Bump the npm_and_yarn group across 6 directories with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /pi-cecilia/blackroad-operator/dashboard directory: @clerk/nextjs, next and uuid.
Bumps the npm_and_yarn group with 2 updates in the /pi-lucidia/lucidia-home directory: follow-redirects and picomatch.
Bumps the npm_and_yarn group with 1 update in the /pi-lucidia/octavia-operator/dashboard directory: next.
Bumps the npm_and_yarn group with 1 update in the /pi-lucidia/octavia-operator/packages/blackroad-app-store/web directory: next.
Bumps the npm_and_yarn group with 1 update in the /pi-lucidia/octavia-operator/packages/blackroad-deploy/cli directory: tar.
Bumps the npm_and_yarn group with 1 update in the /pi-lucidia/octavia-operator/packages/roadgateway directory: hono.

Updates @clerk/nextjs from 7.0.4 to 7.2.1

Changelog

Sourced from @​clerk/nextjs's changelog.

7.2.1

Patch Changes

• Normalize URL paths in createPathMatcher to prevent route protection bypass (#8311) by @​nikosdouvlis

• Updated dependencies [b0b6675]:

  • @​clerk/shared@​4.8.1
  • @​clerk/backend@​3.2.11
  • @​clerk/react@​6.4.1

7.2.0

Minor Changes

• Introduce internal <OAuthConsent /> component for rendering a zero-config OAuth consent screen on an OAuth authorize redirect page. (#8289) by @​wobsoriano

  Usage example:

  import { OAuthConsent } from '@clerk/nextjs';
  export default function OAuthConsentPage() {
  return <OAuthConsent />;
  }

Patch Changes

• Updated dependencies [dc2de16]:
  • @​clerk/react@​6.4.0
  • @​clerk/shared@​4.8.0
  • @​clerk/backend@​3.2.10

7.1.0

Minor Changes

• Introduce internal useOAuthConsent() hook for fetching OAuth consent screen metadata for the signed-in user. (#8286) by @​jfoshee

Patch Changes

• Bump next devDependency to 15.5.15 to pick up the fix for CVE-2026-23869, a high-severity (CVSS 7.5) denial-of-service vulnerability in React Server Components. If you use the Next.js App Router, we recommend upgrading to Next.js 15.5.15 or 16.2.3. (#8257) by @​renovate

• Updated dependencies [3fd586d, f9ff9e9]:

  • @​clerk/react@​6.3.0
  • @​clerk/shared@​4.7.0
  • @​clerk/backend@​3.2.9

7.0.12

... (truncated)

Commits

• 6399251 ci(repo): Version packages (#8315)
• b0b6675 fix(shared,nextjs,astro,nuxt): normalize URL paths in createPathMatcher (#8311)
• b1f9bbe ci(repo): Version packages (#8307)
• dc2de16 feat(ui,react): Introduce OAuthConsent component (#8289)
• 4657d64 ci(repo): Version packages (#8277)
• f9ff9e9 feat(shared,nextjs,react): Introduce useOAuthConsent hook (#8286)
• 81d4df1 chore(repo): Update linting & formatting (#8271)
• 2471d41 chore(nextjs): Update next to patched versions for CVE-2026-23869 (#8281)
• e1265b0 chore(nextjs): Update dependency next to v15.5.13 [SECURITY] (#8257)
• 97735eb ci(repo): Version packages (#8252)
• Additional commits viewable in compare view

Updates next from 14.2.15 to 16.2.4

Release notes

Sourced from next's releases.

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

... (truncated)

Commits

• 2275bd8 v16.2.4
• e073983 Adding more system info to the 'initialize project' trace (#92427)
• 8a540b5 Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92...
• 2f5343f Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• 2ad9d3f turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during ...
• 6f3808e Compiler: Support boolean and number primtives in next.config defines (#92731)
• fbc7684 Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• 805d758 Turbopack: fix filesystem watcher config not applying follow_symlinks(false) ...
• 1056fae chore: Bump reqwest to 0.13.2 (#92713)
• d5f649b v16.2.3
• Additional commits viewable in compare view

Updates @clerk/backend from 3.2.0 to 3.4.2

Release notes

Sourced from @​clerk/backend's releases.

@​clerk/backend@​3.4.2

Patch Changes

• Auto-proxy FAPI requests for .vercel.app subdomains. When deployed to a .vercel.app domain without explicit proxy or domain configuration, the SDK automatically routes Frontend API requests through /__clerk on the app's own origin. This enables Clerk production mode on Vercel deployments without manual proxy setup. (#8035) by @​brkalow

• Fix Request cloning and outbound fetch to omit cross-realm AbortSignal. Node 24's bundled undici tightened the instanceof AbortSignal check on RequestInit.signal, which broke: (#8351) by @​jacekradko

  • Cloning framework-specific requests such as NextRequest in @clerk/backend's ClerkRequest.
  • Subclassed Requests passed through patchRequest in @clerk/react-router and @clerk/tanstack-react-start.
  • Frontend API proxying in @clerk/backend's clerkFrontendApiProxy, which forwarded the inbound request's signal to the upstream fetch. Abort propagation will be restored in a follow-up via an in-realm AbortController bridge.

• Updated dependencies [9b57986, a9f9b29]:

  • @​clerk/shared@​4.8.6

@​clerk/backend@​3.4.1

Patch Changes

• Updated dependencies [da76490]:
  • @​clerk/shared@​4.8.5

@​clerk/backend@​3.3.0

Minor Changes

• Add createBootstrapSignedOutState helper to @clerk/backend/internal. Returns a synthetic UnauthenticatedState<'session_token'> without requiring a publishable key or an AuthenticateContext. Intended for framework integrations that need to run authorization logic before real Clerk keys are available (e.g. the Next.js keyless bootstrap window). Accepts optional signInUrl, signUpUrl, isSatellite, domain, and proxyUrl so that createRedirect-driven flows (including cross-origin satellite sign-in with the __clerk_status=needs-sync handshake marker) behave correctly during bootstrap. (#8368) by @​jacekradko

@​clerk/backend@​3.2.13

Patch Changes

• Add path traversal protections in joinPaths (#8331) by @​dominic-clerk

@​clerk/backend@​3.2.12

Patch Changes

• Introduce samlConnection and oauthConfig into the EnterpriseConnection resource. (#8326) by @​LauraBeatris

• The JWT claims are verified after the signature to avoid leaking information through error messages on forged tokens. (#8332) by @​dominic-clerk

• Updated dependencies [c7b0f47, 34762e8]:

  • @​clerk/shared@​4.8.2

Changelog

Sourced from @​clerk/backend's changelog.

3.4.2

Patch Changes

• Auto-proxy FAPI requests for .vercel.app subdomains. When deployed to a .vercel.app domain without explicit proxy or domain configuration, the SDK automatically routes Frontend API requests through /__clerk on the app's own origin. This enables Clerk production mode on Vercel deployments without manual proxy setup. (#8035) by @​brkalow

• Fix Request cloning and outbound fetch to omit cross-realm AbortSignal. Node 24's bundled undici tightened the instanceof AbortSignal check on RequestInit.signal, which broke: (#8351) by @​jacekradko

  • Cloning framework-specific requests such as NextRequest in @clerk/backend's ClerkRequest.
  • Subclassed Requests passed through patchRequest in @clerk/react-router and @clerk/tanstack-react-start.
  • Frontend API proxying in @clerk/backend's clerkFrontendApiProxy, which forwarded the inbound request's signal to the upstream fetch. Abort propagation will be restored in a follow-up via an in-realm AbortController bridge.

• Updated dependencies [9b57986, a9f9b29]:

  • @​clerk/shared@​4.8.6

3.4.1

Patch Changes

• Updated dependencies [da76490]:
  • @​clerk/shared@​4.8.5

3.4.0

Minor Changes

• Add backend query to GET organization settings for an instance. (#8367) by @​dmoerner

Patch Changes

• Updated dependencies [083c4c5, dcaf694]:
  • @​clerk/shared@​4.8.4

3.3.0

Minor Changes

• Add createBootstrapSignedOutState helper to @clerk/backend/internal. Returns a synthetic UnauthenticatedState<'session_token'> without requiring a publishable key or an AuthenticateContext. Intended for framework integrations that need to run authorization logic before real Clerk keys are available (e.g. the Next.js keyless bootstrap window). Accepts optional signInUrl, signUpUrl, isSatellite, domain, and proxyUrl so that createRedirect-driven flows (including cross-origin satellite sign-in with the __clerk_status=needs-sync handshake marker) behave correctly during bootstrap. (#8368) by @​jacekradko

3.2.14

Patch Changes

• A clock skew of 0 will not fall back to the default value anymore. (#8359) by @​dominic-clerk

• Updated dependencies [d52b311]:

  • @​clerk/shared@​4.8.3

3.2.13

Patch Changes

... (truncated)

Commits

• e85de19 ci(repo): Version packages (#8413)
• e0a63f9 chore(repo): upgrade monorepo to Node.js 24 (#8351)
• 9b57986 feat(*): auto-proxy for eligible hosts (#8035)
• 2f48ea8 ci(repo): Version packages (#8401)
• 6be2ea9 ci(repo): Version packages (#8389)
• d9011b4 feat(backend): GET organization settings (#8367)
• 8a25c6a ci(repo): Version packages (#8377)
• 93855c2 refactor(nextjs): factor runHandlerWithRequestState out of baseNextMiddleware...
• 57bca7b ci(repo): Version packages (#8363)
• abaa339 fix(backend): Clock skew of 0 should not fall back (#8359)
• Additional commits viewable in compare view

Updates @clerk/shared from 4.3.0 to 4.8.6

Release notes

Sourced from @​clerk/shared's releases.

@​clerk/shared@​4.8.6

Patch Changes

• Auto-proxy FAPI requests for .vercel.app subdomains. When deployed to a .vercel.app domain without explicit proxy or domain configuration, the SDK automatically routes Frontend API requests through /__clerk on the app's own origin. This enables Clerk production mode on Vercel deployments without manual proxy setup. (#8035) by @​brkalow

• Loosen @tanstack/query-core dependency from an exact pin to a caret range (^5.90.16) so it can dedupe with consumer-installed @tanstack/react-query versions. This avoids Vite resolve.dedupe resolution failures under Bun when two divergent copies of query-core end up nested instead of hoisted. (#8417) by @​jacekradko

@​clerk/shared@​4.8.5

Patch Changes

• Generate publishable keys with unpadded Base64 encoding to match backend output. (#8400) by @​thiskevinwang

@​clerk/shared@​4.8.2

Patch Changes

• Add emailAddress, phoneNumber, and username support to signUp.update() (#8320) by @​dstaley

• Added development runtime error when mounting <OAuthconsent /> without active session. (#8335) by @​wobsoriano

@​clerk/shared@​4.8.1

Patch Changes

• Normalize URL paths in createPathMatcher to prevent route protection bypass (#8311) by @​nikosdouvlis

Changelog

Sourced from @​clerk/shared's changelog.

4.8.6

Patch Changes

• Auto-proxy FAPI requests for .vercel.app subdomains. When deployed to a .vercel.app domain without explicit proxy or domain configuration, the SDK automatically routes Frontend API requests through /__clerk on the app's own origin. This enables Clerk production mode on Vercel deployments without manual proxy setup. (#8035) by @​brkalow

• Loosen @tanstack/query-core dependency from an exact pin to a caret range (^5.90.16) so it can dedupe with consumer-installed @tanstack/react-query versions. This avoids Vite resolve.dedupe resolution failures under Bun when two divergent copies of query-core end up nested instead of hoisted. (#8417) by @​jacekradko

4.8.5

Patch Changes

• Generate publishable keys with unpadded Base64 encoding to match backend output. (#8400) by @​thiskevinwang

4.8.4

Patch Changes

• Add publishableKeyFromHost utility for resolving the correct publishable key per hostname in multi-domain setups. Re-exported from @clerk/react/internal. (#8398) by @​wobsoriano

• Fix useOrganizationList and useOrganization briefly reporting paginated resources as isLoading: false with empty data before the query starts. (#8395) by @​jacekradko

4.8.3

Patch Changes

• Fix an authorization bypass in has(), auth.protect(), and related predicates when a single call combined conditions from more than one dimension (for example, { permission, reverification } or { feature, permission }). A dimension that should have denied the request was treated as indeterminate and ignored by the combining logic, allowing other passing dimensions to carry the result and authorize the call when it should have failed closed. (#8372) by @​nikosdouvlis

  Behavior is now:

  • When a requested dimension cannot be satisfied because the underlying session data is missing, malformed, or invalid, the call denies. Previously these cases were treated as indeterminate and ignored, which could let another passing dimension carry the call.
  • Fixed a minor bug where session.checkAuthorization() was building authorization options from the membership row id instead of the organization id.

  Single-condition role, permission, feature, and plan checks (has({ permission }), etc.) are unchanged. Single-condition reverification checks are unchanged on well-formed session data; calls with a missing or malformed factorVerificationAge payload now deny where they previously returned indeterminate. Callback-form auth.protect(has => ...) is unaffected unless the callback itself invokes the affected shapes.

  Separately, auth.protect() in @clerk/nextjs previously discarded authorization params (role, permission, feature, plan, reverification) whenever the same argument object also contained unauthenticatedUrl, unauthorizedUrl, or token. TypeScript's excess-property check caught this for inline object literals but did not apply once the argument was assigned to a variable, spread, or used from JavaScript. Mixed-shape calls like auth.protect({ role: 'org:admin', unauthorizedUrl: '/denied' }) or auth.protect({ permission: 'org:X', token: 'session_token' }) now correctly enforce the authorization check instead of silently letting every authenticated caller through.

4.8.2

Patch Changes

• Add emailAddress, phoneNumber, and username support to signUp.update() (#8320) by @​dstaley

• Added development runtime error when mounting <OAuthconsent /> without active session. (#8335) by @​wobsoriano

4.8.1

Patch Changes

• Normalize URL paths in createPathMatcher to prevent route protection bypass (#8311) by @​nikosdouvlis

... (truncated)

Commits

• e85de19 ci(repo): Version packages (#8413)
• a9f9b29 fix(shared,clerk-js): loosen @​tanstack/query-core pin to caret range (#8417)
• a6a721d test(shared): pin createPathMatcher contract surface (#8416)
• 9b57986 feat(*): auto-proxy for eligible hosts (#8035)
• 2f48ea8 ci(repo): Version packages (#8401)
• da76490 fix(shared): Generate publishable keys with unpadded Base64 encoding to match...
• 6be2ea9 ci(repo): Version packages (#8389)
• 083c4c5 chore(express,react,shared): Support dynamic options callback in clerkMiddlew...
• dcaf694 fix(shared): Correct useOrganizationList/useOrganization loading state (#8395)
• 57bca7b ci(repo): Version packages (#8363)
• Additional commits viewable in compare view

Removes uuid

Updates follow-redirects from 1.15.11 to 1.16.0

Commits

• 0c23a22 Release version 1.16.0 of the npm package.
• 844c4d3 Add sensitiveHeaders option.
• 5e8b8d0 ci: add Node.js 24.x to the CI matrix
• 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
• 86dc1f8 Sanitizing input.
• See full diff in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates next from 14.2.15 to 15.5.15

Release notes

Sourced from next's releases.

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

... (truncated)

Commits

• 2275bd8 v16.2.4
• e073983 Adding more system info to the 'initialize project' trace (#92427)
• 8a540b5 Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92...
• 2f5343f Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• 2ad9d3f turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during ...
• 6f3808e Compiler: Support boolean and number primtives in next.config defines (#92731)
• fbc7684 Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• 805d758 Turbopack: fix filesystem watcher config not applying follow_symlinks(false) ...
• 1056fae chore: Bump reqwest to 0.13.2 (#92713)
• d5f649b v16.2.3
• Additional commits viewable in compare view

Updates next from 14.2.0 to 15.5.15

Release notes

Sourced from next's releases.

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

... (truncated)

Commits

• 2275bd8 v16.2.4
• e073983 Adding more system info to the 'initialize project' trace (#92427)
• 8a540b5 Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92...
• 2f5343f Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• 2ad9d3f turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during ...
• 6f3808e Compiler: Support boolean and number primtives in next.config defines (#92731)
• fbc7684 Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• 805d758 Turbopack: fix filesystem watcher config not applying follow_symlinks(false) ...
• 1056fae chore: Bump reqwest to 0.13.2 (#92713)
• d5f649b v16.2.3
• Additional commits viewable in compare view

Updates tar from 6.2.1 to 7.5.13

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• d6611ae 7.5.13
• 119c401 fix(extract): prevent raced symlink writes outside cwd
• 2a294d3 7.5.12
• 01082a4 fix: reject top promise on floating addFilesAsync rejections
• dd1c36a linting
• 35a1ffe doc: more clarity in security warning
• bf776f6 7.5.11
• f48b5fa prevent escaping symlinks with drive-relative paths
• 97cff15 docs: more security info
• 2b72abc 7.5.10
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates hono from 3.12.12 to 4.12.16

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or cr...

Description has been truncated