Skip to content

chore(deps)(deps): bump the minor-and-patch group across 1 directory with 35 updates#81

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/minor-and-patch-ccf9dcfda9
Open

chore(deps)(deps): bump the minor-and-patch group across 1 directory with 35 updates#81
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/minor-and-patch-ccf9dcfda9

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps the minor-and-patch group with 35 updates in the / directory:

Package From To
@vitest/coverage-v8 4.1.9 4.1.10
turbo 2.9.18 2.10.4
vitest 4.1.9 4.1.10
@hono/node-server 2.0.5 2.0.8
@langchain/core 1.2.0 1.2.2
@langchain/openai 1.5.1 1.5.5
better-auth 1.6.20 1.6.23
deepagents 1.10.5 1.10.7
hono 4.12.26 4.12.30
mongodb 7.3.0 7.5.0
mongoose 9.7.1 9.7.4
tsx 4.22.4 4.23.1
@astrojs/starlight 0.40.0 0.41.3
sharp 0.35.2 0.35.3
starlight-image-zoom 0.14.2 0.15.0
@playwright/test 1.61.0 1.61.1
@tanstack/react-query 5.101.0 5.101.2
@tanstack/react-router 1.170.16 1.170.17
@xyflow/react 12.11.0 12.11.2
lucide-react 1.21.0 1.24.0
recharts 3.8.1 3.9.2
@tailwindcss/postcss 4.3.1 4.3.2
@tanstack/router-plugin 1.168.18 1.168.19
@vitejs/plugin-react 6.0.2 6.0.3
postcss 8.5.15 8.5.18
tailwindcss 4.3.1 4.3.2
vite 8.0.16 8.1.4
bullmq 5.79.1 5.80.2
@langchain/anthropic 1.5.0 1.5.1
isomorphic-git 1.38.5 1.38.7
langchain 1.5.0 1.5.3
@radix-ui/react-label 2.1.10 2.1.11
@radix-ui/react-separator 1.1.10 1.1.11
@radix-ui/react-tooltip 1.2.10 1.2.12
radix-ui 1.6.0 1.6.2

Updates @vitest/coverage-v8 from 4.1.9 to 4.1.10

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.10

   🐞 Bug Fixes

    View changes on GitHub
Commits

Updates turbo from 2.9.18 to 2.10.4

Release notes

Sourced from turbo's releases.

Turborepo v2.10.4

What's Changed

Changelog

... (truncated)

Commits
  • 1506a11 publish 2.10.4 to registry
  • 11a68c7 fix: Stop flagging relative imports that resolve into node_modules in boundar...
  • 947b478 fix: Raise the open-file soft limit at startup (#13282)
  • ddc584d feat: Make turbo prune Cargo-aware (#13281)
  • ff0d508 perf: Skip dependency-closure assembly for toolchains that derive nothing (#1...
  • 39d623e feat: Make turbo watch Cargo-aware (#13280)
  • af01fdf fix: Collapse nested package-manager fallback conditional (#13279)
  • 7e02f94 release(turborepo): 2.10.4-canary.2 (#13278)
  • 8e3a59f release(library): 0.0.1-canary.23 (#13276)
  • ce18f0a test: Add end-to-end coverage for Cargo workspaces (#13274)
  • Additional commits viewable in compare view

Updates vitest from 4.1.9 to 4.1.10

Release notes

Sourced from vitest's releases.

v4.1.10

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • db616d2 chore: release v4.1.10 (#10718)
  • bae52b5 fix(vm): fix external module resolve error with deps optimizer query for enco...
  • See full diff in compare view

Updates @hono/node-server from 2.0.5 to 2.0.8

Release notes

Sourced from @​hono/node-server's releases.

v2.0.8

What's Changed

Full Changelog: honojs/node-server@v2.0.7...v2.0.8

v2.0.7

What's Changed

Full Changelog: honojs/node-server@v2.0.6...v2.0.7

v2.0.6

What's Changed

Full Changelog: honojs/node-server@v2.0.5...v2.0.6

Commits
  • 114c15e 2.0.8
  • 5db2d5d ci(release): add --no-git-checks option for pnpm stage publish (#369)
  • a528a77 2.0.7
  • b2d610c chore: bump supertest (#368)
  • 1b0040a fix(serve-static): serve precompressed files for application/octet-stream (#366)
  • ad5b13a chore: migrate to pnpm (#367)
  • ff75c61 2.0.6
  • 814720f fix: preserve status and statusText when cloning a Response with live headers...
  • a76209a ci: use npm Staged publishing (#364)
  • 44c365a ci: publish to npm from CI with OIDC trusted publishing and bump np (#361)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​hono/node-server since your current version.


Updates @langchain/core from 1.2.0 to 1.2.2

Release notes

Sourced from @​langchain/core's releases.

@​langchain/core@​1.2.2

Patch Changes

  • #11171 82bef01 Thanks @​christian-bromann! - fix(core): coerce string v1 AIMessage content to text blocks

    Prevent contentBlocks.push is not a function when constructing an AIMessage with response_metadata.output_version === "v1" and string content (common in serialized LangGraph stream payloads).

@​langchain/core@​1.2.1

Patch Changes

  • #10674 f017708 Thanks @​christian-bromann! - fix: classify provider 429s before retrying

  • #11092 7918bbd Thanks @​aolsenjazz! - fix(core): only treat arrays of content blocks as ToolMessage content

    Fix tool outputs that are arrays of plain objects being forwarded as malformed message content. An array is now only treated as message content blocks when every element is an object with a type; otherwise it is JSON-stringified.

Commits
  • cc39f56 chore: version packages (#11172)
  • 82bef01 fix(core): coerce string v1 AIMessage content to text blocks (#11171)
  • 8a7c5f8 chore: version packages (#11170)
  • 988ca7d fix(openai): emit output_text for assistant content in responses input (#11...
  • e233f41 chore: version packages (#11168)
  • 4c7a06e fix(langchain): malformed tool input schemas are unrecoverable (#11167)
  • 1a1fe3c chore(deps): bump the aws group across 1 directory with 7 updates (#11134)
  • 553155b chore(deps): bump js-yaml from 5.0.0 to 5.1.0 (#11142)
  • 24bde73 chore(deps): bump prettier from 3.8.3 to 3.9.4 in the typescript-eslint group...
  • 8db7263 fix: remove duplicate pnpm lockfile entries (#11141)
  • Additional commits viewable in compare view

Updates @langchain/openai from 1.5.1 to 1.5.5

Release notes

Sourced from @​langchain/openai's releases.

@​langchain/openai@​1.5.5

Patch Changes

@​langchain/openai@​1.5.4

Patch Changes

@​langchain/openai@​1.5.3

Patch Changes

@​langchain/openai@​1.5.2

Patch Changes

  • #11045 05936ab Thanks @​jackjin1997! - fix(openai): omit empty id and content on reasoning items in Responses API input

    Reasoning blocks reassembled from streaming chunks (e.g. via streamEvents) never carry an id, since OpenAI's streaming protocol only includes it in non-streaming responses. When such a message was replayed as Responses API input on the next turn, the reasoning item was emitted with id: "", which OpenAI rejects with 400 Invalid 'input[n].id': ''. The id field is now omitted when absent.

    A second error surfaced immediately after that fix: the same converter set a populated content array on the reasoning input item, which the Responses API also rejects (400 Invalid 'input[n].content': array too long. Expected an array with maximum length 0). Reasoning input items only carry summary, so content is no longer forwarded. Thanks to @​csrujanreddy for catching the second issue and verifying both fixes against the live API.

  • #11065 798cb70 Thanks @​rxits! - fix(openai): route standard url file blocks to native input_file in Responses API

  • #11090 80c790b Thanks @​nikhilpakhloo! - fix(openai): stream built-in tool progress events

Commits
  • f51f338 chore: version packages (#11176)
  • 09e7f6d fix(openai): drop tool_call content blocks from chat completions input (#11...
  • a9f123a fix(openai): filter out content blocks the chat completions api rejects as in...
  • cc39f56 chore: version packages (#11172)
  • 82bef01 fix(core): coerce string v1 AIMessage content to text blocks (#11171)
  • 8a7c5f8 chore: version packages (#11170)
  • 988ca7d fix(openai): emit output_text for assistant content in responses input (#11...
  • e233f41 chore: version packages (#11168)
  • 4c7a06e fix(langchain): malformed tool input schemas are unrecoverable (#11167)
  • 1a1fe3c chore(deps): bump the aws group across 1 directory with 7 updates (#11134)
  • Additional commits viewable in compare view

Updates better-auth from 1.6.20 to 1.6.23

Release notes

Sourced from better-auth's releases.

v1.6.23

better-auth

Features

  • Added Yandex as a social OAuth provider (#9138)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed affected row counting for D1 and postgres-js adapters (#10257)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed string default values not being properly escaped in the generated Drizzle schema (#10259)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​vladflotsky

Full changelog: v1.6.22...v1.6.23

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.23

Patch Changes

  • #9138 8581f97 Thanks @​vladflotsky! - Add a pre-configured Yandex provider helper for the generic OAuth plugin.

  • Updated dependencies [930b260]:

    • @​better-auth/drizzle-adapter@​1.6.23
    • @​better-auth/core@​1.6.23
    • @​better-auth/kysely-adapter@​1.6.23
    • @​better-auth/memory-adapter@​1.6.23
    • @​better-auth/mongo-adapter@​1.6.23
    • @​better-auth/prisma-adapter@​1.6.23
    • @​better-auth/telemetry@​1.6.23

1.6.22

Patch Changes

  • #10239 c06a56d Thanks @​gustavovalverde! - Magic-link and email-OTP sign-in now reset the credentials on an account whose email had never been confirmed. When verification resolves to such an account, any existing password on it is removed and its sessions are revoked before the user is signed in, so proven control of the mailbox is the source of truth for the account.

    If you signed up with email and password but first signed in through a magic link or email OTP rather than confirming the verification email, your password is cleared and you will need to set a new one through password reset.

  • #10240 3a035e9 Thanks @​gustavovalverde! - Add account-level lockout for two-factor verification. The attempt limit applies per account across sign-in challenges and across factors: TOTP, email-OTP, and backup codes share one counter, and a successful verification resets it.

    Enabled by default: an account locks for 15 minutes after 10 consecutive failed verifications, and locked attempts return 429 with the ACCOUNT_TEMPORARILY_LOCKED error code. Configure it with twoFactor({ accountLockout: { enabled, maxFailedAttempts, durationSeconds } }).

    Run a database migration after upgrading: this adds failedVerificationCount and lockedUntil columns to the twoFactor table.

  • Updated dependencies [8bd43d9]:

    • @​better-auth/core@​1.6.22
    • @​better-auth/drizzle-adapter@​1.6.22
    • @​better-auth/kysely-adapter@​1.6.22
    • @​better-auth/memory-adapter@​1.6.22
    • @​better-auth/mongo-adapter@​1.6.22
    • @​better-auth/prisma-adapter@​1.6.22
    • @​better-auth/telemetry@​1.6.22

1.6.21

Patch Changes

  • #10212 e0762a1 Thanks @​bytaesu! - In root-mounted deployments, requests whose path does not start with the configured basePath now return 404 instead of resolving to an endpoint.

  • #10187 882cf9e Thanks @​ping-maxwell! - Admin permission changes and bans now take effect immediately for admin APIs, even when session cookie cache is enabled. Sensitive session checks also continue to work in stateless apps where signed cookies are the session record.

  • #9939 f52e1ab Thanks @​benpsnyder! - fixes a bug causing deviceAuthorization() throwing a ZodError at construction when called without a schema option

  • #10196 b5bec19 Thanks @​Paola3stefania! - OAuth sign-up and account-link profile sync now ignore provider profile values for user fields marked input: false. Input-allowed additional fields still persist from mapProfileToUser, and schema defaults still apply when OAuth creates a user. Apps that used mapProfileToUser to fill input: false fields should set those fields in server-side provisioning code instead.

... (truncated)

Commits

Updates deepagents from 1.10.5 to 1.10.7

Release notes

Sourced from deepagents's releases.

deepagents@1.10.7

Patch Changes

  • #659 8efde93 Thanks @​Kowshik4593! - Fix: Normalize path to file_path in filesystem tools (read_file, write_file, and edit_file) and align the prompt documentation examples to prevent validation schema failures on weaker/custom models.

deepagents@1.10.6

Patch Changes

  • #608 d7ecab2 Thanks @​aolsenjazz! - fix(deepagents): forward subagent results as text

    Fixed a 400 invalid_request_error that occurred when a subagent used an Anthropic server-side tool (web search, web fetch, or code execution): the subagent's server_tool_use/*_tool_result blocks were forwarded to the parent agent as tool_result content, which the API rejects. Subagent results are now passed back to the parent as their text content (matching the Python implementation), which resolves the error and also handles a trailing empty end_turn message.

  • #656 1a2b2df Thanks @​colifran! - fix(deepagents): default unknown file extensions to text/plain

  • #611 42f34b6 Thanks @​aolsenjazz! - feat(deepagents): add bedrockPromptCachingMiddleware to default stack

    Add bedrockPromptCachingMiddleware to default middleware stack. This automatically opts-in to Bedrock prompt caching for Nova and Anthropic models

  • #613 0ae10d7 Thanks @​christian-bromann! - fix(deepagents): declare LangChain runtime packages as peer dependencies

    Move @langchain/core, @langchain/langgraph, @langchain/langgraph-sdk, and langchain from dependencies to peerDependencies, and also declare @langchain/langgraph-checkpoint as a peer (its BaseCheckpointSaver/BaseStore types are part of the public API), so they resolve to a single shared instance in the consumer's tree. Previously they were bundled as regular dependencies, which let a consumer end up with two copies of @langchain/core (e.g. 1.2.0 vs 1.2.1). Because these packages ship classes with private/ protected fields, the duplicate copies are treated as nominally distinct types, producing errors like passing a ChatOpenAI model to createDeepAgent or a compiled graph to the local protocol helpers. As peers, the app controls the version and bumping @langchain/core no longer requires a deepagents release.

Commits
  • 3eab2ca chore: version packages (#660)
  • 8efde93 feat(deepagents): implement filesystem state management middleware with atomi...
  • ff8cc5c chore: version packages (#607)
  • 1a2b2df fix(deepagents): default unknown file extensions to text/plain (#656)
  • 5f93c11 fix(modal): modal sandboxes fail to upload files (#657)
  • ff7d82a build(deps): bump the minor-deps-updates-main group with 8 updates (#640)
  • 88986a2 build(deps): bump the major-deps-updates-main group with 3 updates (#641)
  • 9217edd build(deps): bump the patch-deps-updates-main group with 15 updates (#639)
  • 4f1b6cf build(deps): bump actions/checkout from 6.0.1 to 7.0.0 in the major-deps-upda...
  • 1cca3d3 build(deps): bump actions/setup-python from 6.2.0 to 6.3.0 in the minor-deps-...
  • Additional commits viewable in compare view

Updates hono from 4.12.26 to 4.12.30

Release notes

Sourced from hono's releases.

v4.12.30

What's Changed

Full Changelog: honojs/hono@v4.12.29...v4.12.30

v4.12.29

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.28...v4.12.29

v4.12.28

What's Changed

New Contributors

…with 35 updates

Bumps the minor-and-patch group with 35 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.9` | `4.1.10` |
| [turbo](https://github.com/vercel/turborepo) | `2.9.18` | `2.10.4` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.9` | `4.1.10` |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.5` | `2.0.8` |
| [@langchain/core](https://github.com/langchain-ai/langchainjs) | `1.2.0` | `1.2.2` |
| [@langchain/openai](https://github.com/langchain-ai/langchainjs) | `1.5.1` | `1.5.5` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.20` | `1.6.23` |
| [deepagents](https://github.com/langchain-ai/deepagentsjs) | `1.10.5` | `1.10.7` |
| [hono](https://github.com/honojs/hono) | `4.12.26` | `4.12.30` |
| [mongodb](https://github.com/mongodb/node-mongodb-native) | `7.3.0` | `7.5.0` |
| [mongoose](https://github.com/Automattic/mongoose) | `9.7.1` | `9.7.4` |
| [tsx](https://github.com/privatenumber/tsx) | `4.22.4` | `4.23.1` |
| [@astrojs/starlight](https://github.com/withastro/starlight/tree/HEAD/packages/starlight) | `0.40.0` | `0.41.3` |
| [sharp](https://github.com/lovell/sharp) | `0.35.2` | `0.35.3` |
| [starlight-image-zoom](https://github.com/HiDeoo/starlight-image-zoom/tree/HEAD/packages/starlight-image-zoom) | `0.14.2` | `0.15.0` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.61.0` | `1.61.1` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.101.0` | `5.101.2` |
| [@tanstack/react-router](https://github.com/TanStack/router/tree/HEAD/packages/react-router) | `1.170.16` | `1.170.17` |
| [@xyflow/react](https://github.com/xyflow/xyflow/tree/HEAD/packages/react) | `12.11.0` | `12.11.2` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.21.0` | `1.24.0` |
| [recharts](https://github.com/recharts/recharts) | `3.8.1` | `3.9.2` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.3.1` | `4.3.2` |
| [@tanstack/router-plugin](https://github.com/TanStack/router/tree/HEAD/packages/router-plugin) | `1.168.18` | `1.168.19` |
| [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) | `6.0.2` | `6.0.3` |
| [postcss](https://github.com/postcss/postcss) | `8.5.15` | `8.5.18` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.1` | `4.3.2` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.16` | `8.1.4` |
| [bullmq](https://github.com/taskforcesh/bullmq) | `5.79.1` | `5.80.2` |
| [@langchain/anthropic](https://github.com/langchain-ai/langchainjs) | `1.5.0` | `1.5.1` |
| [isomorphic-git](https://github.com/isomorphic-git/isomorphic-git) | `1.38.5` | `1.38.7` |
| [langchain](https://github.com/langchain-ai/langchainjs) | `1.5.0` | `1.5.3` |
| [@radix-ui/react-label](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/label) | `2.1.10` | `2.1.11` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/separator) | `1.1.10` | `1.1.11` |
| [@radix-ui/react-tooltip](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tooltip) | `1.2.10` | `1.2.12` |
| [radix-ui](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/radix-ui) | `1.6.0` | `1.6.2` |



Updates `@vitest/coverage-v8` from 4.1.9 to 4.1.10
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.10/packages/coverage-v8)

Updates `turbo` from 2.9.18 to 2.10.4
- [Release notes](https://github.com/vercel/turborepo/releases)
- [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md)
- [Commits](vercel/turborepo@v2.9.18...v2.10.4)

Updates `vitest` from 4.1.9 to 4.1.10
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.10/packages/vitest)

Updates `@hono/node-server` from 2.0.5 to 2.0.8
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.5...v2.0.8)

Updates `@langchain/core` from 1.2.0 to 1.2.2
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/core@1.2.0...@langchain/core@1.2.2)

Updates `@langchain/openai` from 1.5.1 to 1.5.5
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/openai@1.5.1...@langchain/openai@1.5.5)

Updates `better-auth` from 1.6.20 to 1.6.23
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.23/packages/better-auth)

Updates `deepagents` from 1.10.5 to 1.10.7
- [Release notes](https://github.com/langchain-ai/deepagentsjs/releases)
- [Commits](https://github.com/langchain-ai/deepagentsjs/compare/deepagents@1.10.5...deepagents@1.10.7)

Updates `hono` from 4.12.26 to 4.12.30
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.26...v4.12.30)

Updates `mongodb` from 7.3.0 to 7.5.0
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/main/HISTORY.md)
- [Commits](mongodb/node-mongodb-native@v7.3.0...v7.5.0)

Updates `mongoose` from 9.7.1 to 9.7.4
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md)
- [Commits](Automattic/mongoose@9.7.1...9.7.4)

Updates `tsx` from 4.22.4 to 4.23.1
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.22.4...v4.23.1)

Updates `@astrojs/starlight` from 0.40.0 to 0.41.3
- [Release notes](https://github.com/withastro/starlight/releases)
- [Changelog](https://github.com/withastro/starlight/blob/main/packages/starlight/CHANGELOG.md)
- [Commits](https://github.com/withastro/starlight/commits/@astrojs/starlight@0.41.3/packages/starlight)

Updates `sharp` from 0.35.2 to 0.35.3
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.35.2...v0.35.3)

Updates `starlight-image-zoom` from 0.14.2 to 0.15.0
- [Release notes](https://github.com/HiDeoo/starlight-image-zoom/releases)
- [Changelog](https://github.com/HiDeoo/starlight-image-zoom/blob/main/packages/starlight-image-zoom/CHANGELOG.md)
- [Commits](https://github.com/HiDeoo/starlight-image-zoom/commits/starlight-image-zoom@0.15.0/packages/starlight-image-zoom)

Updates `@playwright/test` from 1.61.0 to 1.61.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.61.0...v1.61.1)

Updates `@tanstack/react-query` from 5.101.0 to 5.101.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.2/packages/react-query)

Updates `@tanstack/react-router` from 1.170.16 to 1.170.17
- [Release notes](https://github.com/TanStack/router/releases)
- [Changelog](https://github.com/TanStack/router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/TanStack/router/commits/@tanstack/react-router@1.170.17/packages/react-router)

Updates `@xyflow/react` from 12.11.0 to 12.11.2
- [Release notes](https://github.com/xyflow/xyflow/releases)
- [Changelog](https://github.com/xyflow/xyflow/blob/main/packages/react/CHANGELOG.md)
- [Commits](https://github.com/xyflow/xyflow/commits/@xyflow/react@12.11.2/packages/react)

Updates `lucide-react` from 1.21.0 to 1.24.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.24.0/packages/lucide-react)

Updates `recharts` from 3.8.1 to 3.9.2
- [Release notes](https://github.com/recharts/recharts/releases)
- [Changelog](https://github.com/recharts/recharts/blob/main/CHANGELOG.md)
- [Commits](recharts/recharts@v3.8.1...v3.9.2)

Updates `@tailwindcss/postcss` from 4.3.1 to 4.3.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/@tailwindcss-postcss)

Updates `@tanstack/router-plugin` from 1.168.18 to 1.168.19
- [Release notes](https://github.com/TanStack/router/releases)
- [Changelog](https://github.com/TanStack/router/blob/main/packages/router-plugin/CHANGELOG.md)
- [Commits](https://github.com/TanStack/router/commits/@tanstack/router-plugin@1.168.19/packages/router-plugin)

Updates `@vitejs/plugin-react` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/vitejs/vite-plugin-react/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.3/packages/plugin-react)

Updates `postcss` from 8.5.15 to 8.5.18
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.15...8.5.18)

Updates `tailwindcss` from 4.3.1 to 4.3.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/tailwindcss)

Updates `vite` from 8.0.16 to 8.1.4
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.1.4/packages/vite)

Updates `bullmq` from 5.79.1 to 5.80.2
- [Release notes](https://github.com/taskforcesh/bullmq/releases)
- [Commits](taskforcesh/bullmq@v5.79.1...v5.80.2)

Updates `@langchain/anthropic` from 1.5.0 to 1.5.1
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/anthropic@1.5.0...@langchain/anthropic@1.5.1)

Updates `isomorphic-git` from 1.38.5 to 1.38.7
- [Release notes](https://github.com/isomorphic-git/isomorphic-git/releases)
- [Commits](isomorphic-git/isomorphic-git@v1.38.5...v1.38.7)

Updates `langchain` from 1.5.0 to 1.5.3
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/langchain@1.5.0...langchain@1.5.3)

Updates `@radix-ui/react-label` from 2.1.10 to 2.1.11
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/label/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/label)

Updates `@radix-ui/react-separator` from 1.1.10 to 1.1.11
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/separator/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/separator)

Updates `@radix-ui/react-tooltip` from 1.2.10 to 1.2.12
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tooltip/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tooltip)

Updates `radix-ui` from 1.6.0 to 1.6.2
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/radix-ui/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/radix-ui)

---
updated-dependencies:
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: turbo
  dependency-version: 2.10.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@langchain/core"
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@langchain/openai"
  dependency-version: 1.5.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: better-auth
  dependency-version: 1.6.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: deepagents
  dependency-version: 1.10.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: hono
  dependency-version: 4.12.30
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: mongodb
  dependency-version: 7.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: mongoose
  dependency-version: 9.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tsx
  dependency-version: 4.23.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@astrojs/starlight"
  dependency-version: 0.41.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: sharp
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: starlight-image-zoom
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@playwright/test"
  dependency-version: 1.61.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-router"
  dependency-version: 1.170.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@xyflow/react"
  dependency-version: 12.11.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: lucide-react
  dependency-version: 1.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: recharts
  dependency-version: 3.9.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/router-plugin"
  dependency-version: 1.168.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@vitejs/plugin-react"
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: postcss
  dependency-version: 8.5.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vite
  dependency-version: 8.1.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: bullmq
  dependency-version: 5.80.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@langchain/anthropic"
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: isomorphic-git
  dependency-version: 1.38.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: langchain
  dependency-version: 1.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-label"
  dependency-version: 2.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-separator"
  dependency-version: 1.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-tooltip"
  dependency-version: 1.2.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: radix-ui
  dependency-version: 1.6.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Findings: none.

Reviewed the changed files (apps/*/package.json, packages/*/package.json, root package.json, and pnpm-lock.yaml) against the requested threat surfaces. This PR only bumps existing dependency versions; it does not change MCP routes, execute_query handling, Better Auth setup, Hono route validation, environment files, or source code that logs/returns secrets.

Dependency exposure check: no new top-level dependencies were added. I ran pnpm audit --prod on both the PR head and base commit; both report the same 15 advisories with 0 added and 0 removed, so this PR does not introduce a new audited vulnerability. The existing advisories are pre-existing on main.

Open in Web View Automation 

Sent by Cursor Automation: archmax Security Review

@github-actions

Copy link
Copy Markdown

Docker image ready

docker pull ghcr.io/archmaxai/archmax:pr-81

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants