chore(deps): bump the npm-web-nonbreaking group across 1 directory with 16 updates

[dependabot]

Bumps the npm-web-nonbreaking group with 16 updates in the /web directory:

Package	From	To
@react-three/fiber	9.5.0	9.6.0
fumadocs-core	16.7.7	16.8.4
fumadocs-mdx	14.2.11	14.3.1
fumadocs-ui	16.7.7	16.8.4
next	16.2.1	16.2.4
react	19.2.4	19.2.5
react-dom	19.2.4	19.2.5
@next/eslint-plugin-next	16.2.1	16.2.4
@tailwindcss/postcss	4.2.2	4.2.4
@types/node	22.19.15	22.19.17
eslint-config-next	16.2.1	16.2.4
eslint-plugin-react-hooks	7.0.1	7.1.1
globals	17.4.0	17.5.0
postcss	8.5.8	8.5.10
tailwindcss	4.2.2	4.2.4
typescript-eslint	8.58.0	8.59.0

Updates @react-three/fiber from 9.5.0 to 9.6.0

Release notes

Sourced from @​react-three/fiber's releases.

v9.6.0 - Sunset X

Ever tried using <shaderMaterial uniforms={{ time: { value: time } }} /> and ran into immediate issues with desync? No more.

The uniforms objects on ShaderMaterial and its derivatives now have a stable reference. Objects passed into uniforms will instead copy into it. This is the same as behavior for math structures that have copy such as position, rotation, quaternion, etc. and ends up simplifying using the raw JSX where utilities were often introduced before.

Why does this matter?

1. Improves HMR. Even if you memoize the uniforms object it will still regenerate and desync Three. Now this won't happen. But also it makes compatibility with React compiler more complete with its auto-memoization.

2. Allows for inline uniform props and even prop uniforms directly on the material piercing.

<shaderMaterial
  vertexShader={vertexShader}
  fragmentShader={fragmentShader}
  // The uniforms object has a stable reference so objects can be safely merged in
  uniforms={{ 
    uTime: { value: 0 }, 
    uColor: { value: new THREE.Color('hotpink') } 
  }}
  // Individual uniforms can also be safely updated with pierce notation
  uniforms-uColor-value={hovered ? 'royalblue' : 'hotpink'}
/>

Documentation can be found here: https://r3f.docs.pmnd.rs/api/objects#shader-material-uniforms

And an example can be found here: https://github.com/pmndrs/react-three-fiber/blob/master/example/src/demos/ShaderMaterial.tsx

What's Changed

• fix: Fix broken link on "Performance pitfalls" documentation page by @​simonKristensen in pmndrs/react-three-fiber#3700
• fix: uniforms have stable refs for ShaderMaterial by @​krispya in pmndrs/react-three-fiber#3715
• docs: fix typos and documentation consistency by @​NssGourav in pmndrs/react-three-fiber#3709

New Contributors

• @​simonKristensen made their first contribution in pmndrs/react-three-fiber#3700
• @​NssGourav made their first contribution in pmndrs/react-three-fiber#3709

Full Changelog: pmndrs/react-three-fiber@v9.5.0...v9.6.0

Commits

• 877c839 chore: Move ShaderMaterial uniform notes to objects out of pitfalls (#3734)
• ece1a3f RELEASING: Releasing 1 package(s)
• 26e4716 docs(changeset): Fix uniforms refs so they remain stable for ShaderMaterial
• 1fb9fcd docs: fix typos and documentation consistency (#3709)
• e1a375c fix: Uniforms have stable refs for ShaderMaterial (#3715)
• 582f787 docs: fix broken link on "Performance pitfalls" documentation page (#3700)
• 9525ea0 Update docker_tag in docs.yml workflow
• 56637a2 Upgrade pmndrs/docs workflow to version 3
• 8c9b656 chore: use latest npm in canary
• 1bdf70b chore: copy canary workflow to master
• Additional commits viewable in compare view

Updates fumadocs-core from 16.7.7 to 16.8.4

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.8.4

Patch Changes

• 61b15e9: fix Shiki languages not loaded under lazy mode
• 1a5433c: Support $ in locale for page tree generation

fumadocs-core@16.8.3

No release notes provided.

fumadocs-core@16.8.2

No release notes provided.

fumadocs-core@16.8.1

No release notes provided.

fumadocs-core@16.7.16

Patch Changes

• 9cf33e9: Improve inline code output
• 9cf33e9: Support async hooks in Shiki transformers

fumadocs-core@16.7.15

Patch Changes

• e1567e2: use local fork of Shiki rehype integration
• 9a200c8: fix multi-line in remark-npm
• c731a92: Implement selective re-render for TOC
• a4189ce: Improve AST plugins

fumadocs-core@16.7.14

Patch Changes

• 2d8f596: fix npm pack skipping nested node_modules

fumadocs-core@16.7.13

Patch Changes

• 690ddb9: bundle more deps

fumadocs-core@16.7.12

No release notes provided.

fumadocs-core@16.7.11

Patch Changes

• 5524927: extend page tree root scope
• d47c4f1: LLMs: support generating section for a specific page tree node

Commits

• e1f19c7 Version Packages (#3232)
• b5ff03b UI: Support new OG image design for Takumi
• 61b15e9 Core: fix Shiki languages not loaded under lazy mode
• 9b5d2b3 Core: fix file storage
• 1a5433c Core: support $ locale
• 6d7399b Version Packages (#3229)
• dcb1c25 fix: downgrade Tanstack Start
• f1b66af UI: reduce generated Tailwind CSS bundle
• a1ca76c Docs: introduce local-md non-RSC usage
• 6faf2de Bump deps
• Additional commits viewable in compare view

Updates fumadocs-mdx from 14.2.11 to 14.3.1

Release notes

Sourced from fumadocs-mdx's releases.

fumadocs-mdx@14.3.0

Minor Changes

• fa9f678: Make Next.js config ESM only

  Newer Next.js supported .mts extension for Next.js config files, see Next.js docs for more info.

fumadocs-mdx@14.2.14

Patch Changes

• eb62304: Make mdx-remote optional for dynamic mode
• Updated dependencies [e1567e2]
• Updated dependencies [9a200c8]
• Updated dependencies [c731a92]
• Updated dependencies [a4189ce]
  • fumadocs-core@16.7.15

fumadocs-mdx@14.2.13

Patch Changes

• 2d8f596: fix npm pack skipping nested node_modules
• Updated dependencies [2d8f596]
  • @​fumadocs/mdx-remote@​1.4.8
  • fumadocs-core@16.7.14

fumadocs-mdx@14.2.12

Patch Changes

• 690ddb9: bundle more deps
• Updated dependencies [690ddb9]
  • @​fumadocs/mdx-remote@​1.4.7
  • fumadocs-core@16.7.13

Commits

• 00c01b6 Merge pull request #1041 from fuma-nama/changeset-release/dev
• b571b21 Version Packages
• e7443d7 UI: Fix development errors
• a6a7b70 Merge branch 'main' into dev
• 00209d0 docs: update information
• 07e343e Merge pull request #1028 from fuma-nama/changeset-release/dev
• d21abf0 Version Packages
• acffcfd fix Orama type problems
• a11804b UI: expose more providers from fumadocs-ui/provider
• 46d9208 CFA: Add option for ESLint
• Additional commits viewable in compare view

Attestation changes

This version has no provenance attestation, while the previous version (14.2.11) was attested. Review the package versions before updating.

Updates fumadocs-ui from 16.7.7 to 16.8.4

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.8.4

Patch Changes

• b5ff03b: Support new OG image design for Takumi
• Updated dependencies [61b15e9]
• Updated dependencies [1a5433c]
  • fumadocs-core@16.8.4

fumadocs-ui@16.8.3

Patch Changes

• 8082ef6: Add legacy/layout for versions prior to 16.2
• 8082ef6: Add css/preset-legacy.css for versions prior to 16.2
• 8082ef6: Add legacy/sidebar for versions prior to 16.2
  • fumadocs-core@16.8.3

fumadocs-ui@16.8.2

Patch Changes

• 0e8405a: Update default OG image
  • fumadocs-core@16.8.2

fumadocs-ui@16.8.1

Patch Changes

• 3ae8809: Improve TOC sizing
  • fumadocs-core@16.8.1

fumadocs-ui@16.7.16

Patch Changes

• f2c6e59: Reduce iterations for calculating TOC track
• 9cf33e9: Improve inline code output
• 9cf33e9: Support async hooks in Shiki transformers
• Updated dependencies [9cf33e9]
• Updated dependencies [9cf33e9]
  • fumadocs-core@16.7.16

fumadocs-ui@16.7.15

Patch Changes

• c731a92: Implement selective re-render for TOC
• ccad791: Expose next-themes
• Updated dependencies [e1567e2]
• Updated dependencies [9a200c8]
• Updated dependencies [c731a92]
• Updated dependencies [a4189ce]
  • fumadocs-core@16.7.15

fumadocs-ui@16.7.14

... (truncated)

Commits

• e1f19c7 Version Packages (#3232)
• b5ff03b UI: Support new OG image design for Takumi
• 61b15e9 Core: fix Shiki languages not loaded under lazy mode
• 9b5d2b3 Core: fix file storage
• 1a5433c Core: support $ locale
• 6d7399b Version Packages (#3229)
• dcb1c25 fix: downgrade Tanstack Start
• f1b66af UI: reduce generated Tailwind CSS bundle
• a1ca76c Docs: introduce local-md non-RSC usage
• 6faf2de Bump deps
• Additional commits viewable in compare view

Updates next from 16.2.1 to 16.2.4

Release notes

Sourced from next's releases.

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

... (truncated)

Commits

• 2275bd8 v16.2.4
• e073983 Adding more system info to the 'initialize project' trace (#92427)
• 8a540b5 Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92...
• 2f5343f Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• 2ad9d3f turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during ...
• 6f3808e Compiler: Support boolean and number primtives in next.config defines (#92731)
• fbc7684 Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• 805d758 Turbopack: fix filesystem watcher config not applying follow_symlinks(false) ...
• 1056fae chore: Bump reqwest to 0.13.2 (#92713)
• d5f649b v16.2.3
• Additional commits viewable in compare view

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates @next/eslint-plugin-next from 16.2.1 to 16.2.4

Release notes

Sourced from @​next/eslint-plugin-next's releases.

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

... (truncated)

Commits

• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• See full diff in compare view

Updates @tailwindcss/postcss from 4.2.2 to 4.2.4

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.2.4] - 2026-04-21

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

[4.2.3] - 2026-04-20

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

Commits

• 69ad7cc 4.2.4 (#19948)
• 685c19e Fix issue around resolving paths in @tailwindcss/vite (#19947)
• 2e3fa49 4.2.3 (#19944)
• 4527123 docs(postcss): remove duplicated optimize example from README (#19938)
• aad6017 docs/fix-lightning-css-typo-postcss-readme (#19913)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/postcss since your current version.

Updates @types/node from 22.19.15 to 22.19.17

Commits

• See full diff in compare view

Updates eslint-config-next from 16.2.1 to 16.2.4

Release notes

Sourced from eslint-config-next's releases.

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

... (truncated)

Commits

• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• See full diff in compare view

Updates eslint-plugin-react-hooks from 7.0.1 to 7.1.1

Release notes

Sourced from eslint-plugin-react-hooks's releases.

eslint-plugin-react-hooks@7.1.1 (April 17, 2026)

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

• Add deprecated no-op component-hook-factories rule for backwards compatibility. (@​mofeiZ in #36307)

eslint-plugin-react-hooks@7.1.0 (April 16, 2026)

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

• Add ESLint v10 support. (@​azat-io in #35720)
• Skip compilation for non-React files to improve performance. (@​josephsavona in #35589)
• Fix exhaustive deps bug with Flow type casting. (@​jorge-cab in #35691)
• Fix useEffectEvent checks in component syntax. (@​jbrown215 in #35041)
• Improved set-state-in-effect validation with fewer false negatives. (@​jorge-cab in #35134, @​josephsavona in #35147, @​jackpope in #35214, @​chesnokov-tony in #35419, @​jsleitor in #36107)
• Improved ref validation for non-mutating functions and event handler props. (@​josephsavona in #35893, @​kolvian in #35062)
• Compiler now reports all errors instead of stopping at the first. (@​josephsavona in #35873–#35884)
• Improved source locations and error display in compiler diagnostics. (@​nathanmarks in #35348, @​josephsavona in #34963)

Changelog

Sourced from eslint-plugin-react-hooks's changelog.

7.1.1

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

• Add deprecated no-op component-hook-factories rule for backwards compatibility. (@​mofeiZ in #36307)

7.1.0

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

• Add ESLint v10 support. (@​azat-io in #35720)
• Skip compilation for non-React files to improve performance. (@​josephsavona in #35589)
• Fix exhaustive deps bug with Flow type casting. (@​jorge-cab in #35691)
• Fix useEffectEvent checks in component syntax. (@​jbrown215 in #35041)
• Improved set-state-in-effect validation with fewer false negatives. (@​jorge-cab in #35134, @​josephsavona in #35147, @​jackpope in #35214, @​chesnokov-tony in #35419, @​jsleitor in #36107)
• Improved ref validation for non-mutating functions and event handler props. (@​josephsavona in #35893, @​kolvian in #35062)
• Compiler now reports all errors instead of stopping at the first. (@​josephsavona in #35873–#35884)
• Improved source locations and error display in compiler diagnostics. (@​nathanmarks in #35348, @​josephsavona in #34963)

Commits

• See full diff in compare view

Updates globals from 17.4.0 to 17.5.0

Release notes

Sourced from globals's releases.

v17.5.0

• Update globals (2026-04-12) (#342) 5d84602

---

sindresorhus/globals@v17.4.0...v17.5.0

Commits

• b8170c8 17.5.0
• 5d84602 Update globals (2026-04-12) (#342)
• 1b727e5 Fix build script for ES globals (#341)
• See full diff in compare view

Updates postcss from 8.5.8 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

Changelog

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

Commits

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agent-space-web	Error		Apr 26, 2026 4:55am

[mogplex]

Mogplex PR Review

Status: Attention needed

This is a routine Dependabot dependency bump across 16 packages in the /web directory. The upgrades include two security fixes (postcss XSS, Next.js CVE-2026-23869) and are broadly safe to merge. Two concerns are worth addressing before landing: the lockfile (pnpm-lock.yaml) is absent from the diff, and one package (fumadocs-mdx) lost its npm provenance attestation in the new version.

1 finding was added inline.

Warnings

• Lockfile not updated in this PR (web/package.json)
  The PR modifies web/package.json but no lockfile (pnpm-lock.yaml, which the engines field indicates is the package manager) appears in the diff. Without a committed lockfile update, the actual resolved dependency versions are unknown and reproducibility is not guaranteed. CI may install different transitive versions than intended, and the security fixes in postcss and Next.js may not actually take effect until the lockfile is regenerated and committed. Verify that the lockfile was updated and committed alongside this change, or confirm that your CI pipeline regenerates it from scratch.

Suggestions

• Security fixes included — note for changelog/release tracking (web/package.json)
  Two packages in this bump include security fixes that should be tracked: (1) postcss 8.5.10 fixes an XSS vulnerability via unescaped </style> in non-bundler output. (2) next 16.2.3 backports a fix for CVE-2026-23869. These are good reasons to prioritize landing this PR promptly. No action required beyond merging, but worth noting in release notes or a security advisory if your project tracks such things.

View check run

[mogplex]

Warning: fumadocs-mdx 14.3.1 has no npm provenance attestation

The PR description explicitly notes: 'This version has no provenance attestation, while the previous version (14.2.11) was attested.' npm provenance attestation links a published package to its source repo and build pipeline, providing supply-chain integrity guarantees. Its absence for 14.3.1 means you cannot cryptographically verify the published artifact was built from the expected source. This is worth confirming with the fumadocs maintainers (fuma-nama/fumadocs) before landing, especially since this is a minor version bump (14.3.x) that introduces a breaking change (Next.js config must now be ESM-only). If the project's security posture requires attestation, consider pinning to 14.2.11 until attestation is restored.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.