Bump the npm_and_yarn group across 2 directories with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the /src/ui directory:

Package	From	To
angular	1.4.14	1.8.3
angular-sanitize	1.4.14	1.8.3
jquery	2.2.4	4.0.0
lodash	4.2.1	4.18.1
moment	2.11.2	2.30.1

Bumps the npm_and_yarn group with 1 update in the /build/kubegrunt directory: grunt.

Updates angular from 1.4.14 to 1.8.3

Changelog

Sourced from angular's changelog.

1.8.3 ultimate-farewell (2022-04-07)

One final release of AngularJS in order to update package README files on npm.

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

• $sceDelegate: ensure that resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

• $sanitize: do not trigger CSP alert/report in Firefox and Chrome (2fab3d)

Refactorings

• SanitizeUriProvider: remove usages of whitelist (76738102)
• httpProvider: remove usages of whitelist and blacklist (c953af6b)
• sceDelegateProvider: remove usages of whitelist and blacklist (a206e267)

Deprecation Notices

• Deprecated $compileProvider.aHrefSanitizationWhitelist. It is now aHrefSanitizationTrustedUrlList.
• Deprecated $compileProvider.imgSrcSanitizationWhitelist. It is now imgSrcSanitizationTrustedUrlList.
• Deprecated $httpProvider.xsrfWhitelistedOrigins. It is now xsrfTrustedOrigins.
• Deprecated $sceDelegateProvider.resourceUrlWhitelist. It is now trustedResourceUrlList.
• Deprecated $sceDelegateProvider.resourceUrlBlacklist. It is now bannedResourceUrlList.

For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.

1.8.0 nested-vaccination (2020-06-01)

_This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@​koto); and independently by Esben Sparre Andreasen (@​esbena) while

... (truncated)

Commits

• cf16b24 docs(changelog): add release notes for 1.8.3
• 757d56e docs(*): update end-of-life messages (#17177)
• f362437 docs(eol): add EOL options text and link to template header used in every page
• fb04e42 test(Angular): fix angularInit() tests on Safari v15+
• 6a52c4f test(input): fix tests on Firefox v93+
• ed30c4d docs(README.md): add wiki link to MVC
• 4032655 chore(deps): bump js-yaml from 3.5.5 to 3.14.1
• 47f8c65 chore(deps): bump normalize-url from 4.5.0 to 4.5.1
• 56b0ee3 chore(e2e): run tests against Chrome 91 on macOS Catalina
• 58cd897 chore(e2e): run tests against Firefox 85 on macOS Catalina
• Additional commits viewable in compare view

Updates angular-sanitize from 1.4.14 to 1.8.3

Changelog

Sourced from angular-sanitize's changelog.

1.8.3 ultimate-farewell (2022-04-07)

One final release of AngularJS in order to update package README files on npm.

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

• $sceDelegate: ensure that resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

• $sanitize: do not trigger CSP alert/report in Firefox and Chrome (2fab3d)

Refactorings

• SanitizeUriProvider: remove usages of whitelist (76738102)
• httpProvider: remove usages of whitelist and blacklist (c953af6b)
• sceDelegateProvider: remove usages of whitelist and blacklist (a206e267)

Deprecation Notices

• Deprecated $compileProvider.aHrefSanitizationWhitelist. It is now aHrefSanitizationTrustedUrlList.
• Deprecated $compileProvider.imgSrcSanitizationWhitelist. It is now imgSrcSanitizationTrustedUrlList.
• Deprecated $httpProvider.xsrfWhitelistedOrigins. It is now xsrfTrustedOrigins.
• Deprecated $sceDelegateProvider.resourceUrlWhitelist. It is now trustedResourceUrlList.
• Deprecated $sceDelegateProvider.resourceUrlBlacklist. It is now bannedResourceUrlList.

For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.

1.8.0 nested-vaccination (2020-06-01)

_This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@​koto); and independently by Esben Sparre Andreasen (@​esbena) while

... (truncated)

Commits

• cf16b24 docs(changelog): add release notes for 1.8.3
• 757d56e docs(*): update end-of-life messages (#17177)
• f362437 docs(eol): add EOL options text and link to template header used in every page
• fb04e42 test(Angular): fix angularInit() tests on Safari v15+
• 6a52c4f test(input): fix tests on Firefox v93+
• ed30c4d docs(README.md): add wiki link to MVC
• 4032655 chore(deps): bump js-yaml from 3.5.5 to 3.14.1
• 47f8c65 chore(deps): bump normalize-url from 4.5.0 to 4.5.1
• 56b0ee3 chore(e2e): run tests against Chrome 91 on macOS Catalina
• 58cd897 chore(e2e): run tests against Firefox 85 on macOS Catalina
• Additional commits viewable in compare view

Updates jquery from 2.2.4 to 4.0.0

Release notes

Sourced from jquery's releases.

Release 4.0.0

Changelog

https://blog.jquery.com/2026/01/17/jquery-4-0-0/

Ajax

• Don't treat array data as binary (992a1911)
• Allow processData: true even for binary data (ce264e07)
• Support binary data (including FormData) (a7ed9a7b)
• Support headers for script transport even when cross-domain (#5142, 6d136443)
• Support null as success functions in jQuery.get (#4989, 74978b7e)
• Don't auto-execute scripts unless dataType provided (#4822, 025da4dd)
• Make responseJSON work for erroneous same-domain JSONP requests (68b4ec59)
• Execute JSONP error script responses (#4771, a1e619b0)
• Avoid CSP errors in the script transport for async requests (#3969, 07a8e4a1)
• Drop the json to jsonp auto-promotion logic (#1799, #3376, e7b3bc48)
• Overwrite s.contentType with content-type header value, if any (#4119, 7fb90a6b)
• Deprecate AJAX event aliases, inline event/alias into deprecated (23d53928)
• Do not execute scripts for unsuccessful HTTP responses (#4250, 50871a5a)
• Simplify jQuery.ajaxSettings.xhr (#1967, abdc89ac)

Attributes

• Make .attr( name, false ) remove for all non-ARIA attrs (#5388, 063831b6)
• Shave off a couple of bytes (b40a4807)
• Don't stringify attributes in the setter (#4948, 4250b628)
• Drop the toggleClass(boolean|undefined) signature (#3388, a4421101)
• Refactor val(): don't strip carriage return, isolate IE workarounds (ff281991)
• Don't set the type attr hook at all outside of IE (9e66fe9a)

CSS

• Fix dimensions of table <col> elements (#5628, eca2a564)
• Drop the cache in finalPropName (640d5825)
• Tests: Fix tests & support tests under CSS Zoom (#5489, 071f6dba)
• Fix reliableTrDimensions support test for initially hidden iframes (b1e66a5f)
• Selector: Align with 3.x, remove the outer selector.js wrapper (53cf7244)
• Make the reliableTrDimensions support test work with Bootstrap CSS (#5270, 65b85031)
• Make offsetHeight( true ), etc. include negative margins (#3982, bce13b72)
• Return undefined for whitespace-only CSS variable values (#5120) (7eb00196)
• Don’t trim whitespace of undefined custom property (#5105, ed306c02)
• Skip falsy values in addClass( array ), compress code (#4998, a338b407)
• Justify use of rtrim on CSS property values (655c0ed5)
• Trim whitespace surrounding CSS Custom Properties values (#4926, efadfe99)
• Include show, hide & toggle methods in the jQuery slim build (297d18dd)
• Remove the opacity CSS hook (865469f5)
• Workaround buggy getComputedStyle on table rows in IE/Edge (#4490, 26415e08)
• Don't automatically add "px" to properties with a few exceptions (#2795, 00a9c2e5)

... (truncated)

Commits

• 4f2fae0 Release: 4.0.0
• c838cfb Release: remove dist files from main branch
• 9752519 Release: 4.0.0-rc.2
• c128d5d Release: Update AUTHORS.txt
• 5fe9c29 Build: De-dupe three authors via mailmap
• afdd032 Build: Post beta browser tests errors to jquery/dev on Matrix
• 546a1eb Build: Bump the github-actions group with 4 updates
• ec738b3 Build: Fix Chrome beta tests
• c28c26a Build: Add periodic tests on beta versions of browsers
• f513413 Build: Bump the github-actions group with 2 updates
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by timmywil, a new releaser for jquery since your current version.

Updates lodash from 4.2.1 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates moment from 2.11.2 to 2.30.1

Changelog

Sourced from moment's changelog.

2.30.1

• Release Dec 27, 2023
• Revert moment/moment#5827, because it's breaking a lot of TS code.

2.30.0 Full changelog

• Release Dec 26, 2023

2.29.4

• Release Jul 6, 2022
  • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

• Release Apr 17, 2022
  • #5995 [bugfix] Remove const usage
  • #5990 misc: fix advisory link

2.29.2 See full changelog

• Release Apr 3 2022

Address GHSA-8hfj-j24r-96c4

2.29.1 See full changelog

• Release Oct 6, 2020

Updated deprecation message, bugfix in hi locale

2.29.0 See full changelog

• Release Sept 22, 2020

New locales (es-mx, bn-bd). Minor bugfixes and locale improvements. More tests. Moment is in maintenance mode. Read more at this link: https://momentjs.com/docs/#/-project-status/

2.28.0 See full changelog

• Release Sept 13, 2020

Fix bug where .format() modifies original instance, and locale updates

2.27.0 See full changelog

... (truncated)

Commits

• 485d9a7 Build 2.30.1
• e048b09 Bump version to 2.30.1
• f9f2d58 Update changelog for 2.30.1
• a52ffb2 Revert "Merge pull request #5827 from BobZombie:feature/fix_d.ts"
• ddd6809 Build 2.30.0
• be64d00 Bump version to 2.30.0
• ad41179 Update changelog for 2.30.0
• 63fe479 [misc] Make code ES6 compatible
• 0f0195f Revert "Merge pull request #5599 from Alanscut:issue_4985"
• 15b82f5 Revert "Merge pull request #5597 from Alanscut:issue-5596"
• Additional commits viewable in compare view

Updates grunt from 0.4.5 to 1.6.2

Release notes

Sourced from grunt's releases.

v1.6.1

• Changelog updates 72f6f03
• Merge pull request #1755 from gruntjs/rm-dep 8d4c183
• Add recursive 1c7d483
• Merge pull request #1756 from gruntjs/downgrade-glob 2d4fd38
• Downgrade glob 902db7c
• Fix syntax 494f243
• remove mkdirp b01389e
• remove dep on rimraf and mkdirp 0072510

gruntjs/grunt@v1.6.0...v1.6.1

v1.6.0

• Merge pull request #1750 from gruntjs/dep-update-jan28 2805dc3
• README updates 3f1e423
• Bump to 16 8fd096d
• Update more deps 42c5f95
• Bump eslint and node version 1d88050

gruntjs/grunt@v1.5.3...v1.6.0

v1.5.3

• Merge pull request #1745 from gruntjs/fix-copy-op 572d79b
• Patch up race condition in symlink copying. 58016ff
• Merge pull request #1746 from JamieSlome/patch-1 0749e1d
• Create SECURITY.md 69b7c50

gruntjs/grunt@v1.5.2...v1.5.3

v1.5.2

• Update Changelog 7f15fd5
• Merge pull request #1743 from gruntjs/cleanup-link b0ec6e1
• Clean up link handling 433f91b

gruntjs/grunt@v1.5.1...v1.5.2

v1.5.1

• Merge pull request #1742 from gruntjs/update-symlink-test ad22608
• Fix symlink test 0652305

gruntjs/grunt@v1.5.0...v1.5.1

v1.5.0

• Updated changelog b2b2c2b
• Merge pull request #1740 from gruntjs/update-deps-22-10 3eda6ae
• Update testing matrix 47d32de
• More updates 2e9161c
• Remove console log 04b960e
• Update dependencies, tests... aad3d45
• Merge pull request #1736 from justlep/main fdc7056

... (truncated)

Changelog

Sourced from grunt's changelog.

v1.6.2 date: 2026-04-14 changes: - Update minimatch to 3.1.5. (PR: gruntjs/grunt#1796) - Update nopt to 5.0.0. (PR: gruntjs/grunt#1778) v1.6.1 date: 2023-01-31 changes: - Downgrades to glob 7 for Windows compatability - Removes mkdirp and rimraf in favour of node.js APIs. v1.6.0 date: 2023-01-28 changes: - Requires node.js 16+. - template.date now uses dateformat ~4.6.2. - other dependency updates such as glob, rimraf, etc. v1.5.3 date: 2022-04-23 changes: - Patch up race condition in symlink copying. v1.5.2 date: 2022-04-12 changes: - Unlink symlinks when copy destination is a symlink. v1.5.1 date: 2022-04-11 changes: - Fixed symlink destination handling. v1.5.0 date: 2022-04-10 changes: - Updated dependencies. - Add symlink handling for copying files. v1.4.1 date: 2021-05-24 changes: - Fix --preload option to be a known option - Switch to GitHub Actions v1.4.0 date: 2021-04-21 changes: - Security fixes in production and dev dependencies - Liftup/Liftoff upgrade breaking change. Update your scripts to use --preload instead of --require. Ref: gulpjs/liftoff@e7a969d. v1.3.0 date: 2020-08-18 changes: - Switch to use safeLoad for loading YML files via file.readYAML. - Upgrade legacy-log to ~3.0.0.

... (truncated)

Commits

• f49016e 1.6.2
• 662e097 Update minimatch to 3.1.5 to fix CVEs
• a29fd18 CI: add Node.js 24 to version matrix
• f757c4f Update links
• b5aa834 Merge pull request #1792 from UlisesGascon/security-md
• 8d2dea2 docs: refresh security policy
• aa15bdc Merge pull request #1786 from stscoundrel/ci-node-22
• ee5b2a3 Merge pull request #1787 from gruntjs/add-commercial-support
• c0e2b42 Readme updates re: support
• c4f037d CI: update GH actions V3 -> V4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by krinkle, a new releaser for grunt since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}