chore(deps)(deps): bump the production-minor-patch group across 1 directory with 12 updates

[dependabot]

Bumps the production-minor-patch group with 12 updates in the / directory:

Package	From	To
graphql	16.13.0	16.13.1
@graphql-tools/graphql-file-loader	8.1.10	8.1.12
jose	6.1.3	6.2.1
@nosecone/next	1.1.0	1.2.0
@sentry/nextjs	10.40.0	10.42.0
@tanstack/react-virtual	3.13.19	3.13.21
framer-motion	12.34.3	12.35.2
katex	0.16.33	0.16.38
lucide-react	0.575.0	0.577.0
nosecone	1.1.0	1.2.0
hono	4.12.3	4.12.5
modern-pdf-lib	0.15.1	0.26.0

Updates graphql from 16.13.0 to 16.13.1

Release notes

Sourced from graphql's releases.

v16.13.1 (2026-03-04)

First 16.x.x release with trusted publishing and provenance, see: https://docs.npmjs.com/trusted-publishers for additional information.

Docs 📝

• #4433 docs: move migrate from express graphql guide to graphqlJS docs (@​sarahxsanders)

Internal 🏠

• #4608 internal: backport new release flow from 17.x.x (@​yaacovCR)
• #4610 internal: pin node version for release action (@​yaacovCR)

Committers: 2

• Sarah Sanders(@​sarahxsanders)
• Yaacov Rydzinski (@​yaacovCR)

Commits

• 3b5c3f9 internal: pin node version for release action (#4610)
• 6dee435 chore(release): v16.13.1 (#4609)
• c2ad5c6 internal: backport new release flow from 17.x.x (#4608)
• adff4e6 docs: move migrate from express graphql guide to graphqlJS docs (#4433)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for graphql since your current version.

Updates @graphql-tools/graphql-file-loader from 8.1.10 to 8.1.12

Changelog

Sourced from @​graphql-tools/graphql-file-loader's changelog.

8.1.12

Patch Changes

• Updated dependencies [5d6bcc4]:
  • @​graphql-tools/import@​7.1.12

8.1.11

Patch Changes

• Updated dependencies [417d875, 0e4d00e]:
  • @​graphql-tools/import@​7.1.11

Commits

• 309c14a chore(release): update monorepo packages versions (#8020)
• 66cee43 Ranged
• 9410e77 chore(release): update monorepo packages versions (#7881)
• 1b1b51f chore(release): update monorepo packages versions (#7841)
• 7417ceb chore(release): update monorepo packages versions (#7754)
• 7b17d1f chore(release): update monorepo packages versions (#7722)
• 946c496 chore(release): update monorepo packages versions (#7699)
• 8e2f481 chore(release): update monorepo packages versions (#7684)
• 53fdba6 chore(release): update monorepo packages versions (#7680)
• 5b26b6d chore(release): update monorepo packages versions (#7655)
• Additional commits viewable in compare view

Updates jose from 6.1.3 to 6.2.1

Release notes

Sourced from jose's releases.

v6.2.1

Refactor

• reorganize internals, less files, smaller footprint (d4231f9)

v6.2.0

Features

• re-introduce JWE "zip" (Compression Algorithm) Header Parameter support (b13b446)

Documentation

• clarify return of general jws and jwe (56682b4)

Changelog

Sourced from jose's changelog.

6.2.1 (2026-03-09)

Refactor

• reorganize internals, less files, smaller footprint (d4231f9)

6.2.0 (2026-03-05)

Features

• re-introduce JWE "zip" (Compression Algorithm) Header Parameter support (b13b446)

Documentation

• clarify return of general jws and jwe (56682b4)

Commits

• d491aa9 chore(release): 6.2.1
• d4231f9 refactor: reorganize internals, less files, smaller footprint
• 7b22ba8 test: use playwright instead of testcafe
• 00965b4 chore: bump packages
• b8f9f94 chore: cleanup after release
• 970673e chore(release): 6.2.0
• b13b446 feat: re-introduce JWE "zip" (Compression Algorithm) Header Parameter support
• c2d1dd1 test: update deno expectations
• edcaec9 chore(deps): bump actions/upload-artifact in the actions group
• 037d212 chore(deps): bump minimatch
• Additional commits viewable in compare view

Updates @nosecone/next from 1.1.0 to 1.2.0

Release notes

Sourced from @​nosecone/next's releases.

v1.2.0

1.2.0 (2026-03-06)

🚀 New Features

• add detect_prompt_injection rule (#5871) (b801a6b)
• filter: add support for local filter fields (#5819) (42e1a06)

🪲 Bug Fixes

• arcjet: better protectSignup error messages (#5797) (06267d9)
• arcjet: better error w/o rules (#5799) (57be82b)

🧹 Miscellaneous Chores

• add new bots to well-known bots list (#5801) (b4d3c32)
• remove nextjs-14-nextauth-4 example (#5820) (216543f)
• rename to reasonPromptInjection (#5902) (7b78000)

📚 Tests

• arcjet: remove unneeded type casts (#5798) (42616a9)

Changelog

Sourced from @​nosecone/next's changelog.

1.2.0 (2026-03-06)

🧹 Miscellaneous Chores

• @​nosecone/next: Synchronize arcjet-js versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • nosecone bumped from 1.1.0 to 1.2.0
  • devDependencies
    • @​arcjet/eslint-config bumped from 1.1.0 to 1.2.0
    • @​arcjet/rollup-config bumped from 1.1.0 to 1.2.0

Commits

• 9992ba4 chore: Release 1.2.0 (#5802)
• a56c62b deps: periodic dependency update (#5892)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by quinn-arcjet, a new releaser for @​nosecone/next since your current version.

Attestation changes

This version has no provenance attestation, while the previous version (1.1.0) was attested. Review the package versions before updating.

Updates @sentry/nextjs from 10.40.0 to 10.42.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.42.0

• feat(consola): Enhance Consola integration to extract first-param object as searchable attributes (#19534)
• fix(astro): Do not inject withSentry into Cloudflare Pages (#19558)
• fix(core): Do not remove promiseBuffer entirely (#19592)
• fix(deps): Bump fast-xml-parser to 4.5.4 for CVE-2026-25896 (#19588)
• fix(react-router): Set correct transaction name when navigating with object argument (#19590)
• ref(nuxt): Use addVitePlugin instead of deprecated vite:extendConfig (#19464)

• chore(deps-dev): bump @​sveltejs/kit from 2.52.2 to 2.53.3 (#19571)
• chore(deps): Bump @​sveltejs/kit to 2.53.3 in sveltekit-2-svelte-5 E2E test (#19594)
• ci(deps): bump actions/checkout from 4 to 6 (#19570)

Bundle size 📦

Path	Size
@​sentry/browser	25.02 KB
@​sentry/browser - with treeshaking flags	23.57 KB
@​sentry/browser (incl. Tracing)	41.44 KB
@​sentry/browser (incl. Tracing, Profiling)	45.99 KB
@​sentry/browser (incl. Tracing, Replay)	79.35 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	69.21 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	83.93 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	95.91 KB
@​sentry/browser (incl. Feedback)	41.44 KB
@​sentry/browser (incl. sendFeedback)	29.58 KB
@​sentry/browser (incl. FeedbackAsync)	34.52 KB
@​sentry/browser (incl. Metrics)	26.17 KB
@​sentry/browser (incl. Logs)	26.31 KB
@​sentry/browser (incl. Metrics & Logs)	26.96 KB
@​sentry/react	26.74 KB
@​sentry/react (incl. Tracing)	43.72 KB
@​sentry/vue	29.37 KB
@​sentry/vue (incl. Tracing)	43.26 KB
@​sentry/svelte	25.05 KB
CDN Bundle	27.51 KB
CDN Bundle (incl. Tracing)	42.25 KB
CDN Bundle (incl. Logs, Metrics)	28.33 KB
CDN Bundle (incl. Tracing, Logs, Metrics)	43.07 KB
CDN Bundle (incl. Replay, Logs, Metrics)	66.49 KB
CDN Bundle (incl. Tracing, Replay)	78.26 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	79.1 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	83.65 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	84.5 KB
CDN Bundle - uncompressed	80.42 KB

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.42.0

• feat(consola): Enhance Consola integration to extract first-param object as searchable attributes (#19534)
• fix(astro): Do not inject withSentry into Cloudflare Pages (#19558)
• fix(core): Do not remove promiseBuffer entirely (#19592)
• fix(deps): Bump fast-xml-parser to 4.5.4 for CVE-2026-25896 (#19588)
• fix(react-router): Set correct transaction name when navigating with object argument (#19590)
• ref(nuxt): Use addVitePlugin instead of deprecated vite:extendConfig (#19464)

• chore(deps-dev): bump @​sveltejs/kit from 2.52.2 to 2.53.3 (#19571)
• chore(deps): Bump @​sveltejs/kit to 2.53.3 in sveltekit-2-svelte-5 E2E test (#19594)
• ci(deps): bump actions/checkout from 4 to 6 (#19570)

10.41.0

Important Changes

• feat(core,cloudflare,deno): Add instrumentPostgresJsSql instrumentation (#19566)

  Added a new instrumentation helper for the postgres (postgres.js) library, designed for SDKs that are not based on OpenTelemetry (e.g. Cloudflare, Deno). This wraps a postgres.js sql tagged template instance so that all queries automatically create Sentry spans.

  import postgres from 'postgres';
  import * as Sentry from '@sentry/cloudflare'; // or '@sentry/deno'
  export default Sentry.withSentry(env => ({ dsn: 'DSN' }), {
  async fetch(request, env, ctx) {
  const sql = Sentry.instrumentPostgresJsSql(postgres(env.DATABASE_URL));
  // All queries now create Sentry spans
  const users = await sql`SELECT * FROM users WHERE id = ${userId}`;
  return Response.json(users);
  
  },
  });

  The instrumentation is available in @sentry/core, @sentry/cloudflare, and @sentry/deno.

• feat(nextjs): Add Turbopack support for thirdPartyErrorFilterIntegration (#19542)

  We added experimental support for the thirdPartyErrorFilterIntegration with Turbopack builds.

  This feature requires Next.js 16+ and is currently behind an experimental flag:

... (truncated)

Commits

• 07c9190 release: 10.42.0
• 193a78d Merge pull request #19601 from getsentry/prepare-release/10.42.0
• 8738f9b meta(changelog): Update changelog for 10.42.0
• f870073 fix(astro): Do not inject withSentry into Cloudflare Pages (#19558)
• 552187d chore(deps): Bump @​sveltejs/kit to 2.53.3 in sveltekit-2-svelte-5 E2E test (#...
• 1ffba2c fix(core): Do not remove promiseBuffer entirely (#19592)
• 4a7c056 fix(react-router): Set correct transaction name when navigating with object a...
• 003e894 ci(deps): bump actions/checkout from 4 to 6 (#19570)
• 5d4c0eb chore(deps-dev): bump @​sveltejs/kit from 2.52.2 to 2.53.3 (#19571)
• 116c3f3 fix(deps): Bump fast-xml-parser to 4.5.4 for CVE-2026-25896 (#19588)
• Additional commits viewable in compare view

Updates @tanstack/react-virtual from 3.13.19 to 3.13.21

Release notes

Sourced from @​tanstack/react-virtual's releases.

@​tanstack/react-virtual@​3.13.21

Patch Changes

• Updated dependencies [be89e29]:
  • @​tanstack/virtual-core@​3.13.21

@​tanstack/react-virtual@​3.13.20

Patch Changes

• Updated dependencies [ff83e94]:
  • @​tanstack/virtual-core@​3.13.20

Changelog

Sourced from @​tanstack/react-virtual's changelog.

3.13.21

Patch Changes

• Updated dependencies [be89e29]:
  • @​tanstack/virtual-core@​3.13.21

3.13.20

Patch Changes

• Updated dependencies [ff83e94]:
  • @​tanstack/virtual-core@​3.13.20

Commits

• c4da5cb ci: Version Packages (#1137)
• be89e29 fix(virtual-core): smooth scrolling for dynamic item sizes (#1108)
• d2a9995 ci: Version Packages (#1136)
• ff83e94 fix(virtual-core): early return in _measureElement for disconnected nodes (#1...
• See full diff in compare view

Updates framer-motion from 12.34.3 to 12.35.2

Changelog

Sourced from framer-motion's changelog.

[12.35.2] 2026-03-09

Fixed

• Reduced filesize of styleEffect.
• Fix rounding from popLayout.
• opacity animations in React Strict Mode in development.
• Ensure useSpring is not affected by monitor framerate.
• Updating animations sequence segment types to exclude lifecycle handlers.
• Fix layout animations with parents offset by a %-based translation.
• Fix autoplay: false with WAAPI animations.
• Fix layout jump in React Strict Mode in development.
• Detect divide-by-zero in CSS calc() values before making animatable templates.

[12.35.1] 2026-03-06

Fixed

• Fixing combination of string keyframes, spring and delay.
• Gracefully handle negative scroll values.
• Fix one-frame visual gap when rapidly switching WAAPI animations.
• animation.time = 0 on a finished animation sets the playhead in a paused state.

[12.35.0] 2026-03-03

Added

• ViewTimeline support for scroll and useScroll.

[12.34.6] 2026-03-03

Fixed

• Handle % translate values in layout animations.

[12.34.5] 2026-03-03

Fixed

• Ensure final WAAPI styles are always committed synchronously to prevent flash of incorrect styles in Firefox.
• Prevent Next.js from caching typeof window checks.
• Improve projection node cleanup.
• Variant propagation fixed for asynchronously-mounted children.

[12.34.4] 2026-03-02

Fixed

• Ensure onComplete fires at the end of an animation sequence.

Commits

• 2034efc v12.35.2
• 9f080ca Updating changelog
• 31dd9bd Latest
• da23762 Merge pull request #3602 from motiondivision/worktree-fix-issue-3232
• 80b321e Merge pull request #3599 from motiondivision/worktree-fix-issue-3244
• 4e5e0ae Merge pull request #3600 from motiondivision/worktree-fix-issue-3236
• 16b83b4 Merge branch 'main' into worktree-fix-issue-3236
• f4adc2e Extract convertToZero to module level with documentation
• b793fc0 Merge pull request #3598 from motiondivision/worktree-fix-issue-3254
• e787956 Simplify transformBox and add comment for percentage re-measurement
• Additional commits viewable in compare view

Updates katex from 0.16.33 to 0.16.38

Release notes

Sourced from katex's releases.

v0.16.38

0.16.38 (2026-03-08)

Bug Fixes

• accent skew mixed with font specifiers (#4159) (aea3375), closes #4121

v0.16.37

0.16.37 (2026-03-06)

Bug Fixes

• negative-width \hphantom and symmetric \smash (#4153) (d4799ca)

v0.16.36

0.16.36 (2026-03-06)

Bug Fixes

• contrib esm bloat (#4157) (2bde1ad)

v0.16.35

0.16.35 (2026-03-05)

Bug Fixes

• version number regression (#4155) (db26b73)

v0.16.34

0.16.34 (2026-03-05)

Bug Fixes

• emoji with variation selector (#4151) (c2606e5)

Changelog

Sourced from katex's changelog.

0.16.38 (2026-03-08)

Bug Fixes

• accent skew mixed with font specifiers (#4159) (aea3375), closes #4121

0.16.37 (2026-03-06)

Bug Fixes

• negative-width \hphantom and symmetric \smash (#4153) (d4799ca)

0.16.36 (2026-03-06)

Bug Fixes

• contrib esm bloat (#4157) (2bde1ad)

0.16.35 (2026-03-05)

Bug Fixes

• version number regression (#4155) (db26b73)

0.16.34 (2026-03-05)

Bug Fixes

• emoji with variation selector (#4151) (c2606e5)

Commits

• eda872c chore(release): 0.16.38 [ci skip]
• aea3375 fix: accent skew mixed with font specifiers (#4159)
• 8c2bf2e test: fail on missing screenshot (#4158)
• 4eee63b chore(release): 0.16.37 [ci skip]
• d4799ca fix: negative-width \hphantom and symmetric \smash (#4153)
• 6ba48a4 chore: screenshotter support for Docker Desktop on Windows (#4154)
• 4128549 chore(release): 0.16.36 [ci skip]
• 2bde1ad fix: contrib esm bloat (#4157)
• de31e7f chore(release): 0.16.35 [ci skip]
• db26b73 fix: version number regression (#4155)
• Additional commits viewable in compare view

Updates lucide-react from 0.575.0 to 0.577.0

Release notes

Sourced from lucide-react's releases.

Version 0.577.0

What's Changed

• chore(deps): bump rollup from 4.53.3 to 4.59.0 by @​dependabot[bot] in lucide-icons/lucide#4106
• fix(repo): correctly ignore docs/releaseMetadata via .gitignore by @​bhavberi in lucide-icons/lucide#4100
• feat(icons): added ellipse icon by @​KISHORE-KUMAR-S in lucide-icons/lucide#3749

New Contributors

• @​bhavberi made their first contribution in lucide-icons/lucide#4100
• @​KISHORE-KUMAR-S made their first contribution in lucide-icons/lucide#3749

Full Changelog: lucide-icons/lucide@0.576.0...0.577.0

Version 0.576.0

What's Changed

• Added zodiac signs by @​karsa-mistmere in lucide-icons/lucide#712
• fix(icons): fixes guideline violations in package-* icons. by @​karsa-mistmere in lucide-icons/lucide#4074
• fix(icons): changed receipt icon by @​karsa-mistmere in lucide-icons/lucide#4075
• fix(icons): updated cuboid icon tags and categories by @​karsa-mistmere in lucide-icons/lucide#4095
• fix(icons): changed cuboid icon by @​jamiemlaw in lucide-icons/lucide#4098
• fix(lucide-font, lucide-static): Fixing stable code points by @​ericfennis in lucide-icons/lucide#3894
• feat(icons): added fishing-rod icon by @​7ender in lucide-icons/lucide#3839

Full Changelog: lucide-icons/lucide@0.575.0...0.576.0

Commits

• f6c0d06 chore(deps): bump rollup from 4.53.3 to 4.59.0 (#4106)
• See full diff in compare view

Updates nosecone from 1.1.0 to 1.2.0

Release notes

Sourced from nosecone's releases.

v1.2.0

1.2.0 (2026-03-06)

🚀 New Features

• add detect_prompt_injection rule (#5871) (b801a6b)
• filter: add support for local filter fields (#5819) (42e1a06)

🪲 Bug Fixes

• arcjet: better protectSignup error messages (#5797) (06267d9)
• arcjet: better error w/o rules (#5799) (57be82b)

🧹 Miscellaneous Chores

• add new bots to well-known bots list (#5801) (b4d3c32)
• remove nextjs-14-nextauth-4 example (#5820) (216543f)
• rename to reasonPromptInjection (#5902) (7b78000)

📚 Tests

• arcjet: remove unneeded type casts (#5798) (42616a9)

Changelog

Sourced from nosecone's changelog.

1.2.0 (2026-03-06)

🧹 Miscellaneous Chores

• nosecone: Synchronize arcjet-js versions

Dependencies

• The following workspace dependencies were updated
  • devDependencies
    • @​arcjet/eslint-config bumped from 1.1.0 to 1.2.0
    • @​arcjet/rollup-config bumped from 1.1.0 to 1.2.0

Commits

• 9992ba4 chore: Release 1.2.0 (#5802)
• a56c62b deps: periodic dependency update (#5892)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by quinn-arcjet, a new releaser for nosecone since your current version.

Attestation changes

This version has no provenance attestation, while the previous version (1.1.0) was attested. Review the package versions before updating.

Updates hono from 4.12.3 to 4.12.5

Release notes

Sourced from hono's releases.

v4.12.5

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in honojs/hono#4723
• fix(jwt): validate token format in decode and decodeHeader functions by @​otoneko1102 in honojs/hono#4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @​gaearon in honojs/hono#4770
• chore(eslint): upgrade @hono/eslint-config by @​BarryThePenguin in honojs/hono#4781

New Contributors

• @​andrewdamelio made their first contribution in honojs/hono#4723
• @​otoneko1102 made their first contribution in honojs/hono#4752
• @​gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

---

Other changes

• fix(client): preserve route schema in ApplyGlobalResponse by @​agumy in honojs/hono#4777
• fix(utils/url): specify the return type of tryDecodeURI by @​yusukebe in honojs/hono#4779

New Contributors

• @​agumy made their first contribution in honojs/hono#4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

Commits

• 18cc595 4.12.5
• 5d59ac7 chore(eslint): upgrade @hono/eslint-config (#4781)
• b8cff18 fix(jsx): Fix "Invalid state: Controller is already closed" (#4770)
• 8c4d7f3 fix(jwt): validate token format in decode and decodeHeader functions (#4752)
• 0f49915 fix(request): return string | undefined from param() when path type is any ...
• 19d20d2 4.12.4
• 44ae0c8 Merge commit from fork
• f4123ed Merge commit from fork
• 80a9837 fix(utils/url): specify the return type of tryDecodeURI (#4779)
• 6a0607a Merge commit from fork
• Additional commits viewable in compare view

Updates modern-pdf-lib from 0.15.1 to 0.26.0

Release notes

Sourced from modern-pdf-lib's releases.

v0.26.0

Added

• PDF form flattening (src/form/formFlatten.ts):

  • flattenForm() — burn all form fields into page content, remove AcroForm
  • flattenField() / flattenFields() — flatten specific fields by name
  • FlattenOptions with preserveReadOnly support

• Bookmarks / Outlines API (src/core/outlines.ts):

  • addBookmark() — add nested bookmarks with bold/italic/color/position
  • getBookmarks() — return the full bookmark tree
  • removeBookmark() / removeAllBookmarks() — bookmark management

• Page labels (src/core/pageLabels.ts):

  • setPageLabels() — set label ranges (decimal, roman, alpha, custom prefix)
  • getPageLabels() / removePageLabels() — label management
  • Catalog integration with /PageLabels number tree

• AES-256 encryption (PDF 2.0, V=5 R=6):

  • Full writer integration — doc.encrypt({ algorithm: 'aes-256' }) now works end-to-end
  • Algorithm 2.B key derivation (ISO 32000-2), SASLprep password normalization
  • %PDF-2.0 header for AES-256 encrypted documents
  • Trailer /Encrypt and /ID dictionary generation

• SVG-to-PDF vector conversion (enhanced):

  • Text rendering with standard font resolution (Helvetica/Times/Courier families)
  • Fill-rule support (nonzero/evenodd → f/f*/B/B*)
  • Stroke properties: linecap, linejoin, miterlimit, dasharray, dashoffset
  • 60 new SVG conversion tests

• Redaction application (src/annotation/applyRedactions.ts):

  • applyRedactions() — apply all redaction annotations (fill area, overlay text, remove annotation)
  • applyRedaction() — apply a single redaction by page/annotation index

• Batch processing (src/batch/batchProcessor.ts):

  • processBatch() — process multiple PDFs with bounded concurrency
  • batchMerge() / batchFlatten() — parallel merge and flatten operations
  • Progress callbacks, error isolation, runtime-aware concurrency

• PDF linearization (fast web view) — complete rewrite:

  • linearizePdf() — full page classification, hint tables, xref streams
  • delinearizePdf() — convert linearized PDF back to normal
  • getLinearizationInfo() — extract linearization parameters
  • Page offset and shared object hint tables per PDF spec §F

• PDF/UA accessibility validation (src/accessibility/pdfUaValidator.ts):

  • validatePdfUa() — 12 checks: structure tree, language, title, headings, alt text, tables, lists, reading order, fonts, contrast, bookmarks, tab order
  • enforcePdfUa() — auto-fix language, title, structure tree, tab order
  • Page tab order API (setTabOrder())

... (truncated)

Changelog

Sourced from modern-pdf-lib's changelog.

[0.26.0] - 2026-03-08

Added

• PDF form flattening (src/form/formFlatten.ts):

  • flattenForm() — burn all form fields into page content, remove AcroForm
  • flattenField() / flattenFields() — flatten specific fields by name
  • FlattenOptions with preserveReadOnly support

• Bookmarks / Outlines API (src/core/outlines.ts):

  • addBookmark() — add nested bookmarks with bold/italic/color/position
  • getBookmarks() — return the full bookmark tree
  • removeBookmark() / removeAllBookmarks() — bookmark management

• Page labels (src/core/pageLabels.ts):

  • setPageLabels() — set label ranges (decimal, roman, alpha, custom prefix)
  • getPageLabels() / removePageLabels() — label management
  • Catalog integration with /PageLabels number tree

• AES-256 encryption (PDF 2.0, V=5 R=6):

  • Full writer integration — doc.encrypt({ algorithm: 'aes-256' }) now works end-to-end
  • Algorithm 2.B key derivation (ISO 32000-2), SASLprep password normalization
  • %PDF-2.0 header for AES-256 encrypted documents
  • Trailer /Encrypt and /ID dictionary generation

• SVG-to-PDF vector conversion (enhanced):

  • Text rendering with standard font resolution (Helvetica/Times/Courier families)
  • Fill-rule support (nonzero/evenodd → f/f*/B/B*)
  • Stroke properties: linecap, linejoin, miterlimit, dasharray, dashoffset
  • 60 new SVG conversion tests

• Redaction application (src/annotation/applyRedactions.ts):

  • applyRedactions() — apply all redaction annotations (fill area, overlay text, remove annotation)
  • applyRedaction() — apply a single redaction by page/annotation index

• Batch processing (src/batch/batchProcessor.ts):

  • processBatch() — process multiple PDFs with bounded concurrency
  • batchMerge() / batchFlatten() — parallel merge and flatten operations
  • Progress callbacks, error isolation, runtime-aware concurrency

• PDF linearization (fast web view) — complete rewrite:

  • linearizePdf() — full page classification, hint tables, xref streams
  • delinearizePdf() — convert linearized PDF back to normal
  • getLinearizationInfo() — extract linearization parameters
  • Page offset and shared object hint tables per PDF spec §F

• PDF/UA accessibility validation (src/accessibility/pdfUaValidator.ts):

  • validatePdfUa() — 12 checks: structure tree, language, title, headings, alt text, tables, lists, reading order, fonts, contrast, bookmarks, tab order
  • enforcePdfUa() — auto-fix language, title, structure tree, tab order
  • Page tab order API (setTabOrder())

... (truncated)

Commits

• 12a22a8 release: v0.26.0 — 9 new features, 586 new tests, comprehensive modernization
• 2514f23 release: v0.25.0 — 267 new tests, complete exports, CI/build pipeline fixes
• 24d0458 docs: regenerate TypeDoc API reference for v0.24.10
• c9a6cf2 chore: v0.24.10 — documentation update for incremental save + WebP/TIFF features
• 2ca30bb feat: v0.23.0–0.24.10 — incremental save with signature preservation, WebP + ...
• 5382fc4 fix: resolve all 4 TypeDoc warnings — export missing types, remove unused @​param
• ca8606e docs: regenerate TypeDoc API reference for v0.22.9
...

Description has been truncated

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nextcalc-pro	Ready	Preview, Comment	Mar 9, 2026 2:21pm

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.