deps(deps): bump the minor-and-patch group with 36 updates#119

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/minor-and-patch-e13ce11646

dependabot[bot] commented on behalf of github on Jun 29, 2026

Bumps the minor-and-patch group with 36 updates:

| Package | From | To |
| --- | --- | --- |
| @noriginmedia/norigin-spatial-navigation | 3.1.0 | 3.2.0 |
| @radix-ui/react-dialog | 1.1.15 | 1.1.17 |
| @radix-ui/react-dropdown-menu | 2.1.16 | 2.1.18 |
| @radix-ui/react-progress | 1.1.8 | 1.1.10 |
| @radix-ui/react-scroll-area | 1.2.10 | 1.2.12 |
| @radix-ui/react-separator | 1.1.8 | 1.1.10 |
| @radix-ui/react-slider | 1.3.6 | 1.4.1 |
| @radix-ui/react-slot | 1.2.4 | 1.3.0 |
| @radix-ui/react-tabs | 1.1.13 | 1.1.15 |
| @radix-ui/react-toast | 1.2.15 | 1.2.17 |
| @radix-ui/react-tooltip | 1.2.8 | 1.2.10 |
| @supabase/supabase-js | 2.99.3 | 2.108.2 |
| framer-motion | 12.38.0 | 12.42.0 |
| imapflow | 1.3.6 | 1.4.3 |
| ioredis | 5.10.1 | 5.11.1 |
| isomorphic-dompurify | 3.12.0 | 3.18.0 |
| lucide-react | 1.14.0 | 1.22.0 |
| mailparser | 3.9.9 | 3.9.12 |
| next | 16.2.4 | 16.2.9 |
| openai | 6.36.0 | 6.45.0 |
| posthog-js | 1.381.0 | 1.396.2 |
| react | 19.2.5 | 19.2.7 |
| @types/react | 19.2.14 | 19.2.17 |
| react-dom | 19.2.5 | 19.2.7 |
| resend | 6.12.2 | 6.16.0 |
| tailwind-merge | 3.5.0 | 3.6.0 |
| video.js | 8.23.7 | 8.23.9 |
| @playwright/test | 1.60.0 | 1.61.1 |
| @tailwindcss/postcss | 4.2.4 | 4.3.2 |
| @types/jsdom | 28.0.0 | 28.0.3 |
| @vitest/coverage-v8 | 4.1.8 | 4.1.9 |
| eslint-config-next | 16.2.4 | 16.2.9 |
| postcss | 8.5.14 | 8.5.16 |
| tailwindcss | 4.2.4 | 4.3.2 |
| tsx | 4.21.0 | 4.22.4 |
| vitest | 4.1.8 | 4.1.9 |

Updates @noriginmedia/norigin-spatial-navigation from 3.1.0 to 3.2.0

Release notes

Sourced from @​noriginmedia/norigin-spatial-navigation's releases.

@​noriginmedia/norigin-spatial-navigation-core@​3.2.0

Minor Changes

  • a18ed66: Add focusOnPresetKey init option (default true) to control whether a component is automatically focused when it is added and its focus key was already set as the current focus key (e.g. setFocus was called before the component mounted). Set it to false to disable this implicit refocus on add.

@​noriginmedia/norigin-spatial-navigation-react@​3.2.0

Minor Changes

  • a18ed66: Add focusOnPresetKey init option (default true) to control whether a component is automatically focused when it is added and its focus key was already set as the current focus key (e.g. setFocus was called before the component mounted). Set it to false to disable this implicit refocus on add.

Patch Changes

  • Updated dependencies [a18ed66]
    • @​noriginmedia/norigin-spatial-navigation-core@​3.2.0

@​noriginmedia/norigin-spatial-navigation@​3.2.0

Minor Changes

  • a18ed66: Add focusOnPresetKey init option (default true) to control whether a component is automatically focused when it is added and its focus key was already set as the current focus key (e.g. setFocus was called before the component mounted). Set it to false to disable this implicit refocus on add.

Patch Changes

  • Updated dependencies [a18ed66]
    • @​noriginmedia/norigin-spatial-navigation-core@​3.2.0
    • @​noriginmedia/norigin-spatial-navigation-react@​3.2.0
Commits

Updates @radix-ui/react-dialog from 1.1.15 to 1.1.17

Changelog

Sourced from @​radix-ui/react-dialog's changelog.

1.1.17

  • Removed dev-only warnings for dialogs when title and/or description is not rendered.
  • Fixed Dismissable Layer so outside interactions stopped by extension UI overlays do not dismiss dialogs or popovers.
  • Updated dependencies: @radix-ui/react-slot@1.3.0, @radix-ui/react-dismissable-layer@1.1.13, @radix-ui/react-primitive@2.1.6, @radix-ui/react-focus-scope@1.1.10, @radix-ui/react-portal@1.1.12

1.1.16

  • Fixed disabled pointer events in closed dialogs
  • Fixed a bug where iOS text selection and editing on HTML inputs within react-dialog were broken
  • Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
  • Added repository.directory to all package.json files
  • Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-slot@1.2.5, @radix-ui/react-focus-guards@1.1.4, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-focus-scope@1.1.9, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-dialog since your current version.


Updates @radix-ui/react-dropdown-menu from 2.1.16 to 2.1.18

Changelog

Sourced from @​radix-ui/react-dropdown-menu's changelog.

2.1.18

  • Fixed a bug where menus and submenus remained open after a window loses focus.
  • Updated dependencies: @radix-ui/react-menu@2.1.18, @radix-ui/react-primitive@2.1.6

2.1.17

  • Added repository.directory to all package.json files
  • Updated dependencies: @radix-ui/react-menu@2.1.17, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-dropdown-menu since your current version.


Updates @radix-ui/react-progress from 1.1.8 to 1.1.10

Changelog

Sourced from @​radix-ui/react-progress's changelog.

1.1.10

  • Updated dependencies: @radix-ui/react-primitive@2.1.6

1.1.9

  • Added repository.directory to all package.json files
  • Updated dependencies: @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-progress since your current version.


Updates @radix-ui/react-scroll-area from 1.2.10 to 1.2.12

Changelog

Sourced from @​radix-ui/react-scroll-area's changelog.

1.2.12

  • Stabilized the viewport style tag unless the nonce changes.
  • Fixed Duplicate index signature errors that surfaced when consuming multiple packages together.
  • Updated dependencies: @radix-ui/react-primitive@2.1.6

1.2.11

  • Fixed missing data-state attribute for Scroll Area scrollbars
  • Added repository.directory to all package.json files
  • Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-direction@1.1.2, @radix-ui/number@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-layout-effect@1.1.2
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-scroll-area since your current version.


Updates @radix-ui/react-separator from 1.1.8 to 1.1.10

Changelog

Sourced from @​radix-ui/react-separator's changelog.

1.1.10

  • Updated dependencies: @radix-ui/react-primitive@2.1.6

1.1.9

  • Added repository.directory to all package.json files
  • Updated dependencies: @radix-ui/react-primitive@2.1.5
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-separator since your current version.


Updates @radix-ui/react-slider from 1.3.6 to 1.4.1

Changelog

Sourced from @​radix-ui/react-slider's changelog.

1.4.1

  • Fixed Duplicate index signature errors that surfaced when consuming multiple packages together.
  • Updated dependencies: @radix-ui/react-primitive@2.1.6, @radix-ui/react-collection@1.1.10

1.4.0

  • Added unstable ThumbProvider, ThumbTrigger, and BubbleInput parts to Slider. SliderThumb was previously a single component that implicitly rendered a hidden native input for form submission. It is now composed from these new parts, which are exposed so consumers can decouple the bubble input from the thumb (for example, to render or customize it independently) instead of relying on SliderThumb to render it implicitly. SliderThumb continues to render all three by default, so existing usage is unaffected.
  • Added focusVisible for non-keyboard interactions with slider thumbs for progressively enabling styles using :focus-visible alongside programmatic focus management
  • Fixed Slider focus bugs in scrollable context
  • Fixed a Slider bug where very small step values made the thumbs unresponsive
  • Added repository.directory to all package.json files
  • Updated dependencies: @radix-ui/react-collection@1.1.9, @radix-ui/react-direction@1.1.2, @radix-ui/number@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-use-size@1.1.2
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-slider since your current version.


Updates @radix-ui/react-slot from 1.2.4 to 1.3.0

Changelog

Sourced from @​radix-ui/react-slot's changelog.

1.3.0

Added generic type arguments for SlotProps and createSlot

SlotProps and createSlot now accept generic type arguments to specify the type of element a slot should render, as well as its props.

const Slot = createSlot<HTMLButtonElement, MyCustomButtonProps>("Slot");

1.2.5

  • Fixed infinite re-render loop in React 19 caused by Slot creating a new ref callback on every render
  • Added support for nested Slottable via a render prop, so a slotted element can be wrapped while still merging Slot props and refs onto it
  • Added repository.directory to all package.json files
  • Improved error messages for invalid slot children
  • Updated dependencies: @radix-ui/react-compose-refs@1.1.3
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-slot since your current version.


Updates @radix-ui/react-tabs from 1.1.13 to 1.1.15

Changelog

Sourced from @​radix-ui/react-tabs's changelog.

1.1.15

  • Updated dependencies: @radix-ui/react-primitive@2.1.6, @radix-ui/react-roving-focus@1.1.13

1.1.14

  • Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
  • Added repository.directory to all package.json files
  • Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-roving-focus@1.1.12, @radix-ui/react-use-controllable-state@1.2.3
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-tabs since your current version.


Updates @radix-ui/react-toast from 1.2.15 to 1.2.17

Changelog

Sourced from @​radix-ui/react-toast's changelog.

1.2.17

  • Updated dependencies: @radix-ui/react-dismissable-layer@1.1.13, @radix-ui/react-primitive@2.1.6, @radix-ui/react-collection@1.1.10, @radix-ui/react-portal@1.1.12, @radix-ui/react-visually-hidden@1.2.6

1.2.16

  • Allow to specify container for ToastAnnounce
  • Added repository.directory to all package.json files
  • Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/react-collection@1.1.9, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-visually-hidden@1.2.5
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-toast since your current version.


Updates @radix-ui/react-tooltip from 1.2.8 to 1.2.10

Changelog

Sourced from @​radix-ui/react-tooltip's changelog.

1.2.10

  • Updated dependencies: @radix-ui/react-slot@1.3.0, @radix-ui/react-popper@1.3.1, @radix-ui/react-dismissable-layer@1.1.13, @radix-ui/react-primitive@2.1.6, @radix-ui/react-portal@1.1.12, @radix-ui/react-visually-hidden@1.2.6

1.2.9

  • Fixed runtime error when event target is non-Node
  • Fixed a Tooltip bug so that skipDelayDuration={0} works as expected. Previously, the open delay could still be skipped when moving between triggers.
  • Added repository.directory to all package.json files
  • Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-popper@1.3.0, @radix-ui/react-slot@1.2.5, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-visually-hidden@1.2.5
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-tooltip since your current version.


Updates @supabase/supabase-js from 2.99.3 to 2.108.2

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.108.2

2.108.2 (2026-06-15)

🩹 Fixes

  • auth: preserve valid session on refresh failure and cooldown repeat failures (#2436)
  • realtime: clarify httpSend() 404 error and server migration note (#2444)
  • release: pin Deno and bound JSR publish to survive stranded-task hangs (#2439)
  • release: restore JSR publish flags and enable for beta (#2440)

❤️ Thank You

v2.108.2-canary.5

2.108.2-canary.5 (2026-06-15)

This was a version bump only, there were no code changes.

v2.108.2-canary.4

2.108.2-canary.4 (2026-06-12)

🩹 Fixes

  • realtime: clarify httpSend() 404 error and server migration note (#2444)

❤️ Thank You

v2.108.2-canary.3

2.108.2-canary.3 (2026-06-11)

This was a version bump only, there were no code changes.

v2.108.2-canary.2

2.108.2-canary.2 (2026-06-11)

🩹 Fixes

  • release: restore JSR publish flags and enable for beta (#2440)

❤️ Thank You

v2.108.2-canary.1

2.108.2-canary.1 (2026-06-11)

🩹 Fixes

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.108.2 (2026-06-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.108.0 (2026-06-08)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.107.0 (2026-06-02)

🚀 Features

  • auth: remove navigator.locks-based mutex; introduce commit guard + dispose() (#2392)
  • supabase: update X-Client-Info to structured metadata format (#2359)
  • realtime: allow httpSend to send binary payload (#2400)

❤️ Thank You

2.106.2 (2026-05-25)

🩹 Fixes

  • misc: add react-native export condition for Hermes-safe resolution (#2393)

❤️ Thank You

2.106.1 (2026-05-20)

🩹 Fixes

  • misc: hide dynamic import from hermesc (#2381)

❤️ Thank You

2.106.0 (2026-05-18)

🚀 Features

  • supabase: W3C/OpenTelemetry trace context propagation (#2163)

... (truncated)

Commits
  • 76f3f02 test(auth): add passkey unit and e2e coverage (#2442)
  • 65fafe5 chore(release): version 2.108.0 changelogs (#2433)
  • 57014e1 chore(release): version 2.107.0 changelogs (#2421)
  • 54ec2b6 feat(auth): remove navigator.locks-based mutex; introduce commit guard + disp...
  • 3397c92 feat(supabase): update X-Client-Info to structured metadata format (#2359)
  • 335207f feat(realtime): allow httpSend to send binary payload (#2400)
  • 42f12dd docs(repo): ship per-package AGENTS.md and migrations via npm (#2397)
  • b200b74 chore(release): version 2.106.2 changelogs (#2396)
  • a5f09cf chore(repo): adopt pnpm catalog and clean up devDeps (#2389)
  • c72cc56 fix(misc): add react-native export condition for Hermes-safe resolution (#2393)
  • Additional commits viewable in compare view

Updates framer-motion from 12.38.0 to 12.42.0

Changelog

Sourced from framer-motion's changelog.

[12.42.0] 2026-06-24

Changed

  • animateView: Layers are automatically grouped to match their DOM-hierarchy. New .group(false) method opts-out.

Fixed

  • animateView: Auto-crop is now aspect-ratio aware, disabling crops for matching aspect-ratios.
  • animateView: Disabled automatic border-radius animation.

[12.41.0] 2026-06-23

Added

  • animateView: Moves from Motion+ Early Access and alpha to main library.
  • animateView: .add() resolves a CSS selector or Element to automatically generate, apply and remove view-transition-name.
  • animateView: .new() and .old() configures values to animate on new and old layers.
  • animateView: .layout() can set a custom transition on the size/position animation of the currently selected elements.
  • animateView: Group layers now automatically crop with children set to cover, with border-radius animating from old radius to new. .crop(false) disables this behaviour.
  • animateView: .class(name) tags currently selected elements with a view-transition-class as a custom CSS hook.

Fixed

  • AnimatePresence: Prevent stuck exit animations when children interrupt.
  • drag: Child e.stopPropagation() no longer break drag end.
  • Fixing Next.js OOM on Windows when importing via motion package.
  • animateLayout: Improve handling of parallel/interleaved calls.

Changed

  • animateView: .enter() and .exit() now refer specifically to new and old layers where there are no matching old or new layers.
  • animateView: Interrupted transition setups now return resolved animation rather than throwing.

[12.40.0] 2026-05-21

Added

  • path option to transition.
  • arc() for motion along an arc.

[12.39.0] 2026-05-18

Added

  • Support for repeatType and repeatDelay in animation sequences.

Fixed

  • Variants: Re-run keyframe animations when switching between variant labels even when they share identical keyframe arrays.

... (truncated)

Commits
  • 9c84145 v12.42.0
  • 60d7c72 Add view-transition group nesting and aspect-aware cropping
  • 6437276 Updating
  • f0f893e v12.41.0
  • c0c53cb Updating changelog
  • 18c3e3e Removing plans
  • 378fc4c Merge pull request #3761 from motiondivision/worktree-view-target
  • 94ea505 Merge branch 'main' into worktree-view-target
  • de65f6b Fade auto morph crossfades over the spring's visual duration
  • f8af239 Let an explicit duration override the inherited spring on a view layer
  • Additional commits viewable in compare view

Updates imapflow from 1.3.6 to 1.4.3

Changelog

Sourced from imapflow's changelog.

1.4.3 (2026-06-26)

Bug Fixes

  • update dependencies (libmime 5.4.0, mailsplit 5.4.13) (ae175eb)

1.4.2 (2026-06-19)

Bug Fixes

  • bump nodemailer to 9.0.1 (9c46aa9)

1.4.1 (2026-06-15)

Bug Fixes

  • ship refreshed dependencies (nodemailer 9, updated toolchain) (e1d36e6)

1.4.0 (2026-06-09)

Features

  • add Gmail label search term to the search compiler (4b2d173)

1.3.7 (2026-06-08)

Bug Fixes

  • harden FLAGS guard and bring lib to full test coverage (6666bec)
Commits
  • 57cffd4 chore(master): release 1.4.3 [skip-ci] (#362)
  • ae175eb fix: update dependencies (libmime 5.4.0, mailsplit 5.4.13)
  • 03f6831 chore(master): release 1.4.2 [skip-ci] (#361)
  • 9c46aa9 fix: bump nodemailer to 9.0.1
  • 2a02044 chore(master): release 1.4.1 [skip-ci] (#359)
  • e1d36e6 fix: ship refreshed dependencies (nodemailer 9, updated toolchain)
  • cb2503a chore: refresh dependencies and align project tooling with EmailEngine
  • 5b13151 chore(master): release 1.4.0 [skip-ci] (#358)
  • 4b2d173 feat: add Gmail label search term to the search compiler
  • c0969c6 chore(master): release 1.3.7 [skip-ci] (#357)
  • Additional commits viewable in compare view

Updates ioredis from 5.10.1 to 5.11.1

Release notes

Sourced from ioredis's releases.

v5.11.1

5.11.1 (2026-06-04)

Bug Fixes

  • cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)
  • parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

v5.11.0

5.11.0 (2026-05-26)

Bug Fixes

Features

Changelog

Sourced from ioredis's changelog.

5.11.1 (2026-06-04)

Bug Fixes

  • cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)
  • parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

5.11.0 (2026-05-26)

Bug Fixes

Features

Commits
  • fb224a7 chore(release): 5.11.1 [skip ci]
  • 131ee24 fix: parse protocol-relative Redis URLs as TCP connections (#2125)
  • c84b2ee fix(cluster): reconnect to nodes that restart without slot changes (#2096)
  • 1490432 chore(release): 5.11.0 [skip ci]
  • 5359d4d refactor(utils): inline defaults and isArguments helpers (#2107)
  • b7b3def feat: add vector set command support (#2116)
  • faa53fd ci: update Node.js and Redis test matrix (#2119)
  • 37d0695 feat: add increx command (#2115)
  • 612ee9d chore: update Redis 8.8 test image to custom (#2118)
  • baf68d6 feat: add array commands, typings and tests (#2114)
  • Additional commits viewable in compare view

Updates isomorphic-dompurify from 3.12.0 to 3.18.0

Release notes

Sourced from isomorphic-dompurify's releases.

3.18.0: Updated dependencies

  • dompurify 3.4.10 -> 3.4.11
  • vitest 4.1.8 -> 4.1.9
  • pnpm/action-setup 6 -> 6.0.8

3.17.0: Updated dependencies

  • dompurify 3.4.8 -> 3.4.10
  • @​biomejs/biome 2.4.16 -> 2.5.0
  • pnpm 11.4.0 -> 11.6.0

3.16.0: Updated dependencies

  • dompurify 3.4.7 -> 3.4.8
  • vitest 4.1.7 -> 4.1.8
  • lefthook 2.1.8 -> 2.1.9

3.15.0: Updated dependencies

  • dompurify 3.4.5 -> 3.4.7
  • @​biomejs/biome 2.4.15 -> 2.4.16
  • vitest 4.1.6 -> 4.1.7
  • packageManager pnpm 11.1.3 -> 11.4.0

3.14.0: Updated dependencies

What's Changed

  • chore(deps): bump dompurify from 3.4.3 to 3.4.5 by @​dependabot[bot]
  • chore: Allowed esbuild and disallowed lefthook for ci.
  • chore: Added homepage URL to package.json.

Full Changelog: kkomelin/isomorphic-dompurify@3.13.0...3.14.0

3.13.0: Updated dependencies

What's Changed

Full Changelog: kkomelin/isomorphic-dompurify@3.12.0...3.13.0

Commits
  • 1d5745c chore: release v3.18.0
  • e1202c5 chore(deps): bump dompurify from 3.4.10 to 3.4.11
  • ab9cc6b chore(deps-dev): bump vitest from 4.1.8 to 4.1.9
  • 60491d6 chore(deps): bump pnpm/action-setup from 6 to 6.0.8
  • 4b0f0db chore: Updated dependencies.
  • 1e537bd chore(deps): bump dompurify from 3.4.8 to 3.4.9
  • bee551b chore: Bump version to 3.16.0 and update dependencies.
  • e03b0c0 chore(deps): bump dompurify from 3.4.7 to 3.4.8
  • 86abe8b chore(deps-dev): bump lefthook from 2.1.8 to 2.1.9
  • 284831c chore(deps-dev): bump vitest from 4.1.7 to 4.1.8
  • Additional commits viewable in compare view

Updates lucide-react from 1.14.0 to 1.22.0

Release notes

Sourced from lucide-react's releases.

Version 1.22.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.21.0...1.22.0

Version 1.21.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.20.0...1.21.0

Version 1.20.0

What's Changed

... (truncated)

Commits
  • 5ff536e ci(release.yml): Fix workflow and remove version scripts in package scripts...
  • 07c885e fix(docs): fix zephyr-cloud URL in readmes
  • See full diff in

Bumps the minor-and-patch group with 36 updates:

| Package | From | To |
| --- | --- | --- |
| [@noriginmedia/norigin-spatial-navigation](https://github.com/NoriginMedia/norigin-spatial-navigation) | `3.1.0` | `3.2.0` |
| [@radix-ui/react-dialog](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/dialog) | `1.1.15` | `1.1.17` |
| [@radix-ui/react-dropdown-menu](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/dropdown-menu) | `2.1.16` | `2.1.18` |
| [@radix-ui/react-progress](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/progress) | `1.1.8` | `1.1.10` |
| [@radix-ui/react-scroll-area](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/scroll-area) | `1.2.10` | `1.2.12` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/separator) | `1.1.8` | `1.1.10` |
| [@radix-ui/react-slider](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slider) | `1.3.6` | `1.4.1` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slot) | `1.2.4` | `1.3.0` |
| [@radix-ui/react-tabs](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tabs) | `1.1.13` | `1.1.15` |
| [@radix-ui/react-toast](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/toast) | `1.2.15` | `1.2.17` |
| [@radix-ui/react-tooltip](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tooltip) | `1.2.8` | `1.2.10` |
| [@supabase/supabase-js](https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js) | `2.99.3` | `2.108.2` |
| [framer-motion](https://github.com/motiondivision/motion) | `12.38.0` | `12.42.0` |
| [imapflow](https://github.com/postalsys/imapflow) | `1.3.6` | `1.4.3` |
| [ioredis](https://github.com/luin/ioredis) | `5.10.1` | `5.11.1` |
| [isomorphic-dompurify](https://github.com/kkomelin/isomorphic-dompurify) | `3.12.0` | `3.18.0` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.14.0` | `1.22.0` |
| [mailparser](https://github.com/nodemailer/mailparser) | `3.9.9` | `3.9.12` |
| [next](https://github.com/vercel/next.js) | `16.2.4` | `16.2.9` |
| [openai](https://github.com/openai/openai-node) | `6.36.0` | `6.45.0` |
| [posthog-js](https://github.com/PostHog/posthog-js) | `1.381.0` | `1.396.2` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.5` | `19.2.7` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.14` | `19.2.17` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.5` | `19.2.7` |
| [resend](https://github.com/resend/resend-node) | `6.12.2` | `6.16.0` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [video.js](https://github.com/videojs/video.js) | `8.23.7` | `8.23.9` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.60.0` | `1.61.1` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.4` | `4.3.2` |
| [@types/jsdom](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jsdom) | `28.0.0` | `28.0.3` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.8` | `4.1.9` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.2.4` | `16.2.9` |
| [postcss](https://github.com/postcss/postcss) | `8.5.14` | `8.5.16` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.2` |
| [tsx](https://github.com/privatenumber/tsx) | `4.21.0` | `4.22.4` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.8` | `4.1.9` |


Updates `@noriginmedia/norigin-spatial-navigation` from 3.1.0 to 3.2.0
- [Release notes](https://github.com/NoriginMedia/norigin-spatial-navigation/releases)
- [Changelog](https://github.com/NoriginMedia/Norigin-Spatial-Navigation/blob/main/CHANGELOG.md)
- [Commits](https://github.com/NoriginMedia/norigin-spatial-navigation/compare/@noriginmedia/norigin-spatial-navigation@3.1.0...@noriginmedia/norigin-spatial-navigation@3.2.0)

Updates `@radix-ui/react-dialog` from 1.1.15 to 1.1.17
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/dialog/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/dialog)

Updates `@radix-ui/react-dropdown-menu` from 2.1.16 to 2.1.18
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/dropdown-menu/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/dropdown-menu)

Updates `@radix-ui/react-progress` from 1.1.8 to 1.1.10
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/progress/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/progress)

Updates `@radix-ui/react-scroll-area` from 1.2.10 to 1.2.12
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/scroll-area/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/scroll-area)

Updates `@radix-ui/react-separator` from 1.1.8 to 1.1.10
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/separator/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/separator)

Updates `@radix-ui/react-slider` from 1.3.6 to 1.4.1
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slider/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slider)

Updates `@radix-ui/react-slot` from 1.2.4 to 1.3.0
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slot/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slot)

Updates `@radix-ui/react-tabs` from 1.1.13 to 1.1.15
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tabs/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tabs)

Updates `@radix-ui/react-toast` from 1.2.15 to 1.2.17
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/toast/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/toast)

Updates `@radix-ui/react-tooltip` from 1.2.8 to 1.2.10
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tooltip/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tooltip)

Updates `@supabase/supabase-js` from 2.99.3 to 2.108.2
- [Release notes](https://github.com/supabase/supabase-js/releases)
- [Changelog](https://github.com/supabase/supabase-js/blob/master/packages/core/supabase-js/CHANGELOG.md)
- [Commits](https://github.com/supabase/supabase-js/commits/v2.108.2/packages/core/supabase-js)

Updates `framer-motion` from 12.38.0 to 12.42.0
- [Changelog](https://github.com/motiondivision/motion/blob/main/CHANGELOG.md)
- [Commits](motiondivision/motion@v12.38.0...v12.42.0)

Updates `imapflow` from 1.3.6 to 1.4.3
- [Release notes](https://github.com/postalsys/imapflow/releases)
- [Changelog](https://github.com/postalsys/imapflow/blob/master/CHANGELOG.md)
- [Commits](postalsys/imapflow@v1.3.6...v1.4.3)

Updates `ioredis` from 5.10.1 to 5.11.1
- [Release notes](https://github.com/luin/ioredis/releases)
- [Changelog](https://github.com/redis/ioredis/blob/main/CHANGELOG.md)
- [Commits](redis/ioredis@v5.10.1...v5.11.1)

Updates `isomorphic-dompurify` from 3.12.0 to 3.18.0
- [Release notes](https://github.com/kkomelin/isomorphic-dompurify/releases)
- [Commits](kkomelin/isomorphic-dompurify@3.12.0...3.18.0)

Updates `lucide-react` from 1.14.0 to 1.22.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.22.0/packages/lucide-react)

Updates `mailparser` from 3.9.9 to 3.9.12
- [Release notes](https://github.com/nodemailer/mailparser/releases)
- [Changelog](https://github.com/nodemailer/mailparser/blob/master/CHANGELOG.md)
- [Commits](nodemailer/mailparser@v3.9.9...v3.9.12)

Updates `next` from 16.2.4 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.4...v16.2.9)

Updates `openai` from 6.36.0 to 6.45.0
- [Release notes](https://github.com/openai/openai-node/releases)
- [Changelog](https://github.com/openai/openai-node/blob/main/CHANGELOG.md)
- [Commits](openai/openai-node@v6.36.0...v6.45.0)

Updates `posthog-js` from 1.381.0 to 1.396.2
- [Release notes](https://github.com/PostHog/posthog-js/releases)
- [Changelog](https://github.com/PostHog/posthog-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/PostHog/posthog-js/compare/posthog-js@1.381.0...posthog-js@1.396.2)

Updates `react` from 19.2.5 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `@types/react` from 19.2.14 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.2.5 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `resend` from 6.12.2 to 6.16.0
- [Release notes](https://github.com/resend/resend-node/releases)
- [Commits](resend/resend-node@v6.12.2...v6.16.0)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

Updates `video.js` from 8.23.7 to 8.23.9
- [Release notes](https://github.com/videojs/video.js/releases)
- [Changelog](https://github.com/videojs/video.js/blob/main/CHANGELOG.md)
- [Commits](videojs/video.js@v8.23.7...v8.23.9)

Updates `@playwright/test` from 1.60.0 to 1.61.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.60.0...v1.61.1)

Updates `@tailwindcss/postcss` from 4.2.4 to 4.3.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/@tailwindcss-postcss)

Updates `@types/jsdom` from 28.0.0 to 28.0.3
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jsdom)

Updates `@types/react` from 19.2.14 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `@vitest/coverage-v8` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/coverage-v8)

Updates `eslint-config-next` from 16.2.4 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.9/packages/eslint-config-next)

Updates `postcss` from 8.5.14 to 8.5.16
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.14...8.5.16)

Updates `tailwindcss` from 4.2.4 to 4.3.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/tailwindcss)

Updates `tsx` from 4.21.0 to 4.22.4
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.21.0...v4.22.4)

Updates `vitest` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

---
updated-dependencies:
- dependency-name: "@noriginmedia/norigin-spatial-navigation"
  dependency-version: 3.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-dialog"
  dependency-version: 1.1.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-dropdown-menu"
  dependency-version: 2.1.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-progress"
  dependency-version: 1.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-scroll-area"
  dependency-version: 1.2.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-separator"
  dependency-version: 1.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-slider"
  dependency-version: 1.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-tabs"
  dependency-version: 1.1.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-toast"
  dependency-version: 1.2.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-tooltip"
  dependency-version: 1.2.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@supabase/supabase-js"
  dependency-version: 2.108.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: framer-motion
  dependency-version: 12.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: imapflow
  dependency-version: 1.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: ioredis
  dependency-version: 5.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: isomorphic-dompurify
  dependency-version: 3.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: lucide-react
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: mailparser
  dependency-version: 3.9.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: next
  dependency-version: 16.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: openai
  dependency-version: 6.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: posthog-js
  dependency-version: 1.396.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: resend
  dependency-version: 6.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: video.js
  dependency-version: 8.23.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@playwright/test"
  dependency-version: 1.61.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/jsdom"
  dependency-version: 28.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: eslint-config-next
  dependency-version: 16.2.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: postcss
  dependency-version: 8.5.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: tsx
  dependency-version: 4.22.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Contributor Author

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions

vu1nz Security Review

0 finding(s) in PR #?

No security issues found.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | posthog-js@1.381.0 ⏵ 1.396.2 | 37 -37 | 100 | 81 -1 | 100 +1 | 100 |
| Updated | @radix-ui/react-separator@1.1.8 ⏵ 1.1.10 | 100 +1 | 100 | 67 | 98 | 100 |
| Updated | @radix-ui/react-progress@1.1.8 ⏵ 1.1.10 | 100 +1 | 100 | 69 | 98 | 100 |
| Updated | @radix-ui/react-slot@1.2.4 ⏵ 1.3.0 | 100 +1 | 100 | 69 +1 | 98 | 100 |
| Updated | @radix-ui/react-tabs@1.1.13 ⏵ 1.1.15 | 99 +1 | 100 | 70 | 98 | 100 |
| Updated | @radix-ui/react-dialog@1.1.15 ⏵ 1.1.17 | 99 +1 | 100 | 71 | 98 | 100 |
| Updated | @radix-ui/react-dropdown-menu@2.1.16 ⏵ 2.1.18 | 99 +1 | 100 | 71 | 98 | 100 |
| Updated | @radix-ui/react-tooltip@1.2.8 ⏵ 1.2.10 | 99 +1 | 100 | 72 +1 | 98 | 100 |
| Updated | @radix-ui/react-slider@1.3.6 ⏵ 1.4.1 | 99 +1 | 100 | 73 +1 | 98 | 100 |
| Updated | @radix-ui/react-toast@1.2.15 ⏵ 1.2.17 | 99 +1 | 100 | 73 +1 | 98 | 100 |
| Updated | @radix-ui/react-scroll-area@1.2.10 ⏵ 1.2.12 | 99 +1 | 100 | 73 +1 | 98 | 100 |
| Updated | @noriginmedia/norigin-spatial-navigation@3.1.0 ⏵ 3.2.0 | 95 | 100 | 73 | 94 +5 | 100 |
| Updated | openai@6.36.0 ⏵ 6.45.0 | 78 +9 | 100 | 100 +1 | 100 | 100 |
| Updated | @types/react@19.2.14 ⏵ 19.2.17 | 100 | 100 | 79 | 95 | 100 |
| Updated | vitest@4.1.8 ⏵ 4.1.9 | 98 +1 | 100 | 79 +1 | 98 | 100 |
| Updated | @vitest/coverage-v8@4.1.8 ⏵ 4.1.9 | 99 | 100 | 79 | 98 | 100 |
| Updated | mailparser@3.9.9 ⏵ 3.9.12 | 99 | 100 | 80 | 94 | 100 |
| Updated | lucide-react@1.14.0 ⏵ 1.22.0 | 100 | 100 | 98 +1 | 95 | 80 |
| Updated | tailwindcss@4.2.4 ⏵ 4.3.2 | 100 | 100 | 81 -3 | 98 | 100 |
| Updated | postcss@8.5.14 ⏵ 8.5.16 | 100 +1 | 100 | 81 | 92 | 100 |
| Updated | tsx@4.21.0 ⏵ 4.22.4 | 100 +1 | 100 | 82 +1 | 91 | 100 |
| Updated | react@19.2.5 ⏵ 19.2.7 | 100 | 100 | 84 | 97 | 100 |
| Updated | tailwind-merge@3.5.0 ⏵ 3.6.0 | 100 +1 | 100 | 86 +1 | 96 | 100 |
| Updated | @supabase/supabase-js@2.99.3 ⏵ 2.108.2 | 89 -2 | 100 | 100 | 96 -1 | 100 |
| Updated | ioredis@5.10.1 ⏵ 5.11.1 | 94 +1 | 100 | 100 +1 | 92 | 100 |
| Updated | react-dom@19.2.5 ⏵ 19.2.7 | 100 | 100 | 92 | 98 | 100 |
| Updated | video.js@8.23.7 ⏵ 8.23.9 | 99 +1 | 100 | 100 | 93 | 100 |
| Updated | isomorphic-dompurify@3.12.0 ⏵ 3.18.0 | 100 +1 | 100 | 100 +1 | 96 +2 | 100 |
| Updated | imapflow@1.3.6 ⏵ 1.4.3 | 99 +1 | 100 | 98 +1 | 96 +1 | 100 |
| Updated | framer-motion@12.38.0 ⏵ 12.42.0 | 99 +1 | 100 | 100 +1 | 97 | 100 |
| Updated | resend@6.12.2 ⏵ 6.16.0 | 98 +1 | 100 | 100 | 100 +1 | 100 |
See 2 more rows in the dashboard

View full report

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@typescript-eslint/eslint-plugin@8.62.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.62.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @videojs/http-streaming is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/video.js@8.23.9 → npm/@videojs/http-streaming@3.17.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@videojs/http-streaming@3.17.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @videojs/vhs-utils is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/video.js@8.23.9 → npm/@videojs/vhs-utils@4.1.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@videojs/vhs-utils@4.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Publisher changed: npm @videojs/vhs-utils is now published by essk

Author: essk

From: pnpm-lock.yaml → npm/video.js@8.23.9 → npm/@videojs/vhs-utils@4.1.2

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@videojs/vhs-utils@4.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @zone-eu/mailsplit under EUPL-1.2

License: EUPL-1.2 - The applicable license policy does not permit this license (5) (package/LICENSE.EUPL-1.2)

License: unrecognized license - This license was not allowed or given any lesser classification by the applicable policy (package/LICENSE.EUPL-1.2)

License: EUPL-1.1+ - This license classifier is not allowed by the applicable policy (package/package.json)

From: pnpm-lock.yaml → npm/mailparser@3.9.12 → npm/imapflow@1.4.3 → npm/@zone-eu/mailsplit@5.4.13

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@zone-eu/mailsplit@5.4.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Publisher changed: npm mpd-parser is now published by essk

Author: essk

From: pnpm-lock.yaml → npm/video.js@8.23.9 → npm/mpd-parser@1.4.0

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mpd-parser@1.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm playwright-core under ms-azure-data-studio

License: ms-azure-data-studio - The applicable license policy does not permit this license (5) (package/ThirdPartyNotices.txt)

From: pnpm-lock.yaml → npm/@playwright/test@1.61.1 → npm/playwright-core@1.61.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright-core@1.61.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm playwright under ms-azure-data-studio

License: ms-azure-data-studio - The applicable license policy does not permit this license (5) (package/ThirdPartyNotices.txt)

From: pnpm-lock.yaml → npm/@playwright/test@1.61.1 → npm/playwright@1.61.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright@1.61.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: The file package/dist/module.full.js contains a PostHog/rrweb-style client telemetry SDK that instruments in-browser activity (DOM, events, errors/console), intercepts network traffic (fetch/XHR), and serializes/uploads data to remote endpoints. It includes a dynamic external script loader driven by remote configuration, creating data privacy, data-exfiltration, and supply-chain/execution risk exposure. While no explicit malware is described, misconfiguration or compromised endpoints/configs could enable excessive data capture or exfiltration; treat this as a security/privacy-critical dependency and verify permissions, capture options, and endpoint integrity.

From: package.json → npm/posthog-js@1.396.2

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.396.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: The file package/dist/array.full.no-external.js implements client-side telemetry instrumentation for session replay, DOM/form capture, network traffic (including request/response data), console logs, and error capture, with configurable data redaction and potential UI surveys. It patches browser APIs (console, fetch/XHR) and may use cookies/localStorage or a Web Worker to collect and transmit data to remote ingestion endpoints; safe use requires strict configuration (masking/deny-lists) to prevent excessive data capture or data exfiltration, and sanitized UI surveys to avoid privacy leakage.

From: package.json → npm/posthog-js@1.396.2

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.396.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: package/dist/array.full.js is a high-sensitivity client-side analytics/telemetry SDK that can collect extensive data (session replay, errors, console output, network telemetry, DOM interactions, and performance) and load external scripts for remote configuration, introducing supply-chain and remote-execution risks along with privacy concerns. Treat it as a high security-review item requiring strict consent enforcement, data capture limits, trusted-origin validation, and allowlists/deny-lists with careful review of loaded scripts.

From: package.json → npm/posthog-js@1.396.2

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.396.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: The package/dist/main.js fragment implements a client analytics/telemetry SDK (likely PostHog) that collects user/DOM/event data, persists local identifiers, and transmits telemetry to remote PostHog endpoints. It dynamically loads external dependencies, creating supply-chain and data-exfiltration/privacy risks, with potential XSS surfaces if remote content is not properly governed. Overall, treat as high-sensitivity telemetry code with elevated risk due to external dependencies and governance concerns, rather than classic malware; review allowed domains, CSP, and integration loading sources.

From: package.json → npm/posthog-js@1.396.2

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.396.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: The file package/dist/module.no-external.js is a client-side analytics and session-recording SDK that loads external dependencies at runtime, captures extensive browser/DOM signals, and transmits telemetry to remote endpoints. While it can legitimately manage consent and state, its capability to modify the DOM and load external code creates a high-risk surface for supply-chain compromise and remote DOM manipulation (potentially enabling XSS or arbitrary script execution) if the external configuration or dependencies are compromised, necessitating strong trust and sanitization controls.

From: package.json → npm/posthog-js@1.396.2

ℹ Read more on: This package | This alert | What is telemetry?

Warn High
Telemetry collection: npm posthog-js

Note: The PostHog JavaScript analytics SDK (package/dist/module.js) loads external or runtime scripts for extensions and server-driven experiments, creating a supply-chain/remote-code-execution surface and potential DOM modification or XSS-like impacts. It also collects telemetry and persists identifiers, increasing privacy and misconfiguration risks. Mitigation should include strict CSP/SRI, asset allowlisting, restricted external dependencies, and server-side sanitization for any HTML/CSS transforms.

From: package.json → npm/posthog-js@1.396.2

ℹ Read more on: This package | This alert | What is telemetry?

Warn High
Obfuscated code: npm posthog-js is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/posthog-js@1.396.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Warn High
License policy violation: npm rollup under unrecognized license

License: unrecognized license - This license was not allowed or given any lesser classification by the applicable policy (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@vitejs/plugin-react@5.1.4 → npm/vitest@4.1.9 → npm/rollup@4.62.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.62.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@ralyodio closed this Jul 1, 2026

dependabot Bot commented on behalf of github Jul 1, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml.

@ralyodio deleted the dependabot/npm_and_yarn/minor-and-patch-e13ce11646 branch July 1, 2026 08:11