chore(deps): bump the patch-and-minor group across 1 directory with 33 updates

[dependabot]

Bumps the patch-and-minor group with 33 updates in the / directory:

Package	From	To
@arcjet/next	1.3.1	1.4.0
@sentry/nextjs	10.46.0	10.55.0
@trigger.dev/sdk	4.4.3	4.4.6
@upstash/redis	1.37.0	1.38.0
framer-motion	12.38.0	12.40.0
groq-sdk	1.1.2	1.2.1
next-safe-action	8.3.0	8.5.3
posthog-js	1.364.1	1.376.4
resend	6.10.0	6.12.4
tailwind-merge	3.5.0	3.6.0
workbox-window	7.4.0	7.4.1
xstate	5.30.0	5.32.0
zod	4.3.6	4.4.3
zustand	5.0.12	5.0.14
@axe-core/playwright	4.11.1	4.11.3
@biomejs/biome	2.4.9	2.4.16
@chromatic-com/storybook	5.1.1	5.2.1
@next/bundle-analyzer	16.2.4	16.2.6
@playwright/test	1.58.2	1.60.0
@storybook/addon-a11y	10.3.3	10.4.1
@storybook/addon-docs	10.3.3	10.4.1
@storybook/addon-onboarding	10.3.3	10.4.1
@storybook/nextjs-vite	10.3.3	10.4.1
@tailwindcss/postcss	4.2.2	4.3.0
@trigger.dev/build	4.4.3	4.4.6
eslint-config-next	16.1.1	16.2.6
eslint-plugin-storybook	10.3.3	10.4.1
msw	2.12.14	2.14.6
playwright	1.58.2	1.60.0
prettier	3.8.1	3.8.3
storybook	10.3.3	10.4.1
tailwindcss	4.2.2	4.3.0
vite	8.0.8	8.0.14

Updates @arcjet/next from 1.3.1 to 1.4.0

Release notes

Sourced from @​arcjet/next's releases.

v1.4.0

1.4.0 (2026-04-14)

🚀 New Features

Introducing Arcjet Guard - protect AI agent tool calls, background jobs, and anything beyond HTTP. @arcjet/guard is a new API built for the agentic era: rate limit by any key, detect prompt injection, and catch PII.

• guard: promote @​arcjet/guard from experimental to stable release (#5996) (f511f44)

📝 Documentation

• add @​arcjet/guard documentation to root README (#5993) (4be39c8)
• add MCP server mentions to @​arcjet/guard (#5974) (cd398c0)

🧹 Miscellaneous Chores

• add .claude/ to .gitignore (#5988) (6f0f922)
• always trigger workflows on release-please branch (#5998) (6554cd1)
• delete astro-5 example (#5995) (38487cb)
• Deprecate score and threshold fields in detectPromptInjection (#5987) (de46cb7)
• examples: Add Astro 5 example, upgrade main Astro example to v6 (#5975) (a77c077)
• guard: add legacy type resolution for typescript@<=5 (#5978) (fd6ad6d)
• guard: introduce arcjet guard js (#5957) (53ff2e2)
• guard: update protobuf (#5986) (25f0e9e)
• proto: sync generated proto (#5994) (25b11fe)
• regenerate wasm binaries after aws-lc-rs update (#5969) (bda5448)

🔨 Build System

• deps-dev: bump vite from 7.3.1 to 7.3.2 (#5980) (8a253f6)
• deps-dev: bump vite from 7.3.1 to 7.3.2 in /examples/react-router (#5982) (ddf3416)
• deps-dev: bump vite from 7.3.1 to 7.3.2 in /examples/react-router-middleware (#5985) (e36cf35)
• deps: bump @​nestjs/core from 11.1.17 to 11.1.18 in /examples/nestjs (#5983) (514ae8b)
• deps: bump unhead and @​unhead/vue in /examples/nuxt (#5989) (6add894)
• deps: bump vite from 7.3.1 to 7.3.2 in /examples/nuxt (#5981) (97138bc)
• deps: bump vite in /examples/remix-express (#5977) (3b97d6f)

Changelog

Sourced from @​arcjet/next's changelog.

1.4.0 (2026-04-14)

🧹 Miscellaneous Chores

• Deprecate score and threshold fields in detectPromptInjection (#5987) (de46cb7)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​arcjet/body bumped from 1.3.1 to 1.4.0
    • @​arcjet/env bumped from 1.3.1 to 1.4.0
    • @​arcjet/headers bumped from 1.3.1 to 1.4.0
    • @​arcjet/ip bumped from 1.3.1 to 1.4.0
    • @​arcjet/logger bumped from 1.3.1 to 1.4.0
    • @​arcjet/protocol bumped from 1.3.1 to 1.4.0
    • @​arcjet/transport bumped from 1.3.1 to 1.4.0
    • arcjet bumped from 1.3.1 to 1.4.0
  • devDependencies
    • @​arcjet/eslint-config bumped from 1.3.1 to 1.4.0
    • @​arcjet/rollup-config bumped from 1.3.1 to 1.4.0

Commits

• b4337ec chore: Release 1.4.0 (#5972)
• de46cb7 chore: Deprecate score and threshold fields in detectPromptInjection (#...
• See full diff in compare view

Updates @sentry/nextjs from 10.46.0 to 10.55.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.55.0

Important Changes

• feat(hono): Promote @sentry/hono to stable and deprecate honoIntegration (#21208)

  The @sentry/hono SDK is now stable. See the Sentry Hono SDK docs to get started.

• docs(tanstackstart-react): Promote SDK status to beta (#21175)

  This release promotes the @sentry/tanstackstart-react SDK to beta. For details on how to use it, check out the Sentry TanStack Start SDK docs. Please reach out on GitHub if you have any feedback or concerns.

• feat(hono): Add shouldHandleError option to sentry() middleware (#21205)

  The sentry() middleware now accepts a shouldHandleError callback to control which errors are captured and sent to Sentry. By default, 3xx/4xx HTTP errors are ignored and 5xx errors and plain Error objects are captured. Return true from the callback to capture an error, false to suppress it.

  app.use(
    sentry(app, {
      dsn: '__DSN__',
      shouldHandleError(error) {
        const status = (error as { status?: number })?.status;
        // Capture 401/403 in addition to the default 5xx errors
        return status === 401 || status === 403 || typeof status !== 'number' || status >= 500;
      },
    }),
  );

• test(tanstackstart-react): Move initialization to client entry point (#21161)

  Change the recommended setup for the SDK to do Sentry.init() in the client entry file to capture telemetry that is emitted ahead of page hydration.

• feat(tanstackstart-react): Add distributed tracing (#21144)

  Server and client traces are now automatically connected, allowing you to see the full request lifecycle from server-side rendering through client-side hydration in a single trace.

• feat(tanstackstart-react): Add server-side route parametrization (#21147)

  Server transaction names are now parametrized automatically (e.g., GET /users/123 becomes GET /users/$userId), improving transaction grouping in Sentry.

• feat(tanstackstart-react): Show readable server function names in traces (#21190)

  Server function spans now show human-readable names (e.g., GET /_serverFn/greet instead of GET /_serverFn/a10e70b3...). The tanstackstart.function.hash.sha256 span attribute has been renamed to tanstackstart.function.id.

Other Changes

• feat(core): Migrate request data to dataCollection (#21071)
• feat(hono): Add warning in Bun for double init (#21195)

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.55.0

Important Changes

• feat(hono): Promote @sentry/hono to stable and deprecate honoIntegration (#21208)

  The @sentry/hono SDK is now stable. See the Sentry Hono SDK docs to get started.

• docs(tanstackstart-react): Promote SDK status to beta (#21175)

  This release promotes the @sentry/tanstackstart-react SDK to beta. For details on how to use it, check out the Sentry TanStack Start SDK docs. Please reach out on GitHub if you have any feedback or concerns.

• feat(hono): Add shouldHandleError option to sentry() middleware (#21205)

  The sentry() middleware now accepts a shouldHandleError callback to control which errors are captured and sent to Sentry. By default, 3xx/4xx HTTP errors are ignored and 5xx errors and plain Error objects are captured. Return true from the callback to capture an error, false to suppress it.

  app.use(
    sentry(app, {
      dsn: '__DSN__',
      shouldHandleError(error) {
        const status = (error as { status?: number })?.status;
        // Capture 401/403 in addition to the default 5xx errors
        return status === 401 || status === 403 || typeof status !== 'number' || status >= 500;
      },
    }),
  );

• test(tanstackstart-react): Move initialization to client entry point (#21161)

  Change the recommended setup for the SDK to do Sentry.init() in the client entry file to capture telemetry that is emitted ahead of page hydration.

• feat(tanstackstart-react): Add distributed tracing (#21144)

  Server and client traces are now automatically connected, allowing you to see the full request lifecycle from server-side rendering through client-side hydration in a single trace.

• feat(tanstackstart-react): Add server-side route parametrization (#21147)

  Server transaction names are now parametrized automatically (e.g., GET /users/123 becomes GET /users/$userId), improving transaction grouping in Sentry.

• feat(tanstackstart-react): Show readable server function names in traces (#21190)

  Server function spans now show human-readable names (e.g., GET /_serverFn/greet instead of GET /_serverFn/a10e70b3...). The tanstackstart.function.hash.sha256 span attribute has been renamed to tanstackstart.function.id.

Other Changes

• feat(core): Migrate request data to dataCollection (#21071)

... (truncated)

Commits

• acd7b57 release: 10.55.0
• d5323d2 Merge pull request #21216 from getsentry/prepare-release/10.55.0
• 2fb1929 meta(changelog): Update changelog for 10.55.0
• 556bcb3 feat(hono): Add shouldHandleError as middleware option (#21205)
• 7a67ea4 feat(hono): Promote @sentry/hono to stable and deprecate honoIntegration ...
• cead7f9 fix(e2e): Fix astro-6 e2e test build by relaxing astro version range (#21211)
• 75fd1d5 chore(changelog): clarify array attributes impact on beforeSend* callbacks ...
• 8a2a490 fix(cloudflare): Use original waitUntil to not create a deadlock (#21197)
• f7b506d feat(metrics): Migrate metrics to use dataCollection instead of `sendDefaul...
• f55fc30 feat(core): Migrate request data to dataCollection (#21071)
• Additional commits viewable in compare view

Updates @trigger.dev/sdk from 4.4.3 to 4.4.6

Changelog

Sourced from @​trigger.dev/sdk's changelog.

4.4.6

Patch Changes

• Updated dependencies:
  • @trigger.dev/core@4.4.6

4.4.5

Patch Changes

• Updated dependencies:
  • @trigger.dev/core@4.4.5

4.4.4

Patch Changes

• Define and manage AI prompts with prompts.define(). Create typesafe prompt templates with variables, resolve them at runtime, and manage versions and overrides from the dashboard without redeploying. (#3244)
• Add support for setting TTL (time-to-live) defaults at the task level and globally in trigger.config.ts, with per-trigger overrides still taking precedence (#3196)
• Adapted the CLI API client to propagate the trigger source via http headers. (#3241)
• Updated dependencies:
  • @trigger.dev/core@4.4.4

Commits

• 41a486e chore: release v4.4.6 (#3501)
• d825427 chore: release v4.4.5 (#3406)
• 91fd8a8 chore(security): close dependabot alerts q2 (#3456)
• 5ea36e0 chore: release v4.4.4 (#3228)
• 0e63f83 feat: add ttl support at task and config levels (#3196)
• 54d95ee feat: AI prompt management dashboard and enhanced span inspectors (#3244)
• See full diff in compare view

Updates @upstash/redis from 1.37.0 to 1.38.0

Release notes

Sourced from @​upstash/redis's releases.

@​upstash/redis@​1.38.0

Minor Changes

• c71f581: Separate read/write commands into separate pipelines in auto pipeline. As a result, mixed read/write Promise.all batches may now be split across multiple pipeline HTTP requests instead of a single request, and read-after-write ordering may no longer be preserved within those mixed batches.

@upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

What's Changed

• DX-2506: add redis search into skills by @​CahidArda in upstash/redis-js#1427
• fix: rename redis search analytics demo by @​CahidArda in upstash/redis-js#1428
• DX-2555: add supply chain security settings by @​CahidArda in upstash/redis-js#1429
• fix: add version sync to ci by @​alitariksahin in upstash/redis-js#1430

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.37.0...@​upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

Commits

• 7607549 chore: version packages (#1433)
• c71f581 DX-2577: Seperate read/write commands into seperate pipelines in auto pipelin...
• e3a23ab fix: add version sync to ci (#1430)
• 12e9a9e DX-2555: add supply chain security settings (#1429)
• f59fa75 fix: docs link
• c88b8e5 fix: rename redis search analytics demo (#1428)
• 5d8abc1 feat: add redis search into skills (#1427)
• See full diff in compare view

Updates framer-motion from 12.38.0 to 12.40.0

Changelog

Sourced from framer-motion's changelog.

[12.40.0] 2026-05-21

Added

• path option to transition.
• arc() for motion along an arc.

[12.39.0] 2026-05-18

Added

• Support for repeatType and repeatDelay in animation sequences.

Fixed

• Variants: Re-run keyframe animations when switching between variant labels even when they share identical keyframe arrays.
• Drag: Preserve in-flight motion value animations across React 19 reorder unmount/remount so dragSnapToOrigin no longer leaves the drag transform stranded after a layout swap.
• LazyMotion: Share React contexts between the framer-motion and framer-motion/m (and therefore motion/react and motion/react-m) CJS bundles so that <m.div> from the /m subpath picks up features loaded by <LazyMotion> from the main entry point.
• useScroll: Support hydrating target and container refs from anywhere in the tree.
• Drag: Gesture no longer starts from incorrect start point when rendered inside <AnimatePresence initial={false} />.
• Drag: dragConstraints, when set as viewport-relative ref, no longer break on scroll.§
• Updated visualElement hydration order.
• useAnimate: Now respects skipAnimations.
• AnimatePresence: Fix object-form initial values not applied on re-entry after exit completes.
• scroll: Fixed callback progress when tracking an element.
• useScroll: Fix hardware acceleration when tracking an element.

Commits

• 38ebb94 v12.40.0
• b1f766c Latest
• bca5544 Merge pull request #3699 from motiondivision/lochie/arcs-injectable
• f1a96cf arc(): rename amp/rotate, expose MotionPath, fix explicit cw/ccw
• b4aaba0 pathRotation: non-destructive orientToPath rotation channel
• 8604ef3 Make arcs injectable via transition.path = arc()
• f90fe29 add orientToPath
• 9ebe999 fix: test
• bc2107e Revert "no should"
• 6eeb92d no should
• Additional commits viewable in compare view

Updates groq-sdk from 1.1.2 to 1.2.1

Release notes

Sourced from groq-sdk's releases.

v1.2.1

1.2.1 (2026-05-28)

Full Changelog: v1.2.0...v1.2.1

Bug Fixes

• typescript: upgrade tsc-multi so that it works with Node 26 (4ab1f54)

Chores

• GitHub Terraform: Create/Update .github/workflows/code-freeze-bypass.yaml [skip ci] (fa53cca)
• GitHub Terraform: Create/Update .github/workflows/stale.yaml [skip ci] (07d7e5a)
• internal: codegen related update (b9aa6b9)
• lint: ignore Terraform-managed workflow yamls in prettier (e6d0c51)
• tests: remove redundant File import (f978085)

v1.2.0

1.2.0 (2026-05-08)

Full Changelog: v1.1.2...v1.2.0

Features

• support setting headers via env (4141bb0)

Bug Fixes

• ci: set NODE_AUTH_TOKEN for npm OIDC trusted publisher auth (#259) (67f676b)

Chores

• format: run eslint and prettier separately (32c1a70)
• internal: codegen related update (f4bca6a)
• internal: codegen related update (22ebc5e)
• internal: codegen related update (da82d5d)
• internal: codegen related update (d8648d9)
• internal: more robust bootstrap script (991fe2c)
• internal: update multipart form array serialization (d0681d2)
• redact api-key headers in debug logs (3640895)
• tests: bump steady to v0.20.1 (4f47a2d)
• tests: bump steady to v0.20.2 (ceeeeea)
• tests: bump steady to v0.22.1 (59eabab)

Documentation

... (truncated)

Changelog

Sourced from groq-sdk's changelog.

1.2.1 (2026-05-28)

Full Changelog: v1.2.0...v1.2.1

Bug Fixes

• typescript: upgrade tsc-multi so that it works with Node 26 (4ab1f54)

Chores

• GitHub Terraform: Create/Update .github/workflows/code-freeze-bypass.yaml [skip ci] (fa53cca)
• GitHub Terraform: Create/Update .github/workflows/stale.yaml [skip ci] (07d7e5a)
• internal: codegen related update (b9aa6b9)
• lint: ignore Terraform-managed workflow yamls in prettier (e6d0c51)
• tests: remove redundant File import (f978085)

1.2.0 (2026-05-08)

Full Changelog: v1.1.2...v1.2.0

Features

• support setting headers via env (4141bb0)

Bug Fixes

• ci: set NODE_AUTH_TOKEN for npm OIDC trusted publisher auth (#259) (67f676b)

Chores

• format: run eslint and prettier separately (32c1a70)
• internal: codegen related update (f4bca6a)
• internal: codegen related update (22ebc5e)
• internal: codegen related update (da82d5d)
• internal: codegen related update (d8648d9)
• internal: more robust bootstrap script (991fe2c)
• internal: update multipart form array serialization (d0681d2)
• redact api-key headers in debug logs (3640895)
• tests: bump steady to v0.20.1 (4f47a2d)
• tests: bump steady to v0.20.2 (ceeeeea)
• tests: bump steady to v0.22.1 (59eabab)

Documentation

• improve examples (d8f62df)

Commits

• 92ec78c release: 1.2.1 (#262)
• 07d7e5a chore: GitHub Terraform: Create/Update .github/workflows/stale.yaml [skip ci]
• fa53cca chore: GitHub Terraform: Create/Update .github/workflows/code-freeze-bypass.y...
• 90d2938 release: 1.2.0 (#260)
• 67f676b fix(ci): set NODE_AUTH_TOKEN for npm OIDC trusted publisher auth (#259)
• See full diff in compare view

Updates next-safe-action from 8.3.0 to 8.5.3

Release notes

Sourced from next-safe-action's releases.

next-safe-action@8.5.3

Patch Changes

• #450 edf9dd6 Thanks @​TheEdoRan! - Remove the deepmerge-ts runtime dependency by inlining the small subset of deep-merge logic the library actually uses into an internal deep-merge.ts. Behavior is unchanged (records merged recursively, arrays concatenated, Sets/Maps combined, otherwise last value wins, with a __proto__ pollution guard), and the package now ships with zero runtime dependencies.

next-safe-action@8.5.2

Patch Changes

• #448 c10b464 Thanks @​TheEdoRan! - Add the pkg.pr.new badge to README. Documentation-only change, no runtime impact.

next-safe-action@8.5.1

Patch Changes

• #446 6b1e3f6 Thanks @​TheEdoRan! - Filter out undefined entries from the callback promises array before awaiting Promise.all, to satisfy the stricter await-thenable rule in the latest oxlint-tsgolint. No runtime behavior change.

next-safe-action@8.5.0

Minor Changes

• #444 adea4c6 Thanks @​TheEdoRan! - Narrow SafeActionResult into a discriminated union so that checking one field narrows the others to undefined.

  Previously, data, serverError, and validationErrors were all independently optional on the result type, which meant TypeScript could not infer that they are mutually exclusive. Now:

  const { data, serverError, validationErrors } = await myAction(input);
  if (data) {
  // TypeScript knows serverError and validationErrors are undefined here
  }
  if (serverError) {
  // TypeScript knows data and validationErrors are undefined here
  }

  Destructured narrowing works end-to-end: checking any one of the three fields propagates to the other two. No hook API changes are required — useAction().result narrows automatically.

  Runtime behavior change (compound-error precedence)

  To make narrowing honest, the action builder now applies a precedence rule when building the result, whereas previously it could return multiple populated fields at once in rare edge cases. The precedence is:

  1. validationErrors
  2. serverError
  3. data

  Two documented edge cases changed as a result:

  • Middleware calling next() twice. Previously the result contained both the first call's data AND a serverError describing the second call. Now the result contains only the serverError. Calling next() twice is a programmer error, and returning partial data alongside the error was confusing.
  • Invalid bind args combined with invalid main input. Previously the result contained both a serverError (wrapped bind args errors) AND validationErrors (main input). Now the result contains only the validationErrors. After the user fixes the main input and resubmits, the bind args errors will surface on the next attempt.

  Migration guide

... (truncated)

Commits

• 9d54c79 Version Packages (#451)
• edf9dd6 inline deepmerge logic (#450)
• 25455e4 bump pnpm to 11.1.0
• 745ba86 enforce harden-runner egress policy across workflows
• ea72791 harden CI/CD workflows against supply chain attacks
• b368025 update dependencies
• a46a600 pass required env vars during docs build
• 3dc9a49 add plausible proxy
• ade3358 update fumadocs
• 36b6457 add context7 verification
• Additional commits viewable in compare view

Updates posthog-js from 1.364.1 to 1.376.4

Release notes

Sourced from posthog-js's releases.

posthog-js@1.376.4

1.376.4

Patch Changes

• #3685 f59f35a Thanks @​ioannisj! - fix(cookieless): enable request queue when opting out in on_reject mode. When using cookieless_mode: "on_reject", calling opt_out_capturing() correctly switched the SDK into cookieless capturing but never enabled the RequestQueue — so batched events were enqueued but never flushed over the network. At init time the queue was not started because consent was PENDING and is_capturing() returned false; opt_out_capturing() is the first moment capturing becomes active but was missing the _start_queue_if_opted_in() call that opt_in_capturing() already had. (2026-05-28)

• #3692 f01cd93 Thanks @​ksvat! - fix(replay): take a fresh full snapshot after session ID rotates via forcedIdleReset. Previously, when the session manager's idle enforcement timer rotated the session id, the recorder tore down rrweb and set _isIdle = 'unknown' before the new session id was observed. Neither restart path then fired (the _onSessionIdCallback guard only restarted when _isIdle === true, and _updateWindowAndSessionIds could not run with rrweb stopped), so the new session received only incremental mutations until a later snapshot — leaving the player stuck on "Buffering". The restart guard now also fires when rrweb isn't running. (2026-05-28)

• #3691 cc71f3f Thanks @​ksvat! - fix(replay): ship ph-no-capture absolute-position fix from #3678 to posthog-js. The original changeset only bumped @posthog/rrweb and @posthog/rrweb-snapshot; because posthog-js depends on @posthog/rrweb via workspace:*, the cascade did not bump posthog-js, so the rebuilt bundle containing the fix was not published. This changeset re-publishes posthog-js with the fix. (2026-05-28)

• #3695 e1ff722 Thanks @​ksvat! - chore(replay): expose $sdk_debug_rrweb_attached and $sdk_debug_rrweb_start_attempted debug properties on captured events. Today the SDK already stamps several $sdk_debug_* properties (start reason, linked-flag trigger status, recording status) that report the SDK's intent to record — they all flip to "active" as soon as the state machine evaluates the configured triggers. None of them observe whether rrweb actually attached and is producing events. The new booleans close that gap: $sdk_debug_rrweb_start_attempted is set when _startRecorder() is first entered, and $sdk_debug_rrweb_attached reflects whether _stopRrweb is currently a non-falsy stop handle (i.e. rrwebRecord({...}) returned successfully and the recorder has not been torn down). No behavior change — this only adds two booleans to the existing sdkDebugProperties channel, used to diagnose cases where a session reports trigger_activated / recording_status: active but no $snapshot data is ever uploaded. (2026-05-28)

• Updated dependencies [7b84b75]:

  • @​posthog/core@​1.29.13
  • @​posthog/types@​1.376.4

posthog-js@1.376.3

1.376.3

Patch Changes

• #3649 9cac1f6 Thanks @​marandaneto! - Improve console log serialization performance for large objects. (2026-05-27)
• Updated dependencies []:
  • @​posthog/types@​1.376.3
  • @​posthog/core@​1.29.12

posthog-js@1.376.2

1.376.2

Patch Changes

• #3667 cafa9cc Thanks @​pauldambra! - fix(replay): stop polling preload-as-style <link> elements forever. Session recorder treated <link rel="preload" as="style" href="*.css"> as if it were a stylesheet and waited for link.sheet to populate. Per spec preload links never instantiate a CSSStyleSheet, so the wait timed out, re-serialized the link, scheduled another wait, and leaked a load listener on every cycle — multiplying further on every real load event. Pages with Next.js-style CSS preloads accumulated thousands of active polling chains, saturating the main thread and freezing the tab on refocus (2026-05-26)
• Updated dependencies []:
  • @​posthog/types@​1.376.2
  • @​posthog/core@​1.29.11

posthog-js@1.376.1

1.376.1

Patch Changes

• Updated dependencies [5568f12]:
  • @​posthog/core@​1.29.10
  • @​posthog/types@​1.376.1

... (truncated)

Commits

• a122070 chore: update versions and lockfile [version bump]
• 714ffa5 fix(convex): register refresh cron unconditionally (#3684)
• e1ff722 fix(replay): add debugging logs for recorder (#3695)
• f01cd93 fix(replay): fix idle session rotation race condition (#3692)
• e05aea5 fix(core): stop leaking DOM globals into public type surface (#3693)
• f59f35a fix(cookieless): enable request queue when opting out in on_reject mode (#3685)
• cc71f3f chore(replay): bump posthog-js (#3691)
• 7b84b75 fix: unify capture exception (#3681)
• 8ade9cb feat(mcp): scaffold @​posthog/mcp package (1/2) (#3652)
• 4b1231f chore: update versions and lockfile [version bump]
• Additional commits viewable in compare view

Updates resend from 6.10.0 to 6.12.4

Release notes

Sourced from resend's releases.

v6.12.4

What's Changed

• fix(deps): update dependency next to v16.2.6 [security] by @​renovate[bot] in resend/resend-node#957
• chore(dev-660): harden github actions workflows by @​felipefreitag in resend/resend-node#959
• chore: add sync-prs-to-linear action by @​dielduarte in resend/resend-node#961
• fix: rename misnamed get-contact.interface.ts to get-topic.interface.ts in topics module by @​wesleyramalho in resend/resend-node#903
• fix: avoid mutating payloads in emails, broadcasts, and templates by @​Shubhdeep12 in resend/resend-node#862
• feat: add optional baseUrl and userAgent to Resend constructor by @​xiaoyu2er in resend/resend-node#839
• chore: bump public-shared-workflows hash by @​dielduarte in resend/resend-node#965
• chore: bump public-shared-workflows hash by @​dielduarte in resend/resend-node#966
• refactor: align delete method with other HTTP methods in Resend class by @​wesleyramalho in resend/resend-node#904
• fix: to support @​react-email/render exports across versions in templates by @​Shubhdeep12 in resend/resend-node#863
• fix: replace svix with standardwebhooks to reduce install size (#969) by @​dielduarte in resend/resend-node#970
• chore: bump version to 6.12.4 by @​dielduarte in resend/resend-node#971

Full Changelog: resend/resend-node@v6.12.3...v6.12.4

v6.12.3

What's Changed

• chore(deps): update pnpm to v10.33.2 by @​renovate[bot] in resend/resend-node#940
• chore(deps): upgrade svix to silence GHSA-w5hq-g745-h8pq by @​ulrichstark in resend/resend-node#942
• fix: correct paylaod into payload typo in contacts overload signatures by @​wesleyramalho in resend/resend-node#902
• chore(deps): update dependency tsdown to v0.21.10 by @​renovate[bot] in resend/resend-node#929
• chore(deps): update dependency @​biomejs/biome to v2.4.14 by @​renovate[bot] in resend/resend-node#943
• chore: add missing suppressed event to resend node sdk interface by @​dielduarte in resend/resend-node#946<...

  Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
skill-mapper	Ignored	Preview	May 30, 2026 6:02pm

[coderabbitai]

Warning

Review limit reached

@dependabot[bot], we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 23 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 51ffa7e5-00c6-431a-a353-98ab4448a1be

📥 Commits

Reviewing files that changed from the base of the PR and between 514d547 and fdcf363.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/npm_and_yarn/patch-and-minor-a680dd1bee

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	eslint-config-next@​16.2.6
	@​axe-core/​playwright@​4.11.3
	groq-sdk@​1.2.1
	@​trigger.dev/​build@​4.4.6
	@​storybook/​addon-a11y@​10.4.1
	@​storybook/​nextjs-vite@​10.4.1
	@​storybook/​addon-onboarding@​10.4.1
	@​trigger.dev/​sdk@​4.4.6
	@​next/​bundle-analyzer@​16.2.6
	@​arcjet/​next@​1.4.0
	@​sentry/​nextjs@​10.55.0
	@​chromatic-com/​storybook@​5.2.1
	framer-motion@​12.40.0
	@​upstash/​redis@​1.38.0
	@​tailwindcss/​postcss@​4.3.0
	@​playwright/​test@​1.60.0
	eslint-plugin-storybook@​10.4.1
	@​biomejs/​biome@​2.4.16
	@​storybook/​addon-docs@​10.4.1

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report