chore(deps): bump the npm-deps group across 4 directories with 18 updates #3722

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/cmd/hatchet-cli/cli/templates/typescript/pnpm/npm-deps-531b90943f

dependabot[bot] commented on behalf of github on Apr 27, 2026

Bumps the npm-deps group with 1 update in the /cmd/hatchet-cli/cli/templates/typescript/pnpm directory: @hatchet-dev/typescript-sdk.
Bumps the npm-deps group with 9 updates in the /frontend/app directory:

| Package | From | To |
| --- | --- | --- |
| @sentry/react | 10.49.0 | 10.50.0 |
| @tanstack/react-query | 5.99.0 | 5.100.1 |
| @tanstack/react-query-devtools | 5.99.0 | 5.100.1 |
| axios | 1.15.0 | 1.15.2 |
| dompurify | 3.4.0 | 3.4.1 |
| lucide-react | 1.8.0 | 1.9.0 |
| posthog-js | 1.369.2 | 1.371.2 |
| react-hook-form | 7.72.1 | 7.73.1 |
| prettier-plugin-tailwindcss | 0.7.2 | 0.7.3 |

Bumps the npm-deps group with 3 updates in the /frontend/docs directory: lucide-react, posthog-js and posthog-node.
Bumps the npm-deps group with 8 updates in the /sdks/typescript directory:

| Package | From | To |
| --- | --- | --- |
| axios | 1.15.0 | 1.15.2 |
| eslint | 10.2.0 | 10.2.1 |
| @bufbuild/protobuf | 2.11.0 | 2.12.0 |
| typescript-eslint | 8.58.2 | 8.59.0 |
| @opentelemetry/core | 2.6.1 | 2.7.0 |
| @opentelemetry/exporter-trace-otlp-grpc | 0.214.0 | 0.215.0 |
| @opentelemetry/instrumentation | 0.214.0 | 0.215.0 |
| @opentelemetry/sdk-trace-base | 2.6.1 | 2.7.0 |

Updates @hatchet-dev/typescript-sdk from 1.21.0 to 1.21.2

Commits

Updates @sentry/react from 10.49.0 to 10.50.0

Release notes

Sourced from @​sentry/react's releases.

10.50.0

Important Changes

  • feat(effect): Support v4 beta (#20394)

    The @sentry/effect integration now supports Effect v4 beta, enabling Sentry instrumentation for the latest Effect framework version. Read more in the Effect SDK readme.

  • feat(hono): Add @sentry/hono/bun for Bun runtime (#20355)

    A new @sentry/hono/bun entry point adds first-class support for running Hono applications instrumented with Sentry on the Bun runtime. Read more in the Hono SDK readme.

  • feat(replay): Add replayStart/replayEnd client lifecycle hooks (#20369)

    New replayStart and replayEnd client lifecycle hooks let you react to replay session start and end events in your application.

Other Changes

  • feat(core): Emit no_parent_span client outcomes for discarded spans requiring a parent (#20350)
  • feat(deps): Bump protobufjs from 7.5.4 to 7.5.5 (#20372)
  • feat(hono): Add runtime packages as optional peer dependencies (#20423)
  • feat(opentelemetry): Add tracingChannel utility for context propagation (#20358)
  • fix(browser): Enrich graphqlClient spans for relative URLs (#20370)
  • fix(browser): Filter implausible LCP values (#20338)
  • fix(cloudflare): Use TransformStream to keep track of streams (#20452)
  • fix(console): Re-patch console in AWS Lambda runtimes (#20337)
  • fix(core): Correct GoogleGenAIIstrumentedMethod typo in type name
  • fix(core): Handle stateless MCP wrapper transport correlation (#20293)
  • fix(hono): Remove undefined from options type (#20419)
  • fix(node): Guard against null httpVersion in outgoing request span attributes (#20430)
  • fix(node-core): Pass rejection reason instead of Promise as originalException (#20366)
  • chore: Ignore claude worktrees (#20440)
  • chore: Prevent test from creating zombie process (#20392)
  • chore: Update size-limit (#20412)
  • chore(dev-deps): Bump nx from 22.5.0 to 22.6.5 (#20458)
  • chore(e2e-tests): Use tarball symlinks for E2E tests instead of verdaccio (#20386)
  • chore(lint): Remove lint warnings (#20413)
  • chore(test): Remove empty variant tests (#20443)
  • chore(tests): Use verdaccio as node process instead of docker image (#20336)
  • docs(readme): Update usage instructions for binary scripts (#20426)
  • ref(node): Vendor undici instrumentation (#20190)
  • test(aws-serverless): Ensure aws-serverless E2E tests run locally (#20441)
  • test(aws-serverless): Split npm & layer tests (#20442)
  • test(browser): Fix flaky sessions route-lifecycle test + upgrade axios (#20197)
  • test(cloudflare): Use .makeRequestAndWaitForEnvelope to wait for envelopes (#20208)

... (truncated)

Changelog

Sourced from @​sentry/react's changelog.

10.50.0

Important Changes

  • feat(effect): Support v4 beta (#20394)

    The @sentry/effect integration now supports Effect v4 beta, enabling Sentry instrumentation for the latest Effect framework version. Read more in the Effect SDK readme.

  • feat(hono): Add @sentry/hono/bun for Bun runtime (#20355)

    A new @sentry/hono/bun entry point adds first-class support for running Hono applications instrumented with Sentry on the Bun runtime. Read more in the Hono SDK readme.

  • feat(replay): Add replayStart/replayEnd client lifecycle hooks (#20369)

    New replayStart and replayEnd client lifecycle hooks let you react to replay session start and end events in your application.

Other Changes

  • feat(core): Emit no_parent_span client outcomes for discarded spans requiring a parent (#20350)
  • feat(deps): Bump protobufjs from 7.5.4 to 7.5.5 (#20372)
  • feat(hono): Add runtime packages as optional peer dependencies (#20423)
  • feat(opentelemetry): Add tracingChannel utility for context propagation (#20358)
  • fix(browser): Enrich graphqlClient spans for relative URLs (#20370)
  • fix(browser): Filter implausible LCP values (#20338)
  • fix(cloudflare): Use TransformStream to keep track of streams (#20452)
  • fix(console): Re-patch console in AWS Lambda runtimes (#20337)
  • fix(core): Correct GoogleGenAIIstrumentedMethod typo in type name
  • fix(core): Handle stateless MCP wrapper transport correlation (#20293)
  • fix(hono): Remove undefined from options type (#20419)
  • fix(node): Guard against null httpVersion in outgoing request span attributes (#20430)
  • fix(node-core): Pass rejection reason instead of Promise as originalException (#20366)
  • chore: Ignore claude worktrees (#20440)
  • chore: Prevent test from creating zombie process (#20392)
  • chore: Update size-limit (#20412)
  • chore(dev-deps): Bump nx from 22.5.0 to 22.6.5 (#20458)
  • chore(e2e-tests): Use tarball symlinks for E2E tests instead of verdaccio (#20386)
  • chore(lint): Remove lint warnings (#20413)
  • chore(test): Remove empty variant tests (#20443)
  • chore(tests): Use verdaccio as node process instead of docker image (#20336)
  • docs(readme): Update usage instructions for binary scripts (#20426)
  • ref(node): Vendor undici instrumentation (#20190)
  • test(aws-serverless): Ensure aws-serverless E2E tests run locally (#20441)
  • test(aws-serverless): Split npm & layer tests (#20442)
  • test(browser): Fix flaky sessions route-lifecycle test + upgrade axios (#20197)

... (truncated)

Commits
  • 785e756 release: 10.50.0
  • ed26a19 Merge pull request #20461 from getsentry/prepare-release/10.50.0
  • 7b584c4 meta(changelog): Update changelog for 10.50.0
  • 39740da test(cloudflare): Use .makeRequestAndWaitForEnvelope to wait for envelopes (#...
  • c741030 test(aws-serverless): Split npm & layer tests (#20442)
  • f97076d chore(dev-deps): Bump nx from 22.5.0 to 22.6.5 (#20458)
  • 4b4ac76 fix(node): Guard against null httpVersion in outgoing request span attribut...
  • 7569b10 fix(cloudflare): Use TransformStream to keep track of streams (#20452)
  • a4c9686 test(hono): Add E2E tests for middleware spans (#20451)
  • ff23846 chore: Ignore claude worktrees (#20440)
  • Additional commits viewable in compare view

Updates @tanstack/react-query from 5.99.0 to 5.100.1

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.1

Patch Changes

  • Updated dependencies [1bb0d23]:
    • @​tanstack/query-core@​5.100.1

5.100.0

Patch Changes

  • Updated dependencies [6540a41]:
    • @​tanstack/query-core@​5.100.0

5.99.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.99.2

5.99.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.99.1

Commits
  • 2f9527e ci: Version Packages (#10568)
  • ad517e5 ci: Version Packages (#10567)
  • 6540a41 feat(core): callback for retryOnMount (#10515)
  • e236194 test(react-query/useQuery.promise): improve stability by isolating 'queryClie...
  • 59efc40 test(*): resolve 'require-await' warnings in test files (#10551)
  • cf8a765 test(react-query/useQuery): rename 'throwOnError' callback parameter to 'err'...
  • 6b6667e test(*): migrate 'test' to 'it' and enforce 'vitest/consistent-test-it' rule ...
  • a3ec7b3 ci: Version Packages (#10520)
  • 69d2757 ci: Version Packages (#10514)
  • 7ffa1ed test({react,preact,solid}-query/useQueries): fix test description from 'useQu...
  • Additional commits viewable in compare view

Updates @tanstack/react-query-devtools from 5.99.0 to 5.100.1

Changelog

Sourced from @​tanstack/react-query-devtools's changelog.

5.100.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.1
    • @​tanstack/react-query@​5.100.1

5.100.0

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.0
    • @​tanstack/react-query@​5.100.0

5.99.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.99.2
    • @​tanstack/react-query@​5.99.2

5.99.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.99.1
    • @​tanstack/react-query@​5.99.1

Commits

Updates axios from 1.15.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

  • Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

  • Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

  • Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
  • CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
  • Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
  • withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
  • maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
  • Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
  • Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

  • AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
  • Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

  • FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
  • HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
  • Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
  • Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
  • buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
  • AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
  • Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

  • Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

  • Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog


v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

  • Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

  • CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

  • Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

  • withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

  • maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

  • Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

  • Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

  • AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

Updates dompurify from 3.4.0 to 3.4.1

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.1

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

Commits
  • 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
  • 09f5911 test: added three more browsers to test setup (OSX, mobile)
  • See full diff in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates lucide-react from 1.8.0 to 1.9.0

Release notes

Sourced from lucide-react's releases.

Version 1.9.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.8.0...1.9.0

Commits

Updates posthog-js from 1.369.2 to 1.371.2

Release notes

Sourced from posthog-js's releases.

posthog-js@1.371.2

1.371.2

Patch Changes

  • #3453 96f19b7 Thanks @​turnipdabeets! - Lift OTLP log serialization helpers from posthog-js into @​posthog/core so the upcoming React Native logs feature consumes the same builders. Browser gains two fixes as a side effect: NaN and ±Infinity attribute values no longer get silently dropped during JSON encoding, and the scope.version OTLP field is now populated with the SDK version (changes the server's instrumentation_scope column from "posthog-js@" to "posthog-js@"). (2026-04-23)
  • Updated dependencies [96f19b7]:
    • @​posthog/types@​1.371.2
    • @​posthog/core@​1.27.1

posthog-js@1.371.1

1.371.1

Patch Changes

  • #3425 2da17e8 Thanks @​marandaneto! - Classify SDK-owned persistence keys with an explicit event exposure policy so new internal persistence state must be intentionally marked as event-visible, hidden, or derived. (2026-04-23)
  • Updated dependencies []:
    • @​posthog/types@​1.371.1

posthog-js@1.371.0

1.371.0

Patch Changes

  • #3432 1a8b727 Thanks @​richardsolomou! - refactor: rename __add_tracing_headers to addTracingHeaders. The __ prefix signalled an internal/experimental option, but the config is a public API (documented for linking LLM traces to session replays). __add_tracing_headers continues to work as a deprecated alias on the browser SDK.

    Also exposes patchFetchForTracingHeaders from @posthog/core so non-browser SDKs can reuse the implementation. (2026-04-23)

  • Updated dependencies [1a8b727]:

    • @​posthog/core@​1.27.0
    • @​posthog/types@​1.371.0

posthog-js@1.370.1

1.370.1

Patch Changes

  • #3442 6f19ce8 Thanks @​marandaneto! - fix(surveys): guard survey seen localStorage access (2026-04-22)
  • Updated dependencies []:
    • @​posthog/types@​1.370.1

posthog-js@1.370.0

1.370.0

... (truncated)

Commits
  • ee4fb75 chore: update versions and lockfile [version bump]
  • 96f19b7 refactor(logs): lift OTLP utilities to @​posthog/core (#3453)
  • 21679b8 chore: update versions and lockfile [version bump]
  • 2da17e8 fix(browser): classify SDK persistence keys explicitly (#3425)
  • 37d7897 chore: update versions and lockfile [version bump]
  • 1a8b727 feat: support addTracingHeaders in react-native sdk (#3432)
  • 45dbf03 chore: update versions and lockfile [version bump]
  • 6f19ce8 fix(surveys): guard eligibility checks against storage access errors (#3442)
  • 73f5cb5 chore: update versions and lockfile [version bump]
  • 922a1c1 feat: add exception steps buffering and public API (#3389)
  • Additional commits viewable in compare view

Updates react-hook-form from 7.72.1 to 7.73.1

Release notes

Sourced from react-hook-form's releases.

Version 7.73.1

  • ⚡ perf: memoize submit (#13378)
  • 🚉 perf: improve deepEqual performance (#13362)
  • 👀 perf: skip re-render in setValue when value is unchanged (#13352)
  • ✂️ remove unneeded flag check for shouldDirty
  • 🚨 fix: safely access field._f during register (#13365)
  • 🧹 close #13298: improve fieldState errors when resolver uses dot-notation string keys (#13350)
  • 🐞 fix #13178: update state correctly in watch callback with Controller, trigger, and reset (#13180)
  • 🐞 fix #13331: skip field array validation when mode is onBlur (#13333)
  • 🐞 fix #13334 sDirty remains false after deletion an item with shouldDirty: true (#13357)
  • 🐞 fix: handle nested field when parent defaultValue is null (#13348)

thanks to @​Prasadzoman, @​cyphercodes, @​lorenzoceglia, @​rizwan-rizu, @​tomeelog & @​ap0nia

Commits

Updates prettier-plugin-tailwindcss from 0.7.2 to 0.7.3

Release notes

Sourced from prettier-plugin-tailwindcss's releases.

v0.7.3

Changed

  • Remove top-level await (#420)
  • Improve load-time performance (#420)

Fixed

  • Collapse whitespace in template literals with adjacent quasis (#427)

Changelog

Sourced from prettier-plugin-tailwindcss's changelog.

[0.7.3] - 2026-04-23

Changed

  • Remove top-level await (#420)
  • Improve load-time performance (#420)

Fixed

  • Collapse whitespace in template literals with adjacent quasis (#427)

Commits
  • f7d2598 0.7.3
  • 9a51191 merge release.yml and release-insiders.yml
  • 3997fbd Use explicit import() expressions in plugin load arrays for bundler compatibi...
  • 125a8bc Fix v3 config loading with Jiti re-exports (#448)
  • 2ac6e70 Enable minify: "dce-only in tsdown (#447)
  • 9907134 Add oxlint with type-aware linting (#445)
  • 9caa70c Add knip for detecting unused files and dependencies (#444)
  • 550f74c Use the plugin that has already been imported rather than dynamically importi...
  • a087de3 Skip visiting non-node children (#443)
  • 1abb2ef Remove unused deps (#441)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for prettier-plugin-tailwindcss since your current version.


Updates lucide-react from 1.8.0 to 1.9.0

Release notes

Sourced from lucide-react's releases.

Version 1.9.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.8.0...1.9.0

Commits

Updates posthog-js from 1.369.2 to 1.371.2

Release notes

Sourced from posthog-js's releases.

posthog-js@1.371.2

1.371.2

Patch Changes

  • #3453 96f19b7 Thanks @​turnipdabeets! - Lift OTLP log serialization helpers from posthog-js into @​posthog/core so the upcoming React Native logs feature consumes the same builders. Browser gains two fixes as a side effect: NaN and ±Infinity attribute values no longer get silently dropped during JSON encoding, and the scope.version OTLP field is now populated with the SDK version (changes the server's instrumentation_scope column from "posthog-js@" to "posthog-js@"). (2026-04-23)
  • Updated dependencies [96f19b7]:
    • @​posthog/types@​1.371.2
    • @​posthog/core@​1.27.1

posthog-js@1.371.1

1.371.1

Patch Cha...

Description has been truncated

…ates

Bumps the npm-deps group with 1 update in the /cmd/hatchet-cli/cli/templates/typescript/pnpm directory: [@hatchet-dev/typescript-sdk](https://github.com/hatchet-dev/hatchet).
Bumps the npm-deps group with 9 updates in the /frontend/app directory:

| Package | From | To |
| --- | --- | --- |
| [@sentry/react](https://github.com/getsentry/sentry-javascript) | `10.49.0` | `10.50.0` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.99.0` | `5.100.1` |
| [@tanstack/react-query-devtools](https://github.com/TanStack/query/tree/HEAD/packages/react-query-devtools) | `5.99.0` | `5.100.1` |
| [axios](https://github.com/axios/axios) | `1.15.0` | `1.15.2` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.0` | `3.4.1` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.8.0` | `1.9.0` |
| [posthog-js](https://github.com/PostHog/posthog-js) | `1.369.2` | `1.371.2` |
| [react-hook-form](https://github.com/react-hook-form/react-hook-form) | `7.72.1` | `7.73.1` |
| [prettier-plugin-tailwindcss](https://github.com/tailwindlabs/prettier-plugin-tailwindcss) | `0.7.2` | `0.7.3` |

Bumps the npm-deps group with 3 updates in the /frontend/docs directory: [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react), [posthog-js](https://github.com/PostHog/posthog-js) and [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node).
Bumps the npm-deps group with 8 updates in the /sdks/typescript directory:

| Package | From | To |
| --- | --- | --- |
| [axios](https://github.com/axios/axios) | `1.15.0` | `1.15.2` |
| [eslint](https://github.com/eslint/eslint) | `10.2.0` | `10.2.1` |
| [@bufbuild/protobuf](https://github.com/bufbuild/protobuf-es/tree/HEAD/packages/protobuf) | `2.11.0` | `2.12.0` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.58.2` | `8.59.0` |
| [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js) | `2.6.1` | `2.7.0` |
| [@opentelemetry/exporter-trace-otlp-grpc](https://github.com/open-telemetry/opentelemetry-js) | `0.214.0` | `0.215.0` |
| [@opentelemetry/instrumentation](https://github.com/open-telemetry/opentelemetry-js) | `0.214.0` | `0.215.0` |
| [@opentelemetry/sdk-trace-base](https://github.com/open-telemetry/opentelemetry-js) | `2.6.1` | `2.7.0` |



Updates `@hatchet-dev/typescript-sdk` from 1.21.0 to 1.21.2
- [Release notes](https://github.com/hatchet-dev/hatchet/releases)
- [Commits](https://github.com/hatchet-dev/hatchet/commits)

Updates `@sentry/react` from 10.49.0 to 10.50.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.49.0...10.50.0)

Updates `@tanstack/react-query` from 5.99.0 to 5.100.1
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-devtools@5.100.1/packages/react-query)

Updates `@tanstack/react-query-devtools` from 5.99.0 to 5.100.1
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-devtools/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-devtools@5.100.1/packages/react-query-devtools)

Updates `axios` from 1.15.0 to 1.15.2
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.15.0...v1.15.2)

Updates `dompurify` from 3.4.0 to 3.4.1
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.0...3.4.1)

Updates `lucide-react` from 1.8.0 to 1.9.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.9.0/packages/lucide-react)

Updates `posthog-js` from 1.369.2 to 1.371.2
- [Release notes](https://github.com/PostHog/posthog-js/releases)
- [Changelog](https://github.com/PostHog/posthog-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/PostHog/posthog-js/compare/posthog-js@1.369.2...posthog-js@1.371.2)

Updates `react-hook-form` from 7.72.1 to 7.73.1
- [Release notes](https://github.com/react-hook-form/react-hook-form/releases)
- [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md)
- [Commits](react-hook-form/react-hook-form@v7.72.1...v7.73.1)

Updates `prettier-plugin-tailwindcss` from 0.7.2 to 0.7.3
- [Release notes](https://github.com/tailwindlabs/prettier-plugin-tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/prettier-plugin-tailwindcss/blob/main/CHANGELOG.md)
- [Commits](tailwindlabs/prettier-plugin-tailwindcss@v0.7.2...v0.7.3)

Updates `lucide-react` from 1.8.0 to 1.9.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.9.0/packages/lucide-react)

Updates `posthog-js` from 1.369.2 to 1.371.2
- [Release notes](https://github.com/PostHog/posthog-js/releases)
- [Changelog](https://github.com/PostHog/posthog-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/PostHog/posthog-js/compare/posthog-js@1.369.2...posthog-js@1.371.2)

Updates `posthog-node` from 5.29.2 to 5.30.0
- [Release notes](https://github.com/PostHog/posthog-js/releases)
- [Changelog](https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md)
- [Commits](https://github.com/PostHog/posthog-js/commits/posthog-node@5.30.0/packages/node)

Updates `axios` from 1.15.0 to 1.15.2
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.15.0...v1.15.2)

Updates `eslint` from 10.2.0 to 10.2.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.2.0...v10.2.1)

Updates `@bufbuild/protobuf` from 2.11.0 to 2.12.0
- [Release notes](https://github.com/bufbuild/protobuf-es/releases)
- [Commits](https://github.com/bufbuild/protobuf-es/commits/v2.12.0/packages/protobuf)

Updates `typescript-eslint` from 8.58.2 to 8.59.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.0/packages/typescript-eslint)

Updates `@opentelemetry/core` from 2.6.1 to 2.7.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v2.6.1...v2.7.0)

Updates `@opentelemetry/exporter-trace-otlp-grpc` from 0.214.0 to 0.215.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.214.0...experimental/v0.215.0)

Updates `@opentelemetry/instrumentation` from 0.214.0 to 0.215.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.214.0...experimental/v0.215.0)

Updates `@opentelemetry/sdk-trace-base` from 2.6.1 to 2.7.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v2.6.1...v2.7.0)

---
updated-dependencies:
- dependency-name: "@hatchet-dev/typescript-sdk"
  dependency-version: 1.21.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@sentry/react"
  dependency-version: 10.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.100.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: "@tanstack/react-query-devtools"
  dependency-version: 5.100.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: dompurify
  dependency-version: 3.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: lucide-react
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: posthog-js
  dependency-version: 1.371.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: react-hook-form
  dependency-version: 7.73.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: prettier-plugin-tailwindcss
  dependency-version: 0.7.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: lucide-react
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: posthog-js
  dependency-version: 1.371.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: posthog-node
  dependency-version: 5.30.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.2.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@bufbuild/protobuf"
  dependency-version: 2.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: typescript-eslint
  dependency-version: 8.59.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: "@opentelemetry/core"
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: "@opentelemetry/exporter-trace-otlp-grpc"
  dependency-version: 0.215.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: "@opentelemetry/instrumentation"
  dependency-version: 0.215.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: "@opentelemetry/sdk-trace-base"
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the `dependencies` (Pull requests that update a dependency file) and `javascript` (Pull requests that update javascript code) labels Apr 27, 2026
@vercel

vercel Bot commented Apr 27, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| hatchet-docs | Ready | Preview, Comment | Apr 27, 2026 5:14am |


@gregfurman
Collaborator

@dependabot recreate

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github May 6, 2026

The dependabot.yml entry that created this PR has been deleted so this PR can't be recreated. Please close the PR so Dependabot can create a new one with the current dependabot.yml.
