- Update all non-major dependencies with digest and pinDigest

[blumilk-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@tailwindcss/vite (source)	^4.1.18 -> ^4.2.2			dependencies	minor
actions/cache	v4.2.4 -> v4.3.0			action	minor
alpinejs (source)	^3.15.8 -> ^3.15.9			dependencies	patch	3.15.10
appleboy/ssh-action	v1.2.3 -> v1.2.5			action	patch
autoprefixer	^10.4.24 -> ^10.4.27			dependencies	patch
axios (source)	^1.13.5 -> ^1.13.6			dependencies	patch
axllent/mailpit (source)	v1.27.11 -> v1.29.5				minor
composer	2.8.12 -> 2.9.5			stage	minor
docker/login-action	v3.6.0 -> v3.7.0			action	minor
docker/metadata-action	v5.9.0 -> v5.10.0			action	minor
docker/setup-buildx-action	v3.11.1 -> v3.12.0			action	minor
filament/filament (source)	^3.3.48 -> ^3.3.49			require	patch
filament/spatie-laravel-media-library-plugin (source)	^3.3.48 -> ^3.3.49			require	patch
josiasmontag/laravel-recaptchav3	^1.0.4 -> ^1.0.5			require	patch
laravel/framework (source)	^11.48.0 -> ^11.51.0			require	minor
laravel/telescope	^5.17.0 -> ^5.19.0			require-dev	minor
livewire/livewire	^3.7.10 -> ^3.7.12			require	patch	3.7.13
nginx/nginx	1.29.3 -> 1.29.7				patch
node	24.11.0-bookworm-slim -> 24.11.1-bookworm-slim			stage	patch
nunomaduro/collision	^8.8.3 -> ^8.9.1			require-dev	minor	8.9.2
php	8.3.26-fpm-bookworm -> 8.3.30-fpm-bookworm			final	patch
phpunit/phpunit (source)	^11.5.53 -> ^11.5.55			require-dev	patch
postcss (source)	^8.5.6 -> ^8.5.8			dependencies	patch
postgres	17.6 -> 17.9			final	minor
registry.blumilk.pl/internal-public/lmt-postgres	992f43a -> 234ae47				digest
registry.blumilk.pl/internal-public/lmt-postgres	1ccbba8 -> cf30f96				digest
shivammathur/setup-php	2.35.5 -> 2.37.0			action	minor
tailwindcss (source)	^4.1.17 -> ^4.1.18			dependencies	patch
xdebug/xdebug	3.4.7 -> 3.5.1				minor

---

Release Notes

tailwindlabs/tailwindcss (@​tailwindcss/vite)

v4.2.2

Compare Source

Fixed

• Don't crash when candidates contain prototype properties like row-constructor (#​19725)
• Canonicalize calc(var(--spacing)*…) expressions into --spacing(…) (#​19769)
• Fix crash in canonicalization step when handling utilities containing @property at-rules (e.g. shadow-sm border) (#​19727)
• Skip full reload for server only modules scanned by client CSS when using @tailwindcss/vite (#​19745)
• Add support for Vite 8 in @tailwindcss/vite (#​19790)
• Improve canonicalization for bare values exceeding default spacing scale suggestions (e.g. w-1234 h-1234 → size-1234) (#​19809)
• Fix canonicalization resulting in empty list (e.g. w-5 h-5 size-5 → '' instead of size-5) (#​19812)
• Resolve tsconfig paths to allow for @import '@​/path/to/file'; when using @tailwindcss/vite (#​19803)

v4.2.1

Compare Source

Fixed

• Allow trailing dash in functional utility names for backwards compatibility (#​19696)
• Properly detect classes containing . characters within curly braces in MDX files (#​19711)

v4.2.0

Compare Source

Added

• Add mauve, olive, mist, and taupe color palettes to the default theme (#​19627)
• Add @tailwindcss/webpack package to run Tailwind CSS as a webpack plugin (#​19610)
• Add pbs-* and pbe-* utilities for padding-block-start and padding-block-end (#​19601)
• Add mbs-* and mbe-* utilities for margin-block-start and margin-block-end (#​19601)
• Add scroll-pbs-* and scroll-pbe-* utilities for scroll-padding-block-start and scroll-padding-block-end (#​19601)
• Add scroll-mbs-* and scroll-mbe-* utilities for scroll-margin-block-start and scroll-margin-block-end (#​19601)
• Add border-bs-* and border-be-* utilities for border-block-start and border-block-end (#​19601)
• Add inline-*, min-inline-*, max-inline-* utilities for inline-size, min-inline-size, and max-inline-size (#​19612)
• Add block-*, min-block-*, max-block-* utilities for block-size, min-block-size, and max-block-size (#​19612)
• Add inset-s-*, inset-e-*, inset-bs-*, inset-be-* utilities for inset-inline-start, inset-inline-end, inset-block-start, and inset-block-end (#​19613)
• Add font-features-* utility for font-feature-settings (#​19623)

Fixed

• Prevent double @supports wrapper for color-mix values (#​19450)
• Allow whitespace around @source inline() argument (#​19461)
• Emit comment when source maps are saved to files when using @tailwindcss/cli (#​19447)
• Detect utilities containing capital letters followed by numbers (#​19465)
• Fix class extraction for Rails' strict locals (#​19525)
• Align @utility name validation with Oxide scanner rules (#​19524)
• Fix infinite loop when using @variant inside @custom-variant (#​19633)
• Allow multiples of .25 in aspect-* fractions (e.g. aspect-8.5/11) (#​19688)
• Ensure changes to external files listed via @source trigger a full page reload when using @tailwindcss/vite (#​19670)
• Improve performance of Oxide scanner in bigger projects by reducing file system walks (#​19632)
• Ensure import aliases in Astro v5 work without crashing when using @tailwindcss/vite (#​19677)
• Allow escape characters in @utility names to improve support with formatters such as Biome (#​19626)
• Fix incorrect canonicalization results when canonicalizing multiple times (#​19675)
• Add .jj to default ignored content directories (#​19687)

Deprecated

• Deprecate start-* and end-* utilities in favor of inset-s-* and inset-e-* utilities (#​19613)

actions/cache (actions/cache)

v4.3.0

Compare Source

What's Changed

• Add note on runner versions by @​GhadimiR in #​1642
• Prepare v4.3.0 release by @​Link- in #​1655

New Contributors

• @​GhadimiR made their first contribution in #​1642

Full Changelog: actions/cache@v4...v4.3.0

alpinejs/alpine (alpinejs)

v3.15.9

Compare Source

What's Changed

• fix(morph): close dialogs properly when removing open attribute by @​calebporzio in #​4739
• Update tabbable and focus-trap dependencies in focus plugin by @​joshhanley in #​4737
• feat(x-anchor): allow dynamic reference to be used with x-anchor by @​maximbelyayev in #​4735
• Handle all types of whitespace in class lists, not just spaces by @​calebporzio in #​4743
• docs: clearer variable name in x-bind example by @​calebporzio in #​4742
• Fix x-model.parent when inside of x-teleport by @​willrowe in #​4676
• feat: x-on.passive.false modifier by @​hirasso in #​4610
• Add support for Set objects in x-for loop function by @​alfanzain in #​4672
• Add support for custom options and cancelable $dispatch by @​nicolagianelli in #​4608
• Fix how x-html handles undefined by @​willrowe in #​4555
• move dependencies from monorepo root to correct packages by @​Igloczek in #​4550
• Don't assign the normalEvaluator per default by @​JeroenBoersma in #​4548
• Fix class setters invocation on nested x-data by @​helio3197 in #​4528
• 🐛 Masks model updates by @​ekwoka in #​4175
• Allow debouncing/throttling x-model when using x-modelable by @​Spitfire972 in #​4186
• UI x-radio: fix keyboard navigation when value of first/last radio option is null by @​gdebrauwer in #​4308
• Improve handling of autocomplete values in X-Mask by @​robertmarney in #​4260
• ⚡ Improves x-for performance by @​ekwoka in #​4361
• Fix x-ref crash during child-element morph by @​calebporzio in #​4748
• Fix $watch oldValue for objects by @​calebporzio in #​4749
• Escape attribute values in morph setAttribute patch by @​joshhanley in #​4770
• Fix x-model setting .value instead of .checked on checkboxes by @​ganyicz in #​4779
• Fix x-model.blur crash when input is removed from a form by @​joshhanley in #​4783

New Contributors

• @​maximbelyayev made their first contribution in #​4735
• @​hirasso made their first contribution in #​4610
• @​alfanzain made their first contribution in #​4672
• @​nicolagianelli made their first contribution in #​4608
• @​Igloczek made their first contribution in #​4550
• @​JeroenBoersma made their first contribution in #​4548
• @​helio3197 made their first contribution in #​4528
• @​Spitfire972 made their first contribution in #​4186
• @​robertmarney made their first contribution in #​4260

Full Changelog: alpinejs/alpine@v3.15.8...v3.15.9

appleboy/ssh-action (appleboy/ssh-action)

v1.2.5

Compare Source

Changelog

Refactor

• 0ff4204: refactor: streamline output handling for GITHUB_OUTPUT in workflows (#​404) (@​appleboy)

Documentation updates

• 23bd972: docs: update README and assets for new SSH agent workflow (@​appleboy)
• 8e460a2: docs: improve documentation table formatting for output descriptions (@​appleboy)

v1.2.4

Compare Source

Changelog

Enhancements

• 4e3535e: chore: bump default DRONE_SSH_VERSION to 1.8.2 (@​appleboy)

Build process updates

• 823bd89: ci: trigger GitHub Actions workflows only on version tags (@​appleboy)

Documentation updates

• 652a0be: docs: update CI documentation and workflow references (@​appleboy)
• f6208e0: docs: document and demonstrate capturing and using command output (@​appleboy)

postcss/autoprefixer (autoprefixer)

v10.4.27

Compare Source

• Removed development key from package.json.

v10.4.26

Compare Source

• Reduced package size.

v10.4.25

Compare Source

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

axios/axios (axios)

v1.13.6

Compare Source

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @​moh3n9595 for the initial implementation. (#​5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#​7385)

🐛 Bug Fixes

• Environment Compatibility:

  • Fixed module exports for React Native and Browserify environments. (#​7386)
  • Added safe FormData detection for the WeChat Mini Program environment. (#​7324)

• Error Handling:

  • AxiosError.message is now correctly enumerable. (#​7392)
  • AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#​7403)

🔧 Maintenance & Chores

• Dependencies: Updated the development_dependencies group (5 updates). (#​7432)
• Infrastructure: Migrated @​rollup/plugin-babel from v5.3.1 to v6.1.0. (#​7424)
• Documentation: Added missing JSDoc comments to utilities. (#​7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

• @​Gudahtt (#​7386)
• @​ybbus (#​7392)
• @​Shiwaangee (#​7324)
• @​skrtheboss (#​7403)
• @​Janaka66 (#​7427)
• @​moh3n9595 (#​5764)
• @​digital-wizard48 (#​7424)

Full Changelog: v1.13.5...v1.13.6

axllent/mailpit (axllent/mailpit)

v1.29.5

Compare Source

Security

• Add sandbox attribute to message iframe for extra later of security (already protected via CSP headers)

Feature

• Add option to disable auto-VACUUMing of the SQLite database (#​661)

Chore

• Update Go dependencies
• Update node dependencies

v1.29.4

Compare Source

Feature

• Add filter functionality to message headers tab

Chore

• Update Go dependencies
• Update node dependencies

Fix

• Refactor webhook delay & rate limit logic to ignore endpoint response times & prevent hardcoded 1000 message limit when set to 0 (#​656)

v1.29.3

Compare Source

Security

• Enhance CORS origin handling to respect host:port distinctions
• Limit proxy requests to 50MB to prevent OOM attacks
• Enhance HTML sanitization in message view
• Enhance HTML sanitization in screenshot generation
• Escape ContentID in HTML replacement to prevent regex injection

Chore

• Use last release + git hash in Docker edge versions
• Bump minimatch from 10.2.2 to 10.2.4
• Refactor code with go fix
• Switch to math/rand/v2
• Refactor API send authentication logic
• Refactor events websocket middleware
• Set timeout for HTTP client in webhook Send function
• Use local hostname for EHLO/HELO in SMTP communication
• Simplify HTML decoding function in screenshot generation using DOMParser
• Set margin & padding to HTML screenshot to prevent transparent top/left border
• Replace localStorage retrieval with a dedicated function for default release addresses
• Limit subject length to 100 characters in browser notifications
• Improve transaction handling in pruneMessages and fix loop continuation in InitDB
• Update Content-Disposition header to use inline display and escape filename
• Refactor timezone handling in searchQueryBuilder
• Update Go dependencies
• Update node dependencies

Fix

• Update SQL query to use tenant when using is:tagged filter

v1.29.2

Compare Source

Security

• Prevent Server-Side Request Forgery (SSRF) via Link Check API (GHSA-mpf7-p9x7-96r3)

Chore

• Upgrade eslint JavaScript linting
• Update Go dependencies
• Update node dependencies
• Update caniemail test database

Fix

• Update install instructions when setting INSTALL_PATH
• Include 8BITMIME in SMTPD EHLO response (#​648)

v1.29.1

Compare Source

Chore

• Add CORS error logging and update error messages for failed CORS requests
• Bump axios from 1.13.4 to 1.13.5
• Update Go dependencies
• Update node dependencies

Fix

• Enable "Mark all read" button (Inbox) when new message is received

v1.29.0

Compare Source

Feature

• Include message attachment checksums (MD5, SHA1 & SHA254) in API message summary
• Option to display/hide attachment information in message view in web UI including checksums, content type & disposition

Chore

• Add support for multi-origin CORS settings and apply to events websocket (#​630)
• Add support for webhook delay (#​627)
• Update Go dependencies
• Update node dependencies

Test

• Add CORS tests
• Add message summary attachment checksum tests

v1.28.4

Compare Source

Chore

• Increase allowed SMTP email address length to 1024 chars & return clearer SMTP responses for failures (#​620)
• Update Go dependencies
• Update node dependencies

Fix

• Ensure SMTP HELO/EHLO command is issued before MAIL FROM as per RFC 5321 (#​621)
• Prevent nested MAIL command during an active SMTP transaction (#​623)
• Avoid error on image type assertion in thumbnail generation

v1.28.3

Compare Source

Security

• Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
• Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)

Chore

• Fix formatting and update reporting instructions in SECURITY.md (#​614)
• Allow @ character in message tags & set max length to 100 characters per tag
• Update Go dependencies
• Update node dependencies

Fix

• Correctly render default addresses in release modal after settings change (#​594)
• Correctly detect macOS group in install.sh (#​619)
• Auto-tagging using SMTP username using plain auth (#​617)
• Validate maximum lengths of email addresses - RFC5321 (section 4.5.3.1)

Test

• Update tag tests with length limits and @ character
• Add SMTP tests for address compliancy (RFC 5322) and header injection
• Add maximum email length validation tests - RFC5321 (section 4.5.3.1)

v1.28.2

Compare Source

Security

• Prevent Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data CVE-2026-22689

Feature

• Allow default mail addresses to be set when releasing message (#​594)

Chore

• Remove webkit warnings about missing template / render functions
• Avoid empty URL query parameter when returning to inbox from message view

v1.28.1

Compare Source

Security

• Restrict screenshot proxy to only support asset links contained in messages CVE-2026-21859

Chore

• Bump actions/checkout from 5 to 6 (#​610)
• Bump actions/cache from 4 to 5 (#​607)
• Bump actions/stale from 10.0.0 to 10.1.1 (#​604)
• Bump actions/setup-node from 5 to 6 (#​598)
• Bump esbuild from 0.25.12 to 0.27.2 (#​611)
• Update Go dependencies
• Update node dependencies

Test

• Add inline message tests
• Increase swagger test timeout

v1.28.0

Compare Source

Feature

• Optionally propagate SMTP errors (#​588)

Chore

• Update Go dependencies
• Update node dependencies
• Update caniemail test database

docker/login-action (docker/login-action)

v3.7.0

Compare Source

• Add scope input to set scopes for the authentication token by @​crazy-max in #​912
• Add support for AWS European Sovereign Cloud ECR by @​dphi in #​914
• Ensure passwords are redacted with registry-auth input by @​crazy-max in #​911
• build(deps): bump lodash from 4.17.21 to 4.17.23 in #​915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

docker/metadata-action (docker/metadata-action)

v5.10.0

Compare Source

• Bump @​docker/actions-toolkit from 0.66.0 to 0.68.0 in #​559 #​569
• Bump js-yaml from 3.14.1 to 3.14.2 in #​564

Full Changelog: docker/metadata-action@v5.9.0...v5.10.0

docker/setup-buildx-action (docker/setup-buildx-action)

v3.12.0

Compare Source

• Deprecate install input by @​crazy-max in #​455
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​434
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​436
• Bump form-data from 2.5.1 to 2.5.5 in #​432
• Bump undici from 5.28.4 to 5.29.0 in #​435

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

filamentphp/panels (filament/filament)

v3.3.49

Compare Source

filamentphp/spatie-laravel-media-library-plugin (filament/spatie-laravel-media-library-plugin)

v3.3.49

Compare Source

josiasmontag/laravel-recaptchav3 (josiasmontag/laravel-recaptchav3)

v1.0.5

Compare Source

Laravel 13

laravel/framework (laravel/framework)

v11.51.0

Compare Source

• [11.x] schedule:list display expression in the correct timezone by @​xiCO2k in #​59340

v11.50.0

Compare Source

v11.49.0

Compare Source

• [11.x] Fix PHPUnit compatibility by @​crynobone in #​58735
• [11.x] Fix MySQL inRandomOrder default seed regression by @​laraib15 in #​58969
• [11.x] Deduplicate paths in view:cache by @​ganyicz in #​59146
• [11.x] Test Improvements by @​crynobone in #​59248

laravel/telescope (laravel/telescope)

v5.19.0

Compare Source

• Update Symfony console and var-dumper versions to support v8 by @​HichemTab-tech in #​1699
• Fix: Hardcoded config in Service Provider by @​webard in #​1702
• [5.x] Fix workflow YAML syntax and Laravel 13 CSRF test failures by @​JoshSalway in #​1703

v5.18.0

Compare Source

• Reduce risks of localStorage collision by @​meduzen in #​1687
• Bump immutable from 5.1.2 to 5.1.5 by @​dependabot[bot] in #​1689

livewire/livewire (livewire/livewire)

v3.7.12

Compare Source

What's Changed

• [3.x] Enable smart wire keys for @for and @while loops by @​joshhanley in #​10084
• [3.x] Fix dynamic property deprecation on TestResponse when using withoutDeprecationHandling() by @​joshhanley in #​10081
• [4.x] Fix lazy components loading when reactive prop changes by @​joshhanley in #​10079

Full Changelog: livewire/livewire@v3.7.11...v3.7.12

v3.7.11

Compare Source

What's Changed

• [3.x] Fix diff() not detecting key order changes by @​People-Sea in #​10001
• [3.x] Fix child component :key expression overwriting foreach $key variable by @​joshhanley in #​10025
• [3.x] Add Laravel 13 support by @​joshhanley in #​10032

Full Changelog: livewire/livewire@v3.7.10...v3.7.11

nginx/nginx (nginx/nginx)

v1.29.7

Compare Source

nginx-1.29.7 mainline version has been released, introducing two significant updates: support for Multipath TCP and upgrading the default HTTP version to HTTP/1.1 with keep-alive enabled. This release also includes a security fix for the buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), security fixes for the buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), security fixes for the mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753), and a security fix for the OCSP result bypass vulnerability in stream (CVE-2026-28755).

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

• Version bump 1.29.7. by @​arut in #​1181
• Proxy authentication definitions. by @​arut in #​1178
• Proxy: reset pending control frames on HTTP/2 upstream reinit. by @​devnexen in #​1135
• gRPC: reset buffer chains on upstream reinit. by @​devnexen in #​1136
• Multipath TCP support by @​pluknet in #​931
• Logs: added COMPAT padding to ngx_log_t. by @​dplotnikov-f5 in #​1196
• Upstream keepalive: enabled keepalive module by default. by @​roman-f5 in #​1080
• Upstream keepalive: fixed parameter parsing. by @​arut in #​1207
• Mp4: avoid zero size buffers in output. by @​arut in #​1149
• Mp4: fixed possible integer overflow on 32-bit platforms. by @​arut in #​1209
• Dav: destination length validation for COPY and MOVE. by @​arut in #​1210
• Mail: host validation. by @​arut in #​1211
• Mail: fixed clearing s->passwd in auth http requests. by @​arut in #​1212
• Stream: fixed client certificate validation with OCSP. by @​arut in #​1213
• nginx-1.29.7-RELEASE by @​arut in #​1215

New Contributors

• @​devnexen made their first contribution in #​1135

Full Changelog: nginx/nginx@release-1.29.6...release-1.29.7

v1.29.6

Compare Source

nginx-1.29.6 mainline version has been released, featuring sticky sessions support for upstreams.

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

• Version bump. by @​arut in #​1120
• Proxy: fixed HTTP/2 upstream with caching enabled. by @​hongzhidao in #​1119
• Fixed separator in parsing header lines with multiple values. by @​VadimZhestikov in #​1056
• SCGI: fixed passing CONTENT_LENGTH in unbuffered mode. by @​pluknet in #​1118
• Mp4: validate sync sample values in stss atom. by @​CodeByMoriarty in #​1147
• Resolver: fixed off-by-one read in ngx_resolver_copy(). by @​arut in #​1152
• QUIC Stateless Reset improvements by [@​pluknet](https://re

---

Configuration

📅 Schedule: Branch creation - On day 1 of the month, every 3 months ( * * 1 */3 * ) in timezone Europe/Warsaw, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.