chore(deps): bump the patch-updates group with 10 updates

[dependabot]

Bumps the patch-updates group with 10 updates:

Package	From	To
@objectstack/spec	4.0.4	4.0.5
vite	8.0.10	8.0.12
better-auth	1.6.9	1.6.10
fs-extra	11.3.4	11.3.5
@objectstack/client	4.0.4	4.0.5
@ai-sdk/react	3.0.176	3.0.179
ai	6.0.174	6.0.177
fumadocs-core	16.8.7	16.8.9
fumadocs-ui	16.8.7	16.8.9
next	16.2.4	16.2.6

Updates @objectstack/spec from 4.0.4 to 4.0.5

Release notes

Sourced from @​objectstack/spec's releases.

@​objectstack/spec@​4.0.5

Patch Changes

• 15e0df6: chore: unify all package versions to a single patch release

Changelog

Sourced from @​objectstack/spec's changelog.

4.0.5

Patch Changes

• 15e0df6: chore: unify all package versions to a single patch release

Commits

• c065346 Refactor code structure for improved readability and maintainability
• 8cb7c37 refactor: remove quickFilters from various views and schemas
• 46bc5c5 i18n
• 8310995 Update files
• bbf8d44 feat: integrate cron and template expression schemas across various modules
• 060b60f Update files
• 1a78ad0 Update files
• b7bacab Update files
• 64c4f9b fix(serverless): fall back to /tmp instead of crashing when partial DB envs
• 6d32cc6 Lock down better-auth managed identity tables; fix RLS null tenant + 403 mapping
• Additional commits viewable in compare view

Updates vite from 8.0.10 to 8.0.12

Release notes

Sourced from vite's releases.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.12 (2026-05-11)

Features

• update rolldown to 1.0.0 (#22401) (cf0ff41)

Bug Fixes

• create-vite: pass react framework to TanStack CLI (#22397) (18f0f90)
• deps: update all non-major dependencies (#22420) (2be6000)
• module-runner: prevent partial-exports race on concurrent imports of in-flight invalidated re-export chains (#22369) (f5a22e6)
• refer to rolldownOptions instead of deprecated rollupOptions in messages (#22400) (b675c7b)
• worker: apply build.target to worker bundle (#22404) (3c93fde)
• worker: forward define to worker bundle transform (#22408) (d4838a0)

Miscellaneous Chores

• deps: update dependency eslint-plugin-n to v18 (#22423) (2fe7bd2)
• deps: update rolldown-related dependencies (#22421) (66b9eb3)

8.0.11 (2026-05-07)

Features

• update rolldown to 1.0.0-rc.18 (#22360) (3f80524)

Bug Fixes

• deps: update all non-major dependencies (#22334) (672c962)
• deps: update all non-major dependencies (#22382) (5c0cfcb)
• glob: align hmr matcher options with glob enumeration (#22306) (30028f9)
• make separate object instance for each environment (#22276) (7c2aa3b)

Documentation

• create-vite: list react-compiler templates in README (#22347) (7c3a61f)
• explain mergeConfig skips null/undefined (#22325) (2151f70)
• mention native config loader in CLI options (#22348) (0420c5d)
• update evan's x handle (640202a)

Miscellaneous Chores

• deps: update dependency tsdown to ^0.21.10 (#22333) (3b51e05)
• deps: update rolldown-related dependencies (#22383) (555ff36)
• deps: update transitive packages to fix npm audit alerts (#22316) (86aee62)

Code Refactoring

• devtools integration (#22312) (3c8bf06)
• remove unnecessary async (#22296) (b31fd35)
• show direct path type in bad character warning (#22339) (0c162e9)

Tests

... (truncated)

Commits

• 4dce8b4 release: v8.0.12
• b675c7b fix: refer to rolldownOptions instead of deprecated rollupOptions in mess...
• 66b9eb3 chore(deps): update rolldown-related dependencies (#22421)
• 2fe7bd2 chore(deps): update dependency eslint-plugin-n to v18 (#22423)
• 2be6000 fix(deps): update all non-major dependencies (#22420)
• d4838a0 fix(worker): forward define to worker bundle transform (#22408)
• cf0ff41 feat: update rolldown to 1.0.0 (#22401)
• 3c93fde fix(worker): apply build.target to worker bundle (#22404)
• f5a22e6 fix(module-runner): prevent partial-exports race on concurrent imports of in-...
• 66f3194 release: v8.0.11
• Additional commits viewable in compare view

Updates better-auth from 1.6.9 to 1.6.10

Release notes

Sourced from better-auth's releases.

v1.6.10

better-auth

Bug Fixes

• Exposed refreshUserSessions on the internal adapter (#7764)
• Fixed organization invitation roles to accept dynamic access control roles (#9437)
• Improved link accessibility (#9521)
• Fixed incorrect email casing in one-tap, email-otp, and email-verification flows (#9369)
• Fixed OpenAPI schema for POST /sign-in/social mis-declaring required fields (#9268)
• Added a warning when the cookie plugin is placed last in the plugins array (#9484)
• Fixed useSession not revalidating after admin impersonation starts or stops (#9402)
• Fixed duplicate Set-Cookie headers being emitted on redirect responses from social sign-in and magic-link endpoints (#9497)
• Fixed the bearer plugin writing duplicate cookie entries when merging the session token into request headers (#9387)
• Fixed captcha plugin breaking the email-otp flow (#8339)
• Fixed email enumeration protection not applying when emailAndPassword.autoSignIn is false (#8839)
• Fixed a TypeError caused by non-ASCII characters in OAuth error descriptions on redirect (#9065)
• Renamed internalAdapter.deleteAccount parameter from accountId to id to reflect that it queries by primary key (#9503)
• Fixed OAuth callbacks accepting a missing provider account ID, which could link accounts under an undefined id (#9456)
• Fixed cancelPendingInvitationsOnReInvite having no effect, where re-inviting the same email always returned USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION (#9453)
• Fixed a TS2742 type error caused by missing re-exports when using additionalFields in the organization plugin (#9349)
• Fixed useActiveMemberRole retaining a previous user's role after sign-out in SPA flows (#9440)
• Fixed setActiveTeam to only accept teams from the currently active organization (#9239)
• Added authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint (#9461)
• Fixed callbackURL being ignored on signIn.username, so it now redirects correctly like signIn.email (#9475)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed sessionId typing in refresh token types to be optional, matching the schema (#9324)
• Fixed stale prompt=login consent continuations not completing after a forced login
• Exported OAuth provider helper types needed for portable downstream TypeScript declaration emit (#9406)
• Fixed prompt=login not being honored after consent continuation, preventing session bypass (#9344)
• Added database indexes to OAuth provider foreign-key fields in generated schemas (#9389)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

• Fixed onSubscriptionUpdate to receive the raw stripeSubscription object, and fixed onSubscriptionCancel to receive the post-update subscription row instead of a stale snapshot (#9354)
• Fixed getCheckoutSessionParams overriding internally managed Stripe Checkout Session fields such as success_url, cancel_url, customer, and line_items (#9481)
• Fixed onSubscriptionDeleted, onTrialEnd, and onTrialExpired receiving a stale pre-update subscription snapshot instead of the post-update row (#9356)
• Fixed getCheckoutSessionParams overriding free trial and internal metadata, which could hide trial periods and create duplicate subscription rows on webhook (#9474)
• Renamed internal subscription webhook variables for clarity (#9355)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.10

Patch Changes

• #8339 1e0f26d Thanks @​ping-maxwell! - fix(captcha): breaks email-otp flow

• #9484 8c1e917 Thanks @​ping-maxwell! - fix: warn for cookie-plugin being last in array

• #9437 b2d655c Thanks @​cyphercodes! - Allow organization invitation role input types to accept dynamic access control roles.

• #9497 09f1327 Thanks @​bytaesu! - Endpoints that set cookies before redirecting (such as social sign-in callbacks and magic-link verification) no longer emit each Set-Cookie entry twice on the response.

• #9387 906b7b3 Thanks @​bytaesu! - The bearer plugin now produces a single entry per cookie name when merging its session token into the request Cookie header. Previously the merged header could carry two entries for the same name if the request already had a stale session cookie, which would surface to downstream code that picks the first occurrence.

• #9475 e9c978e Thanks @​jaydeep-pipaliya! - fix(username): respect callbackURL on /sign-in/username

  The endpoint accepted a callbackURL body field but ignored it, so authClient.signIn.username({ ..., callbackURL }) silently did nothing while authClient.signIn.email redirected as expected. The handler now sets a Location header when callbackURL is provided and returns { redirect, url } alongside token/user, matching the email flow.

• #9440 e71aad3 Thanks @​cyphercodes! - Clear organization active hook state after sign-out so useActiveMemberRole does not retain a previous user's role in SPA sign-out/sign-in flows.

• #9402 80a655d Thanks @​onmax! - Revalidate the client session after admin impersonation starts or stops.

• #9503 15ff28a Thanks @​bytaesu! - internalAdapter.deleteAccount parameter renamed from accountId to id to reflect that it queries by primary key, not the accountId column. No runtime behavior change.

• #9268 88a7c67 Thanks @​ping-maxwell! - fix: openAPI schema for POST /sign-in/social mis-declares required fields

• #8839 9a7b51d Thanks @​dipan-ck! - Apply email enumeration protection when emailAndPassword.autoSignIn is false. Duplicate sign-ups now return a synthetic user (token: null) and trigger onExistingUserSignUp, and new sign-ups skip auto sign-in (token: null)—even without requireEmailVerification, aligning with the docs.

• #9065 1b25902 Thanks @​ping-maxwell! - non-ASCII error_description in generic-oauth callback routes causes TypeError on redirect

• #9349 cf59136 Thanks @​ping-maxwell! - fix(organization): re-export field types to prevent TS2742 with additionalFields

• #9453 a597ee0 Thanks @​mausic! - The organization plugin's cancelPendingInvitationsOnReInvite option now actually cancels the prior pending invitation when re-inviting the same email. Previously the option had no effect — re-inviting always failed with USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION

• #9456 fc02ced Thanks @​cyphercodes! - Reject OAuth callbacks when provider user info omits the account id to avoid linking accounts under the literal undefined id.

• #9461 9f1ef1f Thanks @​cyphercodes! - Expose authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint.

• #9369 36ef808 Thanks @​ping-maxwell! - fix: incorrect email casing across one-tap, email-otp & email-verification

... (truncated)

Commits

• cbb5014 chore: release v1.6.10 (#9350)
• 09f1327 fix(api): prevent duplicate set-cookie on redirect (#9497)
• 15ff28a fix(internal-adapter): rename deleteAccount param from accountId to id (#...
• fde0432 fix: improve link accessibility issues (#9521)
• cf59136 fix(organization): re-export field types to prevent TS2742 with additionalFie...
• 8c1e917 fix: warn for cookie-plugin being last in array (#9484)
• 3a9a2c3 chore: expose refreshUserSessions on internal adapter (#7764)
• e9c978e fix(username): respect callbackURL on sign-in (#9475)
• 36ef808 fix: incorrect email casing across one-tap, email-otp & email-verification (#...
• 9a7b51d fix(credential): apply enumeration protection when autoSignIn is false (#8839)
• Additional commits viewable in compare view

Updates fs-extra from 11.3.4 to 11.3.5

Changelog

Sourced from fs-extra's changelog.

11.3.5 / 2026-05-06

• Fix ensureLink*/ensureSymlink* identical file detection on Windows (#1068)
• Fix error handling in timestamp preservation code (#1065, #1069)
• Fix potential file descriptor leak on error in synchronous timestamp preservation code (#1066)

Commits

• 8a88f58 11.3.5
• 81a1311 Mirror all utimesMillis() tests for utimesMillisSync() (#1070)
• b7ab7f8 Properly handle close errors in utimesMillis*() (#1069)
• 1c248ed Fix file descriptor leak in utimesMillisSync (#1066)
• a4000d6 Ensure all usages of areIdentical receive bigint stats (#1068)
• 1e9c57d Fix error handling in utimesMillis (#1065)
• See full diff in compare view

Updates @objectstack/client from 4.0.4 to 4.0.5

Release notes

Sourced from @​objectstack/client's releases.

@​objectstack/client@​4.0.5

Patch Changes

• 15e0df6: chore: unify all package versions to a single patch release
• Updated dependencies [15e0df6]
  • @​objectstack/spec@​4.0.5
  • @​objectstack/core@​4.0.5

@​objectstack/client-react@​4.0.5

Patch Changes

• 15e0df6: chore: unify all package versions to a single patch release
• Updated dependencies [15e0df6]
  • @​objectstack/spec@​4.0.5
  • @​objectstack/core@​4.0.5
  • @​objectstack/client@​4.0.5

Changelog

Sourced from @​objectstack/client's changelog.

4.0.5

Patch Changes

• 15e0df6: chore: unify all package versions to a single patch release
• Updated dependencies [15e0df6]
  • @​objectstack/spec@​4.0.5
  • @​objectstack/core@​4.0.5

Commits

• c065346 Refactor code structure for improved readability and maintainability
• b7bacab Update files
• 371445c feat(account): migrate user-settings to better-auth SDK + add missing features
• 284ee32 chore(deps)(deps): bump @​hono/node-server from 1.19.14 to 2.0.1
• 2c15aef Refactor code structure and remove redundant sections for improved readabilit...
• 2599fe5 Merge pull request #1222 from objectstack-ai/dependabot/npm_and_yarn/developm...
• 12e3288 feat(flow): add Flow Viewer and Flow Test Runner components with automation i...
• 97e6e74 chore(deps)(deps-dev): bump the development-dependencies group across 1 direc...
• 2fabf7c chore(deps)(deps): bump the production-dependencies group across 1 directory ...
• 0210c17 feat: restructure logger module and update build configuration for improved b...
• Additional commits viewable in compare view

Updates @ai-sdk/react from 3.0.176 to 3.0.179

Release notes

Sourced from @​ai-sdk/react's releases.

@​ai-sdk/react@​3.0.179

Patch Changes

• ai@6.0.177

Changelog

Sourced from @​ai-sdk/react's changelog.

3.0.179

Patch Changes

• ai@6.0.177

3.0.178

Patch Changes

• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27
  • ai@6.0.176

3.0.177

Patch Changes

• ai@6.0.175

Commits

• e70aab9 Version Packages (#15138)
• e3ccdb5 Version Packages (#15094)
• 3015153 Version Packages (#14960)
• See full diff in compare view

Updates ai from 6.0.174 to 6.0.177

Release notes

Sourced from ai's releases.

ai@6.0.177

Patch Changes

• Updated dependencies [5c73af8]
  • @​ai-sdk/gateway@​3.0.112

Changelog

Sourced from ai's changelog.

6.0.177

Patch Changes

• Updated dependencies [5c73af8]
  • @​ai-sdk/gateway@​3.0.112

6.0.176

Patch Changes

• f591416: feat(ai): add toolMetadata for tool specific metdata
• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27
  • @​ai-sdk/gateway@​3.0.111

6.0.175

Patch Changes

• Updated dependencies [9a88b1d]
  • @​ai-sdk/gateway@​3.0.110

Commits

• e70aab9 Version Packages (#15138)
• e3ccdb5 Version Packages (#15094)
• f591416 Backport: feat(ai): add toolMetadata for tool specific metdata (#15053)
• 0084974 Backport: feat(mcp): deprecate name and use clientName for MCPClient (#15003)
• 3015153 Version Packages (#14960)
• See full diff in compare view

Updates fumadocs-core from 16.8.7 to 16.8.9

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.8.8

No release notes provided.

Commits

• See full diff in compare view

Attestation changes

This version has no provenance attestation, while the previous version (16.8.7) was attested. Review the package versions before updating.

Updates fumadocs-ui from 16.8.7 to 16.8.9

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.8.8

Patch Changes

• b494c8d: Support copy ID in headings
• 03626ba: [Search UI] show ctrl for Linux machines
  • fumadocs-core@16.8.8

Commits

• See full diff in compare view

Attestation changes

This version has no provenance attestation, while the previous version (16.8.7) was attested. Review the package versions before updating.

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
objectui-demo	Error		May 11, 2026 10:01am

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
objectui	Ignored		May 11, 2026 10:01am

[github-actions]

❌ Console Performance Budget

Metric	Value	Budget
Main entry (gzip)	** KB**	KB
Entry file	``	—
Status	FAIL	—

---

📦 Bundle Size Report

Package	Size	Gzipped
create-plugin (index.js)	10.13KB	3.17KB
i18n (i18n.js)	2.54KB	1.02KB
i18n (index.js)	1.99KB	0.79KB
i18n (provider.js)	4.63KB	1.47KB
i18n (useObjectLabel.js)	12.47KB	3.25KB
i18n (useSafeTranslation.js)	1.63KB	0.57KB
types (ai.js)	0.20KB	0.17KB
types (api-types.js)	0.20KB	0.18KB
types (app.js)	2.87KB	0.99KB
types (base.js)	0.20KB	0.18KB
types (blocks.js)	0.20KB	0.18KB
types (complex.js)	0.20KB	0.18KB
types (crud.js)	0.20KB	0.18KB
types (data-display.js)	0.20KB	0.18KB
types (data-protocol.js)	0.20KB	0.19KB
types (data.js)	0.20KB	0.18KB
types (designer.js)	0.77KB	0.41KB
types (disclosure.js)	0.20KB	0.18KB
types (feedback.js)	0.20KB	0.18KB
types (field-types.js)	0.20KB	0.18KB
types (form.js)	0.20KB	0.18KB
types (index.js)	1.25KB	0.58KB
types (layout.js)	0.20KB	0.18KB
types (mobile.js)	0.20KB	0.18KB
types (navigation.js)	0.20KB	0.18KB
types (objectql.js)	0.20KB	0.18KB
types (overlay.js)	0.20KB	0.18KB
types (permissions.js)	0.20KB	0.18KB
types (plugin-scope.js)	0.20KB	0.18KB
types (record-components.js)	0.20KB	0.19KB
types (registry.js)	0.20KB	0.18KB
types (reports.js)	0.20KB	0.18KB
types (tenant.js)	0.20KB	0.18KB
types (theme.js)	0.20KB	0.18KB
types (ui-action.js)	0.20KB	0.18KB
types (views.js)	0.20KB	0.18KB
types (widget.js)	0.20KB	0.18KB
types (workflow.js)	0.20KB	0.18KB

Size Limits

• ✅ Core packages should be < 50KB gzipped
• ✅ Component packages should be < 100KB gzipped
• ⚠️ Plugin packages should be < 150KB gzipped