deps: periodic dependency update

[qw-in]

Remaining security alerts are not easily fixable (parent package has them pinned exactly)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
arcjet-docs	Ready	Preview, Comment	Jun 12, 2026 11:07pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​bun@​1.3.10 ⏵ 1.3.14
	astro-embed@​0.12.0 ⏵ 0.13.0	+3			-2
	posthog-js@​1.367.0 ⏵ 1.373.4	-26		-17	+1
	@​expressive-code/​plugin-line-numbers@​0.41.7 ⏵ 0.42.0				+4
	next@​15.5.15 ⏵ 16.2.9	+12	+70
	@​arcjet/​fastify@​1.3.1 ⏵ 1.5.0	+1		+1	-1
	@​expressive-code/​plugin-collapsible-sections@​0.41.7 ⏵ 0.42.0
	@​ai-sdk/​openai@​3.0.52 ⏵ 3.0.63	+1		+1
	@​remix-run/​node@​2.17.4 ⏵ 2.17.5				-1
	@​ai-sdk/​react@​3.0.160 ⏵ 3.0.184	+1		+1
	@​clerk/​nextjs@​6.39.2 ⏵ 6.39.3	+1	+16	+1
	@​astrojs/​check@​0.9.8 ⏵ 0.9.9
	starlight-links-validator@​0.23.0 ⏵ 0.24.0	+1		+1	-1
	@​types/​node@​24.12.0 ⏵ 24.12.4	+1		+1
	@​nanostores/​react@​1.0.0 ⏵ 1.1.0	+1		+21
	@​sveltejs/​kit@​2.57.1 ⏵ 2.65.0		+2	+1	+1
	twoslash@​0.3.6 ⏵ 0.3.8	+1		+1
	@​astrojs/​node@​10.0.4 ⏵ 10.1.1		+2	+1
	@​astrojs/​react@​5.0.3 ⏵ 5.0.5				-1
	@​astrojs/​vercel@​10.0.4 ⏵ 10.0.7	+1		+1
	react@​19.2.4 ⏵ 19.2.6
	turndown@​7.2.2 ⏵ 7.2.4
	nanostores@​1.1.1 ⏵ 1.3.0			+1
	@​astrojs/​starlight@​0.38.3 ⏵ 0.39.2	+1		+1
	@​nestjs/​config@​4.0.3 ⏵ 4.0.4				-2
	pagefind@​1.4.0 ⏵ 1.5.2			+1
	astro@​6.1.5 ⏵ 6.3.2		+3	+1
	vue@​3.5.30 ⏵ 3.5.34	+1		+1	+1
	vue-tsc@​3.2.5 ⏵ 3.2.9
	react-dom@​19.2.4 ⏵ 19.2.6
	zod@​4.3.6 ⏵ 4.4.3
	@​nestjs/​core@​11.1.18 ⏵ 11.1.20	+1			+2
	@​hono/​node-server@​1.19.13 ⏵ 1.19.14	+1
See 7 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: npm @nuxt/vite-builder under CC-BY-4.0 License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/dist/THIRD-PARTY-LICENSES.md) From: package-lock.json → npm/nuxt@4.4.8 → npm/@nuxt/vite-builder@4.4.8 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nuxt/vite-builder@4.4.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm astro is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/astro@6.3.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@6.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm posthog-js is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/posthog-js@1.373.4 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.373.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm seroval is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/nuxt@4.4.8 → npm/seroval@1.5.4 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/seroval@1.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[arcjet-review]

Arcjet Review — 🟡 Medium Risk

Decision: Reviewers Assigned

Rationale: Periodic dependency update bumping ~40 packages. The vast majority are patch/minor bumps to well-known packages (React, Astro, Nuxt, NestJS, Hono, AI SDK, etc.) and look low-risk. However there is one major version bump — Next.js 15.5.15 → 16.2.9 — that warrants human verification, and several pre-1.0 packages (@astrojs/starlight 0.38→0.39, astro-embed 0.12→0.13, starlight-links-validator 0.23→0.24, @expressive-code/* 0.41→0.42) where minor bumps can include breaking changes. The accompanying code changes in src/components/TOC.tsx and src/content.config.ts correctly accommodate a schema change (ajToc becoming optional) with a sensible ?? [] fallback. Pinned exact versions and no new dependencies introduced. No secrets, no security issues found. Escalating because of the Next.js major bump and the multiple 0.x package bumps; no specific reviewers are configured, so a maintainer should pick this up.

Summary of Changes

Periodic dependency update: ~40 packages bumped in root package.json plus three snippet package.jsons. Notable: Next.js 15→16 (major), Astro 6.1→6.3, @sveltejs/kit 2.57→2.65, ai 6.0.158→6.0.182, @astrojs/starlight 0.38→0.39, nuxt 4.4.2→4.4.8, arcjet snippets 1.3.1→1.5.0. Code adjustments in TOC.tsx and content.config.ts make the ajToc schema field optional (likely required by starlight 0.39 changes) and update the TypeScript types with NonNullable<...> plus a ?? [] fallback. No new dependencies added.

Escalation Triggers

• Dependency Changes: package.json files modified in root and three snippets directories; ~40 dependency version bumps including a Next.js major version bump (15 → 16).

Review Focus Areas

• Has the Next.js 15 → 16 upgrade been validated against the project's Next.js usage (snippets/examples, App Router behavior, peer-deps with React 19)?
  Major version bumps can include breaking changes to routing, caching defaults, middleware, and build output. Confirm the build still passes and any next-specific snippets render correctly.
• Did @astrojs/starlight 0.38.3 → 0.39.2 introduce the schema change that required making ajToc optional, and have you verified the docs build (astro check + build) passes end-to-end?
  Starlight is pre-1.0; 0.x → 0.x+1 jumps commonly include breaking changes. The TOC.tsx/content.config.ts edits in this PR suggest a known incompatibility, so it's worth confirming nothing else regressed.
• Were the AI SDK bumps (@ai-sdk/openai 3.0.52→3.0.63, @ai-sdk/react 3.0.160→3.0.184, ai 6.0.158→6.0.182) verified together — any peer-dep mismatches?
  The three @ai-sdk packages must stay version-compatible; mismatched versions can cause subtle runtime errors.
• When astroEntry.data.ajToc is undefined and [] is substituted, does the rest of the TOC render gracefully (no empty
  , no a11y issues, no broken sticky behavior)?
  The new fallback silently hides the TOC for entries without one — confirm that's the intended UX and that callers don't depend on TOC always being non-empty.
  • Do the snippet upgrades (@arcjet/* 1.3.1 → 1.5.0 and astro 6.1.5 → 6.3.2) still compile under astro check?
    Snippets are user-facing example code; if they break, doc readers will copy broken examples.

  Notes

  Diff is ~150 lines, well below the 1000-line threshold. All version bumps use exact (pinned) versions, no postinstall scripts introduced. No secrets, no auth/CI/infra/migration changes detected.

  Path filtering: 1 file excluded by ignore paths. 6 of 7 files included in review.

  _{Review: 5fed7432 | Model: anthropic/claude-opus-4-7 | Powered by Arcjet Review}