Skip to content

chore(deps): bump the dependencies group with 15 updates#162

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/dependencies-3d2c831676
Jun 29, 2026
Merged

chore(deps): bump the dependencies group with 15 updates#162
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/dependencies-3d2c831676

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the dependencies group with 15 updates:

Package From To
@types/node 26.0.0 26.0.1
prettier 3.8.4 3.9.1
turbo 2.9.18 2.10.0
@hono/node-server 2.0.5 2.0.6
hono 4.12.26 4.12.27
better-auth 1.6.20 1.6.22
lucide-react 1.21.0 1.22.0
recharts 3.8.1 3.9.0
shadcn 4.11.0 4.12.0
swr 2.4.1 2.4.2
@eslint-react/eslint-plugin 5.9.1 5.10.0
@playwright/test 1.61.0 1.61.1
eslint 10.5.0 10.6.0
eslint-plugin-import-x 4.16.2 4.17.1
typescript-eslint 8.61.1 8.62.0

Updates @types/node from 26.0.0 to 26.0.1

Commits

Updates prettier from 3.8.4 to 3.9.1

Release notes

Sourced from prettier's releases.

3.9.1

🔗 Changelog

3.9.0

diff

🔗 Prettier 3.9: Major parser upgrades and Formatting improvements

3.8.5

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.9.1

diff

CLI: Fix ignored file has been cached incorrectly (#19483 by @​kovsu)

Bug details prettier/prettier#18016

3.9.0

diff

🔗 Release Notes

3.8.5

diff

Flow: Support readonly as a variance annotation (#19022 by @​marcoww6)

Flow now accepts readonly as a property variance annotation, equivalent to + (covariant/read-only).

// Input
type T = {
  readonly foo: string,
};
// Prettier 3.8.4
SyntaxError
// Prettier 3.8.5
type T = {
readonly foo: string,
};

Commits

Updates turbo from 2.9.18 to 2.10.0

Release notes

Sourced from turbo's releases.

Turborepo v2.10.0

What's Changed

create-turbo

@​turbo/codemod

eslint

@​turbo/repository

@​turbo/telemetry

Examples

Changelog

... (truncated)

Commits
  • 12fb0d9 publish 2.10.0 to registry
  • a12323b release(turborepo): 2.9.19-canary.10 (#13130)
  • 65175fe fix: Hash selected dependency outputs instead of tasks (#13129)
  • 5ba8917 fix: Improve watch graceful shutdown (#13128)
  • 75ee2cc chore: Update to Rust 1.96.0 (#12974)
  • 6dccf5a fix: Restart deferred hash consumers in watch (#13127)
  • 4ebb50f feat: Add deferred hashing for task inputs (#13125)
  • 517e1a5 docs: Fix stderr debugging guidance (#13122)
  • 0220b35 fix: Respect task inputs when stopping interruptible persistent tasks in watc...
  • 6988692 fix: Add ComSpec and PATHEXT to default Windows env passthrough (#13114)
  • Additional commits viewable in compare view

Updates @hono/node-server from 2.0.5 to 2.0.6

Release notes

Sourced from @​hono/node-server's releases.

v2.0.6

What's Changed

Full Changelog: honojs/node-server@v2.0.5...v2.0.6

Commits
  • ff75c61 2.0.6
  • 814720f fix: preserve status and statusText when cloning a Response with live headers...
  • a76209a ci: use npm Staged publishing (#364)
  • 44c365a ci: publish to npm from CI with OIDC trusted publishing and bump np (#361)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​hono/node-server since your current version.


Updates hono from 4.12.26 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

Commits

Updates better-auth from 1.6.20 to 1.6.22

Release notes

Sourced from better-auth's releases.

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

  • Fixed SCIM write-path operations to be properly scoped and to correctly honor the active attribute (#10242)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Added account-level verification lockout for two-factor authentication (#10240)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​gustavovalverde

Full changelog: v1.6.21...v1.6.22

v1.6.21

better-auth

Bug Fixes

  • Fixed rate limits to be enforced before plugin request handlers run (#10191)
  • Fixed admin permission changes and bans to take effect immediately, even when session cookie cache is enabled (#10187)
  • Fixed deviceAuthorization() throwing a ZodError when called without a schema option under Zod v4 (#9939)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.22

Patch Changes

  • #10239 c06a56d Thanks @​gustavovalverde! - Magic-link and email-OTP sign-in now reset the credentials on an account whose email had never been confirmed. When verification resolves to such an account, any existing password on it is removed and its sessions are revoked before the user is signed in, so proven control of the mailbox is the source of truth for the account.

    If you signed up with email and password but first signed in through a magic link or email OTP rather than confirming the verification email, your password is cleared and you will need to set a new one through password reset.

  • #10240 3a035e9 Thanks @​gustavovalverde! - Add account-level lockout for two-factor verification. The attempt limit applies per account across sign-in challenges and across factors: TOTP, email-OTP, and backup codes share one counter, and a successful verification resets it.

    Enabled by default: an account locks for 15 minutes after 10 consecutive failed verifications, and locked attempts return 429 with the ACCOUNT_TEMPORARILY_LOCKED error code. Configure it with twoFactor({ accountLockout: { enabled, maxFailedAttempts, durationSeconds } }).

    Run a database migration after upgrading: this adds failedVerificationCount and lockedUntil columns to the twoFactor table.

  • Updated dependencies [8bd43d9]:

    • @​better-auth/core@​1.6.22
    • @​better-auth/drizzle-adapter@​1.6.22
    • @​better-auth/kysely-adapter@​1.6.22
    • @​better-auth/memory-adapter@​1.6.22
    • @​better-auth/mongo-adapter@​1.6.22
    • @​better-auth/prisma-adapter@​1.6.22
    • @​better-auth/telemetry@​1.6.22

1.6.21

Patch Changes

  • #10212 e0762a1 Thanks @​bytaesu! - In root-mounted deployments, requests whose path does not start with the configured basePath now return 404 instead of resolving to an endpoint.

  • #10187 882cf9e Thanks @​ping-maxwell! - Admin permission changes and bans now take effect immediately for admin APIs, even when session cookie cache is enabled. Sensitive session checks also continue to work in stateless apps where signed cookies are the session record.

  • #9939 f52e1ab Thanks @​benpsnyder! - fixes a bug causing deviceAuthorization() throwing a ZodError at construction when called without a schema option

  • #10196 b5bec19 Thanks @​Paola3stefania! - OAuth sign-up and account-link profile sync now ignore provider profile values for user fields marked input: false. Input-allowed additional fields still persist from mapProfileToUser, and schema defaults still apply when OAuth creates a user. Apps that used mapProfileToUser to fill input: false fields should set those fields in server-side provisioning code instead.

  • #10197 816d7f9 Thanks @​Paola3stefania! - Google sign-in now accepts hd: "*" to allow any Google Workspace hosted domain while still rejecting tokens with no hosted-domain claim.

    Google One Tap now applies the configured Google hosted-domain restriction before creating a session.

  • #10192 239bcc8 Thanks @​bytaesu! - Validate PayPal user info against the verified ID token subject during social sign-in.

  • #10228 1bc370a Thanks @​gustavovalverde! - The SIWE plugin no longer binds a provided email that already belongs to another account. With anonymous set to false, /siwe/verify previously created the new account using that email even when it was already in use; it now keeps the wallet-derived address in that case, so one email cannot be attached to two accounts.

  • #10198 570267c Thanks @​rachit367! - Honor disableMigration on plugin schema tables. Tables flagged with disableMigration: true are now skipped by better-auth generate (Drizzle and Prisma output) and by the runtime migrator, instead of being emitted and created anyway. The flag was previously dropped while assembling the table list, so it had no effect.

  • #10182 461ca6f Thanks @​bytaesu! - Only store display username fallbacks as usernames when they pass username validation during email sign-up.

  • #10183 88409b0 Thanks @​bytaesu! - Require OAuth proxy profile callbacks to match an issued OAuth state before creating sessions.

  • #10203 5953157 Thanks @​bytaesu! - Rate limiting no longer trusts multi-hop X-Forwarded-For chains, preventing a client behind an appending proxy from spoofing the leftmost hop to bypass the per-IP rate limit. Single-value IP headers continue to work. To key the real client behind a proxy chain, set advanced.ipAddress.trustedProxies to your reverse-proxy IPs or CIDR ranges (the chain is walked right to left, skipping trusted hops), or point advanced.ipAddress.ipAddressHeaders at a single trusted client-IP header.

... (truncated)

Commits
  • a90d061 chore: release v1.6.22 (#10245)
  • 3a035e9 fix(two-factor): add account-level verification lockout (#10240)
  • c06a56d fix: revoke unproven credentials on magic-link/email-OTP sign-in (#10239)
  • 414169d chore: release v1.6.21 (#10184)
  • f52e1ab fix(device-authorization): make schema option optional under Zod v4 (#9939)
  • 882cf9e fix(admin): use authoritative session reads for authorization (#10187)
  • b5bec19 fix(oauth): apply user input rules to provider profiles (#10196)
  • 471f81c refactor: centralize request IP resolver in core (#10216)
  • 816d7f9 fix(one-tap): apply configured Google hosted domain (hd) on the callback (#10...
  • 1bc370a fix(siwe): reject sign-in when the provided email already belongs to another ...
  • Additional commits viewable in compare view

Updates lucide-react from 1.21.0 to 1.22.0

Release notes

Sourced from lucide-react's releases.

Version 1.22.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.21.0...1.22.0

Commits

Updates recharts from 3.8.1 to 3.9.0

Release notes

Sourced from recharts's releases.

v3.9.0

What's Changed

Animations

3.9 comes with new animations! There are several bug fixes and what's best, all animations are now fully customizable.

See the animations guide on https://recharts.github.io/en-US/guide/animations/

New features other than animations

Bugfixes

Tree-shaking

We now have focused tree-shaking tests that allow us to observe exactly which components end up in the final bundle and why. I have also removed some unnecessary loops and you should see the final bundle size decrease somewhat as a result.

... (truncated)

Commits

Updates shadcn from 4.11.0 to 4.12.0

Release notes

Sourced from shadcn's releases.

shadcn@4.12.0

Minor Changes

shadcn@4.11.1

Patch Changes

Changelog

Sourced from shadcn's changelog.

4.12.0

Minor Changes

4.11.1

Patch Changes

Commits

Updates swr from 2.4.1 to 2.4.2

Release notes

Sourced from swr's releases.

v2.4.2

Patches

Chores

New Contributors

Full Changelog: vercel/swr@v2.4.1...v2.4.2

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for swr since your current version.


Updates @eslint-react/eslint-plugin from 5.9.1 to 5.10.0

Release notes

Sourced from @​eslint-react/eslint-plugin's releases.

v5.10.0 (2026-06-28)

What's Changed

📝 Documentation

...

Description has been truncated

Bumps the dependencies group with 15 updates:

| Package | From | To |
| --- | --- | --- |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `26.0.0` | `26.0.1` |
| [prettier](https://github.com/prettier/prettier) | `3.8.4` | `3.9.1` |
| [turbo](https://github.com/vercel/turborepo) | `2.9.18` | `2.10.0` |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.5` | `2.0.6` |
| [hono](https://github.com/honojs/hono) | `4.12.26` | `4.12.27` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.20` | `1.6.22` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.21.0` | `1.22.0` |
| [recharts](https://github.com/recharts/recharts) | `3.8.1` | `3.9.0` |
| [shadcn](https://github.com/shadcn-ui/ui/tree/HEAD/packages/shadcn) | `4.11.0` | `4.12.0` |
| [swr](https://github.com/vercel/swr) | `2.4.1` | `2.4.2` |
| [@eslint-react/eslint-plugin](https://github.com/Rel1cx/eslint-react/tree/HEAD/plugins/eslint-plugin) | `5.9.1` | `5.10.0` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.61.0` | `1.61.1` |
| [eslint](https://github.com/eslint/eslint) | `10.5.0` | `10.6.0` |
| [eslint-plugin-import-x](https://github.com/un-ts/eslint-plugin-import-x) | `4.16.2` | `4.17.1` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.61.1` | `8.62.0` |


