Merge queue: Combine passing dependabot PRs (#3400, #3401, #3402) #3403

Copilot · 2026-01-08T08:09:28Z

Combines three passing dependabot PRs to reduce CI cost by testing them together rather than individually.

Changes

PR #3400 - GitHub Actions references

Updates toolshed commit hash across 34 workflow/action files
a64caca35cf1872601518b84aa85650c06ef85e2 → c73c1b842058331a14008432c0e162b97cccb2f5

PR #3401 - Rust dependencies

indexmap: 2.12.1 → 2.13.0
Updated in rust/Cargo.lock, rust/core/Cargo.toml, rust/echo/Cargo.toml

PR #3402 - Python dependencies (security)

urllib3: 2.6.0 → 2.6.3
Fixes CVE-2026-21441 (High): decompression-bomb safeguards bypass on redirects
Updated in actions/gcp/setup/requirements.txt

Merge Strategy

Cherry-picked commits in order with zero conflicts. No file overlap between PRs (workflows, Rust, Python are independent).

Total: 38 files, 125 insertions, 125 deletions

Original prompt

this repo has many pending dependabot prs - some are failing, some are passing

ci is expensive - so rather than landing all the passing ones individually i want you to create a merge queue pr that picks the commits from all the passing dependabot prs

ive labelled the passing ones with pick-me - ONLY pick those

note: if any touch the same file then you should apply in reverse order from their affected line nos - this generally avoids conflicts

if there is conflict skip - you are rubbish at resolving we will get it in the next pass

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

netlify · 2026-01-08T08:09:34Z

✅ Deploy Preview for nifty-bassi-e26446 ready!

Name	Link
🔨 Latest commit	`b74c986`
🔍 Latest deploy log	https://app.netlify.com/projects/nifty-bassi-e26446/deploys/695f675e15386300082de305
😎 Deploy Preview	https://deploy-preview-3403--nifty-bassi-e26446.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

… update Bumps the dependencies group with 1 update in the / directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/bson directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/cache/prime directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/cache/restore directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/docker/cache/prime directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/docker/cache/restore directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/docker/fetch directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/docker/shas directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/envoy/ci/env directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/envoy/ci/request directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/envoy/run/summary directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/foreach directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/github/checkout directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/github/command directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/github/env/load directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/github/env/save directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/github/env/summary directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/github/merge-commit directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/github/pr directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/github/run directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/json/table directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Bumps the dependencies group with 1 update in the /actions/using/recurse directory: [envoyproxy/toolshed](https://github.com/envoyproxy/toolshed). Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) Updates `envoyproxy/toolshed` from a64caca to c73c1b8 - [Release notes](https://github.com/envoyproxy/toolshed/releases) - [Commits](a64caca...c73c1b8) --- updated-dependencies: - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies - dependency-name: envoyproxy/toolshed dependency-version: c73c1b8 dependency-type: direct:production dependency-group: dependencies ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps the dependencies group with 1 update in the /rust directory: [indexmap](https://github.com/indexmap-rs/indexmap). Updates `indexmap` from 2.12.1 to 2.13.0 - [Changelog](https://github.com/indexmap-rs/indexmap/blob/main/RELEASES.md) - [Commits](indexmap-rs/indexmap@2.12.1...2.13.0) --- updated-dependencies: - dependency-name: indexmap dependency-version: 2.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.0 to 2.6.3. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.0...2.6.3) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.6.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>

Initial plan

b85c000

Copilot AI assigned Copilot and phlax Jan 8, 2026

Copilot started work on behalf of phlax January 8, 2026 08:10 View session

dependabot bot added 3 commits January 8, 2026 08:13

Copilot AI changed the title ~~[WIP] Create merge queue for passing dependabot PRs~~ Merge queue: Combine passing dependabot PRs (#3400, #3401, #3402) Jan 8, 2026

Copilot AI requested a review from phlax January 8, 2026 08:21

Copilot finished work on behalf of phlax January 8, 2026 08:21

phlax approved these changes Jan 8, 2026

View reviewed changes

phlax marked this pull request as ready for review January 8, 2026 08:37

phlax merged commit dd3e129 into main Jan 8, 2026
153 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Merge queue: Combine passing dependabot PRs (#3400, #3401, #3402) #3403

Merge queue: Combine passing dependabot PRs (#3400, #3401, #3402) #3403

Uh oh!

Copilot AI commented Jan 8, 2026 •

edited

Loading

Uh oh!

netlify bot commented Jan 8, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Merge queue: Combine passing dependabot PRs (#3400, #3401, #3402) #3403

Merge queue: Combine passing dependabot PRs (#3400, #3401, #3402) #3403

Uh oh!

Conversation

Copilot AI commented Jan 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Merge Strategy

Uh oh!

netlify bot commented Jan 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for nifty-bassi-e26446 ready!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Copilot AI commented Jan 8, 2026 •

edited

Loading

netlify bot commented Jan 8, 2026 •

edited

Loading