chore(deps): bump the patch-updates group with 9 updates

[dependabot]

Bumps the patch-updates group with 9 updates:

Package	From	To
vite	8.0.12	8.0.13
better-auth	1.6.10	1.6.11
@vitejs/plugin-react	6.0.1	6.0.2
express-rate-limit	8.5.1	8.5.2
@ai-sdk/react	3.0.179	3.0.186
ai	6.0.177	6.0.184
fumadocs-core	16.8.9	16.8.11
fumadocs-mdx	15.0.5	15.0.6
fumadocs-ui	16.8.9	16.8.11

Updates vite from 8.0.12 to 8.0.13

Release notes

Sourced from vite's releases.

v8.0.13

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.13 (2026-05-14)

Features

• bundled-dev: add lazy bundling support (#21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#22357) (47071ce)
• update rolldown to 1.0.1 (#22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #22274) (#22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#22439) (8e59c97)
• make isBundled per environment (#22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#22430) (6ea3838)
• update changelog (#22413) (fcdc87c)

Commits

• a46f11a release: v8.0.13
• d9b18e0 fix(ssr): avoid rewriting labels that collide with imports (#22451)
• 4f0949f feat(bundled-dev): add lazy bundling support (#21406)
• 158e8ae fix(build): copy public directory after building same environment with `write...
• 47071ce feat(optimizer): improve the esbuild plugin converter to pass some properties...
• 8e59c97 fix(css): keep deprecated name/originalFileName in synthetic `assetFileNa...
• a576326 fix: make isBundled per environment (#22257)
• 8c766a6 feat: update rolldown to 1.0.1 (#22444)
• b7edcb7 fix(css): await sass/less/styl worker disposal on teardown (fix #22274) (#22275)
• fcdc87c chore: update changelog (#22413)
• Additional commits viewable in compare view

Updates better-auth from 1.6.10 to 1.6.11

Release notes

Sourced from better-auth's releases.

v1.6.11

better-auth

Bug Fixes

• Added an error code to the change-email-disabled response to help clients identify the rejection reason (#8948)
• Fixed access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript (#9507)
• Fixed the anonymous plugin to correctly call onLinkAccount when email verification triggers auto sign-in (#9548)
• Fixed device authorization to bind pending codes to the verifying session, preventing any authenticated user from approving or denying another user's device code (#9573)
• Fixed a race condition in the magic-link plugin that allowed concurrent requests to mint multiple sessions from the same single-use token (#9572)
• Fixed the oidc-provider and mcp plugins to require client_secret for confidential clients on refresh token grants and use constant-time secret comparison (#9576)
• Hardened oidc-provider and mcp plugins to follow OAuth 2.1: removed "none" from advertised signing algorithms, defaulted plain PKCE off, and rejected incomplete PKCE parameters (#9575)
• Fixed an invitation takeover vulnerability by enabling requireEmailVerificationOnInvitation by default and extending the verification gate to getInvitation and listUserInvitations (#9577)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed a race condition in the OAuth authorization-code grant that allowed concurrent token-exchange requests to mint multiple token sets from the same authorization code
• Fixed a race condition in OAuth refresh-token rotation that allowed concurrent requests to fork refresh token families, and added a unique constraint on oauthRefreshToken.token
• Fixed OAuth account linking to require a verified local email before linking an OAuth identity to a local account (#9578)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Fixed an invalid import list in the instrumentation module (#9582)
• Widened advanced.ipAddress.ipv6Subnet to accept any valid IPv6 prefix length (0-128) instead of a narrow set of values (#9545)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

• Fixed session cleanup to run when admin, anonymous, or SCIM operations delete a user (#9162)
• Fixed generateSCIMToken to reject providerId values that collide with built-in account providers, preventing tokens from authenticating against unintended accounts (#9579)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SSO provider registration to require an org admin or owner role, preventing any organization member from registering providers (#9220)
• Fixed an SSRF vulnerability by validating user-supplied OIDC endpoint URLs against a public-routable host allowlist at provider registration and update (#9574)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.11

Patch Changes

• #9568 0cbddb8 Thanks @​gustavovalverde! - Add internalAdapter.consumeVerificationValue(identifier): atomically consume a verification row keyed by identifier. The first concurrent caller receives the row; later racers receive null. Backed by a new DBAdapter.consumeOne primitive implemented natively per adapter (memory, mongo, drizzle, kysely, prisma), with a transaction(findMany + delete) factory fallback. SecondaryStorage.getAndDelete is added as an optional companion; Redis ships it via an atomic Lua get-and-delete operation for compatibility with Redis versions before 6.2.

