build(deps): Bump the minor-patch group across 1 directory with 25 updates

[dependabot]

Bumps the minor-patch group with 22 updates in the / directory:

Package	From	To
fast-xml-parser	5.5.8	5.8.0
lefthook	2.1.4	2.1.8
markdownlint-cli2	0.22.0	0.22.1
turbo	2.8.20	2.9.14
@azure/monitor-opentelemetry	1.16.0	1.18.0
@opentelemetry/api	1.9.0	1.9.1
mssql	12.2.1	12.5.4
@types/mssql	9.1.9	12.3.0
next	16.2.1	16.2.6
react	19.2.4	19.2.6
@types/react	19.2.14	19.2.15
react-dom	19.2.4	19.2.6
recharts	3.8.0	3.8.1
tailwind-merge	3.5.0	3.6.0
zod	4.3.6	4.4.3
@next/eslint-plugin-next	16.2.1	16.2.6
@playwright/test	1.58.2	1.60.0
@tailwindcss/postcss	4.2.2	4.3.0
@types/node	25.5.0	25.9.1
@vitest/coverage-v8	4.1.0	4.1.7
eslint	10.1.0	10.4.0
typescript-eslint	8.57.1	8.59.4

Updates fast-xml-parser from 5.5.8 to 5.8.0

Release notes

Sourced from fast-xml-parser's releases.

update strnum, FXB. Use xml-naming for DOCTYPE

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname because of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is by deault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

fix minor old bugs and update builder

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to use entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

• No API change
• No change in performance for basic usage
• No typing change
• No config change
• new dependency
• breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

• increase default entity explansion limit as many projects demand for that

</tr></table> 

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.8.0 / 2026-05-12

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is bydeault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

... (truncated)

Commits

• 4bcee44 for release
• 8a287bf release info
• 50b01dc Use "@​byspec/xml" for testing
• 816b652 update typings to mark validator use deprecated
• 8ad0e65 update fast-xml-builder and strnum
• 58e967e integrate xml-naming
• 42fa3c3 separate XML validator, UPDATE DOCS
• d6d8042 update to release
• d263370 remove dev dependency 'he'
• f9c9a2c update builder to 1.1.7
• Additional commits viewable in compare view

Updates lefthook from 2.1.4 to 2.1.8

Release notes

Sourced from lefthook's releases.

v2.1.8

Changelog

• 488a5f99a5a496e5837f757f8ce3e6c6d1415792 fix: do not warn if local hooks path is equal to default hooks path (#1421)

v2.1.7

Changelog

• f415a9d3fce1d4f6af62622cf96c72e04ecf7bd3 chore: go mod tidy
• cf4ab9ea4580f5aeb0d4b61d4dd169533e5bb0c9 fix: always restore unstaged changes (#1416)
• 4c0e000d6fe9f35f42efefb9263b0b4cb5dfbd49 fix: apply stage_fixed only if it is safe (#1418)
• 76aa843ef5ceb6970f61cd2ff28d16dd2ec82272 fix: linter, sacrifice optimization for readability
• 9d53c36ed9a26d3bf66e341a9650a0ecac9b6a37 fix: separate fallback push branch from pathspecs (#1396)
• 22c9f773cf93b59005bd244c5b00caab2947a755 fix: try to always restore unstaged changes (#1417)
• 37d83986d8e6d6bf6792f57e22e7cbb1a9e28064 fix: use contrast colors (#1420)
• eb1064d0b8c6248627960bea1abf6891db5a21b1 refactor: add new logger without a global state (#1385)

v2.1.6

Changelog

• bf73ea2f1ea5468c9af7a6f06b5ef8cd43e66040 fix(packaging): do not pipe stdout and stderr (#1382)
• 04da00697cd8a6241023c1962feb720eeaa62698 fix(windows): normalize lefthook path for sh script (#1383)
• de9597a1bf456d2cf0fbcb8816858b6e5cf6b609 fix: log full scoped name for skipped jobs (#1291)
• eb3e70dbbd2442200ec8ff2140a3ee9daa7d9e70 fix: normalize root to always include trailing slash before path replacement (#1381)
• f90f3f570ef9227ddf345a79cec687dac41a5d31 fix: skip pty allocation when stdout is not a terminal (#1393)

v2.1.5

Changelog

• afac466157f88b5a5f9d03eb28acc90b095a4b5d chore(golangci-lint): upgrade to 2.11.4 (#1362)
• f8e73b947e2eefd6950d6a19c20bbde19070809d chore: fix golangci-lint version lookup
• 4564da343b1497f73f8a82f6104e1b5903f8a081 chore: move golangci-lint version to .tool-versions (#1349)
• 236a5bd07c650aaa882963d68ab5e5e654a47681 chore: small cleanup (#1370)
• 5ddf2206dd23e826c5434392e034fa7db523cd3d deps: April 2026 (#1375)
• e26c719f5a85e8ff35871e9724649714d6f05c13 fix: git repository merge issue (#1372)
• 3503a3b102c2b41c298e1e7dc6549181508518a6 fix: prevent lefthook run from overwriting global hooks (#1371)
• f3fc175f6c638fd54ab49b8d7c060898f936c934 fix: use pre-push stdin for push file detection (#1368)

Changelog

Sourced from lefthook's changelog.

2.1.8 (2026-05-19)

• fix: do not warn if local hooks path is equal to default hooks path (#1421) by @​mrexox

2.1.7 (2026-05-19)

• fix: use contrast colors (#1420) by @​mrexox
• fix: apply stage_fixed only if it is safe (#1418) by @​mrexox
• fix: try to always restore unstaged changes (#1417) by @​mrexox
• fix: always restore unstaged changes (#1416) by @​mrexox
• refactor: add new logger without a global state (#1385) by @​mrexox
• fix: linter, sacrifice optimization for readability by @​mrexox
• fix: separate fallback push branch from pathspecs (#1396) by @​lawrence3699

2.1.6 (2026-04-16)

• fix: normalize lefthook path for sh script (#1383) by @​AndrewKahr
• fix: normalize root to always include trailing slash before path replacement (#1381) by @​Copilot
• fix: skip pty allocation when stdout is not a terminal (#1393) by @​technicalpickles
• docs: upgrade docmd (#1391) by @​mrexox
• fix: log full scoped name for skipped jobs (#1291) by @​scop
• fix: do not pipe stdout and stderr (#1382) by @​mrexox

2.1.5 (2026-04-06)

• deps: April 2026 (#1375) by @​mrexox
• docs: update documentation and docs for claude (#1373) by @​mrexox
• fix: git repository merge issue (#1372) by @​mrexox
• fix: use pre-push stdin for push file detection (#1368) by @​supitsdu
• chore: small cleanup (#1370) by @​mrexox
• fix: prevent lefthook run from overwriting global hooks (#1371) by @​ivy
• chore: upgrade to 2.11.4 (#1362) by @​scop
• chore: fix golangci-lint version lookup by @​mrexox
• chore: move golangci-lint version to .tool-versions (#1349) by @​scop

Commits

• 9e75b21 2.1.8: reduce warning for core.hooksPath if it matches the default
• 488a5f9 fix: do not warn if local hooks path is equal to default hooks path (#1421)
• b5c8310 2.1.7: restore unstaged changes when possible
• 37d8398 fix: use contrast colors (#1420)
• 4c0e000 fix: apply stage_fixed only if it is safe (#1418)
• 22c9f77 fix: try to always restore unstaged changes (#1417)
• cf4ab9e fix: always restore unstaged changes (#1416)
• f415a9d chore: go mod tidy
• eb1064d refactor: add new logger without a global state (#1385)
• 76aa843 fix: linter, sacrifice optimization for readability
• Additional commits viewable in compare view

Updates markdownlint-cli2 from 0.22.0 to 0.22.1

Changelog

Sourced from markdownlint-cli2's changelog.

0.22.1

• Update dependencies

Commits

• 996abf6 Update to version 0.22.1.
• 70b6875 Improve definition of OutputFormatterConfiguration type, minor other type twe...
• 2cf5440 Add additional test case for previous commit fixing dotfile behavior.
• 21c53ed Bump eslint from 10.2.0 to 10.2.1
• b738aa0 Update removeIgnoredFiles use of micromatch to include dotfiles for consisten...
• 24c04f4 Bump junit-report-builder from 5.1.1 to 5.1.2 in /formatter-junit
• 650f208 Bump pnpm/action-setup from 5 to 6
• 726eaab Bump eslint from 10.1.0 to 10.2.0
• 1aa7579 Update indirect playwright dependencies to 1.59.1.
• fee080d Bump @​playwright/test from 1.58.2 to 1.59.1
• Additional commits viewable in compare view

Updates turbo from 2.8.20 to 2.9.14

Release notes

Sourced from turbo's releases.

Turborepo v2.9.14

[!NOTE] This release contains important security fixes.

High:

• GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

• GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation
• GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

• release(turborepo): 2.9.12 by @​github-actions[bot] in vercel/turborepo#12774
• fix: Restore docs mobile menu by @​anthonyshew in vercel/turborepo#12782
• ci: Use pull_request for PR title linting by @​anthonyshew in vercel/turborepo#12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in vercel/turborepo#12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in vercel/turborepo#12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in vercel/turborepo#12799
• fix: Validate auth callback state by @​anthonyshew in vercel/turborepo#12802
• fix: Harden VS Code extension command execution by @​anthonyshew in vercel/turborepo#12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in vercel/turborepo#12801
• chore: Release 2.9.13 by @​anthonyshew in vercel/turborepo#12803

New Contributors

• @​dancrumb made their first contribution in vercel/turborepo#12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

Turborepo v2.9.13-canary.1

What's Changed

Changelog

• release(turborepo): 2.9.11-canary.7 by @​github-actions[bot] in vercel/turborepo#12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @​anthonyshew in vercel/turborepo#12770
• release(turborepo): 2.9.11 by @​github-actions[bot] in vercel/turborepo#12771
• fix: Allow transit nodes in LSP diagnostics by @​anthonyshew in vercel/turborepo#12773
• release(turborepo): 2.9.12 by @​github-actions[bot] in vercel/turborepo#12774
• fix: Restore docs mobile menu by @​anthonyshew in vercel/turborepo#12782
• ci: Use pull_request for PR title linting by @​anthonyshew in vercel/turborepo#12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in vercel/turborepo#12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in vercel/turborepo#12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in vercel/turborepo#12799
• fix: Validate auth callback state by @​anthonyshew in vercel/turborepo#12802
• fix: Harden VS Code extension command execution by @​anthonyshew in vercel/turborepo#12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in vercel/turborepo#12801

... (truncated)

Commits

• fc62fe0 publish 2.9.14 to registry
• fb8c9ae chore: Release 2.9.13 (#12803)
• e8e629d fix: Avoid project-local Yarn during detection (#12801)
• 91c90cb fix: Harden VS Code extension command execution (#12800)
• 84f4508 fix: Validate auth callback state (#12802)
• 1779ad7 Removed unneeded import form hash creation script in docs (#12799)
• 71f8c90 test: Validate lockfiles without dependency downloads (#12789)
• 5fcb960 ci: Scope GitHub Actions caches by branch (#12788)
• 4cf9fab ci: Use pull_request for PR title linting (#12787)
• 859c629 fix: Restore docs mobile menu (#12782)
• Additional commits viewable in compare view

Updates @azure/monitor-opentelemetry from 1.16.0 to 1.18.0

Changelog

Sourced from @​azure/monitor-opentelemetry's changelog.

1.18.0 (2026-05-12)

Other Changes

• Updated OpenTelemetry dependencies to the 0.217.0 / 2.7.1 release line, including @opentelemetry/sdk-node, @opentelemetry/instrumentation, @opentelemetry/instrumentation-http, @opentelemetry/api-logs, @opentelemetry/sdk-logs, the stable @opentelemetry/core / @opentelemetry/resources / @opentelemetry/sdk-metrics / @opentelemetry/sdk-trace-base / @opentelemetry/sdk-trace-node packages, @opentelemetry/semantic-conventions, and the contrib instrumentations (bunyan, mongodb, mysql, pg, redis, winston, resource-detector-azure, winston-transport).
• Updated to using exporter version 1.0.0-beta.41.

1.17.0 (2026-05-07)

Features Added

• Added GenAI main agent attribution: AzureMonitorSpanProcessor and AzureLogRecordProcessor now propagate microsoft.gen_ai.main_agent.* attributes (with fallback to gen_ai.agent.* / gen_ai.conversation.id) from parent spans to child spans, derive them on invoke_agent spans, and copy them from the active span onto emitted log records.
• Added support for the AKS resource detector from @opentelemetry/resource-detector-azure.
• Added AKS_RESOURCE_DETECTOR_POPULATION statsbeat feature signal to track when the AKS resource detector successfully populates resource attributes.

Bugs Fixed

• Fixed Available Memory performance counter on Linux to report MemAvailable from /proc/meminfo instead of MemFree (via os.freemem()). MemAvailable accounts for reclaimable memory (page cache, buffers), providing a more accurate measure of memory available to processes.
• Fixed standard metrics and performance counters recording 0ms duration for all sub-second requests. span.duration is an HrTime tuple [seconds, nanoseconds] but was incorrectly read as span.duration[0] (seconds only). Converted to milliseconds using hrTimeToMilliseconds() from @opentelemetry/core.

Other Changes

• Restructured samples-dev to use the standard Azure SDK dev-tool format with @summary tags.
• Updated to using exporter version 1.0.0-beta.40.

Commits

• 7f316ee [monitor-opentelemetry] Release 1.18.0 distro and 1.0.0-beta.41 exporter (Ope...
• 1cc3584 [Monitor OpenTelemetry] Remove azure functions instrumentation (#38461)
• 19734e9 [monitor] Update @​azure/opentelemetry-instrumentation-azure-sdk dependencies ...
• ac224e2 [Monitor OpenTelemetry][Monitor OpenTelemetry Exporter] Release Distro 1.17.0...
• 9be3be3 feat(monitor-opentelemetry): implement GenAI main agent attribution (#38445)
• 3de1abe Add imports field to all warp-built packages (#38391)
• e8f0055 chore: Update registry for all package.json and adjust check rules (#38281)
• 7b834ea Add missing polyfillSuffix entries to warp.config.yml for .cts polyfill packa...
• 65c0ccc feat(warp): explicit CJS via moduleType, esbuild ESM→CJS transform (#37893)
• 0f1cd87 [Monitor OpenTelemetry] Linux Perf Counter Update (#37835)
• Additional commits viewable in compare view

Updates @opentelemetry/api from 1.9.0 to 1.9.1

Release notes

Sourced from @​opentelemetry/api's releases.

api/v1.9.1

1.9.1

🐛 (Bug Fix)

• fix(api): prioritize esnext export condition as it is more specific #5458
• fix(api): update diag consoleLogger to use original console methods to prevent infinite loop when a console instrumentation is present #6395
• fix(api): use Attributes instead of deprecated SpanAttributes in SpanOptions #6478 @​overbalance
• fix(diag): change types in DiagComponentLogger from any to unknown#5478 @​loganrosen
• fix(api): re-introduce fallback chain for global utils #6523 @​pichlermarc

🏠 (Internal)

• refactor(api): refactor to avoid circular deps by merging observable types into Metric.ts #6441 @​pichlermarc
• refactor(api): remove "export *" in favor of explicit named exports #4880 @​robbkidd
• chore: enable tsconfig isolatedModules #5697 @​legendecas
• chore: disallow constructor parameter property syntax #6187 @​legendecas
• refactor(api): remove platform-specific globalThis, use globalThis directly #6208 @​overbalance
• chore(api): mark ProxyTracerProvider as deprecated #6328 @​cjihrig
• chore: enforce import type for type-only imports via ESLint #6467 @​overbalance
• perf(api): improve isValidSpanId, isValidTraceId performance #5714 @​seemk

Changelog

Sourced from @​opentelemetry/api's changelog.

1.9.1

🐛 (Bug Fix)

• fix: avoid grpc types dependency #3551 @​flarna
• fix(otlp-proto-exporter-base): Match Accept header with Content-Type in the proto exporter #3562 @​scheler
• fix: include tracestate in export #3569 @​flarna

🏠 (Internal)

• chore: fix cross project links and missing implicitly exported types #3533 @​legendecas
• feat(sdk-metrics): add exponential histogram mapping functions #3504 @​mwear

Commits

• 279458e Release 1.9.1 / 0.35.1 (#3573)
• 4978743 fix(http): remove outgoing headers normalization (#3557)
• d1f9594 chore(deps): update dependency rimraf to v4 (#3532)
• e0abcc0 fix: remove JSON syntax error and regenerate tsconfig files (#3566)
• a90c558 fix(sdk-node): register instrumentations early (#3502)
• 5b070b8 fix: include TraceState in trace exports (#3569)
• dcb09b7 chore(deps): update dependency gh-pages to v5 (#3571)
• 3bc93a9 feat: exponential histogram - part 1 - mapping functions (#3504)
• 3670071 fix: avoid grpc types dependency (#3551)
• b5ef0e4 chore: fix proto generation (#3567)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/api since your current version.

Updates mssql from 12.2.1 to 12.5.4

Release notes

Sourced from mssql's releases.

v12.5.4

12.5.4 (2026-05-15)

Bug Fixes

• preserve originalError on EABORT TransactionError (b9e9826), closes #1716

v12.5.3

12.5.3 (2026-05-14)

Bug Fixes

• parse boolean connection string options correctly (46db5bc), closes #1860

v12.5.2

12.5.2 (2026-05-05)

Bug Fixes

• prevent TypeError in PreparedStatement.execute() when streaming without callback (7934ff1), closes #1848

v12.5.1

12.5.1 (2026-05-04)

Bug Fixes

• pass dataLength to getMssqlType in valueCorrection (d8026d3), closes #1853

v12.5.0

12.5.0 (2026-04-23)

Features

• add ability to set per-request requestTimeout (075c6cb), closes #1529

v12.4.0

12.4.0 (2026-04-22)

Features

• add connection create/destroy and abort diagnostics events (bb553ea)
• add core diagnostics_channel infrastructure (2ea53ae)
• bump minimum Node.js version to >=18.19.0 (e4d4f53)
• export CHANNELS constant from public API (8719212)
• extend TracingChannel coverage to the callback API (a3083c9), closes TracingChannel#traceCallback
• instrument base classes with diagnostics_channel (d921d60)
• nest prepared-statement tracing channels under the ps namespace (d11447f)

Bug Fixes

... (truncated)

Commits

• 61608d0 Merge pull request #1850 from dhensby/fix/tx-original-error
• b9e9826 fix: preserve originalError on EABORT TransactionError
• 296c38d Merge pull request #1861 from dhensby/fix/useutc-connection-string-parsing
• 46db5bc fix: parse boolean connection string options correctly
• 204a9b3 Merge pull request #1857 from tediousjs/dependabot/npm_and_yarn/fast-uri-3.1.2
• 6b8c3f3 chore(deps-dev): bump fast-uri from 3.1.1 to 3.1.2
• dd22da2 Merge pull request #1849 from dhensby/fix/ps-execute-stream
• 0e9c326 Merge pull request #1856 from tediousjs/dependabot/npm_and_yarn/release-tools...
• 96b6495 chore(deps-dev): bump the release-tools group with 2 updates
• 062f1fd Merge pull request #1854 from tediousjs/dependabot/npm_and_yarn/multi-8a066debe3
• Additional commits viewable in compare view

Updates @types/mssql from 9.1.9 to 12.3.0

Commits

• See full diff in compare view

Updates next from 16.2.1 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates react from 19.2.4 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Updates @types/react from 19.2.14 to 19.2.15

Commits

• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)Description has been truncated