chore(deps): bump the dependencies group across 1 directory with 13 updates

[dependabot]

Bumps the dependencies group with 13 updates in the / directory:

Package	From	To
@biomejs/biome	2.4.16	2.5.0
@types/node	24.13.1	24.13.2
turbo	2.9.17	2.9.18
ai	6.0.199	6.0.208
better-auth	1.6.16	1.6.19
ably	2.22.1	2.23.0
vitest	4.1.8	4.1.9
@vitest/coverage-v8	4.1.8	4.1.9
@base-ui/react	1.5.0	1.6.0
@radix-ui/react-slot	1.2.5	1.3.0
radix-ui	1.5.0	1.6.0
@tailwindcss/postcss	4.3.0	4.3.1
tailwindcss	4.3.0	4.3.1

Updates @biomejs/biome from 2.4.16 to 2.5.0

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.0

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

  /* styles.css — .ghost is never used in any importing file */

... (truncated)

Commits

• c0b9832 ci: release (#10499)
• 995c1ff feat(lint): add useFunctionComponentDefinition rule (#10498)
• 311c2b2 fix(biome_configuration): avoid Markdown links in JSON schema descriptions (#...
• 04c3f19 fix: docs and readme (#10584)
• 961f41c refactor(useExportType): improve docs and code (#10569)
• 78075b7 feat(useExportType): add style option (#10561)
• 6642895 feat: rule promotion for v2.5 (#10562)
• 9a5855e feat: noRestrictedDependencies (#10467)
• 608a62f Merge branch 'main' into chore/merge-main-into-next
• 0f29b83 feat(linter): implement useIncludes rule (#10516)
• Additional commits viewable in compare view

Updates @types/node from 24.13.1 to 24.13.2

Commits

• See full diff in compare view

Updates turbo from 2.9.17 to 2.9.18

Release notes

Sourced from turbo's releases.

Turborepo v2.9.18

What's Changed

Changelog

• release(turborepo): 2.9.17 by @​github-actions[bot] in vercel/turborepo#13047
• ci: Fetch version.txt via API in docs alias failure notification by @​anthonyshew in vercel/turborepo#13050
• fix: Harden cache archive symlink restore by @​anthonyshew in vercel/turborepo#13051
• chore: Remove web UI mode by @​anthonyshew in vercel/turborepo#13052
• fix: Harden query server file access by @​anthonyshew in vercel/turborepo#13053
• fix: Confine prune patch paths by @​anthonyshew in vercel/turborepo#13054
• fix: Prevent git argument injection in SCM refs by @​anthonyshew in vercel/turborepo#13055
• fix: Strip special mode bits from cache restore by @​anthonyshew in vercel/turborepo#13056
• fix: Contain incremental cache outputs by @​anthonyshew in vercel/turborepo#13057
• fix(turborepo): Normalize Windows daemon path hash by @​Balance8 in vercel/turborepo#13020
• fix: Preserve vt100 cell byte counts by @​anthonyshew in vercel/turborepo#13058
• fix: Separate artifact signature fields by @​anthonyshew in vercel/turborepo#13059
• fix: Validate OidHash hex buffers by @​anthonyshew in vercel/turborepo#13060
• fix: Block self-hosted login URLs from attempting to use Vercel's SSO by @​anthonyshew in vercel/turborepo#13061

New Contributors

• @​Balance8 made their first contribution in vercel/turborepo#13020

Full Changelog: vercel/turborepo@v2.9.17...v2.9.18

Commits

• 3bdce32 publish 2.9.18 to registry
• 2a76556 fix: Block self-hosted login URLs from attempting to use Vercel's SSO (#13061)
• da8e348 fix: Validate OidHash hex buffers (#13060)
• 3018717 fix: Separate artifact signature fields (#13059)
• 34514e2 fix: Preserve vt100 cell byte counts (#13058)
• 24e2d34 fix(turborepo): Normalize Windows daemon path hash (#13020)
• 16dc881 fix: Contain incremental cache outputs (#13057)
• 92e1f8e fix: Strip special mode bits from cache restore (#13056)
• f46f896 fix: Prevent git argument injection in SCM refs (#13055)
• 7f353ca fix: Confine prune patch paths (#13054)
• Additional commits viewable in compare view

