📦 [0.84]: Bump the all-dependencies group across 1 directory with 9 updates

[dependabot]

Bumps the all-dependencies group with 9 updates in the / directory:

Package	From	To
beachball	2.64.2	2.64.3
lage	2.15.6	2.15.8
simple-git	3.35.2	3.36.0
metro-runtime	0.83.5	0.83.6
metro-source-map	0.83.5	0.83.6
tinyglobby	0.2.15	0.2.16
@microsoft/1ds-core-js	4.3.11	4.4.1
@microsoft/1ds-post-js	4.3.11	4.4.1
resolve	1.22.11	1.22.12

Updates beachball from 2.64.2 to 2.64.3

Changelog

Sourced from beachball's changelog.

2.64.3

Fri, 10 Apr 2026 02:42:47 GMT

Patches

• Refine publish logging (elcraig@microsoft.com)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for beachball since your current version.

Updates lage from 2.15.6 to 2.15.8

Commits

• d386157 applying package updates
• 56f718d Enable trusted publishing (#1108)
• 67207bc Remove backfill-utils-dotenv (#1106)
• 4d11192 Security updates for nested deps (#1105)
• 874e75f Move normalized-tmpdir into lage repo (#1103)
• dbc1f0d Update github/codeql-action digest to c10b806 (#1104)
• 48b588e Add advanced CodeQL setup to run on all PRs
• ba8e7f0 Add reporter option to config file (#1101)
• 2ec5b1f applying package updates
• 3e9927e Fix Node compatibility of swc output (#1100)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for lage since your current version.

Updates simple-git from 3.35.2 to 3.36.0

Release notes

Sourced from simple-git's releases.

simple-git@3.36.0

Minor Changes

• 89a2294: Extend known exploitable configuration keys and per-task environment variables.

  Note - ParsedVulnerabilities from argv-parser is removed in favour of a readonly array of Vulnerability to match usage in simple-git, rolled into the new vulnerabilityCheck for simpler access to the identified issues.

  Thanks to @​zebbern for identifying the need to block core.fsmonitor. Thanks to @​kodareef5 for identifying the need to block GIT_CONFIG_COUNT environment variables and --template / merge related config.

Patch Changes

• 1ad57e8: Remove conflicting node:buffer import
• Updated dependencies [89a2294]
• Updated dependencies [675570a]
  • @​simple-git/argv-parser@​1.1.0
  • @​simple-git/args-pathspec@​1.0.3

Changelog

Sourced from simple-git's changelog.

3.36.0

Minor Changes

• 89a2294: Extend known exploitable configuration keys and per-task environment variables.

  Note - ParsedVulnerabilities from argv-parser is removed in favour of a readonly array of Vulnerability to match usage in simple-git, rolled into the new vulnerabilityCheck for simpler access to the identified issues.

  Thanks to @​zebbern for identifying the need to block core.fsmonitor. Thanks to @​kodareef5 for identifying the need to block GIT_CONFIG_COUNT environment variables and --template / merge related config.

Patch Changes

• 1ad57e8: Remove conflicting node:buffer import
• Updated dependencies [89a2294]
• Updated dependencies [675570a]
  • @​simple-git/argv-parser@​1.1.0
  • @​simple-git/args-pathspec@​1.0.3

Commits

• 7dc1a53 Version Packages
• 76f5376 Merge pull request #1061 from Vinzent03/fix/buffer-import
• 89a2294 Environment Parsing (#1156)
• 1b91b76 fix: remove explicit node:buffer import
• See full diff in compare view

Updates metro-runtime from 0.83.5 to 0.83.6

Release notes

Sourced from metro-runtime's releases.

v0.83.6

This release is on the 0.83.x branch

• [Feature]: Add keepalive "heartbeat" message to Fast Refresh connections (facebook/metro#1685 by @​robhogan)
• [Feature]: Add changeId metadata on HMRClient update-done messages (facebook/metro@1585e444284f by @​huntie)
• [Fix]: Include user-defined Babel config in transformer cache key to ensure correctness (facebook/metro#1638 by @​evanbacon)
• [Fix]: Detection of contents of directories moved or cloned into a watched location (facebook/metro#1660 by @​robhogan)
• [Fix]: Correctly detect contents as removed when a watched directory is moved, on macOS without Watchman (facebook/metro@c9e9fe64a77c by @​robhogan)
• [Performance]: Optimize PackageCache: use Map/Set, cache null results, eliminate per-hit allocations (facebook/metro@877b64ea5967 by @​robhogan)
• [Types]: Restore type exports from metro that were previously TypeScript-specific (facebook/metro#1672 by @​robhogan)

NOTE: Experimental features are not covered by semver and can change at any time.

• [Experimental]: Add config.unstable_fileMapPlugins (facebook/metro@567aa8b62b95 by @​robhogan)

Commits

• 3eecb5a Publish hotfix 0.83.6
• 7da3861 Add keepalive "heartbeat" message to Fast Refresh connections (#1685)
• b6e3989 Add changeId on HMRClient update-done message
• 41a2713 fix console errors thrown about not wrapping renders in act during tests
• c81087f Add SignedSource (@​generated) to generated TS types, use @​noformat
• See full diff in compare view

Updates metro-source-map from 0.83.5 to 0.83.6

Release notes

Sourced from metro-source-map's releases.

v0.83.6

This release is on the 0.83.x branch

• [Feature]: Add keepalive "heartbeat" message to Fast Refresh connections (facebook/metro#1685 by @​robhogan)
• [Feature]: Add changeId metadata on HMRClient update-done messages (facebook/metro@1585e444284f by @​huntie)
• [Fix]: Include user-defined Babel config in transformer cache key to ensure correctness (facebook/metro#1638 by @​evanbacon)
• [Fix]: Detection of contents of directories moved or cloned into a watched location (facebook/metro#1660 by @​robhogan)
• [Fix]: Correctly detect contents as removed when a watched directory is moved, on macOS without Watchman (facebook/metro@c9e9fe64a77c by @​robhogan)
• [Performance]: Optimize PackageCache: use Map/Set, cache null results, eliminate per-hit allocations (facebook/metro@877b64ea5967 by @​robhogan)
• [Types]: Restore type exports from metro that were previously TypeScript-specific (facebook/metro#1672 by @​robhogan)

NOTE: Experimental features are not covered by semver and can change at any time.

• [Experimental]: Add config.unstable_fileMapPlugins (facebook/metro@567aa8b62b95 by @​robhogan)

Commits

• 3eecb5a Publish hotfix 0.83.6
• f5a16a1 transformTypeParamBound codemod 9/9 (#1665)
• c81087f Add SignedSource (@​generated) to generated TS types, use @​noformat
• See full diff in compare view

Updates tinyglobby from 0.2.15 to 0.2.16

Release notes

Sourced from tinyglobby's releases.

0.2.16

Fixed

• Upgraded picomatch to 4.0.4, mitigating any potential exposure to CVE-2026-33671 and CVE-2026-33672

Changed

• Overhauled and optimized most internals by @​Torathion
• Ignore patterns are no longer compiled twice by @​webpro

Consider sponsoring if you'd like to support the development of this project and the goal of reaching a lighter and faster ecosystem

Changelog

Sourced from tinyglobby's changelog.

0.2.16

Fixed

• Upgraded picomatch to 4.0.4, mitigating any potential exposure to CVE-2026-33671 and CVE-2026-33672

Changed

• Overhauled and optimized most internals by Torathion
• Ignore patterns are no longer compiled twice by webpro

Commits

• 5779202 release 0.2.16
• 071954f bump deps once more
• e541dde do not import the whole fs module
• 2381b76 fix root being too broad
• 0addeb9 chore(deps): update all non-major dependencies (#191)
• 91ac26c chore(deps): update pnpm/action-setup action to v5 (#192)
• c50558e upgrade picomatch (and everything else)
• 6185175 chore(deps): update dependency picomatch to v4.0.4 [security] (#193)
• 49c2b93 enable pnpm trustPolicy
• bc825c4 chore(deps): update all non-major dependencies (#181)
• Additional commits viewable in compare view

Updates @microsoft/1ds-core-js from 4.3.11 to 4.4.1

Changelog

Sourced from @​microsoft/1ds-core-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.1 (April 7th, 2026)

This is the first full supported release of the 3.4.x version line. While a 3.4.0-beta was previously released for early testing and validation, version 3.4.0 was not released as a standard supported version — 3.4.1 is the first production-ready release in this series. The @microsoft/1ds-post-js channel is numbered 4.4.1 and requires v3.4.1.

Significant Changes (since 3.3.11)

The following are the significant changes since the previous full release (3.3.11). Some of these changes were previously included in the 3.4.0-beta release.

• W3C Trace State Support: Added full support for managing W3C Trace State and sending headers in distributed tracing, including new distributed tracing modes AI_AND_W3C_TRACE and W3C_TRACE that enable the tracestate header to be sent with requests when trace state information is available, the existing states will continue to not send the header.

• New Distributed Tracing Modes: Added new eDistributedTracingModes enum values:

  • AI_AND_W3C_TRACE (17): Sends Application Insights headers + W3C traceparent + W3C tracestate headers (if state value is present)
  • W3C_TRACE (18): Sends only W3C traceparent + W3C tracestate headers (if state value is present)

• Enhanced Distributed Tracing: Refactored the distributed tracing implementation to provide better support for the W3C Trace Context specification and prepare for future OpenTelemetry Span-style API integration.

• New W3C TraceState API: Introduced the IW3cTraceState interface that provides a mutable, ordered list of key/value pairs for trace state information with proper parent-child relationships.

• OpenTelemetry Integration Preparation: Added foundational OpenTelemetry interfaces (IOTelSpanContext, IOTelTraceState) to provide OpenTelemetry API compatibility.

• Additional Configuration: Added new configuration properties for W3C trace state support:

  • traceHdrMode: Controls if the SDK should look for the traceparent and/or tracestate values from service timing headers or meta tags from the initial page load (in IConfiguration)
  • Enhanced distributedTracingMode property to support the new W3C trace state modes (in ICorrelationConfig)

• Dependencies Extension: The dependency tracking extension now includes additional logic for W3C trace state handling, which may affect custom dependency listeners or initializers. The following interfaces and functions have been enhanced with W3C trace state support:

  • IDependencyListenerDetails interface now also includes a readonly traceState along with the previous traceId, spanId, traceFlags properties
  • addDependencyListener() function now provides access to W3C trace state information through the enhanced details object
  • addDependencyInitializer() function continues to work with existing dependency telemetry processing
  • Custom dependency listeners can now access and modify W3C trace state information before requests are sent

• Enhanced Cookie Management: Cookie values are now cached in memory when cookies are disabled instead of being lost, enabling support for consent banner workflows where cookies must be temporarily disabled until user approval. Automatic flushing occurs when cookies are re-enabled.

• OsPlugin Reliability Improvements: Improved OsPlugin with proactive OS retrieval, unload handling, and session caching for more reliable OS detection.

• URL Redaction Enhancements: Made URL redaction more dynamic for improved flexibility in field redaction scenarios.

Package Deprecation

The following packages have been merged into @microsoft/applicationinsights-core-js and are now deprecated. They continue to be published as backward-compatible shims (re-exporting from Core) so existing code will not break, but they are no longer used as dependencies by the main SDK packages. You should stop importing from these packages and migrate to @microsoft/applicationinsights-core-js directly.

• @microsoft/applicationinsights-common — All exports have been merged into @microsoft/applicationinsights-core-js. The package is now a compatibility shim that re-exports from Core. See the Migration Guide for details on updating your imports. This package will be removed in a future major release (4.0.0).

• @microsoft/1ds-core-js — All exports have been merged into @microsoft/applicationinsights-core-js. The package is now a compatibility shim that re-exports from Core. See the 1DS Core Migration Guide for class/import name changes and migration steps. Consumers should update their imports to reference @microsoft/applicationinsights-core-js directly. This package will be removed in a future major release (4.0.0).

... (truncated)

Commits

• See full diff in compare view

Updates @microsoft/1ds-post-js from 4.3.11 to 4.4.1

Changelog

Sourced from @​microsoft/1ds-post-js's changelog.

Releases

Note: ES3/IE8 compatibility will be removed in the future v3.x.x releases (scheduled for mid-late 2022), so if you need to retain ES3 compatibility you will need to remain on the 2.x.x versions of the SDK or your runtime will need install polyfill's to your ES3 environment before loading / initializing the SDK.

3.4.1 (April 7th, 2026)

This is the first full supported release of the 3.4.x version line. While a 3.4.0-beta was previously released for early testing and validation, version 3.4.0 was not released as a standard supported version — 3.4.1 is the first production-ready release in this series. The @microsoft/1ds-post-js channel is numbered 4.4.1 and requires v3.4.1.

Significant Changes (since 3.3.11)

The following are the significant changes since the previous full release (3.3.11). Some of these changes were previously included in the 3.4.0-beta release.

• W3C Trace State Support: Added full support for managing W3C Trace State and sending headers in distributed tracing, including new distributed tracing modes AI_AND_W3C_TRACE and W3C_TRACE that enable the tracestate header to be sent with requests when trace state information is available, the existing states will continue to not send the header.

• New Distributed Tracing Modes: Added new eDistributedTracingModes enum values:

  • AI_AND_W3C_TRACE (17): Sends Application Insights headers + W3C traceparent + W3C tracestate headers (if state value is present)
  • W3C_TRACE (18): Sends only W3C traceparent + W3C tracestate headers (if state value is present)

• Enhanced Distributed Tracing: Refactored the distributed tracing implementation to provide better support for the W3C Trace Context specification and prepare for future OpenTelemetry Span-style API integration.

• New W3C TraceState API: Introduced the IW3cTraceState interface that provides a mutable, ordered list of key/value pairs for trace state information with proper parent-child relationships.

• OpenTelemetry Integration Preparation: Added foundational OpenTelemetry interfaces (IOTelSpanContext, IOTelTraceState) to provide OpenTelemetry API compatibility.

• Additional Configuration: Added new configuration properties for W3C trace state support:

  • traceHdrMode: Controls if the SDK should look for the traceparent and/or tracestate values from service timing headers or meta tags from the initial page load (in IConfiguration)
  • Enhanced distributedTracingMode property to support the new W3C trace state modes (in ICorrelationConfig)

• Dependencies Extension: The dependency tracking extension now includes additional logic for W3C trace state handling, which may affect custom dependency listeners or initializers. The following interfaces and functions have been enhanced with W3C trace state support:

  • IDependencyListenerDetails interface now also includes a readonly traceState along with the previous traceId, spanId, traceFlags properties
  • addDependencyListener() function now provides access to W3C trace state information through the enhanced details object
  • addDependencyInitializer() function continues to work with existing dependency telemetry processing
  • Custom dependency listeners can now access and modify W3C trace state information before requests are sent

• Enhanced Cookie Management: Cookie values are now cached in memory when cookies are disabled instead of being lost, enabling support for consent banner workflows where cookies must be temporarily disabled until user approval. Automatic flushing occurs when cookies are re-enabled.

• OsPlugin Reliability Improvements: Improved OsPlugin with proactive OS retrieval, unload handling, and session caching for more reliable OS detection.

• URL Redaction Enhancements: Made URL redaction more dynamic for improved flexibility in field redaction scenarios.

Package Deprecation

The following packages have been merged into @microsoft/applicationinsights-core-js and are now deprecated. They continue to be published as backward-compatible shims (re-exporting from Core) so existing code will not break, but they are no longer used as dependencies by the main SDK packages. You should stop importing from these packages and migrate to @microsoft/applicationinsights-core-js directly.

• @microsoft/applicationinsights-common — All exports have been merged into @microsoft/applicationinsights-core-js. The package is now a compatibility shim that re-exports from Core. See the Migration Guide for details on updating your imports. This package will be removed in a future major release (4.0.0).

• @microsoft/1ds-core-js — All exports have been merged into @microsoft/applicationinsights-core-js. The package is now a compatibility shim that re-exports from Core. See the 1DS Core Migration Guide for class/import name changes and migration steps. Consumers should update their imports to reference @microsoft/applicationinsights-core-js directly. This package will be removed in a future major release (4.0.0).

... (truncated)

Commits

• See full diff in compare view

Updates resolve from 1.22.11 to 1.22.12

Commits

• d2d30de v1.22.12
• 655c3db [Fix] defaultPaths: handle null homedir gracefully
• 0cec52b [Fix] homedir: fix operator precedence bug with HOMEDRIVE/HOMEPATH concaten...
• a93a913 [Fix] loadpkg: add missing return after error callback to prevent double-...
• eeb965e [meta] update security policy to use GitHub PVR instead of Tidelift
• 7929ac1 [Test] add test from v2 branch
• 9fcaf60 [Refactor] use non-hoisted declarations instead of expressions
• 4c6db66 [Robustness] use es-errors
• 29bac90 [readme] replace runkit CI badge with shields.io check-runs badge
• 651f4d1 [Performance] avoid an unnecessary slice
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com//pull/15995)

[azure-pipelines]

Azure Pipelines:
1 pipeline(s) require an authorized user to comment /azp run to run.