Skip to content

chore(deps)(deps): bump the production-dependencies group across 1 directory with 16 updates#2441

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-399ec25fda
Closed

chore(deps)(deps): bump the production-dependencies group across 1 directory with 16 updates#2441
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-399ec25fda

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the production-dependencies group with 16 updates in the / directory:

Package From To
@oclif/core 4.11.9 4.11.11
@hono/node-server 2.0.5 2.0.6
tar 7.5.16 7.5.19
js-yaml 5.0.0 5.2.0
mongodb 7.3.0 7.4.0
nanoid 5.1.15 5.1.16
knex 3.2.10 3.3.0
@better-auth/core 1.6.20 1.6.22
@better-auth/oauth-provider 1.6.20 1.6.22
@better-auth/sso 1.6.20 1.6.22
better-auth 1.6.20 1.6.22
hono 4.12.26 4.12.27
fumadocs-core 16.10.5 16.10.6
fumadocs-mdx 15.0.12 15.0.13
fumadocs-ui 16.10.5 16.10.6
lucide-react 1.21.0 1.22.0

Updates @oclif/core from 4.11.9 to 4.11.11

Release notes

Sourced from @​oclif/core's releases.

4.11.11

Bug Fixes

  • deps: bump undici from 6.25.0 to 6.27.0 (319945a)

4.11.10

Bug Fixes

  • deps: bump tinyglobby from 0.2.16 to 0.2.17 (f941872)
Changelog

Sourced from @​oclif/core's changelog.

4.11.11 (2026-06-23)

Bug Fixes

  • deps: bump undici from 6.25.0 to 6.27.0 (319945a)

4.11.10 (2026-06-22)

Bug Fixes

  • deps: bump tinyglobby from 0.2.16 to 0.2.17 (f941872)
Commits
  • 87eeca3 chore(release): 4.11.11 [skip ci]
  • 93a64bb Merge pull request #1617 from oclif/dependabot-npm_and_yarn-undici-6.27.0
  • 319945a fix(deps): bump undici from 6.25.0 to 6.27.0
  • 09090f6 Merge pull request #1610 from oclif/dependabot-npm_and_yarn-oclif-plugin-plug...
  • 246f11e chore(dev-deps): bump @​oclif/plugin-plugins from 5.4.69 to 5.4.78
  • 1a54415 chore(release): 4.11.10 [skip ci]
  • 48a73f8 Merge pull request #1609 from oclif/dependabot-npm_and_yarn-tinyglobby-0.2.17
  • f941872 fix(deps): bump tinyglobby from 0.2.16 to 0.2.17
  • See full diff in compare view

Updates @hono/node-server from 2.0.5 to 2.0.6

Release notes

Sourced from @​hono/node-server's releases.

v2.0.6

What's Changed

Full Changelog: honojs/node-server@v2.0.5...v2.0.6

Commits
  • ff75c61 2.0.6
  • 814720f fix: preserve status and statusText when cloning a Response with live headers...
  • a76209a ci: use npm Staged publishing (#364)
  • 44c365a ci: publish to npm from CI with OIDC trusted publishing and bump np (#361)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​hono/node-server since your current version.


Updates tar from 7.5.16 to 7.5.19

Commits

Updates js-yaml from 5.0.0 to 5.2.0

Changelog

Sourced from js-yaml's changelog.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.
Commits
  • c28ed5e 5.2.0 released
  • 125cd5a Add maxAliases option
  • 3105455 Replace maxMergeSeqLengthoption with maxTotalMergeKeys (more robust)
  • 39d00d6 numbers: Drop boxed numbers support, simplify .identify() checks, clarify rou...
  • eb5cb5b fix: round-trip integers that stringify in exponential notation (#771)
  • 89024c4 Update migration info, close #770
  • f1e45cd 5.1.0 released
  • 53b22be Fix constructor coverage
  • a1eaa2b Fix quote style options and restore forceQuotes
  • 0532e7d Add finalizers for immutable collection tags
  • Additional commits viewable in compare view

Updates mongodb from 7.3.0 to 7.4.0

Release notes

Sourced from mongodb's releases.

v7.4.0

7.4.0 (2026-06-25)

The MongoDB Node.js team is pleased to announce version 7.4.0 of the mongodb package!

Release Notes

Explicit resource management is now stable

The Symbol.asyncDispose methods on MongoClient, ClientSession, ChangeStream, and cursors enable await using for automatic cleanup. These methods were introduced as experimental in v6.9.0. Since then, TC39 Explicit Resource Management proposal reached Stage 4 in 2025, and Node.js enabled explicit resource management as a stable feature in Node.js 24, so the experimental flags have been removed from our APIs and the APIs are now officially supported.

afterClusterTime now sent on writes in causally-consistent sessions

When a session has causal consistency enabled, write operations now include readConcern.afterClusterTime, matching the existing read behavior. This maintains the "read your own writes" guarantee across primary failovers in shareded clusters. There are no API changes.

Features

  • NODE-7634: remove experimental tag from async dispose methods (#4976) (43ce3eb)
  • NODE-7549: send afterClusterTime on writes in causally-consistent sessions (#4963) (3abfd26)

Documentation

We invite you to try the mongodb library immediately, and report any issues to the NODE project.

Changelog

Sourced from mongodb's changelog.

7.4.0 (2026-06-25)

Features

  • NODE-7634: remove experimental tag from async dispose methods (#4976) (43ce3eb)
  • NODE-7549: send afterClusterTime on writes in causally-consistent sessions (#4963) (3abfd26)
Commits
  • 1c4333e chore(main): release 7.4.0 (#4974)
  • 43ce3eb feat(NODE-7634): remove experimental tag from async dispose methods (#4976)
  • 3abfd26 fix(NODE-7549): send afterClusterTime on writes in causally-consistent sessio...
  • 88ec159 chore(NODE-7418): skip csot tests on latest (#4969)
  • 1f5ac37 chore(NODE-7473): upgrade to chai 5 (#4958)
  • b17288c chore: skip csfle tests and fix related broken tests (#4965)
  • 5b401aa test(NODE-7493): enable source maps and add nyc-free debug scripts (#4947)
  • 3ba2dd2 docs: clarify release notes verification steps (#4960)
  • 0a434d3 docs: add 7.3 docs (#4959)
  • See full diff in compare view

Updates nanoid from 5.1.15 to 5.1.16

Release notes

Sourced from nanoid's releases.

5.1.16

Changelog

Sourced from nanoid's changelog.

5.1.16

Commits

Updates knex from 3.2.10 to 3.3.0

Release notes

Sourced from knex's releases.

3.3.0

New features

Bug fixes

Misc

New Contributors

Full Changelog: knex/knex@3.2.10...3.3.0

Changelog

Sourced from knex's changelog.

3.3.0 - 26 June, 2026

New features

  • feat: add support for returning in mariadb #4572
  • feat: mariadb driver support #6415
  • Fixes _setNullableState not respecting schema #6025
  • feat: add connectionPool option for bringing an external pool #6414
  • Added knex.migrate.to and knex.migrate.before #6420
  • feat: set error.cause for tarn acquire connection error #5681

Bug fixes

  • Fix FOR UPDATE OF with explicit schema #5791
  • Fix sqlite conditional insert/merge when inserting multiple rows #6185
  • Fix: Stream postProcessResponse error is not catchable with .on('error') #6033
  • fix(pg): preserve updateFrom binding order #6454
  • fix: #6451, support token-credential in mssql auth #6465
  • fix(types): #6452 - .where type regression for invalid types #6463
  • fix: #6460 unhandled error on connection timeout with stream #6462
  • fix: #6455, correctly state tedious as dependency needed for mssql #6464
  • fix(pg,mssql): preserve binding order in delete and update queries #6438

Misc

  • chore: bump tarn@3.1.0 #6492
  • micro-optimization in wrappingFormatter #6456
  • cleanup flake in the cancellation tests #6486
  • Update docs: timeout section #6471
  • ci: make npm install resilient to transient network failures #6468
  • Update homepage urls #6450
  • chore: add mariadb to docker-compose #6466
  • chore: set codecov to default coverage provider #6448
Commits

Updates @better-auth/core from 1.6.20 to 1.6.22

Release notes

Sourced from @​better-auth/core's releases.

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

  • Fixed SCIM write-path operations to be properly scoped and to correctly honor the active attribute (#10242)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Added account-level verification lockout for two-factor authentication (#10240)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​gustavovalverde

Full changelog: v1.6.21...v1.6.22

v1.6.21

better-auth

Bug Fixes

  • Fixed rate limits to be enforced before plugin request handlers run (#10191)
  • Fixed admin permission changes and bans to take effect immediately, even when session cookie cache is enabled (#10187)
  • Fixed deviceAuthorization() throwing a ZodError when called without a schema option under Zod v4 (#9939)

... (truncated)

Changelog

Sourced from @​better-auth/core's changelog.

1.6.22

Patch Changes

  • #10241 8bd43d9 Thanks @​gustavovalverde! - Refuse HTTP redirects on server-side OAuth requests

    Better Auth refuses HTTP redirects on the server-side OAuth requests it makes: the token exchange, token refresh, client-credentials, token introspection, and JWKS requests. A provider endpoint cannot redirect one of these requests to an unintended internal address. Conformant OAuth providers answer these endpoints with a direct response and never redirect, so standard integrations are unaffected.

1.6.21

Patch Changes

  • #10180 90d509e Thanks @​ping-maxwell! - adapter.update now returns null when no row matches or when it is called without a predicate. Use updateMany for intentional bulk updates.

    The Kysely MySQL adapter no longer returns a row after a guarded update misses. Updates with an id guard also return the targeted row when id is not the first predicate. Keep MySQL rows-matched semantics enabled, which mysql2 does by default through FOUND_ROWS; disabling it can make idempotent updates look like misses.

    The Prisma adapter now returns null when an update guard excludes the targeted row instead of surfacing Prisma's not-found exception. The shared adapter test suite now asserts the same fail-closed update behavior for adapter implementations.

  • #10197 816d7f9 Thanks @​Paola3stefania! - Google sign-in now accepts hd: "*" to allow any Google Workspace hosted domain while still rejecting tokens with no hosted-domain claim.

    Google One Tap now applies the configured Google hosted-domain restriction before creating a session.

  • #10198 570267c Thanks @​rachit367! - Honor disableMigration on plugin schema tables. Tables flagged with disableMigration: true are now skipped by better-auth generate (Drizzle and Prisma output) and by the runtime migrator, instead of being emitted and created anyway. The flag was previously dropped while assembling the table list, so it had no effect.

  • #10203 5953157 Thanks @​bytaesu! - Rate limiting no longer trusts multi-hop X-Forwarded-For chains, preventing a client behind an appending proxy from spoofing the leftmost hop to bypass the per-IP rate limit. Single-value IP headers continue to work. To key the real client behind a proxy chain, set advanced.ipAddress.trustedProxies to your reverse-proxy IPs or CIDR ranges (the chain is walked right to left, skipping trusted hops), or point advanced.ipAddress.ipAddressHeaders at a single trusted client-IP header.

Commits

Updates @better-auth/oauth-provider from 1.6.20 to 1.6.22

Release notes

Sourced from @​better-auth/oauth-provider's releases.

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

  • Fixed SCIM write-path operations to be properly scoped and to correctly honor the active attribute (#10242)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Added account-level verification lockout for two-factor authentication (#10240)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​gustavovalverde

Full changelog: v1.6.21...v1.6.22

v1.6.21

better-auth

Bug Fixes

  • Fixed rate limits to be enforced before plugin request handlers run (#10191)
  • Fixed admin permission changes and bans to take effect immediately, even when session cookie cache is enabled (#10187)
  • Fixed deviceAuthorization() throwing a ZodError when called without a schema option under Zod v4 (#9939)

... (truncated)

Changelog

Sourced from @​better-auth/oauth-provider's changelog.

1.6.22

Patch Changes

1.6.21

Patch Changes

Commits

Updates @better-auth/sso from 1.6.20 to 1.6.22

Release notes

Sourced from @​better-auth/sso's releases.

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

  • Fixed SCIM write-path operations to be properly scoped and to correctly honor the active attribute (#10242)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Added account-level verification lockout for two-factor authentication (#10240)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​gustavovalverde

Full changelog: v1.6.21...v1.6.22

v1.6.21

better-auth

Bug Fixes

  • Fixed rate limits to be enforced before plugin request handlers run (#10191)
  • Fixed admin permission changes and bans to take effect immediately, even when session cookie cache is enabled (#10187)
  • Fixed deviceAuthorization() throwing a ZodError when called without a schema option under Zod v4 (#9939)

... (truncated)

Changelog

Sourced from @​better-auth/sso's changelog.

1.6.22

Patch Changes

1.6.21

Patch Changes

  • #10224 7a7a7b3 Thanks @​Bekacru! - Deleting an SSO provider no longer leaves linked accounts that a later provider with the same provider ID can reuse.

    SSO and SCIM provider setup now rejects provider IDs already used by another account provider.

    SSO provider updates now reject identity-defining changes, such as issuer, login endpoints, client ID, SAML metadata, or user ID mappings, after accounts are linked. Secret rotation and same-value updates still work.

  • #10226 fa1e036 Thanks @​Bekacru! - SAML SSO now rejects responses whose audience, bearer recipient, or response destination does not match the configured Service Provider before creating a session.

  • #10225 1a8b7cc Thanks @​Bekacru! - SAML single logout now rejects IdP SLO POST URLs that use non-http(s) schemes, such as javascript: or data:.

  • #10227 fcabaaf Thanks @​Bekacru! - SSO domain verification now requires proof for every domain a provider lists. When a provider's domain has multiple comma-separated domains, each listed domain must publish the verification TXT record before the provider is marked verified. The verifier accepts TXT records that exactly match the raw verification token, matching the documented setup flow, or the existing identifier=value format.

  • Updated dependencies [e0762a1, 882cf9e, f52e1ab, 90d509e, b5bec19, 816d7f9, 239bcc8, 1bc370a, 570267c, 461ca6f, 88409b0, 5953157, b046f9e, ae647b4]:

    • better-auth@1.6.21
    • @​better-auth/core@​1.6.21
Commits

Updates better-auth from 1.6.20 to 1.6.22

Release notes

Sourced from better-auth's releases.

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

  • Fixed SCIM write-path operations to be properly scoped and to correctly honor the active attribute (#10242)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Added account-level verification lockout for two-factor authentication (#10240)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​gustavovalverde

Full changelog: v1.6.21...v1.6.22

v1.6.21

better-auth

Bug Fixes

  • Fixed rate limits to be enforced before plugin request handlers run (#10191)
  • Fixed admin permission changes and bans to take effect immediately, even when session cookie cache is enabled (#10187)
  • Fixed deviceAuthorization() throwing a ZodError when called without a schema option under Zod v4 (#9939)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.22

Patch Changes

  • #10239 c06a56d Thanks @​gustavovalverde! - Magic-link and email-OTP sign-in now reset the credentials on an account whose email had never been confirmed. When verification resolves to such an account, any existing password on it is removed and its sessions are revoked before the user is signed in, so proven control of the mailbox is the source of truth for the account.

    If you signed up with email and password but first signed in through a magic link or email OTP rather than confirming the verification email, your password is cleared and you will need to set a new one through password reset.

  • #10240 3a035e9 Thanks @​gustavovalverde! - Add account-level lockout for two-factor verification. The attempt limit applies per account across sign-in challenges and across factors: TOTP, email-OTP, and backup codes share one counter, and a successful verification resets it.

    Enabled by default: an account locks for 15 minutes after 10 consecutive failed verifications, and locked attempts return 429 with the ACCOUNT_TEMPORARILY_LOCKED error code. Configure it with twoFactor({ accountLockout: { enabled, maxFailedAttempts, durationSeconds } }).

    Run a database migration after upgrading: this adds failedVerificationCount and lockedUntil columns to the twoFactor table.

  • Updated dependencies [8bd43d9]:

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 29, 2026
@vercel

vercel Bot commented Jun 29, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
spec Ready Ready Preview, Comment Jun 29, 2026 11:16am

Request Review

@github-actions github-actions Bot added documentation Improvements or additions to documentation size/s labels Jun 29, 2026
@github-actions

Copy link
Copy Markdown
Contributor

📓 Docs Drift Check

This PR changes 10 package(s): packages/adapters, @objectstack/cli, @objectstack/client, create-objectstack, @objectstack/metadata, @objectstack/driver-mongodb, @objectstack/driver-sql, @objectstack/driver-sqlite-wasm, @objectstack/plugin-auth, @objectstack/plugin-hono-server.

30 hand-written doc(s) reference the affected code and may need an implementation-accuracy re-verification:

  • content/docs/concepts/cloud-artifact-api.mdx (via packages/cli)
  • content/docs/concepts/cluster-semantics.mdx (via packages/metadata)
  • content/docs/concepts/core/plugins.mdx (via @objectstack/driver-sql)
  • content/docs/concepts/implementation-status.mdx (via @objectstack/cli, @objectstack/client, @objectstack/driver-mongodb, @objectstack/driver-sql, @objectstack/driver-sqlite-wasm, @objectstack/plugin-auth, @objectstack/plugin-hono-server)
  • content/docs/concepts/metadata-lifecycle.mdx (via @objectstack/metadata)
  • content/docs/concepts/packages.mdx (via @objectstack/cli, @objectstack/client, create-objectstack, @objectstack/metadata, @objectstack/driver-mongodb, @objectstack/plugin-auth, @objectstack/plugin-hono-server)
  • content/docs/concepts/skills.mdx (via create-objectstack)
  • content/docs/concepts/terminology.mdx (via @objectstack/driver-mongodb, @objectstack/driver-sql)
  • content/docs/getting-started/cli.mdx (via @objectstack/cli, @objectstack/plugin-auth)
  • content/docs/getting-started/glossary.mdx (via @objectstack/driver-mongodb, @objectstack/driver-sql, @objectstack/driver-sqlite-wasm)
  • content/docs/getting-started/quick-start.mdx (via @objectstack/cli)
  • content/docs/guides/auth-sso.mdx (via @objectstack/plugin-auth)
  • content/docs/guides/authentication.mdx (via @objectstack/cli, @objectstack/client, @objectstack/plugin-auth, @objectstack/plugin-hono-server)
  • content/docs/guides/client-sdk.mdx (via @objectstack/cli, @objectstack/client)
  • content/docs/guides/driver-configuration.mdx (via @objectstack/driver-mongodb, @objectstack/driver-sql, @objectstack/driver-sqlite-wasm)
  • content/docs/guides/hook-bodies.mdx (via packages/cli)
  • content/docs/guides/kernel-services.mdx (via @objectstack/plugin-auth)
  • content/docs/guides/packages.mdx (via packages/adapters, @objectstack/cli, @objectstack/client, create-objectstack, @objectstack/metadata, @objectstack/driver-mongodb, @objectstack/driver-sql, @objectstack/driver-sqlite-wasm, @objectstack/plugin-auth, @objectstack/plugin-hono-server)
  • content/docs/guides/plugins.mdx (via @objectstack/plugin-auth, @objectstack/plugin-hono-server)
  • content/docs/guides/production-readiness.mdx (via @objectstack/plugin-auth)
  • content/docs/guides/project-scoping.mdx (via @objectstack/cli, @objectstack/client)
  • content/docs/guides/runtime-services/data-service.mdx (via packages/cli, packages/client)
  • content/docs/guides/runtime-services/index.mdx (via packages/cli, packages/client)
  • content/docs/guides/skills.mdx (via packages/cli, packages/client, create-objectstack)
  • content/docs/protocol/objectos/index.mdx (via @objectstack/driver-sql)
  • content/docs/protocol/objectos/lifecycle.mdx (via @objectstack/driver-sql)
  • content/docs/protocol/objectos/metadata-service.mdx (via @objectstack/metadata)
  • content/docs/protocol/objectos/plugin-spec.mdx (via @objectstack/cli)
  • content/docs/protocol/objectos/realtime-protocol.mdx (via @objectstack/cli, @objectstack/client)
  • content/docs/releases/v9.mdx (via create-objectstack, @objectstack/plugin-auth)

Advisory only. To re-verify, run the docs-accuracy-audit workflow scoped to these files:
node scripts/docs-audit/affected-docs.mjs origin/main → pass the list as args.docs.

@dependabot dependabot Bot changed the title chore(deps)(deps): bump the production-dependencies group with 16 updates chore(deps)(deps): bump the production-dependencies group across 1 directory with 16 updates Jun 29, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-dependencies-399ec25fda branch from 2b3a04a to b556822 Compare June 29, 2026 03:20
…rectory with 16 updates

Bumps the production-dependencies group with 16 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@oclif/core](https://github.com/oclif/core) | `4.11.9` | `4.11.11` |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.5` | `2.0.6` |
| [tar](https://github.com/isaacs/node-tar) | `7.5.16` | `7.5.19` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `5.0.0` | `5.2.0` |
| [mongodb](https://github.com/mongodb/node-mongodb-native) | `7.3.0` | `7.4.0` |
| [nanoid](https://github.com/ai/nanoid) | `5.1.15` | `5.1.16` |
| [knex](https://github.com/knex/knex) | `3.2.10` | `3.3.0` |
| [@better-auth/core](https://github.com/better-auth/better-auth/tree/HEAD/packages/core) | `1.6.20` | `1.6.22` |
| [@better-auth/oauth-provider](https://github.com/better-auth/better-auth/tree/HEAD/packages/oauth-provider) | `1.6.20` | `1.6.22` |
| [@better-auth/sso](https://github.com/better-auth/better-auth/tree/HEAD/packages/sso) | `1.6.20` | `1.6.22` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.20` | `1.6.22` |
| [hono](https://github.com/honojs/hono) | `4.12.26` | `4.12.27` |
| [fumadocs-core](https://github.com/fuma-nama/fumadocs) | `16.10.5` | `16.10.6` |
| [fumadocs-mdx](https://github.com/fuma-nama/fumadocs) | `15.0.12` | `15.0.13` |
| [fumadocs-ui](https://github.com/fuma-nama/fumadocs) | `16.10.5` | `16.10.6` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.21.0` | `1.22.0` |



Updates `@oclif/core` from 4.11.9 to 4.11.11
- [Release notes](https://github.com/oclif/core/releases)
- [Changelog](https://github.com/oclif/core/blob/main/CHANGELOG.md)
- [Commits](oclif/core@4.11.9...4.11.11)

Updates `@hono/node-server` from 2.0.5 to 2.0.6
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.5...v2.0.6)

Updates `tar` from 7.5.16 to 7.5.19
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.16...v7.5.19)

Updates `js-yaml` from 5.0.0 to 5.2.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@5.0.0...5.2.0)

Updates `mongodb` from 7.3.0 to 7.4.0
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/main/HISTORY.md)
- [Commits](mongodb/node-mongodb-native@v7.3.0...v7.4.0)

Updates `nanoid` from 5.1.15 to 5.1.16
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@5.1.15...5.1.16)

Updates `knex` from 3.2.10 to 3.3.0
- [Release notes](https://github.com/knex/knex/releases)
- [Changelog](https://github.com/knex/knex/blob/master/CHANGELOG.md)
- [Commits](knex/knex@3.2.10...3.3.0)

Updates `@better-auth/core` from 1.6.20 to 1.6.22
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/core/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.22/packages/core)

Updates `@better-auth/oauth-provider` from 1.6.20 to 1.6.22
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/oauth-provider/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.22/packages/oauth-provider)

Updates `@better-auth/sso` from 1.6.20 to 1.6.22
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/sso/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.22/packages/sso)

Updates `better-auth` from 1.6.20 to 1.6.22
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.22/packages/better-auth)

Updates `hono` from 4.12.26 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.26...v4.12.27)

Updates `fumadocs-core` from 16.10.5 to 16.10.6
- [Release notes](https://github.com/fuma-nama/fumadocs/releases)
- [Commits](https://github.com/fuma-nama/fumadocs/compare/fumadocs@16.10.5...fumadocs@16.10.6)

Updates `fumadocs-mdx` from 15.0.12 to 15.0.13
- [Release notes](https://github.com/fuma-nama/fumadocs/releases)
- [Commits](https://github.com/fuma-nama/fumadocs/compare/fumadocs-mdx@15.0.12...fumadocs-mdx@15.0.13)

Updates `fumadocs-ui` from 16.10.5 to 16.10.6
- [Release notes](https://github.com/fuma-nama/fumadocs/releases)
- [Commits](https://github.com/fuma-nama/fumadocs/compare/fumadocs@16.10.5...fumadocs@16.10.6)

Updates `lucide-react` from 1.21.0 to 1.22.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.22.0/packages/lucide-react)

---
updated-dependencies:
- dependency-name: "@better-auth/core"
  dependency-version: 1.6.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@better-auth/oauth-provider"
  dependency-version: 1.6.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@better-auth/sso"
  dependency-version: 1.6.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@oclif/core"
  dependency-version: 4.11.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: better-auth
  dependency-version: 1.6.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: fumadocs-core
  dependency-version: 16.10.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: fumadocs-mdx
  dependency-version: 15.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: fumadocs-ui
  dependency-version: 16.10.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: js-yaml
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: knex
  dependency-version: 3.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: lucide-react
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: mongodb
  dependency-version: 7.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: nanoid
  dependency-version: 5.1.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: tar
  dependency-version: 7.5.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-dependencies-399ec25fda branch from b556822 to d3791bb Compare June 29, 2026 11:08
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 29, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/production-dependencies-399ec25fda branch June 29, 2026 11:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file documentation Improvements or additions to documentation javascript Pull requests that update javascript code size/s

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants