📦 Bump the all-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the all-dependencies group with 7 updates in the / directory:

Package	From	To
lage	2.15.12	2.15.13
@types/react	19.2.16	19.2.17
semver	7.8.2	7.8.5
@microsoft/1ds-core-js	4.4.1	4.4.2
@microsoft/1ds-post-js	4.4.1	4.4.2
@microsoft/api-extractor	7.58.7	7.58.9
memfs	4.57.6	4.57.8

Updates lage from 2.15.12 to 2.15.13

Commits

• 780ca2f applying package updates
• ce44a8e Expose the --output-format option on the affected command (#1148)
• c7dddd7 Update dependency js-yaml to v4.2.0 (#1143)
• 7d240db Bump tmp from 0.2.5 to 0.2.7 (#1144)
• a896a49 Update GitHub Actions (official) (#1142)
• be570ac Update devDependency beachball to v2.65.5 (#1139)
• eaf70c6 Update dependency shell-quote to v1.8.4 (#1140)
• de630ad Lock file maintenance (#1088)
• f159e33 Update github/codeql-action digest to 7211b7c (#1138)
• 14d49f0 Bump @​tootallnate/once from 2.0.0 to 2.0.1 (#1137)
• Additional commits viewable in compare view

Updates @types/react from 19.2.16 to 19.2.17

Commits

• See full diff in compare view

Updates semver from 7.8.2 to 7.8.5

Release notes

Sourced from semver's releases.

v7.8.5

7.8.5 (2026-06-19)

Bug Fixes

• 9c8692a #878 include prereleases in tilde range lower bound with includePrerelease (#878) (@​chatman-media)

v7.8.4

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@​pupuking723)

v7.8.3

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@​wayyoungboy)

Chores

• 3485dda #866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@​dependabot[bot])

Changelog

Sourced from semver's changelog.

7.8.5 (2026-06-19)

Bug Fixes

• 9c8692a #878 include prereleases in tilde range lower bound with includePrerelease (#878) (@​chatman-media)

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@​pupuking723)

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@​wayyoungboy)

Chores

• 3485dda #866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@​dependabot[bot])

Commits

• 6e05b76 chore: release 7.8.5 (#879)
• 9c8692a fix: include prereleases in tilde range lower bound with includePrerelease (#...
• 8640bd6 chore: release 7.8.4 (#875)
• e583226 fix: reject numeric segments after x-ranges
• 6b77aa8 chore: release 7.8.3 (#873)
• 3485dda chore: bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866)
• 046da7f fix: align caret includePrerelease lower bounds (#872)
• See full diff in compare view

Updates @microsoft/1ds-core-js from 4.4.1 to 4.4.2

Changelog

Sourced from @​microsoft/1ds-core-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.2 (June 18th, 2026)

This is a maintenance release for the 3.4.x version line containing security hardening, bug fixes, build tooling improvements, and CI updates. The @microsoft/1ds-post-js channel is numbered 4.4.2 and requires v3.4.2.

Significant Changes (since 3.4.1)

• Prototype Pollution Hardening: The extend() and objExtend() helpers now filter unsafe keys (__proto__, constructor, prototype) to prevent prototype pollution when merging untrusted objects.

• Dependency Vulnerability Resolution: Migrated the repository from npm to pnpm for dependency management and resolved all known dependency vulnerabilities. This is a build/tooling change and does not affect the published runtime packages.

• OsPlugin Field Name Correction: The OsPlugin now emits the correct Common Schema 4.0 field names (ext.os.name and ext.os.ver). Telemetry consumers relying on the previously emitted (incorrect) field names should update to the corrected names.

• RequestEnvelopeCreator Envelope Name Fix: Fixed RequestEnvelopeCreator so request telemetry is sent with the correct envelope name (Microsoft.ApplicationInsights.{ikey}.Request) instead of RequestData.

• Offline Channel Reliability: Fixed a missing return after reject() in the offline channel that could lead to a null provider dereference.

• Fixed [INVALID_ANNOTATION] warnings in Rolldown / Vite 8 consumers (#2736): The per-module dist-es5 output (the package module entry that modern bundlers import) emitted parenthesized PURE tree-shaking annotations with whitespace after the opening parenthesis (e.g. ( /*#__PURE__*/"http.")), which stricter bundlers such as Rolldown (Vite 8) rejected. The build now canonicalizes these annotations to the flush form ((/*#__PURE__*/"http.")) in the dist-es5 output, accepted by all bundlers while preserving the wrapping parentheses required for older Rollup / Webpack / Terser to tree-shake the constants. This complements #2737, which only normalized the rollup-bundled dist/es5 (main) output.

CI / Tooling

• Dropped Node.js 16 from CI matrix: Node.js 16 is End-of-Life and several dependencies (e.g. puppeteer, @pnpm/error) now require Node.js 18 or later. The CI pipeline no longer runs against Node.js 16.
• Added Node.js 22 and 24 to CI matrix: The CI pipeline now tests against Node.js 18, 20, 22, and 24.
• Migrated from npm to pnpm: Dependency management now uses pnpm.

Changelog

• #2733 fix: Migrate from npm to pnpm and resolve all dependency vulnerabilities
• #2742 fix(ci): repair Node.js CI (Chrome install, bundle-size limits, ts-async offline-channel hang)
• #2737 fix: remove invalid PURE literal annotations and add bundle validation tests
• #2736 fix: canonicalize PURE annotations in dist-es5 (module) output to fix Rolldown/Vite 8 [INVALID_ANNOTATION] warnings
• #2735 fix: prevent prototype pollution in extend() and objExtend() via unsafe key filtering
• #2734 fix(offline-channel): Add missing return after reject() to prevent null provider dereference
• #2732 fix(OsPlugin): use correct CS 4.0 field names ext.os.name and ext.os.ver
• #2731 Drop Node.js 16 from CI matrix; add Node.js 22 and 24
• #2729 Potential fix for code scanning alert no. 2273: Workflow does not contain permissions
• #2728 Potential fix for code scanning alert no. 5940: Unused variable, import, function or class
• #2727 Potential fix for code scanning alert no. 5402: Semicolon insertion
• #2726 Potential fix for code scanning alert no. 5401: Unused variable, import, function or class
• #2725 Potential fix for code scanning alert no. 4240: Semicolon insertion
• #2724 fix: RequestEnvelopeCreator sends "RequestData" as envelope name instead of "Microsoft.ApplicationInsights.{ikey}.Request"
• #2722 Update Components
• #2721 Add CfgSync documentation

Full Changelog: microsoft/ApplicationInsights-JS@3.4.1...3.4.2

... (truncated)

Commits

• See full diff in compare view

Updates @microsoft/1ds-post-js from 4.4.1 to 4.4.2

Changelog

Sourced from @​microsoft/1ds-post-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.2 (June 18th, 2026)

This is a maintenance release for the 3.4.x version line containing security hardening, bug fixes, build tooling improvements, and CI updates. The @microsoft/1ds-post-js channel is numbered 4.4.2 and requires v3.4.2.

Significant Changes (since 3.4.1)

• Prototype Pollution Hardening: The extend() and objExtend() helpers now filter unsafe keys (__proto__, constructor, prototype) to prevent prototype pollution when merging untrusted objects.

• Dependency Vulnerability Resolution: Migrated the repository from npm to pnpm for dependency management and resolved all known dependency vulnerabilities. This is a build/tooling change and does not affect the published runtime packages.

• OsPlugin Field Name Correction: The OsPlugin now emits the correct Common Schema 4.0 field names (ext.os.name and ext.os.ver). Telemetry consumers relying on the previously emitted (incorrect) field names should update to the corrected names.

• RequestEnvelopeCreator Envelope Name Fix: Fixed RequestEnvelopeCreator so request telemetry is sent with the correct envelope name (Microsoft.ApplicationInsights.{ikey}.Request) instead of RequestData.

• Offline Channel Reliability: Fixed a missing return after reject() in the offline channel that could lead to a null provider dereference.

• Fixed [INVALID_ANNOTATION] warnings in Rolldown / Vite 8 consumers (#2736): The per-module dist-es5 output (the package module entry that modern bundlers import) emitted parenthesized PURE tree-shaking annotations with whitespace after the opening parenthesis (e.g. ( /*#__PURE__*/"http.")), which stricter bundlers such as Rolldown (Vite 8) rejected. The build now canonicalizes these annotations to the flush form ((/*#__PURE__*/"http.")) in the dist-es5 output, accepted by all bundlers while preserving the wrapping parentheses required for older Rollup / Webpack / Terser to tree-shake the constants. This complements #2737, which only normalized the rollup-bundled dist/es5 (main) output.

CI / Tooling

• Dropped Node.js 16 from CI matrix: Node.js 16 is End-of-Life and several dependencies (e.g. puppeteer, @pnpm/error) now require Node.js 18 or later. The CI pipeline no longer runs against Node.js 16.
• Added Node.js 22 and 24 to CI matrix: The CI pipeline now tests against Node.js 18, 20, 22, and 24.
• Migrated from npm to pnpm: Dependency management now uses pnpm.

Changelog

• #2733 fix: Migrate from npm to pnpm and resolve all dependency vulnerabilities
• #2742 fix(ci): repair Node.js CI (Chrome install, bundle-size limits, ts-async offline-channel hang)
• #2737 fix: remove invalid PURE literal annotations and add bundle validation tests
• #2736 fix: canonicalize PURE annotations in dist-es5 (module) output to fix Rolldown/Vite 8 [INVALID_ANNOTATION] warnings
• #2735 fix: prevent prototype pollution in extend() and objExtend() via unsafe key filtering
• #2734 fix(offline-channel): Add missing return after reject() to prevent null provider dereference
• #2732 fix(OsPlugin): use correct CS 4.0 field names ext.os.name and ext.os.ver
• #2731 Drop Node.js 16 from CI matrix; add Node.js 22 and 24
• #2729 Potential fix for code scanning alert no. 2273: Workflow does not contain permissions
• #2728 Potential fix for code scanning alert no. 5940: Unused variable, import, function or class
• #2727 Potential fix for code scanning alert no. 5402: Semicolon insertion
• #2726 Potential fix for code scanning alert no. 5401: Unused variable, import, function or class
• #2725 Potential fix for code scanning alert no. 4240: Semicolon insertion
• #2724 fix: RequestEnvelopeCreator sends "RequestData" as envelope name instead of "Microsoft.ApplicationInsights.{ikey}.Request"
• #2722 Update Components
• #2721 Add CfgSync documentation

Full Changelog: microsoft/ApplicationInsights-JS@3.4.1...3.4.2

... (truncated)

Commits

• See full diff in compare view

Updates @microsoft/api-extractor from 7.58.7 to 7.58.9

Changelog

Sourced from @​microsoft/api-extractor's changelog.

7.58.9

Sat, 13 Jun 2026 00:16:18 GMT

Version update only

7.58.8

Mon, 08 Jun 2026 15:15:49 GMT

Patches

• Add support for new d.ts extension format when using TS moduleResolution 'bundler' or 'nodenext'.

Commits

• b6a0df8 Bump versions [skip ci]
• 8c28c0d Update changelogs [skip ci]
• 2a07c93 chore: bump decoupled local dependencies (#5825)
• 89cbc56 Bump versions [skip ci]
• 4a6de47 Update changelogs [skip ci]
• 0310914 [api-extractor] Add support for new TS declaration format when using module r...
• fde6ed5 Fix: syntax error in resulting d.ts file (#5799)
• 2b7c453 chore: bump decoupled local dependencies (#5790)
• See full diff in compare view

Updates memfs from 4.57.6 to 4.57.8

Release notes

Sourced from memfs's releases.

Release v4.57.8

What's Changed

• fix: clamp negative truncate length to zero (uninitialized-memory leak) by @​chatman-media in streamich/memfs#1261

New Contributors

• @​chatman-media made their first contribution in streamich/memfs#1261

Full Changelog: streamich/memfs@v4.57.7...v4.57.8

Release v4.57.7

What's Changed

• fix: 🐛 do not allow relative paths in snapshot restoration by @​streamich in streamich/memfs#1260

Full Changelog: streamich/memfs@v4.57.6...v4.57.7

Commits

• 29b912b chore: release v4.57.8
• b5c6c62 Merge pull request #1261 from chatman-media/fix/truncate-negative-length-memo...
• f2be1ce fix: 🐛 clamp negative truncate length to zero
• bbcc695 chore: release v4.57.7
• c67f51e Merge pull request #1260 from streamich/snapshot-fix
• d20c3e9 fix: 🐛 do not allow relative paths in snapshot restoration
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com//pull/16277)