📦 [0.84]: Bump the all-dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the all-dependencies group with 6 updates in the / directory:

Package	From	To
lage	2.15.12	2.15.13
@types/react	19.2.15	19.2.17
semver	7.8.1	7.8.5
tinyglobby	0.2.16	0.2.17
@microsoft/1ds-core-js	4.4.1	4.4.2
@microsoft/1ds-post-js	4.4.1	4.4.2

Updates lage from 2.15.12 to 2.15.13

Commits

• 780ca2f applying package updates
• ce44a8e Expose the --output-format option on the affected command (#1148)
• c7dddd7 Update dependency js-yaml to v4.2.0 (#1143)
• 7d240db Bump tmp from 0.2.5 to 0.2.7 (#1144)
• a896a49 Update GitHub Actions (official) (#1142)
• be570ac Update devDependency beachball to v2.65.5 (#1139)
• eaf70c6 Update dependency shell-quote to v1.8.4 (#1140)
• de630ad Lock file maintenance (#1088)
• f159e33 Update github/codeql-action digest to 7211b7c (#1138)
• 14d49f0 Bump @​tootallnate/once from 2.0.0 to 2.0.1 (#1137)
• Additional commits viewable in compare view

Updates @types/react from 19.2.15 to 19.2.17

Commits

• See full diff in compare view

Updates semver from 7.8.1 to 7.8.5

Release notes

Sourced from semver's releases.

v7.8.5

7.8.5 (2026-06-19)

Bug Fixes

• 9c8692a #878 include prereleases in tilde range lower bound with includePrerelease (#878) (@​chatman-media)

v7.8.4

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@​pupuking723)

v7.8.3

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@​wayyoungboy)

Chores

• 3485dda #866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@​dependabot[bot])

v7.8.2

7.8.2 (2026-06-04)

Bug Fixes

• bea6028 #870 increment dotted prerelease identifiers (#870) (@​liuzemei, @​SheldonNeo)

Changelog

Sourced from semver's changelog.

7.8.5 (2026-06-19)

Bug Fixes

• 9c8692a #878 include prereleases in tilde range lower bound with includePrerelease (#878) (@​chatman-media)

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@​pupuking723)

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@​wayyoungboy)

Chores

• 3485dda #866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@​dependabot[bot])

7.8.2 (2026-06-04)

Bug Fixes

• bea6028 #870 increment dotted prerelease identifiers (#870) (@​liuzemei, @​SheldonNeo)

Commits

• 6e05b76 chore: release 7.8.5 (#879)
• 9c8692a fix: include prereleases in tilde range lower bound with includePrerelease (#...
• 8640bd6 chore: release 7.8.4 (#875)
• e583226 fix: reject numeric segments after x-ranges
• 6b77aa8 chore: release 7.8.3 (#873)
• 3485dda chore: bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866)
• 046da7f fix: align caret includePrerelease lower bounds (#872)
• efafcf8 chore: release 7.8.2 (#871)
• bea6028 fix: increment dotted prerelease identifiers (#870)
• See full diff in compare view

Updates tinyglobby from 0.2.16 to 0.2.17

Release notes

Sourced from tinyglobby's releases.

0.2.17

Changed

• Enabled staged publishing for stronger supply-chain security

Fixed

• Defaults when undefined is passed to any of the options by @​chloeelim
• Drive-relative paths on Windows by @​Andrej730
• FileSystemAdapter is now exported again

Consider sponsoring if you'd like to support the development of this project and the goal of reaching a lighter and faster ecosystem

Changelog

Sourced from tinyglobby's changelog.

0.2.17

Changed

• Enabled staged publishing for stronger supply-chain security

Fixed

• Defaults when undefined is passed to any of the options by chloeelim
• Drive-relative paths on Windows by Andrej730
• FileSystemAdapter is now exported again

Commits

• f80cb84 release 0.2.17
• d5d1ce3 enable staged publishes
• ec39d48 Update all non-major dependencies (#204)
• d618ed4 improve benchmark infra
• dd10cb2 disable cache in publish workflow
• 749694d set minimumReleaseAge in renovate
• 937a0c7 remove .vscode folder
• 298769a fix alt text in readme (#203)
• 8927f0a run ci on node 26
• e8519ee Update all non-major dependencies (#195)
• Additional commits viewable in compare view

Updates @microsoft/1ds-core-js from 4.4.1 to 4.4.2

Changelog

Sourced from @​microsoft/1ds-core-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.2 (June 18th, 2026)

This is a maintenance release for the 3.4.x version line containing security hardening, bug fixes, build tooling improvements, and CI updates. The @microsoft/1ds-post-js channel is numbered 4.4.2 and requires v3.4.2.

Significant Changes (since 3.4.1)

• Prototype Pollution Hardening: The extend() and objExtend() helpers now filter unsafe keys (__proto__, constructor, prototype) to prevent prototype pollution when merging untrusted objects.

• Dependency Vulnerability Resolution: Migrated the repository from npm to pnpm for dependency management and resolved all known dependency vulnerabilities. This is a build/tooling change and does not affect the published runtime packages.

• OsPlugin Field Name Correction: The OsPlugin now emits the correct Common Schema 4.0 field names (ext.os.name and ext.os.ver). Telemetry consumers relying on the previously emitted (incorrect) field names should update to the corrected names.

• RequestEnvelopeCreator Envelope Name Fix: Fixed RequestEnvelopeCreator so request telemetry is sent with the correct envelope name (Microsoft.ApplicationInsights.{ikey}.Request) instead of RequestData.

• Offline Channel Reliability: Fixed a missing return after reject() in the offline channel that could lead to a null provider dereference.

• Fixed [INVALID_ANNOTATION] warnings in Rolldown / Vite 8 consumers (#2736): The per-module dist-es5 output (the package module entry that modern bundlers import) emitted parenthesized PURE tree-shaking annotations with whitespace after the opening parenthesis (e.g. ( /*#__PURE__*/"http.")), which stricter bundlers such as Rolldown (Vite 8) rejected. The build now canonicalizes these annotations to the flush form ((/*#__PURE__*/"http.")) in the dist-es5 output, accepted by all bundlers while preserving the wrapping parentheses required for older Rollup / Webpack / Terser to tree-shake the constants. This complements #2737, which only normalized the rollup-bundled dist/es5 (main) output.

CI / Tooling

• Dropped Node.js 16 from CI matrix: Node.js 16 is End-of-Life and several dependencies (e.g. puppeteer, @pnpm/error) now require Node.js 18 or later. The CI pipeline no longer runs against Node.js 16.
• Added Node.js 22 and 24 to CI matrix: The CI pipeline now tests against Node.js 18, 20, 22, and 24.
• Migrated from npm to pnpm: Dependency management now uses pnpm.

Changelog

• #2733 fix: Migrate from npm to pnpm and resolve all dependency vulnerabilities
• #2742 fix(ci): repair Node.js CI (Chrome install, bundle-size limits, ts-async offline-channel hang)
• #2737 fix: remove invalid PURE literal annotations and add bundle validation tests
• #2736 fix: canonicalize PURE annotations in dist-es5 (module) output to fix Rolldown/Vite 8 [INVALID_ANNOTATION] warnings
• #2735 fix: prevent prototype pollution in extend() and objExtend() via unsafe key filtering
• #2734 fix(offline-channel): Add missing return after reject() to prevent null provider dereference
• #2732 fix(OsPlugin): use correct CS 4.0 field names ext.os.name and ext.os.ver
• #2731 Drop Node.js 16 from CI matrix; add Node.js 22 and 24
• #2729 Potential fix for code scanning alert no. 2273: Workflow does not contain permissions
• #2728 Potential fix for code scanning alert no. 5940: Unused variable, import, function or class
• #2727 Potential fix for code scanning alert no. 5402: Semicolon insertion
• #2726 Potential fix for code scanning alert no. 5401: Unused variable, import, function or class
• #2725 Potential fix for code scanning alert no. 4240: Semicolon insertion
• #2724 fix: RequestEnvelopeCreator sends "RequestData" as envelope name instead of "Microsoft.ApplicationInsights.{ikey}.Request"
• #2722 Update Components
• #2721 Add CfgSync documentation

Full Changelog: microsoft/ApplicationInsights-JS@3.4.1...3.4.2

... (truncated)

Commits

• See full diff in compare view

Updates @microsoft/1ds-post-js from 4.4.1 to 4.4.2

Changelog

Sourced from @​microsoft/1ds-post-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.2 (June 18th, 2026)

This is a maintenance release for the 3.4.x version line containing security hardening, bug fixes, build tooling improvements, and CI updates. The @microsoft/1ds-post-js channel is numbered 4.4.2 and requires v3.4.2.

Significant Changes (since 3.4.1)

• Prototype Pollution Hardening: The extend() and objExtend() helpers now filter unsafe keys (__proto__, constructor, prototype) to prevent prototype pollution when merging untrusted objects.

• Dependency Vulnerability Resolution: Migrated the repository from npm to pnpm for dependency management and resolved all known dependency vulnerabilities. This is a build/tooling change and does not affect the published runtime packages.

• OsPlugin Field Name Correction: The OsPlugin now emits the correct Common Schema 4.0 field names (ext.os.name and ext.os.ver). Telemetry consumers relying on the previously emitted (incorrect) field names should update to the corrected names.

• RequestEnvelopeCreator Envelope Name Fix: Fixed RequestEnvelopeCreator so request telemetry is sent with the correct envelope name (Microsoft.ApplicationInsights.{ikey}.Request) instead of RequestData.

• Offline Channel Reliability: Fixed a missing return after reject() in the offline channel that could lead to a null provider dereference.

• Fixed [INVALID_ANNOTATION] warnings in Rolldown / Vite 8 consumers (#2736): The per-module dist-es5 output (the package module entry that modern bundlers import) emitted parenthesized PURE tree-shaking annotations with whitespace after the opening parenthesis (e.g. ( /*#__PURE__*/"http.")), which stricter bundlers such as Rolldown (Vite 8) rejected. The build now canonicalizes these annotations to the flush form ((/*#__PURE__*/"http.")) in the dist-es5 output, accepted by all bundlers while preserving the wrapping parentheses required for older Rollup / Webpack / Terser to tree-shake the constants. This complements #2737, which only normalized the rollup-bundled dist/es5 (main) output.

CI / Tooling

• Dropped Node.js 16 from CI matrix: Node.js 16 is End-of-Life and several dependencies (e.g. puppeteer, @pnpm/error) now require Node.js 18 or later. The CI pipeline no longer runs against Node.js 16.
• Added Node.js 22 and 24 to CI matrix: The CI pipeline now tests against Node.js 18, 20, 22, and 24.
• Migrated from npm to pnpm: Dependency management now uses pnpm.

Changelog

• #2733 fix: Migrate from npm to pnpm and resolve all dependency vulnerabilities
• #2742 fix(ci): repair Node.js CI (Chrome install, bundle-size limits, ts-async offline-channel hang)
• #2737 fix: remove invalid PURE literal annotations and add bundle validation tests
• #2736 fix: canonicalize PURE annotations in dist-es5 (module) output to fix Rolldown/Vite 8 [INVALID_ANNOTATION] warnings
• #2735 fix: prevent prototype pollution in extend() and objExtend() via unsafe key filtering
• #2734 fix(offline-channel): Add missing return after reject() to prevent null provider dereference
• #2732 fix(OsPlugin): use correct CS 4.0 field names ext.os.name and ext.os.ver
• #2731 Drop Node.js 16 from CI matrix; add Node.js 22 and 24
• #2729 Potential fix for code scanning alert no. 2273: Workflow does not contain permissions
• #2728 Potential fix for code scanning alert no. 5940: Unused variable, import, function or class
• #2727 Potential fix for code scanning alert no. 5402: Semicolon insertion
• #2726 Potential fix for code scanning alert no. 5401: Unused variable, import, function or class
• #2725 Potential fix for code scanning alert no. 4240: Semicolon insertion
• #2724 fix: RequestEnvelopeCreator sends "RequestData" as envelope name instead of "Microsoft.ApplicationInsights.{ikey}.Request"
• #2722 Update Components
• #2721 Add CfgSync documentation

Full Changelog: microsoft/ApplicationInsights-JS@3.4.1...3.4.2

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com//pull/16281)