chore(deps): bump the production-dependencies group across 1 directory with 4 updates

[dependabot]

Bumps the production-dependencies group with 4 updates in the / directory: @sentry/node, groq-sdk, posthog-node and yaml.

Updates @sentry/node from 10.52.0 to 10.53.0

Release notes

Sourced from @​sentry/node's releases.

10.53.0

Important Changes

• feat(core): Add streamGenAiSpans options to stream gen_ai spans (#20785)

  Adds a new streamGenAiSpans option that controls how gen_ai spans are sent to Sentry. When set, the SDK extracts all gen_ai spans out of a transaction and sends them as v2 envelope items.

  Enable this option if gen_ai spans are being dropped because the transaction payload exceeds size limits.

  Sentry.init({
    dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0',
    streamGenAiSpans: true,
  });

Other Changes

• feat(browser): Migrate browser profiling thread data to span attributes (#20800)
• feat(core): Add addConsoleInstrumentationFilter utility (#20790)
• feat(core): Add applicationKey to BuildTimeOptionsBase (#20789)
• feat(core): split exports by browser/server for bundle size (#20435)
• feat(nextjs): Add top-level applicationKey option (#20794)
• feat(node): Support Node 26 (#20710)
• feat(profiling-node): Bump @sentry-internal/node-cpu-profiler to 2.4.0 (#20720)
• fix(cloudflare): avoid flush lock self-wait (#20719)
• fix(hono): Capture transaction name on request for correct culprit (#20801)
• fix(mcp): retroactively wrap handlers registered before wrapMcpServerWithSentry (#20699)
• fix(node-core): Guard against undefined util.getSystemErrorMap (#20660)
• fix(replay): Capture aborted/errored fetch requests in replay network tab (#20722)

• chore: bump replay dependencies (#20746)
• chore: Typo intergation -> integration (#20799)
• chore(deps): Bump @​babel/plugin-transform-modules-systemjs from 7.24.1 to 7.29.4 (#20773)
• chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/test-applications/nextjs-15 (#20818)
• chore(deps): Bump next from 16.2.4 to 16.2.6 in /dev-packages/e2e-tests/test-applications/nextjs-16-streaming (#20811)
• chore(deps): Bump rollup from 4.59.0 to 4.60.3 (#20716)
• ci: Ensure PR reminder workflow considers new sub teams (#20814)
• ci: Remove codecov reporting (#20803)
• feat(deps): Bump bundler plugins to 5.3.0 (#20820)
• feat(deps): Bump fast-uri from 3.0.6 to 3.1.2 (#20774)
• feat(deps): Bump hono from 4.12.16 to 4.12.18 (#20777)
• test(cloudflare-hono): fix 'occured' -> 'occurred' typo in error log (#20783)
• test(deps): Bump hono from 4.12.14 to 4.12.16 (#20712)
• test(deps): Bump hono from 4.12.14 to 4.12.18 in /dev-packages/e2e-tests/test-applications/cloudflare-hono (#20776)

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.53.0

Important Changes

• feat(core): Add streamGenAiSpans options to stream gen_ai spans (#20785)

  Adds a new streamGenAiSpans option that controls how gen_ai spans are sent to Sentry. When set, the SDK extracts all gen_ai spans out of a transaction and sends them as v2 envelope items.

  Enable this option if gen_ai spans are being dropped because the transaction payload exceeds size limits.

  Sentry.init({
    dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0',
    streamGenAiSpans: true,
  });

Other Changes

• feat(browser): Migrate browser profiling thread data to span attributes (#20800)
• feat(core): Add addConsoleInstrumentationFilter utility (#20790)
• feat(core): Add applicationKey to BuildTimeOptionsBase (#20789)
• feat(core): split exports by browser/server for bundle size (#20435)
• feat(nextjs): Add top-level applicationKey option (#20794)
• feat(node): Support Node 26 (#20710)
• feat(profiling-node): Bump @sentry-internal/node-cpu-profiler to 2.4.0 (#20720)
• fix(cloudflare): avoid flush lock self-wait (#20719)
• fix(hono): Capture transaction name on request for correct culprit (#20801)
• fix(mcp): retroactively wrap handlers registered before wrapMcpServerWithSentry (#20699)
• fix(node-core): Guard against undefined util.getSystemErrorMap (#20660)
• fix(replay): Capture aborted/errored fetch requests in replay network tab (#20722)

• chore: bump replay dependencies (#20746)
• chore: Typo intergation -> integration (#20799)
• chore(deps): Bump @​babel/plugin-transform-modules-systemjs from 7.24.1 to 7.29.4 (#20773)
• chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/test-applications/nextjs-15 (#20818)
• chore(deps): Bump next from 16.2.4 to 16.2.6 in /dev-packages/e2e-tests/test-applications/nextjs-16-streaming (#20811)
• chore(deps): Bump rollup from 4.59.0 to 4.60.3 (#20716)
• ci: Ensure PR reminder workflow considers new sub teams (#20814)
• ci: Remove codecov reporting (#20803)
• feat(deps): Bump bundler plugins to 5.3.0 (#20820)
• feat(deps): Bump fast-uri from 3.0.6 to 3.1.2 (#20774)
• feat(deps): Bump hono from 4.12.16 to 4.12.18 (#20777)
• test(cloudflare-hono): fix 'occured' -> 'occurred' typo in error log (#20783)
• test(deps): Bump hono from 4.12.14 to 4.12.16 (#20712)

... (truncated)

Commits

• 05489b8 release: 10.53.0
• 2e95132 Merge pull request #20822 from getsentry/prepare-release/10.53.0
• e01d66c meta(changelog): Update changelog for 10.53.0
• a93d32f feat(deps): Bump bundler plugins to 5.3.0 (#20820)
• 9f99463 feat(browser): Migrate browser profiling thread data to span attributes (#20800)
• 0411061 chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/tes...
• ca96884 chore(deps): Bump @​babel/plugin-transform-modules-systemjs from 7.24.1 to 7.2...
• e932256 feat(deps): Bump fast-uri from 3.0.6 to 3.1.2 (#20774)
• ebec4e9 test(deps): Bump hono from 4.12.14 to 4.12.18 in /dev-packages/e2e-tests/test...
• 6be4955 chore(deps): Bump next from 16.2.4 to 16.2.6 in /dev-packages/e2e-tests/test-...
• Additional commits viewable in compare view

Updates groq-sdk from 1.1.2 to 1.2.0

Release notes

Sourced from groq-sdk's releases.

v1.2.0

1.2.0 (2026-05-08)

Full Changelog: v1.1.2...v1.2.0

Features

• support setting headers via env (4141bb0)

Bug Fixes

• ci: set NODE_AUTH_TOKEN for npm OIDC trusted publisher auth (#259) (67f676b)

Chores

• format: run eslint and prettier separately (32c1a70)
• internal: codegen related update (f4bca6a)
• internal: codegen related update (22ebc5e)
• internal: codegen related update (da82d5d)
• internal: codegen related update (d8648d9)
• internal: more robust bootstrap script (991fe2c)
• internal: update multipart form array serialization (d0681d2)
• redact api-key headers in debug logs (3640895)
• tests: bump steady to v0.20.1 (4f47a2d)
• tests: bump steady to v0.20.2 (ceeeeea)
• tests: bump steady to v0.22.1 (59eabab)

Documentation

• improve examples (d8f62df)

Changelog

Sourced from groq-sdk's changelog.

1.2.0 (2026-05-08)

Full Changelog: v1.1.2...v1.2.0

Features

• support setting headers via env (4141bb0)

Bug Fixes

• ci: set NODE_AUTH_TOKEN for npm OIDC trusted publisher auth (#259) (67f676b)

Chores

• format: run eslint and prettier separately (32c1a70)
• internal: codegen related update (f4bca6a)
• internal: codegen related update (22ebc5e)
• internal: codegen related update (da82d5d)
• internal: codegen related update (d8648d9)
• internal: more robust bootstrap script (991fe2c)
• internal: update multipart form array serialization (d0681d2)
• redact api-key headers in debug logs (3640895)
• tests: bump steady to v0.20.1 (4f47a2d)
• tests: bump steady to v0.20.2 (ceeeeea)
• tests: bump steady to v0.22.1 (59eabab)

Documentation

• improve examples (d8f62df)

Commits

• 90d2938 release: 1.2.0 (#260)
• 67f676b fix(ci): set NODE_AUTH_TOKEN for npm OIDC trusted publisher auth (#259)
• See full diff in compare view

Updates posthog-node from 5.33.4 to 5.34.0

Release notes

Sourced from posthog-node's releases.

posthog-node@5.34.0

5.34.0

Minor Changes

• #3599 ad60818 Thanks @​turnipdabeets! - Expose UUID and cookie helpers from @posthog/core and posthog-node for users managing distinct_id outside the browser SDK (e.g. Lambda functions handing out cross-domain redirects). The helpers were already implemented in @posthog/next — this change lifts them to core so all SDKs can re-use them. @posthog/next now re-exports the same surface from @posthog/core to keep existing consumers working without churn. Closes #2143. (2026-05-12)

Patch Changes

• Updated dependencies [ad60818]:
  • @​posthog/core@​1.29.0

posthog-node@5.33.7

5.33.7

Patch Changes

• Updated dependencies [223d925]:
  • @​posthog/core@​1.28.7

posthog-node@5.33.6

5.33.6

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.28.6

posthog-node@5.33.5

5.33.5

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.28.5

Changelog

Sourced from posthog-node's changelog.

5.34.0

Minor Changes

• #3599 ad60818 Thanks @​turnipdabeets! - Expose UUID and cookie helpers from @posthog/core and posthog-node for users managing distinct_id outside the browser SDK (e.g. Lambda functions handing out cross-domain redirects). The helpers were already implemented in @posthog/next — this change lifts them to core so all SDKs can re-use them. @posthog/next now re-exports the same surface from @posthog/core to keep existing consumers working without churn. Closes #2143. (2026-05-12)

Patch Changes

• Updated dependencies [ad60818]:
  • @​posthog/core@​1.29.0

5.33.7

Patch Changes

• Updated dependencies [223d925]:
  • @​posthog/core@​1.28.7

5.33.6

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.28.6

5.33.5

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.28.5

Commits

• 417765c chore: update versions and lockfile [version bump]
• 4a4cf7e Revert reference files changes (#3601)
• ad60818 feat(node): expose UUID v7 and cookie helpers (#3599)
• 04e168f chore: update versions and lockfile [version bump]
• 5efb512 chore: update versions and lockfile [version bump]
• a417a52 chore: update versions and lockfile [version bump]
• See full diff in compare view

Updates yaml from 2.8.4 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• See full diff in compare view

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.