chore(deps): bump the patch-updates group across 1 directory with 10 updates #946

dependabot · 2026-01-12T12:43:51Z

Bumps the patch-updates group with 10 updates in the / directory:

Package	From	To
@tanstack/react-query	`5.90.12`	`5.90.16`
react	`19.2.1`	`19.2.3`
@types/react	`19.2.7`	`19.2.8`
react-dom	`19.2.1`	`19.2.3`
swr	`2.3.7`	`2.3.8`
@biomejs/biome	`2.3.8`	`2.3.11`
@tailwindcss/postcss	`4.1.17`	`4.1.18`
@testing-library/react	`16.3.0`	`16.3.1`
@vercel/node	`5.5.15`	`5.5.16`
tailwindcss	`4.1.17`	`4.1.18`

Updates @tanstack/react-query from 5.90.12 to 5.90.16

Release notes

Sourced from @tanstack/react-query's releases.

@tanstack/react-query-persist-client@5.90.16

Patch Changes

Updated dependencies []:

@tanstack/query-persist-client-core@5.91.13

@tanstack/react-query@5.90.14

@tanstack/react-query@5.90.16

Patch Changes

fix(react-query): allow retryOnMount when throwOnError is function (#9338)

Updated dependencies [7f47906]:

@tanstack/query-core@5.90.16

@tanstack/react-query-persist-client@5.90.15

Patch Changes

Updated dependencies []:

@tanstack/query-persist-client-core@5.91.12

@tanstack/react-query@5.90.13

@tanstack/react-query@5.90.15

Patch Changes

Updated dependencies [fccef79]:

@tanstack/query-core@5.90.15

@tanstack/react-query-persist-client@5.90.14

Patch Changes

Updated dependencies []:

@tanstack/query-persist-client-core@5.91.11

@tanstack/react-query@5.90.12

@tanstack/react-query@5.90.14

Patch Changes

Updated dependencies [d576092]:

@tanstack/query-core@5.90.14

@tanstack/react-query-persist-client@5.90.13

Patch Changes

Updated dependencies [c01b150]:

@tanstack/react-query@5.90.11

@tanstack/query-persist-client-core@5.91.10

Changelog

Sourced from @tanstack/react-query's changelog.

5.90.16

Patch Changes

fix(react-query): allow retryOnMount when throwOnError is function (#9338)

Updated dependencies [7f47906]:

@tanstack/query-core@5.90.16

5.90.15

Patch Changes

Updated dependencies [fccef79]:

@tanstack/query-core@5.90.15

5.90.14

Patch Changes

Updated dependencies [d576092]:

@tanstack/query-core@5.90.14

5.90.13

Patch Changes

Updated dependencies [4a0a78a]:

@tanstack/query-core@5.90.13

Commits

167db32 ci: Version Packages (#10005)
4be3ad7 fix(react-query): allow retryOnMount when throwOnError is function (#9336) (#...
0a1e3e0 ci: Version Packages (#10003)
fccef79 fix(query-core): ensure query refetches on mount/retry when status is error (...
e907f89 fix(core): report errors of useMutation callbacks asynchronously (#9676)
84564f1 ci: Version Packages (#10001)
642f72d test(react-query/ssr): add 'useIsFetching' test for SSR (#9994)
1d20c48 ci: Version Packages (#9997)
2be25ca test(react-query/HydrationBoundary): add tests for 'enabled: false' and 'stal...
f15b7fc ci: prepare for trusted publishing (#9952)
See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @tanstack/react-query since your current version.

Updates react from 19.2.1 to 19.2.3

Release notes

Sourced from react's releases.

19.2.3 (December 11th, 2025)

React Server Components

Add extra loop protection to React Server Functions (@sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@eps1lon facebook/react#35290)

Patch Promise cycles and toString on Server Functions (@sebmarkbage, @unstubbable #35289, #35345)

Commits

612e371 Version 19.2.3
b910fc1 Version 19.2.2
See full diff in compare view

Updates @types/react from 19.2.7 to 19.2.8

Commits

See full diff in compare view

Updates react-dom from 19.2.1 to 19.2.3

Release notes

Sourced from react-dom's releases.

19.2.3 (December 11th, 2025)

React Server Components

Add extra loop protection to React Server Functions (@sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@eps1lon facebook/react#35290)

Patch Promise cycles and toString on Server Functions (@sebmarkbage, @unstubbable #35289, #35345)

Commits

612e371 Version 19.2.3
b910fc1 Version 19.2.2
See full diff in compare view

Updates swr from 2.3.7 to 2.3.8

Release notes

Sourced from swr's releases.

v2.3.8

What's Changed

deps: upgrade dev deps for build by @promer94 in vercel/swr#4188

update use-sync-external-store to latest by @huozhi in vercel/swr#4189

fix: cve-2025-55182 critical rce vulnerability by @PierreCrb in vercel/swr#4192

fix: cve-2025-55184 & CVE-2025-55183 by @PierreCrb in vercel/swr#4198

upgrade dev dep nextjs by @huozhi in vercel/swr#4199

update dev dependencies to address cve by @PierreCrb in vercel/swr#4200

enhance: Improve TSDoc comments by @shuding in vercel/swr#4203

test: Import act from React by @shuding in vercel/swr#4202

New Contributors

@PierreCrb made their first contribution in vercel/swr#4192

Full Changelog: vercel/swr@v2.3.7...v2.3.8

Commits

e0426a9 2.3.8
ca6e11d test: Import act from React (#4202)
eff8fda enhance: Improve TSDoc comments (#4203)
b2e7db3 update dev dependencies to address cve (#4200)
952198b upgrade dev dep nextjs (#4199)
147c728 fix: cve-2025-55184 & CVE-2025-55183 (#4198)
7051040 fix: cve-2025-55182 critical rce vulnerability (#4192)
da76c01 update use-sync-external-store to latest (#4189)
c7eda39 deps: upgrade dev deps for build (#4188)
See full diff in compare view

Updates @biomejs/biome from 2.3.8 to 2.3.11

Release notes

Sourced from @biomejs/biome's releases.

Biome CLI v2.3.11

2.3.11

Patch Changes
#8583 83be210 Thanks @dyc3! - Added the new nursery rule useVueValidTemplateRoot.

This rule validates only root-level \<template> elements in Vue single-file components. If the \<template> has a src attribute, it must be empty. Otherwise, it must contain content.

Invalid examples:
\<template src="./foo.html">content</template>
\<template></template>
Valid examples:
\<template>content</template>
\<template src="./foo.html"></template>
#8586 df8fe06 Thanks @dyc3! - Added a new nursery rule useVueConsistentVBindStyle. Enforces consistent v-bind style (:prop shorthand vs v-bind:prop longhand). Default prefers shorthand; configurable via rule options.
#8587 9a8c98d Thanks @dyc3! - Added the rule useVueVForKey, which enforces that any element using v-for also specifies a key.

Invalid
<li v-for="item in items">{{ item }}</li>
Valid
<li v-for="item in items" :key="item.id">{{ item }}</li>
#8586 df8fe06 Thanks @dyc3! - Added a new nursery rule useVueConsistentVOnStyle. Enforces consistent v-on style (@event shorthand vs v-on:event longhand). Default prefers shorthand; configurable via rule options.

#8583 83be210 Thanks @dyc3! - Added the new nursery rule useVueValidVOnce. Enforces that usages of the v-once directive in Vue.js SFC are valid.

... (truncated)

Changelog

Sourced from @biomejs/biome's changelog.

2.3.11

Patch Changes
#8583 83be210 Thanks @dyc3! - Added the new nursery rule useVueValidTemplateRoot.

This rule validates only root-level \<template> elements in Vue single-file components. If the \<template> has a src attribute, it must be empty. Otherwise, it must contain content.

Invalid examples:
\<template src="./foo.html">content</template>
\<template></template>
Valid examples:
\<template>content</template>
\<template src="./foo.html"></template>
#8586 df8fe06 Thanks @dyc3! - Added a new nursery rule useVueConsistentVBindStyle. Enforces consistent v-bind style (:prop shorthand vs v-bind:prop longhand). Default prefers shorthand; configurable via rule options.
#8587 9a8c98d Thanks @dyc3! - Added the rule useVueVForKey, which enforces that any element using v-for also specifies a key.

Invalid
<li v-for="item in items">{{ item }}</li>
Valid
<li v-for="item in items" :key="item.id">{{ item }}</li>
#8586 df8fe06 Thanks @dyc3! - Added a new nursery rule useVueConsistentVOnStyle. Enforces consistent v-on style (@event shorthand vs v-on:event longhand). Default prefers shorthand; configurable via rule options.
#8583 83be210 Thanks @dyc3! - Added the new nursery rule useVueValidVOnce. Enforces that usages of the v-once directive in Vue.js SFC are valid.

