chore(deps): bump the server-deps group across 1 directory with 17 updates #230

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/server-deps-6a46b6f654

dependabot[bot] commented on behalf of github on Apr 28, 2026

Bumps the server-deps group with 17 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| ip-address | 10.1.0 | 10.1.1 |
| @tanstack/react-query | 5.96.2 | 5.100.6 |
| @tiptap/extension-placeholder | 3.22.2 | 3.22.5 |
| @tiptap/react | 3.22.2 | 3.22.5 |
| @tiptap/starter-kit | 3.22.2 | 3.22.5 |
| axios | 1.14.0 | 1.15.2 |
| dompurify | 3.3.3 | 3.4.1 |
| react | 19.2.4 | 19.2.5 |
| react-dom | 19.2.4 | 19.2.5 |
| react-router-dom | 7.14.0 | 7.14.2 |
| @prisma/adapter-pg | 7.7.0 | 7.8.0 |
| @prisma/client | 7.7.0 | 7.8.0 |
| dotenv | 17.4.1 | 17.4.2 |
| nodemailer | 8.0.5 | 8.0.7 |
| prisma | 7.7.0 | 7.8.0 |
| puppeteer | 24.40.0 | 24.42.0 |
| sanitize-html | 2.17.2 | 2.17.3 |

Updates ip-address from 10.1.0 to 10.1.1

Commits

Updates @tanstack/react-query from 5.96.2 to 5.100.6

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.6

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.6
    • @​tanstack/react-query@​5.100.6

@​tanstack/react-query-next-experimental@​5.100.6

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.100.6

@​tanstack/react-query-persist-client@​5.100.6

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.100.6
    • @​tanstack/react-query@​5.100.6

@​tanstack/react-query@​5.100.6

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.6

@​tanstack/react-query-devtools@​5.100.5

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.5
    • @​tanstack/react-query@​5.100.5

@​tanstack/react-query-next-experimental@​5.100.5

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.100.5

@​tanstack/react-query-persist-client@​5.100.5

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.100.5
    • @​tanstack/react-query@​5.100.5

@​tanstack/react-query@​5.100.5

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.6

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.6

5.100.5

Patch Changes

  • Updated dependencies [a53ef97]:
    • @​tanstack/query-core@​5.100.5

5.100.4

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.4

5.100.3

Patch Changes

  • fix(suspense): skip calling combine when queries would suspend (#10576)

  • Updated dependencies [f85d825]:

    • @​tanstack/query-core@​5.100.3

5.100.2

Patch Changes

5.100.1

Patch Changes

  • Updated dependencies [1bb0d23]:
    • @​tanstack/query-core@​5.100.1

5.100.0

Patch Changes

  • Updated dependencies [6540a41]:
    • @​tanstack/query-core@​5.100.0

... (truncated)

Commits

Updates @tiptap/extension-placeholder from 3.22.2 to 3.22.5

Release notes

Sourced from @​tiptap/extension-placeholder's releases.

v3.22.5

@​tiptap/react

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/vue-2

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/vue-3

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/core

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • @​tiptap/pm@​3.22.5

@​tiptap/extension-table-of-contents

Patch Changes

  • 13b5894: Fix duplicate onUpdate invocation per document change in the TableOfContents extension.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/static-renderer

Patch Changes

  • 13b5894: Escape HTML string renderer text content and attribute values to prevent injected markup from untrusted content.
  • Updated dependencies [13b5894]

... (truncated)

Changelog

Sourced from @​tiptap/extension-placeholder's changelog.

3.22.5

Patch Changes

  • @​tiptap/extensions@​3.22.5

3.22.4

Patch Changes

  • 27ea931: Fix dependencies installation after packages updates producing peer dependency resolution conflicts
  • Updated dependencies [27ea931]
    • @​tiptap/extensions@​3.22.4

3.22.3

Patch Changes

  • @​tiptap/extensions@​3.22.3
Commits
  • 898a8ed chore(release): publish a new stable version (#7756)
  • dec9735 chore(release): publish a new stable version (#7727)
  • 27ea931 fix: restrict peer dependency ranges to avoid npm resolution conflicts (#7593)
  • 626b052 chore(release): publish a new stable version (#7714)
  • See full diff in compare view

Updates @tiptap/react from 3.22.2 to 3.22.5

Release notes

Sourced from @​tiptap/react's releases.

v3.22.5

@​tiptap/react

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/vue-2

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/vue-3

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/core

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • @​tiptap/pm@​3.22.5

@​tiptap/extension-table-of-contents

Patch Changes

  • 13b5894: Fix duplicate onUpdate invocation per document change in the TableOfContents extension.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/static-renderer

Patch Changes

  • 13b5894: Escape HTML string renderer text content and attribute values to prevent injected markup from untrusted content.
  • Updated dependencies [13b5894]

... (truncated)

Changelog

Sourced from @​tiptap/react's changelog.

3.22.5

Patch Changes

  • a375002: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • Updated dependencies [a375002]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

3.22.4

Patch Changes

  • 27ea931: Fix dependencies installation after packages updates producing peer dependency resolution conflicts
  • Updated dependencies [27ea931]
  • Updated dependencies [64f36b8]
  • Updated dependencies [032f8f1]
    • @​tiptap/core@​3.22.4
    • @​tiptap/pm@​3.22.4

3.22.3

Patch Changes

  • Updated dependencies [cb28e7b]
    • @​tiptap/core@​3.22.3
    • @​tiptap/pm@​3.22.3
Commits
  • 898a8ed chore(release): publish a new stable version (#7756)
  • 45d4592 Merge branch 'main' into fix/node-view-selected-prop
  • eb288d6 feat(core): add selectedOnTextSelection option to node views
  • dec9735 chore(release): publish a new stable version (#7727)
  • 27ea931 fix: restrict peer dependency ranges to avoid npm resolution conflicts (#7593)
  • 626b052 chore(release): publish a new stable version (#7714)
  • See full diff in compare view

Updates @tiptap/starter-kit from 3.22.2 to 3.22.5

Release notes

Sourced from @​tiptap/starter-kit's releases.

v3.22.5

@​tiptap/react

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/vue-2

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/vue-3

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/core

Patch Changes

  • 13b5894: Add selectedOnTextSelection option to node view renderers. When enabled, the selected prop also becomes true when a TextSelection is fully inside the node's range, not only on NodeSelection.
  • @​tiptap/pm@​3.22.5

@​tiptap/extension-table-of-contents

Patch Changes

  • 13b5894: Fix duplicate onUpdate invocation per document change in the TableOfContents extension.
  • Updated dependencies [13b5894]
    • @​tiptap/core@​3.22.5
    • @​tiptap/pm@​3.22.5

@​tiptap/static-renderer

Patch Changes

  • 13b5894: Escape HTML string renderer text content and attribute values to prevent injected markup from untrusted content.
  • Updated dependencies [13b5894]

... (truncated)

Changelog

Sourced from @​tiptap/starter-kit's changelog.

3.22.5

Patch Changes

  • Updated dependencies [a375002]
    • @​tiptap/core@​3.22.5
    • @​tiptap/extension-blockquote@​3.22.5
    • @​tiptap/extension-bold@​3.22.5
    • @​tiptap/extension-code@​3.22.5
    • @​tiptap/extension-code-block@​3.22.5
    • @​tiptap/extension-document@​3.22.5
    • @​tiptap/extension-hard-break@​3.22.5
    • @​tiptap/extension-heading@​3.22.5
    • @​tiptap/extension-horizontal-rule@​3.22.5
    • @​tiptap/extension-italic@​3.22.5
    • @​tiptap/extension-link@​3.22.5
    • @​tiptap/extension-list@​3.22.5
    • @​tiptap/extension-paragraph@​3.22.5
    • @​tiptap/extension-strike@​3.22.5
    • @​tiptap/extension-text@​3.22.5
    • @​tiptap/extension-underline@​3.22.5
    • @​tiptap/extensions@​3.22.5
    • @​tiptap/extension-list-item@​3.22.5
    • @​tiptap/extension-list-keymap@​3.22.5
    • @​tiptap/extension-bullet-list@​3.22.5
    • @​tiptap/extension-ordered-list@​3.22.5
    • @​tiptap/extension-dropcursor@​3.22.5
    • @​tiptap/extension-gapcursor@​3.22.5
    • @​tiptap/pm@​3.22.5

3.22.4

Patch Changes

  • 27ea931: Fix dependencies installation after packages updates producing peer dependency resolution conflicts
  • Updated dependencies [27ea931]
  • Updated dependencies [64f36b8]
  • Updated dependencies [5ca9902]
  • Updated dependencies [032f8f1]
    • @​tiptap/core@​3.22.4
    • @​tiptap/extension-blockquote@​3.22.4
    • @​tiptap/extension-bold@​3.22.4
    • @​tiptap/extension-bullet-list@​3.22.4
    • @​tiptap/extension-code@​3.22.4
    • @​tiptap/extension-code-block@​3.22.4
    • @​tiptap/extension-document@​3.22.4
    • @​tiptap/extension-hard-break@​3.22.4
    • @​tiptap/extension-heading@​3.22.4
    • @​tiptap/extension-horizontal-rule@​3.22.4
    • @​tiptap/extension-italic@​3.22.4

... (truncated)

Commits

Updates axios from 1.14.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

  • Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

  • Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

  • Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
  • CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
  • Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
  • withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
  • maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
  • Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
  • Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

  • AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
  • Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

  • FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
  • HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
  • Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
  • Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
  • buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
  • AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
  • Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

  • Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

  • Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog


v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

  • Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

  • CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

  • Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

  • withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

  • maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

  • Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

  • Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

  • AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

Updates dompurify from 3.3.3 to 3.4.1

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.1

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

DOMPurify 3.4.0

Most relevant changes:

  • Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
  • Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
  • Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
  • Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
  • Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
  • Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
  • Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
  • Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
  • Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
  • Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
  • Fixed a problem with the type definition patcher after Node version bump
  • Fixed freezing BS runs by reducing the tested browsers array
  • Bumped several dependencies where possible
  • Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

Commits
  • 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
  • 09f5911 test: added three more browsers to test setup (OSX, mobile)
  • 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
  • See full diff in compare view
Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

Commits

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

Commits

Updates react-router-dom from 7.14.0 to 7.14.2

Changelog

Sourced from react-router-dom's changelog.

v7.14.2

Patch Changes

v7.14.1

Patch Changes

Commits

Updates @prisma/adapter-pg from 7.7.0 to 7.8.0

Release notes

Sourced from @​prisma/adapter-pg's releases.

7.8.0

Today, we are excited to share the 7.8.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

Features

Prisma Client

  • Added a queryPlanCacheMaxSize option to the PrismaClient constructor for fine-grained control over the query plan cache. Pass 0 to disable the cache entirely, or omit it to use the default cache size. A larger value can improve performance in applications that execute many unique queries, while a smaller one can reduce memory usage. (#29503)

Bug Fixes

Prisma Client

  • Fixed an equality filter panic and incorrect ::jsonb cast when filtering on PostgreSQL JSON list columns. Queries using where: { jsonListField: { equals: [...] } } (prisma/prisma-engines#5804)
  • Fixed case-insensitive JSON field filtering (mode: insensitive), allowing where: { jsonField: { equals: "...", mode: "insensitive" } } (prisma/prisma-engines#5806)
  • Fixed incorrect parameterization of enum values that have a custom database name set via @map. (#29422)
  • Fixed a database parameter limit check (P2029), which could incorrectly reject or miss over-limit queries. (#29422)
  • Fixed a regression that caused missing SQL Server VARCHAR (prisma/prisma-engines#5801)

Schema Engine

  • Fixed a misleading error message in prisma migrate diff that referenced the --shadow-database-url CLI flag, which was removed in Prisma 7. (#29455)
  • Fixed prisma migrate dev (and shadow database migration replay in general) failing with CREATE INDEX CONCURRENTLY cannot run inside a transaction block (prisma/prisma-engines#5799)
  • Fixed PostgreSQL introspection silently dropping sequence defaults when the database returns the schema-qualified form pg_catalog.nextval('sequence_name'::regclass) instead of the bare nextval(...). Columns backed by sequences now correctly appear as @default(autoincrement()) (prisma/prisma-engines#5802)

Driver Adapters

  • @​prisma/adapter-d1: Savepoint operations (createSavepoint, rollbackToSavepoint, releaseSavepoint) now silently no-op with debug logging instead of executing SQL statements, consistent with how the D1 adapter already treats top-level transactions. (#29499)

Open roles at Prisma

Interested in joining Prisma? We're growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that's right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

Commits

Updates @prisma/client from 7.7.0 to 7.8.0

Release notes

Sourced from @​prisma/client's releases.

7.8.0

Today, we are excited to share the 7.8.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

Features

Prisma Client

  • Added a queryPlanCacheMaxSize option to the PrismaClient constructor for fine-grained control over the query plan cache. Pass 0 to disable the cache entirely, or omit it to use the default cache size. A larger value can improve performance in applications that execute many unique queries, while a smaller one can reduce memory usage. (#29503)

Bug Fixes

Prisma Client

  • Fixed an equality filter panic and incorrect ::jsonb cast when filtering on PostgreSQL JSON list columns. Queries using where: { jsonListField: { equals: [...] } } (prisma/prisma-engines#5804)
  • Fixed case-insensitive JSON field filtering (mode: insensitive), allowing where: { jsonField: { equals: "...", mode: "insensitive" } } (prisma/prisma-engines#5806)
  • Fixed incorrect parameterization of enum values that have a custom database name set via @map. (#29422)
  • Fixed a database parameter limit check (P2029), which could incorrectly reject or miss over-limit queries. (#29422)
  • Fixed a regression that caused missing SQL Server VARCHAR (prisma/prisma-engines#5801)

Schema Engine

  • Fixed a misleading error message in prisma migrate diff that referenced the --shadow-database-url CLI flag, which was removed in Prisma 7. (#29455)
  • Fixed prisma migrate dev (and shadow database migration replay in general) failing with CREATE INDEX CONCURRENTLY cannot run inside a transaction block (prisma/prisma-engines#5799)
  • Fixed PostgreSQL introspection silently dropping sequence defaults when the database returns the schema-qualified form pg_catalog.nextval('sequence_name'::regclass) instead of the bare nextval(...). Columns backed by sequences now correctly appear as @default(autoincrement()) (prisma/prisma-engines#5802)

Driver Adapters

  • @​prisma/adapter-d1: Savepoint operations (createSavepoint, rollbackToSavepoint, releaseSavepoint) now silently no-op with debug logging instead of executing SQL statements, consistent with how the D1 adapter already treats top-level transactions. (#29499)

Open roles at Prisma

Interested in joining Prisma? We're growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that's right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

Commits
  • 62b44ac chore(deps): update engines to 7.8.0-5.e96eae70cf4ade6a15d7e6064d5b0b4f7d835d...
  • 4104864 feat: add a query plan cache si...

    Description has been truncated
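
The axios 1.15.1 and 1.15.2 security notes quoted in the description above mention replacing `in` checks with own-property reads, null-prototype config objects, and a `socketPath` allowlist. The sketch below is an added example, not axios's code and not part of the Dependabot comment; it shows why those changes matter when reviewing this bump. `resolveUnsafe`, `resolveHardened`, `assertSocketPathAllowed` and the exact-match allowlist semantics are assumptions, and every value is constructed.

```javascript
// Keys the axios notes list as reachable through a polluted prototype.
const SENSITIVE_KEYS = ['auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// "Before" pattern: `in` and plain property reads walk the prototype chain,
// so a value planted on Object.prototype looks like a caller-supplied option.
function resolveUnsafe(userConfig) {
  const resolved = {};
  for (const key of SENSITIVE_KEYS) {
    if (key in userConfig) resolved[key] = userConfig[key];
  }
  return resolved;
}

// Hardened pattern: copy own properties only, into a null-prototype object,
// so later reads of a missing key cannot fall through to Object.prototype.
function resolveHardened(userConfig) {
  const resolved = Object.create(null);
  for (const key of SENSITIVE_KEYS) {
    if (hasOwn(userConfig, key)) resolved[key] = userConfig[key];
  }
  return resolved;
}

function badOption(message) {
  const err = new Error(message);
  err.code = 'ERR_BAD_OPTION_VALUE'; // error code named in the release notes
  return err;
}

// Hypothetical stand-in for an opt-in allowlist: unset means no restriction
// (backwards compatible); set means the socket path must match an entry exactly.
function assertSocketPathAllowed(resolved, allowedSocketPaths) {
  if (!hasOwn(resolved, 'socketPath')) return null; // request does not use a socket
  const socketPath = resolved.socketPath;
  if (typeof socketPath !== 'string') {
    throw badOption('socketPath must be a string');
  }
  if (Array.isArray(allowedSocketPaths) && !allowedSocketPaths.includes(socketPath)) {
    throw badOption('socketPath is not in allowedSocketPaths');
  }
  return socketPath;
}

// Regression-test style fixture: temporarily plant constructed values on
// Object.prototype, resolve a config that sets none of the sensitive keys,
// then always restore the prototype.
function demo() {
  const callerConfig = { url: '/status' };
  Object.prototype.socketPath = '/constructed/planted.sock';
  Object.prototype.auth = { username: 'constructed', password: 'constructed' };
  try {
    const unsafe = resolveUnsafe(callerConfig);
    const hardened = resolveHardened(callerConfig);
    return {
      unsafeKeys: Object.keys(unsafe).sort(),       // inherited keys leak in
      hardenedKeys: Object.keys(hardened),          // nothing leaks in
      plainObjectRead: ({}).socketPath,             // ordinary objects inherit the planted value
      nullProtoRead: hardened.socketPath,           // null-prototype object does not
      socketUsedByHardened: assertSocketPathAllowed(hardened, ['/run/app.sock']),
    };
  } finally {
    delete Object.prototype.socketPath;
    delete Object.prototype.auth;
  }
}
```

A regression test of this shape in the consuming application is a quick way to confirm the upgraded dependency behaves as the release notes state.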

…dates

Bumps the server-deps group with 17 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.1.1` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.96.2` | `5.100.6` |
| [@tiptap/extension-placeholder](https://github.com/ueberdosis/tiptap/tree/HEAD/packages-deprecated/extension-placeholder) | `3.22.2` | `3.22.5` |
| [@tiptap/react](https://github.com/ueberdosis/tiptap/tree/HEAD/packages/react) | `3.22.2` | `3.22.5` |
| [@tiptap/starter-kit](https://github.com/ueberdosis/tiptap/tree/HEAD/packages/starter-kit) | `3.22.2` | `3.22.5` |
| [axios](https://github.com/axios/axios) | `1.14.0` | `1.15.2` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.1` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.4` | `19.2.5` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.4` | `19.2.5` |
| [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `7.14.0` | `7.14.2` |
| [@prisma/adapter-pg](https://github.com/prisma/prisma/tree/HEAD/packages/adapter-pg) | `7.7.0` | `7.8.0` |
| [@prisma/client](https://github.com/prisma/prisma/tree/HEAD/packages/client) | `7.7.0` | `7.8.0` |
| [dotenv](https://github.com/motdotla/dotenv) | `17.4.1` | `17.4.2` |
| [nodemailer](https://github.com/nodemailer/nodemailer) | `8.0.5` | `8.0.7` |
| [prisma](https://github.com/prisma/prisma/tree/HEAD/packages/cli) | `7.7.0` | `7.8.0` |
| [puppeteer](https://github.com/puppeteer/puppeteer) | `24.40.0` | `24.42.0` |
| [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) | `2.17.2` | `2.17.3` |



Updates `ip-address` from 10.1.0 to 10.1.1
- [Commits](https://github.com/beaugunderson/ip-address/commits)

Updates `@tanstack/react-query` from 5.96.2 to 5.100.6
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.6/packages/react-query)

Updates `@tiptap/extension-placeholder` from 3.22.2 to 3.22.5
- [Release notes](https://github.com/ueberdosis/tiptap/releases)
- [Changelog](https://github.com/ueberdosis/tiptap/blob/main/packages-deprecated/extension-placeholder/CHANGELOG.md)
- [Commits](https://github.com/ueberdosis/tiptap/commits/v3.22.5/packages-deprecated/extension-placeholder)

Updates `@tiptap/react` from 3.22.2 to 3.22.5
- [Release notes](https://github.com/ueberdosis/tiptap/releases)
- [Changelog](https://github.com/ueberdosis/tiptap/blob/main/packages/react/CHANGELOG.md)
- [Commits](https://github.com/ueberdosis/tiptap/commits/v3.22.5/packages/react)

Updates `@tiptap/starter-kit` from 3.22.2 to 3.22.5
- [Release notes](https://github.com/ueberdosis/tiptap/releases)
- [Changelog](https://github.com/ueberdosis/tiptap/blob/main/packages/starter-kit/CHANGELOG.md)
- [Commits](https://github.com/ueberdosis/tiptap/commits/v3.22.5/packages/starter-kit)

Updates `axios` from 1.14.0 to 1.15.2
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.14.0...v1.15.2)

Updates `dompurify` from 3.3.3 to 3.4.1
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.1)

Updates `react` from 19.2.4 to 19.2.5
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react)

Updates `react-dom` from 19.2.4 to 19.2.5
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react-dom)

Updates `react-router-dom` from 7.14.0 to 7.14.2
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.14.2/packages/react-router-dom)

Updates `@prisma/adapter-pg` from 7.7.0 to 7.8.0
- [Release notes](https://github.com/prisma/prisma/releases)
- [Commits](https://github.com/prisma/prisma/commits/7.8.0/packages/adapter-pg)

Updates `@prisma/client` from 7.7.0 to 7.8.0
- [Release notes](https://github.com/prisma/prisma/releases)
- [Commits](https://github.com/prisma/prisma/commits/7.8.0/packages/client)

Updates `dotenv` from 17.4.1 to 17.4.2
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v17.4.1...v17.4.2)

Updates `nodemailer` from 8.0.5 to 8.0.7
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v8.0.5...v8.0.7)

Updates `prisma` from 7.7.0 to 7.8.0
- [Release notes](https://github.com/prisma/prisma/releases)
- [Commits](https://github.com/prisma/prisma/commits/7.8.0/packages/cli)

Updates `puppeteer` from 24.40.0 to 24.42.0
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/CHANGELOG.md)
- [Commits](puppeteer/puppeteer@puppeteer-v24.40.0...puppeteer-v24.42.0)

Updates `sanitize-html` from 2.17.2 to 2.17.3
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/sanitize-html@2.17.3/packages/sanitize-html)

---
updated-dependencies:
- dependency-name: ip-address
  dependency-version: 10.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.100.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: "@tiptap/extension-placeholder"
  dependency-version: 3.22.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: "@tiptap/react"
  dependency-version: 3.22.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: "@tiptap/starter-kit"
  dependency-version: 3.22.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: dompurify
  dependency-version: 3.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: react
  dependency-version: 19.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: react-dom
  dependency-version: 19.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: react-router-dom
  dependency-version: 7.14.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: "@prisma/adapter-pg"
  dependency-version: 7.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: "@prisma/client"
  dependency-version: 7.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: dotenv
  dependency-version: 17.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: nodemailer
  dependency-version: 8.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: prisma
  dependency-version: 7.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: puppeteer
  dependency-version: 24.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: sanitize-html
  dependency-version: 2.17.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 28, 2026