chore(deps): update frontend (non-major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/animations (source)	21.2.14 → 21.2.15
@angular/build	21.2.12 → 21.2.13
@angular/cdk	21.2.12 → 21.2.13
@angular/cli	21.2.12 → 21.2.13
@angular/common (source)	21.2.14 → 21.2.15
@angular/compiler (source)	21.2.14 → 21.2.15
@angular/compiler-cli (source)	21.2.14 → 21.2.15
@angular/core (source)	21.2.14 → 21.2.15
@angular/forms (source)	21.2.14 → 21.2.15
@angular/platform-browser (source)	21.2.14 → 21.2.15
@angular/platform-browser-dynamic (source)	21.2.14 → 21.2.15
@angular/router (source)	21.2.14 → 21.2.15
@sentry/angular (source)	10.54.0 → 10.55.0
@​types/mapbox-gl	3.4.1 → 3.5.0
npm (source)	11.15.0 → 11.16.0

---

Release Notes

angular/angular (@​angular/animations)

v21.2.15

Compare Source

common

Commit	Type	Description
7f4ac78994	fix	add upper bounds for digitsInfo
300f61feb3	fix	sanitize placeholder

compiler

Commit	Type	Description
0b07f47bd6	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#​68925)
eb1cbbf2eb	fix	prevent namespaced SVG <style> elements from being stripped
cc1378d54b	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#​68925)
782e01594e	fix	strip namespaced SVG script elements during template compilation (#​68925)

core

Commit	Type	Description
ff12fe55ac	fix	normalize tag names in runtime i18n attribute security context lookup (#​68925)
e6fe77cc97	fix	sanitize meta selectors
daaf32937f	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#​68925)
dada86e43d	fix	synchronize core sanitization schema with compiler (#​68925)

http

Commit	Type	Description
582a417bd2	fix	exclude withCredentials requests from transfer cache
5c6d6df34b	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
37e8aadf87	fix	prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
b8bd49341d	fix	Preserves explicit 'credentials: omit' in asset requests
ca32fc1000	fix	Preserves HTTP cache mode in asset group requests

angular/angular-cli (@​angular/build)

v21.2.13

Compare Source

@​angular-devkit/build-angular

Commit	Type	Description
3c6d26a31	fix	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Type	Description
2b3e95517	fix	assert that asset input paths are within workspace root

angular/components (@​angular/cdk)

v21.2.13

Compare Source

No user facing changes in this release

getsentry/sentry-javascript (@​sentry/angular)

v10.55.0

Compare Source

Important Changes

• feat(hono): Promote @sentry/hono to stable and deprecate honoIntegration (#​21208)

  The @sentry/hono SDK is now stable. See the Sentry Hono SDK docs to get started.

• docs(tanstackstart-react): Promote SDK status to beta (#​21175)

  This release promotes the @sentry/tanstackstart-react SDK to beta. For details on how to use it, check out the
  Sentry TanStack Start SDK docs. Please reach out on
  GitHub if you have any feedback or concerns.

• feat(hono): Add shouldHandleError option to sentry() middleware (#​21205)

  The sentry() middleware now accepts a shouldHandleError callback to control which errors are captured and sent to Sentry. By default, 3xx/4xx HTTP errors are ignored and 5xx errors and plain Error objects are captured. Return true from the callback to capture an error, false to suppress it.

  app.use(
    sentry(app, {
      dsn: '__DSN__',
      shouldHandleError(error) {
        const status = (error as { status?: number })?.status;
        // Capture 401/403 in addition to the default 5xx errors
        return status === 401 || status === 403 || typeof status !== 'number' || status >= 500;
      },
    }),
  );

• test(tanstackstart-react): Move initialization to client entry point (#​21161)

  Change the recommended setup for the SDK to do Sentry.init() in the client entry file to capture telemetry that is emitted ahead of page hydration.

• feat(tanstackstart-react): Add distributed tracing (#​21144)

  Server and client traces are now automatically connected, allowing you to see the full request lifecycle from server-side rendering through client-side hydration in a single trace.

• feat(tanstackstart-react): Add server-side route parametrization (#​21147)

  Server transaction names are now parametrized automatically (e.g., GET /users/123 becomes GET /users/$userId), improving transaction grouping in Sentry.

• feat(tanstackstart-react): Show readable server function names in traces (#​21190)

  Server function spans now show human-readable names (e.g., GET /_serverFn/greet instead of GET /_serverFn/a10e70b3...). The tanstackstart.function.hash.sha256 span attribute has been renamed to tanstackstart.function.id.

Other Changes

• feat(core): Migrate request data to dataCollection (#​21071)
• feat(hono): Add warning in Bun for double init (#​21195)
• feat(hono): Instrument main-app inline middleware spans (#​20999)
• feat(metrics): Migrate metrics to use dataCollection instead of sendDefaultPii (#​21078)
• feat(tanstackstart-react): Enable component tracking (#​21149)
• feat(tanstackstart-react): Filter noisy dev transactions (#​21145)
• fix(cloudflare): Use original waitUntil to not create a deadlock (#​21197)
• fix(elysia): Widen accepted Elysia app type to support Elysia options (#​21164)
• fix(tanstackstart-react): Add server-side replayIntegration no-op stub (#​21148)

Internal Changes

• chore(changelog): clarify array attributes impact on beforeSend* callbacks (#​21186)
• chore(ci): Update bugbot instructions (#​21168)
• chore(sentry-cli): Upgrade to 2.58.6 (#​21165)
• chore(size-limit): weekly auto-bump (#​21123)
• feat(deps-dev): Bump @​sveltejs/kit from 2.52.2 to 2.60.1 in /dev-packages/e2e-tests/test-applications/sveltekit-cloudflare-pages (#​21162)
• fix(e2e): Fix astro-6 e2e test build by relaxing astro version range (#​21211)
• meta(agents): Update AI commit attribution guidance (#​21166)
• ref(browser): Extract browser-specific normalize code out of core (#​21172)
• ref(node): Stop custom-handling normalization of Domain/DomainEmitter (#​21182)
• ref(node): Stop using registerSpanErrorInstrumentation() on server (#​21169)
• test(nitro-3): Update e2e tests for h3 route handler tracing (#​21152)
• test(nuxt): Fix flaky test and add note about hydration timing to skill (#​21054)

npm/cli (npm)

v11.16.0

Compare Source

Features

• 4b67f6e #​9416 publish --access=private alias for restricted (#​9416) (@​github-actions[bot], @​reggi, @​Copilot)
• a10c7ca #​9415 Phase 1 of allowScripts opt-in install-script policy (#​9360) (#​9415) (@​owlstronaut, @​JamieMagee)

Bug Fixes

• 1f7869b #​9411 fix typo of fullMetadata (@​owlstronaut)
• cde03ba #​9390 config: pause progress spinner during interactive editor spawn (#​9388) (@​github-actions[bot], @​Zelys-DFKH, @​claude)

Documentation

• c5e9d73 #​9390 Document npm_old_version and npm_new_version environment variables (#​9389) (@​github-actions[bot], @​36degrees)

Dependencies

• cdd7bbc #​9421 undici@6.26.0
• fde87c9 #​9421 sigstore@4.1.1
• 2779793 #​9421 lru-cache@11.5.1
• dea702d #​9421 @sigstore/verify@3.1.1
• 4eab03f #​9421 @sigstore/core@3.2.1
• 74c7323 #​9421 @npmcli/agent@4.0.2
• edc4ab3 #​9421 semver@7.8.1
• 5f6ce33 #​9421 make-fetch-happen@15.0.6

Chores

• bd04976 #​9421 dev dependency updates (@​owlstronaut)
• aeceb23 #​9407 sanitize newlines in flags table default and type values (#​9407) (@​reggi, @​Copilot)
• workspace: @npmcli/arborist@9.7.0
• workspace: @npmcli/config@10.10.0
• workspace: libnpmdiff@8.1.9
• workspace: libnpmexec@10.2.9
• workspace: libnpmfund@7.0.23
• workspace: libnpmpack@9.1.9
• workspace: libnpmversion@8.0.4

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.