chore(deps): bump the dependencies group across 1 directory with 35 updates

[dependabot]

Bumps the dependencies group with 35 updates in the / directory:

Package	From	To
@biomejs/biome	2.3.11	2.4.16
@changesets/changelog-github	0.5.2	0.7.0
@changesets/cli	2.29.8	2.31.0
turbo	2.7.5	2.9.16
fumadocs-core	16.4.8	16.9.3
fumadocs-mdx	14.2.6	14.3.2
fumadocs-ui	16.4.8	16.9.3
lucide-react	0.563.0	0.577.0
next	16.2.1	16.2.6
react	19.1.0	19.2.6
@types/react	19.1.8	19.2.15
react-dom	19.2.4	19.2.6
tailwind-merge	3.4.0	3.6.0
@tailwindcss/postcss	4.1.18	4.3.0
@types/node	22.15.29	22.19.19
postcss	8.5.6	8.5.15
tailwindcss	4.1.18	4.3.0
defu	6.1.4	6.1.7
zod	4.3.5	4.4.3
vitest	4.0.17	4.1.7
@clack/prompts	1.0.0	1.5.0
c12	3.3.3	3.3.4
dotenv	17.2.3	17.4.2
prettier	3.8.1	3.8.3
@babel/core	7.29.0	7.29.7
@babel/preset-react	7.28.5	7.29.7
@babel/preset-typescript	7.28.5	7.29.7
drizzle-orm	0.45.1	0.45.2
jiti	2.6.1	2.7.0
tsx	4.21.0	4.22.3
stripe	14.0.0	14.25.0
better-auth	1.4.18	1.6.12
nuqs	2.8.7	2.8.9
postgres	3.4.8	3.4.9
drizzle-kit	0.31.8	0.31.10

Updates @biomejs/biome from 2.3.11 to 2.4.16

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.16

2.4.16

Patch Changes

• #10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #10358 05c2617 Thanks @​dyc3! - Fixed #10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #10300 950247c Thanks @​dyc3! - Fixed #10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #10425 1948b72 Thanks @​sjh9714! - Fixed #10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #10442 001f94f Thanks @​ematipico! - Fixed #10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.16

Patch Changes

• #10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #10358 05c2617 Thanks @​dyc3! - Fixed #10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #10300 950247c Thanks @​dyc3! - Fixed #10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #10425 1948b72 Thanks @​sjh9714! - Fixed #10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #10442 001f94f Thanks @​ematipico! - Fixed #10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

... (truncated)

Commits

• 5f4ea56 ci: release (#10326)
• de2a33c fix(core): regression in emitted types (#10478)
• d835303 docs: remove redundant default phrase in useConsistentObjectDefinitions rul...
• 4f1aaf2 fix: incorrect build when using build or test (#10426)
• dc73b6b refactor: make plugins opt-in via feature gate (#10418)
• e71f584 feat(useDestructuring): add options for assignment/declaration and improve di...
• 9b1577f fix(config): support trailingCommas in overrides (#10318)
• 9dd3271 ci: release (#10210)
• 7b8d4e1 feat(lint/html/vue): add useVueValidVFor (#10195)
• ba3480e feat(lint/js): add useTestHooksInOrder (#9394)
• Additional commits viewable in compare view

Updates @changesets/changelog-github from 0.5.2 to 0.7.0

Release notes

Sourced from @​changesets/changelog-github's releases.

@​changesets/changelog-github@​0.7.0

Minor Changes

• #1255 94578cf Thanks @​Kauhsa! - Added disableThanks option

@​changesets/changelog-github@​0.6.0

Minor Changes

• #1850 fd0bc2e Thanks @​mixelburg! - Linkify issue references in changelog entries.

Patch Changes

• #1810 27fd8f4 Thanks @​hirasso! - Replace deprecated String.prototype.trimRight with String.prototype.trimEnd

• Updated dependencies [d4b8ad8, e462d89]:

  • @​changesets/get-github-info@​0.8.0

Commits

• d1ef2d8 Version Packages (#1950)
• 7af5876 Restrict publish job to the npm env (#1972)
• ff767d2 Sync config-file-options documentation with schema.json and source code (#1683)
• 951094b fix: pin 2 unpinned action(s) (#1915)
• 94578cf Added disableThanks option (#1255)
• d87334d Support dark mode banner in readme (#1943)
• 87472a7 Update .vscode/settings.json (#1944)
• 317a373 Disable publish_pr job
• 9cce6db Version Packages (#1897)
• d2121dc Fix npm auth for path-based registries during publish by preserving configure...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​changesets/changelog-github since your current version.

Updates @changesets/cli from 2.29.8 to 2.31.0

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.31.0

Minor Changes

• #1889 96ca062 Thanks @​mixelburg! - Error on unsupported flags for individual CLI commands and print the matching command usage to make mistakes easier to spot.

• #1873 42943b7 Thanks @​mixelburg! - Respond to --help on all subcommands. Previously, --help was only handled when it was the sole argument; passing it alongside a subcommand (e.g. changeset version --help) would silently execute the command instead. Now --help always exits early and prints per-command usage when a known subcommand is provided, or the general help text otherwise.

Patch Changes

• d2121dc Thanks @​Andarist! - Fix npm auth for path-based registries during publish by preserving configured registry URLs instead of normalizing them.

• #1888 036fdd4 Thanks @​mixelburg! - Fix several changeset version issues with workspace protocol dependencies. Valid explicit workspace: ranges and aliases are no longer rewritten unnecessarily, and workspace path references are handled correctly during versioning.

• #1903 5c4731f Thanks @​Andarist! - Gracefully handle stale npm info data leading to duplicate publish attempts.

• #1867 f61e716 Thanks @​Andarist! - Improved detection for published state of prerelease-only packages without latest dist-tag on GitHub Packages registry.

• Updated dependencies [036fdd4, 036fdd4, 036fdd4]:

  • @​changesets/assemble-release-plan@​6.0.10
  • @​changesets/get-dependents-graph@​2.1.4
  • @​changesets/apply-release-plan@​7.1.1
  • @​changesets/get-release-plan@​4.0.16
  • @​changesets/config@​3.1.4

@​changesets/cli@​2.30.0

Minor Changes

• #1840 057cca2 Thanks @​wotan-allfather! - Add --since flag to add command

  The add command now supports a --since flag that allows you to specify which branch, tag, or git ref to use when detecting changed packages. This is useful for gitflow workflows where you have multiple target branches and the baseBranch config option doesn't cover all use cases.

  Example: changeset add --since=develop

  If not provided, the command falls back to the baseBranch value in your .changeset/config.json.

• #1845 2b4a66a Thanks @​Andarist! - Delegate OTP prompting to the package manager instead of handling it in-process. This allows Changesets to use the package manager's native web auth support.

• #1774 667fe5a Thanks @​bluwy! - Support importing custom commit option ES module. Previously, it used require() which only worked for CJS modules, however now it uses import() which supports both CJS and ES modules.

• #1839 73b1809 Thanks @​leochiu-a! - Add a --message (-m) flag to changeset add (and default changeset) so the changeset summary can be provided from the command line. When --message is present, the summary prompt is skipped while the final confirmation step is kept.

• #1806 0e8e01e Thanks @​luisadame! - Changeset CLI can now be run from the nested directories in the project, where the .changeset directory has to be found in one of the parent directories

Patch Changes

• #1849 9dc3230 Thanks @​Andarist! - Compute the terminal's size lazily to avoid spurious stderr output in non-interactive mode

• #1857 2a73025 Thanks @​mixelburg! - Fix confusing prompt labels when entering changeset summary after external editor fallback

• #1842 6df3a5e Thanks @​RodrigoHamuy! - Allow private packages to depend on skipped packages without requiring them to also be skipped. Private packages are not published to npm, so it is safe for them to have dependencies on ignored or unversioned packages.

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​changesets/cli since your current version.

Updates turbo from 2.7.5 to 2.9.16

Release notes

Sourced from turbo's releases.

Turborepo v2.9.16

What's Changed

Changelog

• release(turborepo): 2.9.15 by @​github-actions[bot] in vercel/turborepo#12955
• fix: Avoid hanging PTY shutdown by @​anthonyshew in vercel/turborepo#12958
• fix: Retry npm tlog publish failures by @​anthonyshew in vercel/turborepo#12959
• release(turborepo): 2.9.16-canary.1 by @​anthonyshew in vercel/turborepo#12960
• fix: Preserve nested Bun dependency versions by @​anthonyshew in vercel/turborepo#12963
• Revert "fix: Preserve nested Bun dependency versions" by @​anthonyshew in vercel/turborepo#12964
• release(turborepo): 2.9.16-canary.2 by @​github-actions[bot] in vercel/turborepo#12961
• fix: Preserve nested Bun dependency versions by @​anthonyshew in vercel/turborepo#12965
• fix: Don't delete existing .git when using --no-git flag by @​anthonyshew in vercel/turborepo#12968

Full Changelog: vercel/turborepo@v2.9.15...v2.9.16

Turborepo v2.9.16-canary.2

What's Changed

Changelog

• release(turborepo): 2.9.15-canary.7 by @​github-actions[bot] in vercel/turborepo#12935
• fix: Restore a few internal invariant checks by @​anthonyshew in vercel/turborepo#12933
• fix: Improve profile tracing coverage by @​anthonyshew in vercel/turborepo#12936
• fix: Use build-scale OTel duration buckets by @​anthonyshew in vercel/turborepo#12939
• fix: Preserve pnpm injected peer package entries by @​anthonyshew in vercel/turborepo#12940
• feat: Add heap allocation profiling by @​anthonyshew in vercel/turborepo#12943
• release(turborepo): 2.9.15-canary.8 by @​anthonyshew in vercel/turborepo#12945
• docs: Correct attribute presence claims in turborepo-otel by @​adityasingh2400 in vercel/turborepo#12932
• chore(turbo-codemod): Remove duplicate "in" in transforms path comment by @​mvanhorn in vercel/turborepo#12948
• chore: Switch Geist font imports to npm geist package by @​christopherkindl in vercel/turborepo#12952
• fix: Respect root gitignore during prune by @​anthonyshew in vercel/turborepo#12953
• fix: Harden OTEL endpoint validation by @​anthonyshew in vercel/turborepo#12954
• release(turborepo): 2.9.15 by @​github-actions[bot] in vercel/turborepo#12955
• fix: Avoid hanging PTY shutdown by @​anthonyshew in vercel/turborepo#12958
• fix: Retry npm tlog publish failures by @​anthonyshew in vercel/turborepo#12959
• release(turborepo): 2.9.16-canary.1 by @​anthonyshew in vercel/turborepo#12960

New Contributors

• @​adityasingh2400 made their first contribution in vercel/turborepo#12932
• @​mvanhorn made their first contribution in vercel/turborepo#12948
• @​christopherkindl made their first contribution in vercel/turborepo#12952

Full Changelog: vercel/turborepo@v2.9.15-canary.7...v2.9.16-canary.2

Turborepo v2.9.15

... (truncated)

Commits

• 5e2d466 publish 2.9.16 to registry
• b4aa626 fix: Don't delete existing .git when using --no-git flag (#12968)
• 7952b46 fix: Preserve nested Bun dependency versions (#12965)
• 5e5b248 release(turborepo): 2.9.16-canary.2 (#12961)
• 3b1b6e9 Revert "fix: Preserve nested Bun dependency versions" (#12964)
• 8d4eaf8 fix: Preserve nested Bun dependency versions (#12963)
• 2284fa9 release(turborepo): 2.9.16-canary.1 (#12960)
• 5317f65 fix: Retry npm tlog publish failures (#12959)
• 52e81bd fix: Avoid hanging PTY shutdown (#12958)
• c85d410 release(turborepo): 2.9.15 (#12955)
• Additional commits viewable in compare view

Updates fumadocs-core from 16.4.8 to 16.9.3

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.9.3

Patch Changes

• 42f0255: Support invalidate & revalidate on dynamic loader
• a807798: Improve source API utils & types

fumadocs-core@16.9.1

Patch Changes

• e77b9b3: Introduce pagesIndex property to explicitly define the index page for folder
• 334c8fd: [i18n] support different orders of preset() calls

fumadocs-core@16.8.12

Patch Changes

• 768b676: Standardize structuredData in page data

fumadocs-core@16.8.11

Patch Changes

• 1dc86c7: loosen the range for waku

fumadocs-core@16.8.10

Patch Changes

• 062beab: fix internal types
• 505cfe0: Add remark-block-id plugin

fumadocs-core@16.8.8

No release notes provided.

fumadocs-core@16.8.7

No release notes provided.

fumadocs-core@16.8.6

No release notes provided.

fumadocs-core@16.8.5

Patch Changes

• 79d3209: Narrow schema type for private OpenAPI properties

fumadocs-core@16.8.4

Patch Changes

• 61b15e9: fix Shiki languages not loaded under lazy mode
• 1a5433c: Support $ in locale for page tree generation

fumadocs-core@16.8.3

No release notes provided.

... (truncated)

Commits

• See full diff in compare view

Updates fumadocs-mdx from 14.2.6 to 14.3.2

Release notes

Sourced from fumadocs-mdx's releases.

fumadocs-mdx@14.3.2

Patch Changes

• 79d3209: Deprecate forwarded schemas at fumadocs-mdx/config, recommend fumadocs-core/source/schema instead.
• Updated dependencies [79d3209]
  • fumadocs-core@16.8.5

Commits

• See full diff in compare view

Updates fumadocs-ui from 16.4.8 to 16.9.3

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.9.3

Patch Changes

• Updated dependencies [42f0255]
• Updated dependencies [a807798]
  • fumadocs-core@16.9.3

fumadocs-ui@16.9.1

Patch Changes

• Updated dependencies [e77b9b3]
• Updated dependencies [334c8fd]
  • fumadocs-core@16.9.1

fumadocs-ui@16.8.12

Patch Changes

• Updated dependencies [768b676]
  • fumadocs-core@16.8.12

fumadocs-ui@16.8.11

Patch Changes

• Updated dependencies [1dc86c7]
  • fumadocs-core@16.8.11

fumadocs-ui@16.8.10

Patch Changes

• Updated dependencies [062beab]
• Updated dependencies [505cfe0]
  • fumadocs-core@16.8.10

fumadocs-ui@16.8.8

Patch Changes

• b494c8d: Support copy ID in headings
• 03626ba: [Search UI] show ctrl for Linux machines
  • fumadocs-core@16.8.8

fumadocs-ui@16.8.7

Patch Changes

• 34f37f3: hotfix TOC
  • fumadocs-core@16.8.7

fumadocs-ui@16.8.6

Patch Changes

• 1aa48d0: fix RTL layout for Clerk style

... (truncated)

Commits

• See full diff in compare view

Updates lucide-react from 0.563.0 to 0.577.0

Release notes

Sourced from lucide-react's releases.

Version 0.577.0

What's Changed

• chore(deps): bump rollup from 4.53.3 to 4.59.0 by @​dependabot[bot] in lucide-icons/lucide#4106
• fix(repo): correctly ignore docs/releaseMetadata via .gitignore by @​bhavberi in lucide-icons/lucide#4100
• feat(icons): added ellipse icon by @​KISHORE-KUMAR-S in lucide-icons/lucide#3749

New Contributors

• @​bhavberi made their first contribution in lucide-icons/lucide#4100
• @​KISHORE-KUMAR-S made their first contribution in lucide-icons/lucide#3749

Full Changelog: lucide-icons/lucide@0.576.0...0.577.0

Version 0.576.0

What's Changed

• Added zodiac signs by @​karsa-mistmere in lucide-icons/lucide#712
• fix(icons): fixes guideline violations in package-* icons. by @​karsa-mistmere in lucide-icons/lucide#4074
• fix(icons): changed receipt icon by @​karsa-mistmere in lucide-icons/lucide#4075
• fix(icons): updated cuboid icon tags and categories by @​karsa-mistmere in lucide-icons/lucide#4095
• fix(icons): changed cuboid icon by @​jamiemlaw in lucide-icons/lucide#4098
• fix(lucide-font, lucide-static): Fixing stable code points by @​ericfennis in lucide-icons/lucide#3894
• feat(icons): added fishing-rod icon by @​7ender in lucide-icons/lucide#3839

Full Changelog: lucide-icons/lucide@0.575.0...0.576.0

Version 0.575.0

What's Changed

• feat(icons): added message-square-check icon by @​karsa-mistmere in lucide-icons/lucide#4076
• fix(lucide): Fix ESM Module output path in build by @​ericfennis in lucide-icons/lucide#4084
• feat(icons): added metronome icon by @​edwloef in lucide-icons/lucide#4063
• fix(icons): remove execution permission of SVG files by @​duckafire in lucide-icons/lucide#4053
• fix(icons): changed file-pen-line icon by @​jguddas in lucide-icons/lucide#3970
• feat(icons): added square-arrow-right-exit and square-arrow-right-enter icons by @​EthanHazel in lucide-icons/lucide#3958
• fix(icons): renamed flip-* to square-centerline-dashed-* by @​jguddas in lucide-icons/lucide#3945

New Contributors

• @​edwloef made their first contribution in lucide-icons/lucide#4063
• @​duckafire made their first contribution in lucide-icons/lucide#4053

Full Changelog: lucide-icons/lucide@0.573.0...0.575.0

Version 0.574.0

What's Changed

• fix(icons): changed rocking-chair icon by @​jamiemlaw in lucide-icons/lucide#3445
• fix(icons): flipped coins icon by @​jguddas in lucide-icons/lucide#3158
• feat(icons): added x-line-top icon by @​jguddas in lucide-icons/lucide#2838
• feat(icons): added mouse-left icon by @​marvfash in lucide-icons/lucide#2788
• feat(icons): added mouse-right icon by @​marvfash in lucide-icons/lucide#2787

New Contributors

... (truncated)

Commits

• f6c0d06 chore(deps): bump rollup from 4.53.3 to 4.59.0 (#4106)
• See full diff in compare view

Updates next from 16.2.1 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates react from 19.1.0 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

19.2.3 (December 11th, 2025)

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon facebook/react#35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #35289, #35345)

19.2.1 (December 3rd, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
billsdk-demo	Error		May 30, 2026 1:10am
billsdk-website	Error		May 30, 2026 1:10am

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.