Skip to content

chore(deps)(deps): bump the minor-and-patch group across 1 directory with 32 updates#80

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/minor-and-patch-d5ca8ef942
Open

chore(deps)(deps): bump the minor-and-patch group across 1 directory with 32 updates#80
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/minor-and-patch-d5ca8ef942

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the minor-and-patch group with 32 updates in the / directory:

Package From To
turbo 2.9.18 2.10.3
@hono/node-server 2.0.5 2.0.8
@langchain/core 1.2.0 1.2.1
@langchain/openai 1.5.1 1.5.3
better-auth 1.6.20 1.6.23
hono 4.12.26 4.12.27
mongodb 7.3.0 7.4.0
mongoose 9.7.1 9.7.3
tsx 4.22.4 4.23.0
@astrojs/starlight 0.40.0 0.41.3
sharp 0.35.2 0.35.3
starlight-image-zoom 0.14.2 0.15.0
@playwright/test 1.61.0 1.61.1
@tanstack/react-query 5.101.0 5.101.2
@tanstack/react-router 1.170.16 1.170.17
@xyflow/react 12.11.0 12.11.1
lucide-react 1.21.0 1.23.0
recharts 3.8.1 3.9.2
@tailwindcss/postcss 4.3.1 4.3.2
@tanstack/router-plugin 1.168.18 1.168.19
@vitejs/plugin-react 6.0.2 6.0.3
postcss 8.5.15 8.5.16
tailwindcss 4.3.1 4.3.2
vite 8.0.16 8.1.3
bullmq 5.79.1 5.79.2
@langchain/anthropic 1.5.0 1.5.1
isomorphic-git 1.38.5 1.38.6
langchain 1.5.0 1.5.2
@radix-ui/react-label 2.1.10 2.1.11
@radix-ui/react-separator 1.1.10 1.1.11
@radix-ui/react-tooltip 1.2.10 1.2.11
radix-ui 1.6.0 1.6.1

Updates turbo from 2.9.18 to 2.10.3

Release notes

Sourced from turbo's releases.

Turborepo v2.10.3

What's Changed

Changelog

... (truncated)

Commits
  • 9980449 publish 2.10.3 to registry
  • bc32fcc fix: Correct gitignore precedence in untracked walk and memoize matcher chain...
  • dccab93 fix: Harden TUI terminal restore during shutdown (#13220)
  • 65efe27 fix: Remove devtools feature flag (#13219)
  • c2115dc refactor: Use upstream libghostty-vt crates instead of vendored bindings (#13...
  • c3c91ab fix: Include untracked symlinks in repo-index dirty hash (#13218)
  • b521d32 perf: Derive dirty hash from repo index (#13213)
  • 28d1871 perf: Replace per-package graph traversals in scope filtering (#13212)
  • 148b1dd perf: Cache env wildcard matches across tasks during hashing (#13210)
  • 61d6013 feat: Automatically copy TUI selection to clipboard on mouse release (#13208)
  • Additional commits viewable in compare view

Updates @hono/node-server from 2.0.5 to 2.0.8

Release notes

Sourced from @​hono/node-server's releases.

v2.0.8

What's Changed

Full Changelog: honojs/node-server@v2.0.7...v2.0.8

v2.0.7

What's Changed

Full Changelog: honojs/node-server@v2.0.6...v2.0.7

v2.0.6

What's Changed

Full Changelog: honojs/node-server@v2.0.5...v2.0.6

Commits
  • 114c15e 2.0.8
  • 5db2d5d ci(release): add --no-git-checks option for pnpm stage publish (#369)
  • a528a77 2.0.7
  • b2d610c chore: bump supertest (#368)
  • 1b0040a fix(serve-static): serve precompressed files for application/octet-stream (#366)
  • ad5b13a chore: migrate to pnpm (#367)
  • ff75c61 2.0.6
  • 814720f fix: preserve status and statusText when cloning a Response with live headers...
  • a76209a ci: use npm Staged publishing (#364)
  • 44c365a ci: publish to npm from CI with OIDC trusted publishing and bump np (#361)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​hono/node-server since your current version.


Updates @langchain/core from 1.2.0 to 1.2.1

Release notes

Sourced from @​langchain/core's releases.

@​langchain/core@​1.2.1

Patch Changes

  • #10674 f017708 Thanks @​christian-bromann! - fix: classify provider 429s before retrying

  • #11092 7918bbd Thanks @​aolsenjazz! - fix(core): only treat arrays of content blocks as ToolMessage content

    Fix tool outputs that are arrays of plain objects being forwarded as malformed message content. An array is now only treated as message content blocks when every element is an object with a type; otherwise it is JSON-stringified.

Commits
  • 1ee0df0 chore: version packages (#11097)
  • f017708 fix(core): better 429 error handling (#10674)
  • 05936ab fix(openai): omit empty reasoning item id in Responses API input (#11045)
  • 798cb70 fix(openai): route standard url file blocks to native input_file in Responses...
  • 80c790b fix(openai): stream built-in tool progress events (#11090)
  • d2e6afc fix(groq): require @​langchain/core >= 1.1.30 in peer dependency (#11072)
  • c66870e feat(weaviate): add X-Weaviate-Client-Integration telemetry header (#11088)
  • baa57ba fix(anthropic): omit default disabled thinking from requests (#11073)
  • 04edb8d docs(ibm): fix "Recieved" typo in tool_choice error message (#11066)
  • 2b7f368 chore(deps): bump uuid from 14.0.0 to 14.0.1 (#11094)
  • Additional commits viewable in compare view

Updates @langchain/openai from 1.5.1 to 1.5.3

Release notes

Sourced from @​langchain/openai's releases.

@​langchain/openai@​1.5.3

Patch Changes

@​langchain/openai@​1.5.2

Patch Changes

  • #11045 05936ab Thanks @​jackjin1997! - fix(openai): omit empty id and content on reasoning items in Responses API input

    Reasoning blocks reassembled from streaming chunks (e.g. via streamEvents) never carry an id, since OpenAI's streaming protocol only includes it in non-streaming responses. When such a message was replayed as Responses API input on the next turn, the reasoning item was emitted with id: "", which OpenAI rejects with 400 Invalid 'input[n].id': ''. The id field is now omitted when absent.

    A second error surfaced immediately after that fix: the same converter set a populated content array on the reasoning input item, which the Responses API also rejects (400 Invalid 'input[n].content': array too long. Expected an array with maximum length 0). Reasoning input items only carry summary, so content is no longer forwarded. Thanks to @​csrujanreddy for catching the second issue and verifying both fixes against the live API.

  • #11065 798cb70 Thanks @​rxits! - fix(openai): route standard url file blocks to native input_file in Responses API

  • #11090 80c790b Thanks @​nikhilpakhloo! - fix(openai): stream built-in tool progress events

Commits
  • f1d64ff chore: version packages (#11101)
  • 72ffc4b fix(aws): add Bedrock stream idle timeout (#11098)
  • 3205b35 fix(langchain, openai): decouple strict tools from strict structured output r...
  • 1ee0df0 chore: version packages (#11097)
  • f017708 fix(core): better 429 error handling (#10674)
  • 05936ab fix(openai): omit empty reasoning item id in Responses API input (#11045)
  • 798cb70 fix(openai): route standard url file blocks to native input_file in Responses...
  • 80c790b fix(openai): stream built-in tool progress events (#11090)
  • d2e6afc fix(groq): require @​langchain/core >= 1.1.30 in peer dependency (#11072)
  • c66870e feat(weaviate): add X-Weaviate-Client-Integration telemetry header (#11088)
  • Additional commits viewable in compare view

Updates better-auth from 1.6.20 to 1.6.23

Release notes

Sourced from better-auth's releases.

v1.6.23

better-auth

Features

  • Added Yandex as a social OAuth provider (#9138)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed affected row counting for D1 and postgres-js adapters (#10257)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed string default values not being properly escaped in the generated Drizzle schema (#10259)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​vladflotsky

Full changelog: v1.6.22...v1.6.23

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.23

Patch Changes

  • #9138 8581f97 Thanks @​vladflotsky! - Add a pre-configured Yandex provider helper for the generic OAuth plugin.

  • Updated dependencies [930b260]:

    • @​better-auth/drizzle-adapter@​1.6.23
    • @​better-auth/core@​1.6.23
    • @​better-auth/kysely-adapter@​1.6.23
    • @​better-auth/memory-adapter@​1.6.23
    • @​better-auth/mongo-adapter@​1.6.23
    • @​better-auth/prisma-adapter@​1.6.23
    • @​better-auth/telemetry@​1.6.23

1.6.22

Patch Changes

  • #10239 c06a56d Thanks @​gustavovalverde! - Magic-link and email-OTP sign-in now reset the credentials on an account whose email had never been confirmed. When verification resolves to such an account, any existing password on it is removed and its sessions are revoked before the user is signed in, so proven control of the mailbox is the source of truth for the account.

    If you signed up with email and password but first signed in through a magic link or email OTP rather than confirming the verification email, your password is cleared and you will need to set a new one through password reset.

  • #10240 3a035e9 Thanks @​gustavovalverde! - Add account-level lockout for two-factor verification. The attempt limit applies per account across sign-in challenges and across factors: TOTP, email-OTP, and backup codes share one counter, and a successful verification resets it.

    Enabled by default: an account locks for 15 minutes after 10 consecutive failed verifications, and locked attempts return 429 with the ACCOUNT_TEMPORARILY_LOCKED error code. Configure it with twoFactor({ accountLockout: { enabled, maxFailedAttempts, durationSeconds } }).

    Run a database migration after upgrading: this adds failedVerificationCount and lockedUntil columns to the twoFactor table.

  • Updated dependencies [8bd43d9]:

    • @​better-auth/core@​1.6.22
    • @​better-auth/drizzle-adapter@​1.6.22
    • @​better-auth/kysely-adapter@​1.6.22
    • @​better-auth/memory-adapter@​1.6.22
    • @​better-auth/mongo-adapter@​1.6.22
    • @​better-auth/prisma-adapter@​1.6.22
    • @​better-auth/telemetry@​1.6.22

1.6.21

Patch Changes

  • #10212 e0762a1 Thanks @​bytaesu! - In root-mounted deployments, requests whose path does not start with the configured basePath now return 404 instead of resolving to an endpoint.

  • #10187 882cf9e Thanks @​ping-maxwell! - Admin permission changes and bans now take effect immediately for admin APIs, even when session cookie cache is enabled. Sensitive session checks also continue to work in stateless apps where signed cookies are the session record.

  • #9939 f52e1ab Thanks @​benpsnyder! - fixes a bug causing deviceAuthorization() throwing a ZodError at construction when called without a schema option

  • #10196 b5bec19 Thanks @​Paola3stefania! - OAuth sign-up and account-link profile sync now ignore provider profile values for user fields marked input: false. Input-allowed additional fields still persist from mapProfileToUser, and schema defaults still apply when OAuth creates a user. Apps that used mapProfileToUser to fill input: false fields should set those fields in server-side provisioning code instead.

... (truncated)

Commits

Updates hono from 4.12.26 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

Commits

Updates mongodb from 7.3.0 to 7.4.0

Release notes

Sourced from mongodb's releases.

v7.4.0

7.4.0 (2026-06-25)

The MongoDB Node.js team is pleased to announce version 7.4.0 of the mongodb package!

Release Notes

Explicit resource management is now stable

The Symbol.asyncDispose methods on MongoClient, ClientSession, ChangeStream, and cursors enable await using for automatic cleanup. These methods were introduced as experimental in v6.9.0. Since then, TC39 Explicit Resource Management proposal reached Stage 4 in 2025, and Node.js enabled explicit resource management as a stable feature in Node.js 24, so the experimental flags have been removed from our APIs and the APIs are now officially supported.

afterClusterTime now sent on writes in causally-consistent sessions

When a session has causal consistency enabled, write operations now include readConcern.afterClusterTime, matching the existing read behavior. This maintains the "read your own writes" guarantee across primary failovers in shareded clusters. There are no API changes.

Features

  • NODE-7634: remove experimental tag from async dispose methods (#4976) (43ce3eb)
  • NODE-7549: send afterClusterTime on writes in causally-consistent sessions (#4963) (3abfd26)

Documentation

We invite you to try the mongodb library immediately, and report any issues to the NODE project.

Changelog

Sourced from mongodb's changelog.

7.4.0 (2026-06-25)

Features

  • NODE-7634: remove experimental tag from async dispose methods (#4976) (43ce3eb)
  • NODE-7549: send afterClusterTime on writes in causally-consistent sessions (#4963) (3abfd26)
Commits
  • 1c4333e chore(main): release 7.4.0 (#4974)
  • 43ce3eb feat(NODE-7634): remove experimental tag from async dispose methods (#4976)
  • 3abfd26 fix(NODE-7549): send afterClusterTime on writes in causally-consistent sessio...
  • 88ec159 chore(NODE-7418): skip csot tests on latest (#4969)
  • 1f5ac37 chore(NODE-7473): upgrade to chai 5 (#4958)
  • b17288c chore: skip csfle tests and fix related broken tests (#4965)
  • 5b401aa test(NODE-7493): enable source maps and add nyc-free debug scripts (#4947)
  • 3ba2dd2 docs: clarify release notes verification steps (#4960)
  • 0a434d3 docs: add 7.3 docs (#4959)
  • See full diff in compare view

Updates mongoose from 9.7.1 to 9.7.3

Release notes

Sourced from mongoose's releases.

9.7.3 / 2026-06-26

  • types(model): correct Model.validate() return type to Promise #16340 #16338
  • types: use @​standard-schema/spec for StandardSchema types rather than inlining #16341 #16339

9.7.2 / 2026-06-22

  • fix(documentarray): reindex subdocs after array reordering and removal so subsequent nested changes save using the correct path #16282 AbdelrahmanHafez
  • fix(document): avoid accessing special properties in Document.prototype.get()
  • fix(schema): only return own properties in schematype lookups and disallow setting schema paths under special properties
  • docs: update homepage sponsor layout
Changelog

Sourced from mongoose's changelog.

9.7.3 / 2026-06-26

  • types(model): correct Model.validate() return type to Promise #16340 #16338
  • types: use @​standard-schema/spec for StandardSchema types rather than inlining #16341 #16339

9.7.2 / 2026-06-22

  • fix(documentarray): reindex subdocs after array reordering and removal so subsequent nested changes save using the correct path #16282 AbdelrahmanHafez
  • fix(document): avoid accessing special properties in Document.prototype.get()
  • fix(schema): only return own properties in schematype lookups and disallow setting schema paths under special properties
  • docs: update homepage sponsor layout
Commits
  • df72bff chore: release 9.7.3
  • 97f0f36 Merge pull request #16341 from Automattic/vkarpov15/gh-16339
  • aa58b76 types: use @​standard-schema/spec for StandardSchema types rather than inlining
  • 0734de7 fix(types): correct Model.validate() return type to Promise<TRawDocType> (#16...
  • 87ade9b chore: release 9.7.2
  • 4e12786 Merge branch 'vkarpov15/fix-security-20260609-master'
  • b3dd12a docs: flex wrap for major sponsors
  • d48fee3 fix(documentarray): reindex subdocs after reordering (#16282)
  • 3e0e079 fix(types): correct Model.validate() return type to Promise<TRawDocType>
  • 03bedea docs: add mongodb as sponsor on homepage
  • Additional commits viewable in compare view

Updates tsx from 4.22.4 to 4.23.0

Release notes

Sourced from tsx's releases.

v4.23.0

4.23.0 (2026-07-03)

Bug Fixes

Features


This release is also available on:

v4.22.5

4.22.5 (2026-07-02)

Bug Fixes

  • isolate hook state per async module.register() registration (a305f36)

This release is also available on:

Commits
  • 1dfad37 docs: cite esbuild's extension-resolution model in node notes
  • 257bbbb fix: avoid redundant filesystem probes during module resolution
  • c178197 feat: add multi-scenario startup benchmark suite
  • 51800ac docs: add Node internals knowledge base (notes/node)
  • a305f36 fix: isolate hook state per async module.register() registration
  • ca501a9 chore: upgrade skills-npm to v1.2.0
  • 596cd1f test: cover __dirname, __filename, & require.cache in CJS TS file
  • 75d9bf0 test: lock in lenient ESM for ambiguous and CJS-typed packages
  • 1472f3e test: cover ESM-syntax dependency with omitted "type" field
  • See full diff in compare view

Updates @astrojs/starlight from 0.40.0 to 0.41.3

Release notes

Sourced from @​astrojs/starlight's releases.

@​astrojs/starlight@​0.41.3

Patch Changes

  • #3911 1686ecc Thanks @​timothyjordan! - Keeps keyboard focus inside the mobile menu while it is open, preventing focus moving to hidden interactive elements in page content.

@​astrojs/starlight@​0.41.2

Patch Changes

  • #4008 58a3520 Thanks @​FrancoKaddour! - Fixes the table of contents overflowing the right edge of the viewport when a custom --sl-content-width value exceeds available space

  • #4015 bdbfffc Thanks @​delucis! - Fixes an issue where aside icons were rendered incorrectly in projects where Astro’s MDX integration had optimization disabled

@​astrojs/starlight@​0.41.1

Patch Changes

…with 32 updates

Bumps the minor-and-patch group with 32 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [turbo](https://github.com/vercel/turborepo) | `2.9.18` | `2.10.3` |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.5` | `2.0.8` |
| [@langchain/core](https://github.com/langchain-ai/langchainjs) | `1.2.0` | `1.2.1` |
| [@langchain/openai](https://github.com/langchain-ai/langchainjs) | `1.5.1` | `1.5.3` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.20` | `1.6.23` |
| [hono](https://github.com/honojs/hono) | `4.12.26` | `4.12.27` |
| [mongodb](https://github.com/mongodb/node-mongodb-native) | `7.3.0` | `7.4.0` |
| [mongoose](https://github.com/Automattic/mongoose) | `9.7.1` | `9.7.3` |
| [tsx](https://github.com/privatenumber/tsx) | `4.22.4` | `4.23.0` |
| [@astrojs/starlight](https://github.com/withastro/starlight/tree/HEAD/packages/starlight) | `0.40.0` | `0.41.3` |
| [sharp](https://github.com/lovell/sharp) | `0.35.2` | `0.35.3` |
| [starlight-image-zoom](https://github.com/HiDeoo/starlight-image-zoom/tree/HEAD/packages/starlight-image-zoom) | `0.14.2` | `0.15.0` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.61.0` | `1.61.1` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.101.0` | `5.101.2` |
| [@tanstack/react-router](https://github.com/TanStack/router/tree/HEAD/packages/react-router) | `1.170.16` | `1.170.17` |
| [@xyflow/react](https://github.com/xyflow/xyflow/tree/HEAD/packages/react) | `12.11.0` | `12.11.1` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.21.0` | `1.23.0` |
| [recharts](https://github.com/recharts/recharts) | `3.8.1` | `3.9.2` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.3.1` | `4.3.2` |
| [@tanstack/router-plugin](https://github.com/TanStack/router/tree/HEAD/packages/router-plugin) | `1.168.18` | `1.168.19` |
| [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) | `6.0.2` | `6.0.3` |
| [postcss](https://github.com/postcss/postcss) | `8.5.15` | `8.5.16` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.1` | `4.3.2` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.16` | `8.1.3` |
| [bullmq](https://github.com/taskforcesh/bullmq) | `5.79.1` | `5.79.2` |
| [@langchain/anthropic](https://github.com/langchain-ai/langchainjs) | `1.5.0` | `1.5.1` |
| [isomorphic-git](https://github.com/isomorphic-git/isomorphic-git) | `1.38.5` | `1.38.6` |
| [langchain](https://github.com/langchain-ai/langchainjs) | `1.5.0` | `1.5.2` |
| [@radix-ui/react-label](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/label) | `2.1.10` | `2.1.11` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/separator) | `1.1.10` | `1.1.11` |
| [@radix-ui/react-tooltip](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tooltip) | `1.2.10` | `1.2.11` |
| [radix-ui](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/radix-ui) | `1.6.0` | `1.6.1` |



Updates `turbo` from 2.9.18 to 2.10.3
- [Release notes](https://github.com/vercel/turborepo/releases)
- [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md)
- [Commits](vercel/turborepo@v2.9.18...v2.10.3)

Updates `@hono/node-server` from 2.0.5 to 2.0.8
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.5...v2.0.8)

Updates `@langchain/core` from 1.2.0 to 1.2.1
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/core@1.2.0...@langchain/core@1.2.1)

Updates `@langchain/openai` from 1.5.1 to 1.5.3
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/openai@1.5.1...@langchain/openai@1.5.3)

Updates `better-auth` from 1.6.20 to 1.6.23
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.23/packages/better-auth)

Updates `hono` from 4.12.26 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.26...v4.12.27)

Updates `mongodb` from 7.3.0 to 7.4.0
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/main/HISTORY.md)
- [Commits](mongodb/node-mongodb-native@v7.3.0...v7.4.0)

Updates `mongoose` from 9.7.1 to 9.7.3
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md)
- [Commits](Automattic/mongoose@9.7.1...9.7.3)

Updates `tsx` from 4.22.4 to 4.23.0
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.22.4...v4.23.0)

Updates `@astrojs/starlight` from 0.40.0 to 0.41.3
- [Release notes](https://github.com/withastro/starlight/releases)
- [Changelog](https://github.com/withastro/starlight/blob/main/packages/starlight/CHANGELOG.md)
- [Commits](https://github.com/withastro/starlight/commits/@astrojs/starlight@0.41.3/packages/starlight)

Updates `sharp` from 0.35.2 to 0.35.3
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.35.2...v0.35.3)

Updates `starlight-image-zoom` from 0.14.2 to 0.15.0
- [Release notes](https://github.com/HiDeoo/starlight-image-zoom/releases)
- [Changelog](https://github.com/HiDeoo/starlight-image-zoom/blob/main/packages/starlight-image-zoom/CHANGELOG.md)
- [Commits](https://github.com/HiDeoo/starlight-image-zoom/commits/starlight-image-zoom@0.15.0/packages/starlight-image-zoom)

Updates `@playwright/test` from 1.61.0 to 1.61.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.61.0...v1.61.1)

Updates `@tanstack/react-query` from 5.101.0 to 5.101.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.2/packages/react-query)

Updates `@tanstack/react-router` from 1.170.16 to 1.170.17
- [Release notes](https://github.com/TanStack/router/releases)
- [Changelog](https://github.com/TanStack/router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/TanStack/router/commits/@tanstack/react-router@1.170.17/packages/react-router)

Updates `@xyflow/react` from 12.11.0 to 12.11.1
- [Release notes](https://github.com/xyflow/xyflow/releases)
- [Changelog](https://github.com/xyflow/xyflow/blob/main/packages/react/CHANGELOG.md)
- [Commits](https://github.com/xyflow/xyflow/commits/@xyflow/react@12.11.1/packages/react)

Updates `lucide-react` from 1.21.0 to 1.23.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.23.0/packages/lucide-react)

Updates `recharts` from 3.8.1 to 3.9.2
- [Release notes](https://github.com/recharts/recharts/releases)
- [Changelog](https://github.com/recharts/recharts/blob/main/CHANGELOG.md)
- [Commits](recharts/recharts@v3.8.1...v3.9.2)

Updates `@tailwindcss/postcss` from 4.3.1 to 4.3.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/@tailwindcss-postcss)

Updates `@tanstack/router-plugin` from 1.168.18 to 1.168.19
- [Release notes](https://github.com/TanStack/router/releases)
- [Changelog](https://github.com/TanStack/router/blob/main/packages/router-plugin/CHANGELOG.md)
- [Commits](https://github.com/TanStack/router/commits/@tanstack/router-plugin@1.168.19/packages/router-plugin)

Updates `@vitejs/plugin-react` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/vitejs/vite-plugin-react/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.3/packages/plugin-react)

Updates `postcss` from 8.5.15 to 8.5.16
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.15...8.5.16)

Updates `tailwindcss` from 4.3.1 to 4.3.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/tailwindcss)

Updates `vite` from 8.0.16 to 8.1.3
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite)

Updates `bullmq` from 5.79.1 to 5.79.2
- [Release notes](https://github.com/taskforcesh/bullmq/releases)
- [Commits](taskforcesh/bullmq@v5.79.1...v5.79.2)

Updates `@langchain/anthropic` from 1.5.0 to 1.5.1
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/anthropic@1.5.0...@langchain/anthropic@1.5.1)

Updates `isomorphic-git` from 1.38.5 to 1.38.6
- [Release notes](https://github.com/isomorphic-git/isomorphic-git/releases)
- [Commits](isomorphic-git/isomorphic-git@v1.38.5...v1.38.6)

Updates `langchain` from 1.5.0 to 1.5.2
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/langchain@1.5.0...langchain@1.5.2)

Updates `@radix-ui/react-label` from 2.1.10 to 2.1.11
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/label/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/label)

Updates `@radix-ui/react-separator` from 1.1.10 to 1.1.11
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/separator/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/separator)

Updates `@radix-ui/react-tooltip` from 1.2.10 to 1.2.11
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tooltip/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tooltip)

Updates `radix-ui` from 1.6.0 to 1.6.1
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/radix-ui/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/radix-ui)

---
updated-dependencies:
- dependency-name: turbo
  dependency-version: 2.10.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@langchain/core"
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@langchain/openai"
  dependency-version: 1.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: better-auth
  dependency-version: 1.6.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: mongodb
  dependency-version: 7.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: mongoose
  dependency-version: 9.7.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tsx
  dependency-version: 4.23.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@astrojs/starlight"
  dependency-version: 0.41.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: sharp
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: starlight-image-zoom
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@playwright/test"
  dependency-version: 1.61.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-router"
  dependency-version: 1.170.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@xyflow/react"
  dependency-version: 12.11.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: lucide-react
  dependency-version: 1.23.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: recharts
  dependency-version: 3.9.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/router-plugin"
  dependency-version: 1.168.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@vitejs/plugin-react"
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: postcss
  dependency-version: 8.5.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vite
  dependency-version: 8.1.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: bullmq
  dependency-version: 5.79.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@langchain/anthropic"
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: isomorphic-git
  dependency-version: 1.38.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: langchain
  dependency-version: 1.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-label"
  dependency-version: 2.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-separator"
  dependency-version: 1.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-tooltip"
  dependency-version: 1.2.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: radix-ui
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security review against the requested threat surfaces found no concrete issues in this PR.

Checked:

  • MCP endpoint auth: no MCP route/tool-handler code changed.
  • Query execution sandboxing: no DuckDB/query execution code changed.
  • Admin auth (Better Auth): only better-auth patch bumps; no auth configuration or session/cookie code changed.
  • API input validation: no Hono route handlers or Zod schemas changed.
  • Environment secrets: no env files or hardcoded secret-bearing source files changed.
  • Dependency exposure: direct changes are existing dependency minor/patch bumps only. pnpm audit --prod on the PR head reports the same 15 advisories as the base branch, so this PR does not introduce new known audit findings.
Open in Web View Automation 

Sent by Cursor Automation: archmax Security Review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security review against the requested threat surfaces found no concrete issues in this PR.

Checked:

  • MCP endpoint auth: no MCP route/tool-handler code changed.
  • Query execution sandboxing: no DuckDB/query execution code changed.
  • Admin auth (Better Auth): only better-auth patch bumps; no auth configuration or session/cookie code changed.
  • API input validation: no Hono route handlers or Zod schemas changed.
  • Environment secrets: no env files or hardcoded secret-bearing source files changed.
  • Dependency exposure: direct changes are existing dependency minor/patch bumps only. pnpm audit --prod on the PR head reports the same 15 advisories as the base branch, so this PR does not introduce new known audit findings.
Open in Web View Automation 

Sent by Cursor Automation: archmax Security Review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants