build(deps-dev): bump the angular-stack group with 9 updates

[dependabot]

Bumps the angular-stack group with 9 updates:

Package	From	To
@angular/build	21.2.12	21.2.13
@angular/cdk	21.2.12	21.2.13
@angular/cli	21.2.12	21.2.13
@angular/common	21.2.14	21.2.15
@angular/compiler	21.2.14	21.2.15
@angular/compiler-cli	21.2.14	21.2.15
@angular/core	21.2.14	21.2.15
@angular/platform-browser	21.2.14	21.2.15
@angular/platform-browser-dynamic	21.2.14	21.2.15

Updates @angular/build from 21.2.12 to 21.2.13

Release notes

Sourced from @​angular/build's releases.

21.2.13

@​angular-devkit/build-angular

Commit	Description
	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Description
	assert that asset input paths are within workspace root

Changelog

Sourced from @​angular/build's changelog.

21.2.13 (2026-05-27)

@​angular-devkit/build-angular

Commit	Type	Description
3c6d26a31	fix	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Type	Description
2b3e95517	fix	assert that asset input paths are within workspace root

22.0.0-rc.1 (2026-05-21)

@​schematics/angular

Commit	Type	Description
a7ac8e5f0	fix	support spy call arguments migration in refactor-jasmine-vitest

@​angular/build

Commit	Type	Description
327cc2414	fix	assert that asset input paths are within workspace root
93d352798	fix	ignore virtual esbuild paths with (disabled):

Commits

• 287e4e8 release: cut the v21.2.13 release
• 3c6d26a fix(@​angular-devkit/build-angular): remove unconditional CORS wildcard from w...
• 2b3e955 fix(@​angular/build): assert that asset input paths are within workspace root
• See full diff in compare view

Updates @angular/cdk from 21.2.12 to 21.2.13

Release notes

Sourced from @​angular/cdk's releases.

21.2.13

No user facing changes in this release

Changelog

Sourced from @​angular/cdk's changelog.

21.2.13 "21-2-13" (2026-05-27)

No user facing changes in this release

22.0.0-rc.1 "metal-monkey" (2026-05-20)

aria

Commit	Type	Description
ce1d9a7286	fix	menu: allow menu item role override (#33264)
196b7064db	fix	menu: defer menu item focus in case menus in cdk overlay (#33258)
6443b79f9a	fix	menu: unable to set softDisabled (#33265)

cdk

Commit	Type	Description
4c298970ed	fix	scrolling: make it easier to provide custom scrollable (#33269)

material

Commit	Type	Description
f2f62675e1	fix	datepicker: ensure dates don't overflow on a small screen (#33281)
f1a435508a	fix	sidenav: handle mixed sidenav and drawer (#33274)
a4d92c5fcb	fix	sidenav: more robust reset logic for inert attribute (#33257)

Commits

• 7828452 release: cut the v21.2.13 release
• See full diff in compare view

Updates @angular/cli from 21.2.12 to 21.2.13

Release notes

Sourced from @​angular/cli's releases.

21.2.13

@​angular-devkit/build-angular

Commit	Description
	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Description
	assert that asset input paths are within workspace root

Changelog

Sourced from @​angular/cli's changelog.

21.2.13 (2026-05-27)

@​angular-devkit/build-angular

Commit	Type	Description
3c6d26a31	fix	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Type	Description
2b3e95517	fix	assert that asset input paths are within workspace root

22.0.0-rc.1 (2026-05-21)

@​schematics/angular

Commit	Type	Description
a7ac8e5f0	fix	support spy call arguments migration in refactor-jasmine-vitest

@​angular/build

Commit	Type	Description
327cc2414	fix	assert that asset input paths are within workspace root
93d352798	fix	ignore virtual esbuild paths with (disabled):

Commits

• 287e4e8 release: cut the v21.2.13 release
• 3c6d26a fix(@​angular-devkit/build-angular): remove unconditional CORS wildcard from w...
• 2b3e955 fix(@​angular/build): assert that asset input paths are within workspace root
• See full diff in compare view

Updates @angular/common from 21.2.14 to 21.2.15

Release notes

Sourced from @​angular/common's releases.

21.2.15

common

Commit	Description
	add upper bounds for digitsInfo
	sanitize placeholder

compiler

Commit	Description
	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
	prevent namespaced SVG elements from being stripped
	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Description
	normalize tag names in runtime i18n attribute security context lookup (#68925)
	sanitize meta selectors
	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
	synchronize core sanitization schema with compiler (#68925)

http

Commit	Description
	exclude withCredentials requests from transfer cache
	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Description
	prevent SSRF bypasses via backslash URLs in HttpClient
	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Description
	Preserves explicit 'credentials: omit' in asset requests
	Preserves HTTP cache mode in asset group requests

Changelog

Sourced from @​angular/common's changelog.

21.2.15 (2026-05-28)

common

Commit	Type	Description
7f4ac78994	fix	add upper bounds for digitsInfo
300f61feb3	fix	sanitize placeholder

compiler

Commit	Type	Description
0b07f47bd6	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
eb1cbbf2eb	fix	prevent namespaced SVG elements from being stripped
cc1378d54b	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
782e01594e	fix	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Type	Description
ff12fe55ac	fix	normalize tag names in runtime i18n attribute security context lookup (#68925)
e6fe77cc97	fix	sanitize meta selectors
daaf32937f	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
dada86e43d	fix	synchronize core sanitization schema with compiler (#68925)

http

Commit	Type	Description
582a417bd2	fix	exclude withCredentials requests from transfer cache
5c6d6df34b	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
37e8aadf87	fix	prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
b8bd49341d	fix	Preserves explicit 'credentials: omit' in asset requests
ca32fc1000	fix	Preserves HTTP cache mode in asset group requests

19.2.24 (2026-05-28)

compiler

Commit	Type	Description
6ea6379123	fix	prevent namespaced SVG elements from being stripped

20.3.23 (2026-05-28)

compiler

... (truncated)

Commits

• 582a417 fix(http): exclude withCredentials requests from transfer cache
• 5c6d6df fix(http): skip TransferCache for cookie-bearing requests by default
• 300f61f fix(common): sanitize placeholder
• 7f4ac78 fix(common): add upper bounds for digitsInfo
• See full diff in compare view

Updates @angular/compiler from 21.2.14 to 21.2.15

Release notes

Sourced from @​angular/compiler's releases.

21.2.15

common

Commit	Description
	add upper bounds for digitsInfo
	sanitize placeholder

compiler

Commit	Description
	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
	prevent namespaced SVG elements from being stripped
	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Description
	normalize tag names in runtime i18n attribute security context lookup (#68925)
	sanitize meta selectors
	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
	synchronize core sanitization schema with compiler (#68925)

http

Commit	Description
	exclude withCredentials requests from transfer cache
	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Description
	prevent SSRF bypasses via backslash URLs in HttpClient
	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Description
	Preserves explicit 'credentials: omit' in asset requests
	Preserves HTTP cache mode in asset group requests

Changelog

Sourced from @​angular/compiler's changelog.

21.2.15 (2026-05-28)

common

Commit	Type	Description
7f4ac78994	fix	add upper bounds for digitsInfo
300f61feb3	fix	sanitize placeholder

compiler

Commit	Type	Description
0b07f47bd6	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
eb1cbbf2eb	fix	prevent namespaced SVG elements from being stripped
cc1378d54b	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
782e01594e	fix	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Type	Description
ff12fe55ac	fix	normalize tag names in runtime i18n attribute security context lookup (#68925)
e6fe77cc97	fix	sanitize meta selectors
daaf32937f	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
dada86e43d	fix	synchronize core sanitization schema with compiler (#68925)

http

Commit	Type	Description
582a417bd2	fix	exclude withCredentials requests from transfer cache
5c6d6df34b	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
37e8aadf87	fix	prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
b8bd49341d	fix	Preserves explicit 'credentials: omit' in asset requests
ca32fc1000	fix	Preserves HTTP cache mode in asset group requests

19.2.24 (2026-05-28)

compiler

Commit	Type	Description
6ea6379123	fix	prevent namespaced SVG elements from being stripped

20.3.23 (2026-05-28)

compiler

... (truncated)

Commits

• eb1cbbf fix(compiler): prevent namespaced SVG <style> elements from being stripped
• 29ceeff docs: fix typos in source code comments
• 782e015 fix(compiler): strip namespaced SVG script elements during template compilati...
• ff12fe5 fix(core): normalize tag names in runtime i18n attribute security context loo...
• 0b07f47 fix(compiler): normalize tag names with custom namespaces in DomElementSchema...
• cc1378d fix(compiler): sanitize dynamic href and xlink:href bindings on SVG a element...
• daaf329 fix(core): support prefix-insensitive DOM schema lookups and compile-time i18...
• See full diff in compare view

Updates @angular/compiler-cli from 21.2.14 to 21.2.15

Release notes

Sourced from @​angular/compiler-cli's releases.

21.2.15

common

Commit	Description
	add upper bounds for digitsInfo
	sanitize placeholder

compiler

Commit	Description
	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
	prevent namespaced SVG elements from being stripped
	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Description
	normalize tag names in runtime i18n attribute security context lookup (#68925)
	sanitize meta selectors
	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
	synchronize core sanitization schema with compiler (#68925)

http

Commit	Description
	exclude withCredentials requests from transfer cache
	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Description
	prevent SSRF bypasses via backslash URLs in HttpClient
	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Description
	Preserves explicit 'credentials: omit' in asset requests
	Preserves HTTP cache mode in asset group requests

Changelog

Sourced from @​angular/compiler-cli's changelog.

21.2.15 (2026-05-28)

common

Commit	Type	Description
7f4ac78994	fix	add upper bounds for digitsInfo
300f61feb3	fix	sanitize placeholder

compiler

Commit	Type	Description
0b07f47bd6	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
eb1cbbf2eb	fix	prevent namespaced SVG elements from being stripped
cc1378d54b	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
782e01594e	fix	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Type	Description
ff12fe55ac	fix	normalize tag names in runtime i18n attribute security context lookup (#68925)
e6fe77cc97	fix	sanitize meta selectors
daaf32937f	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
dada86e43d	fix	synchronize core sanitization schema with compiler (#68925)

http

Commit	Type	Description
582a417bd2	fix	exclude withCredentials requests from transfer cache
5c6d6df34b	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
37e8aadf87	fix	prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
b8bd49341d	fix	Preserves explicit 'credentials: omit' in asset requests
ca32fc1000	fix	Preserves HTTP cache mode in asset group requests

19.2.24 (2026-05-28)

compiler

Commit	Type	Description
6ea6379123	fix	prevent namespaced SVG elements from being stripped

20.3.23 (2026-05-28)

compiler

... (truncated)

Commits

• 29ceeff docs: fix typos in source code comments
• See full diff in compare view

Updates @angular/core from 21.2.14 to 21.2.15

Release notes

Sourced from @​angular/core's releases.

21.2.15

common

Commit	Description
	add upper bounds for digitsInfo
	sanitize placeholder

compiler

Commit	Description
	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
	prevent namespaced SVG elements from being stripped
	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Description
	normalize tag names in runtime i18n attribute security context lookup (#68925)
	sanitize meta selectors
	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
	synchronize core sanitization schema with compiler (#68925)

http

Commit	Description
	exclude withCredentials requests from transfer cache
	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Description
	prevent SSRF bypasses via backslash URLs in HttpClient
	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Description
	Preserves explicit 'credentials: omit' in asset requests
	Preserves HTTP cache mode in asset group requests

Changelog

Sourced from @​angular/core's changelog.

21.2.15 (2026-05-28)

common

Commit	Type	Description
7f4ac78994	fix	add upper bounds for digitsInfo
300f61feb3	fix	sanitize placeholder

compiler

Commit	Type	Description
0b07f47bd6	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
eb1cbbf2eb	fix	prevent namespaced SVG elements from being stripped
cc1378d54b	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
782e01594e	fix	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Type	Description
ff12fe55ac	fix	normalize tag names in runtime i18n attribute security context lookup (#68925)
e6fe77cc97	fix	sanitize meta selectors
daaf32937f	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
dada86e43d	fix	synchronize core sanitization schema with compiler (#68925)

http

Commit	Type	Description
582a417bd2	fix	exclude withCredentials requests from transfer cache
5c6d6df34b	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
37e8aadf87	fix	prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
b8bd49341d	fix	Preserves explicit 'credentials: omit' in asset requests
ca32fc1000	fix	Preserves HTTP cache mode in asset group requests

19.2.24 (2026-05-28)

compiler

Commit	Type	Description
6ea6379123	fix	prevent namespaced SVG elements from being stripped

20.3.23 (2026-05-28)

compiler

... (truncated)

Commits

• 29ceeff docs: fix typos in source code comments
• 251c8f2 test(core): remove obsolete SVG script sanitization translation test (#68925)
• dada86e fix(core): synchronize core sanitization schema with compiler (#68925)
• 782e015 fix(compiler): strip namespaced SVG script elements during template compilati...
• ff12fe5 fix(core): normalize tag names in runtime i18n attribute security context loo...
• 0b07f47 fix(compiler): normalize tag names with custom namespaces in DomElementSchema...
• cc1378d fix(compiler): sanitize dynamic href and xlink:href bindings on SVG a element...
• daaf329 fix(core): support prefix-insensitive DOM schema lookups and compile-time i18...
• See full diff in compare view

Updates @angular/platform-browser from 21.2.14 to 21.2.15

Release notes

Sourced from @​angular/platform-browser's releases.

21.2.15

common

Commit	Description
	add upper bounds for digitsInfo
	sanitize placeholder

compiler

Commit	Description
	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
	prevent namespaced SVG elements from being stripped
	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Description