chore(deps): bump the production-minor-and-patch group across 1 directory with 5 updates

[dependabot]

Bumps the production-minor-and-patch group with 5 updates in the / directory:

Package	From	To
@supabase/supabase-js	2.108.0	2.108.2
@supabase/ssr	0.10.3	0.12.0
@xyflow/react	12.11.0	12.11.1
sharp	0.34.5	0.35.2
@anthropic-ai/sdk	0.102.0	0.105.0

Updates @supabase/supabase-js from 2.108.0 to 2.108.2

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.108.2

2.108.2 (2026-06-15)

🩹 Fixes

• auth: preserve valid session on refresh failure and cooldown repeat failures (#2436)
• realtime: clarify httpSend() 404 error and server migration note (#2444)
• release: pin Deno and bound JSR publish to survive stranded-task hangs (#2439)
• release: restore JSR publish flags and enable for beta (#2440)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.5

2.108.2-canary.5 (2026-06-15)

This was a version bump only, there were no code changes.

v2.108.2-canary.4

2.108.2-canary.4 (2026-06-12)

🩹 Fixes

• realtime: clarify httpSend() 404 error and server migration note (#2444)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.3

2.108.2-canary.3 (2026-06-11)

This was a version bump only, there were no code changes.

v2.108.2-canary.2

2.108.2-canary.2 (2026-06-11)

🩹 Fixes

• release: restore JSR publish flags and enable for beta (#2440)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.1

2.108.2-canary.1 (2026-06-11)

🩹 Fixes

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.108.2 (2026-06-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

Commits

• 76f3f02 test(auth): add passkey unit and e2e coverage (#2442)
• 65fafe5 chore(release): version 2.108.0 changelogs (#2433)
• See full diff in compare view

Updates @supabase/ssr from 0.10.3 to 0.12.0

Release notes

Sourced from @​supabase/ssr's releases.

v0.12.0

0.12.0 (2026-06-09)

Features

• adds cookies.encode option allowing minimal cookie sizes (#126) (cf38b22)
• bump cookie to 1.0.2 (#113) (b4a77b4)
• cookies: add clearAuthCookiesAtScopes migration helper (#240) (4e47249)
• full rewrite using getAll and setAll cookie methods (#1) (b6ae192)
• improve cookie chunk handling via base64url+length encoding (#90) (6deb687)
• pass cache headers to setAll to prevent CDN caching of auth responses (#176) (14962d2)
• publish SSR under deprecated auth-helpers package names (#127) (e8b6102)
• release workflow RC versioning and publish reliability (#164) (81e68f4)
• update CI so it runs on release as well (#33) (4517996)
• update supabase-js to latest (#133) (d65044d)
• update supabase-js to latest (#145) (08bf7d6)
• upgrade cookie dependency and cleanup imports (#77) (9524528)

Bug Fixes

• add @​types/cookies to dependencies (#63) (47e5f16)
• add create*Client string in x-client-info (#85) (f271acc)
• allow cookies encode without getAll/setAll on browser client (#213) (89f3f28), closes #170
• allow use of createBrowserClient without window present (#20) (27d868d)
• auth: respect user-provided auth options in createBrowserClient (#167) (5f04837)
• check chunkedCookie is string in server client (#57) (549fe62)
• ci: remove packageManager field (#197) (6bf0226)
• cookies console warnings (#136) (64ff6b3)
• deprecate parse, serialize exports for more useful functions (#14) (0b5f881)
• enable tree-shaking for browser bundles (#216) (f009d71)
• fix createBrowserClient deprecation tsdoc (#17) (1df70ad)
• force release (#98) (66710e8)
• re-apply update CI so it runs on release as well (#49) (51d5a43)
• release: pin npm to 11.5.2 so OIDC trusted publisher works (#249) (4af89f7)
• remove optional dependencies (#41) (a48fe6f)
• remove usage of internal type params (#123) (8f3e89e)
• revert "update CI so it runs on release as well" (#44) (9d0e859)
• revert: "feat: improve cookie chunk handling via base64url+length encoding (#90)" (#100) (2ea8e23)
• set max-age default cookie option to 400 days (#54) (f4ed2e0)
• set cookies for password recovery event (#32) (7dc1837)
• set cookies when mfa challenge is verified (#27) (c217f53)
• tsconfig: set explicit rootDir to silence TS6059 in consumer IDEs (#211) (a77ee8a), closes #209
• update conventional commits ci to use main instead of master (#31) (bebce89)
• update README session docs (#159) (b859905)
• update type, remove unused imports, define AuthEvent type (#47) (4f4a375)
• use skipAutoInitialize to prevent SSR token refresh race condition (#131) (0b7be28)
• validate base64-prefixed chunked cookies decode to valid JSON (#210) (302cc0e)

... (truncated)

Changelog

Sourced from @​supabase/ssr's changelog.

0.12.0 (2026-06-09)

Features

• adds cookies.encode option allowing minimal cookie sizes (#126) (cf38b22)
• bump cookie to 1.0.2 (#113) (b4a77b4)
• cookies: add clearAuthCookiesAtScopes migration helper (#240) (4e47249)
• full rewrite using getAll and setAll cookie methods (#1) (b6ae192)
• improve cookie chunk handling via base64url+length encoding (#90) (6deb687)
• pass cache headers to setAll to prevent CDN caching of auth responses (#176) (14962d2)
• publish SSR under deprecated auth-helpers package names (#127) (e8b6102)
• release workflow RC versioning and publish reliability (#164) (81e68f4)
• update CI so it runs on release as well (#33) (4517996)
• update supabase-js to latest (#133) (d65044d)
• update supabase-js to latest (#145) (08bf7d6)
• upgrade cookie dependency and cleanup imports (#77) (9524528)

Bug Fixes

• add @​types/cookies to dependencies (#63) (47e5f16)
• add create*Client string in x-client-info (#85) (f271acc)
• allow cookies encode without getAll/setAll on browser client (#213) (89f3f28), closes #170
• allow use of createBrowserClient without window present (#20) (27d868d)
• auth: respect user-provided auth options in createBrowserClient (#167) (5f04837)
• check chunkedCookie is string in server client (#57) (549fe62)
• ci: remove packageManager field (#197) (6bf0226)
• cookies console warnings (#136) (64ff6b3)
• deprecate parse, serialize exports for more useful functions (#14) (0b5f881)
• enable tree-shaking for browser bundles (#216) (f009d71)
• fix createBrowserClient deprecation tsdoc (#17) (1df70ad)
• force release (#98) (66710e8)
• re-apply update CI so it runs on release as well (#49) (51d5a43)
• release: pin npm to 11.5.2 so OIDC trusted publisher works (#249) (4af89f7)
• remove optional dependencies (#41) (a48fe6f)
• remove usage of internal type params (#123) (8f3e89e)
• revert "update CI so it runs on release as well" (#44) (9d0e859)
• revert: "feat: improve cookie chunk handling via base64url+length encoding (#90)" (#100) (2ea8e23)
• set max-age default cookie option to 400 days (#54) (f4ed2e0)
• set cookies for password recovery event (#32) (7dc1837)
• set cookies when mfa challenge is verified (#27) (c217f53)
• tsconfig: set explicit rootDir to silence TS6059 in consumer IDEs (#211) (a77ee8a), closes #209
• update conventional commits ci to use main instead of master (#31) (bebce89)
• update README session docs (#159) (b859905)
• update type, remove unused imports, define AuthEvent type (#47) (4f4a375)
• use skipAutoInitialize to prevent SSR token refresh race condition (#131) (0b7be28)
• validate base64-prefixed chunked cookies decode to valid JSON (#210) (302cc0e)

0.11.0 (2026-06-05)

... (truncated)

Commits

• d8c9b60 chore(main): release 0.12.0 (#247)
• 4af89f7 fix(release): pin npm to 11.5.2 so OIDC trusted publisher works (#249)
• 164c7ab build(deps-dev): bump vitest from 1.6.1 to 4.1.0 in the npm_and_yarn group ac...
• 2fd3333 chore: update @​supabase/supabase-js to v2.108.0 (#248)
• dd766c4 chore(main): release 0.11.0 (#244)
• 932931e build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#245)
• 4e47249 feat(cookies): add clearAuthCookiesAtScopes migration helper (#240)
• 34f2b6a chore: update @​supabase/supabase-js to v2.107.0 (#243)
• 4292d04 chore: update @​supabase/supabase-js to v2.106.1 (#236)
• a6896b1 chore: update @​supabase/supabase-js to v2.106.0 (#232)
• Additional commits viewable in compare view

Updates @xyflow/react from 12.11.0 to 12.11.1

Release notes

Sourced from @​xyflow/react's releases.

@​xyflow/react@​12.11.1

Patch Changes

• #5815 87da45c - Fix FinalConnectionState type so it preserves the discriminated union.

• #5823 a6afc91 - Update attribution link

• #5824 6b1dac5 - Do not fire on pane click when connection ends on pane

• #5818 4ddc2d8 - Provide the shared handle config (connectOnClick, noPanClassName, rfId) through context instead of subscribing to the store in every Handle, so a store update no longer runs a selector once per handle

• #5817 8df250b - Reduce per-handle work on store updates by returning a shared connection state while no connection is in progress.

• #5822 a6249de - Return stable reference for edge position when connected node gets deleted

• Updated dependencies [ceb8604, 87da45c]:

  • @​xyflow/system@​0.0.78

Changelog

Sourced from @​xyflow/react's changelog.

12.11.1

Patch Changes

• #5815 87da45c - Fix FinalConnectionState type so it preserves the discriminated union.

• #5823 a6afc91 - Update attribution link

• #5824 6b1dac5 - Do not fire on pane click when connection ends on pane

• #5818 4ddc2d8 - Provide the shared handle config (connectOnClick, noPanClassName, rfId) through context instead of subscribing to the store in every Handle, so a store update no longer runs a selector once per handle

• #5817 8df250b - Reduce per-handle work on store updates by returning a shared connection state while no connection is in progress.

• #5822 a6249de - Return stable reference for edge position when connected node gets deleted

• Updated dependencies [ceb8604, 87da45c]:

  • @​xyflow/system@​0.0.78

Commits

• eedbc81 chore(packages): bump
• c7bdce4 chore(pane): cleanup
• cd5ec45 chore(react/pane): cleanup
• f919daa fix(pane): do not fire pane click when connection ends on pane
• 36c8a1a chore(attribution): update link
• 50fd4b4 Merge pull request #5823 from xyflow/refactor/attribution
• 5f1a206 chore(attr): update link
• 4710765 Merge pull request #5822 from xyflow/refactor/edge-deleted-nodes
• 503fc15 Merge branch 'main' into perf/handle-config-context
• ae1b237 refactor(edges): don't create new object when edge returns early because conn...
• Additional commits viewable in compare view

Updates sharp from 0.34.5 to 0.35.2

Release notes

Sourced from sharp's releases.

v0.35.2

• TypeScript: Add mediaType to metadata response. #4492

• Improve WebAssembly fallback detection. #4513

• Improve code bundler support with stub binaries. #4543

• Verify GIF effort option is an integer. #4544 @​metsw24-max

• Verify recomb matrix entries are numbers. #4545 @​metsw24-max

• TypeScript: Replace namespace with named exports for ESM. #4546

• Bound dilate and erode width to avoid mask-size overflow. #4548 @​metsw24-max

• Verify convolve kernel values are numbers. #4549 @​metsw24-max

v0.35.2-rc.2

• TypeScript: Add mediaType to metadata response. #4492

• Improve WebAssembly fallback detection. #4513

• Improve code bundler support with stub binaries. #4543

• Verify GIF effort option is an integer. #4544 @​metsw24-max

• Verify recomb matrix entries are numbers. #4545 @​metsw24-max

• TypeScript: Replace namespace with named exports for ESM. #4546

... (truncated)

Commits

• c9622a3 Release v0.35.2
• cd4568f Upgrade to sharp-libvips v1.3.1
• 78390cf Tests: Add font file to prevent font discovery flakiness (#4550)
• 61210b4 Verify convolve kernel values are numbers (#4549)
• 1cb27dc Prerelease v0.35.2-rc.2
• c7606c3 Upgrade to sharp-libvips v1.3.1-rc.0
• 29d1e9e Prerelease v0.35.2-rc.1
• bbba0a1 Improve code bundler support with stub binaries
• ab52866 Bound dilate and erode width to avoid mask-size overflow (#4548)
• 0f594dd Prerelease v0.35.2-rc.0
• Additional commits viewable in compare view

Updates @anthropic-ai/sdk from 0.102.0 to 0.105.0

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.105.0

0.105.0 (2026-06-18)

Full Changelog: sdk-v0.104.2...sdk-v0.105.0

Features

• api: add support for new code_execution_20260120 tool (8dc2b54)
• stream: lazily parse partial tool json input (#99) (e55ceee)

Chores

• internal/deps: bump swc to 1.15.40 (#97) (a1d4d75)
• internal: use are the types wrong directly (#94) (3d362af)
• tests: stop using deprecated models (#98) (65ae1af)

sdk: v0.104.2

0.104.2 (2026-06-15)

Full Changelog: sdk-v0.104.1...sdk-v0.104.2

Chores

• api: remove retired models from API and SDKs (a942876)

sdk: v0.104.1

0.104.1 (2026-06-09)

Full Changelog: sdk-v0.104.0...sdk-v0.104.1

Bug Fixes

• api: add frontier_llm refusal category (465e686)

sdk: v0.104.0

0.104.0 (2026-06-09)

Full Changelog: sdk-v0.103.0...sdk-v0.104.0

Features

• api: add support for Managed Agents deployments and environment variable credentials (d01e38b)

sdk: v0.103.0

0.103.0 (2026-06-09)

Full Changelog: sdk-v0.102.0...sdk-v0.103.0

Features

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.105.0 (2026-06-18)

Full Changelog: sdk-v0.104.2...sdk-v0.105.0

Features

• api: add support for new code_execution_20260120 tool (8dc2b54)
• stream: lazily parse partial tool json input (#99) (e55ceee)

Chores

• internal/deps: bump swc to 1.15.40 (#97) (a1d4d75)
• internal: use are the types wrong directly (#94) (3d362af)
• tests: stop using deprecated models (#98) (65ae1af)

0.104.2 (2026-06-15)

Full Changelog: sdk-v0.104.1...sdk-v0.104.2

Chores

• api: remove retired models from API and SDKs (a942876)

0.104.1 (2026-06-09)

Full Changelog: sdk-v0.104.0...sdk-v0.104.1

Bug Fixes

• api: add frontier_llm refusal category (465e686)

0.104.0 (2026-06-09)

Full Changelog: sdk-v0.103.0...sdk-v0.104.0

Features

• api: add support for Managed Agents deployments and environment variable credentials (d01e38b)

0.103.0 (2026-06-09)

Full Changelog: sdk-v0.102.0...sdk-v0.103.0

Features

• api: add support for claude-mythos-5 and claude-fable-5, with support for server-side fallbacks on refusal (cc337f7)
• client: adds client-side fallbacks middleware for API providers that do not support server-side fallbacks (cc337f7)
• middleware: add ctx.logger (#55) (edd1454)

... (truncated)

Commits

• ab700dc chore: release main
• a322517 feat(api): add support for new code_execution_20260120 tool
• 65a0106 feat(stream): lazily parse partial tool json input (#99)
• 384ab51 chore(tests): stop using deprecated models (#98)
• a49a191 chore(internal/deps): bump swc to 1.15.40 (#97)
• 7ac63f3 chore(internal): use are the types wrong directly (#94)
• fbee0d1 chore: release main
• e984ba4 chore(api): remove retired models from API and SDKs
• 9a0442d chore: release main
• 1ccd401 fix(api): add frontier_llm refusal category
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions