chore(deps): bump the npm_and_yarn group across 4 directories with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the /examples/chat/frontend-angular directory: @angular/common, @angular/compiler, @angular/core and hono.
Bumps the npm_and_yarn group with 1 update in the /examples/chat/frontend-svelte directory: vite.
Bumps the npm_and_yarn group with 4 updates in the /examples/voice/frontend-angular directory: @angular/common, @angular/compiler, @angular/core and hono.
Bumps the npm_and_yarn group with 1 update in the /examples/voice/frontend-svelte directory: vite.

Updates @angular/common from 21.2.13 to 22.0.2

Release notes

Sourced from @​angular/common's releases.

22.0.2

common

Commit	Description
	escape anchor fragment in shadow DOM name selector
	skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit	Description
	restrict possible event handler check to property names longer than 2 characters

core

Commit	Description
	avoid caching missing locale data
	escape overlapping comment delimiters in escapeCommentText
	guard against DOM clobbering in declareExperimentalWebMcpTool
	preserve leave animation for sibling instances sharing a TNode
	prevent unsubscribe during emit from throwing off other listeners
	treat iframe credentialless as security-sensitive
	detect existing signal dependency without checking all producer links

http

Commit	Description
	distinguish repeated transfer cache params
	skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit	Description
	migration skip any target are not build or test

22.0.1

common

Commit	Description
	escape CSS string-terminating characters in escapeCssUrl
	Limits date format string length
	prevent prototype pollution in formatDateTime
	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Description
	disallow i18n event attributes
	more robust logic to check if regex can be optimized
	sanitize href/xlink:href attributes of any element of the MathML namespace
	sanitize two-way properties

compiler-cli

Commit	Description
	bind switch exhaustive check expressions

core

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

22.0.2 (2026-06-17)

common

Commit	Type	Description
94ea403563	fix	escape anchor fragment in shadow DOM name selector
6c1f3e9d49	fix	skip transfer cache for uncacheable HTTP traffic (#69316)

compiler

Commit	Type	Description
6f1171991a	fix	restrict possible event handler check to property names longer than 2 characters

core

Commit	Type	Description
528a34f766	fix	avoid caching missing locale data
e17e8d5422	fix	escape overlapping comment delimiters in escapeCommentText
59dea13f80	fix	guard against DOM clobbering in declareExperimentalWebMcpTool
3a48abc15c	fix	preserve leave animation for sibling instances sharing a TNode
93d0a5f95c	fix	prevent unsubscribe during emit from throwing off other listeners
b32ee7ceb3	fix	treat iframe credentialless as security-sensitive
f902d1d35e	perf	detect existing signal dependency without checking all producer links

http

Commit	Type	Description
6867f77ec7	fix	distinguish repeated transfer cache params
7ef1399068	fix	skip transfer cache for fetch credentialed requests (#69316)

migrations

Commit	Type	Description
15314c1736	fix	migration skip any target are not build or test

22.1.0-next.0 (2026-06-10)

Deprecations

http

• HttpClient.jsonp, HttpClientJsonpModule, and related JSONP classes/functions are deprecated. Use standard HTTP requests instead.

common

Commit	Type	Description
1ad6824d0d	fix	skip transfer cache for uncacheable HTTP traffic (#69017)

compiler

Commit	Type	Description
25c744c4d0	fix	support foreign components defined outside top-level scope

compiler-cli

Commit	Type	Description
aeb55c8bc1	fix	allow passing uninvoked signals as foreign component props
7c60a98b3c	fix	support import aliases in foreignImports (#68674)

... (truncated)

Commits

• 6867f77 fix(http): distinguish repeated transfer cache params
• 6c1f3e9 fix(common): skip transfer cache for uncacheable HTTP traffic (#69316)
• 7ef1399 fix(http): skip transfer cache for fetch credentialed requests (#69316)
• 94ea403 fix(common): escape anchor fragment in shadow DOM name selector
• 2dd65d2 fix(http): pass down the reportUploadProgress and reportDownloadProgress ...
• 1bd5a56 docs: deprecate XHR support for server-side rendering in HTTP docs and recomm...
• 3c2892c fix(common): prevent prototype pollution in formatDateTime
• c4b5fa3 fix(common): escape CSS string-terminating characters in escapeCssUrl
• 4254eb4 fix(http): preserve empty referrer option in HttpRequest
• 167bd4c fix(http): Rejects non-HTTP(S) URLs in JSONP requests
• Additional commits viewable in compare view

Updates @angular/compiler from 21.2.13 to 21.2.17

Release notes

Sourced from @​angular/compiler's releases.

21.2.17

common

Commit	Description
	Limits date format string length
	skip transfer cache for uncacheable HTTP traffic
	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Description
	sanitize two-way properties

core

Commit	Description
	harden TransferState restoration against DOM clobbering
	validate lowercase SVG animation attribute names (#69269)

http

Commit	Description
	preserve empty referrer option in HttpRequest
	Rejects non-HTTP(S) URLs in JSONP requests
	skip transfer cache for fetch credentialed requests

platform-server

Commit	Description
	harden platform location origin validation during SSR
	deprecate ServerXhr (#69255)

service-worker

Commit	Description
	Strips sensitive headers on cross-origin redirects

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

21.2.16

common

Commit	Description
	only strip a literal /index.html suffix from URLs

compiler

Commit	Description
	move projection attributes into constants

core

Commit	Description
	harden inherit definition feature against polluted prototypes
	use Object.create(null) for LOCALE_DATA as a hardening measure

platform-server

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

21.2.17 (2026-06-10)

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit	Type	Description
86a56dc279	fix	Limits date format string length
d846326b07	fix	skip transfer cache for uncacheable HTTP traffic
bc55749698	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
dc9c99636d	fix	sanitize two-way properties

core

Commit	Type	Description
1523061137	fix	harden TransferState restoration against DOM clobbering
88832c84f8	fix	validate lowercase SVG animation attribute names (#69269)

http

Commit	Type	Description
bcb1b7ea25	fix	preserve empty referrer option in HttpRequest
a810a319d1	fix	Rejects non-HTTP(S) URLs in JSONP requests
e245d40c4d	fix	skip transfer cache for fetch credentialed requests

platform-server

Commit	Type	Description
35510746b7	fix	harden platform location origin validation during SSR
13fb0afe93	refactor	deprecate ServerXhr (#69255)

service-worker

Commit	Type	Description
b9d29381bb	fix	Strips sensitive headers on cross-origin redirects

20.3.25 (2026-06-10)

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit	Type	Description
9f443bc24c	fix	Limits date format string length
566ad05f20	fix	skip transfer cache for uncacheable HTTP traffic
1a62130a6b	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

| Commit | Type | Description |

... (truncated)

Commits

• dc9c996 fix(compiler): sanitize two-way properties
• ae1c8a1 fix(compiler): move projection attributes into constants
• eb1cbbf fix(compiler): prevent namespaced SVG <style> elements from being stripped
• 29ceeff docs: fix typos in source code comments
• 782e015 fix(compiler): strip namespaced SVG script elements during template compilati...
• ff12fe5 fix(core): normalize tag names in runtime i18n attribute security context loo...
• 0b07f47 fix(compiler): normalize tag names with custom namespaces in DomElementSchema...
• cc1378d fix(compiler): sanitize dynamic href and xlink:href bindings on SVG a element...
• daaf329 fix(core): support prefix-insensitive DOM schema lookups and compile-time i18...
• 68282df fix(compiler): strip namespaced SVG script elements during template compilation
• Additional commits viewable in compare view

Updates @angular/core from 21.2.13 to 21.2.17

Release notes

Sourced from @​angular/core's releases.

21.2.17

common

Commit	Description
	Limits date format string length
	skip transfer cache for uncacheable HTTP traffic
	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Description
	sanitize two-way properties

core

Commit	Description
	harden TransferState restoration against DOM clobbering
	validate lowercase SVG animation attribute names (#69269)

http

Commit	Description
	preserve empty referrer option in HttpRequest
	Rejects non-HTTP(S) URLs in JSONP requests
	skip transfer cache for fetch credentialed requests

platform-server

Commit	Description
	harden platform location origin validation during SSR
	deprecate ServerXhr (#69255)

service-worker

Commit	Description
	Strips sensitive headers on cross-origin redirects

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

21.2.16

common

Commit	Description
	only strip a literal /index.html suffix from URLs

compiler

Commit	Description
	move projection attributes into constants

core

Commit	Description
	harden inherit definition feature against polluted prototypes
	use Object.create(null) for LOCALE_DATA as a hardening measure

platform-server

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

21.2.17 (2026-06-10)

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit	Type	Description
86a56dc279	fix	Limits date format string length
d846326b07	fix	skip transfer cache for uncacheable HTTP traffic
bc55749698	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
dc9c99636d	fix	sanitize two-way properties

core

Commit	Type	Description
1523061137	fix	harden TransferState restoration against DOM clobbering
88832c84f8	fix	validate lowercase SVG animation attribute names (#69269)

http

Commit	Type	Description
bcb1b7ea25	fix	preserve empty referrer option in HttpRequest
a810a319d1	fix	Rejects non-HTTP(S) URLs in JSONP requests
e245d40c4d	fix	skip transfer cache for fetch credentialed requests

platform-server

Commit	Type	Description
35510746b7	fix	harden platform location origin validation during SSR
13fb0afe93	refactor	deprecate ServerXhr (#69255)

service-worker

Commit	Type	Description
b9d29381bb	fix	Strips sensitive headers on cross-origin redirects

20.3.25 (2026-06-10)

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit	Type	Description
9f443bc24c	fix	Limits date format string length
566ad05f20	fix	skip transfer cache for uncacheable HTTP traffic
1a62130a6b	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

| Commit | Type | Description |

... (truncated)

Commits

• 88832c8 fix(core): validate lowercase SVG animation attribute names (#69269)
• 3551074 fix(platform-server): harden platform location origin validation during SSR
• bc55749 fix(common): use cryptographically secure SHA-256 for transfer cache key gene...
• d846326 fix(common): skip transfer cache for uncacheable HTTP traffic
• e245d40 fix(http): skip transfer cache for fetch credentialed requests
• 1523061 fix(core): harden TransferState restoration against DOM clobbering
• 736c4ab refactor(core): fix broken unit test.
• 3fd6897 fix(core): harden inherit definition feature against polluted prototypes
• 7e38336 fix(core): use Object.create(null) for LOCALE_DATA as a hardening measure
• 29ceeff docs: fix typos in source code comments
• Additional commits viewable in compare view

Updates esbuild from 0.27.3 to 0.27.7

Release notes

Sourced from esbuild's releases.

v0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  __publicField(this, "x", x);
  __publicField(this, "y", 2);
  }
  }

v0.27.5

• Fix for an async generator edge case (#4401, #4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#4420, #4418)

  This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  __publicField(this, "x", x);
  __publicField(this, "y", 2);
  }
  }

0.27.5

• Fix for an async generator edge case (#4401, #4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#4420, #4418)

... (truncated)

Commits

• 2025c9f publish 0.27.7 to npm
• c6b586e fix typo in Makefile for @esbuild/win32-x64
• 9785e14 publish 0.27.6 to npm
• b169d8c Revert "update go 1.25.7 => 1.26.1"
• 7ac8762 run make update-compat-table
• 8b5ff53 remove an incorrect else
• e955268 fix #4421: lower generated class fields if needed
• a5a2500 ci: move make test-old-ts
• b71e7ac omit go's buildvcs for more reproducible builds
• 7406b09 organize make platform-all output in Makefile
• Additional commits viewable in compare view

Updates hono from 4.12.23 to 4.12.26

Release notes

Sourced from hono's releases.

v4.12.26

What's Changed

• fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @​yusukebe in honojs/hono#5013
• ci: publish to npm from CI with OIDC trusted publishing by @​yusukebe in honojs/hono#5028
• chore: remove unused devcontainer and gitpod configs by @​yusukebe in honojs/hono#5029
• chore: replace arg and glob with Bun native APIs in build script by @​yusukebe in honojs/hono#5030

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

• docs(contribution): simplifyAI Usage Policy by @​yusukebe in honojs/hono#4972
• chore: remove @​types/glob by @​rtritto in honojs/hono#4978
• fix(bearer-auth): mention verifyToken in missing-options error message by @​tan7vir in honojs/hono#4987
• refactor(language): Test/improve tests on languages middleware by @​iNeoO in honojs/hono#4980
• fix(utils/ipaddr): expand "::" to eight zero groups by @​youcefzemmar in honojs/hono#4973
• fix: clean up config files trailing comma, stale excludes, typesVersions gaps, jsr paths by @​Mohammad-Faiz-Cloud-Engineer in honojs/hono#4982
• refactor(timing): Test/add test for middleware timing by @​iNeoO in honojs/hono#4991
• fix(utils/ipaddr): render the unspecified address binary as "::" by @​sarathfrancis90 in honojs/hono#4998

Full Changelog: honojs/hono@v4.12.23...v4.12.24

Commits

• 27b7992 4.12.26
• d29982c chore: replace arg and glob with Bun native APIs in build script
• 16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
• c574cf1 ci: publish to npm from CI with OIDC trusted publishing (#5028)
• e50df01 fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding (#5...
• fce483e 4.12.25
• 751ba41 Merge commit from fork
• f0b094d Merge commit from fork
• fa5f9bf Merge commit from fork
• 3892a6c Merge commit from fork
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.

Updates vite from 7.3.2 to 7.3.5

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
• reject windows alternate paths (#22572) (dc245c7)

8.0.15 (2026-06-01)

Features

• send 408 on request timeout (#22476) (c85c9ee)
• update rolldown to 1.0.3 (#22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
• deps: update all non-major dependencies (#22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#22562) (6978a9c)

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

• f94df87 release: v8.0.16
• dc245c7 fix: reject windows alternate paths (#22572)
• 50b9512 fix(deps): reject UNC paths for launch-editor-middleware (#22571)
• 8d1b019 release: v8.0.15
• 2686d7d fix(deps): update all non-major dependencies (#22511)
• 3052a67 chore(deps): update rolldown-related dependencies (#22566)
• e3cfb9d fix(optimizer): close the rolldown bundle when write() re...

  Description has been truncated

[dependabot]

Superseded by #333.