deps(deps): bump the minor-and-patch group with 19 updates

[dependabot]

Bumps the minor-and-patch group with 19 updates:

Package	From	To
@supabase/supabase-js	2.99.3	2.106.2
framer-motion	12.38.0	12.40.0
isomorphic-dompurify	3.12.0	3.14.0
lucide-react	1.14.0	1.16.0
next	16.2.4	16.2.6
openai	6.36.0	6.39.0
react	19.2.5	19.2.6
@types/react	19.2.14	19.2.15
react-dom	19.2.5	19.2.6
resend	6.12.2	6.12.4
tailwind-merge	3.5.0	3.6.0
undici	8.2.0	8.3.0
@tailwindcss/postcss	4.2.4	4.3.0
@types/jsdom	28.0.0	28.0.3
@types/node	25.6.0	25.9.1
eslint-config-next	16.2.4	16.2.6
postcss	8.5.14	8.5.15
tailwindcss	4.2.4	4.3.0
tsx	4.21.0	4.22.3

Updates @supabase/supabase-js from 2.99.3 to 2.106.2

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.106.2

2.106.2 (2026-05-25)

🩹 Fixes

• auth: restore signup user response (#2391)
• misc: add react-native export condition for Hermes-safe resolution (#2393)

❤️ Thank You

• Myroslav Hryhschenko @​BLOCKMATERIAL
• Vaibhav @​7ttp

v2.106.2-canary.1

2.106.2-canary.1 (2026-05-22)

This was a version bump only, there were no code changes.

v2.106.2-canary.0

2.106.2-canary.0 (2026-05-22)

🩹 Fixes

• auth: restore signup user response (#2391)
• misc: add react-native export condition for Hermes-safe resolution (#2393)

❤️ Thank You

• Myroslav Hryhschenko @​BLOCKMATERIAL
• Vaibhav @​7ttp

v2.106.2-beta.2

2.106.2-beta.2 (2026-05-22)

This was a version bump only, there were no code changes.

v2.106.2-beta.0

2.106.2-beta.0 (2026-05-21)

This was a version bump only, there were no code changes.

v2.106.1

2.106.1 (2026-05-20)

🩹 Fixes

• auth: encode client-id in oauth requests (#2383)
• misc: hide dynamic import from hermesc (#2381)

❤️ Thank You

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.106.2 (2026-05-25)

🩹 Fixes

• misc: add react-native export condition for Hermes-safe resolution (#2393)

❤️ Thank You

• Myroslav Hryhschenko @​BLOCKMATERIAL

2.106.1 (2026-05-20)

🩹 Fixes

• misc: hide dynamic import from hermesc (#2381)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.106.0 (2026-05-18)

🚀 Features

• supabase: W3C/OpenTelemetry trace context propagation (#2163)

🩹 Fixes

• release: mark @​supabase/tracing private and snapshot it for JSR (#2370)

❤️ Thank You

• Claude Sonnet 4.5
• Guilherme Souza
• Katerina Skroumpelou @​mandarini

2.105.4 (2026-05-08)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.105.2 (2026-05-04)

🩹 Fixes

• auth: forward lockAcquireTimeout to SupabaseAuthClient (#2309)
• misc: widen enum-like unions with (string & {}) for forward compat (#2303)

❤️ Thank You

• Muzzaiyyan Hussain @​MuzzaiyyanHussain

... (truncated)

Commits

• a5f09cf chore(repo): adopt pnpm catalog and clean up devDeps (#2389)
• c72cc56 fix(misc): add react-native export condition for Hermes-safe resolution (#2393)
• a7bdb23 docs(supabase): expand tracePropagation tsdoc with examples (#2388)
• f4c149c chore(release): version 2.106.1 changelogs (#2384)
• 3f9628a fix(misc): hide dynamic import from hermesc (#2381)
• 1761a62 chore(release): version 2.106.0 changelogs (#2379)
• 1c48755 chore(deps): cleanups and updates (#2371)
• 9dfba1c chore(repo): migrate to pnpm (#2368)
• 6731c4a fix(release): mark @​supabase/tracing private and snapshot it for JSR (#2370)
• 2fe1801 feat(supabase): W3C/OpenTelemetry trace context propagation (#2163)
• Additional commits viewable in compare view

Updates framer-motion from 12.38.0 to 12.40.0

Changelog

Sourced from framer-motion's changelog.

[12.40.0] 2026-05-21

Added

• path option to transition.
• arc() for motion along an arc.

[12.39.0] 2026-05-18

Added

• Support for repeatType and repeatDelay in animation sequences.

Fixed

• Variants: Re-run keyframe animations when switching between variant labels even when they share identical keyframe arrays.
• Drag: Preserve in-flight motion value animations across React 19 reorder unmount/remount so dragSnapToOrigin no longer leaves the drag transform stranded after a layout swap.
• LazyMotion: Share React contexts between the framer-motion and framer-motion/m (and therefore motion/react and motion/react-m) CJS bundles so that <m.div> from the /m subpath picks up features loaded by <LazyMotion> from the main entry point.
• useScroll: Support hydrating target and container refs from anywhere in the tree.
• Drag: Gesture no longer starts from incorrect start point when rendered inside <AnimatePresence initial={false} />.
• Drag: dragConstraints, when set as viewport-relative ref, no longer break on scroll.§
• Updated visualElement hydration order.
• useAnimate: Now respects skipAnimations.
• AnimatePresence: Fix object-form initial values not applied on re-entry after exit completes.
• scroll: Fixed callback progress when tracking an element.
• useScroll: Fix hardware acceleration when tracking an element.

Commits

• 38ebb94 v12.40.0
• b1f766c Latest
• bca5544 Merge pull request #3699 from motiondivision/lochie/arcs-injectable
• f1a96cf arc(): rename amp/rotate, expose MotionPath, fix explicit cw/ccw
• b4aaba0 pathRotation: non-destructive orientToPath rotation channel
• 8604ef3 Make arcs injectable via transition.path = arc()
• f90fe29 add orientToPath
• 9ebe999 fix: test
• bc2107e Revert "no should"
• 6eeb92d no should
• Additional commits viewable in compare view

Updates isomorphic-dompurify from 3.12.0 to 3.14.0

Release notes

Sourced from isomorphic-dompurify's releases.

3.14.0: Updated dependencies

What's Changed

• chore(deps): bump dompurify from 3.4.3 to 3.4.5 by @​dependabot[bot]
• chore: Allowed esbuild and disallowed lefthook for ci.
• chore: Added homepage URL to package.json.

Full Changelog: kkomelin/isomorphic-dompurify@3.13.0...3.14.0

3.13.0: Updated dependencies

What's Changed

• chore(deps-dev): bump vitest from 4.1.5 to 4.1.6 by @​dependabot[bot] in kkomelin/isomorphic-dompurify#435
• chore(deps-dev): bump @​types/jsdom from 28.0.1 to 28.0.3 by @​dependabot[bot] in kkomelin/isomorphic-dompurify#436
• chore(deps-dev): bump @​biomejs/biome from 2.4.14 to 2.4.15 by @​dependabot[bot] in kkomelin/isomorphic-dompurify#434
• chore(deps): bump dompurify from 3.4.2 to 3.4.3 by @​dependabot[bot] in kkomelin/isomorphic-dompurify#437

Full Changelog: kkomelin/isomorphic-dompurify@3.12.0...3.13.0

Commits

• fa11d1d chore: bump version to 3.14.0
• 3706f30 chore(deps): bump dompurify from 3.4.3 to 3.4.5
• 0f1d8b2 chore: Added homepage URL to package.json.
• 0c05491 chore: Allowed esbuild and disallowed lefthook for ci.
• c159087 chore: Updated deps and incremented project version.
• e8b2f23 chore(deps): bump dompurify from 3.4.2 to 3.4.3
• 64b1d7b chore(deps-dev): bump @​biomejs/biome from 2.4.14 to 2.4.15
• 233ed4d chore(deps-dev): bump @​types/jsdom from 28.0.1 to 28.0.3
• bf44524 chore(deps-dev): bump vitest from 4.1.5 to 4.1.6
• See full diff in compare view

Updates lucide-react from 1.14.0 to 1.16.0

Release notes

Sourced from lucide-react's releases.

Version 1.16.0

What's Changed

• feat(icons): added blender icon by @​rrod497 in lucide-icons/lucide#3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

• fix: remove 'less' from brand stopwords by @​jguddas in lucide-icons/lucide#4331
• fix(@​lucide/vue): Clone slots before passing to icon by @​axtho in lucide-icons/lucide#4339
• fix(icons): changed text-cursor icon by @​jamiemlaw in lucide-icons/lucide#4340
• fix(icons): changed landmark icon by @​jamiemlaw in lucide-icons/lucide#4334
• chore(deps-dev): bump nitropack from 2.13.1 to 2.13.4 by @​dependabot[bot] in lucide-icons/lucide#4352
• chore(deps-dev): bump simple-git from 3.33.0 to 3.36.0 by @​dependabot[bot] in lucide-icons/lucide#4349
• fix(icons): changed candy-cane icon by @​jguddas in lucide-icons/lucide#4148
• fix(icons): changed volleyball icon by @​jamiemlaw in lucide-icons/lucide#4338
• fix(icons): changed chart-no-axes-combined icon by @​jguddas in lucide-icons/lucide#3567
• feat(icon): added broccoli icon by @​swastik7805 in lucide-icons/lucide#4263
• chore(site): Updates to site and updated carbon ads by @​ericfennis in lucide-icons/lucide#4359
• feat(icons): added sticky note variants by @​Barakudum in lucide-icons/lucide#4348
• chore(deps-dev): bump astro from 6.1.6 to 6.1.10 by @​dependabot[bot] in lucide-icons/lucide#4361

New Contributors

• @​axtho made their first contribution in lucide-icons/lucide#4339
• @​Barakudum made their first contribution in lucide-icons/lucide#4348

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

Commits

• 07c885e fix(docs): fix zephyr-cloud URL in readmes
• See full diff in compare view

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates openai from 6.36.0 to 6.39.0

Release notes

Sourced from openai's releases.

v6.39.0

6.39.0 (2026-05-21)

Full Changelog: v6.38.0...v6.39.0

Features

• api: api update (33ea11f)
• api: manual updates (c210b09)
• api: manual updates (92df9dc)
• api: update OpenAPI spec or Stainless config (c7c0f52)

Bug Fixes

• types: allow runtime fetch options (8f5003d)
• typescript: upgrade tsc-multi so that it works with Node 26 (068f9c6)

Chores

• api: docs updates (9d43adb)
• tests: remove redundant File import (5465bbe)

v6.38.0

6.38.0 (2026-05-13)

Full Changelog: v6.37.0...v6.38.0

Features

• api: add service_tier parameter to responses compact method (423e838)

v6.37.0

6.37.0 (2026-05-07)

Full Changelog: v6.36.0...v6.37.0

Features

• api: add quantity field to admin organization usage responses (273a8f7)
• api: add web_search_call.results output option to responses (91c75e0)
• api: launch realtime translate + update image 2 (a296b66)
• api: manual updates (794b905)
• api: manual updates (6963729)
• api: realtime 2 (f4b7177)

Bug Fixes

... (truncated)

Changelog

Sourced from openai's changelog.

6.39.0 (2026-05-21)

Full Changelog: v6.38.0...v6.39.0

Features

• api: api update (33ea11f)
• api: manual updates (c210b09)
• api: manual updates (92df9dc)
• api: update OpenAPI spec or Stainless config (c7c0f52)

Bug Fixes

• types: allow runtime fetch options (8f5003d)
• typescript: upgrade tsc-multi so that it works with Node 26 (068f9c6)

Chores

• api: docs updates (9d43adb)
• tests: remove redundant File import (5465bbe)

6.38.0 (2026-05-13)

Full Changelog: v6.37.0...v6.38.0

Features

• api: add service_tier parameter to responses compact method (423e838)

6.37.0 (2026-05-07)

Full Changelog: v6.36.0...v6.37.0

Features

• api: add quantity field to admin organization usage responses (273a8f7)
• api: add web_search_call.results output option to responses (91c75e0)
• api: launch realtime translate + update image 2 (a296b66)
• api: manual updates (794b905)
• api: manual updates (6963729)
• api: realtime 2 (f4b7177)

Bug Fixes

• api: fix imagegen size enum regression (4fe8469)

... (truncated)

Commits

• 2002111 release: 6.39.0
• d6dc9b7 feat(api): manual updates
• 7444892 feat(api): api update
• f5db3f1 fix(types): allow runtime fetch options
• 33b391a chore(api): docs updates
• bfe3016 fix(typescript): upgrade tsc-multi so that it works with Node 26
• 3320b20 chore(tests): remove redundant File import
• 3250890 feat(api): manual updates
• d9fbf39 feat(api): update OpenAPI spec or Stainless config
• 8a8436e codegen metadata
• Additional commits viewable in compare view

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates @types/react from 19.2.14 to 19.2.15

Commits

• See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates resend from 6.12.2 to 6.12.4

Release notes

Sourced from resend's releases.

v6.12.4

What's Changed

• fix(deps): update dependency next to v16.2.6 [security] by @​renovate[bot] in resend/resend-node#957
• chore(dev-660): harden github actions workflows by @​felipefreitag in resend/resend-node#959
• chore: add sync-prs-to-linear action by @​dielduarte in resend/resend-node#961
• fix: rename misnamed get-contact.interface.ts to get-topic.interface.ts in topics module by @​wesleyramalho in resend/resend-node#903
• fix: avoid mutating payloads in emails, broadcasts, and templates by @​Shubhdeep12 in resend/resend-node#862
• feat: add optional baseUrl and userAgent to Resend constructor by @​xiaoyu2er in resend/resend-node#839
• chore: bump public-shared-workflows hash by @​dielduarte in resend/resend-node#965
• chore: bump public-shared-workflows hash by @​dielduarte in resend/resend-node#966
• refactor: align delete method with other HTTP methods in Resend class by @​wesleyramalho in resend/resend-node#904
• fix: to support @​react-email/render exports across versions in templates by @​Shubhdeep12 in resend/resend-node#863
• fix: replace svix with standardwebhooks to reduce install size (#969) by @​dielduarte in resend/resend-node#970
• chore: bump version to 6.12.4 by @​dielduarte in resend/resend-node#971

Full Changelog: resend/resend-node@v6.12.3...v6.12.4

v6.12.3

What's Changed

• chore(deps): update pnpm to v10.33.2 by @​renovate[bot] in resend/resend-node#940
• chore(deps): upgrade svix to silence GHSA-w5hq-g745-h8pq by @​ulrichstark in resend/resend-node#942
• fix: correct paylaod into payload typo in contacts overload signatures by @​wesleyramalho in resend/resend-node#902
• chore(deps): update dependency tsdown to v0.21.10 by @​renovate[bot] in resend/resend-node#929
• chore(deps): update dependency @​biomejs/biome to v2.4.14 by @​renovate[bot] in resend/resend-node#943
• chore: add missing suppressed event to resend node sdk interface by @​dielduarte in resend/resend-node#946
• chore: bump sdk version to 6.12.3 by @​dielduarte in resend/resend-node#947

New Contributors

• @​ulrichstark made their first contribution in resend/resend-node#942
• @​wesleyramalho made their first contribution in resend/resend-node#902
• @​dielduarte made their first contribution in resend/resend-node#946

Full Changelog: resend/resend-node@v6.12.2...v6.12.3

Commits

• 58db880 chore: bump version to 6.12.4 (#971)
• 63f5ddb fix: replace svix with standardwebhooks to reduce install size (#969) (#970)
• 45dc73d fix: to support @​react-email/render exports across versions in templates (#863)
• 24950d7 refactor: align delete method with other HTTP methods in Resend class (#904)
• 2759316 chore: bump public-shared-workflows hash (#966)
• fa04efc chore: bump public-shared-workflows hash (#965)
• 77bbf2d feat: add optional baseUrl and userAgent to Resend constructor (#839)
• ebdb2d3 fix: avoid mutating payloads in emails, broadcasts, and templates (#862)
• 674ab1b fix: rename misnamed get-contact.interface.ts to get-topic.interface.ts i...
• ac0c09f chore: add sync-prs-to-linear action (#961)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by dielduarte, a new releaser for resend since your current version.

Updates tailwind-merge from 3.5.0 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

• Add support for Tailwind CSS v4.3 by @​dcastil in dcastil/tailwind-merge#677
  • Add postfixLookupClassGroups option to config to support Tailwind utilities where a slash is part of the full class name, like named container queries
• Add support for readonly array values by @​unional in dcastil/tailwind-merge#652

Documentation

• Fix broken links in README by @​maurer2 in dcastil/tailwind-merge#662

Other

• Harden internal CI pipeline security by omitting git checkout by @​dcastil, suggested by @​kyletaylored in dcastil/tailwind-merge@6b2499c

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

Commits

• d54f7e5 v3.6.0
• 638871a Update README to add info about Tailwind CSS v4.3 support
• 39fc7b5 Revert "v3.6.0"
• bd8390f v3.6.0
• 802877c add v3.6.0 changelog
• a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
• 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
• 005af6d pin to specific version
• 5816ced implement breaking changes
• 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
• Additional commits viewable in compare view

Updates undici from 8.2.0 to 8.3.0

Release notes

Sourced from undici's releases.

v8.3.0

What's Changed

• fix: preserve pool capacity after removing stale client by @​trivikr in nodejs/undici#5151
• build(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @​dependabot[bot] in nodejs/undici#5157
• build(deps): bump actions/upload-artifact from 5.0.0 to 7.0.1 by @​dependabot[bot] in nodejs/undici#5162
• build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @​dependabot[bot] in nodejs/undici#5156
• chore(http2): collapse duplicate request stream setup by @​trivikr in nodejs/undici#5140
• perf(client): cache HTTP/2 authority by @​trivikr in nodejs/undici#5141
• build(deps-dev): bump borp from 0.20.2 to 1.0.0 by @​dependabot[bot] in nodejs/undici#4819
• types: add TOpaque to client connect options by @​samuel871211 in nodejs/undici#4928
• build(deps): bump tinybench from 5.1.0 to 6.0.1 in /benchmarks by @​dependabot[bot] in nodejs/undici#4688
• build(deps): bump codecov/codecov-action from 5.5.1 to 6.0.0 by @​dependabot[bot] in nodejs/undici#4950
• build(deps): bump actions/dependency-review-action from 4.8.1 to 4.9.0 by @​dependabot[bot] in nodejs/undici#4951
• test(fetch): add userinfo coverage for issue-4897 URLs by @​mcollina in nodejs/undici#4901
• perf: avoid duplicate pool dispatcher selection on backpressure by @​trivikr in nodejs/undici#5149
• build(deps): bump actions/setup-node from 6.2.0 to 6.4.0 by @​dependabot[bot] in nodejs/undici#5163
• build(deps): bump step-security/harden-runner from 2.14.1 to 2.19.1 by @​dependabot[bot] in nodejs/undici#5160
• build(deps): bump cronometro from 5.3.0 to 6.0.3 in /benchmarks by @​dependabot[bot] in nodejs/undici#4687
• build(deps): bump github/codeql-action from 4.35.1 to 4.35.3 by @​dependabot[bot] in nodejs/undici#5161
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in nodejs/undici#4853
• build(deps): bump hendrikmuhs/ccache-action from 1.2.22 to 1.2.23 by @​dependabot[bot] in nodejs/undici#5158
• build(deps): bump fastify/github-action-merge-dependabot from 3.11.2 to 3.12.0 by @​dependabot[bot] in nodejs/undici#5159
• build(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in nodejs/undici#4854
• build(deps): bump uWebSockets.js from v20.64.0 to v20.66.0 in /benchmarks by @​dependabot[bot] in nodejs/undici#5130
• docs: mention install() also installs WebSocket globals by @​mcollina in nodejs/undici#5174
• types: stop interfering with @​types/node by @​Renegade334 in nodejs/undici#5173
• fix: align h2 empty body content-length methods with h1 by @​trivikr in nodejs/undici#5172
• build(deps-dev): bump fast-check from 4.6.0 to 4.7.0 by @​dependabot[bot] in nodejs/undici#5192
• build(deps-dev): bump typescript from 6.0.2 to 6.0.3 by @​dependabot[bot] in nodejs/undici#5191
• test: move cleanup from finally to after hooks by @​trivikr in nodejs/undici#5194
• test: resolve flaky timeout in issue-3356 by @​trivikr in nodejs/undici#5188
• SnapshotAgent: Add normalizeBody and normalizeQuery by @​GeoffreyBooth in nodejs/undici#5121
• fix(socks5): use configured connector in Socks5ProxyAgent by @​trivikr in nodejs/undici#5168
• perf(http2): avoid isArray checks for common headers by @​trivikr in nodejs/undici#5170
• fix(test): make deduplicate body-streaming test non-flaky by @​mcollina in nodejs/undici#5196
• test(retry): add regression test for RetryAgent + HTTP/2 stream timeout (#5137) by @​mcollina in nodejs/undici#5176
• fix(socks5): preserve dispatch backpressure return value by @​trivikr in nodejs/undici#5166
• perf(http2): end zero-length request bodies with headers by @​trivikr in nodejs/undici#5169
• fix(test): make issue-2898-comment.js assertion robust against flakiness by @​mcollina in nodejs/undici#5208
• test: disable timeouts in h2 high concurrency regression by @​trivikr in nodejs/undici#5205
• test: deflake stream compat coverage by @​mcollina in nodejs/undici#5209
• fix(dispatcher): remove unreachable assert in writeBlob by @​SAY-5 in nodejs/undici#5231
• fix: clean up benchmark resources before worker exit by @​trivikr in nodejs/undici#5225
• test: avoid per-chunk assertions in diagnostics get by @​trivikr in Description has been truncated

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​16.2.6
	openai@​6.39.0
	undici@​8.3.0
	eslint-config-next@​16.2.6
	@​types/​jsdom@​28.0.3
	@​types/​react@​19.2.15
	lucide-react@​1.16.0
	@​types/​node@​25.9.1
	postcss@​8.5.15
	tailwindcss@​4.3.0
	react@​19.2.6
	tailwind-merge@​3.6.0
	resend@​6.12.4
	react-dom@​19.2.6
	isomorphic-dompurify@​3.14.0
	framer-motion@​12.40.0
	@​tailwindcss/​postcss@​4.3.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/eslint-config-next@16.2.6 → npm/@typescript-eslint/eslint-plugin@8.60.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.60.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm resend is now published by dielduarte Author: dielduarte From: package.json → npm/resend@6.12.4 ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/resend@6.12.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report