Bump the npm_and_yarn group across 2 directories with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
express-jwt	0.1.3	6.0.0
file-type	16.5.4	22.0.1
jsonwebtoken	0.4.0	9.0.0
libxmljs2	0.33.0	0.37.0
multer	1.4.5-lts.2	2.1.1
sanitize-html	1.4.2	2.17.4
socket.io	3.1.2	4.8.3

Bumps the npm_and_yarn group with 4 updates in the /frontend directory: @angular/common, @angular/compiler, @angular/core and @nguniversal/express-engine.

Updates express-jwt from 0.1.3 to 6.0.0

Commits

• 678f3b0 6.0.0
• 7ecab5f Merge pull request from GHSA-6g6m-m6h5-w9gf
• 304a1c5 Made algorithms mandatory
• e9ed6d2 5.3.3
• 8662579 Make clearer sections in the Readme
• d3e86bf Update README.md
• c5d8419 Add a note about OAuth2 bearer tokens
• 888f0e9 Update Readme and use a consistent JS style for code examples
• 6591014 5.3.2
• f4f4d1d fix license field
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by yacine-b, a new releaser for express-jwt since your current version.

Updates file-type from 16.5.4 to 22.0.1

Release notes

Sourced from file-type's releases.

v22.0.1

• Fix: Work around esbuild resolving Node-only imports ce4262f

---

sindresorhus/file-type@v22.0.0...v22.0.1

v22.0.0

Breaking

• Requires Node.js 22

• Dropped Node.js stream.Readable support from fileTypeFromStream() and fileTypeStream()

  • These now only accept a web ReadableStream. Migrate with Readable.toWeb():

  // Before
  import fs from 'node:fs';
  fileTypeFromStream(fs.createReadStream('file.mp4'));
  // After
  import fs from 'node:fs';
  import {Readable} from 'node:stream';
  fileTypeFromStream(Readable.toWeb(fs.createReadStream('file.mp4')));

• Sub-exports (e.g. file-type/core) have been removed. Import everything from file-type directly.

• The ReadableStreamWithFileType type has been removed. Use AnyWebReadableByteStreamWithFileType instead.

• Several MIME types have been corrected or normalized:

  Type	Old MIME	New MIME
  lz	application/x-lzip	application/lzip
  lnk	application/x.ms.shortcut	application/x-ms-shortcut
  Apple Alias	application/x.apple.alias	application/x-ft-apple.alias
  fbx	application/x.autodesk.fbx	application/x-ft-fbx
  Draco	application/vnd.google.draco	application/x-ft-draco

  MIME subtypes prefixed with x-ft- are custom types defined by this package (not IANA-registered).

Improvements

• Added detection for Apple iWork files: .key (Keynote), .pages (Pages), .numbers (Numbers)

Fixes

• Fixed LibreOffice OOXML files being incorrectly detected as ZIP when reading from streams

---

sindresorhus/file-type@v21.3.4...v22.0.0

... (truncated)

Commits

• 3c4b7e0 22.0.1
• ce4262f Fix: Work around esbuild resolving Node-only imports
• 2c54d06 22.0.0
• 0ba6e0b Tweaks
• 0e679c7 Remove sub-exports
• 7079af7 Tweaks
• ec77458 Add support for iWork files (.key, .pages, .numbers)
• d4a975c Fix LibreOffice OOXML files detected as ZIP in streams
• 5de64e2 Normalize MIME types we invented with x-ft- prefix
• 7a60fa9 Require Node.js 22
• Additional commits viewable in compare view

Updates jsonwebtoken from 0.4.0 to 9.0.0

Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

8.5.1 - 2019-03-18

Bug fix

• fix: ensure correct PS signing and verification (#585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #585

Docs

• README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)

8.5.0 - 2019-02-20

New Functionality

• feat: add PS JWA support for applicable node versions (#573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #573
• Add complete option in jwt.verify (#522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #522

Test Improvements

• Add tests for private claims in the payload (#555) (5147852896755dc1291825e2e40556f964411fb2), closes #555
• Force use_strict during testing (#577) (7b60c127ceade36c33ff33be066e435802001c94), closes #577
• Refactor tests related to jti and jwtid (#544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #544
• ci: remove nsp from tests (#569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #569

Docs

• Fix 'cert' token which isn't a cert (#554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #554

8.4.0 - 2018-11-14

New Functionality

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.

Updates libxmljs2 from 0.33.0 to 0.37.0

Commits

• 0259421 chore: support node 24
• 478d57d chore: support node 22
• 28c7258 fix: correct prebuild stuff
• 7ef018c NO LONGER MAINTAINED
• 9b42607 fix: correct artifact path to upload
• 0dbbcf2 chore: test prebuild as node-pre-gyp is no longer working
• See full diff in compare view

Install script changes

This version modifies install script that runs during installation. Review the package contents before updating.

Updates multer from 1.4.5-lts.2 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

What's Changed

• chore: add node version to 25.x in CI by @​imangas in expressjs/multer#1372
• chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @​dependabot[bot] in expressjs/multer#1378
• chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/multer#1377
• chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 by @​dependabot[bot] in expressjs/multer#1376
• chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 by @​dependabot[bot] in expressjs/multer#1375
• chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 by @​dependabot[bot] in expressjs/multer#1374
• fix error/abort handling by @​ctcpip in expressjs/multer#1373
• 2.1.1 by @​UlisesGascon in expressjs/multer#1380

New Contributors

• @​imangas made their first contribution in expressjs/multer#1372
• @​dependabot[bot] made their first contribution in expressjs/multer#1378

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

• chore: add funding to package.json by @​bjohansebas in expressjs/multer#1346
• chore: drop mkdirp dependency by @​wojtekmaj in expressjs/multer#1350
• chore: drop object-assign dependency by @​wojtekmaj in expressjs/multer#1351
• chore: drop xtend dependency by @​wojtekmaj in expressjs/multer#1352
• chore(gitignore): ignore .nyc_output directory by @​ShubhamOulkar in expressjs/multer#1332
• Fix typo in README-vi.md regarding file upload by @​Kunniii in expressjs/multer#1366
• Fix typo in README-pt-br.md for array method by @​matheushbm192 in expressjs/multer#1367
• headers-support-utf8 by @​Doc999tor in expressjs/multer#1210
• Add Turkish translation (README-tr.md) by @​Sabandogan in expressjs/multer#1360
• Release: 2.1.0 by @​UlisesGascon in expressjs/multer#1371

New Contributors

• @​wojtekmaj made their first contribution in expressjs/multer#1350
• @​ShubhamOulkar made their first contribution in expressjs/multer#1332
• @​Kunniii made their first contribution in expressjs/multer#1366
• @​matheushbm192 made their first contribution in expressjs/multer#1367
• @​Doc999tor made their first contribution in expressjs/multer#1210
• @​Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

... (truncated)

Changelog

Sourced from multer's changelog.

2.1.1

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

2.1.0

• Add defParamCharset option for UTF-8 filename support (#1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

2.0.2

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

2.0.1

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

2.0.0

• Breaking change: The minimum supported Node version is now 10.16.0
• Fix CVE-2025-47935 (GHSA-44fp-w29j-9vj5)
• Fix CVE-2025-47944 (GHSA-4pg4-qvpc-4q3h)

Commits

• 368c8a1 2.1.1 (#1380)
• 7e66481 🐛 fix recursion issue
• 643571e ✅ add explicit test for client able to send body without abrupt disconnect
• e86fa52 fix error/abort handling
• ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
• 13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
• bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
• c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
• fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
• 17d7f51 chore: add node version to 25.x in CI
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for multer since your current version.

Updates sanitize-html from 1.4.2 to 2.17.4

Changelog

Sourced from sanitize-html's changelog.

2.17.4

Changes

• sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.

Security

• Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

2.17.3 (2026-04-15)

Security

• Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit option tags. There was no vulnerability when not explicitly allowing option tags.

2.17.2 (2026-03-19)

Changes

• Upgrade htmlparser2 from 8.x to 10.1.0. This improves security by correctly decoding zero-padded numeric character references (e.g., &[#0000001](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/0000001)) that previously bypassed javascript: URL detection. Also fixes double-encoding of entities inside raw text elements like textarea and option.

2.17.1 (2026-02-18)

Fixes

• Fix unclosed tags (e.g., <hello) returning empty string in escape and recursiveEscape modes. Fixes #706. Thanks to Byeong Hyeon for the fix.

2.17.0 (2025-05-14)

• Add preserveEscapedAttributes, allowing attributes on escaped disallowed tags to be retained. Thanks to Ben Elliot for this new option.

2.16.0 (2025-04-16)

• Add onOpenTag and onCloseTag events to enable advanced filtering to hook into the parser. Thanks to Rimvydas Naktinis.

2.15.0 (2025-03-19)

• Allow keeping tag content when discarding with exclusive filter by returning "excludeTag". Thanks to rChaoz.

2.14.0 (2024-12-18)

• Fix adding text with transformTags in cases where it originally had no text child elements. Thanks to f0x.

2.13.1 (2024-10-03)

• Fix to allow regex in allowedClasses wildcard whitelist. Thanks to anak-dev.

2.13.0 (2024-03-20)

... (truncated)

Commits

• See full diff in compare view

Updates socket.io from 3.1.2 to 4.8.3

Release notes

Sourced from socket.io's releases.

[email protected]

Bug Fixes

• do not throw when calling io.close() on a stopped server (9581f9b)

Dependencies

• engine.io@~6.6.0 (no change)
• ws@~8.18.3 (no change)

[email protected]

There were some minor bug fixes on the server side, which mandate a client bump.

Dependencies

• engine.io-client@~6.6.1 (no change)
• ws@~8.18.3 (diff)

[email protected]

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (719f9eb)

[email protected]

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (9d39f1f)

[email protected]

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (b25738c)

[email protected]

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

[email protected]

The url.parse() function is now deprecated and has been replaced by new URL() (see 8af7019).

Bug Fixes

• call adapter.init() when creating each namespace (f3e1f5e)
• improve io.close() function (#5344) (bb0b480)

... (truncated)

Commits

• 9978574 chore(release): [email protected]
• e9e5bed chore(release): [email protected]
• 9581f9b fix(sio): do not throw when calling io.close() on a stopped server
• 579d43f refactor: remove unused files
• ee9aac3 chore(release): [email protected]
• 968277c chore(release): [email protected]
• 2bf16bd chore(release): [email protected]
• ad61607 docs(eio): fix link in the release notes
• dd71792 chore(release): [email protected]
• bb0b480 fix(sio): improve io.close() function (#5344)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for socket.io since your current version.

Updates @angular/common from 15.2.10 to 21.2.13

Release notes

Sourced from @​angular/common's releases.

21.2.13

core

Commit	Description
	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Description
	add allowedHosts option to renderModule and renderApplication
	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

21.2.12

core

Commit	Description
	allow explicit read generic with signal input transforms
	i18n flags leaking on errors
	respect ngSkipHydration on components with projectable nodes in LContainers
	sanitizer typings
	validate security-sensitive attributes in i18n bindings
	visit ng-let expression value in signal migration schematics

forms

Commit	Description
	prohibit concurrent submits in signal forms

21.2.11

common

Commit	Description
	prevent focus from scrollToAnchor

compiler

Commit	Description
	let declaration span not including end character

core

Commit	Description
	fix ordering of view queries metadata in JIT mode
	guard against non-object events and avoid listener wrapper identity mismatch
	prevent event replay double-invocation when element hydrates before app stability

platform-server

Commit	Description
	ensure origin has a trailing slash when parsing url

21.2.10

docs

Commit	Description

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

21.2.13 (2026-05-13)

core

Commit	Type	Description
1c6553e97d	fix	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Type	Description
629905d537	fix	add allowedHosts option to renderModule and renderApplication
0b7192f441	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

19.2.22 (2026-05-12)

core

Commit	Type	Description
83a640516f	fix	disallow event attribute bindings in host bindings unconditionally (#68469)
24a0103a98	fix	validate security-sensitive attributes in i18n bindings (#68469)

platform-server

Commit	Type	Description
8569db8875	fix	add allowedHosts option to renderModule and renderApplication
837a710217	fix	ensure origin has a trailing slash when parsing url (#68469)

20.3.21 (2026-05-12)

platform-server

Commit	Type	Description
f584840e2e	fix	add allowedHosts option to renderModule and renderApplication

22.0.0-next.12 (2026-05-08)

core

Commit	Type	Description
8ebae1de33	fix	allow service with factory on abstract classes
6f525245cd	fix	disallow event attribute bindings in host bindings unconditionally

migrations

Commit	Type	Description
0f2160c410	fix	remove compiler import from safe optional chaining migration

platform-server

| Commit | Type | Description |

... (truncated)

Commits

• 30cf85f refactor(common): update deprecation message
• 42d57c3 refactor(common): fix viewport tests
• 10ad3c0 fix(common): prevent focus from scrollToAnchor
• 540536c fix(http): add CSP nonce support to JsonpClientBackend
• 8102331 test(http): disable XSRF and mock location in HttpClient tests to avoid Domin...
• 13f050d test: construct local Date objects to fix timezone flakiness
• d0cf299 test: remove unsupported timezone from formatDate tests
• b4ab6ba fix(common): avoid redundant image fetch on destroy with auto sizes
• adda6c5 build: update aspect_rules_js to 3.0.2
• 93c6dc6 Revert "refactor(http): Improves base64 encoding/decoding with feature detect...
• Additional commits viewable in compare view

Updates @angular/compiler from 15.2.10 to 21.2.13

Release notes

Sourced from @​angular/compiler's releases.

21.2.13

core

Commit	Description
	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Description
	add allowedHosts option to renderModule and renderApplication
	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

21.2.12

core

Commit	Description
	allow explicit read generic with signal input transforms
	i18n flags leaking on errors
	respect ngSkipHydration on components with projectable nodes in LContainers
	sanitizer typings
	validate security-sensitive attributes in i18n bindings
	visit ng-let expression value in signal migration schematics

forms

Commit	Description
	prohibit concurrent submits in signal forms

21.2.11

common

Commit	Description
	prevent focus from scrollToAnchor

compiler

Commit	Description
	let declaration span not including end character

core

Commit	Description
	fix ordering of view queries metadata in JIT mode
	guard against non-object events and avoid listener wrapper identity mismatch
	prevent event replay double-invocation when element hydrates before app stability

platform-server

Commit	Description
	ensure origin has a trailing slash when parsing url

21.2.10

docs

Commit	Description

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

21.2.13 (2026-05-13)

core

Commit	Type	Description
1c6553e97d	fix	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Type	Description
629905d537	fix	add allowedHosts option to renderModule and renderApplication
0b7192f441	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

19.2.22 (2026-05-12)

core

Commit	Type	Description
83a640516f	fix	disallow event attribute bindings in host bindings unconditionally (#68469)
24a0103a98	fix	validate security-sensitive attributes in i18n bindings (#68469)

platform-server

Commit	Type	Description
8569db8875	fix	add allowedHosts option to renderModule and renderApplication
837a710217	fix	ensure origin has a trailing slash when parsing url (#68469)

20.3.21 (2026-05-12)

platform-server

Commit	Type	Description
f584840e2e	fix	add allowedHosts option to renderModule and renderApplication

22.0.0-next.12 (2026-05-08)

core

Commit	Type	Description
8ebae1de33	fix	allow service with factory on abstract classes
6f525245cd	fix	disallow event attribute bindings in host bindings unconditionally

migrations

Commit	Type	Description
0f2160c410	fix	remove compiler import from safe optional chaining migration

platform-server

| Commit | Type | Description |

... (truncated)

Commits

• baf92da test: remove invalid css that was causing issues with the postcss parser
• 1c6553e fix(core): disallow event attribute bindings in host bindings unconditionally
• 4f5d8a2 fix(compiler): let declaration span not including end character
• a4f3120 refactor(compiler): require a reference in DirectiveMeta
• de533fe refactor(compiler-cli): move ClassPropertyMapping into compiler
• ea1e34c refactor(compiler): move matchSource into base metadata
• e40d378 fix(compiler): handle nested brackets in host object bindings
• d04ddd7 fix(core): prevent binding unsafe attributes on SVG animation elements (#67797)
• fea25d1 fix(compiler): register SVG animation attributes in URL security context (#67...
• 880a57d fix(compiler): prevent shimCssText from adding extra blank lines per CSS comment
• Additional commits viewable in compare view

Updates @angular/core from 15.2.10 to 21.2.13

Release notes

Sourced from @​angular/core's releases.

21.2.13

core

Commit	Description
	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Description
	add allowedHosts option to renderModule and renderApplication
	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

21.2.12

core

Commit	Description
	allow explicit read generic with signal input transforms
	i18n flags leaking on errors
	respect ngSkipHydration on components with projectable nodes in LContainers
	sanitizer typings
	validate security-sensitive attributes in i18n bindings
	visit ng-let expression value in signal migration schematics

forms

Commit	Description
	prohibit concurrent submits in signal forms

21.2.11

common

Commit	Description
	prevent focus from scrollToAnchor

compiler

Commit	Description
	let declaration span not including end character

core

Commit	Description
	fix ordering of view queries metadata in JIT mode
	guard against non-object events and avoid listener wrapper identity mismatch
	prevent event replay double-invocation when element hydrates before app stability

platform-server

Commit	Description
	ensure origin has a trailing slash when parsing url

21.2.10

docs

Commit	Descri... Description has been truncated