Fix trusted provenance #2194

Merged
crutchcorn merged 9 commits into main from fix-trusted-provenance on May 26, 2026

Conversation

@crutchcorn crutchcorn commented May 26, 2026

This PR:

  • Fixes trusted provenance that broke CI today
  • Upgrades Angular to 21 to use more trusted deps
  • Upgrades TypeScript to 5.9 to support the newer Angular version
  • Fixes issues with older TS compat tables
  • Upgrades PNPM to 11.3.0 and now includes the SHA
  • Makes the changeset file safer with a more trusted dep
  • Regenerates the PNPM lockfile

Summary by CodeRabbit

Release Notes

  • Documentation
    • Updated Angular framework guides with improved code formatting and layout.
  • Chores
    • Updated TypeScript to version 5.9.3 across all examples and packages.
    • Updated Angular framework dependencies in example projects to version 21.2.x.
    • Updated Next.js and Remix dependencies to latest versions.
    • Enhanced TypeScript version coverage testing across form packages.
    • Updated module resolution configuration for improved build compatibility.
    • Updated changelog configuration and workspace dependency management.

@crutchcorn crutchcorn requested a review from a team as a code owner May 26, 2026 17:24
coderabbitai Bot commented May 26, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6df60bf0-eaa9-4cd4-8825-4de98a8d0711

📥 Commits

Reviewing files that changed from the base of the PR and between c47c93d and 159324b.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (49)
  • .changeset/config.json
  • docs/framework/angular/guides/arrays.md
  • docs/framework/angular/guides/form-composition.md
  • examples/angular/array/package.json
  • examples/angular/array/tsconfig.json
  • examples/angular/large-form/package.json
  • examples/angular/large-form/tsconfig.json
  • examples/angular/simple/package.json
  • examples/angular/simple/tsconfig.json
  • examples/angular/standard-schema/package.json
  • examples/angular/standard-schema/tsconfig.json
  • examples/react/expo/package.json
  • examples/react/next-server-actions-zod/package.json
  • examples/react/next-server-actions/package.json
  • examples/react/remix/package.json
  • examples/react/tanstack-start/package.json
  • examples/react/ui-libraries/package.json
  • examples/solid/array/package.json
  • examples/solid/devtools/package.json
  • examples/solid/large-form/package.json
  • examples/solid/simple/package.json
  • examples/solid/standard-schema/package.json
  • examples/svelte/array/package.json
  • examples/svelte/large-form/package.json
  • examples/svelte/simple/package.json
  • examples/svelte/standard-schema/package.json
  • examples/vue/array/package.json
  • examples/vue/simple/package.json
  • examples/vue/standard-schema/package.json
  • package.json
  • packages/angular-form/package.json
  • packages/form-core/package.json
  • packages/form-devtools/package.json
  • packages/form-devtools/src/contexts/eventClientContext.tsx
  • packages/lit-form/package.json
  • packages/preact-form/package.json
  • packages/react-form-devtools/package.json
  • packages/react-form-devtools/tsconfig.json
  • packages/react-form-nextjs/package.json
  • packages/react-form-nextjs/tsconfig.json
  • packages/react-form-remix/package.json
  • packages/react-form-remix/tsconfig.json
  • packages/react-form-start/package.json
  • packages/react-form-start/tsconfig.json
  • packages/react-form/package.json
  • packages/react-form/tsconfig.json
  • packages/solid-form/package.json
  • packages/vue-form/package.json
  • pnpm-workspace.yaml

📝 Walkthrough

This PR upgrades TypeScript to 5.9.3 across the workspace and examples, updates Angular frameworks from 20.3.x to 21.2.14, bumps Next.js and Remix dependencies, switches changelog generation to the official changesets GitHub plugin, expands TypeScript testing to include 5.9 validation, refines pnpm workspace policies, and optimizes form devtools event handling.

Changes

Tooling and dependency maintenance

Layer / File(s) / Summary

  • Changelog integration and root package manager setup
    Files: .changeset/config.json, package.json
    Changelog generator switched from @svitejs/changesets-changelog-github-compact to @changesets/changelog-github with disableThanks enabled. Root pnpm upgraded to 11.3.0 and TypeScript version aliases expanded to include typescript54 through typescript58 at newer patch/minor versions.

  • Angular examples framework and configuration updates
    Files: examples/angular/*/package.json, examples/angular/*/tsconfig.json, docs/framework/angular/guides/*
    All Angular examples upgraded from 20.3.x to 21.2.14, TypeScript bumped to 5.9.3, and compilerOptions.moduleResolution changed from "node" to "bundler". Angular documentation templates reformatted for improved readability.

