deps: bump the dependency-updates group across 1 directory with 7 updates

[dependabot]

Bumps the dependency-updates group with 6 updates in the / directory:

Package	From	To
@npmcli/template-oss	4.27.0	4.28.0
@octokit/core	7.0.5	7.0.6
@octokit/plugin-retry	8.0.2	8.0.3
@octokit/plugin-throttling	11.0.2	11.0.3
@octokit/rest	22.0.0	22.0.1
esbuild	0.25.11	0.25.12

Updates @npmcli/template-oss from 4.27.0 to 4.28.0

Release notes

Sourced from @​npmcli/template-oss's releases.

v4.28.0

4.28.0 (2025-10-29)

Features

• dccde95 #537 adds script to run tests with node 20 correctly (@​owlstronaut)

v4.27.1

4.27.1 (2025-10-20)

Bug Fixes

• c9ae7dc #535 some test folders need quotes for correct globbing (#535) (@​owlstronaut)

Changelog

Sourced from @​npmcli/template-oss's changelog.

4.28.0 (2025-10-29)

Features

• dccde95 #537 adds script to run tests with node 20 correctly (@​owlstronaut)

4.27.1 (2025-10-20)

Bug Fixes

• c9ae7dc #535 some test folders need quotes for correct globbing (#535) (@​owlstronaut)

Commits

• 2ccf10d chore: release 4.28.0 (#538)
• dccde95 feat: adds script to run tests with node 20 correctly
• 008c2fa chore: release 4.27.1 (#536)
• c9ae7dc fix: some test folders need quotes for correct globbing (#535)
• See full diff in compare view

Updates @octokit/core from 7.0.5 to 7.0.6

Release notes

Sourced from @​octokit/core's releases.

v7.0.6

7.0.6 (2025-10-31)

Bug Fixes

• deps: update dependency @​octokit/types to v16 (#759) (951bd35)

Commits

• 951bd35 fix(deps): update dependency @​octokit/types to v16 (#759)
• 48961f8 ci(action): update peter-evans/create-or-update-comment action to v5 (#751)
• f65e546 ci(action): update github/codeql-action action to v4 (#753)
• c95a0d6 chore(deps): update dependency @​types/sinonjs__fake-timers to v15 (#756)
• e0fcb16 ci(action): update actions/setup-node action to v6 (#754)
• See full diff in compare view

Updates @octokit/graphql from 9.0.2 to 9.0.3

Release notes

Sourced from @​octokit/graphql's releases.

v9.0.3

9.0.3 (2025-10-31)

Bug Fixes

• deps: update dependency @​octokit/types to v16 (#676) (d5acce5)

Commits

• d5acce5 fix(deps): update dependency @​octokit/types to v16 (#676)
• db5b8fc build(deps): lock file maintenance (#670)
• 6d34f9f ci(action): update github/codeql-action action to v4 (#671)
• be6feba chore(deps): update dependency @​types/node to v24 (#675)
• 59bbbbc ci(action): update peter-evans/create-or-update-comment action to v5 (#668)
• 9014228 ci(action): update actions/setup-node action to v6 (#672)
• 2e9c447 chore(deps): update dependency prettier to v3.6.2 (#661)
• e31cf11 ci(action): update actions/setup-node action to v5 (#663)
• 9989422 build(deps): lock file maintenance (#667)
• See full diff in compare view

Updates @octokit/plugin-retry from 8.0.2 to 8.0.3

Release notes

Sourced from @​octokit/plugin-retry's releases.

v8.0.3

8.0.3 (2025-10-31)

Bug Fixes

• deps: update dependency @​octokit/types to v16 (#650) (03f2add)

Commits

• 03f2add fix(deps): update dependency @​octokit/types to v16 (#650)
• 112467a ci(action): update actions/checkout action to v5 (#638)
• fef5474 ci(action): update peter-evans/create-or-update-comment action to v5 (#644)
• 7c99a5e chore(deps): update vitest monorepo to v4 (major) (#648)
• 14d0b3b ci(action): update actions/setup-node action to v6 (#646)
• 843b86c ci(action): update github/codeql-action action to v4 (#645)
• See full diff in compare view

Updates @octokit/plugin-throttling from 11.0.2 to 11.0.3

Release notes

Sourced from @​octokit/plugin-throttling's releases.

v11.0.3

11.0.3 (2025-10-31)

Bug Fixes

• deps: update dependency @​octokit/types to v16 (#811) (d87092d)

Commits

• c253528 chore(deps): update dependency node to v24 (#809)
• d87092d fix(deps): update dependency @​octokit/types to v16 (#811)
• e3de64b ci(action): update github/codeql-action action to v4 (#805)
• 0673f3e ci(action): update actions/setup-node action to v6 (#806)
• See full diff in compare view

Updates @octokit/rest from 22.0.0 to 22.0.1

Release notes

Sourced from @​octokit/rest's releases.

v22.0.1

22.0.1 (2025-10-31)

Bug Fixes

• deps: update octokit monorepo (major) (#538) (ded2f17)

Commits

• daa3ec9 ci(action): update actions/setup-node action to v6 (#534)
• 1dec0c7 ci(action): update peter-evans/create-or-update-comment action to v5 (#531)
• ded2f17 fix(deps): update octokit monorepo (major) (#538)
• 0e0eaea chore(deps): update dependency @​types/node to v24 (#537)
• c04acc8 chore(deps): update vitest monorepo to v4 (major) (#536)
• e6dd306 chore(deps): update dependency undici to v7 (#474)
• 5f380d0 build(deps-dev): Bump form-data from 4.0.2 to 4.0.4 in /docs (#520)
• dc6827d build(deps-dev): Bump tar-fs from 2.1.2 to 2.1.3 in /docs (#516)
• See full diff in compare view

Updates esbuild from 0.25.11 to 0.25.12

Release notes

Sourced from esbuild's releases.

v0.25.12

• Fix a minification regression with CSS media queries (#4315)

  The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.

• Update the list of known JavaScript globals (#4310)

  This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

  From ES2017:

  • Atomics
  • SharedArrayBuffer

  From ES2020:

  • BigInt64Array
  • BigUint64Array

  From ES2021:

  • FinalizationRegistry
  • WeakRef

  From ES2025:

  • Float16Array
  • Iterator

  Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:

  // This can now be tree-shaken by esbuild:
  class ExampleIterator extends Iterator {}

• Add support for the new @view-transition CSS rule (#4313)

  With this release, esbuild now has improved support for pretty-printing and minifying the new @view-transition rule (which esbuild was previously unaware of):

  /* Original code */
  @view-transition {
    navigation: auto;
    types: check;
  }
  /* Old output */
  @​view-transition { navigation: auto; types: check; }
  /* New output */
  @​view-transition {
  navigation: auto;
  types: check;

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.25.12

• Fix a minification regression with CSS media queries (#4315)

  The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.

• Update the list of known JavaScript globals (#4310)

  This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

  From ES2017:

  • Atomics
  • SharedArrayBuffer

  From ES2020:

  • BigInt64Array
  • BigUint64Array

  From ES2021:

  • FinalizationRegistry
  • WeakRef

  From ES2025:

  • Float16Array
  • Iterator

  Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:

  // This can now be tree-shaken by esbuild:
  class ExampleIterator extends Iterator {}

• Add support for the new @view-transition CSS rule (#4313)

  With this release, esbuild now has improved support for pretty-printing and minifying the new @view-transition rule (which esbuild was previously unaware of):

  /* Original code */
  @view-transition {
    navigation: auto;
    types: check;
  }
  /* Old output */
  @​view-transition { navigation: auto; types: check; }
  /* New output */
  @​view-transition {
  navigation: auto;

... (truncated)

Commits

• 208f539 publish 0.25.12 to npm
• 5f03afd update release notes
• 6b2ee78 minify: remove css rules containing empty :is()
• f361deb add some additional known static methods
• 07aa646 automatically mark "RegExp.escape()" calls as pure
• 9039c46 simplify some call expression checks
• 188944d add some additional known static methods
• d3c67f9 fix #4310: add Iterator and other known globals
• 4a51f0b fix: escape dev server breadcrumb hrefs properly (#4316)
• 26b29ed fix #4315: @media deduplication bug edge case
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions