chore(deps): bump the npm-minor-patch group across 1 directory with 21 updates

[dependabot]

Bumps the npm-minor-patch group with 19 updates in the /web-ui directory:

Package	From	To
@radix-ui/react-alert-dialog	1.1.15	1.1.17
@radix-ui/react-checkbox	1.3.3	1.3.5
@radix-ui/react-progress	1.1.8	1.1.10
@radix-ui/react-scroll-area	1.2.10	1.2.12
@radix-ui/react-select	2.2.6	2.3.1
@radix-ui/react-tabs	1.1.13	1.1.15
@radix-ui/react-tooltip	1.2.8	1.2.10
@tailwindcss/typography	0.5.19	0.5.20
@xterm/addon-fit	0.10.0	0.11.0
axios	1.16.0	1.18.0
next	16.2.6	16.2.9
react	19.2.4	19.2.7
@types/react	19.2.11	19.2.17
react-dom	19.2.4	19.2.7
swr	2.4.0	2.4.1
@eslint/eslintrc	3.3.3	3.3.5
@next/eslint-plugin-next	16.1.6	16.2.9
@playwright/test	1.58.2	1.61.0
msw	2.12.8	2.14.6

Updates @radix-ui/react-alert-dialog from 1.1.15 to 1.1.17

Changelog

Sourced from @​radix-ui/react-alert-dialog's changelog.

1.1.17

• Removed dev-only warnings for dialogs when title and/or description is not rendered.
• Updated dependencies: @radix-ui/react-dialog@1.1.17, @radix-ui/react-primitive@2.1.6

1.1.16

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-dialog@1.1.16, @radix-ui/react-slot@1.2.5, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-alert-dialog since your current version.

Updates @radix-ui/react-checkbox from 1.3.3 to 1.3.5

Changelog

Sourced from @​radix-ui/react-checkbox's changelog.

1.3.5

• Updated dependencies: @radix-ui/react-primitive@2.1.6

1.3.4

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-use-size@1.1.2

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-checkbox since your current version.

Updates @radix-ui/react-dialog from 1.1.15 to 1.1.17

Changelog

Sourced from @​radix-ui/react-dialog's changelog.

1.1.17

• Removed dev-only warnings for dialogs when title and/or description is not rendered.
• Fixed Dismissable Layer so outside interactions stopped by extension UI overlays do not dismiss dialogs or popovers.
• Updated dependencies: @radix-ui/react-slot@1.3.0, @radix-ui/react-dismissable-layer@1.1.13, @radix-ui/react-primitive@2.1.6, @radix-ui/react-focus-scope@1.1.10, @radix-ui/react-portal@1.1.12

1.1.16

• Fixed disabled pointer events in closed dialogs
• Fixed a bug where iOS text selection and editing on HTML inputs within react-dialog were broken
• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-slot@1.2.5, @radix-ui/react-focus-guards@1.1.4, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-focus-scope@1.1.9, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-dialog since your current version.

Updates @radix-ui/react-progress from 1.1.8 to 1.1.10

Changelog

Sourced from @​radix-ui/react-progress's changelog.

1.1.10

• Updated dependencies: @radix-ui/react-primitive@2.1.6

1.1.9

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-progress since your current version.

Updates @radix-ui/react-scroll-area from 1.2.10 to 1.2.12

Changelog

Sourced from @​radix-ui/react-scroll-area's changelog.

1.2.12

• Stabilized the viewport style tag unless the nonce changes.
• Fixed Duplicate index signature errors that surfaced when consuming multiple packages together.
• Updated dependencies: @radix-ui/react-primitive@2.1.6

1.2.11

• Fixed missing data-state attribute for Scroll Area scrollbars
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-direction@1.1.2, @radix-ui/number@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-layout-effect@1.1.2

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-scroll-area since your current version.

Updates @radix-ui/react-select from 2.2.6 to 2.3.1

Changelog

Sourced from @​radix-ui/react-select's changelog.

