Skip to content

fix(deps): update prod minor+patch#101

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/prod-minor+patch
Open

fix(deps): update prod minor+patch#101
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/prod-minor+patch

Conversation

@renovate

@renovate renovate Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@floating-ui/dom (source) ^1.7.6^1.8.0 age confidence
@radix-ui/react-alert-dialog (source) ^1.1.18^1.1.19 age confidence
@radix-ui/react-avatar (source) ^1.2.1^1.2.2 age confidence
@radix-ui/react-context-menu (source) ^2.3.2^2.3.3 age confidence
@radix-ui/react-dialog (source) ^1.1.18^1.1.19 age confidence
@radix-ui/react-dropdown-menu (source) ^2.1.19^2.1.20 age confidence
@radix-ui/react-popover (source) ^1.1.18^1.1.19 age confidence
@radix-ui/react-select (source) ^2.3.2^2.3.3 age confidence
@radix-ui/react-slider (source) ^1.4.2^1.4.3 age confidence
@radix-ui/react-switch (source) ^1.3.2^1.3.3 age confidence
@radix-ui/react-tabs (source) ^1.1.16^1.1.17 age confidence
@radix-ui/react-tooltip (source) ^1.2.11^1.2.12 age confidence
@tiptap/core (source) ^3.27.1^3.27.3 age confidence
@tiptap/extension-emoji (source) ^3.27.1^3.27.3 age confidence
@tiptap/pm (source) ^3.27.1^3.27.3 age confidence
@tiptap/react (source) ^3.27.1^3.27.3 age confidence
@tiptap/starter-kit (source) ^3.27.1^3.27.3 age confidence
@tiptap/suggestion (source) ^3.27.1^3.27.3 age confidence
filesize (source) ^11.0.19^11.0.22 age confidence
html-react-parser ^6.1.3^6.1.4 age confidence
lucide-react (source) ^1.23.0^1.24.0 age confidence
marked (source) ^18.0.5^18.0.6 age confidence
mediasoup (source) 3.20.103.21.0 age confidence
prosemirror-view ^1.42.0^1.42.1 age confidence
sanitize-html (source) ^2.17.5^2.17.6 age confidence

Release Notes

floating-ui/floating-ui (@​floating-ui/dom)

v1.8.0

Compare Source

Minor Changes
  • feat: add 'layoutViewport' string option to rootBoundary. Unlike the visual 'viewport' boundary, it remains stable while pinch-zooming or when a mobile software keyboard is open, and unlike a manually passed Rect of the documentElement's client size, it accounts for space reserved by scrollbar-gutter: stable.
Patch Changes
  • fix: remove redundant passive options from scroll listeners
  • fix: support explicit undefined for optional properties with exactOptionalPropertyTypes
  • fix(autoUpdate): update immediately instead of waiting for the 1s layoutShift refresh throttle when the reference moved during an observer refresh
  • fix(getClippingRect): correct clipping-ancestor filtering for fixed-position elements
  • perf(dom): reduce bundle size and skip redundant per-call work in positioning utilities
  • fix(getViewportRect): account for scrollbar-gutter: stable both-edges reserved space
  • fix(getViewportRect): don't overflow past a left-side document scrollbar
  • fix(platform): don't throw in getClientRects when a virtual element without a getClientRects method is used with the inline() middleware
  • fix(autoUpdate): refresh layout shift observer on root resize
  • Update dependencies: @floating-ui/core@1.8.0, @floating-ui/utils@0.2.12
radix-ui/primitives (@​radix-ui/react-alert-dialog)

v1.1.19

  • Updated dependencies: @radix-ui/primitive@1.1.5, @radix-ui/react-context@1.2.0, @radix-ui/react-dialog@1.1.19
radix-ui/primitives (@​radix-ui/react-avatar)

v1.2.2

  • Updated dependencies: @radix-ui/react-context@1.2.0
radix-ui/primitives (@​radix-ui/react-context-menu)

v2.3.3

  • Fixed ContextMenu not re-anchoring to the latest pointer position when re-triggered while already open.
  • Fixed menu items, tab triggers, toolbar links, and select items intercepting Space/Enter keys that originate from focusable descendants.
  • Updated dependencies: @radix-ui/primitive@1.1.5, @radix-ui/react-context@1.2.0, @radix-ui/react-menu@2.1.20
radix-ui/primitives (@​radix-ui/react-dialog)

v1.1.19

  • Updated dependencies: @radix-ui/react-dismissable-layer@1.1.15, @radix-ui/primitive@1.1.5, @radix-ui/react-context@1.2.0, @radix-ui/react-focus-scope@1.1.12, @radix-ui/react-presence@1.1.7
radix-ui/primitives (@​radix-ui/react-dropdown-menu)

v2.1.20

  • Fixed menu items, tab triggers, toolbar links, and select items intercepting Space/Enter keys that originate from focusable descendants.
  • Updated dependencies: @radix-ui/primitive@1.1.5, @radix-ui/react-context@1.2.0, @radix-ui/react-menu@2.1.20
radix-ui/primitives (@​radix-ui/react-popover)

v1.1.19

  • Updated dependencies: @radix-ui/react-dismissable-layer@1.1.15, @radix-ui/primitive@1.1.5, @radix-ui/react-context@1.2.0, @radix-ui/react-focus-scope@1.1.12, @radix-ui/react-presence@1.1.7, @radix-ui/react-popper@1.3.3
radix-ui/primitives (@​radix-ui/react-select)

v2.3.3

  • Fixed a bug in form control components to ensure their values are updated when their associated form's is reset. This affects RadioGroup, Slider, Select, and Switch.
  • Fixed menu items, tab triggers, toolbar links, and select items intercepting Space/Enter keys that originate from focusable descendants.
  • Updated dependencies: @radix-ui/react-dismissable-layer@1.1.15, @radix-ui/primitive@1.1.5, @radix-ui/react-context@1.2.0, @radix-ui/react-focus-scope@1.1.12, @radix-ui/react-presence@1.1.7, @radix-ui/react-collection@1.1.12, @radix-ui/react-popper@1.3.3
radix-ui/primitives (@​radix-ui/react-slider)

v1.4.3

  • Fixed a bug in form control components to ensure their values are updated when their associated form's is reset. This affects RadioGroup, Slider, Select, and Switch.
  • Fixed keyboard stepping skipping a valid value when the current value is off the step grid (eg, a defaultValue that isn't a multiple of step from min). Stepping now snaps to the next step-aligned value in the direction of travel, matching native <input type="range"> behavior.
  • Updated dependencies: @radix-ui/primitive@1.1.5, @radix-ui/react-context@1.2.0, @radix-ui/react-collection@1.1.12
radix-ui/primitives (@​radix-ui/react-switch)

v1.3.3

  • Fixed a bug in form control components to ensure their values are updated when their associated form's is reset. This affects RadioGroup, Slider, Select, and Switch.
  • Updated dependencies: @radix-ui/primitive@1.1.5, @radix-ui/react-context@1.2.0
radix-ui/primitives (@​radix-ui/react-tabs)

v1.1.17

  • Fixed menu items, tab triggers, toolbar links, and select items intercepting Space/Enter keys that originate from focusable descendants.
  • Updated dependencies: @radix-ui/primitive@1.1.5, @radix-ui/react-context@1.2.0, @radix-ui/react-roving-focus@1.1.15, @radix-ui/react-presence@1.1.7
radix-ui/primitives (@​radix-ui/react-tooltip)

v1.2.12

  • Updated dependencies: @radix-ui/react-dismissable-layer@1.1.15, @radix-ui/primitive@1.1.5, @radix-ui/react-context@1.2.0, @radix-ui/react-presence@1.1.7, @radix-ui/react-popper@1.3.3
ueberdosis/tiptap (@​tiptap/core)

v3.27.3

Compare Source

Patch Changes
  • 023f98c: Fix deleteSelection to delete content across all selection ranges instead of only the first range. This restores multi-cell table selections and other custom selections with multiple ranges.

v3.27.2

Compare Source

Patch Changes
ueberdosis/tiptap (@​tiptap/extension-emoji)

v3.27.3

Compare Source

Patch Changes

v3.27.2

Compare Source

Patch Changes
  • eb19977: Fix arrow key navigation past emoji nodes in Firefox. Previously, pressing ArrowLeft with the cursor adjacent to an inline non-selectable emoji node at a paragraph boundary would not move the cursor in Firefox. The cursor now correctly skips over emoji nodes in both directions.
  • Updated dependencies [ceebb31]
ueberdosis/tiptap (@​tiptap/pm)

v3.27.3

Compare Source

v3.27.2

Compare Source

Patch Changes
  • ceebb31: Updated all ProseMirror packages to the latest publicly available versions
ueberdosis/tiptap (@​tiptap/react)

v3.27.3

Compare Source

Patch Changes

v3.27.2

Compare Source

Patch Changes
ueberdosis/tiptap (@​tiptap/starter-kit)

v3.27.3

Compare Source

Patch Changes

v3.27.2

Compare Source

Patch Changes
ueberdosis/tiptap (@​tiptap/suggestion)

v3.27.3

Compare Source

Patch Changes

v3.27.2

Compare Source

Patch Changes
avoidwork/filesize.js (filesize)

v11.0.22

Compare Source

  • fix: keep plural fullform name with a comma decimal separator #312

v11.0.21

Compare Source

9 July 2026

  • chore: release v11.0.21 #311
  • fix: honor the pad option for zero values #308
  • fix: return the final exponent from output 'exponent' #307
  • chore: update dependencies #310

v11.0.20

Compare Source

9 July 2026

  • chore: release v11.0.20 #309
  • fix(helpers): clamp negative forced exponent to 0 #304
  • chore(deps-dev): bump oxlint from 1.72.0 to 1.73.0 #306
  • chore(deps-dev): bump oxlint from 1.71.0 to 1.72.0 #303
  • chore(deps-dev): bump oxfmt from 0.56.0 to 0.57.0 #302
remarkablemark/html-react-parser (html-react-parser)

v6.1.4

Compare Source

Build System
lucide-icons/lucide (lucide-react)

v1.24.0: Version 1.24.0

Compare Source

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.23.0...1.24.0

markedjs/marked (marked)

v18.0.6

Compare Source

versatica/mediasoup (mediasoup)

v3.21.0

Compare Source

  • Worker: Fix new consumer regressions (PR #​1849).
  • Add NotFoundError, thrown when the referenced entity in the Worker doesn't exist (PR #​1852).
    • Expose mediasoup Node errors via mediasoup/errors (in EMS).
    • Breaking change: Rename InvalidStateError to WorkerClosedError.
apostrophecms/apostrophe (sanitize-html)

v2.17.6

Fixes
  • Allow transformTags to emit text when textFilter is set, even if the tag is initially empty. This is consistent with the documentation. Thanks to spokodev for the fix.
Security
  • Fixed an XSS/allowlist bypass in which the contents of a raw-text element (textarea or xmp) nested inside an svg or math root were re-emitted without HTML-escaping. sanitize-html treated that content as inert raw text because htmlparser2 10.x classified raw-text elements by tag name and ignored the namespace, but a real HTML5 parser treats textarea/xmp as ordinary foreign elements inside SVG/MathML and re-parses their contents as live markup. As a result, markup and event-handler attributes that the allowlist never permitted (for example <svg><textarea><img src=x onerror=alert(1)>) could survive sanitization and execute in the browser. This is now fixed on two fronts: htmlparser2 was upgraded to 12.x, which is namespace-aware and parses textarea/xmp inside SVG/MathML as ordinary elements, so their non-allowlisted children (such as the injected img) are dropped by the allowlist instead of being preserved as raw text; and any raw-text content sanitize-html still emits for these tags (at HTML integration points such as foreignObject/mtext, or outside foreign content) is always HTML-escaped. The default configuration is not affected; the precondition is an allowedTags that includes svg or math together with textarea or xmp. Thanks to khoadb175 for responsibly disclosing the vulnerability.
  • Fixed a mutation-XSS / allowedTags bypass affecting configurations that allow the textarea or xmp raw-text tags. htmlparser2 10.x did not recognize an end tag with a trailing solidus (e.g. </textarea/>) as closing the element, so it kept the following markup as raw text, but a spec-compliant browser treats </textarea/> as a valid close and parses that markup as a live element. Because raw-text content was re-emitted without escaping, a payload such as <textarea></textarea/><img src=x onerror=...> could smuggle non-allowlisted, executable markup through the sanitizer. The default configuration was not affected. This is now defended at two layers: htmlparser2 was upgraded to 12.x, whose tokenizer closes these end tags correctly, and the raw text sanitize-html emits for these tags is always escaped so no < can reopen a tag when the output is re-parsed (textarea, an RCDATA element whose entities htmlparser2 decodes, is escaped like normal text, while xmp, a raw-text element, has only its angle brackets escaped to avoid double-encoding already-encoded entities). Because htmlparser2 is ESM-only from version 11 onward, sanitize-html now requires Node.js >=22.12.0 (the first 22.x release in which require() of an ES module is available unflagged). Thanks to bibu123456 for reporting the vulnerability and Kayiz-PT for coordinating the disclosure (GHSA-jxwj-j7wr-gfrw).

Configuration

📅 Schedule: (in timezone Europe/Lisbon)

  • Branch creation
    • "before 5am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/prod-minor+patch branch from aed8359 to 12eb03d Compare July 13, 2026 20:30
@renovate renovate Bot force-pushed the renovate/prod-minor+patch branch from 12eb03d to 8edaa3e Compare July 14, 2026 11:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants