deps(deps): bump the production-dependencies group across 1 directory with 13 updates

[dependabot]

Bumps the production-dependencies group with 11 updates in the / directory:

Package	From	To
semver	7.7.4	7.8.4
@azure/core-client	1.10.1	1.10.2
@azure/core-rest-pipeline	1.23.0	1.24.0
@azure/storage-blob	12.31.0	12.32.0
@typespec/ts-http-runtime	0.3.5	0.3.6
brace-expansion	1.1.14	1.1.15
es-object-atoms	1.1.1	1.1.2
fast-xml-builder	1.1.4	1.2.0
fast-xml-parser	5.6.0	5.8.0
hasown	2.0.2	2.0.4
undici	6.25.0	6.26.0

Updates semver from 7.7.4 to 7.8.4

Release notes

Sourced from semver's releases.

v7.8.4

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@​pupuking723)

v7.8.3

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@​wayyoungboy)

Chores

• 3485dda #866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@​dependabot[bot])

v7.8.2

7.8.2 (2026-06-04)

Bug Fixes

• bea6028 #870 increment dotted prerelease identifiers (#870) (@​liuzemei, @​SheldonNeo)

v7.8.1

7.8.1 (2026-05-21)

Bug Fixes

• 17aa702 #869 strip build metadata before comparator trimming (#869) (@​owlstronaut)
• 5f3ca13 #867 handle prerelease bounds in subset (#867) (@​puneetdixit200, Puneet Dixit)

v7.8.0

7.8.0 (2026-05-08)

Features

• 0d0a0a2 #855 Add truncate function (#855) (@​pjohnmeyer, @​owlstronaut)

Bug Fixes

• 3905343 #859 Warn when defaulting to --inc=patch in CLI (@​pjohnmeyer)

Documentation

• c368af6 #853 fix typos in documentation (#853) (@​ankitkumar572005)
• 37776c3 #846 fix BNF grammar to distinguish prerelease from build identifiers (#846) (@​abhu85, @​claude)

Chores

• 9542e09 #860 template-oss-apply (@​owlstronaut)
• 937bc2c #860 template-oss-apply@5.0.0 (@​owlstronaut)
• 6946fef #852 bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#852) (@​dependabot[bot], @​npm-cli-bot)

Changelog

Sourced from semver's changelog.

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@​pupuking723)

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@​wayyoungboy)

Chores

• 3485dda #866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@​dependabot[bot])

7.8.2 (2026-06-04)

Bug Fixes

• bea6028 #870 increment dotted prerelease identifiers (#870) (@​liuzemei, @​SheldonNeo)

7.8.1 (2026-05-21)

Bug Fixes

• 17aa702 #869 strip build metadata before comparator trimming (#869) (@​owlstronaut)
• 5f3ca13 #867 handle prerelease bounds in subset (#867) (@​puneetdixit200, Puneet Dixit)

7.8.0 (2026-05-08)

Features

• 0d0a0a2 #855 Add truncate function (#855) (@​pjohnmeyer, @​owlstronaut)

Bug Fixes

• 3905343 #859 Warn when defaulting to --inc=patch in CLI (@​pjohnmeyer)

Documentation

• c368af6 #853 fix typos in documentation (#853) (@​ankitkumar572005)
• 37776c3 #846 fix BNF grammar to distinguish prerelease from build identifiers (#846) (@​abhu85, @​claude)

Chores

• 9542e09 #860 template-oss-apply (@​owlstronaut)
• 937bc2c #860 template-oss-apply@5.0.0 (@​owlstronaut)
• 6946fef #852 bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#852) (@​dependabot[bot], @​npm-cli-bot)

Commits

• 8640bd6 chore: release 7.8.4 (#875)
• e583226 fix: reject numeric segments after x-ranges
• 6b77aa8 chore: release 7.8.3 (#873)
• 3485dda chore: bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866)
• 046da7f fix: align caret includePrerelease lower bounds (#872)
• efafcf8 chore: release 7.8.2 (#871)
• bea6028 fix: increment dotted prerelease identifiers (#870)
• 7641608 chore: release 7.8.1 (#868)
• 17aa702 fix: strip build metadata before comparator trimming (#869)
• 5f3ca13 fix: handle prerelease bounds in subset (#867)
• Additional commits viewable in compare view

Updates @azure/core-client from 1.10.1 to 1.10.2

Changelog

Sourced from @​azure/core-client's changelog.

1.10.2 (2026-06-04)

Bugs Fixed

• Fixes to additional property serialization. [PR #38006](Azure/azure-sdk-for-js#38006)

Commits

• 000bfb6 [core] prepare for June 2026 release (#38788)
• 08fae51 chore: consolidate with @​azure/core-util APIs and simplify runtime checks (#3...
• 0117af3 feat(core/core-client): migrate to #platform/* imports (#38200)
• e8f0055 chore: Update registry for all package.json and adjust check rules (#38281)
• be0d109 fix(core-client): fix typos in serializer error messages (#38258)
• 55155ea Improve test coverage to ~100% for @​azure/core-client (#38176)
• 8edb91b chore(core): remove dead code, unnecessary casts, and redundant async (#38149)
• 38b6a92 fix(core): handle Uint8Array subarrays correctly in createFile and encodeByte...
• 686b9db chore(core): improve cross-platform test compatibility (#38145)
• c4de0e1 chore(core): add react-native and @​types/react devDependencies (#38135)
• Additional commits viewable in compare view

Updates @azure/core-rest-pipeline from 1.23.0 to 1.24.0

Changelog

Sourced from @​azure/core-rest-pipeline's changelog.

1.24.0 (2026-06-05)

Features Added

• Use and export type aliases on public API surface [PR #38205](Azure/azure-sdk-for-js#38205)

Commits

• 2d3b618 [core-rest-pipeline] prepare for june 2026 release (#38847)
• 4765ec8 fix: consolidate duplicate changelog sections for core-rest-pipeline and core...
• e8f0055 chore: Update registry for all package.json and adjust check rules (#38281)
• 8d8b5b5 feat(core/core-rest-pipeline): migrate to #platform/* imports (#38205)
• ef31af4 Improve test coverage to ~100% for @​azure/core-rest-pipeline (#38180)
• 8edb91b chore(core): remove dead code, unnecessary casts, and redundant async (#38149)
• 38b6a92 fix(core): handle Uint8Array subarrays correctly in createFile and encodeByte...
• 686b9db chore(core): improve cross-platform test compatibility (#38145)
• c4de0e1 chore(core): add react-native and @​types/react devDependencies (#38135)
• ca0618c chore(core): add per-platform tsconfig files in config/ directories (#38136)
• Additional commits viewable in compare view

Updates @azure/storage-blob from 12.31.0 to 12.32.0

Changelog

Sourced from @​azure/storage-blob's changelog.

12.32.0 (2026-05-22)

Features Added

• Includes all features released in 12.32.0-beta.1.

12.32.0-beta.1 (2026-03-05)

Features Added

• Added support for service version 2026-04-06.
• Added support for Content Validation via Structured Message.
• Added support for Delete Blob Conditional Tier.
• Added support for Server-side Encryption Rekeying.
• Added cross-tenant support for Principal-Bound User Delegation SAS.
• Added support for Dynamic User Delegation SAS.

Commits

• d740d83 Resolve interface comments (#38702)
• ff9fc24 Update package version for stg101 (#38623)
• 603366d [storage] update streamToBuffer helpers to handle chunks correctly (#38465)
• 3de1abe Add imports field to all warp-built packages (#38391)
• 0aa0f0f Add react-native devDependency to packages with RN targets (#38392)
• e8f0055 chore: Update registry for all package.json and adjust check rules (#38281)
• 8226e6f [test] Fix swapped assertion arguments across test files (#37972)
• 65c0ccc feat(warp): explicit CJS via moduleType, esbuild ESM→CJS transform (#37893)
• 7b9b6aa Storage/content checksum (#37208)
• 460a94d [warp] Migrate storage packages to warp with type-compatible browser … (#37443)
• Additional commits viewable in compare view

Updates @azure/storage-common from 12.3.0 to 12.4.0

Changelog

Sourced from @​azure/storage-common's changelog.

12.4.0 (2026-05-22)

Features Added

• Includes all features released in 12.4.0-beta.1.

Bugs Fixed

• Fixed CRC64 checksum calculator failing under both module systems: ReferenceError: require is not defined when loaded as ESM under Node, and SyntaxError: Unexpected token 'export' when loaded as CommonJS. The bundled Emscripten output now polyfills require/__filename/__dirname from import.meta.url for the ESM build, and the CommonJS copy is rewritten to use module.exports. Issues #38069 and #38501.

12.4.0-beta.1 (2026-03-05)

Features Added

• Added functions structuredMessageDecodingStream and structuredMessageEncoding to parsing and construct structured message with CRC64 checksum for content validation.
• Added property of signedDelegatedUserTid in UserDelegationKey

Commits

• 9d83f5e [storage-common] remove top-level await from crc64.js (#38741)
• ff9fc24 Update package version for stg101 (#38623)
• 626a45b [storage-common] Fix CRC64 module loading under ESM and CommonJS (#38507)
• cd995b1 Migrate @​azure/storage-common to #platform/* wildcard imports (#38440)
• 3de1abe Add imports field to all warp-built packages (#38391)
• 0aa0f0f Add react-native devDependency to packages with RN targets (#38392)
• e8f0055 chore: Update registry for all package.json and adjust check rules (#38281)
• 65c0ccc feat(warp): explicit CJS via moduleType, esbuild ESM→CJS transform (#37893)
• 8c0d6ee Update change log for STG101 release (#37503)
• 7b9b6aa Storage/content checksum (#37208)
• Additional commits viewable in compare view

Updates @typespec/ts-http-runtime from 0.3.5 to 0.3.6

Changelog

Sourced from @​typespec/ts-http-runtime's changelog.

0.3.6 (2026-06-04)

Bugs Fixed

• Fix an issue in NodeHttpClient where we incorrectly send the whole backing buffer when request body is an ArrayBufferView. [PR #38718](Azure/azure-sdk-for-js#38718)
• createHttpHeaders now strips CR (\r) and LF (\n) characters from header values to prevent obs-fold (line folding) sequences, as required by RFC 7230 §3.2.4. [PR #38744](Azure/azure-sdk-for-js#38744)

Other Changes

• Set RestError.response.bodyAsText when the error response body has string type [PR #38059](Azure/azure-sdk-for-js#38059)
• Forward tracingOptions to pipeline requests. [PR #38285](Azure/azure-sdk-for-js#38285)

Commits

• 000bfb6 [core] prepare for June 2026 release (#38788)
• 1d12fe2 Sanitize HTTP header values to strip CR/LF (RFC 7230 §3.2.4) (#38744)
• a44316c [core] send request body of ArrayBufferView subarray properly (#38718)
• 1c23475 [core-client-rest] preserve tracingOptions in request parameters (#38285)
• e8f0055 chore: Update registry for all package.json and adjust check rules (#38281)
• 686b9db chore(core): improve cross-platform test compatibility (#38145)
• b9e6755 feat(ts-http-runtime): migrate to #platform/* subpath imports (#37974)
• 7cf73b6 [ts-http-runtime] set bodyAsText on RestError.response (#38059)
• 047b6ad chore(ts-http-runtime): add react-native platform tests (#38066)
• See full diff in compare view

Updates brace-expansion from 1.1.14 to 1.1.15

Release notes

Sourced from brace-expansion's releases.

v1.1.15

• Backport v5.0.6 change to v1 (#111) 0b09384

---

juliangruber/brace-expansion@v1.1.14...v1.1.15

Commits

• 2203f4f 1.1.15
• 0b09384 Backport v5.0.6 change to v1 (#111)
• See full diff in compare view

Updates es-object-atoms from 1.1.1 to 1.1.2

Changelog

Sourced from es-object-atoms's changelog.

v1.1.2 - 2026-05-22

Commits

• [Dev Deps] update @ljharb/eslint-config, @ljharb/tsconfig, auto-changelog, eslint, npmignore 41e3d94
• [types] improve isObject type 758edc2

Commits

• 9e62644 v1.1.2
• 41e3d94 [Dev Deps] update @ljharb/eslint-config, @ljharb/tsconfig, `auto-changelo...
• 758edc2 [types] improve isObject type
• See full diff in compare view

Updates fast-xml-builder from 1.1.4 to 1.2.0

Changelog

Sourced from fast-xml-builder's changelog.

1.2.0 (2026-05-08)

• Add support for sanitizeName option
• Support xml-naming for validating and sanitizing tag and attribute names

1.1.9 (2026-05-06)

• fix: format output for preserve order when indent by is set to empty string

1.1.8 (2026-05-05)

• fix: skip text property for PI tags
• improve typings

1.1.7 (2026--05-04)

• fix security issues when attribute value contains quotes

1.1.6 (2026--05-04)

• fix security issues related to comment
• skip comment with null value

1.1.5 (2026-04-17)

• fix security issues related to comment and cdata

1.1.4 (2026-03-16)

• support maxNestedTags option

1.1.3 (2026-03-13)

• declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

1.1.2 (2026-03-11)

• fix typings

1.1.1 (2026-03-11)

• upgrade path-expression-matcher to 1.1.3

1.1.0 (2026-03-10)

• Integrate path-expression-matcher

Commits

• a9a905b for release
• 42680e8 support name sanitization
• 8b00185 release info
• 8a08f17 allow indentation to be empty string
• 7fc5dec update docs
• c241b6a improve documentation
• 15d5668 update for release
• 9877485 fix: skip text property for PI tags
• 311a221 fix #5 typing import issues
• e8fc5b1 update for releast
• Additional commits viewable in compare view

Updates fast-xml-parser from 5.6.0 to 5.8.0

Release notes

Sourced from fast-xml-parser's releases.

update strnum, FXB. Use xml-naming for DOCTYPE

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname because of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is by deault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

fix minor old bugs and update builder

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to use entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.8.0 / 2026-05-12

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is bydeault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

... (truncated)

Commits

• 4bcee44 for release
• 8a287bf release info
• 50b01dc Use "@​byspec/xml" for testing
• 816b652 update typings to mark validator use deprecated
• 8ad0e65 update fast-xml-builder and strnum
• 58e967e integrate xml-naming
• 42fa3c3 separate XML validator, UPDATE DOCS
• d6d8042 update to release
• d263370 remove dev dependency 'he'
• f9c9a2c update builder to 1.1.7
• Additional commits viewable in compare view

Updates hasown from 2.0.2 to 2.0.4

Changelog

Sourced from hasown's changelog.

v2.0.4 - 2026-05-28

Commits

• [types] drop the dead key-narrowing overload fdab00e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint 91f6247

v2.0.3 - 2026-04-17

Commits

• [actions] update workflows fb837b8
• [Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, @ljharb/tsconfig, @types/tape, auto-changelog, eslint, mock-property, npmignore, tape f4b279b
• [Dev Deps] update eslint, @ljharb/eslint-config; migrate to flat config 7e415ce
• [Dev Deps] update eslint ef313da
• [meta] use npm audit instead of aud d5c6d4d
• [types] add overload that narrows the key cc03a09

Commits

• 97f3a85 v2.0.4
• fdab00e [types] drop the dead key-narrowing overload
• 91f6247 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint
• 27ebd40 v2.0.3
• fb837b8 [actions] update workflows
• cc03a09 [types] add overload that narrows the key
• f4b279b [Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, `@ljharb/...
• ef313da [Dev Deps] update eslint
• 7e415ce [Dev Deps] update eslint, @ljharb/eslint-config; migrate to flat config
• d5c6d4d [meta] use npm audit instead of aud
• See full diff in compare view

Updates strnum from 2.2.3 to 2.4.0

Changelog

Sourced from strnum's changelog.

2.4.0 / 2026-06-09

• support unicode numerals using 'anynum'

2.3.0 / 2026-05-07

• support octal and binary, test with @​byspec/numbers
• test with @​byspec/numbers

2.2.3 / 2026-04-07

• remove unnecessary files from npm package

2.2.2 / 2026-03-23

• fix for space string

2.2.1 / 2026-03-19

• fix false positive for eNotation when no leading zeros

2.2.0 / 2026-02-28

• support infinity

2.1.0 / 2025-05-01

• fix e-notation
  • to return string when invalid enotation is found. Eg E24
  • to return valid number when only leading zero before e char is present

2.0.5 / 2025-02-27

• changes done in 1.1.2

1.1.2 / 2025-02-27

• fix skiplike for 0

1.1.1 / 2025-02-21

• All recent fixes of version 2

2.0.4 / 2025-02-20

• remove console log

2.0.3 / 2025-02-20

• fix for string which are falsly identified as e-notation

2.0.1 / 2025-02-20

• fix: handle only zeros
• fix: return original string when NaN

2.0.0 / 2025-02-20

• Migrating to ESM modules. No functional change

1.1.0 / 2025-02-20

... (truncated)

Commits

• 741d115 support unicode numerals using 'anynum'
• c8c32aa Add badges for downloads, version, and license
• 3984183 support octal and binary, test with @​byspec/numbers
• See full diff in compare view

Updates undici from 6.25.0 to 6.26.0

Release notes

Sourced from undici's releases.

v6.26.0

What's Changed

• fix: validate EOF for chunked h1 responses by @​mcollina in nodejs/undici#5308

Full Changelog: nodejs/undici@v6.25.0...v6.26.0

Commits

• 768beac Bumped v6.26.0 (#5323)
• 7917b25 fix: validate EOF for chunked h1 responses (#5308)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔮 Release Preview

Full Changelog: V2...preview