fix(deps): bump the prod-minor-patch group with 7 updates #398

Open
dependabot[bot] wants to merge 3 commits into main from dependabot/npm_and_yarn/prod-minor-patch-634dc2724c
@dependabot dependabot Bot commented on behalf of github May 18, 2026

Bumps the prod-minor-patch group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| @inquirer/prompts | 8.4.2 | 8.4.3 |
| @oclif/core | 4.11.1 | 4.11.2 |
| @oclif/plugin-autocomplete | 3.2.48 | 3.2.49 |
| @oclif/plugin-warn-if-update-available | 3.1.63 | 3.1.64 |
| ws | 8.20.0 | 8.20.1 |
| lucide-react | 1.14.0 | 1.16.0 |
| tailwind-merge | 3.5.0 | 3.6.0 |

Updates @inquirer/prompts from 8.4.2 to 8.4.3

Release notes

Sourced from @​inquirer/prompts's releases.

@​inquirer/prompts@​8.4.3

  • Fix: Windows rendering bug
  • Fix: Preserve exact literal types in choices array (Typescript only)
  • Fix: Allow input default value to be of type undefined (Typescript only)
  • Bump dependencies
Commits
  • 113558c chore: Publish new release
  • f0ca377 chore: format everything with nano-staged
  • 5341ca1 chore: Bump yarn
  • cb7ffda ci: add Node.js 26 to test matrix (#2112)
  • 0401a5c fix(@​inquirer/input): allow explicit undefined for default option (#2111)
  • 40f87a8 fix: reset cursor to column 0 after prompt completes
  • b88c9a2 fix: satisfy eslint-plugin-n v18 rules
  • 697684a chore(deps-dev): Bump the linting group across 1 directory with 6 updates
  • 105c439 chore(deps-dev): Bump the build group with 3 updates (#2107)
  • a020d8a chore(deps-dev): Bump oxfmt in the formatting group (#2106)
  • Additional commits viewable in compare view

Updates @oclif/core from 4.11.1 to 4.11.2

Release notes

Sourced from @​oclif/core's releases.

4.11.2

Bug Fixes

  • deps: bump semver from 7.7.4 to 7.8.0 (1471fe3)
Changelog

Sourced from @​oclif/core's changelog.

4.11.2 (2026-05-09)

Bug Fixes

  • deps: bump semver from 7.7.4 to 7.8.0 (1471fe3)
Commits
  • 7fcab26 chore(release): 4.11.2 [skip ci]
  • 24232fe Merge pull request #1594 from oclif/dependabot-npm_and_yarn-semver-7.8.0
  • 1471fe3 fix(deps): bump semver from 7.7.4 to 7.8.0
  • 195484c Merge pull request #1595 from oclif/dependabot-npm_and_yarn-eslint-config-ocl...
  • 71f105d chore(dev-deps): bump eslint-config-oclif from 6.0.160 to 6.0.162
  • See full diff in compare view

Updates @oclif/plugin-autocomplete from 3.2.48 to 3.2.49

Release notes

Sourced from @​oclif/plugin-autocomplete's releases.

3.2.49

Bug Fixes

  • deps: bump @​oclif/core from 4.11.0 to 4.11.2 (#1146) (4127ce2)
Changelog

Sourced from @​oclif/plugin-autocomplete's changelog.

3.2.49 (2026-05-10)

Bug Fixes

  • deps: bump @​oclif/core from 4.11.0 to 4.11.2 (#1146) (4127ce2)
Commits

Updates @oclif/plugin-warn-if-update-available from 3.1.63 to 3.1.64

Release notes

Sourced from @​oclif/plugin-warn-if-update-available's releases.

3.1.64

Bug Fixes

  • deps: bump @​oclif/core from 4.11.0 to 4.11.2 (#1016) (6aa16a8)
Changelog

Sourced from @​oclif/plugin-warn-if-update-available's changelog.

3.1.64 (2026-05-10)

Bug Fixes

  • deps: bump @​oclif/core from 4.11.0 to 4.11.2 (#1016) (6aa16a8)
Commits
  • c7801bd chore(release): 3.1.64 [skip ci]
  • 6aa16a8 fix(deps): bump @​oclif/core from 4.11.0 to 4.11.2 (#1016)
  • 505e8eb chore(dev-deps): bump eslint-config-oclif from 6.0.160 to 6.0.162 (#1017)
  • See full diff in compare view

Updates ws from 8.20.0 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

```js
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    // The reason should arrive as 80 zero bytes (20 floats x 4 bytes each).
    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  // A TypedArray is passed where a string or Buffer is expected.
  ws.close(1000, new Float32Array(20));
});
```

The issue was privately reported by Nikita Skovoroda.

Commits
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • See full diff in compare view

Updates lucide-react from 1.14.0 to 1.16.0

Release notes

Sourced from lucide-react's releases.

Version 1.16.0

What's Changed

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

Commits

Updates tailwind-merge from 3.5.0 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

Documentation

Other

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

Commits
  • d54f7e5 v3.6.0
  • 638871a Update README to add info about Tailwind CSS v4.3 support
  • 39fc7b5 Revert "v3.6.0"
  • bd8390f v3.6.0
  • 802877c add v3.6.0 changelog
  • a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
  • 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
  • 005af6d pin to specific version
  • 5816ced implement breaking changes
  • 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
  • Additional commits viewable in compare view

Bumps the prod-minor-patch group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [@inquirer/prompts](https://github.com/SBoudrias/Inquirer.js) | `8.4.2` | `8.4.3` |
| [@oclif/core](https://github.com/oclif/core) | `4.11.1` | `4.11.2` |
| [@oclif/plugin-autocomplete](https://github.com/oclif/plugin-autocomplete) | `3.2.48` | `3.2.49` |
| [@oclif/plugin-warn-if-update-available](https://github.com/oclif/plugin-warn-if-update-available) | `3.1.63` | `3.1.64` |
| [ws](https://github.com/websockets/ws) | `8.20.0` | `8.20.1` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.14.0` | `1.16.0` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |


Updates `@inquirer/prompts` from 8.4.2 to 8.4.3
- [Release notes](https://github.com/SBoudrias/Inquirer.js/releases)
- [Commits](https://github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.2...@inquirer/prompts@8.4.3)

Updates `@oclif/core` from 4.11.1 to 4.11.2
- [Release notes](https://github.com/oclif/core/releases)
- [Changelog](https://github.com/oclif/core/blob/main/CHANGELOG.md)
- [Commits](oclif/core@4.11.1...4.11.2)

Updates `@oclif/plugin-autocomplete` from 3.2.48 to 3.2.49
- [Release notes](https://github.com/oclif/plugin-autocomplete/releases)
- [Changelog](https://github.com/oclif/plugin-autocomplete/blob/main/CHANGELOG.md)
- [Commits](oclif/plugin-autocomplete@3.2.48...3.2.49)

Updates `@oclif/plugin-warn-if-update-available` from 3.1.63 to 3.1.64
- [Release notes](https://github.com/oclif/plugin-warn-if-update-available/releases)
- [Changelog](https://github.com/oclif/plugin-warn-if-update-available/blob/main/CHANGELOG.md)
- [Commits](oclif/plugin-warn-if-update-available@3.1.63...3.1.64)

Updates `ws` from 8.20.0 to 8.20.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.20.1)

Updates `lucide-react` from 1.14.0 to 1.16.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.16.0/packages/lucide-react)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

---
updated-dependencies:
- dependency-name: "@inquirer/prompts"
  dependency-version: 8.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-minor-patch
- dependency-name: "@oclif/core"
  dependency-version: 4.11.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-minor-patch
- dependency-name: "@oclif/plugin-autocomplete"
  dependency-version: 3.2.49
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-minor-patch
- dependency-name: "@oclif/plugin-warn-if-update-available"
  dependency-version: 3.1.64
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-minor-patch
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-minor-patch
- dependency-name: lucide-react
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-patch
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
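
The `ws` release note above says `websocket.close()` supports a string or Buffer reason, and its test expects the 20-element `Float32Array` to arrive as 80 bytes. As an added example (not code from `ws`, Dependabot or this repository), a caller-side guard that turns the reason into a byte-exact Buffer and enforces the 123-byte limit that follows from RFC 6455; `normalizeCloseReason`, `safeClose` and the recording socket are hypothetical names.

```javascript
// Added example, not ws code: validate a close reason before calling close().
// RFC 6455 caps control-frame payloads at 125 bytes; 2 of them are the status code.
const MAX_REASON_BYTES = 123;

// Returns a Buffer holding exactly the bytes that should go on the wire.
function normalizeCloseReason(reason) {
  let bytes;
  if (reason === undefined) {
    bytes = Buffer.alloc(0);
  } else if (typeof reason === 'string') {
    bytes = Buffer.from(reason, 'utf8');
  } else if (Buffer.isBuffer(reason)) {
    bytes = reason;
  } else if (ArrayBuffer.isView(reason)) {
    // TypedArray/DataView: `length` counts elements, `byteLength` counts bytes.
    // Copy only the viewed region into a fresh, fully initialized Buffer.
    const view = Buffer.from(reason.buffer, reason.byteOffset, reason.byteLength);
    bytes = Buffer.from(view);
  } else {
    throw new TypeError('close reason must be a string, Buffer or TypedArray');
  }
  if (bytes.length > MAX_REASON_BYTES) {
    throw new RangeError(
      `close reason is ${bytes.length} bytes, limit is ${MAX_REASON_BYTES}`
    );
  }
  return bytes;
}

// Hypothetical wrapper: `socket` is any object with a ws-style close(code, reason).
function safeClose(socket, code, reason) {
  const bytes = normalizeCloseReason(reason);
  socket.close(code, bytes);
  return bytes;
}

// Constructed stand-in for a WebSocket so the example runs without a network.
function makeRecordingSocket() {
  const calls = [];
  return { calls, close: (code, reason) => calls.push({ code, reason }) };
}

// The input from the release note: 20 float elements, 80 bytes, all zero.
function demo() {
  const socket = makeRecordingSocket();
  const sent = safeClose(socket, 1000, new Float32Array(20));
  return {
    length: sent.length,
    allZero: sent.every((b) => b === 0),
    calls: socket.calls.length
  };
}
```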
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 18, 2026
vercel Bot commented May 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| cli-web-cli | Ready | Preview, Comment | May 18, 2026 6:25pm |

The split-terminal E2E test was using a flat 5000ms wait after splitting,
but the secondary WebSocket connection to the terminal server can take
~5-6s under rate limiting — making the wait a race condition.

Replace the flat wait with an explicit `toContainText("$ ", {timeout: 20s})`
assertion that waits until the secondary terminal's shell prompt appears,
ensuring commands are typed only after the session is fully established.
Also raise the final assertion timeouts to 15s for robustness.

The dependency bump (ws 8.20.0→8.20.1, lucide-react 1.14→1.16, etc.) did
not cause this failure; the test was already timing-sensitive.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ci-lockfile-regen

Dependabot Fix Assessment

Package group: 7 prod-minor-patch updates (patch/minor)
Scope: runtime dependencies
Workspace: root + examples/web-cli + packages/react-web-cli

What changed upstream

| Package | From | To | Notes |
| --- | --- | --- | --- |
| @inquirer/prompts | 8.4.2 | 8.4.3 | Windows render bug fix, TypeScript-only type fixes |
| @oclif/core | 4.11.1 | 4.11.2 | semver dep bump only |
| @oclif/plugin-autocomplete | 3.2.48 | 3.2.49 | oclif/core bump |
| @oclif/plugin-warn-if-update-available | 3.1.63 | 3.1.64 | oclif/core bump |
| ws | 8.20.0 | 8.20.1 | Security fix: uninitialized memory in websocket.close() with TypedArray |
| lucide-react | 1.14.0 | 1.16.0 | New icons (blender, broccoli, sticky-note variants), minor icon shape tweaks |
| tailwind-merge | 3.5.0 | 3.6.0 | Tailwind CSS v4.3 support, readonly array support |

Migration concerns checked

  • Peer dependencies: OK — no new peer dep requirements
  • Type changes: OK — @inquirer/prompts TypeScript-only fixes, backward-compatible
  • Config files: OK — tailwind-merge v3.6 adds new optional config; our usage unchanged
  • Module format: OK — no ESM/CJS format changes
  • React compatibility: OK — lucide-react and tailwind-merge changes are additive
  • Monorepo impact: lucide-react used in both packages/react-web-cli and examples/web-cli; no breaking changes in either

What broke

Web CLI E2E Tests: "should maintain independent sessions in split terminals" in terminal-ui.test.ts:239:

The test split the terminal, then used a flat await page.waitForTimeout(5000) before typing commands. From the browser console in the CI logs, the secondary WebSocket session takes ~5–6 seconds to establish under rate limiting — making the flat wait a race condition. When the 5000ms elapsed just as the secondary was still connecting, the terminal showed the connection animation ("................................ ") rather than CLI output.

Root cause: Pre-existing timing fragility in the test, not caused by the dependency bump. The ws security patch (which fixes close() with TypedArray) does not affect connection establishment.

What was fixed

test/e2e/web-cli/terminal-ui.test.ts: Replaced the flat 5000ms wait with an explicit await expect(secondaryTerminal).toContainText("$ ", { timeout: 20000 }) assertion that waits until the secondary terminal's shell prompt is visible before typing commands. Also raised the final output assertion timeouts from the implicit 5s default to 15s.

Verification

  • Build: ✅ (pnpm prepare — clean TypeScript compile)
  • Lint: ✅ (pnpm exec eslint . — 0 errors, 10 pre-existing warnings)
  • Unit tests: ✅ (pnpm test:unit)
  • Web CLI unit tests: ✅ (pnpm --filter @ably/react-web-cli test — 57 passed, 6 skipped)
  • E2E: not runnable locally (requires live server at wss://web-cli-terminal.ably-dev.com)

Notes for reviewer

The fix removes the magic 5000ms flat wait and replaces it with a condition-based wait that scales naturally with server latency. This also ensures commands are typed into a fully-established session rather than a still-connecting one. The overall test timeout remains 120s, so the wider window is safe.

The secondary terminal shows the ably interactive shell prompt "ably> ",
not a bash shell prompt "$ ". Waiting for "$ " always timed out because
the terminal never shows that string — it shows the ably banner followed
by "ably> ".

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ci-lockfile-regen

Dependabot Fix Assessment

Package group: prod-minor-patch — 7 packages

  • `@inquirer/prompts` `8.4.2` → `8.4.3` (patch)
  • `@oclif/core` `4.11.1` → `4.11.2` (patch)
  • `@oclif/plugin-autocomplete` `3.2.48` → `3.2.49` (patch)
  • `@oclif/plugin-warn-if-update-available` `3.1.63` → `3.1.64` (patch)
  • `ws` `8.20.0` → `8.20.1` (patch, security fix)
  • `lucide-react` `1.14.0` → `1.16.0` (minor, new icons only)
  • `tailwind-merge` `3.5.0` → `3.6.0` (minor, Tailwind v4.3 support + readonly arrays)

Scope: runtime `dependencies` + root workspace
Workspace: root

What changed upstream

  • All 7 bumps are low-risk: bug fixes, dependency chain bumps, new icons, and a security fix in ws
  • No API surfaces used by this repo changed
  • tailwind-merge v3.6.0 adds a new postfixLookupClassGroups config option (additive only)
  • lucide-react v1.15–1.16: icon changes and a Vue slot fix (no impact on our React usage)

Migration concerns checked

  • Peer dependencies: ✅ OK
  • Type changes: ✅ OK (no API changes in any package)
  • Config files: ✅ OK
  • Module format: ✅ OK
  • React compatibility: ✅ OK (no duplicate React issue)
  • Monorepo impact: ✅ OK (packages/react-web-cli and examples/web-cli unaffected)

What broke

  • "should maintain independent sessions in split terminals" (terminal-ui.test.ts:230): the previous fix attempt waited for "$ " (a bash shell prompt) to appear in the secondary terminal, but the Ably web CLI shows ably> as its interactive shell prompt — that string never appears, so the wait always timed out.

This was not caused by the dependency bump. The dependency bump itself made no breaking changes. The test was introduced in the prior fix attempt with the wrong expected prompt string.

What was fixed

  • test/e2e/web-cli/terminal-ui.test.ts:230: changed `toContainText("$ ", ...)` → `toContainText("ably> ", ...)` — the actual prompt the Ably interactive shell displays. Confirmed from the CI failure's "received string" which ends with `ably> `.

Verification

  • Build: ✅
  • Lint: ✅ (0 errors)
  • Unit tests: ✅
  • Web CLI E2E tests: re-running in CI

Notes for reviewer
