📦 Update subpackage devDependencies (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Update	Type	Package file
@rollup/plugin-node-resolve (source)	15.3.1 → 16.0.3			major	devDependencies	third_party/amp-toolbox-cache-url/package.json
actions/checkout	v4.3.1 → v6.0.2			major	action	.github/workflows/update-session-issues.yml
actions/checkout	v4 → v6			major	action	.github/workflows/moderator.yml
actions/setup-node	v4.4.0 → v6.2.0			major	action	.github/workflows/status-page.yml
actions/upload-artifact	v4.6.2 → v7.0.0			major	action	.github/workflows/scorecard.yml
eslint (source)	9.39.2 → 10.0.2			major	devDependencies	third_party/amp-toolbox-cache-url/package.json
github/codeql-action	v3.31.9 → v4.32.5			major	action	.github/workflows/scorecard.yml
jasmine (source)	5.13.0 → 6.1.0			major	devDependencies	third_party/amp-toolbox-cache-url/package.json
npm-run-all2	6.2.6 → 8.0.4			major	devDependencies	third_party/amp-toolbox-cache-url/package.json

See all other Renovate PRs on the Dependency Dashboard

How to resolve breaking changes

This PR may introduce breaking changes that require manual intervention. In such cases, you will need to check out this branch, fix the cause of the breakage, and commit the fix to ensure a green CI build. To check out and update this PR, follow the steps below:

# Check out the PR branch
git checkout -b renovate/major-subpackage-devdependencies main
git pull https://github.com/ampproject/amphtml.git renovate/major-subpackage-devdependencies

# Directly make fixes and commit them
amp lint --fix # For lint errors in JS files
amp prettify --fix # For prettier errors in non-JS files
# Edit source code in case of new compiler warnings / errors

# Push the changes to the branch
git push git@github.com:ampproject/amphtml.git renovate/major-subpackage-devdependencies:renovate/major-subpackage-devdependencies

---

Release Notes

rollup/plugins (@​rollup/plugin-node-resolve)

v16.0.3

2025-10-13

Bugfixes

• fix: resolve bare targets of package "imports" using export maps; avoid fileURLToPath(null) (#​1908)

v16.0.2

2025-10-04

Bugfixes

• fix: error thrown with empty entry (#​1893)

v16.0.1

2025-03-11

Bugfixes

• fix: add ignoreSideEffectsForRoot to exported interface (#​1841)

v16.0.0

2024-12-15

Breaking Changes

• feat!: set development or production condition (#​1823)

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

v6.0.0

Compare Source

v5.0.1

Compare Source

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in #​2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

Compare Source

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in #​2226
• Prepare v5.0.0 release by @​salmanmkc in #​2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

actions/setup-node (actions/setup-node)

v6.2.0

Compare Source

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in #​1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #​1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #​1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #​1362

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in #​1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in #​1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in #​1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in #​1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in #​1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1345

New Contributors

• @​priya-kinthali made their first contribution in #​1348
• @​salmanmkc made their first contribution in #​1325

Full Changelog: actions/setup-node@v4...v5.0.0

actions/upload-artifact (actions/upload-artifact)

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

Compare Source

v5.0.0

Compare Source

eslint/eslint (eslint)

v10.0.2

Compare Source

v10.0.1

Compare Source

Bug Fixes

• c87d5bd fix: update eslint (#​20531) (renovate[bot])
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#​20519) (루밀LuMir)
• 04c2147 fix: update error message for unused suppressions (#​20496) (fnx)
• 38b089c fix: update dependency @​eslint/config-array to ^0.23.1 (#​20484) (renovate[bot])

Documentation

• 5b3dbce docs: add AI acknowledgement section to templates (#​20431) (루밀LuMir)
• 6f23076 docs: toggle nav in no-JS mode (#​20476) (Tanuj Kanti)
• b69cfb3 docs: Update README (GitHub Actions Bot)

Chores

• e5c281f chore: updates for v9.39.3 release (Jenkins)
• 8c3832a chore: update @​typescript-eslint/parser to ^8.56.0 (#​20514) (Milos Djermanovic)
• 8330d23 test: add tests for config-api (#​20493) (Milos Djermanovic)
• 37d6e91 chore: remove eslint v10 prereleases from eslint-config-eslint deps (#​20494) (Milos Djermanovic)
• da7cd0e refactor: cleanup error message templates (#​20479) (Francesco Trotta)
• 84fb885 chore: package.json update for @​eslint/js release (Jenkins)
• 1f66734 chore: add eslint to peerDependencies of @eslint/js (#​20467) (Milos Djermanovic)

v10.0.0

Compare Source

v9.39.3

Compare Source

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (#​20504) (sethamus)

Chores

• 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#​20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (#​20453) (Milos Djermanovic)

github/codeql-action (github/codeql-action)

v4.32.5

Compare Source

v4.32.4

Compare Source

• Update default CodeQL bundle version to 2.24.2. #​3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #​3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #​3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #​3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #​3484

v4.32.3

Compare Source

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #​3466

v4.32.2

Compare Source

v4.32.1

Compare Source

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v4.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

v4.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v4.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

v4.31.9

Compare Source

v4.31.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #​3354

See the full CHANGELOG.md for more information.

v4.31.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #​3343

See the full CHANGELOG.md for more information.

v4.31.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.6 - 01 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.31.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.5 - 24 Nov 2025

• Update default CodeQL bundle version to 2.23.6. #​3321

See the full CHANGELOG.md for more information.

v4.31.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.4 - 18 Nov 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.31.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.3 - 13 Nov 2025

• CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see Upcoming deprecation of CodeQL Action v3.
• Update default CodeQL bundle version to 2.23.5. #​3288

See the full CHANGELOG.md for more information.

v4.31.2

Compare Source

v4.31.1

Compare Source

v4.31.0

Compare Source

v4.30.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #​3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #​3204

See the full CHANGELOG.md for more information.

v4.30.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.30.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.7 - 06 Oct 2025

• [v4+ only] The CodeQL Action now runs on Node.js v24. #​3169

See the full CHANGELOG.md for more information.

v3.32.5

Compare Source

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #​3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #​3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #​3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #​3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #​3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #​3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #​3503, #​3504

v3.32.4

Compare Source

• Update default CodeQL bundle version to 2.24.2. #​3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #​3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #​3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #​3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #​3484

v3.32.3

Compare Source

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #​3466

v3.32.2

Compare Source

• Update default CodeQL bundle version to 2.24.1. #​3460

v3.32.1

Compare Source

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v3.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

v3.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v3.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

jasmine/jasmine-npm (jasmine)

v6.1.0

Compare Source

Please see the release notes.

v6.0.0

Compare Source

Please see the release notes.

bcomnes/npm-run-all2 (npm-run-all2)

v8.0.4

Compare Source

Commits

• Merge pull request #​182 from bcomnes/beta afcc18a

v8.0.3

Compare Source

Commits

• Merge pull request #​175 from bcomnes/revert-pico 75bb00e
• Revert "replace minimatch with picomatch" 5d93a54

v8.0.2

Compare Source

Commits

• Merge pull request #​172 from beeequeue/picomatch 4f42923
• replace minimatch with picomatch 74201f5
• add type field e8f046a

v8.0.1

Compare Source

Commits

• Merge pull request #​159 from bcomnes/dependabot/npm_and_yarn/minimatch-10.0.1 54af3ab
• Upgrade: Bump minimatch from 9.0.5 to 10.0.1 f50ddf4
• Merge pull request #​170 from bcomnes/fix-engine-range e43e670

v8.0.0

Compare Source

Commits

• Breaking change: Raise engine floor to >= Node 20 b1b12f8
• Merge pull request #​169 from bcomnes/node-20-or-greater bb27458

v7.0.2

Compare Source

Merged

• Upgrade: Bump neostandard from 0.11.9 to 0.12.0 #164
• Upgrade: Bump codecov/codecov-action from 4 to 5 #161

Commits

• Raise cross-spawn version floor to ^7.0.6 45a9e19
• Merge pull request #​163 from bcomnes/dependabot/npm_and_yarn/mocha-11.0.1 285967a
• Upgrade: Bump mocha from 10.8.2 to 11.0.1 5d1aea5

v7.0.1

Compare Source

Commits

• Revert engine range bump back to Node 18 b2e849b

v7.0.0

Compare Source

Merged

• Prevent a throw when looking up undefined results #158

Commits

• Breaking change: Bump node engines ^18.17.0 || >=20.5.0 49b95f0
• Merge pull request #​156 from bcomnes/rm-rf-rimraf c661ffc
• Remove rimraf c77e085

---

Configuration

📅 Schedule: Branch creation - "after 12am every weekday" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.