
chore: resolve open dependabot security alerts#252

Open
jonathannorris wants to merge 10 commits into main from chore/dependabot-alerts

Conversation


@jonathannorris jonathannorris commented Jun 8, 2026

Member

Summary

Resolves the open critical Dependabot alerts for vitest in the Angular integration test workspace.

  • Bumped vitest ^2.1.9 -> ^4.1.0 to fix the critical Vitest UI server arbitrary file read/exec vulnerability (GHSA-5xrq-8626-4rwp / CVE-2026-47429, alerts #40 and #41). Resolves to 4.1.8.
  • Raised the angular-integration Node engine floor from >=18 to >=22.22.3: vitest 4 requires Node 22, and 22.22.3 is the patch version where the Angular directive test suite became stable.
  • Bumped @analogjs/vitest-angular ^1.11.0 -> ^2.6.0 since the 1.x line only supports vitest ^1 || ^2; 2.6.0 supports vitest 4 and keeps Angular 19 / Vite 6 compatibility.
  • Added a ws ^8.21.0 override to avoid reintroducing GHSA-58qx-3vcg-4xpx via the refreshed jsdom transitive tree (npm audit reports 0 vulnerabilities after).
  • Fixed call order in generated ngOnChanges() overrides: _featureFlagValue must be assigned before super.ngOnChanges() because the base class's onFlagValue reads _featureFlagValue to compute isValueMatch; calling super first left the value unset, causing the else template to never render.

Verification

  • npm install clean, npm audit reports 0 vulnerabilities.
  • Angular integration suite passes locally: 4 files, 58 tests green on vitest 4.1.8 (generated client built via openfeature generate angular).
  • go build ./... and go test ./... pass.
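The ngOnChanges() call-order bug from the summary, as an added illustration that is not the project's generated code or the page's own: a base class whose ngOnChanges() forwards to onFlagValue(), and two subclass overrides that differ only in whether _featureFlagValue is assigned before or after super.ngOnChanges(). The class names, the SimpleChanges shape and the rule inside onFlagValue (an unset expected value counts as a match) are assumptions.

```typescript
// Assumed shape of Angular's SimpleChanges, reduced to what the example reads.
type SimpleChanges = Record<string, { currentValue: unknown }>;

// Assumed base class standing in for the real directive base: ngOnChanges()
// forwards the current flag value to onFlagValue(), which reads
// _featureFlagValue to compute isValueMatch. The "unset expected value matches
// anything" rule is an assumption that reproduces the symptom in the PR text.
class FeatureFlagDirectiveBase {
  protected _featureFlagValue: unknown = undefined;
  isValueMatch = false;

  constructor(private readonly flagValue: unknown) {}

  ngOnChanges(_changes: SimpleChanges): void {
    this.onFlagValue(this.flagValue);
  }

  protected onFlagValue(value: unknown): void {
    this.isValueMatch =
      this._featureFlagValue === undefined || value === this._featureFlagValue;
  }
}

// Before the fix: super runs while _featureFlagValue is still unset, so the
// base class sees no expected value, reports a match, and the "else" template
// is never rendered even when the flag does not match.
class SuperFirstDirective extends FeatureFlagDirectiveBase {
  ngOnChanges(changes: SimpleChanges): void {
    super.ngOnChanges(changes);
    this._featureFlagValue = changes["featureFlagValue"]?.currentValue;
  }
}

// After the fix: assign first, then let the base class evaluate the match.
class AssignFirstDirective extends FeatureFlagDirectiveBase {
  ngOnChanges(changes: SimpleChanges): void {
    this._featureFlagValue = changes["featureFlagValue"]?.currentValue;
    super.ngOnChanges(changes);
  }
}

// Drives one change-detection pass and returns the computed match result.
export function evaluateMatch(
  order: "superFirst" | "assignFirst",
  flag: unknown,
  expected: unknown,
): boolean {
  const d = order === "superFirst" ? new SuperFirstDirective(flag) : new AssignFirstDirective(flag);
  d.ngOnChanges({ featureFlagValue: { currentValue: expected } });
  return d.isValueMatch;
}
```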

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request upgrades @analogjs/vitest-angular to ^2.6.0 and vitest to ^4.1.0 in the Angular integration test package, along with adding a ws override. However, these upgraded dependencies require a higher Node.js version than the currently specified >=18 in the engines field. It is recommended to update the minimum Node.js version requirement to at least >=20 to prevent installation warnings or runtime failures.



Copilot AI left a comment



Pull request overview

Updates the Angular integration-test workspace dependencies to address Dependabot security alerts, primarily by upgrading Vitest and related tooling and pinning a safe ws version via overrides.

Changes:

  • Upgraded vitest to ^4.1.0 and @analogjs/vitest-angular to ^2.6.0 in the Angular integration workspace.
  • Added a ws override (^8.21.0) to avoid reintroducing a known vulnerable transitive version.
  • Raised the Angular integration workspace Node engine requirement from >=18 to >=22 (per diff).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File Description
test/angular-integration/package.json Bumps Vitest + Angular Vitest adapter versions, adds ws override, and updates Node engine floor.
test/angular-integration/package-lock.json Regenerates lockfile to reflect upgraded dependencies (Vitest 4.x tree, new transitive deps, updated engines).
Files not reviewed (1)
  • test/angular-integration/package-lock.json: Language not supported


- vitest ^2.1.9 -> ^4.1.0 to fix UI server arbitrary file read/exec (critical, GHSA-5xrq-8626-4rwp, alerts #40 #41)
- @analogjs/vitest-angular ^1.11.0 -> ^2.6.0 for vitest 4 compatibility
- add ws ^8.21.0 override to avoid reintroducing GHSA-58qx-3vcg-4xpx via jsdom

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
…ty alerts

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
…rtions

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
…ate assertions"

This reverts commit 92b3257.

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
…tive tests)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
… template renders

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris force-pushed the chore/dependabot-alerts branch from 5413e26 to f33a8c6 Compare June 15, 2026 21:00
@jonathannorris jonathannorris marked this pull request as ready for review June 15, 2026 21:01