2.3.1

• Allowed a Select.Item with an empty string value to act as a "clear" option. Selecting it resets the selection back to the placeholder, restoring the native <select> behavior for optional selects.
• Fixed a bug where typeahead search resulted in focusing an element that no longer exists.
• Updated dependencies: @radix-ui/react-slot@1.3.0, @radix-ui/react-popper@1.3.1, @radix-ui/react-dismissable-layer@1.1.13, @radix-ui/react-primitive@2.1.6, @radix-ui/react-collection@1.1.10, @radix-ui/react-focus-scope@1.1.10, @radix-ui/react-portal@1.1.12, @radix-ui/react-visually-hidden@1.2.6

2.3.0

• Added unstable Provider and BubbleInput parts to Select. Select.unstable_Provider sets up Select's context and state without implicitly rendering the hidden native select, and Select.unstable_BubbleInput exposes that previously internal native select so consumers can recompose it explicitly. Select continues to render both by default.
• Added support for presence-based exit animations in Select
• Fixed Select hidden input so it submits empty string when no value is selected
• Fixed placeholder rendering when a controlled Select is reset to an empty value
• Added missing __selectScope prop to PopperContent component
• Fixed Select closing unexpectedly after touch-scrolling its content when rendered inside an open shadow DOM
• Fixed a bug where iOS text selection and editing on HTML inputs within react-dialog were broken
• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Fixed SelectValue logging invalid prop errors when used with both asChild and a placeholder
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-popper@1.3.0, @radix-ui/react-slot@1.2.5, @radix-ui/react-focus-guards@1.1.4, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/react-collection@1.1.9, @radix-ui/react-direction@1.1.2, @radix-ui/number@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-focus-scope@1.1.9, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-visually-hidden@1.2.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-select since your current version.

Updates @radix-ui/react-slot from 1.2.4 to 1.3.0

Changelog

Sourced from @​radix-ui/react-slot's changelog.

1.3.0

Added generic type arguments for SlotProps and createSlot

SlotProps and createSlot now accept generic type arguments to specify the type of element a slot should render, as well as its props.

const Slot = createSlot<HTMLButtonElement, MyCustomButtonProps>("Slot");

1.2.5

• Fixed infinite re-render loop in React 19 caused by Slot creating a new ref callback on every render
• Added support for nested Slottable via a render prop, so a slotted element can be wrapped while still merging Slot props and refs onto it
• Added repository.directory to all package.json files
• Improved error messages for invalid slot children
• Updated dependencies: @radix-ui/react-compose-refs@1.1.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-slot since your current version.

Updates @radix-ui/react-tabs from 1.1.13 to 1.1.15

Changelog

Sourced from @​radix-ui/react-tabs's changelog.

1.1.15

• Updated dependencies: @radix-ui/react-primitive@2.1.6, @radix-ui/react-roving-focus@1.1.13

1.1.14

• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-roving-focus@1.1.12, @radix-ui/react-use-controllable-state@1.2.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-tabs since your current version.

Updates @radix-ui/react-tooltip from 1.2.8 to 1.2.10

Changelog

Sourced from @​radix-ui/react-tooltip's changelog.

1.2.10

• Updated dependencies: @radix-ui/react-slot@1.3.0, @radix-ui/react-popper@1.3.1, @radix-ui/react-dismissable-layer@1.1.13, @radix-ui/react-primitive@2.1.6, @radix-ui/react-portal@1.1.12, @radix-ui/react-visually-hidden@1.2.6

1.2.9

• Fixed runtime error when event target is non-Node
• Fixed a Tooltip bug so that skipDelayDuration={0} works as expected. Previously, the open delay could still be skipped when moving between triggers.
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-popper@1.3.0, @radix-ui/react-slot@1.2.5, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-visually-hidden@1.2.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-tooltip since your current version.

Updates @tailwindcss/typography from 0.5.19 to 0.5.20

Release notes

Sourced from @​tailwindcss/typography's releases.

v0.5.20

Fixed

• Support installing with stable versions of Tailwind CSS v4 (#424)

Changelog

Sourced from @​tailwindcss/typography's changelog.

[0.5.20] - 2026-06-08

Fixed

• Support installing with stable versions of Tailwind CSS v4 (#424)

Commits

• e3714a3 0.5.20
• f34283d Update tailwindcss peer dependency version (#424)
• 543de42 bump Node.js
• 881b048 Setup OIDC (#423)
• 74a3da7 Fix typo in README.md (#413)
• 3963dfe Bump js-yaml from 3.14.1 to 3.14.2 (#410)
• abf85cc className instead of classname (#406)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/typography since your current version.

Updates @xterm/addon-fit from 0.10.0 to 0.11.0

Commits

• ce1d788 Bumped bower version to 0.11
• 01e48b7 Revamped the attach addon
• a1717fd Update docs index
• c9f5f23 Started documenting methods
• 21dde3c Updated version, in docs
• 73bf6d1 Started documenting events
• See full diff in compare view

Updates axios from 1.16.0 to 1.18.0

Release notes

Sourced from axios's releases.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#10984)
• @​eyupcanakman (#10899)
• @​Adi-Beker (#10995)

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#10984)
• @​eyupcanakman (#10899)
• @​Adi-Beker (#10995)

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Commits

• 2d06f96 chore(release): prepare release 1.18.0 (#11003)
• 32fc489 fix: malformed http urls (#11000)
• b40ce49 chore(deps-dev): bump the development_dependencies group with 10 updates (#10...
• fe964f9 docs: mark proxy config as Node.js only (#10995)
• 5f229d2 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions ...
• fae9d4e docs: clarify package update PR policy (#10992)
• 28ab2ce chore(deps-dev): bump the development_dependencies group with 2 updates (#10989)
• a8e4f13 fix(core): keep default validateStatus when request passes undefined (#10899)
• 614f455 docs: publish v1.17.0 release notes (#10988)
• 6bb12c1 fix: custom auth headers not stripped on cross-origin redirects (#10892)
• Additional commits viewable in compare view

Updates next from 16.2.6 to 16.2.9

Release notes

Sourced from next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

• f37fad9 v16.2.9
• d9aaaed [cd] Allow tagging semver-lower releases as @latest if @latest po… (#94627)
• 6f16804 v16.2.8
• 0dbc1d5 [16.2.x][cd] Ensure release can be triggered on old branches (#94598)
• 90e3c81 [16.2.x] Align Actions dependencies with Canary (#94339)
• 83f402c [16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)
• 411c455 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• Additional commits viewable in compare view

Updates react from 19.2.4 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.

Updates @types/react from 19.2.11 to 19.2.17

Commits

• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.

Updates swr from 2.4.0 to 2.4.1

Commits

• 5fa2952 2.4.1
• 825092b fix: Fix #4221 (#4223)
• acd241e Remove deprecated downlevelIteration option (#4216)
• See full diff in compare view

Updates @eslint/eslintrc from 3.3.3 to 3.3.5

Release notes

Sourced from @​eslint/eslintrc's releases.

eslintrc: v3.3.5

3.3.5 (2026-03-04)

Bug Fixes

• update dependency minimatch to ^3.1.5 (#227) (3dc2381)

eslintrc: v3.3.4

3.3.4 (2026-02-22)

Bug Fixes

• update ajv to 6.14.0 to address security vulnerabilities (#221) (9139140)
• update minimatch to 3.1.3 to address security vulnerabilities (#224) (30339d0)

Changelog

Sourced from @​eslint/eslintrc's changelog.

3.3.5 (2026-03-04)

Bug Fixes

• update dependency minimatch to ^3.1.5 (#227) (3dc2381)

3.3.4 (2026-02-22)

Bug Fixes

• update ajv to 6.14.0 to address security vulnerabilities (#221) (9139140)
• update minimatch to 3.1.3 to address security vulnerabilities (#224) (30339d0)

Commits

• 5135df1 chore: release 3.3.5 🚀 (#228)
• c109d69 docs: Update README sponsors
• 3dc2381 fix: update dependency minimatch to ^3.1.5 (#227)
• 81385b6 ci: pin Node.js 25.6.1 (#226)
• 4c45e24 chore: release 3.3.4 🚀 (#223)
• 30339d0 fix: update minimatch to 3.1.3 to address security vulnerabilities (#224)
• 9139140 fix: update ajv to 6.14.0 to address security vulnerabilities (#221)
• 245ada5 docs: Update README sponsors
• 78b1a0e docs: Update README sponsors
• df32fff docs: Update README sponsors
• Additional commits viewable in compare view

Updates @next/eslint-plugin-next from 16.1.6 to 16.2.9

Release notes

Sourced from @​next/eslint-plugin-next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

... (truncated)

Commits

• f37fad9 v16.2.9
• 6f16804 v16.2.8
• 411c455 v16.2.7
• ee6e79b v16.2.6
• 766148f v16.2.5
• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• ed7d2ce v16.2.1
• c5c94df v16.2.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/eslint-plugin-next since your current version.

Updates @playwright/test from 1.58.2 to 1.61.0

Release notes

Sourced from @​playwright/test's releases.

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();
// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
id: credentialId,
userHandle,
privateKey,
publicKey,
});
await context.credentials.install();
const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

• a...

  Description has been truncated

[claude]

PR #696 Review -- Dependabot npm minor/patch bump (web-ui, 19 packages)

Overview: Routine automated dependency update across the web-ui directory. Only package.json and package-lock.json are changed -- no application code is touched.

Notable Updates:

• next: 16.2.6 to 16.2.9 (Low - patch)
• react / react-dom: 19.2.4 to 19.2.7 (Low - patch)
• swr: 2.2.4 to 2.4.1 (Low - minor)
• axios: 1.16.0 to 1.18.0 (Low - minor, security fixes included)
• msw: 2.1.5 to 2.14.6 (Medium - large minor jump, see below)
• @playwright/test: 1.58.2 to 1.61.0 (Low - minor)
• @xterm/addon-fit: 0.10.0 to 0.11.0 (Low - minor)
• Radix UI 7 packages: various patches (Low)

Points to Note:

1. MSW transitive deps raised Node.js minimum requirements

msw 2.14.6 pulls in updated @inquirer/* packages (from 1.x/5.x to 2.x/6.x), mute-stream (2.x to 3.x), and headers-polyfill (4.x to 5.x). The new @inquirer/* packages require node >=23.5.0 or ^22.13.0 or ^20.17.0, up from the previous requirement of simply >=18. If CI or any dev environment uses Node 18-20.16, msw CLI prompts (e.g., npx msw init) would fail. Since msw is in devDependencies only and @InQuirer packages are used only for msw's interactive setup script (not the actual test harness), this is unlikely to break tests -- but worth confirming your CI Node version is >=20.17 or >=22.13.

2. swr 2.2.4 to 2.4.1 skips 2.3.x

This is expected -- package.json uses ^2.2.4 so Dependabot correctly picks the latest 2.x. No breaking changes are expected in this range.

3. axios 1.18 includes security-related fixes

Updating axios is a positive change. No API breaking changes in this minor range.

4. @xterm/addon-fit 0.10 to 0.11

This project uses XTerm.js for interactive agent sessions (/sessions/[id]). The fit addon handles terminal resizing. The 0.10 to 0.11 bump is minor but should be smoke-tested against terminal resize behavior in the sessions UI if not already covered by automated tests.

5. peer flag changes in package-lock.json

Several packages (react, react-dom, tailwindcss, zod, typescript) have had their peer: true flag added or removed. This reflects npm correctly re-resolving the dependency graph and is expected in a lock file refresh -- not a concern.

Test Coverage Assessment:

CLAUDE.md specifies these must pass before merging:

• cd web-ui && npm test
• cd web-ui && npm run build

The frontend-tests CI job should cover both gates. No application code changed, so unit test logic is unaffected. Safe to merge once CI passes.

Security: No known CVEs are introduced. The axios and msw updates include bug and security fixes that improve overall posture.

Verdict: Approve once CI is green. One action item: confirm the CI Node.js version is >=20.17 (to satisfy the updated @inquirer/* constraint pulled in by msw's transitive deps) and that frontend-tests passes.