Skip to content

deps: bump the dependencies-minor group across 1 directory with 13 updates#18

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/dependencies-minor-741c8e827d
Open

deps: bump the dependencies-minor group across 1 directory with 13 updates#18
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/dependencies-minor-741c8e827d

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Oct 22, 2025
edited
Loading

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps the dependencies-minor group with 13 updates in the / directory:

Package From To
@fontsource-variable/figtree 5.2.8 5.2.10
@fontsource/ibm-plex-mono 5.2.6 5.2.7
@hookform/resolvers 5.1.1 5.2.2
@oddbird/css-anchor-positioning 0.6.1 0.7.0
react 19.1.0 19.2.0
@types/react 19.1.8 19.2.2
react-dom 19.1.0 19.2.0
@types/react-dom 19.1.6 19.2.2
react-hook-form 7.60.0 7.65.0
zod 4.1.5 4.1.12
@playwright/test 1.54.1 1.56.1
sass 1.89.2 1.93.2
typescript 5.8.3 5.9.3

Updates @fontsource-variable/figtree from 5.2.8 to 5.2.10

Commits

Updates @fontsource/ibm-plex-mono from 5.2.6 to 5.2.7

Commits

Updates @hookform/resolvers from 5.1.1 to 5.2.2

Release notes

Sourced from @​hookform/resolvers's releases.

v5.2.2

5.2.2 (2025-09-14)

Bug Fixes

  • zod: fix output type for Zod 4 resolver (#803) (e95721d)

v5.2.1

5.2.1 (2025-07-29)

Bug Fixes

v5.2.0

5.2.0 (2025-07-25)

Features

  • ajv: add ajv-formats for ajvResolver (#797) (f040039)
Commits

Updates @oddbird/css-anchor-positioning from 0.6.1 to 0.7.0

Release notes

Sourced from @​oddbird/css-anchor-positioning's releases.

v0.7.0

What's Changed

New Contributors

Full Changelog: oddbird/css-anchor-positioning@v0.6.1...v0.7.0

Commits
  • 40f3a89 v0.7.0
  • db16313 Work with anchor and target inside same shadow root (#353)
  • b18b8ed Merge pull request #352 from oddbird/dependabot/npm_and_yarn/dev-9d451710aa
  • ea505c5 Merge pull request #351 from oddbird/dependabot/npm_and_yarn/prod-8404f4c51f
  • d4bbb67 chore(deps-dev): Bump the dev group with 13 updates
  • ae3512f chore(deps): Bump the prod group with 2 updates
  • 2f9b4c5 Merge pull request #348 from oddbird/dependabot/npm_and_yarn/npm_and_yarn-f5c...
  • 98ccee3 chore(deps-dev): Bump vite in the npm_and_yarn group across 1 directory
  • 15ebcc0 Merge pull request #346 from oddbird/dependabot/github_actions/actions/setup-...
  • 2cc99a6 Merge pull request #347 from oddbird/dependabot/github_actions/actions/setup-...
  • Additional commits viewable in compare view

Updates react from 19.1.0 to 19.2.0

Release notes

Sourced from react's releases.

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

React DOM

... (truncated)

Changelog

Sourced from react's changelog.

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

React DOM

... (truncated)

Commits

Updates @types/react from 19.1.8 to 19.2.2

Commits

Updates react-dom from 19.1.0 to 19.2.0

Release notes

Sourced from react-dom's releases.

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

React DOM

... (truncated)

Changelog

Sourced from react-dom's changelog.

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

React DOM

... (truncated)

Commits

Updates @types/react-dom from 19.1.6 to 19.2.2

Commits

Updates react-hook-form from 7.60.0 to 7.65.0

Release notes

Sourced from react-hook-form's releases.

Version 7.65.0

🧿 feat: <Watch /> component (#12986)

import { useForm, Watch } from 'react-hook-form';
const App = () => {
const { register, control } = useForm();
return (
<div>
<form>
<input {...register('foo')} />
<input {...register('bar')} />
</form>
{/* re-render only when value of foo changes */}
<Watch
control={control}
names={['foo']}
render={([foo]) => <span>{foo}</span>}
/>
</div>
);
};

🐞 fix: respect parent-provided useFieldArray rules (#13082) (#13083 🐞 fix: getDirtyFields submit fields with null values when using useForm (#13079)

thanks to @​tesseractjh, @​Han5991 & @​jonathanarnault

Version 7.64.0

🚏 Support optional array fields in PathValueImpl type (#13057) 🐞 fix: preserve Controller's defaultValue with shouldUnregister prop (#13063) ✂ chore: remove unused field ids ref in useFieldArray (#13066)

thanks to @​MPrieur-chaps, @​gynekolog & @​uk960214

Version 7.63.0

🥢 feat: extract form values by form state (#12936)

getValues(undefined, { dirtyFields: true }); // return only dirty fields 
getValues(undefined, { touchedFields: true });  // return only touched fields

🦍 feat: improve get dirty fields logic (#13049) 🐿️ chore: remove duplicated function isMessage (#13050) 🐞 fix: use field name to update isValidating fields (#13000) 🐞 fix: unregister previous field when switching conditional Controllers (#13041)

... (truncated)

Commits

Updates zod from 4.1.5 to 4.1.12

Release notes

Sourced from zod's releases.

v4.1.12

Commits:

  • 0b109c37c6b0b10e3901b56bcccb72e29a0b846f docs(ecosystem): add bupkis to the ecosystem section (#5237)
  • d22ec0d26fab27151b0f1d1f98bffeaf8b011f57 docs(ecosystem): add upfetch (#5238)
  • c56a4f6fab42c542b191228af61974b2328dc52f docs(ecosystem): add eslint-plugin-zod-x (#5261)
  • a0abcc02900a4293dd4f30cd81580efcdd5230bb docs(metadata.mdx): fix a mistake in an example output (#5248)
  • 62bf4e439e287e55c843245b49f8d34b1ad024ee fix(ZodError): prevent flatten() from crashing on 'toString' key (#5266)
  • 02a584010ac92ac8a351632ae5aea3983a6f17d8 refac(errors): Unify code structure and improve types (#5278)
  • 4b1922ad714e12dafaa83a40ec03275a39ac980c docs(content/v4/index): fix zod version (#5289)
  • 3fcb20ff348e49aec70f45e0dca3de8a61450e77 Add frrm to ecosystem (#5292)
  • fda4c7c2afbd7649261be1e7954f8c4d4de24a07 Make docs work without token
  • af447384379faef28aa857fb53ef1da702c6d408 Fix lint
  • 77c3c9f069a4cf168c0cbc58432803de887a6b1b Export bg.ts
  • 3b946107b6c94b2ac8ff9fb451160c34dc4dd794 v4.1.12

v4.1.11

Commits:

  • 2bed4b39760d8e4d678203b5c8fcaf24c182fc9f 4.1.11

v4.1.10

Commits:

  • 7ffedd00169d8dc2e7cb7c6d878f29b03e05b3a3 Fix shape caching (#5263)
  • 82cd717a0e7ee4e1737a783c7be278fa93fd8104 v4.1.10

v4.1.9

Commits:

  • a78716d91da7649a61016b81c27f49fd9e79a81e Update zshy (#5249)
  • 923af801fde9f033cfd7e0e753b421a554fe3be8 Publish zod@4.1.9

v4.1.8

Commits:

  • 36c4ee354d0c1f47b7311e49f6dd4b7a11de04f5 Switch back to weakmap
  • a1726d53172ba52ecf90999df73778cf416264fd 4.1.8

v4.1.7

Commits:

  • 0cca351c8b152d7c4113ab7c2a44675efb060677 Fix variable name inconsistency in coercion documentation (#5188)
  • aa78c270f1b43f4665339f4b61e7cb88037b8c84 Add copy/edit buttons
  • 76452d4119d800a722b692755c1168627bc95f0f Update button txt
  • 937f73c90cac90bd3b99b12c792c289b50416510 Fix tsconfig issue in bench
  • 976b43657d4aff6d47c73c1c86125623ea08752d v4.1.6 (#5222)
  • 4309c61304daf40aab2124b5f513abe2b4df8637 Fix cidrv6 validation - cidrv6 should reject invalid strings with multiple slashes (#5196)
  • ef95a73b6d33299743e5ff4f0645b98c1b0d6f72 feat(locales): Add Lithuanian (lt) locale (#5210)
  • 3803f3f37168212f2178e8b8deceb7bad78ed904 docs: update wrong contents in codeblocks in api.mdx (#5209)

... (truncated)

Commits

Updates @playwright/test from 1.54.1 to 1.56.1

Release notes

Sourced from @​playwright/test's releases.

v1.56.1

Highlights

#37871 chore: allow local-network-access permission in chromium #37891 fix(agents): remove workspaceFolder ref from vscode mcp #37759 chore: rename agents to test agents #37757 chore(mcp): fallback to cwd when resolving test config

Browser Versions

  • Chromium 141.0.7390.37
  • Mozilla Firefox 142.0.1
  • WebKit 26.0

v1.56.0

Playwright Agents

Introducing Playwright Agents, three custom agent definitions designed to guide LLMs through the core process of building a Playwright test:

  • 🎭 planner explores the app and produces a Markdown test plan
  • 🎭 generator transforms the Markdown plan into the Playwright Test files
  • 🎭 healer executes the test suite and automatically repairs failing tests

Run npx playwright init-agents with your client of choice to generate the latest agent definitions:

# Generate agent files for each agentic loop
# Visual Studio Code
npx playwright init-agents --loop=vscode
# Claude Code
npx playwright init-agents --loop=claude
# opencode
npx playwright init-agents --loop=opencode

[!NOTE] VS Code v1.105 (currently on the VS Code Insiders channel) is needed for the agentic experience in VS Code. It will become stable shortly, we are a bit ahead of times with this functionality!

Learn more about Playwright Agents

New APIs

UI Mode and HTML Reporter

  • Added option to 'html' reporter to disable the "Copy prompt" button
  • Added option to 'html' reporter and UI Mode to merge files, collapsing test and describe blocks into a single unified list
  • Added option to UI Mode mirroring the --update-snapshots options
  • Added option to UI Mode to run only a single worker at a time

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​playwright/test since your current version.


Updates @types/react from 19.1.8 to 19.2.2

Commits

Updates @types/react-dom from 19.1.6 to 19.2.2

Commits

Updates sass from 1.89.2 to 1.93.2

Release notes

Sourced from sass's releases.

Dart Sass 1.93.2

To install Sass 1.93.2, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

  • No user-visible changes.

JavaScript API

  • Fix another error in the release process for @sass/types.

See the full changelog for changes in earlier releases.

Dart Sass 1.93.1

To install Sass 1.93.1, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

  • No user-visible changes.

JavaScript API

  • Fix an error in the release process for @sass/types.

See the full changelog for changes in earlier releases.

Dart Sass 1.93.0

To install Sass 1.93.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

  • Fix a crash when a style rule contains a nested @import, and the loaded file @uses a user-defined module as well as @includes a top-level mixin which emits top-level declarations.

JavaScript API

  • Release a @sass/types package which contains the type annotations used by both the sass and sass-embedded package without any additional code or dependencies.

See the full changelog for changes in earlier releases.

Dart Sass 1.92.1

To install Sass 1.92.1, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

... (truncated)

Changelog ...

Description has been truncated

@dependabot
deps: bump the dependencies-minor group across 1 directory with 13 up…
6625125 
…dates

Bumps the dependencies-minor group with 13 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@fontsource-variable/figtree](https://github.com/fontsource/font-files/tree/HEAD/fonts/variable/figtree) | `5.2.8` | `5.2.10` |
| [@fontsource/ibm-plex-mono](https://github.com/fontsource/font-files/tree/HEAD/fonts/google/ibm-plex-mono) | `5.2.6` | `5.2.7` |
| [@hookform/resolvers](https://github.com/react-hook-form/resolvers) | `5.1.1` | `5.2.2` |
| [@oddbird/css-anchor-positioning](https://github.com/oddbird/css-anchor-positioning) | `0.6.1` | `0.7.0` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.1.0` | `19.2.0` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.1.8` | `19.2.2` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.1.0` | `19.2.0` |
| [@types/react-dom](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-dom) | `19.1.6` | `19.2.2` |
| [react-hook-form](https://github.com/react-hook-form/react-hook-form) | `7.60.0` | `7.65.0` |
| [zod](https://github.com/colinhacks/zod) | `4.1.5` | `4.1.12` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.54.1` | `1.56.1` |
| [sass](https://github.com/sass/dart-sass) | `1.89.2` | `1.93.2` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.3` |



Updates `@fontsource-variable/figtree` from 5.2.8 to 5.2.10
- [Changelog](https://github.com/fontsource/font-files/blob/main/CHANGELOG.md)
- [Commits](https://github.com/fontsource/font-files/commits/HEAD/fonts/variable/figtree)

Updates `@fontsource/ibm-plex-mono` from 5.2.6 to 5.2.7
- [Changelog](https://github.com/fontsource/font-files/blob/main/CHANGELOG.md)
- [Commits](https://github.com/fontsource/font-files/commits/HEAD/fonts/google/ibm-plex-mono)

Updates `@hookform/resolvers` from 5.1.1 to 5.2.2
- [Release notes](https://github.com/react-hook-form/resolvers/releases)
- [Commits](react-hook-form/resolvers@v5.1.1...v5.2.2)

Updates `@oddbird/css-anchor-positioning` from 0.6.1 to 0.7.0
- [Release notes](https://github.com/oddbird/css-anchor-positioning/releases)
- [Changelog](https://github.com/oddbird/css-anchor-positioning/blob/main/CHANGELOG.md)
- [Commits](oddbird/css-anchor-positioning@v0.6.1...v0.7.0)

Updates `react` from 19.1.0 to 19.2.0
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.0/packages/react)

Updates `@types/react` from 19.1.8 to 19.2.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.1.0 to 19.2.0
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.0/packages/react-dom)

Updates `@types/react-dom` from 19.1.6 to 19.2.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react-dom)

Updates `react-hook-form` from 7.60.0 to 7.65.0
- [Release notes](https://github.com/react-hook-form/react-hook-form/releases)
- [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md)
- [Commits](react-hook-form/react-hook-form@v7.60.0...v7.65.0)

Updates `zod` from 4.1.5 to 4.1.12
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.1.5...v4.1.12)

Updates `@playwright/test` from 1.54.1 to 1.56.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.54.1...v1.56.1)

Updates `@types/react` from 19.1.8 to 19.2.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `@types/react-dom` from 19.1.6 to 19.2.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react-dom)

Updates `sass` from 1.89.2 to 1.93.2
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](sass/dart-sass@1.89.2...1.93.2)

Updates `typescript` from 5.8.3 to 5.9.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](microsoft/TypeScript@v5.8.3...v5.9.3)

---
updated-dependencies:
- dependency-name: "@fontsource-variable/figtree"
  dependency-version: 5.2.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies-minor
- dependency-name: "@fontsource/ibm-plex-mono"
  dependency-version: 5.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies-minor
- dependency-name: "@hookform/resolvers"
  dependency-version: 5.2.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: "@oddbird/css-anchor-positioning"
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: react
  dependency-version: 19.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: "@types/react"
  dependency-version: 19.2.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: react-dom
  dependency-version: 19.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: "@types/react-dom"
  dependency-version: 19.2.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: react-hook-form
  dependency-version: 7.65.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: zod
  dependency-version: 4.1.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies-minor
- dependency-name: "@playwright/test"
  dependency-version: 1.56.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: "@types/react"
  dependency-version: 19.2.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: "@types/react-dom"
  dependency-version: 19.2.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: sass
  dependency-version: 1.93.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
- dependency-name: typescript
  dependency-version: 5.9.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Oct 22, 2025
@fossabot
Copy link
Copy Markdown

fossabot bot commented Oct 22, 2025

fossabot Analysis Failed
You have no credits left. Reach out to autoupdates@fossa.com and we'll top you up.

Credits are consumed when dependency updates are reviewed or proposed.

Re-run with @fossabot analyze.

@socket-security
Copy link
Copy Markdown

socket-security bot commented Oct 22, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​types/​react-dom@​19.1.6 ⏵ 19.2.2100 +110075 +194100
Updated@​types/​react@​19.1.8 ⏵ 19.2.21001007995100
Updated@​fontsource-variable/​figtree@​5.2.8 ⏵ 5.2.1084 +510081 +292 +890
Updatedreact@​19.1.0 ⏵ 19.2.0100 +110084 +197100
Updated@​fontsource/​ibm-plex-mono@​5.2.6 ⏵ 5.2.7100 +110086 +290 +790
Updated@​hookform/​resolvers@​5.1.1 ⏵ 5.2.2100100100 +189 -1100
Updatedtypescript@​5.8.3 ⏵ 5.9.3100 +110090 +19990
Updatedreact-dom@​19.1.0 ⏵ 19.2.0100 +110092 +197100
Updated@​oddbird/​css-anchor-positioning@​0.6.1 ⏵ 0.7.098 +2100100 +193 +6100
Updatedreact-hook-form@​7.60.0 ⏵ 7.65.0100 +1100100 +194100
Updatedsass@​1.89.2 ⏵ 1.93.2100 +110010096100
Updatedzod@​4.1.5 ⏵ 4.1.12100 +1100100 +196100
Updated@​playwright/​test@​1.54.1 ⏵ 1.56.110010010099100

View full report

@fossabot
Copy link
Copy Markdown

fossabot bot commented Mar 24, 2026
edited
Loading

fossabot is Thinking

@fossabot
Copy link
Copy Markdown

fossabot bot commented Mar 24, 2026
edited
Loading

Needs Review

I recommend reviewing this upgrade before merging because it introduces active security vulnerabilities in the target React version that are not fixed until a later patch: specifically, a critical unauthenticated Remote Code Execution flaw (CVSS 10.0) and multiple high-severity Denial of Service vulnerabilities affecting React Server Components — which Next.js exposes internally — that all remain present in the target version and require a higher patch release for full remediation. In addition, the upgraded @​playwright/test version targets webkit and Mobile Safari in playwright.config.ts (lines 37–48) but lands on a version with a known WebKit test regression tracked upstream, which threatens the project's cross-browser visual regression suite. All other breaking changes detected across sass, @​oddbird/css-anchor-positioning, and the ESLint flat-config change were verified against the codebase and found to be non-impacting: the project uses only plain CSS (no .scss files), the polyfill usage in PopoverTarget.tsx relies on explicit CSS anchor-name properties rather than the removed HTML anchor attribute, and no local ESLint config is present. The @​hookform/resolvers Zod v4 resolver type fix in the target version correctly aligns the generic signature with the application's straightforward z.object() schemas.

Tip: Comment @​fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 4 fixable issues in this upgrade.

  • Upgrade react, react-dom, @​types/react, and @​types/react-dom to at least 19.2.4 to address CVE-2025-55182 (RCE, CVSS 10.0), CVE-2025-55184 (DoS), CVE-2026-23864 (DoS), CVE-2025-67779 (DoS), and CVE-2025-55183 (source exposure). In package.json, change: 'react' from '19.2.0' to '19.2.4', 'react-dom' from '19.2.0' to '19.2.4', '@​types/react' from '19.2.2' to the latest 19.x types, '@​types/react-dom' from '19.2.2' to the latest 19.x types. Then run 'npm install' or 'pnpm install' to update the lockfile.
    Run: cd . && sed -i 's/"react": "19.2.0"/"react": "19.2.4"/' package.json && sed -i 's/"react-dom": "19.2.0"/"react-dom": "19.2.4"/' package.json
    Files: package.json
  • Downgrade @​playwright/test from 1.56.1 to 1.55.1 to avoid the known WebKit test regression ([Bug]: WebKit crashes after page reload in 1.56 microsoft/playwright#37766). The project configures both 'Desktop Safari' (webkit) and 'Mobile Safari' (iPhone 12) in playwright.config.ts, which are directly affected. In package.json, change '@​playwright/test' from '1.56.1' to '1.55.1'. Then run 'npx playwright install' to update browser binaries.
    Run: cd . && sed -i 's/"@​playwright\/test": "1.56.1"/"@​playwright\/test": "1.55.1"/' package.json
    Files: package.json, playwright.config.ts
  • After upgrading react to 19.2.4, update visual regression screenshot baselines because React 19.2.x changes the useId prefix format from '«r»' to 'r'. Even though no direct useId calls exist in app code, React and Next.js internals emit IDs in the rendered DOM which may appear in screenshots. Run the Playwright screenshot update command to regenerate baselines: 'npx playwright test --update-snapshots'
    Run: cd . && npx playwright test --update-snapshots
    Files: tests/screenshots.test.ts
  • Review whether the project's Next.js version needs to be upgraded alongside React 19.2.4 to ensure compatibility. Check the Next.js changelog/releases for a version that officially supports React 19.2.4 and bundles patched react-server-dom-webpack. Run 'npm ls react-server-dom-webpack' or 'pnpm ls react-server-dom-webpack' to verify which version Next.js bundles internally, and confirm it is >= 19.2.4 (the patched version). If Next.js bundles an older react-server-dom-webpack, the CVEs remain exploitable regardless of the top-level react version.
    Files: package.json

AI Assistant Prompt

Copy prompt for AI assistant 
Help me fix dependency upgrade issues in this Next.js project (PR #18). The PR attempted to upgrade several dependencies but introduces critical security vulnerabilities and a test regression. Apply the following fixes in order:

## Context
This is a Next.js app using react-hook-form + zod for forms, @​playwright/test for visual regression testing (screenshots across all routes including WebKit/Safari), and @​oddbird/css-anchor-positioning as a polyfill in the popover UI.

---

## Fix 1 (CRITICAL — Security): Upgrade React to 19.2.4+

The PR targets react 19.2.0, which has **4 known CVEs** including a CVSS 10.0 Remote Code Execution (CVE-2025-55182). All are fixed in 19.2.4.

**File:** `package.json`

Change these dependency versions:
- `"react"`: from `"19.2.0"` → `"19.2.4"`
- `"react-dom"`: from `"19.2.0"` → `"19.2.4"`
- `"@​types/react"`: from `"19.2.2"` → latest `19.x` (e.g. `"19.2.4"` or newer)
- `"@​types/react-dom"`: from `"19.2.2"` → latest `19.x` (e.g. `"19.2.4"` or newer)

After editing, run:
```
npm install
```

---

## Fix 2 (Test Regression): Downgrade @​playwright/test to 1.55.1

The PR targets @​playwright/test 1.56.1, which has a known WebKit regression (microsoft/playwright#37766). This project configures both `Desktop Safari` (webkit) and `Mobile Safari` (iPhone 12) in `playwright.config.ts` (lines 37–48), and `tests/screenshots.test.ts` uses `toHaveScreenshot` across all routes — so this regression directly impacts the test suite.

**File:** `package.json`

Change:
- `"@​playwright/test"`: from `"1.56.1"` → `"1.55.1"`

After editing, run:
```
npx playwright install
```

---

## Fix 3 (Post-upgrade): Regenerate screenshot baselines

React 19.2.x changes the `useId` prefix format from `«r»` to `_r_`. Even without direct `useId` calls in app code, React/Next.js internals emit IDs in the rendered DOM that may appear in pixel-level screenshot comparisons.

**After Fixes 1 and 2 are applied**, run:
```
npx playwright test --update-snapshots
```

Then commit the updated snapshot files in the test screenshots directory.

---

## Important: Manual verification needed (do NOT auto-fix)

After applying the above fixes, I need to manually verify one thing:

**Next.js + react-server-dom-webpack compatibility:** The critical CVEs (especially CVE-2025-55182 RCE) affect `react-server-dom-webpack`, which Next.js bundles internally. Simply upgrading `react`/`react-dom` in `package.json` may not be sufficient. I will need to:
1. Run `npm ls react-server-dom-webpack` to check what version Next.js bundles
2. Verify it is >= 19.2.4 (the patched version)
3. If not, upgrade Next.js to a version that bundles patched `react-server-dom-webpack`

---

## Non-issues (verified safe, no action needed)
- **sass** breaking changes: Project uses only plain CSS (no `.scss` files) — not impacted
- **@​oddbird/css-anchor-positioning**: Project uses explicit CSS `anchor-name` in `components/PopoverTarget.tsx`, not the removed HTML `anchor` attribute — not impacted
- **ESLint flat-config change**: No local ESLint config present — not impacted
- **@​hookform/resolvers** Zod v4 type fix: Aligns correctly with the project's `z.object()` schemas in `app/signup/schema.ts` and `app/sensitive-info/schema.ts` — not impacted

---

Please apply Fixes 1 and 2 to `package.json` now, then run the install commands. Do not modify any other dependency versions.

What we checked

  • CVE-2025-55182 (CVSS 10.0): Unauthenticated Remote Code Execution in React Server Components. Affects react-server-dom-webpack at target version 19.2.0. Fixed in 19.2.1. Next.js 15 bundles react-server-dom-webpack internally, making this relevant even though it is not a direct dependency in package.json. [1]
  • CVE-2025-55184 (CVSS 7.5): Denial of Service via infinite loop in React Server Components triggered by specially crafted HTTP requests. Affects react-server-dom-* packages at versions through 19.2.3, including the target 19.2.0. Full fix requires 19.2.4. [2]
  • CVE-2026-23864 (CVSS 7.5): Further Denial of Service vulnerability in React Server Components, disclosed January 2026. Affects react-server-dom-* packages through 19.2.3, including the target 19.2.0. Full fix requires 19.2.4. [3]
  • CVE-2025-67779 (CVSS 7.5): Additional DoS case in React Server Components representing a missing scenario from prior patches. Affects react-server-dom-* packages through 19.2.3. Full fix requires 19.2.4. [4]
  • CVE-2025-55183 (CVSS 5.3): Server Function source code exposure in React Server Components. Affects react-server-dom-* packages through 19.2.3, including the target 19.2.0. Full fix requires 19.2.4. [5]
  • Target react version is 19.2.0. CVE-2025-55182 (RCE, CVSS 10.0) is fixed in 19.2.1, and the DoS CVEs (CVE-2025-55184, CVE-2025-67779, CVE-2026-23864) require 19.2.4 for full remediation. The project should target at minimum 19.2.4 to be clear of all known CVEs. [6]
  • Target react-dom version is 19.2.0, co-versioned with react. Same CVE exposure as the react package above applies here. [7]
  • Target @​playwright/test version is 1.56.1, which has a documented WebKit test regression tracked at [Bug]: WebKit crashes after page reload in 1.56 microsoft/playwright#37766. The Apache Zeppelin project issued a hotfix downgrading to 1.55.1 to resolve it. [8]
  • The webkit project (Desktop Safari) is explicitly configured. The known WebKit regression in @​playwright/test 1.56.1 directly threatens this test target. [9]
  • The Mobile Safari project (iPhone 12) is also configured with WebKit. Both Safari targets are at risk from the 1.56.1 WebKit regression. [10]
  • Upstream WebKit regression in @​playwright/test 1.56.1 causing multiple test cases to fail on WebKit. Community workaround is to downgrade to 1.55.1. [11]
  • Visual regression tests use toHaveScreenshot across all routes including WebKit. A useId prefix format change in the React upgrade (from «r» to _r_) combined with the WebKit regression creates compound risk for screenshot test stability. No direct useId call was found in app code, but React and Next.js internals may emit IDs in the rendered DOM. [12]
  • The @​oddbird/css-anchor-positioning polyfill is loaded via dynamic import from @​oddbird/css-anchor-positioning/fn. The 0.7.0 breaking change removes support for implicit anchors via the HTML anchor attribute. This component does NOT use that attribute; it calls polyfill(true) directly, so this breaking change is not impactful here. [13]
  • The .hamburger-menu class uses anchor-name: --navigation-popover-anchor (explicit CSS anchor), and lines 237–238 use anchor(--navigation-popover-anchor bottom/right) — explicit CSS anchor references. The @​oddbird/css-anchor-positioning 0.7.0 breaking change only removes the HTML anchor attribute implicit approach, which is not used here. [14]
  • sass is a devDependency at 1.93.2 (target). The Sass breaking changes (mixed declarations order, @​function type reservation) are irrelevant: no .scss or .sass files exist in the project — all stylesheets are plain .css files. [15]
  • zodResolver(formSchema) is used with a simple z.object() schema where input and output types are identical (no transforms). The @​hookform/resolvers 5.2.2 package source confirms the Zod v4 resolver type signature was corrected in this target version. The straightforward schema definition means the type fix does not introduce a new incompatibility here. [16]
  • zodResolver(formSchema) is used with z.string().email() — a pure string validation schema with identical input/output types. The corrected resolver typing in @​hookform/resolvers 5.2.2 is compatible with this usage. [17]
  • zodResolver(emptyFormSchema) is used with z.object({}) — an empty schema. Fully compatible with the resolver type fix in the target @​hookform/resolvers version. [18]

Dependency Usage

This Next.js application centers its core UI functionality around three interconnected form components — SuppportForm.tsx, RLForm.tsx, and EmailForm.tsx — which together constitute the primary user-facing data-capture layer, using react-hook-form, zod, and @​hookform/resolvers as a tightly integrated validation stack where Zod schemas (defined in app/signup/schema.ts and app/sensitive-info/schema.ts) enforce type-safe input rules at runtime. Beyond forms, the UI layer relies on react hooks and utility types to power navigation, popovers, and dashboard compositions, while @​fontsource-variable/figtree (imported globally via styles/styles.css) and @​fontsource/ibm-plex-mono establish the application's branded typographic identity, and @​oddbird/css-anchor-positioning is dynamically lazy-loaded as a polyfill inside components/PopoverTarget.tsx to ensure cross-browser support for modern CSS anchor positioning used in the popover UI. Quality assurance is handled end-to-end through @​playwright/test, configured in playwright.config.ts and exercised in tests/screenshots.test.ts, while sass underpins the project's stylesheet compilation pipeline — together reflecting a production-ready architecture that prioritizes type safety, accessible UI patterns, and automated visual regression testing.

  • The webkit project (Desktop Safari) is explicitly configured. The known WebKit regression in @​playwright/test 1.56.1 directly threatens this test target.
    playwright.config.ts:40
  • The Mobile Safari project (iPhone 12) is also configured with WebKit. Both Safari targets are at risk from the 1.56.1 WebKit regression.
    playwright.config.ts:47
View 6 more usages
  • Visual regression tests use toHaveScreenshot across all routes including WebKit. A useId prefix format change in the React upgrade (from «r» to _r_) combined with the WebKit regression creates compound risk for screenshot test stability. No direct useId call was found in app code, but React and Next.js internals may emit IDs in the rendered DOM.
    tests/screenshots.test.ts:17
  • The @​oddbird/css-anchor-positioning polyfill is loaded via dynamic import from @​oddbird/css-anchor-positioning/fn. The 0.7.0 breaking change removes support for implicit anchors via the HTML anchor attribute. This component does NOT use that attribute; it calls polyfill(true) directly, so this breaking change is not impactful here.
    components/PopoverTarget.tsx:16
  • The .hamburger-menu class uses anchor-name: --navigation-popover-anchor (explicit CSS anchor), and lines 237–238 use anchor(--navigation-popover-anchor bottom/right) — explicit CSS anchor references. The @​oddbird/css-anchor-positioning 0.7.0 breaking change only removes the HTML anchor attribute implicit approach, which is not used here.
    styles/styles.css:209
  • zodResolver(formSchema) is used with a simple z.object() schema where input and output types are identical (no transforms). The @​hookform/resolvers 5.2.2 package source confirms the Zod v4 resolver type signature was corrected in this target version. The straightforward schema definition means the type fix does not introduce a new incompatibility here.
    components/SuppportForm.tsx:15
  • zodResolver(formSchema) is used with z.string().email() — a pure string validation schema with identical input/output types. The corrected resolver typing in @​hookform/resolvers 5.2.2 is compatible with this usage.
    components/EmailForm.tsx:18
  • zodResolver(emptyFormSchema) is used with z.object({}) — an empty schema. Fully compatible with the resolver type fix in the target @​hookform/resolvers version.
    components/RLForm.tsx:15
Less Important Usages (20)

These usages were analyzed but no breaking changes were detected:

@​hookform/resolvers

  • components/SuppportForm.tsx:3
  • components/RLForm.tsx:3
  • components/EmailForm.tsx:3

react

  • components/RLForm.tsx:4
  • components/PopoverTarget.tsx:3
  • components/NavLink.tsx:5
  • components/icons/ArrowExternal.tsx:1
  • components/compositions/VisitDashboard.tsx:2
  • ...and 2 more

react-hook-form

  • components/SuppportForm.tsx:5
  • components/RLForm.tsx:5
  • components/EmailForm.tsx:5

zod

  • app/signup/schema.ts:1
  • app/sensitive-info/schema.ts:1
  • components/SuppportForm.tsx:6
  • components/RLForm.tsx:6
  • components/EmailForm.tsx:6

@​playwright/test

  • playwright.config.ts:1
  • tests/screenshots.test.ts:1

Changes

This update includes 1 security-relevant hardening change in react/react-dom — additional DoS mitigations were added to Server Actions and Server Components. There are also breaking changes requiring immediate attention: react and react-dom now require Node.js 18+; sass now emits CSS declarations in source order (interleaved with nested rules), reserves the function name type() for plain CSS, and changes meta.inspect() number precision; and @​playwright/test drops Chromium extension manifest v2 support.

  • Fixed Zod v4 resolver type signature - changed return type from Resolver<z4.input, Context, z4.output> to Resolver<z4.input, Context, z4.input>. The third generic parameter now correctly reflects the actual return type (validated input) instead of the Zod output type. This is a breaking change for code that explicitly types the resolver with the old signature. (v5.2.2, package source)
  • Breaking: Require Node.js 18 or newer. (@​michaelfaith in #32458) (v19.2.0, release notes)
  • Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@​michaelfaith in #32457) (v19.2.0, release notes)
View 1553 more changes
  • Updated bundled Figtree variable font from v8 to v9 (v5.2.9, package source)
  • Updated metadata last modification date from 2025-05-13 to 2025-09-11 (v5.2.9, package source)
  • Updated license attribution from 'Google Inc.' to 'Copyright 2022 The Figtree Project Authors' to accurately reflect the font's actual authors (v5.2.10, package source)
  • Updated OFL license URL from http://scripts.sil.org/OFL to https://openfontlicense.org in LICENSE file, README.md, and metadata.json (v5.2.10, package source)
  • Updated README.md licensing section with correct copyright attribution for Figtree font authors (v5.2.10, package source)
  • Updated metadata.json with corrected license attribution and URL (v5.2.10, package source)
  • Corrected license attribution metadata from 'Google Inc.' to 'Copyright 2017 IBM Corp. All rights reserved.' with full copyright details for all font variants (v5.2.7, package source)
  • Updated license URL from 'http://scripts.sil.org/OFL' to 'https://openfontlicense.org' for better accessibility and HTTPS security (v5.2.7, package source)
  • Updated IBM Plex Mono font files from version v19 to v20 - includes binary updates to all font variants (cyrillic, latin, vietnamese) in both woff and woff2 formats (v5.2.7, package source)
  • Updated package metadata lastModified date from '2025-05-30' to '2025-09-16' to reflect font source updates (v5.2.7, package source)
  • ajv: add ajv-formats for ajvResolver (#797) (f040039) (v5.1.1-5.2.0, release notes)
  • discriminated union for zod v4 mini (#784) (49a0d7b) (v5.2.0-5.2.1, release notes)
  • zod v4 peer deps (#798) (2d28e6a) (v5.2.0-5.2.1, release notes)
  • zod: fix output type for Zod 4 resolver (#801) (bc09647) (v5.2.0-5.2.1, release notes)
  • zod: fix output type for Zod 4 resolver (#803) (e95721d) (v5.2.1-5.2.2, release notes)
  • Add ajv-formats support to ajvResolver (v5.1.1-5.2.0, commit)
  • Fix discriminated union support for Zod v4 (v5.2.0-5.2.1, commit)
  • Fix output type for Zod v4 resolver (v5.2.0-5.2.1, commit)
  • Fix Zod v4 peer dependencies (v5.2.0-5.2.1, commit)
  • Fix output type for Zod 4 resolver (v5.2.1-5.2.2, commit)
  • Fixed potential runtime error in union error handling by adding length check - added condition 'error.errors.length > 0' to prevent accessing undefined array elements when handling invalid_union errors (v5.2.1, package source)
  • Corrected Zod v4 resolver return type from input to output - changed Resolver<z4.input, Context, z4.input> to Resolver<z4.input, Context, z4.output> for type accuracy (v5.2.1, package source)
  • Added AJV format validation support via ajv-formats integration. The AJV resolver now validates common formats like email, date, time, URI, etc. through the new addFormats() plugin (v5.2.0, package source)
  • Added support for Zod v4.0.0 alongside v3.x - the zod peerDependency now accepts ^3.25.0 || ^4.0.0 (v5.2.1, package source)
  • Added ajv-formats ^2.1.1 as a dependency in AJV resolver package (v5.2.0, package source)
  • Added @​biomejs/biome ^1.8.3 as a dev dependency for linting (v5.2.0, package source)
  • Updated lint script to use biome directly instead of bunx @​biomejs/biome (removed bunx wrapper) (v5.2.0, package source)
  • Added test fixtures for Zod v4 discriminatedUnion feature to support improved schema testing capabilities (v5.2.1, package source)
  • 🚀 Work with anchor and target inside same shadow root by @​wkillerud in https://redirect.github.com/oddbird/css-anchor-positioning/pull/353 (v0.6.1-0.7.0, release notes)
  • 🏠 INTERNAL: Upgrade dependencies (v0.6.1-0.7.0, release notes)
  • @​wkillerud made their first contribution in https://redirect.github.com/oddbird/css-anchor-positioning/pull/353 (v0.6.1-0.7.0, release notes)
  • Fixed polyfill to support querying anchors and targets across shadow DOM roots, enabling shadow root support as documented in Anchors and targets in shadow dom oddbird/css-anchor-positioning#191 (v0.7.0, package source)
  • Added new roots option to AnchorPositioningPolyfillOptions to support shadow DOM roots - allows configuring one or more shadow roots where the polyfill should apply (defaults to [document]) (v0.7.0, package source)
  • Exported new AnchorPositioningRoot type definition (Document | HTMLElement) for type-safe configuration of root elements (v0.7.0, package source)
  • Exported new querySelectorAllRoots() utility function for querying elements across multiple root elements (v0.7.0, package source)
  • Updated documentation to clarify that anchors and targets in separate shadow roots are now supported via the new roots option (v0.7.0, package source)
  • Updated production dependencies: @​floating-ui/dom (^1.7.1 → ^1.7.4), @​types/css-tree (^2.3.10 → ^2.3.11), nanoid (^5.1.5 → ^5.1.6) (v0.7.0, package source)
  • Updated development dependencies including @​eslint/js, @​vitest/*, typescript, vite, vitest, and other build tools to latest versions (v0.7.0, package source)
  • Minor code quality fix: corrected comment typo from 'Current' to 'Currently' (v0.7.0, package source)
  • Fixed Owner Stacks to work with ES2015 function.name semantics (#33680 by @​hoxyq) (v19.1.1, changelog)
  • Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277) (v19.1.1-19.1.2, changelog)
  • Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (v19.2.0, changelog)
  • Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (v19.2.0, changelog)
  • Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (v19.2.0, changelog)
  • Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (v19.2.0, changelog)
  • Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (v19.2.0, changelog)
  • Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (v19.2.0, changelog)
  • Fix a wrong missing key warning (@​unstubbable #34350) (v19.2.0, changelog)
  • Make console log resolve in predictable order (@​sebmarkbage #33665) (v19.2.0, changelog)
  • <Activity>: A new API to hide and restore the UI and internal state of its children. (v19.2.0, changelog)
  • Added resume APIs for partial pre-rendering with Web Streams: (v19.2.0, changelog)
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js (v19.2.0, changelog)
  • Add cacheSignal (@​sebmarkbage #33557) (v19.2.0, changelog)
  • Add Node Web Streams to server-side-rendering APIs for Node.js (@​sebmarkbage #33475) (v19.2.0, changelog)
  • Add support for .mjs file extension in Webpack (@​jennyscript #33028) (v19.2.0, changelog)
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event. (v19.2.0, changelog)
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over. (v19.2.0, changelog)
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools (v19.2.0, changelog)
  • resume: to resume a prerender to a stream. (v19.2.0, changelog)
  • resumeAndPrerender: to resume a prerender to HTML. (v19.2.0, changelog)
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs. (v19.2.0, changelog)
  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics. (v19.2.0, changelog)
  • Use underscore instead of : IDs generated by useId (v19.2.0, changelog)
  • <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others) (v19.2.0, changelog)
  • Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507) (v19.2.0, changelog)
  • Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198) (v19.2.0, changelog)
  • Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900) (v19.2.0, changelog)
  • Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145) (v19.2.0, changelog)
  • Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723) (v19.2.0, changelog)
  • Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342) (v19.2.0, changelog)
  • Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, https://redirect.github.com/facebook/react/pull/33342#33099, #33422) (v19.2.0, changelog)
  • Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264) (v19.2.0, changelog)
  • Allow nonce to be used on hoistable styles (@​Andarist #32461) (v19.2.0, changelog)
  • Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774) (v19.2.0, changelog)
  • s/HTML/text for for error messages if text hydration mismatches (@​rickhanlonii #32763) (v19.2.0, changelog)
  • Enable the progressiveChunkSize option for server-side-rendering APIs (@​sebmarkbage #33027) (v19.2.0, changelog)
  • Avoid hanging when suspending after aborting while rendering (@​gnoff #34192) (v19.2.0, changelog)
  • Preload <img> and <link> using hints before they're rendered (@​sebmarkbage #34604) (v19.2.0, changelog)
  • Log error if production elements are rendered during development (@​eps1lon #34189) (v19.2.0, changelog)
  • Pass line/column to filterStackFrame (@​eps1lon #33707) (v19.2.0, changelog)
  • Support Async Modules in Turbopack Server References (@​lubieowoce #34531) (v19.2.0, changelog)
  • createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs (v19.2.0, changelog)
  • Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #35289, #35345) (v19.1.2-19.1.3, release notes)
  • Add extra loop protection to React Server Functions (@​sebmarkbage #35351) (v19.1.3-19.1.4, release notes)
  • Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable) (v19.1.4-19.1.5, release notes)
  • New Violations: Disallow calling use within try/catch blocks. (@​poteto in #34040) (v19.2.0, release notes)
  • New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@​jbrown215 in #33544) (v19.2.0, release notes)
  • Handle React.useEffect in addition to useEffect in rules-of-hooks. (@​Ayc0 in #34076) (v19.2.0, release notes)
  • Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@​jbrown215) in #34497 (v19.2.0, release notes)
  • Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon #35290) (v19.1.2-19.1.3, release notes)
  • Only check if IO was previously removed if its removal failed in DevTools (v19.2.0, commit)
  • Add @​tanstack/react-virtual to known incompatible libraries in compiler (v19.2.0, commit)
  • Detect and handle known incompatible libraries in compiler (v19.2.0, commit)
  • Fix: rename bottom stack frame (v19.1.1, commit)
  • Bring ReactFlightClient fixes to FlightReplyServer (v19.1.1-19.1.2, commit)
  • Patch Promise cycles and toString on Server Functions (v19.1.2-19.1.3, commit)
  • Fix host instance highlighting in DevTools (v19.2.0, commit)

View 1456 more changes in the full analysis

References (18)

[1]: CVE-2025-55182 (CVSS 10.0): Unauthenticated Remote Code Execution in React Server Components. Affects react-server-dom-webpack at target version 19.2.0. Fixed in 19.2.1. Next.js 15 bundles react-server-dom-webpack internally, making this relevant even though it is not a direct dependency in package.json. (source link)

[2]: CVE-2025-55184 (CVSS 7.5): Denial of Service via infinite loop in React Server Components triggered by specially crafted HTTP requests. Affects react-server-dom-* packages at versions through 19.2.3, including the target 19.2.0. Full fix requires 19.2.4. (source link)

[3]: CVE-2026-23864 (CVSS 7.5): Further Denial of Service vulnerability in React Server Components, disclosed January 2026. Affects react-server-dom-* packages through 19.2.3, including the target 19.2.0. Full fix requires 19.2.4. (source link)

[4]: CVE-2025-67779 (CVSS 7.5): Additional DoS case in React Server Components representing a missing scenario from prior patches. Affects react-server-dom-* packages through 19.2.3. Full fix requires 19.2.4. (source link)

[5]: CVE-2025-55183 (CVSS 5.3): Server Function source code exposure in React Server Components. Affects react-server-dom-* packages through 19.2.3, including the target 19.2.0. Full fix requires 19.2.4. (source link)

[6]: Target react version is 19.2.0. CVE-2025-55182 (RCE, CVSS 10.0) is fixed in 19.2.1, and the DoS CVEs (CVE-2025-55184, CVE-2025-67779, CVE-2026-23864) require 19.2.4 for full remediation. The project should target at minimum 19.2.4 to be clear of all known CVEs.

example-nextjsu/package.json

Line 42 in 6625125

"react": "19.2.0",

[7]: Target react-dom version is 19.2.0, co-versioned with react. Same CVE exposure as the react package above applies here.

example-nextjsu/package.json

Line 43 in 6625125

"react-dom": "19.2.0",

[8]: Target @​playwright/test version is 1.56.1, which has a documented WebKit test regression tracked at microsoft/playwright#37766. The Apache Zeppelin project issued a hotfix downgrading to 1.55.1 to resolve it.

example-nextjsu/package.json

Line 48 in 6625125

"@playwright/test": "1.56.1",

[9]: The webkit project (Desktop Safari) is explicitly configured. The known WebKit regression in @​playwright/test 1.56.1 directly threatens this test target.

example-nextjsu/playwright.config.ts

Line 40 in 6625125

name: "webkit",

[10]: The Mobile Safari project (iPhone 12) is also configured with WebKit. Both Safari targets are at risk from the 1.56.1 WebKit regression.

example-nextjsu/playwright.config.ts

Line 47 in 6625125

use: { ...devices["Pixel 5"] },

[11]: Upstream WebKit regression in @​playwright/test 1.56.1 causing multiple test cases to fail on WebKit. Community workaround is to downgrade to 1.55.1. (source link)

[12]: Visual regression tests use toHaveScreenshot across all routes including WebKit. A useId prefix format change in the React upgrade (from «r» to _r_) combined with the WebKit regression creates compound risk for screenshot test stability. No direct useId call was found in app code, but React and Next.js internals may emit IDs in the rendered DOM.

example-nextjsu/tests/screenshots.test.ts

Line 17 in 6625125

await expect(page).toHaveScreenshot({

[13]: The @​oddbird/css-anchor-positioning polyfill is loaded via dynamic import from @​oddbird/css-anchor-positioning/fn. The 0.7.0 breaking change removes support for implicit anchors via the HTML anchor attribute. This component does NOT use that attribute; it calls polyfill(true) directly, so this breaking change is not impactful here.

example-nextjsu/components/PopoverTarget.tsx

Line 16 in 6625125

const { default: polyfill } = await import(

[14]: The .hamburger-menu class uses anchor-name: --navigation-popover-anchor (explicit CSS anchor), and lines 237–238 use anchor(--navigation-popover-anchor bottom/right) — explicit CSS anchor references. The @​oddbird/css-anchor-positioning 0.7.0 breaking change only removes the HTML anchor attribute implicit approach, which is not used here.

example-nextjsu/styles/styles.css

Line 209 in 6625125

anchor-name: --navigation-popover-anchor;

[15]: sass is a devDependency at 1.93.2 (target). The Sass breaking changes (mixed declarations order, @​function type reservation) are irrelevant: no .scss or .sass files exist in the project — all stylesheets are plain .css files.

example-nextjsu/package.json

Line 52 in 6625125

"sass": "1.93.2",

[16]: zodResolver(formSchema) is used with a simple z.object() schema where input and output types are identical (no transforms). The @​hookform/resolvers 5.2.2 package source confirms the Zod v4 resolver type signature was corrected in this target version. The straightforward schema definition means the type fix does not introduce a new incompatibility here.

example-nextjsu/components/SuppportForm.tsx

Line 15 in 6625125

resolver: zodResolver(formSchema),

[17]: zodResolver(formSchema) is used with z.string().email() — a pure string validation schema with identical input/output types. The corrected resolver typing in @​hookform/resolvers 5.2.2 is compatible with this usage.

example-nextjsu/components/EmailForm.tsx

Line 18 in 6625125

resolver: zodResolver(formSchema),

[18]: zodResolver(emptyFormSchema) is used with z.object({}) — an empty schema. Fully compatible with the resolver type fix in the target @​hookform/resolvers version.

example-nextjsu/components/RLForm.tsx

Line 15 in 6625125

resolver: zodResolver(emptyFormSchema),

fossabot analyzed this PR using static analysis and dependency research. View this analysis on the web

@fossabot
Copy link
Copy Markdown

fossabot bot commented Mar 25, 2026

fossabot Analysis Paused

App impact analysis skipped — out of credits

Breaking change detection completed but more credits are needed to enable usage detection, impact analysis, fix suggestions, and get your final upgrade determination.

@fontsource-variable/figtree 5.2.85.2.10

View more changes for @fontsource-variable/figtree
  • Updated bundled Figtree variable font from v8 to v9 (v5.2.9, package source)
  • Updated metadata last modification date from 2025-05-13 to 2025-09-11 (v5.2.9, package source)
  • Updated license attribution from 'Google Inc.' to 'Copyright 2022 The Figtree Project Authors' to accurately reflect the font's actual authors (v5.2.10, package source)
  • Updated OFL license URL from http://scripts.sil.org/OFL to https://openfontlicense.org in LICENSE file, README.md, and metadata.json (v5.2.10, package source)
  • Updated README.md licensing section with correct copyright attribution for Figtree font authors (v5.2.10, package source)
  • Updated metadata.json with corrected license attribution and URL (v5.2.10, package source)

@fontsource/ibm-plex-mono 5.2.65.2.7

View more changes for @fontsource/ibm-plex-mono
  • Corrected license attribution metadata from 'Google Inc.' to 'Copyright 2017 IBM Corp. All rights reserved.' with full copyright details for all font variants (v5.2.7, package source)
  • Updated license URL from 'http://scripts.sil.org/OFL' to 'https://openfontlicense.org' for better accessibility and HTTPS security (v5.2.7, package source)
  • Updated IBM Plex Mono font files from version v19 to v20 - includes binary updates to all font variants (cyrillic, latin, vietnamese) in both woff and woff2 formats (v5.2.7, package source)
  • Updated package metadata lastModified date from '2025-05-30' to '2025-09-16' to reflect font source updates (v5.2.7, package source)

@hookform/resolvers 5.1.15.2.2

We found 1 breaking change.

  • Fixed Zod v4 resolver type signature - changed return type from Resolver<z4.input, Context, z4.output> to Resolver<z4.input, Context, z4.input>. The third generic parameter now correctly reflects the actual return type (validated input) instead of the Zod output type.... (v5.2.2, package source)
View more changes for @hookform/resolvers
  • ajv: add ajv-formats for ajvResolver (#797) (f040039) (v5.1.1-5.2.0, release notes)
  • discriminated union for zod v4 mini (#784) (49a0d7b) (v5.2.0-5.2.1, release notes)
  • zod v4 peer deps (#798) (2d28e6a) (v5.2.0-5.2.1, release notes)
  • zod: fix output type for Zod 4 resolver (#801) (bc09647) (v5.2.0-5.2.1, release notes)
  • zod: fix output type for Zod 4 resolver (#803) (e95721d) (v5.2.1-5.2.2, release notes)
  • Add ajv-formats support to ajvResolver (v5.1.1-5.2.0, commit)
  • Fix discriminated union support for Zod v4 (v5.2.0-5.2.1, commit)
  • Fix output type for Zod v4 resolver (v5.2.0-5.2.1, commit)
  • Fix Zod v4 peer dependencies (v5.2.0-5.2.1, commit)
  • Fix output type for Zod 4 resolver (v5.2.1-5.2.2, commit)

...and 8 more in the full analysis

@oddbird/css-anchor-positioning 0.6.10.7.0

View more changes for @oddbird/css-anchor-positioning
  • 🚀 Work with anchor and target inside same shadow root by @​wkillerud in https://redirect.github.com/oddbird/css-anchor-positioning/pull/353 (v0.6.1-0.7.0, release notes)
  • 🏠 INTERNAL: Upgrade dependencies (v0.6.1-0.7.0, release notes)
  • @​wkillerud made their first contribution in https://redirect.github.com/oddbird/css-anchor-positioning/pull/353 (v0.6.1-0.7.0, release notes)
  • Fixed polyfill to support querying anchors and targets across shadow DOM roots, enabling shadow root support as documented in Anchors and targets in shadow dom oddbird/css-anchor-positioning#191 (v0.7.0, package source)
  • Added new roots option to AnchorPositioningPolyfillOptions to support shadow DOM roots - allows configuring one or more shadow roots where the polyfill should apply (defaults to [document]) (v0.7.0, package source)
  • Exported new AnchorPositioningRoot type definition (Document | HTMLElement) for type-safe configuration of root elements (v0.7.0, package source)
  • Exported new querySelectorAllRoots() utility function for querying elements across multiple root elements (v0.7.0, package source)
  • Updated documentation to clarify that anchors and targets in separate shadow roots are now supported via the new roots option (v0.7.0, package source)
  • Updated production dependencies: @​floating-ui/dom (^1.7.1 → ^1.7.4), @​types/css-tree (^2.3.10 → ^2.3.11), nanoid (^5.1.5 → ^5.1.6) (v0.7.0, package source)
  • Updated development dependencies including @​eslint/js, @​vitest/*, typescript, vite, vitest, and other build tools to latest versions (v0.7.0, package source)

...and 1 more in the full analysis

react 19.1.019.2.0

We found 5 breaking changes and 1 deprecation.

View more changes for react
  • Fixed Owner Stacks to work with ES2015 function.name semantics (#33680 by @​hoxyq) (v19.1.1, changelog)
  • Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277) (v19.1.1-19.1.2, changelog)
  • Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (v19.2.0, changelog)
  • Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (v19.2.0, changelog)
  • Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (v19.2.0, changelog)
  • Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (v19.2.0, changelog)
  • Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (v19.2.0, changelog)
  • Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (v19.2.0, changelog)
  • Fix a wrong missing key warning (@​unstubbable #34350) (v19.2.0, changelog)
  • Make console log resolve in predictable order (@​sebmarkbage #33665) (v19.2.0, changelog)

...and 308 more in the full analysis

@types/react 19.1.819.2.2

We found 8 breaking changes.

  • Removed unstable_Activity component from experimental.d.ts - previously available as unstable API (v19.1.13, package source)
  • Removed experimental_useEffectEvent from experimental module - this API has been moved to the canary module as useEffectEvent (v19.1.14, package source)
  • Removed ts5.0/v18 directory containing React v18 backward compatibility type definitions - projects relying on these legacy type paths will need to update their type imports or use @​types/react@​18 (v19.1.15, package source)
View more changes for @types/react
  • Improved type safety for SVG dominantBaseline attribute by replacing generic number | string with specific string literals: 'auto', 'use-script', 'no-change', 'reset-size', 'ideographic', 'alphabetic', 'hanging', 'mathematical', 'central', 'middle', 'text-after-edge', 'text-before-edge', 'inherit' (v19.1.11, package source)
  • Improved type safety for SVG textAnchor attribute by replacing generic string with specific string literals: 'start', 'middle', 'end', 'inherit' (v19.1.11, package source)
  • Added CacheSignal interface for React's experimental caching API (v19.1.9, package source)
  • Added cacheSignal() function that returns null or CacheSignal for cache invalidation control (v19.1.9, package source)
  • Added optional 'name' property to Activity boundary component for instrumentation purposes. The name helps identify the boundary in React DevTools. (v19.1.10, package source)
  • Added fetchPriority attribute to script elements with values 'high', 'low', or 'auto' for resource loading prioritization (v19.1.11, package source)
  • Added stable Activity component to canary.d.ts with ActivityProps interface for managing component visibility boundaries (v19.1.13, package source)
  • Activity component supports 'mode' prop with 'hidden' or 'visible' values (defaults to 'visible') for controlling visibility state (v19.1.13, package source)
  • Activity component supports optional 'name' prop for instrumentation and React DevTools identification (v19.1.13, package source)
  • Added useEffectEvent hook to canary module with signature useEffectEvent(callback: T): T for creating stable event callbacks that don't trigger effect re-runs (v19.1.14, package source)

...and 28 more in the full analysis

react-dom 19.1.019.2.0

We found 5 breaking changes and 1 deprecation.

  • Breaking: Require Node.js 18 or newer. (@​michaelfaith in #32458) (v19.1.5-19.2.0, release notes)
  • Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@​michaelfaith in #32457) (v19.1.5-19.2.0, release notes)
  • Only check if previously removed IO if its removal failed in DevTools (v19.1.5-19.2.0, commit)
View more changes for react-dom
  • Fixed Owner Stacks to work with ES2015 function.name semantics (#33680 by @​hoxyq) (v19.1.0-19.1.1, changelog)
  • Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277) (v19.1.1-19.1.2, changelog)
  • Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (v19.1.5-19.2.0, changelog)
  • Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (v19.1.5-19.2.0, changelog)
  • Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (v19.1.5-19.2.0, changelog)
  • Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (v19.1.5-19.2.0, changelog)
  • Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (v19.1.5-19.2.0, changelog)
  • Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (v19.1.5-19.2.0, changelog)
  • Fix a wrong missing key warning (@​unstubbable #34350) (v19.1.5-19.2.0, changelog)
  • Make console log resolve in predictable order (@​sebmarkbage #33665) (v19.1.5-19.2.0, changelog)

...and 325 more in the full analysis

@types/react-dom 19.1.619.2.2

We found 4 breaking changes.

  • Updated peer dependency requirement from @​types/react ^19.0.0 to ^19.2.0 (v19.2.0, package source)
  • Removed ViewTransitionPseudoElement and ViewTransitionInstance interfaces from experimental.d.ts module declaration - these have been moved to canary.d.ts (v19.2.1, package source)
  • Removed FragmentInstance interface from experimental.d.ts module declaration - this has been moved to canary.d.ts (v19.2.1, package source)
View more changes for @types/react-dom
  • Renamed ImportMap type to ReactImportMap in PrerenderOptions.importMap property (v19.2.0, package source)
  • Added CacheSignal interface extending AbortSignal in React module declarations for improved cache control typing (v19.1.7, package source)
  • Added formState optional parameter to renderToPipeableStream options - allows passing ReactFormState for server-side form handling (v19.1.8, package source)
  • Added formState optional parameter to renderToReadableStream options - enables form state management in streaming SSR (v19.1.8, package source)
  • Imported ReactFormState type from client module in server.d.ts - provides type definitions for form state management (v19.1.8, package source)
  • Added experimental_scrollIntoView(alignToTop?: boolean) method to RefAttributes interface for experimental React DOM features (v19.1.9, package source)
  • Added PostponedState interface in react-dom/static module - an opaque, JSON-serializable type for storing postponed rendering state (v19.1.10, package source)
  • Added ResumeOptions interface with nonce, signal, and onError properties for configuring resume operations (v19.1.10, package source)
  • Added PrerenderResult interface with postponed property to return prerender results (v19.1.10, package source)
  • Added resumeAndPrerender() function in react-dom/static for resuming and prerendering React nodes with postponed state (v19.1.10, package source)

...and 41 more in the full analysis

react-hook-form 7.60.07.65.0

We found 1 breaking change.

  • Chore: major dev dependencies upgrade (v7.62.0-7.63.0, commit)
View more changes for react-hook-form
  • Fix watch return type based on defaultValue (v7.60.0-7.61.0, release notes)
  • Fix subscribe with latest defaultValues (v7.60.0-7.61.0, release notes)
  • Remove React wildcard import to resolve ESM build issues (v7.60.0-7.61.0, release notes)
  • Reverted fix for watch return type based on defaultValue (PR #12896) (v7.61.0-7.61.1, release notes)
  • Fix sync of two defaultValues after reset with new defaultValues (#12990) (v7.61.1-7.62.0, release notes)
  • Fix: do not override prototype of data in cloneObject (#12985) (v7.61.1-7.62.0, release notes)
  • Fix field name type conflict in nested FieldErrors (#12972) (v7.61.1-7.62.0, release notes)
  • Fix: preserve Controller's defaultValue with shouldUnregister prop (#13063) (v7.63.0-7.64.0, release notes)
  • fix: respect parent-provided useFieldArray rules (#13082, #13083) (v7.64.0-7.65.0, release notes)
  • fix: getDirtyFields submit fields with null values when using useForm (#13079) (v7.64.0-7.65.0, release notes)

...and 101 more in the full analysis

zod 4.1.54.1.12

We found 1 breaking change, 1 security fix, and 2 deprecations.

  • Changed default() method signature to require non-undefined values - now accepts util.NoUndefined<core.output> instead of core.output for the non-function overload (v4.1.6, package source)
  • Fixed potential prototype pollution vulnerability in ZodError.flatten() by using Object.create(null) instead of {} for fieldErrors object initialization (v4.1.12, package source)
View more changes for zod
  • 0cca351c8b152d7c4113ab7c2a44675efb060677 Fix variable name inconsistency in coercion documentation (#5188) (v4.1.6-4.1.7, release notes)
  • 937f73c90cac90bd3b99b12c792c289b50416510 Fix tsconfig issue in bench (v4.1.6-4.1.7, release notes)
  • 4309c61304daf40aab2124b5f513abe2b4df8637 Fix cidrv6 validation - cidrv6 should reject invalid strings with multiple slashes (#5196) (v4.1.6-4.1.7, release notes)
  • c27a294f5b792f47b8e9dbb293a8ff8cfb287a3a Fix two tiny grammatical errors in the docs. (#5193) (v4.1.6-4.1.7, release notes)
  • 23a2d6692398e3dd1ad1cdb0491b271a9f989380 docs: fix broken links in async refinements and transforms references (#5190) (v4.1.6-4.1.7, release notes)
  • 845a230bb06bff679b5f00e10153f4dbbd50d2b6 fix(locales): Add type name translations to Spanish locale (#5187) (v4.1.6-4.1.7, release notes)
  • a8a52b3ba370b761be76953fa3986aa43c4172a4 fix(v4): fix Khmer and Ukrainian locales (#5177) (v4.1.6-4.1.7, release notes)
  • e1f19482bbed3fbaa563a0d8e09f1a577cc58ac7 fix(v4): ensure array defaults are shallow-cloned (#5173) (v4.1.6-4.1.7, release notes)
  • 9f650385644ae319f806a965b83f79ebd252e497 docs(ecosystem): add DRZL; fix Prisma Zod Generator placement (#5215) (v4.1.6-4.1.7, release notes)
  • aa6f0f02c2a92a266ff1495a8d2541ae46012fcb More fixes (#5223) (v4.1.6-4.1.7, release notes)

...and 75 more in the full analysis

@playwright/test 1.54.11.56.1

We found 6 breaking changes and 2 deprecations.

  • ⚠️ Dropped support for Chromium extension manifest v2. (v1.54.2-1.55.0, release notes)
  • Undo non-breaking spaces in markdown report (v1.54.2-1.55.0, commit)
  • Removed custom dark mode scrollbar theming from UI (v1.55.1-1.56.0, commit)
View more changes for @playwright/test
  • Fixed regression: Codegen unable to launch in Administrator Terminal on Windows (ProtocolError) (v1.54.1-1.54.2, release notes)
  • Fixed regression: Starting Codegen with target language not working (v1.54.1-1.54.2, release notes)
  • Fix regression: "step id not found" internal error (v1.55.0-1.55.1, release notes)
  • Fix regression: HTML reporter displays broken chip link when there are no projects (v1.55.0-1.55.1, release notes)
  • Revert "fix(a11y): track inert elements as hidden" (v1.55.0-1.55.1, release notes)
  • Event browserContext.on('backgroundpage') has been deprecated and will not be emitted. Method [browserContext.backgroundPages()](https://playwright.... (v1.55.1-1.56.0, release notes)
  • New Property testStepInfo.titlePath Returns the full title path starting from the test file, including test and step titles. (v1.54.2-1.55.0, release notes)
  • Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI. (v1.54.2-1.55.0, release notes)
  • Added support for Debian 13 "Trixie". (v1.54.2-1.55.0, release notes)
  • New methods page.consoleMessages() and page.pageErrors() for retrieving the most recent console messages from the page (v1.55.1-1.56.0, release notes)

...and 468 more in the full analysis

sass 1.89.21.93.2

We found 3 breaking changes and 6 deprecations.

  • Breaking change: Emit declarations, childless at-rules, and comments in the order they appear in the source even when they're interleaved with nested rules. This obsoletes the mixed-decls deprecation. (v1.91.0-1.92.0, release notes)
  • Breaking change: The function name type() is now fully reserved for the plain CSS function. This means that @​function definitions with the name type will produce errors, while function calls will be parsed as special function strings. (v1.91.0-1.92.0, release notes)
  • Potentially breaking change: meta.inspect() (as well as other systems that use it such as @​debug and certain error messages) now emits numbers with as high precision as is available instead of rounding to the nearest 1e⁻¹⁰ as we do when serializing to CSS.... (v1.90.0-1.91.0, changelog)
View more changes for sass
  • Fix a performance regression that was introduced in 1.92.0. (v1.91.0-1.92.0, changelog)
  • Fix a bug where variable definitions from one imported, forwarded module would not be passed as implicit configuration to a later imported, forwarded module. (v1.92.0-1.92.1, changelog)
  • Fix a crash when a style rule contains a nested @​import, and the loaded file @​uses a user-defined module as well as @​includes a top-level mixin which emits top-level declarations. (v1.92.1-1.93.0, changelog)
  • Fix an error in the release process for @​sass/types. (v1.93.0-1.93.1, changelog)
  • Fix another error in the release process for @​sass/types. (v1.93.1-1.93.2, changelog)
  • Passing a rest argument ($arg...) before a positional or named argument when calling a function or mixin is now deprecated. This was always outside the specified syntax, but it was historically treated the same as passing the rest argument at the end of the argument list whether or not that... (v1.90.0-1.91.0, changelog)
  • Release a @​sass/types package which contains the type annotations used by both the sass and sass-embedded package without any additional code or dependencies. (v1.92.1-1.93.0, changelog)
  • Allow a @​forwarded module to be loaded with a configuration when that module has already been loaded with a different configuration and the module doesn't define any variables that would have been configured anyway. (v1.89.2-1.90.0, changelog)
  • No user-visible changes. (v1.93.0-1.93.1, changelog)
  • No user-visible changes. (v1.93.1-1.93.2, changelog)

...and 56 more in the full analysis

You have no credits left. Reach out to autoupdates@fossa.com and we'll top you up.

Credits are consumed when dependency updates are reviewed or proposed.

Re-run with @fossabot analyze.

Mute out-of-credit notifications until next month (expires 2026-04-01T00:00:00.000Z)

1 similar comment
@fossabot
Copy link
Copy Markdown

fossabot bot commented Mar 26, 2026

fossabot Analysis Paused

App impact analysis skipped — out of credits

Breaking change detection completed but more credits are needed to enable usage detection, impact analysis, fix suggestions, and get your final upgrade determination.

@fontsource-variable/figtree 5.2.85.2.10

View more changes for @fontsource-variable/figtree
  • Updated bundled Figtree variable font from v8 to v9 (v5.2.9, package source)
  • Updated metadata last modification date from 2025-05-13 to 2025-09-11 (v5.2.9, package source)
  • Updated license attribution from 'Google Inc.' to 'Copyright 2022 The Figtree Project Authors' to accurately reflect the font's actual authors (v5.2.10, package source)
  • Updated OFL license URL from http://scripts.sil.org/OFL to https://openfontlicense.org in LICENSE file, README.md, and metadata.json (v5.2.10, package source)
  • Updated README.md licensing section with correct copyright attribution for Figtree font authors (v5.2.10, package source)
  • Updated metadata.json with corrected license attribution and URL (v5.2.10, package source)

@fontsource/ibm-plex-mono 5.2.65.2.7

View more changes for @fontsource/ibm-plex-mono
  • Corrected license attribution metadata from 'Google Inc.' to 'Copyright 2017 IBM Corp. All rights reserved.' with full copyright details for all font variants (v5.2.7, package source)
  • Updated license URL from 'http://scripts.sil.org/OFL' to 'https://openfontlicense.org' for better accessibility and HTTPS security (v5.2.7, package source)
  • Updated IBM Plex Mono font files from version v19 to v20 - includes binary updates to all font variants (cyrillic, latin, vietnamese) in both woff and woff2 formats (v5.2.7, package source)
  • Updated package metadata lastModified date from '2025-05-30' to '2025-09-16' to reflect font source updates (v5.2.7, package source)

@hookform/resolvers 5.1.15.2.2

We found 1 breaking change.

  • Fixed Zod v4 resolver type signature - changed return type from Resolver<z4.input, Context, z4.output> to Resolver<z4.input, Context, z4.input>. The third generic parameter now correctly reflects the actual return type (validated input) instead of the Zod output type.... (v5.2.2, package source)
View more changes for @hookform/resolvers
  • ajv: add ajv-formats for ajvResolver (#797) (f040039) (v5.1.1-5.2.0, release notes)
  • discriminated union for zod v4 mini (#784) (49a0d7b) (v5.2.0-5.2.1, release notes)
  • zod v4 peer deps (#798) (2d28e6a) (v5.2.0-5.2.1, release notes)
  • zod: fix output type for Zod 4 resolver (#801) (bc09647) (v5.2.0-5.2.1, release notes)
  • zod: fix output type for Zod 4 resolver (#803) (e95721d) (v5.2.1-5.2.2, release notes)
  • Add ajv-formats support to ajvResolver (v5.1.1-5.2.0, commit)
  • Fix discriminated union support for Zod v4 (v5.2.0-5.2.1, commit)
  • Fix output type for Zod v4 resolver (v5.2.0-5.2.1, commit)
  • Fix Zod v4 peer dependencies (v5.2.0-5.2.1, commit)
  • Fix output type for Zod 4 resolver (v5.2.1-5.2.2, commit)

...and 8 more in the full analysis

@oddbird/css-anchor-positioning 0.6.10.7.0

View more changes for @oddbird/css-anchor-positioning
  • 🚀 Work with anchor and target inside same shadow root by @​wkillerud in https://redirect.github.com/oddbird/css-anchor-positioning/pull/353 (v0.6.1-0.7.0, release notes)
  • 🏠 INTERNAL: Upgrade dependencies (v0.6.1-0.7.0, release notes)
  • @​wkillerud made their first contribution in https://redirect.github.com/oddbird/css-anchor-positioning/pull/353 (v0.6.1-0.7.0, release notes)
  • Fixed polyfill to support querying anchors and targets across shadow DOM roots, enabling shadow root support as documented in Anchors and targets in shadow dom oddbird/css-anchor-positioning#191 (v0.7.0, package source)
  • Added new roots option to AnchorPositioningPolyfillOptions to support shadow DOM roots - allows configuring one or more shadow roots where the polyfill should apply (defaults to [document]) (v0.7.0, package source)
  • Exported new AnchorPositioningRoot type definition (Document | HTMLElement) for type-safe configuration of root elements (v0.7.0, package source)
  • Exported new querySelectorAllRoots() utility function for querying elements across multiple root elements (v0.7.0, package source)
  • Updated documentation to clarify that anchors and targets in separate shadow roots are now supported via the new roots option (v0.7.0, package source)
  • Updated production dependencies: @​floating-ui/dom (^1.7.1 → ^1.7.4), @​types/css-tree (^2.3.10 → ^2.3.11), nanoid (^5.1.5 → ^5.1.6) (v0.7.0, package source)
  • Updated development dependencies including @​eslint/js, @​vitest/*, typescript, vite, vitest, and other build tools to latest versions (v0.7.0, package source)

...and 1 more in the full analysis

react 19.1.019.2.0

We found 5 breaking changes and 1 deprecation.

View more changes for react
  • Fixed Owner Stacks to work with ES2015 function.name semantics (#33680 by @​hoxyq) (v19.1.1, changelog)
  • Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277) (v19.1.1-19.1.2, changelog)
  • Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (v19.2.0, changelog)
  • Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (v19.2.0, changelog)
  • Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (v19.2.0, changelog)
  • Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (v19.2.0, changelog)
  • Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (v19.2.0, changelog)
  • Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (v19.2.0, changelog)
  • Fix a wrong missing key warning (@​unstubbable #34350) (v19.2.0, changelog)
  • Make console log resolve in predictable order (@​sebmarkbage #33665) (v19.2.0, changelog)

...and 308 more in the full analysis

@types/react 19.1.819.2.2

We found 8 breaking changes.

  • Removed unstable_Activity component from experimental.d.ts - previously available as unstable API (v19.1.13, package source)
  • Removed experimental_useEffectEvent from experimental module - this API has been moved to the canary module as useEffectEvent (v19.1.14, package source)
  • Removed ts5.0/v18 directory containing React v18 backward compatibility type definitions - projects relying on these legacy type paths will need to update their type imports or use @​types/react@​18 (v19.1.15, package source)
View more changes for @types/react
  • Improved type safety for SVG dominantBaseline attribute by replacing generic number | string with specific string literals: 'auto', 'use-script', 'no-change', 'reset-size', 'ideographic', 'alphabetic', 'hanging', 'mathematical', 'central', 'middle', 'text-after-edge', 'text-before-edge', 'inherit' (v19.1.11, package source)
  • Improved type safety for SVG textAnchor attribute by replacing generic string with specific string literals: 'start', 'middle', 'end', 'inherit' (v19.1.11, package source)
  • Added CacheSignal interface for React's experimental caching API (v19.1.9, package source)
  • Added cacheSignal() function that returns null or CacheSignal for cache invalidation control (v19.1.9, package source)
  • Added optional 'name' property to Activity boundary component for instrumentation purposes. The name helps identify the boundary in React DevTools. (v19.1.10, package source)
  • Added fetchPriority attribute to script elements with values 'high', 'low', or 'auto' for resource loading prioritization (v19.1.11, package source)
  • Added stable Activity component to canary.d.ts with ActivityProps interface for managing component visibility boundaries (v19.1.13, package source)
  • Activity component supports 'mode' prop with 'hidden' or 'visible' values (defaults to 'visible') for controlling visibility state (v19.1.13, package source)
  • Activity component supports optional 'name' prop for instrumentation and React DevTools identification (v19.1.13, package source)
  • Added useEffectEvent hook to canary module with signature useEffectEvent(callback: T): T for creating stable event callbacks that don't trigger effect re-runs (v19.1.14, package source)

...and 28 more in the full analysis

react-dom 19.1.019.2.0

We found 5 breaking changes and 1 deprecation.

  • Breaking: Require Node.js 18 or newer. (@​michaelfaith in #32458) (v19.1.5-19.2.0, release notes)
  • Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@​michaelfaith in #32457) (v19.1.5-19.2.0, release notes)
  • Only check if previously removed IO if its removal failed in DevTools (v19.1.5-19.2.0, commit)
View more changes for react-dom
  • Fixed Owner Stacks to work with ES2015 function.name semantics (#33680 by @​hoxyq) (v19.1.0-19.1.1, changelog)
  • Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277) (v19.1.1-19.1.2, changelog)
  • Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (v19.1.5-19.2.0, changelog)
  • Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (v19.1.5-19.2.0, changelog)
  • Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (v19.1.5-19.2.0, changelog)
  • Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (v19.1.5-19.2.0, changelog)
  • Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (v19.1.5-19.2.0, changelog)
  • Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (v19.1.5-19.2.0, changelog)
  • Fix a wrong missing key warning (@​unstubbable #34350) (v19.1.5-19.2.0, changelog)
  • Make console log resolve in predictable order (@​sebmarkbage #33665) (v19.1.5-19.2.0, changelog)

...and 325 more in the full analysis

@types/react-dom 19.1.619.2.2

We found 4 breaking changes.

  • Updated peer dependency requirement from @​types/react ^19.0.0 to ^19.2.0 (v19.2.0, package source)
  • Removed ViewTransitionPseudoElement and ViewTransitionInstance interfaces from experimental.d.ts module declaration - these have been moved to canary.d.ts (v19.2.1, package source)
  • Removed FragmentInstance interface from experimental.d.ts module declaration - this has been moved to canary.d.ts (v19.2.1, package source)
View more changes for @types/react-dom
  • Renamed ImportMap type to ReactImportMap in PrerenderOptions.importMap property (v19.2.0, package source)
  • Added CacheSignal interface extending AbortSignal in React module declarations for improved cache control typing (v19.1.7, package source)
  • Added formState optional parameter to renderToPipeableStream options - allows passing ReactFormState for server-side form handling (v19.1.8, package source)
  • Added formState optional parameter to renderToReadableStream options - enables form state management in streaming SSR (v19.1.8, package source)
  • Imported ReactFormState type from client module in server.d.ts - provides type definitions for form state management (v19.1.8, package source)
  • Added experimental_scrollIntoView(alignToTop?: boolean) method to RefAttributes interface for experimental React DOM features (v19.1.9, package source)
  • Added PostponedState interface in react-dom/static module - an opaque, JSON-serializable type for storing postponed rendering state (v19.1.10, package source)
  • Added ResumeOptions interface with nonce, signal, and onError properties for configuring resume operations (v19.1.10, package source)
  • Added PrerenderResult interface with postponed property to return prerender results (v19.1.10, package source)
  • Added resumeAndPrerender() function in react-dom/static for resuming and prerendering React nodes with postponed state (v19.1.10, package source)

...and 41 more in the full analysis

react-hook-form 7.60.07.65.0

We found 1 breaking change.

  • Chore: major dev dependencies upgrade (v7.62.0-7.63.0, commit)
View more changes for react-hook-form
  • Fix watch return type based on defaultValue (v7.60.0-7.61.0, release notes)
  • Fix subscribe with latest defaultValues (v7.60.0-7.61.0, release notes)
  • Remove React wildcard import to resolve ESM build issues (v7.60.0-7.61.0, release notes)
  • Reverted fix for watch return type based on defaultValue (PR #12896) (v7.61.0-7.61.1, release notes)
  • Fix sync of two defaultValues after reset with new defaultValues (#12990) (v7.61.1-7.62.0, release notes)
  • Fix: do not override prototype of data in cloneObject (#12985) (v7.61.1-7.62.0, release notes)
  • Fix field name type conflict in nested FieldErrors (#12972) (v7.61.1-7.62.0, release notes)
  • Fix: preserve Controller's defaultValue with shouldUnregister prop (#13063) (v7.63.0-7.64.0, release notes)
  • fix: respect parent-provided useFieldArray rules (#13082, #13083) (v7.64.0-7.65.0, release notes)
  • fix: getDirtyFields submit fields with null values when using useForm (#13079) (v7.64.0-7.65.0, release notes)

...and 101 more in the full analysis

zod 4.1.54.1.12

We found 1 breaking change, 1 security fix, and 2 deprecations.

  • Changed default() method signature to require non-undefined values - now accepts util.NoUndefined<core.output> instead of core.output for the non-function overload (v4.1.6, package source)
  • Fixed potential prototype pollution vulnerability in ZodError.flatten() by using Object.create(null) instead of {} for fieldErrors object initialization (v4.1.12, package source)
View more changes for zod
  • 0cca351c8b152d7c4113ab7c2a44675efb060677 Fix variable name inconsistency in coercion documentation (#5188) (v4.1.6-4.1.7, release notes)
  • 937f73c90cac90bd3b99b12c792c289b50416510 Fix tsconfig issue in bench (v4.1.6-4.1.7, release notes)
  • 4309c61304daf40aab2124b5f513abe2b4df8637 Fix cidrv6 validation - cidrv6 should reject invalid strings with multiple slashes (#5196) (v4.1.6-4.1.7, release notes)
  • c27a294f5b792f47b8e9dbb293a8ff8cfb287a3a Fix two tiny grammatical errors in the docs. (#5193) (v4.1.6-4.1.7, release notes)
  • 23a2d6692398e3dd1ad1cdb0491b271a9f989380 docs: fix broken links in async refinements and transforms references (#5190) (v4.1.6-4.1.7, release notes)
  • 845a230bb06bff679b5f00e10153f4dbbd50d2b6 fix(locales): Add type name translations to Spanish locale (#5187) (v4.1.6-4.1.7, release notes)
  • a8a52b3ba370b761be76953fa3986aa43c4172a4 fix(v4): fix Khmer and Ukrainian locales (#5177) (v4.1.6-4.1.7, release notes)
  • e1f19482bbed3fbaa563a0d8e09f1a577cc58ac7 fix(v4): ensure array defaults are shallow-cloned (#5173) (v4.1.6-4.1.7, release notes)
  • 9f650385644ae319f806a965b83f79ebd252e497 docs(ecosystem): add DRZL; fix Prisma Zod Generator placement (#5215) (v4.1.6-4.1.7, release notes)
  • aa6f0f02c2a92a266ff1495a8d2541ae46012fcb More fixes (#5223) (v4.1.6-4.1.7, release notes)

...and 75 more in the full analysis

@playwright/test 1.54.11.56.1

We found 6 breaking changes and 2 deprecations.

  • ⚠️ Dropped support for Chromium extension manifest v2. (v1.54.2-1.55.0, release notes)
  • Undo non-breaking spaces in markdown report (v1.54.2-1.55.0, commit)
  • Removed custom dark mode scrollbar theming from UI (v1.55.1-1.56.0, commit)
View more changes for @playwright/test
  • Fixed regression: Codegen unable to launch in Administrator Terminal on Windows (ProtocolError) (v1.54.1-1.54.2, release notes)
  • Fixed regression: Starting Codegen with target language not working (v1.54.1-1.54.2, release notes)
  • Fix regression: "step id not found" internal error (v1.55.0-1.55.1, release notes)
  • Fix regression: HTML reporter displays broken chip link when there are no projects (v1.55.0-1.55.1, release notes)
  • Revert "fix(a11y): track inert elements as hidden" (v1.55.0-1.55.1, release notes)
  • Event browserContext.on('backgroundpage') has been deprecated and will not be emitted. Method [browserContext.backgroundPages()](https://playwright.... (v1.55.1-1.56.0, release notes)
  • New Property testStepInfo.titlePath Returns the full title path starting from the test file, including test and step titles. (v1.54.2-1.55.0, release notes)
  • Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI. (v1.54.2-1.55.0, release notes)
  • Added support for Debian 13 "Trixie". (v1.54.2-1.55.0, release notes)
  • New methods page.consoleMessages() and page.pageErrors() for retrieving the most recent console messages from the page (v1.55.1-1.56.0, release notes)

...and 468 more in the full analysis

sass 1.89.21.93.2

We found 3 breaking changes and 6 deprecations.

  • Breaking change: Emit declarations, childless at-rules, and comments in the order they appear in the source even when they're interleaved with nested rules. This obsoletes the mixed-decls deprecation. (v1.91.0-1.92.0, release notes)
  • Breaking change: The function name type() is now fully reserved for the plain CSS function. This means that @​function definitions with the name type will produce errors, while function calls will be parsed as special function strings. (v1.91.0-1.92.0, release notes)
  • Potentially breaking change: meta.inspect() (as well as other systems that use it such as @​debug and certain error messages) now emits numbers with as high precision as is available instead of rounding to the nearest 1e⁻¹⁰ as we do when serializing to CSS.... (v1.90.0-1.91.0, changelog)
View more changes for sass
  • Fix a performance regression that was introduced in 1.92.0. (v1.91.0-1.92.0, changelog)
  • Fix a bug where variable definitions from one imported, forwarded module would not be passed as implicit configuration to a later imported, forwarded module. (v1.92.0-1.92.1, changelog)
  • Fix a crash when a style rule contains a nested @​import, and the loaded file @​uses a user-defined module as well as @​includes a top-level mixin which emits top-level declarations. (v1.92.1-1.93.0, changelog)
  • Fix an error in the release process for @​sass/types. (v1.93.0-1.93.1, changelog)
  • Fix another error in the release process for @​sass/types. (v1.93.1-1.93.2, changelog)
  • Passing a rest argument ($arg...) before a positional or named argument when calling a function or mixin is now deprecated. This was always outside the specified syntax, but it was historically treated the same as passing the rest argument at the end of the argument list whether or not that... (v1.90.0-1.91.0, changelog)
  • Release a @​sass/types package which contains the type annotations used by both the sass and sass-embedded package without any additional code or dependencies. (v1.92.1-1.93.0, changelog)
  • Allow a @​forwarded module to be loaded with a configuration when that module has already been loaded with a different configuration and the module doesn't define any variables that would have been configured anyway. (v1.89.2-1.90.0, changelog)
  • No user-visible changes. (v1.93.0-1.93.1, changelog)
  • No user-visible changes. (v1.93.1-1.93.2, changelog)

...and 56 more in the full analysis

You have no credits left. Reach out to autoupdates@fossa.com and we'll top you up.

Credits are consumed when dependency updates are reviewed or proposed.

Re-run with @fossabot analyze.

Mute out-of-credit notifications until next month (expires 2026-04-01T00:00:00.000Z)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants