chore(deps): update npm packages

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@angular/animations (source)	21.2.15 → 21.2.16
@angular/build	21.2.13 → 21.2.14
@angular/cdk	22.0.0-rc.2 → 22.0.0
@angular/cdk	21.2.13 → 21.2.14
@angular/common (source)	21.2.15 → 21.2.16
@angular/common (source)	22.0.0-rc.2 → 22.0.0
@angular/compiler (source)	21.2.15 → 21.2.16
@angular/compiler (source)	22.0.0-rc.2 → 22.0.0
@angular/compiler-cli (source)	21.2.15 → 21.2.16
@angular/compiler-cli (source)	22.0.0-rc.2 → 22.0.0
@angular/core (source)	21.2.15 → 21.2.16
@angular/core (source)	22.0.0-rc.2 → 22.0.0
@angular/forms (source)	21.2.15 → 21.2.16
@angular/forms (source)	22.0.0-rc.2 → 22.0.0
@angular/material	21.2.13 → 21.2.14
@angular/platform-browser (source)	21.2.15 → 21.2.16
@angular/platform-browser (source)	22.0.0-rc.2 → 22.0.0
@angular/platform-browser-dynamic (source)	21.2.15 → 21.2.16
@angular/router (source)	21.2.15 → 21.2.16
@angular/router (source)	22.0.0-rc.2 → 22.0.0
@sanity/types (source)	5.28.0 → 5.30.0
obug	2.1.1 → 2.1.2
posthog-js (source)	1.376.4 → 1.380.1
tsx (source)	4.22.3 → 4.22.4
vite (source)	8.0.14 → 8.0.16
vitest (source)	4.1.7 → 4.1.8

---

Release Notes

angular/angular (@​angular/animations)

v21.2.16

Compare Source

angular/angular-cli (@​angular/build)

v21.2.14

Compare Source

@​angular/cli

Commit	Type	Description
aed448748	fix	expand package groups for newly added peer dependencies in update schematic

@​angular/build

Commit	Type	Description
d46c082fb	fix	prevent esbuild service child process leakage

angular/components (@​angular/cdk)

v22.0.0

Compare Source

Breaking Changes

aria

• The legacy combobox and autocomplete implementations have been removed. Use the new standalone combobox instead.

  • feat(aria/combobox): promote simple-combobox to stable un-prefixed combobox
  • Relocates public, private, and example directories to clean combobox entry points.
  • Renames internal layout symbols, selectors, and uppercase tokens (SIMPLE_COMBOBOX_POPUP -> COMBOBOX_POPUP).
  • Establishes full documentation extraction parity with the json_api Bazel rule target.
  • Standardizes the accompanying toolbar component showcase into the clean aria-toolbar path.
  • Re-routes dev-app navigation links and migrates public API golden records.

• SimpleCombobox has been promoted to Combobox. All simple-combobox prefixed symbols, selectors, and tokens have been renamed to use the combobox prefix.

  • refactor(aria/combobox): relocate and restructure autocomplete and toolbar examples
    Relocate the autocomplete examples to src/components-examples/aria/autocomplete and toolbar examples to src/components-examples/aria/toolbar.
  • Restore naming continuity with the historical codebase by stripping redundant prefixes from example filenames and component selectors.
  • Sync dev-app preview routing layout paths and strict Bazel target dependency links.

cdk

• • CDK_DESCRIBEDBY_HOST_ATTRIBUTE has been removed.
  • CDK_DESCRIBEDBY_ID_PREFIX has been removed.
  • The injector parameter of the ConfigurableFocusTrap and FocusTrap constructors is now required.
  • The boolean parameter of ConfigurableFocusTrapFactory.create has been replaced with a config object.
  • MESSAGES_CONTAINER_ID has been removed.
• • The event parameter of DropListRef.drop is now required.
• • ContextMenuTracker has been renamed to MenuTracker.

material

• • MatListOption.checkboxPosition has been removed. use togglePosition instead.
  • MatListOptionCheckboxPosition has been renamed to MatListOptionTogglePosition.
• • ArrowViewState has been removed.
  • ArrowViewStateTransition has been removed.

multiple

• • A bunch of constructors that with rest arguments have been removed. If you were extending Material/CDK components, you may have to update your super calls accordingly.

• Renames the values input/model to value in Combobox, Listbox, Tree, Menu, Toolbar, and Select. Users must update their templates to use the value property instead of values.

  • refactor(multiple): update api goldens

google-maps

Commit	Type	Description
e44ff8318	feat	Add support for the gmp-click event (#​33147)
b8201edee	fix	deprecate heatmap layer (#​33208)

material

Commit	Type	Description
867ba993b	feat	bottom-sheet: add the ability to pass bindings
b4a89d599	feat	button: Add support for showing a progress indicator inside the button (#​32698)
a46b0a1d4	feat	core: add mixins for Material Design typography (#​32959)
bf3596b53	feat	dialog: add the ability to pass bindings
85c16fe4b	feat	tabs: add support for separate tab animation durations (#​32869)
440cb1606	fix	autocomplete: remove modal workaround
21f8bbbf2	fix	badge: allow badge defaults to be configured (#​33312)
07c2d002d	fix	core: address sass compiler warnings (#​33040)
add8f16c0	fix	list: breaking changes for v22
31904510b	fix	menu: close menu when cleared from trigger (#​33306)
9d73c98b5	fix	menu: missing panelClass getter (#​33191)
348c3c89d	fix	select: remove modal workaround
f1a435508	fix	sidenav: handle mixed sidenav and drawer (#​33274)
c31619852	fix	sidenav: mark content as inert while open
a4d92c5fc	fix	sidenav: more robust reset logic for inert attribute (#​33257)
c2f1c5b03	fix	sidenav: query not resolving
75718e4fb	fix	sort: breaking changes for v22
6ed6218c4	fix	tabs: incorrect animation variable name (#​32941)

cdk

Commit	Type	Description
1a5d5d101	feat	dialog: add the ability to pass bindings
24115c021	feat	portal: add directives support to ComponentPortal (#​33142)
7426334c5	fix	a11y: breaking changes for v22
81c6bbd89	fix	drag-drop: breaking changes for v22
ffb23f6f8	fix	menu: breaking changes for v22
4c298970e	fix	scrolling: make it easier to provide custom scrollable (#​33269)
aa42b7798	fix	table: expose rendered rows (#​33304)

aria

Commit	Type	Description
d91f46b4c	feat	accordion: introduce accordion harness (#​33046)
e3d84f2e0	feat	combobox: add test harnesses (#​33194)
0ca47b4a0	feat	combobox: migrate simple-combobox directly into primary entrypoints (#​33206)
6ec07bc0c	feat	grid: add test harnesses (#​33081)
1885d3534	feat	listbox: introduce listbox harness (#​33064)
75fae5275	feat	menu: introduce menu harness (#​33067)
c25e6252e	feat	tabs: add test harnesses (#​33079)
a49508bac	feat	toolbar: add test harnesses (#​33068)
30f223972	feat	tree: add test harnesses (#​33066)
91a4932f6	fix	combobox: increases autocomplete demo's placeholder text c… (#​33084)
218a77cf9	fix	combobox: separates placeholder prefixes (#​33163)
ce1d9a728	fix	menu: allow menu item role override (#​33264)
196b7064d	fix	menu: defer menu item focus in case menus in cdk overlay (#​33258)
6443b79f9	fix	menu: unable to set softDisabled (#​33265)

multiple

Commit	Type	Description
6cb6b5ee1	fix	make more public APIs readonly (#​33071)
a88904279	fix	prevent form submissions in aria directives (#​33297)
bb4f8ec50	fix	re-export collection util (#​33171)
84f2afd24	fix	remove developer preview tag from aria (#​33232)
ce4c2c0a1	fix	remove empty constructors (#​33048)
936f1148b	fix	use eager change detection
94a50a25f	refactor	rename values to value for signal forms compatibility (#​33012)

v22.0.0-rc.3: 22.0.0-rc.3

Compare Source

material

Commit	Description
	badge: allow badge defaults to be configured (#​33312)
	menu: close menu when cleared from trigger (#​33306)

angular/angular (@​angular/common)

v21.2.16

Compare Source

angular/angular (@​angular/compiler)

v21.2.16

Compare Source

common

Commit	Type	Description
f6d8e642b0	fix	only strip a literal /index.html suffix from URLs

compiler

Commit	Type	Description
ae1c8a1f7a	fix	move projection attributes into constants

core

Commit	Type	Description
3fd6897a67	fix	harden inherit definition feature against polluted prototypes
7e38336dc7	fix	use Object.create(null) for LOCALE_DATA as a hardening measure

platform-server

Commit	Type	Description
66821c4ed5	fix	throw on suspicious URLs and restrict protocol-relative URLs
d3170031b6	fix	update domino to latest version

sanity-io/sanity (@​sanity/types)

v5.30.0

Compare Source

Sanity Studio v5.30.0

This release includes various improvements and bug fixes.

For the complete changelog with all details, please visit:
www.sanity.io/changelog/studio-NS4yOS4w

Install or upgrade Sanity Studio

To upgrade to this version, run:

npm install sanity@latest

To initiate a new Sanity Studio project or learn more about upgrading, please refer to our comprehensive guide on Installing and Upgrading Sanity Studio.

📓 Full changelog

Author	Message	Commit
@​bjoerge	fix(authStore): resolve dual-mode SSO login loop (#​12933)	2ae1370
@​bjoerge	feat: add vercel routing configuration for auth-test-studio (#​12929)	cf5baeb
squiggler-app[bot]	fix(deps): update dependency @​sanity/cli to ^6.7.1 (#​12928)	df8fc74

v5.29.0

Compare Source

Sanity Studio v5.29.0

This release includes various improvements and bug fixes.

For the complete changelog with all details, please visit:
www.sanity.io/changelog/studio-NS4yOC4w

Install or upgrade Sanity Studio

To upgrade to this version, run:

npm install sanity@latest

To initiate a new Sanity Studio project or learn more about upgrading, please refer to our comprehensive guide on Installing and Upgrading Sanity Studio.

📓 Full changelog

Author	Message	Commit
squiggler-app[bot]	fix(deps): update dependency @​sanity/cli to ^6.7.0 (#​12924)	3fa8dc5
@​bjoerge	fix(core): respect parent array field initialValue over member fields (#​12914)	46f9caa
@​pedrobonamin	fix(structure): memoize incoming refs filter (#​12919)	30f89d5
sieve-sanity[bot]	fix(sanity): surface error when no uploader matches the file (#​12870) (#​12905)	054950f
@​pedrobonamin	chore(e2e): add variants e2e tests and readme (#​12866)	3a2fc8b
@​juice49	fix(sanity): incorrect form auto-focus (#​12878)	8df5ed3
squiggler-app[bot]	chore(deps): dedupe pnpm-lock.yaml (#​12874)	00aa753
@​pedrobonamin	chore(core): add variants conditions autocomplete (#​12858)	07d4dd9
@​pedrobonamin	chore(core): update variants operation store to use system actions (#​12915)	472c314
@​pedrobonamin	feat(core): add variant definition edit form (#​12855)	21c6530
squiggler-app[bot]	chore(deps): update dependency @​sanity/pkg-utils to ^10.5.1 (#​12900)	daf6c35
@​bjoerge	fix(form): revert dataset aclMode check for plain asset previews (#​12913)	34982cf
squiggler-app[bot]	chore(deps): update dependency @​sanity/blueprints to ^0.19.1 (#​12889)	4c3064b
squiggler-app[bot]	chore(deps): update playwright monorepo to v1.60.0 (#​12912)	2273ad6
@​juice49	fix(sanity): restore document form open path from URL (#​12873)	07cda46
@​geball	chore: fix typo (#​12906)	65872fe

sxzz/obug (obug)

v2.1.2

Compare Source

No significant changes

    View changes on GitHub

PostHog/posthog-js (posthog-js)

v1.380.1

Compare Source

1.380.1

Patch Changes

• #​3743 ced0039 Thanks @​robbie-c! - fix(surveys): stop the survey CSS from using :has(.survey-question:empty), which crashes some WebKit builds during text-node style invalidation while a survey renders. The empty-header margin tweak now keys off a JS-set question-header--empty class and a sibling selector instead.
  (2026-06-05)
• Updated dependencies []:
  • @​posthog/types@​1.380.1
  • @​posthog/core@​1.30.8

v1.380.0

Compare Source

1.380.0

Minor Changes

• #​3715 2387084 Thanks @​dustinbyrne! - Promote browser tracing header configuration to the public tracing_headers option while keeping addTracingHeaders and __add_tracing_headers as deprecated aliases.
  (2026-06-04)

Patch Changes

• #​3715 2387084 Thanks @​dustinbyrne! - When using tracing headers, X-POSTHOG-DISTINCT-ID is read at request time instead of when fetch/XHR is patched, ensuring it reflects bootstrap, identify, reset, and other identity changes.
  (2026-06-04)
• Updated dependencies [2387084]:
  • @​posthog/types@​1.380.0
  • @​posthog/core@​1.30.7

v1.379.3

Compare Source

1.379.3

Patch Changes

• #​3741 32de5d2 Thanks @​clr182! - logs: the console-log integration now respects opt_out_capturing() — it checks is_capturing() before emitting, so log events stop on opt-out (and resume on opt-in).
  (2026-06-04)
• Updated dependencies []:
  • @​posthog/types@​1.379.3
  • @​posthog/core@​1.30.6

v1.379.2

Compare Source

1.379.2

Patch Changes

• #​3736 374962a Thanks @​arnohillen! - replay: re-apply scroll positions after fast-forward/seek. Scrolls applied mid-catch-up could clamp to 0 when the target wasn't scrollable yet (e.g. scroll-revealed sheets/modals whose content sits below the fold), leaving the content scrolled out of view on replay. The last scroll per node is now re-applied in the flush stage once layout has settled. posthog-js is bumped too so the rebuilt bundle containing the fix is published.
  (2026-06-03)
• Updated dependencies []:
  • @​posthog/types@​1.379.2
  • @​posthog/core@​1.30.5

v1.379.1

Compare Source

1.379.1

Patch Changes

• #​3570 4a27ced Thanks @​gruessi! - fix(record): release iframe documents and observers on iframe removal — same-origin iframes mounted and unmounted while session recording is active no longer leak their Document, every node serialized into the mirror, or one MutationObserver per mount. Closes eight retainer

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • "before 10am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​angular/​platform-browser-dynamic@​21.2.16
	npm/​@​sanity/​types@​5.30.0
	npm/​@​angular/​platform-browser@​22.0.0
	npm/​@​angular/​platform-browser@​21.2.16
	npm/​@​angular/​animations@​21.2.16
	npm/​@​angular/​compiler-cli@​22.0.0
	npm/​@​angular/​compiler-cli@​21.2.16
	npm/​@​angular/​router@​21.2.16
	npm/​@​angular/​router@​22.0.0
	npm/​@​angular/​forms@​21.2.16
	npm/​@​angular/​forms@​22.0.0
	npm/​@​angular/​build@​21.2.14
	npm/​@​angular/​compiler@​21.2.16
	npm/​@​angular/​compiler@​22.0.0
	npm/​@​angular/​cdk@​21.2.14
	npm/​@​angular/​cdk@​22.0.0
	npm/​@​angular/​core@​21.2.16
	npm/​vitest@​4.1.8
	npm/​@​angular/​core@​22.0.0
	npm/​@​angular/​common@​22.0.0
	npm/​@​angular/​common@​21.2.16
	npm/​@​angular/​material@​21.2.14
	npm/​tsx@​4.22.4
	npm/​posthog-js@​1.380.1
	npm/​vite@​8.0.16
	npm/​obug@​2.1.2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @angular/build is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: napi/playground/package.json → npm/@angular/build@21.2.14 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@angular/build@21.2.14. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm posthog-js is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: napi/angular-compiler/benchmarks/typedb-web/package.json → npm/posthog-js@1.380.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.380.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm posthog-js is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: napi/angular-compiler/benchmarks/typedb-web/package.json → npm/posthog-js@1.380.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.380.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report