Skip to content

chore(deps)(deps): bump the minor-and-patch group across 1 directory with 39 updates#74

Merged
tobias-gp merged 1 commit into
mainfrom
dependabot/npm_and_yarn/minor-and-patch-153a7e9462
Jun 28, 2026
Merged

chore(deps)(deps): bump the minor-and-patch group across 1 directory with 39 updates#74
tobias-gp merged 1 commit into
mainfrom
dependabot/npm_and_yarn/minor-and-patch-153a7e9462

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the minor-and-patch group with 39 updates in the / directory:

Package From To
@vitest/coverage-v8 4.1.7 4.1.9
esbuild 0.28.0 0.28.1
turbo 2.9.14 2.9.18
vitest 4.1.7 4.1.9
@hono/node-server 2.0.4 2.0.5
@langchain/core 1.1.48 1.2.0
@langchain/openai 1.4.7 1.5.1
better-auth 1.6.11 1.6.20
deepagents 1.10.2 1.10.5
hono 4.12.23 4.12.26
mongodb 7.2.0 7.3.0
mongoose 9.6.2 9.7.1
tsx 4.22.3 4.22.4
@astrojs/starlight 0.39.2 0.40.0
astro 6.3.7 6.4.8
sharp 0.34.5 0.35.2
@playwright/test 1.60.0 1.61.0
@tanstack/react-query 5.100.14 5.101.0
@tanstack/react-router 1.170.8 1.170.16
@xyflow/react 12.10.2 12.11.0
lucide-react 1.16.0 1.21.0
react 19.2.6 19.2.7
@types/react 19.2.15 19.2.17
react-dom 19.2.6 19.2.7
@tailwindcss/postcss 4.3.0 4.3.1
@tanstack/router-plugin 1.168.11 1.168.18
tailwindcss 4.3.0 4.3.1
vite 8.0.14 8.0.16
bullmq 5.77.2 5.79.1
ioredis 5.10.1 5.11.1
@langchain/anthropic 1.4.0 1.5.0
isomorphic-git 1.38.1 1.38.5
langchain 1.4.0 1.5.0
@radix-ui/react-label 2.1.8 2.1.10
@radix-ui/react-separator 1.1.8 1.1.10
@radix-ui/react-slot 1.2.4 1.3.0
@radix-ui/react-tooltip 1.2.8 1.2.10
date-fns 4.3.0 4.4.0
radix-ui 1.4.3 1.6.0

Updates @vitest/coverage-v8 from 4.1.7 to 4.1.9

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub
Commits

Updates esbuild from 0.28.0 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Commits

Updates turbo from 2.9.14 to 2.9.18

Release notes

Sourced from turbo's releases.

Turborepo v2.9.18

What's Changed

Changelog

New Contributors

Full Changelog: vercel/turborepo@v2.9.17...v2.9.18

Turborepo v2.9.17

What's Changed

Changelog

... (truncated)

Commits

Updates vitest from 4.1.7 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • a7a61e7 chore: release v4.1.9 (#10598)
  • 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
  • 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
  • a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • See full diff in compare view

Updates @hono/node-server from 2.0.4 to 2.0.5

Release notes

Sourced from @​hono/node-server's releases.

v2.0.5

Security Fix

Fixed a security issue in Serve Static Middleware where prefix-mounted middleware could be bypassed on Windows. This only affects applications running on Windows that use Serve Static Middleware. Affected users are encouraged to upgrade to this version.

See GHSA-frvp-7c67-39w9 for details.

Commits

Updates @langchain/core from 1.1.48 to 1.2.0

Release notes

Sourced from @​langchain/core's releases.

@​langchain/core@​1.2.0

Minor Changes

Patch Changes

  • #11047 ac0f71d Thanks @​christian-bromann! - fix(core): preserve AIMessage content blocks

    Keep existing v1 contentBlocks when constructing AIMessage instances so serialized messages do not lose block content during deserialization.

Commits
  • c5e8962 chore: version packages (#11059)
  • e51478a feat(aws): bedrock prompt caching middleware (#11080)
  • 7d61f5f fix(groq): tighten @​langchain/core peer dependency to ^1.1.30 (#11069)
  • 2e28115 feat(deps): native streamEvents ChatModelStreamEvent protocol (#10924)
  • 6d212ef docs(tavily): fix "refering" typo in tool description (#11067)
  • a001816 chore(deps): bump esbuild from 0.28.0 to 0.28.1 in /environment_tests/test-ex...
  • 234c8bb ci(infra): pin GitHub Actions to full-length commit SHAs (#11061)
  • 4aeaa76 feat(langchain): add when predicate to human-in-the-loop middleware (#11012)
  • ac0f71d fix(core): preserve AIMessage content blocks (#11047)
  • 39f338e chore: remove deprecated @​langchain/google-cloud-sql-pg package (#11060)
  • Additional commits viewable in compare view

Updates @langchain/openai from 1.4.7 to 1.5.1

Release notes

Sourced from @​langchain/openai's releases.

@​langchain/openai@​1.5.1

Patch Changes

  • #11001 80b43ec Thanks @​Herrtian! - Wrap Responses API stream iteration errors with existing OpenAI client error handling.

@​langchain/openai@​1.5.0

Minor Changes

Commits
  • 0066b88 chore: version packages (#11085)
  • 80b43ec fix(openai): wrap responses stream errors (#11001)
  • 3ebd10a feat(langchain): surface tool-dispatched subagents on run.subagents (#11062)
  • c5e8962 chore: version packages (#11059)
  • e51478a feat(aws): bedrock prompt caching middleware (#11080)
  • 7d61f5f fix(groq): tighten @​langchain/core peer dependency to ^1.1.30 (#11069)
  • 2e28115 feat(deps): native streamEvents ChatModelStreamEvent protocol (#10924)
  • 6d212ef docs(tavily): fix "refering" typo in tool description (#11067)
  • a001816 chore(deps): bump esbuild from 0.28.0 to 0.28.1 in /environment_tests/test-ex...
  • 234c8bb ci(infra): pin GitHub Actions to full-length commit SHAs (#11061)
  • Additional commits viewable in compare view

Updates better-auth from 1.6.11 to 1.6.20

Release notes

Sourced from better-auth's releases.

v1.6.20

better-auth

Bug Fixes

  • Fixed account-linking logs to route through the configured logger (#10121)
  • Fixed TypeScript inference errors by declaring inherited APIError properties (#8734)
  • Fixed refresh cookie Max-Age to be capped at expiresIn (#9621)

For detailed changes, see CHANGELOG

@better-auth/i18n

Bug Fixes

  • Fixed English language fallback behavior and improved i18n documentation (#9872)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​adityachaudhary99, @​dipan-ck, @​sleepe229, @​WilsonnnTan

Full changelog: v1.6.19...v1.6.20

v1.6.19

better-auth

Features

  • Added support for pre-binding device codes to a specific user in the device authorization plugin (#9995)

Bug Fixes

  • Fixed headerless session checks (#10053)
  • Fixed cookie cache fallback lookup (#9348)
  • Fixed sendVerificationEmail errors not being surfaced to the client (#8863)
  • Fixed auth client return types not being emitted correctly in TypeScript declaration builds (#10071)
  • Fixed session and account cache cookies being silently dropped when near the browser's per-cookie size limit by splitting them into chunks (#10088)
  • Fixed single-use verification flows (such as magic-link) hanging on connection-limited database adapters by reusing active transactions (#10070)
  • Fixed the domain not being included when clearing cross-subdomain cookies in the last-login-method plugin (#9319)
  • Fixed the oauth-popup plugin leaking internal OAuth state keys into additionalData (#10067)
  • Reverted the headerless session check fix (#10074)

For detailed changes, see CHANGELOG

auth

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.20

Patch Changes

  • #10121 21448b1 Thanks @​adityachaudhary99! - OAuth account-linking and create-user error logs now respect a custom logger configured in betterAuth(), instead of always being written to the default console logger.

  • #9621 8ecf238 Thanks @​dipan-ck! - Session refresh no longer emits a cookie Max-Age above the browser's 400-day ceiling when using a database without fractional-second precision.

  • #8734 930f534 Thanks @​sleepe229! - declare inherited APIError properties to fix TypeScript inference errors

  • Updated dependencies []:

    • @​better-auth/core@​1.6.20
    • @​better-auth/drizzle-adapter@​1.6.20
    • @​better-auth/kysely-adapter@​1.6.20
    • @​better-auth/memory-adapter@​1.6.20
    • @​better-auth/mongo-adapter@​1.6.20
    • @​better-auth/prisma-adapter@​1.6.20
    • @​better-auth/telemetry@​1.6.20

1.6.19

Patch Changes

  • #10088 de4aa52 Thanks @​bytaesu! - Session and account cache cookies near the browser's per-cookie size limit (for example with a long cookiePrefix or many cached fields) are now split into chunks instead of being silently dropped by the browser. A cache too large to fit even when chunked is skipped with a warning rather than failing the request, so reads fall back to the database.

  • #9995 b4b0266 Thanks @​ElGauchooooo! - The device authorization plugin now accepts an optional user_id when issuing a device code via /device/code, pre-binding the code to that user. Only the bound user can approve or deny the code, so a publicly visible user code can no longer be claimed by someone else.

  • #10086 5bd5e1c Thanks @​gustavovalverde! - Refresh-token rotation and token revocation, two-factor backup-code regeneration, device-code claiming, and organization invitation acceptance now work on Prisma. Concurrent or repeat requests in these flows could previously return an error on Prisma instead of the expected result.

    On MongoDB servers older than 5.0, these flows and other guarded value updates (rate-limit window resets, API-key refills) no longer fail with an empty-update error.

    @better-auth/core: incrementOne now reports a clear error when called with no increment and no set.

  • #9319 581f827 Thanks @​ping-maxwell! - fix(last-login-method): include domain when clearing cross-subdomain cookies

  • #10067 8407885 Thanks @​bytaesu! - The oauth-popup plugin now ignores internal OAuth state fields passed through its additionalData parameter, so additionalData only ever carries your own custom values.

  • #9555 c1a8a64 Thanks @​ChrisMGeo! - Fix invalid OpenAPI output for Better Auth callback, session, and passkey routes so client generators can consume the schema.

  • #10071 635f190 Thanks @​gustavovalverde! - Auth clients exported from wrapper packages can now be emitted in TypeScript declaration builds without extra type annotations.

  • #10070 a787e0b Thanks @​gustavovalverde! - Single-use verification flows no longer hang on database adapters that use a one-connection pool. This fixes magic-link verification and similar token checks in connection-limited serverless database setups.

  • #9348 c2f718f Thanks @​ping-maxwell! - fix: cookie cache fallback lookup

  • #8863 7d18175 Thanks @​ping-maxwell! - sendVerificationEmail was invoked via runInBackgroundOrAwait, which could defer work when advanced.backgroundTasks.handler is configured (so the handler could return 200 before the email callback finished) and, in the default path, caught and logged errors without rethrowing. User callbacks that throw APIError (e.g. 429 from a rate limiter) were therefore not reliably reflected in the HTTP response (better-auth/better-auth#8757).

    Now we await sendVerificationEmailFn so failures surface to the client with the correct status. The unauthenticated /send-verification-email path enforces a constant-time floor (500 ms) so that the response duration does not reveal whether the email belongs to a real unverified user.

  • Updated dependencies [0895993, 5bd5e1c, a787e0b]:

... (truncated)

Commits

Updates deepagents from 1.10.2 to 1.10.5

Release notes

Sourced from deepagents's releases.

deepagents@1.10.5

Patch Changes

  • #598 7c4a11e Thanks @​christian-bromann! - refactor(stream): use langchain run.subagents instead of bespoke transformer

    Remove deepagents' custom createSubagentTransformer and rely on the native subagent stream that createAgent registers (langchain#37739). Keep DeepAgentRunStream as a compile-time overlay that narrows run.subagents to declared subagent specs. Update streaming tests for cause and per-subagent message coverage.

deepagents@1.10.4

Patch Changes

  • #551 18557db Thanks @​antonnak! - fix(deepagents): gate cache_control writes on per-call request.model

    createCacheBreakpointMiddleware and createMemoryMiddleware were gating the Anthropic-specific cache_control write at agent-creation time only. When modelFallbackMiddleware swapped request.model to a non-Anthropic provider mid-flight (e.g. on Anthropic 5xx), the marker leaked through and the fallback provider rejected the request with 400 Unknown parameter: 'cache_control'. Both middlewares now also check isAnthropicModel(request.model) inside wrapModelCall. Fixes #550.

  • #591 773cac5 Thanks @​colifran! - chore(deepagents): expose createSubAgent

  • #541 1ca6dc9 Thanks @​ixchio! - fix getMimeType to return application/octet-stream for unknown file extensions instead of text/plain

  • #572 03df237 Thanks @​hntrl! - fix: scope CompositeBackend grep/glob route fanout by search path

    CompositeBackend now limits fallback route fanout to routes mounted under the requested search path, instead of querying all routed backends unconditionally.

    This avoids unrelated...

    Description has been truncated


    [!NOTE]
    Medium Risk
    Wide dependency refresh touches auth (better-auth), HTTP stack (hono/node-server), AI agents (langchain/deepagents), and DB drivers without accompanying code changes—regression risk is mostly integration and runtime behavior.

    Overview
    Bumps ~39 npm dependencies across the monorepo by updating version ranges only in workspace package.json files (root, api, frontend, worker, core, ui, docs, e2e). There are no application source changes in this diff.

    Notable version moves include better-auth on api/frontend, the LangChain stack (@langchain/core 1.2.x, langchain, deepagents) on api/core/worker, Hono / @hono/node-server on api/frontend, MongoDB drivers on api/core, Vitest / Turbo / esbuild at the root, and frontend UI/router packages (TanStack, React 19.2.7, Radix / radix-ui).

    Review should focus on lockfile resolution, CI (build, test, e2e), and any behavior changes from auth, static file serving, or agent streaming dependencies rather than reading app diffs.

    Reviewed by Cursor Bugbot for commit e21c0c5. Bugbot is set up for automated code reviews on this repo. Configure here.

…with 39 updates

Bumps the minor-and-patch group with 39 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.7` | `4.1.9` |
| [esbuild](https://github.com/evanw/esbuild) | `0.28.0` | `0.28.1` |
| [turbo](https://github.com/vercel/turborepo) | `2.9.14` | `2.9.18` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.7` | `4.1.9` |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.4` | `2.0.5` |
| [@langchain/core](https://github.com/langchain-ai/langchainjs) | `1.1.48` | `1.2.0` |
| [@langchain/openai](https://github.com/langchain-ai/langchainjs) | `1.4.7` | `1.5.1` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.11` | `1.6.20` |
| [deepagents](https://github.com/langchain-ai/deepagentsjs) | `1.10.2` | `1.10.5` |
| [hono](https://github.com/honojs/hono) | `4.12.23` | `4.12.26` |
| [mongodb](https://github.com/mongodb/node-mongodb-native) | `7.2.0` | `7.3.0` |
| [mongoose](https://github.com/Automattic/mongoose) | `9.6.2` | `9.7.1` |
| [tsx](https://github.com/privatenumber/tsx) | `4.22.3` | `4.22.4` |
| [@astrojs/starlight](https://github.com/withastro/starlight/tree/HEAD/packages/starlight) | `0.39.2` | `0.40.0` |
| [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) | `6.3.7` | `6.4.8` |
| [sharp](https://github.com/lovell/sharp) | `0.34.5` | `0.35.2` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.60.0` | `1.61.0` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.100.14` | `5.101.0` |
| [@tanstack/react-router](https://github.com/TanStack/router/tree/HEAD/packages/react-router) | `1.170.8` | `1.170.16` |
| [@xyflow/react](https://github.com/xyflow/xyflow/tree/HEAD/packages/react) | `12.10.2` | `12.11.0` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.16.0` | `1.21.0` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.6` | `19.2.7` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.15` | `19.2.17` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.6` | `19.2.7` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.3.0` | `4.3.1` |
| [@tanstack/router-plugin](https://github.com/TanStack/router/tree/HEAD/packages/router-plugin) | `1.168.11` | `1.168.18` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.0` | `4.3.1` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.14` | `8.0.16` |
| [bullmq](https://github.com/taskforcesh/bullmq) | `5.77.2` | `5.79.1` |
| [ioredis](https://github.com/luin/ioredis) | `5.10.1` | `5.11.1` |
| [@langchain/anthropic](https://github.com/langchain-ai/langchainjs) | `1.4.0` | `1.5.0` |
| [isomorphic-git](https://github.com/isomorphic-git/isomorphic-git) | `1.38.1` | `1.38.5` |
| [langchain](https://github.com/langchain-ai/langchainjs) | `1.4.0` | `1.5.0` |
| [@radix-ui/react-label](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/label) | `2.1.8` | `2.1.10` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/separator) | `1.1.8` | `1.1.10` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slot) | `1.2.4` | `1.3.0` |
| [@radix-ui/react-tooltip](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tooltip) | `1.2.8` | `1.2.10` |
| [date-fns](https://github.com/date-fns/date-fns) | `4.3.0` | `4.4.0` |
| [radix-ui](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/radix-ui) | `1.4.3` | `1.6.0` |



Updates `@vitest/coverage-v8` from 4.1.7 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/coverage-v8)

Updates `esbuild` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.28.0...v0.28.1)

Updates `turbo` from 2.9.14 to 2.9.18
- [Release notes](https://github.com/vercel/turborepo/releases)
- [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md)
- [Commits](vercel/turborepo@v2.9.14...v2.9.18)

Updates `vitest` from 4.1.7 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

Updates `@hono/node-server` from 2.0.4 to 2.0.5
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.4...v2.0.5)

Updates `@langchain/core` from 1.1.48 to 1.2.0
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/core@1.1.48...@langchain/core@1.2.0)

Updates `@langchain/openai` from 1.4.7 to 1.5.1
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/openai@1.4.7...@langchain/openai@1.5.1)

Updates `better-auth` from 1.6.11 to 1.6.20
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.20/packages/better-auth)

Updates `deepagents` from 1.10.2 to 1.10.5
- [Release notes](https://github.com/langchain-ai/deepagentsjs/releases)
- [Commits](https://github.com/langchain-ai/deepagentsjs/compare/deepagents@1.10.2...deepagents@1.10.5)

Updates `hono` from 4.12.23 to 4.12.26
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.23...v4.12.26)

Updates `mongodb` from 7.2.0 to 7.3.0
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/main/HISTORY.md)
- [Commits](mongodb/node-mongodb-native@v7.2.0...v7.3.0)

Updates `mongoose` from 9.6.2 to 9.7.1
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md)
- [Commits](Automattic/mongoose@9.6.2...9.7.1)

Updates `tsx` from 4.22.3 to 4.22.4
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.22.3...v4.22.4)

Updates `@astrojs/starlight` from 0.39.2 to 0.40.0
- [Release notes](https://github.com/withastro/starlight/releases)
- [Changelog](https://github.com/withastro/starlight/blob/main/packages/starlight/CHANGELOG.md)
- [Commits](https://github.com/withastro/starlight/commits/@astrojs/starlight@0.40.0/packages/starlight)

Updates `astro` from 6.3.7 to 6.4.8
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/astro@6.4.8/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.4.8/packages/astro)

Updates `sharp` from 0.34.5 to 0.35.2
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.34.5...v0.35.2)

Updates `@playwright/test` from 1.60.0 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.60.0...v1.61.0)

Updates `@tanstack/react-query` from 5.100.14 to 5.101.0
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.0/packages/react-query)

Updates `@tanstack/react-router` from 1.170.8 to 1.170.16
- [Release notes](https://github.com/TanStack/router/releases)
- [Changelog](https://github.com/TanStack/router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/TanStack/router/commits/@tanstack/react-router@1.170.16/packages/react-router)

Updates `@xyflow/react` from 12.10.2 to 12.11.0
- [Release notes](https://github.com/xyflow/xyflow/releases)
- [Changelog](https://github.com/xyflow/xyflow/blob/main/packages/react/CHANGELOG.md)
- [Commits](https://github.com/xyflow/xyflow/commits/@xyflow/react@12.11.0/packages/react)

Updates `lucide-react` from 1.16.0 to 1.21.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.21.0/packages/lucide-react)

Updates `react` from 19.2.6 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `@types/react` from 19.2.15 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.2.6 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `@tailwindcss/postcss` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-postcss)

Updates `@tanstack/router-plugin` from 1.168.11 to 1.168.18
- [Release notes](https://github.com/TanStack/router/releases)
- [Changelog](https://github.com/TanStack/router/blob/main/packages/router-plugin/CHANGELOG.md)
- [Commits](https://github.com/TanStack/router/commits/@tanstack/router-plugin@1.168.18/packages/router-plugin)

Updates `@types/react` from 19.2.15 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `tailwindcss` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss)

Updates `vite` from 8.0.14 to 8.0.16
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

Updates `bullmq` from 5.77.2 to 5.79.1
- [Release notes](https://github.com/taskforcesh/bullmq/releases)
- [Commits](taskforcesh/bullmq@v5.77.2...v5.79.1)

Updates `ioredis` from 5.10.1 to 5.11.1
- [Release notes](https://github.com/luin/ioredis/releases)
- [Changelog](https://github.com/redis/ioredis/blob/main/CHANGELOG.md)
- [Commits](redis/ioredis@v5.10.1...v5.11.1)

Updates `@langchain/anthropic` from 1.4.0 to 1.5.0
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/anthropic@1.4.0...@langchain/anthropic@1.5.0)

Updates `isomorphic-git` from 1.38.1 to 1.38.5
- [Release notes](https://github.com/isomorphic-git/isomorphic-git/releases)
- [Commits](isomorphic-git/isomorphic-git@v1.38.1...v1.38.5)

Updates `langchain` from 1.4.0 to 1.5.0
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/aws@1.4.0...langchain@1.5.0)

Updates `@radix-ui/react-label` from 2.1.8 to 2.1.10
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/label/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/label)

Updates `@radix-ui/react-separator` from 1.1.8 to 1.1.10
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/separator/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/separator)

Updates `@radix-ui/react-slot` from 1.2.4 to 1.3.0
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slot/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slot)

Updates `@radix-ui/react-tooltip` from 1.2.8 to 1.2.10
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tooltip/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tooltip)

Updates `date-fns` from 4.3.0 to 4.4.0
- [Release notes](https://github.com/date-fns/date-fns/releases)
- [Commits](date-fns/date-fns@v4.3.0...v4.4.0)

Updates `radix-ui` from 1.4.3 to 1.6.0
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/radix-ui/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/radix-ui)

---
updated-dependencies:
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: turbo
  dependency-version: 2.9.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@langchain/core"
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@langchain/openai"
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: better-auth
  dependency-version: 1.6.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: deepagents
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: hono
  dependency-version: 4.12.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: mongodb
  dependency-version: 7.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: mongoose
  dependency-version: 9.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: tsx
  dependency-version: 4.22.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@astrojs/starlight"
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: astro
  dependency-version: 6.4.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: sharp
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@playwright/test"
  dependency-version: 1.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-router"
  dependency-version: 1.170.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@xyflow/react"
  dependency-version: 12.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: lucide-react
  dependency-version: 1.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/router-plugin"
  dependency-version: 1.168.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: bullmq
  dependency-version: 5.79.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: ioredis
  dependency-version: 5.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@langchain/anthropic"
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: isomorphic-git
  dependency-version: 1.38.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: langchain
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-label"
  dependency-version: 2.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-separator"
  dependency-version: 1.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-tooltip"
  dependency-version: 1.2.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: date-fns
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: radix-ui
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security review completed for the changed files (package.json files and pnpm-lock.yaml). I found no concrete issues introduced by this PR.

Checked against the requested surfaces:

  • MCP endpoint auth: no MCP route or handler code changed; dependency resolution keeps the existing MCP packages and updates Hono to 4.12.26.
  • Query execution sandboxing: no execute_query, DuckDB, semantic model, timeout, or result-limit code changed.
  • Admin auth (Better Auth): better-auth is bumped from 1.6.11 to 1.6.20; no session-secret, CSRF, or cookie-configuration code changed.
  • API input validation: no Hono route handler or Zod schema code changed.
  • Environment secrets: no .env.local, secret literals, logging, or response-shaping code changed.
  • Dependency exposure: no new direct dependencies were added. I ran pnpm audit / pnpm audit --prod on the PR head and compared with the base commit; the PR reduces the full audit count from 29 to 15 and the production audit count from 28 to 15. Remaining advisories are pre-existing carryovers rather than new exposure from this diff.
Open in Web View Automation 

Sent by Cursor Automation: archmax Security Review

@github-actions

Copy link
Copy Markdown

Docker image ready

docker pull ghcr.io/archmaxai/archmax:pr-74

@tobias-gp tobias-gp merged commit ffe1a0a into main Jun 28, 2026
6 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/minor-and-patch-153a7e9462 branch June 28, 2026 12:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant