Bump dependencies

[compulim]

Changelog Entry

Changed

• Bumped dependencies, by @compulim in PR #5385, PR #5400, PR #5426, PR #5427, PR #5476, PR #5516, PR #5529, PR #5532, and PR #5659
  • Production dependencies
    • @babel/runtime@7.28.4
    • @emotion/css@11.13.5
    • @redux-devtools/extension@3.3.0
    • botframework-directlinejs@0.15.6
    • core-js@3.47.0
    • core-js-pure@3.47.0
    • event-as-promise@2.0.0
    • globalize@1.7.1
    • iter-fest@0.3.0
    • katex@0.16.27
    • mdast-util-from-markdown@2.0.2
    • merge-refs@2.0.0
    • micromark@4.0.2
    • micromark-extension-gfm@3.0.0
    • micromark-util-character@2.1.1
    • micromark-util-sanitize-uri@2.0.1
    • mime@4.1.0
    • punycode@2.3.1
    • react-chain-of-responsibility@0.4.2
    • react-dictate-button@4.0.0
    • react-film@4.0.0
    • react-say@2.2.0
    • react-scroll-to-bottom@4.2.1-main.53844f5
    • react-wrap-with@0.1.0
    • redux-saga@1.4.2
    • sanitize-html@2.17.0
    • shiki@2.5.0
    • use-propagate@0.2.1
    • use-reduce-memo@0.1.0
    • use-ref-from@0.1.0
    • use-state-with-ref@0.1.0
    • uuid@8.3.2
    • valibot@1.2.0
    • web-speech-cognitive-services@8.1.3
  • Development dependencies
    • @babel/cli@7.28.3
    • @babel/core@7.28.5
    • @babel/plugin-transform-runtime@7.28.5
    • @babel/plugin-transform-typescript@7.28.5
    • @babel/preset-env@7.28.5
    • @babel/preset-react@7.28.5
    • @babel/preset-typescript@7.28.5
    • @biomejs/biome@2.3.10
    • @happy-dom/jest-environment@20.0.11
    • @jridgewell/sourcemap-codec@1.5.5
    • @testduet/given-when-then@0.1.0
    • @tsconfig/strictest@2.0.8
    • @types/dom-speech-recognition@0.0.7
    • @types/jest@29.5.14
    • @types/mdast@4.0.4
    • @types/node@25.0.3
    • @types/react@16.14.68
    • @types/react@18.3.27
    • @types/react-dom@16.9.25
    • @types/react-dom@18.3.7
    • @types/react-is@16.7.5
    • @types/semver@7.7.1
    • @types/use-sync-external-store@1.5.0
    • @types/uuid@8.3.4
    • @typescript-eslint/eslint-plugin@8.50.0
    • @typescript-eslint/parser@8.50.0
    • adaptivecards@3.0.2
    • adm-zip@0.5.16
    • axe-core@4.11.0
    • babel-jest@29.7.0
    • babel-plugin-istanbul@7.0.1
    • base64-js@1.5.1
    • bent@7.3.12
    • chalk@5.6.2
    • compression@1.8.1
    • concurrently@9.2.1
    • core-js@3.47.0
    • core-js-pure@3.47.0
    • cross-env@10.1.0
    • diff@8.0.2
    • dotenv@17.2.3
    • dtsroll@1.4.1
    • esbuild@0.27.2
    • eslint@8.57.1
    • eslint-config-prettier@10.1.8
    • eslint-plugin-import@2.32.0
    • eslint-plugin-local-rules@3.0.2
    • eslint-plugin-prettier@5.5.4
    • eslint-plugin-react@7.37.5
    • eslint-plugin-react-hooks@7.0.1
    • eslint-plugin-security@3.0.1
    • express@5.2.1
    • glob@8.1.0
    • handler-chain@0.1.1
    • html-react-parser@5.2.10
    • http-proxy-middleware@2.0.9
    • husky@9.1.7
    • jest@29.7.0
    • jest-environment-node@29.7.0
    • jest-image-snapshot@6.5.1
    • keep-a-changelog@2.7.1
    • lint-staged@16.2.7
    • micromark-util-types@2.0.2
    • microsoft-cognitiveservices-speech-sdk@1.17.0
    • microsoft-cognitiveservices-speech-sdk@1.47.0
    • minimatch@10.1.1
    • nodemon@3.1.11
    • nopt@9.0.0
    • prettier@3.7.4
    • progress@2.0.3
    • q@1.5.1
    • react@16.8.6
    • react@18.3.1
    • react-dom@16.8.6
    • react-dom@18.3.1
    • react-is@16.13.1
    • read-package-up@12.0.0
    • read-pkg@10.0.0
    • selenium-webdriver@4.39.0
    • selfsigned@5.2.0
    • serve@14.2.5
    • serve-handler@6.1.6
    • simple-git@3.30.0
    • tsd@0.33.0
    • tsup@8.5.1
    • type-fest@5.3.1
    • typescript@5.9.3
    • typescript-plugin-css-modules@5.2.0
    • unplugin-lightningcss@0.4.3
    • webpack@5.104.1
    • webpack-cli@6.0.1

Description

Bump dependencies.

Design

Pull request validation bumping to Node.js 24

We no longer see Jest errors which forced us to pin to Node.js 18. We are bumping to 24.

Moving to Microsoft Container Registry

We have a security requirement to use images from mcr.microsoft.com. However, MCR does not mirror official Node.js image > 18.

When bumping selfsigned, it seems it need a newer version of Node.js that support Web Crypto.

If we are right, we need to bump to a newer Node.js. As MCR don't mirror official image > 18, we have to use images by MCR. In this PR, we are using 24-bookworm.

Happy DOM configuration

After bumping happy-dom, it starts throwing error when <script> is injected. The error said the JS file is not being downloaded, which is the right behavior. The JS file is not intended to be downloaded or executed.

We are setting the window.happyDOM.settings.handleDisabledFileLoadingAsSuccess = true to remove the error.

selfsigned updated its signature

generate() function is now async generate().

Disabling some React rules

# The rule is preventing read access to refs inside the render loop.
# For optimization, we are heavy on ref usage.
react-hooks/refs: off

# This rule does not understand validateProps and falsely claim validateProps is causing mutations.
react-hooks/preserve-manual-memoization: off

package-lock.json does not contains cross-platform packages

Node.js 24 requires package-lock.json must list cross-platform packages.

We run npm install under Node.js 24 and obtained that package-lock.json snapshot. We did not rebuild package-lock.json as it contains a lot of historical value.

Specific Changes

• Remove pin dependencies on typescript@~5.8.3
• Run npm run bump
• Fixed some tests (refer to Design section)
• Format PULL_REQUEST_TEMPLATE.md

• I have added tests and executed them locally
• I have updated CHANGELOG.md
• I have updated documentation

Review Checklist

This section is for contributors to review your work.

• Accessibility reviewed (tab order, content readability, alt text, color contrast)
• Browser and platform compatibilities reviewed
• CSS styles reviewed (minimal rules, no z-index)
• Documents reviewed (docs, samples, live demo)
• Internationalization reviewed (strings, unit formatting)
• package.json and package-lock.json reviewed
• Security reviewed (no data URIs, check for nonce leak)
• Tests reviewed (coverage, legitimacy)