chore(deps)(deps): Bump the patch-and-minor group across 1 directory with 26 updates

[dependabot]

Bumps the patch-and-minor group with 24 updates in the /app directory:

Package	From	To
@radix-ui/react-slot	1.2.4	1.3.0
@rgrove/parse-xml	4.2.0	4.2.1
@tanstack/react-query	5.100.14	5.101.2
@trpc/client	11.17.0	11.18.0
@trpc/react-query	11.17.0	11.18.0
axios	1.16.1	1.18.1
date-fns	4.2.1	4.4.0
lucide-react	1.16.0	1.22.0
next	16.2.6	16.2.9
papaparse	5.5.3	5.5.4
pg	8.21.0	8.22.0
react	19.2.6	19.2.7
@types/react	19.2.14	19.2.17
react-dom	19.2.6	19.2.7
sanitize-html	2.17.4	2.17.5
stripe	22.1.1	22.3.0
@tailwindcss/postcss	4.3.0	4.3.1
@types/node	22.19.19	22.20.0
autoprefixer	10.5.0	10.5.2
eslint-config-next	16.2.6	16.2.9
eslint-plugin-sonarjs	4.0.3	4.1.0
prettier	3.8.3	3.9.3
ts-jest	29.4.10	29.4.11
typescript-eslint	8.59.4	8.62.0

Updates @radix-ui/react-slot from 1.2.4 to 1.3.0

Changelog

Sourced from @​radix-ui/react-slot's changelog.

1.3.0

Added generic type arguments for SlotProps and createSlot

SlotProps and createSlot now accept generic type arguments to specify the type of element a slot should render, as well as its props.

const Slot = createSlot<HTMLButtonElement, MyCustomButtonProps>("Slot");

1.2.5

• Fixed infinite re-render loop in React 19 caused by Slot creating a new ref callback on every render
• Added support for nested Slottable via a render prop, so a slotted element can be wrapped while still merging Slot props and refs onto it
• Added repository.directory to all package.json files
• Improved error messages for invalid slot children
• Updated dependencies: @radix-ui/react-compose-refs@1.1.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-slot since your current version.

Updates @rgrove/parse-xml from 4.2.0 to 4.2.1

Release notes

Sourced from @​rgrove/parse-xml's releases.

v4.2.1

Fixed

• A character reference for a carriage return (
 / &[#13](https://github.com/rgrove/parse-xml/issues/13);) in element text content is now correctly preserved as a literal \r rather than being normalized to \n. #41 (@​spokodev)

New Contributors

• @​spokodev made their first contribution in rgrove/parse-xml#41

Full Changelog: rgrove/parse-xml@v4.2.0...v4.2.1

Changelog

Sourced from @​rgrove/parse-xml's changelog.

4.2.1 (2026-06-27)

Fixed

• A character reference for a carriage return (
 / &[#13](https://github.com/rgrove/parse-xml/issues/13);) in element text content is now correctly preserved as a literal \r rather than being normalized to \n. #41 (@​spokodev)

Commits

• 91455f7 Release 4.2.1
• 386e1d1 Unignore pnpm-lock.yaml
• 475f468 Use pnpm 11.9.0
• 1cb75dd Update action workflows
• 88c18ad Update test matrix
• 427697f Update changelog
• 5454796 Merge branch 'fix/cr-char-ref-in-content'
• b99e593 Fix time-traveling typo
• 76595dc fix: do not line-end-normalize a CR character reference in content
• 3b10000 Use a different npm badge
• See full diff in compare view

Updates @tanstack/react-query from 5.100.14 to 5.101.2

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.101.2

Patch Changes

• Updated dependencies [f5bf180, 25cdd97, ecd89c8, 01c7634, 49012db]:
  • @​tanstack/query-devtools@​5.101.2
  • @​tanstack/react-query@​5.101.2

@​tanstack/react-query-next-experimental@​5.101.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.101.2

@​tanstack/react-query-persist-client@​5.101.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.101.2
  • @​tanstack/react-query@​5.101.2

@​tanstack/react-query@​5.101.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.2

@​tanstack/react-query-devtools@​5.101.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.101.1
  • @​tanstack/react-query@​5.101.1

@​tanstack/react-query-next-experimental@​5.101.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.101.1

@​tanstack/react-query-persist-client@​5.101.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.101.1
  • @​tanstack/react-query@​5.101.1

@​tanstack/react-query@​5.101.1

Patch Changes

• Updated dependencies [9eff92e]:

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.101.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.2

5.101.1

Patch Changes

• Updated dependencies [9eff92e]:
  • @​tanstack/query-core@​5.101.1

5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

Commits

• 610e8d1 ci: Version Packages (#10996)
• 1f84256 docs: document the select typing caveat for parallel-queries hooks (#10984)
• b809297 ci: Version Packages (#10977)
• ccc843e test({react,preact}-query/useQueries): move type-only tests to 'useQueries.te...
• 4154613 test({react,preact}-query/useMutation): split 'should handle conditional logi...
• 8bb5fde test({react,preact}-query/useMutation): split 'should pass meta to mutation' ...
• 87426a3 test(react-query): replace deprecated 'toBeCalledTimes' with 'toHaveBeenCalle...
• feb1efd test(*): move 'vi.useRealTimers' to the end of 'afterEach' so cleanup runs un...
• f3d8d2a ci: Version Packages (#10774)
• 532bb29 fix(tests): disable local coverage instrumentation (#10776)
• See full diff in compare view

Updates @trpc/client from 11.17.0 to 11.18.0

Release notes

Sourced from @​trpc/client's releases.

v11.18.0

What's Changed

• fix(ci): restore tests package version and pin Bun by @​KATT in trpc/trpc#7393
• fix(tanstack-react-query): add prefix support for mutation options by @​tmkx in trpc/trpc#7370
• chore: fix duplicate "the" in unstable-core JSDoc comment by @​dfedoryshchev in trpc/trpc#7366
• feat(openapi): Add server url support by @​Nick-Lucas in trpc/trpc#7411

New Contributors

• @​dfedoryshchev made their first contribution in trpc/trpc#7366

Full Changelog: trpc/trpc@v11.17.0...v11.18.0

Commits

• 6aec157 v11.18.0
• See full diff in compare view

Updates @trpc/react-query from 11.17.0 to 11.18.0

Release notes

Sourced from @​trpc/react-query's releases.

v11.18.0

What's Changed

• fix(ci): restore tests package version and pin Bun by @​KATT in trpc/trpc#7393
• fix(tanstack-react-query): add prefix support for mutation options by @​tmkx in trpc/trpc#7370
• chore: fix duplicate "the" in unstable-core JSDoc comment by @​dfedoryshchev in trpc/trpc#7366
• feat(openapi): Add server url support by @​Nick-Lucas in trpc/trpc#7411

New Contributors

• @​dfedoryshchev made their first contribution in trpc/trpc#7366

Full Changelog: trpc/trpc@v11.17.0...v11.18.0

Commits

• See full diff in compare view

Updates @trpc/server from 11.17.0 to 11.18.0

Release notes

Sourced from @​trpc/server's releases.

v11.18.0

What's Changed

• fix(ci): restore tests package version and pin Bun by @​KATT in trpc/trpc#7393
• fix(tanstack-react-query): add prefix support for mutation options by @​tmkx in trpc/trpc#7370
• chore: fix duplicate "the" in unstable-core JSDoc comment by @​dfedoryshchev in trpc/trpc#7366
• feat(openapi): Add server url support by @​Nick-Lucas in trpc/trpc#7411

New Contributors

• @​dfedoryshchev made their first contribution in trpc/trpc#7366

Full Changelog: trpc/trpc@v11.17.0...v11.18.0

Commits

• 6aec157 v11.18.0
• f8f0c0e chore: fix duplicate "the" in unstable-core JSDoc comment (#7366)
• See full diff in compare view

Updates axios from 1.16.1 to 1.18.1

Release notes

Sourced from axios's releases.

v1.18.1 — June 21, 2026

This release focuses on Node HTTP adapter fixes, safer AxiosError serialisation, runtime/type correctness fixes, documentation updates, and dependency maintenance.

🐛 Bug Fixes

• AxiosError Serialisation: Made AxiosError#cause non-enumerable to prevent circular JSON serialisation failures when errors include nested causes. (#10913)
• Node HTTP Adapter: Guarded socket.setKeepAlive for proxy agent streams, accepted path-only URLs when socketPath is configured, deferred environment proxy handling to Node, and explicitly passed maxBodyLength through to follow-redirects. (#10917, #10930, #10942, #10993)
• Runtime and Type Correctness: Fixed several runtime crashes, type definition mismatches, and incorrect error handling paths. (#10959, #11021)
• AxiosURLSearchParams: Switched the encoder callback to an arrow function so encoder.call(this) receives the AxiosURLSearchParams instance correctly. (#11019)

🔧 Maintenance & Chores

• Documentation: Documented sensitive headers and status transition behaviour, prepared cleaned-up docs, added Deno install instructions, and clarified that request data is request-specific (#11007, #11010, #11023, #11025)

• Dependencies: Bumped vite, rollup, form-data, js-yaml, and multer across the root project, docs, smoke tests, and module test workspaces. (#11011, #11012, #11013, #11014, #11015, #11016, #11017, #11026)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​webdevelopersrinu (#10913)
• @​sijie-Z (#10993)
• @​bartlomieju (#11023)
• @​JSap0914 (#11019)

Full Changelog

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#10984)
• @​eyupcanakman (#10899)
• @​Adi-Beker (#10995)

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)

... (truncated)

Commits

• a209bfb chore(release): prepare release 1.18.1 (#11027)
• fa6a55e chore(deps-dev): bump multer from 2.1.1 to 2.2.0 (#11026)
• 40e7be8 docs: clarifies that request data is request-specific in axios (#11025)
• a446b39 fix(AxiosURLSearchParams): use arrow function so encoder.call(this) receives ...
• cf1306a docs: add Deno to install instructions (#11023)
• b32880a fix: incorrect use of error (#11021)
• 1792eda fix: ensure maxBodyLength is explicitly passed to follow-redirects (#10993)
• 30499d6 fix: various runtime crashes and type definition mismatches (#10959)
• 20ce9c4 fix(http): defer env proxy handling to Node (#10942)
• e64bcf9 chore(deps): merge branch 'v1.x' into tests/module/cjs (#11014)
• Additional commits viewable in compare view

Updates date-fns from 4.2.1 to 4.4.0

Release notes

Sourced from date-fns's releases.

v4.4.0

This release revisits the approach to CDN usage and introduces a new package, @date-fns/cdn and deprecates the date-fns CDN scripts. It allowed reducing the zipped package size from 5.83 MB down to 3.96 MB without introducing any breaking changes.

In v5.0.0-alpha.0 where CDN scripts are completely removed from date-fns the change is more significant and brings the zipped package size down to 2.89 MB.

It is just the first step in optimizing the package size. Expect further size reduction in the future v4 and v5 versions.

Changed

• DEPRECATED: The date-fns CDN scripts are now deprecated and will be removed in the next major release. Please switch to the new @date-fns/cdn package for CDN usage.

• Removed CDN source maps to reduce the package size. If you rely on them, please switch to the new @date-fns/cdn package that still includes them.

v4.3.0

Kudos to @​ImRodry and @​puneetdixit200 for their contributions.

Fixed

• Fixed missing modularized optimization fallback (for Next.js and others). See #4193.

• Fixed pt locale first day of week to be Sunday. See #4195 by @​ImRodry.

• Fixed zh-CN, zh-HK, and zh-TW locale month parsing for October, November, and December. See #4194 by @​puneetdixit200.

Commits

• cd53d25 Promote to v4.4.0
• d948ec1 Preserve but deprecate CDN versions for v4, set up v5 with polyfills
• ee65753 Add root mise :format task
• 9f5bdf5 Add positional argument to test/smoke.sh script
• 651ead6 Split CDN bundles into separate @​date-fns/cdn package
• 224c1a2 Deprecate type tests as attw hangs on date-fns package
• 7bb2842 Switch PACKAGE_OUTPUT_PATH to --dist flag in the package build script
• b6ad5ac Add flags to control package build script
• 424a783 Fix docs release after moving to monorepo setup
• f95bcf1 (docs): Add missing tsx dependency
• Additional commits viewable in compare view

Updates lucide-react from 1.16.0 to 1.22.0

Release notes

Sourced from lucide-react's releases.

Version 1.22.0

What's Changed

• feat(icons): add 6 database variant icons by @​Barakudum in lucide-icons/lucide#4336
• ci(release.yml): Remove concurrency field to prevent release mess by @​ericfennis in lucide-icons/lucide#4485
• fix(docs): fix color input clipping by @​Hsiii in lucide-icons/lucide#4488
• docs(site): add Deno to installation instructions by @​bartlomieju in lucide-icons/lucide#4486
• chore(deps): bump esbuild from 0.25.12 to 0.28.1 by @​dependabot[bot] in lucide-icons/lucide#4459
• fix(docs): prevent private analytics token from blocking local dev by @​Hsiii in lucide-icons/lucide#4481
• docs(installation.md): Remove outdate next tag in installation by @​ericfennis in lucide-icons/lucide#4495
• fix(lucide-react-native): Fix context provider export by @​ericfennis in lucide-icons/lucide#4497
• fix(astro): add Astro v7 compatibility by @​iseraph-dev in lucide-icons/lucide#4491
• fix(icons): changed carrot icon by @​jguddas in lucide-icons/lucide#4010
• fix(icons): changed ungroup icon by @​jguddas in lucide-icons/lucide#3969
• feat(icons): added phi icon also used as golden-ratio by @​whoisBugsbunny in lucide-icons/lucide#4218

New Contributors

• @​bartlomieju made their first contribution in lucide-icons/lucide#4486

Full Changelog: lucide-icons/lucide@1.21.0...1.22.0

Version 1.21.0

What's Changed

• ci(release.yml): Remove new-version in release flow by @​ericfennis in lucide-icons/lucide#4478
• ci(release.yml): Fix workflow and remove version scripts in package scripts by @​ericfennis in lucide-icons/lucide#4479
• fix(docs): rename navigation category label by @​Hsiii in lucide-icons/lucide#4483
• feat(icons): added broken-bone icon by @​Patolord in lucide-icons/lucide#4131

New Contributors

• @​Hsiii made their first contribution in lucide-icons/lucide#4483
• @​Patolord made their first contribution in lucide-icons/lucide#4131

Full Changelog: lucide-icons/lucide@1.20.0...1.21.0

Version 1.20.0

What's Changed

• fix(icons): decreased size of arrows inside square-arrow-* icons by @​jguddas in lucide-icons/lucide#3926
• chore(tags): Add tags to search- icons by @​jamiemlaw in lucide-icons/lucide#4099
• feat(icons): added save-check icon by @​Konixy in lucide-icons/lucide#3120
• feat(icons): added tag-plus and tag-x icons by @​adam-kov in lucide-icons/lucide#3980
• feat(icons): added banknote-check icon by @​mfjramirezf in lucide-icons/lucide#3956
• feat(icons): added clock-arrow-in icon by @​jguddas in lucide-icons/lucide#2403
• feat(icons): added summary icon by @​jpjacobpadilla in lucide-icons/lucide#3114
• feat(icons): added user-round-arrow-in icon by @​jguddas in lucide-icons/lucide#2283
• feat(icons): added clock-arrow-out icon by @​jguddas in lucide-icons/lucide#2404
• docs(docs): fix broken Svelte package source link in README by @​SRKrukowski in lucide-icons/lucide#4468
• chore(deps-dev): bump @​angular/compiler from 21.2.5 to 21.2.17 by @​dependabot[bot] in lucide-icons/lucide#4474
• chore(deps-dev): bump @​angular/core from 21.2.5 to 21.2.17 by @​dependabot[bot] in lucide-icons/lucide#4470
• chore(deps-dev): bump vitest from 4.0.12 to 4.1.0 by @​dependabot[bot] in lucide-icons/lucide#4429
• chore(deps-dev): bump markdown-it from 14.1.1 to 14.2.0 by @​dependabot[bot] in lucide-icons/lucide#4475
• chore(deps-dev): bump @​angular/common from 21.2.5 to 21.2.17 by @​dependabot[bot] in lucide-icons/lucide#4471

... (truncated)

Commits

• 5ff536e ci(release.yml): Fix workflow and remove version scripts in package scripts...
• See full diff in compare view

Updates next from 16.2.6 to 16.2.9

Release notes

Sourced from next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

• f37fad9 v16.2.9
• d9aaaed [cd] Allow tagging semver-lower releases as @latest if @latest po… (#94627)
• 6f16804 v16.2.8
• 0dbc1d5 [16.2.x][cd] Ensure release can be triggered on old branches (#94598)
• 90e3c81 [16.2.x] Align Actions dependencies with Canary (#94339)
• 83f402c [16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)
• 411c455 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• Additional commits viewable in compare view

Updates papaparse from 5.5.3 to 5.5.4

Changelog

Sourced from papaparse's changelog.

Changelog

Commits

• af51c9f Patch version bump
• a51bdc7 fix: correctly escape and quote custom quoteChar in unparse (#1124)
• cc8c801 Create CHANGELOG.md (#1119)
• b10b87e Use https on readme links (#1104)
• 565d821 Merge pull request #1102 from mholt/fix/issue-1024
• 8ecc42d confirms issue 1024 is resolveD
• 58bcb73 Mention BYTE_ORDER_MARK in documentation (#1096)
• 530357f Update Node versions (#1097)
• 08265f1 Strip BOM character from column keys when parsing header
• See full diff in compare view

Updates pg from 8.21.0 to 8.22.0

Changelog

Sourced from pg's changelog.

pg@8.22.0

• Add support for sslnegotiation=direct for PostgreSQL 17+.

Commits

• b617619 Publish
• d80b261 Update docs & changelog
• 835fb83 Fix error handling for exceptions on values parsing. (#3574)
• f49ab4a fix: correct spelling mistakes across codebase (#3692)
• d7175a4 Expand CI matrix of PG versions and add direct SSL test (#3693)
• 882fc30 Add support for sslnegotiation=direct (PostgreSQL 17) (#3688)
• See full diff in compare view

Updates react from 19.2.6 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.

Updates @types/react from 19.2.14 to 19.2.17

Commits

• See full diff in compare view

Updates react-dom from 19.2.6 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.

Updates sanitize-html from 2.17.4 to 2.17.5

Changelog

Sourced from sanitize-html's changelog.

2.17.5 (2026-06-10)

Security

• Added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to crattack for reporting the vulnerability.
• Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to Dipanshu singh for pointing out the issue and contributing the fix.

Commits

• 2427508 release and changelog edits (#5465)
• 5a88e96 Latest security q2 (#5464)
• 958d162 merge main to latest (#5460)
• See full diff in compare view

Updates stripe from 22.1.1 to 22.3.0

Release notes

Sourced from stripe's releases.

v22.3.0<...

Description has been truncated

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.