Bump the npm_and_yarn group across 3 directories with 5 updates #2958

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/docs.openc3.com/npm_and_yarn-ffaf1ed7cd

dependabot bot commented on behalf of github Mar 9, 2026

Bumps the npm_and_yarn group with 3 updates in the /docs.openc3.com directory: ajv, svgo and webpack.
Bumps the npm_and_yarn group with 1 update in the /openc3/templates/tool_angular directory: @angular/common.
Bumps the npm_and_yarn group with 1 update in the /openc3/templates/tool_svelte directory: svelte.

Updates ajv from 6.12.6 to 6.14.0

Commits

Updates svgo from 3.3.2 to 3.3.3

Release notes

Sourced from svgo's releases.

v3.3.3

What's Changed

Dependencies

  • Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

| | v3.3.2 | v3.3.3 | Delta |
|---|---|---|---|
| svgo.browser.js | 910.9 kB | 912.9 kB | ⬆️ 2 kB |

Support

SVGO v3 is not officially supported; please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v3 to v4 which should ease the process.

Commits

Updates webpack from 5.103.0 to 5.105.4

Release notes

Sourced from webpack's releases.

v5.105.4

Patch Changes

  • Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @​xiaoxiaojx in #20546)

  • Handle createRequire in expressions. (by @​alexander-akait in #20549)

  • Fixed types for multi stats. (by @​alexander-akait in #20556)

  • Remove empty needless js output for normal css module. (by @​JSerFeng in #20162)

  • Update enhanced-resolve to support new features for tsconfig.json. (by @​alexander-akait in #20555)

  • Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @​hai-x in #20561)

v5.105.3

Patch Changes

  • Context modules now handle rejections correctly. (by @​alexander-akait in #20455)

  • Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @​hai-x in #20535)

  • Add the missing __webpack_exports__ declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @​hai-x in #20463)

  • Fixed HMR failure for CSS modules with @​import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @​import CSS to work correctly during hot module replacement. (by @​xiaoxiaojx in #20514)

  • Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @​xiaoxiaojx in #20454)

  • Do not crash when a referenced chunk is not a runtime chunk. (by @​alexander-akait in #20461)

  • Fix some types. (by @​alexander-akait in #20412)

  • Ensure that missing module errors are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @​hai-x in #20510)

  • Added createRequire support for ECMA modules. (by @​stefanbinoj in #20497)

  • Added category for CJS reexport dependency to fix issues with ECMA modules. (by @​hai-x in #20444)

  • Implement immutable bytes for bytes import attribute to match tc39 spec. (by @​alexander-akait in #20481)

  • Fixed deterministic search for graph roots regardless of edge order. (by @​veeceey in #20452)

v5.105.2

Patch Changes

v5.105.1

Patch Changes

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.4

Patch Changes

  • Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @​xiaoxiaojx in #20546)

  • Handle createRequire in expressions. (by @​alexander-akait in #20549)

  • Fixed types for multi stats. (by @​alexander-akait in #20556)

  • Remove empty needless js output for normal css module. (by @​JSerFeng in #20162)

  • Update enhanced-resolve to support new features for tsconfig.json. (by @​alexander-akait in #20555)

  • Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @​hai-x in #20561)

5.105.3

Patch Changes

  • Context modules now handle rejections correctly. (by @​alexander-akait in #20455)

  • Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @​hai-x in #20535)

  • Add the missing __webpack_exports__ declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @​hai-x in #20463)

  • Fixed HMR failure for CSS modules with @​import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @​import CSS to work correctly during hot module replacement. (by @​xiaoxiaojx in #20514)

  • Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @​xiaoxiaojx in #20454)

  • Do not crash when a referenced chunk is not a runtime chunk. (by @​alexander-akait in #20461)

  • Fix some types. (by @​alexander-akait in #20412)

  • Ensure that missing module errors are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @​hai-x in #20510)

  • Added createRequire support for ECMA modules. (by @​stefanbinoj in #20497)

  • Added category for CJS reexport dependency to fix issues with ECMA modules. (by @​hai-x in #20444)

  • Implement immutable bytes for bytes import attribute to match tc39 spec. (by @​alexander-akait in #20481)

  • Fixed deterministic search for graph roots regardless of edge order. (by @​veeceey in #20452)

5.105.2

Patch Changes

... (truncated)

Commits
  • 27c13b4 chore(release): new release (#20550)
  • 9b2f41e chore: bump terser plugin (#20569)
  • eafe060 fix: narrow the export presence guard detection (#20561)
  • 75d605c refactor: add AppendOnlyStackedSet iteration support and tests (#20560)
  • afa607d refactor: remove unused code (#20562)
  • 4098902 test: add source files for web-webworker and web-webworker-auto-public-path (...
  • f97be67 refactor: fix duplicated word in Compilation JSDoc (#20547)
  • 9d76fff refactor: add Module.getSourceBasicTypes for basic JS type detection (#20546)
  • a3d7839 fix: types for multi stats (#20556)
  • b8e9b05 fix: update enhanced-resolve to support new features for tsconfig.json (#...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.


Updates ajv from 6.12.6 to 6.14.0

Commits

Updates @angular/common from 18.2.14 to 21.2.2

Release notes

Sourced from @​angular/common's releases.

VSCode Extension: 21.2.2

  • fix(extension): bundle TypeScript 5.9 internally (da57d1af73)

21.2.2

compiler

| Commit | Description |
|---|---|
| fix - 1df1697c6e | prevent mutation of children array in RecursiveVisitor |

compiler-cli

| Commit | Description |
|---|---|
| fix - c822bf8e76 | always parenthesize object literals in TCB |
| fix - 05d022d5e6 | ignore generated ngDevMode signal branch for code coverage |

forms

| Commit | Description |
|---|---|
| feat - 670d1660c4 | add 'blur' option to debounce rule |

VSCode Extension: 21.2.1

  • perf(language-service): use lightweight project warmup for Angular analysis (d2137928e8)

21.2.1

core

| Commit | Description |
|---|---|
| fix - e2e9a9a531 | adds transfer cache to httpResource to fix hydration |
| fix - b4ec3cc4e4 | prevent child animation elements from being orphaned |
| fix - e923d88398 | Prevent removal of elements during drag and drop |

http

| Commit | Description |
|---|---|
| fix - 277ade97ac | correctly cache blob responses in transfer cache (#67002) |

VSCode Extension: 21.2.0

  • fix(vscode-extension): Highlight function calls with optional chaining (4f8d3995f0)
  • feat(language-service): add linked editing ranges for HTML tag synchronization (8c21866f49)
  • fix(vscode-extension): support highlighting for class bindings with brackets (01ed57f297)
  • feat(language-service): add JSON schema for angularCompilerOptions (496967e7b1)
  • fix(language-service): Detect local project version on creation (8a7cbd4668)
  • feat(language-server): Support client-side file watching via onDidChangeWatchedFiles (6fb39d9b62)
  • feat(language-server): Add completions and hover info for inline styles (ebc90c26f5)
  • feat(language-server): Add quick info for inline styles (573aadef7e)
  • feat(language-server): Add folding range support for inline styles (26fd0839c3)

21.2.0

common

| Commit | Description |
|---|---|
| feat - 18003a33bb | add an 'outlet' injector option for ngTemplateOutlet |
| feat - 8bbe6dc46c | Add Location strategies to manage trailing slash on write |

... (truncated)

Changelog

Sourced from @​angular/common's changelog.

21.2.2 (2026-03-09)

compiler

| Commit | Type | Description |
|---|---|---|
| 1df1697c6e | fix | prevent mutation of children array in RecursiveVisitor |

compiler-cli

| Commit | Type | Description |
|---|---|---|
| c822bf8e76 | fix | always parenthesize object literals in TCB |
| 05d022d5e6 | fix | ignore generated ngDevMode signal branch for code coverage |

forms

| Commit | Type | Description |
|---|---|---|
| 670d1660c4 | feat | add 'blur' option to debounce rule |

22.0.0-next.1 (2026-03-05)

compiler

| Commit | Type | Description |
|---|---|---|
| 72a17afaf3 | fix | prevent mutation of children array in RecursiveVisitor |

compiler-cli

| Commit | Type | Description |
|---|---|---|
| dc4cf649b6 | fix | ignore generated ngDevMode signal branch for code coverage |

forms

| Commit | Type | Description |
|---|---|---|
| c767d678cf | feat | add 'blur' option to debounce rule |

migrations

| Commit | Type | Description |
|---|---|---|
| f01901d766 | fix | avoid generating invalid code in ChangeDetectionStrategy.Eager migration |

22.0.0-next.0 (2026-03-04)

Breaking Changes

  • Node.js v20 is no longer supported. The minimum supported Node.js versions are now v22.22.0 and v24.13.1.

compiler

  • data prefixed attributes no longer bind inputs nor outputs.
  • The compiler will throw when inputs, outputs or model are binding to the same input/outputs.
  • in variables will throw in template expressions.

core

  • change AnimationCallbackEvent.animationComplete signature

http

... (truncated)

Commits
  • 93c6dc6 Revert "refactor(http): Improves base64 encoding/decoding with feature detect...
  • 76431ed Revert "fix(http): correctly cache blob responses in transfer cache (#67002)"
  • 277ade9 fix(http): correctly cache blob responses in transfer cache (#67002)
  • aeb9b81 refactor(http): Improves base64 encoding/decoding with feature detection (#67...
  • ecf0bb4 test(http): refactors HTTP client tests to use TestBed and providers
  • e2e9a9a fix(core): adds transfer cache to httpResource to fix hydration
  • 70e4c7f refactor(common): log a warning when a KeyValuePipe receives a signal
  • 2eeeabb fix(common): fix LCP image detection with duplicate URLs
  • 3c4deaa refactor(common): log a warning when a JsonPipe receives a signal
  • a8aab64 refactor(core): remove outdated TODO comments referencing TypeScript 2.1
  • Additional commits viewable in compare view

Updates svelte from 4.2.20 to 5.53.8

Release notes

Sourced from svelte's releases.

svelte@5.53.8

Patch Changes

  • fix: {@html} no longer duplicates content inside contenteditable elements (#17853)

  • fix: don't access inert block effects (#17882)

  • fix: handle async updates within pending boundary (#17873)

  • perf: avoid re-traversing the effect tree after $: assignments (#17848)

  • chore: simplify scheduling logic (#17805)

svelte@5.53.7

Patch Changes

  • fix: correctly add __svelte_meta after else-if chains (#17830)

  • perf: cache element interactivity and source line splitting in compiler (#17839)

  • chore: avoid rescheduling effects during branch commit (#17837)

  • perf: optimize CSS selector pruning (#17846)

  • fix: preserve original boundary errors when keyed each rows are removed during async updates (#17843)

  • perf: avoid O(n²) name scanning in scope generate and unique (#17844)

  • fix: preserve each items that are needed by pending batches (#17819)

svelte@5.53.6

Patch Changes

  • perf: optimize parser hot paths for faster compilation (#17811)

  • fix: SvelteMap incorrectly handles keys with undefined values (#17826)

  • fix: SvelteURL search setter now returns the normalized value, matching native URL behavior (#17828)

  • fix: visit synthetic value node during ssr (#17824)

  • fix: always case insensitive event handlers during ssr (#17822)

  • chore: more efficient effect scheduling (#17808)

  • perf: optimize compiler analysis phase (#17823)

  • fix: skip redundant batch.apply (#17816)

  • chore: null out current_batch before committing branches (#17809)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.8

Patch Changes

  • fix: {@html} no longer duplicates content inside contenteditable elements (#17853)

  • fix: don't access inert block effects (#17882)

  • fix: handle async updates within pending boundary (#17873)

  • perf: avoid re-traversing the effect tree after $: assignments (#17848)

  • chore: simplify scheduling logic (#17805)

5.53.7

Patch Changes

  • fix: correctly add __svelte_meta after else-if chains (#17830)

  • perf: cache element interactivity and source line splitting in compiler (#17839)

  • chore: avoid rescheduling effects during branch commit (#17837)

  • perf: optimize CSS selector pruning (#17846)

  • fix: preserve original boundary errors when keyed each rows are removed during async updates (#17843)

  • perf: avoid O(n²) name scanning in scope generate and unique (#17844)

  • fix: preserve each items that are needed by pending batches (#17819)

5.53.6

Patch Changes

  • perf: optimize parser hot paths for faster compilation (#17811)

  • fix: SvelteMap incorrectly handles keys with undefined values (#17826)

  • fix: SvelteURL search setter now returns the normalized value, matching native URL behavior (#17828)

  • fix: visit synthetic value node during ssr (#17824)

  • fix: always case insensitive event handlers during ssr (#17822)

  • chore: more efficient effect scheduling (#17808)

  • perf: optimize compiler analysis phase (#17823)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for svelte since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 3 updates in the /docs.openc3.com directory: [ajv](https://github.com/ajv-validator/ajv), [svgo](https://github.com/svg/svgo) and [webpack](https://github.com/webpack/webpack).
Bumps the npm_and_yarn group with 1 update in the /openc3/templates/tool_angular directory: [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common).
Bumps the npm_and_yarn group with 1 update in the /openc3/templates/tool_svelte directory: [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte).


Updates `ajv` from 6.12.6 to 6.14.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.12.6...v6.14.0)

Updates `svgo` from 3.3.2 to 3.3.3
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v3.3.2...v3.3.3)

Updates `webpack` from 5.103.0 to 5.105.4
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.103.0...v5.105.4)

Updates `ajv` from 6.12.6 to 6.14.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.12.6...v6.14.0)

Updates `@angular/common` from 18.2.14 to 21.2.2
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.2/packages/common)

Updates `svelte` from 4.2.20 to 5.53.8
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.53.8/packages/svelte)

---
updated-dependencies:
- dependency-name: ajv
  dependency-version: 6.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: svgo
  dependency-version: 3.3.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-version: 5.105.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ajv
  dependency-version: 6.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@angular/common"
  dependency-version: 21.2.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: svelte
  dependency-version: 5.53.8
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and javascript labels Mar 9, 2026

sonarqubecloud bot commented Mar 9, 2026

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
Obfuscated code: npm svelte is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: openc3/templates/tool_svelte/package.json npm/svelte@5.53.8

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/svelte@5.53.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm svelte2tsx is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ? npm/@smui/common@7.0.0 npm/@smui/list@7.0.0 npm/@smui/menu@7.0.0 npm/@smui/button@7.0.0 npm/@smui/card@7.0.0 npm/svelte2tsx@0.7.52

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/svelte2tsx@0.7.52. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

jmthomas closed this Mar 9, 2026

dependabot bot commented on behalf of github Mar 9, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

dependabot bot deleted the dependabot/npm_and_yarn/docs.openc3.com/npm_and_yarn-ffaf1ed7cd branch March 9, 2026 19:34