chore(deps): update npm packages

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@angular/animations (source)	21.2.13 → 21.2.14
@angular/build	21.2.11 → 21.2.12
@angular/cdk	21.2.11 → 21.2.12
@angular/common (source)	21.2.13 → 21.2.14
@angular/compiler (source)	21.2.13 → 21.2.14
@angular/compiler-cli (source)	21.2.13 → 21.2.14
@angular/core (source)	21.2.13 → 21.2.14
@angular/forms (source)	21.2.13 → 21.2.14
@angular/material	21.2.11 → 21.2.12
@angular/platform-browser (source)	21.2.13 → 21.2.14
@angular/platform-browser-dynamic (source)	21.2.13 → 21.2.14
@angular/router (source)	21.2.13 → 21.2.14
@sanity/types (source)	5.25.1 → 5.26.0
postcss (source)	8.5.14 → 8.5.15
posthog-js (source)	1.373.4 → 1.375.0
sass	1.99.0 → 1.100.0
tsx (source)	4.22.0 → 4.22.3
vite (source)	8.0.13 → 8.0.14
vitest (source)	4.1.6 → 4.1.7

---

Release Notes

angular/angular (@​angular/animations)

v21.2.14

Compare Source

compiler

Commit	Type	Description
68282dff9f	fix	strip namespaced SVG script elements during template compilation

core

Commit	Type	Description
c0f52272ed	fix	do not insert todo when migrating void @​Output
938a7f3edd	fix	makes resource URL sanitizer lookup case-insensitive
0fb2724194	fix	reject script element as a dynamic component host
49113ac0ef	fix	visit ICU expressions in signal migration schematics

router

Commit	Type	Description
099bf577ee	fix	skip scroll-to-top on initial navigation when hydrating

angular/angular-cli (@​angular/build)

v21.2.12

Compare Source

@​angular/build

Commit	Type	Description
cbad57579	fix	ignore virtual esbuild paths with (disabled):

angular/components (@​angular/cdk)

v21.2.12

Compare Source

material

Commit	Type	Description
da87be7646	fix	datepicker: ensure dates don't overflow on a small screen (#​33281)

sanity-io/sanity (@​sanity/types)

v5.26.0

Compare Source

Reverts

• "chore(release): publish v5.26.0" (#​12849) (70545b8)

postcss/postcss (postcss)

v8.5.15

Compare Source

• Fixed declaration parsing performance (by @​homanp).

PostHog/posthog-js (posthog-js)

v1.375.0

Compare Source

1.375.0

Minor Changes

• #​3641 2e1d5f4 Thanks @​dustinbyrne! - Add flag_keys config to restrict browser feature flag remote evaluation to specific flag keys.
  (2026-05-21)

Patch Changes

• Updated dependencies [2e1d5f4]:
  • @​posthog/types@​1.375.0
  • @​posthog/core@​1.29.8

v1.374.4

Compare Source

1.374.4

Patch Changes

• #​3638 87e2145 Thanks @​marandaneto! - Apply tracing headers to matching XMLHttpRequest requests
  (2026-05-21)

• #​3646 4f87827 Thanks @​marandaneto! - Avoid throwing or initializing PostHogProvider when no API key or client is provided
  (2026-05-21)

• #​3645 280832b Thanks @​TueHaulund! - Capture <link rel="stylesheet"> URLs from link.sheet.href and try link.sheet directly for inlining, so recordings survive SPA history.pushState navigations between routes of different path depths (where link.href re-resolves against a new baseURI but link.sheet.href preserves the URL the browser actually fetched).

  Ships the fix landed in #​3635, which only bumped the internal @posthog/rrweb-snapshot package — that package is bundled into posthog-js at build time but is not published to npm on its own, so a posthog-js bump is needed to actually deliver the change. (2026-05-21)

• Updated dependencies []:

  • @​posthog/types@​1.374.4
  • @​posthog/core@​1.29.7

v1.374.3

Compare Source

1.374.3

Patch Changes

• #​3607 557b893 Thanks @​eli-r-ph! - Enable $web_vitals reporting when cookieless mode is enabled
  (2026-05-20)
• Updated dependencies [557b893, a880dbc]:
  • @​posthog/types@​1.374.3
  • @​posthog/core@​1.29.6

v1.374.2

Compare Source

1.374.2

Patch Changes

• #​3550 df91995 Thanks @​TueHaulund! - Preserve session-recording remote config across posthog.reset().

  posthog.reset() was clearing the entire persistence store, which wiped
  $session_recording_remote_config along with user state. On the next session
  rotation triggered by the reset, start('session_id_changed') would early-return
  because the remote config was missing — leaving rrweb torn down and the new
  session opening with no Meta + FullSnapshot until the next periodic 5-minute
  checkout.

  This affected any flow where an app calls posthog.reset() mid-session
  (e.g. on sign-out / sign-in) and was particularly visible on Flutter Web
  recordings that depend on a fresh FullSnapshot to anchor the CanvasKit DOM. (2026-05-18)

• Updated dependencies []:

  • @​posthog/types@​1.374.2
  • @​posthog/core@​1.29.5

v1.374.1

Compare Source

1.374.1

Patch Changes

• #​3627 07a0f5f Thanks @​marandaneto! - Respect transport overrides passed to posthog.capture.
  (2026-05-18)
• Updated dependencies []:
  • @​posthog/types@​1.374.1
  • @​posthog/core@​1.29.4

v1.374.0

Compare Source

1.374.0

Minor Changes

• #​3620 594ea11 Thanks @​pauldambra! - Dead clicks: add a .ph-no-deadclick CSS class (and capture_dead_clicks.css_selector_ignorelist config option) to exclude specific elements from dead-click detection without affecting autocapture, session replay, or heatmaps. Mirrors the existing .ph-no-rageclick pattern.
  (2026-05-18)

Patch Changes

• #​3621 3c0a09f Thanks @​pauldambra! - Dead clicks: a click on an <a> (or any element inside an <a>, including across shadow DOM) is no longer flagged as a dead click — the browser navigates / downloads / opens a new window and we can't observe that. Reuses autocapture's existing DOM walker for the ancestor walk. Direct clicks on <button>, <input>, <select>, <textarea>, <label>, and <form> (previously all skipped) are now eligible for dead-click detection: if their JS handler ran, the existing mutation / scroll / selection observers see the effect; if it didn't, dead-click correctly surfaces the bug. A broken <button> with no handler, or an <svg> icon inside one, will now flag — which is exactly the dead-click case we want to catch.
  (2026-05-18)
• Updated dependencies [594ea11]:
  • @​posthog/types@​1.374.0
  • @​posthog/core@​1.29.3

v1.373.5

Compare Source

1.373.5

Patch Changes

• #​3613 221973e Thanks @​lucasheriques! - Surveys: submit open text questions with Cmd/Ctrl+Enter. The textarea still inserts a newline on plain Enter (native behaviour), matching the convention used by Slack, GitHub, Discord, and ChatGPT for multi-line inputs. Single-line "Other:" inputs continue to submit on plain Enter as before.
  (2026-05-15)
• Updated dependencies []:
  • @​posthog/types@​1.373.5
  • @​posthog/core@​1.29.2

sass/dart-sass (sass)

v1.100.0

Compare Source

• Writing two compound selectors adjacent to one another without any whitespace
  between them, such as [class]a, is now deprecated. This was always an error
  in CSS and Sass only supported it by mistake.

  See the Sass website for
  details.

privatenumber/tsx (tsx)

v4.22.3

Compare Source

v4.22.2

Compare Source

v4.22.1

Compare Source

vitejs/vite (vite)

v8.0.14

Compare Source

Features

• update rolldown to 1.0.2 (#​22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#​22471) (98b8163)
• dev: handle errors when sending messages to vite server (#​22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#​22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#​22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#​22310) (0ae2844)

Tests

• css: sass does not use main field (#​22449) (ebf39a0)

vitest-dev/vitest (vitest)

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • "before 10am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​posthog-js@​1.375.0
	npm/​@​angular/​platform-browser-dynamic@​21.2.14
	npm/​@​sanity/​types@​5.26.0
	npm/​@​angular/​core@​21.2.14
	npm/​@​angular/​compiler@​21.2.14
	npm/​@​angular/​platform-browser@​21.2.14
	npm/​@​angular/​animations@​21.2.14
	npm/​@​angular/​compiler-cli@​21.2.14
	npm/​@​angular/​forms@​21.2.14
	npm/​@​angular/​router@​21.2.14
	npm/​@​angular/​build@​21.2.12
	npm/​@​angular/​cdk@​21.2.12
	npm/​vitest@​4.1.7
	npm/​@​angular/​common@​21.2.14
	npm/​@​angular/​material@​21.2.12
	npm/​tsx@​4.22.3
	npm/​postcss@​8.5.15
	npm/​vite@​8.0.14
	npm/​sass@​1.100.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @angular/build is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: napi/playground/package.json → npm/@angular/build@21.2.12 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@angular/build@21.2.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm posthog-js is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: napi/angular-compiler/benchmarks/typedb-web/package.json → npm/posthog-js@1.375.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.375.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm posthog-js is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: napi/angular-compiler/benchmarks/typedb-web/package.json → npm/posthog-js@1.375.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.375.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report