📦 Update subpackage devDependencies#40481

Open

renovate[bot] wants to merge 1 commit intomainfrom

renovate/subpackage-devdependencies

Contributor

renovate bot commented Feb 23, 2026 •

edited

Loading

This PR contains the following updates:

Package	Update	Type	Change	Package file	Age	Confidence
actions/dependency-review-action	patch	action	`v4.8.2` → `v4.8.3`	.github/workflows/dependency-review.yml
browser-tools	minor	orb	`2.3.2` → `2.4.0`	.circleci/config.yml
cimg/openjdk	patch	docker	`25.0-node` → `25.0.1-node`	.circleci/config.yml
eslint (source)	patch	devDependencies	`9.39.2` → `9.39.3`	third_party/amp-toolbox-cache-url/package.json
github/codeql-action	minor	action	`v3.31.9` → `v3.32.5`	.github/workflows/scorecard.yml
rollup (source)	minor	devDependencies	`4.55.1` → `4.59.0`	third_party/amp-toolbox-cache-url/package.json
semver	patch	devDependencies	`7.7.3` → `7.7.4`	third_party/amp-toolbox-cache-url/package.json
step-security/harden-runner	minor	action	`v2.14.0` → `v2.15.0`	.github/workflows/update-session-issues.yml

See all other Renovate PRs on the Dependency Dashboard

How to resolve breaking changes

This PR may introduce breaking changes that require manual intervention. In such cases, you will need to check out this branch, fix the cause of the breakage, and commit the fix to ensure a green CI build. To check out and update this PR, follow the steps below:

# Check out the PR branch
git checkout -b renovate/subpackage-devdependencies main
git pull https://github.com/ampproject/amphtml.git renovate/subpackage-devdependencies

# Directly make fixes and commit them
amp lint --fix # For lint errors in JS files
amp prettify --fix # For prettier errors in non-JS files
# Edit source code in case of new compiler warnings / errors

# Push the changes to the branch
git push git@github.com:ampproject/amphtml.git renovate/subpackage-devdependencies:renovate/subpackage-devdependencies

Release Notes

actions/dependency-review-action (actions/dependency-review-action)

`v4.8.3`: 4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

GitHub Actions can't push to our protected main by @dangoor in #1017
Bump actions/stale from 9.1.0 to 10.1.0 by @dependabot[bot] in #995
Bump github/codeql-action from 3 to 4 by @dependabot[bot] in #1003
Bump actions/setup-node from 4 to 6 by @dependabot[bot] in #1005
Upgrade glob to address a vulnerability by @brrygrdn in #1024
Bump js-yaml by @dependabot[bot] in #1020
Addressing vulnerabilities by @Ahmed3lmallah in #1036
Bump fast-xml-parser from 5.3.3 to 5.3.5 by @dependabot[bot] in #1050
Bump fast-xml-parser from 5.3.5 to 5.3.6 by @dependabot[bot] in #1053
Properly truncate long summaries and catch errors by @juxtin in #1052
Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory by @dependabot[bot] in #931
Changes for Release 4.8.3 by @ahpook in #1054

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

eslint/eslint (eslint)

`v9.39.3`

Bug Fixes

791bf8d fix: restore TypeScript 4.0 compatibility in types (#20504) (sethamus)

Chores

8594a43 chore: upgrade @eslint/js@9.39.3 (#20529) (Milos Djermanovic)
9ceef92 chore: package.json update for @eslint/js release (Jenkins)
af498c6 chore: ignore /docs/v9.x in link checker (#20453) (Milos Djermanovic)

github/codeql-action (github/codeql-action)

`v3.32.5`

Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

`v3.32.4`

Update default CodeQL bundle version to 2.24.2. #3493
Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

`v3.32.3`

Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

`v3.32.2`

Update default CodeQL bundle version to 2.24.1. #3460

`v3.32.1`

A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

`v3.32.0`

Update default CodeQL bundle version to 2.24.0. #3425

`v3.31.11`

When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
Improved error handling throughout the CodeQL Action. #3415
Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

`v3.31.10`

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.10 - 12 Jan 2026

Update default CodeQL bundle version to 2.23.9. #3393

See the full CHANGELOG.md for more information.

rollup/rollup (rollup)

`v4.59.0`

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

`v4.58.0`

2026-02-20

Features

Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

#6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@njg7194, @lukastaegert)
#6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@millerick, @lukastaegert)
#6260: fix(deps): update rust crate swc_compiler_base to v47 (@renovate[bot], @lukastaegert)
#6261: fix(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)
#6262: Avoid unnecessary cloning of the code string (@lukastaegert)
#6263: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)
#6265: chore(deps): lock file maintenance (@renovate[bot])
#6267: fix(deps): update minor/patch updates (@renovate[bot])
#6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@renovate[bot], @lukastaegert)
#6269: chore(deps): update dependency lru-cache to v11 (@renovate[bot])
#6270: chore(deps): lock file maintenance (@renovate[bot])
#6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@lukastaegert)

`v4.57.1`

2026-01-30

Bug Fixes

Fix heap corruption issue in Windows (#6251)
Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

#6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@alan-agius4, @lukastaegert)
#6252: chore(deps): update dependency lru-cache to v11 (@renovate[bot])
#6253: chore(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)
#6254: Fully include dynamic imports in a try-catch (@lukastaegert)
#6255: chore(deps): lock file maintenance (@renovate[bot])

`v4.57.0`

2026-01-27

Features

Add import attributes to all plugin hooks that did not provide them yet (#5700)
Deprecate returning import attributes from load or transform hooks as that will no longer be supported with rollup 5 (#5700)

Pull Requests

#5700: extend more hooks to include import attributes and add warnings (@TrickyPi, @lukastaegert)
#6243: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)
#6244: fix(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)
#6245: chore(deps): lock file maintenance (@renovate[bot])
#6246: Refactor to reduce Rollup 5 upgrade diff (@lukastaegert)

`v4.56.0`

2026-01-22

Features

Track object property inclusions of dynamic namespace members (#6230)

Bug Fixes

Handle methods that access dynamically imported namespace members via this (#6230)

Pull Requests

#6230: Refine namespace handling (@lukastaegert)

`v4.55.3`

2026-01-21

Bug Fixes

Fix JSX semicolon insert position in variable declarations (#6241)

Pull Requests

#6241: Fix JSX semicolon insertion (@lukastaegert)

`v4.55.2`

2026-01-19

Bug Fixes

Sort manual chunks by execution order to reduce circular dependency issues (#6240)

Pull Requests

#6234: chore(deps): pin cross-platform-actions/action action to 492b0c8 (@renovate[bot])
#6235: chore(deps): update dependency globals to v17 (@renovate[bot], @lukastaegert)
#6236: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])
#6237: chore(deps): lock file maintenance (@renovate[bot])
#6239: fix(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)
#6240: Sort manual chunks by module execution order (@TrickyPi)

npm/node-semver (semver)

`v7.7.4`

Bug Fixes

a29faa5 #835 cli: pass options to semver.valid() for loose version validation (#835) (@mldangelo)

Documentation

1d28d5e #836 fix typos and update -n CLI option documentation (#836) (@mldangelo)

Dependencies

120968b #840 @npmcli/template-oss@4.29.0 (#840)

Chores

44d7130 #824 bump @npmcli/eslint-config from 5.1.0 to 6.0.0 (#824) (@dependabot[bot])
7073576 #820 reorder parameters in invalid-versions.js test (#820) (@reggi)
5816d4c #829 bump @npmcli/template-oss from 4.28.0 to 4.28.1 (#829) (@dependabot[bot], @npm-cli-bot)

step-security/harden-runner (step-security/harden-runner)

`v2.15.0`

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

`v2.14.2`

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

`v2.14.1`

What's Changed

In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.
Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

Configuration

📅 Schedule: Branch creation - "after 12am every weekday" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot enabled auto-merge (squash)

February 23, 2026 15:18

renovate-approve bot approved these changes

View reviewed changes

renovate bot force-pushed the renovate/subpackage-devdependencies branch 2 times, most recently from 8ffb5e4 to 70d9f75 Compare

February 24, 2026 20:09


          📦 Update subpackage devDependencies

3a2627d

renovate bot force-pushed the renovate/subpackage-devdependencies branch from 70d9f75 to 3a2627d Compare

March 3, 2026 21:51

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet