chore(deps): bump the npm-prod-minor group across 1 directory with 7 updates

[dependabot]

Bumps the npm-prod-minor group with 7 updates in the / directory:

Package	From	To
@tanstack/react-query	5.90.10	5.101.0
autoprefixer	10.4.21	10.5.0
date-fns	4.1.0	4.4.0
dompurify	3.3.3	3.4.11
react-hot-toast	2.5.2	2.6.0
tailwind-merge	3.3.1	3.6.0
use-debounce	10.0.4	10.1.1

Updates @tanstack/react-query from 5.90.10 to 5.101.0

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.101.0

Patch Changes

• Updated dependencies [3042860, e631dc3]:
  • @​tanstack/query-devtools@​5.101.0
  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-next-experimental@​5.101.0

Patch Changes

• #10857 7cf5923 - fix(react-query-next-experimental): replace deprecated 'isServer' with 'environmentManager.isServer()'

• Updated dependencies []:

  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-persist-client@​5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.101.0
  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query@​5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

@​tanstack/react-query-devtools@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-devtools@​5.100.14

@​tanstack/react-query-next-experimental@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14

@​tanstack/react-query-persist-client@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-persist-client-core@​5.100.14

@​tanstack/react-query@​5.100.14

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

5.100.14

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

5.100.13

Patch Changes

• Updated dependencies [d423168]:
  • @​tanstack/query-core@​5.100.13

5.100.12

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.12

5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

5.100.10

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.10

5.100.9

Patch Changes

• Updated dependencies [fcee7bd]:
  • @​tanstack/query-core@​5.100.9

... (truncated)

Commits

• f3d8d2a ci: Version Packages (#10774)
• 532bb29 fix(tests): disable local coverage instrumentation (#10776)
• ba6e7be ci: Version Packages (#10767)
• ed20b6d fix(react): do not go into optimistic fetching state when not subscribed (#10...
• 05cf2bc ci: Version Packages (#10758)
• d423168 fix(query-core): use built-in NoInfer for generic indexed-access types (#10593)
• 5ff4f69 ci: Version Packages (#10755)
• 3e85350 ci: Version Packages (#10706)
• 9d2692c ci: Version Packages (#10695)
• 74fa05e chore(tsconfig.json): narrow 'include' pattern to prevent TS6053 race conditi...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tanstack/react-query since your current version.

Updates autoprefixer from 10.4.21 to 10.5.0

Release notes

Sourced from autoprefixer's releases.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

Changelog

Sourced from autoprefixer's changelog.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

Commits

• faf456a Release 10.5 version
• b841fc5 Update dependencies
• 47d6e68 Update email
• 45cfc08 Replace ESLint and Prettier to oxlint and oxfmt
• 7e3ec7d Add prefixing support for mask-position-x and mask-position-y (#1548)
• 360f2d9 Release 10.4.27 version
• ab5260c Update clean-publish
• 09e9dd1 Release 10.4.26 version
• ec75540 Ignore local patches
• 59601b8 Update c8 and clean-publish
• Additional commits viewable in compare view

Updates date-fns from 4.1.0 to 4.4.0

Release notes

Sourced from date-fns's releases.

v4.4.0

This release revisits the approach to CDN usage and introduces a new package, @date-fns/cdn and deprecates the date-fns CDN scripts. It allowed reducing the zipped package size from 5.83 MB down to 3.96 MB without introducing any breaking changes.

In v5.0.0-alpha.0 where CDN scripts are completely removed from date-fns the change is more significant and brings the zipped package size down to 2.89 MB.

It is just the first step in optimizing the package size. Expect further size reduction in the future v4 and v5 versions.

Changed

• DEPRECATED: The date-fns CDN scripts are now deprecated and will be removed in the next major release. Please switch to the new @date-fns/cdn package for CDN usage.

• Removed CDN source maps to reduce the package size. If you rely on them, please switch to the new @date-fns/cdn package that still includes them.

v4.3.0

Kudos to @​ImRodry and @​puneetdixit200 for their contributions.

Fixed

• Fixed missing modularized optimization fallback (for Next.js and others). See #4193.

• Fixed pt locale first day of week to be Sunday. See #4195 by @​ImRodry.

• Fixed zh-CN, zh-HK, and zh-TW locale month parsing for October, November, and December. See #4194 by @​puneetdixit200.

v4.2.1

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Commits

• cd53d25 Promote to v4.4.0
• d948ec1 Preserve but deprecate CDN versions for v4, set up v5 with polyfills
• ee65753 Add root mise :format task
• 9f5bdf5 Add positional argument to test/smoke.sh script
• 651ead6 Split CDN bundles into separate @​date-fns/cdn package
• 224c1a2 Deprecate type tests as attw hangs on date-fns package
• 7bb2842 Switch PACKAGE_OUTPUT_PATH to --dist flag in the package build script
• b6ad5ac Add flags to control package build script
• 424a783 Fix docs release after moving to monorepo setup
• f95bcf1 (docs): Add missing tsx dependency
• Additional commits viewable in compare view

Updates dompurify from 3.3.3 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

• Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
• Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
• Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
• Updated up the linting tool-chain and removed now-redundant lint directives
• Updated the documentation is several spots, README, wiki, etc.
• Bumped several dependencies where possible

DOMPurify 3.4.10

• Refactored codebase for clarity: extracted the public type declarations into types.ts
• Decomposed the three largest sanitizer functions into focused helpers
• Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
• Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
• Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
• Reduced CI cost by running the full three-engine browser suite once per PR
• Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
• Documented the bench and test:happydom scripts in the README
• Completed the Attack Classes & Bypass History wiki page
• Bumped several dependencies where possible

DOMPurify 3.4.9

• Further improved the handling of Trusted Types config options, thanks @​offset
• Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
• Added more test coverage for IN_PLACE and Trusted Types related usage
• Bumped several dependencies where possible
• Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

• Cleaned up the repository root, renamed some and removed unneeded files
• Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
• Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
• Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
• Bumped several dependencies where possible

DOMPurify 3.4.7

• Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
• Removed a problem leading to permanent hook pollution, thanks @​offset
• Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

• Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
• Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
• Added more test coverage for IN_PLACE and general DOM Clobbering attacks
• Bumped several dependencies where possible

DOMPurify 3.4.5

• Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

... (truncated)

Commits

• 0cae518 release: 3.4.11 (#1494)
• 6ee5716 release: 3.4.10 (#1478)
• 5210247 release: 3.4.9 (#1459)
• bcdd828 release: 3.4.8 (#1439)
• ca30f07 release: 3.4.7 (#1414)
• bb7739e release: 3.4.6 (#1394)
• 011b0c7 release: 3.4.5 (#1382)
• 5817ad9 release: 3.4.4 (#1374)
• 520edb0 release: 3.4.3 (#1352)
• 6f67fd3 Sync/3.4.2 (#1322)
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates react-hot-toast from 2.5.2 to 2.6.0

Release notes

Sourced from react-hot-toast's releases.

v2.6.0

• Adds support for multiple toasters
• Adapt build to minify inlined CSS

---

timolins/react-hot-toast@v2.5.2...v2.6.0

v2.6.0-beta.0

What's new

• Adds support for multiple toasters
• Add first version of Multi toaster docs
• Add dismissAll and removeAll More ergonomic API when working with multiple toasters a1d0b02

Ready to try it out?

npm i react-hot-toast@beta

Other Changes

• Update pnpm version f6c867b
• Move timeouts inside a useRef cb1fe8e
• Use data tag instead of id 1d5d3d3
• Fix dispatch to be id specific again fe934fd
• Merge branch 'main' into global-settings 0953822
• Add first version of multi toaster page 5b1ee55
• Merge branch 'main' into global-settings 4d43622
• Move toaster settings into state cf9ae4b
• Some experimentation with global settings API 2e0a4dd

---

timolins/react-hot-toast@v2.5.1...v2.6.0-beta.0

Commits

• 3a870ed 2.6.0
• 85d4b21 Merge pull request #383 from timolins/multi-toaster
• 15605ee Remove example
• 2bf1aaa Improve multi toaster docs
• b53bdb3 Merge branch 'main' into multi-toaster
• 4607412 Slight bump size limit
• e1bfeaf Merge branch 'main' into multi-toaster
• 35f5efe Merge pull request #407 from timolins/minify-inline-css
• 6dca025 Remove not working option
• 5f27b51 Remove fragile css minifier for now
• Additional commits viewable in compare view

Updates tailwind-merge from 3.3.1 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

• Add support for Tailwind CSS v4.3 by @​dcastil in dcastil/tailwind-merge#677
  • Add postfixLookupClassGroups option to config to support Tailwind utilities where a slash is part of the full class name, like named container queries
• Add support for readonly array values by @​unional in dcastil/tailwind-merge#652

Documentation

• Fix broken links in README by @​maurer2 in dcastil/tailwind-merge#662

Other

• Harden internal CI pipeline security by omitting git checkout by @​dcastil, suggested by @​kyletaylored in dcastil/tailwind-merge@6b2499c

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.5.0

New Features

• Add support for Tailwind CSS v4.2 by @​dcastil in dcastil/tailwind-merge#651

Full Changelog: dcastil/tailwind-merge@v3.4.1...v3.5.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.4.1

Bug Fixes

• Prevent arbitrary font-family and font-weight from merging by @​roneymoon in dcastil/tailwind-merge#635

Full Changelog: dcastil/tailwind-merge@v3.4.0...v3.4.1

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.4.0

New Features

• Performance optimizations which make tailwind-merge >10% faster
  • Vibe optimization by @​quantizor in dcastil/tailwind-merge#547
  • Additional optimizations by @​quantizor in dcastil/tailwind-merge#619

Documentation

• Improve docs by clarifying things, adding more examples by @​dcastil in dcastil/tailwind-merge#618
• Make examples more realistic by @​dcastil in dcastil/tailwind-merge#617
• Add custom variant as an alternative to docs by @​kidonng in dcastil/tailwind-merge#592

... (truncated)

Commits

• d54f7e5 v3.6.0
• 638871a Update README to add info about Tailwind CSS v4.3 support
• 39fc7b5 Revert "v3.6.0"
• bd8390f v3.6.0
• 802877c add v3.6.0 changelog
• a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
• 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
• 005af6d pin to specific version
• 5816ced implement breaking changes
• 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for tailwind-merge since your current version.

Updates use-debounce from 10.0.4 to 10.1.1

Release notes

Sourced from use-debounce's releases.

10.0.6

What's Changed

• Bump form-data from 4.0.0 to 4.0.4 by @​dependabot[bot] in xnimorz/use-debounce#198
• Fix/cancel ispending UI update by @​elrion018 in xnimorz/use-debounce#199

Full Changelog: xnimorz/use-debounce@10.0.5...10.0.6

10.0.5

What's Changed

• Update outdated tsdoc for useDebouncedCallback by @​stephan281094 in xnimorz/use-debounce#195
• Fix isPending updating bug and add a test case. by @​elrion018 in xnimorz/use-debounce#196
• Bump esbuild and @​size-limit/preset-small-lib by @​dependabot[bot] in xnimorz/use-debounce#197

New Contributors

• @​stephan281094 made their first contribution in xnimorz/use-debounce#195
• @​elrion018 made their first contribution in xnimorz/use-debounce#196

Full Changelog: xnimorz/use-debounce@10.0.4...10.0.5

Changelog

Sourced from use-debounce's changelog.

10.1.1

• replace global with globalThis which is defined in all possible environments (browser, node, workers) to address xnimorz/use-debounce#212

10.1.0

• New parameter introduced: flushOnExit. See issue #205 for details. This parameter allows the callback to be executed on component unmount or page exit, enabling specific side-effect such as persistence or other required I/O operations. Thanks to @​h for the contribution. PR

10.0.5

• Fixed issue xnimorz/use-debounce#192, where isPending remains true with leading: true configuration, thanks to @​elrion018

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​dompurify@​3.3.3 ⏵ 3.4.11	+1	+31			-20
	npm/​react-hot-toast@​2.5.2 ⏵ 2.6.0			+1
	npm/​use-debounce@​10.0.4 ⏵ 10.1.1	+1		+1
	npm/​autoprefixer@​10.4.21 ⏵ 10.5.0	+1		-2
	npm/​tailwind-merge@​3.3.1 ⏵ 3.6.0			+1	+2
	npm/​@​tanstack/​react-query@​5.90.10 ⏵ 5.101.0	+1		+1	-1
	npm/​date-fns@​4.4.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm date-fns is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/date-fns@4.4.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/date-fns@4.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report