chore(deps)(deps): bump the batched-minor-patch group across 1 directory with 28 updates

[dependabot]

Bumps the batched-minor-patch group with 26 updates in the / directory:

Package	From	To
@radix-ui/themes	3.2.1	3.3.0
@upstash/ratelimit	2.0.7	2.0.8
@upstash/redis	1.35.6	1.38.0
better-auth	1.3.34	1.6.13
date-fns	4.1.0	4.4.0
js-yaml	4.1.1	4.2.0
next	16.0.3	16.2.6
next-auth	4.24.13	4.24.14
next-devtools-mcp	0.3.3	0.3.10
otpauth	9.4.1	9.5.1
react	19.2.0	19.2.6
@types/react	19.2.4	19.2.15
react-dom	19.2.0	19.2.6
react-hook-form	7.66.0	7.77.0
recharts	3.4.1	3.8.1
@axe-core/playwright	4.11.0	4.11.3
@eslint/eslintrc	3.3.1	3.3.5
@playwright/test	1.56.1	1.60.0
@tailwindcss/forms	0.5.10	0.5.11
@tailwindcss/postcss	4.1.17	4.3.0
@testing-library/react	16.3.0	16.3.2
autoprefixer	10.4.22	10.5.0
jest-mock-extended	4.0.0	4.0.1
prettier	3.6.2	3.8.3
prettier-plugin-tailwindcss	0.7.1	0.8.0
tsx	4.20.6	4.22.4

Updates @radix-ui/themes from 3.2.1 to 3.3.0

Release notes

Sourced from @​radix-ui/themes's releases.

3.3.0

What's Changed

• Add soft variant to the Kbd component (#774)
• Add new layout props to Grid and layout components: alignContent, justifyItems, alignSelf, justifySelf (#744)
• Deprecate breakpoints array. In the next major version, it will be replaced with a Set for easier lookups and comparisons.

Changelog

Sourced from @​radix-ui/themes's changelog.

Release process

This is a work-in-progress document and will be updated as we refine our release process.

Release strategy

We track versions during the pull request process. As features are added, modified or improved it's important to keep track of these via versioning.

Tracking version changes

PRs that fix bugs or add features should include an addition to packages/radix-ui-themes/CHANGELOG.md under a new version heading. The actual release version may differ, so be sure to double check this at publish time.

Publishing a stable release

You must be a maintainer of the repository and have write access to publish a release.

1. Create a new branch for the release. We recommend the branch naming convention release/<version> for this (e.g. release/3.3.0).
2. Update the version in packages/radix-ui-themes/package.json and ensure the changelog is up to date.
3. Add and commit with the commit message of v<version> (e.g. v3.3.0).
4. Push the branch to the repository and create a pull request.
5. When checks pass and the pull request is approved, merge it into main.
6. Create a new tag for the release with the format <version> (e.g. 3.3.0).
   • If you do this locally, be sure to pull the latest changes from main to ensure you have the new version changes from the previous step.
7. Create a new GitHub release from the tag. Use the changelog entry for the version as its release notes.
8. The GitHub action will be triggered by the publish workflow and will automatically publish the package to npm.

To publish a pre-release you must build and publish manually. Use pnpm publish -r --tag <tag>, where <tag> is the pre-release tag (e.g. alpha, beta, rc)

Updating documentation

Our documentation is in a separate repository and updating it is a three step process:

1. Write and update the change log
2. Bump package version/s and create / update the pages for each version change
3. Perform documentation updates and remove live demos from previous versions

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/themes since your current version.

Updates @upstash/ratelimit from 2.0.7 to 2.0.8

Release notes

Sourced from @​upstash/ratelimit's releases.

v2.0.8

What's Changed

• DX-2280: Remove large-group runners by @​CahidArda in upstash/ratelimit-js#144
• Fix React Server Components CVE vulnerabilities by @​vercel[bot] in upstash/ratelimit-js#145
• DX-2316: bump next by @​CahidArda in upstash/ratelimit-js#146
• DX-2254: add global dynamic limit by @​CahidArda in upstash/ratelimit-js#147

New Contributors

• @​vercel[bot] made their first contribution in upstash/ratelimit-js#145

Full Changelog: upstash/ratelimit-js@v2.0.7...v2.0.8

Commits

• a8b1b99 DX-2254: add global dynamic limit (#147)
• 8589adb fix: bump next (#146)
• ade4aa8 Merge pull request #145 from upstash/vercel/react-server-components-cve-vu-qx...
• e19785d Fix React Server Components CVE vulnerabilities
• 67e8bc2 DX-2280: Remove specific runner configuration from test job in GitHub Actions...
• See full diff in compare view

Updates @upstash/redis from 1.35.6 to 1.38.0

Release notes

Sourced from @​upstash/redis's releases.

@​upstash/redis@​1.38.0

Minor Changes

• c71f581: Separate read/write commands into separate pipelines in auto pipeline. As a result, mixed read/write Promise.all batches may now be split across multiple pipeline HTTP requests instead of a single request, and read-after-write ordering may no longer be preserved within those mixed batches.

@upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

What's Changed

• DX-2506: add redis search into skills by @​CahidArda in upstash/redis-js#1427
• fix: rename redis search analytics demo by @​CahidArda in upstash/redis-js#1428
• DX-2555: add supply chain security settings by @​CahidArda in upstash/redis-js#1429
• fix: add version sync to ci by @​alitariksahin in upstash/redis-js#1430

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.37.0...@​upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

@​upstash/redis@​1.37.0

Minor Changes

• 6f2a831: Release redis search

Patch Changes

• 3980b45: Add monorepo structure

@upstash/redis@1.37.0-canary-20260312092231-7405c30f6a505815bbeb69b713a22978f104ec1f

What's Changed

• DX-2445: redis package version and changeset for search release by @​CahidArda in upstash/redis-js#1423
• DX-2445: fix redis version, add repository.url to search packages by @​CahidArda in upstash/redis-js#1424
• DX-2445: use pnpm publish for search packages to resolve workspace:* deps by @​CahidArda in upstash/redis-js#1425

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.30.3-canary-20260312082754-96a99a4e83fc560b77c36808627213e528c2f110...@​upstash/redis@1.37.0-canary-20260312092231-7405c30f6a505815bbeb69b713a22978f104ec1f

@​upstash/redis@​1.37.0-canary-20260312084440-fba95e89e54d8ba63f020400247a1ef0dbdd2c84

What's Changed

• DX-2445: redis package version and changeset for search release by @​CahidArda in upstash/redis-js#1423
• DX-2445: fix redis version, add repository.url to search packages by @​CahidArda in upstash/redis-js#1424

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.30.3-canary-20260312082754-96a99a4e83fc560b77c36808627213e528c2f110...@​upstash/redis@1.37.0-canary-20260312084440-fba95e89e54d8ba63f020400247a1ef0dbdd2c84

Commits

• 7607549 chore: version packages (#1433)
• c71f581 DX-2577: Seperate read/write commands into seperate pipelines in auto pipelin...
• e3a23ab fix: add version sync to ci (#1430)
• 12e9a9e DX-2555: add supply chain security settings (#1429)
• f59fa75 fix: docs link
• c88b8e5 fix: rename redis search analytics demo (#1428)
• 5d8abc1 feat: add redis search into skills (#1427)
• 7e8fbed chore: version packages (#1420)
• 703f6d4 fix: handle FROM field option in SEARCH.DESCRIBE deserialization (#1426)
• 15b4fc9 fix: use pnpm publish for search packages to resolve workspace:* deps (#1425)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​upstash/redis since your current version.

Updates better-auth from 1.3.34 to 1.6.13

Release notes

Sourced from better-auth's releases.

v1.6.13

better-auth

Features

• Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

• Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
• Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
• Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
• Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
• Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
• Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML Single Logout leaving the user signed in due to session deletion matching on row ID instead of session token
• Fixed ambiguous internalAdapter helper methods that could silently match the wrong account or wipe all sessions for a user (#9818)
• Fixed a high-severity XML injection vulnerability in signed SAML assertions by updating samlify to 2.13.1 (GHSA-34r5-q4jw-r36m) (#9821)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed verifyApiKey rejecting keys created under a non-default configId when the request omitted configId (#9794)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Fixed a silent failure in consumeOne when an adapter's deleteMany returned a non-numeric value, now surfacing a clear error (#9831)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

• Fixed sign-in being lost on Expo when a provider issues large tokens, by splitting oversized account cookies across multiple storage keys (#9815)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.13

Patch Changes

• #9813 d3919dc Thanks @​gustavovalverde! - Support server-side accountInfo calls without session headers.

  auth.api.accountInfo now accepts an optional userId, so a trusted server-side caller can read a user's provider profile without constructing session headers. This mirrors getAccessToken and refreshToken. HTTP callers still require a valid session, and a session always takes precedence over a supplied userId.

  The shared "resolve the target user, then fetch a valid access token" logic behind these three endpoints now lives in one place. As part of that, a server-side call that supplies neither a session nor a userId reports USER_ID_OR_SESSION_REQUIRED (400) consistently, rather than UNAUTHORIZED on some endpoints.

• #9591 5f282bd Thanks @​Vishesh-Verma-07! - When only secondaryStorage is configured (no primary database), storeStateStrategy now defaults to "database" instead of "cookie", preventing oversized-cookie errors on platforms like AWS Lambda. The account cookie that holds OAuth tokens in database-less setups stays enabled, so getAccessToken keeps working.

• #9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

  Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

  Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

• #9818 43c08a2 Thanks @​gustavovalverde! - Fix Google One Tap signing in the wrong user when the presented Google account is already linked to someone else. One Tap now resolves identity through the shared OAuth path, so the user who owns the Google subject is signed in, matching the redirect and signIn.social flows. Previously it matched a local user by the token's email and used the subject only to decide linking, so a Google credential owned by one user could authenticate a different user who happened to share that email.

  /account-info now resolves the account from the signed-in user's own linked accounts and accepts an optional providerId to disambiguate when two providers issue the same account ID. A colliding account ID returns a distinct AMBIGUOUS_ACCOUNT error instead of a misleading "not found", and an account with no configured social provider returns a 400 rather than a 500.

• #9838 be32012 Thanks @​gustavovalverde! - Validate the scheme of OAuth redirect_uris in the oidc-provider and mcp plugins.

  Both plugins previously accepted any string as a redirect_uri at registration. They now reject the javascript:, data:, and vbscript: schemes, which are never valid OAuth redirect targets. The @better-auth/oauth-provider package already applied this check, so this change brings the two older plugins in line with it.

  The redirect-URI scheme policy now lives in @better-auth/core as a single SafeUrlSchema and an isSafeUrlScheme helper, and the OAuth provider plugins share that one implementation. The client navigation helpers (redirectPlugin, one-tap, and two-factor) also skip navigation when the target uses one of these schemes.

  The change is non-breaking. The http, https, loopback, and custom application schemes still register unchanged. Both oidc-provider and mcp are on the migration path to @better-auth/oauth-provider, which remains the route to its stricter HTTPS-or-loopback policy.

• #9842 87c1a0c Thanks @​bytaesu! - You can now clear an organization's logo by passing logo: null to createOrganization and updateOrganization. Previously only a string was accepted, so an existing logo could not be removed.

• #9822 9c8ded6 Thanks @​gustavovalverde! - Document viewBackupCodes as a server-only function so its API comment no longer reads like an HTTP route.

  The JSDoc above auth.api.viewBackupCodes advertised POST /two-factor/view-backup-codes, but the endpoint is server-only: it is not registered on the HTTP router and has no client method. The comment now states that it is callable only from trusted server code and that the userId should come from an authenticated session.

• #8758 23d7cbf Thanks @​bytaesu! - Apply accountLinking.updateUserInfoOnLink across every OAuth link flow.

  Enabling updateUserInfoOnLink only synced the user's profile when linking through a direct ID token. Linking through the standard OAuth redirect (linkSocial, the generic OAuth oauth2.link endpoint, and implicit linking on social sign-in) ignored the option, so the name and image never changed. Every link path now honors it.

  The synced fields match the sign-up path: name, image, and any fields your mapProfileToUser adds. The local email and emailVerified are never changed on a link, so linking a provider cannot rebind the account's identity.

  Implicit linking on social sign-in also returned the pre-update user, so the freshly issued session served stale profile data from its cookie cache until the cache expired. The new session now carries the updated profile.

• Updated dependencies [43c08a2, 5c3e248]:

  • @​better-auth/core@​1.6.13
  • @​better-auth/drizzle-adapter@​1.6.13
  • @​better-auth/kysely-adapter@​1.6.13
  • @​better-auth/memory-adapter@​1.6.13
  • @​better-auth/mongo-adapter@​1.6.13

... (truncated)

Commits

• a6f38c7 chore: release v1.6.13 (#9804)
• 87c1a0c fix(organization): allow null logo on create and update (#9842)
• be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
• 9c8ded6 docs(two-factor): mark viewBackupCodes as server-only in its API comment (#...
• 43c08a2 fix(account): scope OAuth account identity and fix buggy internalAdapter help...
• 23d7cbf fix(oauth): apply updateUserInfoOnLink in OAuth callback link flow (#8758)
• d3919dc feat(account): support server-side accountInfo calls without session header...
• 5f282bd fix(account): default storeStateStrategy to "database" when using `secondar...
• c0c574e chore: release v1.6.12 (#9590)
• c5b9f93 fix(generic-oauth): add accessTokenExpiresIn for providers that omit `expir...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for better-auth since your current version.

Updates date-fns from 4.1.0 to 4.4.0

Release notes

Sourced from date-fns's releases.

v4.4.0

This release revisits the approach to CDN usage and introduces a new package, @date-fns/cdn and deprecates the date-fns CDN scripts. It allowed reducing the zipped package size from 5.83 MB down to 3.96 MB without introducing any breaking changes.

In v5.0.0-alpha.0 where CDN scripts are completely removed from date-fns the change is more significant and brings the zipped package size down to 2.89 MB.

It is just the first step in optimizing the package size. Expect further size reduction in the future v4 and v5 versions.

Changed

• DEPRECATED: The date-fns CDN scripts are now deprecated and will be removed in the next major release. Please switch to the new @date-fns/cdn package for CDN usage.

• Removed CDN source maps to reduce the package size. If you rely on them, please switch to the new @date-fns/cdn package that still includes them.

v4.3.0

Kudos to @​ImRodry and @​puneetdixit200 for their contributions.

Fixed

• Fixed missing modularized optimization fallback (for Next.js and others). See #4193.

• Fixed pt locale first day of week to be Sunday. See #4195 by @​ImRodry.

• Fixed zh-CN, zh-HK, and zh-TW locale month parsing for October, November, and December. See #4194 by @​puneetdixit200.

v4.2.1

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Commits

• cd53d25 Promote to v4.4.0
• d948ec1 Preserve but deprecate CDN versions for v4, set up v5 with polyfills
• ee65753 Add root mise :format task
• 9f5bdf5 Add positional argument to test/smoke.sh script
• 651ead6 Split CDN bundles into separate @​date-fns/cdn package
• 224c1a2 Deprecate type tests as attw hangs on date-fns package
• 7bb2842 Switch PACKAGE_OUTPUT_PATH to --dist flag in the package build script
• b6ad5ac Add flags to control package build script
• 424a783 Fix docs release after moving to monorepo setup
• f95bcf1 (docs): Add missing tsx dependency
• Additional commits viewable in compare view

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #62.
• Fix trailing whitespace handling when folding flow scalar lines, #307.
• Reject top-level block scalars without content indentation, #280.
• Ensure numbers survive round-trip, #737.
• Fix test coverage for issue #221.
• Fix flow scalar trailing whitespace folding, #307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

Commits

• See full diff in compare view

Updates next from 16.0.3 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates next-auth from 4.24.13 to 4.24.14

Release notes

Sourced from next-auth's releases.

next-auth@4.24.14

Bugfixes

• providers: add issuer to GitHub provider for RFC 9207 compliance (#13412)

GitHub now returns an iss parameter in OAuth callbacks. openid-client validates it unconditionally, which was breaking authentication for apps that didn't configure an issuer. This sets the default GitHub provider issuer to https://github.com/login/oauth.

Commits

• e9a892a chore(release): bump version [skip ci]
• 0497da4 fix(providers): add issuer to github (#13412)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by better-gustavo, a new releaser for next-auth since your current version.

Updates next-devtools-mcp from 0.3.3 to 0.3.10

Release notes

Sourced from next-devtools-mcp's releases.

v0.3.10

What's Changed

• docs: add Google Antigravity configuration instructions to README by @​0ldh in vercel/next-devtools-mcp#111
• Perf: Optimize doc lookup by @​gaojude in vercel/next-devtools-mcp#112

New Contributors

• @​0ldh made their first contribution in vercel/next-devtools-mcp#111

Full Changelog: vercel/next-devtools-mcp@v0.3.9...v0.3.10

v0.3.8

What's Changed

• fix: filter base64 image from screenshot result by @​Burry in vercel/next-devtools-mcp#105
• fix(init): avoid agent idle caused by strict reply prohibition (fix #109) by @​MapleCity1314 in vercel/next-devtools-mcp#110

New Contributors

• @​Burry made their first contribution in vercel/next-devtools-mcp#105
• @​MapleCity1314 made their first contribution in vercel/next-devtools-mcp#110

Full Changelog: vercel/next-devtools-mcp@v0.3.7...v0.3.8

v0.3.7

Fixes

• fix: upgrade @​modelcontextprotocol/sdk to 1.24.3 (CVE-2025-66414) by @​gaojude in vercel/next-devtools-mcp#107

Misc

• fix: upgrade Next.js to 16.0.7 (CVE-2025-55182) by @​ctate in vercel/next-devtools-mcp#106

• @​ctate made their first contribution in vercel/next-devtools-mcp#106

Full Changelog: vercel/next-devtools-mcp@v0.3.6...v0.3.7

v0.3.6

Improvements

• Fix screenshot action using wrong Playwright MCP tool name by @​gaojude in vercel/next-devtools-mcp#98
• Improve port discovery by @​gaojude in vercel/next-devtools-mcp#101

Misc

• ci: update server.json for mcp registry when bump version by @​huozhi in vercel/next-devtools-mcp#102
• Add troubleshooting section for common user issues by @​gaojude in vercel/next-devtools-mcp#97

Full Changelog: vercel/next-devtools-mcp@v0.3.5...v0.3.6

v0.3.5

What's Changed

• Simplify Next.js server discovery by combining server and tool listing by @​gaojude in vercel/next-devtools-mcp#96

Full Changelog: vercel/next-devtools-mcp@v0.3.4...v0.3.5

... (truncated)

Commits

• d1b3e56 chore: bump version to 0.3.10
• 7330deb simplify docs search (#112)
• 6751777 docs: add Google Antigravity configuration instructions to README (#111)
• 38bf006 chore: bump version to 0.3.9
• edd1acf improve use cache migration (#108)
• af3d601 chore: bump version to 0.3.8
• 19cd8c3 fix: update ai_response_instruction for initialization process (#110)
• 8b8a4e5 fix: filter base64 image from screenshot result (#105)
• 316fcec chore: bump version to 0.3.7
• e869d6e bump mcp sdk (#107)
• Additional commits viewable in compare view

Updates otpauth from 9.4.1 to 9.5.1

Release notes

Sourced from otpauth's releases.

v9.5.1

What's Changed

• Bump rollup from 4.57.1 to 4.59.0 by @​dependabot[bot] in hectorm/otpauth#674
• Bump minimatch by @​dependabot[bot] in hectorm/otpauth#673
• Bump the github-actions-all group with 3 updates by @​dependabot[bot] in hectorm/otpauth#675
• Bump the npm-development-minor-patch group across 1 directory with 7 updates by @​dependabot[bot] in hectorm/otpauth#677
• Bump the github-actions-all group with 3 updates by @​dependabot[bot] in hectorm/otpauth#679
• Bump @​rollup/plugin-terser from 0.4.4 to 1.0.0 by @​dependabot[bot] in hectorm/otpauth#680
• Bump eslint from 9.39.2 to 10.0.3 by @​dependabot[bot] in hectorm/otpauth#678
• Bump @​eslint/js from 9.39.2 to 10.0.1 by @​dependabot[bot] in hectorm/otpauth#670
• Bump the npm-development-minor-patch group across 1 directory with 8 updates by @​dependabot[bot] in hectorm/otpauth#686
• Bump the github-actions-all group with 5 updates by @​dependabot[bot] in hectorm/otpauth#685
• Bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in hectorm/otpauth#684
• Bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in hectorm/otpauth#682
• Bump the github-actions-all group with 4 updates by @​dependabot[bot] in hectorm/otpauth#692
• Bump @​noble/hashes from 2.0.1 to 2.2.0 in the npm-production-minor-patch group by @​dependabot[bot] in hectorm/otpauth#688
• Bump the npm-development-minor-patch group across 1 directory with 8 updates by @​dependabot[bot] in hectorm/otpauth#690

Full Changelog: hectorm/otpauth@v9.5.0...v9.5.1

v9.5.0

What's Changed

• Bump the npm-development-minor-patch group across 1 directory with 13 updates by @​dependabot[bot] in hectorm/otpauth#635
• Bump @​noble/hashes from 1.8.0 to 2.0.1 by @​dependabot[bot] in hectorm/otpauth#632
• Bump the github-actions-all group across 1 directory with 5 updates by @​dependabot[bot] in hectorm/otpauth#637
• Bump the npm-development-minor-patch group with 3 updates by @​dependabot[bot] in hectorm/otpauth#636
• Bump glob by @​dependabot[bot] in hectorm/otpauth#645
• Bump js-yaml from 4.1.0 to 4.1.1 by @​dependabot[bot] in hectorm/otpauth#643
• Bump the github-actions-all group across 1 directory with 5 updates by @​dependabot[bot] in hectorm/otpauth#647
• Bump the npm-development-minor-patch group across 1 directory with 14 updates by @​dependabot[bot] in hectorm/otpauth#646
• Bump @​eslint/core from 0.16.0 to 1.0.0 by @​dependabot[bot] in hectorm/otpauth#650
• Bump the github-actions-all group with 5 updates by @​dependabot[bot] in hectorm/otpauth#654
• Bump the npm-development-minor-patch group across 1 directory with 5 updates by @​dependabot[bot] in hectorm/otpauth#653
• Bump the npm-development-minor-patch group across 1 directory with 5 updates by @​dependabot[bot] in <...

  Description has been truncated

[github-actions]

👋 Thanks for opening your first pull request in StormCom!

A maintainer will review your PR soon. Please make sure:

• Your PR follows our
  Contributing Guidelines
• All CI checks pass
• You've added appropriate tests
• Documentation has been updated (if needed)

We appreciate your contribution to making StormCom better! 🚀