deps(deps): bump the minor-and-patch group with 34 updates

[dependabot]

Bumps the minor-and-patch group with 34 updates:

Package	From	To
@radix-ui/react-dialog	1.1.15	1.1.16
@radix-ui/react-dropdown-menu	2.1.16	2.1.17
@radix-ui/react-progress	1.1.8	1.1.9
@radix-ui/react-scroll-area	1.2.10	1.2.11
@radix-ui/react-separator	1.1.8	1.1.9
@radix-ui/react-slider	1.3.6	1.4.0
@radix-ui/react-slot	1.2.4	1.2.5
@radix-ui/react-tabs	1.1.13	1.1.14
@radix-ui/react-toast	1.2.15	1.2.16
@radix-ui/react-tooltip	1.2.8	1.2.9
@supabase/supabase-js	2.99.3	2.108.2
framer-motion	12.38.0	12.40.0
imapflow	1.3.6	1.4.0
ioredis	5.10.1	5.11.1
isomorphic-dompurify	3.12.0	3.17.0
lucide-react	1.14.0	1.18.0
next	16.2.4	16.2.9
openai	6.36.0	6.42.0
posthog-js	1.381.0	1.386.8
react	19.2.5	19.2.7
@types/react	19.2.14	19.2.17
react-dom	19.2.5	19.2.7
resend	6.12.2	6.12.4
tailwind-merge	3.5.0	3.6.0
@playwright/test	1.60.0	1.61.0
@tailwindcss/postcss	4.2.4	4.3.1
@types/jsdom	28.0.0	28.0.3
@types/node	25.6.0	25.9.3
@vitest/coverage-v8	4.1.8	4.1.9
eslint-config-next	16.2.4	16.2.9
postcss	8.5.14	8.5.15
tailwindcss	4.2.4	4.3.1
tsx	4.21.0	4.22.4
vitest	4.1.8	4.1.9

Updates @radix-ui/react-dialog from 1.1.15 to 1.1.16

Changelog

Sourced from @​radix-ui/react-dialog's changelog.

1.1.16

• Fixed disabled pointer events in closed dialogs
• Fixed a bug where iOS text selection and editing on HTML inputs within react-dialog were broken
• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-slot@1.2.5, @radix-ui/react-focus-guards@1.1.4, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-focus-scope@1.1.9, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-dialog since your current version.

Updates @radix-ui/react-dropdown-menu from 2.1.16 to 2.1.17

Changelog

Sourced from @​radix-ui/react-dropdown-menu's changelog.

2.1.17

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-menu@2.1.17, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-dropdown-menu since your current version.

Updates @radix-ui/react-progress from 1.1.8 to 1.1.9

Changelog

Sourced from @​radix-ui/react-progress's changelog.

1.1.9

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-progress since your current version.

Updates @radix-ui/react-scroll-area from 1.2.10 to 1.2.11

Changelog

Sourced from @​radix-ui/react-scroll-area's changelog.

1.2.11

• Fixed missing data-state attribute for Scroll Area scrollbars
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-direction@1.1.2, @radix-ui/number@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-layout-effect@1.1.2

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-scroll-area since your current version.

Updates @radix-ui/react-separator from 1.1.8 to 1.1.9

Changelog

Sourced from @​radix-ui/react-separator's changelog.

1.1.9

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-primitive@2.1.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-separator since your current version.

Updates @radix-ui/react-slider from 1.3.6 to 1.4.0

Changelog

Sourced from @​radix-ui/react-slider's changelog.

1.4.0

• Added unstable ThumbProvider, ThumbTrigger, and BubbleInput parts to Slider. SliderThumb was previously a single component that implicitly rendered a hidden native input for form submission. It is now composed from these new parts, which are exposed so consumers can decouple the bubble input from the thumb (for example, to render or customize it independently) instead of relying on SliderThumb to render it implicitly. SliderThumb continues to render all three by default, so existing usage is unaffected.
• Added focusVisible for non-keyboard interactions with slider thumbs for progressively enabling styles using :focus-visible alongside programmatic focus management
• Fixed Slider focus bugs in scrollable context
• Fixed a Slider bug where very small step values made the thumbs unresponsive
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-collection@1.1.9, @radix-ui/react-direction@1.1.2, @radix-ui/number@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-use-size@1.1.2

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-slider since your current version.

Updates @radix-ui/react-slot from 1.2.4 to 1.2.5

Changelog

Sourced from @​radix-ui/react-slot's changelog.

1.2.5

• Fixed infinite re-render loop in React 19 caused by Slot creating a new ref callback on every render
• Added support for nested Slottable via a render prop, so a slotted element can be wrapped while still merging Slot props and refs onto it
• Added repository.directory to all package.json files
• Improved error messages for invalid slot children
• Updated dependencies: @radix-ui/react-compose-refs@1.1.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-slot since your current version.

Updates @radix-ui/react-tabs from 1.1.13 to 1.1.14

Changelog

Sourced from @​radix-ui/react-tabs's changelog.

1.1.14

• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-roving-focus@1.1.12, @radix-ui/react-use-controllable-state@1.2.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-tabs since your current version.

Updates @radix-ui/react-toast from 1.2.15 to 1.2.16

Changelog

Sourced from @​radix-ui/react-toast's changelog.

1.2.16

• Allow to specify container for ToastAnnounce
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/react-collection@1.1.9, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-visually-hidden@1.2.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-toast since your current version.

Updates @radix-ui/react-tooltip from 1.2.8 to 1.2.9

Changelog

Sourced from @​radix-ui/react-tooltip's changelog.

1.2.9

• Fixed runtime error when event target is non-Node
• Fixed a Tooltip bug so that skipDelayDuration={0} works as expected. Previously, the open delay could still be skipped when moving between triggers.
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-popper@1.3.0, @radix-ui/react-slot@1.2.5, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-visually-hidden@1.2.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-tooltip since your current version.

Updates @supabase/supabase-js from 2.99.3 to 2.108.2

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.108.2

2.108.2 (2026-06-15)

🩹 Fixes

• auth: preserve valid session on refresh failure and cooldown repeat failures (#2436)
• realtime: clarify httpSend() 404 error and server migration note (#2444)
• release: pin Deno and bound JSR publish to survive stranded-task hangs (#2439)
• release: restore JSR publish flags and enable for beta (#2440)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.5

2.108.2-canary.5 (2026-06-15)

This was a version bump only, there were no code changes.

v2.108.2-canary.4

2.108.2-canary.4 (2026-06-12)

🩹 Fixes

• realtime: clarify httpSend() 404 error and server migration note (#2444)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.3

2.108.2-canary.3 (2026-06-11)

This was a version bump only, there were no code changes.

v2.108.2-canary.2

2.108.2-canary.2 (2026-06-11)

🩹 Fixes

• release: restore JSR publish flags and enable for beta (#2440)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.1

2.108.2-canary.1 (2026-06-11)

🩹 Fixes

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.108.2 (2026-06-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.108.0 (2026-06-08)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.107.0 (2026-06-02)

🚀 Features

• auth: remove navigator.locks-based mutex; introduce commit guard + dispose() (#2392)
• supabase: update X-Client-Info to structured metadata format (#2359)
• realtime: allow httpSend to send binary payload (#2400)

❤️ Thank You

• Claude Sonnet 4.6
• Eduardo Gurgel
• Guilherme Souza
• Katerina Skroumpelou @​mandarini
• Omar Al Matar @​Bewinxed

2.106.2 (2026-05-25)

🩹 Fixes

• misc: add react-native export condition for Hermes-safe resolution (#2393)

❤️ Thank You

• Myroslav Hryhschenko @​BLOCKMATERIAL

2.106.1 (2026-05-20)

🩹 Fixes

• misc: hide dynamic import from hermesc (#2381)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.106.0 (2026-05-18)

🚀 Features

• supabase: W3C/OpenTelemetry trace context propagation (#2163)

... (truncated)

Commits

• 76f3f02 test(auth): add passkey unit and e2e coverage (#2442)
• 65fafe5 chore(release): version 2.108.0 changelogs (#2433)
• 57014e1 chore(release): version 2.107.0 changelogs (#2421)
• 54ec2b6 feat(auth): remove navigator.locks-based mutex; introduce commit guard + disp...
• 3397c92 feat(supabase): update X-Client-Info to structured metadata format (#2359)
• 335207f feat(realtime): allow httpSend to send binary payload (#2400)
• 42f12dd docs(repo): ship per-package AGENTS.md and migrations via npm (#2397)
• b200b74 chore(release): version 2.106.2 changelogs (#2396)
• a5f09cf chore(repo): adopt pnpm catalog and clean up devDeps (#2389)
• c72cc56 fix(misc): add react-native export condition for Hermes-safe resolution (#2393)
• Additional commits viewable in compare view

Updates framer-motion from 12.38.0 to 12.40.0

Changelog

Sourced from framer-motion's changelog.

[12.40.0] 2026-05-21

Added

• path option to transition.
• arc() for motion along an arc.

[12.39.0] 2026-05-18

Added

• Support for repeatType and repeatDelay in animation sequences.

Fixed

• Variants: Re-run keyframe animations when switching between variant labels even when they share identical keyframe arrays.
• Drag: Preserve in-flight motion value animations across React 19 reorder unmount/remount so dragSnapToOrigin no longer leaves the drag transform stranded after a layout swap.
• LazyMotion: Share React contexts between the framer-motion and framer-motion/m (and therefore motion/react and motion/react-m) CJS bundles so that <m.div> from the /m subpath picks up features loaded by <LazyMotion> from the main entry point.
• useScroll: Support hydrating target and container refs from anywhere in the tree.
• Drag: Gesture no longer starts from incorrect start point when rendered inside <AnimatePresence initial={false} />.
• Drag: dragConstraints, when set as viewport-relative ref, no longer break on scroll.§
• Updated visualElement hydration order.
• useAnimate: Now respects skipAnimations.
• AnimatePresence: Fix object-form initial values not applied on re-entry after exit completes.
• scroll: Fixed callback progress when tracking an element.
• useScroll: Fix hardware acceleration when tracking an element.

Commits

• 38ebb94 v12.40.0
• b1f766c Latest
• bca5544 Merge pull request #3699 from motiondivision/lochie/arcs-injectable
• f1a96cf arc(): rename amp/rotate, expose MotionPath, fix explicit cw/ccw
• b4aaba0 pathRotation: non-destructive orientToPath rotation channel
• 8604ef3 Make arcs injectable via transition.path = arc()
• f90fe29 add orientToPath
• 9ebe999 fix: test
• bc2107e Revert "no should"
• 6eeb92d no should
• Additional commits viewable in compare view

Updates imapflow from 1.3.6 to 1.4.0

Changelog

Sourced from imapflow's changelog.

1.4.0 (2026-06-09)

Features

• add Gmail label search term to the search compiler (4b2d173)

1.3.7 (2026-06-08)

Bug Fixes

• harden FLAGS guard and bring lib to full test coverage (6666bec)

Commits

• 5b13151 chore(master): release 1.4.0 [skip-ci] (#358)
• 4b2d173 feat: add Gmail label search term to the search compiler
• c0969c6 chore(master): release 1.3.7 [skip-ci] (#357)
• 6666bec fix: harden FLAGS guard and bring lib to full test coverage
• See full diff in compare view

Updates ioredis from 5.10.1 to 5.11.1

Release notes

Sourced from ioredis's releases.

v5.11.1

5.11.1 (2026-06-04)

Bug Fixes

• cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)
• parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

v5.11.0

5.11.0 (2026-05-26)

Bug Fixes

• prevent RangeError from string accumulation in pipeline (#2088) (defc077)
• replace deprecated url.parse() with WHATWG URL API (#2081) (0021a45), closes redis/ioredis#1747

Features

• add array commands, typings and tests (#2114) (baf68d6)
• add increx command (#2115) (37d0695)
• add Redis MSETEX support (#2111) (04a4615)
• add typed GCRA command support and functional tests (#2094) (468a802)
• add vector set command support (#2116) (b7b3def)
• Add xnack command (#2103) (187d29b)
• Add zinter zunion count (#2104) (0d510bb)
• Implement TracingChannel support (#2089) (4760e0a)

Changelog

Sourced from ioredis's changelog.

5.11.1 (2026-06-04)

Bug Fixes

• cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)
• parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

5.11.0 (2026-05-26)

Bug Fixes

• prevent RangeError from string accumulation in pipeline (#2088) (defc077)
• replace deprecated url.parse() with WHATWG URL API (#2081) (0021a45), closes redis/ioredis#1747

Features

• add array commands, typings and tests (#2114) (baf68d6)
• add increx command (#2115) (37d0695)
• add Redis MSETEX support (#2111) (04a4615)
• add typed GCRA command support and functional tests (#2094) (468a802)
• add vector set command support (#2116) (b7b3def)
• Add xnack command (#2103) (187d29b)
• Add zinter zunion count (#2104) (0d510bb)
• Implement TracingChannel support (#2089) (4760e0a)

Commits

• fb224a7 chore(release): 5.11.1 [skip ci]
• 131ee24 fix: parse protocol-relative Redis URLs as TCP connections (#2125)
• c84b2ee fix(cluster): reconnect to nodes that restart without slot changes (#2096)
• 1490432 chore(release): 5.11.0 [skip ci]
• 5359d4d refactor(utils): inline defaults and isArguments helpers (#2107)
• b7b3def feat: add vector set command support (#2116)
• faa53fd ci: update Node.js and Redis test matrix (#2119)
• 37d0695 feat: add increx command (#2115)
• 612ee9d chore: update Redis 8.8 test image to custom (#2118)
• baf68d6 feat: add array commands, typings and tests (#2114)
• Additional commits viewable in compare view

Updates isomorphic-dompurify from 3.12.0 to 3.17.0

Release notes

Sourced from isomorphic-dompurify's releases.

3.17.0: Updated dependencies

• dompurify 3.4.8 -> 3.4.10
• @​biomejs/biome 2.4.16 -> 2.5.0
• pnpm 11.4.0 -> 11.6.0

3.16.0: Updated dependencies

• dompurify 3.4.7 -> 3.4.8
• vitest 4.1.7 -> 4.1.8
• lefthook 2.1.8 -> 2.1.9

3.15.0: Updated dependencies

• dompurify 3.4.5 -> 3.4.7
• @​biomejs/biome 2.4.15 -> 2.4.16
• vitest 4.1.6 -> 4.1.7
• packageManager pnpm 11.1.3 -> 11.4.0

3.14.0: Updated dependencies

What's Changed

• chore(deps): bump dompurify from 3.4.3 to 3.4.5 by @​dependabot[bot]
• chore: Allowed esbuild and disallowed lefthook for ci.
• chore: Added homepage URL to package.json.

Full Changelog: kkomelin/isomorphic-dompurify@3.13.0...3.14.0

3.13.0: Updated dependencies

What's Changed

• chore(deps-dev): bump vitest from 4.1.5 to 4.1.6 by @​dependabot[bot] in kkomelin/isomorphic-dompurify#435
• chore(deps-dev): bump @​types/jsdom from 28.0.1 to 28.0.3 by @​dependabot[bot] in kkomelin/isomorphic-dompurify#436
• chore(deps-dev): bump @​biomejs/biome from 2.4.14 to 2.4.15 by @​dependabot[bot] in kkomelin/isomorphic-dompurify#434
• chore(deps): bump dompurify from 3.4.2 to 3.4.3 by @​dependabot[bot] in kkomelin/isomorphic-dompurify#437

Full Changelog: kkomelin/isomorphic-dompurify@3.12.0...3.13.0

Commits

• 4b0f0db chore: Updated dependencies.
• 1e537bd chore(deps): bump dompurify from 3.4.8 to 3.4.9
• bee551b chore: Bump version to 3.16.0 and update dependencies.
• e03b0c0 chore(deps): bump dompurify from 3.4.7 to 3.4.8
• 86abe8b chore(deps-dev): bump lefthook from 2.1.8 to 2.1.9
• 284831c chore(deps-dev): bump vitest from 4.1.7 to 4.1.8
• 2542801 chore: Bump version to 3.15.0 and update dependencies.
• 82bb1de chore(deps): bump dompurify from 3.4.5 to 3.4.6
• 871d363 chore(deps-dev): bump vitest from 4.1.6 to 4.1.7
• 518ae7d chore(deps-dev): bump lefthook from 2.1.6 to 2.1.8
• Additional commits viewable in compare view

Updates lucide-react from 1.14.0 to 1.18.0

Release notes

Sourced from lucide-react's releases.

Version 1.18.0

What's Changed

• chore(site): Remove survey from site by @​ericfennis in lucide-icons/lucide#4417
• feat(icons): added play-off icon by @​Ahmed-Dghaies in lucide-icons/lucide#4412
• fix(metadata): add missing use-cases prop on play-off.json by @​karsa-mistmere in lucide-icons/lucide#4423
• fix(docs): force hide #bb-banner, if html.has-bb-banner is missing by @​karsa-mistmere in lucide-icons/lucide#4422
• fix(docs): Remove @next from installation instructions for@lucide/svelte by @​alecglassford in lucide-icons/lucide#4432
• feat(packages/angular): add support for Angular v22 and onwards by @​karsa-mistmere in lucide-icons/lucide#4450
• fix(ci): add check to skip release if latest tag was created today by @​ericfennis in lucide-icons/lucide#4085
• feat(icons): added webcam-off icon by @​jordan-burnett in lucide-icons/lucide#4242

New Contributors

• @​alecglassford made their first contribution in lucide-icons/lucide#4432
• @​jordan-burnett made their first contribution in lucide-icons/lucide#4242

Full Changelog: lucide-icons/lucide@1.17.0...1.18.0

Version 1.17.0

What's Changed

• chore(lucide-vue-next|lucide-svelte|lucide-angular): Remove deprecated packages by @​ericfennis in lucide-icons/lucide#4376
• chore(repo): Update issue templates and documentation for package ren… by @​ericfennis in lucide-icons/lucide#4379
• feat(site): Adds survey overlay to website by @​ericfennis in lucide-icons/lucide#4380
• feat(site): Certificate dev links by @​ericfennis in lucide-icons/lucide#4390
• fix(icons): changed martini icon by @​jamiemlaw in lucide-icons/lucide#4335
• chore(deps): bump brace-expansion from 1.1.11 to 5.0.6 by @​dependabot[bot] in lucide-icons/lucide#4386
• chore(deps): bump @​tootallnate/once from 2.0.0 to 2.0.1 by @​dependabot[bot] in lucide-icons/lucide#4404
• chore(deps): bump devalue from 5.8.0 to 5.8.1 by @​dependabot[bot] in lucide-icons/lucide#4391
• chore(deps): bump ws from 8.18.0 to 8.20.1 by @​dependabot[bot] in lucide-icons/lucide#4392
• fix(gh-icon): limit icon size to a maximum of 256 pixels by @​jguddas in lucide-icons/lucide#4398
• chore(dependencies): Update dependencies by @​ericfennis in lucide-icons/lucide#4377
• feat(copilot): Adding copilot instructions by @​ericfennis in lucide-icons/lucide#4407
• feat(icons): add globe-check by @​Barakudum in lucide-icons/lucide#4342
• feat(metadata): Require use-cases in meta json by @​ericfennis in lucide-icons/lucide#4321
• feat(icons): added parasol icon by @​karsa-mistmere in lucide-icons/lucide#4347

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0

Version 1.16.0

What's Changed

• feat(icons): added blender icon by @​rrod497 in lucide-icons/lucide#3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

• fix: remove 'less' from brand stopwords by @​jguddas in lucide-icons/lucide#4331
• fix(@​lucide/vue): Clone slots before passing to icon by @​axtho in lucide-icons/lucide#4339
• fix(icons): changed text-cursor icon by @​jamiemlaw in lucide-icons/lucide#4340

... (truncated)

Commits

• 07c885e fix(docs): fix zephyr-cloud URL in readmes
• See full diff in compare view

Updates next from 16.2.4 to 16.2.9

Release notes

Sourced from next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

... (truncated)

Commits

• f37fad9 v16.2.9
• d9aaaed [cd] Allow tagging semver-lower releases as @latest if @latest po… (#94627)
• 6f16804 v16.2.8
• 0dbc1d5 [16.2.x][cd] Ensure release can be triggered on old branches (#94598)
• 90e3c81 [16.2.x] Align Actions dependencies with Canary (#94339)
• 83f402c [16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)
• 411c455 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates openai from 6.36.0 to 6.42.0

Release notes

Sourced from openai's releases.

v6.42.0

6.42.0 (2026-06-03)

Full Changelog: v6.41.0...v6.42.0

Features

• api: responses.moderation and chat_completions.moderation (6d8f592)

v6.41.0

6.41.0 (2026-06-01)

Full Changelog: v6.40.0...v6.41.0

Features

• api: Add Amazon Bedrock Responses support (#1899) (535b045)

v6.40.0

6.40.0 (2026-06-01)

Full Changelog: v6.39.1...v6.40.0

Features

• api: workload identity in audit logs, additional_tools item in responses, fix ActionSearch.query to be optional. (aee09f3)

Chores

• remove migrate CLI (673c618)

v6.39.1

6.39.1 (2026-05-27)

Full Changelog: v6.39.0...v6.39.1

Bug Fixes

• Improve undici dispatcher mismatch guidance (#1898) (b6e5fd6)
• treat text/plan with format: binary as raw upload (f9a632a)
• treat text/plan with format: binary as raw upload (323cb78)

Chores

• internal: codegen related update (d32deef)

v6.39.0

6.39.0 (2026-05-21)

... (truncated)

Changelog

Sourced from

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

vu1nz Security Review

0 finding(s) in PR #?

No security issues found.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​16.2.9
	@​radix-ui/​react-separator@​1.1.9
	eslint-config-next@​16.2.9
	@​radix-ui/​react-progress@​1.1.9
	@​radix-ui/​react-slot@​1.2.3 ⏵ 1.2.5	+1		+1
	@​radix-ui/​react-tabs@​1.1.14
	@​radix-ui/​react-dropdown-menu@​2.1.17
	@​radix-ui/​react-dialog@​1.1.16
	@​radix-ui/​react-tooltip@​1.2.9
	@​radix-ui/​react-slider@​1.4.0
	@​radix-ui/​react-toast@​1.2.16
	@​radix-ui/​react-scroll-area@​1.2.11
	@​types/​jsdom@​28.0.3
	openai@​6.42.0
	@​types/​react@​19.2.17
	@​vitest/​coverage-v8@​4.1.9
	lucide-react@​1.18.0
	@​types/​node@​25.9.3
	posthog-js@​1.386.8
	postcss@​8.5.15
	tailwindcss@​4.3.1
	react@​19.2.7
	tailwind-merge@​3.6.0
	react-dom@​19.2.7
	isomorphic-dompurify@​3.17.0
	imapflow@​1.4.0
	framer-motion@​12.40.0
	resend@​6.12.4
	@​tailwindcss/​postcss@​4.3.1
	@​playwright/​test@​1.61.0
	vitest@​4.1.9

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		High CVE: npm esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY CVE: GHSA-gv7w-rqvm-qjhr esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY (HIGH) Affected versions: >= 0.17.0 < 0.28.1 Patched version: 0.28.1 From: pnpm-lock.yaml → npm/@vitejs/plugin-react@5.1.4 → npm/vitest@4.1.9 → npm/esbuild@0.27.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/next@16.2.9 → npm/@emnapi/runtime@1.11.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/eslint-config-next@16.2.9 → npm/@typescript-eslint/eslint-plugin@8.61.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm posthog-js is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/posthog-js@1.386.8 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.386.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm rollup under unrecognized license License: unrecognized license - This license was not allowed or given any lesser classification by the applicable policy (package/LICENSE.md) From: pnpm-lock.yaml → npm/@vitejs/plugin-react@5.1.4 → npm/vitest@4.1.9 → npm/rollup@4.62.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.62.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report