build(deps): bump the production-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the production-dependencies group with 5 updates in the / directory:

Package	From	To
@github/copilot-sdk	0.2.0	0.2.2
@inquirer/prompts	8.3.2	8.4.1
ink	6.8.0	7.0.0
react	19.2.4	19.2.5
simple-git	3.33.0	3.36.0

Updates @github/copilot-sdk from 0.2.0 to 0.2.2

Release notes

Sourced from @​github/copilot-sdk's releases.

v0.2.2

Feature: session filesystem support across all four SDKs

The sessionFs feature introduced earlier in Node.js is now available across .NET, Go, and Python too, so you can redirect session-scoped storage (events, checkpoints, temp files, workspace state) to your own backing store instead of the runtime's default local filesystem. This is especially useful for serverless and multi-tenant hosts. (#1036)

// TypeScript
const client = new CopilotClient({
  sessionFs: { initialCwd: "/", sessionStatePath: "/s", conventions: "posix" },
});
const session = await client.createSession({
createSessionFsHandler: () => ({ readFile: async () => "...", writeFile: async () => { /* ... / }, / ... */ })
});

// C#
var client = new CopilotClient(new CopilotClientOptions {
    SessionFs = new()
    {
        InitialCwd = "/",
        SessionStatePath = "/",
        Conventions = SessionFsSetProviderRequestConventions.Posix
    }
});
var session = await client.CreateSessionAsync(new SessionConfig
{
CreateSessionFsHandler = _ => new MySessionFsHandler(/* ... */) // e.g., map to in-memory storage, etc
});

For a full end-to-end sample of a multi-user hosted system using sessionFs, see https://github.com/github/copilot-sdk-server-sample

Feature: override model capabilities when creating a session or switching models

All SDKs can now override individual model capabilities such as vision support without replacing the full capabilities object. This makes BYOK and custom-provider scenarios easier, and lets you change behavior mid-session with setModel/SetModelAsync. (#1029)

const session = await client.createSession({
  modelCapabilities: { supports: { vision: false } },
});
await session.setModel("claude-sonnet-4.5", { modelCapabilities: { supports: { vision: true } } });

await session.SetModelAsync("claude-sonnet-4.5", reasoningEffort: null,
    modelCapabilities: new ModelCapabilitiesOverride { Supports = new ModelCapabilitiesOverrideSupports { Vision = true } });

... (truncated)

Changelog

Sourced from @​github/copilot-sdk's changelog.

v0.2.2 (2026-04-10)

Feature: enableConfigDiscovery for automatic MCP and skill config loading

Set enableConfigDiscovery: true when creating a session to let the runtime automatically discover MCP server configurations (.mcp.json, .vscode/mcp.json) and skill directories from the working directory. Discovered settings are merged with any explicitly provided values; explicit values take precedence on name collision. (#1044)

const session = await client.createSession({
  enableConfigDiscovery: true,
});

var session = await client.CreateSessionAsync(new SessionConfig {
    EnableConfigDiscovery = true,
});

• Python: await client.create_session(enable_config_discovery=True)
• Go: client.CreateSession(ctx, &copilot.SessionConfig{EnableConfigDiscovery: ptr(true)})

v0.2.1 (2026-04-03)

Feature: commands and UI elicitation across all four SDKs

Register slash commands that CLI users can invoke and drive interactive input dialogs from any SDK language. This feature was previously Node.js-only; it now ships in Python, Go, and .NET as well. (#906, #908, #960)

const session = await client.createSession({
  onPermissionRequest: approveAll,
  commands: [{
    name: "summarize",
    description: "Summarize the conversation",
    handler: async (context) => { /* ... */ },
  }],
  onElicitationRequest: async (context) => {
    if (context.type === "confirm") return { action: "confirm" };
  },
});
// Drive dialogs from the session
const confirmed = await session.ui.confirm({ message: "Proceed?" });
const choice = await session.ui.select({ message: "Pick one", options: ["A", "B"] });

var session = await client.CreateSessionAsync(new SessionConfig {
    OnPermissionRequest = PermissionHandler.ApproveAll,
    Commands = [
        new CommandDefinition {
</tr></table> 

... (truncated)

Commits

• 6029b37 Expose enableConfigDiscovery in all SDK languages (#1044)
• e0a9028 [go] jsonrpc2 cleanup (#949)
• 9351e26 Update @​github/copilot to 1.0.21 (#1039)
• 9ef0dac Go codegen: per-event-type data structs (#1037)
• 8569d92 Add session fs support across SDKs (#1036)
• b4fa5d9 Resolve .NET E2E race conditions in cancellation and multi-client tests (#1034)
• 6565a3b Delete .vscode/mcp.json (#1033)
• 6c98c85 fix: tolerate unknown hook types in .NET and Go SDKs (#1013)
• 0388810 Revise README for Java SDK repository details (#973)
• dfdc6a0 Add modelCapabilities override to all SDK languages (#1029)
• Additional commits viewable in compare view

Updates @inquirer/prompts from 8.3.2 to 8.4.1

Release notes

Sourced from @​inquirer/prompts's releases.

@​inquirer/prompts@​8.4.1

• Improve expand prompt type inferrence.

@​inquirer/prompts@​8.4.0

• Feat: Added a loading message while validating editor prompt input.
• Type improvement: Better type inference with checkbox, search and expand prompts.
• Fix: editor prompt not always properly handling editor path on windows.

Commits

• 979b130 chore: Publish new release
• 61368c5 fix(@​inquirer/expand): infer Value type from name-only choices (#2075)
• e68fe01 chore: Publish new release
• d05d285 chore: Bump remaining dependencies
• 1ea1abf chore(deps-dev): Bump turbo from 2.8.21 to 2.9.4 in the build group (#2074)
• 7caa3b3 chore(deps-dev): Bump the linting group with 3 updates (#2073)
• e7e0a9f feat(lint): adopt oxlint type-aware linting
• 3e26b49 fix(@​inquirer/checkbox,search,expand): fix Value type inference (#2072)
• 5142a9b chore(deps): Bump vite from 8.0.3 to 8.0.5 (#2071)
• b78ac38 refactor(@​inquirer/external-editor): modernize code style and Promise-based A...
• Additional commits viewable in compare view

Updates ink from 6.8.0 to 7.0.0

Release notes

Sourced from ink's releases.

v7.0.0

Breaking

• Require Node.js 22 19b5316
• Require React 19.2+ cfaebbb
  • Ink now uses useEffectEvent internally to avoid re-subscribing input handlers on every render
• Pressing Backspace now correctly sets key.backspace instead of key.delete (#634) 321a2e8
  • Most terminals send the same byte for Backspace as the Delete key, which caused Ink to misreport it. If you were checking key.delete to handle backspace, switch to key.backspace
• key.meta is no longer set to true when Escape is pressed e195912
  • Previously a backward-compat shim made plain Escape set both key.escape and key.meta. Now only key.escape is true. key.meta is reserved for actual Alt/Meta modifier combinations

New

• Add usePaste hook for handling clipboard paste events fbbeb23
  • Automatically enables bracketed paste mode so pasted text arrives as a single string, never misinterpreted as individual key presses by useInput
• Add useWindowSize hook 7047795
  • Returns {columns, rows} and re-renders automatically on terminal resize
• Add useBoxMetrics hook for measuring box dimensions at runtime (#433) 88731d1
• Add useAnimation hook for built-in animation support (#142) ada019c
  • Provides a frame counter that increments at a configurable interval, with pause/resume support and automatic cleanup on unmount
• Add alternateScreen option to render() (#263) 5a60eb9
  • Renders into the terminal's alternate screen buffer (like vim or less), restoring the previous terminal content on exit
• Add interactive option to render() (#888) 02490f6
  • Override automatic interactive-mode detection for environments where the built-in heuristic doesn't fit
• Add activeId to useFocusManager() (#661) eb2f470
  • Returns the ID of the currently focused component, or undefined if nothing is focused
• Add borderBackgroundColor (and per-side variants) to <Box> (#906) d3c6d14
  • Set a background color on borders independently from the box content background
• Add wrap="hard" to <Text> (#925) 2b1e3a6
  • Fills each line to the full column width, breaking words mid-word as needed
• Add maxWidth and maxHeight props to <Box> (#713) 9291794
• Add aspectRatio, alignContent, position="static", and top/right/bottom/left layout props to <Box> c2f4b86
• Kitty keyboard protocol: query all terminals in auto mode instead of a hardcoded allowlist (#895) 3e672b5

Fixes

• Fix incremental rendering for trailing newline (#910) c32da0b
• Fix useInput crash on unmapped key codes (#902) 969a4f1
• Fix CJK text truncation exceeding <Box> width b5f3e3a
• Fix splitting wide characters (emoji, CJK) when overlapping writes occur (#930) 06d53f4
• Fix dangling staticNode reference (#905) 0dc4dfa

---

Migration guide

key.backspace vs key.delete

// Before — physical backspace was reported as key.delete
</tr></table> 

... (truncated)

Commits

• fb14d81 7.0.0
• 993f693 Update dependencies
• 2b1e3a6 Add wrap="hard" option to Text component (#925)
• 7c34548 Fix tests
• cfaebbb Use useEffectEvent in useInput and usePaste to avoid per-render re-subs...
• e195912 Stop setting key.meta to true when Escape is pressed
• d3c6d14 Add border background color support for Box component (#906)
• 931eba2 Fix build output and add tests (#932)
• ada019c Add useAnimation hook for built-in animation support
• 10136e6 Remove option field from keypress parser, merge Alt into meta
• Additional commits viewable in compare view

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates simple-git from 3.33.0 to 3.36.0

Release notes

Sourced from simple-git's releases.

simple-git@3.36.0

Minor Changes

• 89a2294: Extend known exploitable configuration keys and per-task environment variables.

  Note - ParsedVulnerabilities from argv-parser is removed in favour of a readonly array of Vulnerability to match usage in simple-git, rolled into the new vulnerabilityCheck for simpler access to the identified issues.

  Thanks to @​zebbern for identifying the need to block core.fsmonitor. Thanks to @​kodareef5 for identifying the need to block GIT_CONFIG_COUNT environment variables and --template / merge related config.

Patch Changes

• 1ad57e8: Remove conflicting node:buffer import
• Updated dependencies [89a2294]
• Updated dependencies [675570a]
  • @​simple-git/argv-parser@​1.1.0
  • @​simple-git/args-pathspec@​1.0.3

simple-git@3.35.2

Patch Changes

• 0cf9d8c: Improvements for mono-repo publishing pipeline
• Updated dependencies [0cf9d8c]
  • @​simple-git/args-pathspec@​1.0.2
  • @​simple-git/argv-parser@​1.0.3

simple-git@3.35.1

Patch Changes

• 0de400e: Update monorepo version handling during publish
• Updated dependencies [0de400e]
  • @​simple-git/argv-parser@​1.0.2

Changelog

Sourced from simple-git's changelog.

3.36.0

Minor Changes

• 89a2294: Extend known exploitable configuration keys and per-task environment variables.

  Note - ParsedVulnerabilities from argv-parser is removed in favour of a readonly array of Vulnerability to match usage in simple-git, rolled into the new vulnerabilityCheck for simpler access to the identified issues.

  Thanks to @​zebbern for identifying the need to block core.fsmonitor. Thanks to @​kodareef5 for identifying the need to block GIT_CONFIG_COUNT environment variables and --template / merge related config.

Patch Changes

• 1ad57e8: Remove conflicting node:buffer import
• Updated dependencies [89a2294]
• Updated dependencies [675570a]
  • @​simple-git/argv-parser@​1.1.0
  • @​simple-git/args-pathspec@​1.0.3

3.35.2

Patch Changes

• 0cf9d8c: Improvements for mono-repo publishing pipeline
• Updated dependencies [0cf9d8c]
  • @​simple-git/args-pathspec@​1.0.2
  • @​simple-git/argv-parser@​1.0.3

3.35.1

Patch Changes

• 0de400e: Update monorepo version handling during publish
• Updated dependencies [0de400e]
  • @​simple-git/argv-parser@​1.0.2

3.35.0

Minor Changes

• 3d8708b: Updating publish config

Patch Changes

• Updated dependencies [3d8708b]
  • @​simple-git/args-pathspec@​1.0.1
  • @​simple-git/argv-parser@​1.0.1

3.34.0

... (truncated)

Commits

• 7dc1a53 Version Packages
• 76f5376 Merge pull request #1061 from Vinzent03/fix/buffer-import
• 89a2294 Environment Parsing (#1156)
• 1b91b76 fix: remove explicit node:buffer import
• e390685 Version Packages
• 3c9e4b8 Pin version of @​simple-git/args-pathspec
• 94ee21f Export pathspec types through simple-git for backward compatibility
• 6d7cb51 Version Packages
• 0de400e Switch to semver from workspace revisions
• 2264722 Version Packages
• Additional commits viewable in compare view

[Copilot]

Pull request overview

This PR updates several production Node.js dependencies (including a major ink upgrade) and aligns the project’s runtime/build expectations around Node.js 22.

Changes:

• Bump dependencies in package-lock.json (notably @github/copilot-sdk, @inquirer/prompts, ink, react, simple-git), and update package.json to use ink@^7.
• Move build output targeting and repository engine requirements to Node 22 (tsup target + package.json engines).
• Update CI to test only on Node 22 and add an actionlint config to ignore an auto-generated workflow.

Show a summary per file

File	Description
tsup.config.ts	Updates build target to node22 to match the new runtime baseline.
package.json	Upgrades ink and declares Node >=22 engines requirement.
package-lock.json	Refreshes locked dependency versions for the requested bumps.
.github/workflows/ci.yml	Drops Node 20 from the test matrix (Node 22 only).
.github/actionlint.yaml	Configures actionlint to ignore an auto-generated workflow file.

Copilot's findings

Comments suppressed due to low confidence (1)

.github/workflows/ci.yml:98

• CI removes Node 20 from the test matrix, effectively dropping Node 20 support. Please ensure repository docs and build notes that currently reference Node 20/22 (eg, AGENTS.md, CONTRIBUTING.md, CHANGELOG.md) are updated to reflect the new Node >=22 requirement so contributors don’t follow outdated guidance.

    strategy:
      fail-fast: false
      matrix:
        node: [22]
        os: [ubuntu-latest]
        include:
          - node: 22
            os: windows-latest

• Files reviewed: 4/5 changed files
• Comments generated: 1

[Copilot]

Copilot's findings

• Files reviewed: 3/4 changed files
• Comments generated: 1