Skip to content

chore(deps): bump the minor-and-patch group across 1 directory with 12 updates#422

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/develop/minor-and-patch-032a80b1a3
Open

chore(deps): bump the minor-and-patch group across 1 directory with 12 updates#422
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/develop/minor-and-patch-032a80b1a3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Copy link
Copy Markdown
Contributor

Bumps the minor-and-patch group with 11 updates in the / directory:

Package From To
@next/mdx 16.2.6 16.2.7
@sentry/nextjs 10.53.1 10.56.0
axios 1.16.1 1.17.0
better-auth 1.6.11 1.6.14
next 16.2.6 16.2.7
react 19.2.6 19.2.7
react-dom 19.2.6 19.2.7
@next/eslint-plugin-next 16.2.6 16.2.7
@types/node 25.8.0 25.9.2
@vitest/coverage-v8 4.1.6 4.1.8
eslint-plugin-prettier 5.5.5 5.5.6

Updates @next/mdx from 16.2.6 to 16.2.7

Release notes

Sourced from @​next/mdx's releases.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Backport documentation fixes for v16.2 (#93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
  • [backport] Propagate adapter preferred regions (#94200)
  • [16.2.x] Don't drop FormData entries (#94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

Updates @sentry/nextjs from 10.53.1 to 10.56.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.56.0

Important Changes

  • feat(deno): Redis diagnostics channel based integration for Deno (#21087)

    Adds Redis integration support for Deno, covering both redis and ioredis clients.

Other Changes

  • feat(cloudflare): Only capture workflow step error on final retry attempt (#21025)
  • feat(hono): Emit warning if @sentry/node was imported instead of @sentry/hono/node (#21240)
  • feat(node): Use ioredis tracing channels (#21187)
  • fix(browser): Correctly parse sampleRate when consistentTraceSampling is enabled (#21281)
  • fix(cloudflare): Fix instrumentDurableObjectWithSentry breaking Cloudflare Agents (#21101)
  • fix(cloudflare): Wait for span links to be set (#21167)
  • fix(core): Use WeakRef for Span-Scope circular references (#21242)
  • fix(node): Vendor InstrumentationNodeModuleFile to fix Bun --bytecode crash (#21262)
  • fix(profiling-node): Ensure node version support warning includes latest 26 (#21229)
  • chore: Ignore scheduled_tasks.lock (#21252)
  • chore: Promote lint warnings to errors (#21213)
  • chore(docs): Document how to support a new node version (#21228)
  • chore(size-limit): Weekly auto-bump (#21243)
  • chore(skills): Add linear-project-status skill (#21214)
  • chore(skills): Add linear-project-update skill (#21233)
  • chore(skills): Improve triage-issue skill (#21257)
  • chore(skills): Update linear-project-status skill with more details & context (#21234)
  • feat(deps): Bump axios from 1.15.0 to 1.16.0 in /dev-packages/e2e-tests/test-applications/nestjs-basic (#21263)
  • feat(server-utils): Initial scaffolding (#21200)
  • ref(cloudflare): Move D1 instrumentation (#21266)
  • ref(node): Refactor usage of hrTime utilities from @opentelemetry/core (#21191)
  • ref(node): Stop mutating OTel RPC metadata to set http.route (#21193)
  • ref(opentelemetry): Vendor minimal TraceState implementation (#21192)
  • test(browser): Add unit test for http client header collection behavior (#21273)
  • test(browser): Move browser integration tests to dataCollection (#21282)
  • test(cloudflare): Remove vitest in CF e2e tests (#21259)

Bundle size 📦

Path Size
@​sentry/browser 26.57 KB
@​sentry/browser - with treeshaking flags 25.05 KB
@​sentry/browser (incl. Tracing) 44.19 KB
@​sentry/browser (incl. Tracing + Span Streaming) 46.37 KB

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.56.0

Important Changes

  • feat(deno): Redis diagnostics channel based integration for Deno (#21087)

    Adds Redis integration support for Deno, covering both redis and ioredis clients.

Other Changes

  • feat(cloudflare): Only capture workflow step error on final retry attempt (#21025)
  • feat(hono): Emit warning if @sentry/node was imported instead of @sentry/hono/node (#21240)
  • feat(node): Use ioredis tracing channels (#21187)
  • fix(browser): Correctly parse sampleRate when consistentTraceSampling is enabled (#21281)
  • fix(cloudflare): Fix instrumentDurableObjectWithSentry breaking Cloudflare Agents (#21101)
  • fix(cloudflare): Wait for span links to be set (#21167)
  • fix(core): Use WeakRef for Span-Scope circular references (#21242)
  • fix(node): Vendor InstrumentationNodeModuleFile to fix Bun --bytecode crash (#21262)
  • fix(profiling-node): Ensure node version support warning includes latest 26 (#21229)
  • chore: Ignore scheduled_tasks.lock (#21252)
  • chore: Promote lint warnings to errors (#21213)
  • chore(docs): Document how to support a new node version (#21228)
  • chore(size-limit): Weekly auto-bump (#21243)
  • chore(skills): Add linear-project-status skill (#21214)
  • chore(skills): Add linear-project-update skill (#21233)
  • chore(skills): Improve triage-issue skill (#21257)
  • chore(skills): Update linear-project-status skill with more details & context (#21234)
  • feat(deps): Bump axios from 1.15.0 to 1.16.0 in /dev-packages/e2e-tests/test-applications/nestjs-basic (#21263)
  • feat(server-utils): Initial scaffolding (#21200)
  • ref(cloudflare): Move D1 instrumentation (#21266)
  • ref(node): Refactor usage of hrTime utilities from @opentelemetry/core (#21191)
  • ref(node): Stop mutating OTel RPC metadata to set http.route (#21193)
  • ref(opentelemetry): Vendor minimal TraceState implementation (#21192)
  • test(browser): Add unit test for http client header collection behavior (#21273)
  • test(browser): Move browser integration tests to dataCollection (#21282)
  • test(cloudflare): Remove vitest in CF e2e tests (#21259)

10.55.0

Important Changes

  • feat(hono): Promote @sentry/hono to stable and deprecate honoIntegration (#21208)

    The @sentry/hono SDK is now stable. See the Sentry Hono SDK docs to get started.

... (truncated)

Commits
  • 29b276c release: 10.56.0
  • f94a87b Merge pull request #21291 from getsentry/prepare-release/10.56.0
  • 165c82a meta(changelog): Update changelog for 10.56.0
  • a7cb7e6 fix(cloudflare): Fix instrumentDurableObjectWithSentry breaking Cloudflare Ag...
  • d8015e2 feat(deps): Bump axios from 1.15.0 to 1.16.0 in /dev-packages/e2e-tests/test-...
  • 01104fb fix(browser): Correctly parse sampleRate when consistentTraceSampling is en...
  • 0613ef7 test(browser): Move browser integration tests to dataCollection (#21282)
  • 231e1f5 test(browser): Add unit test for http client header collection behavior (#21273)
  • ec5f82c feat(server-utils): initial scaffolding (#21200)
  • dfeeb11 fix(cloudflare): Wait for span links to be set (#21167)
  • Additional commits viewable in compare view

Updates axios from 1.16.1 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Changelog

Sourced from axios's changelog.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Commits

Updates better-auth from 1.6.11 to 1.6.14

Release notes

Sourced from better-auth's releases.

v1.6.14

better-auth

Bug Fixes

  • Fixed Google One Tap authenticating the wrong user when the presented Google account was already linked to a different local user.
  • Fixed null values being rejected for optional fields in the generated database schema (#9841)
  • Fixed getSessionCookie to prefer the __Secure- prefixed cookie over a non-secure leftover, preventing a stale cookie from shadowing the current session (#9806)
  • Fixed redirect URI validation to work on all supported runtimes and to reject URIs containing a fragment component per RFC 6749 §3.1.2 (#9845)
  • Fixed organization invitation verification to restore the normal emailed-invitation flow while enforcing stricter email verification for externally controlled or predictable invitation IDs (#9877)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAML Single Logout leaving the user signed in due to the logout handlers matching the session by ID instead of token.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​gustavovalverde

Full changelog: v1.6.13...v1.6.14

v1.6.13

better-auth

Features

  • Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

  • Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
  • Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
  • Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
  • Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
  • Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
  • Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.14

Patch Changes

  • #9877 2d9781a Thanks @​gustavovalverde! - Restore the normal emailed-invitation flow while documenting the stricter verification posture for organization invitations.

    Client-side listUserInvitations now always requires a verified session email because it enumerates invitation IDs from session.user.email. The requireEmailVerificationOnInvitation option now controls recipient calls that carry an invitation ID (acceptInvitation, rejectInvitation, getInvitation). When unset, Better Auth keeps the emailed-invitation sign-up flow for built-in opaque invitation IDs, including the default generator or advanced.database.generateId: "uuid", and requires verified email when invitation IDs are externally controlled or predictable, such as advanced.database.generateId: "serial" / false or custom ID generation. Apps that expose invitation IDs outside the invited user's mailbox, expose organization invitation lists to members, or require stricter ownership proof should set requireEmailVerificationOnInvitation: true or require verified email before sign-in.

  • #9841 5a2d642 Thanks @​bytaesu! - Optional fields (required: false) now accept null, not just omission. The generated input validation previously rejected null even though the column is nullable, so a nullable field could not be cleared by passing null.

  • #9845 13abc79 Thanks @​gustavovalverde! - Harden redirect-URI validation across the OAuth provider plugins. isSafeUrlScheme and SafeUrlSchema no longer call URL.canParse, which is absent on some supported runtimes and could throw or silently disable the dangerous-scheme check. They now parse with a try/catch fallback. SafeUrlSchema also rejects redirect URIs that contain a fragment component, per RFC 6749 §3.1.2.

  • #9806 9d3450a Thanks @​bytaesu! - getSessionCookie now prefers the __Secure- cookie when both it and a non-secure cookie are present, so the non-secure cookie no longer shadows the current session cookie.

  • Updated dependencies [13abc79]:

    • @​better-auth/core@​1.6.14
    • @​better-auth/drizzle-adapter@​1.6.14
    • @​better-auth/kysely-adapter@​1.6.14
    • @​better-auth/memory-adapter@​1.6.14
    • @​better-auth/mongo-adapter@​1.6.14
    • @​better-auth/prisma-adapter@​1.6.14
    • @​better-auth/telemetry@​1.6.14

1.6.13

Patch Changes

  • #9813 d3919dc Thanks @​gustavovalverde! - Support server-side accountInfo calls without session headers.

    auth.api.accountInfo now accepts an optional userId, so a trusted server-side caller can read a user's provider profile without constructing session headers. This mirrors getAccessToken and refreshToken. HTTP callers still require a valid session, and a session always takes precedence over a supplied userId.

    The shared "resolve the target user, then fetch a valid access token" logic behind these three endpoints now lives in one place. As part of that, a server-side call that supplies neither a session nor a userId reports USER_ID_OR_SESSION_REQUIRED (400) consistently, rather than UNAUTHORIZED on some endpoints.

  • #9591 5f282bd Thanks @​Vishesh-Verma-07! - When only secondaryStorage is configured (no primary database), storeStateStrategy now defaults to "database" instead of "cookie", preventing oversized-cookie errors on platforms like AWS Lambda. The account cookie that holds OAuth tokens in database-less setups stays enabled, so getAccessToken keeps working.

  • #9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

    Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

    Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

  • #9818 43c08a2 Thanks @​gustavovalverde! - Fix Google One Tap signing in the wrong user when the presented Google account is already linked to someone else. One Tap now resolves identity through the shared OAuth path, so the user who owns the Google subject is signed in, matching the redirect and signIn.social flows. Previously it matched a local user by the token's email and used the subject only to decide linking, so a Google credential owned by one user could authenticate a different user who happened to share that email.

    /account-info now resolves the account from the signed-in user's own linked accounts and accepts an optional providerId to disambiguate when two providers issue the same account ID. A colliding account ID returns a distinct AMBIGUOUS_ACCOUNT error instead of a misleading "not found", and an account with no configured social provider returns a 400 rather than a 500.

  • #9838 be32012 Thanks @​gustavovalverde! - Validate the scheme of OAuth redirect_uris in the oidc-provider and mcp plugins.

    Both plugins previously accepted any string as a redirect_uri at registration. They now reject the javascript:, data:, and vbscript: schemes, which are never valid OAuth redirect targets. The @better-auth/oauth-provider package already applied this check, so this change brings the two older plugins in line with it.

... (truncated)

Commits
  • 5038d41 chore: release v1.6.14 (#9846)
  • 2d9781a fix(organization): split invitation verification gates (#9877)
  • 5a2d642 fix: accept null for optional fields in generated schema (#9841)
  • 9d3450a fix(cookies): prefer __Secure- cookie in getSessionCookie (#9806)
  • a6f38c7 chore: release v1.6.13 (#9804)
  • 87c1a0c fix(organization): allow null logo on create and update (#9842)
  • be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
  • 9c8ded6 docs(two-factor): mark viewBackupCodes as server-only in its API comment (#...
  • 43c08a2 fix(account): scope OAuth account identity and fix buggy internalAdapter help...
  • 23d7cbf fix(oauth): apply updateUserInfoOnLink in OAuth callback link flow (#8758)
  • Additional commits viewable in compare view

Updates next from 16.2.6 to 16.2.7

Release notes

Sourced from next's releases.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Backport documentation fixes for v16.2 (#93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
  • [backport] Propagate adapter preferred regions (#94200)
  • [16.2.x] Don't drop FormData entries (#94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits
  • 9bd3c26 v16.2.7
  • c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
  • 63115c7 [16.2.x] Don't drop FormData entries (#94240)
  • aef22fd [backport] Propagate adapter preferred regions (#94200)
  • f126e72 [backport] Fix "type: module" in project dir when using standalone or adapter...
  • bda3e2a [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • 7e16e07 [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • 6139f4b [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • c021d10 [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • 9184ddb [backport] Fix catch-all router.query corruption with basePath + `rewrite...
  • Additional commits viewable in compare view

Updates react from 19.2.6 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.


Updates react-dom from 19.2.6 to 19.2.7

Release notes

Sourced from

@dependabot
chore(deps): bump the minor-and-patch group across 1 directory with 1…
dcb2680 
…2 updates

Bumps the minor-and-patch group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@next/mdx](https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx) | `16.2.6` | `16.2.7` |
| [@sentry/nextjs](https://github.com/getsentry/sentry-javascript) | `10.53.1` | `10.56.0` |
| [axios](https://github.com/axios/axios) | `1.16.1` | `1.17.0` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.11` | `1.6.14` |
| [next](https://github.com/vercel/next.js) | `16.2.6` | `16.2.7` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.6` | `19.2.7` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.6` | `19.2.7` |
| [@next/eslint-plugin-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-plugin-next) | `16.2.6` | `16.2.7` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.8.0` | `25.9.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.6` | `4.1.8` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.5.5` | `5.5.6` |



Updates `@next/mdx` from 16.2.6 to 16.2.7
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.7/packages/next-mdx)

Updates `@sentry/nextjs` from 10.53.1 to 10.56.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.53.1...10.56.0)

Updates `axios` from 1.16.1 to 1.17.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.16.1...v1.17.0)

Updates `better-auth` from 1.6.11 to 1.6.14
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.14/packages/better-auth)

Updates `next` from 16.2.6 to 16.2.7
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.6...v16.2.7)

Updates `react` from 19.2.6 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `react-dom` from 19.2.6 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `@next/eslint-plugin-next` from 16.2.6 to 16.2.7
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.7/packages/eslint-plugin-next)

Updates `@types/node` from 25.8.0 to 25.9.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@vitest/coverage-v8` from 4.1.6 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/coverage-v8)

Updates `eslint-plugin-prettier` from 5.5.5 to 5.5.6
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/eslint-plugin-prettier@v5.5.5...v5.5.6)

Updates `vitest` from 4.1.6 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest)

---
updated-dependencies:
- dependency-name: "@next/mdx"
  dependency-version: 16.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@sentry/nextjs"
  dependency-version: 10.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: axios
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: better-auth
  dependency-version: 1.6.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: next
  dependency-version: 16.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@next/eslint-plugin-next"
  dependency-version: 16.2.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/node"
  dependency-version: 25.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Dependency updates npm npm package updates labels Jun 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Dependency updates npm npm package updates

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants