Update npm dependencies (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@actions/core (source)	^1.11.1 → ^3.0.0
typescript (source)	^5.7.0 → ^6.0.0
undici (source)	^6.24.0 → ^8.0.0
vite (source)	^7.3.2 → ^8.0.0
vitest (source)	^3.0.0 → ^4.0.0

---

Release Notes

actions/toolkit (@​actions/core)

v3.0.1

• Bump undici from 6.23.0 to 6.24.1 #​2348

v3.0.0

• Breaking change: Package is now ESM-only
  • CommonJS consumers must use dynamic import() instead of require()

v2.0.3

• Bump @actions/http-client to 3.0.2

v2.0.1

• Bump @​actions/exec from 1.1.1 to 2.0.0 #​2199

v2.0.0

• Add support for Node 24 #​2110
• Bump @​actions/http-client from 2.0.1 to 3.0.0

microsoft/TypeScript (typescript)

v6.0.3

Compare Source

v6.0.2

Compare Source

nodejs/undici (undici)

v8.3.0

Compare Source

What's Changed

• fix: preserve pool capacity after removing stale client by @​trivikr in #​5151
• build(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @​dependabot[bot] in #​5157
• build(deps): bump actions/upload-artifact from 5.0.0 to 7.0.1 by @​dependabot[bot] in #​5162
• build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @​dependabot[bot] in #​5156
• chore(http2): collapse duplicate request stream setup by @​trivikr in #​5140
• perf(client): cache HTTP/2 authority by @​trivikr in #​5141
• build(deps-dev): bump borp from 0.20.2 to 1.0.0 by @​dependabot[bot] in #​4819
• types: add TOpaque to client connect options by @​samuel871211 in #​4928
• build(deps): bump tinybench from 5.1.0 to 6.0.1 in /benchmarks by @​dependabot[bot] in #​4688
• build(deps): bump codecov/codecov-action from 5.5.1 to 6.0.0 by @​dependabot[bot] in #​4950
• build(deps): bump actions/dependency-review-action from 4.8.1 to 4.9.0 by @​dependabot[bot] in #​4951
• test(fetch): add userinfo coverage for issue-4897 URLs by @​mcollina in #​4901
• perf: avoid duplicate pool dispatcher selection on backpressure by @​trivikr in #​5149
• build(deps): bump actions/setup-node from 6.2.0 to 6.4.0 by @​dependabot[bot] in #​5163
• build(deps): bump step-security/harden-runner from 2.14.1 to 2.19.1 by @​dependabot[bot] in #​5160
• build(deps): bump cronometro from 5.3.0 to 6.0.3 in /benchmarks by @​dependabot[bot] in #​4687
• build(deps): bump github/codeql-action from 4.35.1 to 4.35.3 by @​dependabot[bot] in #​5161
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in #​4853
• build(deps): bump hendrikmuhs/ccache-action from 1.2.22 to 1.2.23 by @​dependabot[bot] in #​5158
• build(deps): bump fastify/github-action-merge-dependabot from 3.11.2 to 3.12.0 by @​dependabot[bot] in #​5159
• build(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in #​4854
• build(deps): bump uWebSockets.js from v20.64.0 to v20.66.0 in /benchmarks by @​dependabot[bot] in #​5130
• docs: mention install() also installs WebSocket globals by @​mcollina in #​5174
• types: stop interfering with @​types/node by @​Renegade334 in #​5173
• fix: align h2 empty body content-length methods with h1 by @​trivikr in #​5172
• build(deps-dev): bump fast-check from 4.6.0 to 4.7.0 by @​dependabot[bot] in #​5192
• build(deps-dev): bump typescript from 6.0.2 to 6.0.3 by @​dependabot[bot] in #​5191
• test: move cleanup from finally to after hooks by @​trivikr in #​5194
• test: resolve flaky timeout in issue-3356 by @​trivikr in #​5188
• SnapshotAgent: Add normalizeBody and normalizeQuery by @​GeoffreyBooth in #​5121
• fix(socks5): use configured connector in Socks5ProxyAgent by @​trivikr in #​5168
• perf(http2): avoid isArray checks for common headers by @​trivikr in #​5170
• fix(test): make deduplicate body-streaming test non-flaky by @​mcollina in #​5196
• test(retry): add regression test for RetryAgent + HTTP/2 stream timeout (#​5137) by @​mcollina in #​5176
• fix(socks5): preserve dispatch backpressure return value by @​trivikr in #​5166
• perf(http2): end zero-length request bodies with headers by @​trivikr in #​5169
• fix(test): make issue-2898-comment.js assertion robust against flakiness by @​mcollina in #​5208
• test: disable timeouts in h2 high concurrency regression by @​trivikr in #​5205
• test: deflake stream compat coverage by @​mcollina in #​5209
• fix(dispatcher): remove unreachable assert in writeBlob by @​SAY-5 in #​5231
• fix: clean up benchmark resources before worker exit by @​trivikr in #​5225
• test: avoid per-chunk assertions in diagnostics get by @​trivikr in #​5224
• test: capture cache test worker stderr and preserve failures by @​trivikr in #​5206
• chore: gitignore benchmarks/package-lock.json by @​trivikr in #​5228
• perf(proxy-agent): avoid extra header allocations in auth guard by @​trivikr in #​5164
• test(wpt): retry WPT server startup on port conflicts or timeout by @​trivikr in #​5215
• test: make websocket diagnostics ping-pong ordering deterministic by @​trivikr in #​5222
• test(websocket): fix flaky send test by @​mcollina in #​5232
• fix: prevent node-fetch test server close from hanging on Windows by @​mcollina in #​5246
• test: wait for cache test server to listen by @​trivikr in #​5242
• fix: accept unknown-size Content-Range values by @​trivikr in #​5120
• test: avoid global dispatcher state in mock client tests by @​trivikr in #​5258
• test: fix flaky permessage-deflate limit timeout by @​mcollina in #​5229
• test: drain request bodies in request tests by @​trivikr in #​5247
• test: reduce retry-after invalid date timing flake by @​trivikr in #​5250
• test: drive request timeout ticks after connect by @​trivikr in #​5251
• test: only fail max-listener checks on max-listener warnings by @​trivikr in #​5253
• test: avoid double-closing server in client-request test by @​trivikr in #​5255
• fix(retry-handler): validate response body length against Content-Range by @​mcollina in #​4975
• test: wait for inflight-and-close body cleanup by @​trivikr in #​5261
• fix(test): make http2-pseudo-headers test order-independent by @​mcollina in #​5234
• fix: preserve fetch multipart body on MockAgent fallback by @​mcollina in #​5269
• ci: build Node FFI fixtures for shared-builtin tests by @​trivikr in #​5275
• test: deflake issue-5137 stream count assertion by @​trivikr in #​5243
• fix: replace finished() with writable lifecycle tracking by @​trivikr in #​5001
• perf(client-h2): reuse request stream handlers by @​trivikr in #​5280
• fix: prevent pipeline body replay on redirect by @​mcollina in #​5274
• fix(types): remove throwOnError from Dispatcher.RequestOptions by @​Zelys-DFKH in #​5279
• fix: validate EOF for chunked h1 responses by @​mcollina in #​5273
• test: deflake parser-issues teardown by @​mcollina in #​5278
• test: make http2-alpn control requests explicit by @​trivikr in #​5252
• test: include cache-test worker metadata on failure by @​trivikr in #​5276
• test: include after in parser-issues by @​trivikr in #​5284
• cache formdata boundary by @​KhafraDev in #​5292
• build(deps-dev): bump fast-check from 4.7.0 to 4.8.0 by @​dependabot[bot] in #​5298
• test: retry crashed cache-test workers once by @​trivikr in #​5294
• Add Node 26 to the matrix by @​mcollina in #​5271
• perf(client-h2): reuse request upgrade stream handlers by @​trivikr in #​5293
• build(deps-dev): bump jest from 30.3.0 to 30.4.2 by @​dependabot[bot] in #​5297
• build(deps): bump uWebSockets.js from v20.66.0 to v20.67.0 in /benchmarks by @​dependabot[bot] in #​5299
• test: fix flaky http2-dispatcher WebSocket upgrade tests by @​mcollina in #​5304

New Contributors

• @​Zelys-DFKH made their first contribution in #​5279

Full Changelog: nodejs/undici@v8.2.0...v8.3.0

v8.2.0

Compare Source

What's Changed

• chore: use native addAbortListener by @​trivikr in #​5021
• fix: fix the logic for the UNDICI_NO_WASM_SIMD environment variable by @​ShenHongFei in #​5026
• fix(http2): send body for non-expectsPayload methods with content by @​mcollina in #​5030
• fix(fetch): correct 'navigator' typo to 'navigate' in fetchFinale by @​deepview-autofix in #​5044
• fix(webidl): correct signed integer bounds in ConvertToInt by @​deepview-autofix in #​5038
• fix(fetch): use || for CRLF check in multipart formdata-parser by @​deepview-autofix in #​5049
• fix(websocket): correct argument order in WebSocketStream UTF-8 failure by @​deepview-autofix in #​5050
• fix(pool): propagate useH2c to connector when connections > 1 by @​SAY-5 in #​5031
• fix(cache): return immutable staleAt in milliseconds by @​deepview-autofix in #​5048
• fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing by @​deepview-autofix in #​5041
• fix(cache): evict oldest entries first in SqliteCacheStore prune by @​deepview-autofix in #​5039
• fix(socks5): correctly expand IPv6 '::' compressed notation by @​deepview-autofix in #​5046
• Remove unused func and unnecessary shim by @​tsctx in #​5053
• fix: reject malformed content-length request headers by @​trivikr in #​5060
• fix(request): reject NaN highWaterMark during option validation by @​trivikr in #​5062
• docs: fix broken links in docsify sidebar by @​maruthang in #​5065
• fix(fetch): prefer filename* over filename in multipart form-data by @​maruthang in #​5068
• fix(http2): reject websocket upgrades on non-200 responses by @​trivikr in #​5072
• feat: support username-only proxy authentication in ProxyAgent by @​rossilor95 in #​4935
• build(deps): bump uWebSockets.js from v20.58.0 to v20.64.0 in /benchmarks by @​dependabot[bot] in #​5083
• fix(client-h2): stop double-decrementing kOpenStreams on stream timeout by @​SAY-5 in #​5076
• fix(http2): reject upgrade streams closed before response headers by @​trivikr in #​5069
• fix(http2): allow GET and HEAD request bodies over h2 by @​trivikr in #​5058
• fix(cache): include query in cache key when opts.path is undefined by @​maruthang in #​5081
• fix: avoid premature cleanup of dispatcher in Agent by @​bienzaaron in #​5034
• fix(http2): record ping failures on the socket by @​trivikr in #​5075
• add undici security policy by @​mcollina in #​5056
• fix(mock): make filterCalls AND operator actually intersect results by @​deepview-autofix in #​5045
• fix(socks5): enforce authenticated state before CONNECT by @​trivikr in #​5097
• fix(cache): skip expired sqlite vary entries during lookup by @​trivikr in #​5095
• fix: enforce maxCachedSessions in TLS session cache by @​trivikr in #​5102
• fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly by @​trivikr in #​5099
• fix: handle invalid HTTP/2 connection headers (#​4356) by @​mcollina in #​5101
• fix(interceptor): add throwOnMaxRedirect to types and interceptor opts by @​maruthang in #​5066
• fix(websocket): avoid double-closing canceled stream readers by @​colinaaa in #​5105
• fix(cache): persist vary when updating sqlite cache entries by @​trivikr in #​5109
• refactor(h1): track HEAD keep-alive override as boolean by @​trivikr in #​5110
• client: cache llhttp wasm buffer view by @​trivikr in #​5115
• deps: update llhttp to 9.3.1 by @​mcollina in #​5113
• fix(http2): preserve accepted streams after GOAWAY by @​trivikr in #​5090
• fix: reuse parser WeakRef for timeout callbacks by @​trivikr in #​5125
• fix: stop buffering data after SOCKS5 connect by @​trivikr in #​5118
• perf(http2): avoid response header reserialization by @​trivikr in #​5085
• fix(cache): enforce sqlite maxCount after insert by @​trivikr in #​5112
• perf: reduce EventSourceStream parser allocations by @​trivikr in #​5032
• types(dispatcher): use OutgoingHttpHeaders for request headers by @​maruthang in #​5067
• cleanup: delete redundant .gitkeep file by @​shivarm in #​5133
• fix(http2): respect peer max concurrent streams by @​trivikr in #​5135
• test(http2): ensure websocket upgrade resumes queued requests by @​trivikr in #​5132
• test(mock): cover SnapshotAgent excludeUrls playback by @​maruthang in #​5080
• perf(client): parse h1 content-length statelessly by @​trivikr in #​5124
• perf(http2): reduce writeH2 per-request callback allocations by @​trivikr in #​5138
• chore(deps): add lockfile by @​aduh95 in #​5139
• perf: use byteLength property for binary body chunks by @​trivikr in #​5126
• fix(cache): allow streamed entries at maxEntrySize limit by @​trivikr in #​5129
• perf(http2): avoid cloning headers when removing status by @​trivikr in #​5127
• fix: validate H2CClient maxConcurrentStreams option by @​trivikr in #​5143
• perf: avoid redundant scans in BalancedPool dispatcher selection by @​trivikr in #​5146
• fix: replace stale pool clients under connection limit by @​trivikr in #​5145

New Contributors

• @​deepview-autofix made their first contribution in #​5044
• @​SAY-5 made their first contribution in #​5031
• @​maruthang made their first contribution in #​5065
• @​bienzaaron made their first contribution in #​5034

Full Changelog: nodejs/undici@v8.1.0...v8.2.0

v8.1.0

Compare Source

What's Changed

• feat: add configurable maxPayloadSize for WebSocket by @​mcollina in #​4955

Full Changelog: nodejs/undici@v8.0.3...v8.1.0

v8.0.3

Compare Source

What's Changed

• docs: add an Undici 7 to 8 migration guide by @​mcollina in #​4963
• chore: switch deferred promise with Promise.withResolvers() by @​trivikr in #​4972
• chore: remove zstd and markAsUncloneable feature probes by @​trivikr in #​4968
• test: remove obsolete nodeMajor/nodeMinor util exports by @​trivikr in #​4976
• chore: use Promise.withResolvers in SOCKS5 proxy agent by @​trivikr in #​4978
• build(deps-dev): bump esbuild from 0.27.7 to 0.28.0 by @​dependabot[bot] in #​4985
• build(deps-dev): bump proxy from 2.2.0 to 4.0.0 by @​dependabot[bot] in #​4987
• build(deps): bump got from 14.6.6 to 15.0.0 in /benchmarks by @​dependabot[bot] in #​4988
• chore: use Object.hasOwn for iterator checks by @​trivikr in #​4979
• doc: Update dump({ limit: Integer }) default value by @​samuel871211 in #​4981
• fix: avoid 401 failures for stream-backed request bodies by @​mcollina in #​4941
• test: remove unsupported Node version checks from fetch tests by @​trivikr in #​4977
• types: remove legacy AbortSignal alias now provided by @​types/node by @​trivikr in #​4995
• fix: remove stale constructor interceptors from types and pool options by @​trivikr in #​4994
• doc: update incorrect description of dump.maxSize by @​samuel871211 in #​4982
• ci: enable coverage for node.js 25 by @​shivarm in #​4980
• refactor: reuse wrapRequestBody in RedirectHandler by @​trivikr in #​4992
• fix: preserve connect option in H2CClient by @​trivikr in #​5000
• types: document Client and H2CClient option declarations by @​trivikr in #​4998
• fix: native WebSocket over H2 server after undici import by @​mcollina in #​4990
• chore(test): issue 3969 by @​rozzilla in #​5005
• fix(1270): throw descriptive error when opts.dispatcher–passed instance methods by @​rozzilla in #​5007
• docs: Change the default value of allowH2 in JSDoc by @​7hokerz in #​5009
• chore(test): cover issue 5014 by @​rozzilla in #​5015
• fix: prevent cache dedup key collision via unescaped delimiters by @​eddieran in #​5013
• fix(proxy agent): respect connectTimeout by @​rozzilla in #​5011

New Contributors

• @​7hokerz made their first contribution in #​5009
• @​eddieran made their first contribution in #​5013

Full Changelog: nodejs/undici@v8.0.2...v8.0.3

v8.0.2

Compare Source

What's Changed

• fix(websocket): fallback to HTTP/1.1 when H2 CONNECT is unavailable by @​mcollina in #​4966
• fix: release ref by @​mcollina in #​4965
• ci: reenable shared builtin CI tests by @​mcollina in #​4967

Full Changelog: nodejs/undici@v8.0.1...v8.0.2

v8.0.1

Compare Source

What's Changed

• Remove legacy handler wrappers by @​mcollina in #​4786
• fix: isolate global dispatcher v2 and add Dispatcher1Wrapper bridge by @​mcollina in #​4827
• fix: preserve request statusText and update h2 dispatch tests by @​mcollina in #​4830
• feat!: enable h2 by default by @​metcoder95 in #​4828
• fix(cache): preserve short-lived entries for revalidation by @​mcollina in #​4934
• fix: remove support for non-real Blob objects by @​mcollina in #​4937
• build(deps): bump github/codeql-action from 4.32.3 to 4.35.1 by @​dependabot[bot] in #​4953
• Undici 8 by @​mcollina in #​4916
• build(deps): bump hendrikmuhs/ccache-action from 1.2.19 to 1.2.22 by @​dependabot[bot] in #​4954
• doc: remove duplicate listItem of RetryHandler.md & RetryHandler.md by @​samuel871211 in #​4948
• fix: mirror the legacy global dispatcher for built-in fetch by @​mcollina in #​4962
• fix(websocket/stream): only enqueue parsed messages in WebSocketStream by @​colinaaa in #​4959

New Contributors

• @​colinaaa made their first contribution in #​4959

Full Changelog: nodejs/undici@v7.24.7...v8.0.1

v8.0.0

Compare Source

What's Changed

• Remove legacy handler wrappers by @​mcollina in #​4786
• fix: isolate global dispatcher v2 and add Dispatcher1Wrapper bridge by @​mcollina in #​4827
• fix: preserve request statusText and update h2 dispatch tests by @​mcollina in #​4830
• feat!: enable h2 by default by @​metcoder95 in #​4828
• fix(cache): preserve short-lived entries for revalidation by @​mcollina in #​4934
• fix: remove support for non-real Blob objects by @​mcollina in #​4937
• build(deps): bump github/codeql-action from 4.32.3 to 4.35.1 by @​dependabot[bot] in #​4953
• Undici 8 by @​mcollina in #​4916

Full Changelog: nodejs/undici@v7.24.7...v8.0.0

v7.26.0

Compare Source

What's Changed

• fix: backport safe main fixes to v7.x by @​mcollina in #​5136
• fix: validate EOF for chunked h1 responses by @​mcollina in #​5307

Full Changelog: nodejs/undici@v7.25.0...v7.26.0

v7.25.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

Compare Source

What's Changed

• fix: backport 401 stream-backed body fix to v7.x by @​mcollina in #​5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

Compare Source

What's Changed

• docs: update broken links in file "Dispatcher.md" by @​samuel871211 in #​4924
• doc: remove unused parameter redirectionLimitReached by @​samuel871211 in #​4933
• test: skip flaky macOS Node 20 cookie fetch cases by @​mcollina in #​4932
• fix(types): align Response with DOM fetch types by @​theamodhshetty in #​4867
• fix(types): Fix clone method type declaration to be an instance method rather than instance property by @​mistval in #​4925
• test: skip IPv6 tests when IPv6 is not available by @​mcollina in #​4939
• fix: correctly handle multi-value rawHeaders in fetch by @​mcollina in #​4938
• ignore AGENTS.md by @​mcollina in #​4942

New Contributors

• @​samuel871211 made their first contribution in #​4924
• @​mistval made their first contribution in #​4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

Compare Source

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in #​4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in #​4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in #​4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in #​4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in #​4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in #​4834
• docs: clarify fetch and FormData pairing by @​mcollina in #​4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in #​4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in #​4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in #​4926
• test: auto-init WPT submodule by @​mcollina in #​4930

New Contributors

• @​rozzilla made their first contribution in #​4909
• @​veeceey made their first contribution in #​4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

Compare Source

What's Changed

• Formdata tests by @​KhafraDev in #​4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in #​4844
• fix(cache): only apply 1-year deleteAt for immutable responses by @​metalix2 in #​4913

New Contributors

• @​metalix2 made their first contribution in #​4913

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

Compare Source

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in #​4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

Compare Source

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in #​4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

Compare Source

What's Changed

• fix fetch path logic by @​KhafraDev in #​4890
• remove maxDecompressedMessageSize by @​KhafraDev in #​4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

Compare Source

v7.24.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.23.0...v7.24.0

v7.23.0

Compare Source

v7.22.0

Compare Source

What's Changed

• docs: fix syntax highlighting in WebSocket.md by @​styfle in #​4814
• fix: use OR operator in includesCredentials per WHATWG URL Standard by @​jackhax in #​4816
• feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk by @​SuperOleg39 in #​4676
• fix: route WebSocket upgrades through onRequestUpgrade by @​mcollina in #​4787
• build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 by @​dependabot[bot] in #​4821
• fix(deduplicate): do not deduplicate non-safe methods by default by @​mcollina in #​4818
• feat: Support async cache stores in revalidation by @​marcopiraccini in #​4826

New Contributors

• @​jackhax made their first contribution in #​4816
• @​marcopiraccini made their first contribution in #​4826

Full Changelog: nodejs/undici@v7.21.0...v7.22.0

v7.21.0

Compare Source

What's Changed

• build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @​dependabot[bot] in #​4796
• test: restore global dispatcher after fetch tests by @​mcollina in #​4790
• Add missing close method to WebSocketStream interface by @​piotr-cz in #​4802
• fix: error stream instead of canceling by @​KhafraDev in #​4804
• Fix clientTtl cleanup race in Agent by @​mcollina in #​4807
• feat(#​4230): Implement pingInterval for dispatching PING frames by @​metcoder95 in #​4296
• fix: handle undefined __filename in bundled environments by @​mcollina in #​4812
• fix: set finalizer only for fetch responses by @​tsctx in #​4803

New Contributors

• @​piotr-cz made their first contribution in #​4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

Compare Source

What's Changed

• fix: preserve fetch stack traces b

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/Paris)

• Branch creation
  • "after 7am every weekday,before 8pm every weekday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined

Post-upgrade command 'pre-commit autoupdate --freeze || true' has not been added to the allowed list in allowedCommands

[sonarqube-cloud-us]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonar-review-alpha]

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

Dependency Update: Major Version Bumps

This PR updates three major dependencies that will need validation:

• @actions/core ^1.11.1 → ^3.0.0: Now ESM-only (breaking change from CommonJS)
• typescript ^5.7.0 → ^6.0.0: Major release with potential type checking changes
• vitest ^3.0.0 → ^4.0.0: Significant internal refactor (removed tinypool, debug, cac; restructured internal modules)

Good news: The codebase is already written in ESM (using import statements), so @actions/core's breaking change should not cause issues. The bundled output is created via ncc, which should handle ESM dependencies correctly.

What needs verification: Build artifacts, test execution, and runtime behavior of the bundled credential setup/guard scripts.

What reviewers should know

Review Focus

Start here: Verify the bundled outputs still work:

• Run the build command (npm run build) and check that ncc successfully bundles with ESM @actions/core
• Run tests (npm run test) to confirm vitest 4 compatibility with the existing test suite
• TypeScript 6 may introduce new type errors—watch for tsc output if tests pass

Non-obvious changes:

• @actions/core's transitive deps were also bumped significantly: @actions/exec (1.1.1 → 3.0.0), @actions/http-client (2.2.3 → 4.0.1), undici (5.29 → 6.25, dropping @fastify/busboy)
• Vitest's internal module structure changed (es-module-lexer, chai, tinyrainbow versions); these may affect runtime behavior even though the test API surface is the same
• No source code changes were needed—this is purely a dependency update, which is a good sign

Potential gotchas:

• If ncc has issues bundling ESM modules, the build will fail (this would show up immediately in CI)
• Check that the bundled dist/ directories are compatible with the GitHub Actions runner environment where they execute

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sonar-review-alpha]

A couple of things need clarification before this can merge.

Registry split in package-lock.json: All 161 pre-existing packages in the lock file resolve from repox.jfrog.io (SonarSource's Artifactory proxy), but the 22 packages newly introduced by this upgrade resolve directly from registry.npmjs.org. If the Artifactory proxy exists for security scanning or to guarantee availability in restricted CI environments, those 22 packages are bypassing it. This looks like Renovate ran without the internal registry configured — worth confirming this is intentional or regenerating the lockfile with the proxy in place.

🗣️ Give feedback

[sonar-review-alpha]

All packages already in the lock file resolve from repox.jfrog.io, but every package newly added or replaced by this upgrade (here and in the @actions/exec, @actions/http-client, @actions/io, vitest ecosystem, and undici entries) resolves directly from registry.npmjs.org. If this Artifactory proxy is used for security scanning, licence checks, or to air-gap CI from the public registry, the 22 newly resolved packages are bypassing it.

This looks like Renovate generated the lockfile without the internal registry configured. Please regenerate with the proxy in place, or confirm this split is intentional.

• Mark as noise

[sonar-review-alpha]

@actions/core v3.0.0 is ESM-only (the release notes explicitly state CommonJS consumers must switch to dynamic import()). The TypeScript source already uses ESM import syntax and ncc/esbuild handles ESM-to-CJS bundling, so the bundle itself should be fine. However, tsconfig.json sets "module": "commonjs" — TypeScript 6 has stricter module/resolution coupling and may fail to resolve types for ESM-only packages under the old node module resolution. Please confirm npm run build and tsc --noEmit both pass cleanly with this combination before merging.

• Mark as noise

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqube-cloud-us]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud