chore(deps)(deps): bump the batched-minor-patch group across 1 directory with 27 updates

[dependabot]

Bumps the batched-minor-patch group with 25 updates in the / directory:

Package	From	To
@radix-ui/themes	3.2.1	3.3.0
@upstash/ratelimit	2.0.7	2.0.8
@upstash/redis	1.35.6	1.38.0
better-auth	1.3.34	1.6.11
date-fns	4.1.0	4.2.1
next	16.0.3	16.2.6
next-auth	4.24.13	4.24.14
next-devtools-mcp	0.3.3	0.3.10
otpauth	9.4.1	9.5.1
react	19.2.0	19.2.6
@types/react	19.2.4	19.2.14
react-dom	19.2.0	19.2.6
react-hook-form	7.66.0	7.76.0
recharts	3.4.1	3.8.1
@axe-core/playwright	4.11.0	4.11.3
@eslint/eslintrc	3.3.1	3.3.5
@playwright/test	1.56.1	1.60.0
@tailwindcss/forms	0.5.10	0.5.11
@tailwindcss/postcss	4.1.17	4.3.0
@testing-library/react	16.3.0	16.3.2
autoprefixer	10.4.22	10.5.0
jest-mock-extended	4.0.0	4.0.1
prettier	3.6.2	3.8.3
prettier-plugin-tailwindcss	0.7.1	0.8.0
tsx	4.20.6	4.22.3

Updates @radix-ui/themes from 3.2.1 to 3.3.0

Release notes

Sourced from @​radix-ui/themes's releases.

3.3.0

What's Changed

• Add soft variant to the Kbd component (#774)
• Add new layout props to Grid and layout components: alignContent, justifyItems, alignSelf, justifySelf (#744)
• Deprecate breakpoints array. In the next major version, it will be replaced with a Set for easier lookups and comparisons.

Changelog

Sourced from @​radix-ui/themes's changelog.

Release process

This is a work-in-progress document and will be updated as we refine our release process.

Release strategy

We track versions during the pull request process. As features are added, modified or improved it's important to keep track of these via versioning.

Tracking version changes

PRs that fix bugs or add features should include an addition to packages/radix-ui-themes/CHANGELOG.md under a new version heading. The actual release version may differ, so be sure to double check this at publish time.

Publishing a stable release

You must be a maintainer of the repository and have write access to publish a release.

1. Create a new branch for the release. We recommend the branch naming convention release/<version> for this (e.g. release/3.3.0).
2. Update the version in packages/radix-ui-themes/package.json and ensure the changelog is up to date.
3. Add and commit with the commit message of v<version> (e.g. v3.3.0).
4. Push the branch to the repository and create a pull request.
5. When checks pass and the pull request is approved, merge it into main.
6. Create a new tag for the release with the format <version> (e.g. 3.3.0).
   • If you do this locally, be sure to pull the latest changes from main to ensure you have the new version changes from the previous step.
7. Create a new GitHub release from the tag. Use the changelog entry for the version as its release notes.
8. The GitHub action will be triggered by the publish workflow and will automatically publish the package to npm.

To publish a pre-release you must build and publish manually. Use pnpm publish -r --tag <tag>, where <tag> is the pre-release tag (e.g. alpha, beta, rc)

Updating documentation

Our documentation is in a separate repository and updating it is a three step process:

1. Write and update the change log
2. Bump package version/s and create / update the pages for each version change
3. Perform documentation updates and remove live demos from previous versions

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/themes since your current version.

Updates @upstash/ratelimit from 2.0.7 to 2.0.8

Release notes

Sourced from @​upstash/ratelimit's releases.

v2.0.8

What's Changed

• DX-2280: Remove large-group runners by @​CahidArda in upstash/ratelimit-js#144
• Fix React Server Components CVE vulnerabilities by @​vercel[bot] in upstash/ratelimit-js#145
• DX-2316: bump next by @​CahidArda in upstash/ratelimit-js#146
• DX-2254: add global dynamic limit by @​CahidArda in upstash/ratelimit-js#147

New Contributors

• @​vercel[bot] made their first contribution in upstash/ratelimit-js#145

Full Changelog: upstash/ratelimit-js@v2.0.7...v2.0.8

Commits

• a8b1b99 DX-2254: add global dynamic limit (#147)
• 8589adb fix: bump next (#146)
• ade4aa8 Merge pull request #145 from upstash/vercel/react-server-components-cve-vu-qx...
• e19785d Fix React Server Components CVE vulnerabilities
• 67e8bc2 DX-2280: Remove specific runner configuration from test job in GitHub Actions...
• See full diff in compare view

Updates @upstash/redis from 1.35.6 to 1.38.0

Release notes

Sourced from @​upstash/redis's releases.

