Bump the npm_and_yarn group across 2 directories with 20 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the /bin/Debug/net8.0/my-app directory: @angular/common, @angular/platform-server, cookie and ws.
Bumps the npm_and_yarn group with 4 updates in the /wwwroot directory: @angular/common, @angular/platform-server, cookie and ws.

Updates @angular/common from 17.1.3 to 21.0.1

Release notes

Sourced from @​angular/common's releases.

21.0.1

compiler-cli

Commit	Description
	do not type check native controls with ControlValueAccessor
	escape angular control flow in jsdoc
	ignore non-existent files

core

Commit	Description
	apply bootstrap-options migration to platformBrowserDynamic
	debug data causing memory leak for root effects
	notify profiler events in case of errors
	use injected DOCUMENT for CSP_NONCE
	avoid repeat searches for field directive

forms

Commit	Description
	add DI option for classes on Field directive
	allow dynamic type bindings on signal form controls
	run reset as untracked

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

migrations

Commit	Description
	detect structural ngTemplateOutlet and ngComponentOutlet

VSCode Extension: 21.0.0

• fix(language-service): address potential memory leak during project creation (89095946cf)
• fix(language-server): fix directory renaming on Windows (3f7111a9c3)

21.0.0

common

Commit	Description
	Add experimental support for the Navigation API (#63406)
	Support of optional keys for the KeyValue pipe (#48814)
	update to cldr 47 (#64032)
	properly type ngComponentOutlet (#64561)
	improve typing of ngComponentOutletContent (#63674)
	removengModuleFactory input of NgComponentOutlet (#62838)

compiler

Commit	Description
	don't choke on unbalanced parens in declaration block

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

21.0.1 (2025-11-25)

compiler-cli

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

core

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected DOCUMENT for CSP_NONCE
cc1ec09931	perf	avoid repeat searches for field directive

forms

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on Field directive
8acf5d2756	fix	allow dynamic type bindings on signal form controls
de5fca94c5	fix	run reset as untracked

http

Commit	Type	Description
3240d856d9	fix	prevent XSRF token leakage to protocol-relative URLs

migrations

Commit	Type	Description
f394215b14	fix	detect structural ngTemplateOutlet and ngComponentOutlet

21.0.0 (2025-11-19)

Blog post "Announcing Angular v21".

Breaking Changes

... (truncated)

Commits

• 3240d85 fix(http): prevent XSRF token leakage to protocol-relative URLs
• 6de8926 refactor(core): add debug name to resource (#64172)
• 00ffe91 refactor(common): removes unused NgModuleFactory config in NgComponentOutlet
• 8765b66 docs: add reference to Built-in Pipes in multiple pipe files
• ab98e71 fix(common): remove placeholder image listeners once view is removed
• 8ab0847 refactor(core): mark VERSION as @__PURE__ for better tree-shaking
• 650af71 refactor(http): migrate XSRF classes to use inject() function
• 3bed9f0 build: format md files
• a3c2fe8 Revert "refactor(common): Removes unused imports to clean up dependencies"
• 6d3e0f1 refactor(common): Removes unused imports to clean up dependencies
• Additional commits viewable in compare view

Updates @angular/platform-server from 17.1.3 to 21.0.1

Release notes

Sourced from @​angular/platform-server's releases.

21.0.1

compiler-cli

Commit	Description
	do not type check native controls with ControlValueAccessor
	escape angular control flow in jsdoc
	ignore non-existent files

core

Commit	Description
	apply bootstrap-options migration to platformBrowserDynamic
	debug data causing memory leak for root effects
	notify profiler events in case of errors
	use injected DOCUMENT for CSP_NONCE
	avoid repeat searches for field directive

forms

Commit	Description
	add DI option for classes on Field directive
	allow dynamic type bindings on signal form controls
	run reset as untracked

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

migrations

Commit	Description
	detect structural ngTemplateOutlet and ngComponentOutlet

VSCode Extension: 21.0.0

• fix(language-service): address potential memory leak during project creation (89095946cf)
• fix(language-server): fix directory renaming on Windows (3f7111a9c3)

21.0.0

common

Commit	Description
	Add experimental support for the Navigation API (#63406)
	Support of optional keys for the KeyValue pipe (#48814)
	update to cldr 47 (#64032)
	properly type ngComponentOutlet (#64561)
	improve typing of ngComponentOutletContent (#63674)
	removengModuleFactory input of NgComponentOutlet (#62838)

compiler

Commit	Description
	don't choke on unbalanced parens in declaration block

... (truncated)

Changelog

Sourced from @​angular/platform-server's changelog.

21.0.1 (2025-11-25)

compiler-cli

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

core

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected DOCUMENT for CSP_NONCE
cc1ec09931	perf	avoid repeat searches for field directive

forms

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on Field directive
8acf5d2756	fix	allow dynamic type bindings on signal form controls
de5fca94c5	fix	run reset as untracked

http

Commit	Type	Description
3240d856d9	fix	prevent XSRF token leakage to protocol-relative URLs

migrations

Commit	Type	Description
f394215b14	fix	detect structural ngTemplateOutlet and ngComponentOutlet

21.0.0 (2025-11-19)

Blog post "Announcing Angular v21".

Breaking Changes

... (truncated)

Commits

• 908b5a4 refactor: replace getDocument() with inject(DOCUMENT)
• 8ab0847 refactor(core): mark VERSION as @__PURE__ for better tree-shaking
• 3bed9f0 build: format md files
• 1b5e2c8 refactor(platform-server): remove redundant providedIn: 'root' from injecti...
• 062a696 refactor(platform-server): use URL constructor for robust parsing (#64494)
• dd2f53b refactor(core): warning when hydration trigger is used without hydration b...
• ad23764 feat(core): support IntersectionObserver options in viewport triggers (#64130)
• f5b50ec refactor: clean up explicit standalone flags from tests (#63963)
• f008045 fix(core): do not rename ARIA property bindings to attributes (#63925)
• 0d028e0 refactor(platform-browser): Remove zonejs compatibility detector (#63847)
• Additional commits viewable in compare view

Updates @angular/platform-server from 17.1.3 to 21.0.1

Release notes

Sourced from @​angular/platform-server's releases.

21.0.1

compiler-cli

Commit	Description
	do not type check native controls with ControlValueAccessor
	escape angular control flow in jsdoc
	ignore non-existent files

core

Commit	Description
	apply bootstrap-options migration to platformBrowserDynamic
	debug data causing memory leak for root effects
	notify profiler events in case of errors
	use injected DOCUMENT for CSP_NONCE
	avoid repeat searches for field directive

forms

Commit	Description
	add DI option for classes on Field directive
	allow dynamic type bindings on signal form controls
	run reset as untracked

http

Commit	Description
	prevent XSRF token leakage to protocol-relative URLs

migrations

Commit	Description
	detect structural ngTemplateOutlet and ngComponentOutlet

VSCode Extension: 21.0.0

• fix(language-service): address potential memory leak during project creation (89095946cf)
• fix(language-server): fix directory renaming on Windows (3f7111a9c3)

21.0.0

common

Commit	Description
	Add experimental support for the Navigation API (#63406)
	Support of optional keys for the KeyValue pipe (#48814)
	update to cldr 47 (#64032)
	properly type ngComponentOutlet (#64561)
	improve typing of ngComponentOutletContent (#63674)
	removengModuleFactory input of NgComponentOutlet (#62838)

compiler

Commit	Description
	don't choke on unbalanced parens in declaration block

... (truncated)

Changelog

Sourced from @​angular/platform-server's changelog.

21.0.1 (2025-11-25)

compiler-cli

Commit	Type	Description
39c577bc36	fix	do not type check native controls with ControlValueAccessor
8d3a89a477	fix	escape angular control flow in jsdoc
bc34083d34	fix	ignore non-existent files

core

Commit	Type	Description
0ea1e07174	fix	apply bootstrap-options migration to platformBrowserDynamic
70507b8c1c	fix	debug data causing memory leak for root effects
a55482fca3	fix	notify profiler events in case of errors
49ad7c6508	fix	use injected DOCUMENT for CSP_NONCE
cc1ec09931	perf	avoid repeat searches for field directive

forms

Commit	Type	Description
7d5c7cf99a	feat	add DI option for classes on Field directive
8acf5d2756	fix	allow dynamic type bindings on signal form controls
de5fca94c5	fix	run reset as untracked

http

Commit	Type	Description
3240d856d9	fix	prevent XSRF token leakage to protocol-relative URLs

migrations

Commit	Type	Description
f394215b14	fix	detect structural ngTemplateOutlet and ngComponentOutlet

21.0.0 (2025-11-19)

Blog post "Announcing Angular v21".

Breaking Changes

... (truncated)

Commits

• 908b5a4 refactor: replace getDocument() with inject(DOCUMENT)
• 8ab0847 refactor(core): mark VERSION as @__PURE__ for better tree-shaking
• 3bed9f0 build: format md files
• 1b5e2c8 refactor(platform-server): remove redundant providedIn: 'root' from injecti...
• 062a696 refactor(platform-server): use URL constructor for robust parsing (#64494)
• dd2f53b refactor(core): warning when hydration trigger is used without hydration b...
• ad23764 feat(core): support IntersectionObserver options in viewport triggers (#64130)
• f5b50ec refactor: clean up explicit standalone flags from tests (#63963)
• f008045 fix(core): do not rename ARIA property bindings to attributes (#63925)
• 0d028e0 refactor(platform-browser): Remove zonejs compatibility detector (#63847)
• Additional commits viewable in compare view

Updates express from 4.19.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Commits

• 1faf228 4.21.2
• 2e0fb64 deps: bump path-to-regexp@0.1.12 (#6209)
• 59fc270 deps: path-to-regexp@0.1.11 (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): cookie@0.7.1
• 7e562c6 4.21.0
• 1bcde96 fix(deps): qs@6.13.0 (#5946)
• 7d36477 fix(deps): serve-static@1.16.2 (#5951)
• 40d2d8f fix(deps): finalhandler@1.3.1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates body-parser from 1.20.2 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to node@22.4.1 by @​wesleytodd in expressjs/body-parser#527
• deps: qs@6.12.3 by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Commits

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (#531)
• 99a1bd6 deps: qs@6.12.3 (#521)
• 9478591 fix: pin to node@22.4.1
• 83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (#522)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cookie from 0.4.2 to 0.7.1

Release notes

Sourced from cookie's releases.

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

0.5.0

• Add priority option
• Fix expires option to reject invalid dates
• pref: improve default decode speed
• pref: remove slow string split in parse

Commits

• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• d6f39b0 Fix tests for old node
• 6bb701f Remove failing scorecard
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates js-yaml from 3.14.1 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/...

  Description has been truncated

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml