Skip to content

chore(deps): bump the npm-dependencies group across 1 directory with 22 updates#70

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-dependencies-5a742c8b2d
Open

chore(deps): bump the npm-dependencies group across 1 directory with 22 updates#70
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-dependencies-5a742c8b2d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Copy link
Copy Markdown

Bumps the npm-dependencies group with 21 updates in the / directory:

Package From To
@ai-sdk/anthropic 3.0.63 3.0.84
@auth0/ai-vercel 5.1.0 5.1.1
@auth0/nextjs-auth0 4.16.0 4.22.0
@base-ui/react 1.3.0 1.5.0
@google/genai 1.46.0 2.8.0
ai 6.0.146 6.0.205
lucide-react 0.577.0 1.18.0
next 16.2.1 16.2.9
react 19.2.4 19.2.7
@types/react 19.2.14 19.2.17
react-dom 19.2.4 19.2.7
tailwind-merge 3.5.0 3.6.0
zod 4.3.6 4.4.3
@tailwindcss/postcss 4.2.2 4.3.1
@types/node 20.19.37 25.9.3
eslint 9.39.4 10.5.0
eslint-config-next 16.2.1 16.2.9
lint-staged 16.4.0 17.0.7
shadcn 4.1.0 4.11.0
typescript 5.9.3 6.0.3
vitest 4.1.2 4.1.8

Updates @ai-sdk/anthropic from 3.0.63 to 3.0.84

Release notes

Sourced from @​ai-sdk/anthropic's releases.

@​ai-sdk/google@​3.0.82

Patch Changes

  • 3258f22: fix(google): prevent prototype pollution when streaming tool args

  • bfa5864: fix: only send provider credentials to same-origin response-supplied URLs

    Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

    A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @​ai-sdk/provider-utils@​4.0.29

@​ai-sdk/openai@​3.0.71

Patch Changes

  • Updated dependencies [bfa5864]
  • Updated dependencies [f42aa79]
    • @​ai-sdk/provider-utils@​4.0.29
Changelog

Sourced from @​ai-sdk/anthropic's changelog.

3.0.84

Patch Changes

  • Updated dependencies [bfa5864]
  • Updated dependencies [f42aa79]
    • @​ai-sdk/provider-utils@​4.0.29

3.0.83

Patch Changes

  • Updated dependencies [942f2f8]
    • @​ai-sdk/provider-utils@​4.0.28

3.0.82

Patch Changes

  • 2a91a17: feat(provider/anthropic): add support for claude-fable-5 and the fallbacks API parameter

3.0.81

Patch Changes

  • 4084fcd: feat(provider/anthropic): add support for claude-opus-4-8

3.0.80

Patch Changes

  • 263d3e6: fix(provider/anthropic): fix remaining errors with Anthropic code_execution tool dynamic calls from latest web_fetch or web_search

3.0.79

Patch Changes

  • d61a788: Handle errors from anthropic websearch tool

3.0.78

Patch Changes

  • 6e28d25: fix(anthropic): propagate toModelOutput providerOption to anthropic tool results

3.0.77

Patch Changes

  • d53314d: feat(anthropic): add the new advisor tool

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/anthropic since your current version.


Updates @auth0/ai-vercel from 5.1.0 to 5.1.1

Commits
  • 2adab18 fix: add repository url to package.json for npm provenance validation (#354)
  • 2dda59e fix: bump @​openfga/sdk to ^0.9.5 and remove axios override (#353)
  • cfd1acc chore: migrate to npm trusted publishing (#352)
  • a89ed42 fix: bump axios via npm overrides (#350)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​auth0/ai-vercel since your current version.


Updates @auth0/nextjs-auth0 from 4.16.0 to 4.22.0

Release notes

Sourced from @​auth0/nextjs-auth0's releases.

v4.22.0

Added

Fixed

  • fix: allow path-based domain URLs for Okta custom authorization servers #2666 (sleitor)

v4.21.0

Added

  • feat: allow-list auth0-client header for forwarding #2668 (tusharpandey13)
  • feat(passwordless): passwordless example #2634 (Piyush-85)
  • feat(passwordless): add client-side passwordless module #2633 (Piyush-85)
  • feat(passwordless): Add Next.js route handlers for passwordless flows #2608 (Piyush-85)
  • feat(passwordless): add passwordlessStart and passwordlessVerify to AuthClient #2607 (Piyush-85)
  • feat(passwordless): add error classes and types for passwordless authentication #2606 (Piyush-85)
  • feat(passwordless): add connection, screen_hint, login_hint to AuthorizationParameters #2605 (Piyush-85)

Fixed

  • fix(cookies): include Secure/SameSite/HttpOnly on deletion Set-Cookie… #2651 (Piyush-85)

v4.20.0

Added

  • feat: support customizing profile and accessToken routes #2451 (eliw00d)

Fixed

  • fix: stale session reuse on proxy DPoP nonce retry #2582 (nandan-bhat)
  • fix: move NextResponse-dependent buildEnrollOptions to server-only module #2643 (sleitor)
  • fix: delete v3 appSession cookie on logout #2552 (gmurphey)
  • fix: respect allowInsecureRequests option in AuthClientProvider domain validation #2630 (sleitor)

v4.19.0

v4.19.0 (2026-04-22)

Added

  • feat: add mfa.stepUpWithPopup() for reactive MFA step-up via Universal Login #2524 (tusharpandey13)

Fixed

v4.18.0

Added

... (truncated)

Changelog

Sourced from @​auth0/nextjs-auth0's changelog.

v4.22.0 (2026-06-01)

Full Changelog

Added

Fixed

  • fix: allow path-based domain URLs for Okta custom authorization servers #2666 (sleitor)

v4.21.0 (2026-05-22)

Full Changelog

Added

Fixed

  • fix(cookies): include Secure/SameSite/HttpOnly on deletion Set-Cookie… #2651 (Piyush-85)

v4.20.0 (2026-05-05)

Full Changelog

Added

  • feat: support customizing profile and accessToken routes #2451 (eliw00d)

Fixed

  • fix: stale session reuse on proxy DPoP nonce retry #2582 (nandan-bhat)
  • fix: move NextResponse-dependent buildEnrollOptions to server-only module #2643 (sleitor)
  • fix: delete v3 appSession cookie on logout #2552 (gmurphey)
  • fix: respect allowInsecureRequests option in AuthClientProvider domain validation #2630 (sleitor)

v4.19.0 (2026-04-22)

Full Changelog

Added

  • feat: add mfa.stepUpWithPopup() for reactive MFA step-up via Universal Login #2524 (tusharpandey13)

Fixed

v4.18.0 (2026-04-17)

Full Changelog

Added

Fixed

... (truncated)

Commits
  • a3feef0 Release v4.22.0 (#2685)
  • 258e20b release v4.22.0
  • 1fba293 chore(deps): bump postcss from 8.4.31 to 8.5.15 in /examples/with-passkeys (#...
  • 46b91c3 Merge branch 'main' into dependabot/npm_and_yarn/examples/with-passkeys/postc...
  • 8e02de8 chore(deps): bump @​tootallnate/once from 2.0.0 to 2.0.1 in /examples/with-dpo...
  • 1b04c5e Merge branch 'main' into dependabot/npm_and_yarn/examples/with-dpop/tootallna...
  • 225de40 chore(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1 (#2671)
  • 1c50f98 Merge branch 'main' into dependabot/github_actions/codecov/codecov-action-6.0.1
  • 2c5041b docs: show returnTo pattern in middleware and clarify automatic behav… (#2679)
  • 3bb69e8 Merge branch 'main' into dependabot/npm_and_yarn/examples/with-passkeys/postc...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​auth0/nextjs-auth0 since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates @base-ui/react from 1.3.0 to 1.5.0

Release notes

Sourced from @​base-ui/react's releases.

v1.5.0

General changes

  • Improve mount performance with interaction splitting, including closed popup mount performance by up to 50% and unmounting performance by up to 85% (#4661) by @​atomiks
  • Use local document for virtual arrow (#4662) by @​lyzno1
  • Fix macOS Safari and Firefox minimizing fullscreen when closing popups with Esc (#4695) by @​arturbien
  • Drop unnecessary memoization (#4693) by @​flaviendelangle
  • Do not use Math.random() in useStableCallback() (#4732) by @​michaldudak
  • Fix return focus when reference disconnects (#4655) by @​atomiks
  • Don't steal initial focus if focus already moved inside a popup (#4775) by @​stefee

Alert Dialog

Autocomplete

Checkbox

Combobox

Dialog

Drawer

Field

Form

Menu

... (truncated)

Changelog

Sourced from @​base-ui/react's changelog.

v1.5.0

May 19, 2026

General changes

  • Improve mount performance with interaction splitting, including closed popup mount performance by up to 50% and unmounting performance by up to 85% (#4661) by @​atomiks
  • Use local document for virtual arrow (#4662) by @​lyzno1
  • Fix macOS Safari and Firefox minimizing fullscreen when closing popups with Esc (#4695) by @​arturbien
  • Drop unnecessary memoization (#4693) by @​flaviendelangle
  • Do not use Math.random() in useStableCallback() (#4732) by @​michaldudak
  • Fix return focus when reference disconnects (#4655) by @​atomiks
  • Don't steal initial focus if focus already moved inside a popup (#4775) by @​stefee

Alert Dialog

Autocomplete

Checkbox

Combobox

Dialog

Drawer

Field

Form

... (truncated)

Commits

Updates @google/genai from 1.46.0 to 2.8.0

Release notes

Sourced from @​google/genai's releases.

v2.8.0

2.8.0 (2026-06-03)

Features

  • Add Agent Platform MCP support to async generate_content (baeaeaa)
  • Add transcription language code. (d2981d6)
  • Add TranslationConfig for live translation. (8c44240)
  • Support ReinforcementTuning in GenAI SDK including ValidateReward API method. (36f0bfb)

v2.7.0

2.7.0 (2026-05-27)

Features

  • Add Skill Registry ListSkills and DeleteSkill to SDK (d75582a)
  • additional computer_use field support for vertex. (54a692b)
  • interaction-api: Allow "text/csv" as a supported document mime type for Interaction API. (3cc830e)
  • interaction-api: Enable BigQuery tool in Deep Research config. (58c8c7e)
  • Support Reinforcement Tuning in GenAI SDK (418cc35)

v2.6.0

2.6.0 (2026-05-21)

Features

  • add enable_prompt_injection_detection for Computer Use feature for the Gemini API. (f780f3c)
  • Add budget_exceeded status (1e97bd0)
  • Add gemini-3.5-flash (1e97bd0)
  • add new fields (b78eeee)

v2.5.0

2.5.0 (2026-05-20)

Features

  • Add Gemini 3.5 Flash model to options (fcf26e3)

v2.4.0

2.4.0 (2026-05-17)

Features

  • support Agent and Environment APIs. (b0d9d2b)

... (truncated)

Changelog

Sourced from @​google/genai's changelog.

2.8.0 (2026-06-03)

Features

  • Add Agent Platform MCP support to async generate_content (baeaeaa)
  • Add transcription language code. (d2981d6)
  • Add TranslationConfig for live translation. (8c44240)
  • Support ReinforcementTuning in GenAI SDK including ValidateReward API method. (36f0bfb)

2.7.0 (2026-05-27)

Features

  • Add Skill Registry ListSkills and DeleteSkill to SDK (d75582a)
  • additional computer_use field support for vertex. (54a692b)
  • interaction-api: Allow "text/csv" as a supported document mime type for Interaction API. (3cc830e)
  • interaction-api: Enable BigQuery tool in Deep Research config. (58c8c7e)
  • Support Reinforcement Tuning in GenAI SDK (418cc35)

2.6.0 (2026-05-21)

Features

  • add enable_prompt_injection_detection for Computer Use feature for the Gemini API. (f780f3c)
  • Add budget_exceeded status (1e97bd0)
  • Add gemini-3.5-flash (1e97bd0)
  • add new fields (b78eeee)

2.5.0 (2026-05-20)

Features

  • Add Gemini 3.5 Flash model to options (fcf26e3)

2.4.0 (2026-05-17)

Features

  • support Agent and Environment APIs. (b0d9d2b)

Bug Fixes

  • output_text for turns that don't end with text. (1a3d94f)

... (truncated)

Commits
  • ea0dd60 chore(main): release 2.8.0 (#1646)
  • 36f0bfb feat: Support ReinforcementTuning in GenAI SDK including ValidateReward API m...
  • d2981d6 feat: Add transcription language code.
  • 98ac90d chore: deprecate Google Maps grounding widget API fields
  • 8c44240 feat: Add TranslationConfig for live translation.
  • baeaeaa feat: Add Agent Platform MCP support to async generate_content
  • c1d3cb7 chore: Internal cleanup
  • bd78ed3 chore: Fix relative import path in pagers.ts.
  • 2821346 chore(main): release 2.7.0 (#1630)
  • 54a692b feat: additional computer_use field support for vertex.
  • Additional commits viewable in compare view
Install script changes

This version adds preinstall script that runs during installation. Review the package contents before updating.


Updates ai from 6.0.146 to 6.0.205

Release notes

Sourced from ai's releases.

ai@6.0.205

Patch Changes

  • Updated dependencies [6160ced]
  • Updated dependencies [c9b8abd]
    • @​ai-sdk/gateway@​3.0.131

ai@6.0.204

Patch Changes

  • Updated dependencies [c5d4716]
    • @​ai-sdk/gateway@​3.0.130

ai@6.0.203

Patch Changes

  • f42aa79: fix: harden download URL SSRF guard against hostname and redirect bypasses

    validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:

    • A fully-qualified hostname with a trailing dot (e.g. localhost., myhost.local.) skipped the localhost/.local blocklist.
    • IPv6 addresses that embed an IPv4 address in their last 32 bits — IPv4-compatible (::127.0.0.1), IPv4-translated (::ffff:0:127.0.0.1), and NAT64 (64:ff9b::127.0.0.1, including the 64:ff9b:1::/48 local-use prefix) — were not decoded and checked against the private IPv4 ranges.
    • Redirects were validated only after fetch had already followed them, so the request to a redirect target (e.g. an internal/metadata address) had already been issued before the check ran.
    • Several reserved/internal address ranges were not blocked: CGNAT (100.64.0.0/10, used by some cloud providers for internal traffic), benchmarking (198.18.0.0/15), IETF protocol assignments (192.0.0.0/24), the reserved 240.0.0.0/4 block (including the 255.255.255.255 broadcast address), and IPv6 site-local (fec0::/10) and multicast (ff00::/8).

    The validator now strips trailing dots before the hostname checks and fully expands IPv6 addresses to detect embedded private IPv4 targets. The download helpers now follow redirects manually (redirect: 'manual'), re-validating each hop before requesting it, so an unsafe redirect target is never fetched. When a redirect cannot be inspected because the runtime returns an opaque response, the helpers fail closed (reject the redirect) on the server; only in a real browser — where SSRF is not reachable (fetch is constrained by CORS and cannot reach a server's internal network or cloud-metadata endpoints) — is the redirect followed natively so legitimate redirected downloads keep working.

  • 5291f7e: Harden stream text processing and middleware against prototype pollution from stream part IDs.

  • b4b575a: fix: redact server error details from UI message streams by default

    streamText(...).toUIMessageStream() and createUIMessageStream defaulted their onError callback to getErrorMessage, which serializes the raw error (error.toString() / JSON.stringify(error)) into the client-facing { type: 'error', errorText } chunk — and also into tool-output-error parts. The documented default was () => 'An error occurred.', so applications relying on the documented behavior were unknowingly streaming server exception details (internal hostnames, paths, provider request data, validation inputs) to end users.

    The default onError now returns the documented generic 'An error occurred.'. Raw error details are only emitted when the developer explicitly supplies an onError handler. This also redacts tool-output-error and invalid-tool-input error text by default; pass an onError to surface richer messages.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @​ai-sdk/provider-utils@​4.0.29
    • @​ai-sdk/gateway@​3.0.129
Changelog

Sourced from ai's changelog.

6.0.205

Patch Changes

  • Updated dependencies [6160ced]
  • Updated dependencies [c9b8abd]
    • @​ai-sdk/gateway@​3.0.131

6.0.204

Patch Changes

  • Updated dependencies [c5d4716]
    • @​ai-sdk/gateway@​3.0.130

6.0.203

Patch Changes

  • f42aa79: fix: harden download URL SSRF guard against hostname and redirect bypasses

    validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:

    • A fully-qualified hostname with a trailing dot (e.g. localhost., myhost.local.) skipped the localhost/.local blocklist.
    • IPv6 addresses that embed an IPv4 address in their last 32 bits — IPv4-compatible (::127.0.0.1), IPv4-translated (::ffff:0:127.0.0.1), and NAT64 (64:ff9b::127.0.0.1, including the 64:ff9b:1::/48 local-use prefix) — were not decoded and checked against the private IPv4 ranges.
    • Redirects were validated only after fetch had already followed them, so the request to a redirect target (e.g. an internal/metadata address) had already been issued before the check ran.
    • Several reserved/internal address ranges were not blocked: CGNAT (100.64.0.0/10, used by some cloud providers for internal traffic), benchmarking (198.18.0.0/15), IETF protocol assignments (192.0.0.0/24), the reserved 240.0.0.0/4 block (including the 255.255.255.255 broadcast address), and IPv6 site-local (fec0::/10) and multicast (ff00::/8).

    The validator now strips trailing dots before the hostname checks and fully expands IPv6 addresses to detect embedded private IPv4 targets. The download helpers now follow redirects manually (redirect: 'manual'), re-validating each hop before requesting it, so an unsafe redirect target is never fetched. When a redirect cannot be inspected because the runtime returns an opaque response, the helpers fail closed (reject the redirect) on the server; only in a real browser — where SSRF is not reachable (fetch is constrained by CORS and cannot reach a server's internal network or cloud-metadata endpoints) — is the redirect followed natively so legitimate redirected downloads keep working.

  • 5291f7e: Harden stream text processing and middleware against prototype pollution from stream part IDs.

  • b4b575a: fix: redact server error details from UI message streams by default

    streamText(...).toUIMessageStream() and createUIMessageStream defaulted their onError callback to getErrorMessage, which serializes the raw error (error.toString() / JSON.stringify(error)) into the client-facing { type: 'error', errorText } chunk — and also into tool-output-error parts. The documented default was () => 'An error occurred.', so applications relying on the documented behavior were unknowingly streaming server exception details (internal hostnames, paths, provider request data, validation inputs) to end users.

    The default onError now returns the documented generic 'An error occurred.'. Raw error details are only emitted when the developer explicitly supplies an onError handler. This also redacts tool-output-error and invalid-tool-input error text by default; pass an onError to surface richer messages.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @​ai-sdk/provider-utils@​4.0.29
    • @​ai-sdk/gateway@​3.0.129

6.0.202

Patch Changes

  • 942f2f8: fix(security): re-validate tool approvals from client message history before execution

    The approval-replay path in generateText/streamText reconstructed approved tool calls from the client-supplied messages array and executed them without re-validating input against the tool's schema or re-checking that the tool actually requires approval. A client could forge an assistant message with a pre-approved tool-call part and have the server execute a tool with attacker-chosen arguments.

... (truncated)

Commits
  • 5548672 Version Packages (#16097)
  • 63b3f60 Version Packages (#16086)
  • bae9bab Version Packages (#16026)
  • b4b575a Backport: fix(ai): redact server error details from UI message streams by def...
  • f42aa79 Backport: fix(provider-utils,ai): harden download SSRF guard against hostname...
  • 5291f7e Backport: fix: Harden stream text processing and middleware against prototype...
  • 9ef2c3c Version Packages (#15998)
  • 942f2f8 Backport: fix(security): harden tool approval replay path against client-forg...
  • dca8c38 Version Packages (#15992)
  • 0c8c0ed Backport: fix(ai): return schema-transformed elements in array output mode (#...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ai since your current version.


Updates lucide-react from 0.577.0 to 1.18.0

Release notes

Sourced from lucide-react's releases.

Version 1.18.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.17.0...1.18.0

Version 1.17.0

What's Changed

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0

Version 1.16.0

What's Changed

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 8, 2026
@vercel

vercel Bot commented Jun 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
commerce-changeset Ready Ready Preview, Comment Jun 15, 2026 4:35am

Request Review

…22 updates

Bumps the npm-dependencies group with 21 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@ai-sdk/anthropic](https://github.com/vercel/ai/tree/HEAD/packages/anthropic) | `3.0.63` | `3.0.84` |
| [@auth0/ai-vercel](https://github.com/auth0/auth0-ai-js) | `5.1.0` | `5.1.1` |
| [@auth0/nextjs-auth0](https://github.com/auth0/nextjs-auth0) | `4.16.0` | `4.22.0` |
| [@base-ui/react](https://github.com/mui/base-ui/tree/HEAD/packages/react) | `1.3.0` | `1.5.0` |
| [@google/genai](https://github.com/googleapis/js-genai) | `1.46.0` | `2.8.0` |
| [ai](https://github.com/vercel/ai/tree/HEAD/packages/ai) | `6.0.146` | `6.0.205` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `0.577.0` | `1.18.0` |
| [next](https://github.com/vercel/next.js) | `16.2.1` | `16.2.9` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.4` | `19.2.7` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.14` | `19.2.17` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.4` | `19.2.7` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [zod](https://github.com/colinhacks/zod) | `4.3.6` | `4.4.3` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.2` | `4.3.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.19.37` | `25.9.3` |
| [eslint](https://github.com/eslint/eslint) | `9.39.4` | `10.5.0` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.2.1` | `16.2.9` |
| [lint-staged](https://github.com/lint-staged/lint-staged) | `16.4.0` | `17.0.7` |
| [shadcn](https://github.com/shadcn-ui/ui/tree/HEAD/packages/shadcn) | `4.1.0` | `4.11.0` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.9.3` | `6.0.3` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.2` | `4.1.8` |



Updates `@ai-sdk/anthropic` from 3.0.63 to 3.0.84
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/anthropic@3.0.84/packages/anthropic/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/anthropic@3.0.84/packages/anthropic)

Updates `@auth0/ai-vercel` from 5.1.0 to 5.1.1
- [Release notes](https://github.com/auth0/auth0-ai-js/releases)
- [Commits](https://github.com/auth0/auth0-ai-js/compare/@auth0/ai-vercel-v5.1.0...@auth0/ai-vercel-v5.1.1)

Updates `@auth0/nextjs-auth0` from 4.16.0 to 4.22.0
- [Release notes](https://github.com/auth0/nextjs-auth0/releases)
- [Changelog](https://github.com/auth0/nextjs-auth0/blob/main/CHANGELOG.md)
- [Commits](auth0/nextjs-auth0@v4.16.0...v4.22.0)

Updates `@base-ui/react` from 1.3.0 to 1.5.0
- [Release notes](https://github.com/mui/base-ui/releases)
- [Changelog](https://github.com/mui/base-ui/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mui/base-ui/commits/v1.5.0/packages/react)

Updates `@google/genai` from 1.46.0 to 2.8.0
- [Release notes](https://github.com/googleapis/js-genai/releases)
- [Changelog](https://github.com/googleapis/js-genai/blob/main/CHANGELOG.md)
- [Commits](googleapis/js-genai@v1.46.0...v2.8.0)

Updates `ai` from 6.0.146 to 6.0.205
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/ai@6.0.205/packages/ai/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/ai@6.0.205/packages/ai)

Updates `lucide-react` from 0.577.0 to 1.18.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.18.0/packages/lucide-react)

Updates `next` from 16.2.1 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.1...v16.2.9)

Updates `react` from 19.2.4 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `@types/react` from 19.2.14 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.2.4 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

Updates `zod` from 4.3.6 to 4.4.3
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.3.6...v4.4.3)

Updates `@tailwindcss/postcss` from 4.2.2 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-postcss)

Updates `@types/node` from 20.19.37 to 25.9.3
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@types/react` from 19.2.14 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `eslint` from 9.39.4 to 10.5.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.39.4...v10.5.0)

Updates `eslint-config-next` from 16.2.1 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.9/packages/eslint-config-next)

Updates `lint-staged` from 16.4.0 to 17.0.7
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v16.4.0...v17.0.7)

Updates `shadcn` from 4.1.0 to 4.11.0
- [Release notes](https://github.com/shadcn-ui/ui/releases)
- [Changelog](https://github.com/shadcn-ui/ui/blob/main/packages/shadcn/CHANGELOG.md)
- [Commits](https://github.com/shadcn-ui/ui/commits/shadcn@4.11.0/packages/shadcn)

Updates `tailwindcss` from 4.2.2 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss)

Updates `typescript` from 5.9.3 to 6.0.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.3)

Updates `vitest` from 4.1.2 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest)

---
updated-dependencies:
- dependency-name: "@ai-sdk/anthropic"
  dependency-version: 3.0.81
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@auth0/ai-vercel"
  dependency-version: 5.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@auth0/nextjs-auth0"
  dependency-version: 4.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@base-ui/react"
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@google/genai"
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-dependencies
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@types/node"
  dependency-version: 25.9.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-dependencies
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: ai
  dependency-version: 6.0.197
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: eslint
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-dependencies
- dependency-name: eslint-config-next
  dependency-version: 16.2.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: lint-staged
  dependency-version: 17.0.7
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-dependencies
- dependency-name: lucide-react
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-dependencies
- dependency-name: next
  dependency-version: 16.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: shadcn
  dependency-version: 4.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: tailwindcss
  dependency-version: 4.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-dependencies
- dependency-name: vitest
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: zod
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump the npm-dependencies group with 22 updates chore(deps): bump the npm-dependencies group across 1 directory with 22 updates Jun 15, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-dependencies-5a742c8b2d branch from fb4c0e5 to b0f18d1 Compare June 15, 2026 04:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants