chore(deps): update npm packages

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@angular/animations (source)	21.2.11 → 21.2.12
@angular/build	21.2.9 → 21.2.10
@angular/cdk	21.2.9 → 21.2.10
@angular/common (source)	21.2.11 → 21.2.12
@angular/compiler (source)	21.2.11 → 21.2.12
@angular/compiler-cli (source)	21.2.11 → 21.2.12
@angular/core (source)	21.2.11 → 21.2.12
@angular/forms (source)	21.2.11 → 21.2.12
@angular/material	21.2.9 → 21.2.10
@angular/platform-browser (source)	21.2.11 → 21.2.12
@angular/platform-browser-dynamic (source)	21.2.11 → 21.2.12
@angular/router (source)	21.2.11 → 21.2.12
@sanity/types (source)	5.23.0 → 5.24.0
postcss (source)	8.5.13 → 8.5.14
posthog-js (source)	1.372.5 → 1.372.10
vite (source)	8.0.10 → 8.0.11
zone.js (source, changelog)	0.16.1 → 0.16.2

---

Release Notes

angular/angular (@​angular/animations)

v21.2.12

Compare Source

core

Commit	Type	Description
fe13bb669d	fix	allow explicit read generic with signal input transforms
3430251fef	fix	i18n flags leaking on errors
1aeebbe304	fix	respect ngSkipHydration on components with projectable nodes in LContainers
9e38ed7d57	fix	sanitizer typings
7a05a9a71a	fix	validate security-sensitive attributes in i18n bindings
c37f6ca42f	fix	visit ng-let expression value in signal migration schematics

forms

Commit	Type	Description
03ad53863b	fix	prohibit concurrent submits in signal forms

angular/angular-cli (@​angular/build)

v21.2.10

Compare Source

@​angular/cli

Commit	Type	Description
bb8611913	fix	restrict MCP workspace access to allowed client roots during resolution

angular/components (@​angular/cdk)

v21.2.10

Compare Source

aria

Commit	Type	Description
48973661e	fix	menu: do not set default aria-label (#​33202)

sanity-io/sanity (@​sanity/types)

v5.24.0

Compare Source

Sanity Studio v5.24.0

This release includes various improvements and bug fixes.

For the complete changelog with all details, please visit:
www.sanity.io/changelog/studio-NS4yMy4w

Install or upgrade Sanity Studio

To upgrade to this version, run:

npm install sanity@latest

To initiate a new Sanity Studio project or learn more about upgrading, please refer to our comprehensive guide on Installing and Upgrading Sanity Studio.

📓 Full changelog

Author	Message	Commit
@​jordanl17	feat(core): make document action keys extensible via declaration merging (#​12768)	eebdb17
@​bjoerge	chore: replace pnpx with pnpm and add pkg-pr-new dependency (#​12783)	3d66c1f
@​bjoerge	chore(turbo): remove unused env var (#​12781)	f8111fc
@​bjoerge	chore(ci): use pnpm whoami instead of npm whoami (#​12780)	2308d14
@​RitaDias	test: add tests for createCallbackResolver (#​12779)	5625f37
squiggler-app[bot]	fix(deps): update dependency @​sanity/cli to ^6.5.0 (#​12778)	f3d306c
@​bjoerge	fix: restore workspace hidden property (#​12775)	8f4e6b0
@​pedrobonamin	fix(core): add version into documentEvents observable (#​12772)	b511ef9
@​bjoerge	chore(ci): switch to package build for lefthook (#​12767)	838e355
@​bjoerge	chore: remove pre-commit husky hook (#​12766)	752aaf6
@​bjoerge	chore: replace husky + lint staged with lefthook (#​12755)	fcbdbdb
@​bjoerge	chore: upgrade pnpm to 11.0.0 (#​12759)	50a185b
@​bjoerge	chore(ci): drop node 20 from test matrix (#​12760)	8bc9911
squiggler-app[bot]	chore(deps): update dependency @​tanstack/react-virtual to ^3.13.24 (#​12657)	c4954c5
@​jordanl17	chore: adding telemetry to track when feedback dialog is opened and closed (#​12749)	6b16652
@​pedrobonamin	fix(core): reset calendar focused date when setting to current time (#​12753)	ff8a7d4
@​pedrobonamin	chore(core): cleanup decision parameters schema (#​12751)	aa8980b

postcss/postcss (postcss)

v8.5.14

Compare Source

• Fixed custom syntax regression (by @​43081j).

PostHog/posthog-js (posthog-js)

v1.372.10

Compare Source

1.372.10

Patch Changes

• #​3544 d120042 Thanks @​ksvat! - fix: stop session recording before destroying sessionManager in opt_out_capturing() with cookieless_mode: "on_reject". Previously, queued/throttled rrweb events (e.g. mousemove) could fire after the sessionManager was set to undefined and throw [SessionRecording] must be started with a valid sessionManager. Also adds a defensive early-return in onRRwebEmit so any remaining late events bail out instead of throwing.
  (2026-05-07)

• #​3542 94a5ba0 Thanks @​TueHaulund! - Preserve <style> textContent when the browser's CSSOM serialization would
  emit empty longhands from var() inside a shorthand. When a stylesheet has
  e.g. padding: var(--p); padding-bottom: var(--pb);, browsers store the
  shorthand's longhands with empty token lists per the CSS Custom Properties
  spec, and CSSStyleRule.cssText re-emits them as padding-top: ; padding-right: ; padding-left: ;. The previous behavior replaced the
  <style> text with that corrupted output, silently dropping layout rules
  on replay. We now detect the empty-longhand pattern and keep the original
  textContent in that case. Affects users of any CSS-in-JS framework that
  combines var() with shorthands (Chakra UI v3, Panda CSS, Emotion, etc.).
  Same class of bug as rrweb-io/rrweb#1667. (2026-05-07)

• Updated dependencies []:

  • @​posthog/types@​1.372.10
  • @​posthog/core@​1.28.4

v1.372.9

Compare Source

1.372.9

Patch Changes

• #​3537 026e09d Thanks @​TueHaulund! - Pull in the canvas-manager fix from @posthog/rrweb 0.0.61: skip canvas
  snapshots while the WebGL context is lost so transparent bitmaps don't
  poison the worker's fingerprint dedup map and silently kill canvas
  recording for the rest of the session. Also wraps getCanvas() in
  try/catch so DOM/shadow-root traversal errors can't cancel the rAF
  loop. See PR #​3527 for context. (2026-05-05)
• Updated dependencies []:
  • @​posthog/types@​1.372.9
  • @​posthog/core@​1.28.3

v1.372.8

Compare Source

1.372.8

Patch Changes

• #​3515 255b273 Thanks @​marandaneto! - Gate survey translation logs behind SDK debug logging to avoid production console spam.
  (2026-05-04)
• Updated dependencies [220cd61, 255b273]:
  • @​posthog/core@​1.28.2
  • @​posthog/types@​1.372.8

v1.372.7

Compare Source

1.372.7

Patch Changes

• Updated dependencies [8aee3d5]:
  • @​posthog/core@​1.28.1
  • @​posthog/types@​1.372.7

v1.372.6

Compare Source

1.372.6

Patch Changes

• #​3492 cf56753 Thanks @​lucasheriques! - Add translated survey rendering support in React Native and share survey translation logic through @posthog/core.
  (2026-05-01)
• Updated dependencies [cf56753, 04db756]:
  • @​posthog/core@​1.28.0
  • @​posthog/types@​1.372.6

vitejs/vite (vite)

v8.0.11

Compare Source

Features

• update rolldown to 1.0.0-rc.18 (#​22360) (3f80524)

Bug Fixes

• deps: update all non-major dependencies (#​22334) (672c962)
• deps: update all non-major dependencies (#​22382) (5c0cfcb)
• glob: align hmr matcher options with glob enumeration (#​22306) (30028f9)
• make separate object instance for each environment (#​22276) (7c2aa3b)

Documentation

• create-vite: list react-compiler templates in README (#​22347) (7c3a61f)
• explain mergeConfig skips null/undefined (#​22325) (2151f70)
• mention native config loader in CLI options (#​22348) (0420c5d)
• update evan's x handle (640202a)

Miscellaneous Chores

• deps: update dependency tsdown to ^0.21.10 (#​22333) (3b51e05)
• deps: update rolldown-related dependencies (#​22383) (555ff36)
• deps: update transitive packages to fix npm audit alerts (#​22316) (86aee62)

Code Refactoring

• devtools integration (#​22312) (3c8bf06)
• remove unnecessary async (#​22296) (b31fd35)
• show direct path type in bad character warning (#​22339) (0c162e9)

Tests

• create-vite: use short help alias (#​22389) (994ab66)

angular/angular (zone.js)

v0.16.2

Compare Source

• feat(zone.js): support vitest patching in zone.js/testing (#​68395) (62c6e3b), closes #​68395 #​68395
• fix(zone.js): allow draining microtasks in Promise.then (through flag) (fc6a7ee), closes angular#45273 angular#44446 angular#55590 angular#51328

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • "before 10am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​angular/​platform-browser-dynamic@​21.2.11 ⏵ 21.2.12			+1	+1
	npm/​@​sanity/​types@​5.23.0 ⏵ 5.24.0
	npm/​posthog-js@​1.372.5 ⏵ 1.372.10	-22		-2	+1
	npm/​@​angular/​compiler@​21.2.11 ⏵ 21.2.12
	npm/​@​angular/​core@​21.2.11 ⏵ 21.2.12	+1		+1
	npm/​@​angular/​platform-browser@​21.2.11 ⏵ 21.2.12
	npm/​@​angular/​animations@​21.2.11 ⏵ 21.2.12
	npm/​@​angular/​compiler-cli@​21.2.11 ⏵ 21.2.12	+1
	npm/​@​angular/​forms@​21.2.11 ⏵ 21.2.12	+1		+1
	npm/​@​angular/​router@​21.2.11 ⏵ 21.2.12
	npm/​@​angular/​build@​21.2.9 ⏵ 21.2.10
	npm/​@​angular/​cdk@​21.2.9 ⏵ 21.2.10
	npm/​@​angular/​common@​21.2.11 ⏵ 21.2.12
	npm/​@​angular/​material@​21.2.9 ⏵ 21.2.10				+1
	npm/​postcss@​8.5.13 ⏵ 8.5.14
	npm/​vite@​8.0.10 ⏵ 8.0.11			+1
	npm/​zone.js@​0.16.1 ⏵ 0.16.2			+1

View full report