build: update cross-repo angular dependencies (22.0.x)

[angular-robot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@angular-devkit/build-angular	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular-devkit/core	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular-devkit/schematics	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/build	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/cli	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/common (source)	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/compiler (source)	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/compiler-cli (source)	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/core (source)	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/forms (source)	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/localize	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/ng-dev	2c36222 → a450a24					devDependencies	digest
@angular/platform-browser (source)	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/platform-browser-dynamic (source)	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/platform-server (source)	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/router (source)	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@angular/ssr	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
@schematics/angular	22.0.0-rc.0 → 22.0.0-rc.2					pnpm.catalog.default	patch
devinfra	eaa9aaa → 9ee8a68					git_override	digest
rules_angular	045f984 → c898ddb					git_override	digest
rules_browsers	bf27ea4 → 45441c7					git_override	digest
rules_sass	846437d → 4443f2a					git_override	digest

🔡 If you wish to disable git hash updates, add ":disableDigestUpdates" to the extends array in your config.

---

• If you want to rebase/retry this PR, check this box

---

Release Notes

angular/angular-cli (@​angular-devkit/build-angular)

v22.0.0-rc.2

Compare Source

@​angular-devkit/build-angular

Commit	Type	Description
c0f7bd833	fix	remove unconditional CORS wildcard from webpack dev-server

v22.0.0-rc.1

Compare Source

@​schematics/angular

Commit	Type	Description
a7ac8e5f0	fix	support spy call arguments migration in refactor-jasmine-vitest

@​angular/build

Commit	Type	Description
327cc2414	fix	assert that asset input paths are within workspace root
93d352798	fix	ignore virtual esbuild paths with (disabled):

angular/angular (@​angular/common)

v22.0.0-rc.2

Compare Source

common

Commit	Type	Description
ae2cb00398	fix	add upper bounds for digitsInfo
7d1fbc170a	fix	sanitize placeholder

compiler

Commit	Type	Description
ab9154ab75	fix	normalize tag names with custom namespaces in DomElementSchemaRegistry (#​68868)
94d520fb67	fix	prevent namespaced SVG <style> elements from being stripped
6ff620a033	fix	sanitize dynamic href and xlink:href bindings on SVG a elements (#​68868)

core

Commit	Type	Description
61a48e99aa	fix	do not register dom triggers when defer blocks are in manual mode
a08e4fb93c	fix	normalize tag names in runtime i18n attribute security context lookup (#​68868)
b20f0fe078	fix	prevent rxResource from leaking a subscription
0d9a245345	fix	sanitize meta selectors

forms

Commit	Type	Description
3b4ef1e2ff	perf	avoid redundant invalidations in parser errors signal

http

Commit	Type	Description
618c850282	fix	exclude withCredentials requests from transfer cache
f7b3ed8db2	fix	Introduce a max buffer size for fetch requests on SSR
e6cfaf5672	fix	prevent httpResource from leaking a subscription
86390f2be4	fix	skip TransferCache for cookie-bearing requests by default

platform-server

Commit	Type	Description
28338a1ca4	fix	prevent SSRF bypasses via backslash URLs in HttpClient
95522526e4	fix	secure location and document initialization against SSRF and path hijack

service-worker

Commit	Type	Description
a02797d045	fix	Preserves explicit 'credentials: omit' in asset requests
d0c4951a9b	fix	Preserves HTTP cache mode in asset group requests

v22.0.0-rc.1

Compare Source

Breaking Changes

router

• The return type for TitleStrategy.getResolvedTitleForRoute
  was previously 'any' while the actual return type could only be either string
  or undefined. The return type now reflects the possible values correctly.
  Code that reads the value may need to be adjusted.

  (cherry picked from commit ad37f52)

compiler

Commit	Type	Description
b2b8dea732	fix	strip namespaced SVG script elements during template compilation

core

Commit	Type	Description
38aca8fe79	fix	do not insert todo when migrating void @​Output
1e0330d854	fix	makes resource URL sanitizer lookup case-insensitive
3f6abfb167	fix	reject script element as a dynamic component host
88d138ccc8	fix	support prefix-insensitive DOM schema lookups and compile-time i18n attribute validation
bfe6f6c2a5	fix	synchronize core sanitization schema with compiler
1f71ebd788	fix	visit ICU expressions in signal migration schematics

forms

Commit	Type	Description
07a9358157	perf	avoid spurious recomputation in FormField.parseErrors

router

Commit	Type	Description
3e7117d690	fix	Add strict typing on 'getResolvedTitleForRoute'
3e5ab7b470	fix	skip scroll-to-top on initial navigation when hydrating

[ok7sai]

This PR was merged into the repository. The changes were merged into the following branches:

• 22.0.x: 5ba22b6