chore(deps): bump the production-minor-patch group across 1 directory with 14 updates

[dependabot]

Summary

• Tell dependabot to ignore @byteslice/result in upgrades
• Bump packages in the minor patch group

Depends on #488 and #489 being merged.

Tell dependabot to ignore @byteslice/result in upgrades

• @byteslice/results doesn't strictly follow semver
• It frequently breaks tests in dependabot PRs (chore(deps)(deps): bump the production-minor-patch group across 1 directory with 10 updates #455, this one)
• Tell dependabot to ignore it, we will upgrade it manually

Bump packages in the minor patch group

Bumps the production-minor-patch group with 14 updates in the / directory:

Package	From	To
@clack/prompts	1.3.0	1.4.0
posthog-node	5.33.5	5.34.2
zod	3.24.2	3.25.76
@rollup/rollup-linux-x64-gnu	4.60.3	4.60.4
@byteslice/result	0.2.0	0.3.0
@stricli/core	1.2.6	1.2.7
evlog	1.9.0	1.11.0
@anthropic-ai/claude-agent-sdk	0.2.138	0.3.143
@clerk/nextjs	7.3.0	7.3.5
next	15.5.10	15.5.18
tsx	4.21.0	4.22.1
typescript	5.6.3	5.9.3
vitest	3.1.3	3.2.4
vite	8.0.9	8.0.13

Updates @clack/prompts from 1.3.0 to 1.4.0

Release notes

Sourced from @​clack/prompts's releases.

@​clack/prompts@​1.4.0

Minor Changes

• 284677e: Support scrolling and maxItems option for groupMultiselect, and removes indent when withGuide is set to false

Patch Changes

• aab46a2: docs: add jsdoc for text, password, and multiline prompts
• 54be8d7: Fix line wrapping and overflow computation in group multi-select and other list-like prompts.
• Updated dependencies [54be8d7]
  • @​clack/core@​1.3.1

Changelog

Sourced from @​clack/prompts's changelog.

1.4.0

Minor Changes

• 284677e: Support scrolling and maxItems option for groupMultiselect, and removes indent when withGuide is set to false

Patch Changes

• aab46a2: docs: add jsdoc for text, password, and multiline prompts
• 54be8d7: Fix line wrapping and overflow computation in group multi-select and other list-like prompts.
• Updated dependencies [54be8d7]
  • @​clack/core@​1.3.1

Commits

• fe2bcd2 [ci] release (#530)
• aab46a2 docs: add jsdoc for text, password, and multiline prompts (#523)
• 54be8d7 fix: trim lines from correct end (#532)
• 284677e feat(prompts): support maxItems in groupMultiselect (#528)
• See full diff in compare view

Updates posthog-node from 5.33.5 to 5.34.2

Changelog

Sourced from posthog-node's changelog.

5.34.2

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.29.2

5.34.1

Patch Changes

• Updated dependencies [4b895bf]:
  • @​posthog/core@​1.29.1

5.34.0

Minor Changes

• #3599 ad60818 Thanks @​turnipdabeets! - Expose UUID and cookie helpers from @posthog/core and posthog-node for users managing distinct_id outside the browser SDK (e.g. Lambda functions handing out cross-domain redirects). The helpers were already implemented in @posthog/next — this change lifts them to core so all SDKs can re-use them. @posthog/next now re-exports the same surface from @posthog/core to keep existing consumers working without churn. Closes #2143. (2026-05-12)

Patch Changes

• Updated dependencies [ad60818]:
  • @​posthog/core@​1.29.0

5.33.7

Patch Changes

• Updated dependencies [223d925]:
  • @​posthog/core@​1.28.7

5.33.6

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.28.6

Commits

• 0a7143b chore: update versions and lockfile [version bump]
• 50480eb chore: update versions and lockfile [version bump]
• 417765c chore: update versions and lockfile [version bump]
• 4a4cf7e Revert reference files changes (#3601)
• ad60818 feat(node): expose UUID v7 and cookie helpers (#3599)
• 04e168f chore: update versions and lockfile [version bump]
• 5efb512 chore: update versions and lockfile [version bump]
• See full diff in compare view

Updates zod from 3.24.2 to 3.25.76

Release notes

Sourced from zod's releases.

v3.25.76

Commits:

• 91c9ca6385bef38278605294498af06c89b9aa68 fix: cleanup _idmap of $ZodRegistry (#4837)
• 9cce1c5779aea32d00226a931a7f67d3e2529d58 docs: fix typo in flattenError example on error-formatting page (#4819) (#4833)
• a3560aeb6c3a8675a932601be79cfae897eec9d9 v3.25.76 (#4838)
• 50606616c0d291caf3210a7521da51271b918333 Release 3.25.76
• 7baee4e17f86f4017e09e12b0acdee36a5b1c087 Update index.mdx (#4831)

v3.25.75

Commits:

• c5f349b6c4e76f879eba9fd350dd79950fcb02f9 Fix z.undefined() behavior in toJSONSchema

v3.25.74

Commits:

• ae0dbe1f79b2421f6d91ec0796295763436b26e2 Partial record
• 39c5f71c92b9c4c39fc0a59b9375204fa140eaf0 3.25.74

v3.25.73

Commits:

• 1021d3c230d41d600698a6d98b9db86c19f56904 v3.25.73 (#4822)

v3.25.72

Commits:

• 4a4dac7cfb787162eeb79165d39bbb4830d4a6de Warn about id uniqueness check on Metadata page (#4782)
• 7a5838dc0da967e15a217bf5abdd81f725da46c4 feat(locale): Add Esperanto (eo) locale (#4743)
• 36fe14e1472f2a7cd71415841be8832fc4e9acc5 Fix optionality of schemas (#4769)
• 20c8c4b67b508d653012808f69c43c7cfe5b39e3 Fix re-export bug
• 8b0df10c8757a5fbd75bd65128ae183d764b3304 3.25.72

v3.25.71

Commits:

• 66a0f34bfc746acddbfb68426b8b1b3f1d3d1727 Move source to /src (#4808)
• 2a15f44606fd66335c6ebc1f91d702bb6bc95693 3.25.71

v3.25.70

Commits:

• bd81c7cfaa03f61365d1c708c7e0f1cac54ea9ca Add ecosystem listing to homepage
• 1ddb9719564e644722852193930a09d54f720443 Add Mobb to sponsors
• 30ba440859f5b9184817f578626ff85d484aec27 Clean up ecosystem.mdx
• 0ef1b85b5923a1a06a2afab47dbad249d105a997 Add svelte-jsonschema-form to form integrations (#4784)
• 14715f147363e88e73190bb6ddbdf008914f0b19 docs: fix Lambda spelling (#4804)
• f6da030188ea30defc025bbc672e5a81fbe93078 Add back src (#4806)
• 364200a67c9f74ef252dbfa65ea93aab8fb15c06 Revert "Add back src (#4806)"

... (truncated)

Commits

• 463f03e Release 3.25.76
• fa2791d Detect cycle on root schema. Closes #4651
• 7a51879 Set when converting registry to JSON Schema. Closes #4620
• db354b6 Update docs
• e542398 Add when param. Clean up z.check. Closes #4598
• c842698 Implement .clear() in . Fixes #4834
• 9f122ae Add toString to ZodError. Fixes #4830
• 0df5f69 Fix tests
• c5f349b Fix z.undefined() behavior in toJSONSchema
• 5267f90 Improve recursive types
• Additional commits viewable in compare view

Updates @rollup/rollup-linux-x64-gnu from 4.60.3 to 4.60.4

Release notes

Sourced from @​rollup/rollup-linux-x64-gnu's releases.

v4.60.4

4.60.4

2026-05-14

Bug Fixes

• Improve stability of chunk hashes (#6362)

Pull Requests

• #6362: fix: stabilize chunk assignment across parallel file reads (@​sonukapoor, @​Sonu Kapoor, @​TrickyPi, @​lukastaegert)
• #6370: fix(deps): update minor/patch updates (@​renovate[bot])
• #6371: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6372: chore(deps): update react monorepo to v19 (major) (@​renovate[bot])
• #6373: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6375: Resolve vulnerabilities (@​lukastaegert)

Changelog

Sourced from @​rollup/rollup-linux-x64-gnu's changelog.

4.60.4

2026-05-14

Bug Fixes

• Improve stability of chunk hashes (#6362)

Pull Requests

• #6362: fix: stabilize chunk assignment across parallel file reads (@​sonukapoor, @​Sonu Kapoor, @​TrickyPi, @​lukastaegert)
• #6370: fix(deps): update minor/patch updates (@​renovate[bot])
• #6371: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6372: chore(deps): update react monorepo to v19 (major) (@​renovate[bot])
• #6373: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6375: Resolve vulnerabilities (@​lukastaegert)

Commits

• d311a84 4.60.4
• 6aa3248 fix: stabilize chunk assignment across parallel file reads (#6362)
• 82a0fe7 Resolve vulnerabilities (#6375)
• 71f5ebc chore(deps): update dependency lru-cache to v11 (#6371)
• af91d77 chore(deps): lock file maintenance (#6373)
• 65e7b94 chore(deps): update react monorepo to v19 (major) (#6372)
• 642587f fix(deps): update minor/patch updates (#6370)
• See full diff in compare view

Updates @byteslice/result from 0.2.0 to 0.3.0

Release notes

Sourced from @​byteslice/result's releases.

@​byteslice/result@​0.3.0

Minor Changes

• 83fe1d3: Modified failure option to permit object with error property.
• 83fe1d3: Renamed optional withResult parameter to options.

@​byteslice/result@​0.2.2

Patch Changes

• 28bb191: Added project homepage to manifest.

@​byteslice/result@​0.2.1

Patch Changes

• a02e44d: Added "motivation" section to documentation.

Changelog

Sourced from @​byteslice/result's changelog.

0.3.0

Minor Changes

• 83fe1d3: Modified failure option to permit object with error property.
• 83fe1d3: Renamed optional withResult parameter to options.

0.2.2

Patch Changes

• 28bb191: Added project homepage to manifest.

0.2.1

Patch Changes

• a02e44d: Added "motivation" section to documentation.

Commits

• d54ccc3 chore(repo): version workspaces (#35)
• 83fe1d3 feat(result): modified failure option (#34)
• 024308e chore(repo): version workspaces (#26)
• 28bb191 chore: add homepage to manifest (#25)
• b06884b chore(repo): version workspaces (#24)
• a02e44d docs(result): add motivation section (#23)
• See full diff in compare view

Updates @stricli/core from 1.2.6 to 1.2.7

Release notes

Sourced from @​stricli/core's releases.

v1.2.7

🩹 Fixes

• only set exit code if not set by application (85a4a14)
• remove unnecessary logging (ca534c9)
• treat empty string as true for loose boolean parser (6c2e6b6)
• use loose boolean parser to check env vars (6a7f180)
• allow override for formatException on formatting object (2f2ed04)
• allow single application text, disabling locale support (d7de2b1)

❤️ Thank You

• Michael Molisani

Changelog

Sourced from @​stricli/core's changelog.

1.2.7 (2026-05-04)

🩹 Fixes

• only set exit code if not set by application (85a4a14)
• remove unnecessary logging (ca534c9)
• treat empty string as true for loose boolean parser (6c2e6b6)
• use loose boolean parser to check env vars (6a7f180)
• allow override for formatException on formatting object (2f2ed04)
• allow single application text, disabling locale support (d7de2b1)

❤️ Thank You

• Michael Molisani
• mmolisani

Commits

• fc7e3ec chore(release): 1.2.7
• b665505 docs: prioritize app text, locale support is additional
• d7de2b1 fix: allow single application text, disabling locale support
• ada556e docs: add formatException to application text section
• 2f2ed04 fix: allow override for formatException on formatting object
• 0adf0de test: reorganize test to reduce file sizes
• 6a7f180 fix: use loose boolean parser to check env vars
• 6c2e6b6 fix: treat empty string as true for loose boolean parser
• ca534c9 fix: remove unnecessary logging
• b0214c6 ci: remove step that ensured npm was updated to latest
• Additional commits viewable in compare view

Updates evlog from 1.9.0 to 1.11.0

Release notes

Sourced from evlog's releases.

evlog@1.11.0

What's Changed

Features 🚀

• feat: improve landing page by @​HugoRCD in HugoRCD/evlog#98
• feat: add tanstack-start support and example by @​HugoRCD in HugoRCD/evlog#102

Bug Fixes 🐞

• fix: await drain when waitUntil is unavailable by @​HugoRCD in HugoRCD/evlog#100

Dependency Updates 📦

• chore(deps): lock file maintenance by @​renovate[bot] in HugoRCD/evlog#91

Full Changelog: https://github.com/HugoRCD/evlog/compare/@​evlog/nuxthub@1.1.0...evlog@1.11.0

evlog@1.10.0

What's Changed

Features 🚀

• feat(evlog): add first-class support for next.js by @​HugoRCD in HugoRCD/evlog#97

Bug Fixes 🐞

• fix(nuxthub): add retry with backoff to drain insert by @​HugoRCD in HugoRCD/evlog#95

Documentation 📚

• docs: various improvements by @​atinux in HugoRCD/evlog#94

Dependency Updates 📦

• chore(deps): update all non-major dependencies by @​renovate[bot] in HugoRCD/evlog#90

New Contributors

• @​atinux made their first contribution in HugoRCD/evlog#94

Full Changelog: https://github.com/HugoRCD/evlog/compare/@​evlog/nuxthub@1.0.0...evlog@1.10.0

Commits

• c8647b3 chore(repo): version packages (#101)
• 1f7c43f fix: prevent unnecessary major bumps on peer dependents
• 059114f chore: add missing CHANGELOG.md for @​evlog/nuxthub
• db98326 feat: add tanstack-start support and example (#102)
• 7e9d7f5 re-add changelog file
• 46c9b44 fix: await drain when waitUntil is unavailable (#100)
• a270f55 improve responsive
• d6cc1d0 chore(deps): lock file maintenance (#91)
• 91d16a4 perf: optimize images (#99)
• 372f5d2 feat: improve landing page (#98)
• Additional commits viewable in compare view

Updates @anthropic-ai/claude-agent-sdk from 0.2.138 to 0.3.143

Release notes

Sourced from @​anthropic-ai/claude-agent-sdk's releases.

v0.3.143

What's changed

• @anthropic-ai/sdk and @modelcontextprotocol/sdk are now peerDependencies instead of dependencies. Runtime is unaffected (both are bundled); npm/bun/pnpm auto-install them. yarn classic users should add them explicitly for full TypeScript type resolution

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.143
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.143
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.143
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.143

v0.3.142

What's changed

• Breaking: Removed the v2 session API (unstable_v2_createSession, unstable_v2_resumeSession, unstable_v2_prompt, SDKSession, SDKSessionOptions), deprecated since 0.2.133. Use query() — pass an AsyncIterable<SDKUserMessage> for multi-turn, or options.resume to continue a session.
• Breaking: MCP servers now connect in the background by default; sessions start immediately and slow servers report status: "pending" in init until ready. Set MCP_CONNECTION_NONBLOCKING=0 to restore the old behavior of waiting up to 5s before the first query, or mark a server alwaysLoad: true to require it in turn 1.
• Breaking: Headless and SDK sessions now use Task tools (TaskCreate / TaskUpdate / TaskGet / TaskList) instead of TodoWrite, deprecated since 0.2.136. Tool consumers should accumulate by task ID instead of replacing a snapshot list.
• Surfaced request_id, subagent_type, and task_description on SDK message types and task system events
• Headless --sdk-url sessions now exit non-zero with a stderr diagnostic when the remote transport closes permanently (401/403/404 or WS permanent close), instead of silently exiting 0

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.142
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.142
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.142
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.142

v0.2.141

What's changed

• TaskCreateInput, TaskCreateOutput, TaskGetInput, TaskGetOutput, TaskUpdateInput, TaskUpdateOutput, TaskListInput, and TaskListOutput types are now exported from @anthropic-ai/claude-agent-sdk/sdk-tools and included in the ToolInputSchemas/ToolOutputSchemas unions
• Aligned @anthropic-ai/sdk dependency to ^0.93.0

Update

npm install @anthropic-ai/claude-agent-sdk@0.2.141
# or
yarn add @anthropic-ai/claude-agent-sdk@0.2.141
</tr></table> 

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-agent-sdk's changelog.

0.3.143

• @anthropic-ai/sdk and @modelcontextprotocol/sdk are now peerDependencies instead of dependencies. Runtime is unaffected (both are bundled); npm/bun/pnpm auto-install them. yarn classic users should add them explicitly for full TypeScript type resolution

0.3.142

• Breaking: Removed the v2 session API (unstable_v2_createSession, unstable_v2_resumeSession, unstable_v2_prompt, SDKSession, SDKSessionOptions), deprecated since 0.2.133. Use query() — pass an AsyncIterable<SDKUserMessage> for multi-turn, or options.resume to continue a session.
• Breaking: MCP servers now connect in the background by default; sessions start immediately and slow servers report status: "pending" in init until ready. Set MCP_CONNECTION_NONBLOCKING=0 to restore the old behavior of waiting up to 5s before the first query, or mark a server alwaysLoad: true to require it in turn 1.
• Breaking: Headless and SDK sessions now use Task tools (TaskCreate / TaskUpdate / TaskGet / TaskList) instead of TodoWrite, deprecated since 0.2.136. Tool consumers should accumulate by task ID instead of replacing a snapshot list.
• Surfaced request_id, subagent_type, and task_description on SDK message types and task system events
• Headless --sdk-url sessions now exit non-zero with a stderr diagnostic when the remote transport closes permanently (401/403/404 or WS permanent close), instead of silently exiting 0

0.2.141

• TaskCreateInput, TaskCreateOutput, TaskGetInput, TaskGetOutput, TaskUpdateInput, TaskUpdateOutput, TaskListInput, and TaskListOutput types are now exported from @anthropic-ai/claude-agent-sdk/sdk-tools and included in the ToolInputSchemas/ToolOutputSchemas unions
• Aligned @anthropic-ai/sdk dependency to ^0.93.0

0.2.140

• Updated to parity with Claude Code v2.1.140

0.2.139

• Updated to parity with Claude Code v2.1.139

Commits

• fa5d004 chore: Update CHANGELOG.md
• dcac163 chore: Update CHANGELOG.md
• b6d0490 chore: Update CHANGELOG.md
• b14b7c9 chore: Update CHANGELOG.md
• ee3fe61 chore: Update CHANGELOG.md
• See full diff in compare view

Updates @clerk/nextjs from 7.3.0 to 7.3.5

Release notes

Sourced from @​clerk/nextjs's releases.

@​clerk/nextjs@​7.3.5

Patch Changes

• Bump next devDependency to 15.5.18 to pick up the fix for GHSA-26hh-7cqf-hhc6, a high-severity (CVSS 7.5) Middleware/Proxy bypass in App Router applications via segment-prefetch routes (incomplete-fix follow-up). If you use the Next.js App Router, we recommend upgrading to Next.js 15.5.18, 16.2.6, or a later patched release. The 16.0.0 through 16.2.5 versions are still affected. (#8547) by @​jacekradko

• Updated dependencies [9fa6642, 930047f, b45777c, 5441d86, 5a7225e]:

  • @​clerk/shared@​4.12.0
  • @​clerk/react@​6.6.4
  • @​clerk/backend@​3.4.9

Changelog

Sourced from @​clerk/nextjs's changelog.

7.3.5

Patch Changes

• Bump next devDependency to 15.5.18 to pick up the fix for GHSA-26hh-7cqf-hhc6, a high-severity (CVSS 7.5) Middleware/Proxy bypass in App Router applications via segment-prefetch routes (incomplete-fix follow-up). If you use the Next.js App Router, we recommend upgrading to Next.js 15.5.18, 16.2.6, or a later patched release. The 16.0.0 through 16.2.5 versions are still affected. (#8547) by @​jacekradko

• Updated dependencies [9fa6642, 930047f, b45777c, 5441d86, 5a7225e]:

  • @​clerk/shared@​4.12.0
  • @​clerk/react@​6.6.4
  • @​clerk/backend@​3.4.9

7.3.4

Patch Changes

• Updated dependencies [1a4d7d1, a6916b1, 1084180, ee25cf2, 39099b6, 2377305, 18e0a1a]:
  • @​clerk/shared@​4.11.0
  • @​clerk/backend@​3.4.8
  • @​clerk/react@​6.6.3

7.3.3

Patch Changes

• Updated dependencies [0ab09a8, 6408ab6, 5cda3ee]:
  • @​clerk/backend@​3.4.7
  • @​clerk/shared@​4.10.2
  • @​clerk/react@​6.6.2

7.3.2

Patch Changes

• Improved auth() error message when clerkMiddleware() is not detected to mention that infrastructure issues (e.g. edge runtime errors or platform outages) can also cause this error. (#8007) by @​jacekradko

• Updated dependencies [7a5892f]:

  • @​clerk/backend@​3.4.6
  • @​clerk/shared@​4.10.1
  • @​clerk/react@​6.6.1

7.3.1

Patch Changes

• Enforce middleware authorization during the keyless bootstrap window. auth.protect() and custom authorization checks now fail closed instead of being bypassed while the publishable key is being provisioned. (#8369) by @​jacekradko

• Updated dependencies [9e9230c, 68d32df, 1c27d4d, 1001193]:

  • @​clerk/shared@​4.10.0
  • @​clerk/react@​6.6.0
  • @​clerk/backend@​3.4.5

Commits

• 166733f ci(repo): Version packages (#8555)
• 54ddc2f chore(nextjs): Update next to patched versions for GHSA-26hh-7cqf-hhc6 (#8547)
• 8a81fb0 ci(repo): Version packages (#8518)
• ba158ac ci(repo): Version packages (#8501)
• 4c44aa6 ci(repo): Version packages (#8484)
• 30ec271 fix(nextjs): improve auth() error message to mention infrastructure failures ...
• cd6c4b7 ci(repo): Version packages (#8440)
• f1d257d fix(nextjs): enforce middleware authorization during keyless bootstrap (#8369)
• See full diff in compare view

Updates next from 15.5.10 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE]

... (truncated)

Commits

• 9ff92ce v15.5.18
• 00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
• 62c97ab v15.5.17
• 423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
• fa78739 Turbopack: Fix middleware matcher suffix (#93590)
• 36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
• 36589b5 [backport][test] Pin package manager to patch versions (#93596)
• ad6fd4e v15.5.16
• 79d7dff Ignore malformed CSP nonce headers (#103)
• c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates tsx from 4.21.0 to 4.22.1

Release notes

Sourced from tsx's releases.

v4.22.1

4.22.1 (2026-05-17)

Bug Fixes

• resolve tsconfig path aliases containing a colon (#780) (6979f28)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.0

4.22.0 (2026-05-14)

Features

• upgrade esbuild to 0.28 (#789) (b29f6ee)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.21.1

4.21.1 (2026-05-14)

Bug Fixes

• support Node 20.11/21.2 import.meta paths (acf3d8f)
• support Node.js 24.15.0 (c1d2d45)
• support Node.js 26.1.0 and 25.9.0 (1d7e528)

---

This release is also available on:

• npm package (@​latest dist-tag)

Commits

• 6979f28 fix: resolve tsconfig path aliases containing a colon (#780)
• b29f6ee feat: upgrade esbuild to 0.28 (#789)
• 0dd17e9 test: cover registerHooks loader composition
• acf3d8f fix: support Node 20.11/21.2 import.meta paths
• 4bbef80 test: cover configDir paths without baseUrl
• dddc5ce test: cover sync-hook watch reruns and cleanup retries
• 09e8f8c test: assert CLI runs without warnings
• 1d7e528 fix: support Node.js 26.1.0 and 25.9.0
• c1d2d45 fix: support Node.js 24.15.0
• d04672d test: update node version feature gates
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for tsx since your current version.

Updates typescript from 5.6.3 to 5.9.3

Release notes

Sourced from typescript's releases.

TypeScript 5.9.3

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)
• fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

• npm

TypeScript 5.9

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)

Downloads are available on:

• npm

TypeScript 5.9 RC

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).

[dependabot]

Labels

The following labels could not be found: supply-chain. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3e5fdd7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[auxesis]

Hold off merging until #488 and #489 are merged, otherwise there's a 50/50 chance we'll see a test failure on merge to main.