build(deps): Bump the all-deps group across 1 directory with 13 updates

[dependabot]

Bumps the all-deps group with 13 updates in the / directory:

Package	From	To
@types/node	22.19.15	22.19.18
turbo	2.9.6	2.9.12
@hono/node-server	1.19.11	1.19.14
@hono/zod-validator	0.7.6	0.8.0
bullmq	5.76.4	5.76.7
hono	4.12.15	4.12.18
tsc-alias	1.8.16	1.8.17
lucide-react	0.400.0	0.577.0
next	15.5.14	15.5.18
react	19.2.5	19.2.6
react-dom	19.2.5	19.2.6
eslint-config-next	15.5.15	15.5.18
postcss	8.5.12	8.5.14

Updates @types/node from 22.19.15 to 22.19.18

Commits

• See full diff in compare view

Updates turbo from 2.9.6 to 2.9.12

Release notes

Sourced from turbo's releases.

Turborepo v2.9.12

What's Changed

Changelog

• release(turborepo): 2.9.11 by @​github-actions[bot] in vercel/turborepo#12771
• fix: Allow transit nodes in LSP diagnostics by @​anthonyshew in vercel/turborepo#12773

Full Changelog: vercel/turborepo@v2.9.11...v2.9.12

Turborepo v2.9.11

What's Changed

Changelog

• release(turborepo): 2.9.10 by @​github-actions[bot] in vercel/turborepo#12745
• ci: Publish VS Code extension on release by @​anthonyshew in vercel/turborepo#12747
• fix: Start daemon for VSCode Extension from the extension itself by @​anthonyshew in vercel/turborepo#12749
• release(turborepo): 2.9.11-canary.1 by @​github-actions[bot] in vercel/turborepo#12748
• fix: Include file URIs in LSP lifecycle logs by @​anthonyshew in vercel/turborepo#12751
• fix: Handle JSON decoration visitor depth by @​anthonyshew in vercel/turborepo#12752
• fix: Resolve relative turbo path in VS Code extension by @​anthonyshew in vercel/turborepo#12753
• fix: Preserve Bun nested dependencies during prune by @​anthonyshew in vercel/turborepo#12754
• fix: Prefer installed Turbo for LSP by @​anthonyshew in vercel/turborepo#12755
• release(turborepo): 2.9.11-canary.2 by @​github-actions[bot] in vercel/turborepo#12750
• ci: Parallelize LSP release publishing by @​anthonyshew in vercel/turborepo#12758
• fix: Reduce VS Code extension startup popups by @​anthonyshew in vercel/turborepo#12759
• fix: Support turbo.jsonc in VS Code extension by @​anthonyshew in vercel/turborepo#12760
• fix: Remove VS Code task key gradient by @​anthonyshew in vercel/turborepo#12761
• release(turborepo): 2.9.11-canary.3 by @​github-actions[bot] in vercel/turborepo#12756
• chore: Release v2.9.11-canary.4 by @​anthonyshew in vercel/turborepo#12762
• ci: Stop VS Code publish from blocking release PR by @​anthonyshew in vercel/turborepo#12763
• release(turborepo): 2.9.11-canary.5 by @​github-actions[bot] in vercel/turborepo#12764
• fix: Publish VS Code extension from release tag by @​anthonyshew in vercel/turborepo#12765
• fix: Support shimmed VS Code LSP probes by @​anthonyshew in vercel/turborepo#12767
• release(turborepo): 2.9.11-canary.6 by @​github-actions[bot] in vercel/turborepo#12766
• release(turborepo): 2.9.11-canary.7 by @​github-actions[bot] in vercel/turborepo#12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @​anthonyshew in vercel/turborepo#12770

Full Changelog: vercel/turborepo@v2.9.10...v2.9.11

Turborepo v2.9.11-canary.7

What's Changed

Changelog

• fix: Support shimmed VS Code LSP probes by @​anthonyshew in vercel/turborepo#12767
• release(turborepo): 2.9.11-canary.6 by @​github-actions[bot] in vercel/turborepo#12766

... (truncated)

Commits

• b3f2345 publish 2.9.12 to registry
• 2c850cb fix: Allow transit nodes in LSP diagnostics (#12773)
• 1444cc3 release(turborepo): 2.9.11 (#12771)
• a968db7 fix: Allow TURBO_EXTENDS in LSP diagnostics (#12770)
• 87d468b release(turborepo): 2.9.11-canary.7 (#12768)
• 5a4310d release(turborepo): 2.9.11-canary.6 (#12766)
• e7c4575 fix: Support shimmed VS Code LSP probes (#12767)
• 2db74b4 fix: Publish VS Code extension from release tag (#12765)
• bfffbaa release(turborepo): 2.9.11-canary.5 (#12764)
• 8a0bd8b ci: Stop VS Code publish from blocking release PR (#12763)
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.11 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• See full diff in compare view

Updates @hono/zod-validator from 0.7.6 to 0.8.0

Release notes

Sourced from @​hono/zod-validator's releases.

@​hono/zod-validator@​0.8.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-validator): surface the default 400 failure response so it propagates to the RPC schema (refs honojs/hono#3746).
  • Widen the no-hook overload return type to MiddlewareHandler<E, P, V, TypedResponse<ZodValidatorFailureBody<T>, 400, 'json'>>, so the default c.json(result, 400) body reaches MergeMiddlewareResponse<M_k> on the Hono side and shows up in hc<typeof app> as a typed 400 branch.
  • Intersect the inferred middleware response with Response (Response & TypedResponse<...>) in both ZodValidatorFailureResponse<T> and ExtractValidationResponse<VF> so a zValidator(...) middleware remains assignable to a plain MiddlewareHandler (avoids a TS2322 regression caused by bare TypedResponse).
  • Collapse the no-hook overload to also accept undefined for the hook parameter together with the options.validationFunction, allowing zValidator(target, schema, undefined, { validationFunction }) to match the typed-failure path.
  • Bump peerDependencies.hono to >=4.10.0 because this PR now relies on the 4-argument MiddlewareHandler<E, P, I, R> signature introduced in Hono v4.10.0; on hono <4.10.0, MiddlewareHandler only accepts 3 type arguments and consumers would hit TS2707 even though peer ranges currently allow it.

Changelog

Sourced from @​hono/zod-validator's changelog.

0.8.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-validator): surface the default 400 failure response so it propagates to the RPC schema (refs honojs/hono#3746).
  • Widen the no-hook overload return type to MiddlewareHandler<E, P, V, TypedResponse<ZodValidatorFailureBody<T>, 400, 'json'>>, so the default c.json(result, 400) body reaches MergeMiddlewareResponse<M_k> on the Hono side and shows up in hc<typeof app> as a typed 400 branch.
  • Intersect the inferred middleware response with Response (Response & TypedResponse<...>) in both ZodValidatorFailureResponse<T> and ExtractValidationResponse<VF> so a zValidator(...) middleware remains assignable to a plain MiddlewareHandler (avoids a TS2322 regression caused by bare TypedResponse).
  • Collapse the no-hook overload to also accept undefined for the hook parameter together with the options.validationFunction, allowing zValidator(target, schema, undefined, { validationFunction }) to match the typed-failure path.
  • Bump peerDependencies.hono to >=4.10.0 because this PR now relies on the 4-argument MiddlewareHandler<E, P, I, R> signature introduced in Hono v4.10.0; on hono <4.10.0, MiddlewareHandler only accepts 3 type arguments and consumers would hit TS2707 even though peer ranges currently allow it.

Commits

• a08b023 Version Packages (#1887)
• e90e4fb feat(zod-validator): surface the default 400 on the no-hook overload and keep...
• e762ac0 feat(eslint): ignoring variables and parameters prefixed with _ (#1772)
• 475cd12 chore: update typescript to 5.9.3 (#1741)
• 96ae310 chore: update Zod/Valibot import examples to use namespace imports in docs an...
• fbec266 chore(deps-dev): bump hono from 4.11.3 to 4.11.4 (#1710)
• c7edf1e chore(deps-dev): upgrade @cloudflare/vitest-pool-workers and vitest (#1714)
• 03a28c5 fix: less strict template expressions (#1681)
• 1f8372e chore(typescript): add @tsconfig/strictest (#1679)
• 49db969 chore(eslint): update suppressions (#1678)
• Additional commits viewable in compare view

Updates bullmq from 5.76.4 to 5.76.7

Release notes

Sourced from bullmq's releases.

v5.76.7

5.76.7 (2026-05-11)

Bug Fixes

• deps: update dependency semver to v7.8.0 [security] (#4160) (093743a)

v5.76.6

5.76.6 (2026-05-06)

Bug Fixes

• connection: reconnect wedged blocking cluster clients (#4151) (e94e8cd)

v5.76.5

5.76.5 (2026-05-02)

Bug Fixes

• deps: update dependency msgpackr to v1.11.12 (#3939) (b47f00b)

Commits

• 093743a fix(deps): update dependency semver to v7.8.0 [security] (#4160)
• 38b208e chore(deps): update devdependencies (non-major) [security] (#4158)
• c2508be chore(release): vpy2.25.2 (#4156)
• 51c935b fix(worker): [python] avoid tight error loop on Redis disconnect (#4102)
• 16cb101 docs: fix several typos (#4130) (#4153)
• f5a3fc8 chore(deps): bump the npm_and_yarn group across 4 directories with 1 update (...
• 9503bfb docs: update bullmq-pro changelog for version v7.45.1 (#4154)
• 9df4b7e chore(release): 5.76.6 (#4152)
• e94e8cd fix(connection): reconnect wedged blocking cluster clients (#4151)
• 9214391 chore(deps): bump the npm_and_yarn group across 4 directories with 1 update (...
• Additional commits viewable in compare view

Updates hono from 4.12.15 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

---

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

• fix(jsx): normalize SVG attributes on the root element by @​kfly8 in honojs/hono#4893
• fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @​yuintei in honojs/hono#4899
• fix(cors): make origin optional in CORSOptions by @​truffle-dev in honojs/hono#4905
• fix(types): propagate middleware response types to app.on overloads by @​T4ko0522 in honojs/hono#4906

New Contributors

• @​kfly8 made their first contribution in honojs/hono#4893
• @​truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

Commits

• f10dee8 4.12.18
• a5bd9eb Merge commit from fork
• 58d3d3a Merge commit from fork
• 568c2ec Merge commit from fork
• ff2b3d3 4.12.17
• 52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
• 76d5589 fix(cors): make origin optional in CORSOptions (#4905)
• 8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
• bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
• 90d4182 4.12.16
• Additional commits viewable in compare view

Updates tsc-alias from 1.8.16 to 1.8.17

Release notes

Sourced from tsc-alias's releases.

v1.8.17 (2025-04-30)

What's Changed

• minor typo in README.md by @​danielrentz in justkey007/tsc-alias#249
• CI by @​justkey007 in justkey007/tsc-alias#258
• chore(deps): bump minimatch from 10.0.1 to 10.2.5 by @​dependabot[bot] in justkey007/tsc-alias#257

New Contributors

• @​danielrentz made their first contribution in justkey007/tsc-alias#249
• @​dependabot[bot] made their first contribution in justkey007/tsc-alias#257

Full Changelog: justkey007/tsc-alias@v1.8.16...v1.8.17

Commits

• d51d3e6 1.8.17
• 0b1a906 test: increase timeout for prepareSingleFileReplaceTscAliasPaths test
• 318b473 Merge pull request #257 from justkey007/dependabot/npm_and_yarn/minimatch-10.2.5
• 0f67a39 Merge pull request #258 from justkey007/_ci
• 9aa5362 test: fix prepareSingleFileReplaceTscAliasPaths test to use JS API instead of...
• f450e74 chore: update tsconfig.json files in project14 packages to include compiler o...
• 14aa685 chore: add "skipLibCheck" option to tsconfig.json files in project14 and proj...
• 57d8c33 chore: add "skipLibCheck" option to tsconfig.json files across multiple projects
• b8984a4 chore: update Node.js and pnpm versions in CI workflow
• a435cd4 chore(deps): bump minimatch from 10.0.1 to 10.2.5
• Additional commits viewable in compare view

Updates lucide-react from 0.400.0 to 0.577.0

Release notes

Sourced from lucide-react's releases.

Version 0.577.0

What's Changed

• chore(deps): bump rollup from 4.53.3 to 4.59.0 by @​dependabot[bot] in lucide-icons/lucide#4106
• fix(repo): correctly ignore docs/releaseMetadata via .gitignore by @​bhavberi in lucide-icons/lucide#4100
• feat(icons): added ellipse icon by @​KISHORE-KUMAR-S in lucide-icons/lucide#3749

New Contributors

• @​bhavberi made their first contribution in lucide-icons/lucide#4100
• @​KISHORE-KUMAR-S made their first contribution in lucide-icons/lucide#3749

Full Changelog: lucide-icons/lucide@0.576.0...0.577.0

Version 0.576.0

What's Changed

• Added zodiac signs by @​karsa-mistmere in lucide-icons/lucide#712
• fix(icons): fixes guideline violations in package-* icons. by @​karsa-mistmere in lucide-icons/lucide#4074
• fix(icons): changed receipt icon by @​karsa-mistmere in lucide-icons/lucide#4075
• fix(icons): updated cuboid icon tags and categories by @​karsa-mistmere in lucide-icons/lucide#4095
• fix(icons): changed cuboid icon by @​jamiemlaw in lucide-icons/lucide#4098
• fix(lucide-font, lucide-static): Fixing stable code points by @​ericfennis in lucide-icons/lucide#3894
• feat(icons): added fishing-rod icon by @​7ender in lucide-icons/lucide#3839

Full Changelog: lucide-icons/lucide@0.575.0...0.576.0

Version 0.575.0

What's Changed

• feat(icons): added message-square-check icon by @​karsa-mistmere in lucide-icons/lucide#4076
• fix(lucide): Fix ESM Module output path in build by @​ericfennis in lucide-icons/lucide#4084
• feat(icons): added metronome icon by @​edwloef in lucide-icons/lucide#4063
• fix(icons): remove execution permission of SVG files by @​duckafire in lucide-icons/lucide#4053
• fix(icons): changed file-pen-line icon by @​jguddas in lucide-icons/lucide#3970
• feat(icons): added square-arrow-right-exit and square-arrow-right-enter icons by @​EthanHazel in lucide-icons/lucide#3958
• fix(icons): renamed flip-* to square-centerline-dashed-* by @​jguddas in lucide-icons/lucide#3945

New Contributors

• @​edwloef made their first contribution in lucide-icons/lucide#4063
• @​duckafire made their first contribution in lucide-icons/lucide#4053

Full Changelog: lucide-icons/lucide@0.573.0...0.575.0

Version 0.574.0

What's Changed

• fix(icons): changed rocking-chair icon by @​jamiemlaw in lucide-icons/lucide#3445
• fix(icons): flipped coins icon by @​jguddas in lucide-icons/lucide#3158
• feat(icons): added x-line-top icon by @​jguddas in lucide-icons/lucide#2838
• feat(icons): added mouse-left icon by @​marvfash in lucide-icons/lucide#2788
• feat(icons): added mouse-right icon by @​marvfash in lucide-icons/lucide#2787

New Contributors

... (truncated)

Commits

• f6c0d06 chore(deps): bump rollup from 4.53.3 to 4.59.0 (#4106)
• 67c0485 feat(scripts): added helper script to automatically update OpenCollective bac...
• b6ed43d feat(packages): Added aria-hidden fallback for decorative icons to all packag...
• 076e0bb chore(dependencies): Update dependencies (#3809)
• 80d6f73 fix(icons): Rename fingerprint icon to fingerprint-pattern (#3767)
• 1cfb3ff chore(deps-dev): bump vite from 6.3.5 to 6.3.6 (#3611)
• e71198d chore: icon alias improvements (#2861)
• 3e644fd chore(scripts): Refactor scripts to typescript (#3316)
• 19fa01b build(deps-dev): bump vite from 6.3.2 to 6.3.4 (#3181)
• 03eb862 use implicit return in react package (#2325)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for lucide-react since your current version.

Updates next from 15.5.14 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

Commits

• 9ff92ce v15.5.18
• 00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
• 62c97ab v15.5.17
• 423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
• fa78739 Turbopack: Fix middleware matcher suffix (#93590)
• 36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
• 36589b5 [backport][test] Pin package manager to patch versions (#93596)
• ad6fd4e v15.5.16
• 79d7dff Ignore malformed CSP nonce headers (#103)
• c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates eslint-config-next from 15.5.15 to 15.5.18

Release notes

Sourced from eslint-config-next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

• 9ff92ce v15.5.18
• 62c97ab v15.5.17
• ad6fd4e v15.5.16
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for eslint-config-next since your current version.

Updates postcss from 8.5.12 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

Changelog

Sourced from postcss's changelog.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

Commits

• 3ec1394 Release 8.5.14 version
• f2bb827 Update dependencies
• d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
• 68bd213 fix: always call raw to retrieve raw values
• af58cf1 Release 8.5.13 version
• f227dbd Temporary ignore pnpm 11 config
• d3abd40 Update dependencies
• dd06c3e Revert stringifier changes because of the conflict with postcss-scss
• ae889c8 Try to fix CI
• e0093e4 Move to pnpm 11
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits ...

Description has been truncated

---

Summary by cubic

Upgrade dependencies across API, dashboard, and site for security fixes and stability. Key bumps include next@15.5.18, react@19.2.6, hono@4.12.18, @hono/node-server@1.19.14, and bullmq@5.76.7.

• Dependencies

  • Frontend: next@15.5.18 (multiple security fixes), eslint-config-next@15.5.18, react/react-dom@19.2.6, lucide-react@0.577.0, postcss@8.5.14.
  • API: hono@4.12.18 and @hono/node-server@1.19.14 (security fixes), @hono/zod-validator@0.8.0 (typed 400 failures; peer hono >=4.10), bullmq@5.76.7.
  • Tooling: turbo@2.9.12, @types/node@22.19.18, tsc-alias@1.8.17.

• Migration

  • Install deps and rebuild.
  • @hono/zod-validator: 400 error responses are now typed; update any affected types.
  • lucide-react: check for renamed icons if imports fail.

^{Written for commit d39ce90. Summary will update on new commits.}

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
commerce-agent-protocol-site	Ready	Preview, Comment	May 11, 2026 6:10pm

[cubic-dev-ai]

No issues found across 5 files

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.