build(deps): bump the npm_and_yarn group across 1 directory with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
next	16.2.4	16.2.6
next-intl	4.9.1	4.9.2
@protobufjs/utf8	1.1.0	1.1.1
brace-expansion	5.0.5	5.0.6
fast-xml-builder	1.1.4	1.2.0
fast-xml-parser	5.5.9	5.8.0
postcss	8.4.31	8.5.14
protobufjs	8.0.1	8.4.0

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates next-intl from 4.9.1 to 4.9.2

Release notes

Sourced from next-intl's releases.

v4.9.2

4.9.2 (2026-04-27)

Bug Fixes

• Prototype safety guards for precompile: true (#2307) (c0bf0ee) – by @​amannn

Changelog

Sourced from next-intl's changelog.

4.9.2 (2026-04-27)

Bug Fixes

• Prototype safety guards for precompile: true (#2307) (c0bf0ee) – by @​amannn

Commits

• e1b1825 v4.9.2
• c0bf0ee fix: Prototype safety guards for precompile: true (#2307)
• See full diff in compare view

Updates @protobufjs/utf8 from 1.1.0 to 1.1.1

Release notes

Sourced from @​protobufjs/utf8's releases.

protobufjs-cli: v1.1.1

1.1.1 (2023-02-02)

Bug Fixes

• cli: fix relative path to Google pb files (#1859) (e42eea4)

Commits

• ab3862d chore: release protobufjs-v7.x (#2255)
• 0853a62 fix: Backport bundler-safe optional module lookups (#2254)
• d7035f9 chore: release protobufjs-v7.x (#2248)
• 54b593f fix: Backport parser hardening to 7.x (#2245)
• e88fcea chore: release protobufjs-v7.x (#2239)
• cc7d595 fix: Restore first-match namespace lookup (#2236)
• 3abc9b5 chore: release protobufjs-v7.x (#2190)
• a0bf2df fix: Update CLI peer dependency (7.x) (#2189)
• 2189e5b chore: release protobufjs-v7.x (#2174)
• 75392ea fix: Backport input hardening and CLI fixes to 7.x (#2173)
• Additional commits viewable in compare view

Updates brace-expansion from 5.0.5 to 5.0.6

Commits

• 46317b5 5.0.6
• c0b095b Merge commit from fork
• ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
• See full diff in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

• Fix for GHSA-v39h-62p7-jpjc

What's Changed

• Handle malformed fragment decoding as a parse error by @​mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

• Fix for GHSA-q3j6-qgpj-74h6

What's Changed

• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in fastify/fast-uri#148
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#149
• chore(.npmrc): ignore scripts by @​Fdawgs in fastify/fast-uri#150
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in fastify/fast-uri#151
• build(deps): bump actions/setup-node from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#152
• ci(ci): add concurrency config by @​Fdawgs in fastify/fast-uri#153
• build(deps): bump actions/setup-node from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#154
• build(deps): bump actions/checkout from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#156
• chore(license): standardise license notice by @​Fdawgs in fastify/fast-uri#159
• style: remove trailing whitespace by @​Fdawgs in fastify/fast-uri#161
• ci: remove unused github files by @​Tony133 in fastify/fast-uri#162
• chore: update readme by @​Tony133 in fastify/fast-uri#164
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#165
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#166
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/fast-uri#167
• ci: add lock-threads workflow by @​Fdawgs in fastify/fast-uri#169

New Contributors

• @​Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

• 919dd8e Bumped v3.1.2
• c65ba57 fixup: linting
• 6c86c17 Merge commit from fork
• a95158a Handle malformed fragment decoding without throwing (#171)
• cea547c Bumped v3.1.1
• 876ce79 Merge commit from fork
• dcdf690 ci: add lock-threads workflow (#169)
• c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
• 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
• 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
• Additional commits viewable in compare view

Updates fast-xml-builder from 1.1.4 to 1.2.0

Changelog

Sourced from fast-xml-builder's changelog.

1.2.0 (2026-05-08)

• Add support for sanitizeName option
• Support xml-naming for validating and sanitizing tag and attribute names

1.1.9 (2026-05-06)

• fix: format output for preserve order when indent by is set to empty string

1.1.8 (2026-05-05)

• fix: skip text property for PI tags
• improve typings

1.1.7 (2026--05-04)

• fix security issues when attribute value contains quotes

1.1.6 (2026--05-04)

• fix security issues related to comment
• skip comment with null value

1.1.5 (2026-04-17)

• fix security issues related to comment and cdata

1.1.4 (2026-03-16)

• support maxNestedTags option

1.1.3 (2026-03-13)

• declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

1.1.2 (2026-03-11)

• fix typings

1.1.1 (2026-03-11)

• upgrade path-expression-matcher to 1.1.3

1.1.0 (2026-03-10)

• Integrate path-expression-matcher

Commits

• a9a905b for release
• 42680e8 support name sanitization
• 8b00185 release info
• 8a08f17 allow indentation to be empty string
• 7fc5dec update docs
• c241b6a improve documentation
• 15d5668 update for release
• 9877485 fix: skip text property for PI tags
• 311a221 fix #5 typing import issues
• e8fc5b1 update for releast
• Additional commits viewable in compare view

Updates fast-xml-parser from 5.5.9 to 5.8.0

Release notes

Sourced from fast-xml-parser's releases.

update strnum, FXB. Use xml-naming for DOCTYPE

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname because of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is by deault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

fix minor old bugs and update builder

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to use entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

• No API change
• No change in performance for basic usage
• No typing change
• No config change
• new dependency
• breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

• increase default entity explansion limit as many projects demand for that

</tr></table> 

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.8.0 / 2026-05-12

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is bydeault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

... (truncated)

Commits

• 4bcee44 for release
• 8a287bf release info
• 50b01dc Use "@​byspec/xml" for testing
• 816b652 update typings to mark validator use deprecated
• 8ad0e65 update fast-xml-builder and strnum
• 58e967e integrate xml-naming
• 42fa3c3 separate XML validator, UPDATE DOCS
• d6d8042 update to release
• d263370 remove dev dependency 'he'
• f9c9a2c update builder to 1.1.7
• Additional commits viewable in compare view

Updates icu-minify from 4.9.1 to 4.12.0

Release notes

Sourced from icu-minify's releases.

v4.12.0

4.12.0 (2026-05-13)

Features

• Improvements for useExtracted (#2316) (bff2f96) – by @​amannn

⚠️ A small config change is required for useExtracted users to upgrade, please see amannn/next-intl#2316 for details.

v4.11.2

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

v4.11.1

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

v4.11.0

4.11.0 (2026-04-28)

Features

• Add displayName to useFormatter (#2285) (3666aa8) – by @​roderickhsiao

v4.10.1

This was reverted in https://github.com/amannn/next-intl/releases/tag/v4.11.2

---

4.10.1 (2026-04-28)

Bug Fixes

• Set redirect domain if x-forwarded-host header exists (#2281) (70d35db) – by @​FourwingsY

⚠️ If you're using a setup behind a reverse proxy and your proxy sets x-forwarded-port, make sure the value is correct (typically 443).

v4.10.0

4.10.0 (2026-04-28)

Features

• Add per-domain localePrefix override support (#2273) (3e9febf) – by @​frankmatheron

... (truncated)

Changelog

Sourced from icu-minify's changelog.

4.12.0 (2026-05-13)

Features

• Improvements for useExtracted (#2316) (bff2f96) – by @​amannn

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

4.11.0 (2026-04-28)

Features

• Add displayName to useFormatter (#2285) (3666aa8) – by @​roderickhsiao

4.10.1 (2026-04-28)

Bug Fixes

• Set redirect domain if x-forwarded-host header exists (#2281) (70d35db) – by @​FourwingsY

4.10.0 (2026-04-28)

Features

• Add per-domain localePrefix override support (#2273) (3e9febf) – by @​frankmatheron

4.9.2 (2026-04-27)

Bug Fixes

• Prototype safety guards for precompile: true (#2307) (c0bf0ee) – by @​amannn

Commits

• d7bf7af v4.12.0
• bff2f96 feat: Improvements for useExtracted (#2316)
• 940dfbf v4.11.2
• eb3a6a4 fix: Revert x-forwarded-host redirect domain change (#2322)
• a6a8f8f v4.11.1
• ff77a3d fix: Avoid watchers for detached telemetry process (#2319)
• 02989b6 test: Refactor extractor tests to e2e (#2312)
• e68a591 v4.11.0
• 3666aa8 feat: Add displayName to useFormatter (#2285)
• 11d9ce8 v4.10.1
• Additional commits viewable in compare view

Updates postcss from 8.4.31 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

... (truncated)

Commits

• 3ec1394 Release 8.5.14 version
• f2bb827 Update dependencies
• d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
• 68bd213 fix: always call raw to retrieve raw values
• af58cf1 Release 8.5.13 version
• f227dbd Temporary ignore pnpm 11 config
• d3abd40 Update dependencies
• dd06c3e Revert stringifier changes because of the conflict with postcss-scss
• ae889c8 Try to fix CI
• e0093e4 Move to pnpm 11
• Additional commits viewable in compare view

Updates protobufjs from 8.0.1 to 8.4.0

Release notes

Sourced from protobufjs's releases.

protobufjs: v8.4.0

8.4.0 (2026-05-18)

Features

• Support BigInt conversions (#2257) (36873e6)

protobufjs: v8.3.0

8.3.0 (2026-05-13)

Features

• Improve generated typings (#2244) (faa424e)

protobufjs: v8.2.1

8.2.1 (2026-05-13)

Bug Fixes

• Consolidate depth limit checks (#2246) (9050289)
• Preserve explicit enum zero if not the default (#2249) (9621b35)

Performance Improvements

• Slightly optimize generated code (#2242) (c41160c)

protobufjs: v8.2.0

8.2.0 (2026-05-09)

Features

• Add finishInto() for zero-copy serialization into existing buffers (#2196) (657d6f1)
• Add textformat extension (#2233) (4639e29)
• cli: Add optional protoc-gen-pbjs plugin (#2231) (c9b6a2d)
• cli: Align json-module with static-module output (#2227) (a015091)
• Roundtrip unknown fields (#2209) (76fa03c)

Bug Fixes

• Accept URL-safe base64 input (#2207) (57a3821)
• Also resolve common definitions by file name (#2218) (e533950)
• Apply oneof last-value wins during decode (#2193) (cf35cdc)
• Consistently handle scalar map keys (#2186) (29b1183)
• Consistently reject truncated strings (#2205) (689e911)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

8.4.0 (2026-05-18)

Features

• Support BigInt conversions (#2257) (36873e6)

8.3.0 (2026-05-13)

Features

• Improve generated typings (#2244) (faa424e)

8.2.1 (2026-05-13)

Bug Fixes

• Consolidate depth limit checks (#2246) (9050289)
• Preserve explicit enum zero if not the default (#2249) (9621b35)

Performance Improvements

• Slightly optimize generated code (#2242) (c41160c)

8.2.0 (2026-05-09)

Features

• Add finishInto() for zero-copy serialization into existing buffers (#2196) (657d6f1)
• Add textformat extension (#2233) (4639e29)
• cli: Add optional protoc-gen-pbjs plugin (#2231) (c9b6a2d)
• cli: Align json-module with static-module output (#2227) (a015091)
• Roundtrip unknown fields (#2209) (76fa03c)

Bug Fixes

• Accept URL-safe base64 input (#2207) (57a3821)
• Also resolve common definitions by file name (#2218) (e533950)
• Apply oneof last-value wins during decode (#2193) (cf35cdc)
• Consistently handle scalar map keys (#2186) (29b1183)
• Consistently reject truncated strings (#2205) (689e911)
• Correct parsedOptions TypeScript types (#2217) (dbe8d77)
• Decode bool values from full varints (#2192) (7b8d5c1)
• Decode fields by full wire tag (#2197) (f6264b1)
• Decode missing map message values as empty messages (#2206) (51c1a4f)

... (truncated)

Commits

• 7c6e6f4 chore: release master (#2259)
• 36873e6 feat: Support BigInt conversions (#2257)
• f4c4385 docs: Share JSDoc patch with API docs (#2252)
• a799376 chore: release master (#2251)
• faa424e feat: Improve generated typings (#2244)
• c1251d9 chore: release master (#2243)
• cb44b9b deps: Update CLI peer depdedency
• 9621b35 fix: Preserve explicit enum zero if not the default (#2249)
• bddae34 chore: Add FUNDING.yml
• 9050289 fix: Consolidate depth limit checks (#2246)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for protobufjs since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
admin	Ready	Preview, Comment	May 18, 2026 7:38pm