Bump the minor-and-patch group across 1 directory with 5 updates

[dependabot]

Bumps the minor-and-patch group with 5 updates in the / directory:

Package	From	To
@sentry/cli	3.4.3	3.5.0
@sentry/node	10.53.1	10.57.0
semver	7.8.1	7.8.4
@vscode/vsce	3.9.1	3.9.2
esbuild	0.28.0	0.28.1

Updates @sentry/cli from 3.4.3 to 3.5.0

Release notes

Sourced from @​sentry/cli's releases.

3.5.0

Features

• (snapshots) Add snapshots diff command for locally comparing directories of PNG snapshot images using odiff (#3306)
• (snapshots) Add snapshots download command for downloading baseline snapshot images from Sentry (#3310)
• (snapshots) Add --all-image-file-names and --all-image-file-names-file flags to snapshots upload for detecting image removals and renames in selective builds (#3312)
• Add PE DWARF companion support (#3240)
• Add Windows ARM64 PE unwind support (#3240)

Fixes

• Improve error message when organization slug is missing from config (#3311)
• Respect CURL_CA_BUNDLE and SSL_CERT_FILE when configuring TLS certificate authorities (#3301).

Internal changes

• Bump symbolic to 13.1.1 (#3240)

3.4.4-snapshot.20260602.8b6f051

Snapshot build from master at 8b6f051.

3.4.4-snapshot.20260601.42c6fd4

Snapshot build from master at 42c6fd4.

3.4.4-snapshot.20260601.11d9824

Snapshot build from master at 11d9824.

3.4.4-snapshot.20260601.9b8df25

Snapshot build from master at 9b8df25.

3.4.4-snapshot.20260601.2badbb1

Snapshot build from master at 2badbb1.

3.4.4-snapshot.20260601.dd9d907

Snapshot build from master at dd9d907.

3.4.4-snapshot.20260601.b3d48e1

Snapshot build from master at b3d48e1.

3.4.4-snapshot.20260528.4338ee0

Snapshot build from master at 4338ee0.

3.4.4-snapshot.20260528.fafcbbd

Snapshot build from master at fafcbbd.

3.4.4-snapshot.20260527.807b12c

Snapshot build from master at 807b12c.

3.4.4-snapshot.20260527.48c1f24

Snapshot build from master at 48c1f24.

... (truncated)

Changelog

Sourced from @​sentry/cli's changelog.

3.5.0

Features

• (snapshots) Add snapshots diff command for locally comparing directories of PNG snapshot images using odiff (#3306)
• (snapshots) Add snapshots download command for downloading baseline snapshot images from Sentry (#3310)
• (snapshots) Add --all-image-file-names and --all-image-file-names-file flags to snapshots upload for detecting image removals and renames in selective builds (#3312)
• Add PE DWARF companion support (#3240)
• Add Windows ARM64 PE unwind support (#3240)

Fixes

• Improve error message when organization slug is missing from config (#3311)
• Respect CURL_CA_BUNDLE and SSL_CERT_FILE when configuring TLS certificate authorities (#3301).

Internal changes

• Bump symbolic to 13.1.1 (#3240)

Commits

• 3a107c2 release: 3.5.0
• 8b6f051 feat: PE DWARF companion support (#3240)
• 11d9824 build(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 (#3232)
• b3d48e1 build(deps): bump openssl from 0.10.79 to 0.10.80 (#3307)
• dd9d907 build(deps): bump docker/login-action from 4.0.0 to 4.1.0 (#3299)
• 42c6fd4 build(deps): bump github/codeql-action from 4.32.6 to 4.35.4 (#3298)
• 2badbb1 build(deps): bump getsentry/craft from 2.25.0 to 2.26.3 (#3297)
• 9b8df25 fix: Fix compile error in Docker build (#3317)
• 4338ee0 feat(snapshots): Add --all-image-file-names and --all-image-file-names-file f...
• fafcbbd docs(readme): add notice pointing to the new Sentry CLI (#3315)
• Additional commits viewable in compare view

Updates @sentry/node from 10.53.1 to 10.57.0

Release notes

Sourced from @​sentry/node's releases.

10.57.0

Important Changes

• feat(angular): Add support for Angular 22 (#21330)

  @sentry/angular now officially supports Angular 22.

• ref(core): Deprecate sendDefaultPii in favor of dataCollection (#21277)

  sendDefaultPii is deprecated and will be removed in v11. The new dataCollection option lets you control each category of collected data. sendDefaultPii: true still works and maps to enabling all dataCollection categories. dataCollection.userInfo defaults to true when dataCollection is provided, meaning auto-populated user.* fields (e.g. IP address from a request) are collected by default. Data you set explicitly (like via Sentry.setUser()) is always sent regardless. When dataCollection is not set at all, the legacy sendDefaultPii behavior applies (userInfo: false by default) to preserve backward compatibility.

  Note that an empty dataCollection: {} falls back to more permissive defaults than sendDefaultPii: false, so replicate the old behavior by opting out explicitly:

  Sentry.init({
    dataCollection: {
      userInfo: false,
      genAI: { inputs: false, outputs: false },
      httpBodies: [],
      httpHeaders: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      cookies: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      queryParams: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
    },
  });

Other Changes

• feat: Use dataCollection.frameContextLines for ContextLines integration (#21323)
• feat(cloudflare): Auto instrument D1 based on env (#21276)
• feat(core): Change default of dataCollection.userInfo to true (#21348)
• feat(core): Default dataCollection.httpBodies to all valid body types (#21352)
• feat(hono): Filter noisy transactions (favicon etc) (#21365)
• fix(cloudflare): Don't track negatively sampled spans (#21367)
• fix(core): Use safeDateNow calls for new Date() reads (#21351)
• fix(nextjs): Shim pinoIntegration on edge runtime (#21347)
• fix(node): Prevent PostgresJs integration from emitting duplicate spans per query (#21364)
• fix(node-core): Read __SENTRY_SERVER_MODULES__ lazily so Turbopack injection is honored (#21339)
• fix(react): Detect React Router v6/v7 navigations in a layout effect to propagate the correct trace (#21326)
• fix(react): Remove unused react.componentStack event context (#21183)
• fix(replays): Record sentry._internal.replay_is_buffering for spans (#21297)

• chore: Bump volta node version from 20.19.2 to 20.19.5 (#21359)

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.57.0

Important Changes

• feat(angular): Add support for Angular 22 (#21330)

  @sentry/angular now officially supports Angular 22.

• ref(core): Deprecate sendDefaultPii in favor of dataCollection (#21277)

  sendDefaultPii is deprecated and will be removed in v11. The new dataCollection option lets you control each category of collected data. sendDefaultPii: true still works and maps to enabling all dataCollection categories. dataCollection.userInfo defaults to true when dataCollection is provided, meaning auto-populated user.* fields (e.g. IP address from a request) are collected by default. Data you set explicitly (like via Sentry.setUser()) is always sent regardless. When dataCollection is not set at all, the legacy sendDefaultPii behavior applies (userInfo: false by default) to preserve backward compatibility.

  Note that an empty dataCollection: {} falls back to more permissive defaults than sendDefaultPii: false, so replicate the old behavior by opting out explicitly:

  Sentry.init({
    dataCollection: {
      userInfo: false,
      genAI: { inputs: false, outputs: false },
      httpBodies: [],
      httpHeaders: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      cookies: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      queryParams: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
    },
  });

Other Changes

• feat: Use dataCollection.frameContextLines for ContextLines integration (#21323)
• feat(cloudflare): Auto instrument D1 based on env (#21276)
• feat(core): Change default of dataCollection.userInfo to true (#21348)
• feat(core): Default dataCollection.httpBodies to all valid body types (#21352)
• feat(hono): Filter noisy transactions (favicon etc) (#21365)
• fix(cloudflare): Don't track negatively sampled spans (#21367)
• fix(core): Use safeDateNow calls for new Date() reads (#21351)
• fix(nextjs): Shim pinoIntegration on edge runtime (#21347)
• fix(node): Prevent PostgresJs integration from emitting duplicate spans per query (#21364)
• fix(node-core): Read __SENTRY_SERVER_MODULES__ lazily so Turbopack injection is honored (#21339)
• fix(react): Detect React Router v6/v7 navigations in a layout effect to propagate the correct trace (#21326)
• fix(react): Remove unused react.componentStack event context (#21183)
• fix(replays): Record sentry._internal.replay_is_buffering for spans (#21297)

... (truncated)

Commits

• 950cf97 release: 10.57.0
• 55f9343 Merge pull request #21369 from getsentry/prepare-release/10.57.0
• 88d9d30 meta(changelog): Update changelog for 10.57.0
• 03ffd25 fix(cloudflare): Don't track negatively sampled spans (#21367)
• 7c19ead ref(node): Streamline sql-common (#21360)
• 95df562 feat(hono): Filter noisy transactions (favicon etc) (#21365)
• 92eb5d2 feat(deps): Bump hono from 4.12.18 to 4.12.21 (#21341)
• c6f790b fix(node): Prevent PostgresJs integration from emitting duplicate spans per q...
• d645349 ref(node): Streamline lru-memoizer instrumentation (#21350)
• 4293015 feat(deps): Bump @​types/aws-lambda from 8.10.150 to 8.10.161 (#21105)
• Additional commits viewable in compare view

Updates semver from 7.8.1 to 7.8.4

Release notes

Sourced from semver's releases.

v7.8.4

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@​pupuking723)

v7.8.3

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@​wayyoungboy)

Chores

• 3485dda #866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@​dependabot[bot])

v7.8.2

7.8.2 (2026-06-04)

Bug Fixes

• bea6028 #870 increment dotted prerelease identifiers (#870) (@​liuzemei, @​SheldonNeo)

Changelog

Sourced from semver's changelog.

7.8.4 (2026-06-09)

Bug Fixes

• e583226 #874 reject numeric segments after x-ranges (@​pupuking723)

7.8.3 (2026-06-08)

Bug Fixes

• 046da7f #872 align caret includePrerelease lower bounds (#872) (@​wayyoungboy)

Chores

• 3485dda #866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866) (@​dependabot[bot])

7.8.2 (2026-06-04)

Bug Fixes

• bea6028 #870 increment dotted prerelease identifiers (#870) (@​liuzemei, @​SheldonNeo)

Commits

• 8640bd6 chore: release 7.8.4 (#875)
• e583226 fix: reject numeric segments after x-ranges
• 6b77aa8 chore: release 7.8.3 (#873)
• 3485dda chore: bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#866)
• 046da7f fix: align caret includePrerelease lower bounds (#872)
• efafcf8 chore: release 7.8.2 (#871)
• bea6028 fix: increment dotted prerelease identifiers (#870)
• See full diff in compare view

Updates @vscode/vsce from 3.9.1 to 3.9.2

Release notes

Sourced from @​vscode/vsce's releases.

v3.9.2

Changes:

• #1283: fix: skip APIScan
• #1282: chore: bump CI to Node 22 and fix build
• #1279: Bump the uuid test fixture version to 100.0.0
• #1278: Bump tmp from 0.2.4 to 0.2.6
• #1277: Bump qs from 6.14.2 to 6.15.2
• #1276: Bump uuid and @​azure/msal-node
• #1274: Run npm audit fix
• #1272: Bump fast-uri from 3.0.6 to 3.1.2
• #1267: Bump minimatch from 10.2.2 to 10.2.3
• #1247: Update minimatch dependency to v10

This list of changes was auto generated.

v3.9.2-4

Changes:

• #1283: fix: skip APIScan
• #1282: chore: bump CI to Node 22 and fix build
• #1279: Bump the uuid test fixture version to 100.0.0
• #1278: Bump tmp from 0.2.4 to 0.2.6
• #1277: Bump qs from 6.14.2 to 6.15.2
• #1276: Bump uuid and @​azure/msal-node

This list of changes was auto generated.

v3.9.2-3

Changes:

• #1274: Run npm audit fix

This list of changes was auto generated.

v3.9.2-2

Changes:

• #1272: Bump fast-uri from 3.0.6 to 3.1.2

This list of changes was auto generated.

... (truncated)

Commits

• f7501f2 fix: skip APIScan (#1283)
• 7cd3244 chore: bump CI to Node 22 and fix build (#1282)
• df1a68e Bump the uuid test fixture version to 100.0.0 (#1279)
• 3a5786e Merge pull request #1278 from microsoft/dependabot/npm_and_yarn/tmp-0.2.6
• 4954e08 Bump tmp from 0.2.4 to 0.2.6
• 54dce87 Bump qs from 6.14.2 to 6.15.2 (#1277)
• 86fc2d6 Bump uuid and @​azure/msal-node (#1276)
• 4699582 Run npm audit fix and update lockfile (#1274)
• e003a0a Merge pull request #1272 from microsoft/dependabot/npm_and_yarn/fast-uri-3.1.2
• 74ab7a9 Bump fast-uri from 3.0.6 to 3.1.2
• Additional commits viewable in compare view

Updates esbuild from 0.28.0 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

• Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

  This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

  Thanks to @​dellalibera for reporting this issue.

• Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

  The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

  Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

  Thanks to @​sondt99 for reporting this issue.

• Avoid inlining using and await using declarations (#4482)

  Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

  // Original code
  {
    using x = new Resource()
    x.activate()
  }
  // Old output (with --minify)
  new Resource().activate();
  // New output (with --minify)
  {using e=new Resource;e.activate()}

• Fix module evaluation when an error is thrown (#4461, #4467)

  If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

• Fix some edge cases around the new operator (#4477)

  Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

  // Original code
  new (foo()`bar`)()
  new (foo()?.bar)()
  // Old output
  new foo()bar();
  new (foo())?.bar();

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.28.1

• Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

  This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

  Thanks to @​dellalibera for reporting this issue.

• Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

  The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

  Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

  Thanks to @​sondt99 for reporting this issue.

• Avoid inlining using and await using declarations (#4482)

  Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

  // Original code
  {
    using x = new Resource()
    x.activate()
  }
  // Old output (with --minify)
  new Resource().activate();
  // New output (with --minify)
  {using e=new Resource;e.activate()}

• Fix module evaluation when an error is thrown (#4461, #4467)

  If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

• Fix some edge cases around the new operator (#4477)

  Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

  // Original code
  new (foo()`bar`)()
  new (foo()?.bar)()
  // Old output
  new foo()bar();
  new (foo())?.bar();

... (truncated)

Commits

• bb9db84 publish 0.28.1 to npm
• 9ff053e security: add integrity checks to the Deno API
• 0a9bf21 enforce non-negative size in gzip parser
• e2a1a71 security: forbid \\ in local dev server requests
• 83a2cbf fix #4482: don't inline using declarations
• 308ad74 fix #4471: renaming of nested var declarations
• f013f5f fix some typos
• aafd6e4 chore: fix some minor issues in comments (#4462)
• 15300c3 follow up: cjs evaluation fixes
• 1bda0c3 fix #4461, fix #4467: esm evaluation fixes
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.