fix(deps): bump the prod-minor-patch group with 4 updates

[dependabot]

Bumps the prod-minor-patch group with 4 updates: @oclif/core, react, react-dom and tar.

Updates @oclif/core from 4.11.0 to 4.11.1

Release notes

Sourced from @​oclif/core's releases.

4.11.1

Bug Fixes

• deps: bump ip-address from 10.1.0 to 10.2.0 (e36a6d8)

Changelog

Sourced from @​oclif/core's changelog.

4.11.1 (2026-05-07)

Bug Fixes

• deps: bump ip-address from 10.1.0 to 10.2.0 (e36a6d8)

Commits

• 9765e73 chore(release): 4.11.1 [skip ci]
• b18a4a3 Merge pull request #1591 from oclif/dependabot-npm_and_yarn-ip-address-10.2.0
• e36a6d8 fix(deps): bump ip-address from 10.1.0 to 10.2.0
• 23ca6c1 Merge pull request #1589 from oclif/dependabot-npm_and_yarn-oclif-plugin-help...
• 298b991 Merge pull request #1590 from oclif/dependabot-npm_and_yarn-eslint-config-ocl...
• d0b6792 chore(dev-deps): bump eslint-config-oclif from 6.0.159 to 6.0.160
• 069cfd7 chore(dev-deps): bump @​oclif/plugin-help from 6.2.44 to 6.2.45
• See full diff in compare view

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates tar from 7.5.13 to 7.5.15

Commits

• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• 6244eb3 7.5.14
• 9704d8c stricter protection against hardlinks preempting their targets
• 700734f update workflows and deps
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cli-web-cli	Ready	Preview, Comment	May 11, 2026 1:23pm

[ci-lockfile-regen]

Dependabot Fix Assessment

Package: @oclif/core 4.11.0 → 4.11.1, react + react-dom 19.2.5 → 19.2.6, tar 7.5.13 → 7.5.15 (all patch)
Scope: runtime dependencies (root package)
Workspace: root

What changed upstream

• @oclif/core 4.11.1: bumps internal ip-address dep from 10.1.0 → 10.2.0; no API changes
• react/react-dom 19.2.6: React Server Components type hardening and perf improvements; no CLI-facing changes
• tar 7.5.14–7.5.15: security patches for hardlink edge cases in extraction; extract() public API is unchanged

Migration concerns checked

• Peer dependencies: OK
• Type changes: OK — extract export in tar unchanged, verified at runtime
• Config files: OK
• Module format: OK — all packages remain CJS-compatible
• React compatibility: OK — no duplicate-React risk
• Monorepo impact: OK — react/react-dom bump covered by packages/react-web-cli; tar only used in root

What broke

• E2E test skills-e2e.test.ts > downloads the published bundle and installs skills into the cursor target: received 503 Service Unavailable from https://api.github.com/repos/ably/agent-skills/releases/latest — a transient GitHub API outage. The error fires in src/services/skills-downloader.ts:101 before any tar extraction, so the tar bump is irrelevant.

What was fixed

No code changes required. The failure is a transient GitHub 503, not a dependency compatibility issue. A CI re-run should pass.

Verification

• Build: ✅ (no source changes)
• Lint: ✅ (no source changes)
• Unit tests: ✅ (no source changes)
• Web CLI tests: ✅ (no source changes)

Notes for reviewer

Re-trigger the failed E2E Tests workflow — the skills install test depends on the live GitHub Releases API and is susceptible to transient network errors. All four dependency bumps are safe to merge as-is.