Skip to content

build: bump the deps-minor-update group across 1 directory with 8 updates#356

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/master/deps-minor-update-010bb2b880
Open

build: bump the deps-minor-update group across 1 directory with 8 updates#356
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/master/deps-minor-update-010bb2b880

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the deps-minor-update group with 8 updates in the / directory:

Package From To
@vscode/extension-telemetry 1.5.1 1.5.2
adm-zip 0.5.16 0.5.17
applicationinsights 3.14.0 3.15.0
axios 1.13.6 1.18.0
compressing 2.1.0 2.1.1
jimp 1.6.0 1.6.1
lodash 4.17.23 4.18.1
sanitize-filename 1.6.3 1.6.4

Updates @vscode/extension-telemetry from 1.5.1 to 1.5.2

Release notes

Sourced from @​vscode/extension-telemetry's releases.

v1.5.2

Changes:

  • #245: Update and explicitly list direct dependencies
  • #243: npm update brace-expansion
  • #242: Bump flatted from 3.4.1 to 3.4.2
  • #241: chore: migrate to ESLint 9 with flat config
  • #240: Bump minimatch from 3.1.2 to 3.1.5

This list of changes was auto generated.

Commits
  • e33243f Merge pull request #245 from microsoft/updateAndAddExplicitDependencies
  • 5c7de26 Update version.
  • 2e31d47 Update and explicitly list all dependencies.
  • 31e45f2 npm update brace-expansion (#243)
  • 5d142e3 Bump flatted from 3.4.1 to 3.4.2 (#242)
  • 7d1752f Merge pull request #241 from microsoft/copilot/migrate-to-eslint-9
  • 8131abe chore: migrate to ESLint 9 with flat config
  • 71d0bac Initial plan
  • 9e42092 Merge pull request #240 from microsoft/dependabot/npm_and_yarn/minimatch-3.1.5
  • 66b07a3 Bump minimatch from 3.1.2 to 3.1.5
  • See full diff in compare view

Updates adm-zip from 0.5.16 to 0.5.17

Release notes

Sourced from adm-zip's releases.

v0.5.17

What's Changed

New Contributors

Full Changelog: cthackers/adm-zip@v0.5.16...v0.5.17

Commits
  • 094d08c Incremented package version
  • 23c5e1d Added readUInt64LE test
  • 2818b03 Downgraded rimraf version to maintain node compatibility
  • 7c77752 Fixed readUInt64LE
  • 220f817 Updated vulnerable dependencies
  • c8c20fd Merge pull request #559 from kwolfy/master
  • 840bfdf Merge pull request #557 from DennisHill/DennisHill-patch-1
  • fdf64a4 fix issue with absolute paths
  • 6f0af5b Create only if the directory does not exist
  • 1cd32f7 Merge pull request #543 from issacgerges/master
  • Additional commits viewable in compare view

Updates applicationinsights from 3.14.0 to 3.15.0

Release notes

Sourced from applicationinsights's releases.

3.15.0

Breaking Changes

  • Minimum supported Node.js version is now 20.0.0. Node.js 18 is end-of-life (April 2025) and the underlying @azure/monitor-opentelemetry / @azure/monitor-opentelemetry-exporter dependencies require Node >= 20.

Other Changes

  • Updated @azure/monitor-opentelemetry to ^1.18.0 and @azure/monitor-opentelemetry-exporter to ^1.0.0-beta.41.
  • Resolved vulnerabilities in dependencies (added overrides for protobufjs ^8.2.0 and serialize-javascript ^7.0.5).

Bug Fixes

  • Fix memory leak caused by process event listener accumulation when useAzureMonitor() is called multiple times. (#1415)

Release PRs

Full Changelog: microsoft/ApplicationInsights-node.js@3.14.0...3.15.0

Changelog

Sourced from applicationinsights's changelog.

3.15.0 (2026-05-13)

Breaking Changes

  • Minimum supported Node.js version is now 20.0.0. Node.js 18 is end-of-life (April 2025) and the underlying @azure/monitor-opentelemetry / @azure/monitor-opentelemetry-exporter dependencies require Node >= 20.

Other Changes

  • Updated @​azure/monitor-opentelemetry and @​azure/monitor-opentelemetry-exporter.
  • Resolve vulnerabilities in dependencies.

Bug Fixes

  • Fix memory leak caused by process event listener accumulation when useAzureMonitor() is called multiple times. (#1415)
Commits

Updates axios from 1.13.6 to 1.18.0

Release notes

Sourced from axios's releases.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Commits
  • 2d06f96 chore(release): prepare release 1.18.0 (#11003)
  • 32fc489 fix: malformed http urls (#11000)
  • b40ce49 chore(deps-dev): bump the development_dependencies group with 10 updates (#10...
  • fe964f9 docs: mark proxy config as Node.js only (#10995)
  • 5f229d2 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions ...
  • fae9d4e docs: clarify package update PR policy (#10992)
  • 28ab2ce chore(deps-dev): bump the development_dependencies group with 2 updates (#10989)
  • a8e4f13 fix(core): keep default validateStatus when request passes undefined (#10899)
  • 614f455 docs: publish v1.17.0 release notes (#10988)
  • 6bb12c1 fix: custom auth headers not stripped on cross-origin redirects (#10892)
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates compressing from 2.1.0 to 2.1.1

Release notes

Sourced from compressing's releases.

v2.1.1

2.1.1 (2026-04-13)

  • fix: prevent symlink path traversal via pre-existing symlinks during tar extraction (9c885e5)
  • chore: map npm package links to npmx.dev (#134) (fba303c), closes #134

This release is also available on:

Changelog

Sourced from compressing's changelog.

2.1.1 (2026-04-13)

  • fix: prevent symlink path traversal via pre-existing symlinks during tar extraction (9c885e5)
  • chore: map npm package links to npmx.dev (#134) (fba303c), closes #134
Commits
  • 0a77278 Release 2.1.1
  • 9c885e5 fix: prevent symlink path traversal via pre-existing symlinks during tar extr...
  • fba303c chore: map npm package links to npmx.dev (#134)
  • See full diff in compare view

Updates jimp from 1.6.0 to 1.6.1

Release notes

Sourced from jimp's releases.

v1.6.1

🎉 This release contains work from new contributors! 🎉

Thanks for all your work!

❤️ Denys Kashkovskyi (@​Kashkovsky)

❤️ Viki (@​vikiboss)

🐛 Bug Fix

⚠️ Pushed to main

📝 Documentation

Authors: 3

Changelog

Sourced from jimp's changelog.

v1.6.1 (Tue Apr 07 2026)

🎉 This release contains work from new contributors! 🎉

Thanks for all your work!

❤️ Denys Kashkovskyi (@​Kashkovsky)

❤️ Viki (@​vikiboss)

🐛 Bug Fix

⚠️ Pushed to main

📝 Documentation

Authors: 3


v1.5.0 (Mon Sep 09 2024)

Release Notes

Add support for image decoder options (#1336)

Can now have options for the underlying image codecs

CleanShot 2024-09-07 at 15 26 41


🚀 Enhancement

  • @jimp/core, @jimp/types, @jimp/js-bmp, @jimp/js-jpeg, @jimp/js-png

... (truncated)

Commits

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates sanitize-filename from 1.6.3 to 1.6.4

Commits

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
applicationinsights [>= 3.6.a, < 3.7]

@dependabot dependabot Bot added dependencies Pull request updating dependency manifests (package.json, lockfiles, etc.) javascript labels Jun 1, 2026
Copilot AI review requested due to automatic review settings June 1, 2026 22:38
@dependabot dependabot Bot requested a review from a team as a code owner June 1, 2026 22:38
@dependabot dependabot Bot added dependencies Pull request updating dependency manifests (package.json, lockfiles, etc.) javascript labels Jun 1, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@github-actions

github-actions Bot commented Jun 1, 2026

Copy link
Copy Markdown
Messages
Your PR title & description are valid

Generated 29. 6. 2026 9:03:48 GMT+2 for ec39059

@make-pulumi make-pulumi Bot removed the javascript label Jun 1, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/master/deps-minor-update-010bb2b880 branch from 408e1a9 to d9edf58 Compare June 15, 2026 07:03
…ates

Bumps the deps-minor-update group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@vscode/extension-telemetry](https://github.com/Microsoft/vscode-extension-telemetry) | `1.5.1` | `1.5.2` |
| [adm-zip](https://github.com/cthackers/adm-zip) | `0.5.16` | `0.5.17` |
| [applicationinsights](https://github.com/microsoft/ApplicationInsights-node.js) | `3.14.0` | `3.15.0` |
| [axios](https://github.com/axios/axios) | `1.13.6` | `1.18.0` |
| [compressing](https://github.com/node-modules/compressing) | `2.1.0` | `2.1.1` |
| [jimp](https://github.com/jimp-dev/jimp) | `1.6.0` | `1.6.1` |
| [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |
| [sanitize-filename](https://github.com/parshap/node-sanitize-filename) | `1.6.3` | `1.6.4` |



Updates `@vscode/extension-telemetry` from 1.5.1 to 1.5.2
- [Release notes](https://github.com/Microsoft/vscode-extension-telemetry/releases)
- [Commits](microsoft/vscode-extension-telemetry@v1.5.1...v1.5.2)

Updates `adm-zip` from 0.5.16 to 0.5.17
- [Release notes](https://github.com/cthackers/adm-zip/releases)
- [Changelog](https://github.com/cthackers/adm-zip/blob/master/history.md)
- [Commits](cthackers/adm-zip@v0.5.16...v0.5.17)

Updates `applicationinsights` from 3.14.0 to 3.15.0
- [Release notes](https://github.com/microsoft/ApplicationInsights-node.js/releases)
- [Changelog](https://github.com/microsoft/ApplicationInsights-node.js/blob/main/CHANGELOG.md)
- [Commits](microsoft/ApplicationInsights-node.js@3.14.0...3.15.0)

Updates `axios` from 1.13.6 to 1.18.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.6...v1.18.0)

Updates `compressing` from 2.1.0 to 2.1.1
- [Release notes](https://github.com/node-modules/compressing/releases)
- [Changelog](https://github.com/node-modules/compressing/blob/master/CHANGELOG.md)
- [Commits](node-modules/compressing@v2.1.0...v2.1.1)

Updates `jimp` from 1.6.0 to 1.6.1
- [Release notes](https://github.com/jimp-dev/jimp/releases)
- [Changelog](https://github.com/jimp-dev/jimp/blob/v1.6.1/CHANGELOG.md)
- [Commits](jimp-dev/jimp@v1.6.0...v1.6.1)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `sanitize-filename` from 1.6.3 to 1.6.4
- [Changelog](https://github.com/parshap/node-sanitize-filename/blob/master/Changelog.md)
- [Commits](parshap/node-sanitize-filename@v1.6.3...v1.6.4)

---
updated-dependencies:
- dependency-name: "@vscode/extension-telemetry"
  dependency-version: 1.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: deps-minor-update
- dependency-name: adm-zip
  dependency-version: 0.5.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: deps-minor-update
- dependency-name: applicationinsights
  dependency-version: 3.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: deps-minor-update
- dependency-name: axios
  dependency-version: 1.16.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: deps-minor-update
- dependency-name: compressing
  dependency-version: 2.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: deps-minor-update
- dependency-name: jimp
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: deps-minor-update
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: deps-minor-update
- dependency-name: sanitize-filename
  dependency-version: 1.6.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: deps-minor-update
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/master/deps-minor-update-010bb2b880 branch from d9edf58 to ec39059 Compare June 29, 2026 07:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull request updating dependency manifests (package.json, lockfiles, etc.)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant