chore(deps): bump the npm_and_yarn group across 4 directories with 5 updates

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Bumps the npm_and_yarn group with 4 updates in the / directory: picomatch, @angular/core, flatted and yauzl.
Bumps the npm_and_yarn group with 1 update in the /e2e/global-setup directory: picomatch.
Bumps the npm_and_yarn group with 1 update in the /e2e/global-teardown directory: picomatch.
Bumps the npm_and_yarn group with 2 updates in the /e2e/native-esm directory: picomatch and tar.

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates @angular/core from 21.2.1 to 21.2.4

Release notes

Sourced from @​angular/core's releases.

21.2.4

compiler

Commit	Description
	disallow translations of iframe src

core

Commit	Description
	reverts "feat(core): add support for nested animations"
	sanitize translated form attributes

VSCode Extension: 21.2.3

This release contains internal refactorings only.

21.2.3

core

Commit	Description
	ensure definitions compile
	include signal debug names in their toString() representation
	sanitize translated attribute bindings with interpolations

VSCode Extension: 21.2.2

• fix(extension): bundle TypeScript 5.9 internally (da57d1af73)

21.2.2

compiler

Commit	Description
	prevent mutation of children array in RecursiveVisitor

compiler-cli

Commit	Description
	always parenthesize object literals in TCB
	ignore generated ngDevMode signal branch for code coverage

forms

Commit	Description
	add 'blur' option to debounce rule

Changelog

Sourced from @​angular/core's changelog.

21.2.4 (2026-03-12)

compiler

Commit	Type	Description
ed2d324f9c	fix	disallow translations of iframe src

core

Commit	Type	Description
abbd8797bb	fix	reverts "feat(core): add support for nested animations"
d1dcd16c5b	fix	sanitize translated form attributes

22.0.0-next.2 (2026-03-11)

Breaking Changes

core

• createNgModuleRef was removed, use createNgModule instead

core

Commit	Type	Description
b918beda32	feat	allow debouncing signals
f9ede9ec98	fix	ensure definitions compile
b401c18674	fix	include signal debug names in their toString() representation
8630319f74	fix	sanitize translated attribute bindings with interpolations
36936872c9	refactor	remove createNgModuleRef

forms

Commit	Type	Description
3e7ce0dafc	fix	restrict SignalFormsConfig to a readonly API

language-service

Commit	Type	Description
5a6d88626b	feat	add angular template inlay hints support

21.2.3 (2026-03-11)

core

Commit	Type	Description
62a97f7e4b	fix	ensure definitions compile
21b1c3b2ee	fix	include signal debug names in their toString() representation
224e60ecb1	fix	sanitize translated attribute bindings with interpolations

21.2.2 (2026-03-09)

... (truncated)

Commits

• d1dcd16 fix(core): sanitize translated form attributes
• abbd879 fix(core): reverts "feat(core): add support for nested animations"
• 7907e98 test: remove duplicate tests
• 21b1c3b fix(core): include signal debug names in their toString() representation
• 6c73aac refactor(common): Removes unused generic type parameters from KeyValueDiffers
• c98eab7 refactor(core): remove old resource params
• 7513558 docs: combine multiple documentation improvements into one PR
• 575f302 refactor(core): interface cleanup
• 224e60e fix(core): sanitize translated attribute bindings with interpolations
• 09638ec docs(core): clarify provideZoneChangeDetection usage in v21+
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates yauzl from 3.2.0 to 3.2.1

Commits

• c469521 version 3.2.1
• 00c561b fix bounds checking logic on NtfsTimestamp
• 277b294 comment
• de292f2 streamed zip file test
• e00f139 truncate long test file names for eCryptfs compatibility
• d98e052 fix name of Info-ZIP
• a8951a2 update readme
• See full diff in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 4.0.2 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates tar from 7.5.10 to 7.5.13

Commits

• d6611ae 7.5.13
• 119c401 fix(extract): prevent raced symlink writes outside cwd
• 2a294d3 7.5.12
• 01082a4 fix: reject top promise on floating addFilesAsync rejections
• dd1c36a linting
• 35a1ffe doc: more clarity in security warning
• bf776f6 7.5.11
• f48b5fa prevent escaping symlinks with drive-relative paths
• 97cff15 docs: more security info
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[netlify]

✅ Deploy Preview for jestjs ready!

Name	Link
🔨 Latest commit	d31ef9b
🔍 Latest deploy log	https://app.netlify.com/projects/jestjs/deploys/69c45506453f0200080cd995
😎 Deploy Preview	https://deploy-preview-16007--jestjs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[pkg-pr-new]

Open in StackBlitz

babel-jest

npm i https://pkg.pr.new/babel-jest@16007

babel-plugin-jest-hoist

npm i https://pkg.pr.new/babel-plugin-jest-hoist@16007

babel-preset-jest

npm i https://pkg.pr.new/babel-preset-jest@16007

create-jest

npm i https://pkg.pr.new/create-jest@16007

@jest/diff-sequences

npm i https://pkg.pr.new/@jest/diff-sequences@16007

expect

npm i https://pkg.pr.new/expect@16007

@jest/expect-utils

npm i https://pkg.pr.new/@jest/expect-utils@16007

jest

npm i https://pkg.pr.new/jest@16007

jest-changed-files

npm i https://pkg.pr.new/jest-changed-files@16007

jest-circus

npm i https://pkg.pr.new/jest-circus@16007

jest-cli

npm i https://pkg.pr.new/jest-cli@16007

jest-config

npm i https://pkg.pr.new/jest-config@16007

@jest/console

npm i https://pkg.pr.new/@jest/console@16007

@jest/core

npm i https://pkg.pr.new/@jest/core@16007

@jest/create-cache-key-function

npm i https://pkg.pr.new/@jest/create-cache-key-function@16007

jest-diff

npm i https://pkg.pr.new/jest-diff@16007

jest-docblock

npm i https://pkg.pr.new/jest-docblock@16007

jest-each

npm i https://pkg.pr.new/jest-each@16007

@jest/environment

npm i https://pkg.pr.new/@jest/environment@16007

jest-environment-jsdom

npm i https://pkg.pr.new/jest-environment-jsdom@16007

@jest/environment-jsdom-abstract

npm i https://pkg.pr.new/@jest/environment-jsdom-abstract@16007

jest-environment-node

npm i https://pkg.pr.new/jest-environment-node@16007

@jest/expect

npm i https://pkg.pr.new/@jest/expect@16007

@jest/fake-timers

npm i https://pkg.pr.new/@jest/fake-timers@16007

@jest/get-type

npm i https://pkg.pr.new/@jest/get-type@16007

@jest/globals

npm i https://pkg.pr.new/@jest/globals@16007

jest-haste-map

npm i https://pkg.pr.new/jest-haste-map@16007

jest-jasmine2

npm i https://pkg.pr.new/jest-jasmine2@16007

jest-leak-detector

npm i https://pkg.pr.new/jest-leak-detector@16007

jest-matcher-utils

npm i https://pkg.pr.new/jest-matcher-utils@16007

jest-message-util

npm i https://pkg.pr.new/jest-message-util@16007

jest-mock

npm i https://pkg.pr.new/jest-mock@16007

@jest/pattern

npm i https://pkg.pr.new/@jest/pattern@16007

jest-phabricator

npm i https://pkg.pr.new/jest-phabricator@16007

jest-regex-util

npm i https://pkg.pr.new/jest-regex-util@16007

@jest/reporters

npm i https://pkg.pr.new/@jest/reporters@16007

jest-resolve

npm i https://pkg.pr.new/jest-resolve@16007

jest-resolve-dependencies

npm i https://pkg.pr.new/jest-resolve-dependencies@16007

jest-runner

npm i https://pkg.pr.new/jest-runner@16007

jest-runtime

npm i https://pkg.pr.new/jest-runtime@16007

@jest/schemas

npm i https://pkg.pr.new/@jest/schemas@16007

jest-snapshot

npm i https://pkg.pr.new/jest-snapshot@16007

@jest/snapshot-utils

npm i https://pkg.pr.new/@jest/snapshot-utils@16007

@jest/source-map

npm i https://pkg.pr.new/@jest/source-map@16007

@jest/test-result

npm i https://pkg.pr.new/@jest/test-result@16007

@jest/test-sequencer

npm i https://pkg.pr.new/@jest/test-sequencer@16007

@jest/transform

npm i https://pkg.pr.new/@jest/transform@16007

@jest/types

npm i https://pkg.pr.new/@jest/types@16007

jest-util

npm i https://pkg.pr.new/jest-util@16007

jest-validate

npm i https://pkg.pr.new/jest-validate@16007

jest-watcher

npm i https://pkg.pr.new/jest-watcher@16007

jest-worker

npm i https://pkg.pr.new/jest-worker@16007

pretty-format

npm i https://pkg.pr.new/pretty-format@16007

commit: d31ef9b