Updates ai from 6.0.199 to 6.0.208

Release notes

Sourced from ai's releases.

ai@6.0.208

Patch Changes

• 8261640: fix(ai): handle partial unicode escapes in fixJson
• f994df3: Serialize undefined tool output to null in UI message chunks

ai@6.0.207

Patch Changes

• 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

  When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

• Updated dependencies [5bfde36]

• Updated dependencies [779f5cd]

  • @​ai-sdk/gateway@​3.0.133
  • @​ai-sdk/provider-utils@​4.0.30

Changelog

Sourced from ai's changelog.

6.0.208

Patch Changes

• 8261640: fix(ai): handle partial unicode escapes in fixJson
• f994df3: Serialize undefined tool output to null in UI message chunks

6.0.207

Patch Changes

• 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

  When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

• Updated dependencies [5bfde36]

• Updated dependencies [779f5cd]

  • @​ai-sdk/gateway@​3.0.133
  • @​ai-sdk/provider-utils@​4.0.30

6.0.206

Patch Changes

• Updated dependencies [e962dda]
  • @​ai-sdk/gateway@​3.0.132

6.0.205

Patch Changes

• Updated dependencies [6160ced]
• Updated dependencies [c9b8abd]
  • @​ai-sdk/gateway@​3.0.131

6.0.204

Patch Changes

• Updated dependencies [c5d4716]
  • @​ai-sdk/gateway@​3.0.130

6.0.203

Patch Changes

• f42aa79: fix: harden download URL SSRF guard against hostname and redirect bypasses

  validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:

... (truncated)

Commits

• 3270146 Version Packages (#16243)
• f994df3 Backport: Serialize undefined tool output to null in UI message chunks (#16240)
• 8261640 Backport: fix(ai): handle partial unicode escapes in fixJson (#16233)
• caebb44 Version Packages (#16157)
• 779f5cd Backport: fix(provider-utils): cancel response body on download rejection to ...
• 5623117 Version Packages (#16134)
• 5548672 Version Packages (#16097)
• 63b3f60 Version Packages (#16086)
• bae9bab Version Packages (#16026)
• b4b575a Backport: fix(ai): redact server error details from UI message streams by def...
• Additional commits viewable in compare view

Updates better-auth from 1.6.16 to 1.6.19

Release notes

Sourced from better-auth's releases.

v1.6.19

better-auth

Features

• Added support for pre-binding device codes to a specific user in the device authorization plugin (#9995)

Bug Fixes

• Fixed headerless session checks (#10053)
• Fixed cookie cache fallback lookup (#9348)
• Fixed sendVerificationEmail errors not being surfaced to the client (#8863)
• Fixed auth client return types not being emitted correctly in TypeScript declaration builds (#10071)
• Fixed session and account cache cookies being silently dropped when near the browser's per-cookie size limit by splitting them into chunks (#10088)
• Fixed single-use verification flows (such as magic-link) hanging on connection-limited database adapters by reusing active transactions (#10070)
• Fixed the domain not being included when clearing cross-subdomain cookies in the last-login-method plugin (#9319)
• Fixed the oauth-popup plugin leaking internal OAuth state keys into additionalData (#10067)
• Reverted the headerless session check fix (#10074)

For detailed changes, see CHANGELOG

auth

Bug Fixes

• Fixed the generate command not handling a directory path passed to --output (#9564)
• Fixed array additionalField default values not being serialized correctly in the Drizzle schema generator (#10048)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

• Fixed password reset tokens not working with the Drizzle MySQL adapter after being consumed (#10081)

