Bump the npm_and_yarn group across 4 directories with 6 updates #2942

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/docs.openc3.com/npm_and_yarn-3be6555c5b

@dependabot dependabot bot commented on behalf of github Mar 5, 2026

Bumps the npm_and_yarn group with 3 updates in the /docs.openc3.com directory: ajv, svgo and webpack.
Bumps the npm_and_yarn group with 1 update in the /openc3-cosmos-init/plugins/packages/openc3-vue-common directory: dompurify.
Bumps the npm_and_yarn group with 1 update in the /openc3/templates/tool_angular directory: @angular/common.
Bumps the npm_and_yarn group with 1 update in the /openc3/templates/tool_svelte directory: svelte.

Updates ajv from 6.12.6 to 6.14.0

Commits

Updates svgo from 3.3.2 to 3.3.3

Release notes

Sourced from svgo's releases.

v3.3.3

What's Changed

Dependencies

  • Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

| | v3.3.2 | v3.3.3 | Delta |
| --- | --- | --- | --- |
| svgo.browser.js | 910.9 kB | 912.9 kB | ⬆️ 2 kB |

Support

SVGO v3 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v3 to v4 which should ease the process.

Commits

Updates webpack from 5.103.0 to 5.105.4

Release notes

Sourced from webpack's releases.

v5.105.4

Patch Changes

  • Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @​xiaoxiaojx in #20546)

  • Handle createRequire in expressions. (by @​alexander-akait in #20549)

  • Fixed types for multi stats. (by @​alexander-akait in #20556)

  • Remove empty needless js output for normal css module. (by @​JSerFeng in #20162)

  • Update enhanced-resolve to support new features for tsconfig.json. (by @​alexander-akait in #20555)

  • Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @​hai-x in #20561)

v5.105.3

Patch Changes

  • Context modules now handle rejections correctly. (by @​alexander-akait in #20455)

  • Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @​hai-x in #20535)

  • Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @​hai-x in #20463)

  • Fixed HMR failure for CSS modules with @​import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @​import CSS to work correctly during hot module replacement. (by @​xiaoxiaojx in #20514)

  • Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @​xiaoxiaojx in #20454)

  • Do not crash when a referenced chunk is not a runtime chunk. (by @​alexander-akait in #20461)

  • Fix some types. (by @​alexander-akait in #20412)

  • Ensure that missing module errors are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @hai-x in #20510)

  • Added createRequire support for ECMA modules. (by @​stefanbinoj in #20497)

  • Added category for CJS reexport dependency to fix issues with ECMA modules. (by @​hai-x in #20444)

  • Implement immutable bytes for bytes import attribute to match tc39 spec. (by @​alexander-akait in #20481)

  • Fixed deterministic search for graph roots regardless of edge order. (by @​veeceey in #20452)

v5.105.2

Patch Changes

v5.105.1

Patch Changes

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.4

Patch Changes

  • Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @​xiaoxiaojx in #20546)

  • Handle createRequire in expressions. (by @​alexander-akait in #20549)

  • Fixed types for multi stats. (by @​alexander-akait in #20556)

  • Remove empty needless js output for normal css module. (by @​JSerFeng in #20162)

  • Update enhanced-resolve to support new features for tsconfig.json. (by @​alexander-akait in #20555)

  • Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @​hai-x in #20561)

5.105.3

Patch Changes

  • Context modules now handle rejections correctly. (by @​alexander-akait in #20455)

  • Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @​hai-x in #20535)

  • Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @​hai-x in #20463)

  • Fixed HMR failure for CSS modules with @​import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @​import CSS to work correctly during hot module replacement. (by @​xiaoxiaojx in #20514)

  • Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @​xiaoxiaojx in #20454)

  • Do not crash when a referenced chunk is not a runtime chunk. (by @​alexander-akait in #20461)

  • Fix some types. (by @​alexander-akait in #20412)

  • Ensure that missing module errors are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @hai-x in #20510)

  • Added createRequire support for ECMA modules. (by @​stefanbinoj in #20497)

  • Added category for CJS reexport dependency to fix issues with ECMA modules. (by @​hai-x in #20444)

  • Implement immutable bytes for bytes import attribute to match tc39 spec. (by @​alexander-akait in #20481)

  • Fixed deterministic search for graph roots regardless of edge order. (by @​veeceey in #20452)

5.105.2

Patch Changes

... (truncated)

Commits
  • 27c13b4 chore(release): new release (#20550)
  • 9b2f41e chore: bump terser plugin (#20569)
  • eafe060 fix: narrow the export presence guard detection (#20561)
  • 75d605c refactor: add AppendOnlyStackedSet iteration support and tests (#20560)
  • afa607d refactor: remove unused code (#20562)
  • 4098902 test: add source files for web-webworker and web-webworker-auto-public-path (...
  • f97be67 refactor: fix duplicated word in Compilation JSDoc (#20547)
  • 9d76fff refactor: add Module.getSourceBasicTypes for basic JS type detection (#20546)
  • a3d7839 fix: types for multi stats (#20556)
  • b8e9b05 fix: update enhanced-resolve to support new features for tsconfig.json (#...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.


Updates dompurify from 3.3.1 to 3.3.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.2

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
  • Bumped and removed several dependencies, thanks @​Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @​Rotzbua
Commits

Updates @angular/common from 18.2.14 to 21.2.1

Release notes

Sourced from @​angular/common's releases.

VSCode Extension: 21.2.1

  • perf(language-service): use lightweight project warmup for Angular analysis (d2137928e8)

21.2.1

core

| Commit | Description |
| --- | --- |
| fix - e2e9a9a531 | adds transfer cache to httpResource to fix hydration |
| fix - b4ec3cc4e4 | prevent child animation elements from being orphaned |
| fix - e923d88398 | Prevent removal of elements during drag and drop |

http

| Commit | Description |
| --- | --- |
| fix - 277ade97ac | correctly cache blob responses in transfer cache (#67002) |

VSCode Extension: 21.2.0

  • fix(vscode-extension): Highlight function calls with optional chaining (4f8d3995f0)
  • feat(language-service): add linked editing ranges for HTML tag synchronization (8c21866f49)
  • fix(vscode-extension): support highlighting for class bindings with brackets (01ed57f297)
  • feat(language-service): add JSON schema for angularCompilerOptions (496967e7b1)
  • fix(language-service): Detect local project version on creation (8a7cbd4668)
  • feat(language-server): Support client-side file watching via onDidChangeWatchedFiles (6fb39d9b62)
  • feat(language-server): Add completions and hover info for inline styles (ebc90c26f5)
  • feat(language-server): Add quick info for inline styles (573aadef7e)
  • feat(language-server): Add folding range support for inline styles (26fd0839c3)

21.2.0

common

| Commit | Description |
| --- | --- |
| feat - 18003a33bb | add an 'outlet' injector option for ngTemplateOutlet |
| feat - 8bbe6dc46c | Add Location strategies to manage trailing slash on write |
| feat - 51cc914807 | support height in ImageLoaderConfig and built-in loaders |

compiler

| Commit | Description |
| --- | --- |
| feat - 72534e2a34 | Add support for the instanceof binary operator |
| feat - 95b3f37d4a | Exhaustive checks for switch blocks |
| feat - 04ba09a8d9 | support AstVisitor.visitEmptyExpr() |
| fix - ce80136e7b | optimize away unnecessary restore/reset view calls |
| fix - 3242a61bae | variable counter visiting some expressions twice |

compiler-cli

| Commit | Description |
| --- | --- |
| fix - 473dd3e1cb | attach source spans to object literal keys in TCB |
| fix - a904d9f77b | support nested component declaration |
| fix - 2ea6dfc6c9 | update diagnostic to flag no-op arrow functions in listeners |

core

Commit Description

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

21.2.1 (2026-03-04)

core

| Commit | Type | Description |
| --- | --- | --- |
| e2e9a9a531 | fix | adds transfer cache to httpResource to fix hydration |
| b4ec3cc4e4 | fix | prevent child animation elements from being orphaned |
| e923d88398 | fix | Prevent removal of elements during drag and drop |

http

| Commit | Type | Description |
| --- | --- | --- |
| 277ade97ac | fix | correctly cache blob responses in transfer cache (#67002) |

19.2.19 (2026-02-25)

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

core

| Commit | Type | Description |
| --- | --- | --- |
| 747548721d | fix | block creation of sensitive URI attributes from ICU messages |

20.3.17 (2026-02-25)

Breaking Changes

core

  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 03da204b6daa5e4583e0d0968c2107390bbd8235)

core

| Commit | Type | Description |
| --- | --- | --- |
| 7f9de3c118 | fix | block creation of sensitive URI attributes from ICU messages |

21.2.0 (2026-02-25)

common

| Commit | Type | Description |
| --- | --- | --- |
| 18003a33bb | feat | add an 'outlet' injector option for ngTemplateOutlet |
| 8bbe6dc46c | feat | Add Location strategies to manage trailing slash on write |
| 51cc914807 | feat | support height in ImageLoaderConfig and built-in loaders |

... (truncated)

Commits
  • 93c6dc6 Revert "refactor(http): Improves base64 encoding/decoding with feature detect...
  • 76431ed Revert "fix(http): correctly cache blob responses in transfer cache (#67002)"
  • 277ade9 fix(http): correctly cache blob responses in transfer cache (#67002)
  • aeb9b81 refactor(http): Improves base64 encoding/decoding with feature detection (#67...
  • ecf0bb4 test(http): refactors HTTP client tests to use TestBed and providers
  • e2e9a9a fix(core): adds transfer cache to httpResource to fix hydration
  • 70e4c7f refactor(common): log a warning when a KeyValuePipe receives a signal
  • 2eeeabb fix(common): fix LCP image detection with duplicate URLs
  • 3c4deaa refactor(common): log a warning when a JsonPipe receives a signal
  • a8aab64 refactor(core): remove outdated TODO comments referencing TypeScript 2.1
  • Additional commits viewable in compare view

Updates svelte from 4.2.20 to 5.53.7

Release notes

Sourced from svelte's releases.

svelte@5.53.7

Patch Changes

  • fix: correctly add __svelte_meta after else-if chains (#17830)

  • perf: cache element interactivity and source line splitting in compiler (#17839)

  • chore: avoid rescheduling effects during branch commit (#17837)

  • perf: optimize CSS selector pruning (#17846)

  • fix: preserve original boundary errors when keyed each rows are removed during async updates (#17843)

  • perf: avoid O(n²) name scanning in scope generate and unique (#17844)

  • fix: preserve each items that are needed by pending batches (#17819)

svelte@5.53.6

Patch Changes

  • perf: optimize parser hot paths for faster compilation (#17811)

  • fix: SvelteMap incorrectly handles keys with undefined values (#17826)

  • fix: SvelteURL search setter now returns the normalized value, matching native URL behavior (#17828)

  • fix: visit synthetic value node during ssr (#17824)

  • fix: always case insensitive event handlers during ssr (#17822)

  • chore: more efficient effect scheduling (#17808)

  • perf: optimize compiler analysis phase (#17823)

  • fix: skip redundant batch.apply (#17816)

  • chore: null out current_batch before committing branches (#17809)

svelte@5.53.5

Patch Changes

svelte@5.53.4

Patch Changes

  • fix: set server context after async transformError (#17799)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.7

Patch Changes

  • fix: correctly add __svelte_meta after else-if chains (#17830)

  • perf: cache element interactivity and source line splitting in compiler (#17839)

  • chore: avoid rescheduling effects during branch commit (#17837)

  • perf: optimize CSS selector pruning (#17846)

  • fix: preserve original boundary errors when keyed each rows are removed during async updates (#17843)

  • perf: avoid O(n²) name scanning in scope generate and unique (#17844)

  • fix: preserve each items that are needed by pending batches (#17819)

5.53.6

Patch Changes

  • perf: optimize parser hot paths for faster compilation (#17811)

  • fix: SvelteMap incorrectly handles keys with undefined values (#17826)

  • fix: SvelteURL search setter now returns the normalized value, matching native URL behavior (#17828)

  • fix: visit synthetic value node during ssr (#17824)

  • fix: always case insensitive event handlers during ssr (#17822)

  • chore: more efficient effect scheduling (#17808)

  • perf: optimize compiler analysis phase (#17823)

  • fix: skip redundant batch.apply (#17816)

  • chore: null out current_batch before committing branches (#17809)

5.53.5

Patch Changes

5.53.4

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for svelte since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 3 updates in the /docs.openc3.com directory: [ajv](https://github.com/ajv-validator/ajv), [svgo](https://github.com/svg/svgo) and [webpack](https://github.com/webpack/webpack).
Bumps the npm_and_yarn group with 1 update in the /openc3-cosmos-init/plugins/packages/openc3-vue-common directory: [dompurify](https://github.com/cure53/DOMPurify).
Bumps the npm_and_yarn group with 1 update in the /openc3/templates/tool_angular directory: [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common).
Bumps the npm_and_yarn group with 1 update in the /openc3/templates/tool_svelte directory: [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte).


Updates `ajv` from 6.12.6 to 6.14.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.12.6...v6.14.0)

Updates `svgo` from 3.3.2 to 3.3.3
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v3.3.2...v3.3.3)

Updates `webpack` from 5.103.0 to 5.105.4
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.103.0...v5.105.4)

Updates `dompurify` from 3.3.1 to 3.3.2
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.1...3.3.2)

Updates `@angular/common` from 18.2.14 to 21.2.1
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.1/packages/common)

Updates `svelte` from 4.2.20 to 5.53.7
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.53.7/packages/svelte)

---
updated-dependencies:
- dependency-name: ajv
  dependency-version: 6.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: svgo
  dependency-version: 3.3.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-version: 5.105.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.3.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@angular/common"
  dependency-version: 21.2.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: svelte
  dependency-version: 5.53.7
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels Mar 5, 2026
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: docs.openc3.com/pnpm-lock.yaml → npm/@docusaurus/preset-classic@3.9.2 → npm/@docusaurus/core@3.9.2 → npm/entities@4.5.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: docs.openc3.com/pnpm-lock.yaml → npm/@docusaurus/preset-classic@3.9.2 → npm/entities@6.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm lunr-languages is 95.0% likely obfuscated

Confidence: 0.95

Location: Package overview

From: docs.openc3.com/pnpm-lock.yaml → npm/docusaurus-lunr-search@3.6.0 → npm/lunr-languages@1.14.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lunr-languages@1.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm lunr-languages is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: docs.openc3.com/pnpm-lock.yaml → npm/docusaurus-lunr-search@3.6.0 → npm/lunr-languages@1.14.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lunr-languages@1.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

sonarqubecloud bot commented Mar 5, 2026

@jmthomas jmthomas closed this Mar 5, 2026

dependabot bot commented on behalf of github Mar 5, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/docs.openc3.com/npm_and_yarn-3be6555c5b branch March 5, 2026 22:23