  • React, Next.js, and Remix example dependency updates
    Files: examples/react/next-server-actions*/package.json, examples/react/remix/package.json, examples/react/{expo,tanstack-start,ui-libraries}/package.json
    Next.js updated from 16.0.5 to 16.2.6, Remix packages bumped to 2.17.4, and TypeScript raised to 5.9.3 across all React example variants.

  • Vue, Solid, and Svelte example TypeScript updates
    Files: examples/{vue,solid,svelte}/*/package.json
    TypeScript dependency uniformly updated to 5.9.3 across all 12 Vue, Solid, and Svelte example projects.

  • TypeScript 5.8/5.9 type-checking test scripts across packages
    Files: packages/*/package.json (form-core, form-devtools, lit-form, preact-form, react-form-devtools, react-form-nextjs, react-form-remix, react-form-start, react-form, solid-form, vue-form)
    All framework packages' test:types:ts58 scripts now run the pinned TypeScript 5.8 compiler from node_modules, and new test:types:ts59 scripts added to validate against TypeScript 5.9.

  • Package exports and tsconfig.json scope adjustments
    Files: packages/angular-form/package.json, packages/react-form-*/tsconfig.json
    Angular-form package exports updated to reference ./dist/types/tanstack-angular-form.d.ts instead of ./dist/index.d.ts. Multiple react-form packages' TypeScript includes refined to exclude vite.config.ts while retaining src, tests, and eslint.config.js.

  • Form devtools event handler caching
    Files: packages/form-devtools/src/contexts/eventClientContext.tsx
    Form-submission event handler now caches the matched store entry as a local variable to eliminate redundant array access during history update.

  • pnpm workspace trust and dependency policies
    Files: pnpm-workspace.yaml
    Workspace trustPolicy: 'no-downgrade' extended with trustPolicyExclude list for specific packages, and tinyexec pinned to 1.1.2 via inline overrides.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • TanStack/form#2186: Modifies pnpm-workspace.yaml to tighten pnpm dependency trust and policy settings.

🐰 Hop along with TypeScript, where bundles align,
Angular frames now twenty-one shine,
Five-point-nine tests the code so fine,
Dependencies dance in orderly line, 🎉
A devtools leap makes logic less define!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Title check: ❓ Inconclusive. The title 'Fix trusted provenance' is vague and generic; it doesn't provide enough specificity about the main changes (dependency upgrades, Angular/TypeScript versions). Resolution: Consider a more descriptive title like 'Upgrade Angular to 21, TypeScript to 5.9, and PNPM to 11.3.0 for trusted provenance' to clarify the scope.

✅ Passed checks (3 passed)

  • Description check: ✅ Passed. The PR description clearly outlines the changes (provenance fix, Angular 21 upgrade, TypeScript 5.9 upgrade, PNPM update, changeset modifications) but the provided template checklist items are unchecked.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

nx-cloud Bot commented May 26, 2026

View your CI Pipeline Execution ↗ for commit 28398c9

Command / Status / Duration

  • nx affected --targets=test:sherif,test:knip,tes... : ✅ Succeeded (2m 47s)
  • nx run-many --target=build --exclude=examples/** : ✅ Succeeded (37s)

☁️ Nx Cloud last updated this comment at 2026-05-26 17:29:40 UTC

github-actions Bot commented May 26, 2026

🚀 Changeset Version Preview

2 package(s) bumped directly, 12 bumped as dependents.

🟩 Patch bumps

Package / Version / Reason

  • @tanstack/form-core: 1.32.0 → 1.32.1 (Changeset)
  • @tanstack/vue-form: 1.32.0 → 1.32.1 (Changeset)
  • @tanstack/angular-form: 1.32.0 → 1.32.1 (Dependent)
  • @tanstack/form-devtools: 0.2.27 → 0.2.28 (Dependent)
  • @tanstack/lit-form: 1.24.1 → 1.24.2 (Dependent)
  • @tanstack/preact-form: 1.29.7 → 1.29.8 (Dependent)
  • @tanstack/react-form: 1.32.0 → 1.32.1 (Dependent)
  • @tanstack/react-form-devtools: 0.2.27 → 0.2.28 (Dependent)
  • @tanstack/react-form-nextjs: 1.32.0 → 1.32.1 (Dependent)
  • @tanstack/react-form-remix: 1.32.0 → 1.32.1 (Dependent)
  • @tanstack/react-form-start: 1.32.0 → 1.32.1 (Dependent)
  • @tanstack/solid-form: 1.32.0 → 1.32.1 (Dependent)
  • @tanstack/solid-form-devtools: 0.2.27 → 0.2.28 (Dependent)
  • @tanstack/svelte-form: 1.32.0 → 1.32.1 (Dependent)

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | High | Publisher changed: npm @expo/spawn-async is now published by philpl

Author: philpl

From: pnpm-lock.yaml → npm/expo-splash-screen@31.0.13 → npm/expo@54.0.34 → npm/@expo/spawn-async@1.8.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Warn | High | High CVE: npm lodash vulnerable to Code Injection via `_.template` imports key names

CVE: GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via _.template imports key names (HIGH)

Affected versions: >= 4.0.0 < 4.18.0

Patched version: 4.18.0

From: pnpm-lock.yaml → npm/@tanstack/vite-config@0.4.1 → npm/lodash@4.17.23

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Warn | High | Obfuscated code: npm markdown-it is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: pnpm-lock.yaml → npm/@tanstack/typedoc-config@0.3.1 → npm/markdown-it@14.2.0

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Warn | High | Obfuscated code: npm svelte is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: examples/svelte/array/package.json → npm/svelte@5.55.9

Warn | High | Obfuscated code: npm svelte2tsx is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: pnpm-lock.yaml → npm/@sveltejs/package@2.5.7 → npm/svelte2tsx@0.7.55

Warn | High | Publisher changed: npm type-is is now published by blakeembrey

Author: blakeembrey

From: pnpm-lock.yaml → npm/@angular/cli@21.2.12 → npm/type-is@2.1.0

Warn | Medium | Low adoption: npm @harperfast/extended-iterable

Location: Package overview

From: pnpm-lock.yaml → npm/@angular-devkit/build-angular@21.2.12 → npm/@analogjs/vite-plugin-angular@2.5.2 → npm/@harperfast/extended-iterable@1.0.3

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Warn | Medium | Low adoption: npm @humanfs/types

Location: Package overview

From: pnpm-lock.yaml → npm/eslint@9.36.0 → npm/@humanfs/types@0.15.0

Warn | Medium | Low adoption: npm @package-json/types

Location: Package overview

From: pnpm-lock.yaml → npm/eslint-config-expo@10.0.0 → npm/@tanstack/eslint-config@0.3.2 → npm/@package-json/types@0.0.12

pkg-pr-new Bot commented May 26, 2026

  • @tanstack/angular-form: npm i https://pkg.pr.new/@tanstack/angular-form@2194
  • @tanstack/form-core: npm i https://pkg.pr.new/@tanstack/form-core@2194
  • @tanstack/form-devtools: npm i https://pkg.pr.new/@tanstack/form-devtools@2194
  • @tanstack/lit-form: npm i https://pkg.pr.new/@tanstack/lit-form@2194
  • @tanstack/preact-form: npm i https://pkg.pr.new/@tanstack/preact-form@2194
  • @tanstack/react-form: npm i https://pkg.pr.new/@tanstack/react-form@2194
  • @tanstack/react-form-devtools: npm i https://pkg.pr.new/@tanstack/react-form-devtools@2194
  • @tanstack/react-form-nextjs: npm i https://pkg.pr.new/@tanstack/react-form-nextjs@2194
  • @tanstack/react-form-remix: npm i https://pkg.pr.new/@tanstack/react-form-remix@2194
  • @tanstack/react-form-start: npm i https://pkg.pr.new/@tanstack/react-form-start@2194
  • @tanstack/solid-form: npm i https://pkg.pr.new/@tanstack/solid-form@2194
  • @tanstack/solid-form-devtools: npm i https://pkg.pr.new/@tanstack/solid-form-devtools@2194
  • @tanstack/svelte-form: npm i https://pkg.pr.new/@tanstack/svelte-form@2194
  • @tanstack/vue-form: npm i https://pkg.pr.new/@tanstack/vue-form@2194

commit: 159324b

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.42%. Comparing base (6892ed0) to head (159324b).
⚠️ Report is 229 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2194      +/-   ##
==========================================
+ Coverage   90.35%   91.42%   +1.07%     
==========================================
  Files          38       59      +21     
  Lines        1752     2345     +593     
  Branches      444      584     +140     
==========================================
+ Hits         1583     2144     +561     
- Misses        149      180      +31     
- Partials       20       21       +1     


@crutchcorn crutchcorn merged commit 120473e into main May 26, 2026
8 of 9 checks passed
@crutchcorn crutchcorn deleted the fix-trusted-provenance branch May 26, 2026 17:39
Labels: None yet
Projects: None yet
3 participants