For detailed changes, see CHANGELOG

@better-auth/mongo-adapter

Bug Fixes

• Fixed guarded state transitions (token rotation, revocation, two-factor backup-code regeneration, device-code claiming, and organization invitation acceptance) failing on Prisma and on MongoDB servers older than 5.0 (#10086)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.19

Patch Changes

• #10088 de4aa52 Thanks @​bytaesu! - Session and account cache cookies near the browser's per-cookie size limit (for example with a long cookiePrefix or many cached fields) are now split into chunks instead of being silently dropped by the browser. A cache too large to fit even when chunked is skipped with a warning rather than failing the request, so reads fall back to the database.

• #9995 b4b0266 Thanks @​ElGauchooooo! - The device authorization plugin now accepts an optional user_id when issuing a device code via /device/code, pre-binding the code to that user. Only the bound user can approve or deny the code, so a publicly visible user code can no longer be claimed by someone else.

• #10086 5bd5e1c Thanks @​gustavovalverde! - Refresh-token rotation and token revocation, two-factor backup-code regeneration, device-code claiming, and organization invitation acceptance now work on Prisma. Concurrent or repeat requests in these flows could previously return an error on Prisma instead of the expected result.

  On MongoDB servers older than 5.0, these flows and other guarded value updates (rate-limit window resets, API-key refills) no longer fail with an empty-update error.

  @better-auth/core: incrementOne now reports a clear error when called with no increment and no set.

• #9319 581f827 Thanks @​ping-maxwell! - fix(last-login-method): include domain when clearing cross-subdomain cookies

• #10067 8407885 Thanks @​bytaesu! - The oauth-popup plugin now ignores internal OAuth state fields passed through its additionalData parameter, so additionalData only ever carries your own custom values.

• #9555 c1a8a64 Thanks @​ChrisMGeo! - Fix invalid OpenAPI output for Better Auth callback, session, and passkey routes so client generators can consume the schema.

• #10071 635f190 Thanks @​gustavovalverde! - Auth clients exported from wrapper packages can now be emitted in TypeScript declaration builds without extra type annotations.

• #10070 a787e0b Thanks @​gustavovalverde! - Single-use verification flows no longer hang on database adapters that use a one-connection pool. This fixes magic-link verification and similar token checks in connection-limited serverless database setups.

• #9348 c2f718f Thanks @​ping-maxwell! - fix: cookie cache fallback lookup

• #8863 7d18175 Thanks @​ping-maxwell! - sendVerificationEmail was invoked via runInBackgroundOrAwait, which could defer work when advanced.backgroundTasks.handler is configured (so the handler could return 200 before the email callback finished) and, in the default path, caught and logged errors without rethrowing. User callbacks that throw APIError (e.g. 429 from a rate limiter) were therefore not reliably reflected in the HTTP response (better-auth/better-auth#8757).

  Now we await sendVerificationEmailFn so failures surface to the client with the correct status. The unauthenticated /send-verification-email path enforces a constant-time floor (500 ms) so that the response duration does not reveal whether the email belongs to a real unverified user.

• Updated dependencies [0895993, 5bd5e1c, a787e0b]:

  • @​better-auth/drizzle-adapter@​1.6.19
  • @​better-auth/core@​1.6.19
  • @​better-auth/mongo-adapter@​1.6.19
  • @​better-auth/kysely-adapter@​1.6.19
  • @​better-auth/memory-adapter@​1.6.19
  • @​better-auth/prisma-adapter@​1.6.19
  • @​better-auth/telemetry@​1.6.19

1.6.18

Patch Changes

• #9315 9ef7240 Thanks @​GautamBytes! - fix OpenAPI requestBody generation for intersected and default-wrapped body schemas

• #9583 b21a5f7 Thanks @​GautamBytes! - Fix plugin-provided client methods and additional session fields not being inferred in composite monorepos.

• Updated dependencies [b21a5f7]:

  • @​better-auth/core@​1.6.18
  • @​better-auth/drizzle-adapter@​1.6.18

... (truncated)

Commits

• ac4d81d chore: release v1.6.19 (#10034)
• 1e69725 docs: clarify stateless Cognito token refresh (#10092)
• de4aa52 fix(cookies): chunk session and account cookies near the browser size limit (...
• 5bd5e1c fix: make guarded state transitions portable on Prisma (#10086)
• 36f345b revert: fix: allow headerless get session checks (#10053) (#10074)
• 635f190 fix(client): name auth client return types (#10071)
• d009dae fix: allow headerless get session checks (#10053)
• 8407885 fix(oauth-popup): filter internal state keys from additionalData (#10067)
• c2f718f fix: cookie cache fallback lookup (#9348)
• 581f827 fix(last-login-method): include domain when clearing cross-subdomain cookies ...
• Additional commits viewable in compare view

Updates ably from 2.22.1 to 2.23.0

Release notes

Sourced from ably's releases.

v2.23.0

Full Changelog: ably/ably-js@2.22.1...2.23.0

What's Changed

• Allow omitting channelName in the React channel hooks to use the nearest ChannelProvider #2248
• Fix presence auto-reenter causing "Unable to perform operation on channel" NACKs after reconnecting from a transient disconnect; presence operations are now queued at the channel level until the channel next re-attaches #2241

Changelog

Sourced from ably's changelog.

2.23.0 (2026-06-19)

Full Changelog

What's Changed

• Allow omitting channelName in the React channel hooks to use the nearest ChannelProvider #2248
• Fix presence auto-reenter causing "Unable to perform operation on channel" NACKs after reconnecting from a transient disconnect; presence operations are now queued at the channel level until the channel next re-attaches #2241

Commits

• 13bd25d Merge pull request #2251 from ably/release/2.23.0
• d6c52f6 chore: release/2.23.0
• fa63502 Merge pull request #2241 from ably/ECO-5728/fix-presence-auto-reenter
• 2931422 Queue presence onto re-attaching channels on reconnect (RTL3d2)
• 55dae3c Honor queueMessages for channel-level presence queueing (RTP16b)
• a645238 Merge pull request #2248 from ably/react-hooks-channel
• 6d54416 feat(react): allow omitting channelName to use the nearest ChannelProvider
• c7cf2a9 Merge pull request #2250 from ably/fix/broken-publish-tests
• cb64947 Merge branch 'main' into fix/broken-publish-tests
• 266dd87 Merge pull request #2247 from ably/uts-pubsub
• Additional commits viewable in compare view

Updates vitest from 4.1.8 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

• Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in vitest-dev/vitest#10546 (a5180)
• browser:
  • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10555 (7fb29)
  • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10497 and vitest-dev/vitest#10556 (fbc62)
• mocker:
  • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in vitest-dev/vitest#10548 (2c955)
• pool:
  • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in vitest-dev/vitest#10543 and vitest-dev/vitest#10564 (934b0)

View changes on GitHub

Commits

• a7a61e7 chore: release v4.1.9 (#10598)
• 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
• 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
• a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
• See full diff in compare view

Updates @vitest/coverage-v8 from 4.1.8 to 4.1.9

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.9

🐞 Bug Fixes

• Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in vitest-dev/vitest#10546 (a5180)
• browser:
  • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10555 (7fb29)
  • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10497 and vitest-dev/vitest#10556 (fbc62)
• mocker:
  • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in vitest-dev/vitest#10548 (2c955)
• pool:
  • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in vitest-dev/vitest#10543 and vitest-dev/vitest#10564 (934b0)

View changes on GitHub

Commits

• a7a61e7 chore: release v4.1.9 (#10598)
• See full diff in compare view

Updates @base-ui/react from 1.5.0 to 1.6.0

Release notes

Sourced from @​base-ui/react's releases.

v1.6.0

General changes

• Correct inaccurate prop JSDoc (#5036) by @​atomiks
• Update the hook value when store/arguments change (#4866) by @​chuganzy
• Restore viewport morphing after reopen for kept-mounted popups (#5010) by @​atomiks
• Fix pseudo-element bounds in dev mode (#5000) by @​atomiks

Accordion

• Fix trigger behavior bugs (#4833) by @​atomiks
• Remove region role from Accordion.Root (#4961) by @​chuganzy
• Align keyboard navigation with APG (#4965) by @​chuganzy

Alert Dialog

• Fix programmatic focus return (#4849) by @​atomiks

Autocomplete

• Keep ArrowLeft/ArrowRight on the input caret in grid mode (#4948) by @​spokodev
• Document open requirement for the inline prop (#5069) by @​atomiks

Avatar

• Fix image status edge cases (#4835) by @​atomiks

Checkbox

• Fix parent group cancellation and indeterminate state (#4941) by @​atomiks
• Ignore data-focused Field attribute when disabled (#4998) by @​atomiks
• Fix extra validate fn calls (#4911) by @​mj12albert

Checkbox Group

• Fix parent group cancellation and indeterminate state (#4941) by @​atomiks
• Fix parent checkbox with custom validate fn (#4912) by @​mj12albert
• Fix validation with multiple required checkboxes (#4958) by @​atomiks
• Forward group ids (#4997) by @​atomiks

Collapsible

• Fix trigger and panel state bugs (#4848) by @​atomiks

Combobox

• Fix chip context error (#4877) by @​lyzno1
• Keep ArrowLeft/ArrowRight on the input caret in grid mode (#4948) by @​spokodev
• Avoid re-rendering every item on each keystroke (#4964) by @​flaviendelangle
• Fix autofill and selected state edge cases (#4972) by @​atomiks

... (truncated)

Changelog

Sourced from @​base-ui/react's changelog.

v1.6.0

Jun 18, 2026

General changes

• Correct inaccurate prop JSDoc (#5036) by @​atomiks
• Update the hook value when store/arguments change (#4866) by @​chuganzy
• Restore viewport morphing after reopen for kept-mounted popups (#5010) by @​atomiks
• Fix pseudo-element bounds in dev mode (#5000) by @​atomiks

Accordion

• Fix trigger behavior bugs (#4833) by @​atomiks
• Remove region role from Accordion.Root (#4961) by @​chuganzy
• Align keyboard navigation with APG (#4965) by @​chuganzy

Alert Dialog

• Fix programmatic focus return (#4849) by @​atomiks

Autocomplete

• Keep ArrowLeft/ArrowRight on the input caret in grid mode (#4948) by @​spokodev
• Document open requirement for the inline prop (#5069) by @​atomiks

Avatar

• Fix image status edge cases (#4835) by @​atomiks

Checkbox

• Fix parent group cancellation and indeterminate state (#4941) by @​atomiks
• Ignore data-focused Field attribute when disabled (#4998) by @​atomiks
• Fix extra validate fn calls (#4911) by @​mj12albert

Checkbox Group

• Fix parent group cancellation and indeterminate state (#4941) by @​atomiks
• Fix parent checkbox with custom validate fn (#4912) by @​mj12albert
• Fix validation with multiple required checkboxes (#4958) by @​atomiks
• Forward group ids (#4997) by @​atomiks

Collapsible

• Fix trigger and panel state bugs (#4848) by @​atomiks

Combobox

• Fix chip context error (#4877) by @​lyzno1

... (truncated)

Commits

• b34551d [code-infra] Fix package publishing (#5074)
• 615b0e8 [release] v1.6.0 (#5064)
• 8b7ca5d [test] Restore slider listener spies (#5072)
• 2502524 [combobox][autocomplete] Document open requirement for the inline prop (#...
• 4c33d74 [slider] Fix touchend listener accumulation ...

  Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.