chore(deps)(deps): bump the production-dependencies group with 8 updates

[dependabot]

Bumps the production-dependencies group with 8 updates:

Package	From	To
lucide-react	0.575.0	0.577.0
@oclif/core	4.8.2	4.8.3
@hono/node-server	1.19.9	1.19.11
better-auth	1.5.0	1.5.4
hono	4.12.3	4.12.5
fumadocs-core	16.6.8	16.6.12
fumadocs-ui	16.6.8	16.6.12
react-resizable-panels	4.7.0	4.7.2

Updates lucide-react from 0.575.0 to 0.577.0

Release notes

Sourced from lucide-react's releases.

Version 0.577.0

What's Changed

• chore(deps): bump rollup from 4.53.3 to 4.59.0 by @​dependabot[bot] in lucide-icons/lucide#4106
• fix(repo): correctly ignore docs/releaseMetadata via .gitignore by @​bhavberi in lucide-icons/lucide#4100
• feat(icons): added ellipse icon by @​KISHORE-KUMAR-S in lucide-icons/lucide#3749

New Contributors

• @​bhavberi made their first contribution in lucide-icons/lucide#4100
• @​KISHORE-KUMAR-S made their first contribution in lucide-icons/lucide#3749

Full Changelog: lucide-icons/lucide@0.576.0...0.577.0

Version 0.576.0

What's Changed

• Added zodiac signs by @​karsa-mistmere in lucide-icons/lucide#712
• fix(icons): fixes guideline violations in package-* icons. by @​karsa-mistmere in lucide-icons/lucide#4074
• fix(icons): changed receipt icon by @​karsa-mistmere in lucide-icons/lucide#4075
• fix(icons): updated cuboid icon tags and categories by @​karsa-mistmere in lucide-icons/lucide#4095
• fix(icons): changed cuboid icon by @​jamiemlaw in lucide-icons/lucide#4098
• fix(lucide-font, lucide-static): Fixing stable code points by @​ericfennis in lucide-icons/lucide#3894
• feat(icons): added fishing-rod icon by @​7ender in lucide-icons/lucide#3839

Full Changelog: lucide-icons/lucide@0.575.0...0.576.0

Commits

• f6c0d06 chore(deps): bump rollup from 4.53.3 to 4.59.0 (#4106)
• See full diff in compare view

Updates @oclif/core from 4.8.2 to 4.8.3

Release notes

Sourced from @​oclif/core's releases.

4.8.3

Bug Fixes

• expanded process title checks for windows shell identification @​W-21239801@ (d2c1913)

Changelog

Sourced from @​oclif/core's changelog.

4.8.3 (2026-03-02)

Bug Fixes

• expanded process title checks for windows shell identification @​W-21239801@ (d2c1913)

Commits

• 43d9214 chore(release): 4.8.3 [skip ci]
• dc3fda4 Merge pull request #1548 from oclif/d/W-21239801-b
• d2c1913 fix: expanded process title checks for windows shell identification @​W-21239801@
• 9e0b028 Merge pull request #1546 from oclif/dependabot-npm_and_yarn-eslint-config-ocl...
• e77238b chore(dev-deps): bump eslint-config-oclif from 6.0.140 to 6.0.144
• See full diff in compare view

Updates @hono/node-server from 1.19.9 to 1.19.11

Release notes

Sourced from @​hono/node-server's releases.

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• 58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
• b1daa4c docs(readme): add @​usualoma as an author (#300)
• See full diff in compare view

Updates better-auth from 1.5.0 to 1.5.4

Release notes

Sourced from better-auth's releases.

v1.5.4

   🐞 Bug Fixes

• Move adapter packages to dependencies to fix missing module errors  -  by @​himself65 in better-auth/better-auth#8401 (56857)
• expo: Handle origin override across mutable and immutable requests  -  by @​NathanColosimo, Taesu and @​bytaesu in better-auth/better-auth#8405 (b7a31)

    View changes on GitHub

v1.5.3

   🐞 Bug Fixes

• account: Use accountId instead of id in accountInfo endpoint  -  by @​NathanColosimo and @​himself65 in better-auth/better-auth#8346 (efcc2)
• sso: Use internalAdapter for verification operations  -  by @​himself65 in better-auth/better-auth#8353 (e3bc6)

    View changes on GitHub

v1.5.2

   🐞 Bug Fixes

• Access control indexing type  -  by @​YevheniiKotyrlo and @​himself65 in better-auth/better-auth#8155 (5d7dd)
• Prevent double encoded cookie  -  by @​Oluwatobi-Mustapha and @​himself65 in better-auth/better-auth#8133 (55dd0)
• cookies:
  • Use lookahead heuristic for splitting Set-Cookie headers  -  by @​bytaesu in better-auth/better-auth#8301 (8959c)
• oauth-provider:
  • Allow localhost subdomains in isLocalhost function  -  by @​sicarius97 and @​himself65 in better-auth/better-auth#8286 (4b974)
  • CustomIdTokenClaims should override standard claims  -  by @​gustavovalverde in better-auth/better-auth#7865 (7425f)
• prisma-adapter:
  • Use deleteMany when deleting by non-unique field  -  by @​himself65 in better-auth/better-auth#8314 (e3ff2)
• sso:
  • Prefer UserInfo endpoint over ID token and map sub claim correctly  -  by @​himself65 and Copilot in better-auth/better-auth#8276 (f88bc)

    View changes on GitHub

v1.5.1

   🐞 Bug Fixes

• client: Use direct imports to fix bundler re-export type resolution  -  by @​himself65 in better-auth/better-auth#8261 (63bb7)
• core: Revive date strings in safeJSONParse for pre-parsed objects  -  by @​himself65 in better-auth/better-auth#8248 (56db7)
• db: Support verification operations with secondary storage  -  by @​himself65 in better-auth/better-auth#8247 (8a047)
• expo: Avoid shim require  -  by @​himself65 in better-auth/better-auth#8253 (977bf)
• generic-oauth: Use discovery userinfo endpoint instead of hardcoded URLs  -  by @​himself65 in better-auth/better-auth#8223 (58940)

    View changes on GitHub

v1.5.1-beta.3

   🐞 Bug Fixes

• cookies: Use lookahead heuristic for splitting Set-Cookie headers  -  by @​bytaesu in better-auth/better-auth#8301 (add7b)

    View changes on GitHub

... (truncated)

Commits

• cb9e1bc chore: release v1.5.4
• 56857d6 fix: move adapter packages to dependencies to fix missing module errors (#8401)
• 8e1ddc3 chore: release v1.5.3
• efcc238 fix(account): use accountId instead of id in accountInfo endpoint (#8346)
• 318f827 chore: move adapter packages from deps to optional peer deps (#8303)
• 54c8493 chore: release v1.5.2
• 55dd06e fix: prevent double encoded cookie (#8133)
• 5d7dd9e fix: access control indexing type (#8155)
• 8959cb9 fix(cookies): use lookahead heuristic for splitting Set-Cookie headers (#8301)
• 3715137 chore: release v1.5.1
• Additional commits viewable in compare view

Updates hono from 4.12.3 to 4.12.5

Release notes

Sourced from hono's releases.

v4.12.5

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in honojs/hono#4723
• fix(jwt): validate token format in decode and decodeHeader functions by @​otoneko1102 in honojs/hono#4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @​gaearon in honojs/hono#4770
• chore(eslint): upgrade @hono/eslint-config by @​BarryThePenguin in honojs/hono#4781

New Contributors

• @​andrewdamelio made their first contribution in honojs/hono#4723
• @​otoneko1102 made their first contribution in honojs/hono#4752
• @​gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

---

Other changes

• fix(client): preserve route schema in ApplyGlobalResponse by @​agumy in honojs/hono#4777
• fix(utils/url): specify the return type of tryDecodeURI by @​yusukebe in honojs/hono#4779

New Contributors

• @​agumy made their first contribution in honojs/hono#4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

Commits

• 18cc595 4.12.5
• 5d59ac7 chore(eslint): upgrade @hono/eslint-config (#4781)
• b8cff18 fix(jsx): Fix "Invalid state: Controller is already closed" (#4770)
• 8c4d7f3 fix(jwt): validate token format in decode and decodeHeader functions (#4752)
• 0f49915 fix(request): return string | undefined from param() when path type is any ...
• 19d20d2 4.12.4
• 44ae0c8 Merge commit from fork
• f4123ed Merge commit from fork
• 80a9837 fix(utils/url): specify the return type of tryDecodeURI (#4779)
• 6a0607a Merge commit from fork
• Additional commits viewable in compare view

Updates fumadocs-core from 16.6.8 to 16.6.12

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.6.12

Patch Changes

• ddb0f81: require explicit import for new search clients

fumadocs-core@16.6.11

Patch Changes

• d35f30c: deprecate highlight on content highlighter
• ae3e742: Support flexsearch server & client
• 269dfb3: Redesign search client adapter interface

Commits

• af5738a Version Packages (#3080)
• ddb0f81 Core: require explicit import for new search clients
• 418f475 Version Packages (#3077)
• 9c110f1 Core: support tag filter in Flexsearch
• 269dfb3 Core: Redesign search client adapter interface
• d35f30c Core: deprecate highlight on content highlighter
• 9ba67d3 Flexsearch: add highlight
• ae3e742 Core: Support flexsearch server & client
• 3fa6eaf Chore: bump deps
• ab774b3 improve landing page
• Additional commits viewable in compare view

Updates fumadocs-ui from 16.6.8 to 16.6.12

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.6.12

Patch Changes

• Updated dependencies [ddb0f81]
  • fumadocs-core@16.6.12

fumadocs-ui@16.6.11

Patch Changes

• Updated dependencies [d35f30c]
• Updated dependencies [ae3e742]
• Updated dependencies [269dfb3]
  • fumadocs-core@16.6.11

Commits

• af5738a Version Packages (#3080)
• ddb0f81 Core: require explicit import for new search clients
• 418f475 Version Packages (#3077)
• 9c110f1 Core: support tag filter in Flexsearch
• 269dfb3 Core: Redesign search client adapter interface
• d35f30c Core: deprecate highlight on content highlighter
• 9ba67d3 Flexsearch: add highlight
• ae3e742 Core: Support flexsearch server & client
• 3fa6eaf Chore: bump deps
• ab774b3 improve landing page
• Additional commits viewable in compare view

Updates react-resizable-panels from 4.7.0 to 4.7.2

Release notes

Sourced from react-resizable-panels's releases.

4.7.2

• 683: Don't scroll separator when setting focus

4.7.1

• 678: Change default overflow styles to support shadows

Changelog

Sourced from react-resizable-panels's changelog.

4.7.2

• 683: Don't scroll separator when setting focus

4.7.1

• 678: Change default overflow styles to support shadows

Commits

• af7038c 4.7.1 -> 4.7.2
• 8510531 Don't scroll separator when setting focus (#683)
• 31831c3 4.7.0 -> 4.7.1
• fdf9d0b Support overflowing content like drop-shadows (#678)
• f7ed878 Update react-lib-tools dep
• c236e74 Update react-lib-tools dep
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
objectstack-play	Ready	Preview, Comment	Mar 9, 2026 2:37am
spec	Ready	Preview, Comment	Mar 9, 2026 2:37am