chore(deps-dev): bump sinon from 21.1.2 to 22.0.0

[dependabot]

Bumps sinon from 21.1.2 to 22.0.0.

Changelog

Sourced from sinon's changelog.

22.0.0

• ed911df5 Update Ruby gems (Carl-Erik Kopseng)
• 75a1e5b8 Update to Node 26 (Carl-Erik Kopseng)
• 197d6608 Update documentation on faking timers to reflect the current state of fake-timers (Carl-Erik Kopseng)
• c5ddf80b Update fake-timers@15.4: includes new Temporal API (Carl-Erik Kopseng)
• f4ab02f6 Update updatable packages (Carl-Erik Kopseng)
• 0536afc8 Quality: Global mutable call id can grow unbounded across long-lived processes (#2691) (tuanaiseo)

  • refactor: global mutable call id can grow unbounded across l

  callId is module-scoped and incremented on every invocation. In long-running test runners or embedded usage, this can grow indefinitely and eventually lose integer precision semantics for strict ordering comparisons.

  Affected files: proxy-invoke.js

  Signed-off-by: tuanaiseo 221258316+tuanaiseo@users.noreply.github.com

  • Wrap around for all values that are too high

  ---

  Signed-off-by: tuanaiseo 221258316+tuanaiseo@users.noreply.github.com Co-authored-by: Carl-Erik Kopseng carlerik@gmail.com

• f4f7d93b Perform additional cleanup when calling callThrough() (#2670) (Cyrille)
• 6199e9e4 improve GitHubworkflows by introducing zizmor for monitoring (#2686) (Till!)

  • fix(workflows): fetch-depth is for actions/checkout
  • chore(workflows): update

  • pin all actions to precise commits
  • avoid credential leakage from actions/checkout
  • group action updates going forward
  • add zimor config to ignore "secrets outside env"
  • add job to keep validating workflows

• f7476b59 Use path.normalize() for path normalization (Carl-Erik Kopseng)
• 2c975393 fix: make build and node test scripts cross-platform (laplace young)
• a7692917 fix: isolate walk state from Object prototype (laplace young)
• 66df977a Fix sinon.restore() cascade-restoring sub-sandboxes (#2704) (Charlie Leitheiser)

  The ESM port of createApi (#2683, shipped in 21.1.0) replaced createSandbox: createSandbox with a wrapper that pushes every newly-created sandbox into the root sandbox's fake collection:

... (truncated)

Commits

• 52555af 22.0.0
• ed911df Update Ruby gems
• 75a1e5b Update to Node 26
• 197d660 Update documentation on faking timers to reflect the current state of fake-ti...
• c5ddf80 Update fake-timers@15.4: includes new Temporal API
• f4ab02f Update updatable packages
• 0536afc Quality: Global mutable call id can grow unbounded across long-lived processe...
• f4f7d93 Perform additional cleanup when calling callThrough() (#2670)
• 6199e9e improve GitHubworkflows by introducing zizmor for monitoring (#2686)
• 1519009 Merge #2703: isolate walk state from Object prototype
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[mroderick]

Dependency Upgrade Review: sinon v21.1.2 → v22.0.0

PR Scope

Dependency-only — only package.json and package-lock.json modified.

Changes in sinon 22.0.0

16 commits since v21.1.2. Key changes (sinon changelog):

• Internal diff dependency bumped from v8.0.4 → v9.0.0 (sinon's internal dep)
• fake-timers updated to 15.4 (adds Temporal API support)
• Bug fixes: walk() no longer touches __proto__, fix for sinon.restore() cascading into sub-sandboxes
• CI updated to Node 26
• Various internal/CI improvements

No explicit API-level breaking changes documented for consumer-facing APIs.

Usage in Repository

Sinon is used in one test file (test/features/health.test.js) using three basic APIs:

• sinon.fake.throws(...) — create fakes that throw
• sinon.fake.returns(...) — create fakes that return values
• sinon.fake.rejects(...) — create fakes that reject promises

No usage of: stub, spy, mock, useFakeTimers, createSandbox, restore, match, assert, or any diff-related functionality.

Compatibility Assessment

Compatible — All three APIs used are fundamental, long-stable sinon.fake methods. None of the changes in 22.0.0 affect these. The diff v9 upgrade is internal to sinon.

Test Coverage

99 tests currently pass. The sinon-dependent tests cover health endpoint error handling flows. Good coverage for the code paths using sinon.

Confidence Rating

High — trivial API surface, no breaking changes touching used features.

[mroderick]

Approved. See analysis comment above.