chore: update dependency sinon to v22

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
sinon (source)	^21.1.2 → ^22.0.0

---

Release Notes

sinonjs/sinon (sinon)

v22.0.0

Compare Source

• ed911df5
  Update Ruby gems (Carl-Erik Kopseng)
• 75a1e5b8
  Update to Node 26 (Carl-Erik Kopseng)
• 197d6608
  Update documentation on faking timers to reflect the current state of fake-timers (Carl-Erik Kopseng)
• c5ddf80b
  Update fake-timers@​15.4: includes new Temporal API (Carl-Erik Kopseng)
• f4ab02f6
  Update updatable packages (Carl-Erik Kopseng)
• 0536afc8
  Quality: Global mutable call id can grow unbounded across long-lived processes (#​2691) (tuanaiseo)

  • refactor: global mutable call id can grow unbounded across l

  callId is module-scoped and incremented on every invocation. In long-running test runners or embedded usage, this can grow indefinitely and eventually lose integer precision semantics for strict ordering comparisons.

  Affected files: proxy-invoke.js

  Signed-off-by: tuanaiseo 221258316+tuanaiseo@users.noreply.github.com

  • Wrap around for all values that are too high

  ---

  Signed-off-by: tuanaiseo 221258316+tuanaiseo@users.noreply.github.com
  Co-authored-by: Carl-Erik Kopseng carlerik@gmail.com

• f4f7d93b
  Perform additional cleanup when calling callThrough() (#​2670) (Cyrille)
• 6199e9e4
  improve GitHubworkflows by introducing zizmor for monitoring (#​2686) (Till!)

  • fix(workflows): fetch-depth is for actions/checkout

  • chore(workflows): update

  • pin all actions to precise commits
  • avoid credential leakage from actions/checkout
  • group action updates going forward
  • add zimor config to ignore "secrets outside env"
  • add job to keep validating workflows

• f7476b59
  Use path.normalize() for path normalization (Carl-Erik Kopseng)
• 2c975393
  fix: make build and node test scripts cross-platform (laplace young)
• a7692917
  fix: isolate walk state from Object prototype (laplace young)
• 66df977a
  Fix sinon.restore() cascade-restoring sub-sandboxes (#​2704) (Charlie Leitheiser)

  The ESM port of createApi (#​2683, shipped in 21.1.0) replaced createSandbox: createSandbox with a wrapper that pushes every newly-created sandbox into the root sandbox's fake collection:

  createSandbox: function createSandbox(config) {
      const s = createConfiguredSandbox(config);
      sandbox.getFakes().push(s);
      return s;
  }
  

  Sandbox#restore then walks that collection and calls .restore() on each entry. Because a sub-sandbox is itself an entry, every top-level sinon.restore() cascades into every sub-sandbox and undoes its stubs/timers/etc. — defeating the whole point of having an isolated sub-sandbox. The same cascade hits resetHistory and
  verifyAndRestore. This is the regression reported in #​2701.

  Restore the pre-21.1 behaviour: hand the root API a direct reference to createConfiguredSandbox. Sub-sandboxes are now isolated; only subSandbox.restore() (or verifyAndRestore) clears their fakes.

  Also flip the four sandbox tests that were locking in the buggy cascade: they now assert the parent's restore/resetHistory leaves the child untouched, with an explicit child-side cleanup at the
  end.

  Closes #​2701

• f0bd6e1b
  fix: exclude proto from walk() (#​2699) (Kevin Locke)

  __proto__ is a special property to access an object's prototype. It
  has many pitfalls:

  • Setting it to an object value changes an object's prototype, which is
    generally discouraged and may be unexpected by the iterator callback.
  • Setting it to a non-object value does nothing (meaning seen[k] = true has no effect).
  • When Node.js is run with the --disable-proto=throw option, getting
    or setting __proto__ causes an exception with code
    ERR_PROTO_ACCESS to be thrown.

  Additionally, since this property (and all properties of
  Object.prototype) are currently unused in this project by consumers of
  walk(), it is both safe and preferable to exclude.

  Fixes: #​2695

  Signed-off-by: Kevin Locke kevin@kevinlocke.name

• 1f8afd50
  chore: add context7.json for ownership confirmation (Morgan Roderick)

Released by Carl-Erik Kopseng on 2026-05-05.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.