fix(deps): bump the production-dependencies group across 1 directory with 9 updates

[dependabot]

Bumps the production-dependencies group with 8 updates in the / directory:

Package	From	To
autoprefixer	10.4.20	10.5.0
date-fns	4.1.0	4.2.1
lucide-react	1.14.0	1.16.0
next-intl	4.11.0	4.12.0
react-hook-form	7.60.0	7.76.0
react-resizable-panels	4.11.0	4.11.1
swagger-ui-react	5.32.5	5.32.6
tailwind-merge	3.5.0	3.6.0

Updates autoprefixer from 10.4.20 to 10.5.0

Release notes

Sourced from autoprefixer's releases.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

10.4.21

• Fixed old -moz- prefix for :placeholder-shown (by @​Marukome0743).

Changelog

Sourced from autoprefixer's changelog.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

10.4.21

• Fixed old -moz- prefix for :placeholder-shown (by @​Marukome0743).

Commits

• faf456a Release 10.5 version
• b841fc5 Update dependencies
• 47d6e68 Update email
• 45cfc08 Replace ESLint and Prettier to oxlint and oxfmt
• 7e3ec7d Add prefixing support for mask-position-x and mask-position-y (#1548)
• 360f2d9 Release 10.4.27 version
• ab5260c Update clean-publish
• 09e9dd1 Release 10.4.26 version
• ec75540 Ignore local patches
• 59601b8 Update c8 and clean-publish
• Additional commits viewable in compare view

Updates date-fns from 4.1.0 to 4.2.1

Release notes

Sourced from date-fns's releases.

v4.2.1

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Changelog

Sourced from date-fns's changelog.

v4.2.1 - 2026-05-19

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0 - 2026-05-18

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Commits

• 87635a8 Fix missing type definitions, promote to v4.2.1 (closed #4190)
• 3d4ca4b Update browserslist
• 562c485 Promote to v4.2.0
• 3709c02 Make steps into the Temporal-first future
• 07592b9 Upgrade Node.js types, upgrade TypeScript
• 09ece22 Upgrade Vitest
• c37c22e Set up Oxfmt as the default formatter
• d40bb80 Upgrade mise setup
• dd66398 Fix tz tests workflow
• ef962f8 Adjust smoke tests
• Additional commits viewable in compare view

Updates lucide-react from 1.14.0 to 1.16.0

Release notes

Sourced from lucide-react's releases.

Version 1.16.0

What's Changed

• feat(icons): added blender icon by @​rrod497 in lucide-icons/lucide#3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

• fix: remove 'less' from brand stopwords by @​jguddas in lucide-icons/lucide#4331
• fix(@​lucide/vue): Clone slots before passing to icon by @​axtho in lucide-icons/lucide#4339
• fix(icons): changed text-cursor icon by @​jamiemlaw in lucide-icons/lucide#4340
• fix(icons): changed landmark icon by @​jamiemlaw in lucide-icons/lucide#4334
• chore(deps-dev): bump nitropack from 2.13.1 to 2.13.4 by @​dependabot[bot] in lucide-icons/lucide#4352
• chore(deps-dev): bump simple-git from 3.33.0 to 3.36.0 by @​dependabot[bot] in lucide-icons/lucide#4349
• fix(icons): changed candy-cane icon by @​jguddas in lucide-icons/lucide#4148
• fix(icons): changed volleyball icon by @​jamiemlaw in lucide-icons/lucide#4338
• fix(icons): changed chart-no-axes-combined icon by @​jguddas in lucide-icons/lucide#3567
• feat(icon): added broccoli icon by @​swastik7805 in lucide-icons/lucide#4263
• chore(site): Updates to site and updated carbon ads by @​ericfennis in lucide-icons/lucide#4359
• feat(icons): added sticky note variants by @​Barakudum in lucide-icons/lucide#4348
• chore(deps-dev): bump astro from 6.1.6 to 6.1.10 by @​dependabot[bot] in lucide-icons/lucide#4361

New Contributors

• @​axtho made their first contribution in lucide-icons/lucide#4339
• @​Barakudum made their first contribution in lucide-icons/lucide#4348

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

Commits

• 07c885e fix(docs): fix zephyr-cloud URL in readmes
• See full diff in compare view

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates next-intl from 4.11.0 to 4.12.0

Release notes

Sourced from next-intl's releases.

v4.12.0

4.12.0 (2026-05-13)

Features

• Improvements for useExtracted (#2316) (bff2f96) – by @​amannn

⚠️ A small config change is required for useExtracted users to upgrade, please see amannn/next-intl#2316 for details.

v4.11.2

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

v4.11.1

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

Changelog

Sourced from next-intl's changelog.

4.12.0 (2026-05-13)

Features

• Improvements for useExtracted (#2316) (bff2f96) – by @​amannn

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

Commits

• d7bf7af v4.12.0
• bff2f96 feat: Improvements for useExtracted (#2316)
• 940dfbf v4.11.2
• eb3a6a4 fix: Revert x-forwarded-host redirect domain change (#2322)
• a6a8f8f v4.11.1
• ff77a3d fix: Avoid watchers for detached telemetry process (#2319)
• 02989b6 test: Refactor extractor tests to e2e (#2312)
• See full diff in compare view

Updates react-hook-form from 7.60.0 to 7.76.0

Release notes

Sourced from react-hook-form's releases.

Version v7.76.0

🪭 close #13141 improve isDirty sync with dirtyFields state (#13370) 🐞 fix isValidating reactivity when validatingFields is not subscribed (#13440) 🛺 test: fix duplicate-word typos in test descriptions (#13439) 🐞 fix #13436: errors state when using form level validation (#13437) 🐞 fix #13429 append({ obj: null }) is silently replaced by defaultValues after remove() (#13435) 🐞 fix native validation tooltip suppression caused by duplicate submit-error focus (#13432) 🐞 fix: propagate setValues updates to mounted Controller fields (#13431) 🐞 fix: rreserve reset values for conditionally mounted Controller fields with shouldUnregister 🐞 fix: useFieldArray remove leaves array with empty object when using values prop (#13422) 🐞 fix #13260: notify all matching field-array roots on nested setValue updates (#13420) 🐞 fix #13104: preserve nested resolver field-array errors in trigger() (#13419) 🐞 fix #13413: preserve formState.defaultValues when useFieldArray + watch are used together 📝 docs: fix JSDoc for IsNever, register, and getFieldState (#13410) (#13411) 🐞 fix(Watch): restore TypeScript 4 compatibility (#13409)

Big thanks to @​dfedoryshchev for multiple fixes, and to @​EduardF1, @​in-ch and @​johnstrand.

Version 7.75.0

🦧 feat: improve get dirty fields prune empty fields (#13363)

+ dirtyFields: { test: [{ data: false }] }
- dirtyFields: {} // removed the empty node with false value

🎹 typescript 6.0 (#13330) 🌡️ chore: minor improvement on setValue & reset (#13366) 🐞 fix #13403: include setValues in FormProvider context value (#13404) 🐞 fix: recompute isDirty after re-registering a previously unregistered field (#13399) 🐞 fix: preserve watch updates on field array unmount fixes #13375 (#13385) 🐞 fix: prevent useWatch re-render when unrelated field validation is … (#13398)

thanks to @​dfedoryshchev, @​cyky & @​gkarabelos

Version 7.74.0

🪇 feat: setValues (#13201)

setValues((data) => {
  return {
    ...data,
    name: 'test'
  }
})
setValues(formValues);

🐞 fix: preserve previous field value when useController name changes (#13395)

... (truncated)

Changelog

Sourced from react-hook-form's changelog.

[7.76.0] - 2026-05-16

Added

• Improve isDirty sync with dirtyFields state

Fixed

• Preserve formState.defaultValues when useFieldArray and watch are used together
• Preserve nested resolver field-array errors in trigger()
• Notify all matching field-array roots on nested setValue updates
• useFieldArray remove leaves array with empty object when using values prop
• Preserve reset values for conditionally mounted Controller fields with shouldUnregister
• Propagate setValues updates to mounted Controller fields
• Native validation tooltip suppression caused by duplicate submit-error focus
• append({ obj: null }) silently replaced by defaultValues after remove()
• Errors state when using form-level validation
• isValidating reactivity when validatingFields is not subscribed

[7.75.0] - 2026-05-02

Added

• Improve getDirtyFields to prune empty fields
• TypeScript 6.0 support

Fixed

• Include setValues in FormProvider context value
• Preserve watch updates on field array unmount
• Prevent useWatch re-render when unrelated field validation occurs
• Recompute isDirty after re-registering a previously unregistered field

[7.74.0] - 2026-04-26

Added

• setValues API

Fixed

• Preserve previous field value when useController name changes
• Handle null parent when unregistering nested field
• Treat NaN as empty when valueAsNumber is true in validateField

[7.73.1] - 2026-04-21

Fixed

• Reverted setValues that was accidentally included in patch; fix build to exclude test files

... (truncated)

Commits

• 2d3ce0a 7.76.0
• 3e09bad 🐞 fix isValidating reactivity when validatingFields is not subscribed (#1...
• c697da2 🛺 test: fix duplicate-word typos in test descriptions (#13439)
• 2476004 🐞 fix #13436: errors state when using form level validation (#13437)
• f7ba834 🐞 fix #13429 append({ obj: null }) is silently replaced by defaultValues afte...
• 75fc3a5 🐞 fix native validation tooltip suppression caused by duplicate submit-error ...
• 0c3e82d 🐞 fix: propagate setValues updates to mounted Controller fields (#13431)
• 879bb12 🐞 fix: rreserve reset values for conditionally mounted Controller fields wi...
• 2a7b683 🐞 fix: useFieldArray remove leaves array with empty object when using values ...
• c6c3d87 🐞 fix #13260: notify all matching field-array roots on nested setValue update...
• Additional commits viewable in compare view

Updates react-resizable-panels from 4.11.0 to 4.11.1

Changelog

Sourced from react-resizable-panels's changelog.

4.11.1

• 715): Edge case SSR bug fix for panels with defaultSize={0}

Commits

• a5b961f 4.11.0 -> 4.11.1
• 806a7c0 Fixed Panel condition to properly handle explicit defaultSize (#715)
• See full diff in compare view

Updates swagger-ui-react from 5.32.5 to 5.32.6

Release notes

Sourced from swagger-ui-react's releases.

v5.32.6

5.32.6 (2026-05-12)

Bug Fixes

• deps-dev: address undici vulnerability (#10870) (35f5a6a)
• docker: address CVE-2026-27135 nghttp2-libs vulnerability (#10879) (0a63415)

Commits

• dcdca62 chore(release): cut the 5.32.6 release
• 871b897 chore(deps): swagger-client to 3.37.4 (#10880)
• 0a63415 fix(docker): address CVE-2026-27135 nghttp2-libs vulnerability (#10879)
• 9da9aed chore(deps-dev): bump fast-uri from 3.0.6 to 3.1.2 (#10875)
• 716b006 chore(deps): bump @​babel/plugin-transform-modules-systemjs (#10877)
• 70120da chore(deps-dev): replace html-webpack-skip-assets-plugin with native excludeC...
• f672bd2 chore(deps): bump axios from 1.15.0 to 1.16.0 (#10872)
• 35f5a6a fix(deps-dev): address undici vulnerability (#10870)
• 5210ab5 chore(deps-dev): bump postcss from 8.5.3 to 8.5.12 (#10859)
• See full diff in compare view

Updates tailwind-merge from 3.5.0 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

• Add support for Tailwind CSS v4.3 by @​dcastil in dcastil/tailwind-merge#677
  • Add postfixLookupClassGroups option to config to support Tailwind utilities where a slash is part of the full class name, like named container queries
• Add support for readonly array values by @​unional in dcastil/tailwind-merge#652

Documentation

• Fix broken links in README by @​maurer2 in dcastil/tailwind-merge#662

Other

• Harden internal CI pipeline security by omitting git checkout by @​dcastil, suggested by @​kyletaylored in dcastil/tailwind-merge@6b2499c

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

Commits

• d54f7e5 v3.6.0
• 638871a Update README to add info about Tailwind CSS v4.3 support
• 39fc7b5 Revert "v3.6.0"
• bd8390f v3.6.0
• 802877c add v3.6.0 changelog
• a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
• 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
• 005af6d pin to specific version
• 5816ced implement breaking changes
• 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.
• ⚠️ 2 packages with OpenSSF Scorecard issues.

View full job summary

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.