... (truncated)

Commits

1550e73 ci: release (#8507)
a3a27a7 feat(analyze/html/vue): add useVueVapor rule (#8644)
9a8c98d feat(analyze/html/vue): add useVueVForKey (#8587)
ab9af9a feat: no-jsx-props-bind (#7410)
df8fe06 feat(analyze/html/vue): add v-bind/v-on style rules (#8586)
83be210 feat(analyze/html/vue): add a few more simple vue lint rules (#8583)
a3a1ad2 feat(biome_js_analyze): port noBeforeInteractiveScriptOutsideDocument from ...
9dd9ca7 feat(graphql_analyze): implement useUniqueArgumentNames (#8591)
5e85d43 feat(graphql_analyze): implement useUniqueFieldDefinitionNames (#8598)
a5f59cd feat(graphql_analyze): implement useUniqueInputFieldNames (#8592)
Additional commits viewable in compare view

Updates @tailwindcss/postcss from 4.1.17 to 4.1.18

Release notes

Sourced from @tailwindcss/postcss's releases.

v4.1.18

Fixed

Ensure validation of source(…) happens relative to the file it is in (#19274)

Include filename and line numbers in CSS parse errors (#19282)

Skip comments in Ruby files when checking for class names (#19243)

Skip over arbitrary property utilities with a top-level ! in the value (#19243)

Support environment API in @tailwindcss/vite (#18970)

Preserve case of theme keys from JS configs and plugins (#19337)

Write source maps correctly on the CLI when using --watch (#19373)

Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)

Improve backwards compatibility for content theme key from JS configs (#19381)

Upgrade: Handle future and experimental config keys (#19344)

Try to canonicalize any arbitrary utility to a bare value (#19379)

Validate candidates similarly to Oxide (#19397)

Canonicalization: combine text-* and leading-* classes (#19396)

Correctly handle duplicate CLI arguments (#19416)

Don’t emit color-mix fallback rules inside @keyframes (#19419)

CLI: Don't hang when output is /dev/stdout (#19421)

Changelog

Sourced from @tailwindcss/postcss's changelog.

[4.1.18] - 2025-12-11

Fixed

Ensure validation of source(…) happens relative to the file it is in (#19274)

Include filename and line numbers in CSS parse errors (#19282)

Skip comments in Ruby files when checking for class names (#19243)

Skip over arbitrary property utilities with a top-level ! in the value (#19243)

Support environment API in @tailwindcss/vite (#18970)

Preserve case of theme keys from JS configs and plugins (#19337)

Write source maps correctly on the CLI when using --watch (#19373)

Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)

Improve backwards compatibility for content theme key from JS configs (#19381)

Upgrade: Handle future and experimental config keys (#19344)

Try to canonicalize any arbitrary utility to a bare value (#19379)

Validate candidates similarly to Oxide (#19397)

Canonicalization: combine text-* and leading-* classes (#19396)

Correctly handle duplicate CLI arguments (#19416)

Don’t emit color-mix fallback rules inside @keyframes (#19419)

CLI: Don't hang when output is /dev/stdout (#19421)

[3.4.19] - 2025-12-10

Fixed

Don’t break sibling-*() functions when used inside calc(…) (#19335)

Commits

9b32f7c Release v4.1.18 (#19431)
9c8cf8a Fix formatting of path in README.md (#19407)
See full diff in compare view

Updates @testing-library/react from 16.3.0 to 16.3.1

Release notes

Sourced from @testing-library/react's releases.

v16.3.1

16.3.1 (2025-12-15)

Bug Fixes

Switch to trusted publishing (#1437) (a2d37ff)

Commits

a2d37ff fix: Switch to trusted publishing (#1437)
cd6a175 chore: fix action permissions (#1436)
22b8c28 chore: fix release (#1435)
d996673 chore: new release workflow (#1434)
205ce17 chore: fix typo in jest.config.js (#1427)
aba5740 [test] Fix tests for react@experimental (#1424)
590bc18 [test] Fix npm run typecheck (#1423)
1c931a6 chore(deps): use npm-run-all2 (#1411)
See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @testing-library/react since your current version.

Updates @types/react from 19.2.7 to 19.2.8

Commits

See full diff in compare view

Updates @vercel/node from 5.5.15 to 5.5.16

Release notes

Sourced from @vercel/node's releases.

@vercel/node@5.5.16

Patch Changes

Updated dependencies [c55475f865ecf22f27b8b17f6fc98b9e1455ab5d]:

@vercel/build-utils@13.2.4

Changelog

Sourced from @vercel/node's changelog.

5.5.16

Patch Changes

Updated dependencies [c55475f865ecf22f27b8b17f6fc98b9e1455ab5d]:

@vercel/build-utils@13.2.4

Commits

354f717 Version Packages (#14498)
See full diff in compare view

Updates tailwindcss from 4.1.17 to 4.1.18

Release notes

Sourced from tailwindcss's releases.

v4.1.18

Fixed

Ensure validation of source(…) happens relative to the file it is in (#19274)

Include filename and line numbers in CSS parse errors (#19282)

Skip comments in Ruby files when checking for class names (#19243)

Skip over arbitrary property utilities with a top-level ! in the value (#19243)

Support environment API in @tailwindcss/vite (#18970)

Preserve case of theme keys from JS configs and plugins (#19337)

Write source maps correctly on the CLI when using --watch (#19373)

Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)

Improve backwards compatibility for content theme key from JS configs (#19381)

Upgrade: Handle future and experimental config keys (#19344)

Try to canonicalize any arbitrary utility to a bare value (#19379)

Validate candidates similarly to Oxide (#19397)

Canonicalization: combine text-* and leading-* classes (#19396)

Correctly handle duplicate CLI arguments (#19416)

Don’t emit color-mix fallback rules inside @keyframes (#19419)

CLI: Don't hang when output is /dev/stdout (#19421)

Changelog

Sourced from tailwindcss's changelog.

[4.1.18] - 2025-12-11

Fixed

Ensure validation of source(…) happens relative to the file it is in (#19274)

Include filename and line numbers in CSS parse errors (#19282)

Skip comments in Ruby files when checking for class names (#19243)

Skip over arbitrary property utilities with a top-level ! in the value (#19243)

Support environment API in @tailwindcss/vite (#18970)

Preserve case of theme keys from JS configs and plugins (#19337)

Write source maps correctly on the CLI when using --watch (#19373)

Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)

Improve backwards compatibility for content theme key from JS configs (#19381)

Upgrade: Handle future and experimental config keys (#19344)

Try to canonicalize any arbitrary utility to a bare value (#19379)

Validate candidates similarly to Oxide (#19397)

Canonicalization: combine text-* and leading-* classes (#19396)

Correctly handle duplicate CLI arguments (#19416)

Don’t emit color-mix fallback rules inside @keyframes (#19419)

CLI: Don't hang when output is /dev/stdout (#19421)

[3.4.19] - 2025-12-10

Fixed

Don’t break sibling-*() functions when used inside calc(…) (#19335)

Commits

9b32f7c Release v4.1.18 (#19431)
820d907 Expose candidatesToAst to the language server (#19405)
478e959 Don’t emit color-mix fallback rules inside @keyframes (#19419)
a5f4644 Validate named values in candidate parser (#19397)
229121d Canonicalization: combine text-* and leading-* classes (#19396)
243615e Handle backwards compatibility for content theme from JS configs (#19381)
7642751 Improve compatibility with special default values in JS configs (#19348)
af48117 remove unnecessary intermediate check
9e436f7 Try to canonicalize any arbitrary utility to a bare value (#19379)
479b725 Bump Vitest to v4 (#19216)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

vercel · 2026-01-12T12:43:54Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
yearnfi	Ready	Preview, Comment	Jan 15, 2026 2:15am

github-actions · 2026-01-12T12:44:04Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

npm/@biomejs/biome

2.3.11

Unknown

npm/@tailwindcss/postcss

4.1.18

🟢 5.3

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 1/26 approved changesets -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	⚠️ 0	security policy file not detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	14 existing vulnerabilities detected

npm/@tanstack/react-query

5.90.17

Unknown

npm/@testing-library/react

16.3.1

🟢 5

Details

Check	Score	Reason
Maintained	🟢 8	7 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 8
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 4	Found 14/29 approved changesets -- score normalized to 4
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	⚠️ 0	security policy file not detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@types/react

19.2.8

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 9	license file detected
Security-Policy	🟢 10	security policy file detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@vercel/node

5.5.20

🟢 5.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Packaging	🟢 10	packaging workflow detected
Security-Policy	🟢 10	security policy file detected
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Signed-Releases	⚠️ -1	no releases found
Binary-Artifacts	🟢 6	binaries present in source code
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
Vulnerabilities	⚠️ 0	589 existing vulnerabilities detected

npm/react

19.2.3

🟢 5.7

Details

Check	Score	Reason
Code-Review	🟢 7	Found 22/30 approved changesets -- score normalized to 7
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 2	badge detected: InProgress
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Binary-Artifacts	🟢 9	binaries present in source code
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	⚠️ 0	238 existing vulnerabilities detected

npm/react-dom

19.2.3

🟢 5.7

Details

Check	Score	Reason
Code-Review	🟢 7	Found 22/30 approved changesets -- score normalized to 7
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 2	badge detected: InProgress
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Binary-Artifacts	🟢 9	binaries present in source code
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	⚠️ 0	238 existing vulnerabilities detected

npm/swr

2.3.8

🟢 6.2

Details

Check	Score	Reason
Security-Policy	🟢 10	security policy file detected
Maintained	🟢 10	17 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 7	Found 22/30 approved changesets -- score normalized to 7
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/tailwindcss

4.1.18

🟢 5.3

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 1/26 approved changesets -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	⚠️ 0	security policy file not detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	14 existing vulnerabilities detected

Scanned Files

package.json

socket-security · 2026-01-12T12:44:36Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality	Maintenance
@vercel/node@5.5.15 ⏵ 5.5.20		⁺¹
@types/react@19.2.7 ⏵ 19.2.8	⁺¹	⁺¹
tailwindcss@4.1.17 ⏵ 4.1.18	⁺¹	⁺¹
react@19.2.1 ⏵ 19.2.3			⁺¹
@tanstack/react-query@5.90.12 ⏵ 5.90.17		⁺¹	⁺²
@testing-library/react@16.3.0 ⏵ 16.3.1
react-dom@19.2.1 ⏵ 19.2.3			⁺¹
swr@2.3.7 ⏵ 2.3.8	⁺¹		⁺¹
@tailwindcss/postcss@4.1.17 ⏵ 4.1.18
@biomejs/biome@2.3.8 ⏵ 2.3.11	⁺¹		^-1

View full report

…updates Bumps the patch-updates group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.90.12` | `5.90.16` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.1` | `19.2.3` | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.7` | `19.2.8` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.1` | `19.2.3` | | [swr](https://github.com/vercel/swr) | `2.3.7` | `2.3.8` | | [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `2.3.8` | `2.3.11` | | [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.1.17` | `4.1.18` | | [@testing-library/react](https://github.com/testing-library/react-testing-library) | `16.3.0` | `16.3.1` | | [@vercel/node](https://github.com/vercel/vercel/tree/HEAD/packages/node) | `5.5.15` | `5.5.16` | | [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.1.17` | `4.1.18` | Updates `@tanstack/react-query` from 5.90.12 to 5.90.16 - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/@tanstack/[email protected]/packages/react-query) Updates `react` from 19.2.1 to 19.2.3 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.3/packages/react) Updates `@types/react` from 19.2.7 to 19.2.8 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `react-dom` from 19.2.1 to 19.2.3 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.3/packages/react-dom) Updates `swr` from 2.3.7 to 2.3.8 - [Release notes](https://github.com/vercel/swr/releases) - [Commits](vercel/swr@v2.3.7...v2.3.8) Updates `@biomejs/biome` from 2.3.8 to 2.3.11 - [Release notes](https://github.com/biomejs/biome/releases) - [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md) - [Commits](https://github.com/biomejs/biome/commits/@biomejs/[email protected]/packages/@biomejs/biome) Updates `@tailwindcss/postcss` from 4.1.17 to 4.1.18 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.1.18/packages/@tailwindcss-postcss) Updates `@testing-library/react` from 16.3.0 to 16.3.1 - [Release notes](https://github.com/testing-library/react-testing-library/releases) - [Changelog](https://github.com/testing-library/react-testing-library/blob/main/CHANGELOG.md) - [Commits](testing-library/react-testing-library@v16.3.0...v16.3.1) Updates `@types/react` from 19.2.7 to 19.2.8 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `@vercel/node` from 5.5.15 to 5.5.16 - [Release notes](https://github.com/vercel/vercel/releases) - [Changelog](https://github.com/vercel/vercel/blob/main/packages/node/CHANGELOG.md) - [Commits](https://github.com/vercel/vercel/commits/@vercel/[email protected]/packages/node) Updates `tailwindcss` from 4.1.17 to 4.1.18 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.1.18/packages/tailwindcss) --- updated-dependencies: - dependency-name: "@tanstack/react-query" dependency-version: 5.90.16 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: react dependency-version: 19.2.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: "@types/react" dependency-version: 19.2.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: react-dom dependency-version: 19.2.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: swr dependency-version: 2.3.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: "@biomejs/biome" dependency-version: 2.3.11 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: "@tailwindcss/postcss" dependency-version: 4.1.18 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: "@testing-library/react" dependency-version: 16.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: "@types/react" dependency-version: 19.2.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: "@vercel/node" dependency-version: 5.5.16 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: tailwindcss dependency-version: 4.1.18 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 12, 2026

vercel bot deployed to Preview January 12, 2026 12:45 View deployment

dependabot bot force-pushed the dependabot/bun/patch-updates-ec9a626e5c branch from 7349d29 to f714fcd Compare January 15, 2026 02:14

vercel bot deployed to Preview January 15, 2026 02:15 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): bump the patch-updates group across 1 directory with 10 updates #946

chore(deps): bump the patch-updates group across 1 directory with 10 updates #946

Uh oh!

dependabot bot commented on behalf of github Jan 12, 2026 •

edited

Loading

Uh oh!

vercel bot commented Jan 12, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Jan 12, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Jan 12, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

chore(deps): bump the patch-updates group across 1 directory with 10 updates #946

Are you sure you want to change the base?

chore(deps): bump the patch-updates group across 1 directory with 10 updates #946

Uh oh!

Conversation

dependabot bot commented on behalf of github Jan 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

@​tanstack/react-query-persist-client@​5.90.16

Patch Changes

@​tanstack/react-query@​5.90.16

Patch Changes

@​tanstack/react-query-persist-client@​5.90.15

Patch Changes

@​tanstack/react-query@​5.90.15

Patch Changes

@​tanstack/react-query-persist-client@​5.90.14

Patch Changes

@​tanstack/react-query@​5.90.14

Patch Changes

@​tanstack/react-query-persist-client@​5.90.13

Patch Changes

5.90.16

Patch Changes

5.90.15

Patch Changes

5.90.14

Patch Changes

5.90.13

Patch Changes

19.2.3 (December 11th, 2025)

React Server Components

19.2.2 (December 11th, 2025)

React Server Components

19.2.3 (December 11th, 2025)

React Server Components

19.2.2 (December 11th, 2025)

React Server Components

v2.3.8

What's Changed

New Contributors

Biome CLI v2.3.11

2.3.11

Patch Changes

2.3.11

Patch Changes

v4.1.18

Fixed

[4.1.18] - 2025-12-11

Fixed

[3.4.19] - 2025-12-10

Fixed

v16.3.1

16.3.1 (2025-12-15)

Bug Fixes

@​vercel/node@​5.5.16

Patch Changes

5.5.16

Patch Changes

v4.1.18

Fixed

[4.1.18] - 2025-12-11

Fixed

[3.4.19] - 2025-12-10

Fixed

Uh oh!

vercel bot commented Jan 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Jan 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Dependency Review

OpenSSF Scorecard

Scanned Files

Uh oh!

socket-security bot commented Jan 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

dependabot bot commented on behalf of github Jan 12, 2026 •

edited

Loading

`@tanstack/react-query-persist-client@5`.90.16

`@tanstack/react-query@5`.90.16

`@tanstack/react-query-persist-client@5`.90.15

`@tanstack/react-query@5`.90.15

`@tanstack/react-query-persist-client@5`.90.14

`@tanstack/react-query@5`.90.14

`@tanstack/react-query-persist-client@5`.90.13

`@vercel/node@5`.5.16

vercel bot commented Jan 12, 2026 •

edited

Loading

github-actions bot commented Jan 12, 2026 •

edited

Loading

socket-security bot commented Jan 12, 2026 •

edited

Loading