Skip to content

📦 Bump the all-dependencies group across 1 directory with 9 updates#16286

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/all-dependencies-6cbd3bde8c
Open

📦 Bump the all-dependencies group across 1 directory with 9 updates#16286
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/all-dependencies-6cbd3bde8c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the all-dependencies group with 9 updates in the / directory:

Package From To
lage 2.15.12 2.15.16
@types/react 19.2.16 19.2.17
semver 7.8.2 7.8.5
@microsoft/1ds-core-js 4.4.1 4.4.3
@microsoft/1ds-post-js 4.4.1 4.4.3
@microsoft/api-extractor 7.58.7 7.58.9
eslint-plugin-jest 29.15.2 29.15.4
memfs 4.57.6 4.57.8
shell-quote 1.8.4 1.9.0

Updates lage from 2.15.12 to 2.15.16

Commits

Updates @types/react from 19.2.16 to 19.2.17

Commits

Updates semver from 7.8.2 to 7.8.5

Release notes

Sourced from semver's releases.

v7.8.5

7.8.5 (2026-06-19)

Bug Fixes

v7.8.4

7.8.4 (2026-06-09)

Bug Fixes

v7.8.3

7.8.3 (2026-06-08)

Bug Fixes

Chores

Changelog

Sourced from semver's changelog.

7.8.5 (2026-06-19)

Bug Fixes

7.8.4 (2026-06-09)

Bug Fixes

7.8.3 (2026-06-08)

Bug Fixes

Chores

Commits
  • 6e05b76 chore: release 7.8.5 (#879)
  • 9c8692a fix: include prereleases in tilde range lower bound with includePrerelease (#...
  • 8640bd6 chore: release 7.8.4 (#875)
  • e583226 fix: reject numeric segments after x-ranges
  • 6b77aa8 chore: release 7.8.3 (#873)
  • 3485dda chore: bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866)
  • 046da7f fix: align caret includePrerelease lower bounds (#872)
  • See full diff in compare view

Updates @microsoft/1ds-core-js from 4.4.1 to 4.4.3

Changelog

Sourced from @​microsoft/1ds-core-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.3 (July 2nd, 2026)

This is a maintenance release for the 3.4.x version line adding a new SDK statistics feature, a PostChannel reliability fix, and dependency security hardening. The @microsoft/1ds-post-js channel is numbered 4.4.3 and requires v3.4.3.

Significant Changes (since 3.4.2)

  • Customer SDK Stats: Added a new SdkStats feature that periodically collects internal SDK usage/health statistics. It is enabled by default and can be disabled (or explicitly configured) via the featureOptIn configuration (e.g. featureOptIn: { SdkStats: { mode: FeatureOptInMode.disable } }); the collection interval defaults to 15 minutes (sdkStats.int).

  • PostChannel Auto-Flush Stall Fix: Fixed a permanent stall in @microsoft/1ds-post-js where, under sustained intermittent send failures (e.g. a load balancer returning occasional 503s), auto flush could wedge behind the flush() wait-for-idle timer and permanently stop draining the in-memory queue — causing telemetry to be silently dropped as QueueFull until the process was restarted. Auto flush is now fire-and-forget and no longer parks the scheduler waiting for the manager to become completely idle.

  • Dependency Security Hardening: Pinned tar to >=7.5.16 to remediate CVE-2026-53655 and resolved the remaining npm audit findings in build tooling via dependency overrides (js-yaml, yaml, markdown-it, linkify-it). These are build/tooling changes and do not affect the published runtime packages.

Changelog

  • #2746 Fix PostChannel auto-flush permanent stall under sustained intermittent send failures
  • #2745 fix(security): pin tar >=7.5.16 to remediate CVE-2026-53655
  • #2707 Enable Customer SDK Stats
  • Resolve remaining npm audit findings via dependency overrides (js-yaml, yaml, markdown-it, linkify-it)

Full Changelog: microsoft/ApplicationInsights-JS@3.4.2...3.4.3

3.4.2 (June 18th, 2026)

This is a maintenance release for the 3.4.x version line containing security hardening, bug fixes, build tooling improvements, and CI updates. The @microsoft/1ds-post-js channel is numbered 4.4.2 and requires v3.4.2.

Significant Changes (since 3.4.1)

  • Prototype Pollution Hardening: The extend() and objExtend() helpers now filter unsafe keys (__proto__, constructor, prototype) to prevent prototype pollution when merging untrusted objects.

  • Dependency Vulnerability Resolution: Migrated the repository from npm to pnpm for dependency management and resolved all known dependency vulnerabilities. This is a build/tooling change and does not affect the published runtime packages.

  • OsPlugin Field Name Correction: The OsPlugin now emits the correct Common Schema 4.0 field names (ext.os.name and ext.os.ver). Telemetry consumers relying on the previously emitted (incorrect) field names should update to the corrected names.

  • RequestEnvelopeCreator Envelope Name Fix: Fixed RequestEnvelopeCreator so request telemetry is sent with the correct envelope name (Microsoft.ApplicationInsights.{ikey}.Request) instead of RequestData.

  • Offline Channel Reliability: Fixed a missing return after reject() in the offline channel that could lead to a null provider dereference.

  • Fixed [INVALID_ANNOTATION] warnings in Rolldown / Vite 8 consumers (#2736): The per-module dist-es5 output (the package module entry that modern bundlers import) emitted parenthesized PURE tree-shaking annotations with whitespace after the opening parenthesis (e.g. ( /*#__PURE__*/"http.")), which stricter bundlers such as Rolldown (Vite 8) rejected. The build now canonicalizes these annotations to the flush form ((/*#__PURE__*/"http.")) in the dist-es5 output, accepted by all bundlers while preserving the wrapping parentheses required for older Rollup / Webpack / Terser to tree-shake the constants. This complements #2737, which only normalized the rollup-bundled dist/es5 (main) output.

CI / Tooling

  • Dropped Node.js 16 from CI matrix: Node.js 16 is End-of-Life and several dependencies (e.g. puppeteer, @pnpm/error) now require Node.js 18 or later. The CI pipeline no longer runs against Node.js 16.
  • Added Node.js 22 and 24 to CI matrix: The CI pipeline now tests against Node.js 18, 20, 22, and 24.
  • Migrated from npm to pnpm: Dependency management now uses pnpm.

... (truncated)

Commits

Updates @microsoft/1ds-post-js from 4.4.1 to 4.4.3

Changelog

Sourced from @​microsoft/1ds-post-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.3 (July 2nd, 2026)

This is a maintenance release for the 3.4.x version line adding a new SDK statistics feature, a PostChannel reliability fix, and dependency security hardening. The @microsoft/1ds-post-js channel is numbered 4.4.3 and requires v3.4.3.

Significant Changes (since 3.4.2)

  • Customer SDK Stats: Added a new SdkStats feature that periodically collects internal SDK usage/health statistics. It is enabled by default and can be disabled (or explicitly configured) via the featureOptIn configuration (e.g. featureOptIn: { SdkStats: { mode: FeatureOptInMode.disable } }); the collection interval defaults to 15 minutes (sdkStats.int).

  • PostChannel Auto-Flush Stall Fix: Fixed a permanent stall in @microsoft/1ds-post-js where, under sustained intermittent send failures (e.g. a load balancer returning occasional 503s), auto flush could wedge behind the flush() wait-for-idle timer and permanently stop draining the in-memory queue — causing telemetry to be silently dropped as QueueFull until the process was restarted. Auto flush is now fire-and-forget and no longer parks the scheduler waiting for the manager to become completely idle.

  • Dependency Security Hardening: Pinned tar to >=7.5.16 to remediate CVE-2026-53655 and resolved the remaining npm audit findings in build tooling via dependency overrides (js-yaml, yaml, markdown-it, linkify-it). These are build/tooling changes and do not affect the published runtime packages.

Changelog

  • #2746 Fix PostChannel auto-flush permanent stall under sustained intermittent send failures
  • #2745 fix(security): pin tar >=7.5.16 to remediate CVE-2026-53655
  • #2707 Enable Customer SDK Stats
  • Resolve remaining npm audit findings via dependency overrides (js-yaml, yaml, markdown-it, linkify-it)

Full Changelog: microsoft/ApplicationInsights-JS@3.4.2...3.4.3

3.4.2 (June 18th, 2026)

This is a maintenance release for the 3.4.x version line containing security hardening, bug fixes, build tooling improvements, and CI updates. The @microsoft/1ds-post-js channel is numbered 4.4.2 and requires v3.4.2.

Significant Changes (since 3.4.1)

  • Prototype Pollution Hardening: The extend() and objExtend() helpers now filter unsafe keys (__proto__, constructor, prototype) to prevent prototype pollution when merging untrusted objects.

  • Dependency Vulnerability Resolution: Migrated the repository from npm to pnpm for dependency management and resolved all known dependency vulnerabilities. This is a build/tooling change and does not affect the published runtime packages.

  • OsPlugin Field Name Correction: The OsPlugin now emits the correct Common Schema 4.0 field names (ext.os.name and ext.os.ver). Telemetry consumers relying on the previously emitted (incorrect) field names should update to the corrected names.

  • RequestEnvelopeCreator Envelope Name Fix: Fixed RequestEnvelopeCreator so request telemetry is sent with the correct envelope name (Microsoft.ApplicationInsights.{ikey}.Request) instead of RequestData.

  • Offline Channel Reliability: Fixed a missing return after reject() in the offline channel that could lead to a null provider dereference.

  • Fixed [INVALID_ANNOTATION] warnings in Rolldown / Vite 8 consumers (#2736): The per-module dist-es5 output (the package module entry that modern bundlers import) emitted parenthesized PURE tree-shaking annotations with whitespace after the opening parenthesis (e.g. ( /*#__PURE__*/"http.")), which stricter bundlers such as Rolldown (Vite 8) rejected. The build now canonicalizes these annotations to the flush form ((/*#__PURE__*/"http.")) in the dist-es5 output, accepted by all bundlers while preserving the wrapping parentheses required for older Rollup / Webpack / Terser to tree-shake the constants. This complements #2737, which only normalized the rollup-bundled dist/es5 (main) output.

CI / Tooling

  • Dropped Node.js 16 from CI matrix: Node.js 16 is End-of-Life and several dependencies (e.g. puppeteer, @pnpm/error) now require Node.js 18 or later. The CI pipeline no longer runs against Node.js 16.
  • Added Node.js 22 and 24 to CI matrix: The CI pipeline now tests against Node.js 18, 20, 22, and 24.
  • Migrated from npm to pnpm: Dependency management now uses pnpm.

... (truncated)

Commits

Updates @microsoft/api-extractor from 7.58.7 to 7.58.9

Changelog

Sourced from @​microsoft/api-extractor's changelog.

7.58.9

Sat, 13 Jun 2026 00:16:18 GMT

Version update only

7.58.8

Mon, 08 Jun 2026 15:15:49 GMT

Patches

  • Add support for new d.ts extension format when using TS moduleResolution 'bundler' or 'nodenext'.
Commits
  • b6a0df8 Bump versions [skip ci]
  • 8c28c0d Update changelogs [skip ci]
  • 2a07c93 chore: bump decoupled local dependencies (#5825)
  • 89cbc56 Bump versions [skip ci]
  • 4a6de47 Update changelogs [skip ci]
  • 0310914 [api-extractor] Add support for new TS declaration format when using module r...
  • fde6ed5 Fix: syntax error in resulting d.ts file (#5799)
  • 2b7c453 chore: bump decoupled local dependencies (#5790)
  • See full diff in compare view

Updates eslint-plugin-jest from 29.15.2 to 29.15.4

Release notes

Sourced from eslint-plugin-jest's releases.

v29.15.4

29.15.4 (2026-06-30)

Bug Fixes

  • no-export: don't report on assignment to locals named module (#1976) (da02c0c)

v29.15.3

29.15.3 (2026-06-26)

Bug Fixes

  • no-export: treat describe blocks as test files (#1978) (70568b0)
Changelog

Sourced from eslint-plugin-jest's changelog.

29.15.4 (2026-06-30)

Bug Fixes

  • no-export: don't report on assignment to locals named module (#1976) (da02c0c)

29.15.3 (2026-06-26)

Bug Fixes

  • no-export: treat describe blocks as test files (#1978) (70568b0)
Commits
  • 4ba9454 chore(release): 29.15.4 [skip ci]
  • da02c0c fix(no-export): don't report on assignment to locals named module (#1976)
  • 2e236cf chore(deps): update danger/danger-js action to v13.0.10 (#1983)
  • b121402 chore(release): 29.15.3 [skip ci]
  • 70568b0 fix(no-export): treat describe blocks as test files (#1978)
  • 4a8fc22 chore: update eslint-plugin-n (#1984)
  • 2dfc6f5 chore(deps): update dependency eslint-plugin-n to v18 (#1964)
  • 4d830d8 chore(deps): update dependency lint-staged to v17 (#1965)
  • d387524 chore(deps): update yarn monorepo (#1961)
  • 08a822a chore(deps): update commitlint monorepo to v21 (#1966)
  • Additional commits viewable in compare view

Updates memfs from 4.57.6 to 4.57.8

Release notes

Sourced from memfs's releases.

Release v4.57.8

What's Changed

New Contributors

Full Changelog: streamich/memfs@v4.57.7...v4.57.8

Release v4.57.7

What's Changed

Full Changelog: streamich/memfs@v4.57.6...v4.57.7

Commits
  • 29b912b chore: release v4.57.8
  • b5c6c62 Merge pull request #1261 from chatman-media/fix/truncate-negative-length-memo...
  • f2be1ce fix: 🐛 clamp negative truncate length to zero
  • bbcc695 chore: release v4.57.7
  • c67f51e Merge pull request #1260 from streamich/snapshot-fix
  • d20c3e9 fix: 🐛 do not allow relative paths in snapshot restoration
  • See full diff in compare view

Updates shell-quote from 1.8.4 to 1.9.0

Changelog

Sourced from shell-quote's changelog.

v1.9.0 - 2026-06-24

Commits

  • [New] add types dca6e21
  • [Dev Deps] update eslint 9aa9e8f
  • [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv) 7ff5488
  • [actions] update workflows 75e8497
  • [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3 cannot stage eslint 10@types/esrecurse 3fb739d
  • [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake abe0163
  • [actions] Windows + node 5/7: install deps with a modern node b4bafa2
  • [Fix] quote: escape leading ~ to prevent shell tilde-expansion 7a76c1a
  • [Dev Deps] update auto-changelog, tape 7184b44
  • [Dev Deps] apparently jackspeak is no longer in the graph 9ba368a
Commits
  • db09fc7 v1.9.0
  • 7ff5488 [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv)
  • b4bafa2 [actions] Windows + node 5/7: install deps with a modern node
  • 3fb739d [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3...
  • abe0163 [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake
  • 7a76c1a [Fix] quote: escape leading ~ to prevent shell tilde-expansion
  • 75e8497 [actions] update workflows
  • dca6e21 [New] add types
  • 9aa9e8f [Dev Deps] update eslint
  • 9ba368a [Dev Deps] apparently jackspeak is no longer in the graph
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 29, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 29, 2026 12:24
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 29, 2026
Bumps the all-dependencies group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [lage](https://github.com/microsoft/lage) | `2.15.12` | `2.15.16` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.16` | `19.2.17` |
| [semver](https://github.com/npm/node-semver) | `7.8.2` | `7.8.5` |
| [@microsoft/1ds-core-js](https://github.com/microsoft/ApplicationInsights-JS) | `4.4.1` | `4.4.3` |
| [@microsoft/1ds-post-js](https://github.com/microsoft/ApplicationInsights-JS) | `4.4.1` | `4.4.3` |
| [@microsoft/api-extractor](https://github.com/microsoft/rushstack/tree/HEAD/apps/api-extractor) | `7.58.7` | `7.58.9` |
| [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) | `29.15.2` | `29.15.4` |
| [memfs](https://github.com/streamich/memfs) | `4.57.6` | `4.57.8` |
| [shell-quote](https://github.com/ljharb/shell-quote) | `1.8.4` | `1.9.0` |



Updates `lage` from 2.15.12 to 2.15.16
- [Commits](microsoft/lage@lage_v2.15.12...lage_v2.15.16)

Updates `@types/react` from 19.2.16 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `semver` from 7.8.2 to 7.8.5
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.8.2...v7.8.5)

Updates `@microsoft/1ds-core-js` from 4.4.1 to 4.4.3
- [Release notes](https://github.com/microsoft/ApplicationInsights-JS/releases)
- [Changelog](https://github.com/microsoft/ApplicationInsights-JS/blob/main/RELEASES.md)
- [Commits](https://github.com/microsoft/ApplicationInsights-JS/commits)

Updates `@microsoft/1ds-post-js` from 4.4.1 to 4.4.3
- [Release notes](https://github.com/microsoft/ApplicationInsights-JS/releases)
- [Changelog](https://github.com/microsoft/ApplicationInsights-JS/blob/main/RELEASES.md)
- [Commits](https://github.com/microsoft/ApplicationInsights-JS/commits)

Updates `@microsoft/api-extractor` from 7.58.7 to 7.58.9
- [Changelog](https://github.com/microsoft/rushstack/blob/main/apps/api-extractor/CHANGELOG.md)
- [Commits](https://github.com/microsoft/rushstack/commits/@microsoft/api-extractor_v7.58.9/apps/api-extractor)

Updates `eslint-plugin-jest` from 29.15.2 to 29.15.4
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](jest-community/eslint-plugin-jest@v29.15.2...v29.15.4)

Updates `memfs` from 4.57.6 to 4.57.8
- [Release notes](https://github.com/streamich/memfs/releases)
- [Changelog](https://github.com/streamich/memfs/blob/master/CHANGELOG.md)
- [Commits](streamich/memfs@v4.57.6...v4.57.8)

Updates `shell-quote` from 1.8.4 to 1.9.0
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.4...v1.9.0)

---
updated-dependencies:
- dependency-name: "@microsoft/1ds-core-js"
  dependency-version: 4.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: "@microsoft/1ds-post-js"
  dependency-version: 4.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: "@microsoft/api-extractor"
  dependency-version: 7.58.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: eslint-plugin-jest
  dependency-version: 29.15.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: lage
  dependency-version: 2.15.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: memfs
  dependency-version: 4.57.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: semver
  dependency-version: 7.8.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: shell-quote
  dependency-version: 1.9.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/all-dependencies-6cbd3bde8c branch from 540b75d to 7d6a78e Compare July 3, 2026 01:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants