chore(deps): bump the npm-minor-patch group across 1 directory with 24 updates

[dependabot]

Bumps the npm-minor-patch group with 24 updates in the / directory:

Package	From	To
@aws-sdk/client-s3	3.1057.0	3.1068.0
@sentry/nextjs	10.55.0	10.57.0
@tanstack/react-query	5.100.14	5.101.0
@tanstack/react-virtual	3.13.26	3.14.2
@xyflow/react	12.10.2	12.11.0
ioredis	5.11.0	5.11.1
js-yaml	4.1.1	4.2.0
lucide-react	1.17.0	1.18.0
next	16.2.6	16.2.9
nodemailer	8.0.10	8.0.11
@types/nodemailer	8.0.0	8.0.1
radix-ui	1.4.3	1.5.0
react	19.2.6	19.2.7
@types/react	19.2.15	19.2.17
react-dom	19.2.6	19.2.7
react-hook-form	7.76.1	7.79.0
@next/bundle-analyzer	16.2.6	16.2.9
@tailwindcss/postcss	4.3.0	4.3.1
@types/node	25.9.1	25.9.3
eslint-config-next	16.2.6	16.2.9
shadcn	4.8.3	4.11.0
tailwindcss	4.3.0	4.3.1
tsx	4.22.3	4.22.4
vitest	4.1.7	4.1.8

Updates @aws-sdk/client-s3 from 3.1057.0 to 3.1068.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1068.0

3.1068.0(2026-06-12)

Documentation Changes

• client-iam: Updating documentation for select service-specific credential APIs (f572228a)

New Features

• clients: update client endpoints as of 2026-06-12 (3f89d039)
• client-acm: Certificate transparency logging opt-out is no longer available. Per compliance requirements, all public ACM certificates are automatically recorded in certificate transparency logs. The CertificateTransparencyLoggingPreference option is deprecated. (ca60b0f9)
• client-eks: Patches missing enum values for EKS updates (c2df34dc)
• client-sagemaker-runtime: Added support for inline request payloads to the InvokeEndpointAsync operation to allow users to provide the inference payload directly in the request Body (up to 128,000 bytes) as an alternative to uploading the payload to Amazon S3 and passing InputLocation. (c4e229dd)
• client-glue: Adds support for retrieving Apache Iceberg table metadata via GetTable. Use the new AttributesToGet parameter with LATEST ICEBERG METADATA to receive schema, partition specs, sort orders, and table properties in the response. (f45445f9)
• client-firehose: Update KeyARN in DeliveryStreamEncryptionConfigurationInput to accept KMS key ARNs only (not alias ARNs), matching service behavior. (80837cd3)
• client-bedrock-agentcore: Added tagging and CMK support across optimization, an explanation field in recommendation output, and an insights feature to identify failure patterns, extract user intents, and summarize execution behavior (1c06496f)
• client-devops-agent: Adds support for Trigger CRUD APIs (CreateTrigger, GetTrigger, UpdateTrigger, DeleteTrigger, ListTriggers) for managing schedule-based automation triggers in DevOps Agent agent spaces. (7139cf1e)
• client-bedrock-agentcore-control: Added tagging and CMK support for optimizations and an insights feature to identify failure patterns, extract user intents, and summarize execution behavior (571ac1e7)

---

For list of updated packages, view updated-packages.md in assets-3.1068.0.zip

v3.1067.0

3.1067.0(2026-06-11)

Documentation Changes

• suggest UndiciHttpHandler as an alternative request handler (#8092) (bd18a9f0)

New Features

• client-eks: Introduce new CreateCluster parameters for Amazon EKS local clusters on AWS Outposts. Added etcdInstanceType for configuring the EC2 instance type for dedicated etcd instances, and spreadLevel for configuring the placement group spread level for Kubernetes control plane and etcd instances. (383363d5)
• client-omics: Adds support for workflowName in the ListRuns API response. (fa2f4604)
• client-neptune: Amazon Neptune now supports IPv6 dual-stack networking. You can create and manage Neptune DB clusters accessible over both IPv4 and IPv6 by specifying NetworkType as DUAL in CreateDBCluster, ModifyDBCluster, RestoreDBClusterFromSnapshot, and RestoreDBClusterToPointInTime API operations (ae089f94)
• client-bedrock-agentcore: Adds support to perform cross account data plane actions on an AgentCore Memory resource (8d92e480)
• client-healthlake: Adds the UpdateFHIRDatastore API and adds analytics, NLP, and profile configuration support to CreateFHIRDatastore and DescribeFHIRDatastore. (c74ab005)
• client-bedrock-agentcore-control: Supports deterministic metadata for AgentCore Memory (af7a995a)
• client-support: Adding new BDD representation of endpoint ruleset (cd9dac21)

---

For list of updated packages, view updated-packages.md in assets-3.1067.0.zip

v3.1066.0

3.1066.0(2026-06-10)

New Features

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1068.0 (2026-06-12)

Note: Version bump only for package @​aws-sdk/client-s3

3.1067.0 (2026-06-11)

Note: Version bump only for package @​aws-sdk/client-s3

3.1066.0 (2026-06-10)

Note: Version bump only for package @​aws-sdk/client-s3

3.1065.0 (2026-06-09)

Note: Version bump only for package @​aws-sdk/client-s3

3.1064.0 (2026-06-08)

Note: Version bump only for package @​aws-sdk/client-s3

3.1063.0 (2026-06-05)

Note: Version bump only for package @​aws-sdk/client-s3

3.1062.0 (2026-06-04)

... (truncated)

Commits

• 0632f6d Publish v3.1068.0
• 0a3246f Publish v3.1067.0
• 4b11912 Publish v3.1066.0
• e4ef6c5 test: use crypto.randomUUID for resource names in e2e tests (#8091)
• 62daf07 Publish v3.1065.0
• bac7175 Publish v3.1064.0
• 86792c5 chore(scripts): update pkg json linting (#8082)
• 85dabf4 Publish v3.1063.0
• 9bd1a86 chore: update author URL in package.json (#8080)
• f5235bb Publish v3.1062.0
• Additional commits viewable in compare view

Updates @sentry/nextjs from 10.55.0 to 10.57.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.57.0

Important Changes

• feat(angular): Add support for Angular 22 (#21330)

  @sentry/angular now officially supports Angular 22.

• ref(core): Deprecate sendDefaultPii in favor of dataCollection (#21277)

  sendDefaultPii is deprecated and will be removed in v11. The new dataCollection option lets you control each category of collected data. sendDefaultPii: true still works and maps to enabling all dataCollection categories. dataCollection.userInfo defaults to true when dataCollection is provided, meaning auto-populated user.* fields (e.g. IP address from a request) are collected by default. Data you set explicitly (like via Sentry.setUser()) is always sent regardless. When dataCollection is not set at all, the legacy sendDefaultPii behavior applies (userInfo: false by default) to preserve backward compatibility.

  Note that an empty dataCollection: {} falls back to more permissive defaults than sendDefaultPii: false, so replicate the old behavior by opting out explicitly:

  Sentry.init({
    dataCollection: {
      userInfo: false,
      genAI: { inputs: false, outputs: false },
      httpBodies: [],
      httpHeaders: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      cookies: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      queryParams: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
    },
  });

Other Changes

• feat: Use dataCollection.frameContextLines for ContextLines integration (#21323)
• feat(cloudflare): Auto instrument D1 based on env (#21276)
• feat(core): Change default of dataCollection.userInfo to true (#21348)
• feat(core): Default dataCollection.httpBodies to all valid body types (#21352)
• feat(hono): Filter noisy transactions (favicon etc) (#21365)
• fix(cloudflare): Don't track negatively sampled spans (#21367)
• fix(core): Use safeDateNow calls for new Date() reads (#21351)
• fix(nextjs): Shim pinoIntegration on edge runtime (#21347)
• fix(node): Prevent PostgresJs integration from emitting duplicate spans per query (#21364)
• fix(node-core): Read __SENTRY_SERVER_MODULES__ lazily so Turbopack injection is honored (#21339)
• fix(react): Detect React Router v6/v7 navigations in a layout effect to propagate the correct trace (#21326)
• fix(react): Remove unused react.componentStack event context (#21183)
• fix(replays): Record sentry._internal.replay_is_buffering for spans (#21297)

• chore: Bump volta node version from 20.19.2 to 20.19.5 (#21359)

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.57.0

Important Changes

• feat(angular): Add support for Angular 22 (#21330)

  @sentry/angular now officially supports Angular 22.

• ref(core): Deprecate sendDefaultPii in favor of dataCollection (#21277)

  sendDefaultPii is deprecated and will be removed in v11. The new dataCollection option lets you control each category of collected data. sendDefaultPii: true still works and maps to enabling all dataCollection categories. dataCollection.userInfo defaults to true when dataCollection is provided, meaning auto-populated user.* fields (e.g. IP address from a request) are collected by default. Data you set explicitly (like via Sentry.setUser()) is always sent regardless. When dataCollection is not set at all, the legacy sendDefaultPii behavior applies (userInfo: false by default) to preserve backward compatibility.

  Note that an empty dataCollection: {} falls back to more permissive defaults than sendDefaultPii: false, so replicate the old behavior by opting out explicitly:

  Sentry.init({
    dataCollection: {
      userInfo: false,
      genAI: { inputs: false, outputs: false },
      httpBodies: [],
      httpHeaders: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      cookies: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      queryParams: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
    },
  });

Other Changes

• feat: Use dataCollection.frameContextLines for ContextLines integration (#21323)
• feat(cloudflare): Auto instrument D1 based on env (#21276)
• feat(core): Change default of dataCollection.userInfo to true (#21348)
• feat(core): Default dataCollection.httpBodies to all valid body types (#21352)
• feat(hono): Filter noisy transactions (favicon etc) (#21365)
• fix(cloudflare): Don't track negatively sampled spans (#21367)
• fix(core): Use safeDateNow calls for new Date() reads (#21351)
• fix(nextjs): Shim pinoIntegration on edge runtime (#21347)
• fix(node): Prevent PostgresJs integration from emitting duplicate spans per query (#21364)
• fix(node-core): Read __SENTRY_SERVER_MODULES__ lazily so Turbopack injection is honored (#21339)
• fix(react): Detect React Router v6/v7 navigations in a layout effect to propagate the correct trace (#21326)
• fix(react): Remove unused react.componentStack event context (#21183)
• fix(replays): Record sentry._internal.replay_is_buffering for spans (#21297)

... (truncated)

Commits

• 950cf97 release: 10.57.0
• 55f9343 Merge pull request #21369 from getsentry/prepare-release/10.57.0
• 88d9d30 meta(changelog): Update changelog for 10.57.0
• 03ffd25 fix(cloudflare): Don't track negatively sampled spans (#21367)
• 7c19ead ref(node): Streamline sql-common (#21360)
• 95df562 feat(hono): Filter noisy transactions (favicon etc) (#21365)
• 92eb5d2 feat(deps): Bump hono from 4.12.18 to 4.12.21 (#21341)
• c6f790b fix(node): Prevent PostgresJs integration from emitting duplicate spans per q...
• d645349 ref(node): Streamline lru-memoizer instrumentation (#21350)
• 4293015 feat(deps): Bump @​types/aws-lambda from 8.10.150 to 8.10.161 (#21105)
• Additional commits viewable in compare view

Updates @tanstack/react-query from 5.100.14 to 5.101.0

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.101.0

Patch Changes

• Updated dependencies [3042860, e631dc3]:
  • @​tanstack/query-devtools@​5.101.0
  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-next-experimental@​5.101.0

Patch Changes

• #10857 7cf5923 - fix(react-query-next-experimental): replace deprecated 'isServer' with 'environmentManager.isServer()'

• Updated dependencies []:

  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-persist-client@​5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.101.0
  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query@​5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

Changelog

Sourced from @​tanstack/react-query's changelog.

5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

Commits

• f3d8d2a ci: Version Packages (#10774)
• 532bb29 fix(tests): disable local coverage instrumentation (#10776)
• See full diff in compare view

Updates @tanstack/react-virtual from 3.13.26 to 3.14.2

Release notes

Sourced from @​tanstack/react-virtual's releases.

@​tanstack/react-virtual@​3.14.2

Patch Changes

• Updated dependencies [c0b84c8, fbf3bdb]:
  • @​tanstack/virtual-core@​3.17.0

@​tanstack/react-virtual@​3.14.1

Patch Changes

• Updated dependencies [c746841]:
  • @​tanstack/virtual-core@​3.16.1

@​tanstack/react-virtual@​3.14.0

Minor Changes

• Add opt-in direct DOM updates for scroll positioning with directDomUpdates, directDomUpdatesMode, and containerRef. (#1180)

Changelog

Sourced from @​tanstack/react-virtual's changelog.

3.14.2

Patch Changes

• Updated dependencies [c0b84c8, fbf3bdb]:
  • @​tanstack/virtual-core@​3.17.0

3.14.1

Patch Changes

• Updated dependencies [c746841]:
  • @​tanstack/virtual-core@​3.16.1

3.14.0

Minor Changes

• Add opt-in direct DOM updates for scroll positioning with directDomUpdates, directDomUpdatesMode, and containerRef. (#1180)

Commits

• b983b21 ci: Version Packages (#1184)
• fbf3bdb feat(virtual-core): add useCachedMeasurements option to preserve sizes when...
• 13dec39 docs: add directDomUpdates and directDomUpdatesMode options (#1185)
• c33902f ci: Version Packages (#1182)
• d789c6e ci: Version Packages (#1181)
• 73e115d feat(react-virtual): add directDomUpdates for re-render-free scroll positioni...
• See full diff in compare view

Updates @xyflow/react from 12.10.2 to 12.11.0

Release notes

Sourced from @​xyflow/react's releases.

@​xyflow/react@​12.11.0

12.11.0

Minor Changes

• #5677 e6661de - Add autoPanOnSelection to auto-pan when user drags a selection close to the edge of the viewport.

Patch Changes

• #5791 732c8eb - Adds a type error when handleId is used without handleType in useNodeConnections

• #5793 c5c853d - Dev Warnings now use library-specific messaging with the correct documentation links.

• #5776 0441e9f - Export NodeHandle type

• #5755 88737f9 - Add @types/react and @types/react-dom as optional peer dependencies to prevent issues with pnpm strict mode (hoist: false)

• #5105 076ad38 - Fix type for event passed to onNodeDrag

• #5784 7055140 - Fix node resizing possible beyond absolute extents

• #5769 ad4d547 - Use useEffect for StoreUpdater to restore previous behaviour

• Updated dependencies [732c8eb, c5c853d, e6661de, 737194d, 40660cd, 4806e7c, 7055140]:

  • @​xyflow/system@​0.0.77

Changelog

Sourced from @​xyflow/react's changelog.

12.11.0

Minor Changes

• #5677 e6661de - Add autoPanOnSelection to auto-pan when user drags a selection close to the edge of the viewport.

Patch Changes

• #5791 732c8eb - Adds a type error when handleId is used without handleType in useNodeConnections

• #5793 c5c853d - Dev Warnings now use library-specific messaging with the correct documentation links.

• #5776 0441e9f - Export NodeHandle type

• #5755 88737f9 - Add @types/react and @types/react-dom as optional peer dependencies to prevent issues with pnpm strict mode (hoist: false)

• #5105 076ad38 - Fix type for event passed to onNodeDrag

• #5784 7055140 - Fix node resizing possible beyond absolute extents

• #5769 ad4d547 - Use useEffect for StoreUpdater to restore previous behaviour

• Updated dependencies [732c8eb, c5c853d, e6661de, 737194d, 40660cd, 4806e7c, 7055140]:

  • @​xyflow/system@​0.0.77

Commits

• 6970ded chore(packages): bump
• c9db70d Merge branch 'main' of https://github.com/xyflow/xyflow into 5780-svelte-flow...
• af23aef chore: cleanup error messages
• 9d58ab9 fix: make error messages framework-specific
• e52bb55 Merge pull request #5105 from thedanchez/xydrag-type-generics
• 03e3dc0 Merge pull request #5755 from nielskaspers/fix/issue-5738-react-types-peer-dep
• caebfd6 Merge pull request #5784 from xyflow/fix-node-resizer-again
• 9dc7ec9 chore(react): fix util function
• c4e7833 Merge pull request #5785 from xyflow/fix-useless-promises
• 01fb1f1 chore(system): add UseNodeConnectionsParams type
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​xyflow/react since your current version.

Updates ioredis from 5.11.0 to 5.11.1

Release notes

Sourced from ioredis's releases.

v5.11.1

5.11.1 (2026-06-04)

Bug Fixes

• cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)
• parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

Changelog

Sourced from ioredis's changelog.

5.11.1 (2026-06-04)

Bug Fixes

• cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)
• parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

Commits

• fb224a7 chore(release): 5.11.1 [skip ci]
• 131ee24 fix: parse protocol-relative Redis URLs as TCP connections (#2125)
• c84b2ee fix(cluster): reconnect to nodes that restart without slot changes (#2096)
• See full diff in compare view

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #62.
• Fix trailing whitespace handling when folding flow scalar lines, #307.
• Reject top-level block scalars without content indentation, #280.
• Ensure numbers survive round-trip, #737.
• Fix test coverage for issue #221.
• Fix flow scalar trailing whitespace folding, #307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

Commits

• See full diff in compare view

Updates lucide-react from 1.17.0 to 1.18.0

Release notes

Sourced from lucide-react's releases.

Version 1.18.0

What's Changed

• chore(site): Remove survey from site by @​ericfennis in lucide-icons/lucide#4417
• feat(icons): added play-off icon by @​Ahmed-Dghaies in lucide-icons/lucide#4412
• fix(metadata): add missing use-cases prop on play-off.json by @​karsa-mistmere in lucide-icons/lucide#4423
• fix(docs): force hide #bb-banner, if html.has-bb-banner is missing by @​karsa-mistmere in lucide-icons/lucide#4422
• fix(docs): Remove @next from installation instructions for@lucide/svelte by @​alecglassford in lucide-icons/lucide#4432
• feat(packages/angular): add support for Angular v22 and onwards by @​karsa-mistmere in lucide-icons/lucide#4450
• fix(ci): add check to skip release if latest tag was created today by @​ericfennis in lucide-icons/lucide#4085
• feat(icons): added webcam-off icon by @​jordan-burnett in lucide-icons/lucide#4242

New Contributors

• @​alecglassford made their first contribution in lucide-icons/lucide#4432
• @​jordan-burnett made their first contribution in lucide-icons/lucide#4242

Full Changelog: lucide-icons/lucide@1.17.0...1.18.0

Commits

• See full diff in compare view

Updates next from 16.2.6 to 16.2.9

Release notes

Sourced from next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

• f37fad9 v16.2.9
• d9aaaed [cd] Allow tagging semver-lower releases as @latest if @latest po… (#94627)
• 6f16804 v16.2.8
• 0dbc1d5 [16.2.x][cd] Ensure release can be triggered on old branches (#94598)
• 90e3c81 [16.2.x] Align Actions dependencies with Canary (#94339)
• 83f402c [16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)
• 411c455 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• Additional commits viewable in compare view

Updates nodemailer from 8.0.10 to 8.0.11

Release notes

Sourced from nodemailer's releases.

v8.0.11

8.0.11 (2026-06-10)

Bug Fixes

• apply the transport-level newline option in stream and sendmail transports (cb4f904)
• include icalEvent path/href content in the application/ics attachment (b801c48)
• parse Ethereal response props without polynomial regex backtracking (067aebe)
• resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
• return the promise from every resolveContent branch (07ffe8c)
• strip the url scheme from List-ID header values (77e5885)
• tag AWS SES transport errors with the ESES code (efa647a)

Changelog

Sourced from nodemailer's changelog.

8.0.11 (2026-06-10)

Bug Fixes

• apply the transport-level newline option in stream and sendmail transports (cb4f904)
• include icalEvent path/href content in the application/ics attachment (b801c48)
• parse Ethereal response props without polynomial regex backtracking (067aebe)
• resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
• return the promise from every resolveContent branch (07ffe8c)
• strip the url scheme from List-ID header values (77e5885)
• tag AWS SES transport errors with the ESES code (efa647a)

Commits

• e3b1bda chore(master): release 8.0.11 (#1826)
• 4358caf refactor: remove dead checks flagged by Code Quality analysis
• cf5195c chore: harden workflow token permissions and update GitHub Actions
• 067aebe fix: parse Ethereal response props without polynomial regex backtracking
• 0cee4fe chore: add CodeQL code scanning workflow
• cb9da47 chore: update dev dependencies
• e0a4928 chore: format CLAUDE.md with prettier
• 8620f2f docs: correct stale timeout defaults in SMTPConnection options JSDoc
• efa647a fix: tag AWS SES transport errors with the ESES code
• 07ffe8c fix: return the promise from every resolveContent branch
• Additional commits viewable in compare view

Updates @types/nodemailer from 8.0.0 to 8.0.1

Commits

• See full diff in compare view

Updates radix-ui from 1.4.3 to 1.5.0

Changelog

Sourced from radix-ui's changelog.

1.5.0

Context Menu

• Added support for a controlled open prop on ContextMenu.Root. This is intended for reading the open state and closing the menu programmatically, though we discourage opening the menu programmatically since opening the menu depends on user interaction to position the menu.

  function ControlledContextMenu() {
    const [open, setOpen] = React.useState(false);
    return (
      <ContextMenu.Root open={open} onOpenChange={setOpen}>
        <ContextMenu.Trigger>Open</ContextMenu.Trigger>
        <ContextMenu.Content>
          <button type="button" onClick={() => setOpen(false)}>
            Close me
          </button>
          <ContextMenu.Item>Item 1</ContextMenu.Item>
          <ContextMenu.Item>Item 2</ContextMenu.Item>
        </ContextMenu.Content>
      </ContextMenu.Root>
    );
  }

• Fixed a bug in where submenus remained expanded after re-opening on long-press touch events.

Dialog

• Fixed a bug where iOS text selection and editing on HTML inputs within dialogs were broken.
• Fixed a bug causing disabled pointer events in closed dialogs.

One-Time Password Field

• Fixed pasting into One-Time Password Field in environments that do not support the legacy "Text" clipboard format by reading the pasted value as "text/plain".
• Fixed issues with focus management in React 19.2+.
• Fixed a bug to ensure that pasted values exceeding the field length are truncated.

Popper

• Fixed a "Maximum update depth exceeded" bug for pages with a large number of popper instances.
• Exposed data-side and data-align on PopperAnchor element

Presence

• Fixed a "Maximum update depth exceeded" bug in React 19 that could occur when Presence was given a child with an unstable ref.

Radio Group

• Added unstable RadioGroupItemProvider, RadioGroupItemTrigger and RadioGroupItemBubbleInput parts. These expose the previously internal composition of a radio item that included a visually hidden input so consumers can directly access and recompose them. The RadioGroupItem component continues to render them by default.

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for radix-ui since your current version.

Updates react from 19.2.6 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed ...

  Description has been truncated