• #9162 a26333b Thanks @​ping-maxwell! - fix: cleanup sessions when admin, anonymous, or SCIM deletes a user

• #9573 99a254a Thanks @​gustavovalverde! - fix(device-authorization): require verify-time ownership claim for approve/deny

  Pending device codes were not bound to the user who entered the code on the verification page until approval, leaving a window where any authenticated user could approve or deny another user's pending code by knowing the user_code. GET /device now claims the pending row for the calling session, and POST /device/approve and POST /device/deny require the calling session to match the claimed owner. Custom verification pages must be served to an authenticated session for the flow to succeed.

• #8948 ee93485 Thanks @​ping-maxwell! - fix: add error code to change-email-disabled

• #9572 5f09d56 Thanks @​gustavovalverde! - Fix race condition in the magic-link plugin's verify handler that allowed two concurrent requests to mint two sessions from the same single-use token. The handler now consumes the verification row atomically via internalAdapter.consumeVerificationValue, so a given magic link mints at most one session regardless of concurrency. The allowedAttempts option is retained for backward compatibility but no longer multiplies successful redemptions; tokens are single-use. The second-redeem error code changes from ATTEMPTS_EXCEEDED to INVALID_TOKEN (the token no longer exists after consumption).

• b4bc65a Thanks @​gustavovalverde! - Fix race condition in the OAuth authorization-code grant: two concurrent token-exchange requests sharing the same code could both pass the find step before either delete completed and each mint an independent access/refresh/id token set. The authorization_code handler in @better-auth/oauth-provider, plus the legacy oidc-provider and mcp plugins in better-auth, now consume the verification row atomically via internalAdapter.consumeVerificationValue. The first caller mints tokens; concurrent racers receive invalid_grant (RFC 6749 §5.2). Malformed-verification-value branches in @better-auth/oauth-provider previously returned a project-specific invalid_verification code; those are now invalid_grant so spec-compliant clients can branch on the standard code.

• #9578 da7e50b Thanks @​gustavovalverde! - handleOAuthUserInfo (used by every social provider, generic-oauth, oauth-proxy, SSO OIDC and SAML, and idToken sign-in) implicitly linked a returning OAuth identity into a local user row whenever the IdP's email_verified claim was true or the provider was trusted. The local row's own emailVerified flag was read only to flip it after linking, never as a precondition. POST /sign-up/email creates rows with emailVerified: false for any caller, so an attacker who pre-registered a victim's email at the application could wait for the legitimate user's first OAuth sign-in: the IdP's verified claim was treated as ownership proof, and the victim's IdP identity was linked into the attacker-owned row.

  The implicit-link gate now requires dbUser.user.emailVerified === true in addition to the provider trust check by default. A new account.accountLinking.requireLocalEmailVerified option (default true) is the public surface for this gate. Apps whose users sign up via OAuth without verifying their email locally can opt back into the legacy behavior with account: { accountLinking: { requireLocalEmailVerified: false } }; understand the takeover risk before doing so. The option is @deprecated; a FIXME at each gate site points at the next-minor follow-up on next that drops the option and makes the gate unconditional.

  The one-tap plugin honored its own copy of the gate and was updated identically: requireLocalEmailVerified and accountLinking.disableImplicitLinking both apply on /one-tap/callback. The email_verified claim from the Google ID token is now normalized via toBoolean so a string "false" is treated as falsy.

  Test fixtures across admin, oidc-provider, mcp, generic-oauth, last-login-method, and oauth-provider suites now mark users emailVerified: true via a databaseHooks.user.create.before hook (or the disableTestUser opt-in on the oauth-provider RP) so the suites continue to exercise their role/flow logic rather than the new gate.

• #9507 a1c9f3c Thanks @​GautamBytes! - Preserve exact access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript.

• #9577 23094a6 Thanks @​gustavovalverde! - The organization plugin's invitation recipient endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations) treated invitation.email.toLowerCase() === session.user.email.toLowerCase() as proof that the calling user owned the invited address. A session-authenticated user whose email matched but was never verified passed the gate, so anyone who could pre-register an unverified account at a victim's email could accept invitations addressed to that email. The requireEmailVerificationOnInvitation opt-in option closed the gap only when explicitly enabled and did not protect getInvitation or listUserInvitations at all.

  The gate is now applied on all four recipient endpoints and the requireEmailVerificationOnInvitation option default flips from false to true so existing apps are secure by default. Apps that intentionally accept invitations from unverified accounts can keep the legacy permissive behavior with organization({ requireEmailVerificationOnInvitation: false }), but they should understand the takeover risk before doing so. Server-side calls to listUserInvitations with ctx.query.email and no session continue to bypass the gate (the caller is trusted).

  The option is @deprecated. The next-minor release on next removes it entirely and makes the gate unconditional.

• #9548 142b86c Thanks @​dipan-ck! - anonymous plugin now correctly calls onLinkAccount when email verification triggers auto sign-in

• #9576 1f2ff42 Thanks @​gustavovalverde! - fix(oidc-provider, mcp): authenticate confidential clients on refresh_token grant and harden secret comparison

  Refresh-token grants on the legacy oidc-provider and mcp plugins now require the registered client_secret from confidential clients, matching the authorization_code path. Public clients (where code_verifier substitutes for the secret on the auth-code grant) continue to skip secret validation. Secret comparisons across both plugins now use constant-time equality. The /mcp/token endpoint no longer emits a wildcard CORS Access-Control-Allow-Origin: * header.

  These plugins are deprecated in favor of @better-auth/oauth-provider, which is unaffected. New deployments should adopt the replacement; this patch keeps existing deployments protected while migrating.

• #9575 699b09a Thanks @​gustavovalverde! - fix(oidc-provider, mcp): drop "none" from advertised signing algorithms, default allowPlainCodeChallengeMethod to false, and reject missing PKCE method

  The legacy oidc-provider and mcp plugins now follow OAuth 2.1 (RFC 9700) on three protocol gates:

  • id_token_signing_alg_values_supported (oidc-provider, mcp) and resource_signing_alg_values_supported (mcp) no longer include "none". Relying parties that negotiate from this list will no longer be steered toward unsigned tokens.
  • allowPlainCodeChallengeMethod defaults to false. Callers who need plain PKCE must opt in explicitly.
  • Under the secure default the authorize endpoint no longer silently rewrites a missing code_challenge_method to "plain" before the allowlist check. A request that provides code_challenge without code_challenge_method is now rejected with invalid_request; the inverse case (code_challenge_method without code_challenge) is also rejected so no inconsistent PKCE state is persisted on the authorization code record.

  Non-breaking for callers who never relied on "none" advertisement or the plain default. Callers who explicitly set allowPlainCodeChallengeMethod: true keep plain on the allowlist and retain the legacy "missing method defaults to plain" behavior for backward compatibility, so existing integrations that opted into plain PKCE continue to work. The next-minor on next will drop both the plain allowlist entry and this fallback; until then, the option is the single explicit knob for legacy behavior. Migrate to @better-auth/oauth-provider for the canonical, spec-aligned implementation.

... (truncated)

Commits

• f41514e chore: release v1.6.11 (#9532)
• 699b09a fix(oidc-provider, mcp): drop "none" alg, default plain PKCE off, reject miss...
• b4bc65a Merge commit from fork
• a1c9f3c fix(access): preserve exact role statement types (#9507)
• da7e50b fix(oauth): block OAuth linking to unverified local accounts (#9578)
• 23094a6 fix(organization): default-on requireEmailVerificationOnInvitation & extend...
• 1f2ff42 fix(oidc-provider, mcp): authenticate confidential clients on refresh_token g...
• 5f09d56 fix(magic-link): consume verification token atomically on verify (#9572)
• 99a254a fix(device-authorization): bind approval to verifier session (#9573)
• 0cbddb8 refactor(db): rename claimOne adapter primitive to consumeOne (#9568)
• Additional commits viewable in compare view

Updates @vitejs/plugin-react from 6.0.1 to 6.0.2

Release notes

Sourced from @​vitejs/plugin-react's releases.

plugin-react@6.0.2

Allow all options in reactCompilerPreset (#1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

Changelog

Sourced from @​vitejs/plugin-react's changelog.

6.0.2 (2026-05-14)

Allow all options in reactCompilerPreset (#1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

Commits

• 6535b55 release: plugin-react@6.0.2
• bf0e43b feat(react): whitelist debugging-options (#1189)
• 3bd1f08 feat: use carets for rolldown versions (#1216)
• 2b8df67 fix(deps): update all non-major dependencies (#1218)
• 8fa9619 fix(deps): update react 19.2.6 (#1211)
• a4296ad fix(deps): update all non-major dependencies (#1209)
• 323ccd7 fix(deps): update all non-major dependencies (#1196)
• a7506e1 chore(deps): update vite 8.0.10 (#1198)
• 02cff2a fix(deps): update all non-major dependencies (#1184)
• 4b9c890 fix(deps): update react 19.2.5 (#1181)
• Additional commits viewable in compare view

Updates express-rate-limit from 8.5.1 to 8.5.2

Release notes

Sourced from express-rate-limit's releases.

v8.5.2

You can view the changelog here.

Commits

• 9774693 8.5.2
• 0e94cc0 v8.5.2 changelog
• 9a583c5 feat: simplify IPv6 key generation (#633)
• 4f4b3fb chore(deps-dev): bump lint-staged from 16.4.0 to 17.0.4 (#632)
• 3c1d6c5 chore(deps-dev): bump the development-dependencies group with 7 updates (#631)
• 18884b6 chore(deps): bump basic-ftp from 5.2.0 to 5.3.1 (#630)
• dacc980 chore(deps): bump handlebars from 4.7.8 to 4.7.9 (#629)
• 486d0c6 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#627)
• See full diff in compare view

Updates @ai-sdk/react from 3.0.179 to 3.0.186

Release notes

Sourced from @​ai-sdk/react's releases.

@​ai-sdk/react@​3.0.186

Patch Changes

• Updated dependencies [40fc5e4]
  • ai@6.0.184

@​ai-sdk/react@​3.0.185

Patch Changes

• ai@6.0.183

Changelog

Sourced from @​ai-sdk/react's changelog.

3.0.186

Patch Changes

• Updated dependencies [40fc5e4]
  • ai@6.0.184

3.0.185

Patch Changes

• ai@6.0.183

3.0.184

Patch Changes

• Updated dependencies [e76a29a]
  • ai@6.0.182

3.0.183

Patch Changes

• Updated dependencies [538974a]
  • ai@6.0.181

3.0.182

Patch Changes

• Updated dependencies [253bd5a]
• Updated dependencies [57ec10f]
  • ai@6.0.180

3.0.181

Patch Changes

• ai@6.0.179

3.0.180

Patch Changes

• Updated dependencies [ac6f27e]
  • ai@6.0.178

Commits

• f8d3003 Version Packages (#15356)
• 2e7664b Version Packages (#15315)
• c76ce9c Version Packages (#15257)
• c0e4fef Version Packages (#15251)
• 43e5359 Version Packages (#15221)
• e2f1bca Version Packages (#15216)
• d37fb1f Version Packages (#15202)
• See full diff in compare view

Updates ai from 6.0.177 to 6.0.184

Release notes

Sourced from ai's releases.

ai@6.0.184

Patch Changes

• 40fc5e4: fix(ai): default missing embedding warnings to an empty array

ai@6.0.183

Patch Changes

• Updated dependencies [363cefe]
  • @​ai-sdk/gateway@​3.0.115

Changelog

Sourced from ai's changelog.

6.0.184

Patch Changes

• 40fc5e4: fix(ai): default missing embedding warnings to an empty array

6.0.183

Patch Changes

• Updated dependencies [363cefe]
  • @​ai-sdk/gateway@​3.0.115

6.0.182

Patch Changes

• e76a29a: fix(ai): download tool-result file URLs

6.0.181

Patch Changes

• 538974a: fix(ui): make input optional on output-error tool and dynamic-tool UI message parts

  validateUIMessages rejected persisted assistant messages whose output-error tool parts had no input key. This happened for any errored tool call where the SDK set input: undefined (e.g. NoSuchToolError / InvalidToolInputError): JSON serialization stripped the undefined value, and Zod 4.4+ treats a missing z.unknown() key as a validation failure (previously it was implicitly optional). The schema now matches the runtime shape produced by process-ui-message-stream, so reloading a thread that contains an errored tool call no longer throws AI_TypeValidationError.

6.0.180

Patch Changes

• 253bd5a: fix(gateway): enable retry support for gateway errors
• 57ec10f: fix URL of hero animation in README
• Updated dependencies [253bd5a]
  • @​ai-sdk/gateway@​3.0.114

6.0.179

Patch Changes

• Updated dependencies [ee4de68]
  • @​ai-sdk/gateway@​3.0.113

6.0.178

Patch Changes

• ac6f27e: fix(ai): update opentelemetry pinned version

Commits

• f8d3003 Version Packages (#15356)
• 40fc5e4 Backport: fix(ai): default missing embedding warnings (#15354)
• 2e7664b Version Packages (#15315)
• 7baadcc chore: diverge test assertions based on node version (#15326)
• 5427555 chore: fix flaky tests diverging on different node versions (#15296)
• c76ce9c Version Packages (#15257)
• c0e4fef Version Packages (#15251)
• e76a29a Backport: fix(ai): download tool-result file URLs (#15246)
• 538974a Backport: fix(ai): Fix validateUIMessages with Zod 4.4 (#15247)
• 43e5359 Version Packages (#15221)
• Additional commits viewable in compare view

Updates fumadocs-core from 16.8.9 to 16.8.11

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.8.11

Patch Changes

• 1dc86c7: loosen the range for waku

fumadocs-core@16.8.10

Patch Changes

• 062beab: fix internal types
• 505cfe0: Add remark-block-id plugin

Commits

• See full diff in compare view

Updates fumadocs-mdx from 15.0.5 to 15.0.6

Release notes

Sourced from fumadocs-mdx's releases.

fumadocs-mdx@15.0.6

Patch Changes

• da4a81a: Update vite configs

Commits

• 56fb65d Version Packages (#3292)
• da4a81a OpenAPI: Bundle ajv
• 9ca0e2b Version Packages (#3291)
• e84da60 OpenAPI: bundle cjs deps
• 8455f0c Docs: add more details on notebook
• f5ff884 chore: bump deps
• See full diff in compare view

Updates fumadocs-ui from 16.8.9 to 16.8.11

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.8.11

Patch Changes

• Updated dependencies [1dc86c7]
  • fumadocs-core@16.8.11

fumadocs-ui@16.8.10

Patch Changes

• Updated dependencies [062beab]
• Updated dependencies [505cfe0]
  • fumadocs-core@16.8.10

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
objectui-demo	Ready	Preview, Comment	May 18, 2026 0:26am

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
objectui	Ignored		May 18, 2026 0:26am

[github-actions]

✅ Console Performance Budget

Metric	Value	Budget
Main entry (gzip)	94.7 KB	350 KB
Entry file	index-BaXPMlQr.js	—
Status	PASS	—

---

📦 Bundle Size Report

Package	Size	Gzipped
app-shell (index.js)	3.41KB	1.13KB
app-shell (types.js)	0.01KB	0.04KB
auth (AuthContext.js)	0.31KB	0.24KB
auth (AuthGuard.js)	1.17KB	0.53KB
auth (AuthProvider.js)	14.08KB	2.92KB
auth (ForgotPasswordForm.js)	4.91KB	1.66KB
auth (LoginForm.js)	5.10KB	1.68KB
auth (PreviewBanner.js)	0.90KB	0.50KB
auth (RegisterForm.js)	6.96KB	1.89KB
auth (SocialSignInButtons.js)	8.74KB	3.58KB
auth (UserMenu.js)	3.40KB	1.22KB
auth (createAuthClient.js)	15.32KB	3.45KB
auth (createAuthenticatedFetch.js)	2.47KB	0.95KB
auth (index.js)	1.28KB	0.55KB
auth (types.js)	0.59KB	0.35KB
auth (useAuth.js)	3.60KB	0.74KB
collaboration (CommentThread.js)	18.38KB	4.49KB
collaboration (LiveCursors.js)	3.17KB	1.27KB
collaboration (PresenceAvatars.js)	3.65KB	1.42KB
collaboration (index.js)	1.16KB	0.50KB
collaboration (useCommentSearch.js)	1.98KB	0.88KB
collaboration (useConflictResolution.js)	7.75KB	1.86KB
collaboration (useMentionNotifications.js)	1.81KB	0.68KB
collaboration (usePresence.js)	6.33KB	1.84KB
collaboration (useRealtimeSubscription.js)	7.91KB	2.01KB
components (index.js)	349.60KB	70.83KB
core (index.js)	1.41KB	0.53KB
create-plugin (index.js)	10.13KB	3.17KB
data-objectstack (index.js)	64.06KB	16.10KB
fields (index.js)	126.00KB	29.91KB
i18n (i18n.js)	2.54KB	1.02KB
i18n (index.js)	2.27KB	0.91KB
i18n (provider.js)	4.63KB	1.47KB
i18n (useObjectLabel.js)	15.26KB	3.58KB
i18n (useSafeTranslation.js)	1.63KB	0.57KB
layout (index.js)	28.85KB	7.90KB
mobile (MobileProvider.js)	0.92KB	0.49KB
mobile (ResponsiveContainer.js)	0.94KB	0.38KB
mobile (breakpoints.js)	1.51KB	0.70KB
mobile (createOfflineDataSource.js)	5.61KB	1.74KB
mobile (index.js)	1.50KB	0.62KB
mobile (offlineQueue.js)	3.91KB	1.35KB
mobile (pwa.js)	0.97KB	0.49KB
mobile (serviceWorker.js)	1.48KB	0.62KB
mobile (serviceWorkerSource.js)	3.41KB	1.48KB
mobile (useBreakpoint.js)	1.54KB	0.65KB
mobile (useGesture.js)	4.42KB	1.27KB
mobile (useOfflineSync.js)	1.99KB	0.72KB
mobile (usePullToRefresh.js)	2.53KB	0.85KB
mobile (useResponsive.js)	0.71KB	0.42KB
mobile (useResponsiveConfig.js)	1.36KB	0.63KB
mobile (useSpecGesture.js)	1.77KB	0.77KB
mobile (useTouchTarget.js)	1.01KB	0.54KB
permissions (PermissionContext.js)	0.31KB	0.25KB
permissions (PermissionGuard.js)	0.89KB	0.45KB
permissions (PermissionProvider.js)	3.11KB	0.87KB
permissions (evaluator.js)	4.00KB	1.23KB
permissions (index.js)	0.85KB	0.40KB
permissions (store.js)	0.91KB	0.42KB
permissions (useFieldPermissions.js)	1.28KB	0.52KB
permissions (usePermissions.js)	0.99KB	0.49KB
plugin-aggrid (index.js)	28.09KB	7.07KB
plugin-ai (index.js)	15.71KB	3.79KB
plugin-calendar (index.js)	45.94KB	12.63KB
plugin-charts (index.js)	32.48KB	9.30KB
plugin-chatbot (index.js)	35.28KB	8.29KB
plugin-dashboard (index.js)	83.55KB	19.70KB
plugin-designer (index.js)	231.64KB	44.54KB
plugin-detail (index.js)	130.64KB	30.24KB
plugin-editor (index.js)	2.38KB	1.06KB
plugin-form (index.js)	53.88KB	12.02KB
plugin-gantt (index.js)	27.28KB	7.50KB
plugin-grid (index.js)	88.54KB	23.92KB
plugin-kanban (index.js)	45.32KB	12.03KB
plugin-list (index.js)	72.23KB	17.22KB
plugin-map (index.js)	16.02KB	4.98KB
plugin-markdown (index.js)	2.62KB	1.18KB
plugin-report (index.js)	67.48KB	13.94KB
plugin-timeline (index.js)	24.29KB	6.91KB
plugin-view (index.js)	140.02KB	28.74KB
plugin-workflow (index.js)	69.35KB	14.42KB
providers (DataSourceProvider.js)	0.75KB	0.39KB
providers (MetadataProvider.js)	1.37KB	0.59KB
providers (ThemeProvider.js)	1.55KB	0.67KB
providers (UploadProvider.js)	7.81KB	2.56KB
providers (index.js)	0.41KB	0.21KB
providers (types.js)	0.01KB	0.04KB
react (LazyPluginLoader.js)	3.77KB	1.33KB
react (SchemaRenderer.js)	10.94KB	3.47KB
react (index.js)	0.76KB	0.42KB
tenant (TenantContext.js)	0.31KB	0.25KB
tenant (TenantGuard.js)	1.04KB	0.43KB
tenant (TenantProvider.js)	2.76KB	0.98KB
tenant (TenantScopedQuery.js)	0.77KB	0.44KB
tenant (index.js)	0.75KB	0.38KB
tenant (resolver.js)	2.64KB	0.76KB
tenant (useTenant.js)	0.50KB	0.32KB
tenant (useTenantBranding.js)	0.62KB	0.39KB
types (ai.js)	0.20KB	0.17KB
types (api-types.js)	0.20KB	0.18KB
types (app.js)	2.87KB	0.99KB
types (base.js)	0.20KB	0.18KB
types (blocks.js)	0.20KB	0.18KB
types (complex.js)	0.20KB	0.18KB
types (crud.js)	0.20KB	0.18KB
types (data-display.js)	0.20KB	0.18KB
types (data-protocol.js)	0.20KB	0.19KB
types (data.js)	0.20KB	0.18KB
types (designer.js)	0.77KB	0.41KB
types (disclosure.js)	0.20KB	0.18KB
types (feedback.js)	0.20KB	0.18KB
types (field-types.js)	0.20KB	0.18KB
types (form.js)	0.20KB	0.18KB
types (index.js)	1.25KB	0.58KB
types (layout.js)	0.20KB	0.18KB
types (mobile.js)	0.20KB	0.18KB
types (navigation.js)	0.20KB	0.18KB
types (objectql.js)	0.20KB	0.18KB
types (overlay.js)	0.20KB	0.18KB
types (permissions.js)	0.20KB	0.18KB
types (plugin-scope.js)	0.20KB	0.18KB
types (record-components.js)	0.20KB	0.19KB
types (registry.js)	0.20KB	0.18KB
types (reports.js)	0.20KB	0.18KB
types (tenant.js)	0.20KB	0.18KB
types (theme.js)	0.20KB	0.18KB
types (ui-action.js)	0.20KB	0.18KB
types (views.js)	0.20KB	0.18KB
types (widget.js)	0.20KB	0.18KB
types (workflow.js)	0.20KB	0.18KB

Size Limits

• ✅ Core packages should be < 50KB gzipped
• ✅ Component packages should be < 100KB gzipped
• ⚠️ Plugin packages should be < 150KB gzipped