)
• use internal devtools config (#21609) (9aea20f)
• use parseEnv (#21586) (f859d2c)
• wasm: remove native wasm helper plugin usage (#21566) (71a86be)

Tests

... (truncated)

Commits

• 0a0c50a refactor: simplify pluginFilter implementation (#19828)
• 59d0b35 perf(css): avoid constructing renderedModules (#19775)
• 175a839 fix: reject requests with # in request-target (#19830)
• e2e11b1 fix(module-runner): allow already resolved id as entry (#19768)
• 7200dee fix: correct the behavior when multiple transform filter options are specifie...
• b125172 fix(css): remove empty chunk imports correctly when chunk file name contained...
• 8fe3538 test: tweak generateCodeFrame test (#19812)
• 36935b5 fix(types): remove the keepProcessEnv from the DefaultEnvironmentOptions ...
• a0e1a04 docs(vite): fix description of transformIndexHtml hook (#19799)
• 71227be fix: unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791)
• Additional commits viewable in compare view

Updates @angular/common from 17.3.12 to 21.1.5

Release notes

Sourced from @​angular/common's releases.

21.1.5

No user facing changes in this release

21.1.4

compiler

Commit	Description
	add geolocation element to schema

core

Commit	Description
	capture animation dependencies eagerly to avoid destroyed injector
	Fix flakey test due to document injection

forms

Commit	Description
	support signal-based schemas in validateStandardSchema

http

Commit	Description
	correctly parse ArrayBuffer and Blob in transfer cache

21.1.3

core

Commit	Description
	linkedSignal.update should propagate errors
	export DirectiveWithBindings
	hold constructors weakly in DepsTracker cache
	prevent element duplication with dynamic components

forms

Commit	Description
	Resolves debounce promise on abort in debounceForDuration

localize

Commit	Description
	add support for unit-test builder in ng-add schematic

router

Commit	Description
	limit UrlParser recursion depth to prevent stack overflow
	Use .bind to avoid holding other closures in memory

21.1.2

forms

Commit	Description
	only touch visible, interactive fields on submit

language-service

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

21.1.5 (2026-02-18)

No user facing changes in this release

21.2.0-next.3 (2026-02-11)

common

Commit	Type	Description
18003a33bb	feat	add an 'outlet' injector option for ngTemplateOutlet
51cc914807	feat	support height in ImageLoaderConfig and built-in loaders

compiler

Commit	Type	Description
11834a4274	fix	add geolocation element to schema

compiler-cli

Commit	Type	Description
2ea6dfc6c9	fix	update diagnostic to flag no-op arrow functions in listeners

core

Commit	Type	Description
ea2016a6dc	feat	add support for nested animations
bd2868e915	fix	capture animation dependencies eagerly to avoid destroyed injector
a7e8abbb7e	fix	correctly handle SkipSelf when resolving from embedded view injector
e53c8abaf9	fix	Fix flakey test due to document injection

forms

Commit	Type	Description
f56bb07d83	feat	add field param to submit action and onInvalid
ba009b6031	feat	add form directive
24c0c5a180	feat	support signal-based schemas in validateStandardSchema
adfb83146b	fix	simplify design of parse errors

http

Commit	Type	Description
cb1163e5e5	fix	correctly parse ArrayBuffer and Blob in transfer cache

21.1.4 (2026-02-11)

compiler

Commit	Type	Description
caab23dfe6	fix	add geolocation element to schema

core

Commit	Type	Description

... (truncated)

Commits

• 58eba77 refactor(core): remove outdated TODO comments referencing TypeScript 2.1
• 55b501a refactor(common): improve image directive typings
• 6c14e3a build: update Jasmine to 6.0.0
• 19542a3 test(common): remove zone-based testing utilities
• 3905015 fix(http): correctly parse ArrayBuffer and Blob in transfer cache
• 6f5c233 refactor(common): extract argument assertion
• 7242da2 docs: reword docs on standalone.
• 6601f06 test(common): enables zoneless change detection in tests
• 3954dc2 refactor(http): remove redundant providedIn: 'root' in XSRF_HEADER_NAME
• 03e2b36 refactor(core): update error message links to versioned docs (#66374)
• Additional commits viewable in compare view

Updates @angular/compiler from 17.3.12 to 21.1.5

Release notes

Sourced from @​angular/compiler's releases.

21.1.5

No user facing changes in this release

21.1.4

compiler

Commit	Description
	add geolocation element to schema

core

Commit	Description
	capture animation dependencies eagerly to avoid destroyed injector
	Fix flakey test due to document injection

forms

Commit	Description
	support signal-based schemas in validateStandardSchema

http

Commit	Description
	correctly parse ArrayBuffer and Blob in transfer cache

21.1.3

core

Commit	Description
	linkedSignal.update should propagate errors
	export DirectiveWithBindings
	hold constructors weakly in DepsTracker cache
	prevent element duplication with dynamic components

forms

Commit	Description
	Resolves debounce promise on abort in debounceForDuration

localize

Commit	Description
	add support for unit-test builder in ng-add schematic

router

Commit	Description
	limit UrlParser recursion depth to prevent stack overflow
	Use .bind to avoid holding other closures in memory

21.1.2

forms

Commit	Description
	only touch visible, interactive fields on submit

language-service

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

21.1.5 (2026-02-18)

No user facing changes in this release

21.2.0-next.3 (2026-02-11)

common

Commit	Type	Description
18003a33bb	feat	add an 'outlet' injector option for ngTemplateOutlet
51cc914807	feat	support height in ImageLoaderConfig and built-in loaders

compiler

Commit	Type	Description
11834a4274	fix	add geolocation element to schema

compiler-cli

Commit	Type	Description
2ea6dfc6c9	fix	update diagnostic to flag no-op arrow functions in listeners

core

Commit	Type	Description
ea2016a6dc	feat	add support for nested animations
bd2868e915	fix	capture animation dependencies eagerly to avoid destroyed injector
a7e8abbb7e	fix	correctly handle SkipSelf when resolving from embedded view injector
e53c8abaf9	fix	Fix flakey test due to document injection

forms

Commit	Type	Description
f56bb07d83	feat	add field param to submit action and onInvalid
ba009b6031	feat	add form directive
24c0c5a180	feat	support signal-based schemas in validateStandardSchema
adfb83146b	fix	simplify design of parse errors

http

Commit	Type	Description
cb1163e5e5	fix	correctly parse ArrayBuffer and Blob in transfer cache

21.1.4 (2026-02-11)

compiler

Commit	Type	Description
caab23dfe6	fix	add geolocation element to schema

core

Commit	Type	Description

... (truncated)

Commits

• 6c14e3a build: update Jasmine to 6.0.0
• caab23d fix(compiler): add geolocation element to schema
• 3f0fbaa refactor(compiler): remove zone-based testing utilities
• 0729181 test(compiler): remove zone-based testing utilities
• ea70b00 refactor(compiler): remove unused symbols
• ded654d build: initial test of TypeScript 6
• 5326333 fix(forms): Ensure the control instruction comes after the other bindings
• 29f074a fix(forms): Rename signal form [field] to [formField]
• 0875dea refactor(compiler): switch Binary.isAssignmentOperation to type guard function
• 83bac5a refactor(compiler): tighten Unary.operator type
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.