fix(deps): update all dependencies

[renovate-bot]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@angular/build	^21.2.9 → ^22.0.0			devDependencies	major
@angular/cli	^21.2.9 → ^22.0.0			devDependencies	major
@angular/common (source)	^21.2.0 → ^22.0.0			dependencies	major
@angular/compiler (source)	^21.2.0 → ^22.0.0			dependencies	major
@angular/compiler-cli (source)	^21.2.0 → ^22.0.0			devDependencies	major
@angular/core (source)	^21.2.0 → ^22.0.0			dependencies	major
@angular/forms (source)	^21.2.0 → ^22.0.0			dependencies	major
@angular/platform-browser (source)	^21.2.0 → ^22.0.0			dependencies	major
@angular/router (source)	^21.2.0 → ^22.0.0			dependencies	major
@babel/preset-env (source)	7.29.5 → 7.29.7			devDependencies	patch
SQLAlchemy (changelog)	==2.0.49 → ==2.0.50				patch
actions/checkout	v4 → v6			action	major
actions/setup-python	v5 → v6			action	major
aiohappyeyeballs (changelog)	==2.6.1 → ==2.6.2				patch
aiohttp	==3.13.5 → ==3.14.1				minor
apache-beam	==2.71.0 → ==2.74.0				minor
bigframes (source, changelog)	==2.39.0 → ==2.42.0				minor
cachetools (changelog)	==7.1.1 → ==7.1.4				patch
certifi	==2026.4.22 → ==2026.5.20				minor
click (changelog)	==8.3.3 → ==8.4.1				minor
cryptography (changelog)	==48.0.0 → ==49.0.0				major
db-dtypes (source)	==1.6.0 → ==1.7.0				minor
distlib	==0.4.0 → ==0.4.3				patch
dorny/paths-filter	v3 → v4			action	major
esbuild	^0.20.0 → ^0.28.0			devDependencies	minor
filelock	==3.29.0 → ==3.29.4				patch
google-api-core	==2.30.3 → ==2.31.0				minor
google-auth (source)	==2.50.0 → ==2.54.0				minor
google-auth (source)	==2.52.0 → ==2.54.0				minor
google-cloud-bigquery-storage (source)	==2.38.0 → ==2.39.0				minor
google-cloud-bigtable (source)	==2.35.0 → ==2.38.0				minor
google-cloud-core (source)	==2.5.1 → ==2.6.0				minor
google-cloud-core (source)	==2.5.0 → ==2.6.0				minor
google-cloud-monitoring (source)	==2.29.0 → ==2.31.0				minor
google-cloud-spanner (source)	==3.65.0 → ==3.68.0				minor
google-cloud-spanner (source)	==3.66.0 → ==3.68.0				minor
google-cloud-testutils (source)	==1.8.0 → ==1.9.0				minor
google-cloud-testutils (source)	==1.7.0 → ==1.9.0				minor
googleapis-common-protos (source)	==1.74.0 → ==1.75.0				minor
greenlet (changelog)	==3.5.0 → ==3.5.1				patch
grpcio	==1.80.0 → ==1.81.1				minor
grpcio-status	==1.80.0 → ==1.81.1				minor
idna (changelog)	==3.13 → ==3.18				minor
idna (changelog)	==3.15 → ==3.18				minor
ipython	==9.13.0 → ==9.14.1				minor
jsdom	^28.0.0 → ^29.0.0			devDependencies	major
npm (source)	11.7.0 → 11.17.0			packageManager	minor
opentelemetry-api	==1.41.1 → ==1.42.1				minor
opentelemetry-sdk	==1.41.1 → ==1.42.1				minor
pandas	==2.3.3 → ==3.0.3				major
pip (changelog)	==26.1.1 → ==26.1.2				patch
platformdirs (changelog)	==4.9.6 → ==4.10.0				minor
polars (changelog)	==1.40.1 → ==1.41.2				minor
prettier (source)	3.8.3 → 3.8.4			devDependencies	patch
proto-plus	==1.27.2 → ==1.28.0				minor
protobuf	==7.34.1 → ==7.35.1				minor
pytest (changelog)	==9.0.3 → ==9.1.0				minor
pytest-asyncio (changelog)	==1.3.0 → ==1.4.0				minor
python	3.10 → 3.14			uses-with	minor
python	3.12 → 3.14			uses-with	minor
requests (changelog)	==2.33.1 → ==2.34.2				minor
ruff (source, changelog)	==0.15.12 → ==0.15.17				patch
rules_cc	0.1.1 → 0.2.19			http_archive	minor
tqdm (changelog)	==4.67.3 → ==4.68.2				minor
typescript (source)	~5.9.2 → ~6.0.0			devDependencies	major
virtualenv	==21.3.1 → ==21.5.0				minor
vitest (source)	4.1.5 → 4.1.9			devDependencies	patch
wrapt (changelog)	==2.1.2 → ==2.2.1				minor
yarl	==1.23.0 → ==1.24.2				minor
zipp	==3.23.1 → ==4.1.0				major

---

Release Notes

angular/angular-cli (@​angular/build)

v22.0.1

Compare Source

@​angular/cli

Commit	Type	Description
b54e9a549	fix	do not sort migrations of the same version alphabetically
d33311612	fix	fallback to local package.json for schematic detection on first run
918102a93	fix	isolate temporary package installation from parent pnpm workspace
b048b5f4a	fix	remove forceAuth and unscoped credential parsing
277934035	fix	validate registry option is a valid URL in ng add
4510dae02	perf	optimize update schematic registry query counts by fetching package metadata lazily

@​schematics/angular

Commit	Type	Description
c80012294	fix	fix browserMode option mapping in refactor-jasmine-vitest
a9b6bd904	fix	safely comment out multiline statements in refactor-jasmine-vitest
12199df00	fix	use null objects and callbacks in karma-to-vitest migration

@​angular/build

Commit	Type	Description
89d1be979	fix	allow disabling Vitest isolation from builder
d45b84be9	fix	exclude JSON imports from Vite dependency optimization
e3cab4ddd	fix	prevent concurrent stylesheet bundling esbuild context leaks
bd413b0eb	fix	restrict application builder output paths to output directory

v22.0.0

Compare Source

@​angular/cli

Commit	Type	Description
f05343a42	fix	expand package groups for newly added peer dependencies in update schematic

@​schematics/angular

Commit	Type	Description
4fbc60891	fix	preserve Jasmine stub-by-default semantics for bare spies

@​angular/build

Commit	Type	Description
418abd825	fix	prevent esbuild service child process leakage

@​angular/ssr

Commit	Type	Description
8471ba634	fix	support server-side rendering configuration options

v21.2.15

Compare Source

@​angular/cli

Commit	Type	Description
42ac0ed0f	fix	remove forceAuth and unscoped credential parsing
c7a7f1955	fix	support registry metadata fetching under bun package manager

v21.2.14

Compare Source

@​angular/cli

Commit	Type	Description
aed448748	fix	expand package groups for newly added peer dependencies in update schematic

@​angular/build

Commit	Type	Description
d46c082fb	fix	prevent esbuild service child process leakage

v21.2.13

Compare Source

@​angular-devkit/build-angular

Commit	Type	Description
3c6d26a31	fix	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Type	Description
2b3e95517	fix	assert that asset input paths are within workspace root

v21.2.12

Compare Source

@​angular/build

Commit	Type	Description
cbad57579	fix	ignore virtual esbuild paths with (disabled):

v21.2.11

Compare Source

@​angular/cli

Commit	Type	Description
bbd63b7a5	fix	robustly parse npm manifest from array

@​angular/ssr

Commit	Type	Description
eafe1a719	fix	allow all hosts in common engine rendering options to prevent validation errors
7a116a80d	fix	remove stateful flag from URL_PARAMETER_REGEXP

v21.2.10

Compare Source

@​angular/cli

Commit	Type	Description
bb8611913	fix	restrict MCP workspace access to allowed client roots during resolution

angular/angular (@​angular/common)

v22.0.1

Compare Source

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.
  (cherry picked from commit 8446e46)

common

Commit	Type	Description
c4b5fa3c92	fix	escape CSS string-terminating characters in escapeCssUrl
dfff57ede9	fix	Limits date format string length
3c2892c8df	fix	prevent prototype pollution in formatDateTime
1d87c49f6e	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
1ee224ca30	fix	disallow i18n event attributes
a56f1cdf8f	fix	more robust logic to check if regex can be optimized
5946c18275	fix	sanitize href/xlink:href attributes of any element of the MathML namespace
393b84caf8	fix	sanitize two-way properties

compiler-cli

Commit	Type	Description
3d9ca2f173	fix	bind switch exhaustive check expressions

core

Commit	Type	Description
669146b0e7	fix	disable WebMCP during SSR
562a566ead	fix	Handle synchronous errors in PendingTasks.run function
fa546f382d	fix	harden TransferState restoration against DOM clobbering
29fdb98684	fix	prevent dangling prevConsumer reference from leaking destroyed views (#​68681)
cdcea80327	fix	require WebMCP tool descriptions
4289c4c840	fix	update comment for Default change detection
3dd433b39a	fix	use Object.hasOwn to handle null-prototype objects in toStylingKeyValueArray
045bb736b3	fix	validate lowercase SVG animation attribute names

forms

Commit	Type	Description
11836a670a	fix	delay mcp reading the form model by a tick
85d2d100e3	fix	harden FormGroup control lookups against prototype shadowing
e51ad374ea	fix	remove animationstart listener on component destroy to prevent memory leak
55b7b5a6b6	fix	set additionalProperties: false on generated WebMCP form

http

Commit	Type	Description
ffb06c0514	fix	ensure query parameters are inserted before URL fragments
2dd65d21e6	fix	pass down the reportUploadProgress and reportDownloadProgress on post/patch requests
4254eb416c	fix	preserve empty referrer option in HttpRequest
167bd4c162	fix	Rejects non-HTTP(S) URLs in JSONP requests

language-service

Commit	Type	Description
43a0e28729	fix	prevent external template inlay hints from appearing in TS files

platform-server

Commit	Type	Description
ed48ca7f51	fix	harden platform location origin validation during SSR
1881ede3a7	refactor	deprecate ServerXhr

router

Commit	Type	Description
43edc8410f	fix	use native URL object for navigation boundary and comparison

service-worker

Commit	Type	Description
cf97b1f828	fix	Strips sensitive headers on cross-origin redirects

v22.0.0

Compare Source

common

Commit	Type	Description
4795b35d5b	fix	only strip a literal /index.html suffix from URLs

compiler

Commit	Type	Description
2891f7e787	fix	move projection attributes into constants

core

Commit	Type	Description
e3e25b5a53	fix	use Object.create(null) for LOCALE_DATA as a hardening measure

migrations

Commit	Type	Description
9d9855a415	fix	Make the safe optional chaining idempotent

platform-server

Commit	Type	Description
7b9130931d	fix	throw on suspicious URLs and restrict protocol-relative URLs

v21.2.17

Compare Source

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit	Type	Description
86a56dc279	fix	Limits date format string length
d846326b07	fix	skip transfer cache for uncacheable HTTP traffic
bc55749698	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
dc9c99636d	fix	sanitize two-way properties

core

Commit	Type	Description
1523061137	fix	harden TransferState restoration against DOM clobbering
88832c84f8	fix	validate lowercase SVG animation attribute names (#​69269)

http

Commit	Type	Description
[bcb1b7ea25](https://redirect.github.com/angular/angular/commit/bcb1b7ea2575b

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Code Review

This pull request updates several dependencies across multiple packages, including bigframes, rules_cc, google-auth, requests, and pandas. A compatibility issue was identified in the BigQuery Storage sample requirements, where the version marker for pandas 3.0.3 needs to be updated to Python 3.10 or higher to prevent installation failures on Python 3.9.

[gemini-code-assist]

Pandas 3.0.0 and later versions require Python 3.10 or higher. The current environment marker python_version >= '3.9' will cause installation failures on Python 3.9. Since other dependencies updated in this pull request (such as google-cloud-core v2.6.0) are also dropping support for Python 3.9, this marker should be updated to reflect the new minimum requirement.

pandas==3.0.3; python_version >= '3.10'