Bump @microsoft/applicationinsights-web from 3.3.11 to 3.4.1

[dependabot]

Bumps @microsoft/applicationinsights-web from 3.3.11 to 3.4.1.

Release notes

Sourced from @​microsoft/applicationinsights-web's releases.

3.4.1

This is the first full supported release of the 3.4.x version line. While a 3.4.0-beta was previously released for early testing and validation, version 3.4.0 was not released as a standard supported version — 3.4.1 is the first production-ready release in this series. The @microsoft/1ds-post-js channel is numbered 4.4.1 and requires v3.4.1.

Significant Changes (since 3.3.11)

The following are the significant changes since the previous full release (3.3.11). Some of these changes were previously included in the 3.4.0-beta release.

• W3C Trace State Support: Added full support for managing W3C Trace State and sending headers in distributed tracing, including new distributed tracing modes AI_AND_W3C_TRACE and W3C_TRACE that enable the tracestate header to be sent with requests when trace state information is available, the existing states will continue to not send the header.

• New Distributed Tracing Modes: Added new eDistributedTracingModes enum values:

  • AI_AND_W3C_TRACE (17): Sends Application Insights headers + W3C traceparent + W3C tracestate headers (if state value is present)
  • W3C_TRACE (18): Sends only W3C traceparent + W3C tracestate headers (if state value is present)

• Enhanced Distributed Tracing: Refactored the distributed tracing implementation to provide better support for the W3C Trace Context specification and prepare for future OpenTelemetry Span-style API integration.

• New W3C TraceState API: Introduced the IW3cTraceState interface that provides a mutable, ordered list of key/value pairs for trace state information with proper parent-child relationships.

• OpenTelemetry Integration Preparation: Added foundational OpenTelemetry interfaces (IOTelSpanContext, IOTelTraceState) to provide OpenTelemetry API compatibility.

• Additional Configuration: Added new configuration properties for W3C trace state support:

  • traceHdrMode: Controls if the SDK should look for the traceparent and/or tracestate values from service timing headers or meta tags from the initial page load (in IConfiguration)
  • Enhanced distributedTracingMode property to support the new W3C trace state modes (in ICorrelationConfig)

• Dependencies Extension: The dependency tracking extension now includes additional logic for W3C trace state handling, which may affect custom dependency listeners or initializers. The following interfaces and functions have been enhanced with W3C trace state support:

  • IDependencyListenerDetails interface now also includes a readonly traceState along with the previous traceId, spanId, traceFlags properties
  • addDependencyListener() function now provides access to W3C trace state information through the enhanced details object
  • addDependencyInitializer() function continues to work with existing dependency telemetry processing
  • Custom dependency listeners can now access and modify W3C trace state information before requests are sent

• Enhanced Cookie Management: Cookie values are now cached in memory when cookies are disabled instead of being lost, enabling support for consent banner workflows where cookies must be temporarily disabled until user approval. Automatic flushing occurs when cookies are re-enabled.

• OsPlugin Reliability Improvements: Improved OsPlugin with proactive OS retrieval, unload handling, and session caching for more reliable OS detection.

• URL Redaction Enhancements: Made URL redaction more dynamic for improved flexibility in field redaction scenarios.

Package Deprecation

The following packages have been merged into @microsoft/applicationinsights-core-js and are now deprecated. They continue to be published as backward-compatible shims (re-exporting from Core) so existing code will not break, but they are no longer used as dependencies by the main SDK packages. You should stop importing from these packages and migrate to @microsoft/applicationinsights-core-js directly.

• @microsoft/applicationinsights-common — All exports have been merged into @microsoft/applicationinsights-core-js. The package is now a compatibility shim that re-exports from Core. See the Migration Guide for details on updating your imports. This package will be removed in a future major release (4.0.0).

• @microsoft/1ds-core-js — All exports have been merged into @microsoft/applicationinsights-core-js. The package is now a compatibility shim that re-exports from Core. See the 1DS Core Migration Guide for class/import name changes and migration steps. Consumers should update their imports to reference @microsoft/applicationinsights-core-js directly. This package will be removed in a future major release (4.0.0).

Breaking Changes

The following is a list of known breaking changes for anyone attempting to implement the interfaces, for end-users / consumers of the existing interface this is considered to be only a potential breaking change as the existing functions are still provided and provide the same level of functionality. The breaking nature of these changes is for anyone attempting to provide their own implementation of these changes.

Interface Changes

• The IDistributedTraceContext interface has been significantly expanded to include W3C trace state management capabilities, which may affect custom telemetry processors that interact with distributed tracing context.

... (truncated)

Changelog

Sourced from @​microsoft/applicationinsights-web's changelog.

3.4.1 (April 7th, 2026)

This is the first full supported release of the 3.4.x version line. While a 3.4.0-beta was previously released for early testing and validation, version 3.4.0 was not released as a standard supported version — 3.4.1 is the first production-ready release in this series. The @microsoft/1ds-post-js channel is numbered 4.4.1 and requires v3.4.1.

Commits

• 2d5271b [Release] Increase version to 3.4.1 (#2720)
• dd66e91 Improve OsPlugin reliability: proactive OS retrieval, unload handling, and se...
• a598f47 Address issue with the AppInsightsExtCore using the wrong version number (#2718)
• 847c292 Make URL Redaction more dynamic (#2716)
• 2a15b82 [Main] Merge 1ds-core-js into applicationinsights-core-ts (#2712)
• 37eec11 [Main] Merge Trace API Features from Beta (#2710)
• 73d40dc Bump: @​microsoft/rush to 5.169.3 (#2709)
• b6de144 Enable compression in CDN config (#2701)
• 6185620 chore: Update Component versions and remove vulnerable dependency usage (#2700)
• a137ab6 Update vulnerable dependencies (#2692)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, frontend. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@microsoft/applicationinsights-analytics-js	3.4.1	🟢 6.8	Details Check Score Reason Maintained 🟢 10 22 commit(s) out of 30 and 13 issue activity out of 30 found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all last 30 commits are reviewed through GitHub CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Packaging ⚠️ -1 no published package detected License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 9 binaries present in source code Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@microsoft/applicationinsights-cfgsync-js	3.4.1	🟢 6.8	Details Check Score Reason Maintained 🟢 10 22 commit(s) out of 30 and 13 issue activity out of 30 found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all last 30 commits are reviewed through GitHub CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Packaging ⚠️ -1 no published package detected License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 9 binaries present in source code Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@microsoft/applicationinsights-channel-js	3.4.1	🟢 6.8	Details Check Score Reason Maintained 🟢 10 22 commit(s) out of 30 and 13 issue activity out of 30 found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all last 30 commits are reviewed through GitHub CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Packaging ⚠️ -1 no published package detected License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 9 binaries present in source code Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@microsoft/applicationinsights-core-js	3.4.1	🟢 6.8	Details Check Score Reason Maintained 🟢 10 22 commit(s) out of 30 and 13 issue activity out of 30 found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all last 30 commits are reviewed through GitHub CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Packaging ⚠️ -1 no published package detected License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 9 binaries present in source code Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@microsoft/applicationinsights-dependencies-js	3.4.1	🟢 6.8	Details Check Score Reason Maintained 🟢 10 22 commit(s) out of 30 and 13 issue activity out of 30 found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all last 30 commits are reviewed through GitHub CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Packaging ⚠️ -1 no published package detected License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 9 binaries present in source code Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@microsoft/applicationinsights-properties-js	3.4.1	🟢 6.8	Details Check Score Reason Maintained 🟢 10 22 commit(s) out of 30 and 13 issue activity out of 30 found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all last 30 commits are reviewed through GitHub CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Packaging ⚠️ -1 no published package detected License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 9 binaries present in source code Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@microsoft/applicationinsights-web	3.4.1	🟢 6.8	Details Check Score Reason Maintained 🟢 10 22 commit(s) out of 30 and 13 issue activity out of 30 found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all last 30 commits are reviewed through GitHub CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Packaging ⚠️ -1 no published package detected License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 9 binaries present in source code Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ 0 project is not fuzzed

Scanned Files

• package-lock.json