You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Always yield to event loop before nextTick for async versions (#164) (1211e9a2213e0b3ee232a204b3ce899beebce31a)
v3.0.2
Bug fixes
Use upstream fix to emit interop helpers (28e510389374f5736c447395443d4a6687325048)
v3.0.1
Bug fixes
Separate ESM and UMD type definitions (e7055caf0c723cbcf8bc3f0784b8c30ee332380f)
v3.0.0
Breaking changes
Modernize project structure (2f45985738604c743c4b8cc8464e3e7d3e04c73d)
The project now exports an ECMAScript module by default, albeit with an UMD fallback, ships with types, the dist/ directory no longer exists in version control, and Closure Compiler externs have been removed.
Generate 2b hashes by default (d36bfb42fa642b6d6986a84ce106a7110e5824db)
This library was not affected by the bug that led to incrementing the bcrypt version from 2a to 2b, but nowadays most implementations use 2b, including the native bcrypt binding, so this change aligns with them. Existing hashes will continue to work, but test logic that generates hashes and compares them literally might need to be updated to account for the new default.
Features
Add helper to check for password input length (d5656b39e2e368c87724a312e4e454456a4e5d1b)
Fix Node.js version in CI (1b54cc48d4120b50e1d9058e5a67f326102fd744)
Backlog from v2
Added externs to .npmignore (#124) (7e2e93af99df2952253f9cf32db29aefa8f272f7)
The npm package does not need externs as it is needed only for closure compiler. Added it in .npmignore since bcryptjs overrides global module and process in WebStorm IDE.
Make sure the bin script uses LF (684fac6814a81d974c805a15e22fd69922c7ca6e)
Post-merge; Clean up a bit (b09f7f266a7015456b7b36deeb026dc636f64542)
... (truncated)
Commits
1211e9a fix: Always yield to event loop before nextTick for async versions (#164)
28e5103 fix: Use upstream fix to emit interop helpers
e7055ca fix: Separate ESM and UMD type definitions
Updated prerender APIs to return a postponed state that can be passed to the resume APIs.
Notable changes
React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
Use underscore instead of : IDs generated by useId
All Changes
React
<Activity /> was developed over many years, starting before ClassComponent.setState (@acdlite@sebmarkbage and many others)
Stringify context as "SomeContext" instead of "SomeContext.Provider" (@kassens#33507)
Include stack of cause of React instrumentation errors with %o placeholder (@eps1lon#34198)
Fix infinite useDeferredValue loop in popstate event (@acdlite#32821)
Fix a bug when an initial value was passed to useDeferredValue (@acdlite#34376)
Updated prerender APIs to return a postponed state that can be passed to the resume APIs.
Notable changes
React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
Use underscore instead of : IDs generated by useId
All Changes
React
<Activity /> was developed over many years, starting before ClassComponent.setState (@acdlite@sebmarkbage and many others)
Stringify context as "SomeContext" instead of "SomeContext.Provider" (@kassens#33507)
Include stack of cause of React instrumentation errors with %o placeholder (@eps1lon#34198)
Fix infinite useDeferredValue loop in popstate event (@acdlite#32821)
Fix a bug when an initial value was passed to useDeferredValue (@acdlite#34376)
c2be4f819064eed62c7c350a2d399b5faecd15f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent keys (#5941)
f3c9ec03ba7a28ae72d25cc295f38674bee0f559 4.4.3
1fb56a5c18c27102dbc92260a4007c7732a0ccca docs: document release procedure in AGENTS.md
v4.4.2
Commits:
0c62df0ea19fd05abdf90473e9eef7eea530fab2 Clean up docs navigation and stale labels (#5901)
20cc794895cc8604fe0c87d83a5d1c3f89fad0ac chore: add security policy and refresh tooling deps
6fbe07b0177efdd1bf1c0b05160e70d7a0702337 fix(docs): heading anchor links now include the hash so it doesnt scoll all the way up, follows navbar logic (#5791)
4bbed1b1c73eca4ce9e59b1189ed236aa6c8b5bd Tighten discriminated union option typing
bbac3e567e7fccfaaf7cdc97f1ce30c295e2c908 Update PR guidance for agents
cf0dc942a32805c292fff59ade20a7ace980735a Merge remote-tracking branch 'origin/main' into fix-discriminated-union-key-constraint
180d83d1dbe6a59260710cc8637a3dea2281ee56 docs: remove Jazz featured sponsor
v4.4.0
4.4.0
This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.
Potentially breaking bug fixes
... (truncated)
Commits
1fb56a5 docs: document release procedure in AGENTS.md
This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR cannot be merged in its current state as it attempts to update dependencies to non-existent versions (e.g., Next.js 16.2.6, Zod 4.4.3), which will lead to immediate installation and build failures. Additionally, the PR bundles four major version upgrades into a single 'chore' commit, significantly increasing the risk of regressions. Specific breaking changes in Resend 6.x regarding peer dependencies and new Node.js requirements for Next.js must also be addressed in the environment and package configuration.
About this PR
Bundling multiple major version upgrades (bcryptjs, next, resend, zod) into a single PR makes it difficult to isolate regressions. Consider splitting these into individual PRs to ensure stability and easier rollbacks.
Test suggestions
Verify that existing password hashes ($2a$) still verify correctly after the bcryptjs upgrade to v3
Verify that all Zod schemas pass validation with the stricter v4 rules (assuming valid version is targeted)
Ensure the build and deployment pipeline is using Node.js >= 20.9.0
Confirm that email rendering still works and @react-email/render is correctly resolved
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that existing password hashes ($2a$) still verify correctly after the bcryptjs upgrade to v3
2. Verify that all Zod schemas pass validation with the stricter v4 rules (assuming valid version is targeted)
3. Ensure the build and deployment pipeline is using Node.js >= 20.9.0
4. Confirm that email rendering still works and @react-email/render is correctly resolved
Low confidence findings
Bcryptjs v3 defaults to $2b$ hashes for new entries. Verify if existing system logic or automated tests rely on strict string-prefix checks for the older $2a$ format.
The reason will be displayed to describe this comment to others. Learn more.
🔴 HIGH RISK
The upgrade to Resend v6.12.3 changed @react-email/render into a peer dependency, which the lockfile shows has been removed. If this project uses React templates for emails, you must add '@react-email/render' explicitly to your dependencies in package.json to avoid runtime rendering failures.
The reason will be displayed to describe this comment to others. Learn more.
🔴 HIGH RISK
Several dependencies (Next.js 16.2.6, Zod 4.4.3, React 19.2.6, tailwind-merge 3.6.0) refer to non-existent or hallucinated versions that do not exist on the public npm registry. Attempting to install these will result in 404 errors. Additionally, upgrading to Next.js 16 requires Node.js >= 20.9.0; ensure CI/CD environments and runners are updated accordingly.
The reason will be displayed to describe this comment to others. Learn more.
⚪ LOW RISK
Suggestion: The @types/bcryptjs package is now a stub because bcryptjs provides its own type definitions in newer versions. This dependency is redundant and should be removed from devDependencies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
github-actions
Bot
added
chore
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
dependabot
Bot
deleted the
dependabot/npm_and_yarn/Development/production-deps-76da616593
branch
Bumps the production-deps group with 7 updates:
2.4.33.0.315.5.1816.2.619.0.019.2.619.0.019.2.64.8.06.12.32.6.13.6.03.25.764.4.3Updates
bcryptjsfrom 2.4.3 to 3.0.3Release notes
Sourced from bcryptjs's releases.
... (truncated)
Commits
1211e9afix: Always yield to event loop before nextTick for async versions (#164)28e5103fix: Use upstream fix to emit interop helperse7055cafix: Separate ESM and UMD type definitions2a9bea9Update publish workflowd5656b3Add helper to check for password input lengthe09eb9aAdd note on using the ESM variant in the browser58333a1Update types2e3b176Merge lint and test workflowsec02e8aFix tests9db275fUpdate legacy fallback to handle crypto dependencyUpdates
nextfrom 15.5.18 to 16.2.6Release notes
Sourced from next's releases.
... (truncated)
Commits
ee6e79bv16.2.6afa053dTurbopack: Match proxy matchers with webpack implementation (#93594)97a154eTurbopack: Fix middleware matcher suffix (#93590)83899bc[backport] Disable build caches for production/staging/force-preview deploys ...7b222b9[backport][test] Pin package manager to patch versions (#93595)a8dc24f[backport] Turbopack: more strict vergen setup (#93587)766148fv16.2.50dd9483fix: add explicit checks for RSC header (#83) (#98)d166096fix proxy matching for segment prefetch URLs (#89) (#96)9d50c0bStrip next-resume header from incoming requests (#92)Updates
reactfrom 19.0.0 to 19.2.6Release notes
Sourced from react's releases.
... (truncated)
Changelog
Sourced from react's changelog.
... (truncated)
Commits
eaf3e95Version 19.2.623f4f9f19.2.590ab3f8Version 19.2.4612e371Version 19.2.3b910fc1Version 19.2.2053df4eVersion 19.2.15667a41Bump next prerelease version numbers (#34639)8bb7241Bump useEffectEvent to Canary (#34610)e3c9656Ensure Performance Track are Clamped and Don't overlap (#34509)68f00c9Release Activity in Canary (#34374)Updates
react-domfrom 19.0.0 to 19.2.6Release notes
Sourced from react-dom's releases.
... (truncated)
Changelog
Sourced from react-dom's changelog.
... (truncated)
Commits
eaf3e95Version 19.2.623f4f9f19.2.590ab3f8Version 19.2.4612e371Version 19.2.3b910fc1Version 19.2.2053df4eVersion 19.2.18618113Bump scheduler version (#34671)1bd1f01Ship partial-prerendering APIs to Canary (#34633)2f0649a[Fizz] Removenonceoption from resume-and-prerender APIs (#34664)5667a41Bump next prerelease version numbers (#34639)Updates
resendfrom 4.8.0 to 6.12.3Release notes
Sourced from resend's releases.
... (truncated)
Commits
3f41290chore: bump sdk version to 6.12.3 (#947)2679c32chore: add missing suppressed event to resend node sdk interface (#946)08cb7a1chore(deps): update dependency@biomejs/biometo v2.4.14 (#943)20741e3chore(deps): update dependency tsdown to v0.21.10 (#929)4e26bc0fix: correctpaylaodintopayloadtypo in contacts overload signatures (#...9ca7487chore(deps): upgradesvixto silence GHSA-w5hq-g745-h8pq (#942)6759d31chore(deps): update pnpm to v10.33.2 (#940)b514002fix: add new domain statuses (#936)1c10dbefeat: add missing domain types: domains can be partially_verified/partially_f...168443afix(deps): update dependency next to v16.2.4 (#911)Maintainer changes
This version was pushed to npm by gabrielmfern, a new releaser for resend since your current version.
Updates
tailwind-mergefrom 2.6.1 to 3.6.0Release notes
Sourced from tailwind-merge's releases.
... (truncated)
Commits
d54f7e5v3.6.0638871aUpdate README to add info about Tailwind CSS v4.3 support39fc7b5Revert "v3.6.0"bd8390fv3.6.0802877cadd v3.6.0 changeloga35fedaMerge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x940389cMerge pull request #667 from dcastil/renovate/release-drafter-release-drafter...005af6dpin to specific version5816cedimplement breaking changes17041e1Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...Updates
zodfrom 3.25.76 to 4.4.3Release notes
Sourced from zod's releases.
... (truncated)
Commits
1fb56a5docs: document release procedure in AGENTS.mdf3c9ec04.4.3c2be4f8fix(v4): generalize optin/fallback to transform; restore preprocess on absent...1cab693fix(v4): restore catch handling for absent object keys (#5937) (#5939)b8dffe9docs: remove Numeric and Speakeasy (2+ missed monthly cycles)9195250docs: remove Mintlify from bronze sponsors (churned)2c70332docs: normalize bronze sponsor logos to github avatar pattern7391be8docs: prune lapsed silver/bronze sponsors and add active ones2aeec83docs: prune lapsed gold sponsors and rebalance logo sizing4c2fa95docs: use Zernio primary wordmark for gold sponsor logoMaintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)Description has been truncated