build(deps): bump the npm_and_yarn group across 2 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the / directory: minimatch, ajv, immutable and lodash.
Bumps the npm_and_yarn group with 1 update in the /packages/cli/templates/angular/ig-ts/projects/empty/files directory: @angular/core.

Updates minimatch from 10.1.1 to 10.2.3

Changelog

Sourced from minimatch's changelog.

change log

10.2

• Add braceExpandMax option

10.1

• Add magicalBraces option for escape
• Fix makeRe when partial: true is set.
• Fix makeRe when pattern ends in a final ** path part.

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

• ea94840 10.2.3
• 0873fba update deps
• cecaad1 more extglob coalescing for performance
• 11d0df6 limit nested extglob recursion, flatten extglobs
• c3448c4 update assertValidPattern param type to unknown from any
• 0bf499a limit recursion for **, improve perf considerably
• 9f15c58 update deps
• f42b239 10.2.2
• fa2133b update deps
• b9d0153 ci: update action workflows
• Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.14.0

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates immutable from 3.8.2 to 3.8.3

Release notes

Sourced from immutable's releases.

v3.8.3

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

5.1.5

• Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

• Migrate some files to TS by @​jdeniau in immutable-js/immutable-js#2125
  • Iterator.ts
  • PairSorting.ts
  • toJS.ts
  • Math.ts
  • Hash.ts
• Extract CollectionHelperMethods and convert to TS by @​jdeniau in immutable-js/immutable-js#2131
• Use npm trusted publishing only to avoid token stealing.

Documentation

• Fix/a11y issues by @​lyannel in immutable-js/immutable-js#2136
• Doc add Map.get signature update by @​borracciaBlu in immutable-js/immutable-js#2138
• fix(doc):minor-issues#2132 by @​JayMeDotDot in immutable-js/immutable-js#2133
• Fix algolia search by @​jdeniau in immutable-js/immutable-js#2135
• Typo in OrderedMap by @​jdeniau in immutable-js/immutable-js#2144

Internal

• chore: Sort all imports and activate eslint import rule by @​jdeniau in immutable-js/immutable-js#2119

5.1.3

TypeScript

• fix: allow readonly map entry constructor by @​septs in immutable-js/immutable-js#2123

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: https://immutable-js.com/browser-extension/

Internal

... (truncated)

Commits

• c407425 bump v3.8.3
• c6ff68a release script on 3.x branch
• a675a66 Merge pull request #2179 from immutable-js/port-patch-for-cve-2026-29063
• 6e2cf1c Port patch for CVE 2026-29063 onto branch 3.x
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for immutable since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates @angular/core from 21.1.6 to 21.2.4

Release notes

Sourced from @​angular/core's releases.

21.2.4

compiler

Commit	Description
	disallow translations of iframe src

core

Commit	Description
	reverts "feat(core): add support for nested animations"
	sanitize translated form attributes

VSCode Extension: 21.2.3

This release contains internal refactorings only.

21.2.3

core

Commit	Description
	ensure definitions compile
	include signal debug names in their toString() representation
	sanitize translated attribute bindings with interpolations

VSCode Extension: 21.2.2

• fix(extension): bundle TypeScript 5.9 internally (da57d1af73)

21.2.2

compiler

Commit	Description
	prevent mutation of children array in RecursiveVisitor

compiler-cli

Commit	Description
	always parenthesize object literals in TCB
	ignore generated ngDevMode signal branch for code coverage

forms

Commit	Description
	add 'blur' option to debounce rule

VSCode Extension: 21.2.1

• perf(language-service): use lightweight project warmup for Angular analysis (d2137928e8)

21.2.1

core

Commit	Description
	adds transfer cache to httpResource to fix hydration
	prevent child animation elements from being orphaned
	Prevent removal of elements during drag and drop

... (truncated)

Changelog

Sourced from @​angular/core's changelog.

21.2.4 (2026-03-12)

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description
abbd8797bb	fix	reverts "feat(core): add support for nested animations"
d1dcd16c5b	fix	sanitize translated form attributes

22.0.0-next.2 (2026-03-11)

Breaking Changes

core

• createNgModuleRef was removed, use createNgModule instead

core

Commit	Type	Description
b918beda32	feat	allow debouncing signals
f9ede9ec98	fix	ensure definitions compile
b401c18674	fix	include signal debug names in their toString() representation
8630319f74	fix	sanitize translated attribute bindings with interpolations
36936872c9	refactor	remove createNgModuleRef

forms

Commit	Type	Description
3e7ce0dafc	fix	restrict SignalFormsConfig to a readonly API

language-service

Commit	Type	Description
5a6d88626b	feat	add angular template inlay hints support

21.2.3 (2026-03-11)

core

Commit	Type	Description
62a97f7e4b	fix	ensure definitions compile
21b1c3b2ee	fix	include signal debug names in their toString() representation
224e60ecb1	fix	sanitize translated attribute bindings with interpolations

21.2.2 (2026-03-09)

... (truncated)

Commits

• d1dcd16 fix(core): sanitize translated form attributes
• abbd879 fix(core): reverts "feat(core): add support for nested animations"
• 7907e98 test: remove duplicate tests
• 21b1c3b fix(core): include signal debug names in their toString() representation
• 6c73aac refactor(common): Removes unused generic type parameters from KeyValueDiffers
• c98eab7 refactor(core): remove old resource params
• 7513558 docs: combine multiple documentation improvements into one PR
• 575f302 refactor(core): interface cleanup
• 224e60e fix(core): sanitize translated attribute bindings with interpolations
• 09638ec docs(core): clarify provideZoneChangeDetection usage in v21+
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[coveralls]

coverage: 71.088%. remained the same
when pulling a7e6fe0 on dependabot/npm_and_yarn/npm_and_yarn-df1a9b43bf
into ed4d1dd on master.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.