Bump express, typescript, re2, @types/react in pnpm verification test resources

[JamieMagee]

Bumps dependencies in both pnpm v5 and v6 verification test fixtures:

• express 4.17.2 -> 4.22.1
• typescript 4.5.5 -> 4.9.5
• @types/react 17.0.38 -> 17.0.91
• re2 1.17.3 -> 1.23.3

Same dep updates as the npm PR, applied to the pnpm lockfiles.

[Copilot]

Pull request overview

This PR updates dependencies in pnpm verification test fixtures for both pnpm v5 and v6. The changes ensure that the test resources use newer versions of several npm packages, which helps maintain test relevance and ensures the component detection tooling correctly handles updated dependency graphs.

Changes:

• Updated 4 dependencies to newer versions: express (4.17.2 → 4.22.1), typescript (4.5.5 → 4.9.5), @types/react (17.0.38 → 17.0.91), and re2 (1.17.3 → 1.23.3)
• Regenerated pnpm lockfiles for both v5 and v6 formats with corresponding transitive dependency updates

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

File	Description
test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v5/package.json	Updated dependency versions in package.json for pnpm v5 test fixture
test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v5/pnpm-lock.yaml	Regenerated lockfile (format 5.4) with updated dependencies and transitive dependencies
test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v6/package.json	Updated dependency versions in package.json for pnpm v6 test fixture
test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v6/pnpm-lock.yaml	Regenerated lockfile (format 6.1) with updated dependencies and transitive dependencies

Files not reviewed (2)

• test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v5/pnpm-lock.yaml: Language not supported
• test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v6/pnpm-lock.yaml: Language not supported

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.8%. Comparing base (2ecde67) to head (fbac6fd).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files

@@          Coverage Diff          @@
##            main   #1665   +/-   ##
=====================================
  Coverage   90.8%   90.8%           
=====================================
  Files        451     451           
  Lines      40148   40148           
  Branches    2443    2443           
=====================================
  Hits       36461   36461           
  Misses      3188    3188           
  Partials     499     499           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

• The detector detects more or fewer components than before
• The detector generates different parent/child graph relationships than before
• The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂

[JamieMagee]

The snapshot verification failure is expected.

The snapshot-verify workflow downloads the baseline scan output from main (built against the old lockfiles) and compares it to a fresh scan of this PR's updated lockfiles. Since we bumped express, typescript, @types/react, and re2, the transitive dependency trees changed significantly — so the detected component sets no longer match.

Specifically:

• ~35 packages disappeared from the old dependency trees: @gar/promisify, @npmcli/move-file, aggregate-error, are-we-there-yet, delegates, gauge, humanize-ms, indent-string, inflight, npmlog, once, rimraf, wrappy, etc. These were transitive deps of older express/re2/node-gyp versions.

• ~25 new packages appeared: @isaacs/fs-minipass, @npmcli/agent, call-bind-apply-helpers, dunder-proto, es-errors, es-object-atoms, fdir, get-intrinsic, gopd, hasown, picomatch, proc-log, side-channel, tinyglobby, etc. These come from the updated dependency trees.

• Many packages changed versions: accepts 1.3.7→1.3.8, body-parser 1.19.1→1.20.4, cookie 0.4.1→0.7.2, depd 1.1.2→2.0.0, statuses 1.5.0→2.0.2, and so on.

The CheckManifestFiles_ExcludingExperimentalDetectors test catches all of this, and CheckDetectorsRunTimesAndCounts likely flags the different component count too.

This is the same situation as the yarn (#1667), maven (#1661), and nuget (#1663) resource bumps. Once merged, snapshot-publish runs on main and publishes a new baseline that includes these updated lockfiles.