build(deps): bump the production-dependencies group across 1 directory with 63 updates

[dependabot]

Bumps the production-dependencies group with 63 updates in the / directory:

Package	From	To
@ai-sdk/openai	3.0.26	3.0.64
@ai-sdk/react	3.0.80	3.0.190
@aws-sdk/client-s3	3.984.0	3.1051.0
@aws-sdk/s3-request-presigner	3.984.0	3.1051.0
@fumadocs/content-collections	1.2.6	1.2.9
@hono/zod-openapi	1.2.1	1.4.0
@hono/zod-validator	0.7.6	0.8.0
@next/third-parties	16.1.6	16.2.6
@paralleldrive/cuid2	2.3.1	3.3.0
@prisma/client	7.3.0	7.8.0
@react-email/components	0.0.41	1.0.12
@react-email/render	1.4.0	2.0.8
@scalar/hono-api-reference	0.9.40	0.10.16
@tanstack/react-query	5.90.20	5.100.11
@tiptap/extension-dropcursor	3.19.0	3.23.5
@tiptap/extension-image	3.19.0	3.23.5
@tiptap/extension-placeholder	3.19.0	3.23.5
@tiptap/react	3.19.0	3.23.5
@tiptap/starter-kit	3.19.0	3.23.5
@uiw/react-md-editor	4.0.11	4.1.0
ai	6.0.78	6.0.188
better-auth	1.4.18	1.6.11
boring-avatars	1.11.2	2.0.4
date-fns	4.1.0	4.2.1
dompurify	3.3.1	3.4.5
fumadocs-core	16.5.2	16.9.0
fumadocs-ui	16.5.2	16.9.0
geist	1.5.1	1.7.1
hono	4.11.8	4.12.21
hono-openapi	0.4.8	1.3.0
isomorphic-dompurify	2.35.0	3.14.0
jotai	2.12.3	2.20.0
js-cookie	3.0.5	3.0.7
lucide-react	0.542.0	1.16.0
nanoid	5.1.6	5.1.11
next	16.2.4	16.2.6
next-intl	4.8.3	4.12.0
nodemailer	7.0.13	8.0.7
nuqs	2.8.8	2.8.9
openai	6.19.0	6.38.0
react	19.2.4	19.2.6
react-day-picker	9.13.0	10.0.1
react-dom	19.2.4	19.2.6
react-dropzone	14.4.0	15.0.0
react-hook-form	7.71.1	7.76.0
react-qr-code	2.0.18	2.0.21
react-resizable-panels	3.0.6	4.11.1
recharts	2.15.4	3.8.1
sharp	0.34.4	0.34.5
slugify	1.6.6	1.6.9
stripe	18.5.0	22.1.1
tailwind-merge	3.4.0	3.6.0
tencentcloud-sdk-nodejs	4.1.184	4.1.235
ua-parser-js	2.0.9	2.0.10
ufo	1.6.3	1.6.4
use-debounce	10.1.0	10.1.1
use-intl	4.8.2	4.12.0
uuid	11.1.0	14.0.0
zod	4.3.6	4.4.3
zustand	5.0.11	5.0.13
@prisma/adapter-pg	7.3.0	7.8.0
pg	8.18.0	8.21.0
ws	8.19.0	8.20.1

Updates @ai-sdk/openai from 3.0.26 to 3.0.64

Changelog

Sourced from @​ai-sdk/openai's changelog.

3.0.64

Patch Changes

• b7ed8bd: feat(openai): add opt-in pass-through for unsupported file media types

3.0.63

Patch Changes

• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27

3.0.62

Patch Changes

• 65edcca: feat: add allowedTools provider option for OpenAI Responses

3.0.61

Patch Changes

• b93f9b4: feat(provider/openai): forward imageDetail providerOptions on tool-result image content

3.0.60

Patch Changes

• 6dcd8e6: feat(openai): add GPT-5.5 chat model IDs

3.0.59

Patch Changes

• 38966ab: fix(openai, openai-compatible): only send null content for assistant messages with tool calls

3.0.58

Patch Changes

• 2370948: feat(openai): preserve namespace on function_call output items

3.0.57

Patch Changes

• d33e7cc: chore(provider/openai): add type for image model options for type-safe processing

3.0.56

... (truncated)

Commits

• 2e7664b Version Packages (#15315)
• b7ed8bd Backport: feat(openai): add opt-in pass-through for unsupported file media ty...
• e3ccdb5 Version Packages (#15094)
• bf9de31 Version Packages (#15046)
• 65edcca Backport: feat(openai): add allowedTools provider option for Responses (#15044)
• ee37690 Version Packages (#15020)
• b93f9b4 Backport: feat(provider/openai): forward imageDetail providerOptions on tool-...
• c706111 Version Packages (#14971)
• 6dcd8e6 Backport: feat(openai): add GPT-5.5 chat model IDs (#14965)
• a1dddcc Version Packages (#14954)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/openai since your current version.

Updates @ai-sdk/react from 3.0.80 to 3.0.190

Release notes

Sourced from @​ai-sdk/react's releases.

@​ai-sdk/react@​3.0.190

Patch Changes

• Updated dependencies [c98715a]
  • ai@6.0.188

@​ai-sdk/react@​3.0.189

Patch Changes

• ai@6.0.187

Changelog

Sourced from @​ai-sdk/react's changelog.

3.0.190

Patch Changes

• Updated dependencies [c98715a]
  • ai@6.0.188

3.0.189

Patch Changes

• ai@6.0.187

3.0.188

Patch Changes

• ai@6.0.186

3.0.187

Patch Changes

• ai@6.0.185

3.0.186

Patch Changes

• Updated dependencies [40fc5e4]
  • ai@6.0.184

3.0.185

Patch Changes

• ai@6.0.183

3.0.184

Patch Changes

• Updated dependencies [e76a29a]
  • ai@6.0.182

3.0.183

Patch Changes

• Updated dependencies [538974a]

... (truncated)

Commits

• 93ad540 Version Packages (#15489)
• a15eda9 Version Packages (#15473)
• e33b836 Version Packages (#15440)
• 4a98945 Version Packages (#15406)
• f8d3003 Version Packages (#15356)
• 2e7664b Version Packages (#15315)
• c76ce9c Version Packages (#15257)
• c0e4fef Version Packages (#15251)
• 43e5359 Version Packages (#15221)
• e2f1bca Version Packages (#15216)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/react since your current version.

Updates @aws-sdk/client-s3 from 3.984.0 to 3.1051.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1051.0

3.1051.0(2026-05-20)

Chores

• harden GitHub Actions workflows (#8032) (3e48a098)

Documentation Changes

• client-mwaa: Updated API documentation to describe the PublicAndPrivate webserver access mode. (d96c0a14)

New Features

• clients: update client endpoints as of 2026-05-20 (1214aae4)
• client-customer-profiles: Amazon Connect Customer Profiles adds support for item catalog columns in RecommenderSchema, ExcludedColumns in Create and Update Recommender to specify columns to exclude from training, and the ability to disable automatic retraining by setting TrainingFrequency to 0. (15e208ec)
• client-bedrock-runtime: Supporting Request Metadata for Invoke Model and Invoke Model with Response Stream (d0633866)
• client-payment-cryptography-data: GenerateAuthRequestCryptogram API launch. (bb91020a)
• client-kms: AWS KMS now supports creating grants for AWS service principals using new GranteeServicePrincipal and RetiringServicePrincipal parameters. This release adds SourceArn grant constraint and three condition keys for controlling CreateGrant access. For more information, see Grants in AWS KMS. (be8a4113)

---

For list of updated packages, view updated-packages.md in assets-3.1051.0.zip

v3.1050.0

3.1050.0(2026-05-19)

New Features

• clients: update client endpoints as of 2026-05-19 (9a5e6f03)
• client-sagemaker: Add support for ml.p5.4xlarge and ml.p5en.48xlarge instances on SageMaker Notebook Instances Platform. (73a3e28f)
• client-grafana: Introduce degraded workspace status as a possible Amazon Managed Grafana workspace status, and a new field named degraded workspace reason which informs customers why the workspace is degraded in the DescribeWorkspace API response. (af49cb81)
• client-rtbfabric: This release is to deprecate 'inboundLinksCount' field in GetResponderGateway response and introduce the new field 'linksRequestedCount' to replace it. (3c9765e3)
• client-devops-agent: Added a new serviceType mcpserversigv4 service and association. This provides feature to register MCP sigv4 authorization based MCPs (84e18e58)
• client-guardduty: Adding support for exposure and vulnerability context from AWS Security Hub in GuardDuty Extended Threat Detection attack sequence findings. (de2356de)
• client-bedrock-agentcore: Add RetryableConflictException (HTTP 409) to InvokeAgentRuntime and StopRuntimeSession to prevent orphaned VMs during concurrent session access. The SDK automatically retries this exception with backoff. Enforcement is not yet active and will be enabled in a future service update. (239af13e)

Tests

• lib-storage: speed up lib-storage e2e tests by reducing permutations (#8028) (273afd4e)

---

For list of updated packages, view updated-packages.md in assets-3.1050.0.zip

v3.1049.0

3.1049.0(2026-05-18)

Documentation Changes

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1051.0 (2026-05-20)

Note: Version bump only for package @​aws-sdk/client-s3

3.1050.0 (2026-05-19)

Note: Version bump only for package @​aws-sdk/client-s3

3.1049.0 (2026-05-18)

Bug Fixes

• client-sts: update imports to new module locations (#8025) (be183b6)

3.1048.0 (2026-05-15)

Note: Version bump only for package @​aws-sdk/client-s3

3.1047.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-s3

3.1046.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-s3

... (truncated)

Commits

• b825c13 Publish v3.1051.0
• bdc9fc6 Publish v3.1050.0
• 04d52f3 Publish v3.1049.0
• be183b6 fix(client-sts): update imports to new module locations (#8025)
• 313813d Publish v3.1048.0
• 1af9047 chore(codegen): updated import sources for aws-sdk core (#8015)
• eabae7d chore(codegen): sync for browser bundle fixes (#8022)
• 8edb907 Publish v3.1047.0
• a664335 Publish v3.1046.0
• 9ce20f6 chore(codegen): dependency version bump (#8008)
• Additional commits viewable in compare view

Updates @aws-sdk/s3-request-presigner from 3.984.0 to 3.1051.0

Release notes

Sourced from @​aws-sdk/s3-request-presigner's releases.

v3.1051.0

3.1051.0(2026-05-20)

Chores

• harden GitHub Actions workflows (#8032) (3e48a098)

Documentation Changes

• client-mwaa: Updated API documentation to describe the PublicAndPrivate webserver access mode. (d96c0a14)

New Features

• clients: update client endpoints as of 2026-05-20 (1214aae4)
• client-customer-profiles: Amazon Connect Customer Profiles adds support for item catalog columns in RecommenderSchema, ExcludedColumns in Create and Update Recommender to specify columns to exclude from training, and the ability to disable automatic retraining by setting TrainingFrequency to 0. (15e208ec)
• client-bedrock-runtime: Supporting Request Metadata for Invoke Model and Invoke Model with Response Stream (d0633866)
• client-payment-cryptography-data: GenerateAuthRequestCryptogram API launch. (bb91020a)
• client-kms: AWS KMS now supports creating grants for AWS service principals using new GranteeServicePrincipal and RetiringServicePrincipal parameters. This release adds SourceArn grant constraint and three condition keys for controlling CreateGrant access. For more information, see Grants in AWS KMS. (be8a4113)

---

For list of updated packages, view updated-packages.md in assets-3.1051.0.zip

v3.1050.0

3.1050.0(2026-05-19)

New Features

• clients: update client endpoints as of 2026-05-19 (9a5e6f03)
• client-sagemaker: Add support for ml.p5.4xlarge and ml.p5en.48xlarge instances on SageMaker Notebook Instances Platform. (73a3e28f)
• client-grafana: Introduce degraded workspace status as a possible Amazon Managed Grafana workspace status, and a new field named degraded workspace reason which informs customers why the workspace is degraded in the DescribeWorkspace API response. (af49cb81)
• client-rtbfabric: This release is to deprecate 'inboundLinksCount' field in GetResponderGateway response and introduce the new field 'linksRequestedCount' to replace it. (3c9765e3)
• client-devops-agent: Added a new serviceType mcpserversigv4 service and association. This provides feature to register MCP sigv4 authorization based MCPs (84e18e58)
• client-guardduty: Adding support for exposure and vulnerability context from AWS Security Hub in GuardDuty Extended Threat Detection attack sequence findings. (de2356de)
• client-bedrock-agentcore: Add RetryableConflictException (HTTP 409) to InvokeAgentRuntime and StopRuntimeSession to prevent orphaned VMs during concurrent session access. The SDK automatically retries this exception with backoff. Enforcement is not yet active and will be enabled in a future service update. (239af13e)

Tests

• lib-storage: speed up lib-storage e2e tests by reducing permutations (#8028) (273afd4e)

---

For list of updated packages, view updated-packages.md in assets-3.1050.0.zip

v3.1049.0

3.1049.0(2026-05-18)

Documentation Changes

... (truncated)

Changelog

Sourced from @​aws-sdk/s3-request-presigner's changelog.

3.1051.0 (2026-05-20)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1050.0 (2026-05-19)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1049.0 (2026-05-18)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1048.0 (2026-05-15)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1047.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1046.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1045.0 (2026-05-07)

... (truncated)

Commits

• b825c13 Publish v3.1051.0
• bdc9fc6 Publish v3.1050.0
• 04d52f3 Publish v3.1049.0
• 313813d Publish v3.1048.0
• 901b75a chore(packages): update import paths (#8024)
• eabae7d chore(codegen): sync for browser bundle fixes (#8022)
• 8edb907 Publish v3.1047.0
• a664335 Publish v3.1046.0
• 6a0f061 chore(core/util): migrate minor utility functions to core (#8007)
• 9ce20f6 chore(codegen): dependency version bump (#8008)
• Additional commits viewable in compare view

Updates @fumadocs/content-collections from 1.2.6 to 1.2.9

Commits

• fa60913 Version Packages (#3202)
• 2d8f596 Chore: fix npm pack skipping nested node_modules
• b5af621 Merge pull request #3200 from fuma-nama/changeset-release/dev
• 79995e9 fix tsdown warnings
• 9518cc8 OpenAPI: remove openapi-sampler dep
• 335b9c1 Chore: bundle more deps
• 498425b UI: pre-calculate TOC item positions
• 7cdde7c UI: improve TOC performance
• 690ddb9 Chore: bundle more deps
• 8999346 Version Packages (#3198)
• Additional commits viewable in compare view

Updates @hono/zod-openapi from 1.2.1 to 1.4.0

Release notes

Sourced from @​hono/zod-openapi's releases.

@​hono/zod-openapi@​1.4.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-openapi): bump peerDependencies.hono to >=4.10.0 to match the runtime requirement coming through @hono/zod-validator.

  @hono/zod-openapi lists @hono/zod-validator as a direct (non-peer) dependency, so its peer range must be at least as strict as @hono/zod-validator's. After the typed-400 fix bumps @hono/zod-validator's peerDependencies.hono to >=4.10.0, leaving @hono/zod-openapi's peer at >=4.3.6 would let consumers install @hono/zod-openapi against e.g. hono@4.9.9, where the bundled @hono/zod-validator types reference the 4-argument MiddlewareHandler<E, P, I, R> (introduced in Hono v4.10.0) and fail to compile (TS2707).

Patch Changes

• Updated dependencies [e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67]:
  • @​hono/zod-validator@​0.8.0

@​hono/zod-openapi@​1.3.0

Minor Changes

• #1752 fe0f8e4b44ca8e78d2ed60ed8591f415cd85eaa9 Thanks @​destroSunRay! - This PR adds two new utilities to improve route definition and registration in @hono/zod-openapi:

  • defineOpenAPIRoute: Provides explicit type safety for route definitions
  • openapiRoutes: Enables batch registration of multiple routes with full type safety
  • Registering many routes individually was repetitive and verbose
  • Type inference for complex route configurations was challenging
  • Organizing routes across multiple files was difficult
  • No built-in support for conditional route registration
  • RPC type safety was hard to maintain across scattered route registrations
  • defineOpenAPIRoute: Wraps route definitions with explicit types for better IDE support and type checking
  • openapiRoutes: Accepts an array of route definitions and registers them all at once
  • Supports addRoute flag for conditional registration
  • Maintains full type safety and RPC support through recursive type merging
  • Enables clean modular organization of routes
  • ✅ Reduced boilerplate code
  • ✅ Better type inference and IDE autocomplete
  • ✅ Easier code organization and maintainability
  • ✅ Declarative conditional routes
  • ✅ Full backward compatibility

  See the updated README for usage examples.

  • All existing tests pass (102/102)
  • Added tests for new functionality
  • Verified type inference works correctly
  • Updated package README with usage examples

@​hono/zod-openapi@​1.2.4

Patch Changes

• #1831 40ede9c55abe672798deca6970ef60b945382d34 Thanks @​yusukebe! - fix: publish to JSR

@​hono/zod-openapi@​1.2.3

Patch Changes

... (truncated)

Changelog

Sourced from @​hono/zod-openapi's changelog.

1.4.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-openapi): bump peerDependencies.hono to >=4.10.0 to match the runtime requirement coming through @hono/zod-validator.

  @hono/zod-openapi lists @hono/zod-validator as a direct (non-peer) dependency, so its peer range must be at least as strict as @hono/zod-validator's. After the typed-400 fix bumps @hono/zod-validator's peerDependencies.hono to >=4.10.0, leaving @hono/zod-openapi's peer at >=4.3.6 would let consumers install @hono/zod-openapi against e.g. hono@4.9.9, where the bundled @hono/zod-validator types reference the 4-argument MiddlewareHandler<E, P, I, R> (introduced in Hono v4.10.0) and fail to compile (TS2707).

Patch Changes

• Updated dependencies [e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67]:
  • @​hono/zod-validator@​0.8.0

1.3.0

Minor Changes

• #1752 fe0f8e4b44ca8e78d2ed60ed8591f415cd85eaa9 Thanks @​destroSunRay! - This PR adds two new utilities to improve route definition and registration in @hono/zod-openapi:

  • defineOpenAPIRoute: Provides explicit type safety for route definitions
  • openapiRoutes: Enables batch registration of multiple routes with full type safety
  • Registering many routes individually was repetitive and verbose
  • Type inference for complex route configurations was challenging
  • Organizing routes across multiple files was difficult
  • No built-in support for conditional route registration
  • RPC type safety was hard to maintain across scattered route registrations
  • defineOpenAPIRoute: Wraps route definitions with explicit types for better IDE support and type checking
  • openapiRoutes: Accepts an array of route definitions and registers them all at once
  • Supports addRoute flag for conditional registration
  • Maintains full type safety and RPC support through recursive type merging
  • Enables clean modular organization of routes
  • ✅ Reduced boilerplate code
  • ✅ Better type inference and IDE autocomplete
  • ✅ Easier code organization and maintainability
  • ✅ Declarative conditional routes
  • ✅ Full backward compatibility

  See the updated README for usage examples.

  • All existing tests pass (102/102)
  • Added tests for new functionality
  • Verified type inference works correctly
  • Updated package README with usage examples

1.2.4

Patch Changes

• #1831 40ede9c55abe672798deca6970ef60b945382d34 Thanks @​yusukebe! - fix: publish to JSR

1.2.3

... (truncated)

Commits

• a08b023 Version Packages (#1887)
• e90e4fb feat(zod-validator): surface the default 400 on the no-hook overload and keep...
• 5eeca71 Version Packages (#1849)
• fe0f8e4 feat(zod-openapi): add defineOpenAPIRoute and openapiRoutes for batch route r...
• a6f4ef5 Version Packages (#1832)
• 40ede9c fix(zod-openapi): publish to JSR (#1831)
• 38993fa Version Packages (#1811)
• db8fd16 fix(zod-openapi): bump @​asteasolutions/zod-to-openapi to allow nested discrim...
• e762ac0 feat(eslint): ignoring variables and parameters prefixed with _ (#1772)
• 27d8981 Version Packages (#1749)
• Additional commits viewable in compare view

Updates @hono/zod-validator from 0.7.6 to 0.8.0

Release notes

Sourced from @​hono/zod-validator's releases.

@​hono/zod-validator@​0.8.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-validator): surface the default 400 failure response so it propagates to the RPC schema (refs honojs/hono#3746).
  • Widen the no-hook overload return type to MiddlewareHandler<E, P, V, TypedResponse<ZodValidatorFailureBody<T>, 400, 'json'>>, so the default c.json(result, 400) body reaches MergeMiddlewareResponse<M_k> on the Hono side and shows up in hc<typeof app> as a typed 400 branch.
  • Intersect the inferred middleware response with Response (Response & TypedResponse<...>) in both ZodValidatorFailureResponse<T> and ExtractValidationResponse<VF> so a zValidator(...) middleware remains assignable to a plain MiddlewareHandler (avoids a TS2322 regression caused by bare TypedResponse).
  • Collapse the no-hook overload to also accept undefined for the hook parameter together with the options.validationFunction, allowing zValidator(target, schema, undefined, { validationFunction }) to match the typed-failure path.
  • Bump peerDependencies.hono to >=4.10.0 because this PR now relies on the 4-argument MiddlewareHandler<E, P, I, R> signature introduced in Hono v4.10.0; on hono <4.10.0, MiddlewareHandler only accepts 3 type arguments and consumers would hit TS2707 even though peer ranges currently allow it.

Changelog

Sourced from @​hono/zod-validator's changelog.

0.8.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-validator): surface the default 400 failure response so it propagates to the RPC schema (refs honojs/hono#3746).
  • Widen the no-hook overload return type to MiddlewareHandler<E, P, V, TypedResponse<ZodValidatorFailureBody<T>, 400, 'json'>>, so the default c.json(result, 400) body reaches MergeMiddlewareResponse<M_k> on the Hono side and shows up in hc<typeof app> as a typed 400 branch.
  • Intersect the inferred middleware response with Response (Response & TypedResponse<...>) in both ZodValidatorFailureResponse<T> and ExtractValidationResponse<VF> so a zValidator(...) middleware remains assignable to a plain MiddlewareHandler (avoids a TS2322 regression caused by bare TypedResponse).
  • Collapse the no-hook overload to also accept undefined for the hook parameter together with the options.validationFunction, allowing zValidator(target, schema, undefined, { validationFunction }) to match the typed-failure path.
  • Bump peerDependencies.hono to >=4.10.0 because this PR now relies on the 4-argument MiddlewareHandler<E, P, I, R> signature introduced in Hono v4.10.0; on hono <4.10.0, MiddlewareHandler only accepts 3 type arguments and consumers would hit TS2707 even though peer ranges currently allow it.

Commits

• a08b023 Version Packages (#1887)
• e90e4fb feat(zod-validator): surface the default 400 on the no-hook overload and keep...
• e762ac0 feat(eslint): ignoring variables and parameters prefixed with _ (#1772)
• 475cd12 chore: update typescript to 5.9.3 (#1741)
• 96ae310 chore: update Zod/Valibot import examples to use namespace imports in docs an...
• fbec266 chore(deps-dev): bump hono from 4.11.3 to 4.11.4 (#1710)
• c7edf1e chore(deps-dev): upgrade @cloudflare/vitest-pool-workers and vitest (#1714)
• 03a28c5 fix: less strict template expressions (#1681)
• 1f8372e chore(typescript): add @tsconfig/strictest (#1679)
• 49db969 chore(eslint): update suppressions (#1678)
• Additional commits viewable in compare view

Updates @next/third-parties from 16.1.6 to 16.2.6

Release notes

Sourced from @​next/third-parties's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• 766148f v16.2.5
• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• ed7d2ce v16.2.1
• c5c94df v16.2.0
• 3683192 v16.2.0-canary.104
• 6689814 v16.2.0-canary.103
• ad66dbc v16.2.0-canary.102
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/third-parties since your current version.

Updates @paralleldrive/cuid2 from 2.3.1 to 3.3.0

Changelog

Sourced from @​paralleldrive/cuid2's changelog.

[3.3.0] - 2026-01-25

Fixed

• Fix typo in package.json exports field: ./package.json path was incorrectly specified
• Fix TypeScript compilation error (TS1203) by replacing export = with named exports in index.d.ts

Updated

• Update AI development framework (aidd) to v2.5.0 for enhanced security reviews
• Update all devDependencies to latest versions (@​types/node, @​types/react, eslint, eslint-config-next, eslint-config-prettier, eslint-plugin-prettier, next, prettier, react, react-dom, release-it, riteway, updtr, watch)

[3.0.2] - 2025-10-27

Changed

• Remove collision-test from pre-commit hook to unblock release process

Fixed

• Replace BigInt with bignumber.js for broader browser support (legacy browsers)
• Add export module field to package.json for better ESM compatibility

Added

• Implement CSPRNG using crypto.getRandomValues for enhanced security
• Add validation to throw error when length > 32

Documentation

• Fix typo: Change "Pseudo" to "Pseudo" in README.md
• Update link for PleaseRobMe.com

[3.0.0] - 2025-10-18

⚠️ BREAKING CHANGES

• Convert entire project from CommonJS to ES modules
  • Changed from require()/module.exports to import/export
  • Added "type": "module" to package.json
  • Users must use ESM imports or upgrade to this version carefully
  • For CommonJS compatibility, use v2.3.1 instead

Commits

• 2275e80 chore(release): v3.3.0
• 3af6f1b chore: update CHANGELOG for v3.2.1
• ee1ff97 Merge pull request #119 from paralleldrive/update
• 59541b5 chore: downgrade packages for security
• aebdc31 chore: remove legacy Travis CI config
• 71b5d09 ci: add GitHub Actions workflow
• d044cfe chore: update dependencies and AI framework
• 3bec9b1 Merge pull request #116 from paralleldrive/copilot/fix-typescript-error-ts1203
• a910d6e Delete REVIEW.md
<...

Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.