deps(deps): bump the minor-and-patch group with 13 updates

[dependabot]

Bumps the minor-and-patch group with 13 updates:

Package	From	To
@supabase/supabase-js	2.99.3	2.105.4
next	16.2.4	16.2.6
openai	6.36.0	6.37.0
puppeteer	24.42.0	24.43.1
react	19.2.5	19.2.6
react-dom	19.2.5	19.2.6
resend	6.12.2	6.12.3
tailwind-merge	3.5.0	3.6.0
@tailwindcss/postcss	4.2.4	4.3.0
@types/jsdom	28.0.0	28.0.2
@types/node	25.6.0	25.7.0
eslint-config-next	16.2.4	16.2.6
tailwindcss	4.2.4	4.3.0

Updates @supabase/supabase-js from 2.99.3 to 2.105.4

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.105.4

2.105.4 (2026-05-08)

🩹 Fixes

• auth: return null from getItemAsync on JSON parse failure (#2336)
• postgrest: restore non-Error abort detection in fetch catch (#2335)
• realtime: guard sessionStorage access in restricted-storage browsers (#2339)

v2.105.4-canary.2

2.105.4-canary.2 (2026-05-08)

This was a version bump only, there were no code changes.

v2.105.4-canary.1

2.105.4-canary.1 (2026-05-08)

🩹 Fixes

• realtime: guard sessionStorage access in restricted-storage browsers (#2339)

v2.105.4-canary.0

2.105.4-canary.0 (2026-05-08)

🩹 Fixes

• auth: return null from getItemAsync on JSON parse failure (#2336)
• postgrest: restore non-Error abort detection in fetch catch (#2335)

v2.105.3

2.105.3 (2026-05-04)

🩹 Fixes

• auth: narrow OAuth/CustomProvider types to fix downstream consumer typecheck (#2326)

v2.105.2

2.105.2 (2026-05-04)

🩹 Fixes

• auth: forward lockAcquireTimeout to SupabaseAuthClient (#2309)
• auth: add toJSON to WebAuthnError for correct JSON serialization (#2317)
• misc: widen enum-like unions with (string & {}) for forward compat (#2303)
• misc: reduce any usage across packages (#2314)
• postgrest: unify insert/upsert signatures (#2315)

❤️ Thank You

• Muzzaiyyan Hussain @​MuzzaiyyanHussain

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.105.1 (2026-04-28)

🩹 Fixes

• postgrest: query reassignment regression (#2292)
• realtime: surface real Error on transport-level CHANNEL_ERROR (#2299)

❤️ Thank You

• Vaibhav @​7ttp

2.105.0 (2026-04-27)

🚀 Features

• auth: add passkey support with WebAuthn registration, authentication, and management (#2283)
• realtime: Realtime deferred disconnect (#2282)

🩹 Fixes

• postgrest: narrow column types after not(column, is, null) (#2264)
• realtime: annotate Timer/Vsn getters to avoid deep phoenix imports (#2284)
• storage: apply metadata, headers, and cacheControl dedupe to uploadToSignedUrl (#2275)
• storage: forward duplex option for stream uploads via uploadToSignedUrl (#2289)

❤️ Thank You

• Katerina Skroumpelou @​mandarini
• oniani1

2.104.1 (2026-04-23)

🩹 Fixes

• auth: emit PASSWORD_RECOVERY event for PKCE recovery flows (#2272)
• postgrest: restore runtime test files to tstyche scope (#2266)
• supabase: propagate custom fetch to realtime client (#2267)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.104.0 (2026-04-20)

🚀 Features

• storage: extract shared header normalization utility (#2251)

❤️ Thank You

... (truncated)

Commits

• db53b0f chore(release): version 2.105.2 changelogs (#2323)
• 5223888 [patchback] docs(repo): @​category and @​subcategory tags across all packages (...
• 0412d0d fix(auth): forward lockAcquireTimeout to SupabaseAuthClient (#2309)
• 42c9cbb [patchback] fix(misc): widen enum-like unions with (string & {}) for forward ...
• 7e1773c chore(release): version 2.105.1 changelogs (#2302)
• ca8c418 chore(release): version 2.105.0 changelogs (#2290)
• d19e6d3 [patchback] docs(misc): rename anon key → publishable key and service role ke...
• c420456 [patchback] feat(auth): add passkey support with WebAuthn registration, authe...
• bfb18bc [patchback] feat(realtime): Realtime deferred disconnect (#2282)
• ed49eed chore(release): version 2.104.1 changelogs (#2273)
• Additional commits viewable in compare view

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates openai from 6.36.0 to 6.37.0

Release notes

Sourced from openai's releases.

v6.37.0

6.37.0 (2026-05-07)

Full Changelog: v6.36.0...v6.37.0

Features

• api: add quantity field to admin organization usage responses (273a8f7)
• api: add web_search_call.results output option to responses (91c75e0)
• api: launch realtime translate + update image 2 (a296b66)
• api: manual updates (794b905)
• api: manual updates (6963729)
• api: realtime 2 (f4b7177)

Bug Fixes

• api: fix imagegen size enum regression (4fe8469)

Chores

• redact api-key headers in debug logs (99c9c80)

Changelog

Sourced from openai's changelog.

6.37.0 (2026-05-07)

Full Changelog: v6.36.0...v6.37.0

Features

• api: add quantity field to admin organization usage responses (273a8f7)
• api: add web_search_call.results output option to responses (91c75e0)
• api: launch realtime translate + update image 2 (a296b66)
• api: manual updates (794b905)
• api: manual updates (6963729)
• api: realtime 2 (f4b7177)

Bug Fixes

• api: fix imagegen size enum regression (4fe8469)

Chores

• redact api-key headers in debug logs (99c9c80)

Commits

• b0e89cd release: 6.37.0
• 2151063 feat(api): realtime 2
• a5c4184 feat(api): manual updates
• 17c79fb chore: redact api-key headers in debug logs
• 36f69f6 codegen metadata
• 5cd49e4 codegen metadata
• a1b2c9c codegen metadata
• badc738 fix(api): fix imagegen size enum regression
• 15d48e0 codegen metadata
• 0ff2cda feat(api): add quantity field to admin organization usage responses
• Additional commits viewable in compare view

Updates puppeteer from 24.42.0 to 24.43.1

Release notes

Sourced from puppeteer's releases.

puppeteer-core: v24.43.1

24.43.1 (2026-05-11)

🛠️ Fixes

• reject BiDi URL restrictions (#14956) (b2140ae)
• remove networkidle options from setContent (#14940) (54254e4)
• roll to Firefox 150.0.2 (#14946) (a588310)

⚡ Performance

• dispose sub-classes correctly (#14430) (e285ff2)
• optimize url blocking on navigation (#14945) (e4002a4)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.13.1 to 2.13.2

puppeteer: v24.43.1

24.43.1 (2026-05-11)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.13.1 to 2.13.2
    • puppeteer-core bumped from 24.43.0 to 24.43.1

puppeteer-core: v24.43.0

24.43.0 (2026-05-06)

🎉 Features

• Implement allowlist (#14897) (e7e31f8)
• roll to Chrome 148.0.7778.56 (#14918) (65890b7)
• roll to Firefox 150.0 (#14900) (beab61b)
• support checkboxes and radios in locator.fill (#14939) (fec05a0)
• webmcp: Add support for untrustedContent WebMCPAnnotation (#14901) (0314942)

... (truncated)

Changelog

Sourced from puppeteer's changelog.

24.43.1 (2026-05-11)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.13.1 to 2.13.2

🛠️ Fixes

• reject BiDi URL restrictions (#14956) (b2140ae)
• remove networkidle options from setContent (#14940) (54254e4)
• roll to Firefox 150.0.2 (#14946) (a588310)

⚡ Performance

• dispose sub-classes correctly (#14430) (e285ff2)
• optimize url blocking on navigation (#14945) (e4002a4)

24.43.0 (2026-05-06)

🎉 Features

• Implement allowlist (#14897) (e7e31f8)
• roll to Chrome 148.0.7778.56 (#14918) (65890b7)
• roll to Firefox 150.0 (#14900) (beab61b)
• support checkboxes and radios in locator.fill (#14939) (fec05a0)
• webmcp: Add support for untrustedContent WebMCPAnnotation (#14901) (0314942)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.13.0 to 2.13.1

🛠️ Fixes

• Disable WebUIReloadButton experiment (#14925) (d9639e9)

... (truncated)

Commits

• 970bda6 chore: release main (#14944)
• 8465576 chore(deps): bump deps (#14962)
• e285ff2 perf: dispose sub-classes correctly (#14430)
• 6a091b6 build: fix tools/ensure-correct-devtools-protocol-package.mts (#14961)
• d8b5fd9 fix: do not use shell for setup.exe (#14959)
• b2140ae fix: reject BiDi URL restrictions (#14956)
• 4b4c762 chore(deps): bump fast-uri from 3.0.6 to 3.1.2 in /website (#14950)
• a588310 fix: roll to Firefox 150.0.2 (#14946)
• 9eb59d1 chore(deps): bump @​babel/plugin-transform-modules-systemjs from 7.28.5 to 7.2...
• 5bc26eb chore(deps): bump the all group in /website with 4 updates (#14952)
• Additional commits viewable in compare view

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates resend from 6.12.2 to 6.12.3

Release notes

Sourced from resend's releases.

v6.12.3

What's Changed

• chore(deps): update pnpm to v10.33.2 by @​renovate[bot] in resend/resend-node#940
• chore(deps): upgrade svix to silence GHSA-w5hq-g745-h8pq by @​ulrichstark in resend/resend-node#942
• fix: correct paylaod into payload typo in contacts overload signatures by @​wesleyramalho in resend/resend-node#902
• chore(deps): update dependency tsdown to v0.21.10 by @​renovate[bot] in resend/resend-node#929
• chore(deps): update dependency @​biomejs/biome to v2.4.14 by @​renovate[bot] in resend/resend-node#943
• chore: add missing suppressed event to resend node sdk interface by @​dielduarte in resend/resend-node#946
• chore: bump sdk version to 6.12.3 by @​dielduarte in resend/resend-node#947

New Contributors

• @​ulrichstark made their first contribution in resend/resend-node#942
• @​wesleyramalho made their first contribution in resend/resend-node#902
• @​dielduarte made their first contribution in resend/resend-node#946

Full Changelog: resend/resend-node@v6.12.2...v6.12.3

Commits

• 3f41290 chore: bump sdk version to 6.12.3 (#947)
• 2679c32 chore: add missing suppressed event to resend node sdk interface (#946)
• 08cb7a1 chore(deps): update dependency @​biomejs/biome to v2.4.14 (#943)
• 20741e3 chore(deps): update dependency tsdown to v0.21.10 (#929)
• 4e26bc0 fix: correct paylaod into payload typo in contacts overload signatures (#...
• 9ca7487 chore(deps): upgrade svix to silence GHSA-w5hq-g745-h8pq (#942)
• 6759d31 chore(deps): update pnpm to v10.33.2 (#940)
• See full diff in compare view

Updates tailwind-merge from 3.5.0 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

• Add support for Tailwind CSS v4.3 by @​dcastil in dcastil/tailwind-merge#677
  • Add postfixLookupClassGroups option to config to support Tailwind utilities where a slash is part of the full class name, like named container queries
• Add support for readonly array values by @​unional in dcastil/tailwind-merge#652

Documentation

• Fix broken links in README by @​maurer2 in dcastil/tailwind-merge#662

Other

• Harden internal CI pipeline security by omitting git checkout by @​dcastil, suggested by @​kyletaylored in dcastil/tailwind-merge@6b2499c

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

Commits

• d54f7e5 v3.6.0
• 638871a Update README to add info about Tailwind CSS v4.3 support
• 39fc7b5 Revert "v3.6.0"
• bd8390f v3.6.0
• 802877c add v3.6.0 changelog
• a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
• 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
• 005af6d pin to specific version
• 5816ced implement breaking changes
• 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
• Additional commits viewable in compare view

Updates @tailwindcss/postcss from 4.2.4 to 4.3.0

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.3.0

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.3.0] - 2026-05-08

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

Commits

• 588bd73 4.3.0 (#20023)
• 12eb5ae Cleanup noisy test output (#20015)
• 4255671 Improve snapshot tests (#20013)
• 52f94c7 Improve codebase quality (#19999)
• d194d4c docs: fix various typos in comments and documentation (#19878)
• bfb5732 Fall back to the plugin base when PostCSS has no from option (#19980)
• 3a890c3 Bump dependencies (#19957)
• See full diff in compare view

Updates @types/jsdom from 28.0.0 to 28.0.2

Commits

• See full diff in compare view

Updates @types/node from 25.6.0 to 25.7.0

Commits

• See full diff in compare view

Updates eslint-config-next from 16.2.4 to 16.2.6

Release notes

Sourced from eslint-config-next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

• ee6e79b v16.2.6
• 766148f v16.2.5
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for eslint-config-next since your current version.

Updates tailwindcss from 4.2.4 to 4.3.0

Release notes

Sourced from tailwindcss's releases.

v4.3.0

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​16.2.4 ⏵ 16.2.6		+70	+1
	undici@​7.24.4
	openai@​6.36.0 ⏵ 6.37.0			+1	+1
	eslint-config-next@​16.2.4 ⏵ 16.2.6
	@​supabase/​supabase-js@​2.99.3 ⏵ 2.105.4	-3
	@​types/​jsdom@​28.0.0 ⏵ 28.0.2				+6
	@​types/​node@​25.6.0 ⏵ 25.7.0			+1	+1
	tailwindcss@​4.2.4 ⏵ 4.3.0
	react@​19.2.5 ⏵ 19.2.6
	tailwind-merge@​3.5.0 ⏵ 3.6.0	+1		+1
	puppeteer@​24.42.0 ⏵ 24.43.1	+8		+1
	react-dom@​19.2.5 ⏵ 19.2.6
	resend@​6.12.2 ⏵ 6.12.3
	@​tailwindcss/​postcss@​4.2.4 ⏵ 4.3.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/eslint-config-next@16.2.6 → npm/@typescript-eslint/eslint-plugin@8.59.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.59.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm puppeteer-core is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/puppeteer@24.43.1 → npm/puppeteer-core@24.43.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/puppeteer-core@24.43.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report