chore(deps)(deps): bump the batched-minor-patch group across 1 directory with 26 updates

[dependabot]

Bumps the batched-minor-patch group with 24 updates in the / directory:

Package	From	To
@radix-ui/themes	3.2.1	3.3.0
@upstash/ratelimit	2.0.7	2.0.8
@upstash/redis	1.35.6	1.38.0
better-auth	1.3.34	1.6.10
next	16.0.3	16.2.6
next-auth	4.24.13	4.24.14
next-devtools-mcp	0.3.3	0.3.10
otpauth	9.4.1	9.5.1
react	19.2.0	19.2.6
@types/react	19.2.4	19.2.14
react-dom	19.2.0	19.2.6
react-hook-form	7.66.0	7.75.0
recharts	3.4.1	3.8.1
@axe-core/playwright	4.11.0	4.11.3
@eslint/eslintrc	3.3.1	3.3.5
@playwright/test	1.56.1	1.59.1
@tailwindcss/forms	0.5.10	0.5.11
@tailwindcss/postcss	4.1.17	4.3.0
@testing-library/react	16.3.0	16.3.2
autoprefixer	10.4.22	10.5.0
jest-mock-extended	4.0.0	4.0.1
prettier	3.6.2	3.8.3
prettier-plugin-tailwindcss	0.7.1	0.8.0
tsx	4.20.6	4.21.0

Updates @radix-ui/themes from 3.2.1 to 3.3.0

Release notes

Sourced from @​radix-ui/themes's releases.

3.3.0

What's Changed

• Add soft variant to the Kbd component (#774)
• Add new layout props to Grid and layout components: alignContent, justifyItems, alignSelf, justifySelf (#744)
• Deprecate breakpoints array. In the next major version, it will be replaced with a Set for easier lookups and comparisons.

Changelog

Sourced from @​radix-ui/themes's changelog.

Release process

This is a work-in-progress document and will be updated as we refine our release process.

Release strategy

We track versions during the pull request process. As features are added, modified or improved it's important to keep track of these via versioning.

Tracking version changes

PRs that fix bugs or add features should include an addition to packages/radix-ui-themes/CHANGELOG.md under a new version heading. The actual release version may differ, so be sure to double check this at publish time.

Publishing a stable release

You must be a maintainer of the repository and have write access to publish a release.

1. Create a new branch for the release. We recommend the branch naming convention release/<version> for this (e.g. release/3.3.0).
2. Update the version in packages/radix-ui-themes/package.json and ensure the changelog is up to date.
3. Add and commit with the commit message of v<version> (e.g. v3.3.0).
4. Push the branch to the repository and create a pull request.
5. When checks pass and the pull request is approved, merge it into main.
6. Create a new tag for the release with the format <version> (e.g. 3.3.0).
   • If you do this locally, be sure to pull the latest changes from main to ensure you have the new version changes from the previous step.
7. Create a new GitHub release from the tag. Use the changelog entry for the version as its release notes.
8. The GitHub action will be triggered by the publish workflow and will automatically publish the package to npm.

To publish a pre-release you must build and publish manually. Use pnpm publish -r --tag <tag>, where <tag> is the pre-release tag (e.g. alpha, beta, rc)

Updating documentation

Our documentation is in a separate repository and updating it is a three step process:

1. Write and update the change log
2. Bump package version/s and create / update the pages for each version change
3. Perform documentation updates and remove live demos from previous versions

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/themes since your current version.

Updates @upstash/ratelimit from 2.0.7 to 2.0.8

Release notes

Sourced from @​upstash/ratelimit's releases.

v2.0.8

What's Changed

• DX-2280: Remove large-group runners by @​CahidArda in upstash/ratelimit-js#144
• Fix React Server Components CVE vulnerabilities by @​vercel[bot] in upstash/ratelimit-js#145
• DX-2316: bump next by @​CahidArda in upstash/ratelimit-js#146
• DX-2254: add global dynamic limit by @​CahidArda in upstash/ratelimit-js#147

New Contributors

• @​vercel[bot] made their first contribution in upstash/ratelimit-js#145

Full Changelog: upstash/ratelimit-js@v2.0.7...v2.0.8

Commits

• a8b1b99 DX-2254: add global dynamic limit (#147)
• 8589adb fix: bump next (#146)
• ade4aa8 Merge pull request #145 from upstash/vercel/react-server-components-cve-vu-qx...
• e19785d Fix React Server Components CVE vulnerabilities
• 67e8bc2 DX-2280: Remove specific runner configuration from test job in GitHub Actions...
• See full diff in compare view

Updates @upstash/redis from 1.35.6 to 1.38.0

Release notes

Sourced from @​upstash/redis's releases.

@​upstash/redis@​1.38.0

Minor Changes

• c71f581: Separate read/write commands into separate pipelines in auto pipeline. As a result, mixed read/write Promise.all batches may now be split across multiple pipeline HTTP requests instead of a single request, and read-after-write ordering may no longer be preserved within those mixed batches.

@upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

What's Changed

• DX-2506: add redis search into skills by @​CahidArda in upstash/redis-js#1427
• fix: rename redis search analytics demo by @​CahidArda in upstash/redis-js#1428
• DX-2555: add supply chain security settings by @​CahidArda in upstash/redis-js#1429
• fix: add version sync to ci by @​alitariksahin in upstash/redis-js#1430

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.37.0...@​upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

@​upstash/redis@​1.37.0

Minor Changes

• 6f2a831: Release redis search

Patch Changes

• 3980b45: Add monorepo structure

@upstash/redis@1.37.0-canary-20260312092231-7405c30f6a505815bbeb69b713a22978f104ec1f

What's Changed

• DX-2445: redis package version and changeset for search release by @​CahidArda in upstash/redis-js#1423
• DX-2445: fix redis version, add repository.url to search packages by @​CahidArda in upstash/redis-js#1424
• DX-2445: use pnpm publish for search packages to resolve workspace:* deps by @​CahidArda in upstash/redis-js#1425

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.30.3-canary-20260312082754-96a99a4e83fc560b77c36808627213e528c2f110...@​upstash/redis@1.37.0-canary-20260312092231-7405c30f6a505815bbeb69b713a22978f104ec1f

@​upstash/redis@​1.37.0-canary-20260312084440-fba95e89e54d8ba63f020400247a1ef0dbdd2c84

What's Changed

• DX-2445: redis package version and changeset for search release by @​CahidArda in upstash/redis-js#1423
• DX-2445: fix redis version, add repository.url to search packages by @​CahidArda in upstash/redis-js#1424

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.30.3-canary-20260312082754-96a99a4e83fc560b77c36808627213e528c2f110...@​upstash/redis@1.37.0-canary-20260312084440-fba95e89e54d8ba63f020400247a1ef0dbdd2c84

Commits

• 7607549 chore: version packages (#1433)
• c71f581 DX-2577: Seperate read/write commands into seperate pipelines in auto pipelin...
• e3a23ab fix: add version sync to ci (#1430)
• 12e9a9e DX-2555: add supply chain security settings (#1429)
• f59fa75 fix: docs link
• c88b8e5 fix: rename redis search analytics demo (#1428)
• 5d8abc1 feat: add redis search into skills (#1427)
• 7e8fbed chore: version packages (#1420)
• 703f6d4 fix: handle FROM field option in SEARCH.DESCRIBE deserialization (#1426)
• 15b4fc9 fix: use pnpm publish for search packages to resolve workspace:* deps (#1425)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​upstash/redis since your current version.

Updates better-auth from 1.3.34 to 1.6.10

Release notes

Sourced from better-auth's releases.

v1.6.10

better-auth

Bug Fixes

• Exposed refreshUserSessions on the internal adapter (#7764)
• Fixed organization invitation roles to accept dynamic access control roles (#9437)
• Improved link accessibility (#9521)
• Fixed incorrect email casing in one-tap, email-otp, and email-verification flows (#9369)
• Fixed OpenAPI schema for POST /sign-in/social mis-declaring required fields (#9268)
• Added a warning when the cookie plugin is placed last in the plugins array (#9484)
• Fixed useSession not revalidating after admin impersonation starts or stops (#9402)
• Fixed duplicate Set-Cookie headers being emitted on redirect responses from social sign-in and magic-link endpoints (#9497)
• Fixed the bearer plugin writing duplicate cookie entries when merging the session token into request headers (#9387)
• Fixed captcha plugin breaking the email-otp flow (#8339)
• Fixed email enumeration protection not applying when emailAndPassword.autoSignIn is false (#8839)
• Fixed a TypeError caused by non-ASCII characters in OAuth error descriptions on redirect (#9065)
• Renamed internalAdapter.deleteAccount parameter from accountId to id to reflect that it queries by primary key (#9503)
• Fixed OAuth callbacks accepting a missing provider account ID, which could link accounts under an undefined id (#9456)
• Fixed cancelPendingInvitationsOnReInvite having no effect, where re-inviting the same email always returned USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION (#9453)
• Fixed a TS2742 type error caused by missing re-exports when using additionalFields in the organization plugin (#9349)
• Fixed useActiveMemberRole retaining a previous user's role after sign-out in SPA flows (#9440)
• Fixed setActiveTeam to only accept teams from the currently active organization (#9239)
• Added authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint (#9461)
• Fixed callbackURL being ignored on signIn.username, so it now redirects correctly like signIn.email (#9475)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed sessionId typing in refresh token types to be optional, matching the schema (#9324)
• Fixed stale prompt=login consent continuations not completing after a forced login
• Exported OAuth provider helper types needed for portable downstream TypeScript declaration emit (#9406)
• Fixed prompt=login not being honored after consent continuation, preventing session bypass (#9344)
• Added database indexes to OAuth provider foreign-key fields in generated schemas (#9389)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

• Fixed onSubscriptionUpdate to receive the raw stripeSubscription object, and fixed onSubscriptionCancel to receive the post-update subscription row instead of a stale snapshot (#9354)
• Fixed getCheckoutSessionParams overriding internally managed Stripe Checkout Session fields such as success_url, cancel_url, customer, and line_items (#9481)
• Fixed onSubscriptionDeleted, onTrialEnd, and onTrialExpired receiving a stale pre-update subscription snapshot instead of the post-update row (#9356)
• Fixed getCheckoutSessionParams overriding free trial and internal metadata, which could hide trial periods and create duplicate subscription rows on webhook (#9474)
• Renamed internal subscription webhook variables for clarity (#9355)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.10

Patch Changes

• #8339 1e0f26d Thanks @​ping-maxwell! - fix(captcha): breaks email-otp flow

• #9484 8c1e917 Thanks @​ping-maxwell! - fix: warn for cookie-plugin being last in array

• #9437 b2d655c Thanks @​cyphercodes! - Allow organization invitation role input types to accept dynamic access control roles.

• #9497 09f1327 Thanks @​bytaesu! - Endpoints that set cookies before redirecting (such as social sign-in callbacks and magic-link verification) no longer emit each Set-Cookie entry twice on the response.

• #9387 906b7b3 Thanks @​bytaesu! - The bearer plugin now produces a single entry per cookie name when merging its session token into the request Cookie header. Previously the merged header could carry two entries for the same name if the request already had a stale session cookie, which would surface to downstream code that picks the first occurrence.

• #9475 e9c978e Thanks @​jaydeep-pipaliya! - fix(username): respect callbackURL on /sign-in/username

  The endpoint accepted a callbackURL body field but ignored it, so authClient.signIn.username({ ..., callbackURL }) silently did nothing while authClient.signIn.email redirected as expected. The handler now sets a Location header when callbackURL is provided and returns { redirect, url } alongside token/user, matching the email flow.

• #9440 e71aad3 Thanks @​cyphercodes! - Clear organization active hook state after sign-out so useActiveMemberRole does not retain a previous user's role in SPA sign-out/sign-in flows.

• #9402 80a655d Thanks @​onmax! - Revalidate the client session after admin impersonation starts or stops.

• #9503 15ff28a Thanks @​bytaesu! - internalAdapter.deleteAccount parameter renamed from accountId to id to reflect that it queries by primary key, not the accountId column. No runtime behavior change.

• #9268 88a7c67 Thanks @​ping-maxwell! - fix: openAPI schema for POST /sign-in/social mis-declares required fields

• #8839 9a7b51d Thanks @​dipan-ck! - Apply email enumeration protection when emailAndPassword.autoSignIn is false. Duplicate sign-ups now return a synthetic user (token: null) and trigger onExistingUserSignUp, and new sign-ups skip auto sign-in (token: null)—even without requireEmailVerification, aligning with the docs.

• #9065 1b25902 Thanks @​ping-maxwell! - non-ASCII error_description in generic-oauth callback routes causes TypeError on redirect

• #9349 cf59136 Thanks @​ping-maxwell! - fix(organization): re-export field types to prevent TS2742 with additionalFields

• #9453 a597ee0 Thanks @​mausic! - The organization plugin's cancelPendingInvitationsOnReInvite option now actually cancels the prior pending invitation when re-inviting the same email. Previously the option had no effect — re-inviting always failed with USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION

• #9456 fc02ced Thanks @​cyphercodes! - Reject OAuth callbacks when provider user info omits the account id to avoid linking accounts under the literal undefined id.

• #9461 9f1ef1f Thanks @​cyphercodes! - Expose authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint.

• #9369 36ef808 Thanks @​ping-maxwell! - fix: incorrect email casing across one-tap, email-otp & email-verification

... (truncated)

Commits

• cbb5014 chore: release v1.6.10 (#9350)
• 09f1327 fix(api): prevent duplicate set-cookie on redirect (#9497)
• 15ff28a fix(internal-adapter): rename deleteAccount param from accountId to id (#...
• fde0432 fix: improve link accessibility issues (#9521)
• cf59136 fix(organization): re-export field types to prevent TS2742 with additionalFie...
• 8c1e917 fix: warn for cookie-plugin being last in array (#9484)
• 3a9a2c3 chore: expose refreshUserSessions on internal adapter (#7764)
• e9c978e fix(username): respect callbackURL on sign-in (#9475)
• 36ef808 fix: incorrect email casing across one-tap, email-otp & email-verification (#...
• 9a7b51d fix(credential): apply enumeration protection when autoSignIn is false (#8839)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for better-auth since your current version.

Updates next from 16.0.3 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates next-auth from 4.24.13 to 4.24.14

Release notes

Sourced from next-auth's releases.

next-auth@4.24.14

Bugfixes

• providers: add issuer to GitHub provider for RFC 9207 compliance (#13412)

GitHub now returns an iss parameter in OAuth callbacks. openid-client validates it unconditionally, which was breaking authentication for apps that didn't configure an issuer. This sets the default GitHub provider issuer to https://github.com/login/oauth.

Commits

• e9a892a chore(release): bump version [skip ci]
• 0497da4 fix(providers): add issuer to github (#13412)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by better-gustavo, a new releaser for next-auth since your current version.

Updates next-devtools-mcp from 0.3.3 to 0.3.10

Release notes

Sourced from next-devtools-mcp's releases.

v0.3.10

What's Changed

• docs: add Google Antigravity configuration instructions to README by @​0ldh in vercel/next-devtools-mcp#111
• Perf: Optimize doc lookup by @​gaojude in vercel/next-devtools-mcp#112

New Contributors

• @​0ldh made their first contribution in vercel/next-devtools-mcp#111

Full Changelog: vercel/next-devtools-mcp@v0.3.9...v0.3.10

v0.3.8

What's Changed

• fix: filter base64 image from screenshot result by @​Burry in vercel/next-devtools-mcp#105
• fix(init): avoid agent idle caused by strict reply prohibition (fix #109) by @​MapleCity1314 in vercel/next-devtools-mcp#110

New Contributors

• @​Burry made their first contribution in vercel/next-devtools-mcp#105
• @​MapleCity1314 made their first contribution in vercel/next-devtools-mcp#110

Full Changelog: vercel/next-devtools-mcp@v0.3.7...v0.3.8

v0.3.7

Fixes

• fix: upgrade @​modelcontextprotocol/sdk to 1.24.3 (CVE-2025-66414) by @​gaojude in vercel/next-devtools-mcp#107

Misc

• fix: upgrade Next.js to 16.0.7 (CVE-2025-55182) by @​ctate in vercel/next-devtools-mcp#106

• @​ctate made their first contribution in vercel/next-devtools-mcp#106

Full Changelog: vercel/next-devtools-mcp@v0.3.6...v0.3.7

v0.3.6

Improvements

• Fix screenshot action using wrong Playwright MCP tool name by @​gaojude in vercel/next-devtools-mcp#98
• Improve port discovery by @​gaojude in vercel/next-devtools-mcp#101

Misc

• ci: update server.json for mcp registry when bump version by @​huozhi in vercel/next-devtools-mcp#102
• Add troubleshooting section for common user issues by @​gaojude in vercel/next-devtools-mcp#97

Full Changelog: vercel/next-devtools-mcp@v0.3.5...v0.3.6

v0.3.5

What's Changed

• Simplify Next.js server discovery by combining server and tool listing by @​gaojude in vercel/next-devtools-mcp#96

Full Changelog: vercel/next-devtools-mcp@v0.3.4...v0.3.5

... (truncated)

Commits

• d1b3e56 chore: bump version to 0.3.10
• 7330deb simplify docs search (#112)
• 6751777 docs: add Google Antigravity configuration instructions to README (#111)
• 38bf006 chore: bump version to 0.3.9
• edd1acf improve use cache migration (#108)
• af3d601 chore: bump version to 0.3.8
• 19cd8c3 fix: update ai_response_instruction for initialization process (#110)
• 8b8a4e5 fix: filter base64 image from screenshot result (#105)
• 316fcec chore: bump version to 0.3.7
• e869d6e bump mcp sdk (#107)
• Additional commits viewable in compare view

Updates otpauth from 9.4.1 to 9.5.1

Release notes

Sourced from otpauth's releases.

v9.5.1

What's Changed

• Bump rollup from 4.57.1 to 4.59.0 by @​dependabot[bot] in hectorm/otpauth#674
• Bump minimatch by @​dependabot[bot] in hectorm/otpauth#673
• Bump the github-actions-all group with 3 updates by @​dependabot[bot] in hectorm/otpauth#675
• Bump the npm-development-minor-patch group across 1 directory with 7 updates by @​dependabot[bot] in hectorm/otpauth#677
• Bump the github-actions-all group with 3 updates by @​dependabot[bot] in hectorm/otpauth#679
• Bump @​rollup/plugin-terser from 0.4.4 to 1.0.0 by @​dependabot[bot] in hectorm/otpauth#680
• Bump eslint from 9.39.2 to 10.0.3 by @​dependabot[bot] in hectorm/otpauth#678
• Bump @​eslint/js from 9.39.2 to 10.0.1 by @​dependabot[bot] in hectorm/otpauth#670
• Bump the npm-development-minor-patch group across 1 directory with 8 updates by @​dependabot[bot] in hectorm/otpauth#686
• Bump the github-actions-all group with 5 updates by @​dependabot[bot] in hectorm/otpauth#685
• Bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in hectorm/otpauth#684
• Bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in hectorm/otpauth#682
• Bump the github-actions-all group with 4 updates by @​dependabot[bot] in hectorm/otpauth#692
• Bump @​noble/hashes from 2.0.1 to 2.2.0 in the npm-production-minor-patch group by @​dependabot[bot] in hectorm/otpauth#688
• Bump the npm-development-minor-patch group across 1 directory with 8 updates by @​dependabot[bot] in hectorm/otpauth#690

Full Changelog: hectorm/otpauth@v9.5.0...v9.5.1

v9.5.0

What's Changed

• Bump the npm-development-minor-patch group across 1 directory with 13 updates by @​dependabot[bot] in hectorm/otpauth#635
• Bump @​noble/hashes from 1.8.0 to 2.0.1 by @​dependabot[bot] in hectorm/otpauth#632
• Bump the github-actions-all group across 1 directory with 5 updates by @​dependabot[bot] in hectorm/otpauth#637
• Bump the npm-development-minor-patch group with 3 updates by @​dependabot[bot] in hectorm/otpauth#636
• Bump glob by @​dependabot[bot] in hectorm/otpauth#645
• Bump js-yaml from 4.1.0 to 4.1.1 by @​dependabot[bot] in hectorm/otpauth#643
• Bump the github-actions-all group across 1 directory with 5 updates by @​dependabot[bot] in hectorm/otpauth#647
• Bump the npm-development-minor-patch group across 1 directory with 14 updates by @​dependabot[bot] in hectorm/otpauth#646
• Bump @​eslint/core from 0.16.0 to 1.0.0 by @​dependabot[bot] in hectorm/otpauth#650
• Bump the github-actions-all group with 5 updates by @​dependabot[bot] in hectorm/otpauth#654
• Bump the npm-development-minor-patch group across 1 directory with 5 updates by @​dependabot[bot] in hectorm/otpauth#653
• Bump the npm-development-minor-patch group across 1 directory with 5 updates by @​dependabot[bot] in hectorm/otpauth#661
• Bump @​types/node from 24.10.1 to 25.0.3 by @​dependabot[bot] in hectorm/otpauth#657
• Bump globals from 16.5.0 to 17.0.0 by @​dependabot[bot] in hectorm/otpauth#656
• Bump the npm-development-minor-patch group with 6 updates by @​dependabot[bot] in hectorm/otpauth#662
• Bump the github-actions-all group with 4 updates by @​dependabot[bot] in hectorm/otpauth#663
• Bump hectorm/ghaction-setup-quickjs from 1.1.0 to 1.2.0 in the github-actions-all group by @​dependabot[bot] in hectorm/otpauth#664
• Add custom HMAC support and bare build, fixes #659 by @​hectorm in hectorm/otpauth#666
• Bump github/codeql-action from 4.32.0 to 4.32.1 in the github-actions-all group by @​dependabot[bot] in hectorm/otpauth#667
• Bump the npm-development-minor-patch group with 6 updates by @​dependabot[bot] in hectorm/otpauth#665

Full Changelog: hectorm/otpauth@v9.4.1...v9.5.0

Commits

• 4903d3d 9.5.1
• b5c6df7 Add 7 day cooldown for new dependency versions
• 01f7caf Update dependencies
• adff202 Bump the npm-development-minor-patch group across 1 directory with 8 updates ...
• 0e4fa84 Bump @​noble/hashes in the npm-production-minor-patch group (#688)
• b7f24c9 Bump the github-actions-all group with 4 updates (#692)
• 80b053d Bump flatted from 3.3.3 to 3.4.2 (#682)
• 4d0f0cc Bump picomatch from 4.0.3 to 4.0.4 (#684)
• 2f0e384 Bump the github-actions-all group with 5 updates (#685)
• 7097f14 Bump the npm-development-minor-patch group across 1 directory with 8 updates ...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for otpauth since your current version.

Updates react from 19.2.0 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and

[github-actions]

👋 Thanks for opening your first pull request in StormCom!

A maintainer will review your PR soon. Please make sure:

• Your PR follows our
  Contributing Guidelines
• All CI checks pass
• You've added appropriate tests
• Documentation has been updated (if needed)

We appreciate your contribution to making StormCom better! 🚀

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.