chore(deps): bump the npm-dependencies group across 1 directory with 14 updates

[dependabot]

Bumps the npm-dependencies group with 14 updates in the / directory:

Package	From	To
@clerk/nextjs	7.0.12	7.2.3
@clerk/ui	1.5.0	1.6.3
lucide-react	1.7.0	1.8.0
next	16.2.3	16.2.4
@biomejs/biome	2.4.10	2.4.12
@clerk/testing	2.0.12	2.0.17
@rolldown/plugin-babel	0.2.2	0.2.3
@types/node	25.5.2	25.6.0
baseline-browser-mapping	2.10.16	2.10.20
dotenv	17.4.1	17.4.2
lefthook	2.1.5	2.1.6
shadcn	4.2.0	4.3.0
typescript	6.0.2	6.0.3
vitest	4.1.3	4.1.4

Updates @clerk/nextjs from 7.0.12 to 7.2.3

Release notes

Sourced from @​clerk/nextjs's releases.

@​clerk/nextjs@​7.2.3

Patch Changes

• Updated dependencies [fcc6c0c]:
  • @​clerk/backend@​3.2.13
  • @​clerk/react@​6.4.2

@​clerk/nextjs@​7.2.2

Patch Changes

• Updated dependencies [f800b4f, 8ee6a32, c7b0f47, 34762e8]:
  • @​clerk/backend@​3.2.12
  • @​clerk/shared@​4.8.2
  • @​clerk/react@​6.4.2

@​clerk/nextjs@​7.2.1

Patch Changes

• Normalize URL paths in createPathMatcher to prevent route protection bypass (#8311) by @​nikosdouvlis

• Updated dependencies [b0b6675]:

  • @​clerk/shared@​4.8.1
  • @​clerk/backend@​3.2.11
  • @​clerk/react@​6.4.1

@​clerk/nextjs@​7.1.0

Minor Changes

• Introduce internal useOAuthConsent() hook for fetching OAuth consent screen metadata for the signed-in user. (#8286) by @​jfoshee

Patch Changes

• Bump next devDependency to 15.5.15 to pick up the fix for CVE-2026-23869, a high-severity (CVSS 7.5) denial-of-service vulnerability in React Server Components. If you use the Next.js App Router, we recommend upgrading to Next.js 15.5.15 or 16.2.3. (#8257) by @​renovate

• Updated dependencies [3fd586d, f9ff9e9]:

  • @​clerk/react@​6.3.0
  • @​clerk/shared@​4.7.0
  • @​clerk/backend@​3.2.9

Changelog

Sourced from @​clerk/nextjs's changelog.

7.2.3

Patch Changes

• Updated dependencies [fcc6c0c]:
  • @​clerk/backend@​3.2.13
  • @​clerk/react@​6.4.2

7.2.2

Patch Changes

• Updated dependencies [f800b4f, 8ee6a32, c7b0f47, 34762e8]:
  • @​clerk/backend@​3.2.12
  • @​clerk/shared@​4.8.2
  • @​clerk/react@​6.4.2

7.2.1

Patch Changes

• Normalize URL paths in createPathMatcher to prevent route protection bypass (#8311) by @​nikosdouvlis

• Updated dependencies [b0b6675]:

  • @​clerk/shared@​4.8.1
  • @​clerk/backend@​3.2.11
  • @​clerk/react@​6.4.1

7.2.0

Minor Changes

• Introduce internal <OAuthConsent /> component for rendering a zero-config OAuth consent screen on an OAuth authorize redirect page. (#8289) by @​wobsoriano

  Usage example:

  import { OAuthConsent } from '@clerk/nextjs';
  export default function OAuthConsentPage() {
  return <OAuthConsent />;
  }

Patch Changes

• Updated dependencies [dc2de16]:
  • @​clerk/react@​6.4.0
  • @​clerk/shared@​4.8.0
  • @​clerk/backend@​3.2.10

... (truncated)

Commits

• 7994b5f ci(repo): Version packages (#8340)
• cc8fed5 ci(repo): Version packages (#8322)
• 6399251 ci(repo): Version packages (#8315)
• b0b6675 fix(shared,nextjs,astro,nuxt): normalize URL paths in createPathMatcher (#8311)
• b1f9bbe ci(repo): Version packages (#8307)
• dc2de16 feat(ui,react): Introduce OAuthConsent component (#8289)
• 4657d64 ci(repo): Version packages (#8277)
• f9ff9e9 feat(shared,nextjs,react): Introduce useOAuthConsent hook (#8286)
• 81d4df1 chore(repo): Update linting & formatting (#8271)
• 2471d41 chore(nextjs): Update next to patched versions for CVE-2026-23869 (#8281)
• Additional commits viewable in compare view

Updates @clerk/ui from 1.5.0 to 1.6.3

Release notes

Sourced from @​clerk/ui's releases.

@​clerk/ui@​1.6.3

Patch Changes

• Fix EnableOrganizationsPrompt in keyless mode: show "Claim your application" CTA instead of broken "Sign in to continue" when organizations are enabled on an unclaimed keyless app with no signed-in user. (#8341) by @​mwickett

• Use user.organizationMemberships from the already-loaded user object to populate the org select in the OAuth consent screen, avoiding a redundant memberships fetch. (#8350) by @​wobsoriano

• Correctly display IP redirect URIs in OAuth consent. (#8342) by @​wobsoriano

• Add scroll-driven fade overlays to ListGroupContent in the OAuthConsent component so overflowing scope lists visually indicate more content above and below. (#8339) by @​alexcarpenter

@​clerk/ui@​1.6.2

Patch Changes

• Add infinite loading to organization selection in <OAuthConsent />. (#8309) by @​wobsoriano

• Fix OAuthConsent always redirecting to sign-in by adopting the AuthenticatedRoutes pattern used by other full-page components (#8327) by @​alexcarpenter

• Updated dependencies [c7b0f47, 34762e8]:

  • @​clerk/shared@​4.8.2
  • @​clerk/localizations@​4.5.2

@​clerk/ui@​1.6.1

Patch Changes

• Updated dependencies [b0b6675]:
  • @​clerk/shared@​4.8.1
  • @​clerk/localizations@​4.5.1

@​clerk/ui@​1.5.1

Patch Changes

• Updated dependencies [3fd586d, f9ff9e9]:
  • @​clerk/shared@​4.7.0
  • @​clerk/localizations@​4.4.1

Changelog

Sourced from @​clerk/ui's changelog.

1.6.3

Patch Changes

• Fix EnableOrganizationsPrompt in keyless mode: show "Claim your application" CTA instead of broken "Sign in to continue" when organizations are enabled on an unclaimed keyless app with no signed-in user. (#8341) by @​mwickett

• Use user.organizationMemberships from the already-loaded user object to populate the org select in the OAuth consent screen, avoiding a redundant memberships fetch. (#8350) by @​wobsoriano

• Correctly display IP redirect URIs in OAuth consent. (#8342) by @​wobsoriano

• Add scroll-driven fade overlays to ListGroupContent in the OAuthConsent component so overflowing scope lists visually indicate more content above and below. (#8339) by @​alexcarpenter

1.6.2

Patch Changes

• Add infinite loading to organization selection in <OAuthConsent />. (#8309) by @​wobsoriano

• Fix OAuthConsent always redirecting to sign-in by adopting the AuthenticatedRoutes pattern used by other full-page components (#8327) by @​alexcarpenter

• Updated dependencies [c7b0f47, 34762e8]:

  • @​clerk/shared@​4.8.2
  • @​clerk/localizations@​4.5.2

1.6.1

Patch Changes

• Updated dependencies [b0b6675]:
  • @​clerk/shared@​4.8.1
  • @​clerk/localizations@​4.5.1

1.6.0

Minor Changes

• Introduce internal <OAuthConsent /> component for rendering a zero-config OAuth consent screen on an OAuth authorize redirect page. (#8289) by @​wobsoriano

  Usage example:

  import { OAuthConsent } from '@clerk/nextjs';
  export default function OAuthConsentPage() {
  return <OAuthConsent />;
  }

Patch Changes

... (truncated)

Commits

• 7994b5f ci(repo): Version packages (#8340)
• 22f0b27 refactor(ui): Use existing organizationMemberships and remove infinite scroll...
• ca46860 fix(ui): show claim CTA in EnableOrganizationsPrompt for keyless mode (#8341)
• 0067481 fix(ui): Correctly display IP redirect URIs in OAuth consent (#8342)
• 14d072a feat(ui): Add overflow scroll and fades to \<ListGroupContent /> (#8339)
• cc8fed5 ci(repo): Version packages (#8322)
• 6f36c51 chore(clerk-js,ui): Add infinite loading to organization selection in OAuthCo...
• 45b773a fix(ui): OAuthConsent AuthenticatedRoutes usage (#8327)
• 6399251 ci(repo): Version packages (#8315)
• b1f9bbe ci(repo): Version packages (#8307)
• Additional commits viewable in compare view

Updates lucide-react from 1.7.0 to 1.8.0

Release notes

Sourced from lucide-react's releases.

Version 1.8.0

What's Changed

• docs(packages/angular): add packageDirname for @​lucide/angular by @​rhutchison in lucide-icons/lucide#4211
• chore(icons): Username change knarlix to RajnishKMehta by @​RajnishKMehta in lucide-icons/lucide#4208
• ci(@​lucide/angular): Fix publishing problem by @​ericfennis in lucide-icons/lucide#4213
• docs: fix broken links in pull_request_template.md (got 404 page) by @​whoisBugsbunny in lucide-icons/lucide#4224
• fix(lucide-static): add viewBox to sprite symbol elements by @​TomaTV in lucide-icons/lucide#4223
• docs: Fix link to icon design principles in statement by @​whoisBugsbunny in lucide-icons/lucide#4225
• feat(docs): add Zephyr Cloud to Hero Backers tier by @​karsa-mistmere in lucide-icons/lucide#4226
• fix(icons): fixes gap issues in radio-off.svg by @​karsa-mistmere in lucide-icons/lucide#4227
• fix(icons): renamed text-select to square-dashed-text by @​jguddas in lucide-icons/lucide#3943
• fix(docs): improve mobile layout of v1 banner by @​karsa-mistmere in lucide-icons/lucide#4254
• fix(@​lucide/svelte): aria-hidden="true" was never set by @​blt-r in lucide-icons/lucide#4234
• fix(icons): remove ui/ux tag from heart-minus, add delete instead by @​karsa-mistmere in lucide-icons/lucide#4266
• chore(deps-dev): bump vite from 7.3.1 to 7.3.2 by @​dependabot[bot] in lucide-icons/lucide#4276
• chore(deps): bump lodash-es from 4.17.23 to 4.18.1 by @​dependabot[bot] in lucide-icons/lucide#4251
• chore(deps): bump vite from 5.4.21 to 6.4.2 by @​dependabot[bot] in lucide-icons/lucide#4286
• feat(docs): use initOnMounted: true for useSessionStorage in CarbonAdOverlay by @​karsa-mistmere in lucide-icons/lucide#4275
• feat(icons): added bookmark-off icon by @​ZeenatLawal in lucide-icons/lucide#4283

New Contributors

• @​rhutchison made their first contribution in lucide-icons/lucide#4211
• @​whoisBugsbunny made their first contribution in lucide-icons/lucide#4224
• @​TomaTV made their first contribution in lucide-icons/lucide#4223
• @​blt-r made their first contribution in lucide-icons/lucide#4234
• @​ZeenatLawal made their first contribution in lucide-icons/lucide#4283

Full Changelog: lucide-icons/lucide@1.7.0...1.8.0

Commits

• 7623e23 feat(docs): add Zephyr Cloud to Hero Backers tier & rework updateSponsors scr...
• See full diff in compare view

Updates next from 16.2.3 to 16.2.4

Release notes

Sourced from next's releases.

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

Commits

• 2275bd8 v16.2.4
• e073983 Adding more system info to the 'initialize project' trace (#92427)
• 8a540b5 Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92...
• 2f5343f Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• 2ad9d3f turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during ...
• 6f3808e Compiler: Support boolean and number primtives in next.config defines (#92731)
• fbc7684 Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• 805d758 Turbopack: fix filesystem watcher config not applying follow_symlinks(false) ...
• 1056fae chore: Bump reqwest to 0.13.2 (#92713)
• See full diff in compare view

Updates @biomejs/biome from 2.4.10 to 2.4.12

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.12

2.4.12

Patch Changes

• #9376 9701a33 Thanks @​dyc3! - Added the nursery/noIdenticalTestTitle lint rule. This rule disallows using the same title for two describe blocks or two test cases at the same nesting level.

  describe("foo", () => {});
  describe("foo", () => {
    // invalid: same title as previous describe block
    test("baz", () => {});
    test("baz", () => {}); // invalid: same title as previous test case
  });

• #9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for useForOf to better explain the problem, why it matters, and how to fix it.

• #9916 27dd7b1 Thanks @​Jayllyz! - Added a new nursery rule noComponentHookFactories, that disallows defining React components or custom hooks inside other functions.

  For example, the following snippets trigger the rule:

  function createComponent(label) {
    function MyComponent() {
      return <div>{label}</div>;
    }
    return MyComponent;
  }

  function Parent() {
    function Child() {
      return <div />;
    }
    return <Child />;
  }

• #9980 098f1ff Thanks @​ematipico! - Fixed #9941: Biome now emits a warning diagnostic when a file exceed the files.maxSize limit.

• #9942 9956f1d Thanks @​dyc3! - Fixed #9918: useConsistentTestIt no longer panics when applying fixes to chained calls such as test.for([])("x", () => {});.

• #9891 4d9ac51 Thanks @​dyc3! - Improved the noGlobalObjectCalls diagnostic to better explain why calling global objects like Math or JSON is invalid and how to fix it.

• #9902 3f4d103 Thanks @​ematipico! - Fixed #9901: the command lint --write is now idempotent when it's run against HTML-ish files that contains scripts and styles.

• #9891 4d9ac51 Thanks @​dyc3! - Improved the noMultiStr diagnostic to explain why escaped multiline strings are discouraged and what to use instead.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.12

Patch Changes

• #9376 9701a33 Thanks @​dyc3! - Added the nursery/noIdenticalTestTitle lint rule. This rule disallows using the same title for two describe blocks or two test cases at the same nesting level.

  describe("foo", () => {});
  describe("foo", () => {
    // invalid: same title as previous describe block
    test("baz", () => {});
    test("baz", () => {}); // invalid: same title as previous test case
  });

• #9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for useForOf to better explain the problem, why it matters, and how to fix it.

• #9916 27dd7b1 Thanks @​Jayllyz! - Added a new nursery rule noComponentHookFactories, that disallows defining React components or custom hooks inside other functions.

  For example, the following snippets trigger the rule:

  function createComponent(label) {
    function MyComponent() {
      return <div>{label}</div>;
    }
    return MyComponent;
  }

  function Parent() {
    function Child() {
      return <div />;
    }
    return <Child />;
  }

• #9980 098f1ff Thanks @​ematipico! - Fixed #9941: Biome now emits a warning diagnostic when a file exceed the files.maxSize limit.

• #9942 9956f1d Thanks @​dyc3! - Fixed #9918: useConsistentTestIt no longer panics when applying fixes to chained calls such as test.for([])("x", () => {});.

• #9891 4d9ac51 Thanks @​dyc3! - Improved the noGlobalObjectCalls diagnostic to better explain why calling global objects like Math or JSON is invalid and how to fix it.

• #9902 3f4d103 Thanks @​ematipico! - Fixed #9901: the command lint --write is now idempotent when it's run against HTML-ish files that contains scripts and styles.

• #9891 4d9ac51 Thanks @​dyc3! - Improved the noMultiStr diagnostic to explain why escaped multiline strings are discouraged and what to use instead.

• #9966 322675e Thanks @​siketyan! - Fixed #9113: Biome now parses and formats @media and other conditional blocks correctly inside embedded CSS snippets.

... (truncated)

Commits

• baaacfc ci: release (#9890)
• e0ba71d feat: implement useIframeSandbox (#9949)
• 2cff700 feat(lint/js): add useVarsOnTop (#9861)
• 27dd7b1 feat(react/js): add noComponentHookFactories (#9916)
• 0d0e611 feat(js_analyze): implement useReactAsyncServerFunction (#9909)
• f1c1363 feat(lint/js): add useStringStartsEndsWith (#9796)
• d417803 feat(js_analyze): implement noJsxNamespace (#9913)
• 9701a33 feat(lint/js): add noIdenticalTestTitle (#9376)
• c499f46 feat(lint): implement useReduceTypeParameter nursery rule (#9577)
• 40bd180 feat(lint/js): add noExcessiveSelectorClasses (#9866)
• Additional commits viewable in compare view

Updates @clerk/testing from 2.0.12 to 2.0.17

Release notes

Sourced from @​clerk/testing's releases.

@​clerk/testing@​2.0.17

Patch Changes

• Updated dependencies [fcc6c0c]:
  • @​clerk/backend@​3.2.13

@​clerk/testing@​2.0.16

Patch Changes

• Updated dependencies [f800b4f, 8ee6a32, c7b0f47, 34762e8]:
  • @​clerk/backend@​3.2.12
  • @​clerk/shared@​4.8.2

@​clerk/testing@​2.0.15

Patch Changes

• Updated dependencies [b0b6675]:
  • @​clerk/shared@​4.8.1
  • @​clerk/backend@​3.2.11

@​clerk/testing@​2.0.13

Patch Changes

• Updated dependencies [3fd586d, f9ff9e9]:
  • @​clerk/shared@​4.7.0
  • @​clerk/backend@​3.2.9

Changelog

Sourced from @​clerk/testing's changelog.

2.0.17

Patch Changes

• Updated dependencies [fcc6c0c]:
  • @​clerk/backend@​3.2.13

2.0.16

Patch Changes

• Updated dependencies [f800b4f, 8ee6a32, c7b0f47, 34762e8]:
  • @​clerk/backend@​3.2.12
  • @​clerk/shared@​4.8.2

2.0.15

Patch Changes

• Updated dependencies [b0b6675]:
  • @​clerk/shared@​4.8.1
  • @​clerk/backend@​3.2.11

2.0.14

Patch Changes

• Updated dependencies [dc2de16]:
  • @​clerk/shared@​4.8.0
  • @​clerk/backend@​3.2.10

2.0.13

Patch Changes

• Updated dependencies [3fd586d, f9ff9e9]:
  • @​clerk/shared@​4.7.0
  • @​clerk/backend@​3.2.9

Commits

• 7994b5f ci(repo): Version packages (#8340)
• cc8fed5 ci(repo): Version packages (#8322)
• 6399251 ci(repo): Version packages (#8315)
• b1f9bbe ci(repo): Version packages (#8307)
• 4657d64 ci(repo): Version packages (#8277)
• See full diff in compare view

Updates @rolldown/plugin-babel from 0.2.2 to 0.2.3

Release notes

Sourced from @​rolldown/plugin-babel's releases.

plugin-babel@0.2.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from @​rolldown/plugin-babel's changelog.

0.2.3 (2026-04-13)

Bug Fixes

• babel: exclude rolldown runtime module by default (#57) (d42ec45)
• deps: update all non-major dependencies (#35) (f359c39)
• deps: update all non-major dependencies (#40) (1963ed1)
• deps: update all non-major dependencies (#49) (8047e05)
• deps: update rolldown-related dependencies (#36) (b2bf24b)
• deps: update rolldown-related dependencies (#46) (6b7fcfc)
• deps: update rolldown-related dependencies (#50) (232515f)
• deps: update rolldown-related dependencies (#55) (c432590)

Miscellaneous Chores

• deps: update dependency @​types/node to v24 (#38) (d6b8baa)

Commits

• 015e64a release: plugin-babel@0.2.3
• d42ec45 fix(babel): exclude rolldown runtime module by default (#57)
• c432590 fix(deps): update rolldown-related dependencies (#55)
• 232515f fix(deps): update rolldown-related dependencies (#50)
• 8047e05 fix(deps): update all non-major dependencies (#49)
• 1963ed1 fix(deps): update all non-major dependencies (#40)
• 6b7fcfc fix(deps): update rolldown-related dependencies (#46)
• d6b8baa chore(deps): update dependency @​types/node to v24 (#38)
• b2bf24b fix(deps): update rolldown-related dependencies (#36)
• f359c39 fix(deps): update all non-major dependencies (#35)
• See full diff in compare view

Updates @types/node from 25.5.2 to 25.6.0

Commits

• See full diff in compare view

Updates baseline-browser-mapping from 2.10.16 to 2.10.20

Release notes

Sourced from baseline-browser-mapping's releases.

v2.9.3 - remove process.loadEnvFile()

What's Changed

• Remove process.loadEnfFile() from main script by @​tonypconway in web-platform-dx/baseline-browser-mapping#112

Full Changelog: web-platform-dx/baseline-browser-mapping@v2.9.2...v2.9.3

Commits

• 481a1e4 Patch to 2.10.20 because browser or feature data changed
• f784244 Browser or feature data changed
• 94a5b7b Patch to 2.10.19 because browser or feature data changed
• b1fbd83 Browser or feature data changed
• 933b064 Updating static site
• 6bcec92 Updating static site
• 71803d0 Patch to 2.10.18 because browser or feature data changed
• 91e38d0 Browser or feature data changed
• c5c778c Patch to 2.10.17 because browser or feature data changed
• c3ab98d Browser or feature data changed
• Additional commits viewable in compare view

Updates dotenv from 17.4.1 to 17.4.2

Changelog

Sourced from dotenv's changelog.

17.4.2 (2026-04-12)

Changed

• Improved skill files - tightened up details (#1009)

Commits

• f116f70 17.4.2
• 3a81612 fix visual order of faq
• 13f55a8 Merge branch 'skill'
• 4bbbf73 reorganize faq
• c3da64b Merge pull request #1009 from motdotla/skill
• 6f743b1 update source
• fc2c624 update skill
• 972315b Tighten up skill
• 2795fce reorganize faq
• d5495d4 adjust skill
• Additional commits viewable in compare view

Updates lefthook from 2.1.5 to 2.1.6

Release notes

Sourced from lefthook's releases.

v2.1.6

Changelog

• bf73ea2f1ea5468c9af7a6f06b5ef8cd43e66040 fix(packaging): do not pipe stdout and stderr (#1382)
• 04da00697cd8a6241023c1962feb720eeaa62698 fix(windows): normalize lefthook path for sh script (#1383)
• de9597a1bf456d2cf0fbcb8816858b6e5cf6b609 fix: log full scoped name for skipped jobs (#1291)
• eb3e70dbbd2442200ec8ff2140a3ee9daa7d9e70 fix: normalize root to always include trailing slash before path replacement (#1381)
• f90f3f570ef9227ddf345a79cec687dac41a5d31 fix: skip pty allocation when stdout is not a terminal (#1393)

Changelog

Sourced from lefthook's changelog.

2.1.6 (2026-04-16)

• fix: normalize lefthook path for sh script (#1383)...

  Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
devflow	Ready	Preview, Comment	Apr 19, 2026 6:56pm

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.