Skip to content

security(deps-dev): bump the root-npm-dependencies group with 4 updates#402

Closed
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/root-npm-dependencies-d8fc959ac0
Closed

security(deps-dev): bump the root-npm-dependencies group with 4 updates#402
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/root-npm-dependencies-d8fc959ac0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 7, 2026
edited
Loading

Bumps the root-npm-dependencies group with 4 updates: cspell, lint-staged, markdown-table-formatter and markdownlint-cli2.

Updates cspell from 9.4.0 to 10.0.0

Release notes

Sourced from cspell's releases.

v10.0.0

Features

fix: upgrade import-fresh from v3 to v4 (#8786)

Summary

Upgrades import-fresh from v3 to v4.

API changes in v4

  • v3: Synchronous default export — importFresh(modulePath) returns the module directly
  • v4: Factory pattern — createImportFresh(parentURL) returns an async function; v4 is ESM-only and uses Node.js module loader hooks instead of manipulating the require cache

Changes

  • packages/cspell-lib/package.json: bump import-fresh to ^4.0.0; remove clear-module dependency (no longer needed since v4 uses module loader hooks instead of Node's require cache)
  • packages/cspell-lib/src/lib/Settings/Controller/pnpLoader.ts:
    • Import createImportFresh factory; call createImportFresh(pnpFileUrl) at use time inside loadPnp(), bound to the pnp file's own URL so each load is correctly scoped to the file being loaded
    • Make loadPnp and loadPnpIfNeeded async
    • Change cachedPnpImportsSynccachedPnpImports (now stores Promise<LoaderResult>)
    • Remove clearModule.single usage (v4 cache-busts via loader hooks; clearing the require cache is no longer applicable)
    • Pass a file URL (toFileUrl(pnpFile).href) to importFresh since v4 uses import() under the hood, which requires URLs or relative specifiers for absolute paths
    • Use optional chaining on the module's default export to handle edge cases
  • test-packages/cspell-lib/test-cspell-lib-rollup/package.json: bump import-fresh to ^4.0.0
  • test-packages/cspell-lib/test-cspell-lib-webpack/package.json: bump import-fresh to ^4.0.0

Testing

All 91 test files (1584 tests) pass, including the 10 dedicated pnpLoader tests.

feat!: Drop support for Node 20 (#8779)

Pull request overview

This PR updates the monorepo to require Node.js 22.18+ (dropping Node 20 support), aligning package engine constraints, CI matrices, and documentation with the new baseline.

Changes:

  • Bump engines.node across packages/test-packages to >=22.18.0 and update root @types/node to ^22.19.15.
  • Update CI workflows to test Node 22/24/25 and adjust integration update workflow to Node 22.
  • Remove eslint-plugin-n “unsupported node builtins” disables now that the minimum Node version includes those built-ins.

... (truncated)

Changelog

Sourced from cspell's changelog.

v10.0.0 (2026-04-06)

Features

fix: upgrade import-fresh from v3 to v4 (#8786)

Summary

Upgrades import-fresh from v3 to v4.

API changes in v4

  • v3: Synchronous default export — importFresh(modulePath) returns the module directly
  • v4: Factory pattern — createImportFresh(parentURL) returns an async function; v4 is ESM-only and uses Node.js module loader hooks instead of manipulating the require cache

Changes

  • packages/cspell-lib/package.json: bump import-fresh to ^4.0.0; remove clear-module dependency (no longer needed since v4 uses module loader hooks instead of Node's require cache)
  • packages/cspell-lib/src/lib/Settings/Controller/pnpLoader.ts:
    • Import createImportFresh factory; call createImportFresh(pnpFileUrl) at use time inside loadPnp(), bound to the pnp file's own URL so each load is correctly scoped to the file being loaded
    • Make loadPnp and loadPnpIfNeeded async
    • Change cachedPnpImportsSynccachedPnpImports (now stores Promise<LoaderResult>)
    • Remove clearModule.single usage (v4 cache-busts via loader hooks; clearing the require cache is no longer applicable)
    • Pass a file URL (toFileUrl(pnpFile).href) to importFresh since v4 uses import() under the hood, which requires URLs or relative specifiers for absolute paths
    • Use optional chaining on the module's default export to handle edge cases
  • test-packages/cspell-lib/test-cspell-lib-rollup/package.json: bump import-fresh to ^4.0.0
  • test-packages/cspell-lib/test-cspell-lib-webpack/package.json: bump import-fresh to ^4.0.0

Testing

All 91 test files (1584 tests) pass, including the 10 dedicated pnpLoader tests.

feat!: Drop support for Node 20 (#8779)

Pull request overview

This PR updates the monorepo to require Node.js 22.18+ (dropping Node 20 support), aligning package engine constraints, CI matrices, and documentation with the new baseline.

Changes:

... (truncated)

Commits

Updates lint-staged from 16.2.7 to 16.4.0

Release notes

Sourced from lint-staged's releases.

v16.4.0

Minor Changes

v16.3.4

Patch Changes

v16.3.3

Patch Changes

  • #1740 0109e8d Thanks @​iiroj! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.

v16.3.2

Patch Changes

  • #1735 2adaf6c Thanks @​iiroj! - Hide the extra cmd window on Windows by spawning tasks without the detached option.

v16.3.1

Patch Changes

  • #1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

v16.3.0

Minor Changes

  • #1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

  • #1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

  • #1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.
Changelog

Sourced from lint-staged's changelog.

16.4.0

Minor Changes

16.3.4

Patch Changes

16.3.3

Patch Changes

  • #1740 0109e8d Thanks @​iiroj! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.

16.3.2

Patch Changes

  • #1735 2adaf6c Thanks @​iiroj! - Hide the extra cmd window on Windows by spawning tasks without the detached option.

16.3.1

Patch Changes

  • #1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

16.3.0

Minor Changes

  • #1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

  • #1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

  • #1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.
Commits
  • 445f9dd chore(changeset): release
  • d91be60 docs: update readme to use picomatch
  • b392a9f refactor: extract matchFiles and add unit tests
  • 687fc90 refactor: replace micromatch with picomatch
  • 26dadf9 chore(changeset): release
  • 9d6e827 build(deps): update dependencies
  • 8aea986 chore(changeset): release
  • 0109e8d fix: strip Git CRLF warning from output
  • dfd6a7a chore(changeset): release
  • 2adaf6c fix(Windows): do not spawn tasks as detached since it opens a cmd window on ...
  • Additional commits viewable in compare view

Updates markdown-table-formatter from 1.6.0 to 1.7.0

Release notes

Sourced from markdown-table-formatter's releases.

v1.7.0

What's Changed

  • Upgrade dependencies
  • CI: Add tests for Node 20, 22 and 24

Pull Requests

Full Changelog: nvuillam/markdown-table-formatter@v1.6.1...v1.7.0

v1.6.1

What's Changed

... (truncated)

Changelog

Sourced from markdown-table-formatter's changelog.

[1.7.0] 2025-12-27

  • Upgrade dependencies
  • CI: Add tests for Node 20, 22 and 24

[1.6.1] 2024-06-11

  • Upgrade dependencies
Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for markdown-table-formatter since your current version.


Updates markdownlint-cli2 from 0.21.0 to 0.22.0

Changelog

Sourced from markdownlint-cli2's changelog.

0.22.0

  • Make --config parameter more flexible
  • Support TOML with --config parameter
  • Add --configPointer parameter
  • Update dependencies
Commits
  • 3766ad8 Update to version 0.22.0.
  • 18fab89 Bump eslint from 10.0.3 to 10.1.0
  • b7106cb Freshen list of external custom rules included with the markdownlint-cli2-rul...
  • cfaf497 Update README.md to show how to use the Docker container image with pre-commit.
  • 0ae96d5 Remove test-only shims for import.meta limitations in Node 18.
  • 6c8d949 Add support for TOML files to --config, --configPointer, and extends (fixes #...
  • 02e491d Bump pnpm/action-setup from 4 to 5
  • 4777cf9 Add --configPointer command-line parameter, supersedes dedicated handling of ...
  • 7ecda61 Bump eslint-plugin-jsdoc from 62.7.1 to 62.8.0
  • 69616e9 Bump eslint from 10.0.2 to 10.0.3
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps-dev): bump the root-npm-dependencies group with 4 updates
fbff08c 
Bumps the root-npm-dependencies group with 4 updates: [cspell](https://github.com/streetsidesoftware/cspell/tree/HEAD/packages/cspell), [lint-staged](https://github.com/lint-staged/lint-staged), [markdown-table-formatter](https://github.com/nvuillam/markdown-table-formatter) and [markdownlint-cli2](https://github.com/DavidAnson/markdownlint-cli2).


Updates `cspell` from 9.4.0 to 10.0.0
- [Release notes](https://github.com/streetsidesoftware/cspell/releases)
- [Changelog](https://github.com/streetsidesoftware/cspell/blob/main/packages/cspell/CHANGELOG.md)
- [Commits](https://github.com/streetsidesoftware/cspell/commits/v10.0.0/packages/cspell)

Updates `lint-staged` from 16.2.7 to 16.4.0
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v16.2.7...v16.4.0)

Updates `markdown-table-formatter` from 1.6.0 to 1.7.0
- [Release notes](https://github.com/nvuillam/markdown-table-formatter/releases)
- [Changelog](https://github.com/nvuillam/markdown-table-formatter/blob/main/CHANGELOG.md)
- [Commits](nvuillam/markdown-table-formatter@v1.6.0...v1.7.0)

Updates `markdownlint-cli2` from 0.21.0 to 0.22.0
- [Changelog](https://github.com/DavidAnson/markdownlint-cli2/blob/main/CHANGELOG.md)
- [Commits](DavidAnson/markdownlint-cli2@v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: cspell
  dependency-version: 10.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: root-npm-dependencies
- dependency-name: lint-staged
  dependency-version: 16.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: root-npm-dependencies
- dependency-name: markdown-table-formatter
  dependency-version: 1.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: root-npm-dependencies
- dependency-name: markdownlint-cli2
  dependency-version: 0.22.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: root-npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 7, 2026

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Dependency version updates label Apr 7, 2026
@github-actions github-actions Bot changed the title chore(deps-dev): bump the root-npm-dependencies group with 4 updates security(deps-dev): bump the root-npm-dependencies group with 4 updates Apr 7, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 7, 2026
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Apr 7, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.48%. Comparing base (bb85560) to head (597f241).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #402   +/-   ##
=======================================
  Coverage   50.48%   50.48%           
=======================================
  Files         267      267           
  Lines       18188    18188           
  Branches     1903     1903           
=======================================
  Hits         9182     9182           
  Misses       8716     8716           
  Partials      290      290
Flag Coverage Δ *Carryforward flag
pester 81.21% <ø> (ø)
pytest 6.89% <ø> (ø) Carriedforward from fbff08c
pytest-dataviewer 61.97% <ø> (ø)
vitest 50.72% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

This was referenced Apr 8, 2026
Closed
Merged
WilliamBerryiii added a commit that referenced this pull request Apr 8, 2026
@WilliamBerryiii
build(build): upgrade to Node 24 and bump npm devDependencies (#414)
e46ddcd 
## Description

cspell 10.0.0 drops Node 20 support (requires `>=22.18.0`). This PR
upgrades the entire repository to **Node 24.14.1** and bumps all four
pending devDependency updates.

Closes #413
Supersedes #402

## Type of Change

- [x] Bug fix (non-breaking change that fixes an issue)
- [ ] New feature (non-breaking change that adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Documentation update
- [ ] Infrastructure change
- [ ] Code refactoring

## Component(s) Affected

- [x] Infrastructure / Terraform
- [ ] Training Pipeline
- [ ] Evaluation / SIL
- [ ] Data Management / Viewer
- [ ] Data Pipeline
- [x] CI/CD / Scripts

## Testing Performed

- [x] `npm run spell-check` — 544 files, zero issues
- [x] `npm run lint:md` — 183 files, zero errors
- [x] `npm run lint:yaml` — zero issues
- [x] `npm run test:ps` — 1026 tests passed, 0 failed

## Documentation Impact

- [x] No documentation changes needed

## Bug Fix Checklist

- [x] Root cause identified: cspell 10.0.0 engines field requires Node
>=22.18.0
- [x] Fix addresses root cause (not just symptoms): Node pinned to
24.14.1 everywhere
- [x] Regression test: Pester fixtures updated to validate pinned
version

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [x] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] New and existing tests pass locally with my changes

---

### Changes Summary

| File | Change |
|------|--------|
| `.github/actions/setup-node-deps/action.yml` | Default `'20'` →
`'24.14.1'` |
| `.github/workflows/deploy-docs.yml` | `node-version: 20` → `'24.14.1'`
|
| `.github/workflows/docusaurus-tests.yml` | `'20'` → `'24.14.1'` |
| `data-management/viewer/frontend/.nvmrc` | `22` → `24.14.1` |
| `data-management/viewer/frontend/Dockerfile` | `node:22-slim` →
`node:24.14.1-slim` |
| `docs/docusaurus/package.json` | engines `>=20` → `>=24` |
| `package.json` | engines `>=20` → `>=24`; cspell 9→10, lint-staged
16.2→16.4, markdown-table-formatter 1.6→1.7, markdownlint-cli2 0.21→0.22
|
| `package-lock.json` | Regenerated |
| 5× Pester fixtures | `node-version: '20'` → `'24.14.1'` |
jjottar pushed a commit to jjottar/physical-ai-toolchain that referenced this pull request Apr 9, 2026
@physical-ai-toolchain-release @github-actions
chore(main): release 0.5.0 (microsoft#173)
fedf854 
🤖 I have created a release *beep* *boop*
---


##
[0.5.0](microsoft/physical-ai-toolchain@v0.4.0...v0.5.0)
(2026-03-26)


### ✨ Features

* add dataviewer web application for dataset analysis and annotation
([microsoft#375](microsoft#375))
([c44d7bb](microsoft@c44d7bb))
* add return type annotations to cli_args functions
([microsoft#476](microsoft#476))
([35523ee](microsoft@35523ee))
* add YAML config schema with pydantic validation for ROS 2 recording
([microsoft#376](microsoft#376))
([1fa5243](microsoft@1fa5243))
* **agents:** Copilot agents and skills for dataviewer and OSMO training
workflows.
([microsoft#444](microsoft#444))
([8b72daf](microsoft@8b72daf))
* **build:** add automated ms.date freshness checking
([microsoft#448](microsoft#448))
([f92ddbc](microsoft@f92ddbc))
* **build:** add CLA section, Dependabot security prefix, and OWASP ZAP
DAST scan
([microsoft#241](microsoft#241))
([083a8af](microsoft@083a8af))
* **build:** add coverage.py configuration to pyproject.toml
([microsoft#428](microsoft#428))
([eac7426](microsoft@eac7426))
* **build:** add Go CI pipeline with golangci-lint and go test
([microsoft#351](microsoft#351))
([b27e4fb](microsoft@b27e4fb))
* **build:** add OpenSSF Scorecard workflow and badge
([microsoft#431](microsoft#431))
([98a62e7](microsoft@98a62e7))
* **build:** add release artifact signing and SBOM attestation
([microsoft#480](microsoft#480))
([b226e96](microsoft@b226e96))
* **build:** add TFLint reusable GitHub Actions workflow
([microsoft#229](microsoft#229))
([34d5575](microsoft@34d5575))
* **build:** split Go CI into separate lint and test pipelines
([microsoft#354](microsoft#354))
([2dec155](microsoft@2dec155))
* **dataviewer:** add authentication middleware and CSRF protection for
mutation endpoints
([microsoft#432](microsoft#432))
([77c8a01](microsoft@77c8a01))
* **docs:** create training documentation hub with guides and migration
([microsoft#380](microsoft#380))
([0fdccc5](microsoft@0fdccc5))
* **docs:** port Docusaurus documentation site with full build
validation
([microsoft#182](microsoft#182))
([29dd640](microsoft@29dd640))
* fix and deploy dataviewer
([microsoft#498](microsoft#498))
([c922d49](microsoft@c922d49))
* **inference:** add AzureML and local LeRobot inference workflows
([microsoft#438](microsoft#438))
([f7d786a](microsoft@f7d786a))
* **inference:** add MLflow trajectory plots and multi-source support to
OSMO inference workflow
([microsoft#421](microsoft#421))
([8637458](microsoft@8637458))
* **infra:** add blob storage lifecycle policies and folder structure
([microsoft#179](microsoft#179))
([101a6e8](microsoft@101a6e8))
* **infrastructure:** add optional observability and compute feature
flags
([microsoft#437](microsoft#437))
([9eba0da](microsoft@9eba0da))
* **infrastructure:** add private Linux Isaac Sim VM deployment option
([microsoft#348](microsoft#348))
([3748c2d](microsoft@3748c2d))
* **infrastructure:** add terraform-docs auto-generation pipeline
([microsoft#358](microsoft#358))
([6565caa](microsoft@6565caa))
* **infrastructure:** harden Isaac Sim VM deployment with encryption and
spot options
([microsoft#355](microsoft#355))
([6ebc1f2](microsoft@6ebc1f2))
* **repo:** migrate to domain-driven architecture
([microsoft#270](microsoft#270))
([a339e70](microsoft@a339e70))
* **scripts:** add --config-preview and deployment summary to submission
scripts
([microsoft#499](microsoft#499))
([4069806](microsoft@4069806))
* **scripts:** add Copilot attribution footer validation to frontmatter
linting
([microsoft#378](microsoft#378))
([4d595f2](microsoft@4d595f2))
* **src:** add dataviewer web application with storage adapter layer
([microsoft#404](microsoft#404))
([8a9fb70](microsoft@8a9fb70))


### 🐛 Bug Fixes

* **build:** add GHSA to cspell custom dictionary
([microsoft#315](microsoft#315))
([67db81a](microsoft@67db81a))
* **build:** correct codecov report_type input for terraform test
uploads
([microsoft#324](microsoft#324))
([d90d66d](microsoft@d90d66d))
* **build:** expand CODEOWNERS coverage to critical paths
([microsoft#505](microsoft#505))
([bafade1](microsoft@bafade1))
* **build:** pin Docker base image and pip dependencies with Dependabot
coverage
([microsoft#497](microsoft#497))
([d3d7ea4](microsoft@d3d7ea4))
* **build:** pin pydantic version and use uv in config schema validation
workflow
([microsoft#493](microsoft#493))
([28d823f](microsoft@28d823f))
* **build:** pin uv installer to versioned URL
([microsoft#495](microsoft#495))
([8d8541b](microsoft@8d8541b))
* **build:** remediate GHSA vulnerabilities flagged by OSSF Scorecard
([microsoft#271](microsoft#271))
([49b6e58](microsoft@49b6e58))
* **build:** remove README frontmatter, add FrontmatterExcludePaths,
enforce Pester 5
([microsoft#443](microsoft#443))
([641d0f3](microsoft@641d0f3))
* **build:** resolve CI failures for release 0.5.0 PR
([microsoft#174](microsoft#174))
([62c9900](microsoft@62c9900))
* **build:** resolve codecov PR comment suppression
([microsoft#523](microsoft#523))
([5603bd7](microsoft@5603bd7))
* **build:** use npm ci for deterministic frontend dependency install
([microsoft#491](microsoft#491))
([ee8b5d3](microsoft@ee8b5d3)),
closes
[microsoft#490](microsoft#490)
* **ci:** add `wait_for_ci` to Codecov configuration
([microsoft#183](microsoft#183))
([370cf44](microsoft@370cf44))
* **CI:** Issue 116 clean up dataviewer tests
([microsoft#184](microsoft#184))
([f466c23](microsoft@f466c23))
* **ci:** pin pydantic to ==2.12.5 across all references
([microsoft#230](microsoft#230))
([9d841d5](microsoft@9d841d5))
* **dataviewer:** add HTTP Range support for blob video streaming
([microsoft#165](microsoft#165))
([8adde50](microsoft@8adde50))
* **dataviewer:** remediate CodeQL alerts and align ruff config
([microsoft#419](microsoft#419))
([eb6fac9](microsoft@eb6fac9))
* **dataviewer:** remediate path traversal and input validation
vulnerabilities
([microsoft#413](microsoft#413))
([0a1d2ca](microsoft@0a1d2ca))
* **docs:** remove trailingSlash: false for GitHub Pages compatibility
([microsoft#228](microsoft#228))
([a78cb97](microsoft@a78cb97))
* **gpu:** add GPU Operator validation dependencies to GRID driver
installer
([microsoft#441](microsoft#441))
([eec42da](microsoft@eec42da))
* **infrastructure:** add zone-redundant config to VPN gateway public IP
([microsoft#352](microsoft#352))
([2d734f4](microsoft@2d734f4))
* **infrastructure:** improve stdout handling for helm commands in GPU…
([microsoft#311](microsoft#311))
([153f467](microsoft@153f467))
* **infrastructure:** resolve remaining TFLint violations in SIL module
and example configs
([microsoft#298](microsoft#298))
([c0ce3e5](microsoft@c0ce3e5))
* **infrastructure:** resolve TFLint violations in root and automation
modules
([microsoft#287](microsoft#287))
([b6a4604](microsoft@b6a4604)),
closes
[microsoft#203](microsoft#203)
* **infrastructure:** update deprecated bgp vng variable name
([microsoft#307](microsoft#307))
([f530734](microsoft@f530734))
* **scripts:** pin uv version in OSMO workflow templates
([microsoft#500](microsoft#500))
([7edf13a](microsoft@7edf13a))
* **scripts:** replace lambda with def in lerobot_handler to satisfy R…
([microsoft#176](microsoft#176))
([baf9e58](microsoft@baf9e58))
* **scripts:** support OSMO control-plane deploys with in-cluster Redis
([microsoft#317](microsoft#317))
([d4b70de](microsoft@d4b70de))
* **scripts:** update compute target name derivation logic
([microsoft#319](microsoft#319))
([bb20431](microsoft@bb20431))
* **settings:** update devcontainer name to match project context
([microsoft#177](microsoft#177))
([745321e](microsoft@745321e))
* **terraform:** create PostgreSQL Key Vault secret via ARM control
plane
([microsoft#304](microsoft#304))
([5d73b81](microsoft@5d73b81))
* **terraform:** gate observability with feature flags
([microsoft#303](microsoft#303))
([ea5e056](microsoft@ea5e056))
* **terraform:** switch VPN gateway defaults to AZ SKUs
([microsoft#309](microsoft#309))
([74989c5](microsoft@74989c5))
* **training:** correct learning rate mapping and pin LeRobot version
([microsoft#439](microsoft#439))
([5cf9943](microsoft@5cf9943))
* **workflows:** enable SARIF upload for dependency-pinning scans
([microsoft#502](microsoft#502))
([124cad6](microsoft@124cad6)),
closes
[microsoft#501](microsoft#501)
* **workflows:** remove redundant top-level permissions from
codeql-analysis
([microsoft#489](microsoft#489))
([1490fda](microsoft@1490fda))
* **workflows:** use bash shell for uv.lock regeneration and add SARIF
to dictionary
([microsoft#225](microsoft#225))
([e6fa6ea](microsoft@e6fa6ea))


### 📚 Documentation

* add chunking and compression configuration guide for Jetson edge
recording
([microsoft#408](microsoft#408))
([787a322](microsoft@787a322))
* add OpenSSF Best Practices badge to README
([microsoft#282](microsoft#282))
([01ea384](microsoft@01ea384))
* add threat model cross-reference to SECURITY.md
([microsoft#235](microsoft#235))
([88a461e](microsoft@88a461e))
* add vulnerability remediation timeline to SECURITY.md
([microsoft#233](microsoft#233))
([5ead3ee](microsoft@5ead3ee))
* **contributing:** remove version-specific planning language from
ownership tip
([microsoft#407](microsoft#407))
([3191f9b](microsoft@3191f9b))
* **deploy:** replace deploy/ READMEs with pointer files
([microsoft#379](microsoft#379))
([b3c3abb](microsoft@b3c3abb))
* **docs:** add bug report response timeline for OSSF report_responses
criterion
([microsoft#485](microsoft#485))
([9b26212](microsoft@9b26212))
* **docs:** add component update process for OpenSSF Silver badge
([microsoft#446](microsoft#446))
([6adc8a2](microsoft@6adc8a2))
* **docs:** Add data collection and training recipes
([microsoft#343](microsoft#343))
([9c34f86](microsoft@9c34f86))
* **docs:** add deprecation policy for external interfaces
([microsoft#445](microsoft#445))
([229d5db](microsoft@229d5db))
* **docs:** add structure for recipes in repo
([microsoft#322](microsoft#322))
([098757b](microsoft@098757b))
* **docs:** add YAML frontmatter to SUPPORT.md
([microsoft#478](microsoft#478))
([d94c15d](microsoft@d94c15d)),
closes
[microsoft#347](microsoft#347)
* **docs:** clarify issue assignment requirement before starting work
([microsoft#299](microsoft#299))
([1534462](microsoft@1534462))
* **docs:** create inference and training docs hubs
([microsoft#402](microsoft#402))
([7a20a2e](microsoft@7a20a2e))
* **docs:** create reference hub and migrate script documentation
([microsoft#503](microsoft#503))
([03a31c6](microsoft@03a31c6))
* **docs:** create training and inference documentation hubs
([microsoft#403](microsoft#403))
([7be003b](microsoft@7be003b))
* **operations:** create operations hub and troubleshooting guide
([microsoft#525](microsoft#525))
([31c7aaa](microsoft@31c7aaa))
* **reference:** add copilot artifacts documentation hub
([microsoft#170](microsoft#170))
([9a45ca4](microsoft@9a45ca4))
* simplify root README and update prerequisites
([microsoft#440](microsoft#440))
([c0c7710](microsoft@c0c7710))


### ♻️ Code Refactoring

* **build:** align Python dependency workflows with uv
([microsoft#447](microsoft#447))
([3102e03](microsoft@3102e03))
* **docs:** rename Docusaurus site to Physical AI Toolchain
([microsoft#224](microsoft#224))
([cfdf47a](microsoft@cfdf47a))
* **infrastructure:** rename boolean variables to `should_` prefix and
add missing core variables
([microsoft#292](microsoft#292))
([4496593](microsoft@4496593))
* **python:** move runtime deps to workflow pyproject manifests
([microsoft#405](microsoft#405))
([6c5fbeb](microsoft@6c5fbeb))


### 📦 Build System

* **build:** add Codecov upload to pytest workflow
([microsoft#434](microsoft#434))
([0110c17](microsoft@0110c17))
* **deps-dev:** bump the npm_and_yarn group across 2 directories with 1
update
([microsoft#325](microsoft#325))
([59cf9e6](microsoft@59cf9e6))
* **workflows:** enable coverage parameters and fix Pester test
infrastructure
([microsoft#435](microsoft#435))
([528bbde](microsoft@528bbde))


### 🔧 Miscellaneous

* add gomod to cspell general-technical wordlist
([microsoft#362](microsoft#362))
([1f93f47](microsoft@1f93f47))
* **build:** add codecov.yml for unified coverage reporting
([microsoft#430](microsoft#430))
([b0faf70](microsoft@b0faf70))
* **build:** add Go toolchain devcontainer feature and Dependabot gomod
([microsoft#337](microsoft#337))
([8a36620](microsoft@8a36620))
* **deps:** bump cryptography from 45.0.7 to 46.0.5 in /src/training
([microsoft#506](microsoft#506))
([a06434e](microsoft@a06434e))
* **deps:** bump minimatch in /src/dataviewer/frontend
([microsoft#416](microsoft#416))
([38a7607](microsoft@38a7607))
* **deps:** bump pyasn1 from 0.6.2 to 0.6.3 in /training/rl
([microsoft#296](microsoft#296))
([7b42cf5](microsoft@7b42cf5))
* **deps:** bump rollup in /src/dataviewer/frontend
([microsoft#417](microsoft#417))
([6302ce4](microsoft@6302ce4))
* **deps:** bump the common-dependencies group in /src/common with 3
updates
([microsoft#507](microsoft#507))
([db05074](microsoft@db05074))
* **deps:** bump the github-actions group across 1 directory with 6
updates
([microsoft#284](microsoft#284))
([c40eff6](microsoft@c40eff6))
* **deps:** bump the github-actions group across 1 directory with 6
updates
([microsoft#433](microsoft#433))
([2d9dd4f](microsoft@2d9dd4f))
* **deps:** bump the github-actions group across 1 directory with 6
updates
([microsoft#510](microsoft#510))
([c334a64](microsoft@c334a64))
* **deps:** bump the github-actions group with 2 updates
([microsoft#163](microsoft#163))
([f25713e](microsoft@f25713e))
* **deps:** bump the inference-dependencies group in /evaluation with 3
updates
([microsoft#279](microsoft#279))
([1d2d3dc](microsoft@1d2d3dc))
* **deps:** bump the inference-dependencies group in /src/inference with
5 updates
([microsoft#508](microsoft#508))
([2852ffb](microsoft@2852ffb))
* **deps:** bump the lerobot-inference-dependencies group in
/workflows/azureml with 4 updates
([microsoft#511](microsoft#511))
([b7c5773](microsoft@b7c5773))
* **deps:** bump the npm_and_yarn group across 2 directories with 1
update
([microsoft#223](microsoft#223))
([6a261ab](microsoft@6a261ab))
* **deps:** bump the training-dependencies group
([microsoft#429](microsoft#429))
([66e43f4](microsoft@66e43f4))
* **deps:** bump tornado from 6.5.4 to 6.5.5 in the uv group across 1
directory
([microsoft#172](microsoft#172))
([d6caf29](microsoft@d6caf29))
* **docs:** correct ms.date tooling and refresh stale documentation
([microsoft#349](microsoft#349))
([ccaa1e8](microsoft@ccaa1e8))
* **infrastructure:** add Go module and golangci-lint config for e2e
tests
([microsoft#347](microsoft#347))
([e0e6bbf](microsoft@e0e6bbf))
* **infrastructure:** add root .terraform-docs.yml configuration
([microsoft#312](microsoft#312))
([bb73bbb](microsoft@bb73bbb))
* migrate references from Azure-Samples to
microsoft/physical-ai-toolchain
([f58f0ef](microsoft@f58f0ef))
* **workflows:** update Dependabot, CodeQL, CODEOWNERS, and cspell for
dataviewer coverage
([microsoft#231](microsoft#231))
([6d8c2e8](microsoft@6d8c2e8))


### 🔒 Security

* **deps:** bump mlflow from 3.5.0 to 3.8.0rc0 in /training/rl
([microsoft#297](microsoft#297))
([e9929df](microsoft@e9929df))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([microsoft#344](microsoft#344))
([6826929](microsoft@6826929))
* **deps:** bump the inference-dependencies group in /evaluation with 2
updates
([microsoft#339](microsoft#339))
([6804630](microsoft@6804630))
* **deps:** bump the npm_and_yarn group across 3 directories with 1
update
([microsoft#361](microsoft#361))
([6760857](microsoft@6760857))
* **deps:** bump the training-dependencies group across 1 directory with
54 updates
([microsoft#286](microsoft#286))
([d9ae04f](microsoft@d9ae04f))
* **deps:** bump the uv group across 3 directories with 1 update
([microsoft#360](microsoft#360))
([dfbda06](microsoft@dfbda06))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: physical-ai-toolchain-release[bot] <267194360+physical-ai-toolchain-release[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Bill Berry <wbery@microsoft.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 13, 2026

Looks like these dependencies are no longer updatable, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 13, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/root-npm-dependencies-d8fc959ac0 branch April 13, 2026 03:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Dependency version updates

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@codecov-commenter @WilliamBerryiii