build(deps): bump @github/copilot and @github/copilot-sdk in /tests

[dependabot]

Bumps @github/copilot to 1.0.45 and updates ancestor dependency @github/copilot-sdk. These dependencies need to be updated together.

Updates @github/copilot from 0.0.399 to 1.0.45

Release notes

Sourced from @​github/copilot's releases.

1.0.45

2026-05-11

• Add /autopilot slash command to toggle between interactive and autopilot modes
• Fall back to Windows PowerShell (powershell.exe) when PowerShell 7+ (pwsh) is not available on Windows
• OpenTelemetry output aligns with GenAI semantic conventions: MCP tool calls now use standard tool_call spans, and a new gen_ai.client.operation.duration metric tracks tool execution time
• Sessions with extension permission prompts can be resumed without a "Session file is corrupted" error
• agentStop hook now fires correctly when the agent stops via task_complete
• CLI starts faster on terminals with limited OSC color query support, shaving up to ~1.5s off startup time.
• Add /fork command to fork the current session into a new independent session

1.0.44

2026-05-08

• Path completion in /add-dir no longer flickers or gets intercepted by @ and # pickers
• Slash commands can now appear mid-input, and multiple skills can be invoked in a single message
• userPromptSubmitted hooks can now handle requests directly, bypassing the LLM and returning a response without making a model call
• Faster /user list and /user switch for multi-account users
• Add optional prerelease argument to copilot update and /update to fetch the latest prerelease build
• Shell commands via ! prefix work correctly with all shell configurations
• Shell aliases and rc file settings now work in ! commands
• Quota display correctly shows remaining usage for Free users instead of always showing 100% used
• Tool permissions granted in autopilot mode are preserved after /clear
• Effort level applies correctly when switching models via the /model picker
• Pressing Ctrl+C while a permission prompt is pending no longer causes the CLI to hang
• Project info remains visible in slash command picker when no results match
• Invalid URL entries in settings.json no longer crash CLI startup and are skipped with a warning
• Timeline shows the resolved model for rubber-duck sub-agents (e.g. Rubber-duck(claude-opus-4.7))

1.0.44-3

Added

• userPromptSubmitted hooks can now handle requests directly, bypassing the LLM and returning a response without making a model call

Improved

• Faster /user list and /user switch for multi-account users

1.0.44-2

Added

• Add optional prerelease argument to copilot update and /update to fetch the latest prerelease build

Fixed

• Shell commands via ! prefix work correctly with all shell configurations

1.0.44-1

Improved

• Shell aliases and rc file settings now work in ! commands

1.0.44-0

Improved

• Timeline shows the resolved model for rubber-duck sub-agents (e.g. Rubber-duck(claude-opus-4.7))

... (truncated)

Changelog

Sourced from @​github/copilot's changelog.

1.0.45 - 2026-05-11

• Add /autopilot slash command to toggle between interactive and autopilot modes
• Fall back to Windows PowerShell (powershell.exe) when PowerShell 7+ (pwsh) is not available on Windows
• OpenTelemetry output aligns with GenAI semantic conventions: MCP tool calls now use standard tool_call spans, and a new gen_ai.client.operation.duration metric tracks tool execution time
• Sessions with extension permission prompts can be resumed without a "Session file is corrupted" error
• agentStop hook now fires correctly when the agent stops via task_complete
• CLI starts faster on terminals with limited OSC color query support, shaving up to ~1.5s off startup time.
• Add /fork command to fork the current session into a new independent session

1.0.44 - 2026-05-08

• Path completion in /add-dir no longer flickers or gets intercepted by @ and # pickers
• Slash commands can now appear mid-input, and multiple skills can be invoked in a single message
• userPromptSubmitted hooks can now handle requests directly, bypassing the LLM and returning a response without making a model call
• Faster /user list and /user switch for multi-account users
• Add optional prerelease argument to copilot update and /update to fetch the latest prerelease build
• Shell commands via ! prefix work correctly with all shell configurations
• Shell aliases and rc file settings now work in ! commands
• Quota display correctly shows remaining usage for Free users instead of always showing 100% used
• Tool permissions granted in autopilot mode are preserved after /clear
• Effort level applies correctly when switching models via the /model picker
• Pressing Ctrl+C while a permission prompt is pending no longer causes the CLI to hang
• Project info remains visible in slash command picker when no results match
• Invalid URL entries in settings.json no longer crash CLI startup and are skipped with a warning
• Timeline shows the resolved model for rubber-duck sub-agents (e.g. Rubber-duck(claude-opus-4.7))

1.0.43 - 2026-05-06

• Add username toggle to /statusline picker to display the active account in the footer
• Auto mode uses server-side model routing for improved real-time model selection
• Resume prompt shows correct session name when multiple sessions are active
• Protect against RCE from malicious bare repositories nested inside a project
• MCP server child processes (e.g. started via npx or uvx) are now fully terminated when a session ends
• Show download progress when running the update command

1.0.42 - 2026-05-06

• MCP server failure warning now suggests a directly runnable /mcp show command when the server name contains whitespace
• MCP server failure warnings include stderr output to help diagnose connection errors
• Add -C flag to change working directory before starting, similar to git -C
• Exit message resume command shows session ID instead of auto-generated name when session has not been renamed
• Remote session export now supports non-GitHub repositories and repo-less directories
• Resuming a session no longer shows a false "session in use" warning after choosing "Go back"
• Enter key no longer gets permanently stuck after cancelling a request
• Suppress the exit summary when the session has no user messages and no saved session to resume
• CLI updates on Windows no longer fail with ENOENT when a transient EPERM occurs during package extraction
• Add rubber-duck agent for GPT sessions, powered by Claude (available in /experimental)

1.0.41 - 2026-05-05

... (truncated)

Commits

• 41b4018 Update changelog.md for version 1.0.44
• bee20d0 Update changelog.md for version 1.0.43
• 5ab6de6 Update changelog.md for version 1.0.42
• ac346d1 Update changelog.md for version 1.0.41
• cc85e32 Update changelog.md for version 1.0.40
• cb0ddf8 Update changelog.md for version 1.0.39
• 4e5cb95 Update changelog.md for version 1.0.37
• 6d1c577 Update changelog.md for version 1.0.36
• d7a0581 Update changelog.md for version 1.0.35
• 6594437 Update changelog.md for version 1.0.34
• Additional commits viewable in compare view

Updates @github/copilot-sdk from 0.1.25 to 0.1.32

Release notes

Sourced from @​github/copilot-sdk's releases.

v0.1.32

Feature: backward compatibility with v2 CLI servers

SDK applications written against the v3 API now also work when connected to a v2 CLI server, with no code changes required.

Generated by Release Changelog Generator

Generated by Release Changelog Generator

v0.1.31

Feature: strongly-typed PermissionRequestResultKind for .NET and Go

Rather than comparing result.Kind against undiscoverable magic strings like "approved" or "denied-interactively-by-user", .NET and Go now provide typed constants. Node and Python already had typed unions for this; this brings full parity. (#631)

session.OnPermissionCompleted += (e) => {
    if (e.Result.Kind == PermissionRequestResultKind.Approved) { /* ... */ }
    if (e.Result.Kind == PermissionRequestResultKind.DeniedInteractivelyByUser) { /* ... */ }
};

// Go: PermissionKindApproved, PermissionKindDeniedByRules,
//     PermissionKindDeniedCouldNotRequestFromUser, PermissionKindDeniedInteractivelyByUser
if result.Kind == copilot.PermissionKindApproved { /* ... */ }

Other changes

• feature: [Python] [Go] add get_last_session_id() / GetLastSessionID() for SDK-wide parity (was already available in Node and .NET) (#671)
• improvement: [Python] add timeout parameter to generated RPC methods, allowing callers to override the default 30s timeout for long-running operations (#681)
• bugfix: [Go] PermissionRequest fields are now properly typed (ToolName, Diff, Path, etc.) instead of a generic Extra map[string]any catch-all (#685)

Generated by Release Changelog Generator

v0.1.30

Feature: support overriding built-in tools

Applications can now override built-in tools such as grep, edit_file, or read_file. To do this, register a custom tool with the same name and set the override flag. Without the flag, the runtime will return an error if the name clashes with a built-in. (#636)

import { defineTool } from "`@github/copilot-sdk`";
const session = await client.createSession({
tools: [defineTool("grep", {
overridesBuiltInTool: true,
</tr></table>

... (truncated)

Changelog

Sourced from @​github/copilot-sdk's changelog.

v0.1.32 (2026-03-07)

Feature: backward compatibility with v2 CLI servers

SDK applications written against the v3 API now also work when connected to a v2 CLI server, with no code changes required. The SDK detects the server's protocol version and automatically adapts v2 tool.call and permission.request messages into the same user-facing handlers used by v3. (#706)

const session = await client.createSession({
  tools: [myTool],           // unchanged — works with v2 and v3 servers
  onPermissionRequest: approveAll,
});

var session = await client.CreateSessionAsync(new SessionConfig {
    Tools = [myTool],          // unchanged — works with v2 and v3 servers
    OnPermissionRequest = approveAll,
});

v0.1.31 (2026-03-07)

Feature: multi-client tool and permission broadcasts (protocol v3)

The SDK now uses protocol version 3, where the runtime broadcasts external_tool.requested and permission.requested as session events to all connected clients. This enables multi-client architectures where different clients contribute different tools, or where multiple clients observe the same permission prompts — if one client approves, all clients see the result. Your existing tool and permission handler code is unchanged. (#686)

// Two clients each register different tools; the agent can use both
const session1 = await client1.createSession({
  tools: [defineTool("search", { handler: doSearch })],
  onPermissionRequest: approveAll,
});
const session2 = await client2.resumeSession(session1.id, {
  tools: [defineTool("analyze", { handler: doAnalyze })],
  onPermissionRequest: approveAll,
});

var session1 = await client1.CreateSessionAsync(new SessionConfig {
    Tools = [AIFunctionFactory.Create(DoSearch, "search")],
    OnPermissionRequest = PermissionHandlers.ApproveAll,
});
var session2 = await client2.ResumeSessionAsync(session1.Id, new ResumeSessionConfig {
    Tools = [AIFunctionFactory.Create(DoAnalyze, "analyze")],
    OnPermissionRequest = PermissionHandlers.ApproveAll,
});

Feature: strongly-typed PermissionRequestResultKind for .NET and Go

... (truncated)

Commits

• 396e8b3 Add v2 protocol backward compatibility adapters (#706)
• 1653812 Handle tool and permission broadcasts via event model (protocol v3) (#686)
• 4e1499d docs: clarify session destroy vs delete semantics (#599)
• 4246289 Go: remove hand-written PermissionRequest that conflicts with generated type ...
• 5b4a6ec Update @​github/copilot to 0.0.421 (#684)
• 2951807 Improve .NET SDK build infrastructure and documentation (#643)
• 207b85b fix(python): add timeout parameter to generated RPC methods (#681)
• 87a54de chore: rename runtime-fix-needed label to runtime
• b49e5d8 fix: remove add-comment from runtime triage to prevent code leaks
• c13dbba fix: trigger runtime triage workflow on label instead of issue open
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.