chore(deps): bump the minor-and-patch group across 1 directory with 22 updates

[dependabot]

Bumps the minor-and-patch group with 22 updates in the / directory:

Package	From	To
@inquirer/prompts	8.4.3	8.5.2
@biomejs/biome	2.4.15	2.4.16
@types/node	25.7.0	25.9.3
@vitest/coverage-v8	4.1.6	4.1.8
tsx	4.22.0	4.22.4
vitest	4.1.6	4.1.8
better-auth	1.6.11	1.6.16
date-fns	4.1.0	4.4.0
lucide-react	1.16.0	1.17.0
motion	12.38.0	12.40.0
next	16.2.6	16.2.9
next-intl	4.12.0	4.13.0
pg	8.20.0	8.21.0
postcss	8.5.14	8.5.15
radix-ui	1.4.3	1.5.0
react	19.2.6	19.2.7
@types/react	19.2.14	19.2.17
react-day-picker	10.0.0	10.0.1
react-dom	19.2.6	19.2.7
react-qr-code	2.0.21	2.2.0
shadcn	4.7.0	4.11.0
react-doctor	0.1.6	0.5.1

Updates @inquirer/prompts from 8.4.3 to 8.5.2

Release notes

Sourced from @​inquirer/prompts's releases.

@​inquirer/prompts@​8.5.2

• Fix security warnings in external-editor

@​inquirer/prompts@​8.5.1

• Rolled back mute-stream dependency from v4 to v3 to undo breaking compatible engines.
• Added tooling to prevent regression of the above in the future. This surfaced our min engines already enforced a higher limit, so adjusted the explicit limits to match the current state.

@​inquirer/prompts@​8.5.0

• Feat: Read env variable INQUIRER_KEYBINDINGS to enable vim or emacs keybindings; making this a user preference instead of a library author preference. One caveat is doing so disable the search feature in the select prompt. Syntax: INQUIRER_KEYBINDINGS=vim,emacs.
• Fix: Line wraps would sometime cause the cursor to be mispositioned relative to the input.
• Chore: Bump dependencies.

Commits

• bfd8710 chore: Publish new release
• 55cc5f3 feat: add reusable package lint CLI
• 3af9ed0 test(inquirer): capture prompt runner output
• 4381857 fix(@​inquirer/input): remove stale lint suppression
• 45df331 fix(@​inquirer/external-editor): harden editor temp files
• adef323 chore: limit CI token permissions
• b43359d chore: Publish new release
• 24ecae2 chore: fix yarn.lock
• b078d97 fix: validate package engine compatibility
• 3a49f9f chore(deps-dev): Bump oxfmt in the formatting group (#2143)
• Additional commits viewable in compare view

Updates @biomejs/biome from 2.4.15 to 2.4.16

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.16

2.4.16

Patch Changes

• #10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #10358 05c2617 Thanks @​dyc3! - Fixed #10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #10300 950247c Thanks @​dyc3! - Fixed #10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #10425 1948b72 Thanks @​sjh9714! - Fixed #10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #10442 001f94f Thanks @​ematipico! - Fixed #10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.16

Patch Changes

• #10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #10358 05c2617 Thanks @​dyc3! - Fixed #10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #10300 950247c Thanks @​dyc3! - Fixed #10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #10425 1948b72 Thanks @​sjh9714! - Fixed #10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #10442 001f94f Thanks @​ematipico! - Fixed #10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

... (truncated)

Commits

• 5f4ea56 ci: release (#10326)
• de2a33c fix(core): regression in emitted types (#10478)
• d835303 docs: remove redundant default phrase in useConsistentObjectDefinitions rul...
• 4f1aaf2 fix: incorrect build when using build or test (#10426)
• dc73b6b refactor: make plugins opt-in via feature gate (#10418)
• e71f584 feat(useDestructuring): add options for assignment/declaration and improve di...
• 9b1577f fix(config): support trailingCommas in overrides (#10318)
• See full diff in compare view

Updates @types/node from 25.7.0 to 25.9.3

Commits

• See full diff in compare view

Updates @vitest/coverage-v8 from 4.1.6 to 4.1.8

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• See full diff in compare view

Updates tsx from 4.22.0 to 4.22.4

Release notes

Sourced from tsx's releases.

v4.22.4

4.22.4 (2026-05-31)

Bug Fixes

• resolve CommonJS directory requires inside dependencies (#803) (1ce8463)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.3

4.22.3 (2026-05-19)

Bug Fixes

• decode typed loader source (dce02fc)
• preserve entrypoint with TypeScript preload hooks (68f72f3)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.2

4.22.2 (2026-05-18)

Bug Fixes

• preserve CJS JSON require in ESM hooks (35b700b)
• preserve named exports from CommonJS TypeScript (11de737)
• support module.exports require(esm) interop (cf8f199)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.1

4.22.1 (2026-05-17)

Bug Fixes

• resolve tsconfig path aliases containing a colon (#780) (6979f28)

---

This release is also available on:

• npm package (@​latest dist-tag)

Commits

• 1ce8463 fix: resolve CommonJS directory requires inside dependencies (#803)
• dce02fc fix: decode typed loader source
• 68f72f3 fix: preserve entrypoint with TypeScript preload hooks
• 69455cf test: cover package exports for ambiguous ESM reexports
• 35b700b fix: preserve CJS JSON require in ESM hooks
• ef807db chore: update testing dependencies
• 3917090 test: document compatibility test taxonomy
• de8113f refactor: centralize Node capability facts
• c1f62db test: consolidate tsconfig path edge coverage
• 4e08174 test: consolidate loader hook coverage
• Additional commits viewable in compare view

Updates vitest from 4.1.6 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• See full diff in compare view

Updates better-auth from 1.6.11 to 1.6.16

Release notes

Sourced from better-auth's releases.

v1.6.16

better-auth

Bug Fixes

• Fixed SIWE verification to bind the signed message to server state before creating a session, preventing acceptance of signatures produced for a different message, earlier nonce, or unrelated domain.
• Fixed PayPal ID token verification to validate the signature, issuer, audience, expiration, and nonce against PayPal's JWKS (RS256) or client secret (HS256), rejecting tokens that pass only structural checks.
• Fixed Google hd (hosted domain) enforcement to verify the hd claim on the verified ID token and callback profile, preventing accounts outside the configured Workspace domain from signing in.
• Fixed verifyAccessToken remote introspection to reject tokens with a missing or mismatching aud claim; set remoteVerify.allowMissingAudience: true to permit tokens where the introspection response legitimately omits aud.
• Fixed the admin plugin to enforce permissions on role, ban, and email fields in /admin/create-user and /admin/update-user, and prevent data from overriding protected fields. (#9974)
• Fixed email sign-in and sign-up to validate Origin and Referer headers against trustedOrigins even when requests carry no cookies. (#9973)
• Fixed /update-session to reject plugin-managed fields (activeOrganizationId, activeTeamId, impersonatedBy) with a 400 error; use their dedicated endpoints to change these values. (#9965)
• Fixed /update-session and account token routes to immediately reject deleted sessions when cookie cache is enabled alongside database or secondary storage. (#9967)
• Fixed /refresh-token to only trust the account cookie when its userId, providerId, and accountId match the resolved session user.
• Fixed generic OAuth sign-in to reject sign-ins when no account ID can be resolved from the provider response, preventing account collisions on providers that omit sub.
• Fixed createInvitation and acceptInvitation to validate that all requested team IDs belong to the invitation's organization, preventing cross-organization team membership.
• Fixed the JWKS cache to be scoped per verification source with a TTL, preventing key cross-contamination when verifying tokens against multiple issuers simultaneously.
• Fixed the Reddit provider to stop storing oauth_client_id as the user email, preventing all users of the same app from sharing a single email address; a synthetic per-user address is now used when no real email is provided via mapProfileToUser.
• Fixed Facebook token verification to validate tokens against the configured app via the debug_token endpoint, requiring is_valid, a matching app_id, and a client secret for direct sign-in.

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed the token endpoint to enforce per-client grant types, preventing clients registered only for authorization_code from requesting client_credentials tokens.
• Fixed /oauth2/continue to derive post-login gate completion from a server-issued session marker rather than the client-submitted postLogin flag.
• Fixed token introspection to require an azp claim and a valid client on JWT access tokens, preventing session JWTs from being reported as active access tokens.

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML AuthnRequest handling to consume the request atomically, preventing replay attacks on concurrent requests. (#9972)
• Fixed SSO provider IDs to be isolated from the OAuth/social account-linking namespace, preventing unintended account linking when an SSO provider ID matches a trusted OAuth provider name.
• Fixed OIDC endpoint validation to reject server-side requests resolving to non-publicly-routable addresses, protecting against SSRF on token, userinfo, and JWKS endpoints.

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed API key verification to persist only the fields it mutates rather than the full record, preventing concurrent disables, permission changes, or expiry updates from being reverted by an in-flight verification.
• Fixed /api-key/create to verify the session against the authoritative store with disableCookieCache: true, preventing revoked sessions from being accepted within the cookie-cache window.

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.16

Patch Changes

• #9974 cb1cbfa Thanks @​Bekacru! - Guard protected user fields in the admin plugin behind their dedicated permissions. /admin/create-user now requires user:set-role when a role is supplied (top-level or via data.role), validates requested roles against the configured roles, requires user:ban for ban fields passed in data, and no longer lets data override email, name, or role. /admin/update-user now requires user:ban for banned/banReason/banExpires (revoking the user's sessions when banning and rejecting self-bans), requires the new user:set-email permission for email/emailVerified (with email validation, lowercasing, and uniqueness checks), and rejects password updates in favor of /admin/set-user-password. If you use a custom access control, add set-email to your statements and grant it (and ban) to roles that should be able to change those fields through update-user.

• #9974 cb1cbfa Thanks @​Bekacru! - Require a provider account id when signing in through generic OAuth. The default userinfo handler previously fell back to an empty string when the provider response had no sub (or id), and the callback never checked the resolved account id. With certain non-OIDC providers that omit sub, accounts could be stored under the same empty id and a later sign-in could resolve to an existing account. The generic OAuth callback now rejects sign-in when no account id can be resolved, the default userinfo handler returns no profile when neither sub nor id is present, and the built-in OAuth callback also rejects an empty account id.

• #9974 cb1cbfa Thanks @​Bekacru! - Scope organization invitation team IDs to the invited organization. createInvitation now validates that every requested teamId belongs to the invitation's organization regardless of whether teams.maximumMembersPerTeam is set, and acceptInvitation re-checks each stored team's organization before adding team membership. Previously, with the default unlimited team size, a team ID from another organization could be stored on an invitation and applied on acceptance.

• #9973 87e7aa5 Thanks @​gustavovalverde! - Email sign-in and sign-up now validate the Origin or Referer header against trustedOrigins even when the request carries no cookies. Requests that send no Origin/Referer header and no Fetch Metadata (such as curl or server-to-server clients) are unaffected. A non-browser client that sends an untrusted Origin/Referer without cookies now receives a 403 and must add that origin to trustedOrigins.

• #9974 cb1cbfa Thanks @​Bekacru! - Require /refresh-token to only trust the account cookie when its userId, providerId and (when supplied) accountId match the resolved session user.

• #9967 893cf6c Thanks @​gustavovalverde! - Deleting a session now immediately stops /update-session and the account token endpoints (/get-access-token, /refresh-token, /account-info) from accepting it, when cookie cache is enabled alongside a database or secondary storage. Before, these routes kept serving the deleted session from the cached cookie until the cache expired. Deployments that store the session only in the cookie are unaffected.

• #9974 cb1cbfa Thanks @​Bekacru! - Bind the SIWE signed message to server state before creating a session. Previously /siwe/verify only checked that a nonce row existed for the wallet address and then delegated entirely to verifyMessage. Since the documented verifyMessage (viem) performs signature recovery only — without inspecting the message body — a signature the wallet produced for a different message (an earlier nonce, another domain, or arbitrary content) could also satisfy verification against a freshly minted nonce.

  The plugin now parses the ERC-4361 message itself and requires its nonce, domain, address, and chain ID to match the server-issued nonce and configured domain, and enforces the message's Expiration Time / Not Before bounds, before verifying the signature. message must now be a valid ERC-4361 message (which all standard SIWE clients produce); non-conforming or mismatched messages are rejected with a 401 (UNAUTHORIZED_SIWE_MESSAGE_MISMATCH, UNAUTHORIZED_SIWE_MESSAGE_EXPIRED, or UNAUTHORIZED_SIWE_MESSAGE_NOT_YET_VALID). verifyMessage implementations should continue to perform signature recovery only.

• #9974 cb1cbfa Thanks @​Bekacru! - Separate SSO provider ids from the account-linking provider namespace used for social/OAuth providers. Previously an SSO provider registered with an id matching a configured accountLinking.trustedProviders entry (e.g. google) was treated as a trusted provider and could implicitly link to an existing verified account with the same email.

  SSO registration now rejects provider ids that collide with a configured social provider, a trustedProviders entry, or a reserved built-in id. In addition, the OIDC and SAML callbacks no longer derive trust from a trustedProviders name match — SSO trust comes solely from verified domain ownership (domainVerified). handleOAuthUserInfo gains a trustProviderByName option (default true, preserving social-provider behavior) that the SSO plugin sets to false.

• #9965 5e49c56 Thanks @​gustavovalverde! - Passing activeOrganizationId, activeTeamId, or impersonatedBy to /update-session now returns a 400. Change these plugin-managed session fields through their dedicated endpoints instead, such as organization.setActive.

• Updated dependencies [cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa]:

  • @​better-auth/core@​1.6.16
  • @​better-auth/drizzle-adapter@​1.6.16
  • @​better-auth/kysely-adapter@​1.6.16
  • @​better-auth/memory-adapter@​1.6.16
  • @​better-auth/mongo-adapter@​1.6.16
  • @​better-auth/prisma-adapter@​1.6.16
  • @​better-auth/telemetry@​1.6.16

1.6.15

Patch Changes

• #9875 1012b69 Thanks @​WilsonnnTan! - The admin plugin's unbanUser, setRole and adminUpdateUser endpoints used to call internalAdapter.updateUser without checking that the target user existed, so when the caller passed an unknown id the underlying database error (for example Prisma's P2025) bubbled up as a generic HTTP 500. those endpoints now mirror the existing guard in banUser: look the user up via findUserById, and throw a clean NOT_FOUND (USER_NOT_FOUND) when no row is returned. Closes #9800.

• #9865 ad60333 Thanks @​ping-maxwell! - list-session endpoint now requires a fresh-age session check.

• #9811 0933c05 Thanks @​zeroknowledge0x! - Restore Kysely 0.28 and 0.29 compatibility for SQLite dialect introspection. The dialects now mirror Kysely's stable migration table names locally, avoiding strict ESM build failures in Turbopack without forcing consumers onto Kysely 0.29.

• #9919 b0ddfd3 Thanks @​gustavovalverde! - Run configured hooks through the whole OAuth sign-in flow

  hooks.before / hooks.after configured on the auth instance now run for the OAuth authorization that continues after a user signs in, selects an account, or consents. They were being skipped there.

  Headers or cookies a hooks.before sets before returning its own response are no longer dropped, and a hooks.after that throws an APIError no longer loses either its cookies or the error's headers.

... (truncated)

Commits

• 1a3c8c4 chore: release v1.6.16 (#9958)
• cb1cbfa fix: address bug findings across packages (#9974)
• a6b0295 fix(sso): consume SAML AuthnRequest atomically (#9972)
• 87e7aa5 fix(api): validate Origin/Referer on cookieless email sign-in and sign-up (#9...
• 893cf6c fix(session): honor server-side session deletion in update-session and token ...
• 5e49c56 fix(auth): mark plugin-owned session fields as non-input (#9965)
• afcb4dd docs(two-factor): document newSession is null during 2FA challenge (#9957)
• 03e0e36 chore: release v1.6.15 (#9886)
• b0ddfd3 fix(oauth-provider): run configured hooks when authorize resumes (#9919)
• 1012b69 fix(admin): return USER_NOT_FOUND for missing users before update (#9875)
• Additional commits viewable in compare view

Updates date-fns from 4.1.0 to 4.4.0

Release notes

Sourced from date-fns's releases.

v4.4.0

This release revisits the approach to CDN usage and introduces a new package, @date-fns/cdn and deprecates the date-fns CDN scripts. It allowed reducing the zipped package size from 5.83 MB down to 3.96 MB without introducing any breaking changes.

In v5.0.0-alpha.0 where CDN scripts are completely removed from date-fns the change is more significant and brings the zipped package size down to 2.89 MB.

It is just the first step in optimizing the package size. Expect further size reduction in the future v4 and v5 versions.

Changed

• DEPRECATED: The date-fns CDN scripts are now deprecated and will be removed in the next major release. Please switch to the new @date-fns/cdn package for CDN usage.

• Removed CDN source maps to reduce the package size. If you rely on them, please switch to the new @date-fns/cdn package that still includes them.

v4.3.0

Kudos to @​ImRodry and @​puneetdixit200 for their contributions.

Fixed

• Fixed missing modularized optimization fallback (for Next.js and others). See #4193.

• Fixed pt locale first day of week to be Sunday. See #4195 by @​ImRodry.

• Fixed zh-CN, zh-HK, and zh-TW locale month parsing for October, November, and December. See #4194 by @​puneetdixit200.

v4.2.1

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Commits

• cd53d25 Promote to v4.4.0
• d948ec1 Preserve but deprecate CDN versions for v4, set up v5 with polyfills
• ee65753 Add root mise :format task
• 9f5bdf5 Add positional argument to test/smoke.sh script
• 651ead6 Split CDN bundles into separate @​date-fns/cdn package
• 224c1a2 Deprecate type tests as attw hangs on date-fns package
• 7bb2842 Switch PACKAGE_OUTPUT_PATH to --dist flag in the package build script
• b6ad5ac Add flags to control package build script
• 424a783 Fix docs release after moving to monorepo setup
• f95bcf1 (docs): Add missing tsx dependency
• Additional commits viewable in compare view

Updates lucide-react from 1.16.0 to 1.17.0

Release notes

Sourced from lucide-react's releases.

Version 1.17.0

What's Changed

• chore(lucide-vue-next|lucide-svelte|lucide-angular): Remove deprecated packages by @​ericfennis in lucide-icons/lucide#4376
• chore(repo): Update issue templates and documentation for package ren… by @​ericfennis in lucide-icons/lucide#4379
• feat(site): Adds survey overlay to website by @​ericfennis in lucide-icons/lucide#4380
• feat(site): Certificate dev links by @​ericfennis in lucide-icons/lucide#4390
• fix(icons): changed martini icon by @​jamiemlaw in lucide-icons/lucide#4335
• chore(deps): bump brace-expansion from 1.1.11 to 5.0.6 by @​dependabot[bot] in lucide-icons/lucide#4386
• chore(deps): bump @​tootallnate/once from 2.0.0 to 2.0.1 by @​dependabot[bot] in lucide-icons/lucide#4404
• chore(deps): bump devalue from 5.8.0 to 5.8.1 by @​dependabot[bot] in lucide-icons/lucide#4391
• chore(deps): bump ws from 8.18.0 to 8.20.1 by @​dependabot[bot] in lucide-icons/lucide#4392
• fix(gh-icon): limit icon size to a maximum of 256 pixels by @​jguddas in lucide-icons/lucide#4398
• chore(dependencies): Update dependencies by @​ericfennis in lucide-icons/lucide#4377
• feat(copilot): Adding copilot instructions by @​ericfennis in lucide-icons/lucide#4407
• feat(icons): add globe-check by @​Barakudum in lucide-icons/lucide#4342
• feat(metadata): Require use-cases in meta json by @​ericfennis in lucide-icons/lucide#4321
• feat(icons): added parasol icon by @​karsa-mistmere in lucide-icons/lucide#4347

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0

Commits

• See full diff in compare view

Updates motion from 12.38.0 to 12.40.0

Changelog

Sourced from motion's changelog.

[12.40.0] 2026-05-21

Added

• path option to transition.
• arc() for motion along an arc.

[12.39.0] 2026-05-18

Added

• Support for repeatType and repeatDelay in animation sequences.

Fixed

• Variants: Re-run keyframe animations when switching between variant labels even when they share identical keyframe arrays.
• Drag: Preserve in-flight motion value animations across React 19 reorder unmount/remount so dragSnapToOrigin no longer leaves the drag transform stranded after a layout swap.
• LazyMotion: Share React contexts between the framer-motion and framer-motion/m (and therefore motion/react and motion/react-m) CJS bundles so that <m.div> from the /m subpath picks up features loaded by <LazyMotion> from the main entry point.
• useScroll: Support hydrating target and container refs from anywhere in the tree.
• Drag: Gesture no longer starts from incorrect start point when rendered inside <AnimatePresence initial={false} />.
• Drag: dragConstraints, when set as viewport-relative ref, no longer break on scroll.§
• Updated visualElement hydration order.
• useAnimate: Now respects skipAnimations.
• AnimatePresence: Fix object-form initial values not applied on re-entry after exit completes.
• scroll: Fixed callback progress when tracking an element.
• useScroll: Fix hardware acceleration when tracking an element.

Commits

• 38ebb94 v12.40.0
• b1f766c Latest
• bca5544 Merge pull request #3699 from motiondivision/lochie/arcs-injectable
• f1a96cf arc(): rename amp/rotate, expose MotionPath, fix explicit cw/ccw
• b4aaba0 pathRotation: non-destructive orientToPath rotation channel
• 8604ef3 Make arcs injectable via transition.path = arc()
• f90fe29 add orientToPath
• 9ebe999 fix: test
• Description has been truncated

[github-actions]

React Doctor could not complete this scan.

react-doctor exited with status 1 before producing a JSON report.

Report this bug

_{Reviewed by React Doctor for commit 65ec610.}

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.