Update Fundamental NGX and Angular

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@angular-devkit/build-angular	21.2.7 → 21.2.15			devDependencies	patch	21.2.16
@angular-eslint/builder (source)	^21.3.1 → 21.3.1			devDependencies	pin
@angular/build	^21.2.7 → 21.2.10			devDependencies	pin
@angular/cli	21.2.7 → 21.2.15			devDependencies	patch	21.2.16
@angular/compiler-cli (source)	21.2.12 → 21.2.17			devDependencies	patch
@fundamental-ngx/ui5-webcomponents (source)	^0.59.1 → ^0.59.1 || ^0.62.0			peerDependencies	minor
@fundamental-ngx/ui5-webcomponents (source)	0.59.1 → 0.62.3			peerDependencies	minor
@fundamental-ngx/ui5-webcomponents-fiori (source)	^0.59.1 → ^0.59.1 || ^0.62.0			peerDependencies	minor
@fundamental-ngx/ui5-webcomponents-fiori (source)	0.59.1 → 0.62.3			peerDependencies	minor
ng-packagr	^21.1.0 → 21.2.3			devDependencies	pin
typescript-eslint (source)	^8.33.0 → 8.59.3			devDependencies	pin

---

Release Notes

angular/angular-cli (@​angular-devkit/build-angular)

v21.2.15

Compare Source

@​angular/cli

Commit	Type	Description
42ac0ed0f	fix	remove forceAuth and unscoped credential parsing
c7a7f1955	fix	support registry metadata fetching under bun package manager

v21.2.14

Compare Source

@​angular/cli

Commit	Type	Description
aed448748	fix	expand package groups for newly added peer dependencies in update schematic

@​angular/build

Commit	Type	Description
d46c082fb	fix	prevent esbuild service child process leakage

v21.2.13

Compare Source

@​angular-devkit/build-angular

Commit	Type	Description
3c6d26a31	fix	remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit	Type	Description
2b3e95517	fix	assert that asset input paths are within workspace root

v21.2.12

Compare Source

@​angular/build

Commit	Type	Description
cbad57579	fix	ignore virtual esbuild paths with (disabled):

v21.2.11

Compare Source

@​angular/cli

Commit	Type	Description
bbd63b7a5	fix	robustly parse npm manifest from array

@​angular/ssr

Commit	Type	Description
eafe1a719	fix	allow all hosts in common engine rendering options to prevent validation errors
7a116a80d	fix	remove stateful flag from URL_PARAMETER_REGEXP

v21.2.10

Compare Source

@​angular/cli

Commit	Type	Description
bb8611913	fix	restrict MCP workspace access to allowed client roots during resolution

v21.2.9

Compare Source

@​angular/cli

Commit	Type	Description
233deef01	fix	fix broken img ref in ai-tutor
7cea9885c	fix	introduce initial package manager workspace awareness
5b1a5b743	fix	remove standalone true ref in ai tutor

@​schematics/angular

Commit	Type	Description
e7abeb5c7	fix	add missing imports for focus and skip APIs in refactor-jasmine-vitest

@​angular/ssr

Commit	Type	Description
94023f62c	fix	introduce trustProxyHeaders option to safely validate and sanitize proxy headers
5ffe5c309	fix	add support for configuring trusted proxy headers via environment variable
930ada9b7	fix	decode route segments when building and matching route tree
0dc8a440c	fix	use router to normalize URLs for comparison

v21.2.8: 21.2.8

Compare Source

@​angular/cli

Commit	Description
	dynamically resolve project Angular CLI executable inside MCP tools
	ignore EBADF file system errors during MCP project scan
	use headless option in MCP test tool

@​angular-devkit/build-angular

Commit	Description
	ensure route has leading slash in prerender builder
	fix app-shell route format and

@​angular/build

Commit	Description
	use rootDir for HMR component updates path resolution
	validate V8 coverage support for browsers in Vitest

angular/angular (@​angular/compiler-cli)

v21.2.17

Compare Source

Deprecations

platform-server

• XHR support in @angular/platform-server is deprecated. Use standard fetch APIs instead.

common

Commit	Type	Description
86a56dc279	fix	Limits date format string length
d846326b07	fix	skip transfer cache for uncacheable HTTP traffic
bc55749698	fix	use cryptographically secure SHA-256 for transfer cache key generation

compiler

Commit	Type	Description
dc9c99636d	fix	sanitize two-way properties

core

Commit	Type	Description
1523061137	fix	harden TransferState restoration against DOM clobbering
88832c84f8	fix	validate lowercase SVG animation attribute names (#​69269)

http

Commit	Type	Description
bcb1b7ea25	fix	preserve empty referrer option in HttpRequest
a810a319d1	fix	Rejects non-HTTP(S) URLs in JSONP requests
e245d40c4d	fix	skip transfer cache for fetch credentialed requests

platform-server

Commit	Type	Description
35510746b7	fix	harden platform location origin validation during SSR
13fb0afe93	refactor	deprecate ServerXhr (#​69255)

service-worker

Commit	Type	Description
b9d29381bb	fix	Strips sensitive headers on cross-origin redirects

v21.2.16

Compare Source

common

Commit	Type	Description
f6d8e642b0	fix	only strip a literal /index.html suffix from URLs

compiler

Commit	Type	Description
ae1c8a1f7a	fix	move projection attributes into constants

core

Commit	Type	Description
3fd6897a67	fix	harden inherit definition feature against polluted prototypes
7e38336dc7	fix	use Object.create(null) for LOCALE_DATA as a hardening measure

platform-server

Commit	Type	Description
66821c4ed5	fix	throw on suspicious URLs and restrict protocol-relative URLs
d3170031b6	fix	update domino to latest version

v21.2.15

Compare Source

common

Commit	Type	Description
7f4ac78994	fix	add upper bounds for digitsInfo
300f61feb3	fix	sanitize placeholder

compiler

Commit	Type	Description
0b07f47bd6	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#​68925)
eb1cbbf2eb	fix	prevent namespaced SVG <style> elements from being stripped
cc1378d54b	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#​68925)
782e01594e	fix	strip namespaced SVG script elements during template compilation (#​68925)

core

Commit	Type	Description
ff12fe55ac	fix	normalize tag names in runtime i18n attribute security context lookup (#​68925)
e6fe77cc97	fix	sanitize meta selectors
daaf32937f	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (#​68925)
dada86e43d	fix	synchronize core sanitization schema with compiler (#​68925)

http

Commit	Type	Description
582a417bd2	fix	exclude withCredentials requests from transfer cache
5c6d6df34b	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
37e8aadf87	fix	prevent SSRF bypasses via backslash URLs in HttpClient
72696e244e	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
b8bd49341d	fix	Preserves explicit 'credentials: omit' in asset requests
ca32fc1000	fix	Preserves HTTP cache mode in asset group requests

v21.2.14

Compare Source

compiler

Commit	Type	Description
68282dff9f	fix	strip namespaced SVG script elements during template compilation

core

Commit	Type	Description
c0f52272ed	fix	do not insert todo when migrating void @​Output
938a7f3edd	fix	makes resource URL sanitizer lookup case-insensitive
0fb2724194	fix	reject script element as a dynamic component host
49113ac0ef	fix	visit ICU expressions in signal migration schematics

router

Commit	Type	Description
099bf577ee	fix	skip scroll-to-top on initial navigation when hydrating

v21.2.13

Compare Source

core

Commit	Type	Description
1c6553e97d	fix	disallow event attribute bindings in host bindings unconditionally

platform-server

Commit	Type	Description
629905d537	fix	add allowedHosts option to renderModule and renderApplication
0b7192f441	fix	forward BEFORE_APP_SERIALIZED errors to ErrorHandler

SAP/fundamental-ngx (@​fundamental-ngx/ui5-webcomponents)

v0.62.3

Compare Source

Bug Fixes

• core: forward scrollStrategy through fd-menu and fd-inline-help (#​14218) (05f3834)
• core: use a ResizeObserver to update illustration size on tab switch (#​14209) (7f00752)
• platform: [Platform] [fdp-smart-filter-bar] Incorrect filter logic and row selection reset when switching visibility categories (#​14195) (031ed40)
• platform: table with selection reading select all column header … (#​14181) (cffdc3f)

Features

• MCP server evaluation - part 1 (#​14178) (e76cfd2), closes #​14159
• mcp: MCP server evaluation part 2 (#​14208) (e152f69), closes #​1 #​2 #​3 #​4 #​5 #​6 #​6 #​5 -#​7

v0.62.2

Compare Source

Bug Fixes

• btp: center vertically the Side Nav icons with nav button in Overlay Mode (#​14197) (cda1fe8)
• core: adopt fundamental-styles markup and a11y improvements (#​14152) (65bb4b7)
• core: allow disabled state for individual buttons inside a non-disabled segmented button (#​14187) (c9a4f8b)
• core: prevent focus trap in form-input-message-group (#​14196) (0113505)
• core: restore ngModelChange emission in combobox communicateByObject mode (#​14200) (a3637a5)
• core: update L size Illustrated message figcaption max-width (#​14180) (919cb2b)
• platform: improve a11y for Platform Table View Settings dialog (#​14161) (f053e32)
• platform: lookupKey now correctly matches complex objects in fdp-select (#​14193) (25d22ba)

Features

• core: add headingLevel support to grid-list title bar (#​14192) (cf68ea0)
• core: improve MCP server metadata and add usage guide tool (#​14159) (3aa0e9c)

v0.62.1

Compare Source

Bug Fixes

• platform: add missing chevrons to filter dialog in table (#​14172) (ba1638d)

v0.62.0

Compare Source

Bug Fixes

• adopt minor styles changes (#​14155) (85dacfd)
• btp,cdk: migrate tool-header to zoneless and fix Angular 21 focusable list regression (#​14076) (94d2885)
• btp: remove NgZone usage from BTP Splitter (#​14052) (edb029a)
• btp: remove NgZone usage from Navigation List Item (#​14047) (b64a95a)
• btp: remove NgZone usage from navigation-content-start for zoneless compatibility (#​14049) (ff4aed2)
• cdk, core: migrate Toast infrastructure to signals and Web Animations API (#​13965) (79d7bbc)
• cdk, platform: platform icon tab bar does not detect overflow (#​13964) (4b1834b)
• cdk: clicked directive migration to signals (#​13955) (1043d47)
• cdk: migrate LineClampDirective and LineClampTargetDirective to signals (#​13954) (1fde0f9)
• cdk: remove NgZone from autocomplete directive (#​14081) (425f950)
• cdk: remove ngZone from overflow list directive (#​14079) (cd417b0)
• cdk: remove NgZone usage from FdkReadonlyProvider (#​14067) (3abaf05)
• cdk: remove NgZone usage in FdkDisabledProvider (#​14059) (9ea96e4)
• ci: allow .ts files in i18n fork PR validation (#​14062) (617836e)
• ci: harden workflow security against injection and over-permissioning (#​14084) (c138159)
• core, platform: a11y improvements for Toolbar and Table Toolbar (#​14074) (49e8d0d)
• core, platform: adopt latest fund-styles changes (#​14102) (8630423)
• core,cdk: combobox, multi-input, autocomplete bugs (#​14070) (47ae3dd)
• core,platform,btp,cx: migrate remaining Default strategy components to OnPush (#​14071) (d5eda82)
• core,platform: fix list item tabindex (#​14009) (92bf1e2)
• core: a11y fix for Fixed Card Layout (#​14093) (9b2794b)
• core: a11y improvements for Breadcrumb component (#​14129) (d6f9da2)
• core: add a11y improvements for Card component (#​14118) (9b83f54)
• core: add dynamic accessible text to expand/collapse button in dynamic page subheader (#​14033) (50a86c3)
• core: add fix for flickering Inline Help (#​14055) (1b66e46)
• core: add fix for Inline Help focus outline (#​14073) (1b61d92)
• core: bring back more inline help inputs (#​14066) (43e2579)
• core: finish Button migration to signals (#​13986) (a61f670)
• core: fix avatar group accessibility (#​14088) (3aedd69)
• core: fix mobile popover/menu reopen and form-item NG0100 (#​14087) (e330990)
• core: fix overflow functionality for Breadcrumb and Overflow Layout components (#​14014) (b95d35b)
• core: fix the problem with jumping Product Switch items (#​14029) (12260c2)
• core: fix the problem with the missing buttons and indicators in Carousel (#​14028) (097d27e)
• core: items in fd-menu should not be activated on key down (#​14115) (81ebd1a)
• core: match fundamental-styles combobox group styling (#​14150) (4fbe0cb)
• core: migrate TokenComponent to signals (#​13983) (6140313)
• core: prevent NG0600 error and site unresponsiveness (#​13998) (16c4600)
• core: reconfigure multi-combobox data provider when dataSource changes (#​14065) (534e51b)
• core: remove Angular animation dependncy + redesign example cards with density toggle, responsive preview, and keyboard hints (#​14077) (bf27ef1)
• core: remove NgZone dependency from tab-list and tab-panel components (#​14042) (710d342)
• core: remove NgZone from Form Item (#​14045) (e486bfa)
• core: remove NgZone usage from menu segmented-button-option directive for zoneless compatibility (#​14043) (6a1e169)
• core: remove NgZone usage from Segmented Burron (#​14053) (2bf1aaf)
• core: Remove NgZone usage from User Menu Item component (#​14046) (1453a89)
• core: remove outline and event from disabled segmented button (#​14026) (80b6316)
• core: restore missing popover inputs for menu and product-switch (#​13976) (19acac3)
• core: signalify bar component (#​14101) (5d7f2d6)
• core: signalify panel components (#​14109) (274e843)
• core: support both signal and plain property types in MobileMode (#​14069) (a04e0cb)
• docs: update Table and Dynamic Page examples to show heading level configuration (#​14089) (af7e04d)
• i18n: add new translation delivery (#​14034) (00aaae7)
• platform,core: fdp-table-toolbar does not update well when modifying a title (#​14040) (b59a2de)
• platform: allow title template in Platform Table Toolbar (#​13966) (fb028be)
• platform: fdp-table should not read additional info "empty" when there is a button inside a table cell (#​14017) ([3a4553f](https://redirect.github.com/SAP/fundamental-ngx/commit/3a45

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Free

Run ID: 8f7ade76-2684-4387-801e-25b04015df67

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @openmfp/webcomponents@0.13.0
npm error Found: @angular/compiler@21.2.12
npm error node_modules/@angular/compiler
npm error   peer @angular/compiler@"^21.2.0" from the root project
npm error   peerOptional @angular/compiler@"21.2.12" from @angular/core@21.2.12
npm error   node_modules/@angular/core
npm error     peer @angular/core@"^21.2.0" from the root project
npm error     peer @angular/core@"21.2.12" from @angular/animations@21.2.12
npm error     node_modules/@angular/animations
npm error       peer @angular/animations@"^21.2.0" from the root project
npm error       3 more (@angular/platform-browser, ...)
npm error     9 more (@angular/cdk, @angular/common, @angular/elements, ...)
npm error   2 more (@angular/platform-browser-dynamic, @storybook/angular)
npm error
npm error Could not resolve dependency:
npm error dev @angular-devkit/build-angular@"21.2.15" from the root project
npm error
npm error Conflicting peer dependency: @angular/compiler@21.2.17
npm error node_modules/@angular/compiler
npm error   peer @angular/compiler@"21.2.17" from @angular/compiler-cli@21.2.17
npm error   node_modules/@angular/compiler-cli
npm error     dev @angular/compiler-cli@"21.2.17" from the root project
npm error     peer @angular/compiler-cli@"^21.0.0" from @angular-devkit/build-angular@21.2.15
npm error     node_modules/@angular-devkit/build-angular
npm error       dev @angular-devkit/build-angular@"21.2.15" from the root project
npm error     2 more (@angular/localize, ng-packagr)
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-06-18T21_49_35_692Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-06-18T21_49_35_692Z-debug-0.log