chore(deps): bump the test-versions group across 3 directories with 6 updates #7934

Open
dependabot[bot] wants to merge 2 commits into master from dependabot/npm_and_yarn/integration-tests/appsec/iast-esbuild-cjs/test-versions-63b7d45381
@dependabot dependabot bot commented on behalf of github Apr 7, 2026

Bumps the test-versions group with 1 update in the /integration-tests/appsec/iast-esbuild-cjs directory: esbuild.
Bumps the test-versions group with 1 update in the /integration-tests/appsec/iast-esbuild-esm directory: esbuild.
Bumps the test-versions group with 5 updates in the /integration-tests/esbuild directory:

| Package | From | To |
| --- | --- | --- |
| @apollo/server | 5.4.0 | 5.5.0 |
| axios | 1.13.6 | 1.14.0 |
| knex | 3.1.0 | 3.2.9 |
| koa | 3.1.2 | 3.2.0 |
| openai | 6.32.0 | 6.33.0 |

Updates esbuild from 0.27.7 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

  • Add support for with { type: 'text' } imports (#4435)

    The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

    import string from './example.txt' with { type: 'text' }
    console.log(string)

  • Add integrity checks to fallback download path (#4343)

    Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

    This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

  • Update the Go compiler from 1.25.7 to 1.26.1

    This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

    • It now uses the new garbage collector that comes with Go 1.26.
    • The Go compiler is now more aggressive with allocating memory on the stack.
    • The executable format that the Go linker uses has undergone several changes.
    • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

    You can read the Go 1.26 release notes for more information.

Changelog

Sourced from esbuild's changelog.

0.28.0

  • Add support for with { type: 'text' } imports (#4435)

    The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

    import string from './example.txt' with { type: 'text' }
    console.log(string)

  • Add integrity checks to fallback download path (#4343)

    Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

    This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

  • Update the Go compiler from 1.25.7 to 1.26.1

    This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

    • It now uses the new garbage collector that comes with Go 1.26.
    • The Go compiler is now more aggressive with allocating memory on the stack.
    • The executable format that the Go linker uses has undergone several changes.
    • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

    You can read the Go 1.26 release notes for more information.

Commits
  • 6a794df publish 0.28.0 to npm
  • 64ee0ea fix #4435: support with { type: text } imports
  • ef65aee fix sort order in snapshots_packagejson.txt
  • 1a26a8e try to fix test-old-ts, also shuffle CI tasks
  • 556ce6c use '' instead of null to omit build hashes
  • 8e675a8 ci: allow missing binary hashes for tests
  • 7067763 Reapply "update go 1.25.7 => 1.26.1"
  • 39473a9 fix #4343: integrity check for binary download
  • See full diff in compare view

Updates @apollo/server from 5.4.0 to 5.5.0

Release notes

Sourced from @apollo/server's releases.

@apollo/server-integration-testsuite@5.5.0

Minor Changes

  • #8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

  • Updated dependencies [ada1200]:
    • @apollo/server@5.5.0

@apollo/server@5.5.0

Minor Changes

  • #8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

Changelog

Sourced from @apollo/server's changelog.

5.5.0

Minor Changes

  • #8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

Updates axios from 1.13.6 to 1.14.0

Release notes

Sourced from axios's releases.

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

  • Breaking Changes: None identified in this release.
  • Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

  • Runtime Features: No new end-user features were introduced in this release.
  • Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

  • Headers: Trim trailing CRLF in normalised header values. (#7456)
  • HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
  • Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
  • Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)
  • CommonJS Compatibility: Fixed package main entry regression affecting CJS consumers. (#7532)

🔧 Maintenance & Chores

  • Security/Dependencies: Updated formidable and refreshed package set to newer versions. (#7533, #10556)
  • Tooling: Continued migration to Vitest and modernised CI/test harnesses. (#7484, #7489, #7498)
  • Build/Lint Stack: Rollup, ESLint, TypeScript, and related dev-dependency updates. (#7508, #7509, #7522)
  • Documentation: Clarified JSON parsing and adapter-related docs/comments. (#7398, #7460, #7478)

Full Changelog: v1.13.6...v1.14.0

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates knex from 3.1.0 to 3.2.9

Release notes

Sourced from knex's releases.

3.2.9

Full Changelog: knex/knex@3.2.8...3.2.9

3.2.8

Full Changelog: knex/knex@3.2.7...3.2.8

3.2.7

Full Changelog: knex/knex@3.2.6...3.2.7

3.2.6

Full Changelog: knex/knex@3.2.3...3.2.6

3.2.3

What's Changed

... (truncated)

Changelog

Sourced from knex's changelog.

3.2.9 - 3 April, 2026

Bug fixes

  • fix: support DELETE... LIMIT in dialects that support it (mysql), but continue to disallow ones that don't #6429
  • fix(postgres): escape double quotes in searchPath to prevent SQL injection #6411
  • fix(sqlite): append RETURNING statement when insert empty row #5471
  • fix: add type support for Array<Buffer> #6428

3.2.8 - 30 March, 2026

Bug fixes

  • Reverts the breaking changes added in #6227. This means that the ESM import of Knex is reverted to import { knex } from 'knex/knex.mjs' #6422
  • fix(types): allow a QueryBuilder type as a value in an update #6419

3.2.7 - 27 March, 2026

Bug fixes

  • fix sqlite DDL operations failing inside transactions #6408
  • fix: handle lowercase INFORMATION_SCHEMA keys in MySQL renameColumn #6407
  • fix: clone config in client constructor #5633
  • fix: remove __knexTxId from transaction connection on release #5288
  • fix: correct binding order in delete with subquery join #6412
  • chore: omit ./scripts from published package #6356

3.2.6 - 24 March, 2026

Bug fixes

  • Fix module exports #6406

3.2.5 - 23 March, 2026

Bug fixes

3.2.4 - 23 March, 2026

Bug fixes

  • Fix ESM type exports #6404

3.2.1 - 22 March, 2026

Bug fixes

  • Fix subpath imports broken by exports field added in 3.2.0. Packages relying on deep imports (e.g. knex/lib/dialects/sqlite3/index) were blocked by the restrictive exports map

... (truncated)

Commits
  • b3847cd release 3.2.9
  • 59c8f5f fix: add type support for Array<Buffer> (#6428)
  • d40095c fix: support DELETE... LIMIT in dialects that support it (mysql), but continu...
  • 7ae8857 fix(postgres): escape double quotes in searchPath to prevent SQL injection (#...
  • f44f75a fix(sqlite): append RETURNING statement when insert empty row (#5471)
  • 8198fa6 release 3.2.8
  • a077f37 chore: update changelog & release script
  • 94185ae fix: revert exports map added in #6227 (#6422)
  • e7f24c1 fix: TS types for update with subquery (#6419)
  • 633b4a4 release 3.2.7
  • Additional commits viewable in compare view

Updates koa from 3.1.2 to 3.2.0

Release notes

Sourced from koa's releases.

v3.2.0

Full Changelog: koajs/koa@v3.1.2...v3.2.0

Updates openai from 6.32.0 to 6.33.0

Release notes

Sourced from openai's releases.

v6.33.0

6.33.0 (2026-03-25)

Full Changelog: v6.32.0...v6.33.0

Features

  • api: add keys field to computer action types (27a850e)
  • client: add async iterator and stream() to WebSocket classes (e1c16ee)

Bug Fixes

  • api: align SDK response types with expanded item schemas (491cd52)
  • types: make type required in ResponseInputMessageItem (2012293)

Chores

  • ci: skip lint on metadata-only changes (74a917f)
  • internal: refactor imports (cfe9c60)
  • internal: update gitignore (71bd114)
  • tests: bump steady to v0.19.4 (f2e9dea)
  • tests: bump steady to v0.19.5 (37c6cf4)
  • tests: bump steady to v0.19.6 (496b3af)
  • tests: bump steady to v0.19.7 (8491eb6)

Refactors

  • tests: switch from prism to steady (47c0581)

Changelog

Sourced from openai's changelog.

6.33.0 (2026-03-25)

Full Changelog: v6.32.0...v6.33.0

Features

  • api: add keys field to computer action types (27a850e)
  • client: add async iterator and stream() to WebSocket classes (e1c16ee)

Bug Fixes

  • api: align SDK response types with expanded item schemas (491cd52)
  • types: make type required in ResponseInputMessageItem (2012293)

Chores

  • ci: skip lint on metadata-only changes (74a917f)
  • internal: refactor imports (cfe9c60)
  • internal: update gitignore (71bd114)
  • tests: bump steady to v0.19.4 (f2e9dea)
  • tests: bump steady to v0.19.5 (37c6cf4)
  • tests: bump steady to v0.19.6 (496b3af)
  • tests: bump steady to v0.19.7 (8491eb6)

Refactors

  • tests: switch from prism to steady (47c0581)

Commits
  • e412414 release: 6.33.0
  • 8ad76b2 fix(api): align SDK response types with expanded item schemas
  • c160eb9 feat(api): add keys field to computer action types
  • 499d71e chore(tests): bump steady to v0.19.7
  • 6170c06 chore(ci): skip lint on metadata-only changes
  • f895852 chore(tests): bump steady to v0.19.6
  • 33baf00 fix(types): make type required in ResponseInputMessageItem
  • 33f69d0 chore(internal): update gitignore
  • 4ddd31b chore(tests): bump steady to v0.19.5
  • 78d2abf feat(client): add async iterator and stream() to WebSocket classes
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
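
The GET-request rule from the @apollo/server 5.5.0 notes quoted above, sketched as an added example (not Apollo Server's code and not part of this PR). `checkGraphQLGet` and its return shape are hypothetical, and the 400 status for a missing CSRF header is an assumption, since the notes only specify 415.

```javascript
'use strict';

// Added example: hypothetical helper illustrating the rule in the release
// notes. It is not Apollo Server's implementation.

// Headers the notes name as satisfying CSRF prevention when non-empty.
const CSRF_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// HTTP header names are case-insensitive; normalise them once.
function lowerCaseKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Media type without parameters:
// "Application/JSON; charset=utf-8" -> "application/json".
function mediaType(contentType) {
  return String(contentType).split(';', 1)[0].trim().toLowerCase();
}

// Decide whether a GraphQL GET request may be processed.
function checkGraphQLGet(headers, { csrfPrevention = true } = {}) {
  const h = lowerCaseKeys(headers);
  const contentType = h['content-type'];

  if (contentType !== undefined) {
    // Any Content-Type other than application/json (parameters allowed) is
    // rejected with 415. Assumption: a present-but-empty value fails closed.
    if (mediaType(contentType) !== 'application/json') {
      return { allowed: false, status: 415, reason: 'unsupported Content-Type on GET' };
    }
    // application/json is not a CORS-safelisted Content-Type, so a
    // spec-compliant browser sends a preflight before this request.
    return { allowed: true, status: 200, reason: 'application/json Content-Type' };
  }

  // No Content-Type: still allowed, but with CSRF prevention enabled one of
  // the named headers must be present and non-empty.
  if (csrfPrevention) {
    const hasCsrfHeader = CSRF_HEADERS.some(
      (name) => typeof h[name] === 'string' && h[name].trim() !== ''
    );
    if (!hasCsrfHeader) {
      // Assumption: 400 is this example's choice of status for this case.
      return { allowed: false, status: 400, reason: 'missing CSRF prevention header' };
    }
  }
  return { allowed: true, status: 200, reason: 'no Content-Type' };
}

// Constructed sample requests (header sets only), not captured traffic.
const SAMPLES = [
  ['no headers', {}],
  ['operation name header', { 'X-Apollo-Operation-Name': 'GetUser' }],
  ['preflight header', { 'Apollo-Require-Preflight': 'true' }],
  ['blank operation name', { 'X-Apollo-Operation-Name': '  ' }],
  ['json with charset', { 'Content-Type': 'application/json; charset=utf-8' }],
  ['text/plain plus CSRF header', { 'content-type': 'text/plain', 'X-Apollo-Operation-Name': 'GetUser' }],
  ['empty Content-Type', { 'Content-Type': '' }],
];

// Run every sample with CSRF prevention enabled and collect the statuses.
function demo() {
  return SAMPLES.map(([label, headers]) => [label, checkGraphQLGet(headers).status]);
}

for (const [label, status] of demo()) {
  console.log(`${String(status).padEnd(4)} ${label}`);
}
```

The 415 check runs before the CSRF header check, so a `text/plain` GET is rejected even when it carries `X-Apollo-Operation-Name`.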


… updates

Bumps the test-versions group with 1 update in the /integration-tests/appsec/iast-esbuild-cjs directory: [esbuild](https://github.com/evanw/esbuild).
Bumps the test-versions group with 1 update in the /integration-tests/appsec/iast-esbuild-esm directory: [esbuild](https://github.com/evanw/esbuild).
Bumps the test-versions group with 5 updates in the /integration-tests/esbuild directory:

| Package | From | To |
| --- | --- | --- |
| [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server) | `5.4.0` | `5.5.0` |
| [axios](https://github.com/axios/axios) | `1.13.6` | `1.14.0` |
| [knex](https://github.com/knex/knex) | `3.1.0` | `3.2.9` |
| [koa](https://github.com/koajs/koa) | `3.1.2` | `3.2.0` |
| [openai](https://github.com/openai/openai-node) | `6.32.0` | `6.33.0` |



Updates `esbuild` from 0.27.7 to 0.28.0
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.7...v0.28.0)

Updates `esbuild` from 0.27.7 to 0.28.0
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.7...v0.28.0)

Updates `@apollo/server` from 5.4.0 to 5.5.0
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.0/packages/server)

Updates `axios` from 1.13.6 to 1.14.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.6...v1.14.0)

Updates `knex` from 3.1.0 to 3.2.9
- [Release notes](https://github.com/knex/knex/releases)
- [Changelog](https://github.com/knex/knex/blob/master/CHANGELOG.md)
- [Commits](knex/knex@3.1.0...3.2.9)

Updates `koa` from 3.1.2 to 3.2.0
- [Release notes](https://github.com/koajs/koa/releases)
- [Changelog](https://github.com/koajs/koa/blob/master/History.md)
- [Commits](koajs/koa@v3.1.2...v3.2.0)

Updates `openai` from 6.32.0 to 6.33.0
- [Release notes](https://github.com/openai/openai-node/releases)
- [Changelog](https://github.com/openai/openai-node/blob/master/CHANGELOG.md)
- [Commits](openai/openai-node@v6.32.0...v6.33.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-versions
- dependency-name: esbuild
  dependency-version: 0.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-versions
- dependency-name: "@apollo/server"
  dependency-version: 5.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-versions
- dependency-name: axios
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-versions
- dependency-name: knex
  dependency-version: 3.2.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-versions
- dependency-name: koa
  dependency-version: 3.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-versions
- dependency-name: openai
  dependency-version: 6.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-versions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependabot dependencies javascript Pull requests that update javascript code semver-patch labels Apr 7, 2026
@dependabot dependabot bot requested review from a team as code owners April 7, 2026 13:57
@dependabot dependabot bot added semver-patch dependencies javascript Pull requests that update javascript code dependabot labels Apr 7, 2026
@dd-octo-sts dd-octo-sts bot enabled auto-merge (squash) April 7, 2026 13:58
github-actions bot commented Apr 7, 2026

Overall package size

Self size: 5.47 MB
Deduped: 6.32 MB
No deduping: 6.32 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| import-in-the-middle | 3.0.0 | 81.15 kB | 815.98 kB |
| dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

datadog-datadog-prod-us1 bot commented Apr 7, 2026

⚠️ Tests

⚠️ Other Violations

🧪 1 Test failed

esbuild support for IAST cjs "before all" hook in "cjs" from cjs
Command failed: npm install
npm error code ENOENT
npm error syscall spawn sh
npm error path /tmp/778f06e610ea80a0/3bf1060548166fb2/appsec/iast-esbuild-cjs/node_modules/esbuild
npm error errno -2
npm error enoent spawn sh ENOENT
npm error enoent This is related to npm not being able to find a file.
npm error enoent

Error: Command failed: npm install
...

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 68.71% (+0.00%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 4c5f175

…appsec/iast-esbuild-cjs/test-versions-63b7d45381
codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.26%. Comparing base (a3baec5) to head (4c5f175).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #7934   +/-   ##
=======================================
  Coverage   74.26%   74.26%           
=======================================
  Files         769      769           
  Lines       36063    36063           
=======================================
  Hits        26782    26782           
  Misses       9281     9281           
Flag Coverage Δ
aiguard-macos 39.44% <ø> (-0.10%) ⬇️
aiguard-ubuntu 39.56% <ø> (-0.10%) ⬇️
aiguard-windows 39.23% <ø> (-0.10%) ⬇️
apm-capabilities-tracing-macos 49.52% <ø> (-0.05%) ⬇️
apm-capabilities-tracing-ubuntu 49.47% <ø> (ø)
apm-capabilities-tracing-windows 49.29% <ø> (-0.05%) ⬇️
apm-integrations-child-process 38.74% <ø> (-0.13%) ⬇️
apm-integrations-couchbase-18 37.52% <ø> (-0.10%) ⬇️
apm-integrations-couchbase-eol 38.01% <ø> (-0.10%) ⬇️
apm-integrations-oracledb 37.87% <ø> (-0.10%) ⬇️
appsec-express 55.40% <ø> (-0.05%) ⬇️
appsec-fastify 51.71% <ø> (-0.07%) ⬇️
appsec-graphql 51.87% <ø> (-0.07%) ⬇️
appsec-kafka 44.49% <ø> (-0.08%) ⬇️
appsec-ldapjs 44.11% <ø> (-0.08%) ⬇️
appsec-lodash 43.71% <ø> (-0.08%) ⬇️
appsec-macos 58.11% <ø> (-0.07%) ⬇️
appsec-mongodb-core 48.89% <ø> (-0.08%) ⬇️
appsec-mongoose 49.55% <ø> (-0.08%) ⬇️
appsec-mysql 51.08% <ø> (-0.07%) ⬇️
appsec-node-serialize 43.29% <ø> (-0.08%) ⬇️
appsec-passport 47.76% <ø> (-0.09%) ⬇️
appsec-postgres 50.70% <ø> (-0.07%) ⬇️
appsec-sourcing 42.54% <ø> (-0.08%) ⬇️
appsec-stripe 44.73% <ø> (-0.09%) ⬇️
appsec-template 43.45% <ø> (-0.08%) ⬇️
appsec-ubuntu 58.19% <ø> (-0.07%) ⬇️
appsec-windows 57.93% <ø> (-0.07%) ⬇️
instrumentations-instrumentation-bluebird 32.33% <ø> (-0.10%) ⬇️
instrumentations-instrumentation-body-parser 40.63% <ø> (-0.09%) ⬇️
instrumentations-instrumentation-child_process 38.07% <ø> (-0.10%) ⬇️
instrumentations-instrumentation-cookie-parser 34.36% <ø> (-0.09%) ⬇️
instrumentations-instrumentation-express 34.67% <ø> (-0.09%) ⬇️
instrumentations-instrumentation-express-mongo-sanitize 34.49% <ø> (-0.09%) ⬇️
instrumentations-instrumentation-express-session 40.27% <ø> (-0.09%) ⬇️
instrumentations-instrumentation-fs 32.01% <ø> (-0.10%) ⬇️
instrumentations-instrumentation-generic-pool 29.44% <ø> (ø)
instrumentations-instrumentation-http 39.99% <ø> (-0.10%) ⬇️
instrumentations-instrumentation-knex 32.39% <ø> (-0.10%) ⬇️
instrumentations-instrumentation-mongoose 33.51% <ø> (-0.10%) ⬇️
instrumentations-instrumentation-multer 40.38% <ø> (-0.09%) ⬇️
instrumentations-instrumentation-mysql2 38.40% <ø> (-0.10%) ⬇️
instrumentations-instrumentation-passport 44.16% <ø> (-0.09%) ⬇️
instrumentations-instrumentation-passport-http 43.84% <ø> (-0.09%) ⬇️
instrumentations-instrumentation-passport-local 44.37% <ø> (-0.09%) ⬇️
instrumentations-instrumentation-pg 37.84% <ø> (-0.10%) ⬇️
instrumentations-instrumentation-promise 32.26% <ø> (-0.11%) ⬇️
instrumentations-instrumentation-promise-js 32.26% <ø> (-0.10%) ⬇️
instrumentations-instrumentation-q 32.31% <ø> (-0.10%) ⬇️
instrumentations-instrumentation-url 32.23% <ø> (-0.11%) ⬇️
instrumentations-instrumentation-when 32.28% <ø> (-0.11%) ⬇️
llmobs-ai 41.37% <ø> (-0.10%) ⬇️
llmobs-anthropic 40.84% <ø> (-0.09%) ⬇️
llmobs-bedrock 39.32% <ø> (-0.08%) ⬇️
llmobs-google-genai 39.87% <ø> (-0.09%) ⬇️
llmobs-langchain 39.34% <ø> (-0.19%) ⬇️
llmobs-openai 44.12% <ø> (-0.09%) ⬇️
llmobs-vertex-ai 40.13% <ø> (-0.09%) ⬇️
platform-core 31.47% <ø> (ø)
platform-esbuild 34.42% <ø> (ø)
platform-instrumentations-misc 34.11% <ø> (ø)
platform-shimmer 37.56% <ø> (ø)
platform-unit-guardrails 32.89% <ø> (ø)
platform-webpack 19.86% <ø> (ø)
plugins-azure-durable-functions 25.74% <ø> (ø)
plugins-azure-event-hubs 25.90% <ø> (ø)
plugins-azure-service-bus 25.26% <ø> (ø)
plugins-bullmq 43.60% <ø> (+0.02%) ⬆️
plugins-cassandra 38.02% <ø> (-0.10%) ⬇️
plugins-cookie 26.96% <ø> (ø)
plugins-cookie-parser 26.75% <ø> (ø)
plugins-crypto 26.73% <ø> (ø)
plugins-dd-trace-api 38.43% <ø> (-0.10%) ⬇️
plugins-express-mongo-sanitize 26.89% <ø> (ø)
plugins-express-session 26.70% <ø> (ø)
plugins-fastify 42.36% <ø> (-0.09%) ⬇️
plugins-fetch 38.51% <ø> (-0.10%) ⬇️
plugins-fs 38.75% <ø> (-0.10%) ⬇️
plugins-generic-pool 25.94% <ø> (ø)
plugins-google-cloud-pubsub 45.68% <ø> (-0.09%) ⬇️
plugins-grpc 41.01% <ø> (-0.09%) ⬇️
plugins-handlebars 26.94% <ø> (ø)
plugins-hapi 40.27% <ø> (-0.10%) ⬇️
plugins-hono 40.74% <ø> (+0.04%) ⬆️
plugins-ioredis 38.60% <ø> (-0.10%) ⬇️
plugins-knex 26.57% <ø> (ø)
plugins-langgraph 37.99% <ø> (-0.10%) ⬇️
plugins-ldapjs 24.43% <ø> (ø)
plugins-light-my-request 26.30% <ø> (ø)
plugins-limitd-client 32.61% <ø> (-0.10%) ⬇️
plugins-lodash 26.03% <ø> (ø)
plugins-mariadb 39.61% <ø> (-0.15%) ⬇️
plugins-memcached 38.34% <ø> (-0.10%) ⬇️
plugins-microgateway-core 39.34% <ø> (-0.17%) ⬇️
plugins-moleculer 40.63% <ø> (-0.09%) ⬇️
plugins-mongodb 39.27% <ø> (-0.10%) ⬇️
plugins-mongodb-core 39.12% <ø> (-0.13%) ⬇️
plugins-mongoose 39.01% <ø> (ø)
plugins-multer 26.70% <ø> (ø)
plugins-mysql 39.45% <ø> (-0.10%) ⬇️
plugins-mysql2 39.41% <ø> (-0.10%) ⬇️
plugins-node-serialize 27.00% <ø> (ø)
plugins-opensearch 37.88% <ø> (+0.04%) ⬆️
plugins-passport-http 26.76% <ø> (ø)
plugins-postgres 35.58% <ø> (-0.09%) ⬇️
plugins-process 26.73% <ø> (ø)
plugins-pug 26.96% <ø> (ø)
plugins-redis 39.04% <ø> (-0.10%) ⬇️
plugins-router 43.36% <ø> (-0.10%) ⬇️
plugins-sequelize 25.55% <ø> (ø)
plugins-test-and-upstream-amqp10 38.62% <ø> (-0.10%) ⬇️
plugins-test-and-upstream-amqplib 44.37% <ø> (-0.10%) ⬇️
plugins-test-and-upstream-apollo 39.24% <ø> (-0.09%) ⬇️
plugins-test-and-upstream-avsc 38.69% <ø> (-0.10%) ⬇️
plugins-test-and-upstream-bunyan 33.94% <ø> (-0.10%) ⬇️
plugins-test-and-upstream-connect 40.93% <ø> (-0.10%) ⬇️
plugins-test-and-upstream-graphql 40.28% <ø> (-0.10%) ⬇️
plugins-test-and-upstream-koa 40.52% <ø> (-0.10%) ⬇️
plugins-test-and-upstream-protobufjs 38.92% <ø> (-0.10%) ⬇️
plugins-test-and-upstream-rhea 44.40% <ø> (-0.07%) ⬇️
plugins-undici 39.36% <ø> (-0.09%) ⬇️
plugins-url 26.73% <ø> (ø)
plugins-valkey 38.31% <ø> (-0.09%) ⬇️
plugins-vm 26.73% <ø> (ø)
plugins-winston 34.26% <ø> (-0.10%) ⬇️
plugins-ws 42.12% <ø> (-0.10%) ⬇️
profiling-macos 40.65% <ø> (-0.10%) ⬇️
profiling-ubuntu 40.78% <ø> (-0.10%) ⬇️
profiling-windows 42.30% <ø> (+0.32%) ⬆️
serverless-azure-functions-client 25.62% <ø> (ø)
serverless-azure-functions-eventhubs 25.62% <ø> (ø)
serverless-azure-functions-servicebus 25.62% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


@pr-commenter

pr-commenter bot commented Apr 7, 2026

Benchmarks

Benchmark execution time: 2026-04-07 16:36:17

Comparing candidate commit 4c5f175 in PR branch dependabot/npm_and_yarn/integration-tests/appsec/iast-esbuild-cjs/test-versions-63b7d45381 with baseline commit a3baec5 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 232 metrics, 28 unstable metrics.


Labels

dependabot, dependencies, javascript (Pull requests that update javascript code), semver-patch
