deps(deps): bump the production-minor-patch group with 5 updates #16

dependabot · 2026-02-02T10:18:52Z

Bumps the production-minor-patch group with 5 updates:

Package	From	To
@github/copilot-sdk	`0.1.18`	`0.1.20`
@primer/react	`38.7.1`	`38.9.0`
next	`16.1.5`	`16.1.6`
react	`19.2.3`	`19.2.4`
react-dom	`19.2.3`	`19.2.4`

Updates @github/copilot-sdk from 0.1.18 to 0.1.20

Release notes

Sourced from @github/copilot-sdk's releases.

v0.1.20

What's Changed

Fixes #227 - Premium requests consumed while running py dev test by @vivganes in github/copilot-sdk#228

Bump githubnext/gh-aw from 0.37.13 to 0.37.31 by @dependabot[bot] in github/copilot-sdk#240

Consistently use Dataclasses in Python SDK by @Copilot in github/copilot-sdk#216

Fix .NET CLI server mode code samples - add missing UseStdio = false by @Copilot in github/copilot-sdk#232

Configure Copilot agent environment to match devcontainer by @Copilot in github/copilot-sdk#236

Add provider info to docs by @patniko in github/copilot-sdk#257

Fix formatting and update README structure by @doggy8088 in github/copilot-sdk#258

Update docs to reflect you need version for Azure Foundry by @patniko in github/copilot-sdk#260

Optimize CI: Split into separate workflows with native path filtering by @Copilot in github/copilot-sdk#259

Add githubToken and useLoggedInUser options to all SDK clients by @friggeri in github/copilot-sdk#237

feat: add hooks and user input handlers to all SDKs with e2e tests by @friggeri in github/copilot-sdk#269

Add lsp config for dotnet. by @jmoseley in github/copilot-sdk#234

docs: add hooks, user input, and auth options to SDK READMEs by @friggeri in github/copilot-sdk#270

Add paths-ignore filters to SDK test workflows by @Copilot in github/copilot-sdk#271

feat(nodejs): add typed event filtering to session.on() by @friggeri in github/copilot-sdk#272

Add dependabot monitoring for npm, pip, gomod, and nuget by @Copilot in github/copilot-sdk#273

New Contributors

@vivganes made their first contribution in github/copilot-sdk#228

Full Changelog: github/copilot-sdk@v0.1.19...v0.1.20

v0.1.19

What's Changed

Fix BYOK FAQ: clarify it refers to API keys, not encryption keys by @mohamedaminehamdi in github/copilot-sdk#174

Include community SDKs in README by @brunoborges in github/copilot-sdk#178

docs: add MCP server usage documentation by @AnassKartit in github/copilot-sdk#98

Add download badges to README by @Copilot in github/copilot-sdk#156

docs: add .NET example for interactive weather assistant by @vicperdana in github/copilot-sdk#119

chore: Update generated events to match schemas. by @jmoseley in github/copilot-sdk#208

Add ListSessions and DeleteSession methods to Go SDK by @Copilot in github/copilot-sdk#213

Remove samples directory, link to awesome-copilot resources by @Copilot in github/copilot-sdk#210

Hide StreamJsonRpc implementation detail behind IOException by @Copilot in github/copilot-sdk#202

Simplify Node.js example by @SteveSandersonMS in github/copilot-sdk#221

Bump actions/download-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in github/copilot-sdk#65

Bump actions/checkout from 5.0.1 to 6.0.1 by @dependabot[bot] in github/copilot-sdk#67

New Contributors

@mohamedaminehamdi made their first contribution in github/copilot-sdk#174

@brunoborges made their first contribution in github/copilot-sdk#178

@AnassKartit made their first contribution in github/copilot-sdk#98

@vicperdana made their first contribution in github/copilot-sdk#119

Full Changelog: github/copilot-sdk@v0.1.18...v0.1.19

Commits

ccb7d5f Add dependabot monitoring for npm, pip, gomod, and nuget (#273)
0b004e0 feat(nodejs): add typed event filtering to session.on() (#272)
828cec1 Add paths-ignore filters to SDK test workflows (#271)
a124990 docs: add hooks, user input, and auth options to SDK READMEs (#270)
a76dffc Add lsp config for dotnet. (#234)
2fa6a92 feat: add hooks and user input handlers to all SDKs with e2e tests (#269)
2fe7352 Add githubToken and useLoggedInUser options to all SDK clients (#237)
fc9b54e Optimize CI: Split into separate workflows with native path filtering (#259)
ea2a69a Update docs to reflect you need version for Azure Foundry (#260)
d8f3425 Fix formatting and update README structure (#258)
Additional commits viewable in compare view

Updates @primer/react from 38.7.1 to 38.9.0

Release notes

Sourced from @primer/react's releases.

@primer/react@38.9.0

Permalink to Storybook

Minor Changes

#7472 661d16f Thanks @copilot-swe-agent! - StateLabel: Add alert status variants (alertOpened, alertFixed, alertClosed, alertDismissed) with corresponding shield icons for displaying security alert states

Patch Changes

#7471 df4bd30 Thanks @llastflowers! - Add breakpoint to shrink gutter around dialog on very small screen heights

#7468 731fb71 Thanks @jonrohan! - feat(ActionList): Optimizes CSS selector performance in ActionList by replacing expensive universal selectors (*) and broad :has() queries with targeted class selectors.

@primer/react@38.8.0

Minor Changes

#7455 a86c183 Thanks @HiroAgustin! - Remove ConfirmationDialog custom renders to ensure visual parity with Dialog

#7438 160c1c4 Thanks @francinelucca! - feat: make Spinner's delay customizable

#7436 9a4e46c Thanks @TylerJDev! - FilteredActionList: Adds new prop scrollBehavior to allow customization of scroll behavior

#7448 838859d Thanks @francinelucca! - feat(SkeletonBox): add customizable delay

Patch Changes

#7451 0fc4523 Thanks @daantosaurus! - UnderlineNav.Item: Fix layout issues when children contain React elements by extracting only direct text content for the data-content attribute.

Commits

4477fbe Release tracking (#7479)
bdd2637 chore(deps): bump next from 16.0.10 to 16.1.5 (#7480)
4299b4d chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#7474)
d28ed60 chore(deps-dev): bump lodash-es from 4.17.21 to 4.17.23 (#7465)
f248787 chore(deps): bump lodash from 4.17.21 to 4.17.23 (#7466)
661d16f Add Alert status variant to StateLabel component (#7472)
de6f3b2 chore(deps): bump changesets/action from 1.5.3 to 1.6.0 (#7473)
032eac6 chore(deps-dev): bump the eslint group across 1 directory with 4 updates (#7476)
df4bd30 Shrink gutter around dialog on very small screen heights (#7471)
7fdea6f chore(deps): bump the rollup group with 2 updates (#7442)
Additional commits viewable in compare view

Updates next from 16.1.5 to 16.1.6

Release notes

Sourced from next's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

Upgrade to swc 54 (#88207)

implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)

tweak LRU sentinel key (#89123)

Credits

Huge thanks to @mischnic, @wyattjoh, and @ztanner for helping!

Commits

adf8c61 v16.1.6
098c0c0 [backport][ci] Make gh auth status optional when triggering a release (#89100)
a43df32 Backport/docs fixes jan 25 16.1.x (#89124)
d6d5734 tweak LRU sentinel cache key (#89123)
4324698 backport: implement LRU cache with invocation ID scoping for minimal mode res...
23c4649 [backport] Upgrade to swc 54 (#88207) (#89103)
See full diff in compare view

Updates react from 19.2.3 to 19.2.4

Release notes

Sourced from react's releases.

19.2.4 (January 26th, 2026)

React Server Components

Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @gnoff, @lubieowoce, @sebmarkbage, @unstubbable)

Commits

90ab3f8 Version 19.2.4
See full diff in compare view

Updates react-dom from 19.2.3 to 19.2.4

Release notes

Sourced from react-dom's releases.

19.2.4 (January 26th, 2026)

React Server Components

Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @gnoff, @lubieowoce, @sebmarkbage, @unstubbable)

Commits

90ab3f8 Version 19.2.4
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the production-minor-patch group with 5 updates: | Package | From | To | | --- | --- | --- | | [@github/copilot-sdk](https://github.com/github/copilot-sdk) | `0.1.18` | `0.1.20` | | [@primer/react](https://github.com/primer/react) | `38.7.1` | `38.9.0` | | [next](https://github.com/vercel/next.js) | `16.1.5` | `16.1.6` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.3` | `19.2.4` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.3` | `19.2.4` | Updates `@github/copilot-sdk` from 0.1.18 to 0.1.20 - [Release notes](https://github.com/github/copilot-sdk/releases) - [Commits](github/copilot-sdk@v0.1.18...v0.1.20) Updates `@primer/react` from 38.7.1 to 38.9.0 - [Release notes](https://github.com/primer/react/releases) - [Commits](https://github.com/primer/react/compare/@primer/react@38.7.1...@primer/react@38.9.0) Updates `next` from 16.1.5 to 16.1.6 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.1.5...v16.1.6) Updates `react` from 19.2.3 to 19.2.4 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.4/packages/react) Updates `react-dom` from 19.2.3 to 19.2.4 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.4/packages/react-dom) --- updated-dependencies: - dependency-name: "@github/copilot-sdk" dependency-version: 0.1.20 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-minor-patch - dependency-name: "@primer/react" dependency-version: 38.9.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: production-minor-patch - dependency-name: next dependency-version: 16.1.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-minor-patch - dependency-name: react dependency-version: 19.2.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-minor-patch - dependency-name: react-dom dependency-version: 19.2.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-02-02T10:18:53Z

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions · 2026-02-02T10:19:06Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
❌ 7 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
✅ 0 package(s) with unknown licenses.

See the Details below.

License Issues

package-lock.json

Package	Version	License	Issue Type
@github/copilot	0.0.399	LicenseRef-bad-see-license-in-license.md	Incompatible License
@github/copilot-darwin-arm64	0.0.399	LicenseRef-bad-see-license-in-license.md	Incompatible License
@github/copilot-darwin-x64	0.0.399	LicenseRef-bad-see-license-in-license.md	Incompatible License
@github/copilot-linux-arm64	0.0.399	LicenseRef-bad-see-license-in-license.md	Incompatible License
@github/copilot-linux-x64	0.0.399	LicenseRef-bad-see-license-in-license.md	Incompatible License
@github/copilot-win32-arm64	0.0.399	LicenseRef-bad-see-license-in-license.md	Incompatible License
@github/copilot-win32-x64	0.0.399	LicenseRef-bad-see-license-in-license.md	Incompatible License

Allowed Licenses:
MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD

OpenSSF Scorecard

Scorecard details

Package

Version

Score

Details

npm/@github/copilot

0.0.399

Unknown

npm/@github/copilot-darwin-arm64

0.0.399

Unknown

npm/@github/copilot-darwin-x64

0.0.399

Unknown

npm/@github/copilot-linux-arm64

0.0.399

Unknown

npm/@github/copilot-linux-x64

0.0.399

Unknown

npm/@github/copilot-sdk

0.1.20

Unknown

npm/@github/copilot-win32-arm64

0.0.399

Unknown

npm/@github/copilot-win32-x64

0.0.399

Unknown

npm/@next/env

16.1.6

🟢 5.3

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	266 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed

npm/@next/swc-darwin-arm64

16.1.6

🟢 5.3

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	266 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed

npm/@next/swc-darwin-x64

16.1.6

🟢 5.3

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	266 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed

npm/@next/swc-linux-arm64-gnu

16.1.6

🟢 5.3

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	266 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed

npm/@next/swc-linux-arm64-musl

16.1.6

🟢 5.3

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	266 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed

npm/@next/swc-linux-x64-gnu

16.1.6

🟢 5.3

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	266 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed

npm/@next/swc-linux-x64-musl

16.1.6

🟢 5.3

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	266 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed

npm/@next/swc-win32-arm64-msvc

16.1.6

🟢 5.3

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	266 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed

npm/@next/swc-win32-x64-msvc

16.1.6

🟢 5.3

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	266 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed

npm/@primer/react

38.9.0

Unknown

npm/@types/react

19.2.10

🟢 6.8

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 7	Found 23/29 approved changesets -- score normalized to 7
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/next

16.1.6

🟢 5.3

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	⚠️ 0	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	266 existing vulnerabilities detected
Fuzzing	🟢 10	project is fuzzed

npm/react

19.2.4

🟢 5.7

Details

Check	Score	Reason
Code-Review	🟢 7	Found 22/30 approved changesets -- score normalized to 7
Security-Policy	🟢 10	security policy file detected
Maintained	🟢 10	30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 2	badge detected: InProgress
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Binary-Artifacts	🟢 9	binaries present in source code
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	244 existing vulnerabilities detected

npm/react-dom

19.2.4

🟢 5.7

Details

Check	Score	Reason
Code-Review	🟢 7	Found 22/30 approved changesets -- score normalized to 7
Security-Policy	🟢 10	security policy file detected
Maintained	🟢 10	30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 2	badge detected: InProgress
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Binary-Artifacts	🟢 9	binaries present in source code
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	244 existing vulnerabilities detected

Scanned Files

package-lock.json

dependabot bot added the dependencies label Feb 2, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deps(deps): bump the production-minor-patch group with 5 updates #16

deps(deps): bump the production-minor-patch group with 5 updates #16

Uh oh!

dependabot bot commented on behalf of github Feb 2, 2026 •

edited

Loading

Uh oh!

dependabot bot commented on behalf of github Feb 2, 2026

Uh oh!

github-actions bot commented Feb 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

deps(deps): bump the production-minor-patch group with 5 updates #16

Are you sure you want to change the base?

deps(deps): bump the production-minor-patch group with 5 updates #16

Uh oh!

Conversation

dependabot bot commented on behalf of github Feb 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v0.1.20

What's Changed

New Contributors

v0.1.19

What's Changed

New Contributors

@​primer/react@​38.9.0

Minor Changes

Patch Changes

@​primer/react@​38.8.0

Minor Changes

Patch Changes

v16.1.6

Core Changes

Credits

19.2.4 (January 26th, 2026)

React Server Components

19.2.4 (January 26th, 2026)

React Server Components

Uh oh!

dependabot bot commented on behalf of github Feb 2, 2026

Labels

Uh oh!

github-actions bot commented Feb 2, 2026

Dependency Review

License Issues

package-lock.json

OpenSSF Scorecard

Scanned Files

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Feb 2, 2026 •

edited

Loading

`@primer/react@38`.9.0

`@primer/react@38`.8.0