
Bump the production-dependencies group across 1 directory with 4 updates #21

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/production-dependencies-80e49d3095


dependabot bot commented on behalf of github Apr 5, 2026

Bumps the production-dependencies group with 4 updates in the / directory: marked, @huggingface/transformers, vectra and @github/copilot-sdk.

Updates marked from 17.0.4 to 17.0.6

Release notes

Sourced from marked's releases.

v17.0.6

17.0.6 (2026-04-05)

Bug Fixes

  • avoid race condition in async parallel parse/parseInline with hooks (#3924) (6e96fa7)
  • cli: honor positional input file (#3922) (a1c2617)
  • cli: use file URL for config import (#3923) (73e1f3f)

v17.0.5

17.0.5 (2026-03-20)

Bug Fixes

  • Fix catastrophic backtracking (ReDoS) in link/reflink label regex (#3918) (4625980)
  • prevent quadratic complexity in emStrongLDelim regex (#3906) (c732dd2)
  • prevent single-tilde strikethrough false positives (#3910) (5e03369)
  • re-assign tokenizer.lexer and renderer.parser at start of each parse call (#3907) (f3a3ec0)
  • trim trailing whitespace from lheading text (#3920) (3ea7e88)
Commits
  • e07037e chore(release): 17.0.6 [skip ci]
  • 6e96fa7 fix: avoid race condition in async parallel parse/parseInline with hooks (#3924)
  • 73e1f3f fix(cli): use file URL for config import (#3923)
  • a1c2617 fix(cli): honor positional input file (#3922)
  • 3b59e81 refactor: use strict equality in RegExp exec checks (#3935)
  • e6b37f2 chore(deps-dev): Bump lodash from 4.17.23 to 4.18.1 (#3937)
  • abb5667 chore(deps-dev): Bump lodash-es from 4.17.23 to 4.18.1 (#3936)
  • 4969cf2 chore(deps-dev): Bump handlebars from 4.7.8 to 4.7.9 (#3931)
  • d44cafc chore(deps-dev): Bump picomatch from 2.3.1 to 2.3.2 (#3929)
  • 59386ad chore(deps-dev): Bump eslint from 10.0.3 to 10.1.0 (#3928)
  • Additional commits viewable in compare view

Updates @huggingface/transformers from 3.8.1 to 4.0.1

Release notes

Sourced from @huggingface/transformers's releases.

4.0.0

🚀 Transformers.js v4

We're excited to announce that Transformers.js v4 is now available on NPM! After a year of development (we started in March 2025 🤯), we're finally ready for you to use it.

npm i @huggingface/transformers

Links: YouTube Video, Blog Post, Demo Collection

New WebGPU backend

The biggest change is undoubtedly the adoption of a new WebGPU Runtime, completely rewritten in C++. We've worked closely with the ONNX Runtime team to thoroughly test this runtime across our ~200 supported model architectures, as well as many new v4-exclusive architectures.

In addition to better operator support (for performance, accuracy, and coverage), this new WebGPU runtime allows the same transformers.js code to be used across a wide variety of JavaScript environments, including browsers, server-side runtimes, and desktop applications. That's right, you can now run WebGPU-accelerated models directly in Node, Bun, and Deno!

We've proven that it's possible to run state-of-the-art AI models 100% locally in the browser, and now we're focused on performance: making these models run as fast as possible, even in resource-constrained environments. This required completely rethinking our export strategy, especially for large language models. We achieve this by re-implementing new models operation by operation, leveraging specialized ONNX Runtime Contrib Operators like com.microsoft.GroupQueryAttention, com.microsoft.MatMulNBits, or com.microsoft.QMoE to maximize performance.

For example, adopting the com.microsoft.MultiHeadAttention operator, we were able to achieve a ~4x speedup for BERT-based embedding models.

New models

Thanks to our new export strategy and ONNX Runtime's expanding support for custom operators, we've been able to add many new models and architectures to Transformers.js v4. These include popular models like GPT-OSS, Chatterbox, GraniteMoeHybrid, LFM2-MoE, HunYuanDenseV1, Apertus, Olmo3, FalconH1, and Youtu-LLM. Many of these required us to implement support for advanced architectural patterns, including Mamba (state-space models), Multi-head Latent Attention (MLA), and Mixture of Experts (MoE). Perhaps most importantly, these models are all compatible with WebGPU, allowing users to run them directly in the browser or server-side JavaScript environments with hardware acceleration. We've released several Transformers.js v4 demos so far... and we'll continue to release more!

Additionally, we've added support for larger models exceeding 8B parameters. In our tests, we've been able to run GPT-OSS 20B (q4f16) at ~60 tokens per second on an M4 Pro Max.

... (truncated)

Commits

Updates vectra from 0.12.3 to 0.14.0

Release notes

Sourced from vectra's releases.

v0.14.0

What's New

Breaking Changes

  • fetch() replaces axios — All HTTP requests now use the built-in fetch() API. Projects relying on axios interceptors or custom axios config need to switch to the requestConfig option (a standard RequestInit object) on OpenAIEmbeddings.
  • Node.js 22.x minimum — Minimum Node.js version is now 22.x (up from 20.x), driven by undici@8.0.0 requiring node >=22.19.0.

New Features

  • Browser & Electron support — Full browser and Electron compatibility with dedicated vectra/browser entry point, IndexedDBStorage, and Webpack browser bundle (#99)
  • Local embeddings — TransformersEmbeddings class using @huggingface/transformers for fully local embedding generation with GPU/WASM device selection, quantization, and progress callbacks
  • Protocol Buffer format — Opt-in binary protobuf-based index serialization achieving 40–50% smaller index files via ProtobufCodec
  • gRPC server — vectra serve exposes 19 RPCs for cross-language access
  • Language binding generator — vectra generate scaffolds clients for Python, C#, Rust, Go, Java, TypeScript
  • FolderWatcher — vectra watch CLI command and FolderWatcher class for automatic re-indexing when files change
  • Pluggable storage systems — Storage abstraction layer allowing custom storage backends (in-memory, cloud, database)
  • vectra delete — Delete indexes from the CLI
  • vectra migrate — Migrate between JSON and protobuf formats
  • BrowserWebFetcher — Browser-native web fetcher using Fetch API + DOMParser
  • TransformersTokenizer — Tokenizer matching TransformersEmbeddings model for chunk alignment
  • Agent Ready support — Agent-compatible capabilities

Security

  • Removed axios dependency — Eliminated supply chain risk by switching to built-in fetch()
  • Fixed dependency vulnerabilities — Resolved additional security issues in transitive dependencies

Infrastructure

  • CI/CD pipeline with GitHub Actions (build, test, lint, coverage via Coveralls)
  • ESLint configuration added
  • Developer documentation site launched
  • GitHub Pages docs site with Jekyll + just-the-docs

Version Compatibility

| Vectra version | Node.js | Optional dependencies |
|---|---|---|
| 0.14.x | 22.x+ | @huggingface/transformers (local embeddings), protobufjs (protobuf format) |

Full Changelog: Stevenic/vectra@v0.12.0...v0.14.0

Changelog

Sourced from vectra's changelog.


Release history, breaking changes, and migration guides.


v0.14.x

Breaking: fetch() replaces axios

All HTTP requests now use the built-in fetch() API instead of axios. This removes axios as a dependency and eliminates third-party code from the HTTP request path.

Who is affected: Projects that relied on axios interceptors or custom axios configuration passed through Vectra's HTTP layer.

Migration: Remove any axios-specific customization. If you need to customize requests, use the requestConfig option (a standard RequestInit object) on OpenAIEmbeddings:

const embeddings = new OpenAIEmbeddings({
  apiKey: '...',
  model: 'text-embedding-3-small',
  requestConfig: {
    headers: { 'X-Custom-Header': 'value' },
  },
});

Breaking: Node.js 22.x minimum

The minimum Node.js version is now 22.x (up from 20.x). This is driven by the undici@8.0.0 transitive dependency which requires node >=22.19.0.

Who is affected: Projects running Node.js 20.x or earlier.

Migration: Upgrade to Node.js 22.x LTS. Node.js 20.x reached end-of-life on March 26, 2026.

New features in v0.14.x

... (truncated)

Commits

Updates @github/copilot-sdk from 0.1.32 to 0.2.1

Release notes

Sourced from @github/copilot-sdk's releases.

v0.2.1

Feature: commands and UI elicitation across all four SDKs

Register slash commands that CLI users can invoke and drive interactive input dialogs from any SDK language. This feature was previously Node.js-only; it now ships in Python, Go, and .NET as well. (#906, #908, #960)

const session = await client.createSession({
  onPermissionRequest: approveAll,
  commands: [{
    name: "summarize",
    description: "Summarize the conversation",
    handler: async (context) => { /* ... */ },
  }],
  onElicitationRequest: async (context) => {
    if (context.type === "confirm") return { action: "confirm" };
  },
});
// Drive dialogs from the session
const confirmed = await session.ui.confirm({ message: "Proceed?" });
const choice = await session.ui.select({ message: "Pick one", options: ["A", "B"] });

var session = await client.CreateSessionAsync(new SessionConfig {
    OnPermissionRequest = PermissionHandler.ApproveAll,
    Commands = [
        new CommandDefinition {
            Name = "summarize",
            Description = "Summarize the conversation",
            Handler = async (context) => { /* ... */ },
        }
    ],
});
// Drive dialogs from the session
var confirmed = await session.Ui.ConfirmAsync(new ConfirmOptions { Message = "Proceed?" });

⚠️ Breaking change (Node.js): The onElicitationRequest handler signature changed from two arguments (request, invocation) to a single ElicitationContext that combines both. Update callers to use context.sessionId and context.message directly.

Feature: session.getMetadata across all SDKs

Efficiently fetch metadata for a single session by ID without listing all sessions. Returns undefined/null (not an error) when the session is not found. (#899)

  • TypeScript: const meta = await client.getSessionMetadata(sessionId);
  • C#: var meta = await client.GetSessionMetadataAsync(sessionId);
  • Python: meta = await client.get_session_metadata(session_id)
  • Go: meta, err := client.GetSessionMetadata(ctx, sessionID)

... (truncated)

Changelog

Sourced from @github/copilot-sdk's changelog.

v0.2.1 (2026-04-03)


Commits
  • 0388b9d Update @github/copilot to 1.0.17 (#999)
  • 7ecf1d8 Update getting-started.md (#998)
  • 588951e Add roles: all to handler workflows so issues from any user are triaged (#992)
  • 28d0a33 Public preview update (#996)
  • dd42d42 Close Language Gaps for Commands + Dialogs/Elicitations (#960)
  • ad63b09 Add AI-powered issue triage system with correction tracking (#951)
  • 1587e34 fix: Cross-SDK Consistency Reviewer posts duplicate comments per commit (#983)
  • ec72d41 Pass structured tool results via RPC instead of stringifying (#970)
  • 8fb154e fix: update runtime to 1.0.15-2, re-enable postToolUse hook tests (#978)
  • 6e3d72c Support sessionFs in Node SDK. Update runtime. (#917)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps the production-dependencies group with 4 updates in the / directory: [marked](https://github.com/markedjs/marked), [@huggingface/transformers](https://github.com/huggingface/transformers.js), [vectra](https://github.com/Stevenic/vectra) and [@github/copilot-sdk](https://github.com/github/copilot-sdk).


Updates `marked` from 17.0.4 to 17.0.6
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](markedjs/marked@v17.0.4...v17.0.6)

Updates `@huggingface/transformers` from 3.8.1 to 4.0.1
- [Release notes](https://github.com/huggingface/transformers.js/releases)
- [Commits](https://github.com/huggingface/transformers.js/commits)

Updates `vectra` from 0.12.3 to 0.14.0
- [Release notes](https://github.com/Stevenic/vectra/releases)
- [Changelog](https://github.com/Stevenic/vectra/blob/main/docs/changelog.md)
- [Commits](https://github.com/Stevenic/vectra/commits/v0.14.0)

Updates `@github/copilot-sdk` from 0.1.32 to 0.2.1
- [Release notes](https://github.com/github/copilot-sdk/releases)
- [Changelog](https://github.com/github/copilot-sdk/blob/main/CHANGELOG.md)
- [Commits](github/copilot-sdk@v0.1.32...v0.2.1)

---
updated-dependencies:
- dependency-name: marked
  dependency-version: 17.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@huggingface/transformers"
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: vectra
  dependency-version: 0.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@github/copilot-sdk"
  dependency-version: 0.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
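
A triage sketch for this grouped update, added here as an example and not part of Dependabot's output or of any bumped project: it parses the updated-dependencies metadata above, flags the bumps that should not ride along with the marked patch release, and checks a Node.js version against the >=22.19.0 floor quoted in the vectra notes. The function names are hypothetical.

```javascript
// Added example. SAMPLE is abridged from the updated-dependencies block in this PR's
// commit message; the function names are hypothetical.
const SAMPLE = `updated-dependencies:
- dependency-name: marked
  dependency-version: 17.0.6
  update-type: version-update:semver-patch
- dependency-name: "@huggingface/transformers"
  dependency-version: 4.0.1
  update-type: version-update:semver-major
- dependency-name: vectra
  dependency-version: 0.14.0
  update-type: version-update:semver-minor
- dependency-name: "@github/copilot-sdk"
  dependency-version: 0.2.1
  update-type: version-update:semver-minor
`;

// Minimal parser for this flat list-of-maps layout (not a general YAML parser).
function parseUpdatedDependencies(text) {
  const deps = [];
  for (const raw of text.split('\n')) {
    const m = raw.trimEnd().match(/^(- |  )([a-z-]+): *(.+)$/);
    if (!m) continue;
    if (m[1] === '- ') deps.push({});
    if (deps.length > 0) deps[deps.length - 1][m[2]] = m[3].replace(/^"(.*)"$/, '$1');
  }
  return deps;
}

// Flag bumps that need a human: semver-major, unknown types, and minor bumps of
// 0.y.z packages, where semver allows breaking changes in a minor release.
function triage(deps) {
  return deps.map((d) => {
    const kind = (d['update-type'] || '').split(':semver-')[1];
    const zeroMajor = (d['dependency-version'] || '').split('.')[0] === '0';
    const review = kind !== 'patch' && (kind !== 'minor' || zeroMajor);
    return { name: d['dependency-name'], kind, review };
  });
}

// True when dotted numeric version `have` (optionally "v"-prefixed) is >= `floor`.
function meetsFloor(have, floor) {
  const a = have.replace(/^v/, '').split('.').map(Number);
  const b = floor.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

console.log(triage(parseUpdatedDependencies(SAMPLE)));
console.log('node >= 22.19.0:', meetsFloor(process.version, '22.19.0'));
```

Only marked comes back with `review: false`; the two 0.x minor bumps are flagged alongside the transformers major, which matches the breaking changes listed in their release notes.
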

dependabot bot commented on behalf of github Apr 5, 2026

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.
