build(deps): Bump the angular-stack group across 1 directory with 5 updates

[dependabot]

Bumps the angular-stack group with 5 updates in the / directory:

Package	From	To
@angular/common	21.2.14	21.2.15
@angular/compiler	21.2.14	21.2.15
@angular/core	21.2.14	21.2.15
@angular-devkit/build-angular	21.2.12	21.2.13
@angular/cli	21.2.12	21.2.13

Updates @angular/common from 21.2.14 to 21.2.15

Release notes

Sourced from @​angular/common's releases.

21.2.15

common

Commit	Description
	add upper bounds for digitsInfo
	sanitize placeholder

compiler

Commit	Description
	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
	prevent namespaced SVG elements from being stripped
	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Description
	normalize tag names in runtime i18n attribute security context lookup (#68925)
	sanitize meta selectors
	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
	synchronize core sanitization schema with compiler (#68925)

http

Commit	Description
	exclude withCredentials requests from transfer cache
	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Description
	prevent SSRF bypasses via backslash URLs in HttpClient
	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Description
	Preserves explicit 'credentials: omit' in asset requests
	Preserves HTTP cache mode in asset group requests

Changelog

Sourced from @​angular/common's changelog.

21.2.15 (2026-05-28)

common

Commit	Type	Description
7f4ac78994	fix	add upper bounds for digitsInfo
300f61feb3	fix	sanitize placeholder

compiler

Commit	Type	Description
0b07f47bd6	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
eb1cbbf2eb	fix	prevent namespaced SVG elements from being stripped
cc1378d54b	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
782e01594e	fix	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Type	Description
ff12fe55ac	fix	normalize tag names in runtime i18n attribute security context lookup (#68925)
e6fe77cc97	fix	sanitize meta selectors
daaf32937f	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
dada86e43d	fix	synchronize core sanitization schema with compiler (#68925)

http

Commit	Type	Description
582a417bd2	fix	exclude withCredentials requests from transfer cache
5c6d6df34b	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
37e8aadf87	fix	prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
b8bd49341d	fix	Preserves explicit 'credentials: omit' in asset requests
ca32fc1000	fix	Preserves HTTP cache mode in asset group requests

19.2.24 (2026-05-28)

compiler

Commit	Type	Description
6ea6379123	fix	prevent namespaced SVG elements from being stripped

20.3.23 (2026-05-28)

compiler

... (truncated)

Commits

• 582a417 fix(http): exclude withCredentials requests from transfer cache
• 5c6d6df fix(http): skip TransferCache for cookie-bearing requests by default
• 300f61f fix(common): sanitize placeholder
• 7f4ac78 fix(common): add upper bounds for digitsInfo
• See full diff in compare view

Updates @angular/compiler from 21.2.14 to 21.2.15

Release notes

Sourced from @​angular/compiler's releases.

21.2.15

common

Commit	Description
	add upper bounds for digitsInfo
	sanitize placeholder

compiler

Commit	Description
	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
	prevent namespaced SVG elements from being stripped
	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Description
	normalize tag names in runtime i18n attribute security context lookup (#68925)
	sanitize meta selectors
	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
	synchronize core sanitization schema with compiler (#68925)

http

Commit	Description
	exclude withCredentials requests from transfer cache
	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Description
	prevent SSRF bypasses via backslash URLs in HttpClient
	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Description
	Preserves explicit 'credentials: omit' in asset requests
	Preserves HTTP cache mode in asset group requests

Changelog

Sourced from @​angular/compiler's changelog.

21.2.15 (2026-05-28)

common

Commit	Type	Description
7f4ac78994	fix	add upper bounds for digitsInfo
300f61feb3	fix	sanitize placeholder

compiler

Commit	Type	Description
0b07f47bd6	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
eb1cbbf2eb	fix	prevent namespaced SVG elements from being stripped
cc1378d54b	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
782e01594e	fix	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Type	Description
ff12fe55ac	fix	normalize tag names in runtime i18n attribute security context lookup (#68925)
e6fe77cc97	fix	sanitize meta selectors
daaf32937f	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
dada86e43d	fix	synchronize core sanitization schema with compiler (#68925)

http

Commit	Type	Description
582a417bd2	fix	exclude withCredentials requests from transfer cache
5c6d6df34b	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
37e8aadf87	fix	prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
b8bd49341d	fix	Preserves explicit 'credentials: omit' in asset requests
ca32fc1000	fix	Preserves HTTP cache mode in asset group requests

19.2.24 (2026-05-28)

compiler

Commit	Type	Description
6ea6379123	fix	prevent namespaced SVG elements from being stripped

20.3.23 (2026-05-28)

compiler

... (truncated)

Commits

• eb1cbbf fix(compiler): prevent namespaced SVG <style> elements from being stripped
• 29ceeff docs: fix typos in source code comments
• 782e015 fix(compiler): strip namespaced SVG script elements during template compilati...
• ff12fe5 fix(core): normalize tag names in runtime i18n attribute security context loo...
• 0b07f47 fix(compiler): normalize tag names with custom namespaces in DomElementSchema...
• cc1378d fix(compiler): sanitize dynamic href and xlink:href bindings on SVG a element...
• daaf329 fix(core): support prefix-insensitive DOM schema lookups and compile-time i18...
• See full diff in compare view

Updates @angular/core from 21.2.14 to 21.2.15

Release notes

Sourced from @​angular/core's releases.

21.2.15

common

Commit	Description
	add upper bounds for digitsInfo
	sanitize placeholder

compiler

Commit	Description
	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
	prevent namespaced SVG elements from being stripped
	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Description
	normalize tag names in runtime i18n attribute security context lookup (#68925)
	sanitize meta selectors
	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
	synchronize core sanitization schema with compiler (#68925)

http

Commit	Description
	exclude withCredentials requests from transfer cache
	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Description
	prevent SSRF bypasses via backslash URLs in HttpClient
	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Description
	Preserves explicit 'credentials: omit' in asset requests
	Preserves HTTP cache mode in asset group requests

Changelog

Sourced from @​angular/core's changelog.

21.2.15 (2026-05-28)

common

Commit	Type	Description
7f4ac78994	fix	add upper bounds for digitsInfo
300f61feb3	fix	sanitize placeholder

compiler

Commit	Type	Description
0b07f47bd6	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#68925)
eb1cbbf2eb	fix	prevent namespaced SVG elements from being stripped
cc1378d54b	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#68925)
782e01594e	fix	strip namespaced SVG script elements during template compilation (#68925)

core

Commit	Type	Description
ff12fe55ac	fix	normalize tag names in runtime i18n attribute security context lookup (#68925)
e6fe77cc97	fix	sanitize meta selectors
daaf32937f	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#68925)
dada86e43d	fix	synchronize core sanitization schema with compiler (#68925)

http

Commit	Type	Description
582a417bd2	fix	exclude withCredentials requests from transfer cache
5c6d6df34b	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
37e8aadf87	fix	prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
b8bd49341d	fix	Preserves explicit 'credentials: omit' in asset requests
ca32fc1000	fix	Preserves HTTP cache mode in asset group requests

19.2.24 (2026-05-28)

compiler

Commit	Type	Description
6ea6379123	fix	prevent namespaced SVG elements from being stripped

20.3.23 (2026-05-28)

compiler

... (truncated)

Commits

• 29ceeff docs: fix typos in source code comments
• 251c8f2 test(core): remove obsolete SVG script sanitization translation test (#68925)
• dada86e fix(core): synchronize core sanitization schema with compiler (#68925)
• 782e015 fix(compiler): strip namespaced SVG script elements during template compilati...
• ff12fe5 fix(core): normalize tag names in runtime i18n attribute security context loo...
• 0b07f47 fix(compiler): normalize tag names with custom namespaces in DomElementSchema...
• cc1378d fix(compiler): sanitize dynamic href and xlink:href bindings on SVG a element...
• daaf329 fix(core): support prefix-insensitive DOM schema lookups and compile-time i18...
• See full diff in compare view

Updates @angular-devkit/build-angular from 21.2.12 to 21.2.13

Release notes

Sourced from @​angular-devkit/build-angular's releases.

21.2.13

@​angular-devkit/build-angular

Commit	Description
	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Description
	assert that asset input paths are within workspace root

Changelog

Sourced from @​angular-devkit/build-angular's changelog.

21.2.13 (2026-05-27)

@​angular-devkit/build-angular

Commit	Type	Description
3c6d26a31	fix	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Type	Description
2b3e95517	fix	assert that asset input paths are within workspace root

22.0.0-rc.1 (2026-05-21)

@​schematics/angular

Commit	Type	Description
a7ac8e5f0	fix	support spy call arguments migration in refactor-jasmine-vitest

@​angular/build

Commit	Type	Description
327cc2414	fix	assert that asset input paths are within workspace root
93d352798	fix	ignore virtual esbuild paths with (disabled):

Commits

• 287e4e8 release: cut the v21.2.13 release
• 3c6d26a fix(@​angular-devkit/build-angular): remove unconditional CORS wildcard from w...
• 2b3e955 fix(@​angular/build): assert that asset input paths are within workspace root
• See full diff in compare view

Updates @angular/cli from 21.2.12 to 21.2.13

Release notes

Sourced from @​angular/cli's releases.

21.2.13

@​angular-devkit/build-angular

Commit	Description
	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Description
	assert that asset input paths are within workspace root

Changelog

Sourced from @​angular/cli's changelog.

21.2.13 (2026-05-27)

@​angular-devkit/build-angular

Commit	Type	Description
3c6d26a31	fix	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Type	Description
2b3e95517	fix	assert that asset input paths are within workspace root

22.0.0-rc.1 (2026-05-21)

@​schematics/angular

Commit	Type	Description
a7ac8e5f0	fix	support spy call arguments migration in refactor-jasmine-vitest

@​angular/build

Commit	Type	Description
327cc2414	fix	assert that asset input paths are within workspace root
93d352798	fix	ignore virtual esbuild paths with (disabled):

Commits

• 287e4e8 release: cut the v21.2.13 release
• 3c6d26a fix(@​angular-devkit/build-angular): remove unconditional CORS wildcard from w...
• 2b3e955 fix(@​angular/build): assert that asset input paths are within workspace root
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions