build(deps): Bump the minor-patch group across 1 directory with 24 updates

[dependabot]

Bumps the minor-patch group with 21 updates in the / directory:

Package	From	To
fast-xml-parser	5.5.8	5.7.3
lefthook	2.1.4	2.1.6
markdownlint-cli2	0.22.0	0.22.1
turbo	2.8.20	2.9.12
@azure/monitor-opentelemetry	1.16.0	1.17.0
@opentelemetry/api	1.9.0	1.9.1
mssql	12.2.1	12.5.2
@types/mssql	9.1.9	12.3.0
next	16.2.1	16.2.6
react	19.2.4	19.2.6
react-dom	19.2.4	19.2.6
recharts	3.8.0	3.8.1
tailwind-merge	3.5.0	3.6.0
zod	4.3.6	4.4.3
@next/eslint-plugin-next	16.2.1	16.2.6
@playwright/test	1.58.2	1.59.1
@tailwindcss/postcss	4.2.2	4.3.0
@types/node	25.5.0	25.6.2
@vitest/coverage-v8	4.1.0	4.1.5
eslint	10.1.0	10.3.0
typescript-eslint	8.57.1	8.59.2

Updates fast-xml-parser from 5.5.8 to 5.7.3

Release notes

Sourced from fast-xml-parser's releases.

fix minor old bugs and update builder

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to use entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

• No API change
• No change in performance for basic usage
• No typing change
• No config change
• new dependency
• breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

• increase default entity explansion limit as many projects demand for that

maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,

• performance improvement
  • reduce calls to toString
  • early return when entities are not present

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.8.0

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is bydeault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

... (truncated)

Commits

• d6d8042 update to release
• d263370 remove dev dependency 'he'
• f9c9a2c update builder to 1.1.7
• b65da87 update changelog and mark addEntity deprecated
• c2ca631 update fxb
• da75191 fix stop node expression when ns prefix is removed
• 31bbc99 fix: alwaysCreateTextNode should create text node when attributes are present...
• dab327a remove unnecessary
• ab04eeb update docs
• 383cb3f Revise security information for v6 release
• Additional commits viewable in compare view

Updates lefthook from 2.1.4 to 2.1.6

Release notes

Sourced from lefthook's releases.

v2.1.6

Changelog

• bf73ea2f1ea5468c9af7a6f06b5ef8cd43e66040 fix(packaging): do not pipe stdout and stderr (#1382)
• 04da00697cd8a6241023c1962feb720eeaa62698 fix(windows): normalize lefthook path for sh script (#1383)
• de9597a1bf456d2cf0fbcb8816858b6e5cf6b609 fix: log full scoped name for skipped jobs (#1291)
• eb3e70dbbd2442200ec8ff2140a3ee9daa7d9e70 fix: normalize root to always include trailing slash before path replacement (#1381)
• f90f3f570ef9227ddf345a79cec687dac41a5d31 fix: skip pty allocation when stdout is not a terminal (#1393)

v2.1.5

Changelog

• afac466157f88b5a5f9d03eb28acc90b095a4b5d chore(golangci-lint): upgrade to 2.11.4 (#1362)
• f8e73b947e2eefd6950d6a19c20bbde19070809d chore: fix golangci-lint version lookup
• 4564da343b1497f73f8a82f6104e1b5903f8a081 chore: move golangci-lint version to .tool-versions (#1349)
• 236a5bd07c650aaa882963d68ab5e5e654a47681 chore: small cleanup (#1370)
• 5ddf2206dd23e826c5434392e034fa7db523cd3d deps: April 2026 (#1375)
• e26c719f5a85e8ff35871e9724649714d6f05c13 fix: git repository merge issue (#1372)
• 3503a3b102c2b41c298e1e7dc6549181508518a6 fix: prevent lefthook run from overwriting global hooks (#1371)
• f3fc175f6c638fd54ab49b8d7c060898f936c934 fix: use pre-push stdin for push file detection (#1368)

Changelog

Sourced from lefthook's changelog.

2.1.6 (2026-04-16)

• fix: normalize lefthook path for sh script (#1383) by @​AndrewKahr
• fix: normalize root to always include trailing slash before path replacement (#1381) by @​Copilot
• fix: skip pty allocation when stdout is not a terminal (#1393) by @​technicalpickles
• docs: upgrade docmd (#1391) by @​mrexox
• fix: log full scoped name for skipped jobs (#1291) by @​scop
• fix: do not pipe stdout and stderr (#1382) by @​mrexox

2.1.5 (2026-04-06)

• deps: April 2026 (#1375) by @​mrexox
• docs: update documentation and docs for claude (#1373) by @​mrexox
• fix: git repository merge issue (#1372) by @​mrexox
• fix: use pre-push stdin for push file detection (#1368) by @​supitsdu
• chore: small cleanup (#1370) by @​mrexox
• fix: prevent lefthook run from overwriting global hooks (#1371) by @​ivy
• chore: upgrade to 2.11.4 (#1362) by @​scop
• chore: fix golangci-lint version lookup by @​mrexox
• chore: move golangci-lint version to .tool-versions (#1349) by @​scop

Commits

• 679ce27 2.1.6: fixes for Windows and AI tools execution
• 04da006 fix(windows): normalize lefthook path for sh script (#1383)
• eb3e70d fix: normalize root to always include trailing slash before path replacemen...
• f90f3f5 fix: skip pty allocation when stdout is not a terminal (#1393)
• 1481e9d docs: upgrade docmd (#1391)
• de9597a fix: log full scoped name for skipped jobs (#1291)
• bf73ea2 fix(packaging): do not pipe stdout and stderr (#1382)
• 4cec579 2.1.5: prevent overwriting global hooks and fix pre-push for sha256 repos
• 5ddf220 deps: April 2026 (#1375)
• 0c16199 docs: update documentation and docs for claude (#1373)
• Additional commits viewable in compare view

Updates markdownlint-cli2 from 0.22.0 to 0.22.1

Changelog

Sourced from markdownlint-cli2's changelog.

0.22.1

• Update dependencies

Commits

• 996abf6 Update to version 0.22.1.
• 70b6875 Improve definition of OutputFormatterConfiguration type, minor other type twe...
• 2cf5440 Add additional test case for previous commit fixing dotfile behavior.
• 21c53ed Bump eslint from 10.2.0 to 10.2.1
• b738aa0 Update removeIgnoredFiles use of micromatch to include dotfiles for consisten...
• 24c04f4 Bump junit-report-builder from 5.1.1 to 5.1.2 in /formatter-junit
• 650f208 Bump pnpm/action-setup from 5 to 6
• 726eaab Bump eslint from 10.1.0 to 10.2.0
• 1aa7579 Update indirect playwright dependencies to 1.59.1.
• fee080d Bump @​playwright/test from 1.58.2 to 1.59.1
• Additional commits viewable in compare view

Updates turbo from 2.8.20 to 2.9.12

Release notes

Sourced from turbo's releases.

Turborepo v2.9.12

What's Changed

Changelog

• release(turborepo): 2.9.11 by @​github-actions[bot] in vercel/turborepo#12771
• fix: Allow transit nodes in LSP diagnostics by @​anthonyshew in vercel/turborepo#12773

Full Changelog: vercel/turborepo@v2.9.11...v2.9.12

Turborepo v2.9.11

What's Changed

Changelog

• release(turborepo): 2.9.10 by @​github-actions[bot] in vercel/turborepo#12745
• ci: Publish VS Code extension on release by @​anthonyshew in vercel/turborepo#12747
• fix: Start daemon for VSCode Extension from the extension itself by @​anthonyshew in vercel/turborepo#12749
• release(turborepo): 2.9.11-canary.1 by @​github-actions[bot] in vercel/turborepo#12748
• fix: Include file URIs in LSP lifecycle logs by @​anthonyshew in vercel/turborepo#12751
• fix: Handle JSON decoration visitor depth by @​anthonyshew in vercel/turborepo#12752
• fix: Resolve relative turbo path in VS Code extension by @​anthonyshew in vercel/turborepo#12753
• fix: Preserve Bun nested dependencies during prune by @​anthonyshew in vercel/turborepo#12754
• fix: Prefer installed Turbo for LSP by @​anthonyshew in vercel/turborepo#12755
• release(turborepo): 2.9.11-canary.2 by @​github-actions[bot] in vercel/turborepo#12750
• ci: Parallelize LSP release publishing by @​anthonyshew in vercel/turborepo#12758
• fix: Reduce VS Code extension startup popups by @​anthonyshew in vercel/turborepo#12759
• fix: Support turbo.jsonc in VS Code extension by @​anthonyshew in vercel/turborepo#12760
• fix: Remove VS Code task key gradient by @​anthonyshew in vercel/turborepo#12761
• release(turborepo): 2.9.11-canary.3 by @​github-actions[bot] in vercel/turborepo#12756
• chore: Release v2.9.11-canary.4 by @​anthonyshew in vercel/turborepo#12762
• ci: Stop VS Code publish from blocking release PR by @​anthonyshew in vercel/turborepo#12763
• release(turborepo): 2.9.11-canary.5 by @​github-actions[bot] in vercel/turborepo#12764
• fix: Publish VS Code extension from release tag by @​anthonyshew in vercel/turborepo#12765
• fix: Support shimmed VS Code LSP probes by @​anthonyshew in vercel/turborepo#12767
• release(turborepo): 2.9.11-canary.6 by @​github-actions[bot] in vercel/turborepo#12766
• release(turborepo): 2.9.11-canary.7 by @​github-actions[bot] in vercel/turborepo#12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @​anthonyshew in vercel/turborepo#12770

Full Changelog: vercel/turborepo@v2.9.10...v2.9.11

Turborepo v2.9.11-canary.7

What's Changed

Changelog

• fix: Support shimmed VS Code LSP probes by @​anthonyshew in vercel/turborepo#12767
• release(turborepo): 2.9.11-canary.6 by @​github-actions[bot] in vercel/turborepo#12766

... (truncated)

Commits

• b3f2345 publish 2.9.12 to registry
• 2c850cb fix: Allow transit nodes in LSP diagnostics (#12773)
• 1444cc3 release(turborepo): 2.9.11 (#12771)
• a968db7 fix: Allow TURBO_EXTENDS in LSP diagnostics (#12770)
• 87d468b release(turborepo): 2.9.11-canary.7 (#12768)
• 5a4310d release(turborepo): 2.9.11-canary.6 (#12766)
• e7c4575 fix: Support shimmed VS Code LSP probes (#12767)
• 2db74b4 fix: Publish VS Code extension from release tag (#12765)
• bfffbaa release(turborepo): 2.9.11-canary.5 (#12764)
• 8a0bd8b ci: Stop VS Code publish from blocking release PR (#12763)
• Additional commits viewable in compare view

Updates @azure/monitor-opentelemetry from 1.16.0 to 1.17.0

Changelog

Sourced from @​azure/monitor-opentelemetry's changelog.

1.17.0 (2026-05-07)

Features Added

• Added GenAI main agent attribution: AzureMonitorSpanProcessor and AzureLogRecordProcessor now propagate microsoft.gen_ai.main_agent.* attributes (with fallback to gen_ai.agent.* / gen_ai.conversation.id) from parent spans to child spans, derive them on invoke_agent spans, and copy them from the active span onto emitted log records.
• Added support for the AKS resource detector from @opentelemetry/resource-detector-azure.
• Added AKS_RESOURCE_DETECTOR_POPULATION statsbeat feature signal to track when the AKS resource detector successfully populates resource attributes.

Bugs Fixed

• Fixed Available Memory performance counter on Linux to report MemAvailable from /proc/meminfo instead of MemFree (via os.freemem()). MemAvailable accounts for reclaimable memory (page cache, buffers), providing a more accurate measure of memory available to processes.
• Fixed standard metrics and performance counters recording 0ms duration for all sub-second requests. span.duration is an HrTime tuple [seconds, nanoseconds] but was incorrectly read as span.duration[0] (seconds only). Converted to milliseconds using hrTimeToMilliseconds() from @opentelemetry/core.

Other Changes

• Restructured samples-dev to use the standard Azure SDK dev-tool format with @summary tags.
• Updated to using exporter version 1.0.0-beta.40.

Commits

• 1cc3584 [Monitor OpenTelemetry] Remove azure functions instrumentation (#38461)
• 19734e9 [monitor] Update @​azure/opentelemetry-instrumentation-azure-sdk dependencies ...
• ac224e2 [Monitor OpenTelemetry][Monitor OpenTelemetry Exporter] Release Distro 1.17.0...
• 9be3be3 feat(monitor-opentelemetry): implement GenAI main agent attribution (#38445)
• 3de1abe Add imports field to all warp-built packages (#38391)
• e8f0055 chore: Update registry for all package.json and adjust check rules (#38281)
• 7b834ea Add missing polyfillSuffix entries to warp.config.yml for .cts polyfill packa...
• 65c0ccc feat(warp): explicit CJS via moduleType, esbuild ESM→CJS transform (#37893)
• 0f1cd87 [Monitor OpenTelemetry] Linux Perf Counter Update (#37835)
• 2467920 [Monitor OpenTelemetry] Fix monitor-opentelemetry samples-dev to use standard...
• Additional commits viewable in compare view

Updates @opentelemetry/api from 1.9.0 to 1.9.1

Release notes

Sourced from @​opentelemetry/api's releases.

api/v1.9.1

1.9.1

🐛 (Bug Fix)

• fix(api): prioritize esnext export condition as it is more specific #5458
• fix(api): update diag consoleLogger to use original console methods to prevent infinite loop when a console instrumentation is present #6395
• fix(api): use Attributes instead of deprecated SpanAttributes in SpanOptions #6478 @​overbalance
• fix(diag): change types in DiagComponentLogger from any to unknown#5478 @​loganrosen
• fix(api): re-introduce fallback chain for global utils #6523 @​pichlermarc

🏠 (Internal)

• refactor(api): refactor to avoid circular deps by merging observable types into Metric.ts #6441 @​pichlermarc
• refactor(api): remove "export *" in favor of explicit named exports #4880 @​robbkidd
• chore: enable tsconfig isolatedModules #5697 @​legendecas
• chore: disallow constructor parameter property syntax #6187 @​legendecas
• refactor(api): remove platform-specific globalThis, use globalThis directly #6208 @​overbalance
• chore(api): mark ProxyTracerProvider as deprecated #6328 @​cjihrig
• chore: enforce import type for type-only imports via ESLint #6467 @​overbalance
• perf(api): improve isValidSpanId, isValidTraceId performance #5714 @​seemk

Changelog

Sourced from @​opentelemetry/api's changelog.

1.9.1

🐛 (Bug Fix)

• fix: avoid grpc types dependency #3551 @​flarna
• fix(otlp-proto-exporter-base): Match Accept header with Content-Type in the proto exporter #3562 @​scheler
• fix: include tracestate in export #3569 @​flarna

🏠 (Internal)

• chore: fix cross project links and missing implicitly exported types #3533 @​legendecas
• feat(sdk-metrics): add exponential histogram mapping functions #3504 @​mwear

Commits

• 279458e Release 1.9.1 / 0.35.1 (#3573)
• 4978743 fix(http): remove outgoing headers normalization (#3557)
• d1f9594 chore(deps): update dependency rimraf to v4 (#3532)
• e0abcc0 fix: remove JSON syntax error and regenerate tsconfig files (#3566)
• a90c558 fix(sdk-node): register instrumentations early (#3502)
• 5b070b8 fix: include TraceState in trace exports (#3569)
• dcb09b7 chore(deps): update dependency gh-pages to v5 (#3571)
• 3bc93a9 feat: exponential histogram - part 1 - mapping functions (#3504)
• 3670071 fix: avoid grpc types dependency (#3551)
• b5ef0e4 chore: fix proto generation (#3567)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/api since your current version.

Updates mssql from 12.2.1 to 12.5.2

Release notes

Sourced from mssql's releases.

v12.5.2

12.5.2 (2026-05-05)

Bug Fixes

• prevent TypeError in PreparedStatement.execute() when streaming without callback (7934ff1), closes #1848

v12.5.1

12.5.1 (2026-05-04)

Bug Fixes

• pass dataLength to getMssqlType in valueCorrection (d8026d3), closes #1853

v12.5.0

12.5.0 (2026-04-23)

Features

• add ability to set per-request requestTimeout (075c6cb), closes #1529

v12.4.0

12.4.0 (2026-04-22)

Features

• add connection create/destroy and abort diagnostics events (bb553ea)
• add core diagnostics_channel infrastructure (2ea53ae)
• bump minimum Node.js version to >=18.19.0 (e4d4f53)
• export CHANNELS constant from public API (8719212)
• extend TracingChannel coverage to the callback API (a3083c9), closes TracingChannel#traceCallback
• instrument base classes with diagnostics_channel (d921d60)
• nest prepared-statement tracing channels under the ps namespace (d11447f)

Bug Fixes

• emit POOL_CLOSE on destroy failure too, include reason (090bad1)
• improve geography/geometry parser robustness (7138b66), closes #322

v12.3.1

12.3.1 (2026-04-17)

Bug Fixes

• clean up listeners on batch parameter validation error (75e76f8)
• clean up listeners on execute parameter error (839ce85)
• clear error when sql_variant used in TVP columns (#1796) (6effc3e)

v12.3.0

12.3.0 (2026-04-15)

... (truncated)

Commits

• dd22da2 Merge pull request #1849 from dhensby/fix/ps-execute-stream
• 0e9c326 Merge pull request #1856 from tediousjs/dependabot/npm_and_yarn/release-tools...
• 96b6495 chore(deps-dev): bump the release-tools group with 2 updates
• 062f1fd Merge pull request #1854 from tediousjs/dependabot/npm_and_yarn/multi-8a066debe3
• 7934ff1 fix: prevent TypeError in PreparedStatement.execute() when streaming without ...
• 3a7e45f Merge pull request #1855 from dhensby/fix/value-correction-length
• d8026d3 fix: pass dataLength to getMssqlType in valueCorrection
• 7382819 chore(deps): bump uuid and @​azure/identity
• ce9078d Merge pull request #1852 from tediousjs/dependabot/github_actions/actions/upl...
• 7214f9a chore(deps): bump actions/upload-pages-artifact from 4 to 5
• Additional commits viewable in compare view

Updates @types/mssql from 9.1.9 to 12.3.0

Commits

• See full diff in compare view

Updates next from 16.2.1 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates react from 19.2.4 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Updates recharts from 3.8.0 to 3.8.1

Release notes

Sourced from recharts's releases.

v3.8.1

What's Changed

Bugfixes!

• fix(z-index): prevent elements from disappearing during dynamic zIndex transitions by @​VIDHITTS in recharts/recharts#7006
• fix: prevent tooltip flicker in syncMethod="value" with mismatched data arrays by @​roy7 in recharts/recharts#7020
• docs: add missing SVG props documentation to PolarGrid #3400 by @​ramanverse in recharts/recharts#6987
• fix: add cursor prop type to BaseChartProps by @​mixelburg in recharts/recharts#7065
• fix: restore arrow key navigation when active index is outside zoomed… by @​AbishekRaj2007 in recharts/recharts#7086
• Add test for ticks spacing by @​VIDHITTS in recharts/recharts#7082
• fix(Pie): skip minAngle redistribution when no segment needs it by @​Harikrushn9118 in recharts/recharts#7097
• fix(DefaultLegendContent): use entry.value for aria-label when formatter returns React element by @​mixelburg in recharts/recharts#7109
• fix(PolarRadiusAxis): update ticks prop type by @​PavelVanecek...

  Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.