chore(deps): bump the dev group across 1 directory with 15 updates

[dependabot]

Bumps the dev group with 15 updates in the / directory:

Package	From	To
lint-staged	16.4.0	17.0.7
prettier	3.8.3	3.8.4
turbo	2.9.14	2.9.18
typescript	5.9.3	6.0.3
@axe-core/playwright	4.11.2	4.11.3
@next/bundle-analyzer	16.2.4	16.2.9
@playwright/test	1.59.1	1.60.0
@tailwindcss/postcss	4.2.4	4.3.1
@types/node	20.19.39	25.9.3
@vitest/coverage-v8	4.1.5	4.1.8
eslint	9.39.4	10.5.0
eslint-config-next	16.2.6	16.2.9
tailwindcss	4.2.4	4.3.1
tsx	4.21.0	4.22.4
vitest	4.1.7	4.1.8

Updates lint-staged from 16.4.0 to 17.0.7

Release notes

Sourced from lint-staged's releases.

v17.0.7

Patch Changes

• #1806 e692e58 - Update dependency tinyexec@^1.2.4.

v17.0.6

Patch Changes

• #1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

• #1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

• #1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

• #1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

v17.0.5

Patch Changes

• #1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

v17.0.4

Patch Changes

• #1788 f95c1f8 - Another fix for making sure lint-staged adds task modifications correctly to the commit in the following cases:

  • after editing <file> it is staged with git add <file>, and then committed with git commit
  • after editing <file> it is committed with git commit --all without explicit git add
  • after editing <file> it is committed with git commit <pathspec> without explicit git add

  There's new test cases which actually setup the Git pre_commit hook to run lint-staged and verify them. These issues started in v17.0.0 when trying to improve support for committig without having explicitly staged files.

v17.0.3

Patch Changes

• #1782 06813f9 Thanks @​iiroj! - Fix lint-staged behavior when implicitly committing files without using git add by either:
  • git commit -am "my commit message" where -a (--all) means to automatically stage all tracked modified and deleted files
  • git commit -m "my commit message" . where . is an example of a pathspec where matching files will be staged

v17.0.2

Patch Changes

• #1779 88670ca Thanks @​iiroj! - Enable immutable GitHub releases

v17.0.1

Patch Changes

• #1776 4a5664b Thanks @​iiroj! - Adjust GitHub Actions workflow so that automatic publishing works with signed commits.

v17.0.0

... (truncated)

Changelog

Sourced from lint-staged's changelog.

17.0.7

Patch Changes

• #1806 e692e58 - Update dependency tinyexec@^1.2.4.

17.0.6

Patch Changes

• #1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

• #1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

• #1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

• #1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

17.0.5

Patch Changes

• #1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

17.0.4

Patch Changes

• #1788 f95c1f8 - Another fix for making sure lint-staged adds task modifications correctly to the commit in the following cases:

  • after editing <file> it is staged with git add <file>, and then committed with git commit
  • after editing <file> it is committed with git commit --all without explicit git add
  • after editing <file> it is committed with git commit <pathspec> without explicit git add

  There's new test cases which actually setup the Git pre_commit hook to run lint-staged and verify them. These issues started in v17.0.0 when trying to improve support for committig without having explicitly staged files.

17.0.3

Patch Changes

• #1782 06813f9 Thanks @​iiroj! - Fix lint-staged behavior when implicitly committing files without using git add by either:
  • git commit -am "my commit message" where -a (--all) means to automatically stage all tracked modified and deleted files
  • git commit -m "my commit message" . where . is an example of a pathspec where matching files will be staged

17.0.2

Patch Changes

• #1779 88670ca Thanks @​iiroj! - Enable immutable GitHub releases

17.0.1

... (truncated)

Commits

• cd11fec Merge pull request #1807 from lint-staged/changeset-release/main
• 15a8ee0 chore(changeset): release
• 797bbd9 Merge pull request #1808 from lint-staged/add-stashing-faq
• 504e307 docs: add FAQ entry on how stashing works
• eff5cd1 Merge pull request #1806 from lint-staged/update-tinyexec
• e692e58 build(deps): update tinyexec@^1.2.4
• a2dd4ea Merge pull request #1805 from lint-staged/update-github-templates
• c928519 docs: update GitHub templates
• 094ba56 Merge pull request #1798 from lint-staged/changeset-release/main
• 88e19fe chore(changeset): release
• Additional commits viewable in compare view

Updates prettier from 3.8.3 to 3.8.4

Release notes

Sourced from prettier's releases.

3.8.4

• Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (prettier/prettier#17746 by @​byplayer)

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.4

diff

Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#17746 by @​byplayer)

Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.

<!-- Input -->
- a


b


c

d



<!-- Prettier 3.8.3 -->

a

b


c

d



<!-- Prettier 3.8.4 -->


a

b



c

d

Commits

• 1c6ba55 Release 3.8.4
• 4a673dc Fix blank lines between list items and nested sub-lists being removed in Mark...
• 074aaed Replace main branch in changelog link with tags (#19054)
• c22a003 Bump Prettier dependency to 3.8.3
• 07bad1f Clean changelog_unreleased
• See full diff in compare view

Updates turbo from 2.9.14 to 2.9.18

Release notes

Sourced from turbo's releases.

Turborepo v2.9.18

What's Changed

Changelog

• release(turborepo): 2.9.17 by @​github-actions[bot] in vercel/turborepo#13047
• ci: Fetch version.txt via API in docs alias failure notification by @​anthonyshew in vercel/turborepo#13050
• fix: Harden cache archive symlink restore by @​anthonyshew in vercel/turborepo#13051
• chore: Remove web UI mode by @​anthonyshew in vercel/turborepo#13052
• fix: Harden query server file access by @​anthonyshew in vercel/turborepo#13053
• fix: Confine prune patch paths by @​anthonyshew in vercel/turborepo#13054
• fix: Prevent git argument injection in SCM refs by @​anthonyshew in vercel/turborepo#13055
• fix: Strip special mode bits from cache restore by @​anthonyshew in vercel/turborepo#13056
• fix: Contain incremental cache outputs by @​anthonyshew in vercel/turborepo#13057
• fix(turborepo): Normalize Windows daemon path hash by @​Balance8 in vercel/turborepo#13020
• fix: Preserve vt100 cell byte counts by @​anthonyshew in vercel/turborepo#13058
• fix: Separate artifact signature fields by @​anthonyshew in vercel/turborepo#13059
• fix: Validate OidHash hex buffers by @​anthonyshew in vercel/turborepo#13060
• fix: Block self-hosted login URLs from attempting to use Vercel's SSO by @​anthonyshew in vercel/turborepo#13061

New Contributors

• @​Balance8 made their first contribution in vercel/turborepo#13020

Full Changelog: vercel/turborepo@v2.9.17...v2.9.18

Turborepo v2.9.17

What's Changed

Changelog

• fix: Keep non-PTY stdin alive for persistent tasks by @​anthonyshew in vercel/turborepo#12972
• release(turborepo): 2.9.16 by @​github-actions[bot] in vercel/turborepo#12970
• release(turborepo): 2.9.17-canary.1 by @​github-actions[bot] in vercel/turborepo#12973
• fix: Add auth HTTP timeouts by @​anthonyshew in vercel/turborepo#12976
• fix: Detect affected root tasks in query by @​anthonyshew in vercel/turborepo#12977
• fix: Wait for Windows graceful shutdown by @​anthonyshew in vercel/turborepo#12979
• release(turborepo): 2.9.17-canary.2 by @​github-actions[bot] in vercel/turborepo#12980
• test: Skip installs for JSON output fixtures by @​anthonyshew in vercel/turborepo#12981
• feat: Add Rsbuild examples by @​Nsttt in vercel/turborepo#12942
• test: Skip installs for single package dry runs by @​anthonyshew in vercel/turborepo#12982
• test: Skip Corepack setup without installs by @​anthonyshew in vercel/turborepo#12983
• test: Skip installs for metadata-only Rust tests by @​anthonyshew in vercel/turborepo#12985
• test: Skip remaining unnecessary fixture installs by @​anthonyshew in vercel/turborepo#12986
• test: Add final hash contract snapshots by @​anthonyshew in vercel/turborepo#12984
• test: Trim run logging integration matrix by @​anthonyshew in vercel/turborepo#12987
• test: Trim affected query integration matrix by @​anthonyshew in vercel/turborepo#12988
• test: Narrow Windows integration test group by @​anthonyshew in vercel/turborepo#12989
• test: Trim task dependency integration coverage by @​anthonyshew in vercel/turborepo#12990
• test: Trim affected integration coverage by @​anthonyshew in vercel/turborepo#12991
• test: Collapse integration test matrices by @​anthonyshew in vercel/turborepo#12992

... (truncated)

Commits

• 3bdce32 publish 2.9.18 to registry
• 2a76556 fix: Block self-hosted login URLs from attempting to use Vercel's SSO (#13061)
• da8e348 fix: Validate OidHash hex buffers (#13060)
• 3018717 fix: Separate artifact signature fields (#13059)
• 34514e2 fix: Preserve vt100 cell byte counts (#13058)
• 24e2d34 fix(turborepo): Normalize Windows daemon path hash (#13020)
• 16dc881 fix: Contain incremental cache outputs (#13057)
• 92e1f8e fix: Strip special mode bits from cache restore (#13056)
• f46f896 fix: Prevent git argument injection in SCM refs (#13055)
• 7f353ca fix: Confine prune patch paths (#13054)
• Additional commits viewable in compare view

Updates typescript from 5.9.3 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).
• fixed issues query for TypeScript 6.0.3 (Stable).

Downloads are available on:

• npm

TypeScript 6.0

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).

Downloads are available on:

• npm

TypeScript 6.0 Beta

For release notes, check out the release announcement.

• fixed issues query for Typescript 6.0.0 (Beta).

Downloads are available on:

• npm

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• 607a22a Bump version to 6.0.2 and LKG
• 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
• 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
• e175b69 Bump version to 6.0.1-rc and LKG
• af4caac Update LKG
• 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
• Additional commits viewable in compare view

Updates @axe-core/playwright from 4.11.2 to 4.11.3

Release notes

Sourced from @​axe-core/playwright's releases.

v4.11.3

What's Changed

• chore: add create-release workflow by @​Garbee in dequelabs/axe-core-npm#1326
• chore: merge master into develop by @​attest-team-ci in dequelabs/axe-core-npm#1324
• fix: Update axe-core to v4.11.4 by @​attest-team-ci in dequelabs/axe-core-npm#1330
• chore: RC v4.11.3 by @​github-actions[bot] in dequelabs/axe-core-npm#1332
• chore: release v4.11.3 by @​axe-core in dequelabs/axe-core-npm#1335

New Contributors

• @​axe-core made their first contribution in dequelabs/axe-core-npm#1335

Full Changelog: dequelabs/axe-core-npm@v4.11.2...v4.11.3

Changelog

Sourced from @​axe-core/playwright's changelog.

4.11.3 (2026-04-29)

Bug Fixes

• Update axe-core to v4.11.4 (#1330) (eed87f5)

Commits

• 25fbfd2 chore: release v4.11.3 (#1335)
• dad3572 chore: RC v4.11.3 (#1332)
• 582a7fc chore: RC v4.11.3
• eed87f5 fix: Update axe-core to v4.11.4 (#1330)
• 57c5437 chore: merge master into develop (#1324)
• da56b5d chore: add create-release workflow (#1326)
• See full diff in compare view

Updates @next/bundle-analyzer from 16.2.4 to 16.2.9

Release notes

Sourced from @​next/bundle-analyzer's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

... (truncated)

Commits

• f37fad9 v16.2.9
• 6f16804 v16.2.8
• 411c455 v16.2.7
• ee6e79b v16.2.6
• 766148f v16.2.5
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/bundle-analyzer since your current version.

Updates @playwright/test from 1.59.1 to 1.60.0

Release notes

Sourced from @​playwright/test's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates @tailwindcss/postcss from 4.2.4 to 4.3.1

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.3.1

Added

• Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

• Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
• Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
• Allow @apply to be used with CSS mixins (#19427)
• Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
• Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
• Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
• Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
• Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)] → px-[calc(1rem+0)]) (#20127)
• Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px] → left-[99999px], not left-24999.75) (#20130)
• Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
• Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
• Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
• Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
• Allow @variant to be used inside addBase (#19480)
• Ensure @source globs with symlinks are preserved (#20203)
• Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
• Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
• Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
• Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
• Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
• Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)] → w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
• Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

• Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
• Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)

v4.3.0

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)

... (truncated)

Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.3.1] - 2026-06-12

Added

• Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

• Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
• Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
• Allow @apply to be used with CSS mixins (#19427)
• Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
• Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
• Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
• Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
• Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)] → px-[calc(1rem+0)]) (#20127)
• Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px] → left-[99999px], not left-24999.75) (#20130)
• Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
• Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
• Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
• Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
• Allow @variant to be used inside addBase (#19480)
• Ensure @source globs with symlinks are preserved (#20203)
• Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
• Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
• Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
• Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
• Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
• Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)] → w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
• Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

• Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
• Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)

[4.3.0] - 2026-05-08

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
craftstack-collab	Ready	Preview, Comment	Jun 15, 2026 12:21am
craftstack-knowledge	Ready	Preview, Comment	Jun 15, 2026 12:21am

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​eslint-config-next@​16.2.9
	npm/​@​axe-core/​playwright@​4.11.3
	npm/​vitest@​4.1.8
	npm/​@​vitest/​coverage-v8@​4.1.8
	npm/​@​types/​node@​25.9.3
	npm/​tsx@​4.22.4
	npm/​tailwindcss@​4.3.1
	npm/​turbo@​2.9.18
	npm/​@​next/​bundle-analyzer@​16.2.9
	npm/​typescript@​5.9.3 ⏵ 6.0.3	+1		+1
	npm/​lint-staged@​17.0.7
	npm/​prettier@​3.8.4
	npm/​eslint@​9.39.4 ⏵ 10.5.0	+1			+1
	npm/​@​tailwindcss/​postcss@​4.3.1
	npm/​@​playwright/​test@​1.60.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/eslint-config-next@16.2.9 → npm/@typescript-eslint/eslint-plugin@8.61.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report