Skip to content

chore(deps): bump the prod-dependencies group across 1 directory with 4 updates#29

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/prod-dependencies-a21915c580
Closed

chore(deps): bump the prod-dependencies group across 1 directory with 4 updates#29
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/prod-dependencies-a21915c580

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 28, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the prod-dependencies group with 4 updates in the / directory: @github/copilot-sdk, cosmiconfig-typescript-loader, express-rate-limit and ora.

Updates @github/copilot-sdk from 0.1.23 to 0.3.0

Release notes

Sourced from @​github/copilot-sdk's releases.

v0.3.0

This release adds new capabilities — per-session authentication, scoped permissions, agent-level tool and skill control, MCP interop utilities, and more — alongside a broad naming cleanup across all four SDK languages. As we close in on a GA release, we've done a deep clean on our naming to bring it closer to the final state, reducing the amount of churn you should expect in subsequent releases. The result is a more consistent, more readable API surface across the board.

New features

Per-session GitHub authentication

Sessions can now carry their own GitHub identity. Different sessions on the same CLI server can have different GitHub users, Copilot plans, and quota limits.

const session = await client.createSession({
    onPermissionRequest: approveAll,
    gitHubToken: userAToken, // Session-level identity
});

This is independent of the client-level gitHubToken (which authenticates the CLI process itself, and is not required if all sessions bring their own auth). The session-level token determines the identity used for content exclusion, model routing, and quota checks.

Per-agent tool visibility

A new defaultAgent.excludedTools option lets you hide tools from the default agent while keeping them available to custom sub-agents, enabling the orchestrator pattern where the default agent delegates to specialized sub-agents. (#1098)

Per-agent skills

Custom agents can now declare skills: string[] to eagerly inject specific skills into their context at startup. Skills are opt-in — agents receive no skills by default, and sub-agents do not inherit skills from the parent. (#995)

Sub-agent streaming content

When streaming is enabled, assistant.message_delta and assistant.reasoning_delta events are now also delivered for sub-agents. Each event carries an agentId field identifying which sub-agent produced it (absent for the root agent). If your application renders all streaming deltas to the UI, you'll want to filter by agentId (or for pure back-compat, set includeSubAgentStreamingEvents: false on SessionConfig to get the old behavior of only streaming main-agent content updates). (#1108)

Session idle timeout

A new sessionIdleTimeoutSeconds client option configures automatic session cleanup after inactivity. When set, sessions without activity for the specified duration are cleaned up. Disabled by default (sessions live indefinitely). Previously, sessions would always time out after 30 minutes of idleness - this change fixes that. (#1093)

Custom HTTP headers for BYOK model providers

Provider headers and per-message requestHeaders can now be passed through createSession, resumeSession, and send, enabling custom header forwarding to bring-your-own-key model providers. (#1094)

MCP CallToolResult conversion

A new convertMcpCallToolResult() utility function converts MCP CallToolResult objects (with content arrays of text, image, and resource blocks) into the SDK's ToolResultObject format. This makes it easy to use MCP tool servers as backends for SDK tool handlers. (#1049)

ProviderConfig exported

ProviderConfig is now re-exported from the Node.js and Python SDK entry points, so consumers no longer need to duplicate the type locally when configuring Responses API providers. (#1048)

New RPC methods

... (truncated)

Commits
  • dd2dcbc Per-session GitHub authentication for all SDK languages, plus update runtime ...
  • b4ef955 Add configurable session idle timeout option (#1093)
  • a3e273c SessionFs structured error contract and codegen changes
  • b1b0df5 feat: add per-agent tool visibility via defaultAgent.excludedTools (#1098)
  • 922959f Expose IncludeSubAgentStreamingEvents in all four SDKs (#1108)
  • fd0495c Update @​github/copilot to 1.0.32 (#1107)
  • cf5694c Update @​github/copilot to 1.0.32-1 (#1105)
  • 48e244d Clean up redundant Python codegen lambdas (#1104)
  • dbcea81 Add deprecated schema support to all four code generators (#1099)
  • 883cc02 Update @​github/copilot to 1.0.30 (#1096)
  • Additional commits viewable in compare view

Updates cosmiconfig-typescript-loader from 6.2.0 to 6.3.0

Release notes

Sourced from cosmiconfig-typescript-loader's releases.

Release 6.3.0

   ⚙️ Maintenance Release

  • deps: Update dependencies to resolve security advisories
  • security: Pin all dependencies
  • security: Use trusted NPM OIDC for releases
  • security: Remove any manually generated tokens
Changelog

Sourced from cosmiconfig-typescript-loader's changelog.

[6.3.0](https://github.com/Codex-/cosmiconfig-typescript-loader.git

/compare/6.2.0...6.3.0)

... (truncated)

Commits
  • 20b1c63 Release 6.3.0
  • 4a3813b cicd(release): fix gh token usage (#216)
  • 7e86241 cicd(release): fix misconfigured release (#215)
  • 6d91f9a build(deps): release-it from 19.2.4 to 20.0.0-1 (#214)
  • 226d168 build(deps): bump basic-ftp from 5.2.0 to 5.2.1 (#213)
  • ee083c9 chore(deps): lock file maintenance (#212)
  • 55e4993 build(deps): bump lodash from 4.17.21 to 4.18.1 (#211)
  • 1a6dee9 chore(deps): update pnpm/action-setup action to v5 (#210)
  • 8625a57 chore(deps): update jdx/mise-action action to v4 (#209)
  • 9072213 chore(deps): update all non-major dependencies (#207)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for cosmiconfig-typescript-loader since your current version.


Updates express-rate-limit from 8.3.2 to 8.4.1

Release notes

Sourced from express-rate-limit's releases.

v8.4.1

You can view the changelog here.

v8.4.0

You can view the changelog here.

Commits

Updates ora from 9.3.0 to 9.4.0

Release notes

Sourced from ora's releases.

v9.4.0

  • Add successSymbol and failSymbol options to oraPromise 3d2e0a9

sindresorhus/ora@v9.3.0...v9.4.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the prod-dependencies group across 1 directory with…
57bb03d 
… 4 updates

Bumps the prod-dependencies group with 4 updates in the / directory: [@github/copilot-sdk](https://github.com/github/copilot-sdk), [cosmiconfig-typescript-loader](https://github.com/Codex-/cosmiconfig-typescript-loader), [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) and [ora](https://github.com/sindresorhus/ora).


Updates `@github/copilot-sdk` from 0.1.23 to 0.3.0
- [Release notes](https://github.com/github/copilot-sdk/releases)
- [Changelog](https://github.com/github/copilot-sdk/blob/main/CHANGELOG.md)
- [Commits](github/copilot-sdk@v0.1.23...v0.3.0)

Updates `cosmiconfig-typescript-loader` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/Codex-/cosmiconfig-typescript-loader/releases)
- [Changelog](https://github.com/Codex-/cosmiconfig-typescript-loader/blob/main/CHANGELOG.md)
- [Commits](Codex-/cosmiconfig-typescript-loader@6.2.0...6.3.0)

Updates `express-rate-limit` from 8.3.2 to 8.4.1
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v8.3.2...v8.4.1)

Updates `ora` from 9.3.0 to 9.4.0
- [Release notes](https://github.com/sindresorhus/ora/releases)
- [Commits](sindresorhus/ora@v9.3.0...v9.4.0)

---
updated-dependencies:
- dependency-name: "@github/copilot-sdk"
  dependency-version: 0.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: cosmiconfig-typescript-loader
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: express-rate-limit
  dependency-version: 8.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: ora
  dependency-version: 9.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 28, 2026
@dependabot @github

dependabot Bot commented on behalf of github May 5, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this May 5, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/prod-dependencies-a21915c580 branch May 5, 2026 00:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants