fix: Upgrade Angular packages to resolve all Snyk vulnerabilities #14

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1776854558-fix-snyk-vulnerabilities
Conversation

@devin-ai-integration

Summary

Upgrades all Angular packages to their latest 21.2.x patch releases to resolve 16 SCA vulnerabilities identified by Snyk, including 2 critical (SSRF), 9 high (ReDoS, uncaught exceptions, missing auth, data amplification), and 5 medium/low severity issues.

Version changes:

  • @angular/animations, common, compiler, core, forms, platform-browser, platform-browser-dynamic, router: 21.1.1 → 21.2.9
  • @angular/core: 21.2.4 → 21.2.9
  • @angular/build, cli: 21.1.1 → 21.2.7 (latest available for these packages)
  • @angular/compiler-cli: 21.1.1 → 21.2.9

These upgrades transitively fix vulnerable versions of undici, vite, ajv, picomatch, @schematics/angular, and @modelcontextprotocol/sdk.

Not addressed in this PR:

  • SAST findings (hardcoded test credentials in spec/e2e files) — these are low severity and in test code only
  • Unmanaged C/C++ finding (cockpit-project/cockpit) — system-level dependency, not controllable via npm

Review & Testing Checklist for Human

  • Verify Angular version compatibility: @angular/build and @angular/cli are at 21.2.7 while runtime packages are at 21.2.9. Confirm this version split does not cause build or runtime issues in your environment.
  • Check package-lock.json addition: The repo previously used bun.lock. Verify this new package-lock.json doesn't conflict with your team's package manager workflow (npm vs bun).
  • Run the app locally (npm start or bun start) and verify it loads and functions correctly — the build succeeded in CI but a manual smoke test is recommended.
  • Run Snyk scan to confirm all SCA vulnerabilities are resolved post-merge.

Notes

  • npm install reports 0 vulnerabilities after the upgrade.
  • ng build completes successfully with the upgraded packages.
  • Prettier formatting check passes with no changes needed.

Link to Devin session: https://app.devin.ai/sessions/301f0711f6844c3ca0959ed872c143be
Requested by: @SachetCognition

Upgrade all Angular packages from 21.1.1 to 21.2.x (latest patches):
- @angular/animations, common, compiler, core, forms, platform-browser,
  platform-browser-dynamic, router: 21.1.1 -> 21.2.9
- @angular/build, cli: 21.1.1 -> 21.2.7
- @angular/compiler-cli: 21.1.1 -> 21.2.9

This resolves 17 SCA vulnerabilities including:
- 2 Critical: SSRF in @angular/build and @schematics/angular (CVE-2026-27739)
- 9 High: undici (4 CVEs), vite (2 CVEs), ajv ReDoS, picomatch ReDoS,
  @modelcontextprotocol/sdk race condition
- 4 Medium: prototype pollution, HTTP smuggling, CRLF injection, directory traversal
- 1 Low: XSS in @angular/compiler (CVE-2026-32635)

Co-Authored-By: sachet.agarwal <sachet.agarwal@windsurf.com>
@devin-ai-integration (Author)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@devin-ai-integration (Author)

Testing Results: Angular Package Upgrade Verification

Ran the app locally against dev server at localhost:4200 with upgraded Angular 21.2.x packages. All tests passed.

Test 1: Home page loads with articles and tags — PASSED

Home page renders correctly with Conduit banner, "Global Feed" tab active, multiple articles with authors/dates/tags, and "Popular Tags" sidebar populated from the API.

[Screenshot: Home page]

Test 2: Client-side routing and lazy loading — PASSED
[Screenshot "Tag navigation": tag filtering at /tag/javascript]
[Screenshot "Login page": login page lazy-loaded at /login]

All navigations were client-side (no full page reloads). Lazy-loaded components loaded correctly.

Test 3: No Angular framework errors in console — PASSED

Console shows only "Angular is running in development mode" — no errors, no chunk loading failures. Angular version confirmed as 21.2.9 via ng-version attribute.

[Screenshot: Clean console]

Build & Scan Verification

Check                    Result
npm install              0 vulnerabilities
ng build (production)    Success in 7.4s
ng serve (dev)           Success in 3.3s
prettier --check         All files pass
Snyk SCA re-scan         0 npm vulnerabilities

