📦 Bump the all-dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the all-dependencies group with 6 updates in the / directory:

Package	From	To
lage	2.15.12	2.15.15
semver	7.8.2	7.8.5
@microsoft/1ds-core-js	4.4.1	4.4.2
@microsoft/1ds-post-js	4.4.1	4.4.2
memfs	4.57.6	4.57.8
shell-quote	1.8.4	1.9.0

Updates lage from 2.15.12 to 2.15.15

Commits

• bf086e9 applying package updates
• c05cc77 Update yargs packages (#1156)
• 345b537 Update dependency cosmiconfig to v9.0.2 (#1147)
• 66e643c Bump esbuild from 0.25.12 to 0.28.1 (#1149)
• f5c7f28 applying package updates
• b762683 Lock file maintenance (#1150)
• f5c30dc Update GitHub Actions (official) (#1145)
• 92c5b64 Update GitHub Actions (official) (major) (#1154)
• 81d349c Add resolveRemoteAndBranch helper (#1160)
• 780ca2f applying package updates
• Additional commits viewable in compare view

Updates semver from 7.8.2 to 7.8.5

Release notes

Sourced from semver's releases.

v7.8.5

7.8.5 (2026-06-19)

Bug Fixes

• 9c8692a #878 include prereleases in tilde range lower bound with includePrerelease (#878) (@​chatman-media)

v7.8.4

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@​pupuking723)

v7.8.3

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@​wayyoungboy)

Chores

• 3485dda #866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@​dependabot[bot])

Changelog

Sourced from semver's changelog.

7.8.5 (2026-06-19)

Bug Fixes

• 9c8692a #878 include prereleases in tilde range lower bound with includePrerelease (#878) (@​chatman-media)

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@​pupuking723)

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@​wayyoungboy)

Chores

• 3485dda #866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@​dependabot[bot])

Commits

• 6e05b76 chore: release 7.8.5 (#879)
• 9c8692a fix: include prereleases in tilde range lower bound with includePrerelease (#...
• 8640bd6 chore: release 7.8.4 (#875)
• e583226 fix: reject numeric segments after x-ranges
• 6b77aa8 chore: release 7.8.3 (#873)
• 3485dda chore: bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866)
• 046da7f fix: align caret includePrerelease lower bounds (#872)
• See full diff in compare view

Updates @microsoft/1ds-core-js from 4.4.1 to 4.4.2

Changelog

Sourced from @​microsoft/1ds-core-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.2 (June 18th, 2026)

This is a maintenance release for the 3.4.x version line containing security hardening, bug fixes, build tooling improvements, and CI updates. The @microsoft/1ds-post-js channel is numbered 4.4.2 and requires v3.4.2.

Significant Changes (since 3.4.1)

• Prototype Pollution Hardening: The extend() and objExtend() helpers now filter unsafe keys (__proto__, constructor, prototype) to prevent prototype pollution when merging untrusted objects.

• Dependency Vulnerability Resolution: Migrated the repository from npm to pnpm for dependency management and resolved all known dependency vulnerabilities. This is a build/tooling change and does not affect the published runtime packages.

• OsPlugin Field Name Correction: The OsPlugin now emits the correct Common Schema 4.0 field names (ext.os.name and ext.os.ver). Telemetry consumers relying on the previously emitted (incorrect) field names should update to the corrected names.

• RequestEnvelopeCreator Envelope Name Fix: Fixed RequestEnvelopeCreator so request telemetry is sent with the correct envelope name (Microsoft.ApplicationInsights.{ikey}.Request) instead of RequestData.

• Offline Channel Reliability: Fixed a missing return after reject() in the offline channel that could lead to a null provider dereference.

• Fixed [INVALID_ANNOTATION] warnings in Rolldown / Vite 8 consumers (#2736): The per-module dist-es5 output (the package module entry that modern bundlers import) emitted parenthesized PURE tree-shaking annotations with whitespace after the opening parenthesis (e.g. ( /*#__PURE__*/"http.")), which stricter bundlers such as Rolldown (Vite 8) rejected. The build now canonicalizes these annotations to the flush form ((/*#__PURE__*/"http.")) in the dist-es5 output, accepted by all bundlers while preserving the wrapping parentheses required for older Rollup / Webpack / Terser to tree-shake the constants. This complements #2737, which only normalized the rollup-bundled dist/es5 (main) output.

CI / Tooling

• Dropped Node.js 16 from CI matrix: Node.js 16 is End-of-Life and several dependencies (e.g. puppeteer, @pnpm/error) now require Node.js 18 or later. The CI pipeline no longer runs against Node.js 16.
• Added Node.js 22 and 24 to CI matrix: The CI pipeline now tests against Node.js 18, 20, 22, and 24.
• Migrated from npm to pnpm: Dependency management now uses pnpm.

Changelog

• #2733 fix: Migrate from npm to pnpm and resolve all dependency vulnerabilities
• #2742 fix(ci): repair Node.js CI (Chrome install, bundle-size limits, ts-async offline-channel hang)
• #2737 fix: remove invalid PURE literal annotations and add bundle validation tests
• #2736 fix: canonicalize PURE annotations in dist-es5 (module) output to fix Rolldown/Vite 8 [INVALID_ANNOTATION] warnings
• #2735 fix: prevent prototype pollution in extend() and objExtend() via unsafe key filtering
• #2734 fix(offline-channel): Add missing return after reject() to prevent null provider dereference
• #2732 fix(OsPlugin): use correct CS 4.0 field names ext.os.name and ext.os.ver
• #2731 Drop Node.js 16 from CI matrix; add Node.js 22 and 24
• #2729 Potential fix for code scanning alert no. 2273: Workflow does not contain permissions
• #2728 Potential fix for code scanning alert no. 5940: Unused variable, import, function or class
• #2727 Potential fix for code scanning alert no. 5402: Semicolon insertion
• #2726 Potential fix for code scanning alert no. 5401: Unused variable, import, function or class
• #2725 Potential fix for code scanning alert no. 4240: Semicolon insertion
• #2724 fix: RequestEnvelopeCreator sends "RequestData" as envelope name instead of "Microsoft.ApplicationInsights.{ikey}.Request"
• #2722 Update Components
• #2721 Add CfgSync documentation

Full Changelog: microsoft/ApplicationInsights-JS@3.4.1...3.4.2

... (truncated)

Commits

• See full diff in compare view

Updates @microsoft/1ds-post-js from 4.4.1 to 4.4.2

Changelog

Sourced from @​microsoft/1ds-post-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.2 (June 18th, 2026)

This is a maintenance release for the 3.4.x version line containing security hardening, bug fixes, build tooling improvements, and CI updates. The @microsoft/1ds-post-js channel is numbered 4.4.2 and requires v3.4.2.

Significant Changes (since 3.4.1)

• Prototype Pollution Hardening: The extend() and objExtend() helpers now filter unsafe keys (__proto__, constructor, prototype) to prevent prototype pollution when merging untrusted objects.

• Dependency Vulnerability Resolution: Migrated the repository from npm to pnpm for dependency management and resolved all known dependency vulnerabilities. This is a build/tooling change and does not affect the published runtime packages.

• OsPlugin Field Name Correction: The OsPlugin now emits the correct Common Schema 4.0 field names (ext.os.name and ext.os.ver). Telemetry consumers relying on the previously emitted (incorrect) field names should update to the corrected names.

• RequestEnvelopeCreator Envelope Name Fix: Fixed RequestEnvelopeCreator so request telemetry is sent with the correct envelope name (Microsoft.ApplicationInsights.{ikey}.Request) instead of RequestData.

• Offline Channel Reliability: Fixed a missing return after reject() in the offline channel that could lead to a null provider dereference.

• Fixed [INVALID_ANNOTATION] warnings in Rolldown / Vite 8 consumers (#2736): The per-module dist-es5 output (the package module entry that modern bundlers import) emitted parenthesized PURE tree-shaking annotations with whitespace after the opening parenthesis (e.g. ( /*#__PURE__*/"http.")), which stricter bundlers such as Rolldown (Vite 8) rejected. The build now canonicalizes these annotations to the flush form ((/*#__PURE__*/"http.")) in the dist-es5 output, accepted by all bundlers while preserving the wrapping parentheses required for older Rollup / Webpack / Terser to tree-shake the constants. This complements #2737, which only normalized the rollup-bundled dist/es5 (main) output.

CI / Tooling

• Dropped Node.js 16 from CI matrix: Node.js 16 is End-of-Life and several dependencies (e.g. puppeteer, @pnpm/error) now require Node.js 18 or later. The CI pipeline no longer runs against Node.js 16.
• Added Node.js 22 and 24 to CI matrix: The CI pipeline now tests against Node.js 18, 20, 22, and 24.
• Migrated from npm to pnpm: Dependency management now uses pnpm.

Changelog

• #2733 fix: Migrate from npm to pnpm and resolve all dependency vulnerabilities
• #2742 fix(ci): repair Node.js CI (Chrome install, bundle-size limits, ts-async offline-channel hang)
• #2737 fix: remove invalid PURE literal annotations and add bundle validation tests
• #2736 fix: canonicalize PURE annotations in dist-es5 (module) output to fix Rolldown/Vite 8 [INVALID_ANNOTATION] warnings
• #2735 fix: prevent prototype pollution in extend() and objExtend() via unsafe key filtering
• #2734 fix(offline-channel): Add missing return after reject() to prevent null provider dereference
• #2732 fix(OsPlugin): use correct CS 4.0 field names ext.os.name and ext.os.ver
• #2731 Drop Node.js 16 from CI matrix; add Node.js 22 and 24
• #2729 Potential fix for code scanning alert no. 2273: Workflow does not contain permissions
• #2728 Potential fix for code scanning alert no. 5940: Unused variable, import, function or class
• #2727 Potential fix for code scanning alert no. 5402: Semicolon insertion
• #2726 Potential fix for code scanning alert no. 5401: Unused variable, import, function or class
• #2725 Potential fix for code scanning alert no. 4240: Semicolon insertion
• #2724 fix: RequestEnvelopeCreator sends "RequestData" as envelope name instead of "Microsoft.ApplicationInsights.{ikey}.Request"
• #2722 Update Components
• #2721 Add CfgSync documentation

Full Changelog: microsoft/ApplicationInsights-JS@3.4.1...3.4.2

... (truncated)

Commits

• See full diff in compare view

Updates memfs from 4.57.6 to 4.57.8

Release notes

Sourced from memfs's releases.

Release v4.57.8

What's Changed

• fix: clamp negative truncate length to zero (uninitialized-memory leak) by @​chatman-media in streamich/memfs#1261

New Contributors

• @​chatman-media made their first contribution in streamich/memfs#1261

Full Changelog: streamich/memfs@v4.57.7...v4.57.8

Release v4.57.7

What's Changed

• fix: 🐛 do not allow relative paths in snapshot restoration by @​streamich in streamich/memfs#1260

Full Changelog: streamich/memfs@v4.57.6...v4.57.7

Commits

• 29b912b chore: release v4.57.8
• b5c6c62 Merge pull request #1261 from chatman-media/fix/truncate-negative-length-memo...
• f2be1ce fix: 🐛 clamp negative truncate length to zero
• bbcc695 chore: release v4.57.7
• c67f51e Merge pull request #1260 from streamich/snapshot-fix
• d20c3e9 fix: 🐛 do not allow relative paths in snapshot restoration
• See full diff in compare view

Updates shell-quote from 1.8.4 to 1.9.0

Changelog

Sourced from shell-quote's changelog.

v1.9.0 - 2026-06-24

Commits

• [New] add types dca6e21
• [Dev Deps] update eslint 9aa9e8f
• [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv) 7ff5488
• [actions] update workflows 75e8497
• [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3 cannot stage eslint 10@types/esrecurse 3fb739d
• [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake abe0163
• [actions] Windows + node 5/7: install deps with a modern node b4bafa2
• [Fix] quote: escape leading ~ to prevent shell tilde-expansion 7a76c1a
• [Dev Deps] update auto-changelog, tape 7184b44
• [Dev Deps] apparently jackspeak is no longer in the graph 9ba368a

Commits

• db09fc7 v1.9.0
• 7ff5488 [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv)
• b4bafa2 [actions] Windows + node 5/7: install deps with a modern node
• 3fb739d [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3...
• abe0163 [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake
• 7a76c1a [Fix] quote: escape leading ~ to prevent shell tilde-expansion
• 75e8497 [actions] update workflows
• dca6e21 [New] add types
• 9aa9e8f [Dev Deps] update eslint
• 9ba368a [Dev Deps] apparently jackspeak is no longer in the graph
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com//pull/16283)