Bump the npm_and_yarn group across 1 directory with 2 updates #830

Closed

dependabot[bot] wants to merge 3 commits into main from dependabot/npm_and_yarn/npm_and_yarn-e090d74ad0

@dependabot dependabot bot commented on behalf of github Feb 14, 2026

Bumps the npm_and_yarn group with 2 updates in the / directory: tar and qs.

Updates tar from 6.2.1 to 7.5.7

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.


Updates qs from 6.14.1 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLength → arrayLimit)
  • [actions] fix rebase workflow permissions

Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 2 updates in the / directory: [tar](https://github.com/isaacs/node-tar) and [qs](https://github.com/ljharb/qs).


Updates `tar` from 6.2.1 to 7.5.7
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.1...v7.5.7)

Updates `qs` from 6.14.1 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.1...v6.14.2)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from a team as a code owner February 14, 2026 12:45
@dependabot dependabot bot added the labels dependencies (Change requested in dependencies) and javascript (Pull requests that update Javascript code) Feb 14, 2026

@github-actions commented:

🤖 Claude Code Review

I'll perform a comprehensive code review of this pull request diff, which appears to be a dependency update for the Angular CLI from version 19.2.12 to 21.1.4, along with its associated dependencies.

Code Review - Angular CLI Version Bump

Code Quality

✅ Code follows our style guide

This is a package-lock.json dependency update file - no code style concerns apply.

✅ No commented-out code

No commented-out code present.

✅ Meaningful variable names

Not applicable - this is a dependency lockfile.

✅ DRY principle followed

Not applicable.

✅ Identify Defects

CRITICAL ISSUE DETECTED:

  • Major version jump: The PR upgrades @angular/cli from ~19.2.12 to ~21.1.4 - this is a 2 major version jump (19 → 21). This is a significant change that could introduce breaking changes.
  • Node version requirements change: The new Angular CLI 21.1.4 requires node ^20.19.0 || ^22.12.0 || >=24.0.0 (line 656-657), while the old version 19.2.x required node ^18.19.1 || ^20.11.1 || >=22.0.0. This means Node 18 is no longer supported.
  • Dependency misalignment: The @angular/cli is being bumped to v21, but the Angular core packages (@angular/core, @angular/common, etc.) remain at v19.2.18. This is a critical mismatch that could cause runtime errors and build failures.
  • Breaking changes not documented: The PR description doesn't mention what breaking changes to expect or what testing has been done.

⚠️ Project memory claude configuration

The ./.claude/CLAUDE.md file should be checked to ensure it doesn't contain environment-specific configurations. Since this file is not in the diff, I cannot verify this.

Testing

❌ Unit tests for new functions

Not applicable - this is a dependency update. However, all existing tests should be verified to ensure they still pass with the new CLI version.

❌ Integration tests for new endpoints

Not applicable.

❌ Edge cases covered

Not applicable, but comprehensive testing of the build and test pipelines is required.

❌ Test coverage > 80%

Cannot determine from this diff, but existing test coverage should not decrease.

Documentation

⚠️ Readme updated if needed

The PR doesn't show README updates. Consider adding:

  • Migration notes for developers
  • Updated Node.js version requirements
  • Any CLI command changes

❌ API docs updated

Not applicable.

❌ Inline comments for complex logic

Not applicable.

❌ CHANGELOG.md updated

CRITICAL: The CHANGELOG.md should be updated to document:

  • Angular CLI upgrade from 19 → 21
  • New Node.js version requirements
  • Breaking changes
  • Migration steps

⚠️ Markdown files should follow the CommonMark specification

The PR doesn't include markdown file changes, so cannot verify.

Security

✅ No hardcoded credentials

No credentials detected in the diff.

✅ Input validation implemented

Not applicable.

✅ Proper error handling

Not applicable.

✅ No sensitive data in logs

Not applicable.

✅ Flag any checked in license files (.lic)

Good: No license files or files containing AQAAAD strings are present in this diff.


Summary of Issues

Critical Issues

  1. Dependency Version Mismatch (package.json:81):
    • @angular/cli is being upgraded to 21.1.4
    • All other Angular packages remain at 19.2.18
    • This mismatch will likely cause build failures and runtime errors
    • Recommendation: Either downgrade CLI to 19.2.x OR upgrade all Angular packages to v21.x simultaneously
  2. Node.js Version Requirement Change:
    • New requirement: node ^20.19.0 || ^22.12.0 || >=24.0.0
    • Node 18 is no longer supported
    • Recommendation: Update CI/CD configurations, documentation, and notify developers
  3. Missing CHANGELOG.md Update:
    • No changelog entry documenting this major change
    • Recommendation: Add changelog entry documenting the upgrade and breaking changes
  4. Missing Testing Evidence:
    • No evidence that tests pass with the new version
    • Recommendation: Run full test suite and include results in PR description

Warnings

  1. Major Version Jump: Upgrading 2 major versions (19 → 21) is risky without intermediate steps
  2. No Migration Guide: Developers need guidance on what might break and how to fix it

Recommendations

  1. DO NOT MERGE until Angular core packages are aligned with CLI version
  2. Update all @angular/* packages to v21.x in the same PR
  3. Update Node.js version in:
    • CI/CD pipeline configurations
    • Docker files
    • README.md
    • Developer documentation
  4. Run comprehensive testing:
    • npm install
    • npm run build
    • npm run test
    • Manual testing of development server
  5. Update CHANGELOG.md with migration notes
  6. Consider creating a migration guide document

Automated code review analyzing defects and coding standards

@github-actions commented:

🤖 Claude Code Review

PR Code Review

This PR upgrades @angular/cli from ~19.2.12 to ~21.1.4 in package.json and reflects the corresponding package-lock.json changes.


Code Quality

✅ No commented-out code - The changes are dependency version updates only.

✅ Meaningful variable names - Not applicable.

✅ DRY principle - Not applicable.

❌ Identify Defects — Version Mismatch (Critical)

package.json line 81: @angular/cli is bumped to ~21.1.4, but the Angular framework itself remains at v19:

  • @angular-devkit/build-angular: ^19.2.12
  • @angular/compiler-cli: ^19.2.18
  • ng-packagr: ^19.2.2

Angular CLI v21 ships with its own @angular-devkit/schematics@21.1.4, @schematics/angular@21.1.4, and @angular-devkit/architect@0.2101.4, but the project's build pipeline still uses Angular 19 tooling. This creates a major version mismatch between the CLI tooling layer (v21) and the build/compile layer (v19). Angular's compatibility policy generally requires these to be at the same major version. This combination is likely to cause build failures or unexpected behavior.

❌ Identify Defects — Node.js Minimum Version Change (Breaking)

Angular CLI v21 requires node: "^20.19.0 || ^22.12.0 || >=24.0.0", dropping support for Node 18 and Node 20 versions below 20.19.0. The previous requirement was ^18.19.1 || ^20.11.1 || >=22.0.0. This is a breaking change for developers or CI pipelines on those older Node versions. The README does not document a Node.js version requirement, so this goes undocumented.

⚠️ New Transitive Dependencies

Angular CLI v21 introduces significant new transitive dependencies not present before:

  • algoliasearch@5.46.2 and 14 @algolia/* packages (CLI documentation search)
  • @modelcontextprotocol/sdk@1.26.0 (AI tooling integration for the CLI)
  • hono@4.11.9, @hono/node-server@1.19.9 (web framework)
  • express@5.2.1 (a newer major version than the express used elsewhere in the project)
  • jose@6.1.3, zod@4.3.5, eventsource@3.0.7

These are devDependencies, so they won't ship in the final library bundle. However, they increase the install footprint considerably and add attack surface to the development environment.


Testing

✅ No new application code — No unit or integration test changes are required for a dependency bump alone.

⚠️ Test validity after upgrade unclear — Given the CLI/framework version mismatch noted above, the existing test suite should be run and confirmed passing before merging.


Documentation

❌ CHANGELOG.md not updated

The existing CHANGELOG.md has entries for every previous major/minor change (e.g., 9.0.0, 8.0.0). This CLI upgrade warrants at minimum a note in the changelog, especially given the Node.js requirement change.

❌ README.md not updated

The README does not specify a Node.js version. With Angular CLI v21 now requiring ^20.19.0 || ^22.12.0 || >=24.0.0, this prerequisite should be documented explicitly.


Security

✅ No hardcoded credentials

✅ No sensitive data

✅ No license files (.lic)

⚠️ @modelcontextprotocol/sdk adds server-side dependencies

The MCP SDK pulls in express@5, cors, express-rate-limit, and jose (JWT handling). While these are dev-only, ensure your supply chain scanning covers transitive devDependencies, as these packages handle network requests and cryptographic operations during CLI use.


Summary

| Severity | Issue |
| --- | --- |
| Critical | Angular CLI v21 + Angular framework v19 version mismatch — likely build-breaking |
| Breaking | Node.js minimum version bumped to ^20.19.0 / ^22.12.0; undocumented |
| Required | CHANGELOG.md not updated |
| Required | README.md should document new Node.js requirements |
| Info | Large number of new transitive devDependencies added via CLI v21 |

The core issue is that upgrading @angular/cli to v21 in isolation, without also upgrading the Angular framework packages (@angular-devkit/build-angular, @angular/compiler-cli, ng-packagr) to v21, creates an unsupported configuration. If the intent is to use Angular CLI v21's features, the Angular framework should be upgraded to v21 as well. If the intent is a targeted minor upgrade, staying within the v19 line (~19.2.x) would be the appropriate approach.


The lockfile was missing chokidar@5.0.0 and readdirp@5.0.0 entries
after the grouped dependency bump, causing npm ci to fail.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions commented:

🤖 Claude Code Review

PR Code Review

This PR updates @angular/cli from ~19.2.12 to ~21.1.4 in package.json and regenerates package-lock.json accordingly.


Code Quality

❌ Critical Defect: Angular CLI/Framework Version Mismatch

package.json line 81 bumps @angular/cli to ~21.1.4, while all Angular framework packages remain at ^19.2.x:

  • @angular/core, @angular/common, @angular/router, etc. — all ^19.2.18
  • @angular/cdk, @angular/material: ^19.2.x
  • @angular/build: 19.2.19

Angular CLI and the Angular framework are designed to share the same major version. Using CLI v21 with an Angular v19 project is an unsupported configuration and will likely cause build failures or unexpected behavior. The Angular CLI version should remain at ~19.x.x to match the installed framework, or the Angular framework packages should be upgraded to v21 as well.

❌ Node.js Version Requirement Change (Breaking)

@angular/cli@21.1.4 requires Node ^20.19.0 || ^22.12.0 || >=24.0.0 (visible in package-lock.json at the @angular/cli entry and all its v21 sub-dependencies). The current Angular 19 packages support ^18.19.1 || ^20.11.1 || >=22.0.0. Any CI/CD pipeline or developer environment running Node 18 or Node 20.x < 20.19.0 will fail.

⚠️ Significant Dependency Surface Increase

The CLI v21 transitively introduces several new heavy production/build-tool packages not present before:

  • algoliasearch@5.46.2 + all @algolia/* clients — analytics/search tooling used by CLI's package discovery
  • @modelcontextprotocol/sdk@1.26.0 — MCP server support in Angular CLI (AI tooling)
  • hono@4.11.9, @hono/node-server@1.19.9 — HTTP framework (MCP dependency)
  • express@5.2.1, express-rate-limit@8.2.1 — via MCP SDK
  • jose@6.1.3 — JWT library (via MCP SDK)
  • zod@4.3.5, zod-to-json-schema@3.25.1

All are dev: true so they don't ship in the application bundle, but they do substantially increase the CI install size and attack surface in the development environment.

✅ No commented-out code — lock file only

✅ No hardcoded credentials or license files


Testing

✅ N/A — dependency-only change; no application logic modified


Documentation

❌ CHANGELOG.md not updated

A change to a core dev toolchain dependency of this scope should have a CHANGELOG entry. The current latest entry is [9.0.0] - 2025-05-15. If this is intended to be part of an upcoming release, it should be documented.

❌ README not updated

The README does not specify Node.js version requirements. Given that @angular/cli@21 raises the minimum Node requirement to 20.19.0, the README (and any CI configuration files not shown in this diff) should be updated accordingly.


Security

✅ No hardcoded credentials

✅ No .lic files

⚠️ Transitive dependency express@5.2.1 is pulled in via @modelcontextprotocol/sdk. Express 5 is a relatively new major release. While it is a dev dependency only, teams should be aware it is present in the local development environment.


Summary

| Severity | Issue |
| --- | --- |
| ❌ Critical | @angular/cli@21 is incompatible with Angular framework @19.x. The CLI major version must match the framework major version. |
| ❌ Breaking | Node.js minimum version silently raised from >=18.19.1 to >=20.19.0 with no documentation update. |
| ❌ Missing | CHANGELOG.md not updated. |
| ⚠️ Warning | Large number of new transitive dev dependencies introduced (Algolia, MCP SDK, Hono, Express 5, Jose, Zod). |

Recommendation: Either revert @angular/cli to ~19.2.x, or perform a full Angular 21 upgrade across all @angular/* packages in a coordinated manner with appropriate CHANGELOG and README updates.

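The reviews above raise the same supply-chain point twice: a grouped bump pulls in transitive devDependencies (and, per Dependabot's notice on tar, a new lifecycle script) that deserve a look before merging. The script below is an added example, not code from this PR or from tar, qs or Angular: it diffs two npm lockfiles of the package-lock.json v2/v3 shape and lists what is new, what changed, and which packages npm will now run an install script for. Both lockfiles are constructed samples.

```javascript
// Added example (not from this PR, tar, qs or Angular): diff two npm lockfiles
// (lockfileVersion 2/3 "packages" map) to see what a grouped bump pulls in.
const OLD_LOCK = { // constructed sample shaped like package-lock.json before the bump
  lockfileVersion: 3,
  packages: {
    "": { name: "app", devDependencies: { tar: "^6.2.1", qs: "^6.14.1" } },
    "node_modules/tar": { version: "6.2.1", dev: true },
    "node_modules/qs": { version: "6.14.1", dev: true },
    "node_modules/left-pad": { version: "1.3.0", dev: true },
  },
};
const NEW_LOCK = { // constructed sample after the bump
  lockfileVersion: 3,
  packages: {
    "": { name: "app", devDependencies: { tar: "^7.5.7", qs: "^6.14.2" } },
    "node_modules/tar": { version: "7.5.7", dev: true, hasInstallScript: true },
    "node_modules/qs": { version: "6.14.2", dev: true },
    "node_modules/jose": { version: "6.1.3", dev: true },
    "node_modules/express": { version: "5.2.1", dev: true },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (nested installs)
function packageName(key) {
  const i = key.lastIndexOf("node_modules/");
  return i < 0 ? key : key.slice(i + "node_modules/".length);
}

// Returns { added, changed, removed, installScripts }; items are
// { name, version, dev } and changed items also carry `from`.
function diffLockfiles(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {}, newPkgs = newLock.packages || {};
  const out = { added: [], changed: [], removed: [], installScripts: [] };
  for (const [key, entry] of Object.entries(newPkgs)) {
    if (key === "") continue; // root project entry, not a dependency
    const prev = oldPkgs[key];
    const rec = { name: packageName(key), version: entry.version, dev: entry.dev === true };
    if (!prev) out.added.push(rec);
    else if (prev.version !== entry.version) out.changed.push({ ...rec, from: prev.version });
    // npm sets hasInstallScript for preinstall/install/postinstall only; a
    // `prepare` script (Dependabot's notice on tar) needs a look at the tarball.
    if (entry.hasInstallScript === true && !(prev && prev.hasInstallScript === true)) out.installScripts.push(rec);
  }
  for (const key of Object.keys(oldPkgs)) {
    if (key !== "" && !(key in newPkgs)) out.removed.push({ name: packageName(key), version: oldPkgs[key].version, dev: oldPkgs[key].dev === true });
  }
  return out;
}

// One review line per finding, so the output can be pasted into the PR.
function summarize(d) {
  const tag = (r) => (r.dev ? "dev" : "prod");
  return [
    ...d.added.map((r) => `NEW     ${r.name}@${r.version} (${tag(r)})`),
    ...d.changed.map((r) => `CHANGED ${r.name} ${r.from} -> ${r.version} (${tag(r)})`),
    ...d.removed.map((r) => `REMOVED ${r.name}@${r.version}`),
    ...d.installScripts.map((r) => `SCRIPT  ${r.name}@${r.version} now has an install script; review it`),
  ];
}
console.log(summarize(diffLockfiles(OLD_LOCK, NEW_LOCK)).join("\n"));
```

On a real PR, load the base and head package-lock.json with JSON.parse(fs.readFileSync(...)) in place of the two constructed objects.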

@arawinters (Contributor) commented:

Closing: this PR bumps @angular/cli from v19 to v21, which is a major version jump while all other Angular packages remain at v19. This should only be done as part of a coordinated Angular major version upgrade.

@arawinters arawinters closed this Feb 19, 2026

dependabot bot commented on behalf of github Feb 19, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-e090d74ad0 branch February 19, 2026 00:51