deps(deps): Bump the "dependencies" group with 3 updates across multiple ecosystems

[dependabot]

Bumps the dependencies group with 7 updates:

Package	From	To
actions/upload-artifact	4.3.6	7.0.1
actions/download-artifact	4.1.8	8.0.1
peaceiris/actions-gh-pages	4.0.0	4.1.0
benchmark-action/github-action-benchmark	1.22.0	1.22.1
actions/labeler	6.0.1	6.1.0
github/codeql-action	4.35.3	4.35.4
actions/dependency-review-action	4.9.0	5.0.0

Updates actions/upload-artifact from 4.3.6 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in actions/upload-artifact#719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in actions/upload-artifact#744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

... (truncated)

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
• e516bc8 docs: correct description of Node.js 24 support in README
• Additional commits viewable in compare view

Updates actions/download-artifact from 4.1.8 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in actions/download-artifact#471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in actions/download-artifact#472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in actions/download-artifact#460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/download-artifact#440
• Download Artifact Node24 support by @​salmanmkc in actions/download-artifact#415
• fix: update @​actions/artifact to fix Node.js 24 punycode deprecation by @​salmanmkc in actions/download-artifact#451
• prepare release v7.0.0 for Node.js 24 support by @​salmanmkc in actions/download-artifact#452

... (truncated)

Commits

• 3e5f45b Add regression tests for CJK characters (#471)
• e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
• 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
• f258da9 Add change docs
• ccc058e Fix linting issues
• bd7976b Add a setting to specify what to do on hash mismatch and default it to error
• ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
• 15999bf Add note about package bumps
• 974686e Bump the version to v8 and add release notes
• fbe48b1 Update test names to make it clearer what they do
• Additional commits viewable in compare view

Updates peaceiris/actions-gh-pages from 4.0.0 to 4.1.0

Release notes

Sourced from peaceiris/actions-gh-pages's releases.

actions-github-pages v4.1.0

See CHANGELOG.md for more details.

What's Changed

• Actions examples: update to modern versions of actions by @​clintonsteiner in peaceiris/actions-gh-pages#1117
• chore: update Node runtime and dependencies by @​peaceiris in peaceiris/actions-gh-pages#1147
• ci: harden GitHub Actions workflows by @​peaceiris in peaceiris/actions-gh-pages#1156

New Contributors

• @​clintonsteiner made their first contribution in peaceiris/actions-gh-pages#1117

Full Changelog: peaceiris/actions-gh-pages@v4.0.0...v4.1.0

Changelog

Sourced from peaceiris/actions-gh-pages's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

4.1.0 (2026-05-12)

chore

• add .codex/ (94ae2d2)
• add hasInstallScript true (494ec9b)
• update Node runtime and dependencies (#1147) (954f6bf), closes #1147

ci

• change automerge to false (4b09552)
• harden GitHub Actions workflows (#1156) (aa0466c), closes #1156

docs

• add repository guidelines (a1f94b5)
• bump to v4 from v3 (a16b61f)
• fix note style (0b7567f)
• update versions of actions (#1117) (aa83d0c), closes #1117

4.0.0 (2024-04-08)

build

• node 20.11.1 (5049354)

chore

• bump node16 to node20 (#1067) (4eb285e), closes #1067
• downgrade engines.npm to 8.0.0 (87231bc)

ci

• pin node-version to 18 (#981) (65ebf11), closes #981

docs

• add Release Strategy (67f80d9)
• fix link to Nuxt github-pages (#980) (88b4d2a), closes #980
• remove braces in if conditions (#920) (0fbd122), closes #920

... (truncated)

Commits

• 84c30a8 chore(release): 4.1.0
• 6fa0f50 chore(release): Add build assets
• 3b7506a chore(deps): update dependency trim-newlines to v5 (#1158)
• aa0466c ci: harden GitHub Actions workflows (#1156)
• 31835fb chore(deps): update actions/labeler action to v6 (#1153)
• f4f1bc4 chore(deps): update peaceiris/actions-mdbook action to v2 (#1161)
• a5e4979 chore(deps): update dependency ubuntu to v24 (#1159)
• 6cc3bac chore(deps): update github/codeql-action action to v4 (#1160)
• 0d6e9f4 chore(deps): update actions/setup-node action to v6 (#1154)
• d70c101 chore(deps): update actions/upload-artifact action to v7 (#1155)
• Additional commits viewable in compare view

Updates benchmark-action/github-action-benchmark from 1.22.0 to 1.22.1

Release notes

Sourced from benchmark-action/github-action-benchmark's releases.

v1.22.1

• fix scope tsconfig.build.json to src/ for reproducibility (#352)
• chore bump minimatch from 3.1.2 to 3.1.5 (#347)
• chore bump uuid and @​actions/core (#350)
• chore bump flatted from 3.2.4 to 3.4.2 (#346)
• chore bump js-yaml (#344)
• chore bump picomatch from 2.3.0 to 2.3.2 (#342)

Full Changelog: benchmark-action/github-action-benchmark@v1.22.0...v1.22.1

Changelog

Sourced from benchmark-action/github-action-benchmark's changelog.

Unreleased

v1.22.1 - 6 May 2026

• fix scope tsconfig.build.json to src/ for reproducibility (#352)
• chore bump minimatch from 3.1.2 to 3.1.5 (#347)
• chore bump uuid and @​actions/core (#350)
• chore bump flatted from 3.2.4 to 3.4.2 (#346)
• chore bump js-yaml (#344)
• chore bump picomatch from 2.3.0 to 2.3.2 (#342)

v1.22.0 - 31 Mar 2026

• chore bump node to 24 (#339)

v1.21.0 - 02 Mar 2026

• fix include package name for duplicate bench names (#330)
• fix avoid duplicate package suffix in Go benchmarks (#337)

v1.20.7 - 06 Sep 2025

• fix improve parsing for custom benchmarks (#323)

v1.20.5 - 02 Sep 2025

• feat allow to parse generic cargo bench/criterion units (#280)
• fix add summary even when failure threshold is surpassed (#285)
• fix time units are not normalized (#318)

v1.20.4 - 23 Oct 2024

• feat add typings and validation workflow (#257)

v1.20.3 - 19 May 2024

• fix Catch2 v.3.5.0 changed output format (#247)

v1.20.2 - 19 May 2024

• fix Support sub-nanosecond precision on Cargo benchmarks (#246)

v1.20.1 - 02 Apr 2024

• fix release script

v1.20.0 - 02 Apr 2024

• fix Rust benchmarks not comparing to baseline (#235)
• feat Comment on PR and auto update comment (#223)

... (truncated)

Commits

• 52576c9 release v1.22.1
• See full diff in compare view

Updates actions/labeler from 6.0.1 to 6.1.0

Release notes

Sourced from actions/labeler's releases.

v6.1.0

Enhancements

• Add changed-files-labels-limit and max-files-changed configuration options to cap the number of labels added by @​bluca in actions/labeler#923

Bug Fixes

• Improve Labeler Action documentation and permission error handling by @​chiranjib-swain in actions/labeler#897
• Preserve manually added labels during workflow runs and refine label synchronization logic by @​chiranjib-swain in actions/labeler#917

Dependency Updates

• Upgrade brace-expansion from 1.1.11 to 1.1.12 and document breaking changes in v6 by @​dependabot in actions/labeler#877
• Upgrade minimatch from 10.0.1 to 10.2.3 by @​dependabot in actions/labeler#926
• Upgrade dependencies (@​actions/core, @​actions/github, js-yaml, minimatch, @​typescript-eslint) by @​Copilot in actions/labeler#934

New Contributors

• @​chiranjib-swain made their first contribution in actions/labeler#897
• @​bluca made their first contribution in actions/labeler#923
• @​Copilot made their first contribution in actions/labeler#934

Full Changelog: actions/labeler@v6...v6.1.0

Commits

• f27b608 chore: upgrade dependencies (@​actions/core, @​actions/github, js-yaml, minimat...
• c5dadc2 Add 'changed-files-labels-limit' and 'max-files-changed' configs to allow cap...
• e52e4fb Bump minimatch from 10.0.1 to 10.2.3 (#926)
• 77a4082 Fix: Preserve manually added labels during workflow run and refine label sync...
• 25abb3c Improve Labeler Action Documentation and Error Handling for Permissions (#897)
• 395c8cf Bump brace-expansion from 1.1.11 to 1.1.12 and document breaking changes in v...
• See full diff in compare view

Updates github/codeql-action from 4.35.3 to 4.35.4

Release notes

Sourced from github/codeql-action's releases.

v4.35.4

• Update default CodeQL bundle version to 2.25.4. #3881

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

• Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

... (truncated)

Commits

• 68bde55 Merge pull request #3885 from github/update-v4.35.4-803d9e8c3
• 9739ad2 Update changelog for v4.35.4
• 803d9e8 Merge pull request #3883 from github/mbg/test/macro-wrapper
• 0fd9c7d Merge pull request #3882 from github/dependabot/github_actions/dot-github/wor...
• 922d6fb Use makeMacro instead of test.macro
• df77e87 Update test macro snippet
• 6e3f985 Add wrapper for test.macro
• e7a347d Merge pull request #3881 from github/update-bundle/codeql-bundle-v2.25.4
• 17eabb2 Rebuild
• aaef09c Bump ruby/setup-ruby
• Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.9.0 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in actions/dependency-review-action#1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in actions/dependency-review-action#1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in actions/dependency-review-action#1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in actions/dependency-review-action#1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in actions/dependency-review-action#1076
• Resolve security findings by @​AshelyTC in actions/dependency-review-action#1094
• v5.0.0 release branch by @​ahpook in actions/dependency-review-action#1098

New Contributors

• @​scottschreckengaust made their first contribution in actions/dependency-review-action#1084
• @​mongolyy made their first contribution in actions/dependency-review-action#1091
• @​Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits

• a1d282b Merge pull request #1098 from actions/ahpook/v5-release
• eb6c199 update examples to show @​v5
• 3943c2c v5.0.0 release branch
• 454943c Merge pull request #1094 from actions/ashelytc/security-findings
• 6d92a12 revert @​typescript-eslint/parser update
• a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
• b6b7079 update @​typescript-eslint/parser to 8.40.0
• 821a21d update more dependencies
• 05aaaae run npm audit fix
• 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
• Additional commits viewable in compare view

Bumps the dependencies group with 2 updates: @typescript-eslint/eslint-plugin and typescript-eslint.

Updates @typescript-eslint/eslint-plugin from 8.59.2 to 8.59.3

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.3

8.59.3 (2026-05-11)

This was a version bump only, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.3 (2026-05-11)

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 48e13c0 chore(release): publish 8.59.3
• e26dc80 docs: update stale links to latest (#12313)
• 44f9625 chore(deps): update vitest monorepo to v4.1.5 (#12307)
• See full diff in compare view

Updates typescript-eslint from 8.59.2 to 8.59.3

Release notes

Sourced from typescript-eslint's releases.

v8.59.3

8.59.3 (2026-05-11)

This was a version bump only, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.59.3 (2026-05-11)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 48e13c0 chore(release): publish 8.59.3
• 44f9625 chore(deps): update vitest monorepo to v4.1.5 (#12307)
• See full diff in compare view

Updates the requirements on requests to permit the latest version.
Updates requests to 2.34.0

Release notes

Sourced from requests's releases.

v2.34.0

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
• Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

New Contributors

• @​cjriches made their first contribution in psf/requests#7365
• @​dsanader made their first contribution in psf/requests#7376
• @​DimitriPapadopoulos made their first contribution in psf/requests#7393
• @​joshua-51 made their first contribution in psf/requests#7416
• @​eggsort made their first contribution in psf/requests#7421
• @​typhon8 made their first contribution in psf/requests#7315
• @​bastimeyer made their first contribution in psf/requests#7425

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2340-2026-05-11

Changelog

Sourced from requests's changelog.

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
• Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file

... (truncated)

Commits

• 0b401c7 v2.34.0
• 86b378d Align Session.get parameters with requests.get (#7429)
• a4f9a59 Port bpo-39057 to Requests (#7427)
• 3816cfa Parameterize SupportsItems to handle Mapping key invariance (#7426)
• b684dcb sessions: fix hooks type (#7425)
• dc9dbdf Formalize 3.15 support (#7422)