chore: resolve open dependabot security alerts #252

Merged: jonathannorris merged 13 commits into main from chore/dependabot-alerts on Jun 22, 2026

Conversation

jonathannorris (Member) commented Jun 8, 2026

Summary

Resolves the open critical Dependabot alerts for vitest in the Angular integration test workspace.

  • Bumped vitest ^2.1.9 -> ^4.1.0 to fix the critical Vitest UI server arbitrary file read/exec vulnerability (GHSA-5xrq-8626-4rwp / CVE-2026-47429, alerts #40 and #41). Resolves to 4.1.8.
  • Raised the angular-integration Node engine floor from >=18 to >=22.22.3: vitest 4 requires Node 22, and 22.22.3 is the patch version where the Angular directive test suite became stable.
  • Bumped @analogjs/vitest-angular ^1.11.0 -> ^2.6.0 since the 1.x line only supports vitest ^1 || ^2; 2.6.0 supports vitest 4 and keeps Angular 19 / Vite 6 compatibility.
  • Added a ws ^8.21.0 override to avoid reintroducing GHSA-58qx-3vcg-4xpx via the refreshed jsdom transitive tree (npm audit reports 0 vulnerabilities after).
  • Fixed call order in generated ngOnChanges() overrides: _featureFlagValue must be assigned before super.ngOnChanges() because the base class's onFlagValue reads _featureFlagValue to compute isValueMatch; calling super first left the value unset, causing the else template to never render.

Verification

  • npm install clean, npm audit reports 0 vulnerabilities.
  • Angular integration suite passes locally: 4 files, 58 tests green on vitest 4.1.8 (generated client built via openfeature generate angular).
  • go build ./... and go test ./... pass.
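The ngOnChanges ordering fix described in the summary, modelled as an added example in plain TypeScript (not code from this PR or from OpenFeature; FlagDirectiveBase, renderOnce, the rendered field, and the rule that an unset _featureFlagValue counts as a match are assumptions): with the old override the else branch can never be chosen on the first change pass, while the reordered override evaluates against the bound input.

```typescript
// Added example, not code from this PR or from OpenFeature. Assumed: the base
// class name FlagDirectiveBase, the `rendered` field, ngOnChanges(flagValue)
// taking the evaluated value directly, and "unset _featureFlagValue counts as
// a match" (the rule that makes "the else template never renders" the symptom).
type Rendered = 'then' | 'else' | 'none';

class FlagDirectiveBase {
  protected _featureFlagValue: unknown = undefined; // set by the generated subclass
  protected isValueMatch = false;
  rendered: Rendered = 'none';

  // Reads _featureFlagValue to compute isValueMatch, then picks a template.
  protected onFlagValue(flagValue: unknown): void {
    this.isValueMatch =
      this._featureFlagValue === undefined || flagValue === this._featureFlagValue;
    this.rendered = this.isValueMatch ? 'then' : 'else';
  }

  // Stand-in for the base class's ngOnChanges: re-evaluates on every change.
  ngOnChanges(flagValue: unknown): void {
    this.onFlagValue(flagValue);
  }
}

// "Before" shape of the generated override: super runs before the input is
// copied, so onFlagValue still sees _featureFlagValue === undefined.
class BuggyDiscountPercentageDirective extends FlagDirectiveBase {
  discountPercentage: unknown;
  ngOnChanges(flagValue: unknown): void {
    super.ngOnChanges(flagValue);
    this._featureFlagValue = this.discountPercentage;
  }
}

// "After" shape from this PR: assign first, then let the base class evaluate.
class FixedDiscountPercentageDirective extends FlagDirectiveBase {
  discountPercentage: unknown;
  ngOnChanges(flagValue: unknown): void {
    this._featureFlagValue = this.discountPercentage;
    super.ngOnChanges(flagValue);
  }
}

type DiscountDirective = BuggyDiscountPercentageDirective | FixedDiscountPercentageDirective;
// One change-detection pass: bind the input, fire ngOnChanges, report the view.
function renderOnce(d: DiscountDirective, discountInput: unknown, evaluatedFlag: unknown): Rendered {
  d.discountPercentage = discountInput;
  d.ngOnChanges(evaluatedFlag);
  return d.rendered;
}
```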

gemini-code-assist (Bot, Contributor) left a comment

Code Review

This pull request upgrades @analogjs/vitest-angular to ^2.6.0 and vitest to ^4.1.0 in the Angular integration test package, along with adding a ws override. However, these upgraded dependencies require a higher Node.js version than the currently specified >=18 in the engines field. It is recommended to update the minimum Node.js version requirement to at least >=20 to prevent installation warnings or runtime failures.



Copilot AI left a comment

Pull request overview

Updates the Angular integration-test workspace dependencies to address Dependabot security alerts, primarily by upgrading Vitest and related tooling and pinning a safe ws version via overrides.

Changes:

  • Upgraded vitest to ^4.1.0 and @analogjs/vitest-angular to ^2.6.0 in the Angular integration workspace.
  • Added a ws override (^8.21.0) to avoid reintroducing a known vulnerable transitive version.
  • Raised the Angular integration workspace Node engine requirement from >=18 to >=22 (per diff).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

  • test/angular-integration/package.json: Bumps Vitest + Angular Vitest adapter versions, adds ws override, and updates Node engine floor.
  • test/angular-integration/package-lock.json: Regenerates lockfile to reflect upgraded dependencies (Vitest 4.x tree, new transitive deps, updated engines).

Files not reviewed (1)
  • test/angular-integration/package-lock.json: Language not supported

- vitest ^2.1.9 -> ^4.1.0 to fix UI server arbitrary file read/exec (critical, GHSA-5xrq-8626-4rwp, alerts #40 #41)
- @analogjs/vitest-angular ^1.11.0 -> ^2.6.0 for vitest 4 compatibility
- add ws ^8.21.0 override to avoid reintroducing GHSA-58qx-3vcg-4xpx via jsdom

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
…ty alerts

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
…rtions

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
…ate assertions"

This reverts commit 92b3257.

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
…tive tests)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
… template renders

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris force-pushed the chore/dependabot-alerts branch from 5413e26 to f33a8c6 Compare June 15, 2026 21:00
@jonathannorris jonathannorris marked this pull request as ready for review June 15, 2026 21:01
…erts

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
coderabbitai (Bot) commented Jun 22, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉


Walkthrough

The Angular directive template is updated to assign _featureFlagValue before calling super.ngOnChanges(), reversing the prior order. The golden test file reflects this change across four directives. Additionally, Angular, Vitest, esbuild, and related package versions are bumped in both integration test environments, and the oapi-codegen version in the generated Go client header is updated.

Changes

Angular ngOnChanges ordering fix
  Layer: ngOnChanges reorder in template and golden test data
  File(s): internal/generators/angular/angular.tmpl, internal/cmd/testdata/success_angular.golden
  Summary: Template now assigns _featureFlagValue from the directive input before calling super.ngOnChanges(). Golden file reflects this reordering in all four non-boolean structural directives (DiscountPercentage, GreetingMessage, ThemeCustomization, UsernameMaxLength).

Dependency and tooling version bumps
  Layer: Test package.json updates and generated file header bump
  File(s): test/angular-integration/package.json, test/nodejs-integration/package.json, internal/api/client/sync_client.gen.go
  Summary: Angular integration bumps @angular/* to 19.2.25, @analogjs/vitest-angular to ^2.6.0, vitest to ^4.1.0, esbuild to ^0.28.1, adds a ws ^8.21.0 override, and raises the Node.js engine requirement to >=22.22.3. Node.js integration pins esbuild to ^0.28.1 via a new overrides block. Generated Go client header references oapi-codegen v2.7.1.

Pre-merge checks: 5 passed
  • Title check: Passed. The title 'chore: resolve open dependabot security alerts' clearly and concisely summarizes the main objective of the pull request, which is addressing Dependabot security vulnerabilities.
  • Description check: Passed. The description is highly detailed and directly related to the changeset, explaining the Dependabot security fixes, dependency version bumps, and a code generation bug fix with verification details.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 7 changed files in this pull request and generated 2 comments.

Files not reviewed (3)
  • internal/api/client/sync_client.gen.go: Generated file
  • test/angular-integration/package-lock.json: Generated file
  • test/nodejs-integration/package-lock.json: Generated file

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
… constraints

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris marked this pull request as ready for review June 22, 2026 14:39
@jonathannorris jonathannorris enabled auto-merge June 22, 2026 14:39
@jonathannorris jonathannorris added this pull request to the merge queue Jun 22, 2026
Merged via the queue into main with commit 784196c Jun 22, 2026
8 checks passed