chore(deps): update npm packages

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@tailwindcss/vite (source)	4.2.2 → 4.2.4
lucide-react (source)	1.8.0 → 1.9.0
react-router-dom (source)	7.14.1 → 7.14.2
tailwindcss (source)	4.2.2 → 4.2.4

---

Release Notes

tailwindlabs/tailwindcss (@​tailwindcss/vite)

v4.2.4

Compare Source

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#​19947)

v4.2.3

Compare Source

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#​19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#​19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#​19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#​19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#​19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#​19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#​19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#​19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#​19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#​19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#​19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#​19846)
• Upgrade: never migrate files that are ignored by git (#​19846)
• Add .env and .env.* to default ignored content files (#​19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#​19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#​19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#​19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#​19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#​19858)
• Improve performance when scanning JSONL / NDJSON files (#​19862)
• Support NODE_PATH environment variable in standalone CLI (#​19617)

lucide-icons/lucide (lucide-react)

v1.9.0: Version 1.9.0

Compare Source

What's Changed

• fix(packages/angular): allow string inputs for size by @​swastik7805 in #​4253
• fix(gh-icon): update colors for ColoredPath component by @​jguddas in #​4233
• feat(packages): use .mjs for ESM bundles by @​karsa-mistmere in #​4285
• fix(build-font): add collision detection to font codepoints by @​karsa-mistmere in #​4300
• feat(icons): added timeline icon by @​jguddas in #​4270

New Contributors

• @​swastik7805 made their first contribution in #​4253

Full Changelog: lucide-icons/lucide@1.8.0...1.9.0

remix-run/react-router (react-router-dom)

v7.14.2

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.14.2

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • "before 10am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	react-router-dom@​7.14.1 ⏵ 7.14.2				+1
	lucide-react@​1.8.0 ⏵ 1.9.0	+1		+1	+1
	vite-plus@​0.1.18 ⏵ 0.1.19				+1
	tailwindcss@​4.2.2 ⏵ 4.2.4	+1		+1
	@​tailwindcss/​vite@​4.2.2 ⏵ 4.2.4	+1		+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @voidzero-dev/vite-plus-core is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/vite-plus@0.1.19 → npm/@voidzero-dev/vite-plus-core@0.1.19 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@voidzero-dev/vite-plus-core@0.1.19. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report