chore(deps-dev): bump the dev-minor-and-patch-dependencies group across 1 directory with 6 updates by dependabot[bot] · Pull Request #8155 · DataDog/dd-trace-js

dependabot · 2026-04-29T00:58:01Z

Bumps the dev-minor-and-patch-dependencies group with 6 updates in the / directory:

Package	From	To
@actions/core	`3.0.0`	`3.0.1`
@actions/github	`9.1.0`	`9.1.1`
@openfeature/core	`1.9.2`	`1.10.0`
@openfeature/server-sdk	`1.20.2`	`1.21.0`
axios	`1.15.0`	`1.15.2`
bun	`1.3.12`	`1.3.13`

Updates @actions/core from 3.0.0 to 3.0.1

Changelog

Sourced from @actions/core's changelog.

3.0.1

Bump undici from 6.23.0 to 6.24.1 #2348

Commits

See full diff in compare view

Updates @actions/github from 9.1.0 to 9.1.1

Changelog

Sourced from @actions/github's changelog.

9.1.1

Bump undici from 6.23.0 to 6.24.0 #2346

Commits

See full diff in compare view

Updates @openfeature/core from 1.9.2 to 1.10.0

Release notes

Sourced from @openfeature/core's releases.

core: v1.10.0

1.10.0 (2026-04-21)

✨ New Features

add "sideEffects": false to package.json files for all packages (#1343) (d8e968e)

support type-safe flag keys via module augmentation (#1349) (fb2ed4a)

Commits

54acc8a chore(main): release core 1.10.0 (#1392)
a36733b chore: pin npm release version in publish
2b7ab6b chore: pin npm release version
7924205 chore: replace test-harness submodule with spec submodule (#1359)
aab82bd chore(deps): update dependency @angular/compiler to v21.2.4 [security] (#1386)
528f826 chore(deps): update dependency eslint-config-prettier to v10 (#1299)
1999690 chore(deps): update dependency @angular/compiler to v21.2.4 [security] (#1383)
0c955b5 chore(deps): update dependency @angular/compiler to v21.2.4 [security] (#1382)
e9ac76f chore(deps): update dependency @types/node to v22.19.17 (#1381)
9bb2271 chore(deps): update dependency @angular/build to v21.2.7 (#1380)
Additional commits viewable in compare view

Updates @openfeature/server-sdk from 1.20.2 to 1.21.0

Release notes

Sourced from @openfeature/server-sdk's releases.

server-sdk: v1.21.0

1.21.0 (2026-04-21)

✨ New Features

add "sideEffects": false to package.json files for all packages (#1343) (d8e968e)

support type-safe flag keys via module augmentation (#1349) (fb2ed4a)

support type-safe variant values for InMemoryProvider (#1356) (431f899)

🧹 Chore

replace test-harness submodule with spec submodule (#1359) (7924205)

📚 Documentation

fix inaccuracies in package READMEs (#1378) (ecd3759)

Commits

195f39a chore(main): release server-sdk 1.21.0 (#1353)
2f5dbd6 chore(main): release web-sdk 1.8.0 (#1354)
54acc8a chore(main): release core 1.10.0 (#1392)
a36733b chore: pin npm release version in publish
2b7ab6b chore: pin npm release version
7924205 chore: replace test-harness submodule with spec submodule (#1359)
aab82bd chore(deps): update dependency @angular/compiler to v21.2.4 [security] (#1386)
528f826 chore(deps): update dependency eslint-config-prettier to v10 (#1299)
1999690 chore(deps): update dependency @angular/compiler to v21.2.4 [security] (#1383)
0c955b5 chore(deps): update dependency @angular/compiler to v21.2.4 [security] (#1382)
Additional commits viewable in compare view

Updates axios from 1.15.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)

SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)

Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)

HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)

Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)

Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)

buildFullPath: Uses strict equality in the base/relative URL check. (#7252)

AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)

Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)

SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)

Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

5829343 chore(release): prepare release 1.15.2 (#10789)
4709a48 fix: added fix for memory leak in sockets (#10788)
be33360 chore: update changelog (#10781)
4791514 fix: more header pollutions (#10779)
6feafcf fix: socket issue (#10777)
302e273 docs: update docs, add a couple actions etc (#10776)
ac42446 chore(release): prepare release 1.15.1 (#10767)
908f220 docs: update threatmodel (#10765)
f93f815 docs: added docs around potential decompressions bomb (#10763)
1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
Additional commits viewable in compare view

Updates bun from 1.3.12 to 1.3.13

Release notes

Sourced from bun's releases.

Bun v1.3.13

To install Bun v1.3.13
curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun
Windows:
powershell -c "irm bun.sh/install.ps1|iex"
To upgrade to Bun v1.3.13:
bun upgrade
Read Bun v1.3.13's release notes on Bun's blog

Thanks to 8 contributors!

@alii

@ant-kurt

@chrislloyd

@cirospaciari

@dylan-conway

@jarred-sumner

@robobun

@sosukesuzuki

Commits

bf2e2ce Revert "webcore: fix ReadableStreamSource Strong cycle + Windows fromPipe ref...
f53ef36 build: lower minimum glibc requirement from 2.26 to 2.17 (#29461)
91d066b sys: cache memfd_create ENOSYS + BUN_FEATURE_FLAG_DISABLE_MEMFD (#29465)
55b62ef webcore: fix ReadableStreamSource Strong cycle + Windows fromPipe ref (#29472)
1e22902 Add missing docs
c2ad072 Add missing docs
f8d4254 Migrate TCPSocket/TLSSocket from hasPendingActivity to jsc.JSRef (#29451)
97d9dad ci(binary-size): drop release comparison column (#29468)
40ffda1 deps(mimalloc): set MI_OVERRIDE=OFF on Windows (#29467)
983ee68 debugger: block on a condvar instead of spinning while paused (#29438)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…ss 1 directory with 6 updates Bumps the dev-minor-and-patch-dependencies group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `3.0.0` | `3.0.1` | | [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) | `9.1.0` | `9.1.1` | | [@openfeature/core](https://github.com/open-feature/js-sdk) | `1.9.2` | `1.10.0` | | [@openfeature/server-sdk](https://github.com/open-feature/js-sdk) | `1.20.2` | `1.21.0` | | [axios](https://github.com/axios/axios) | `1.15.0` | `1.15.2` | | [bun](https://github.com/oven-sh/bun) | `1.3.12` | `1.3.13` | Updates `@actions/core` from 3.0.0 to 3.0.1 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) Updates `@actions/github` from 9.1.0 to 9.1.1 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github) Updates `@openfeature/core` from 1.9.2 to 1.10.0 - [Release notes](https://github.com/open-feature/js-sdk/releases) - [Commits](open-feature/js-sdk@core-v1.9.2...core-v1.10.0) Updates `@openfeature/server-sdk` from 1.20.2 to 1.21.0 - [Release notes](https://github.com/open-feature/js-sdk/releases) - [Commits](open-feature/js-sdk@server-sdk-v1.20.2...server-sdk-v1.21.0) Updates `axios` from 1.15.0 to 1.15.2 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.15.0...v1.15.2) Updates `bun` from 1.3.12 to 1.3.13 - [Release notes](https://github.com/oven-sh/bun/releases) - [Commits](oven-sh/bun@bun-v1.3.12...bun-v1.3.13) --- updated-dependencies: - dependency-name: "@actions/core" dependency-version: 3.0.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-minor-and-patch-dependencies - dependency-name: "@actions/github" dependency-version: 9.1.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-minor-and-patch-dependencies - dependency-name: "@openfeature/core" dependency-version: 1.10.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-and-patch-dependencies - dependency-name: "@openfeature/server-sdk" dependency-version: 1.21.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-and-patch-dependencies - dependency-name: axios dependency-version: 1.15.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-minor-and-patch-dependencies - dependency-name: bun dependency-version: 1.3.13 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-minor-and-patch-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-04-29T00:58:53Z

Overall package size

Self size: 5.66 MB
Deduped: 6.5 MB
No deduping: 6.5 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 3.0.1 | 82.56 kB | 817.39 kB | | dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

codecov · 2026-04-29T00:59:19Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.20%. Comparing base (0e63640) to head (c1cfebd).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #8155   +/-   ##
=======================================
  Coverage   77.20%   77.20%           
=======================================
  Files         809      809           
  Lines       37562    37562           
=======================================
  Hits        28998    28998           
  Misses       8564     8564

Flag	Coverage Δ
aiguard-macos	`35.71% <ø> (-0.09%)`	⬇️
aiguard-ubuntu	`35.81% <ø> (-0.09%)`	⬇️
aiguard-windows	`35.61% <ø> (-0.09%)`	⬇️
apm-capabilities-tracing-macos	`48.14% <ø> (-0.01%)`	⬇️
apm-capabilities-tracing-ubuntu-active	`48.17% <ø> (ø)`
apm-capabilities-tracing-ubuntu-latest	`48.14% <ø> (ø)`
apm-capabilities-tracing-ubuntu-maintenance	`48.17% <ø> (ø)`
apm-capabilities-tracing-ubuntu-oldest	`48.15% <ø> (-0.01%)`	⬇️
apm-capabilities-tracing-windows	`47.95% <ø> (-0.02%)`	⬇️
apm-integrations-aerospike-18-gte.5.2.0	`34.85% <ø> (-0.09%)`	⬇️
apm-integrations-aerospike-20-gte.5.5.0	`34.87% <ø> (-0.09%)`	⬇️
apm-integrations-aerospike-22-gte.5.12.1	`34.87% <ø> (-0.09%)`	⬇️
apm-integrations-aerospike-22-gte.6.0.0	`34.87% <ø> (-0.09%)`	⬇️
apm-integrations-aerospike-eol-	`34.77% <ø> (-0.09%)`	⬇️
apm-integrations-child-process	`36.04% <ø> (-0.10%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-18	`41.71% <ø> (-0.09%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-20	`41.73% <ø> (-0.09%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-22	`41.73% <ø> (-0.09%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-24	`41.66% <ø> (-0.09%)`	⬇️
apm-integrations-couchbase-18	`35.04% <ø> (-0.12%)`	⬇️
apm-integrations-couchbase-eol	`35.09% <ø> (-0.12%)`	⬇️
apm-integrations-dns	`34.84% <ø> (-0.10%)`	⬇️
apm-integrations-elasticsearch	`35.44% <ø> (-0.09%)`	⬇️
apm-integrations-http-latest	`42.90% <ø> (-0.08%)`	⬇️
apm-integrations-http-maintenance	`42.96% <ø> (-0.08%)`	⬇️
apm-integrations-http-oldest	`42.97% <ø> (-0.08%)`	⬇️
apm-integrations-http2	`40.24% <ø> (-0.09%)`	⬇️
apm-integrations-kafkajs-latest	`41.59% <ø> (-0.09%)`	⬇️
apm-integrations-kafkajs-oldest	`41.65% <ø> (-0.09%)`	⬇️
apm-integrations-net	`35.50% <ø> (-0.10%)`	⬇️
apm-integrations-next-11.1.4	`29.30% <ø> (-0.08%)`	⬇️
apm-integrations-next-13.2.0	`31.15% <ø> (-0.09%)`	⬇️
apm-integrations-next-gte.10.2.0.and.lt.11	`23.33% <ø> (ø)`
apm-integrations-next-gte.11.0.0.and.lt.13	`31.16% <ø> (-0.09%)`	⬇️
apm-integrations-next-gte.13.0.0.and.lt.14	`31.41% <ø> (-0.09%)`	⬇️
apm-integrations-next-gte.14.0.0.and.lte.14.2.6	`31.23% <ø> (-0.11%)`	⬇️
apm-integrations-next-gte.14.2.7.and.lt.15	`31.23% <ø> (-0.09%)`	⬇️
apm-integrations-next-gte.15.0.0	`31.29% <ø> (-0.09%)`	⬇️
apm-integrations-prisma-18-gte.6.16.0.and.lt.7.0.0	`35.41% <ø> (-0.09%)`	⬇️
apm-integrations-prisma-latest-all	`35.74% <ø> (-0.09%)`	⬇️
apm-integrations-sharedb	`34.46% <ø> (-0.09%)`	⬇️
apm-integrations-tedious	`35.01% <ø> (-0.09%)`	⬇️
appsec-express	`52.73% <ø> (-0.07%)`	⬇️
appsec-fastify	`49.20% <ø> (-0.08%)`	⬇️
appsec-graphql	`49.39% <ø> (-0.07%)`	⬇️
appsec-kafka	`41.97% <ø> (-0.09%)`	⬇️
appsec-ldapjs	`41.22% <ø> (-0.08%)`	⬇️
appsec-lodash	`41.34% <ø> (-0.08%)`	⬇️
appsec-macos	`56.76% <ø> (-0.07%)`	⬇️
appsec-mongodb-core	`45.63% <ø> (-0.07%)`	⬇️
appsec-mongoose	`46.51% <ø> (-0.07%)`	⬇️
appsec-mysql	`48.69% <ø> (-0.07%)`	⬇️
appsec-next-latest-11.1.4	`29.49% <ø> (-0.08%)`	⬇️
appsec-next-latest-13.2.0	`31.37% <ø> (-0.09%)`	⬇️
appsec-next-latest-gte.10.2.0.and.lt.11	`31.56% <ø> (ø)`
appsec-next-latest-gte.11.0.0.and.lt.13	`31.35% <ø> (-0.09%)`	⬇️
appsec-next-latest-gte.13.0.0.and.lt.14	`31.55% <ø> (-0.09%)`	⬇️
appsec-next-latest-gte.14.0.0.and.lte.14.2.6	`31.39% <ø> (-0.09%)`	⬇️
appsec-next-latest-gte.14.2.7.and.lt.15	`31.39% <ø> (-0.09%)`	⬇️
appsec-next-latest-gte.15.0.0	`31.39% <ø> (-0.09%)`	⬇️
appsec-next-oldest-11.1.4	`29.50% <ø> (-0.08%)`	⬇️
appsec-next-oldest-13.2.0	`31.61% <ø> (-0.09%)`	⬇️
appsec-next-oldest-gte.10.2.0.and.lt.11	`31.72% <ø> (ø)`
appsec-next-oldest-gte.11.0.0.and.lt.13	`31.37% <ø> (-0.09%)`	⬇️
appsec-next-oldest-gte.13.0.0.and.lt.14	`31.80% <ø> (-0.09%)`	⬇️
appsec-next-oldest-gte.14.0.0.and.lte.14.2.6	`31.65% <ø> (-0.09%)`	⬇️
appsec-next-oldest-gte.14.2.7.and.lt.15	`31.65% <ø> (-0.09%)`	⬇️
appsec-next-oldest-gte.15.0.0	`31.65% <ø> (-0.09%)`	⬇️
appsec-node-serialize	`40.51% <ø> (-0.08%)`	⬇️
appsec-passport	`44.51% <ø> (-0.08%)`	⬇️
appsec-postgres	`48.28% <ø> (-0.06%)`	⬇️
appsec-sourcing	`40.00% <ø> (-0.08%)`	⬇️
appsec-stripe	`42.24% <ø> (-0.09%)`	⬇️
appsec-template	`40.68% <ø> (-0.08%)`	⬇️
appsec-ubuntu	`56.84% <ø> (-0.07%)`	⬇️
appsec-windows	`56.63% <ø> (-0.09%)`	⬇️
debugger-ubuntu-active	`62.12% <ø> (-0.33%)`	⬇️
debugger-ubuntu-latest	`62.02% <ø> (-0.33%)`	⬇️
debugger-ubuntu-maintenance	`62.12% <ø> (-0.33%)`	⬇️
debugger-ubuntu-oldest	`62.21% <ø> (-0.33%)`	⬇️
instrumentations-instrumentation-bluebird	`29.75% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-body-parser	`37.64% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-child_process	`35.41% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-cookie-parser	`31.68% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-express	`31.90% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-express-mongo-sanitize	`31.80% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-express-session	`37.27% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-fs	`29.43% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-generic-pool	`30.30% <ø> (ø)`
instrumentations-instrumentation-http	`36.88% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-knex	`29.72% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-light-my-request	`37.20% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-mongoose	`30.81% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-multer	`37.41% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-mysql2	`35.38% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-passport	`41.09% <ø> (-0.08%)`	⬇️
instrumentations-instrumentation-passport-http	`40.87% <ø> (-0.08%)`	⬇️
instrumentations-instrumentation-passport-local	`41.38% <ø> (-0.08%)`	⬇️
instrumentations-instrumentation-pg	`34.91% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-promise	`29.68% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-promise-js	`29.69% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-q	`29.72% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-url	`29.69% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-when	`29.70% <ø> (-0.10%)`	⬇️
llmobs-ai	`38.35% <ø> (-0.09%)`	⬇️
llmobs-anthropic	`37.84% <ø> (-0.09%)`	⬇️
llmobs-bedrock	`37.06% <ø> (-0.08%)`	⬇️
llmobs-google-genai	`37.49% <ø> (-0.08%)`	⬇️
llmobs-langchain	`37.00% <ø> (-0.07%)`	⬇️
llmobs-openai	`41.18% <ø> (-0.08%)`	⬇️
llmobs-vertex-ai	`37.67% <ø> (-0.02%)`	⬇️
openfeature-unit-active	`50.41% <ø> (-0.52%)`	⬇️
openfeature-unit-latest	`50.25% <ø> (-0.52%)`	⬇️
openfeature-unit-maintenance	`50.41% <ø> (-0.52%)`	⬇️
openfeature-unit-oldest	`50.41% <ø> (-0.52%)`	⬇️
platform-core	`36.53% <ø> (ø)`
platform-esbuild	`40.80% <ø> (ø)`
platform-instrumentations-misc	`31.22% <ø> (ø)`
platform-shimmer	`42.11% <ø> (ø)`
platform-unit-guardrails	`35.88% <ø> (ø)`
platform-webpack	`20.72% <ø> (ø)`
plugins-azure-durable-functions	`25.36% <ø> (ø)`
plugins-azure-event-hubs	`25.51% <ø> (ø)`
plugins-azure-service-bus	`24.92% <ø> (ø)`
plugins-bullmq	`40.67% <ø> (+0.02%)`	⬆️
plugins-cassandra	`35.12% <ø> (-0.09%)`	⬇️
plugins-cookie	`26.47% <ø> (ø)`
plugins-cookie-parser	`26.28% <ø> (ø)`
plugins-crypto	`27.32% <ø> (ø)`
plugins-dd-trace-api	`35.35% <ø> (-0.09%)`	⬇️
plugins-express-mongo-sanitize	`26.42% <ø> (ø)`
plugins-express-session	`26.24% <ø> (ø)`
plugins-fastify	`39.25% <ø> (-0.09%)`	⬇️
plugins-fetch	`35.76% <ø> (-0.09%)`	⬇️
plugins-fs	`35.64% <ø> (-0.10%)`	⬇️
plugins-generic-pool	`25.40% <ø> (ø)`
plugins-google-cloud-pubsub	`42.99% <ø> (-0.08%)`	⬇️
plugins-grpc	`38.01% <ø> (-0.09%)`	⬇️
plugins-handlebars	`26.46% <ø> (ø)`
plugins-hapi	`37.25% <ø> (-0.09%)`	⬇️
plugins-hono	`37.50% <ø> (-0.09%)`	⬇️
plugins-ioredis	`35.68% <ø> (-0.09%)`	⬇️
plugins-knex	`26.14% <ø> (ø)`
plugins-langgraph	`35.03% <ø> (-0.09%)`	⬇️
plugins-ldapjs	`24.02% <ø> (ø)`
plugins-light-my-request	`25.88% <ø> (ø)`
plugins-limitd-client	`29.98% <ø> (-0.09%)`	⬇️
plugins-lodash	`25.47% <ø> (ø)`
plugins-mariadb	`36.55% <ø> (-0.14%)`	⬇️
plugins-memcached	`35.34% <ø> (-0.09%)`	⬇️
plugins-microgateway-core	`36.34% <ø> (-0.09%)`	⬇️
plugins-modelcontextprotocol-sdk	`34.27% <ø> (-0.09%)`	⬇️
plugins-moleculer	`38.03% <ø> (-0.09%)`	⬇️
plugins-mongodb	`36.50% <ø> (-0.09%)`	⬇️
plugins-mongodb-core	`36.13% <ø> (-0.09%)`	⬇️
plugins-mongoose	`36.01% <ø> (-0.09%)`	⬇️
plugins-multer	`26.24% <ø> (ø)`
plugins-mysql	`36.28% <ø> (-0.23%)`	⬇️
plugins-mysql2	`36.40% <ø> (-0.09%)`	⬇️
plugins-node-serialize	`26.51% <ø> (ø)`
plugins-opensearch	`35.00% <ø> (-0.09%)`	⬇️
plugins-passport-http	`26.30% <ø> (ø)`
plugins-pino	`31.78% <ø> (-0.09%)`	⬇️
plugins-postgres	`34.39% <ø> (-0.09%)`	⬇️
plugins-process	`27.32% <ø> (ø)`
plugins-pug	`26.47% <ø> (ø)`
plugins-redis	`35.89% <ø> (-0.09%)`	⬇️
plugins-router	`39.68% <ø> (-0.09%)`	⬇️
plugins-sequelize	`25.18% <ø> (ø)`
plugins-test-and-upstream-amqp10	`35.52% <ø> (-0.09%)`	⬇️
plugins-test-and-upstream-amqplib	`40.82% <ø> (-0.09%)`	⬇️
plugins-test-and-upstream-apollo	`36.51% <ø> (-0.08%)`	⬇️
plugins-test-and-upstream-avsc	`34.98% <ø> (-0.09%)`	⬇️
plugins-test-and-upstream-bunyan	`31.13% <ø> (-0.09%)`	⬇️
plugins-test-and-upstream-connect	`37.84% <ø> (-0.09%)`	⬇️
plugins-test-and-upstream-graphql	`37.18% <ø> (-0.09%)`	⬇️
plugins-test-and-upstream-koa	`37.45% <ø> (-0.09%)`	⬇️
plugins-test-and-upstream-protobufjs	`35.20% <ø> (-0.09%)`	⬇️
plugins-test-and-upstream-rhea	`40.90% <ø> (-0.09%)`	⬇️
plugins-undici	`36.39% <ø> (-0.21%)`	⬇️
plugins-url	`27.32% <ø> (ø)`
plugins-valkey	`35.36% <ø> (-0.09%)`	⬇️
plugins-vm	`27.32% <ø> (ø)`
plugins-winston	`31.61% <ø> (-0.09%)`	⬇️
plugins-ws	`38.97% <ø> (-0.09%)`	⬇️
profiling-macos	`40.43% <ø> (-0.08%)`	⬇️
profiling-ubuntu	`41.05% <ø> (-0.08%)`	⬇️
profiling-windows	`40.61% <ø> (-0.08%)`	⬇️
serverless-azure-functions-client	`25.25% <ø> (ø)`
serverless-azure-functions-eventhubs	`25.25% <ø> (ø)`
serverless-azure-functions-servicebus	`25.25% <ø> (ø)`
serverless-lambda	`33.45% <ø> (-0.09%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

datadog-official · 2026-04-29T00:59:47Z

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 71.48% (-0.00%)

_{This comment will be updated automatically if new data arrives.

🔗 Commit SHA: c1cfebd | Docs | Datadog PR Page | Give us feedback!}

pr-commenter · 2026-04-29T01:12:35Z

Benchmarks

Benchmark execution time: 2026-04-29 01:12:31

Comparing candidate commit c1cfebd in PR branch dependabot/npm_and_yarn/dev-minor-and-patch-dependencies-ed8ca58c7e with baseline commit 0e63640 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 1346 metrics, 98 unstable metrics.

…ss 1 directory with 6 updates (#8155) Bumps the dev-minor-and-patch-dependencies group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `3.0.0` | `3.0.1` | | [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) | `9.1.0` | `9.1.1` | | [@openfeature/core](https://github.com/open-feature/js-sdk) | `1.9.2` | `1.10.0` | | [@openfeature/server-sdk](https://github.com/open-feature/js-sdk) | `1.20.2` | `1.21.0` | | [axios](https://github.com/axios/axios) | `1.15.0` | `1.15.2` | | [bun](https://github.com/oven-sh/bun) | `1.3.12` | `1.3.13` | Updates `@actions/core` from 3.0.0 to 3.0.1 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) Updates `@actions/github` from 9.1.0 to 9.1.1 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github) Updates `@openfeature/core` from 1.9.2 to 1.10.0 - [Release notes](https://github.com/open-feature/js-sdk/releases) - [Commits](open-feature/js-sdk@core-v1.9.2...core-v1.10.0) Updates `@openfeature/server-sdk` from 1.20.2 to 1.21.0 - [Release notes](https://github.com/open-feature/js-sdk/releases) - [Commits](open-feature/js-sdk@server-sdk-v1.20.2...server-sdk-v1.21.0) Updates `axios` from 1.15.0 to 1.15.2 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.15.0...v1.15.2) Updates `bun` from 1.3.12 to 1.3.13 - [Release notes](https://github.com/oven-sh/bun/releases) - [Commits](oven-sh/bun@bun-v1.3.12...bun-v1.3.13) --- updated-dependencies: - dependency-name: "@actions/core" dependency-version: 3.0.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-minor-and-patch-dependencies - dependency-name: "@actions/github" dependency-version: 9.1.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-minor-and-patch-dependencies - dependency-name: "@openfeature/core" dependency-version: 1.10.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-and-patch-dependencies - dependency-name: "@openfeature/server-sdk" dependency-version: 1.21.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-and-patch-dependencies - dependency-name: axios dependency-version: 1.15.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-minor-and-patch-dependencies - dependency-name: bun dependency-version: 1.3.13 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-minor-and-patch-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot Bot added dependabot dependencies javascript Pull requests that update javascript code semver-patch labels Apr 29, 2026

dependabot Bot requested a review from a team as a code owner April 29, 2026 00:58

dependabot Bot added semver-patch dependencies javascript Pull requests that update javascript code dependabot labels Apr 29, 2026

dd-octo-sts Bot approved these changes Apr 29, 2026

View reviewed changes

dd-octo-sts Bot enabled auto-merge (squash) April 29, 2026 00:58

dd-octo-sts Bot merged commit 581ce95 into master Apr 29, 2026
987 of 990 checks passed

dd-octo-sts Bot deleted the dependabot/npm_and_yarn/dev-minor-and-patch-dependencies-ed8ca58c7e branch April 29, 2026 01:17

dd-octo-sts Bot mentioned this pull request Apr 29, 2026

v5.99.0 proposal #8077

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps-dev): bump the dev-minor-and-patch-dependencies group across 1 directory with 6 updates#8155

chore(deps-dev): bump the dev-minor-and-patch-dependencies group across 1 directory with 6 updates#8155
dd-octo-sts[bot] merged 1 commit into
masterfrom
dependabot/npm_and_yarn/dev-minor-and-patch-dependencies-ed8ca58c7e

dependabot Bot commented on behalf of github Apr 29, 2026

Uh oh!

github-actions Bot commented Apr 29, 2026

Uh oh!

codecov Bot commented Apr 29, 2026 •

edited

Loading

Uh oh!

datadog-official Bot commented Apr 29, 2026 •

edited by datadog-prod-us1-3 Bot

Loading

Uh oh!

pr-commenter Bot commented Apr 29, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 29, 2026

3.0.1

9.1.1

core: v1.10.0

1.10.0 (2026-04-21)

✨ New Features

server-sdk: v1.21.0

1.21.0 (2026-04-21)

✨ New Features

🧹 Chore

📚 Documentation

v1.15.2

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

🔧 Maintenance & Chores

v1.15.1

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

v1.15.2 - April 21, 2026

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

🔧 Maintenance & Chores

v1.15.1 - April 19, 2026

🔒 Security Fixes

🚀 New Features

Bun v1.3.13

Read Bun v1.3.13's release notes on Bun's blog

Thanks to 8 contributors!

Uh oh!

github-actions Bot commented Apr 29, 2026

Overall package size

Uh oh!

codecov Bot commented Apr 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

datadog-official Bot commented Apr 29, 2026 • edited by datadog-prod-us1-3 Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pr-commenter Bot commented Apr 29, 2026

Benchmarks

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

codecov Bot commented Apr 29, 2026 •

edited

Loading

datadog-official Bot commented Apr 29, 2026 •

edited by datadog-prod-us1-3 Bot

Loading