Skip to content

chore(deps): bump next-safe-action from 7.10.5 to 8.5.5 in /webapp#158

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/webapp/next-safe-action-8.5.5
Open

chore(deps): bump next-safe-action from 7.10.5 to 8.5.5 in /webapp#158
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/webapp/next-safe-action-8.5.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown
Contributor

Bumps next-safe-action from 7.10.5 to 8.5.5.

Release notes

Sourced from next-safe-action's releases.

next-safe-action@8.5.5

Patch Changes

  • #461 77a81bb Thanks @​TheEdoRan! - Harden validation-error building against prototype pollution. buildValidationErrors walks the (potentially client-controlled) Standard Schema issue paths to build the nested errors object: with a record/catchall schema, an input like {"constructor":{"prototype":{...}}} produced an issue path that walked the prototype chain and wrote to Object.prototype. Paths are now traversed with Object.hasOwn and written with own-property descriptors, so hostile keys (__proto__, constructor, prototype) are stored as plain own properties and can never reach the global prototype. As defense-in-depth, flattenValidationErrors assigns field keys the same safe way, the validation payload recovered from the error digest is parsed with a __proto__-stripping reviver, and returnValidationErrors now throws a clear error when given a non-JSON-serializable payload instead of leaking a raw TypeError.

  • #461 77a81bb Thanks @​TheEdoRan! - Fix returnValidationErrors being reported as a generic server error when called inside a Next.js 'use cache' scope (cacheComponents enabled). Crossing the RSC boundary strips the thrown error's class identity, so the instanceof check failed and the client received DEFAULT_SERVER_ERROR_MESSAGE instead of the validation errors. The errors are now encoded on the error digest (the only channel Next.js preserves across the boundary, the same mechanism used to detect redirect/notFound) and correctly returned as validationErrors, matching the behavior when cacheComponents is disabled.

next-safe-action@8.5.4

Patch Changes

  • #455 8ffa7f5 Thanks @​LouisCuvelier! - Fix hook callbacks re-firing when a page is restored from the Next.js router bfcache (React <Activity>, enabled by cacheComponents): onExecute/onSuccess/onError/onSettled/onNavigation now fire once per action execution instead of replaying on every restore.

next-safe-action@8.5.3

Patch Changes

  • #450 edf9dd6 Thanks @​TheEdoRan! - Remove the deepmerge-ts runtime dependency by inlining the small subset of deep-merge logic the library actually uses into an internal deep-merge.ts. Behavior is unchanged (records merged recursively, arrays concatenated, Sets/Maps combined, otherwise last value wins, with a __proto__ pollution guard), and the package now ships with zero runtime dependencies.

next-safe-action@8.5.2

Patch Changes

  • #448 c10b464 Thanks @​TheEdoRan! - Add the pkg.pr.new badge to README. Documentation-only change, no runtime impact.

next-safe-action@8.5.1

Patch Changes

  • #446 6b1e3f6 Thanks @​TheEdoRan! - Filter out undefined entries from the callback promises array before awaiting Promise.all, to satisfy the stricter await-thenable rule in the latest oxlint-tsgolint. No runtime behavior change.

next-safe-action@8.5.0

Minor Changes

  • #444 adea4c6 Thanks @​TheEdoRan! - Narrow SafeActionResult into a discriminated union so that checking one field narrows the others to undefined.

    Previously, data, serverError, and validationErrors were all independently optional on the result type, which meant TypeScript could not infer that they are mutually exclusive. Now:

    const { data, serverError, validationErrors } = await myAction(input);
    if (data) {
    // TypeScript knows serverError and validationErrors are undefined here
    }
    if (serverError) {
    // TypeScript knows data and validationErrors are undefined here
    }

    Destructured narrowing works end-to-end: checking any one of the three fields propagates to the other two. No hook API changes are required — useAction().result narrows automatically.

    Runtime behavior change (compound-error precedence)

... (truncated)

Commits
  • 04bced2 Version Packages (#462)
  • 77a81bb fix: returnValidationErrors with "use cache" (#461)
  • ef4ad3f docs(form-actions): document passing a safe action directly to the form actio...
  • 5d8a87a feat(docs): add LLM page actions (copy as Markdown, llms.txt) (#458)
  • af63777 Version Packages (#456)
  • 8ffa7f5 fix(hooks): don't replay callbacks when restored from the router bfcache (Rea...
  • 9d54c79 Version Packages (#451)
  • edf9dd6 inline deepmerge logic (#450)
  • 25455e4 bump pnpm to 11.1.0
  • 745ba86 enforce harden-runner egress policy across workflows
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next-safe-action since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 19, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/webapp/next-safe-action-8.5.5 branch from eec9e03 to 0cb57fe Compare June 19, 2026 09:47
Bumps [next-safe-action](https://github.com/next-safe-action/next-safe-action) from 7.10.5 to 8.5.5.
- [Release notes](https://github.com/next-safe-action/next-safe-action/releases)
- [Commits](https://github.com/next-safe-action/next-safe-action/compare/v7.10.5...next-safe-action@8.5.5)

---
updated-dependencies:
- dependency-name: next-safe-action
  dependency-version: 8.5.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/webapp/next-safe-action-8.5.5 branch from 0cb57fe to 351b323 Compare June 26, 2026 09:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants