chore(deps): bump the web-deps group across 1 directory with 13 updates

[dependabot]

Bumps the web-deps group with 12 updates in the /web directory:

Package	From	To
@sentry/nextjs	8.51.0	10.52.0
next	15.5.15	16.2.6
react	19.2.5	19.2.6
react-dom	19.2.5	19.2.6
@axe-core/playwright	4.10.0	4.11.3
@next/bundle-analyzer	15.5.15	16.2.6
@tailwindcss/postcss	4.2.4	4.3.0
@types/node	22.19.17	25.6.2
@vitejs/plugin-react	4.7.0	6.0.1
happy-dom	15.11.7	20.9.0
typescript	5.9.3	6.0.3
vitest	2.1.9	4.1.6

Updates @sentry/nextjs from 8.51.0 to 10.52.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.52.0

Important Changes

• Beta release of the official Hono Sentry SDK

  This release marks the beta release of the @sentry/hono Sentry SDK. For details on how to use it, check out the Sentry Hono SDK docs. Please reach out on GitHub if you have any feedback or concerns.

• feat(browser): Add ingest_settings to v2 log envelope payload (#20453)

  Inference of user data (e.g. IP address, browser name/version) on log events is now gated behind the sendDefaultPii option. Previously, this data was always inferred by default.

Other Changes

• docs(hono): Add new docs link and move to BETA release (#20666)
• feat(browser): Add ingest_settings to v2 metrics envelope payload (#20454)
• feat(browser): Migrate spotlight event processor to ignoreSpans (#20595)
• feat(cloudflare): Capture request body via httpServerIntegration (#20614)
• feat(cloudflare): Support rpc trace propagation for WorkerEntrypoint (#20523)
• feat(cloudflare): Support tracing for queue producer (#20529)
• feat(core): Apply request data to segment spans in span streaming (#20654)
• feat(core): Migrate Vercel AI event processor to span streaming (#20608)
• feat(deno): Add processSegmentSpan to Deno context integration (#20613)
• feat(http): Portable node:http client instrumentation (#20393)
• feat(nitro): Add unstorage tracing channel instrumentation (#20615)
• feat(node-core): Add processSegmentSpan to node context integration (#20678)
• feat(node): Use diagnostics_channel for redis >= 5.12.0 (#20573)
• feat(node): Vendor ioredis, redis instrumentations (#20510)
• feat(replay): Reset replay id from DSC on session expiry/refresh (#20129)
• fix: Bump fast-xml-parser to fix vulnerability (#20644)
• fix: Bump vite versions to fix vulnerability (#20646)
• fix(core): Drain buffers in flush() when there is no transport (#20207)
• fix(core): Guard against undefined chained in copyProps (#20637)
• fix(deps): Bump rollup-plugin-license to fix lodash vulnerabilities (#20636)
• fix(deps): Bump transitive deps for medium security fixes (#20683)
• fix(hono): Do not capture 3xx and 4xx errors and add tests (#20640)
• fix(nextjs): Skip build modification when SRI is enabled (#20694)
• fix(opentelemetry): Respect OTEL_SERVICE_NAME, OTEL_RESOURCE_ATTRIBUTES (#20509)

• chore: Remove bundle-analyzer-scenarios dev packages (#20680)
• chore(deps): Bump @​hono/node-server from 1.19.10 to 1.19.13 (#20117)
• chore(deps): Bump @​nestjs packages to fix path-to-regexp ReDoS (#20642)
• chore(deps): Bump axios from 1.15.0 to 1.15.2 (#20665)
• chore(deps): Bump ip-address from 10.1.0 to 10.2.0 (#20695)
• chore(deps): Bump simple-git from 3.33.0 to 3.36.0 (#20696)
• chore(deps): Bump vulnerable testem version (#20634)

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.52.0

Important Changes

• Beta release of the official Hono Sentry SDK

  This release marks the beta release of the @sentry/hono Sentry SDK. For details on how to use it, check out the Sentry Hono SDK docs. Please reach out on GitHub if you have any feedback or concerns.

• feat(browser): Add ingest_settings to v2 log envelope payload (#20453)

  Inference of user data (e.g. IP address, browser name/version) on log events is now gated behind the sendDefaultPii option. Previously, this data was always inferred by default.

Other Changes

• docs(hono): Add new docs link and move to BETA release (#20666)
• feat(browser): Add ingest_settings to v2 metrics envelope payload (#20454)
• feat(browser): Migrate spotlight event processor to ignoreSpans (#20595)
• feat(cloudflare): Capture request body via httpServerIntegration (#20614)
• feat(cloudflare): Support rpc trace propagation for WorkerEntrypoint (#20523)
• feat(cloudflare): Support tracing for queue producer (#20529)
• feat(core): Apply request data to segment spans in span streaming (#20654)
• feat(core): Migrate Vercel AI event processor to span streaming (#20608)
• feat(deno): Add processSegmentSpan to Deno context integration (#20613)
• feat(http): Portable node:http client instrumentation (#20393)
• feat(nitro): Add unstorage tracing channel instrumentation (#20615)
• feat(node-core): Add processSegmentSpan to node context integration (#20678)
• feat(node): Use diagnostics_channel for redis >= 5.12.0 (#20573)
• feat(node): Vendor ioredis, redis instrumentations (#20510)
• feat(replay): Reset replay id from DSC on session expiry/refresh (#20129)
• fix: Bump fast-xml-parser to fix vulnerability (#20644)
• fix: Bump vite versions to fix vulnerability (#20646)
• fix(core): Drain buffers in flush() when there is no transport (#20207)
• fix(core): Guard against undefined chained in copyProps (#20637)
• fix(deps): Bump rollup-plugin-license to fix lodash vulnerabilities (#20636)
• fix(deps): Bump transitive deps for medium security fixes (#20683)
• fix(hono): Do not capture 3xx and 4xx errors and add tests (#20640)
• fix(nextjs): Skip build modification when SRI is enabled (#20694)
• fix(opentelemetry): Respect OTEL_SERVICE_NAME, OTEL_RESOURCE_ATTRIBUTES (#20509)

• chore: Remove bundle-analyzer-scenarios dev packages (#20680)
• chore(deps): Bump @​hono/node-server from 1.19.10 to 1.19.13 (#20117)
• chore(deps): Bump @​nestjs packages to fix path-to-regexp ReDoS (#20642)
• chore(deps): Bump axios from 1.15.0 to 1.15.2 (#20665)
• chore(deps): Bump ip-address from 10.1.0 to 10.2.0 (#20695)
• chore(deps): Bump simple-git from 3.33.0 to 3.36.0 (#20696)

... (truncated)

Commits

• 4b911e0 release: 10.52.0
• 781f31c Merge pull request #20707 from getsentry/prepare-release/10.52.0
• 11a64f6 meta(changelog): Update changelog for 10.52.0
• e185818 feat(node-core): Add processSegmentSpan to node context integration (#20678)
• 7e49571 feat(node): use diagnostics_channel for redis >= 5.12.0 (#20573)
• a8ab715 feat(replay): Reset replay id from DSC on session expiry/refresh (#20129)
• 7efc03f feat(core): Apply request data to segment spans in span streaming (#20654)
• 01d0a70 feat(core): Migrate Vercel AI event processor to span streaming (#20608)
• 12cd3e5 fix(nextjs): Skip build modification when SRI is enabled (#20694)
• f1f534c fix(deps): Bump transitive deps for medium security fixes (#20683)
• Additional commits viewable in compare view

Updates next from 15.5.15 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates @axe-core/playwright from 4.10.0 to 4.11.3

Release notes

Sourced from @​axe-core/playwright's releases.

v4.11.3

What's Changed

• chore: add create-release workflow by @​Garbee in dequelabs/axe-core-npm#1326
• chore: merge master into develop by @​attest-team-ci in dequelabs/axe-core-npm#1324
• fix: Update axe-core to v4.11.4 by @​attest-team-ci in dequelabs/axe-core-npm#1330
• chore: RC v4.11.3 by @​github-actions[bot] in dequelabs/axe-core-npm#1332
• chore: release v4.11.3 by @​axe-core in dequelabs/axe-core-npm#1335

New Contributors

• @​axe-core made their first contribution in dequelabs/axe-core-npm#1335

Full Changelog: dequelabs/axe-core-npm@v4.11.2...v4.11.3

Release 4.11.2

Bug Fixes

• Update axe-core to v4.11.3 (#1306) (71c4179)
• wdio: support v9 wdio switchFrame and switchWindow (#1302) (4689273), closes #1164

Release 4.11.1

Bug Fixes

• reorder exports to place types first (#1261) (40d22e3), closes #1243
• Update axe-core to v4.11.1 (#1271) (77f577e)

Release 4.11.0

Bug Fixes

• Optimize AxeBuilder memory usage. (#1154) (e53cd36), closes /github.com/bensenescu/axe-core-npm/blob/develop/packages/puppeteer/src/axePuppeteer.ts#L59 /github.com/bensenescu/axe-core-npm/blob/develop/packages/puppeteer/src/utils.ts#L34
• Update axe-core to v4.10.3 (#1155) (f8e3a14)
• wdio: resolve blank navigation issue in WDIO v9 (#1169) (6505560)

Features

• Update axe-core to v4.11.0 (#1233) (2758476)

Release 4.10.2

• Optimize AxeBuilder memory usage in #1154
• Update axe-core to v4.10.3 in #1155
• wdio: resolve blank navigation issue in WDIO v9 in #1169
• chore: RC v4.10.2

Release 4.10.1

What's Changed

• chore: merge master into develop by @​attest-team-ci in dequelabs/axe-core-npm#1111
• chore: bump axios from 1.7.3 to 1.7.7 by @​dependabot in dequelabs/axe-core-npm#1118
• chore: bump express from 4.19.2 to 4.20.0 by @​dependabot in dequelabs/axe-core-npm#1117

... (truncated)

Changelog

Sourced from @​axe-core/playwright's changelog.

Change Log

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

4.11.2 (2026-04-14)

Bug Fixes

• Update axe-core to v4.11.3 (#1306) (71c4179)
• wdio: support v9 wdio switchFrame and switchWindow (#1302) (4689273), closes #1164

4.11.1 (2026-01-09)

Bug Fixes

• reorder exports to place types first (#1261) (40d22e3), closes #1243
• Update axe-core to v4.11.1 (#1271) (77f577e)

4.11.0 (2025-10-14)

Bug Fixes

• Optimize AxeBuilder memory usage. (#1154) (e53cd36), closes /github.com/bensenescu/axe-core-npm/blob/develop/packages/puppeteer/src/axePuppeteer.ts#L59 /github.com/bensenescu/axe-core-npm/blob/develop/packages/puppeteer/src/utils.ts#L34
• Update axe-core to v4.10.3 (#1155) (f8e3a14)
• wdio: resolve blank navigation issue in WDIO v9 (#1169) (6505560)

Features

• Update axe-core to v4.11.0 (#1233) (2758476)

4.10.2 (2025-05-12)

... (truncated)

Commits

• 25fbfd2 chore: release v4.11.3 (#1335)
• dad3572 chore: RC v4.11.3 (#1332)
• 582a7fc chore: RC v4.11.3
• eed87f5 fix: Update axe-core to v4.11.4 (#1330)
• 57c5437 chore: merge master into develop (#1324)
• da56b5d chore: add create-release workflow (#1326)
• 310de0a chore: Release 4.11.2 (#1323)
• 39d9967 chore: RC v4.11.2 (#1317)
• 7eb0bf2 chore: RC v4.11.2
• 71c4179 fix: Update axe-core to v4.11.3 (#1306)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​axe-core/playwright since your current version.

Updates @next/bundle-analyzer from 15.5.15 to 16.2.6

Release notes

Sourced from @​next/bundle-analyzer's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits

• ee6e79b v16.2.6
• 766148f v16.2.5
• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• ed7d2ce v16.2.1
• c5c94df v16.2.0
• 3683192 v16.2.0-canary.104
• 6689814 v16.2.0-canary.103
• ad66dbc v16.2.0-canary.102
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/bundle-analyzer since your current version.

Updates @tailwindcss/postcss from 4.2.4 to 4.3.0

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.3.0

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.3.0] - 2026-05-08

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

Commits

• 588bd73 4.3.0 (#20023)
• 12eb5ae Cleanup noisy test output (#20015)
• 4255671 Improve snapshot tests (#20013)
• 52f94c7 Improve codebase quality (#19999)
• d194d4c docs: fix various typos in comments and documentation (#19878)
• bfb5732 Fall back to the plugin base when PostCSS has no from option (#19980)
• 3a890c3 Bump dependencies (#19957)
• See full diff in compare view

Updates @types/node from 22.19.17 to 25.6.2

Commits

• See full diff in compare view

Updates @vitejs/plugin-react from 4.7.0 to 6.0.1

Release notes

Sourced from @​vitejs/plugin-react's releases.

plugin-react@6.0.1

Expand @rolldown/plugin-babel peer dep range (#1146)

Expanded @rolldown/plugin-babel peer dep range to include ^0.2.0.

plugin-react@6.0.0

Remove Babel Related Features (#1123)

Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. With that, there are no transform applied that requires Babel. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.

If you are using Babel, you can use @rolldown/plugin-babel together with this plugin:

 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
export default defineConfig({
plugins: [


react({



  babel: {



    plugins: ['@babel/plugin-proposal-throw-expressions'],



  },



}),





react(),



babel({



  plugins: ['@babel/plugin-proposal-throw-expressions'],



}),

]
})

For React compiler users, you can use reactCompilerPreset for easier setup with preconfigured filter to improve build performance:

 import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'
+import react, { reactCompilerPreset } from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
export default defineConfig({
plugins: [

react({

 babel: {



   plugins: ['babel-plugin-react-compiler'],



 },


}),


react(),
babel({

 presets: [reactCompilerPreset()]



</tr></table>

... (truncated)

Changelog

Sourced from @​vitejs/plugin-react's changelog.

6.0.1 (2026-03-13)

Expand @rolldown/plugin-babel peer dep range (#1146)

Expanded @rolldown/plugin-babel peer dep range to include ^0.2.0.

6.0.0 (2026-03-12)

6.0.0-beta.0 (2026-03-03)

Remove Babel Related Features (#1123)

Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. With that, there are no transform applied that requires Babel. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.

If you are using Babel, you can use @rolldown/plugin-babel together with this plugin:

 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
export default defineConfig({
plugins: [


react({



  babel: {



    plugins: ['@babel/plugin-proposal-throw-expressions'],



  },



}),





react(),



babel({



  plugins: ['@babel/plugin-proposal-throw-expressions'],



}),

]
})

For React compiler users, you can use reactCompilerPreset for easier setup with preconfigured filter to improve build performance:

 import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'
+import react, { reactCompilerPreset } from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
export default defineConfig({
plugins: [

react({

 babel: {



   plugins: ['babel-plugin-react-compiler'],



 },



</tr></table>

... (truncated)

Commits

• 1e94c06 release: plugin-react@6.0.1
• 77c00c0 feat(plugin-react): expand @rolldown/plugin-babel peer dep range (#1146)
• dcc9012 release: plugin-react@6.0.0
• 3a17886 docs: add a link to the Oxlint rule for component exports alongside the ESLin...
• f812135 fix(deps): update all non-major dependencies (