Bump the prod-minor-updates group across 1 directory with 12 updates by dependabot[bot] · Pull Request #628 · Lokowitz/pangolin

dependabot · 2026-04-30T10:14:40Z

Bumps the prod-minor-updates group with 12 updates in the / directory:

Package	From	To
@asteasolutions/zod-to-openapi	`8.4.1`	`8.5.0`
@aws-sdk/client-s3	`3.1011.0`	`3.1039.0`
@faker-js/faker	`10.3.0`	`10.4.0`
@tanstack/react-query	`5.90.21`	`5.100.6`
axios	`1.13.5`	`1.15.2`
express-rate-limit	`8.3.0`	`8.4.1`
next-intl	`4.8.3`	`4.11.0`
posthog-node	`5.28.0`	`5.31.0`
react-hook-form	`7.71.2`	`7.74.0`
resend	`6.9.2`	`6.12.2`
ws	`8.19.0`	`8.20.0`
zod	`4.3.6`	`4.4.1`

Updates @asteasolutions/zod-to-openapi from 8.4.1 to 8.5.0

Release notes

Sourced from @asteasolutions/zod-to-openapi's releases.

v8.5.0

What's Changed

fix: allow nested discriminated unions as they are supported in Zod v4 (#239)

Full Changelog: asteasolutions/zod-to-openapi@v8.4.3...v8.5.0

v8.4.3

What's Changed

Bump rollup from 4.22.4 to 4.59.0

Full Changelog: asteasolutions/zod-to-openapi@v8.4.2...v8.4.3

v8.4.2

What's Changed

Bump minimatch

Full Changelog: asteasolutions/zod-to-openapi@v8.4.1...v8.4.2

Commits

2fb24b0 Release 8.5.0
edf336e Merge pull request #367 from dirkluijk/support-discriminated-unions
2318125 fix: allow nested discriminated unions as they are supported in Zod v4
34953fa Release 8.4.3
d2c22df Merge pull request #364 from asteasolutions/dependabot/npm_and_yarn/rollup-4....
b4f6a66 Release 8.4.2
ab21ef4 Bump rollup from 4.22.4 to 4.59.0
6a115de Merge pull request #365 from asteasolutions/dependabot/npm_and_yarn/multi-acd...
fad449a Bump minimatch
See full diff in compare view

Updates @aws-sdk/client-s3 from 3.1011.0 to 3.1039.0

Release notes

Sourced from @aws-sdk/client-s3's releases.

v3.1039.0

3.1039.0(2026-04-29)

Chores

codegen:

smithy-aws-typescript-codegen 0.49.0 (#7972) (799fdc7b)

sync for adaptive retry fixes (#7970) (3dfb72b7)

xml-builder: manual version bump for 3.972.21 release (#7969) (99bfb4b8)

Documentation Changes

client-ecr: Removes support for registry policy V1 (0fc28e9f)

New Features

clients: update client endpoints as of 2026-04-29 (2c0c0979)

client-workspaces-web: Allow admins to configure IPv6 ranges on IP Access Settings. (a1d8beb2)

client-account: Adds AccountState in the response for the GetAccountInformation API. Each state represents a specific phase in the account lifecycle. Use this information to manage account access, automate workflows, or trigger actions based on account state changes. (dc283531)

client-gamelift: Amazon GameLift Servers adds a new DescribeContainerGroupPortMappings API for container fleets, making it easy to discover which connection ports map to your container ports without needing to remotely access the compute. (71e95d8f)

client-transfer: This launch will increase the limits for customers to list the contents from the remote directories from 10k to 200k. (58052c95)

client-cloudfront: Amazon CloudFront now supports cache tag. Tag objects via response headers and invalidate all matching objects in a single request, replacing manual URL tracking and broad wildcards. (fac83987)

client-mediapackagev2: This feature adds configuration for specifying SCTE marker handling and allow greater control over generated manifest and segment URIs (cd814f6b)

client-bedrock-agentcore-control: Adds configuration bundles for versioned, immutable agent configuration snapshots with branch-based lineage (480b6517)

client-bedrock-agentcore: Adds batch evaluation for running evaluators against multiple agent sessions with server-side orchestration, AI-powered recommendations for optimizing system prompts and tool descriptions, and AB testing with controlled traffic splitting and statistical significance reporting (c9db8716)

client-deadline: Adds support for rtx-pro-server-6000 GPU accelerator for service-managed fleets. (86aab769)

Bug Fixes

xml-builder: inline nodable/entities for dist format compatibility (#7968) (02b6be6b)

Tests

client-dynamodb:

enable verbose e2e test mode (#7974) (97d9277e)

e2e test table cleanup (#7971) (8009782e)

For list of updated packages, view updated-packages.md in assets-3.1039.0.zip

v3.1038.0

3.1038.0(2026-04-27)

Chores

codegen: sync for typed waiter-result values (#7965) (e9f8d8a9)

Documentation Changes

... (truncated)

Changelog

Sourced from @aws-sdk/client-s3's changelog.

3.1039.0 (2026-04-29)

Note: Version bump only for package @aws-sdk/client-s3

3.1038.0 (2026-04-27)

Bug Fixes

xml-builder: use xml 1.1 parsing behavior for entities (#7964) (7a30bce)

3.1037.0 (2026-04-24)

Note: Version bump only for package @aws-sdk/client-s3

3.1036.0 (2026-04-23)

Note: Version bump only for package @aws-sdk/client-s3

3.1035.0 (2026-04-22)

Bug Fixes

client-s3: retry errors with 200 status code (#7945) (7d9d8d1)

Features

client-s3: This release adds five additional checksum algorithms for S3 data integrity (MD5, SHA-512, XXHash3, XXHash64, XXHash128) and support for S3 Inventory on directory buckets (S3 Express One Zone). (41a6a59)

... (truncated)

Commits

51c8215 Publish v3.1039.0
3dfb72b chore(codegen): sync for adaptive retry fixes (#7970)
3fbf6c5 Publish v3.1038.0
e9f8d8a chore(codegen): sync for typed waiter-result values (#7965)
7a30bce fix(xml-builder): use xml 1.1 parsing behavior for entities (#7964)
7babd8b Publish v3.1037.0
46e4ac5 Publish v3.1036.0
107aefc chore(codegen): sync for http2 session closure, retry longpoll backoff, and f...
d8fbfbc Publish v3.1035.0
41a6a59 feat(client-s3): This release adds five additional checksum algorithms for S3...
Additional commits viewable in compare view

Updates @faker-js/faker from 10.3.0 to 10.4.0

Release notes

Sourced from @faker-js/faker's releases.

v10.4.0

What's Changed

feat(locale): add Norwegian (nb_NO) country definition by @TomSchrier in faker-js/faker#3714

refactor(docs): share refreshable code logic by @ST-DDT in faker-js/faker#3739

feat(locale): add Japanese cat breed definitions by @atzzCokeK in faker-js/faker#3716

feat(food): add plant-based dish variety by @stuckvgn in faker-js/faker#3745

fix(locales): correct typos and capitalization in es_MX street names by @quserforgitp in faker-js/faker#3737

feat(locale): add Japanese bear definitions by @atzzCokeK in faker-js/faker#3720

feat: fi locale phone numbers by @andeke07 in faker-js/faker#3747

refactor(hacker): use helpers.fake() instead of helpers.mustache() in phrase() by @atzzCokeK in faker-js/faker#3736

chore(deps): update all non-major dependencies by @renovate[bot] in faker-js/faker#3752

chore(deps): update dependency @vitest/eslint-plugin to v1.6.9 by @renovate[bot] in faker-js/faker#3749

chore(deps): update eslint by @renovate[bot] in faker-js/faker#3751

feat(locale): add Japanese cattle breed definitions by @atzzCokeK in faker-js/faker#3717

feat(locale): add Japanese bird definitions by @atzzCokeK in faker-js/faker#3719

feat(locale): add Japanese fish definitions by @atzzCokeK in faker-js/faker#3721

chore(deps): lock file maintenance by @renovate[bot] in faker-js/faker#3738

chore(deps): update devdependencies by @renovate[bot] in faker-js/faker#3750

chore(deps): update all non-major dependencies by @renovate[bot] in faker-js/faker#3754

refactor(locale): filter and cleanup PersonEntryDefintions data by @ST-DDT in faker-js/faker#3266

feat(locale): add Japanese horse breed definitions by @atzzCokeK in faker-js/faker#3718

docs: migrate vitepress from v1 to v2.0.0-alpha.17 by @Shinigami92 in faker-js/faker#3757

chore(deps): update devdependencies by @renovate[bot] in faker-js/faker#3755

chore(deps): lock file maintenance by @renovate[bot] in faker-js/faker#3756

chore(deps): update mcr.microsoft.com/devcontainers/typescript-node:24 docker digest to 3ff0e3f by @renovate[bot] in faker-js/faker#3762

chore(deps): update eslint by @renovate[bot] in faker-js/faker#3763

chore(deps): update devdependencies by @renovate[bot] in faker-js/faker#3764

chore(deps): update vitest by @renovate[bot] in faker-js/faker#3765

chore(deps): update pnpm/action-setup action to v5 by @renovate[bot] in faker-js/faker#3766

chore(deps): update all non-major dependencies by @renovate[bot] in faker-js/faker#3767

chore(deps): lock file maintenance by @renovate[bot] in faker-js/faker#3758

chore(release): 10.4.0 by @fakerjs-bot in faker-js/faker#3768

New Contributors

@stuckvgn made their first contribution in faker-js/faker#3745

@quserforgitp made their first contribution in faker-js/faker#3737

@andeke07 made their first contribution in faker-js/faker#3747

Full Changelog: faker-js/faker@v10.3.0...v10.4.0

Changelog

Sourced from @faker-js/faker's changelog.

10.4.0 (2026-03-23)

New Locales

locale: add Japanese bear definitions (#3720) (2a4b15c)

locale: add Japanese bird definitions (#3719) (dc31ff8)

locale: add Japanese cat breed definitions (#3716) (54af8a8)

locale: add Japanese cattle breed definitions (#3717) (c2c7342)

locale: add Japanese fish definitions (#3721) (15fc361)

locale: add Japanese horse breed definitions (#3718) (e02536e)

locale: add Norwegian (nb_NO) country definition (#3714) (614b4e9)

Features

fi locale phone numbers (#3747) (7afa8b5)

food: add plant-based dish variety (#3745) (41edf49)

Changed Locales

locale: filter and cleanup PersonEntryDefintions data (#3266) (67defc8)

Bug Fixes

locales: correct typos and capitalization in es_MX street names (#3737) (2b32c28)

Commits

b8abfc6 chore(release): 10.4.0 (#3768)
7108155 chore(deps): lock file maintenance (#3758)
5e6cf2b chore(deps): update all non-major dependencies (#3767)
91c944b chore(deps): update pnpm/action-setup action to v5 (#3766)
cb18595 chore(deps): update vitest (#3765)
af25d6b chore(deps): update devdependencies (#3764)
2e72c27 chore(deps): update eslint (#3763)
9a18091 chore(deps): update mcr.microsoft.com/devcontainers/typescript-node:24 docker...
aa7b6c0 chore(deps): lock file maintenance (#3756)
89ba345 chore(deps): update devdependencies (#3755)
Additional commits viewable in compare view

Updates @tanstack/react-query from 5.90.21 to 5.100.6

Release notes

Sourced from @tanstack/react-query's releases.

@tanstack/react-query-devtools@5.100.6

Patch Changes

Updated dependencies []:

@tanstack/query-devtools@5.100.6

@tanstack/react-query@5.100.6

@tanstack/react-query-next-experimental@5.100.6

Patch Changes

Updated dependencies []:

@tanstack/react-query@5.100.6

@tanstack/react-query-persist-client@5.100.6

Patch Changes

Updated dependencies []:

@tanstack/query-persist-client-core@5.100.6

@tanstack/react-query@5.100.6

@tanstack/react-query@5.100.6

Patch Changes

Updated dependencies []:

@tanstack/query-core@5.100.6

@tanstack/react-query-devtools@5.100.5

Patch Changes

Updated dependencies []:

@tanstack/query-devtools@5.100.5

@tanstack/react-query@5.100.5

@tanstack/react-query-next-experimental@5.100.5

Patch Changes

Updated dependencies []:

@tanstack/react-query@5.100.5

@tanstack/react-query-persist-client@5.100.5

Patch Changes

Updated dependencies []:

@tanstack/query-persist-client-core@5.100.5

@tanstack/react-query@5.100.5

@tanstack/react-query@5.100.5

Patch Changes

Updated dependencies [a53ef97]:

... (truncated)

Changelog

Sourced from @tanstack/react-query's changelog.

5.100.6

Patch Changes

Updated dependencies []:

@tanstack/query-core@5.100.6

5.100.5

Patch Changes

Updated dependencies [a53ef97]:

@tanstack/query-core@5.100.5

5.100.4

Patch Changes

Updated dependencies []:

@tanstack/query-core@5.100.4

5.100.3

Patch Changes

fix(suspense): skip calling combine when queries would suspend (#10576)

Updated dependencies [f85d825]:

@tanstack/query-core@5.100.3

5.100.2

Patch Changes

Updated dependencies [ea4497e, d6a7bf3, 645d5d1]:

@tanstack/query-core@5.100.2

5.100.1

Patch Changes

Updated dependencies [1bb0d23]:

@tanstack/query-core@5.100.1

5.100.0

Patch Changes

Updated dependencies [6540a41]:

@tanstack/query-core@5.100.0

... (truncated)

Commits

87f7ccf ci: Version Packages (#10604)
441204b ci: Version Packages (#10582)
55afb3e ci: Version Packages (#10581)
fe287cc ci: Version Packages (#10579)
f85d825 Feature/use suspense queries combine (#10576)
93b2845 ci: Version Packages (#10575)
ea4497e fix(query-core): stop wrapping persister generics in NoInfer (#10510)
2f9527e ci: Version Packages (#10568)
ad517e5 ci: Version Packages (#10567)
6540a41 feat(core): callback for retryOnMount (#10515)
Additional commits viewable in compare view

Updates axios from 1.13.5 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)

SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)

Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)

HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)

Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)

Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)

buildFullPath: Uses strict equality in the base/relative URL check. (#7252)

AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)

Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)

SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)

Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

5829343 chore(release): prepare release 1.15.2 (#10789)
4709a48 fix: added fix for memory leak in sockets (#10788)
be33360 chore: update changelog (#10781)
4791514 fix: more header pollutions (#10779)
6feafcf fix: socket issue (#10777)
302e273 docs: update docs, add a couple actions etc (#10776)
ac42446 chore(release): prepare release 1.15.1 (#10767)
908f220 docs: update threatmodel (#10765)
f93f815 docs: added docs around potential decompressions bomb (#10763)
1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates express-rate-limit from 8.3.0 to 8.4.1

Release notes

Sourced from express-rate-limit's releases.

v8.4.1

You can view the changelog here.

v8.4.0

You can view the changelog here.

v8.3.2

You can view the changelog here.

v8.3.1

You can view the changelog here.

Commits

69568d4 8.4.1
c686acd v8.4.1 changelog
ba71353 test: bump timeout in flakey skipFailedRequests test (#618)
dd4c894 feat: allow usage of custom logger (#616)
2bb343c resolve Jest timeout for server-based tests (#617)
c4dbb42 8.3.2
8f1cc66 v8.3.2 changelog
601b87f Fix skipFailedRequests for for connections that close very early (#611)
014c2f3 chore(deps-dev): bump the development-dependencies group with 6 updates (#612)
4e8b18b Remove Zuplo sponsorship details from README (#613)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for express-rate-limit since your current version.

Updates next-intl from 4.8.3 to 4.11.0

Release notes

Sourced from next-intl's releases.

v4.11.0

4.11.0 (2026-04-28)

Features

Add displayName to useFormatter (#2285) (3666aa8) – by @roderickhsiao

v4.10.1

4.10.1 (2026-04-28)

Bug Fixes

Set redirect domain if x-forwarded-host header exists (#2281) (70d35db) – by @FourwingsY

v4.10.0

4.10.0 (2026-04-28)

Features

Add per-domain localePrefix override support (#2273) (3e9febf) – by @frankmatheron

v4.9.2

4.9.2 (2026-04-27)

Bug Fixes

Prototype safety guards for precompile: true (#2307) (c0bf0ee) – by @amannn

v4.9.1

4.9.1 (2026-04-10)

Bug Fixes

Improve middleware pathname validation (#2304) (1c80b66) – by @amannn

v4.9.0

4.9.0 (2026-04-01)

Features

Support transitionTypes on Link (#2302) (02811f5) – by @amannn

v4.8.4

4.8.4 (2026-03-31)

Bug Fixes

Remove TypeScript peer dependency and update examples to TypeScript v6 (#2293) (5e7bcd7) – by @wojtekmaj

Changelog

Sourced from next-intl's changelog.

4.11.0 (2026-04-28)

Features

Add displayName to useFormatter (#2285) (3666aa8) – by @roderickhsiao

4.10.1 (2026-04-28)

Bug Fixes

Set redirect domain if x-forwarded-host header exists (#2281) (70d35db) – by @FourwingsY

4.10.0 (2026-04-28)

Features

Add per-domain localePrefix override support (#2273) (3e9febf) – by @frankmatheron

4.9.2 (2026-04-27)

Bug Fixes

Prototype safety guards for precompile: true (#2307) (c0bf0ee) – by @amannn

4.9.1 (2026-04-10)

Bug Fixes

Improve middleware pathname validation (#2304) (1c80b66) – by @amannn

4.9.0 (2026-04-01)

Features

Support transitionTypes on Link (#2302) (02811f5) – by @amannn

4.8.4 (2026-03-31)

Bug Fixes

Remove TypeScript peer dependency and update examples to TypeScript v6 (#2293) (5e7bcd7) – by @wojtekmaj

Commits

e68a591 v4.11.0
3666aa8 feat: Add displayName to useFormatter (#2285)
11d9ce8 v4.10.1
70d35db fix: Set redirect domain if x-forwarded-host header exists (#2281)
d4648b8 v4.10.0
3e9febf feat: Add per-domain localePrefix override support (#2273)
e1b1825 v4.9.2
c0bf0ee fix: Prototype safety guards for precompile: true (#2307)
b4aa538 v4.9.1
1c80b66 fix: Improve middleware pathname validation (#2304)
Additional commits viewable in com...
Description has been truncated

Bumps the prod-minor-updates group with 12 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@asteasolutions/zod-to-openapi](https://github.com/asteasolutions/zod-to-openapi) | `8.4.1` | `8.5.0` | | [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3) | `3.1011.0` | `3.1039.0` | | [@faker-js/faker](https://github.com/faker-js/faker) | `10.3.0` | `10.4.0` | | [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.90.21` | `5.100.6` | | [axios](https://github.com/axios/axios) | `1.13.5` | `1.15.2` | | [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `8.3.0` | `8.4.1` | | [next-intl](https://github.com/amannn/next-intl) | `4.8.3` | `4.11.0` | | [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) | `5.28.0` | `5.31.0` | | [react-hook-form](https://github.com/react-hook-form/react-hook-form) | `7.71.2` | `7.74.0` | | [resend](https://github.com/resend/resend-node) | `6.9.2` | `6.12.2` | | [ws](https://github.com/websockets/ws) | `8.19.0` | `8.20.0` | | [zod](https://github.com/colinhacks/zod) | `4.3.6` | `4.4.1` | Updates `@asteasolutions/zod-to-openapi` from 8.4.1 to 8.5.0 - [Release notes](https://github.com/asteasolutions/zod-to-openapi/releases) - [Commits](asteasolutions/zod-to-openapi@v8.4.1...v8.5.0) Updates `@aws-sdk/client-s3` from 3.1011.0 to 3.1039.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1039.0/clients/client-s3) Updates `@faker-js/faker` from 10.3.0 to 10.4.0 - [Release notes](https://github.com/faker-js/faker/releases) - [Changelog](https://github.com/faker-js/faker/blob/next/CHANGELOG.md) - [Commits](faker-js/faker@v10.3.0...v10.4.0) Updates `@tanstack/react-query` from 5.90.21 to 5.100.6 - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.6/packages/react-query) Updates `axios` from 1.13.5 to 1.15.2 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.13.5...v1.15.2) Updates `express-rate-limit` from 8.3.0 to 8.4.1 - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](express-rate-limit/express-rate-limit@v8.3.0...v8.4.1) Updates `next-intl` from 4.8.3 to 4.11.0 - [Release notes](https://github.com/amannn/next-intl/releases) - [Changelog](https://github.com/amannn/next-intl/blob/main/CHANGELOG.md) - [Commits](amannn/next-intl@v4.8.3...v4.11.0) Updates `posthog-node` from 5.28.0 to 5.31.0 - [Release notes](https://github.com/PostHog/posthog-js/releases) - [Changelog](https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md) - [Commits](https://github.com/PostHog/posthog-js/commits/posthog-node@5.31.0/packages/node) Updates `react-hook-form` from 7.71.2 to 7.74.0 - [Release notes](https://github.com/react-hook-form/react-hook-form/releases) - [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md) - [Commits](react-hook-form/react-hook-form@v7.71.2...v7.74.0) Updates `resend` from 6.9.2 to 6.12.2 - [Release notes](https://github.com/resend/resend-node/releases) - [Commits](resend/resend-node@v6.9.2...v6.12.2) Updates `ws` from 8.19.0 to 8.20.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.19.0...8.20.0) Updates `zod` from 4.3.6 to 4.4.1 - [Release notes](https://github.com/colinhacks/zod/releases) - [Commits](colinhacks/zod@v4.3.6...v4.4.1) --- updated-dependencies: - dependency-name: "@asteasolutions/zod-to-openapi" dependency-version: 8.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: "@aws-sdk/client-s3" dependency-version: 3.1039.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: "@faker-js/faker" dependency-version: 10.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: "@tanstack/react-query" dependency-version: 5.100.6 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: axios dependency-version: 1.15.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: express-rate-limit dependency-version: 8.4.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: next-intl dependency-version: 4.11.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: posthog-node dependency-version: 5.31.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: react-hook-form dependency-version: 7.74.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: resend dependency-version: 6.12.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: ws dependency-version: 8.20.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: zod dependency-version: 4.4.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-04-30T10:23:39Z

Warning

This image may contain unchecked and breaking changes. Only use on own risk.

👋 Thanks for your PR!
Dev images for this PR are now available on docker hub:

SQLITE Image:

lokowitz75/pangolin:dev-pr628

Postgresql Image:

lokowitz75/pangolin:postgresql-dev-pr628

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 30, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the prod-minor-updates group across 1 directory with 12 updates#628

Bump the prod-minor-updates group across 1 directory with 12 updates#628
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/prod-minor-updates-ce7f4717d2

dependabot Bot commented on behalf of github Apr 30, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 30, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v8.5.0

What's Changed

v8.4.3

What's Changed

v8.4.2

What's Changed

v3.1039.0

3.1039.0(2026-04-29)

Chores

Documentation Changes

New Features

Bug Fixes

Tests

v3.1038.0

3.1038.0(2026-04-27)

Chores

Documentation Changes

3.1039.0 (2026-04-29)

3.1038.0 (2026-04-27)

Bug Fixes

3.1037.0 (2026-04-24)

3.1036.0 (2026-04-23)

3.1035.0 (2026-04-22)

Bug Fixes

Features

v10.4.0

What's Changed

New Contributors

10.4.0 (2026-03-23)

New Locales

Features

Changed Locales

Bug Fixes

@​tanstack/react-query-devtools@​5.100.6

Patch Changes

@​tanstack/react-query-next-experimental@​5.100.6

Patch Changes

@​tanstack/react-query-persist-client@​5.100.6

Patch Changes

@​tanstack/react-query@​5.100.6

Patch Changes

@​tanstack/react-query-devtools@​5.100.5

Patch Changes

@​tanstack/react-query-next-experimental@​5.100.5

Patch Changes

@​tanstack/react-query-persist-client@​5.100.5

Patch Changes

@​tanstack/react-query@​5.100.5

Patch Changes

5.100.6

Patch Changes

5.100.5

Patch Changes

5.100.4

Patch Changes

5.100.3

Patch Changes

5.100.2

Patch Changes

5.100.1

Patch Changes

5.100.0

Patch Changes

v1.15.2

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

🔧 Maintenance & Chores

v1.15.1

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

v1.15.2 - April 21, 2026

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

🔧 Maintenance & Chores

dependabot Bot commented on behalf of github Apr 30, 2026 •

edited

Loading

`@tanstack/react-query-devtools@5`.100.6

`@tanstack/react-query-next-experimental@5`.100.6

`@tanstack/react-query-persist-client@5`.100.6

`@tanstack/react-query@5`.100.6

`@tanstack/react-query-devtools@5`.100.5

`@tanstack/react-query-next-experimental@5`.100.5

`@tanstack/react-query-persist-client@5`.100.5

`@tanstack/react-query@5`.100.5