
chore(deps): bump the patch-and-minor group with 33 updates #33

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/patch-and-minor-a680dd1bee

dependabot[bot] commented on behalf of github on May 26, 2026

Bumps the patch-and-minor group with 33 updates:

| Package | From | To |
| --- | --- | --- |
| @arcjet/next | 1.3.1 | 1.4.0 |
| @sentry/nextjs | 10.46.0 | 10.53.1 |
| @trigger.dev/sdk | 4.4.3 | 4.4.6 |
| @upstash/redis | 1.37.0 | 1.38.0 |
| framer-motion | 12.38.0 | 12.40.0 |
| groq-sdk | 1.1.2 | 1.2.0 |
| next-safe-action | 8.3.0 | 8.5.3 |
| posthog-js | 1.364.1 | 1.376.0 |
| resend | 6.10.0 | 6.12.4 |
| tailwind-merge | 3.5.0 | 3.6.0 |
| workbox-window | 7.4.0 | 7.4.1 |
| xstate | 5.30.0 | 5.31.1 |
| zod | 4.3.6 | 4.4.3 |
| zustand | 5.0.12 | 5.0.13 |
| @axe-core/playwright | 4.11.1 | 4.11.3 |
| @biomejs/biome | 2.4.9 | 2.4.15 |
| @chromatic-com/storybook | 5.1.1 | 5.2.1 |
| @next/bundle-analyzer | 16.2.4 | 16.2.6 |
| @playwright/test | 1.58.2 | 1.60.0 |
| @storybook/addon-a11y | 10.3.3 | 10.4.1 |
| @storybook/addon-docs | 10.3.3 | 10.4.1 |
| @storybook/addon-onboarding | 10.3.3 | 10.4.1 |
| @storybook/nextjs-vite | 10.3.3 | 10.4.1 |
| @tailwindcss/postcss | 4.2.2 | 4.3.0 |
| @trigger.dev/build | 4.4.3 | 4.4.6 |
| eslint-config-next | 16.1.1 | 16.2.6 |
| eslint-plugin-storybook | 10.3.3 | 10.4.1 |
| msw | 2.12.14 | 2.14.6 |
| playwright | 1.58.2 | 1.60.0 |
| prettier | 3.8.1 | 3.8.3 |
| storybook | 10.3.3 | 10.4.1 |
| tailwindcss | 4.2.2 | 4.3.0 |
| vite | 8.0.8 | 8.0.14 |

Updates @arcjet/next from 1.3.1 to 1.4.0

Release notes

Sourced from @​arcjet/next's releases.

v1.4.0

1.4.0 (2026-04-14)

🚀 New Features

Introducing Arcjet Guard - protect AI agent tool calls, background jobs, and anything beyond HTTP. @arcjet/guard is a new API built for the agentic era: rate limit by any key, detect prompt injection, and catch PII.

  • guard: promote @​arcjet/guard from experimental to stable release (#5996) (f511f44)

📝 Documentation

  • add @​arcjet/guard documentation to root README (#5993) (4be39c8)
  • add MCP server mentions to @​arcjet/guard (#5974) (cd398c0)

🧹 Miscellaneous Chores

🔨 Build System

  • deps-dev: bump vite from 7.3.1 to 7.3.2 (#5980) (8a253f6)
  • deps-dev: bump vite from 7.3.1 to 7.3.2 in /examples/react-router (#5982) (ddf3416)
  • deps-dev: bump vite from 7.3.1 to 7.3.2 in /examples/react-router-middleware (#5985) (e36cf35)
  • deps: bump @​nestjs/core from 11.1.17 to 11.1.18 in /examples/nestjs (#5983) (514ae8b)
  • deps: bump unhead and @​unhead/vue in /examples/nuxt (#5989) (6add894)
  • deps: bump vite from 7.3.1 to 7.3.2 in /examples/nuxt (#5981) (97138bc)
  • deps: bump vite in /examples/remix-express (#5977) (3b97d6f)
Changelog

Sourced from @​arcjet/next's changelog.

1.4.0 (2026-04-14)

🧹 Miscellaneous Chores

  • Deprecate score and threshold fields in detectPromptInjection (#5987) (de46cb7)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​arcjet/body bumped from 1.3.1 to 1.4.0
      • @​arcjet/env bumped from 1.3.1 to 1.4.0
      • @​arcjet/headers bumped from 1.3.1 to 1.4.0
      • @​arcjet/ip bumped from 1.3.1 to 1.4.0
      • @​arcjet/logger bumped from 1.3.1 to 1.4.0
      • @​arcjet/protocol bumped from 1.3.1 to 1.4.0
      • @​arcjet/transport bumped from 1.3.1 to 1.4.0
      • arcjet bumped from 1.3.1 to 1.4.0
    • devDependencies
      • @​arcjet/eslint-config bumped from 1.3.1 to 1.4.0
      • @​arcjet/rollup-config bumped from 1.3.1 to 1.4.0
Commits

Updates @sentry/nextjs from 10.46.0 to 10.53.1

Release notes

Sourced from @​sentry/nextjs's releases.

10.53.1

  • fix(core): Don't gate user data for streamed spans at scope read time (#20827)
  • fix(core): Include subpath type shims in published package (#20835)
  • ref(hono): Consolidate route patching and add clarification comments (#20829)
  • chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/test-applications/nextjs-15-intl (#20821)

Bundle size 📦

| Path | Size |
| --- | --- |
| @sentry/browser | 26.22 KB |
| @sentry/browser - with treeshaking flags | 24.69 KB |
| @sentry/browser (incl. Tracing) | 43.69 KB |
| @sentry/browser (incl. Tracing + Span Streaming) | 45.62 KB |
| @sentry/browser (incl. Tracing, Profiling) | 48.56 KB |
| @sentry/browser (incl. Tracing, Replay) | 82.4 KB |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 72.08 KB |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 86.99 KB |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 99.33 KB |
| @sentry/browser (incl. Feedback) | 43 KB |
| @sentry/browser (incl. sendFeedback) | 30.92 KB |
| @sentry/browser (incl. FeedbackAsync) | 35.91 KB |
| @sentry/browser (incl. Metrics) | 27.27 KB |
| @sentry/browser (incl. Logs) | 27.42 KB |
| @sentry/browser (incl. Metrics & Logs) | 28.08 KB |
| @sentry/react | 27.92 KB |
| @sentry/react (incl. Tracing) | 45.9 KB |
| @sentry/vue | 31.01 KB |
| @sentry/vue (incl. Tracing) | 45.5 KB |
| @sentry/svelte | 26.24 KB |
| CDN Bundle | 28.55 KB |
| CDN Bundle (incl. Tracing) | 46.04 KB |
| CDN Bundle (incl. Logs, Metrics) | 29.89 KB |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 47.14 KB |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.3 KB |
| CDN Bundle (incl. Tracing, Replay) | 82.55 KB |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 83.6 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 88.23 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 89.3 KB |
| CDN Bundle - uncompressed | 83.97 KB |
| CDN Bundle (incl. Tracing) - uncompressed | 138.12 KB |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 88.07 KB |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 141.5 KB |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 209.97 KB |
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed 209.97 KB

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.53.1

  • fix(core): Don't gate user data for streamed spans at scope read time (#20827)
  • fix(core): Include subpath type shims in published package (#20835)
  • ref(hono): Consolidate route patching and add clarification comments (#20829)
  • chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/test-applications/nextjs-15-intl (#20821)

10.53.0

Important Changes

  • feat(core): Add streamGenAiSpans options to stream gen_ai spans (#20785)

    Adds a new streamGenAiSpans option that controls how gen_ai spans are sent to Sentry. When set, the SDK extracts all gen_ai spans out of a transaction and sends them as v2 envelope items.

    Enable this option if gen_ai spans are being dropped because the transaction payload exceeds size limits.

    Sentry.init({
      dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0',
      streamGenAiSpans: true,
    });

Other Changes

  • feat(browser): Migrate browser profiling thread data to span attributes (#20800)
  • feat(core): Add addConsoleInstrumentationFilter utility (#20790)
  • feat(core): Add applicationKey to BuildTimeOptionsBase (#20789)
  • feat(core): split exports by browser/server for bundle size (#20435)
  • feat(nextjs): Add top-level applicationKey option (#20794)
  • feat(node): Support Node 26 (#20710)
  • feat(profiling-node): Bump @sentry-internal/node-cpu-profiler to 2.4.0 (#20720)
  • fix(cloudflare): avoid flush lock self-wait (#20719)
  • fix(hono): Capture transaction name on request for correct culprit (#20801)
  • fix(mcp): retroactively wrap handlers registered before wrapMcpServerWithSentry (#20699)
  • fix(node-core): Guard against undefined util.getSystemErrorMap (#20660)
  • fix(replay): Capture aborted/errored fetch requests in replay network tab (#20722)

... (truncated)

Commits
  • cd97408 release: 10.53.1
  • 66cfb25 Merge pull request #20838 from getsentry/prepare-release/10.53.1
  • df8fd38 meta(changelog): Update changelog for 10.53.1
  • 5881009 fix(core): Include subpath type shims in published package (#20835)
  • 6a7d179 fix(core): Don't gate user data for streamed spans at scope read time (#20827)
  • ad47c3c ref(hono): Consolidate route patching and add clarification comments (#20829)
  • 28d6fe5 Merge pull request #20826 from getsentry/master
  • 46aca45 Merge branch 'release/10.53.0'
  • b5cbc9c chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/tes...
  • 05489b8 release: 10.53.0
  • Additional commits viewable in compare view

Updates @trigger.dev/sdk from 4.4.3 to 4.4.6

Changelog

Sourced from @​trigger.dev/sdk's changelog.

4.4.6

Patch Changes

  • Updated dependencies:
    • @trigger.dev/core@4.4.6

4.4.5

Patch Changes

  • Updated dependencies:
    • @trigger.dev/core@4.4.5

4.4.4

Patch Changes

  • Define and manage AI prompts with prompts.define(). Create typesafe prompt templates with variables, resolve them at runtime, and manage versions and overrides from the dashboard without redeploying. (#3244)
  • Add support for setting TTL (time-to-live) defaults at the task level and globally in trigger.config.ts, with per-trigger overrides still taking precedence (#3196)
  • Adapted the CLI API client to propagate the trigger source via http headers. (#3241)
  • Updated dependencies:
    • @trigger.dev/core@4.4.4
Commits

Updates @upstash/redis from 1.37.0 to 1.38.0

Release notes

Sourced from @​upstash/redis's releases.

@​upstash/redis@​1.38.0

Minor Changes

  • c71f581: Separate read/write commands into separate pipelines in auto pipeline. As a result, mixed read/write Promise.all batches may now be split across multiple pipeline HTTP requests instead of a single request, and read-after-write ordering may no longer be preserved within those mixed batches.

@upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

What's Changed

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.37.0...@​upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

Commits

Updates framer-motion from 12.38.0 to 12.40.0

Changelog

Sourced from framer-motion's changelog.

[12.40.0] 2026-05-21

Added

  • path option to transition.
  • arc() for motion along an arc.

[12.39.0] 2026-05-18

Added

  • Support for repeatType and repeatDelay in animation sequences.

Fixed

  • Variants: Re-run keyframe animations when switching between variant labels even when they share identical keyframe arrays.
  • Drag: Preserve in-flight motion value animations across React 19 reorder unmount/remount so dragSnapToOrigin no longer leaves the drag transform stranded after a layout swap.
  • LazyMotion: Share React contexts between the framer-motion and framer-motion/m (and therefore motion/react and motion/react-m) CJS bundles so that <m.div> from the /m subpath picks up features loaded by <LazyMotion> from the main entry point.
  • useScroll: Support hydrating target and container refs from anywhere in the tree.
  • Drag: Gesture no longer starts from incorrect start point when rendered inside <AnimatePresence initial={false} />.
  • Drag: dragConstraints, when set as viewport-relative ref, no longer break on scroll.
  • Updated visualElement hydration order.
  • useAnimate: Now respects skipAnimations.
  • AnimatePresence: Fix object-form initial values not applied on re-entry after exit completes.
  • scroll: Fixed callback progress when tracking an element.
  • useScroll: Fix hardware acceleration when tracking an element.
Commits
  • 38ebb94 v12.40.0
  • b1f766c Latest
  • bca5544 Merge pull request #3699 from motiondivision/lochie/arcs-injectable
  • f1a96cf arc(): rename amp/rotate, expose MotionPath, fix explicit cw/ccw
  • b4aaba0 pathRotation: non-destructive orientToPath rotation channel
  • 8604ef3 Make arcs injectable via transition.path = arc()
  • f90fe29 add orientToPath
  • 9ebe999 fix: test
  • bc2107e Revert "no should"
  • 6eeb92d no should
  • Additional commits viewable in compare view

Updates groq-sdk from 1.1.2 to 1.2.0

Release notes

Sourced from groq-sdk's releases.

v1.2.0

1.2.0 (2026-05-08)

Full Changelog: v1.1.2...v1.2.0

Features

  • support setting headers via env (4141bb0)

Bug Fixes

  • ci: set NODE_AUTH_TOKEN for npm OIDC trusted publisher auth (#259) (67f676b)

Chores

  • format: run eslint and prettier separately (32c1a70)
  • internal: codegen related update (f4bca6a)
  • internal: codegen related update (22ebc5e)
  • internal: codegen related update (da82d5d)
  • internal: codegen related update (d8648d9)
  • internal: more robust bootstrap script (991fe2c)
  • internal: update multipart form array serialization (d0681d2)
  • redact api-key headers in debug logs (3640895)
  • tests: bump steady to v0.20.1 (4f47a2d)
  • tests: bump steady to v0.20.2 (ceeeeea)
  • tests: bump steady to v0.22.1 (59eabab)

Documentation

Changelog

Sourced from groq-sdk's changelog.

1.2.0 (2026-05-08)

Full Changelog: v1.1.2...v1.2.0

Features

  • support setting headers via env (4141bb0)

Bug Fixes

  • ci: set NODE_AUTH_TOKEN for npm OIDC trusted publisher auth (#259) (67f676b)

Chores

  • format: run eslint and prettier separately (32c1a70)
  • internal: codegen related update (f4bca6a)
  • internal: codegen related update (22ebc5e)
  • internal: codegen related update (da82d5d)
  • internal: codegen related update (d8648d9)
  • internal: more robust bootstrap script (991fe2c)
  • internal: update multipart form array serialization (d0681d2)
  • redact api-key headers in debug logs (3640895)
  • tests: bump steady to v0.20.1 (4f47a2d)
  • tests: bump steady to v0.20.2 (ceeeeea)
  • tests: bump steady to v0.22.1 (59eabab)

Documentation

Commits

Updates next-safe-action from 8.3.0 to 8.5.3

Release notes

Sourced from next-safe-action's releases.

next-safe-action@8.5.3

Patch Changes

  • #450 edf9dd6 Thanks @​TheEdoRan! - Remove the deepmerge-ts runtime dependency by inlining the small subset of deep-merge logic the library actually uses into an internal deep-merge.ts. Behavior is unchanged (records merged recursively, arrays concatenated, Sets/Maps combined, otherwise last value wins, with a __proto__ pollution guard), and the package now ships with zero runtime dependencies.

next-safe-action@8.5.2

Patch Changes

  • #448 c10b464 Thanks @​TheEdoRan! - Add the pkg.pr.new badge to README. Documentation-only change, no runtime impact.

next-safe-action@8.5.1

Patch Changes

  • #446 6b1e3f6 Thanks @​TheEdoRan! - Filter out undefined entries from the callback promises array before awaiting Promise.all, to satisfy the stricter await-thenable rule in the latest oxlint-tsgolint. No runtime behavior change.

next-safe-action@8.5.0

Minor Changes

  • #444 adea4c6 Thanks @​TheEdoRan! - Narrow SafeActionResult into a discriminated union so that checking one field narrows the others to undefined.

    Previously, data, serverError, and validationErrors were all independently optional on the result type, which meant TypeScript could not infer that they are mutually exclusive. Now:

    const { data, serverError, validationErrors } = await myAction(input);
    if (data) {
      // TypeScript knows serverError and validationErrors are undefined here
    }
    if (serverError) {
      // TypeScript knows data and validationErrors are undefined here
    }

    Destructured narrowing works end-to-end: checking any one of the three fields propagates to the other two. No hook API changes are required — useAction().result narrows automatically.

    Runtime behavior change (compound-error precedence)

    To make narrowing honest, the action builder now applies a precedence rule when building the result, whereas previously it could return multiple populated fields at once in rare edge cases. The precedence is:

    1. validationErrors
    2. serverError
    3. data

    Two documented edge cases changed as a result:

    • Middleware calling next() twice. Previously the result contained both the first call's data AND a serverError describing the second call. Now the result contains only the serverError. Calling next() twice is a programmer error, and returning partial data alongside the error was confusing.
    • Invalid bind args combined with invalid main input. Previously the result contained both a serverError (wrapped bind args errors) AND validationErrors (main input). Now the result contains only the validationErrors. After the user fixes the main input and resubmits, the bind args errors will surface on the next attempt.

    Migration guide

... (truncated)

Commits

Updates posthog-js from 1.364.1 to 1.376.0

Release notes

Sourced from posthog-js's releases.

posthog-js@1.376.0

1.376.0

Minor Changes

  • #3655 6e8d349 Thanks @​arnaudhillen! - Expose the in-repo @posthog/rrweb, @posthog/rrweb-types, and @posthog/rrweb-plugin-console-record packages as subpath entry points on posthog-js. Consumers can now import { Replayer } from 'posthog-js/rrweb', import type { eventWithTime } from 'posthog-js/rrweb-types', and import { LogLevel } from 'posthog-js/rrweb-plugin-console-record' instead of installing the underlying rrweb packages directly. The rrweb worker sourcemap (image-bitmap-data-url-worker-*.js.map) is also shipped from posthog-js/dist/ so downstream bundlers no longer need to reach into node_modules/@posthog/rrweb. (2026-05-22)

Patch Changes

  • #3639 c806cca Thanks @​marandaneto! - Use native async gzip compression for session recording events when CompressionStream is available. (2026-05-22)
  • Updated dependencies [c806cca]:
    • @​posthog/core@​1.29.9
    • @​posthog/types@​1.376.0

posthog-js@1.375.0

1.375.0

Minor Changes

  • #3641 2e1d5f4 Thanks @​dustinbyrne! - Add flag_keys config to restrict browser feature flag remote evaluation to specific flag keys. (2026-05-21)

Patch Changes

  • Updated dependencies [2e1d5f4]:
    • @​posthog/types@​1.375.0
    • @​posthog/core@​1.29.8

posthog-js@1.374.4

1.374.4

Patch Changes

  • #3638 87e2145 Thanks @​marandaneto! - Apply tracing headers to matching XMLHttpRequest requests (2026-05-21)

  • #3646 4f87827 Thanks @​marandaneto! - Avoid throwing or initializing PostHogProvider when no API key or client is provided (2026-05-21)

  • #3645 280832b Thanks @​TueHaulund! - Capture <link rel="stylesheet"> URLs from link.sheet.href and try link.sheet directly for inlining, so recordings survive SPA history.pushState navigations between routes of different path depths (where link.href re-resolves against a new baseURI but link.sheet.href preserves the URL the browser actually fetched).

    Ships the fix landed in #3635, which only bumped the internal @posthog/rrweb-snapshot package — that package is bundled into posthog-js at build time but is not published to npm on its own, so a posthog-js bump is needed to actually deliver the change. (2026-05-21)

  • Updated dependencies []:

    • @​posthog/types@​1.374.4
    • @​posthog/core@​1.29.7

posthog-js@1.374.3

... (truncated)

Commits
  • 3d41c1d chore: update versions and lockfile [version bump]
  • c806cca feat: use async gzip for replay event compression (#3639)
  • 6e8d349 feat(replay): expose rrweb subpath entries on posthog-js (#3655)
  • ec81cc6 chore: validate changeset versioning (#3647)
  • 6d3d39f chore(ci): bump pinned posthog-sdk-test-harness SHA (#3660)
  • b191176 chore(ci): bump pinned PostHog/.github reusable workflow SHA (#3659)
  • fb18a0a chore: pin github actions to sha (#3644)
  • a05405d chore: update versions and lockfile [version bump]
  • 18ea8b5 feat(node): promote flag definition cache provider types (#3642)
  • 2e1d5f4 feat: add browser flag_keys config (#3641)
  • Additional commits viewable in compare view

Updates resend from 6.10.0 to 6.12.4

Release notes

Sourced from resend's releases.

v6.12.4

What's Changed

Full Changelog: resend/resend-node@v6.12.3...v6.12.4

v6.12.3

What's Changed

New Contributors

Full Changelog: resend/resend-node@v6.12.2...v6.12.3

v6.12.2

What's Changed

Full Changelog: resend/resend-node@v6.12.1...v6.12.2

v6.12.1

What's Changed

... (truncated)

Commits
  • 58db880 chore: bump version to 6.12.4 (#971)
  • 63f5ddb fix: replace svix with standardwebhooks to reduce install size (#969) (#970)
  • 45dc73d fix: to support @​react-email/render exports across versions in templates (#863)
  • 24950d7 refactor: align delete method with other HTTP methods in Resend class (#904)
  • 2759316 chore: bump public-shared-workflows hash (#966)
  • fa04efc chore: bump public-shared-workflows hash (#965)
  • 77bbf2d feat: add optional baseUrl and userAgent to Resend constructor (#839)
  • ebdb2d3 fix: avoid mutating payloads in emails, broadcasts, and templates (#862)
  • 674ab1b fix: rename misnamed get-contact.interface.ts to get-topic.interface.ts i...
  • ac0c09f chore: add sync-prs-to-linear action (#961)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by dielduarte, a new releaser for resend since your current version.


Updates `tailw...

Description has been truncated

Bumps the patch-and-minor group with 33 updates:

| Package | From | To |
| --- | --- | --- |
| [@arcjet/next](https://github.com/arcjet/arcjet-js/tree/HEAD/arcjet-next) | `1.3.1` | `1.4.0` |
| [@sentry/nextjs](https://github.com/getsentry/sentry-javascript) | `10.46.0` | `10.53.1` |
| [@trigger.dev/sdk](https://github.com/triggerdotdev/trigger.dev/tree/HEAD/packages/trigger-sdk) | `4.4.3` | `4.4.6` |
| [@upstash/redis](https://github.com/upstash/redis-js) | `1.37.0` | `1.38.0` |
| [framer-motion](https://github.com/motiondivision/motion) | `12.38.0` | `12.40.0` |
| [groq-sdk](https://github.com/groq/groq-typescript) | `1.1.2` | `1.2.0` |
| [next-safe-action](https://github.com/next-safe-action/next-safe-action) | `8.3.0` | `8.5.3` |
| [posthog-js](https://github.com/PostHog/posthog-js) | `1.364.1` | `1.376.0` |
| [resend](https://github.com/resend/resend-node) | `6.10.0` | `6.12.4` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [workbox-window](https://github.com/googlechrome/workbox) | `7.4.0` | `7.4.1` |
| [xstate](https://github.com/statelyai/xstate) | `5.30.0` | `5.31.1` |
| [zod](https://github.com/colinhacks/zod) | `4.3.6` | `4.4.3` |
| [zustand](https://github.com/pmndrs/zustand) | `5.0.12` | `5.0.13` |
| [@axe-core/playwright](https://github.com/dequelabs/axe-core-npm) | `4.11.1` | `4.11.3` |
| [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `2.4.9` | `2.4.15` |
| [@chromatic-com/storybook](https://github.com/chromaui/addon-visual-tests) | `5.1.1` | `5.2.1` |
| [@next/bundle-analyzer](https://github.com/vercel/next.js/tree/HEAD/packages/next-bundle-analyzer) | `16.2.4` | `16.2.6` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.58.2` | `1.60.0` |
| [@storybook/addon-a11y](https://github.com/storybookjs/storybook/tree/HEAD/code/addons/a11y) | `10.3.3` | `10.4.1` |
| [@storybook/addon-docs](https://github.com/storybookjs/storybook/tree/HEAD/code/addons/docs) | `10.3.3` | `10.4.1` |
| [@storybook/addon-onboarding](https://github.com/storybookjs/storybook/tree/HEAD/code/addons/onboarding) | `10.3.3` | `10.4.1` |
| [@storybook/nextjs-vite](https://github.com/storybookjs/storybook/tree/HEAD/code/frameworks/nextjs) | `10.3.3` | `10.4.1` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.2` | `4.3.0` |
| [@trigger.dev/build](https://github.com/triggerdotdev/trigger.dev/tree/HEAD/packages/build) | `4.4.3` | `4.4.6` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.1.1` | `16.2.6` |
| [eslint-plugin-storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/lib/eslint-plugin) | `10.3.3` | `10.4.1` |
| [msw](https://github.com/mswjs/msw) | `2.12.14` | `2.14.6` |
| [playwright](https://github.com/microsoft/playwright) | `1.58.2` | `1.60.0` |
| [prettier](https://github.com/prettier/prettier) | `3.8.1` | `3.8.3` |
| [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) | `10.3.3` | `10.4.1` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.2` | `4.3.0` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.8` | `8.0.14` |


Updates `@arcjet/next` from 1.3.1 to 1.4.0
- [Release notes](https://github.com/arcjet/arcjet-js/releases)
- [Changelog](https://github.com/arcjet/arcjet-js/blob/main/arcjet-next/CHANGELOG.md)
- [Commits](https://github.com/arcjet/arcjet-js/commits/v1.4.0/arcjet-next)

Updates `@sentry/nextjs` from 10.46.0 to 10.53.1
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.46.0...10.53.1)

Updates `@trigger.dev/sdk` from 4.4.3 to 4.4.6
- [Release notes](https://github.com/triggerdotdev/trigger.dev/releases)
- [Changelog](https://github.com/triggerdotdev/trigger.dev/blob/main/packages/trigger-sdk/CHANGELOG.md)
- [Commits](https://github.com/triggerdotdev/trigger.dev/commits/v4.4.6/packages/trigger-sdk)

Updates `@upstash/redis` from 1.37.0 to 1.38.0
- [Release notes](https://github.com/upstash/redis-js/releases)
- [Commits](https://github.com/upstash/redis-js/compare/@upstash/redis@1.37.0...@upstash/redis@1.38.0)

Updates `framer-motion` from 12.38.0 to 12.40.0
- [Changelog](https://github.com/motiondivision/motion/blob/main/CHANGELOG.md)
- [Commits](motiondivision/motion@v12.38.0...v12.40.0)

Updates `groq-sdk` from 1.1.2 to 1.2.0
- [Release notes](https://github.com/groq/groq-typescript/releases)
- [Changelog](https://github.com/groq/groq-typescript/blob/main/CHANGELOG.md)
- [Commits](groq/groq-typescript@v1.1.2...v1.2.0)

Updates `next-safe-action` from 8.3.0 to 8.5.3
- [Release notes](https://github.com/next-safe-action/next-safe-action/releases)
- [Commits](https://github.com/next-safe-action/next-safe-action/compare/next-safe-action@8.3.0...next-safe-action@8.5.3)

Updates `posthog-js` from 1.364.1 to 1.376.0
- [Release notes](https://github.com/PostHog/posthog-js/releases)
- [Changelog](https://github.com/PostHog/posthog-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/PostHog/posthog-js/compare/posthog-js@1.364.1...posthog-js@1.376.0)

Updates `resend` from 6.10.0 to 6.12.4
- [Release notes](https://github.com/resend/resend-node/releases)
- [Commits](resend/resend-node@v6.10.0...v6.12.4)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

Updates `workbox-window` from 7.4.0 to 7.4.1
- [Release notes](https://github.com/googlechrome/workbox/releases)
- [Commits](GoogleChrome/workbox@v7.4.0...v7.4.1)

Updates `xstate` from 5.30.0 to 5.31.1
- [Release notes](https://github.com/statelyai/xstate/releases)
- [Commits](https://github.com/statelyai/xstate/compare/xstate@5.30.0...xstate@5.31.1)

Updates `zod` from 4.3.6 to 4.4.3
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.3.6...v4.4.3)

Updates `zustand` from 5.0.12 to 5.0.13
- [Release notes](https://github.com/pmndrs/zustand/releases)
- [Commits](pmndrs/zustand@v5.0.12...v5.0.13)

Updates `@axe-core/playwright` from 4.11.1 to 4.11.3
- [Release notes](https://github.com/dequelabs/axe-core-npm/releases)
- [Changelog](https://github.com/dequelabs/axe-core-npm/blob/develop/CHANGELOG.md)
- [Commits](dequelabs/axe-core-npm@v4.11.1...v4.11.3)

Updates `@biomejs/biome` from 2.4.9 to 2.4.15
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.15/packages/@biomejs/biome)

Updates `@chromatic-com/storybook` from 5.1.1 to 5.2.1
- [Release notes](https://github.com/chromaui/addon-visual-tests/releases)
- [Changelog](https://github.com/chromaui/addon-visual-tests/blob/v5.2.1/CHANGELOG.md)
- [Commits](chromaui/addon-visual-tests@v5.1.1...v5.2.1)

Updates `@next/bundle-analyzer` from 16.2.4 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.6/packages/next-bundle-analyzer)

Updates `@playwright/test` from 1.58.2 to 1.60.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.58.2...v1.60.0)

Updates `@storybook/addon-a11y` from 10.3.3 to 10.4.1
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.1/code/addons/a11y)

Updates `@storybook/addon-docs` from 10.3.3 to 10.4.1
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.1/code/addons/docs)

Updates `@storybook/addon-onboarding` from 10.3.3 to 10.4.1
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.1/code/addons/onboarding)

Updates `@storybook/nextjs-vite` from 10.3.3 to 10.4.1
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.1/code/frameworks/nextjs)

Updates `@tailwindcss/postcss` from 4.2.2 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-postcss)

Updates `@trigger.dev/build` from 4.4.3 to 4.4.6
- [Release notes](https://github.com/triggerdotdev/trigger.dev/releases)
- [Changelog](https://github.com/triggerdotdev/trigger.dev/blob/main/packages/build/CHANGELOG.md)
- [Commits](https://github.com/triggerdotdev/trigger.dev/commits/v4.4.6/packages/build)

Updates `eslint-config-next` from 16.1.1 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.6/packages/eslint-config-next)

Updates `eslint-plugin-storybook` from 10.3.3 to 10.4.1
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.1/code/lib/eslint-plugin)

Updates `msw` from 2.12.14 to 2.14.6
- [Release notes](https://github.com/mswjs/msw/releases)
- [Changelog](https://github.com/mswjs/msw/blob/main/CHANGELOG.md)
- [Commits](mswjs/msw@v2.12.14...v2.14.6)

Updates `playwright` from 1.58.2 to 1.60.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.58.2...v1.60.0)

Updates `prettier` from 3.8.1 to 3.8.3
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.1...3.8.3)

Updates `storybook` from 10.3.3 to 10.4.1
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.1/code/core)

Updates `tailwindcss` from 4.2.2 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/tailwindcss)

Updates `vite` from 8.0.8 to 8.0.14
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.14/packages/vite)

---
updated-dependencies:
- dependency-name: "@arcjet/next"
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@sentry/nextjs"
  dependency-version: 10.53.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@trigger.dev/sdk"
  dependency-version: 4.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
- dependency-name: "@upstash/redis"
  dependency-version: 1.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: framer-motion
  dependency-version: 12.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: groq-sdk
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: next-safe-action
  dependency-version: 8.5.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: posthog-js
  dependency-version: 1.376.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: resend
  dependency-version: 6.12.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: workbox-window
  dependency-version: 7.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
- dependency-name: xstate
  dependency-version: 5.31.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: zod
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: zustand
  dependency-version: 5.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
- dependency-name: "@axe-core/playwright"
  dependency-version: 4.11.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
- dependency-name: "@biomejs/biome"
  dependency-version: 2.4.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
- dependency-name: "@chromatic-com/storybook"
  dependency-version: 5.2.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@next/bundle-analyzer"
  dependency-version: 16.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
- dependency-name: "@playwright/test"
  dependency-version: 1.60.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@storybook/addon-a11y"
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@storybook/addon-docs"
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@storybook/addon-onboarding"
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@storybook/nextjs-vite"
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@trigger.dev/build"
  dependency-version: 4.4.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
- dependency-name: eslint-config-next
  dependency-version: 16.2.6
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: eslint-plugin-storybook
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: msw
  dependency-version: 2.14.6
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: playwright
  dependency-version: 1.60.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: prettier
  dependency-version: 3.8.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
- dependency-name: storybook
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: tailwindcss
  dependency-version: 4.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: vite
  dependency-version: 8.0.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the `dependencies` label (Pull requests that update a dependency file) May 26, 2026
@vercel

vercel Bot commented May 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| skill-mapper | Ignored | Preview | May 26, 2026 1:53am |


@coderabbitai

coderabbitai Bot commented May 26, 2026

Warning

Review limit reached

@dependabot[bot], we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 2 minutes and 46 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f1513fba-aac2-44d5-8e24-1ea46df6e3a3

📥 Commits

Reviewing files that changed from the base of the PR and between f7a4121 and 27804c4.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

Comment @coderabbitai help to get the list of available commands and usage tips.

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @mswjs/interceptors is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@mswjs/interceptors@0.41.9

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@mswjs/interceptors@0.41.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @sentry/core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@sentry/nextjs@10.53.1 → npm/@sentry/core@10.53.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@10.53.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @storybook/addon-onboarding is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/@storybook/addon-onboarding@10.4.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@storybook/addon-onboarding@10.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@typescript-eslint/eslint-plugin@8.60.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.60.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