Updates `@types/node` from 26.0.0 to 26.0.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `prettier` from 3.8.4 to 3.9.1
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.4...3.9.1)

Updates `turbo` from 2.9.18 to 2.10.0
- [Release notes](https://github.com/vercel/turborepo/releases)
- [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md)
- [Commits](vercel/turborepo@v2.9.18...v2.10.0)

Updates `@hono/node-server` from 2.0.5 to 2.0.6
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.5...v2.0.6)

Updates `hono` from 4.12.26 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.26...v4.12.27)

Updates `better-auth` from 1.6.20 to 1.6.22
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.22/packages/better-auth)

Updates `lucide-react` from 1.21.0 to 1.22.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.22.0/packages/lucide-react)

Updates `recharts` from 3.8.1 to 3.9.0
- [Release notes](https://github.com/recharts/recharts/releases)
- [Changelog](https://github.com/recharts/recharts/blob/main/CHANGELOG.md)
- [Commits](recharts/recharts@v3.8.1...v3.9.0)

Updates `shadcn` from 4.11.0 to 4.12.0
- [Release notes](https://github.com/shadcn-ui/ui/releases)
- [Changelog](https://github.com/shadcn-ui/ui/blob/main/packages/shadcn/CHANGELOG.md)
- [Commits](https://github.com/shadcn-ui/ui/commits/shadcn@4.12.0/packages/shadcn)

Updates `swr` from 2.4.1 to 2.4.2
- [Release notes](https://github.com/vercel/swr/releases)
- [Commits](vercel/swr@v2.4.1...v2.4.2)

Updates `@eslint-react/eslint-plugin` from 5.9.1 to 5.10.0
- [Release notes](https://github.com/Rel1cx/eslint-react/releases)
- [Changelog](https://github.com/Rel1cx/eslint-react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/Rel1cx/eslint-react/commits/v5.10.0/plugins/eslint-plugin)

Updates `@playwright/test` from 1.61.0 to 1.61.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.61.0...v1.61.1)

Updates `eslint` from 10.5.0 to 10.6.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.5.0...v10.6.0)

Updates `eslint-plugin-import-x` from 4.16.2 to 4.17.1
- [Release notes](https://github.com/un-ts/eslint-plugin-import-x/releases)
- [Changelog](https://github.com/un-ts/eslint-plugin-import-x/blob/master/CHANGELOG.md)
- [Commits](un-ts/eslint-plugin-import-x@v4.16.2...v4.17.1)

Updates `typescript-eslint` from 8.61.1 to 8.62.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.62.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 26.0.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: prettier
  dependency-version: 3.9.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: turbo
  dependency-version: 2.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: better-auth
  dependency-version: 1.6.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: lucide-react
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: recharts
  dependency-version: 3.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: shadcn
  dependency-version: 4.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: swr
  dependency-version: 2.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@eslint-react/eslint-plugin"
  dependency-version: 5.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: "@playwright/test"
  dependency-version: 1.61.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: eslint
  dependency-version: 10.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: eslint-plugin-import-x
  dependency-version: 4.17.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: typescript-eslint
  dependency-version: 8.62.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 29, 2026
@github-actions github-actions Bot enabled auto-merge June 29, 2026 05:18
@github-actions github-actions Bot merged commit f62a841 into main Jun 29, 2026
6 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/dependencies-3d2c831676 branch June 29, 2026 05:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants