📦 Update subpackage devDependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Update	Type	Package file
@rollup/plugin-node-resolve (source)	15.3.0 -> 15.3.1					patch	devDependencies	third_party/amp-toolbox-cache-url/package.json
actions/checkout	v4.2.1 -> v4.2.2					patch	action	.github/workflows/update-session-issues.yml
actions/dependency-review-action	v4.3.4 -> v4.5.0					minor	action	.github/workflows/dependency-review.yml
actions/setup-node	v4.0.4 -> v4.1.0					minor	action	.github/workflows/status-page.yml
actions/upload-artifact	v4.4.3 -> v4.6.0					minor	action	.github/workflows/scorecard.yml
browser-tools	1.4.8 -> 1.5.0					minor	orb	.circleci/config.yml
codecov	5.0.0 -> 5.0.3					patch	orb	.circleci/config.yml
eslint (source)	9.13.0 -> 9.17.0					minor	devDependencies	third_party/amp-toolbox-cache-url/package.json
github/codeql-action	v3.26.13 -> v3.28.0					minor	action	.github/workflows/scorecard.yml
jasmine (source)	5.4.0 -> 5.5.0					minor	devDependencies	third_party/amp-toolbox-cache-url/package.json
npm-run-all2	6.2.4 -> 6.2.6					patch	devDependencies	third_party/amp-toolbox-cache-url/package.json
rollup (source)	4.24.0 -> 4.30.1					minor	devDependencies	third_party/amp-toolbox-cache-url/package.json
rollup-plugin-json	4.0.0 -> 4.0.0					replacement	devDependencies	third_party/amp-toolbox-cache-url/package.json
step-security/harden-runner	v2.10.1 -> v2.10.3					patch	action	.github/workflows/update-session-issues.yml

See all other Renovate PRs on the Dependency Dashboard

How to resolve breaking changes

This PR may introduce breaking changes that require manual intervention. In such cases, you will need to check out this branch, fix the cause of the breakage, and commit the fix to ensure a green CI build. To check out and update this PR, follow the steps below:

# Check out the PR branch
git checkout -b renovate/subpackage-devdependencies main
git pull https://github.com/ampproject/amphtml.git renovate/subpackage-devdependencies

# Directly make fixes and commit them
amp lint --fix # For lint errors in JS files
amp prettify --fix # For prettier errors in non-JS files
# Edit source code in case of new compiler warnings / errors

# Push the changes to the branch
git push [email protected]:ampproject/amphtml.git renovate/subpackage-devdependencies:renovate/subpackage-devdependencies

This is a special PR that replaces rollup-plugin-json with the community suggested minimal stable replacement version.

---

Release Notes

rollup/plugins (@​rollup/plugin-node-resolve)

v15.3.1

2024-12-15

Updates

• refactor: replace test with includes (#​1787)

actions/checkout (actions/checkout)

v4.2.2

Compare Source

• url-helper.ts now leverages well-known environment variables by @​jww3 in https://github.com/actions/checkout/pull/1941
• Expand unit test coverage for isGhes by @​jww3 in https://github.com/actions/checkout/pull/1946

actions/dependency-review-action (actions/dependency-review-action)

v4.5.0

Compare Source

What's Changed

• Bump got from 14.4.2 to 14.4.3 by @​dependabot in https://github.com/actions/dependency-review-action/pull/844
• Bump nodemon from 3.1.0 to 3.1.7 by @​dependabot in https://github.com/actions/dependency-review-action/pull/847
• Bump @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in https://github.com/actions/dependency-review-action/pull/849
• Overriding the cross-spawn dependency to use a safe version by @​Ahmed3lmallah in https://github.com/actions/dependency-review-action/pull/850
• fix: add summary comment on failure when warn-only: true by @​ebickle in https://github.com/actions/dependency-review-action/pull/827
• Prepare for 4.5.0 release by @​Ahmed3lmallah in https://github.com/actions/dependency-review-action/pull/851

New Contributors

• @​ebickle made their first contribution in https://github.com/actions/dependency-review-action/pull/827

Full Changelog: actions/dependency-review-action@v4...v4.5.0

v4.4.0

Compare Source

What's Changed

• Fix for merge_group event bug by @​Ahmed3lmallah in https://github.com/actions/dependency-review-action/pull/846

Full Changelog: actions/dependency-review-action@v4.3.5...v4.4.0

v4.3.5

Compare Source

What's Changed

• fix: getRefs function to handle merge_group events by @​louis-bompart in https://github.com/actions/dependency-review-action/pull/766
• Create pull_request_template.md by @​jonjanego in https://github.com/actions/dependency-review-action/pull/794
• Update CONTRIBUTING.md by @​jonjanego in https://github.com/actions/dependency-review-action/pull/793
• Bump @​types/node from 20.11.28 to 20.16.0 by @​dependabot in https://github.com/actions/dependency-review-action/pull/815
• Upgrade transitive micromatch library by @​elireisman in https://github.com/actions/dependency-review-action/pull/829
• Do not list changed dependencies in summary by @​hmaurer in https://github.com/actions/dependency-review-action/pull/828
• Update stale.yaml by @​jonjanego in https://github.com/actions/dependency-review-action/pull/832
• Bump got from 14.4.1 to 14.4.2 by @​dependabot in https://github.com/actions/dependency-review-action/pull/822
• Bump eslint-plugin-jest and ts-jest by @​Ahmed3lmallah in https://github.com/actions/dependency-review-action/pull/840

New Contributors

• @​louis-bompart made their first contribution in https://github.com/actions/dependency-review-action/pull/766
• @​Ahmed3lmallah made their first contribution in https://github.com/actions/dependency-review-action/pull/840

Full Changelog: actions/dependency-review-action@v4.3.4...v4.3.5

actions/setup-node (actions/setup-node)

v4.1.0

Compare Source

actions/upload-artifact (actions/upload-artifact)

v4.6.0

Compare Source

What's Changed

• Expose env vars to control concurrency and timeout by @​yacaovsnc in https://github.com/actions/upload-artifact/pull/662

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

Compare Source

eslint/eslint (eslint)

v9.17.0

Compare Source

v9.16.0

Compare Source

Features

• 8f70eb1 feat: Add ignoreComputedKeys option in sort-keys rule (#​19162) (Milos Djermanovic)

Documentation

• 9eefc8f docs: fix typos in use-isnan (#​19190) (루밀LuMir)
• 0c8cea8 docs: switch the order of words in no-unreachable (#​19189) (루밀LuMir)
• 0c19417 docs: add missing backtick to no-async-promise-executor (#​19188) (루밀LuMir)
• 8df9276 docs: add backtick in -0 in description of no-compare-neg-zero (#​19186) (루밀LuMir)
• 7e16e3f docs: fix caseSensitive option's title of sort-keys (#​19183) (Tanuj Kanti)
• 0c6b842 docs: fix typos in migration-guide.md (#​19180) (루밀LuMir)
• 353266e docs: fix a typo in debug.md (#​19179) (루밀LuMir)
• 5ff318a docs: delete unnecessary horizontal rule(---) in nodejs-api (#​19175) (루밀LuMir)
• 576bcc5 docs: mark more rules as handled by TypeScript (#​19164) (Tanuj Kanti)
• 742d054 docs: note that no-restricted-syntax can be used with any language (#​19148) (Milos Djermanovic)

Chores

• feb703b chore: upgrade to @eslint/[email protected] (#​19195) (Francesco Trotta)
• df9bf95 chore: package.json update for @​eslint/js release (Jenkins)
• f831893 chore: add type for ignoreComputedKeys option of sort-keys (#​19184) (Tanuj Kanti)
• 3afb8a1 chore: update dependency @​eslint/json to ^0.8.0 (#​19177) (Milos Djermanovic)
• 1f77c53 chore: add repository.directory property to package.json (#​19165) (루밀LuMir)
• d460594 chore: update dependency @​arethetypeswrong/cli to ^0.17.0 (#​19147) (renovate[bot])
• 45cd4ea refactor: update default options in rules (#​19136) (Milos Djermanovic)

v9.15.0

Compare Source

v9.14.0

Compare Source

github/codeql-action (github/codeql-action)

v3.28.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.28.0 - 20 Dec 2024

• Bump the minimum CodeQL bundle version to 2.15.5. #​2655
• Don't fail in the unusual case that a file is on the search path. #​2660.

See the full CHANGELOG.md for more information.

v3.27.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.27.9 - 12 Dec 2024

No user facing changes.

See the full CHANGELOG.md for more information.

v3.27.8

Compare Source

v3.27.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.27.7 - 10 Dec 2024

• We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. #​2631
• Update default CodeQL bundle version to 2.20.0. #​2636

See the full CHANGELOG.md for more information.

v3.27.6

Compare Source

v3.27.5

Compare Source

v3.27.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.27.4 - 14 Nov 2024

No user facing changes.

See the full CHANGELOG.md for more information.

v3.27.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.27.3 - 12 Nov 2024

No user facing changes.

See the full CHANGELOG.md for more information.

v3.27.2

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.27.2 - 12 Nov 2024

• Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". #​2590

See the full CHANGELOG.md for more information.

v3.27.1

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.27.1 - 08 Nov 2024

• The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. #​2573
• Update default CodeQL bundle version to 2.19.3. #​2576

See the full CHANGELOG.md for more information.

v3.27.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.27.0 - 22 Oct 2024

• Bump the minimum CodeQL bundle version to 2.14.6. #​2549
• Fix an issue where the upload-sarif Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the upload-sarif Action. #​2557
• Update default CodeQL bundle version to 2.19.2. #​2552

See the full CHANGELOG.md for more information.

jasmine/jasmine-npm (jasmine)

v5.5.0

Compare Source

Please see the release notes.

bcomnes/npm-run-all2 (npm-run-all2)

v6.2.6

Compare Source

Commits

• Prevent a throw when looking up undefined results d928f9a

v6.2.5

Compare Source

rollup/rollup (rollup)

v4.30.1

Compare Source

2025-01-07

Bug Fixes

• Prevent invalid code when simplifying unary expressions in switch cases (#​5786)

Pull Requests

• #​5786: fix: consider that literals cannot following switch case. (@​TrickyPi)

v4.30.0

Compare Source

2025-01-06

Features

• Inline values of resolvable unary expressions for improved tree-shaking (#​5775)

Pull Requests

• #​5775: feat: enhance the treehshaking for unary expression (@​TrickyPi)
• #​5783: Improve CI caching for node_modules (@​lukastaegert)

v4.29.2

Compare Source

2025-01-05

Bug Fixes

• Keep import attributes when using dynamic ESM import() expressions from CommonJS (#​5781)

Pull Requests

• #​5772: Improve caching on CI (@​lukastaegert)
• #​5773: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​5780: feat: use picocolors instead of colorette (@​re-taro)
• #​5781: fix: keep import attributes for cjs format (@​TrickyPi)

v4.29.1

Compare Source

2024-12-21

Bug Fixes

• Fix crash from deoptimized logical expressions (#​5771)

Pull Requests

• #​5769: Remove unnecessary lifetimes (@​lukastaegert)
• #​5771: fix: do not optimize the literal value if the cache is deoptimized (@​TrickyPi)

v4.29.0

Compare Source

2024-12-20

Features

• Treat objects as truthy and always check second argument to better simplify logical expressions (#​5763)

Pull Requests

• #​5759: docs: add utf-8 encoding to JSON file reading (@​chouchouji)
• #​5760: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​5763: fix: introduce UnknownFalsyValue for enhancing if statement tree-shaking (@​TrickyPi)
• #​5766: chore(deps): update dependency @​rollup/plugin-node-resolve to v16 (@​renovate[bot])
• #​5767: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])

v4.28.1

Compare Source

2024-12-06

Bug Fixes

• Support running Rollup natively on LoongArch (#​5749)
• Add optional debugId to SourceMap types (#​5751)

Pull Requests

• #​5749: feat: add support for LoongArch (@​darkyzhou)
• #​5751: feat: Add debugId to SourceMap types (@​timfish, @​lukastaegert)
• #​5752: chore(deps): update dependency mocha to v11 (@​renovate[bot])
• #​5753: chore(deps): update dependency vite to v6 (@​renovate[bot])
• #​5754: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #​5755: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​5756: Test if saving the Cargo cache can speed up FreeBSD (@​lukastaegert)

v4.28.0

Compare Source

2024-11-30

Features

• Allow to specify how to handle import attributes when transpiling Rollup config files (#​5743)

Pull Requests

• #​5743: fix: supports modify the import attributes key in the config file (@​TrickyPi, @​lukastaegert)
• #​5747: chore(deps): update codecov/codecov-action action to v5 (@​renovate[bot])
• #​5748: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])

v4.27.4

Compare Source

2024-11-23

Bug Fixes

• Update bundled magic-string to support sourcemap debug ids (#​5740)

Pull Requests

• #​5740: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])

v4.27.3

Compare Source

2024-11-18

Bug Fixes

• Revert object property tree-shaking for now (#​5736)

Pull Requests

• #​5736: Revert object tree-shaking until some issues have been resolved (@​lukastaegert)

v4.27.2

Compare Source

2024-11-15

Bug Fixes

• Ensure unused variables in patterns are always deconflicted if rendered (#​5728)

Pull Requests

• #​5728: Fix more variable deconflicting issues (@​lukastaegert)

v4.27.1

Compare Source

2024-11-15

Bug Fixes

• Fix some situations where parameter declarations could put Rollup into an infinite loop (#​5727)

Pull Requests

• #​5727: Debug out-of-memory issues with Rollup v4.27.0 (@​lukastaegert)

v4.27.0

Compare Source

2024-11-15

Features

• Tree-shake unused properties in object literals (#​5420)

Bug Fixes

• Change hash length limit to 21 to avoid inconsistent hash length (#​5423)

Pull Requests

• #​5420: feat: implement object tree-shaking (@​TrickyPi, @​lukastaegert)
• #​5723: Reduce max hash size to 21 (@​lukastaegert)
• #​5724: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #​5725: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])

v4.26.0

Compare Source

2024-11-13

Features

• Allow to avoid await bundle.close() via explicit resource management in TypeScript (#​5721)

Pull Requests

• #​5721: feat: support using for RollupBuild (@​shulaoda)

v4.25.0

Compare Source

2024-11-09

Features

• Add output.sourcemapDebugIds option to add matching debug ids to sourcemaps and code for tools like Sentry or Rollbar (#​5712)

Bug Fixes

• Make it easier to manually reproduce base16 hashes by using a more standard base16 conversion algorithm (#​5719)

Pull Requests

• #​5712: feat: Add support for injecting Debug IDs (@​timfish)
• #​5717: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #​5718: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​5719: Use a less surprising base-16 encoding (@​lukastaegert)

v4.24.4

Compare Source

2024-11-04

Bug Fixes

• Ensure mutations by handlers in Proxy definitions are always respected when tree-shaking (#​5713)

Pull Requests

• #​5708: Update configuration-options document (@​sacru2red, @​lukastaegert)
• #​5711: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​5713: fix: Deoptimize the proxied object if its property is reassigned in the handler functions (@​TrickyPi)

v4.24.3

Compare Source

2024-10-29

Bug Fixes

• Slightly reduce memory consumption by specifying fixed array sizes where possible (#​5703)

Pull Requests

• #​5703: perf: use pre-allocated arrays for known result sizes (@​GalacticHypernova)

v4.24.2

Compare Source

2024-10-27

Bug Fixes

• Add missing build dependency (#​5705)

Pull Requests

• #​5705: Fix "Couldn't find package" error when installing rollup using yarn (@​tagattie)

v4.24.1

Compare Source

2024-10-27

Bug Fixes

• Support running Rollup natively on FreeBSD (#​5698)

Pull Requests

• #​5689: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​5690: chore(deps): update dependency @​inquirer/prompts to v7 (@​renovate[bot])
• #​5691: chore(deps): update dependency eslint-plugin-unicorn to v56 (@​renovate[bot])
• #​5692: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #​5695: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #​5696: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​5698: Add support for FreeBSD (x64 and arm64) (@​tagattie, @​lukastaegert)

step-security/harden-runner (step-security/harden-runner)

v2.10.3

Compare Source

What's Changed

Fixed an issue where DNS requests using uppercase characters (e.g., EXAMPLE.com) were blocked even when the domain was present in the allowed list. This update standardizes domain names to lowercase for consistent comparison.

Full Changelog: step-security/harden-runner@v2...v2.10.3

v2.10.2

Compare Source

What's Changed

1. Fixes low-severity command injection weaknesses
   The advisory is here: GHSA-g85v-wf27-67xc

2. Bug fix to improve detection of whether Harden-Runner is running in a container

Full Changelog: step-security/harden-runner@v2...v2.10.2

---

Configuration

📅 Schedule: Branch creation - "after 12am every weekday" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.