Skip to content

📦 [0.84]: Bump the all-dependencies group across 1 directory with 7 updates#16296

Open
dependabot[bot] wants to merge 1 commit into
0.84-stablefrom
dependabot/npm_and_yarn/0.84-stable/all-dependencies-eb362a3dd2
Open

📦 [0.84]: Bump the all-dependencies group across 1 directory with 7 updates#16296
dependabot[bot] wants to merge 1 commit into
0.84-stablefrom
dependabot/npm_and_yarn/0.84-stable/all-dependencies-eb362a3dd2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the all-dependencies group with 7 updates in the / directory:

Package From To
lage 2.15.12 2.15.16
@types/react 19.2.15 19.2.17
semver 7.8.1 7.8.5
tinyglobby 0.2.16 0.2.17
@microsoft/1ds-core-js 4.4.1 4.4.3
@microsoft/1ds-post-js 4.4.1 4.4.3
shell-quote 1.8.4 1.9.0

Updates lage from 2.15.12 to 2.15.16

Commits

Updates @types/react from 19.2.15 to 19.2.17

Commits

Updates semver from 7.8.1 to 7.8.5

Release notes

Sourced from semver's releases.

v7.8.5

7.8.5 (2026-06-19)

Bug Fixes

v7.8.4

7.8.4 (2026-06-09)

Bug Fixes

v7.8.3

7.8.3 (2026-06-08)

Bug Fixes

Chores

v7.8.2

7.8.2 (2026-06-04)

Bug Fixes

Changelog

Sourced from semver's changelog.

7.8.5 (2026-06-19)

Bug Fixes

7.8.4 (2026-06-09)

Bug Fixes

7.8.3 (2026-06-08)

Bug Fixes

Chores

7.8.2 (2026-06-04)

Bug Fixes

Commits

Updates tinyglobby from 0.2.16 to 0.2.17

Release notes

Sourced from tinyglobby's releases.

0.2.17

Changed

  • Enabled staged publishing for stronger supply-chain security

Fixed

  • Defaults when undefined is passed to any of the options by @​chloeelim
  • Drive-relative paths on Windows by @​Andrej730
  • FileSystemAdapter is now exported again

Consider sponsoring if you'd like to support the development of this project and the goal of reaching a lighter and faster ecosystem

Changelog

Sourced from tinyglobby's changelog.

0.2.17

Changed

  • Enabled staged publishing for stronger supply-chain security

Fixed

  • Defaults when undefined is passed to any of the options by chloeelim
  • Drive-relative paths on Windows by Andrej730
  • FileSystemAdapter is now exported again
Commits

Updates @microsoft/1ds-core-js from 4.4.1 to 4.4.3

Changelog

Sourced from @​microsoft/1ds-core-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.3 (July 2nd, 2026)

This is a maintenance release for the 3.4.x version line adding a new SDK statistics feature, a PostChannel reliability fix, and dependency security hardening. The @microsoft/1ds-post-js channel is numbered 4.4.3 and requires v3.4.3.

Significant Changes (since 3.4.2)

  • Customer SDK Stats: Added a new SdkStats feature that periodically collects internal SDK usage/health statistics. It is enabled by default and can be disabled (or explicitly configured) via the featureOptIn configuration (e.g. featureOptIn: { SdkStats: { mode: FeatureOptInMode.disable } }); the collection interval defaults to 15 minutes (sdkStats.int).

  • PostChannel Auto-Flush Stall Fix: Fixed a permanent stall in @microsoft/1ds-post-js where, under sustained intermittent send failures (e.g. a load balancer returning occasional 503s), auto flush could wedge behind the flush() wait-for-idle timer and permanently stop draining the in-memory queue — causing telemetry to be silently dropped as QueueFull until the process was restarted. Auto flush is now fire-and-forget and no longer parks the scheduler waiting for the manager to become completely idle.

  • Dependency Security Hardening: Pinned tar to >=7.5.16 to remediate CVE-2026-53655 and resolved the remaining npm audit findings in build tooling via dependency overrides (js-yaml, yaml, markdown-it, linkify-it). These are build/tooling changes and do not affect the published runtime packages.

Changelog

  • #2746 Fix PostChannel auto-flush permanent stall under sustained intermittent send failures
  • #2745 fix(security): pin tar >=7.5.16 to remediate CVE-2026-53655
  • #2707 Enable Customer SDK Stats
  • Resolve remaining npm audit findings via dependency overrides (js-yaml, yaml, markdown-it, linkify-it)

Full Changelog: microsoft/ApplicationInsights-JS@3.4.2...3.4.3

3.4.2 (June 18th, 2026)

This is a maintenance release for the 3.4.x version line containing security hardening, bug fixes, build tooling improvements, and CI updates. The @microsoft/1ds-post-js channel is numbered 4.4.2 and requires v3.4.2.

Significant Changes (since 3.4.1)

  • Prototype Pollution Hardening: The extend() and objExtend() helpers now filter unsafe keys (__proto__, constructor, prototype) to prevent prototype pollution when merging untrusted objects.

  • Dependency Vulnerability Resolution: Migrated the repository from npm to pnpm for dependency management and resolved all known dependency vulnerabilities. This is a build/tooling change and does not affect the published runtime packages.

  • OsPlugin Field Name Correction: The OsPlugin now emits the correct Common Schema 4.0 field names (ext.os.name and ext.os.ver). Telemetry consumers relying on the previously emitted (incorrect) field names should update to the corrected names.

  • RequestEnvelopeCreator Envelope Name Fix: Fixed RequestEnvelopeCreator so request telemetry is sent with the correct envelope name (Microsoft.ApplicationInsights.{ikey}.Request) instead of RequestData.

  • Offline Channel Reliability: Fixed a missing return after reject() in the offline channel that could lead to a null provider dereference.

  • Fixed [INVALID_ANNOTATION] warnings in Rolldown / Vite 8 consumers (#2736): The per-module dist-es5 output (the package module entry that modern bundlers import) emitted parenthesized PURE tree-shaking annotations with whitespace after the opening parenthesis (e.g. ( /*#__PURE__*/"http.")), which stricter bundlers such as Rolldown (Vite 8) rejected. The build now canonicalizes these annotations to the flush form ((/*#__PURE__*/"http.")) in the dist-es5 output, accepted by all bundlers while preserving the wrapping parentheses required for older Rollup / Webpack / Terser to tree-shake the constants. This complements #2737, which only normalized the rollup-bundled dist/es5 (main) output.

CI / Tooling

  • Dropped Node.js 16 from CI matrix: Node.js 16 is End-of-Life and several dependencies (e.g. puppeteer, @pnpm/error) now require Node.js 18 or later. The CI pipeline no longer runs against Node.js 16.
  • Added Node.js 22 and 24 to CI matrix: The CI pipeline now tests against Node.js 18, 20, 22, and 24.
  • Migrated from npm to pnpm: Dependency management now uses pnpm.

... (truncated)

Commits

Updates @microsoft/1ds-post-js from 4.4.1 to 4.4.3

Changelog

Sourced from @​microsoft/1ds-post-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.3 (July 2nd, 2026)

This is a maintenance release for the 3.4.x version line adding a new SDK statistics feature, a PostChannel reliability fix, and dependency security hardening. The @microsoft/1ds-post-js channel is numbered 4.4.3 and requires v3.4.3.

Significant Changes (since 3.4.2)

  • Customer SDK Stats: Added a new SdkStats feature that periodically collects internal SDK usage/health statistics. It is enabled by default and can be disabled (or explicitly configured) via the featureOptIn configuration (e.g. featureOptIn: { SdkStats: { mode: FeatureOptInMode.disable } }); the collection interval defaults to 15 minutes (sdkStats.int).

  • PostChannel Auto-Flush Stall Fix: Fixed a permanent stall in @microsoft/1ds-post-js where, under sustained intermittent send failures (e.g. a load balancer returning occasional 503s), auto flush could wedge behind the flush() wait-for-idle timer and permanently stop draining the in-memory queue — causing telemetry to be silently dropped as QueueFull until the process was restarted. Auto flush is now fire-and-forget and no longer parks the scheduler waiting for the manager to become completely idle.

  • Dependency Security Hardening: Pinned tar to >=7.5.16 to remediate CVE-2026-53655 and resolved the remaining npm audit findings in build tooling via dependency overrides (js-yaml, yaml, markdown-it, linkify-it). These are build/tooling changes and do not affect the published runtime packages.

Changelog

  • #2746 Fix PostChannel auto-flush permanent stall under sustained intermittent send failures
  • #2745 fix(security): pin tar >=7.5.16 to remediate CVE-2026-53655
  • #2707 Enable Customer SDK Stats
  • Resolve remaining npm audit findings via dependency overrides (js-yaml, yaml, markdown-it, linkify-it)

Full Changelog: microsoft/ApplicationInsights-JS@3.4.2...3.4.3

3.4.2 (June 18th, 2026)

This is a maintenance release for the 3.4.x version line containing security hardening, bug fixes, build tooling improvements, and CI updates. The @microsoft/1ds-post-js channel is numbered 4.4.2 and requires v3.4.2.

Significant Changes (since 3.4.1)

  • Prototype Pollution Hardening: The extend() and objExtend() helpers now filter unsafe keys (__proto__, constructor, prototype) to prevent prototype pollution when merging untrusted objects.

  • Dependency Vulnerability Resolution: Migrated the repository from npm to pnpm for dependency management and resolved all known dependency vulnerabilities. This is a build/tooling change and does not affect the published runtime packages.

  • OsPlugin Field Name Correction: The OsPlugin now emits the correct Common Schema 4.0 field names (ext.os.name and ext.os.ver). Telemetry consumers relying on the previously emitted (incorrect) field names should update to the corrected names.

  • RequestEnvelopeCreator Envelope Name Fix: Fixed RequestEnvelopeCreator so request telemetry is sent with the correct envelope name (Microsoft.ApplicationInsights.{ikey}.Request) instead of RequestData.

  • Offline Channel Reliability: Fixed a missing return after reject() in the offline channel that could lead to a null provider dereference.

  • Fixed [INVALID_ANNOTATION] warnings in Rolldown / Vite 8 consumers (#2736): The per-module dist-es5 output (the package module entry that modern bundlers import) emitted parenthesized PURE tree-shaking annotations with whitespace after the opening parenthesis (e.g. ( /*#__PURE__*/"http.")), which stricter bundlers such as Rolldown (Vite 8) rejected. The build now canonicalizes these annotations to the flush form ((/*#__PURE__*/"http.")) in the dist-es5 output, accepted by all bundlers while preserving the wrapping parentheses required for older Rollup / Webpack / Terser to tree-shake the constants. This complements #2737, which only normalized the rollup-bundled dist/es5 (main) output.

CI / Tooling

  • Dropped Node.js 16 from CI matrix: Node.js 16 is End-of-Life and several dependencies (e.g. puppeteer, @pnpm/error) now require Node.js 18 or later. The CI pipeline no longer runs against Node.js 16.
  • Added Node.js 22 and 24 to CI matrix: The CI pipeline now tests against Node.js 18, 20, 22, and 24.
  • Migrated from npm to pnpm: Dependency management now uses pnpm.

... (truncated)

Commits

Updates shell-quote from 1.8.4 to 1.9.0

Changelog

Sourced from shell-quote's changelog.

v1.9.0 - 2026-06-24

Commits

  • [New] add types dca6e21
  • [Dev Deps] update eslint 9aa9e8f
  • [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv) 7ff5488
  • [actions] update workflows 75e8497
  • [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3 cannot stage eslint 10@types/esrecurse 3fb739d
  • [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake abe0163
  • [actions] Windows + node 5/7: install deps with a modern node b4bafa2
  • [Fix] quote: escape leading ~ to prevent shell tilde-expansion 7a76c1a
  • [Dev Deps] update auto-changelog, tape 7184b44
  • [Dev Deps] apparently jackspeak is no longer in the graph 9ba368a
Commits
  • db09fc7 v1.9.0
  • 7ff5488 [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv)
  • b4bafa2 [actions] Windows + node 5/7: install deps with a modern node
  • 3fb739d [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3...
  • abe0163 [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake
  • 7a76c1a [Fix] quote: escape leading ~ to prevent shell tilde-expansion
  • 75e8497 [actions] update workflows
  • dca6e21 [New] add types
  • 9aa9e8f [Dev Deps] update eslint
  • 9ba368a [Dev Deps] apparently jackspeak is no longer in the graph
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 1, 2026 12:23
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 1, 2026
…pdates

Bumps the all-dependencies group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [lage](https://github.com/microsoft/lage) | `2.15.12` | `2.15.16` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.15` | `19.2.17` |
| [semver](https://github.com/npm/node-semver) | `7.8.1` | `7.8.5` |
| [tinyglobby](https://github.com/SuperchupuDev/tinyglobby) | `0.2.16` | `0.2.17` |
| [@microsoft/1ds-core-js](https://github.com/microsoft/ApplicationInsights-JS) | `4.4.1` | `4.4.3` |
| [@microsoft/1ds-post-js](https://github.com/microsoft/ApplicationInsights-JS) | `4.4.1` | `4.4.3` |
| [shell-quote](https://github.com/ljharb/shell-quote) | `1.8.4` | `1.9.0` |



Updates `lage` from 2.15.12 to 2.15.16
- [Commits](microsoft/lage@lage_v2.15.12...lage_v2.15.16)

Updates `@types/react` from 19.2.15 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `semver` from 7.8.1 to 7.8.5
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.8.1...v7.8.5)

Updates `tinyglobby` from 0.2.16 to 0.2.17
- [Release notes](https://github.com/SuperchupuDev/tinyglobby/releases)
- [Changelog](https://github.com/SuperchupuDev/tinyglobby/blob/main/CHANGELOG.md)
- [Commits](SuperchupuDev/tinyglobby@0.2.16...0.2.17)

Updates `@microsoft/1ds-core-js` from 4.4.1 to 4.4.3
- [Release notes](https://github.com/microsoft/ApplicationInsights-JS/releases)
- [Changelog](https://github.com/microsoft/ApplicationInsights-JS/blob/main/RELEASES.md)
- [Commits](https://github.com/microsoft/ApplicationInsights-JS/commits)

Updates `@microsoft/1ds-post-js` from 4.4.1 to 4.4.3
- [Release notes](https://github.com/microsoft/ApplicationInsights-JS/releases)
- [Changelog](https://github.com/microsoft/ApplicationInsights-JS/blob/main/RELEASES.md)
- [Commits](https://github.com/microsoft/ApplicationInsights-JS/commits)

Updates `shell-quote` from 1.8.4 to 1.9.0
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.4...v1.9.0)

---
updated-dependencies:
- dependency-name: "@microsoft/1ds-core-js"
  dependency-version: 4.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: "@microsoft/1ds-post-js"
  dependency-version: 4.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: lage
  dependency-version: 2.15.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: semver
  dependency-version: 7.8.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: shell-quote
  dependency-version: 1.9.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: tinyglobby
  dependency-version: 0.2.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/0.84-stable/all-dependencies-eb362a3dd2 branch from 864b28d to f4965bf Compare July 8, 2026 12:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants