build(deps): bump the production-dependencies group with 6 updates

[dependabot]

Bumps the production-dependencies group with 6 updates:

Package	From	To
@anthropic-ai/sdk	0.65.0	0.105.0
inngest	3.54.2	4.7.0
next	15.5.19	16.2.9
react	19.2.3	19.2.7
react-dom	19.2.3	19.2.7
zod	3.25.76	4.4.3

Updates @anthropic-ai/sdk from 0.65.0 to 0.105.0

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.105.0

0.105.0 (2026-06-18)

Full Changelog: sdk-v0.104.2...sdk-v0.105.0

Features

• api: add support for new code_execution_20260120 tool (8dc2b54)
• stream: lazily parse partial tool json input (#99) (e55ceee)

Chores

• internal/deps: bump swc to 1.15.40 (#97) (a1d4d75)
• internal: use are the types wrong directly (#94) (3d362af)
• tests: stop using deprecated models (#98) (65ae1af)

sdk: v0.104.2

0.104.2 (2026-06-15)

Full Changelog: sdk-v0.104.1...sdk-v0.104.2

Chores

• api: remove retired models from API and SDKs (a942876)

sdk: v0.104.1

0.104.1 (2026-06-09)

Full Changelog: sdk-v0.104.0...sdk-v0.104.1

Bug Fixes

• api: add frontier_llm refusal category (465e686)

sdk: v0.104.0

0.104.0 (2026-06-09)

Full Changelog: sdk-v0.103.0...sdk-v0.104.0

Features

• api: add support for Managed Agents deployments and environment variable credentials (d01e38b)

sdk: v0.103.0

0.103.0 (2026-06-09)

Full Changelog: sdk-v0.102.0...sdk-v0.103.0

Features

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.105.0 (2026-06-18)

Full Changelog: sdk-v0.104.2...sdk-v0.105.0

Features

• api: add support for new code_execution_20260120 tool (8dc2b54)
• stream: lazily parse partial tool json input (#99) (e55ceee)

Chores

• internal/deps: bump swc to 1.15.40 (#97) (a1d4d75)
• internal: use are the types wrong directly (#94) (3d362af)
• tests: stop using deprecated models (#98) (65ae1af)

0.104.2 (2026-06-15)

Full Changelog: sdk-v0.104.1...sdk-v0.104.2

Chores

• api: remove retired models from API and SDKs (a942876)

0.104.1 (2026-06-09)

Full Changelog: sdk-v0.104.0...sdk-v0.104.1

Bug Fixes

• api: add frontier_llm refusal category (465e686)

0.104.0 (2026-06-09)

Full Changelog: sdk-v0.103.0...sdk-v0.104.0

Features

• api: add support for Managed Agents deployments and environment variable credentials (d01e38b)

0.103.0 (2026-06-09)

Full Changelog: sdk-v0.102.0...sdk-v0.103.0

Features

• api: add support for claude-mythos-5 and claude-fable-5, with support for server-side fallbacks on refusal (cc337f7)
• client: adds client-side fallbacks middleware for API providers that do not support server-side fallbacks (cc337f7)
• middleware: add ctx.logger (#55) (edd1454)

... (truncated)

Commits

• ab700dc chore: release main
• a322517 feat(api): add support for new code_execution_20260120 tool
• 65a0106 feat(stream): lazily parse partial tool json input (#99)
• 384ab51 chore(tests): stop using deprecated models (#98)
• a49a191 chore(internal/deps): bump swc to 1.15.40 (#97)
• 7ac63f3 chore(internal): use are the types wrong directly (#94)
• fbee0d1 chore: release main
• e984ba4 chore(api): remove retired models from API and SDKs
• 9a0442d chore: release main
• 1ccd401 fix(api): add frontier_llm refusal category
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​anthropic-ai/sdk since your current version.

Updates inngest from 3.54.2 to 4.7.0

Release notes

Sourced from inngest's releases.

inngest@4.7.0

Minor Changes

• #1577 1bc2ac7c Thanks @​scottnuma! - Add metadata to steps containing LLM calls instrumented with OTel by Langfuse

• #1547 04a79c95 Thanks @​jakobevangelista! - Add sessions to event payloads

Patch Changes

• #1588 50a349b7 Thanks @​rhino1998! - fix(extended traces): Emit extended trace spans parented to the finalized step span

inngest@4.6.0

Minor Changes

• #1567 1c3ad876 Thanks @​Linell! - Deprecate optimizeParallelism: false — use group.parallel({ mode: "race" }) for race semantics instead. Opting out prevents runs from resuming checkpointing after a Promise.all.

• #1568 bd6016c1 Thanks @​scottnuma! - Add metadata to steps containing OTel instrumented LLM calls

Patch Changes

• #1561 ba9874dc Thanks @​rhino1998! - feat(experiments): Rename experiment_name -> experiment in metadata

inngest@4.5.1

Patch Changes

• #1551 0af90c3c Thanks @​rhino1998! - fix: Add step attribution attributes to all extended trace spans

• #1556 5bd87775 Thanks @​Linell! - Update internal tracing values used for identifying checkpointed data.

• #1548 7be1cee3 Thanks @​amh4r! - Fix unnecessary outgoing Durable Endpoint request

• #1511 79558be2 Thanks @​Linell! - Fix duplicate execution when response terminates early

inngest@4.5.0

Minor Changes

• #1522 ebeb4516 Thanks @​Linell! - Bump minimum @opentelemetry/auto-instrumentations-node to 0.75.0 to address GHSA-q7rr-3cgh-j5r3 in the transitive @opentelemetry/sdk-node / @opentelemetry/exporter-prometheus packages.

  Note that upstream auto-instrumentations-node@0.72.0 dropped bundled Fastify, instrumentation, so if you relied on it for tracing your Fastify routes, add @opentelemetry/instrumentation-fastify directly.

Patch Changes

• #1540 10dad398 Thanks @​amh4r! - Fix attempt count not resetting during checkpointing

• #1544 f1ee6f34 Thanks @​jacobheric! - Allow useRealtime to accept direct client subscription tokens from getClientSubscriptionToken() when channel and topics are provided as hook options, and avoid reconnecting solely because an inline token factory or token object gets a new render identity.

... (truncated)

Changelog

Sourced from inngest's changelog.

4.7.0

Minor Changes

• #1577 1bc2ac7c Thanks @​scottnuma! - Add metadata to steps containing LLM calls instrumented with OTel by Langfuse

• #1547 04a79c95 Thanks @​jakobevangelista! - Add sessions to event payloads

Patch Changes

• #1588 50a349b7 Thanks @​rhino1998! - fix(extended traces): Emit extended trace spans parented to the finalized step span

4.6.0

Minor Changes

• #1567 1c3ad876 Thanks @​Linell! - Deprecate optimizeParallelism: false — use group.parallel({ mode: "race" }) for race semantics instead. Opting out prevents runs from resuming checkpointing after a Promise.all.

• #1568 bd6016c1 Thanks @​scottnuma! - Add metadata to steps containing OTel instrumented LLM calls

Patch Changes

• #1561 ba9874dc Thanks @​rhino1998! - feat(experiments): Rename experiment_name -> experiment in metadata

4.5.1

Patch Changes

• #1551 0af90c3c Thanks @​rhino1998! - fix: Add step attribution attributes to all extended trace spans

• #1556 5bd87775 Thanks @​Linell! - Update internal tracing values used for identifying checkpointed data.

• #1548 7be1cee3 Thanks @​amh4r! - Fix unnecessary outgoing Durable Endpoint request

• #1511 79558be2 Thanks @​Linell! - Fix duplicate execution when response terminates early

4.5.0

Minor Changes

• #1522 ebeb4516 Thanks @​Linell! - Bump minimum @opentelemetry/auto-instrumentations-node to 0.75.0 to address GHSA-q7rr-3cgh-j5r3 in the transitive @opentelemetry/sdk-node / @opentelemetry/exporter-prometheus packages.

  Note that upstream auto-instrumentations-node@0.72.0 dropped bundled Fastify, instrumentation, so if you relied on it for tracing your Fastify routes, add @opentelemetry/instrumentation-fastify directly.

Patch Changes

... (truncated)

Commits

• 326fd5d Release @​latest (#1586)
• 04a79c9 Sessions (#1547)
• 50a349b fix(extended traces): Emit extended trace spans parented to the finalized ste...
• 1bc2ac7 Parse langfuse attributes for AI Metadata (EXE-1938) (#1577)
• 16fc3fc Pivot to vitest instead of copying OSS's golden files (EXE-1938) (#1580)
• 5431699 Release @​latest (#1566)
• f39ca24 Fix step metadata tests (#1581)
• 83ed6f7 Create @inngest/otel package (#1573)
• f256221 Skip declaring startings spans when the span processor is not active (EXE-195...
• bd6016c Process AI Metadata from Spans (EXE-1950) (#1568)
• Additional commits viewable in compare view

Updates next from 15.5.19 to 16.2.9

Release notes

Sourced from next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

... (truncated)

Commits

• f37fad9 v16.2.9
• d9aaaed [cd] Allow tagging semver-lower releases as @latest if @latest po… (#94627)
• 6f16804 v16.2.8
• 0dbc1d5 [16.2.x][cd] Ensure release can be triggered on old branches (#94598)
• 90e3c81 [16.2.x] Align Actions dependencies with Canary (#94339)
• 83f402c [16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)
• 411c455 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• Additional commits viewable in compare view

Updates react from 19.2.3 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• 90ab3f8 Version 19.2.4
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.

Updates react-dom from 19.2.3 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• 90ab3f8 Version 19.2.4
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.

Updates zod from 3.25.76 to 4.4.3

Release notes

Sourced from zod's releases.

v4.4.3

Commits:

• 4c2fa95ce3f3390fbc522324e406b4e9e89b88f9 docs: use Zernio primary wordmark for gold sponsor logo
• 2aeec83eb135e3a83756e973ef44845fc5a455d2 docs: prune lapsed gold sponsors and rebalance logo sizing
• 7391be88ac1ee5cd02057f5ccc012a1f5df4efd0 docs: prune lapsed silver/bronze sponsors and add active ones
• 2c703322a21b4e2b12f33f49ea8430c451a68b4f docs: normalize bronze sponsor logos to github avatar pattern
• 9195250cab0e7950efe39c3926d6c203b4b0a170 docs: remove Mintlify from bronze sponsors (churned)
• b8dffe9e62f17e6571e6249d05cc5102b54d94e4 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 1cab69383fcdeae2a366d5e2a2fc4d8fc765d168 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• c2be4f819064eed62c7c350a2d399b5faecd15f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent keys (#5941)
• f3c9ec03ba7a28ae72d25cc295f38674bee0f559 4.4.3
• 1fb56a5c18c27102dbc92260a4007c7732a0ccca docs: document release procedure in AGENTS.md

v4.4.2

Commits:

• 0c62df0ea19fd05abdf90473e9eef7eea530fab2 Clean up docs navigation and stale labels (#5901)
• 20cc794895cc8604fe0c87d83a5d1c3f89fad0ac chore: add security policy and refresh tooling deps
• 6fbe07b0177efdd1bf1c0b05160e70d7a0702337 fix(docs): heading anchor links now include the hash so it doesnt scoll all the way up, follows navbar logic (#5791)
• 4bbed1b1c73eca4ce9e59b1189ed236aa6c8b5bd Tighten discriminated union option typing
• bbac3e567e7fccfaaf7cdc97f1ce30c295e2c908 Update PR guidance for agents
• cf0dc942a32805c292fff59ade20a7ace980735a Merge remote-tracking branch 'origin/main' into fix-discriminated-union-key-constraint
• 292c894a5fd2aa42e527900b83d8d7a3009a709c docs: add Zernio gold sponsor
• 1fc9f311c28dcf80d0bb5a36b177086cbc3d8eca docs: document codec inversion
• 1373c85da9aeff704a9762d27bc58699618aefb7 docs: remove AI disclosure guidance
• e20d02b473c08e3a4e557bc610b1b5fac079b649 chore: ignore triage notes
• e58ea4d91b1dfe8194b73508203213cbc7e9c936 docs: test Zod Mini tab code heights
• 905761a5d127e8d5dd2ebb3bc88c75cb0b8149ff docs: document preprocess input type narrowing
• bf64bac850d4dee2b7dde7e64909d5d796d32043 chore: tighten test guidance in AGENTS.md
• 8ec4e73f4c4693b6361ad591be40fb41eb8a9f95 chore: update play.ts scratch
• 02c2baf7d0d615872fa4528a8020603b71211702 Make z.preprocess defer optionality to inner schema (#5929)
• 88015df8e25c44fb5385eb3ef28935119cd5edea fix(docs): drop deprecated baseUrl from tsconfig
• c59d4474e3b4cad1b323462186cf607178ce8267 4.4.2

v4.4.1

Commits:

• 481f7be4238c83ed58183f921b2646f340a91c6a ci: gate release publishing on full test workflow
• 95ccab423aec720b2523c3a64cdc7e3204537cc7 test(v3): restore optional undefined expectations
• cede2c63739a5823d6aa5093d291e9a111da943d fix(v4): reject tuple holes before required defaults (#5900)
• edd0bf0f5ada4a8dc581c259407d7bbad0a71ea7 release: 4.4.1
• 180d83d1dbe6a59260710cc8637a3dea2281ee56 docs: remove Jazz featured sponsor

v4.4.0

4.4.0

This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.

Potentially breaking bug fixes

... (truncated)

Commits

• 1fb56a5 docs: document release procedure in AGENTS.md
• f3c9ec0 4.4.3
• c2be4f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent...
• 1cab693 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• b8dffe9 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 9195250 docs: remove Mintlify from bronze sponsors (churned)
• 2c70332 docs: normalize bronze sponsor logos to github avatar pattern
• 7391be8 docs: prune lapsed silver/bronze sponsors and add active ones
• 2aeec83 docs: prune lapsed gold sponsors and rebalance logo sizing
• 4c2fa95 docs: use Zernio primary wordmark for gold sponsor logo
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions