build(deps): bump the production-dependencies group across 1 directory with 66 updates

[dependabot]

Bumps the production-dependencies group with 66 updates in the / directory:

Package	From	To
@ai-sdk/openai	3.0.26	3.0.64
@ai-sdk/react	3.0.80	3.0.186
@aws-sdk/client-s3	3.984.0	3.1049.0
@aws-sdk/s3-request-presigner	3.984.0	3.1049.0
@fumadocs/content-collections	1.2.6	1.2.9
@hono/zod-openapi	1.2.1	1.4.0
@hono/zod-validator	0.7.6	0.8.0
@next/third-parties	16.1.6	16.2.6
@paralleldrive/cuid2	2.3.1	3.3.0
@prisma/client	7.3.0	7.8.0
@react-email/components	0.0.41	1.0.12
@react-email/render	1.4.0	2.0.8
@scalar/hono-api-reference	0.9.40	0.10.16
@tanstack/react-query	5.90.20	5.100.10
@tiptap/extension-dropcursor	3.19.0	3.23.4
@tiptap/extension-image	3.19.0	3.23.4
@tiptap/extension-placeholder	3.19.0	3.23.4
@tiptap/react	3.19.0	3.23.4
@tiptap/starter-kit	3.19.0	3.23.4
@uiw/react-md-editor	4.0.11	4.1.0
ai	6.0.78	6.0.184
better-auth	1.4.18	1.6.11
boring-avatars	1.11.2	2.0.4
date-fns	4.1.0	4.2.1
dompurify	3.3.1	3.4.5
fumadocs-core	16.5.2	16.8.11
fumadocs-ui	16.5.2	16.8.11
geist	1.5.1	1.7.0
hono	4.11.8	4.12.19
hono-openapi	0.4.8	1.3.0
isomorphic-dompurify	2.35.0	3.13.0
jotai	2.12.3	2.20.0
js-cookie	3.0.5	3.0.7
lucide-react	0.542.0	1.16.0
nanoid	5.1.6	5.1.11
next	16.2.4	16.2.6
next-intl	4.8.3	4.12.0
nodemailer	7.0.13	8.0.7
@types/nodemailer	6.4.22	8.0.0
nuqs	2.8.8	2.8.9
openai	6.19.0	6.38.0
react	19.2.4	19.2.6
@types/react	19.1.3	19.2.14
react-day-picker	9.13.0	10.0.1
react-dom	19.2.4	19.2.6
@types/react-dom	19.1.3	19.2.3
react-dropzone	14.4.0	15.0.0
react-hook-form	7.71.1	7.76.0
react-qr-code	2.0.18	2.0.21
react-resizable-panels	3.0.6	4.11.1
recharts	2.15.4	3.8.1
sharp	0.34.4	0.34.5
slugify	1.6.6	1.6.9
stripe	18.5.0	22.1.1
tailwind-merge	3.4.0	3.6.0
tencentcloud-sdk-nodejs	4.1.184	4.1.233
ufo	1.6.3	1.6.4
use-debounce	10.1.0	10.1.1
use-intl	4.8.2	4.12.0
uuid	11.1.0	14.0.0
zod	4.3.6	4.4.3
zustand	5.0.11	5.0.13
@prisma/adapter-pg	7.3.0	7.8.0
pg	8.18.0	8.21.0
@types/pg	8.16.0	8.20.0
ws	8.19.0	8.20.1

Updates @ai-sdk/openai from 3.0.26 to 3.0.64

Release notes

Sourced from @​ai-sdk/openai's releases.

@​ai-sdk/openai@​3.0.64

Patch Changes

• b7ed8bd: feat(openai): add opt-in pass-through for unsupported file media types

Changelog

Sourced from @​ai-sdk/openai's changelog.

3.0.64

Patch Changes

• b7ed8bd: feat(openai): add opt-in pass-through for unsupported file media types

3.0.63

Patch Changes

• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27

3.0.62

Patch Changes

• 65edcca: feat: add allowedTools provider option for OpenAI Responses

3.0.61

Patch Changes

• b93f9b4: feat(provider/openai): forward imageDetail providerOptions on tool-result image content

3.0.60

Patch Changes

• 6dcd8e6: feat(openai): add GPT-5.5 chat model IDs

3.0.59

Patch Changes

• 38966ab: fix(openai, openai-compatible): only send null content for assistant messages with tool calls

3.0.58

Patch Changes

• 2370948: feat(openai): preserve namespace on function_call output items

3.0.57

Patch Changes

• d33e7cc: chore(provider/openai): add type for image model options for type-safe processing

3.0.56

... (truncated)

Commits

• 2e7664b Version Packages (#15315)
• b7ed8bd Backport: feat(openai): add opt-in pass-through for unsupported file media ty...
• e3ccdb5 Version Packages (#15094)
• bf9de31 Version Packages (#15046)
• 65edcca Backport: feat(openai): add allowedTools provider option for Responses (#15044)
• ee37690 Version Packages (#15020)
• b93f9b4 Backport: feat(provider/openai): forward imageDetail providerOptions on tool-...
• c706111 Version Packages (#14971)
• 6dcd8e6 Backport: feat(openai): add GPT-5.5 chat model IDs (#14965)
• a1dddcc Version Packages (#14954)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/openai since your current version.

Updates @ai-sdk/react from 3.0.80 to 3.0.186

Release notes

Sourced from @​ai-sdk/react's releases.

@​ai-sdk/react@​3.0.186

Patch Changes

• Updated dependencies [40fc5e4]
  • ai@6.0.184

@​ai-sdk/react@​3.0.185

Patch Changes

• ai@6.0.183

Changelog

Sourced from @​ai-sdk/react's changelog.

3.0.186

Patch Changes

• Updated dependencies [40fc5e4]
  • ai@6.0.184

3.0.185

Patch Changes

• ai@6.0.183

3.0.184

Patch Changes

• Updated dependencies [e76a29a]
  • ai@6.0.182

3.0.183

Patch Changes

• Updated dependencies [538974a]
  • ai@6.0.181

3.0.182

Patch Changes

• Updated dependencies [253bd5a]
• Updated dependencies [57ec10f]
  • ai@6.0.180

3.0.181

Patch Changes

• ai@6.0.179

3.0.180

Patch Changes

• Updated dependencies [ac6f27e]
  • ai@6.0.178

3.0.179

... (truncated)

Commits

• f8d3003 Version Packages (#15356)
• 2e7664b Version Packages (#15315)
• c76ce9c Version Packages (#15257)
• c0e4fef Version Packages (#15251)
• 43e5359 Version Packages (#15221)
• e2f1bca Version Packages (#15216)
• d37fb1f Version Packages (#15202)
• e70aab9 Version Packages (#15138)
• e3ccdb5 Version Packages (#15094)
• 3015153 Version Packages (#14960)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/react since your current version.

Updates @aws-sdk/client-s3 from 3.984.0 to 3.1049.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1049.0

3.1049.0(2026-05-18)

Documentation Changes

• client-evs: Amazon EVS now supports up to 32 hosts per EVS environment, increasing the previous host limit to allow a larger scale of VMware workload deployments and reduce operational overhead. (34718dc5)

New Features

• clients: update client endpoints as of 2026-05-18 (a5f4e2a2)
• client-ec2: Amazon VPC IP Address Manager (IPAM) now supports tags on IPAM pool allocations, enabling all standard tagging features for allocations including tag-on-create. (0ac6d448)
• client-accessanalyzer: Services manage service-linked analyzers through dedicated APIs - CreateServiceLinkedAnalyzer and DeleteServiceLinkedAnalyzer that separate service-linked specific operations from customer-managed operations. It also shows up in ListAnalyzers and GetAnalyzer responses. (fdfcbe80)
• client-ecs: Amazon ECS now supports Pause lifecycle hooks for service deployments, allowing customers to automatically pause deployments at specified stages and use the new ContinueServiceDeployment API to continue or roll back with confidence. (8437bd6c)
• client-connect: Amazon Connect Cases now supports SLA durations of up to 2 years (1,051,200 minutes), increased from the previous maximum of 90 days (129,600 minutes). This enables you to track long-running service level agreements for cases that require extended resolution timelines. (045e1382)
• client-ivs: Adds support for up to 3 mediaTailorPlaybackConfiguration objects in an ad configuration resource (e7a59d85)
• client-quicksight: Support for dataset enrichment and geo spatial in new data preparation experience (c3036698)

Bug Fixes

• core/protocols: make error namespace removal unconditional in JSON RPC (#8031) (7cee4f27)
• client-sts: update imports to new module locations (#8025) (be183b6d)

---

For list of updated packages, view updated-packages.md in assets-3.1049.0.zip

v3.1048.0

3.1048.0(2026-05-15)

Chores

• packages: update import paths (#8024) (901b75a1)
• codegen:
  • updated import sources for aws-sdk core (#8015) (1af90474)
  • sync for browser bundle fixes (#8022) (eabae7d8)
• core/client: consolidate packages into core/client (#8010) (832d9e76)

New Features

• clients: update client endpoints as of 2026-05-15 (4aa76bd0)
• client-mediapackagev2: This release adds support for AvailabilityStartTimeConfiguration in MediaPackageV2 DASH manifests (6c8a84d4)
• client-partnercentral-selling: Enable TCV intake on Opportunity to improve Opportunities Hygiene and downstream revenue attribution. (d68a75c4)
• client-cloudwatch-logs: Updating the max limit for start query api parameter. (931876e1)

---

For list of updated packages, view updated-packages.md in assets-3.1048.0.zip

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1049.0 (2026-05-18)

Bug Fixes

• client-sts: update imports to new module locations (#8025) (be183b6)

3.1048.0 (2026-05-15)

Note: Version bump only for package @​aws-sdk/client-s3

3.1047.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-s3

3.1046.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-s3

3.1045.0 (2026-05-07)

Note: Version bump only for package @​aws-sdk/client-s3

3.1044.0 (2026-05-06)

Features

• client-s3: Validate outpost access point resource name (bee88a5)

... (truncated)

Commits

• 04d52f3 Publish v3.1049.0
• be183b6 fix(client-sts): update imports to new module locations (#8025)
• 313813d Publish v3.1048.0
• 1af9047 chore(codegen): updated import sources for aws-sdk core (#8015)
• eabae7d chore(codegen): sync for browser bundle fixes (#8022)
• 8edb907 Publish v3.1047.0
• a664335 Publish v3.1046.0
• 9ce20f6 chore(codegen): dependency version bump (#8008)
• acffbf9 chore: update smithy/core imports (#7979)
• b329def Publish v3.1045.0
• Additional commits viewable in compare view

Updates @aws-sdk/s3-request-presigner from 3.984.0 to 3.1049.0

Release notes

Sourced from @​aws-sdk/s3-request-presigner's releases.

v3.1049.0

3.1049.0(2026-05-18)

Documentation Changes

• client-evs: Amazon EVS now supports up to 32 hosts per EVS environment, increasing the previous host limit to allow a larger scale of VMware workload deployments and reduce operational overhead. (34718dc5)

New Features

• clients: update client endpoints as of 2026-05-18 (a5f4e2a2)
• client-ec2: Amazon VPC IP Address Manager (IPAM) now supports tags on IPAM pool allocations, enabling all standard tagging features for allocations including tag-on-create. (0ac6d448)
• client-accessanalyzer: Services manage service-linked analyzers through dedicated APIs - CreateServiceLinkedAnalyzer and DeleteServiceLinkedAnalyzer that separate service-linked specific operations from customer-managed operations. It also shows up in ListAnalyzers and GetAnalyzer responses. (fdfcbe80)
• client-ecs: Amazon ECS now supports Pause lifecycle hooks for service deployments, allowing customers to automatically pause deployments at specified stages and use the new ContinueServiceDeployment API to continue or roll back with confidence. (8437bd6c)
• client-connect: Amazon Connect Cases now supports SLA durations of up to 2 years (1,051,200 minutes), increased from the previous maximum of 90 days (129,600 minutes). This enables you to track long-running service level agreements for cases that require extended resolution timelines. (045e1382)
• client-ivs: Adds support for up to 3 mediaTailorPlaybackConfiguration objects in an ad configuration resource (e7a59d85)
• client-quicksight: Support for dataset enrichment and geo spatial in new data preparation experience (c3036698)

Bug Fixes

• core/protocols: make error namespace removal unconditional in JSON RPC (#8031) (7cee4f27)
• client-sts: update imports to new module locations (#8025) (be183b6d)

---

For list of updated packages, view updated-packages.md in assets-3.1049.0.zip

v3.1048.0

3.1048.0(2026-05-15)

Chores

• packages: update import paths (#8024) (901b75a1)
• codegen:
  • updated import sources for aws-sdk core (#8015) (1af90474)
  • sync for browser bundle fixes (#8022) (eabae7d8)
• core/client: consolidate packages into core/client (#8010) (832d9e76)

New Features

• clients: update client endpoints as of 2026-05-15 (4aa76bd0)
• client-mediapackagev2: This release adds support for AvailabilityStartTimeConfiguration in MediaPackageV2 DASH manifests (6c8a84d4)
• client-partnercentral-selling: Enable TCV intake on Opportunity to improve Opportunities Hygiene and downstream revenue attribution. (d68a75c4)
• client-cloudwatch-logs: Updating the max limit for start query api parameter. (931876e1)

---

For list of updated packages, view updated-packages.md in assets-3.1048.0.zip

... (truncated)

Changelog

Sourced from @​aws-sdk/s3-request-presigner's changelog.

3.1049.0 (2026-05-18)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1048.0 (2026-05-15)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1047.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1046.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1045.0 (2026-05-07)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1044.0 (2026-05-06)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1043.0 (2026-05-05)

... (truncated)

Commits

• 04d52f3 Publish v3.1049.0
• 313813d Publish v3.1048.0
• 901b75a chore(packages): update import paths (#8024)
• eabae7d chore(codegen): sync for browser bundle fixes (#8022)
• 8edb907 Publish v3.1047.0
• a664335 Publish v3.1046.0
• 6a0f061 chore(core/util): migrate minor utility functions to core (#8007)
• 9ce20f6 chore(codegen): dependency version bump (#8008)
• acffbf9 chore: update smithy/core imports (#7979)
• b329def Publish v3.1045.0
• Additional commits viewable in compare view

Updates @fumadocs/content-collections from 1.2.6 to 1.2.9

Commits

• fa60913 Version Packages (#3202)
• 2d8f596 Chore: fix npm pack skipping nested node_modules
• b5af621 Merge pull request #3200 from fuma-nama/changeset-release/dev
• 79995e9 fix tsdown warnings
• 9518cc8 OpenAPI: remove openapi-sampler dep
• 335b9c1 Chore: bundle more deps
• 498425b UI: pre-calculate TOC item positions
• 7cdde7c UI: improve TOC performance
• 690ddb9 Chore: bundle more deps
• 8999346 Version Packages (#3198)
• Additional commits viewable in compare view

Updates @hono/zod-openapi from 1.2.1 to 1.4.0

Release notes

Sourced from @​hono/zod-openapi's releases.

@​hono/zod-openapi@​1.4.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-openapi): bump peerDependencies.hono to >=4.10.0 to match the runtime requirement coming through @hono/zod-validator.

  @hono/zod-openapi lists @hono/zod-validator as a direct (non-peer) dependency, so its peer range must be at least as strict as @hono/zod-validator's. After the typed-400 fix bumps @hono/zod-validator's peerDependencies.hono to >=4.10.0, leaving @hono/zod-openapi's peer at >=4.3.6 would let consumers install @hono/zod-openapi against e.g. hono@4.9.9, where the bundled @hono/zod-validator types reference the 4-argument MiddlewareHandler<E, P, I, R> (introduced in Hono v4.10.0) and fail to compile (TS2707).

Patch Changes

• Updated dependencies [e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67]:
  • @​hono/zod-validator@​0.8.0

@​hono/zod-openapi@​1.3.0

Minor Changes

• #1752 fe0f8e4b44ca8e78d2ed60ed8591f415cd85eaa9 Thanks @​destroSunRay! - This PR adds two new utilities to improve route definition and registration in @hono/zod-openapi:

  • defineOpenAPIRoute: Provides explicit type safety for route definitions
  • openapiRoutes: Enables batch registration of multiple routes with full type safety
  • Registering many routes individually was repetitive and verbose
  • Type inference for complex route configurations was challenging
  • Organizing routes across multiple files was difficult
  • No built-in support for conditional route registration
  • RPC type safety was hard to maintain across scattered route registrations
  • defineOpenAPIRoute: Wraps route definitions with explicit types for better IDE support and type checking
  • openapiRoutes: Accepts an array of route definitions and registers them all at once
  • Supports addRoute flag for conditional registration
  • Maintains full type safety and RPC support through recursive type merging
  • Enables clean modular organization of routes
  • ✅ Reduced boilerplate code
  • ✅ Better type inference and IDE autocomplete
  • ✅ Easier code organization and maintainability
  • ✅ Declarative conditional routes
  • ✅ Full backward compatibility

  See the updated README for usage examples.

  • All existing tests pass (102/102)
  • Added tests for new functionality
  • Verified type inference works correctly
  • Updated package README with usage examples

@​hono/zod-openapi@​1.2.4

Patch Changes

• #1831 40ede9c55abe672798deca6970ef60b945382d34 Thanks @​yusukebe! - fix: publish to JSR

@​hono/zod-openapi@​1.2.3

Patch Changes

... (truncated)

Changelog

Sourced from @​hono/zod-openapi's changelog.

1.4.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-openapi): bump peerDependencies.hono to >=4.10.0 to match the runtime requirement coming through @hono/zod-validator.

  @hono/zod-openapi lists @hono/zod-validator as a direct (non-peer) dependency, so its peer range must be at least as strict as @hono/zod-validator's. After the typed-400 fix bumps @hono/zod-validator's peerDependencies.hono to >=4.10.0, leaving @hono/zod-openapi's peer at >=4.3.6 would let consumers install @hono/zod-openapi against e.g. hono@4.9.9, where the bundled @hono/zod-validator types reference the 4-argument MiddlewareHandler<E, P, I, R> (introduced in Hono v4.10.0) and fail to compile (TS2707).

Patch Changes

• Updated dependencies [e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67]:
  • @​hono/zod-validator@​0.8.0

1.3.0

Minor Changes

• #1752 fe0f8e4b44ca8e78d2ed60ed8591f415cd85eaa9 Thanks @​destroSunRay! - This PR adds two new utilities to improve route definition and registration in @hono/zod-openapi:

  • defineOpenAPIRoute: Provides explicit type safety for route definitions
  • openapiRoutes: Enables batch registration of multiple routes with full type safety
  • Registering many routes individually was repetitive and verbose
  • Type inference for complex route configurations was challenging
  • Organizing routes across multiple files was difficult
  • No built-in support for conditional route registration
  • RPC type safety was hard to maintain across scattered route registrations
  • defineOpenAPIRoute: Wraps route definitions with explicit types for better IDE support and type checking
  • openapiRoutes: Accepts an array of route definitions and registers them all at once
  • Supports addRoute flag for conditional registration
  • Maintains full type safety and RPC support through recursive type merging
  • Enables clean modular organization of routes
  • ✅ Reduced boilerplate code
  • ✅ Better type inference and IDE autocomplete
  • ✅ Easier code organization and maintainability
  • ✅ Declarative conditional routes
  • ✅ Full backward compatibility

  See the updated README for usage examples.

  • All existing tests pass (102/102)
  • Added tests for new functionality
  • Verified type inference works correctly
  • Updated package README with usage examples

1.2.4

Patch Changes

• #1831 40ede9c55abe672798deca6970ef60b945382d34 Thanks @​yusukebe! - fix: publish to JSR

1.2.3

... (truncated)

Commits

• a08b023 Version Packages (#1887)
• e90e4fb feat(zod-validator): surface the default 400 on the no-hook overload and keep...
• 5eeca71 Version Packages (#1849)
• fe0f8e4 feat(zod-openapi): add defineOpenAPIRoute and openapiRoutes for batch route r...
• a6f4ef5 Version Packages (#1832)
• 40ede9c fix(zod-openapi): publish to JSR (#1831)
• 38993fa Version Packages (#1811)
• db8fd16 fix(zod-openapi): bump @​asteasolutions/zod-to-openapi to allow nested discrim...
• e762ac0 feat(eslint): ignoring variables and parameters prefixed with _ (#1772)
• 27d8981 Version Packages (#1749)
• Additional commits viewable in compare view

Updates @hono/zod-validator from 0.7.6 to 0.8.0

Release notes

Sourced from @​hono/zod-validator's releases.

@​hono/zod-validator@​0.8.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-validator): surface the default 400 failure response so it propagates to the RPC schema (refs honojs/hono#3746).
  • Widen the no-hook overload return type to MiddlewareHandler<E, P, V, TypedResponse<ZodValidatorFailureBody<T>, 400, 'json'>>, so the default c.json(result, 400) body reaches MergeMiddlewareResponse<M_k> on the Hono side and shows up in hc<typeof app> as a typed 400 branch.
  • Intersect the inferred middleware response with Response (Response & TypedResponse<...>) in both ZodValidatorFailureResponse<T> and ExtractValidationResponse<VF> so a zValidator(...) middleware remains assignable to a plain MiddlewareHandler (avoids a TS2322 regression caused by bare TypedResponse).
  • Collapse the no-hook overload to also accept undefined for the hook parameter together with the options.validationFunction, allowing zValidator(target, schema, undefined, { validationFunction }) to match the typed-failure path.
  • Bump peerDependencies.hono to >=4.10.0 because this PR now relies on the 4-argument MiddlewareHandler<E, P, I, R> signature introduced in Hono v4.10.0; on hono <4.10.0, MiddlewareHandler only accepts 3 type arguments and consumers would hit TS2707 even though peer ranges currently allow it.

Changelog

Sourced from @​hono/zod-validator's changelog.

0.8.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-validator): surface the default 400 failure response so it propagates to the RPC schema (refs honojs/hono#3746).
  • Widen the no-hook overload return type to MiddlewareHandler<E, P, V, TypedResponse<ZodValidatorFailureBody<T>, 400, 'json'>>, so the default c.json(result, 400) body reaches MergeMiddlewareResponse<M_k> on the Hono side and shows up in hc<typeof app> as a typed 400 branch.
  • Intersect the inferred middleware response with Response (Response & TypedResponse<...>) in both ZodValidatorFailureResponse<T> and ExtractValidationResponse<VF> so a zValidator(...) middleware remains assignable to a plain MiddlewareHandler (avoids a TS2322 regression caused by bare TypedResponse).
  • Collapse the no-hook overload to also accept undefined for the hook parameter together with the options.validationFunction, allowing zValidator(target, schema, undefined, { validationFunction }) to match the typed-failure path.
  • Bump peerDependencies.hono to >=4.10.0 because this PR now relies on the 4-argument MiddlewareHandler<E, P, I, R> signature introduced in Hono v4.10.0; on hono <4.10.0, MiddlewareHandler only accepts 3 type arguments and consumers would hit TS2707 even though peer ranges currently allow it.

Commits

• a08b023 Version Packages (#1887)
• e90e4fb feat(zod-validator): surface the default 400 on the no-hook overload and keep...
• e762ac0 feat(eslint): ignoring variables and parameters prefixed with _ (#1772)
• 475cd12 chore: update typescript to 5.9.3 (#1741)
• 96ae310 chore: update Zod/Valibot import examples to use namespace imports in docs an...
• fbec266 chore(deps-dev): bump hono from 4.11.3 to 4.11.4 (#1710)
• c7edf1e chore(deps-dev): upgrade @cloudflare/vitest-pool-workers and vitest (#1714)
• 03a28c5 fix: less strict template expressions (#1681)
• 1f8372e chore(typescript): add @tsconfig/strictest (#1679)
• 49db969 chore(eslint): update suppressions (#1678)
• Additional commits viewable in compare view

Updates @next/third-parties from 16.1.6 to 16.2.6

Release notes

Sourced from @​next/third-parties's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• 766148f v16.2.5
• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• ed7d2ce v16.2.1
• c5c94df v16.2.0
• 3683192 v16.2.0-canary.104
• 6689814 v16.2.0-canary.103
• ad66dbc v16.2.0-canary.102
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/third-parties since your current version.

Updates @paralleldrive/cuid2 from 2.3.1 to 3.3.0

Changelog

Sourced from @​paralleldrive/cuid2's changelog.

[3.3.0] - 2026-01-25

Fixed

• Fix typo in package.json exports field: ./package.json path was incorrectly specified
• Fix TypeScript compilation error (TS1203) by replacing export = with named exports in index.d.ts

Updated

• Update AI development framework (aidd) to v2.5.0 for enhanced security reviews
• Update all devDependencies to latest versions (@​types/node, @​types/react, eslint, eslint-config-next, eslint-config-prettier, eslint-plugin-prettier, next, prettier, react, react-dom, release-it, riteway, updtr, watch)

[3.0.2] - 2025-10-27

Changed

• Remove collision-test from pre-commit hook to unblock release process

Fixed

• Replace BigInt with bignumber.js for broader browser support (legacy browsers)
• Add export module field to package.json for better ESM compatibility

Added

• Implement CSPRNG using crypto.getRandomValues for enhanced security
• Add validation to throw error when length > 32

Documentation

• Fix typo: Change "P...

  Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.