@​upstash/redis@​1.38.0

Minor Changes

• c71f581: Separate read/write commands into separate pipelines in auto pipeline. As a result, mixed read/write Promise.all batches may now be split across multiple pipeline HTTP requests instead of a single request, and read-after-write ordering may no longer be preserved within those mixed batches.

@upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

What's Changed

• DX-2506: add redis search into skills by @​CahidArda in upstash/redis-js#1427
• fix: rename redis search analytics demo by @​CahidArda in upstash/redis-js#1428
• DX-2555: add supply chain security settings by @​CahidArda in upstash/redis-js#1429
• fix: add version sync to ci by @​alitariksahin in upstash/redis-js#1430

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.37.0...@​upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

@​upstash/redis@​1.37.0

Minor Changes

• 6f2a831: Release redis search

Patch Changes

• 3980b45: Add monorepo structure

@upstash/redis@1.37.0-canary-20260312092231-7405c30f6a505815bbeb69b713a22978f104ec1f

What's Changed

• DX-2445: redis package version and changeset for search release by @​CahidArda in upstash/redis-js#1423
• DX-2445: fix redis version, add repository.url to search packages by @​CahidArda in upstash/redis-js#1424
• DX-2445: use pnpm publish for search packages to resolve workspace:* deps by @​CahidArda in upstash/redis-js#1425

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.30.3-canary-20260312082754-96a99a4e83fc560b77c36808627213e528c2f110...@​upstash/redis@1.37.0-canary-20260312092231-7405c30f6a505815bbeb69b713a22978f104ec1f

@​upstash/redis@​1.37.0-canary-20260312084440-fba95e89e54d8ba63f020400247a1ef0dbdd2c84

What's Changed

• DX-2445: redis package version and changeset for search release by @​CahidArda in upstash/redis-js#1423
• DX-2445: fix redis version, add repository.url to search packages by @​CahidArda in upstash/redis-js#1424

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.30.3-canary-20260312082754-96a99a4e83fc560b77c36808627213e528c2f110...@​upstash/redis@1.37.0-canary-20260312084440-fba95e89e54d8ba63f020400247a1ef0dbdd2c84

Commits

• 7607549 chore: version packages (#1433)
• c71f581 DX-2577: Seperate read/write commands into seperate pipelines in auto pipelin...
• e3a23ab fix: add version sync to ci (#1430)
• 12e9a9e DX-2555: add supply chain security settings (#1429)
• f59fa75 fix: docs link
• c88b8e5 fix: rename redis search analytics demo (#1428)
• 5d8abc1 feat: add redis search into skills (#1427)
• 7e8fbed chore: version packages (#1420)
• 703f6d4 fix: handle FROM field option in SEARCH.DESCRIBE deserialization (#1426)
• 15b4fc9 fix: use pnpm publish for search packages to resolve workspace:* deps (#1425)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​upstash/redis since your current version.

Updates better-auth from 1.3.34 to 1.6.11

Release notes

Sourced from better-auth's releases.

v1.6.11

better-auth

Bug Fixes

• Added an error code to the change-email-disabled response to help clients identify the rejection reason (#8948)
• Fixed access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript (#9507)
• Fixed the anonymous plugin to correctly call onLinkAccount when email verification triggers auto sign-in (#9548)
• Fixed device authorization to bind pending codes to the verifying session, preventing any authenticated user from approving or denying another user's device code (#9573)
• Fixed a race condition in the magic-link plugin that allowed concurrent requests to mint multiple sessions from the same single-use token (#9572)
• Fixed the oidc-provider and mcp plugins to require client_secret for confidential clients on refresh token grants and use constant-time secret comparison (#9576)
• Hardened oidc-provider and mcp plugins to follow OAuth 2.1: removed "none" from advertised signing algorithms, defaulted plain PKCE off, and rejected incomplete PKCE parameters (#9575)
• Fixed an invitation takeover vulnerability by enabling requireEmailVerificationOnInvitation by default and extending the verification gate to getInvitation and listUserInvitations (#9577)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed a race condition in the OAuth authorization-code grant that allowed concurrent token-exchange requests to mint multiple token sets from the same authorization code
• Fixed a race condition in OAuth refresh-token rotation that allowed concurrent requests to fork refresh token families, and added a unique constraint on oauthRefreshToken.token
• Fixed OAuth account linking to require a verified local email before linking an OAuth identity to a local account (#9578)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Fixed an invalid import list in the instrumentation module (#9582)
• Widened advanced.ipAddress.ipv6Subnet to accept any valid IPv6 prefix length (0-128) instead of a narrow set of values (#9545)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

• Fixed session cleanup to run when admin, anonymous, or SCIM operations delete a user (#9162)
• Fixed generateSCIMToken to reject providerId values that collide with built-in account providers, preventing tokens from authenticating against unintended accounts (#9579)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SSO provider registration to require an org admin or owner role, preventing any organization member from registering providers (#9220)
• Fixed an SSRF vulnerability by validating user-supplied OIDC endpoint URLs against a public-routable host allowlist at provider registration and update (#9574)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.11

Patch Changes

• #9568 0cbddb8 Thanks @​gustavovalverde! - Add internalAdapter.consumeVerificationValue(identifier): atomically consume a verification row keyed by identifier. The first concurrent caller receives the row; later racers receive null. Backed by a new DBAdapter.consumeOne primitive implemented natively per adapter (memory, mongo, drizzle, kysely, prisma), with a transaction(findMany + delete) factory fallback. SecondaryStorage.getAndDelete is added as an optional companion; Redis ships it via an atomic Lua get-and-delete operation for compatibility with Redis versions before 6.2.

• #9162 a26333b Thanks @​ping-maxwell! - fix: cleanup sessions when admin, anonymous, or SCIM deletes a user

• #9573 99a254a Thanks @​gustavovalverde! - fix(device-authorization): require verify-time ownership claim for approve/deny

  Pending device codes were not bound to the user who entered the code on the verification page until approval, leaving a window where any authenticated user could approve or deny another user's pending code by knowing the user_code. GET /device now claims the pending row for the calling session, and POST /device/approve and POST /device/deny require the calling session to match the claimed owner. Custom verification pages must be served to an authenticated session for the flow to succeed.

• #8948 ee93485 Thanks @​ping-maxwell! - fix: add error code to change-email-disabled

• #9572 5f09d56 Thanks @​gustavovalverde! - Fix race condition in the magic-link plugin's verify handler that allowed two concurrent requests to mint two sessions from the same single-use token. The handler now consumes the verification row atomically via internalAdapter.consumeVerificationValue, so a given magic link mints at most one session regardless of concurrency. The allowedAttempts option is retained for backward compatibility but no longer multiplies successful redemptions; tokens are single-use. The second-redeem error code changes from ATTEMPTS_EXCEEDED to INVALID_TOKEN (the token no longer exists after consumption).

• b4bc65a Thanks @​gustavovalverde! - Fix race condition in the OAuth authorization-code grant: two concurrent token-exchange requests sharing the same code could both pass the find step before either delete completed and each mint an independent access/refresh/id token set. The authorization_code handler in @better-auth/oauth-provider, plus the legacy oidc-provider and mcp plugins in better-auth, now consume the verification row atomically via internalAdapter.consumeVerificationValue. The first caller mints tokens; concurrent racers receive invalid_grant (RFC 6749 §5.2). Malformed-verification-value branches in @better-auth/oauth-provider previously returned a project-specific invalid_verification code; those are now invalid_grant so spec-compliant clients can branch on the standard code.

• #9578 da7e50b Thanks @​gustavovalverde! - handleOAuthUserInfo (used by every social provider, generic-oauth, oauth-proxy, SSO OIDC and SAML, and idToken sign-in) implicitly linked a returning OAuth identity into a local user row whenever the IdP's email_verified claim was true or the provider was trusted. The local row's own emailVerified flag was read only to flip it after linking, never as a precondition. POST /sign-up/email creates rows with emailVerified: false for any caller, so an attacker who pre-registered a victim's email at the application could wait for the legitimate user's first OAuth sign-in: the IdP's verified claim was treated as ownership proof, and the victim's IdP identity was linked into the attacker-owned row.

  The implicit-link gate now requires dbUser.user.emailVerified === true in addition to the provider trust check by default. A new account.accountLinking.requireLocalEmailVerified option (default true) is the public surface for this gate. Apps whose users sign up via OAuth without verifying their email locally can opt back into the legacy behavior with account: { accountLinking: { requireLocalEmailVerified: false } }; understand the takeover risk before doing so. The option is @deprecated; a FIXME at each gate site points at the next-minor follow-up on next that drops the option and makes the gate unconditional.

  The one-tap plugin honored its own copy of the gate and was updated identically: requireLocalEmailVerified and accountLinking.disableImplicitLinking both apply on /one-tap/callback. The email_verified claim from the Google ID token is now normalized via toBoolean so a string "false" is treated as falsy.

  Test fixtures across admin, oidc-provider, mcp, generic-oauth, last-login-method, and oauth-provider suites now mark users emailVerified: true via a databaseHooks.user.create.before hook (or the disableTestUser opt-in on the oauth-provider RP) so the suites continue to exercise their role/flow logic rather than the new gate.

• #9507 a1c9f3c Thanks @​GautamBytes! - Preserve exact access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript.

• #9577 23094a6 Thanks @​gustavovalverde! - The organization plugin's invitation recipient endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations) treated invitation.email.toLowerCase() === session.user.email.toLowerCase() as proof that the calling user owned the invited address. A session-authenticated user whose email matched but was never verified passed the gate, so anyone who could pre-register an unverified account at a victim's email could accept invitations addressed to that email. The requireEmailVerificationOnInvitation opt-in option closed the gap only when explicitly enabled and did not protect getInvitation or listUserInvitations at all.

  The gate is now applied on all four recipient endpoints and the requireEmailVerificationOnInvitation option default flips from false to true so existing apps are secure by default. Apps that intentionally accept invitations from unverified accounts can keep the legacy permissive behavior with organization({ requireEmailVerificationOnInvitation: false }), but they should understand the takeover risk before doing so. Server-side calls to listUserInvitations with ctx.query.email and no session continue to bypass the gate (the caller is trusted).

  The option is @deprecated. The next-minor release on next removes it entirely and makes the gate unconditional.

• #9548 142b86c Thanks @​dipan-ck! - anonymous plugin now correctly calls onLinkAccount when email verification triggers auto sign-in

• #9576 1f2ff42 Thanks @​gustavovalverde! - fix(oidc-provider, mcp): authenticate confidential clients on refresh_token grant and harden secret comparison

  Refresh-token grants on the legacy oidc-provider and mcp plugins now require the registered client_secret from confidential clients, matching the authorization_code path. Public clients (where code_verifier substitutes for the secret on the auth-code grant) continue to skip secret validation. Secret comparisons across both plugins now use constant-time equality. The /mcp/token endpoint no longer emits a wildcard CORS Access-Control-Allow-Origin: * header.

  These plugins are deprecated in favor of @better-auth/oauth-provider, which is unaffected. New deployments should adopt the replacement; this patch keeps existing deployments protected while migrating.

• #9575 699b09a Thanks @​gustavovalverde! - fix(oidc-provider, mcp): drop "none" from advertised signing algorithms, default allowPlainCodeChallengeMethod to false, and reject missing PKCE method

  The legacy oidc-provider and mcp plugins now follow OAuth 2.1 (RFC 9700) on three protocol gates:

  • id_token_signing_alg_values_supported (oidc-provider, mcp) and resource_signing_alg_values_supported (mcp) no longer include "none". Relying parties that negotiate from this list will no longer be steered toward unsigned tokens.
  • allowPlainCodeChallengeMethod defaults to false. Callers who need plain PKCE must opt in explicitly.
  • Under the secure default the authorize endpoint no longer silently rewrites a missing code_challenge_method to "plain" before the allowlist check. A request that provides code_challenge without code_challenge_method is now rejected with invalid_request; the inverse case (code_challenge_method without code_challenge) is also rejected so no inconsistent PKCE state is persisted on the authorization code record.

  Non-breaking for callers who never relied on "none" advertisement or the plain default. Callers who explicitly set allowPlainCodeChallengeMethod: true keep plain on the allowlist and retain the legacy "missing method defaults to plain" behavior for backward compatibility, so existing integrations that opted into plain PKCE continue to work. The next-minor on next will drop both the plain allowlist entry and this fallback; until then, the option is the single explicit knob for legacy behavior. Migrate to @better-auth/oauth-provider for the canonical, spec-aligned implementation.

... (truncated)

Commits

• f41514e chore: release v1.6.11 (#9532)
• 699b09a fix(oidc-provider, mcp): drop "none" alg, default plain PKCE off, reject miss...
• b4bc65a Merge commit from fork
• a1c9f3c fix(access): preserve exact role statement types (#9507)
• da7e50b fix(oauth): block OAuth linking to unverified local accounts (#9578)
• 23094a6 fix(organization): default-on requireEmailVerificationOnInvitation & extend...
• 1f2ff42 fix(oidc-provider, mcp): authenticate confidential clients on refresh_token g...
• 5f09d56 fix(magic-link): consume verification token atomically on verify (#9572)
• 99a254a fix(device-authorization): bind approval to verifier session (#9573)
• 0cbddb8 refactor(db): rename claimOne adapter primitive to consumeOne (#9568)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for better-auth since your current version.

Updates date-fns from 4.1.0 to 4.2.1

Release notes

Sourced from date-fns's releases.

v4.2.1

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Changelog

Sourced from date-fns's changelog.

v4.2.1 - 2026-05-19

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0 - 2026-05-18

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Commits

• 87635a8 Fix missing type definitions, promote to v4.2.1 (closed #4190)
• 3d4ca4b Update browserslist
• 562c485 Promote to v4.2.0
• 3709c02 Make steps into the Temporal-first future
• 07592b9 Upgrade Node.js types, upgrade TypeScript
• 09ece22 Upgrade Vitest
• c37c22e Set up Oxfmt as the default formatter
• d40bb80 Upgrade mise setup
• dd66398 Fix tz tests workflow
• ef962f8 Adjust smoke tests
• Additional commits viewable in compare view

Updates next from 16.0.3 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates next-auth from 4.24.13 to 4.24.14

Release notes

Sourced from next-auth's releases.

next-auth@4.24.14

Bugfixes

• providers: add issuer to GitHub provider for RFC 9207 compliance (#13412)

GitHub now returns an iss parameter in OAuth callbacks. openid-client validates it unconditionally, which was breaking authentication for apps that didn't configure an issuer. This sets the default GitHub provider issuer to https://github.com/login/oauth.

Commits

• e9a892a chore(release): bump version [skip ci]
• 0497da4 fix(providers): add issuer to github (#13412)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by better-gustavo, a new releaser for next-auth since your current version.

Updates next-devtools-mcp from 0.3.3 to 0.3.10

Release notes

Sourced from next-devtools-mcp's releases.

v0.3.10

What's Changed

• docs: add Google Antigravity configuration instructions to README by @​0ldh in vercel/next-devtools-mcp#111
• Perf: Optimize doc lookup by @​gaojude in vercel/next-devtools-mcp#112

New Contributors

• @​0ldh made their first contribution in vercel/next-devtools-mcp#111

Full Changelog: vercel/next-devtools-mcp@v0.3.9...v0.3.10

v0.3.8

What's Changed

• fix: filter base64 image from screenshot result by @​Burry in vercel/next-devtools-mcp#105
• fix(init): avoid agent idle caused by strict reply prohibition (fix #109) by @​MapleCity1314 in vercel/next-devtools-mcp#110

New Contributors

• @​Burry made their first contribution in vercel/next-devtools-mcp#105
• @​MapleCity1314 made their first contribution in vercel/next-devtools-mcp#110

Full Changelog: vercel/next-devtools-mcp@v0.3.7...v0.3.8

v0.3.7

Fixes

• fix: upgrade @​modelcontextprotocol/sdk to 1.24.3 (CVE-2025-66414) by @​gaojude in vercel/next-devtools-mcp#107

Misc

• fix: upgrade Next.js to 16.0.7 (CVE-2025-55182) by @​ctate in vercel/next-devtools-mcp#106

• @​ctate made their first contribution in vercel/next-devtools-mcp#106

Full Changelog: vercel/next-devtools-mcp@v0.3.6...v0.3.7

v0.3.6

Improvements

• Fix screenshot action using wrong Playwright MCP tool name by @​gaojude in vercel/next-devtools-mcp#98
• Improve port discovery by @​gaojude in vercel/next-devtools-mcp#101

Misc

• ci: update server.json for mcp registry when bump version by @​huozhi in vercel/next-devtools-mcp#102
• Add troubleshooting section for common user issues by @​gaojude in vercel/next-devtools-mcp#97

Full Changelog: vercel/next-devtools-mcp@v0.3.5...v0.3.6

v0.3.5

What's Changed

• Simplify Next.js server discovery by combining server and tool listing by @​gaojude in vercel/next-devtools-mcp#96

Full Changelog: vercel/next-devtools-mcp@v0.3.4...v0.3.5

... (truncated)

Commits

• d1b3e56 chore: bump version to 0.3.10
• 7330deb simplify docs search (#112)
• 6751777 docs: add Google Antigravity configuration instructions to README (#111)
• 38bf006 chore: bump version to 0.3.9
• edd1acf improve use cache migration (#108)
• af3d601 chore: bump version to 0.3.8
• 19cd8c3 fix: update ai_response_instruction for initialization process (#110)
• 8b8a4e5 fix: filter base64 image from screenshot result (#105)
• 316fcec chore: bump version to 0.3.7
• e869d6e bump mcp sdk (#107)
• Additional commits viewable in compare view

Updates otpauth from 9.4.1 to 9.5.1

Release notes

Sourced from otpauth's releases.

v9.5.1

What's Changed

• Bump rollup from 4.57.1 to 4.59.0 by @​dependabot[bot] in hectorm/otpauth#674
• Bump minimatch by @​dependabot[bot] in hectorm/otpauth#673
• Bump the github-actions-all group with 3 updates by @​dependabot[bot] in hectorm/otpauth#675
• Bump the npm-development-minor-patch group across 1 directory with 7 updates by @​dependabot[bot] in hectorm/otpauth#677
• Bump the github-actions-all group with 3 updates by @​dependabot[bot] in hectorm/otpauth#679
• Bump @​rollup/plugin-terser from 0.4.4 to 1.0.0 by @​dependabot[bot] in hectorm/otpauth#680
• Bump eslint from 9.39.2 to 10.0.3 by @​dependabot[bot] in hectorm/otpauth#678
• Bump @​eslint/js from 9.39.2 to 10.0.1 by @​dependabot[bot] in hectorm/otpauth#670
• Bump the npm-development-minor-patch group across 1 directory with 8 updates by @​dependabot[bot] in hectorm/otpauth#686
• Bump the github-actions-all group with 5 updates by @​dependabot[bot] in hectorm/otpauth#685
• Bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in hectorm/otpauth#684
• Bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in hectorm/otpauth#682
• Bump the github-actions-all group with 4 updates by @​dependabot[bot] in hectorm/otpauth#692
• Bump @​noble/hashes from 2.0.1 to 2.2.0 in the npm-production-minor-patch group by @​dependabot[bot] in hectorm/otpauth#688
• Bump the npm-development-minor-patch group across 1 directory with 8 updates by @​dependabot[bot] in hectorm/otpauth#690

Full Changelog: hectorm/otpauth@v9.5.0...v9.5.1

v9.5.0

What's Changed

• Bump the npm-development-minor-patch group across 1 directory with 13 updates by @​dependabot[bot] in hectorm/otpauth#635
• Bump @​noble/hashes from 1.8.0 to 2.0.1 by @​dependabot[bot] in hectorm/otpauth#632
• Bump the github-actions-all group across 1 directory with 5 updates by @​dependabot[bot] in hectorm/otpauth#637
• Bump the npm-development-minor-patch group with 3 updates by @​dependabot[bot] in hectorm/otpauth#636
• Bump glob by @​dependabot[bot] in hectorm/otpauth#645
• Bump js-yaml from 4.1.0 to 4.1.1 by @​dependabot[bot] in

[github-actions]

👋 Thanks for opening your first pull request in StormCom!

A maintainer will review your PR soon. Please make sure:

• Your PR follows our
  Contributing Guidelines
• All CI checks pass
• You've added appropriate tests
• Documentation has been updated (if needed)

We appreciate your contribution to making StormCom better! 🚀