Bump the npm_and_yarn group across 4 directories with 32 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the /Open-ILS/src/eg2 directory:

Package	From	To
@angular/common	18.2.13	21.1.1
@angular/compiler	18.2.13	21.1.1
form-data	4.0.2	4.0.5
js-yaml	4.1.0	4.1.1
lodash	4.17.21	4.17.23
tar	6.2.1	7.5.7
tar-fs	3.0.9	3.1.1

Bumps the npm_and_yarn group with 2 updates in the /Open-ILS/src/eg2/eslint directory: js-yaml and vite.
Bumps the npm_and_yarn group with 10 updates in the /Open-ILS/web/js/ui/default/staff directory:

Package	From	To
bootstrap	3.4.1	5.0.0
moment	2.29.1	2.30.1
moment-timezone	0.5.33	0.5.35
karma	1.7.1	6.4.4
loader-utils	1.4.0	1.4.2
async	2.6.3	2.6.4
body-parser	1.20.0	1.20.4
follow-redirects	1.15.1	1.15.11
json5	1.0.1	1.0.2
angular	1.6.10	1.8.3

Bumps the npm_and_yarn group with 5 updates in the /Open-ILS/web/opac/deps directory:

Package	From	To
bootstrap	4.6.2	5.0.0
ws	8.13.0	8.19.0
form-data	4.0.0	4.0.5
js-yaml	4.1.0	4.1.1
tough-cookie	4.1.2	4.1.4

Updates @angular/common from 18.2.13 to 21.1.1

Release notes

Sourced from @​angular/common's releases.

21.1.1

compiler-cli

Commit	Description
	drop .tsx extension for generated relative imports

core

Commit	Description
	handle Set in class bindings

forms

Commit	Description
	Ability to manually register a form field binding in signal forms
	fix control value syncing on touch

VSCode Extension: 21.1.1

• fix(vscode-extension): add syntax highlighting for arrow functions (a649fc8f57)
• fix(vscode-extension): add syntax highlighting for spread/rest expressions (8f16846dd9)

VSCode Extension: 21.1.0

21.1.0 (2026-01-12)

• fix(vscode-extension): convert enum member kind in completions correctly (50674f8c28)

21.1.0

common

Commit	Description
	Add custom transformations for Cloudflare and Cloudinary image loaders
	support custom transformations in ImageKit and Imgix loaders

compiler

Commit	Description
	Add support for multiple swich cases matching
	Support empty cases

core

Commit	Description
	Add stability debugging utility
	support rest arguments in function calls
	support spread elements in array literals
	support spread expressions in object literals
	Microtask scheduling should be used after any application synchronization
	return StaticProvider for providePlatformInitializer

forms

Commit	Description
	allow focusing bound control from field state

platform-browser

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

21.1.1 (2026-01-21)

compiler-cli

Commit	Type	Description
0e1f1ed573	fix	drop .tsx extension for generated relative imports

core

Commit	Type	Description
05adfcf8f2	fix	handle Set in class bindings

forms

Commit	Type	Description
d89a80a970	feat	Ability to manually register a form field binding in signal forms
cb75f9ce85	fix	fix control value syncing on touch

21.1.0 (2026-01-14)

Deprecations

upgrade

• VERSION from @angular/upgrade is deprecated. Please use the entry from @angular/upgrade/static instead.

common

Commit	Type	Description
d8790972be	feat	Add custom transformations for Cloudflare and Cloudinary image loaders
a6b8cb68af	feat	support custom transformations in ImageKit and Imgix loaders

compiler

Commit	Type	Description
640693da8e	feat	Add support for multiple swich cases matching
0ad3adc7c6	fix	Support empty cases

core

Commit	Type	Description
99ad18a4ee	feat	Add stability debugging utility
a0dfa5fa86	feat	support rest arguments in function calls
6e18fa8bc9	feat	support spread elements in array literals
e407280ab5	feat	support spread expressions in object literals
06be8034bb	fix	Microtask scheduling should be used after any application synchronization
b4f584cf42	fix	return StaticProvider for providePlatformInitializer

forms

Commit	Type	Description
1ea5c97703	feat	allow focusing bound control from field state

platform-browser

Commit	Type	Description
ec9dc94cee	feat	add context to createApplication
ab67988d2e	feat	resolve JIT resources in createApplication

... (truncated)

Commits

• 3954dc2 refactor(http): remove redundant providedIn: 'root' in XSRF_HEADER_NAME
• 03e2b36 refactor(core): update error message links to versioned docs (#66374)
• 74af7d8 refactor(core): Use the provided Document value rather than global in FakeNav...
• a2b9429 Revert "feat(router): add trailingSlash config option"
• 12fccc5 feat(router): add trailingSlash config option
• 3dfdb71 docs: add docs for transform property in built-in loaders
• dd58c4b refactor(common): Add token to indicate whether precommit handler is supported
• a6b8cb6 feat(common): support custom transformations in ImageKit and Imgix loaders
• d879097 feat(common): Add custom transformations for Cloudflare and Cloudinary image ...
• 6270bba ci: reformat files
• Additional commits viewable in compare view

Updates @angular/compiler from 18.2.13 to 21.1.1

Release notes

Sourced from @​angular/compiler's releases.

21.1.1

compiler-cli

Commit	Description
	drop .tsx extension for generated relative imports

core

Commit	Description
	handle Set in class bindings

forms

Commit	Description
	Ability to manually register a form field binding in signal forms
	fix control value syncing on touch

VSCode Extension: 21.1.1

• fix(vscode-extension): add syntax highlighting for arrow functions (a649fc8f57)
• fix(vscode-extension): add syntax highlighting for spread/rest expressions (8f16846dd9)

VSCode Extension: 21.1.0

21.1.0 (2026-01-12)

• fix(vscode-extension): convert enum member kind in completions correctly (50674f8c28)

21.1.0

common

Commit	Description
	Add custom transformations for Cloudflare and Cloudinary image loaders
	support custom transformations in ImageKit and Imgix loaders

compiler

Commit	Description
	Add support for multiple swich cases matching
	Support empty cases

core

Commit	Description
	Add stability debugging utility
	support rest arguments in function calls
	support spread elements in array literals
	support spread expressions in object literals
	Microtask scheduling should be used after any application synchronization
	return StaticProvider for providePlatformInitializer

forms

Commit	Description
	allow focusing bound control from field state

platform-browser

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular/compiler's changelog.

21.1.1 (2026-01-21)

compiler-cli

Commit	Type	Description
0e1f1ed573	fix	drop .tsx extension for generated relative imports

core

Commit	Type	Description
05adfcf8f2	fix	handle Set in class bindings

forms

Commit	Type	Description
d89a80a970	feat	Ability to manually register a form field binding in signal forms
cb75f9ce85	fix	fix control value syncing on touch

21.1.0 (2026-01-14)

Deprecations

upgrade

• VERSION from @angular/upgrade is deprecated. Please use the entry from @angular/upgrade/static instead.

common

Commit	Type	Description
d8790972be	feat	Add custom transformations for Cloudflare and Cloudinary image loaders
a6b8cb68af	feat	support custom transformations in ImageKit and Imgix loaders

compiler

Commit	Type	Description
640693da8e	feat	Add support for multiple swich cases matching
0ad3adc7c6	fix	Support empty cases

core

Commit	Type	Description
99ad18a4ee	feat	Add stability debugging utility
a0dfa5fa86	feat	support rest arguments in function calls
6e18fa8bc9	feat	support spread elements in array literals
e407280ab5	feat	support spread expressions in object literals
06be8034bb	fix	Microtask scheduling should be used after any application synchronization
b4f584cf42	fix	return StaticProvider for providePlatformInitializer

forms

Commit	Type	Description
1ea5c97703	feat	allow focusing bound control from field state

platform-browser

Commit	Type	Description
ec9dc94cee	feat	add context to createApplication
ab67988d2e	feat	resolve JIT resources in createApplication

... (truncated)

Commits

• ea70b00 refactor(compiler): remove unused symbols
• ded654d build: initial test of TypeScript 6
• 5326333 fix(forms): Ensure the control instruction comes after the other bindings
• 29f074a fix(forms): Rename signal form [field] to [formField]
• 0875dea refactor(compiler): switch Binary.isAssignmentOperation to type guard function
• 83bac5a refactor(compiler): tighten Unary.operator type
• e01dcae refactor: _ParseAST.isAssignmentOperator to type guard
• 4cdf4d5 refactor(compiler): tighten Binary.operation type
• 0ad3adc fix(compiler): Support empty cases
• 4dc5ae5 refactor(core): remove unused instruction parameter
• Additional commits viewable in compare view

Updates form-data from 4.0.2 to 4.0.5

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

Changelog

Sourced from form-data's changelog.

v4.0.5 - 2025-11-17

Commits

• [Tests] Switch to newer v8 prediction library; enable node 24 testing 16e0076
• [Dev Deps] update @ljharb/eslint-config, eslint 5822467
• [Fix] set Symbol.toStringTag in the proper place 76d0dee

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

Commits

• 68ff7dd v4.0.5
• 5822467 [Dev Deps] update @ljharb/eslint-config, eslint
• 76d0dee [Fix] set Symbol.toStringTag in the proper place
• 16e0076 [Tests] Switch to newer v8 prediction library; enable node 24 testing
• 41996f5 v4.0.4
• 316c82b [meta] actually ensure the readme backup isn’t published
• 2300ca1 [meta] fix readme capitalization
• 811f682 [meta] add auto-changelog
• 5e34080 [Tests] fix linting errors
• 1d11a76 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates serialize-javascript from 6.0.0 to 6.0.2

Release notes

Sourced from serialize-javascript's releases.

v6.0.2

• fix: serialize URL string contents to prevent XSS (#173) f27d65d
• Bump @​babel/traverse from 7.10.1 to 7.23.7 (#171) 02499c0
• docs: update readme with URL support (#146) 0d88527
• chore: update node version and lock file e2a3a91
• fix typo (#164) 5a1fa64

yahoo/serialize-javascript@v6.0.1...v6.0.2

v6.0.1

What's Changed

• Bump mocha from 9.0.1 to 9.0.2 by @​dependabot in yahoo/serialize-javascript#126
• Bump mocha from 9.0.2 to 9.0.3 by @​dependabot in yahoo/serialize-javascript#127
• Bump path-parse from 1.0.6 to 1.0.7 by @​dependabot in yahoo/serialize-javascript#129
• Bump mocha from 9.0.3 to 9.1.0 by @​dependabot in yahoo/serialize-javascript#130
• Bump mocha from 9.1.0 to 9.1.1 by @​dependabot in yahoo/serialize-javascript#131
• Bump mocha from 9.1.1 to 9.1.2 by @​dependabot in yahoo/serialize-javascript#132
• Bump mocha from 9.1.2 to 9.1.3 by @​dependabot in yahoo/serialize-javascript#133
• Bump mocha from 9.1.3 to 9.1.4 by @​dependabot in yahoo/serialize-javascript#137
• Bump mocha from 9.1.4 to 9.2.0 by @​dependabot in yahoo/serialize-javascript#138
• Bump chai from 4.3.4 to 4.3.6 by @​dependabot in yahoo/serialize-javascript#140
• Bump ansi-regex from 5.0.0 to 5.0.1 by @​dependabot in yahoo/serialize-javascript#141
• Bump mocha from 9.2.0 to 9.2.2 by @​dependabot in yahoo/serialize-javascript#143
• Bump minimist from 1.2.5 to 1.2.6 by @​dependabot in yahoo/serialize-javascript#144
• Bump mocha from 9.2.2 to 10.0.0 by @​dependabot in yahoo/serialize-javascript#145
• Bump mocha from 10.0.0 to 10.1.0 by @​dependabot in yahoo/serialize-javascript#149
• Bump chai from 4.3.6 to 4.3.7 by @​dependabot in yahoo/serialize-javascript#150
• ci: test.yml - actions bump by @​piwysocki in yahoo/serialize-javascript#151
• Bump minimatch from 3.0.4 to 3.1.2 by @​dependabot in yahoo/serialize-javascript#152
• Bump mocha from 10.1.0 to 10.2.0 by @​dependabot in yahoo/serialize-javascript#153
• Bump json5 from 2.1.3 to 2.2.3 by @​dependabot in yahoo/serialize-javascript#155
• Fix serialization issue for 0n. by @​momocow in yahoo/serialize-javascript#156
• Release v6.0.1 by @​okuryu in yahoo/serialize-javascript#157

New Contributors

• @​piwysocki made their first contribution in yahoo/serialize-javascript#151
• @​momocow made their first contribution in yahoo/serialize-javascript#156

Full Changelog: yahoo/serialize-javascript@v6.0.0...v6.0.1

Commits

• b71ec23 6.0.2
• f27d65d fix: serialize URL string contents to prevent XSS (#173)
• 02499c0 Bump @​babel/traverse from 7.10.1 to 7.23.7 (#171)
• 0d88527 docs: update readme with URL support (#146)
• e2a3a91 chore: update node version and lock file
• 5a1fa64 fix typo (#164)
• 7139f92 Release v6.0.1 (#157)
• 7e23ae8 Fix serialization issue for 0n. (#156)
• 343abd9 Bump json5 from 2.1.3 to 2.2.3 (#155)
• 38d0e70 Bump mocha from 10.1.0 to 10.2.0 (#153)
• Additional commits viewable in compare view

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

• [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-12816
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66031
  • GHSA ID: GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66030
  • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
• [asn1] Add fromDer() max recursion depth check.
  • Add a asn1.maxDepth global configurable maximum depth of 256.
  • Add a asn1.fromDer() per-call maxDepth option.
  • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
  • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default

... (truncated)

Commits

• 1cea0af Release 1.3.3.
• 5265989 Update changelog.
• e4f3961 Fix changelog for release.
• 503979b Update changelog.
• c3b3b32 Make digestAlgorithm parameters optional
• 6f70043 Update CVE details.
• f547b0d Start 1.3.3-0.
• 235ad3e Release 1.3.2.
• 2598244 Update changelog.
• 0032dd0 Fix typos.
• Additional commits viewable in compare view

Updates on-headers from 1.0.2 to 1.1.0

Release notes

Sourced from on-headers's releases.

1.1.0

Important

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

What's Changed

• Migrate CI pipeline to GitHub actions by @​carpasse in jshttp/on-headers#12
• fix README.md badges by @​carpasse in jshttp/on-headers#13
• add OSSF scorecard action by @​carpasse in jshttp/on-headers#14
• fix: use ubuntu-latest as ci runner by @​UlisesGascon in jshttp/on-headers#19
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in jshttp/on-headers#20
• 👷 add upstream change detection by @​ctcpip in jshttp/on-headers#31
• ✨ add script to update known hashes by @​ctcpip in jshttp/on-headers#32
• 💚 update CI - add newer node versions by @​ctcpip in jshttp/on-headers#33

New Contributors

• @​carpasse made their first contribution in jshttp/on-headers#12
• @​UlisesGascon made their first contribution in jshttp/on-headers#19
• @​ctcpip made their first contribution in jshttp/on-headers#31

Full Changelog: jshttp/on-headers@v1.0.2...v1.1.0

Changelog

Sourced from on-headers's changelog.

1.1.0 / 2025-07-17

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• 4b017af 1.1.0
• b636f2d ♻️ refactor header array code
• 3e2c2d4 ✨ ignore falsy header keys, matching node behavior
• 172eb41 ✨ support duplicate headers
• c6e3849 🔒️ fix array handling
• 6893518 💚 update CI - add newer node versions
• 56a345d ✨ add script to update known hashes
• 175ab21 👷 add upstream change detection (#31)
• ce0b2c8 ci: apply OSSF Scorecard security best practices (#20)
• 1a38c54 fix: use ubuntu-latest as ci runner (#19)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for on-headers since your current version.

Updates qs from 6.13.0 to 6.14.1

Changelog

Sourced from qs's changelog.

6.14.1

• [Fix] ensure arrayLength applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup
• [Tests] utils.merge: add some coverage
• [Tests] fix a test case
• [actions] split out node 10-20, and 20+
• [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

Commits

• 3fa11a5 v6.14.1
• a626704 [Dev Deps] update npmignore