fix(deps): bump the production-dependencies group across 1 directory with 11 updates

[dependabot]

Bumps the production-dependencies group with 10 updates in the / directory:

Package	From	To
@hookform/resolvers	5.2.2	5.4.0
autoprefixer	10.4.20	10.5.0
date-fns	4.1.0	4.3.0
lucide-react	1.14.0	1.16.0
next	16.2.4	16.2.6
next-intl	4.11.0	4.12.0
react-hook-form	7.60.0	7.76.1
react-resizable-panels	4.11.0	4.11.2
swagger-ui-react	5.32.5	5.32.6
tailwind-merge	3.5.0	3.6.0

Updates @hookform/resolvers from 5.2.2 to 5.4.0

Release notes

Sourced from @​hookform/resolvers's releases.

v5.4.0

5.4.0 (2026-05-21)

Features

• feat: add ata-validator resolver (#845)

Fixes

• fix issue with toNestErrors.ts (#848)

• add guidance on passing context to yupResolver (useForm context) (#835) (3d29924)

Commits

• 3d29924 feat: add guidance on passing context to yupResolver (useForm context) (#835)
• 56b68f3 feat: 5.3.0
• cf8562d update readme on ata-validator
• 5e5b610 fix issue with toNestErrors.ts (#848)
• 72aacf8 Revise supported versions in SECURITY.md
• ad89a20 feat: add ata-validator resolver (#845)
• 02286db ci: updated publish workflow to use node 24 (#838)
• 2e9bc7c Fix(zodResolver): error paths in complex unions #787 (#819)
• See full diff in compare view

Updates autoprefixer from 10.4.20 to 10.5.0

Release notes

Sourced from autoprefixer's releases.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

10.4.21

• Fixed old -moz- prefix for :placeholder-shown (by @​Marukome0743).

Changelog

Sourced from autoprefixer's changelog.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

10.4.21

• Fixed old -moz- prefix for :placeholder-shown (by @​Marukome0743).

Commits

• faf456a Release 10.5 version
• b841fc5 Update dependencies
• 47d6e68 Update email
• 45cfc08 Replace ESLint and Prettier to oxlint and oxfmt
• 7e3ec7d Add prefixing support for mask-position-x and mask-position-y (#1548)
• 360f2d9 Release 10.4.27 version
• ab5260c Update clean-publish
• 09e9dd1 Release 10.4.26 version
• ec75540 Ignore local patches
• 59601b8 Update c8 and clean-publish
• Additional commits viewable in compare view

Updates date-fns from 4.1.0 to 4.3.0

Release notes

Sourced from date-fns's releases.

v4.3.0

Kudos to @​ImRodry and @​puneetdixit200 for their contributions.

Fixed

• Fixed missing modularized optimization fallback (for Next.js and others). See #4193.

• Fixed pt locale first day of week to be Sunday. See #4195 by @​ImRodry.

• Fixed zh-CN, zh-HK, and zh-TW locale month parsing for October, November, and December. See #4194 by @​puneetdixit200.

v4.2.1

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Commits

• f95bcf1 (docs): Add missing tsx dependency
• baaca11 Add //pkgs/core:release/docs task
• 8aa0373 Update docs website secrets location in scripts
• c7ad6eb Promote to v4.3.0
• da8c548 Add change log entry for Chinese locale fix (#4194)
• f8d8fa8 Split Chinese locale tests (#4194)
• b9c5865 Fix Chinese locale month parsing (#4194)
• 39d1e14 Add pt fix change log entry (#4195)
• f3f1963 Fix pt locale first day of week to be Sunday (#4195)
• cd6ebda Add basic AGENTS.md
• Additional commits viewable in compare view

Updates geist from 1.7.0 to 1.7.1

Changelog

Sourced from geist's changelog.

1.7.1

Patch Changes

• c8ed578: Fix Geist Mono rendering source-code text with unintended programming ligatures.

  v1.7.0 unintentionally activated programming-ligature substitutions (-->, ==, !=, ..., --, etc.) under the liga (Standard Ligatures) OpenType feature, which is on by default in every renderer. As a result, text like --debug-prerender, [id...], [...id], or NODE_OPTIONS='--debug-prerender' node rendered with ligated glyphs and broke monospace alignment in code.

  The source-level fix is in #217; this release ships the rebuilt binaries.

Commits

• 8b8b75f fix(release): sync package.json version and unignore packages/**/package.json...
• 88309a4 Version Packages (#223)
• 6af2e7f ci: harden release workflow (#222)
• c8ed578 chore: add changeset for geist@1.7.1 (Mono liga regression fix) (#221)
• a0a06a3 make build
• 855f609 Fix broken link in README.md
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for geist since your current version.

Updates lucide-react from 1.14.0 to 1.16.0

Release notes

Sourced from lucide-react's releases.

Version 1.16.0

What's Changed

• feat(icons): added blender icon by @​rrod497 in lucide-icons/lucide#3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

• fix: remove 'less' from brand stopwords by @​jguddas in lucide-icons/lucide#4331
• fix(@​lucide/vue): Clone slots before passing to icon by @​axtho in lucide-icons/lucide#4339
• fix(icons): changed text-cursor icon by @​jamiemlaw in lucide-icons/lucide#4340
• fix(icons): changed landmark icon by @​jamiemlaw in lucide-icons/lucide#4334
• chore(deps-dev): bump nitropack from 2.13.1 to 2.13.4 by @​dependabot[bot] in lucide-icons/lucide#4352
• chore(deps-dev): bump simple-git from 3.33.0 to 3.36.0 by @​dependabot[bot] in lucide-icons/lucide#4349
• fix(icons): changed candy-cane icon by @​jguddas in lucide-icons/lucide#4148
• fix(icons): changed volleyball icon by @​jamiemlaw in lucide-icons/lucide#4338
• fix(icons): changed chart-no-axes-combined icon by @​jguddas in lucide-icons/lucide#3567
• feat(icon): added broccoli icon by @​swastik7805 in lucide-icons/lucide#4263
• chore(site): Updates to site and updated carbon ads by @​ericfennis in lucide-icons/lucide#4359
• feat(icons): added sticky note variants by @​Barakudum in lucide-icons/lucide#4348
• chore(deps-dev): bump astro from 6.1.6 to 6.1.10 by @​dependabot[bot] in lucide-icons/lucide#4361

New Contributors

• @​axtho made their first contribution in lucide-icons/lucide#4339
• @​Barakudum made their first contribution in lucide-icons/lucide#4348

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

Commits

• 07c885e fix(docs): fix zephyr-cloud URL in readmes
• See full diff in compare view

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates next-intl from 4.11.0 to 4.12.0

Release notes

Sourced from next-intl's releases.

v4.12.0

4.12.0 (2026-05-13)

Features

• Improvements for useExtracted (#2316) (bff2f96) – by @​amannn

⚠️ A small config change is required for useExtracted users to upgrade, please see amannn/next-intl#2316 for details.

v4.11.2

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

v4.11.1

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

Changelog

Sourced from next-intl's changelog.

4.12.0 (2026-05-13)

Features

• Improvements for useExtracted (#2316) (bff2f96) – by @​amannn

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

Commits

• d7bf7af v4.12.0
• bff2f96 feat: Improvements for useExtracted (#2316)
• 940dfbf v4.11.2
• eb3a6a4 fix: Revert x-forwarded-host redirect domain change (#2322)
• a6a8f8f v4.11.1
• ff77a3d fix: Avoid watchers for detached telemetry process (#2319)
• 02989b6 test: Refactor extractor tests to e2e (#2312)
• See full diff in compare view

Updates react-hook-form from 7.60.0 to 7.76.1

Release notes

Sourced from react-hook-form's releases.

Version 7.76.1

🐞 fix: pass options parameter through setValues to enable validation (#13457) 🐞 fix(setValues): emit whole-form change without stale name/type (#13450) 🚗 perf(setValues): thread skipClone through setFieldValue (#13448) 🚗 perf(setValues): skip redundant per-field deep clones (#13445) Revert "🐞 fix: treat NaN as empty when valueAsNumber is true in validateField (#13388)"

thanks to @​philibea & @​maxkostow

Version v7.76.0

🪭 close #13141 improve isDirty sync with dirtyFields state (#13370) 🐞 fix isValidating reactivity when validatingFields is not subscribed (#13440) 🛺 test: fix duplicate-word typos in test descriptions (#13439) 🐞 fix #13436: errors state when using form level validation (#13437) 🐞 fix #13429 append({ obj: null }) is silently replaced by defaultValues after remove() (#13435) 🐞 fix native validation tooltip suppression caused by duplicate submit-error focus (#13432) 🐞 fix: propagate setValues updates to mounted Controller fields (#13431) 🐞 fix: rreserve reset values for conditionally mounted Controller fields with shouldUnregister 🐞 fix: useFieldArray remove leaves array with empty object when using values prop (#13422) 🐞 fix #13260: notify all matching field-array roots on nested setValue updates (#13420) 🐞 fix #13104: preserve nested resolver field-array errors in trigger() (#13419) 🐞 fix #13413: preserve formState.defaultValues when useFieldArray + watch are used together 📝 docs: fix JSDoc for IsNever, register, and getFieldState (#13410) (#13411) 🐞 fix(Watch): restore TypeScript 4 compatibility (#13409)

Big thanks to @​dfedoryshchev for multiple fixes, and to @​EduardF1, @​in-ch and @​johnstrand.

Version 7.75.0

🦧 feat: improve get dirty fields prune empty fields (#13363)

+ dirtyFields: { test: [{ data: false }] }
- dirtyFields: {} // removed the empty node with false value

🎹 typescript 6.0 (#13330) 🌡️ chore: minor improvement on setValue & reset (#13366) 🐞 fix #13403: include setValues in FormProvider context value (#13404) 🐞 fix: recompute isDirty after re-registering a previously unregistered field (#13399) 🐞 fix: preserve watch updates on field array unmount fixes #13375 (#13385) 🐞 fix: prevent useWatch re-render when unrelated field validation is … (#13398)

thanks to @​dfedoryshchev, @​cyky & @​gkarabelos

Version 7.74.0

🪇 feat: setValues (#13201)

setValues((data) => {
  return {
</tr></table> 

... (truncated)

Changelog

Sourced from react-hook-form's changelog.

[7.76.1] - 2026-05-23

Fixed

• Revert notify all matching field-array roots on nested setValue updates
• Revert treat NaN as empty when valueAsNumber is true in validateField
• setValues pass options parameter through to enable validation
• setValues emit whole-form change without stale name/type

Performance

• setValues skip redundant per-field deep clones
• setValues thread skipClone through setFieldValue

[7.76.0] - 2026-05-16

Added

• Improve isDirty sync with dirtyFields state

Fixed

• Preserve formState.defaultValues when useFieldArray and watch are used together
• Preserve nested resolver field-array errors in trigger()
• Notify all matching field-array roots on nested setValue updates
• useFieldArray remove leaves array with empty object when using values prop
• Preserve reset values for conditionally mounted Controller fields with shouldUnregister
• Propagate setValues updates to mounted Controller fields
• Native validation tooltip suppression caused by duplicate submit-error focus
• append({ obj: null }) silently replaced by defaultValues after remove()
• Errors state when using form-level validation
• isValidating reactivity when validatingFields is not subscribed

[7.75.0] - 2026-05-02

Added

• Improve getDirtyFields to prune empty fields
• TypeScript 6.0 support

Fixed

• Include setValues in FormProvider context value
• Preserve watch updates on field array unmount
• Prevent useWatch re-render when unrelated field validation occurs
• Recompute isDirty after re-registering a previously unregistered field

[7.74.0] - 2026-04-26

Added

... (truncated)

Commits

• 2b900d2 7.76.1
• 079348e 🚮 chore: remove --frozen-lockfile
• edf5c45 🧪 fix unit test
• d79648c Revert "🐞 fix: treat NaN as empty when valueAsNumber is true in validateField...
• 778881c 🐞 fix: pass options parameter through setValues to enable validation (#13457)
• a2ac01f 🧪 test(useFieldArray): regression coverage for descendant setValue key thrash...
• dfcebdb Revert "🐞 fix #13260: notify all matching field-array roots on nested setValu...
• ca01f65 Revert "🐞 fix(useFieldArray): preserve managed field ids in array subscriber ...
• 15d1762 🐞 fix(setValues): emit whole-form change without stale name/type (#13450)
• 989cbff 🚗 perf(setValues): thread skipClone through setFieldValue (#13448)
• Additional commits viewable in compare view

Updates react-resizable-panels from 4.11.0 to 4.11.2

Changelog

Sourced from react-resizable-panels's changelog.

4.11.2

• 719): Bug fix: Calculate rem-based sizes relative to owner document (not body)

4.11.1

• 715): Edge case SSR bug fix for panels with defaultSize={0}

Commits

• See full diff in compare view

Updates swagger-ui-react from 5.32.5 to 5.32.6

Release notes

Sourced from swagger-ui-react's releases.

v5.32.6

5.32.6 (2026-05-12)

Bug Fixes

• deps-dev: address undici vulnerability (#10870) (35f5a6a)
• docker: address CVE-2026-27135 nghttp2-libs vulnerability (#10879) (0a63415)

Commits

• dcdca62 chore(release): cut the 5.32.6 release
• 871b897 chore(deps): swagger-client to 3.37.4 (#10880)
• 0a63415 fix(docker): address CVE-2026-27135 nghttp2-libs vulnerability (#10879)
• 9da9aed chore(deps-dev): bump fast-uri from 3.0.6 to 3.1.2 (#10875)
• 716b006 chore(deps): bump @​babel/plugin-transform-modules-systemjs (#10877)
• 70120da chore(deps-dev): replace html-webpack-skip-assets-plugin with native excludeC...
• f672bd2 chore(deps): bump axios from 1.15.0 to 1.16.0 (#10872)
• 35f5a6a fix(deps-dev): address undici vulnerability (#10870)
• 5210ab5 chore(deps-dev): bump postcss from 8.5.3 to 8.5.12 (#10859)
• See full diff in compare view

Updates tailwind-merge from 3.5.0 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

• Add support for Tailwind CSS v4.3 by @​dcastil in dcastil/tailwind-merge#677
  • Add postfixLookupClassGroups option to config to support Tailwind utilities where a slash is part of the full class name, like named container queries
• Add support for readonly array values by @​unional in dcastil/tailwind-merge#652

Documentation

• Fix broken links in README by @​maurer2 in dcastil/tailwind-merge#662

Other

• Harden internal CI pipeline security by omitting git checkout by @​dcastil, suggested by @​kyletaylored in dcastil/tailwind-merge@6b2499c

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

Commits

• d54f7e5 v3.6.0
• 638871a Update README to add info about Tailwind CSS v4.3 support
• 39fc7b5 Revert "v3.6.0"
• bd8390f v3.6.0
• 802877c add v3.6.0 changelog
• a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
• 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
• 005af6d pin to specific version
• 5816ced implement breaking changes
• 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

View full job summary

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.