chore(deps): bump the npm-web-nonbreaking group across 1 directory with 17 updates

[dependabot]

Bumps the npm-web-nonbreaking group with 17 updates in the /web directory:

Package	From	To
@react-three/fiber	9.5.0	9.6.1
fumadocs-core	16.7.7	16.8.8
fumadocs-mdx	14.2.11	14.3.2
fumadocs-ui	16.7.7	16.8.8
next	16.2.1	16.2.6
react	19.2.4	19.2.6
react-dom	19.2.4	19.2.6
zustand	5.0.12	5.0.13
@next/eslint-plugin-next	16.2.1	16.2.6
@tailwindcss/postcss	4.2.2	4.3.0
@types/node	22.19.15	22.19.18
eslint-config-next	16.2.1	16.2.6
eslint-plugin-react-hooks	7.0.1	7.1.1
globals	17.4.0	17.6.0
postcss	8.5.8	8.5.14
tailwindcss	4.2.2	4.3.0
typescript-eslint	8.58.0	8.59.2

Updates @react-three/fiber from 9.5.0 to 9.6.1

Release notes

Sourced from @​react-three/fiber's releases.

v9.6.1

What's Changed

• fix: Seamlessly transfer interactivity state when swapping instances (#3743) by @​notrabs in pmndrs/react-three-fiber#3744

Full Changelog: pmndrs/react-three-fiber@v9.6.0...v9.6.1

v9.6.0 - Sunset X

Ever tried using <shaderMaterial uniforms={{ time: { value: time } }} /> and ran into immediate issues with desync? No more.

The uniforms objects on ShaderMaterial and its derivatives now have a stable reference. Objects passed into uniforms will instead copy into it. This is the same as behavior for math structures that have copy such as position, rotation, quaternion, etc. and ends up simplifying using the raw JSX where utilities were often introduced before.

Why does this matter?

1. Improves HMR. Even if you memoize the uniforms object it will still regenerate and desync Three. Now this won't happen. But also it makes compatibility with React compiler more complete with its auto-memoization.

2. Allows for inline uniform props and even prop uniforms directly on the material piercing.

<shaderMaterial
  vertexShader={vertexShader}
  fragmentShader={fragmentShader}
  // The uniforms object has a stable reference so objects can be safely merged in
  uniforms={{ 
    uTime: { value: 0 }, 
    uColor: { value: new THREE.Color('hotpink') } 
  }}
  // Individual uniforms can also be safely updated with pierce notation
  uniforms-uColor-value={hovered ? 'royalblue' : 'hotpink'}
/>

Documentation can be found here: https://r3f.docs.pmnd.rs/api/objects#shader-material-uniforms

And an example can be found here: https://github.com/pmndrs/react-three-fiber/blob/master/example/src/demos/ShaderMaterial.tsx

What's Changed

• fix: Fix broken link on "Performance pitfalls" documentation page by @​simonKristensen in pmndrs/react-three-fiber#3700
• fix: uniforms have stable refs for ShaderMaterial by @​krispya in pmndrs/react-three-fiber#3715
• docs: fix typos and documentation consistency by @​NssGourav in pmndrs/react-three-fiber#3709

New Contributors

• @​simonKristensen made their first contribution in pmndrs/react-three-fiber#3700
• @​NssGourav made their first contribution in pmndrs/react-three-fiber#3709

Full Changelog: pmndrs/react-three-fiber@v9.5.0...v9.6.0

Commits

• 2a52874 RELEASING: Releasing 1 package(s)
• b645741 docs(changeset): fix: Seamlessly transfer interactivity state when swapping i...
• 119668f fix: Seamlessly transfer interactivity state when swapping instances (#3744)
• 943a37e Merge pull request #3738 from pmndrs:chore/simplify-shadermaterial-demo
• 1be9504 chore: Add uniform piercing test
• 4df10c0 chore: Simplify ShaderMaterial demo
• 877c839 chore: Move ShaderMaterial uniform notes to objects out of pitfalls (#3734)
• 47d30ba chore: Move ShaderMaterial uniform notes to objects out of pitfalls
• ece1a3f RELEASING: Releasing 1 package(s)
• 26e4716 docs(changeset): Fix uniforms refs so they remain stable for ShaderMaterial
• Additional commits viewable in compare view

Updates fumadocs-core from 16.7.7 to 16.8.8

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.8.8

No release notes provided.

fumadocs-core@16.8.7

No release notes provided.

fumadocs-core@16.8.6

No release notes provided.

fumadocs-core@16.8.5

Patch Changes

• 79d3209: Narrow schema type for private OpenAPI properties

fumadocs-core@16.8.4

Patch Changes

• 61b15e9: fix Shiki languages not loaded under lazy mode
• 1a5433c: Support $ in locale for page tree generation

fumadocs-core@16.8.3

No release notes provided.

fumadocs-core@16.8.2

No release notes provided.

fumadocs-core@16.8.1

No release notes provided.

fumadocs-core@16.7.16

Patch Changes

• 9cf33e9: Improve inline code output
• 9cf33e9: Support async hooks in Shiki transformers

fumadocs-core@16.7.15

Patch Changes

• e1567e2: use local fork of Shiki rehype integration
• 9a200c8: fix multi-line in remark-npm
• c731a92: Implement selective re-render for TOC
• a4189ce: Improve AST plugins

fumadocs-core@16.7.14

Patch Changes

• 2d8f596: fix npm pack skipping nested node_modules

fumadocs-core@16.7.13

Patch Changes

... (truncated)

Commits

• c50ada3 Version Packages (#3249)
• 86ed0d5 Blog: introduce MDX v15
• fb8bbf6 Press: ignore
• b494c8d UI: Support copy ID in headings
• 03626ba UI: show ctrl for Linux machines
• 656c3c1 Press: make waku.server optional
• 2bc654b Press: add AI integration
• 1f1e49a Press: auto CSS & layout
• 3de9dfe MDX: require fumadocs-core 16.7+
• 5745fcf MDX: better Node.js loader
• Additional commits viewable in compare view

Updates fumadocs-mdx from 14.2.11 to 14.3.2

Release notes

Sourced from fumadocs-mdx's releases.

fumadocs-mdx@14.3.2

Patch Changes

• 79d3209: Deprecate forwarded schemas at fumadocs-mdx/config, recommend fumadocs-core/source/schema instead.
• Updated dependencies [79d3209]
  • fumadocs-core@16.8.5

fumadocs-mdx@14.3.0

Minor Changes

• fa9f678: Make Next.js config ESM only

  Newer Next.js supported .mts extension for Next.js config files, see Next.js docs for more info.

fumadocs-mdx@14.2.14

Patch Changes

• eb62304: Make mdx-remote optional for dynamic mode
• Updated dependencies [e1567e2]
• Updated dependencies [9a200c8]
• Updated dependencies [c731a92]
• Updated dependencies [a4189ce]
  • fumadocs-core@16.7.15

fumadocs-mdx@14.2.13

Patch Changes

• 2d8f596: fix npm pack skipping nested node_modules
• Updated dependencies [2d8f596]
  • @​fumadocs/mdx-remote@​1.4.8
  • fumadocs-core@16.7.14

fumadocs-mdx@14.2.12

Patch Changes

• 690ddb9: bundle more deps
• Updated dependencies [690ddb9]
  • @​fumadocs/mdx-remote@​1.4.7
  • fumadocs-core@16.7.13

Commits

• d6bf3e0 Merge pull request #3235 from fuma-nama/changeset-release/dev
• af7ee2d CLI: fix layout preserve plugin
• 970b1bf OpenAPI: fix inconsistency in option names
• 2eff8e9 Chore: update showcases
• fa781f1 fix jsdoc omitted from output
• a83709f clean code
• 3e85c69 Docs: add more docs for MDX Remote
• 79d3209 Core: narrow schema types
• 387e659 UI: relocate toc width
• e1f19c7 Version Packages (#3232)
• Additional commits viewable in compare view

Updates fumadocs-ui from 16.7.7 to 16.8.8

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.8.8

Patch Changes

• b494c8d: Support copy ID in headings
• 03626ba: [Search UI] show ctrl for Linux machines
  • fumadocs-core@16.8.8

fumadocs-ui@16.8.7

Patch Changes

• 34f37f3: hotfix TOC
  • fumadocs-core@16.8.7

fumadocs-ui@16.8.6

Patch Changes

• 1aa48d0: fix RTL layout for Clerk style
  • fumadocs-core@16.8.6

fumadocs-ui@16.8.5

Patch Changes

• Updated dependencies [79d3209]
  • fumadocs-core@16.8.5

fumadocs-ui@16.8.4

Patch Changes

• b5ff03b: Support new OG image design for Takumi
• Updated dependencies [61b15e9]
• Updated dependencies [1a5433c]
  • fumadocs-core@16.8.4

fumadocs-ui@16.8.3

Patch Changes

• 8082ef6: Add legacy/layout for versions prior to 16.2
• 8082ef6: Add css/preset-legacy.css for versions prior to 16.2
• 8082ef6: Add legacy/sidebar for versions prior to 16.2
  • fumadocs-core@16.8.3

fumadocs-ui@16.8.2

Patch Changes

• 0e8405a: Update default OG image
  • fumadocs-core@16.8.2

fumadocs-ui@16.8.1

Patch Changes

... (truncated)

Commits

• c50ada3 Version Packages (#3249)
• 86ed0d5 Blog: introduce MDX v15
• fb8bbf6 Press: ignore
• b494c8d UI: Support copy ID in headings
• 03626ba UI: show ctrl for Linux machines
• 656c3c1 Press: make waku.server optional
• 2bc654b Press: add AI integration
• 1f1e49a Press: auto CSS & layout
• 3de9dfe MDX: require fumadocs-core 16.7+
• 5745fcf MDX: better Node.js loader
• Additional commits viewable in compare view

Updates next from 16.2.1 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates react from 19.2.4 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Updates zustand from 5.0.12 to 5.0.13

Release notes

Sourced from zustand's releases.

v5.0.13

This release includes an improvement in the devtools middleware.

What's Changed

• refactor(devtools): remove duplicate module augmentation by @​mahmoodhamdi in pmndrs/zustand#3443
• fix(devtools): support Firefox/Safari stack format in findCallerName by @​SBolsec in pmndrs/zustand#3469

New Contributors

• @​mahmoodhamdi made their first contribution in pmndrs/zustand#3443
• @​FelixEckl-vireq made their first contribution in pmndrs/zustand#3466
• @​KimHyeongRae0 made their first contribution in pmndrs/zustand#3471
• @​lstak made their first contribution in pmndrs/zustand#3483
• @​AlexRixten made their first contribution in pmndrs/zustand#3474
• @​SBolsec made their first contribution in pmndrs/zustand#3469

Full Changelog: pmndrs/zustand@v5.0.12...v5.0.13

Commits

• 6bc451e 5.0.13
• 8ec2169 chore(deps): update dev dependencies (#3486)
• 4e9bcf0 fix(devtools): support Firefox/Safari stack format in findCallerName (#3469)
• 4b96f4e fix(docs): correct react-dom test utils import path (#3474)
• c7516c1 fix(tests): change parameters for 'expect' in test (#3483)
• 1b04af1 docs(persist): fix signature to require persistOptions (#3477)
• 95d3f33 test(middleware/immer): add runtime tests for immer middleware (#3471)
• 3201328 Update TypeScript guide links in README.md (#3466)
• 00f96a3 chore(deps): bump actions/deploy-pages from 4.0.5 to 5.0.0 (#3447)
• 6330044 test: expand React subscribe test coverage (#3442)
• Additional commits viewable in compare view

Updates @next/eslint-plugin-next from 16.2.1 to 16.2.6

Release notes

Sourced from @​next/eslint-plugin-next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits

• ee6e79b v16.2.6
• 766148f v16.2.5
• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/eslint-plugin-next since your current version.

Updates @tailwindcss/postcss from 4.2.2 to 4.3.0

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.3.0

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)

... (truncated)

Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.3.0] - 2026-05-08

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

[4.2.4] - 2026-04-21

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

[4.2.3] - 2026-04-20

Fixed

• Canonicalization: improve canonicalization for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)

... (truncated)

Commits

• 588bd73 4.3.0 (#20023)
• 12eb5ae Cleanup noisy test output (#20015)
• 4255671 Improve snapshot tests (#20013)
• 52f94c7 Improve codebase quality (#19999)
• d194d4c docs: fix various typos in comments and documentation (#19878)
• bfb5732 Fall back to the plugin base when PostCSS has no from option (#19980)
• 3a890c3 Bump dependencies (#19957)
• 69ad7cc 4.2.4 (#19948)
• 685c19e Fix issue around resolving paths in @tailwindcss/vite (#19947)
• 2e3fa49 4.2.3 (#19944)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/postcss since your current version.

Updates @types/node from 22.19.15 to 22.19.18

Commits

• See full diff in compare view

Updates eslint-config-next from 16.2.1 to 16.2.6

Release notes

Sourced from eslint-config-next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• 
  ^{Need help on this PR? Tag @codesmith with what you need.}
  • Let Codesmith autofix CI failures and bot reviews

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agent-space-web	Error		May 10, 2026 4:55am

[mogplex]

Mogplex PR Review

Status: No material issues found

Note: Structured review output was missing, so Mogplex used the agent summary text as fallback output.

Summary

This Dependabot PR bumps 17 dependencies in /web, including high-priority Next.js security backports (DoS, middleware bypass, SSRF, XSS, cache poisoning) in 16.2.1 → 16.2.6. The version bumps are all patch or minor and appear safe for the current codebase. However, the root pnpm-lock.yaml is stale: it still resolves the old versions (e.g. next@16.2.1, @react-three/fiber@9.5.0, tailwindcss@4.2.2) and does not reflect the new web/package.json specifiers. This will break pnpm install --frozen-lockfile in CI and leave the workspace in an inconsistent state.

Critical Issues

[CORRECTNESS] web/package.json:L19-L49

Issue: The PR updates dependency and devDependency specifiers in web/package.json (e.g. next ^16.2.1 → ^16.2.6, tailwindcss ^4.2.2 → ^4.3.0, @react-three/fiber ^9.1.0 → ^9.6.1), but the root pnpm-lock.yaml was not regenerated. The lockfile still pins the previous resolved versions, so the manifest and lockfile are out of sync.
Why it matters: pnpm install --frozen-lockfile (standard in CI) will fail because the specifiers no longer match the committed lockfile. Even without --frozen-lockfile, local installs will dirty the lockfile, making the PR incomplete and builds non-reproducible.
Suggestion: Run pnpm install from the workspace root and commit the resulting pnpm-lock.yaml changes so the resolved versions align with the updated specifiers.

Warnings

No architectural, performance, or testing warnings for this diff.

Suggestions

• web/package.json — The Next.js 16.2.6 patch fixes multiple high- and moderate-severity advisories (GHSA-8h8q-6873-q5fj, GHSA-c4j6-fc7j-m34r, GHSA-ffhc-5mcf-pf4q, etc.). Merging this promptly after the lockfile sync is recommended for security posture.
• web/package.json — fumadocs-mdx@14.3.x introduced ESM-only Next.js config loading. Verified the repo already uses ESM (next.config.ts with import/export), so this is a no-op and safe.

Verdict

⚠️ REQUEST CHANGES
The version bumps are appropriate, but the PR is incomplete without an updated pnpm-lock.yaml. Regenerate the lockfile so CI installs remain deterministic.

View check run