Update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@opennextjs/cloudflare (source)	^1.19.5 → ^1.19.9
@tailwindcss/postcss (source)	^4.2.4 → ^4.3.0
@types/node (source)	^25.6.0 → ^25.7.0
eslint (source)	^9 → ^9.39.4
eslint-config-next (source)	16.2.4 → 16.2.6
next (source)	16.2.4 → 16.2.6
pnpm (source)	10.29.2 → 10.33.4
postcss (source)	^8.5.13 → ^8.5.14
react (source)	^19.2.5 → ^19.2.6
react-dom (source)	^19.2.5 → ^19.2.6
shadcn (source)	^4.6.0 → ^4.7.0
tailwind-merge	^3.5.0 → ^3.6.0
tailwindcss (source)	^4.2.4 → ^4.3.0
wrangler (source)	^4.87.0 → ^4.90.0

---

Release Notes

opennextjs/opennextjs-cloudflare (@​opennextjs/cloudflare)

v1.19.9

Compare Source

Patch Changes

• #​1259 3b35c6e Thanks @​vicb! - chore: bump Next.js to 15.5.18 / 16.2.6 and @​opennextjs/aws to 4.0.2

v1.19.8

Compare Source

Patch Changes

• #​1256 9696cd0 Thanks @​vicb! - bump @opennextjs/aws to 4.0.1

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v4.0.1

v1.19.7

Compare Source

Patch Changes

• #​1252 29fe15d Thanks @​vicb! - bump the number of retries for r2 cache uploads

  Increase the retry count from 5 to 15 with a capped exponential backoff to improve resilience against transient R2 write failures during cache population.

• #​1255 364b7d9 Thanks @​vicb! - Bump react and next

v1.19.6

Compare Source

Patch Changes

• #​1246 5d2014f Thanks @​vicb! - fix: do not log expected expected D1 errors

  The populateCache command adds columns to the D1 tag cache for SWR support.
  This is required for older deployments made before those column were added.
  SQLite errors when the columns exist and we should not log those errors.

• #​1244 01babce Thanks @​tahmid-23! - fix: drop streaming wasm calls in Turbopack runtime

  Turbopack replaces wasm imports using WebAssembly.compileStreaming and
  WebAssembly.instantiateStreaming. These functions are not available in
  the workerd runtime.

  We add a helper loadWasmChunkFn. This is a generated switch statement
  that contains an import for each wasm chunk. We use static strings for
  all imports to ensure that all necessary wasm chunks will be detected
  and bundled for the final build.

  The Turbopack patcher replaces the invocations in loadWebAssembly and
  loadWebAssemblyModule, using the synchronous WebAssembly.instantiate
  and redirecting to loadWasmChunkFn.

• #​1243 1c815de Thanks @​tahmid-23! - fix: detect object-valued conditions

  The pre-existing build condition transform logic had subtle errors:

  • failed to recognize object conditions
    (e.g. "workerd": { "import": ..., "require": ... })
  • sibling pruning only applied to strings, not objects

  Now, we fully support object conditions. Furthermore, we prune siblings,
  unless its subtree also contains the build condition.

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.3.0

Compare Source

Added

• Add @container-size utility (#​18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#​19981, #​20019)
• Add scrollbar-gutter-* utilities (#​20018)
• Add zoom-* utilities (#​20020)
• Add tab-* utilities (#​20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#​19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#​19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#​19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#​19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#​19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#​19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#​19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#​19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#​19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#​19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#​19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#​19918)
• Allow multiple @utility definitions with the same name but different value types (#​19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#​19707)
• Ensure start and end legacy utilities without values do not generate CSS (#​20003)
• Ensure --value(…) is required in functional @utility definitions (#​20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#​20011)

vercel/next.js (eslint-config-next)

v16.2.6

Compare Source

v16.2.5

Compare Source

vercel/next.js (next)

v16.2.6

Compare Source

v16.2.5

Compare Source

pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

v10.33.0

Compare Source

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

• Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Gold Sponsors

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

• Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

• Reverted change related to setting explicitly the npm config file path, which caused regressions.
• Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Gold Sponsors

v10.31.0

Compare Source

v10.30.3

Compare Source

v10.30.2

Compare Source

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

• Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Gold Sponsors

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

• pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

• Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
• Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Gold Sponsors

v10.29.3

Compare Source

postcss/postcss (postcss)

v8.5.14

Compare Source

• Fixed custom syntax regression (by @​43081j).

facebook/react (react)

v19.2.6: 19.2.6 (May 6th, 2026)

Compare Source

React Server Components

• Type hardening and performance improvements
  (by @​eps1lon and @​unstubbable)

shadcn-ui/ui (shadcn)

v4.7.0

Compare Source

Minor Changes

• #​10519 eb42ae25fda81e90e621f1e334e5126b1f22371d Thanks @​shadcn! - add support for package imports

• #​10528 309d95017fce3936548c15d2ef827c84560cc45a Thanks @​shadcn! - allow alias placeholders in target for registry items

Patch Changes

• #​10559 28b3e5f36086677b0533583817407d8f936a567b Thanks @​shadcn! - add previous version error suggestion

dcastil/tailwind-merge (tailwind-merge)

v3.6.0

Compare Source

cloudflare/workers-sdk (wrangler)

v4.90.0

Compare Source

Minor Changes

• #​12279 248bc08 Thanks @​penalosa! - Add deprecation warning for delivery_delay in queue producer bindings

  The delivery_delay setting in [[queues.producers]] was silently having no effect since 2024. This change adds a deprecation warning when the setting is used, informing users that queue-level settings should be configured using wrangler queues update instead. The setting will be removed in a future version.

Patch Changes

• #​13853 8852b0c Thanks @​gpanders! - Fix Containers SSH config

• #​13858 e414e56 Thanks @​penalosa! - Fix wrangler whoami and account selection failing for Account API Tokens

  The /memberships fallback for Account API Tokens was checking for code 9109, but /memberships actually returns 9106 for that case. Correct the code so the fallback to /accounts triggers as intended.

• Updated dependencies []:

  • miniflare@​4.20260507.1

v4.89.1

Compare Source

Patch Changes

• #​13824 dd3baf3 Thanks @​emily-shen! - Fix container deployment being skipped for Workers for Platforms user workers

  Previously, deploying a worker with --dispatch-namespace would early-exit before calling deployContainers(), meaning container-app registration that links the image to the Durable Object namespace was never executed for WfP user workers. Container deployment now runs before the WfP early exit.

• Updated dependencies [5cf6f81]:

  • miniflare@​4.20260507.1

v4.89.0

Compare Source

Minor Changes

• #​13055 f3fed88 Thanks @​GregBrimble! - Introducing the cache configuration option for Workers.

  You can now set { cache: { enabled: true } } in your Wrangler configuration file to enable a HTTP cache in front of your Worker's fetch handler. This is also supported in [previews] configuration — previews.cache overrides the top-level cache setting for preview deployments, and falls back to the top-level value when absent. More information can be found in our documentation.

• #​13776 1a54ac5 Thanks @​petebacondarwin! - wrangler dev and other Miniflare-backed commands now run the local workerd runtime with TZ=UTC to match production

  Previously, wrangler dev (and other commands that spin up Miniflare, such as wrangler kv, wrangler d1, wrangler r2, wrangler check) inherited the host machine's timezone, so Date and Intl APIs inside a Worker observed the developer's local timezone during local development but UTC in production. This caused subtle, hard-to-debug differences between local and deployed behaviour.

  Local development now matches production. Code that previously relied on the host timezone during wrangler dev will need to either accept UTC (the production behaviour) or explicitly construct dates/formatters with the desired timezone.

Patch Changes

• #​13829 2284f20 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260504.1	1.20260506.1

• #​13841 332f527 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260506.1	1.20260507.1

• #​13777 18e833d Thanks @​matingathani! - fix: throw a clear error when _routes.json contains invalid JSON instead of silently skipping it

• #​13751 b6cea17 Thanks @​matingathani! - fix: ensure `wrangler types --check --env-fi

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Only on Monday (* * * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.