chore(deps): update javascript

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@hookform/resolvers (source)	5.2.2 → 5.4.0
@radix-ui/react-accordion (source)	1.2.12 → 1.2.13
@radix-ui/react-alert-dialog (source)	1.1.15 → 1.1.16
@radix-ui/react-aspect-ratio (source)	1.1.8 → 1.1.9
@radix-ui/react-avatar (source)	1.1.11 → 1.1.12
@radix-ui/react-checkbox (source)	1.3.3 → 1.3.4
@radix-ui/react-collapsible (source)	1.1.12 → 1.1.13
@radix-ui/react-context-menu (source)	2.2.16 → 2.3.0
@radix-ui/react-dialog (source)	1.1.15 → 1.1.16
@radix-ui/react-dropdown-menu (source)	2.1.16 → 2.1.17
@radix-ui/react-hover-card (source)	1.1.15 → 1.1.16
@radix-ui/react-label (source)	2.1.8 → 2.1.9
@radix-ui/react-menubar (source)	1.1.16 → 1.1.17
@radix-ui/react-navigation-menu (source)	1.2.14 → 1.2.15
@radix-ui/react-popover (source)	1.1.15 → 1.1.16
@radix-ui/react-progress (source)	1.1.8 → 1.1.9
@radix-ui/react-radio-group (source)	1.3.8 → 1.4.0
@radix-ui/react-scroll-area (source)	1.2.10 → 1.2.11
@radix-ui/react-select (source)	2.2.6 → 2.3.0
@radix-ui/react-separator (source)	1.1.8 → 1.1.9
@radix-ui/react-slider (source)	1.3.6 → 1.4.0
@radix-ui/react-slot (source)	1.2.4 → 1.2.5
@radix-ui/react-switch (source)	1.2.6 → 1.3.0
@radix-ui/react-tabs (source)	1.1.13 → 1.1.14
@radix-ui/react-toast (source)	1.2.15 → 1.2.16
@radix-ui/react-toggle (source)	1.1.10 → 1.1.11
@radix-ui/react-toggle-group (source)	1.1.11 → 1.1.12
@radix-ui/react-tooltip (source)	1.2.8 → 1.2.9
@tailwindcss/postcss (source)	4.2.2 → 4.3.0
@tanstack/react-query (source)	5.95.2 → 5.101.0
@types/node (source)	24.12.0 → 24.13.1
@types/react (source)	19.2.14 → 19.2.17
@vitejs/plugin-react-swc (source)	4.3.0 → 4.3.1
autoprefixer	10.4.27 → 10.5.0
date-fns	4.1.0 → 4.4.0
eslint (source)	10.1.0 → 10.4.1
eslint-plugin-react-hooks (source)	7.0.1 → 7.1.1
globals	17.4.0 → 17.6.0
lovable-tagger	1.1.13 → 1.3.0
lucide-react (source)	1.6.0 → 1.17.0
postcss (source)	8.5.8 → 8.5.15
react (source)	19.2.4 → 19.2.7
react-dom (source)	19.2.4 → 19.2.7
react-hook-form (source)	7.72.0 → 7.78.0
react-resizable-panels (source)	4.7.5 → 4.11.2
react-router-dom (source)	7.13.2 → 7.17.0
recharts	3.8.0 → 3.8.1
tailwind-merge	3.5.0 → 3.6.0
tailwindcss (source)	4.2.2 → 4.3.0
typescript (source)	6.0.2 → 6.0.3
typescript-eslint (source)	8.57.2 → 8.61.0
vite (source)	8.0.2 → 8.0.16
zod (source)	4.3.6 → 4.4.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

react-hook-form/resolvers (@​hookform/resolvers)

v5.4.0

Compare Source

Features

• feat: add ata-validator resolver (#​845)

Fixes

• fix issue with toNestErrors.ts (#​848)

• add guidance on passing context to yupResolver (useForm context) (#​835) (3d29924)

radix-ui/primitives (@​radix-ui/react-accordion)

v1.2.13

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-collapsible@1.1.13, @radix-ui/react-collection@1.1.9, @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

radix-ui/primitives (@​radix-ui/react-alert-dialog)

v1.1.16

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-dialog@1.1.16, @radix-ui/react-slot@1.2.5, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5

radix-ui/primitives (@​radix-ui/react-aspect-ratio)

v1.1.9

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-primitive@2.1.5

radix-ui/primitives (@​radix-ui/react-avatar)

v1.1.12

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-is-hydrated@0.1.1, @radix-ui/react-use-layout-effect@1.1.2

radix-ui/primitives (@​radix-ui/react-checkbox)

v1.3.4

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-use-size@1.1.2

radix-ui/primitives (@​radix-ui/react-collapsible)

v1.1.13

• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2

radix-ui/primitives (@​radix-ui/react-context-menu)

v2.3.0

• Added support for a controlled open prop on ContextMenu.Root. This is intended for reading the open state and closing the menu programmatically, though we discourage opening the menu programmatically since opening the menu depends on user interaction to position the menu.
• Fixed bug in context menu where submenus stayed expanded after re-opening on long-press touch events
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-menu@2.1.17, @radix-ui/primitive@1.1.4, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

radix-ui/primitives (@​radix-ui/react-dialog)

v1.1.16

• Fixed disabled pointer events in closed dialogs
• Fixed a bug where iOS text selection and editing on HTML inputs within react-dialog were broken
• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-slot@1.2.5, @radix-ui/react-focus-guards@1.1.4, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-focus-scope@1.1.9, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

radix-ui/primitives (@​radix-ui/react-dropdown-menu)

v2.1.17

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-menu@2.1.17, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

radix-ui/primitives (@​radix-ui/react-hover-card)

v1.1.16

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-popper@1.3.0, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

radix-ui/primitives (@​radix-ui/react-label)

v2.1.9

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-primitive@2.1.5

radix-ui/primitives (@​radix-ui/react-menubar)

v1.1.17

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-menu@2.1.17, @radix-ui/react-collection@1.1.9, @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-roving-focus@1.1.12, @radix-ui/react-use-controllable-state@1.2.3

radix-ui/primitives (@​radix-ui/react-navigation-menu)

v1.2.15

• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/react-collection@1.1.9, @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-visually-hidden@1.2.5

radix-ui/primitives (@​radix-ui/react-popover)

v1.1.16

• Fixed a bug where iOS text selection and editing on HTML inputs within react-dialog were broken
• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-popper@1.3.0, @radix-ui/react-slot@1.2.5, @radix-ui/react-focus-guards@1.1.4, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-focus-scope@1.1.9, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

radix-ui/primitives (@​radix-ui/react-progress)

v1.1.9

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5

radix-ui/primitives (@​radix-ui/react-radio-group)

v1.4.0

• Added unstable RadioGroupItemProvider, RadioGroupItemTrigger and RadioGroupItemBubbleInput parts. These expose the previously internal composition of a radio item (context provider, the interactive control, and the hidden form input) so consumers can directly access and recompose them. The RadioGroupItem component continues to render them by default.
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-roving-focus@1.1.12, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-use-size@1.1.2

radix-ui/primitives (@​radix-ui/react-scroll-area)

v1.2.11

• Fixed missing data-state attribute for Scroll Area scrollbars
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-direction@1.1.2, @radix-ui/number@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-layout-effect@1.1.2

radix-ui/primitives (@​radix-ui/react-select)

v2.3.0

• Added unstable Provider and BubbleInput parts to Select. Select.unstable_Provider sets up Select's context and state without implicitly rendering the hidden native select, and Select.unstable_BubbleInput exposes that previously internal native select so consumers can recompose it explicitly. Select continues to render both by default.
• Added support for presence-based exit animations in Select
• Fixed Select hidden input so it submits empty string when no value is selected
• Fixed placeholder rendering when a controlled Select is reset to an empty value
• Added missing __selectScope prop to PopperContent component
• Fixed Select closing unexpectedly after touch-scrolling its content when rendered inside an open shadow DOM
• Fixed a bug where iOS text selection and editing on HTML inputs within react-dialog were broken
• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Fixed SelectValue logging invalid prop errors when used with both asChild and a placeholder
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-popper@1.3.0, @radix-ui/react-slot@1.2.5, @radix-ui/react-focus-guards@1.1.4, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/react-collection@1.1.9, @radix-ui/react-direction@1.1.2, @radix-ui/number@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-focus-scope@1.1.9, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-visually-hidden@1.2.5

radix-ui/primitives (@​radix-ui/react-separator)

v1.1.9

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-primitive@2.1.5

radix-ui/primitives (@​radix-ui/react-slider)

v1.4.0

• Added unstable ThumbProvider, ThumbTrigger, and BubbleInput parts to Slider. SliderThumb was previously a single component that implicitly rendered a hidden native input for form submission. It is now composed from these new parts, which are exposed so consumers can decouple the bubble input from the thumb (for example, to render or customize it independently) instead of relying on SliderThumb to render it implicitly. SliderThumb continues to render all three by default, so existing usage is unaffected.
• Added focusVisible for non-keyboard interactions with slider thumbs for progressively enabling styles using :focus-visible alongside programmatic focus management
• Fixed Slider focus bugs in scrollable context
• Fixed a Slider bug where very small step values made the thumbs unresponsive
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-collection@1.1.9, @radix-ui/react-direction@1.1.2, @radix-ui/number@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-use-size@1.1.2

radix-ui/primitives (@​radix-ui/react-slot)

v1.2.5

• Fixed infinite re-render loop in React 19 caused by Slot creating a new ref callback on every render
• Added support for nested Slottable via a render prop, so a slotted element can be wrapped while still merging Slot props and refs onto it
• Added repository.directory to all package.json files
• Improved error messages for invalid slot children
• Updated dependencies: @radix-ui/react-compose-refs@1.1.3

radix-ui/primitives (@​radix-ui/react-switch)

v1.3.0

• Added unstable Provider, Trigger and BubbleInput parts to Switch. These expose the previously internal composition (context provider, the interactive control, and the hidden form input) so consumers can directly access and recompose them. The Switch component continues to render them by default.
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-use-size@1.1.2

radix-ui/primitives (@​radix-ui/react-tabs)

v1.1.14

• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-roving-focus@1.1.12, @radix-ui/react-use-controllable-state@1.2.3

radix-ui/primitives (@​radix-ui/react-toast)

v1.2.16

• Allow to specify container for ToastAnnounce
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/react-collection@1.1.9, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-visually-hidden@1.2.5

radix-ui/primitives (@​radix-ui/react-toggle)

v1.1.11

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/primitive@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

radix-ui/primitives (@​radix-ui/react-toggle-group)

v1.1.12

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-roving-focus@1.1.12, @radix-ui/react-toggle@1.1.11, @radix-ui/react-use-controllable-state@1.2.3

radix-ui/primitives (@​radix-ui/react-tooltip)

v1.2.9

• Fixed runtime error when event target is non-Node
• Fixed a Tooltip bug so that skipDelayDuration={0} works as expected. Previously, the open delay could still be skipped when moving between triggers.
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-popper@1.3.0, @radix-ui/react-slot@1.2.5, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-visually-hidden@1.2.5

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.3.0

Compare Source

Added

• Add @container-size utility (#​18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#​19981, #​20019)
• Add scrollbar-gutter-* utilities (#​20018)
• Add zoom-* utilities (#​20020)
• Add tab-* utilities (#​20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#​19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#​19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#​19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#​19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#​19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#​19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#​19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#​19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#​19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#​19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#​19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#​19918)
• Allow multiple @utility definitions with the same name but different value types (#​19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#​19707)
• Ensure start and end legacy utilities without values do not generate CSS (#​20003)
• Ensure --value(…) is required in functional @utility definitions (#​20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#​20011)

v4.2.4

Compare Source

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#​19947)

v4.2.3

Compare Source

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#​19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#​19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#​19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#​19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#​19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#​19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#​19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#​19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#​19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#​19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#​19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#​19846)
• Upgrade: never migrate files that are ignored by git (#​19846)
• Add .env and .env.* to default ignored content files (#​19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#​19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#​19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#​19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#​19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#​19858)
• Improve performance when scanning JSONL / NDJSON files (#​19862)
• Support NODE_PATH environment variable in standalone CLI (#​19617)

TanStack/query (@​tanstack/react-query)

v5.101.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

v5.100.14

Compare Source

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#​10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

v5.100.13

Compare Source

Patch Changes

• Updated dependencies [d423168]:
  • @​tanstack/query-core@​5.100.13

v5.100.12

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.12

v5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

v5.100.10

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.10

[v5.100.9](https://redirect.github.com/TanStack/query/blob/HEAD/packages/react-query

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/London)

• Branch creation
  • "before 10am on friday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Warning

[Medium Risk] New production EC2 server is being launched without an attached IAM instance profile

The change creates a new production EC2 instance at github.com/overmindtech/terraform-example.aws_instance.module.api_access[0].aws_instance.api_server with custom user-data that installs Python and starts a long-running HTTP service on port 9090, but there is no IAM role or instance-profile resource anywhere else in the plan to attach to it. On AWS, EC2 applications receive AWS permissions through an instance profile, and the organization’s compute-hardening standard explicitly treats instances without one as a security finding.

When this instance launches, it will not have a least-privilege machine identity for SSM-managed access, agent-based logging, or any future AWS API calls the workload needs. That forces operators toward unmanaged access patterns or later ad hoc permission changes, and it leaves a production server outside the organization’s required EC2 hardening baseline. This is a real medium-severity security/compliance risk even if the HTTP service itself starts successfully.
_{View reasoning tree here.}

Warning

[Medium Risk] New API access instance exposes an HTTP service from a public subnet outside the intended load-balancer boundary

This change creates a new production-tagged EC2 instance in subnet-07b5b1fb2ba02f964, starts a Python HTTP service bound to 0.0.0.0:9090, and registers the instance IP to the api-health-terraform-example target group on port 9090. Blast-radius data shows that subnet is associated with route table rtb-0279ca2304acbbb97, which has a 0.0.0.0/0 route to internet gateway igw-0beefc4b4a0653a6e, so this is a public subnet. The organizational security standard explicitly says EC2 instances must not be directly reachable from the internet and should be placed in private subnets.

Even though associate_public_ip_address is still (known after apply), the same change also updates the module-managed Elastic IP resource, so this instance is being introduced on a path that can make it directly addressable outside the ALB. That bypasses the intended edge boundary and exposes the unauthenticated health service outside a controlled ALB/WAF layer. If the attached security groups permit ingress, the instance will become directly exploitable; even without that, the change is already a confirmed network-segmentation violation and creates an unsafe dual-path design where traffic can reach the workload both through load balancer health registration and directly at the instance.
_{View reasoning tree here.}

Signals

Routine → Multiple compute and supporting infrastructure resources are showing unusual and infrequent routine changes at 1-2 events/week for the last 3 months, with the API server instance repeatedly appearing at 1 event/week for the last 3 months.
Policies → Multiple infrastructure resources showing unusual policy violations that may need review: an S3 bucket is missing required tags and does not have server-side encryption configured, and a security group allows SSH (port 22) access from anywhere (0.0.0.0/0).

_{Additional Change Details:} Items 87 Edges 195 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 97 · Edges 246

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 27 · Edges 66

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 8 · Edges 30

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 2 high risks requiring review

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 2 · Medium 0 · Low 0

---

💥 Blast Radius

Items 11 · Edges 25

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 8 · Edges 30

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 12 · Edges 38

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 4 · Edges 20

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 1 high risk requiring review

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 1 · Medium 0 · Low 0

---

💥 Blast Radius

Items 2 · Edges 20

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 1 high risk requiring review

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 1 · Medium 0 · Low 0

---

💥 Blast Radius

Items 16 · Edges 45

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 21 · Edges 63

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 49 · Edges 141

---

View full analysis in Overmind ↗