chore(deps): bump the production-dependencies group across 1 directory with 11 updates

[dependabot]

Bumps the production-dependencies group with 11 updates in the / directory:

Package	From	To
@turf/turf	7.3.4	7.3.5
i18next	26.0.3	26.0.6
lucide-react	1.7.0	1.8.0
maplibre-gl	5.21.1	5.23.0
proj4	2.20.5	2.20.8
protobufjs	8.0.0	8.0.1
react	19.2.4	19.2.5
react-dom	19.2.4	19.2.5
react-hook-form	7.72.0	7.72.1
react-i18next	17.0.2	17.0.4
react-resizable-panels	4.8.0	4.10.0

Updates @turf/turf from 7.3.4 to 7.3.5

Release notes

Sourced from @​turf/turf's releases.

v7.3.5

What's Changed

Main goal of this release was to revert a build breaking performance improvement introduced in v7.3.2 that was affecting CommonJS environments.

• Reverted performance related improvement to clusters-dbscan that broke builds by @​smallsaucepan in Turfjs/turf#3049

Other bug fixes and new functionality:

• Add @​turf/directional-mean to @​turf/turf by @​mfedderly in Turfjs/turf#3002
• Mark old nearest-point-on-line properties as deprecated by @​EmilJunker in Turfjs/turf#3005

Housekeeping and behind the scenes changes:

• Introduced tstyche for type checking and to guard against unintentional API changes by @​smallsaucepan in Turfjs/turf#3020
• Remove unused scripts by @​mfedderly in Turfjs/turf#3036
• Update generate-readme script by @​mfedderly in Turfjs/turf#3037

Full Changelog: Turfjs/turf@v7.3.4...v7.3.5

Commits

• a33ca38 v7.3.5
• fbfa6a7 Reverted performance related improvement that broke builds. While faster, kdb...
• 6a2f567 Update generate-readme script (#3037)
• 6d9a78e Add @​turf/directional-mean to @​turf/turf (#3002)
• 80cda0e Remove unused scripts (#3036)
• 9a3043e Mark old nearest-point-on-line properties as deprecated (#3005)
• 1fed227 Introduced tstyche for type checking and to guard against unintentional API c...
• 9428e7c Merge pull request #3021 from Turfjs/releases/7.3.4
• See full diff in compare view

Updates i18next from 26.0.3 to 26.0.6

Release notes

Sourced from i18next's releases.

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

v26.0.5

• fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

v26.0.4

• fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

Changelog

Sourced from i18next's changelog.

26.0.6

Security release — all issues found via an internal audit.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security note in the Nesting docs for the full pattern and mitigations
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

26.0.5

• fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

26.0.4

• fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

Commits

• 9d0ed9f 26.0.6
• 8c82564 security: hardening for 26.0.6 — nesting-options warning, regexEscape unescap...
• 0cb018c chore: bump devDependencies
• ab4633f 26.0.5
• bae3b8b fix: cloneInstance().changeLanguage() no longer fails to update language st...
• 9e64c75 26.0.4
• cd1f15f fix(types): inline formatting options #2378
• 660c785 ts: test todo hint
• 7d2b638 ts repro test
• 29e07bf ts repro test
• See full diff in compare view

Updates lucide-react from 1.7.0 to 1.8.0

Release notes

Sourced from lucide-react's releases.

Version 1.8.0

What's Changed

• docs(packages/angular): add packageDirname for @​lucide/angular by @​rhutchison in lucide-icons/lucide#4211
• chore(icons): Username change knarlix to RajnishKMehta by @​RajnishKMehta in lucide-icons/lucide#4208
• ci(@​lucide/angular): Fix publishing problem by @​ericfennis in lucide-icons/lucide#4213
• docs: fix broken links in pull_request_template.md (got 404 page) by @​whoisBugsbunny in lucide-icons/lucide#4224
• fix(lucide-static): add viewBox to sprite symbol elements by @​TomaTV in lucide-icons/lucide#4223
• docs: Fix link to icon design principles in statement by @​whoisBugsbunny in lucide-icons/lucide#4225
• feat(docs): add Zephyr Cloud to Hero Backers tier by @​karsa-mistmere in lucide-icons/lucide#4226
• fix(icons): fixes gap issues in radio-off.svg by @​karsa-mistmere in lucide-icons/lucide#4227
• fix(icons): renamed text-select to square-dashed-text by @​jguddas in lucide-icons/lucide#3943
• fix(docs): improve mobile layout of v1 banner by @​karsa-mistmere in lucide-icons/lucide#4254
• fix(@​lucide/svelte): aria-hidden="true" was never set by @​blt-r in lucide-icons/lucide#4234
• fix(icons): remove ui/ux tag from heart-minus, add delete instead by @​karsa-mistmere in lucide-icons/lucide#4266
• chore(deps-dev): bump vite from 7.3.1 to 7.3.2 by @​dependabot[bot] in lucide-icons/lucide#4276
• chore(deps): bump lodash-es from 4.17.23 to 4.18.1 by @​dependabot[bot] in lucide-icons/lucide#4251
• chore(deps): bump vite from 5.4.21 to 6.4.2 by @​dependabot[bot] in lucide-icons/lucide#4286
• feat(docs): use initOnMounted: true for useSessionStorage in CarbonAdOverlay by @​karsa-mistmere in lucide-icons/lucide#4275
• feat(icons): added bookmark-off icon by @​ZeenatLawal in lucide-icons/lucide#4283

New Contributors

• @​rhutchison made their first contribution in lucide-icons/lucide#4211
• @​whoisBugsbunny made their first contribution in lucide-icons/lucide#4224
• @​TomaTV made their first contribution in lucide-icons/lucide#4223
• @​blt-r made their first contribution in lucide-icons/lucide#4234
• @​ZeenatLawal made their first contribution in lucide-icons/lucide#4283

Full Changelog: lucide-icons/lucide@1.7.0...1.8.0

Commits

• 7623e23 feat(docs): add Zephyr Cloud to Hero Backers tier & rework updateSponsors scr...
• See full diff in compare view

Updates maplibre-gl from 5.21.1 to 5.23.0

Release notes

Sourced from maplibre-gl's releases.

v5.23.0

✨ Features and improvements

• Add touchZoomRotate.setZoomRate() and touchZoomRotate.setZoomThreshold() to customize touch zoom speed and pinch sensitivity (#7271)
• Improve ability to communicate with imported scripts in workers and use makeRequest in workres as well (#7451) (by @​HarelM)
• Allow opacity and opacityWhenCovered in Marker and MarkerOptions to accept number in addition to string, and add maplibregl-marker-covered CSS class to Marker element when covered by 3D terrain or a globe (#7433) (by @​YuChunTsao)
• perf: add a bench for terrain rendering and fix _demMatrixCache lookup being wasted cycles by actually using the cache (#7400) (by @​CommanderStorm)

🐞 Bug fixes

• Fix polygon text label placement drifting far from center for convex polygons at high zoom due to coordinate rounding in geojson-vt (#7380) (by @​CommanderStorm)
• Ensure that a successful ArrayBuffer response from a custom protocol that is null/undefined is set to an empty ArrayBuffer (#7427) (by @​neodescis)
• Fix error in _contextRestored when map was initialized without a style (#7432) (by @​mvanhorn)
• Fix issue with the cache used for zoomLevelsToOverscale feature (#7450) (by @​HarelM)
• Update stylelint and fix old issues with the CSS (mainly change rgb to use spaces) (#7365) (by @​HarelM)

v5.22.0

✨ Features and improvements

• Make line-cap, line-miter-limit, and line-round-limit data-driven properties, allowing per-feature values (#7351) (by @​CommanderStorm)
• GPU performance optimization: early culling of transparent symbols in vertex shaders (#7364) (by @​xavierjs)
• Add example showing how to measure map performance using built-in events (load, idle, render) (#7077) (by @​CommanderStorm)
• UX: Clarify error message language so if layout and paint properties are confused in setPaintProperty or setLayoutProperty (#6954) (by @​Willjfield and @​CommanderStorm)

🐞 Bug fixes

• Fix startup crash caused by a stale async style load completing after the style was cleared or replaced (#7377)
• Make fitBounds and fitScreenCoordinates respect the zoomSnap map option by snapping the zoom level down to keep bounds fully visible (#7332 (by @​CommanderStorm)
• Make jumpTo, easeTo, and flyTo respect the zoomSnap map option by snapping the zoom level to the nearest valid increment (#7333 (by @​CommanderStorm)
• Fix setState crash when switching styles while globe projection is active (#7314) (by @​ashwinuae)
• Prevent crashes when calling map.remove() immediately after creation by canceling in-flight style URL loads (#7368) (by @​CommanderStorm)
• Fixed symbol collision flickering by adding tolerance to GridIndex AABB comparison (#7360) (by @​kkokkoejong)
• Fix fitBounds ignoring maxZoom option in vertical-perspective projection (#7372) (by @​CommanderStorm)
• Prevent stale async style loads from completing after style clear (#7378) (by @​Lievesley)
• Fix broken example for fill-pattern (#7326) (by @​k-yle)

Changelog

Sourced from maplibre-gl's changelog.

5.23.0

✨ Features and improvements

• Add touchZoomRotate.setZoomRate() and touchZoomRotate.setZoomThreshold() to customize touch zoom speed and pinch sensitivity (#7271)
• Improve ability to communicate with imported scripts in workers and use makeRequest in workres as well (#7451) (by @​HarelM)
• Allow opacity and opacityWhenCovered in Marker and MarkerOptions to accept number in addition to string, and add maplibregl-marker-covered CSS class to Marker element when covered by 3D terrain or a globe (#7433) (by @​YuChunTsao)
• perf: add a bench for terrain rendering and fix _demMatrixCache lookup being wasted cycles by actually using the cache (#7400) (by @​CommanderStorm)

🐞 Bug fixes

• Fix polygon text label placement drifting far from center for convex polygons at high zoom due to coordinate rounding in geojson-vt (#7380) (by @​CommanderStorm)
• Ensure that a successful ArrayBuffer response from a custom protocol that is null/undefined is set to an empty ArrayBuffer (#7427) (by @​neodescis)
• Fix error in _contextRestored when map was initialized without a style (#7432) (by @​mvanhorn)
• Fix issue with the cache used for zoomLevelsToOverscale feature (#7450) (by @​HarelM)
• Update stylelint and fix old issues with the CSS (mainly change rgb to use spaces) (#7365) (by @​HarelM)

5.22.0

✨ Features and improvements

• Make line-cap, line-miter-limit, and line-round-limit data-driven properties, allowing per-feature values (#7351) (by @​CommanderStorm)
• GPU performance optimization: early culling of transparent symbols in vertex shaders (#7364) (by @​xavierjs)
• Add example showing how to measure map performance using built-in events (load, idle, render) (#7077) (by @​CommanderStorm)
• UX: Clarify error message language so if layout and paint properties are confused in setPaintProperty or setLayoutProperty (#6954) (by @​Willjfield and @​CommanderStorm)

🐞 Bug fixes

• Fix startup crash caused by a stale async style load completing after the style was cleared or replaced (#7377)
• Make fitBounds and fitScreenCoordinates respect the zoomSnap map option by snapping the zoom level down to keep bounds fully visible (#7332 (by @​CommanderStorm)
• Make jumpTo, easeTo, and flyTo respect the zoomSnap map option by snapping the zoom level to the nearest valid increment (#7333 (by @​CommanderStorm)
• Fix setState crash when switching styles while globe projection is active (#7314) (by @​ashwinuae)
• Prevent crashes when calling map.remove() immediately after creation by canceling in-flight style URL loads (#7368) (by @​CommanderStorm)
• Fixed symbol collision flickering by adding tolerance to GridIndex AABB comparison (#7360) (by @​kkokkoejong)
• Fix fitBounds ignoring maxZoom option in vertical-perspective projection (#7372) (by @​CommanderStorm)
• Prevent stale async style loads from completing after style clear (#7378) (by @​Lievesley)
• Fix broken example for fill-pattern (#7326) (by @​k-yle)

Commits

• 7f61f6f Bump js version to 5.23.0 (#7455)
• 6ace141 Update geojson-vt to version 6.1.0 (#7454)
• 1cbb01c chore(deps): bump codecov/codecov-action from 5.5.3 to 6.0.0 (#7358)
• 62c11c0 chore(deps-dev): bump stylelint from 16.26.1 to 17.6.0 (#7365)
• f40a683 test (#7452)
• d5c86fe Improve ability to import scripts in workers (#7451)
• f2072c3 fix: guard against null style in _contextRestored (#7446)
• 8072fe6 feat(marker): support number for opacity options (#7442)
• 3f6b54c Fix cache key for _zoomLevelsToOverscale experimental feature (#7450)
• 8584c2e chore(deps-dev): bump basic-ftp from 5.2.1 to 5.2.2 (#7447)
• Additional commits viewable in compare view

Updates proj4 from 2.20.5 to 2.20.8

Release notes

Sourced from proj4's releases.

v2.20.8

What's Changed

• Fixes after build tool changes by @​ahocevar in proj4js/proj4js#563

Full Changelog: proj4js/proj4js@v2.20.7...v2.20.8

v2.20.7

What's Changed

• Remove grunt, use vitest for tests by @​ahocevar in proj4js/proj4js#561
• Improved publishing and release workflow by @​ahocevar in proj4js/proj4js#562

Full Changelog: proj4js/proj4js@v2.20.6...v2.20.7

v2.20.6

Full Changelog: proj4js/proj4js@v2.20.5...v2.20.6

Commits

• 6572d89 2.20.8
• b4d44b8 Merge pull request #563 from proj4js/add-back-types
• 9248571 Remove obsolete publish.sh script
• e24561a Update main branch name in PUBLISHING.md
• 3711bc8 Run action again upon pull request creation
• fc70afd Add back types to the npm package
• a3d7fb8 2.20.7
• 82b6817 Upgrade actions/checkout and actions/setup-node to v6 (Node 24)
• f580455 update changelog for 2.20.7
• 35942b5 Merge pull request #562 from proj4js/actions
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for proj4 since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates protobufjs from 8.0.0 to 8.0.1

Release notes

Sourced from protobufjs's releases.

protobufjs: v8.0.1

8.0.1 (2026-03-11)

Bug Fixes

• bump protobufjs dependency version for cli package (#2128) (549b05e)
• correct json syntax in tsconfig.json (#2120) (8065625)
• descriptor: guard oneof index for non-Type parents (#2122) (1cac5cf)
• do not allow setting proto in Message constructor (#2126) (f05e3c3)
• filter invalid characters from the type name (#2127) (535df44)

Changelog

Sourced from protobufjs's changelog.

8.0.1 (2026-03-11)

Bug Fixes

• bump protobufjs dependency version for cli package (#2128) (549b05e)
• correct json syntax in tsconfig.json (#2120) (8065625)
• descriptor: guard oneof index for non-Type parents (#2122) (1cac5cf)
• do not allow setting proto in Message constructor (#2126) (f05e3c3)
• filter invalid characters from the type name (#2127) (535df44)

Commits

• 6559b3d chore: release master (#2129)
• 042f81d chore(deps): update dependency tmp to v0.2.4 [security] (#2091)
• 8065625 fix: correct json syntax in tsconfig.json (#2120)
• 1cac5cf fix(descriptor): guard oneof index for non-Type parents (#2122)
• 549b05e fix: bump protobufjs dependency version for cli package (#2128)
• 535df44 fix: filter invalid characters from the type name (#2127)
• f05e3c3 fix: do not allow setting proto in Message constructor (#2126)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by fenster, a new releaser for protobufjs since your current version.

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-hook-form from 7.72.0 to 7.72.1

Release notes

Sourced from react-hook-form's releases.

Version 7.72.1

🐞 fix: add isDirty check for numeric string keys in defaultValues (issue #13346) (#13347) 🐞 fix: prevent setValue with shouldDirty from polluting unrelated dirty fields (#13326) 🐞 fix: memoize control in HookFormControlContext to prevent render conflicts (#13272) (#13312) 🐞 fix: isNameInFieldArray should check all ancestor paths for nested field arrays (#13318) 🐞 fix: #13320 formState.isValid incorrect on Controller re-mount (#13324)

thanks to @​6810779s, @​candymask0712, @​olagokemills, @​shahmir-oscilar & @​bae080311

Commits

• 724e563 7.72.1
• ba649e9 🐞 test: add isDirty check for numeric string keys in defaultValues (issue #13...
• 2f56eb0 🛖 build(deps): bump yaml from 1.10.2 to 1.10.3 in /app (#13335)
• f29f546 👯 combine duplicated code (#13328)
• 2cfc8a5 🐞 fix: prevent setValue with shouldDirty from polluting unrelated dirty field...
• 44e8815 🐞 fix: memoize control in HookFormControlContext to prevent render conflicts ...
• 302d160 🐞 fix: isNameInFieldArray should check all ancestor paths for nested field ar...
• d7ccd70 🦾 dev deps upgrade (#13325)
• fddf779 🐞 fix: #13320 formState.isValid incorrect on Controller re-mount (#13324)
• 26ae54e 🛖 build(deps-dev): bump rollup from 4.53.3 to 4.59.0 (#13323)
• See full diff in compare view

Updates react-i18next from 17.0.2 to 17.0.4

Changelog

Sourced from react-i18next's changelog.

17.0.4

• fix: avoid React does not recognize the 'i18nIsDynamicList' prop on a DOM element warning 1915

17.0.3

• fix: avoid invalid prop on React.Fragment inside <Trans /> 1914

Commits

• a398b76 17.0.4
• c96f7bc fix: avoid `React does not recognize the i18nIsDynamicList prop on a DOM elem...
• fe111f7 17.0.3
• e7419b8 fix: avoid invalid prop on React.Fragment inside \<Trans /> #1914
• See full diff in compare view

Updates react-resizable-panels from 4.8.0 to 4.10.0

Release notes

Sourced from react-resizable-panels's releases.

4.9.0

• 702: Add disableDoubleClick prop to Separator to enable turning off the double-click size reset behavior.

Changelog

Sourced from react-resizable-panels's changelog.

4.10.0

• 705: Add data-separator="focus" state for Separator elements for more consistent custom CSS styles.

4.9.0

• 702: Add disableDoubleClick prop to Separator to enable turning off the double-click size reset behavior.

Commits

• fa27133 4.9.0 -> 4.10.0
• b58ed97 Add data-separator "focus" state (#706)
• f4e5e08 Upgrade react-lib-tools to improve site-search
• 5cf89ea Made callouts on Common Questions more consistent
• 435f953 Upgrade react-lib-tools to improve site-search
• 50f05ab 4.8.0 -> 4.9.0
• 897d576 Add disableDoubleClick prop to Separator (#702)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.