Bump the npm-minor group across 1 directory with 6 updates

[dependabot]

Bumps the npm-minor group with 6 updates in the / directory:

Package	From	To
@octokit/plugin-retry	8.0.3	8.1.0
jsonschema	1.4.1	1.5.0
@eslint/compat	2.0.3	2.0.4
@types/sinon	21.0.0	21.0.1
esbuild	0.27.4	0.28.0
nock	14.0.11	14.0.12

Updates @octokit/plugin-retry from 8.0.3 to 8.1.0

Release notes

Sourced from @​octokit/plugin-retry's releases.

v8.1.0

8.1.0 (2026-02-18)

Features

• add types (#661) (e8bdeb7)

Commits

• e8bdeb7 feat: add types (#661)
• 96f572f chore(deps): replace glob with tinyglobby (#657)
• 2b9b2ea build(deps): bump glob (#656)
• 31bd239 build(deps): lock file maintenance (#643)
• 58b66d1 chore(deps): update dependency node to v24 (#649)
• 927b598 chore(deps): update dependency prettier to v3.6.2 (#636)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​octokit/plugin-retry since your current version.

Updates jsonschema from 1.4.1 to 1.5.0

Commits

• See full diff in compare view

Updates @eslint/compat from 2.0.3 to 2.0.4

Release notes

Sourced from @​eslint/compat's releases.

migrate-config: v2.0.4

2.0.4 (2026-03-20)

Bug Fixes

• update dependency @​eslint/eslintrc to ^3.3.5 (#397) (8567c19)

compat: v2.0.4

2.0.4 (2026-04-03)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^1.1.1 to ^1.2.0

Changelog

Sourced from @​eslint/compat's changelog.

2.0.4 (2026-04-03)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^1.1.1 to ^1.2.0

Commits

• fe114ee chore: release main (#413)
• 8863791 docs: Update README sponsors
• 835ddf9 docs: Update README sponsors
• 8cd3676 docs: Update README sponsors
• 4d73459 docs: Update README sponsors
• a6c7a26 chore: update eslint and eslint-config-eslint (#401)
• See full diff in compare view

Updates @types/sinon from 21.0.0 to 21.0.1

Commits

• See full diff in compare view

Updates esbuild from 0.27.4 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

v0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }

... (truncated)

Commits

• 6a794df publish 0.28.0 to npm
• 64ee0ea fix #4435: support with { type: text } imports
• ef65aee fix sort order in snapshots_packagejson.txt
• 1a26a8e try to fix test-old-ts, also shuffle CI tasks
• 556ce6c use '' instead of null to omit build hashes
• 8e675a8 ci: allow missing binary hashes for tests
• 7067763 Reapply "update go 1.25.7 => 1.26.1"
• 39473a9 fix #4343: integrity check for binary download
• 2025c9f publish 0.27.7 to npm
• c6b586e fix typo in Makefile for @esbuild/win32-x64
• Additional commits viewable in compare view

Updates nock from 14.0.11 to 14.0.12

Release notes

Sourced from nock's releases.

v14.0.12

14.0.12 (2026-04-05)

Bug Fixes

• prevent crash when query params have conflicting dot-notation keys (#2958) (7ea9933)

Commits

• 7ea9933 fix: prevent crash when query params have conflicting dot-notation keys (#2958)
• d00d371 chore(deps): bump picomatch
• e899c49 chore(deps-dev): bump minimatch from 3.1.2 to 3.1.5
• 9ad19ea chore(deps): bump qs and @​definitelytyped/dtslint
• 657d9a1 chore(deps): bump actions/checkout from 5 to 6 (#2933)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Pushed a commit to rebuild the Action. Please mark the PR as ready for review to trigger PR checks.

[Copilot]

Pull request overview

This PR updates the repository’s npm dependencies (a Dependabot “npm-minor” group bump) and refreshes the bundled lib/ artifacts that ship with the CodeQL Action.

Changes:

• Bump 6 npm packages: @octokit/plugin-retry, jsonschema, @eslint/compat, @types/sinon, esbuild, and nock.
• Update package-lock.json accordingly (including updated resolved URLs/integrities and dependency tree changes).
• Regenerate lib/ bundled outputs to incorporate updated dependency code.

Show a summary per file

File	Description
package.json	Updates declared dependency/devDependency versions for the grouped bump.
package-lock.json	Updates lockfile entries for the bumped packages and their transitive dependencies.
lib/upload-sarif-action.js	Bundled output updated (generated); not reviewed.
lib/upload-sarif-action-post.js	Bundled output updated (generated); not reviewed.
lib/upload-lib.js	Bundled output updated (generated); not reviewed.
lib/start-proxy-action.js	Bundled output updated (generated); not reviewed.
lib/start-proxy-action-post.js	Bundled output updated (generated); not reviewed.
lib/setup-codeql-action.js	Bundled output updated (generated); not reviewed.
lib/resolve-environment-action.js	Bundled output updated (generated); not reviewed.
lib/init-action.js	Bundled output updated (generated); not reviewed.
lib/init-action-post.js	Bundled output updated (generated); not reviewed.
lib/autobuild-action.js	Bundled output updated (generated); not reviewed.
lib/analyze-action.js	Bundled output updated (generated); not reviewed.
lib/analyze-action-post.js	Bundled output updated (generated); not reviewed.

Copilot's findings

• Files reviewed: 1/14 changed files
• Comments generated: 0