chore(deps)(deps): bump the production-minor-patch group across 1 directory with 21 updates

[dependabot]

Bumps the production-minor-patch group with 21 updates in the / directory:

Package	From	To
@apollo/server	5.4.0	5.5.0
graphql	16.13.0	16.13.2
@graphql-tools/graphql-file-loader	8.1.10	8.1.12
graphql-ws	6.0.7	6.0.8
jose	6.1.3	6.2.2
ws	8.19.0	8.20.0
@nosecone/next	1.1.0	1.3.0
@sentry/nextjs	10.40.0	10.46.0
@serwist/next	9.5.6	9.5.7
@tanstack/react-virtual	3.13.19	3.13.23
@vercel/analytics	2.0.0-canary.1	2.0.1
framer-motion	12.34.3	12.38.0
katex	0.16.33	0.16.44
next	16.2.0-canary.69	16.2.1
nosecone	1.1.0	1.3.0
tailwindcss	4.2.1	4.2.2
zustand	5.0.11	5.0.12
hono	4.12.3	4.12.9
modern-pdf-lib	0.15.1	0.26.0
@prisma/adapter-neon	7.5.0-dev.33	7.6.0
@prisma/client	7.5.0-dev.33	7.6.0

Updates @apollo/server from 5.4.0 to 5.5.0

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​5.5.0

Minor Changes

• #8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

• Updated dependencies [ada1200]:
  • @​apollo/server@​5.5.0

@​apollo/server@​5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Changelog

Sourced from @​apollo/server's changelog.

5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Commits

• 64c0e1b Version Packages (#8192)
• ada1200 Reject GET requests with a Content-Type other than application/json (#8191)
• See full diff in compare view

Updates graphql from 16.13.0 to 16.13.2

Release notes

Sourced from graphql's releases.

v16.13.2 (2026-03-24)

Docs 📝

• #4611 add dev mode docs (@​yaacovCR)

Polish 💅

• #4631 Use Object.create(null) over {} to avoid prototype issues - v16 (@​benjie)

Internal 🏠

• #4626 backport: internal: streamline release process (#4615) (@​yaacovCR)

Committers: 2

• Benjie(@​benjie)
• Yaacov Rydzinski (@​yaacovCR)

v16.13.1 (2026-03-04)

First 16.x.x release with trusted publishing and provenance, see: https://docs.npmjs.com/trusted-publishers for additional information.

Docs 📝

• #4433 docs: move migrate from express graphql guide to graphqlJS docs (@​sarahxsanders)

Internal 🏠

• #4608 internal: backport new release flow from 17.x.x (@​yaacovCR)
• #4610 internal: pin node version for release action (@​yaacovCR)

Committers: 2

• Sarah Sanders(@​sarahxsanders)
• Yaacov Rydzinski (@​yaacovCR)

Commits

• 123e958 chore(release): v16.13.2 (#4632)
• 13f130d Use Object.create(null) over {} to avoid prototype issues - v16 (#4631)
• 6ca59e1 backport: internal: streamline release process (#4615) (#4626)
• df8c53f docs: dev mode for v17 (#4611)
• 3b5c3f9 internal: pin node version for release action (#4610)
• 6dee435 chore(release): v16.13.1 (#4609)
• c2ad5c6 internal: backport new release flow from 17.x.x (#4608)
• adff4e6 docs: move migrate from express graphql guide to graphqlJS docs (#4433)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for graphql since your current version.

Updates @graphql-tools/graphql-file-loader from 8.1.10 to 8.1.12

Changelog

Sourced from @​graphql-tools/graphql-file-loader's changelog.

8.1.12

Patch Changes

• Updated dependencies [5d6bcc4]:
  • @​graphql-tools/import@​7.1.12

8.1.11

Patch Changes

• Updated dependencies [417d875, 0e4d00e]:
  • @​graphql-tools/import@​7.1.11

Commits

• 309c14a chore(release): update monorepo packages versions (#8020)
• 66cee43 Ranged
• 9410e77 chore(release): update monorepo packages versions (#7881)
• 1b1b51f chore(release): update monorepo packages versions (#7841)
• 7417ceb chore(release): update monorepo packages versions (#7754)
• 7b17d1f chore(release): update monorepo packages versions (#7722)
• 946c496 chore(release): update monorepo packages versions (#7699)
• 8e2f481 chore(release): update monorepo packages versions (#7684)
• 53fdba6 chore(release): update monorepo packages versions (#7680)
• 5b26b6d chore(release): update monorepo packages versions (#7655)
• Additional commits viewable in compare view

Updates graphql-ws from 6.0.7 to 6.0.8

Release notes

Sourced from graphql-ws's releases.

v6.0.8

Patch Changes

• #667 fc03004 Thanks @​endigma! - Fix the server sending a Complete message after an Error message for subscriptions.

  Previously, when a subscription's async iterable threw an error, the server would send:

  {"id":"1","type":"error","payload":[{"message":"..."}]}
  {"id":"1","type":"complete"}
  

  Per the protocol spec:

  Error: This message terminates the operation and no further messages will be sent.

  Complete (Server → Client): If the server dispatched the Error message relative to the original Subscribe message, no Complete message will be emitted.

  The server now correctly sends only the Error message:

  {"id":"1","type":"error","payload":[{"message":"..."}]}
  

  Clients that correctly follow the spec should be unaffected, as they are expected to ignore messages for operations they consider already completed.

Changelog

Sourced from graphql-ws's changelog.

6.0.8

Patch Changes

• #667 fc03004 Thanks @​endigma! - Fix the server sending a Complete message after an Error message for subscriptions.

  Previously, when a subscription's async iterable threw an error, the server would send:

  {"id":"1","type":"error","payload":[{"message":"..."}]}
  {"id":"1","type":"complete"}
  

  Per the protocol spec:

  Error: This message terminates the operation and no further messages will be sent.

  Complete (Server → Client): If the server dispatched the Error message relative to the original Subscribe message, no Complete message will be emitted.

  The server now correctly sends only the Error message:

  {"id":"1","type":"error","payload":[{"message":"..."}]}
  

  Clients that correctly follow the spec should be unaffected, as they are expected to ignore messages for operations they consider already completed.

Commits

• 2cbe0ed Upcoming Release Changes (#668)
• fc03004 fix: do not send Complete after Error for subscriptions (#667)
• See full diff in compare view

Updates jose from 6.1.3 to 6.2.2

Release notes

Sourced from jose's releases.

v6.2.2

Fixes

• reject failed decompression with JWEInvalid error (043b181)

v6.2.1

Refactor

• reorganize internals, less files, smaller footprint (d4231f9)

v6.2.0

Features

• re-introduce JWE "zip" (Compression Algorithm) Header Parameter support (b13b446)

Documentation

• clarify return of general jws and jwe (56682b4)

Changelog

Sourced from jose's changelog.

6.2.2 (2026-03-18)

Fixes

• reject failed decompression with JWEInvalid error (043b181)

6.2.1 (2026-03-09)

Refactor

• reorganize internals, less files, smaller footprint (d4231f9)

6.2.0 (2026-03-05)

Features

• re-introduce JWE "zip" (Compression Algorithm) Header Parameter support (b13b446)

Documentation

• clarify return of general jws and jwe (56682b4)

Commits

• 9c86586 chore(release): 6.2.2
• 4984b5c chore(deps): bump the actions group with 4 updates
• 043b181 fix: reject failed decompression with JWEInvalid error
• 867cc2c chore(deps-dev): bump undici
• f4e20e7 chore(deps-dev): bump tar in the npm_and_yarn group across 1 directory
• d0505bf chore: cleanup after release
• d491aa9 chore(release): 6.2.1
• d4231f9 refactor: reorganize internals, less files, smaller footprint
• 7b22ba8 test: use playwright instead of testcafe
• 00965b4 chore: bump packages
• Additional commits viewable in compare view

Updates ws from 8.19.0 to 8.20.0

Release notes

Sourced from ws's releases.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

Commits

• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• ca533a5 [pkg] Update globals to version 17.0.0
• See full diff in compare view

Updates @nosecone/next from 1.1.0 to 1.3.0

Release notes

Sourced from @​nosecone/next's releases.

v1.3.0

1.3.0 (2026-03-12)

🚀 New Features

• add botnet category and IP abuser detection (#5913) (d307e26)
• graduate experimental_detectPromptInjection to detectPromptInjection (#5920) (0e0e4c1)
• set minimum timeout when detectPromptInjection rule present (#5922) (36ec27e)

🧹 Miscellaneous Chores

• publish packages in topological dependency order (#5911) (3068548)

🔨 Build System

• deps-dev: bump tar from 7.5.10 to 7.5.11 in /examples/nextjs-app-dir-validate-email (#5916) (22784d4)
• deps-dev: bump tar from 7.5.10 to 7.5.11 in /examples/nextjs-ip-details (#5914) (e7f14ee)
• deps-dev: bump tar from 7.5.10 to 7.5.11 in /examples/nextjs-pages-wrap (#5915) (46a94ee)

v1.2.0

1.2.0 (2026-03-06)

🚀 New Features

• add detect_prompt_injection rule (#5871) (b801a6b)
• filter: add support for local filter fields (#5819) (42e1a06)

🪲 Bug Fixes

• arcjet: better protectSignup error messages (#5797) (06267d9)
• arcjet: better error w/o rules (#5799) (57be82b)

🧹 Miscellaneous Chores

• add new bots to well-known bots list (#5801) (b4d3c32)
• remove nextjs-14-nextauth-4 example (#5820) (216543f)
• rename to reasonPromptInjection (#5902) (7b78000)

📚 Tests

• arcjet: remove unneeded type casts (#5798) (42616a9)

Changelog

Sourced from @​nosecone/next's changelog.

1.3.0 (2026-03-12)

🧹 Miscellaneous Chores

• @​nosecone/next: Synchronize arcjet-js versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • nosecone bumped from 1.2.0 to 1.3.0
  • devDependencies
    • @​arcjet/eslint-config bumped from 1.2.0 to 1.3.0
    • @​arcjet/rollup-config bumped from 1.2.0 to 1.3.0

1.2.0 (2026-03-06)

🧹 Miscellaneous Chores

• @​nosecone/next: Synchronize arcjet-js versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • nosecone bumped from 1.1.0 to 1.2.0
  • devDependencies
    • @​arcjet/eslint-config bumped from 1.1.0 to 1.2.0
    • @​arcjet/rollup-config bumped from 1.1.0 to 1.2.0

Commits

• 682a80e chore: Release 1.3.0 (#5912)
• 9992ba4 chore: Release 1.2.0 (#5802)
• a56c62b deps: periodic dependency update (#5892)
• See full diff in compare view

Updates @sentry/nextjs from 10.40.0 to 10.46.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.46.0

Important Changes

• feat(elysia): @sentry/elysia - Alpha Release (#19509)

  New Sentry SDK for the Elysia web framework, supporting both Bun and Node.js runtimes.

  Note: This is an alpha release. Please report any issues or feedback on GitHub.

  Features

  • Automatic error capturing — 5xx errors captured via global onError hook; 3xx/4xx ignored by default. Customizable with shouldHandleError.
  • Automatic tracing — Lifecycle spans for every Elysia phase (Request, Parse, Transform, BeforeHandle, Handle, AfterHandle, MapResponse, AfterResponse, Error) with parameterized route names (e.g. GET /users/:id).
  • Distributed tracing — sentry-trace and baggage headers propagated automatically on incoming/outgoing requests.

  Usage

  import * as Sentry from '@sentry/elysia';
  import { Elysia } from 'elysia';
  Sentry.init({ dsn: 'DSN', tracesSampleRate: 1.0 });
  const app = Sentry.withElysia(new Elysia());
  app.get('/', () => 'Hello World');
  app.listen(3000);

Other Changes

• feat(nuxt): Conditionally use plugins based on Nitro version (v2/v3) (#19955)
• fix(cloudflare): Forward ctx argument to Workflow.do user callback (#19891)
• fix(cloudflare): Send correct events in local development (#19900)
• fix(core): Do not overwrite user provided conversation id in Vercel (#19903)
• fix(core): Preserve .withResponse() on Anthropic instrumentation (#19935)
• fix(core): Send internal_error as span status for Vercel error spans (#19921)
• fix(core): Truncate content array format in Vercel (#19911)
• fix(deps): bump fast-xml-parser to 5.5.8 in @​azure/core-xml chain (#19918)
• fix(deps): bump socket.io-parser to 4.2.6 to fix CVE-2026-33151 (#19880)
• fix(nestjs): Add node to nest metadata (#19875)
• fix(serverless): Add node to metadata (#19878)

• chore(ci): Fix "Gatbsy" typo in issue package label workflow (#19905)
• chore(claude): Enable Claude Code Intelligence (LSP) (#19930)
• chore(deps): bump mongodb-memory-server-global from 10.1.4 to 11.0.1 (#19888)
• chore(deps-dev): bump @​react-router/node from 7.13.0 to 7.13.1 (#19544)
• chore(deps-dev): bump effect from 3.19.19 to 3.20.0 (#19926)
• chore(deps-dev): bump qunit-dom from 3.2.1 to 3.5.0 (#19546)

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.46.0

Important Changes

• feat(elysia): @sentry/elysia - Alpha Release (#19509)

  New Sentry SDK for the Elysia web framework, supporting both Bun and Node.js runtimes.

  Note: This is an alpha release. Please report any issues or feedback on GitHub.

  Features

  • Automatic error capturing — 5xx errors captured via global onError hook; 3xx/4xx ignored by default. Customizable with shouldHandleError.
  • Automatic tracing — Lifecycle spans for every Elysia phase (Request, Parse, Transform, BeforeHandle, Handle, AfterHandle, MapResponse, AfterResponse, Error) with parameterized route names (e.g. GET /users/:id).
  • Distributed tracing — sentry-trace and baggage headers propagated automatically on incoming/outgoing requests.

  Usage

  import * as Sentry from '@sentry/elysia';
  import { Elysia } from 'elysia';
  Sentry.init({ dsn: 'DSN', tracesSampleRate: 1.0 });
  const app = Sentry.withElysia(new Elysia());
  app.get('/', () => 'Hello World');
  app.listen(3000);

Other Changes

• feat(nuxt): Conditionally use plugins based on Nitro version (v2/v3) (#19955)
• fix(cloudflare): Forward ctx argument to Workflow.do user callback (#19891)
• fix(cloudflare): Send correct events in local development (#19900)
• fix(core): Do not overwrite user provided conversation id in Vercel (#19903)
• fix(core): Preserve .withResponse() on Anthropic instrumentation (#19935)
• fix(core): Send internal_error as span status for Vercel error spans (#19921)
• fix(core): Truncate content array format in Vercel (#19911)
• fix(deps): bump fast-xml-parser to 5.5.8 in @​azure/core-xml chain (#19918)
• fix(deps): bump socket.io-parser to 4.2.6 to fix CVE-2026-33151 (#19880)
• fix(nestjs): Add node to nest metadata (#19875)
• fix(serverless): Add node to metadata (#19878)

• chore(ci): Fix "Gatbsy" typo in issue package label workflow (#19905)
• chore(claude): Enable Claude Code Intelligence (LSP) (#19930)
• chore(deps): bump mongodb-memory-server-global from 10.1.4 to 11.0.1 (#19888)
• chore(deps-dev): bump @​react-router/node from 7.13.0 to 7.13.1 (#19544)
• chore(deps-dev): bump effect from 3.19.19 to 3.20.0 (#19926)

... (truncated)

Commits

• e5fdc9d release: 10.46.0
• c01fe86 release: 10.46.0
• 0f1171b Merge pull request #19973 from getsentry/prepare-release/10.46.0
• 6f48cc4 meta(changelog): Update changelog for 10.46.0
• 54abb35 refactor(elysia): drop @​elysiajs/opentelemetry dependency (#19947)
• a54de04 ref(core): Remove duplicate buildMethodPath utility from openai (#19969)
• 0156846 feat(nuxt): Conditionally use plugins based on Nitro version (v2/v3) (#19955)
• 18a624e feat(elysia): Elysia SDK (#19509)
• c9812ae test(cloudflare): Enable multi-worker tests for CF integration tests (#19938)
• 83cabf3 fix(core): Preserve .withResponse() on Anthropic instrumentation (#19935)
• Additional commits viewable in compare view

Updates @serwist/next from 9.5.6 to 9.5.7

Release notes

Sourced from @​serwist/next's releases.

@​serwist/next@​9.5.7

Patch Changes

• Updated dependencies []:
  • @​serwist/build@​9.5.7
  • @​serwist/cli@​9.5.7
  • @​serwist/utils@​9.5.7
  • @​serwist/webpack-plugin@​9.5.7
  • @​serwist/window@​9.5.7
  • serwist@9.5.7

Commits

• f22ca21 chore(packages): publish packages (#347)
• 9e649b3 chore(deps): updated deps & removed ESLint
• d813c3b fix(turbo): resolve default.default issue breaking bun build (#344)
• f88382b feat(turbo): add option to rebuild sw.js on content change (#346)
• See full diff in compare view

Updates @tanstack/react-virtual from 3.13.19 to 3.13.23

Release notes

Sourced from @​tanstack/react-virtual's releases.

@​tanstack/react-virtual@​3.13.23

Patch Changes

• Updated dependencies [7ece2d5]:
  • @​tanstack/virtual-core@​3.13.23

@​tanstack/react-virtual@​3.13.22

Patch Changes

• Updated dependencies [54d771a, d3416c3]:
  • @​tanstack/virtual-core@​3.13.22

@​tanstack/react-virtual@​3.13.21

Patch Changes

• Updated dependencies [be89e29]:
  • @​tanstack/virtual-core@​3.13.21

@​tanstack/react-virtual@​3.13.20

Patch Changes

• Updated dependencies [ff83e94]:
  • @​tanstack/virtual-core@​3.13.20

Changelog

Sourced from @​tanstack/react-virtual's changelog.

3.13.23

Patch Changes

• Updated dependencies [7ece2d5]:
  • @​tanstack/virtual-core@​3.13.23

3.13.22

Patch Changes

• Updated dependencies [54d771a, d3416c3]:
  • @​tanstack/virtual-core@​3.13.22

3.13.21

Patch Changes

• Updated dependencies [be89e29]:
  • @​tanstack/virtual-core@​3.13.21

3.13.20

Patch Changes

• Updated dependencies [ff83e94]:
  • @​tanstack/virtual-core@​3.13.20

Commits

• 9394e13 ci: Version Packages (#1149)
• 7ece2d5 fix(virtual-core): remove incorrect elementsCache cleanup using getItemKey (#...
• c2f1c39 ci: Version Packages (#1139)
• fc3c733 perf(virtual-core): skip sync DOM reads during normal scrolling (#1144)
• c4da5cb ci: Version Packages (#1137)
• be89e29 fix(virtual-core): smooth scrolling for dynamic item sizes (#1108)
• d2a9995 ci: Version Packages (#1136)
• ff83e94 fix(virtual-core): early return in _measureElement for disconnected nodes (#1...
• See full diff in compare view

Updates @vercel/analytics from 2.0.0-canary.1 to 2.0.1

Release notes

Sourced from @​vercel/analytics's releases.

v2.0.1

What's Changed

• fix(nuxt): set nuxt as optional dependency by @​CHC383 in vercel/analytics#193

New Contributors

• @​CHC383 made their first contribution in vercel/analytics#193

Full Changelog: vercel/analytics@v2.0.0...v2.0.1

v2.0.0

What's Changed

Breaking Changes

• License changed from MPL-2.0 to MIT (#170)
• Nuxt: introduce module support. If you need to configure it, load injectAnalytics() from @vercel/analytics/nuxt/runtime (#183)

Features

• feat: load dynamic configuration (#184) — analytics config can now be loaded dynamically

Bug Fixes

• fix: src and endpoint paths do not work when relative (#186)

Full Changelog: vercel/speed-insights@1.6.1...2.0.0

Commits

• 0d69416 chore: bump version to v2.0.1 (#195)
• c7f3c37 fix(nuxt): set nuxt as optional dependency (#193)
• c3e3805 chore: bump version to v2.0.0
• 425a797 chore: bump version to v2.0.0-canary.1
• 22888e3 fix: src and endpoint paths do not work when relative (#186)
• 3879f57 feat: load dynamic configuration (#184)
• 95f8914 feat(nuxt)!: Add support for injectAnalytics() and Nuxt module (#183)
• e407489 feat!: change license to MIT (#170)
• See full diff in compare view

Updates framer-motion from 12.34.3 to 12.38.0

Changelog

Sourced from framer-motion's changelog.

[12.38.0] 2026-03-16

Added

• Added layoutAnchor prop to configure custom anchor point for resolving relative projection boxes.

Fixed

• Reorder: Fix axis switching after window resize.
• Reorder: Fix with virtualised lists.
• AnimatePresence: Ensure children are removed when exit animation matches current values.

[12.37.0] 2026-03-16

Added

• Support for hardware accelerating "start" and "end" offsets in scroll and useScroll.
• Support for oklch, oklab, lab, lch, color, color-mix, light-dark color types.

Fixed

• Fix whileInView with client-side navigation.
• Fix draggable elements when layout updates due to surrounding element re-renders.
• Improved memory pressure of layout animations.
• Ensure motion value returned from useSpring reports correct isAnimating().

[12.36.0] 2026-03-09

Added

• Allow dragSnapToOrigin to accept "x" or "y" for per-axis snapping.
• Added axis-locked layout animations with layout="x" and layout="y".
• Added skipInitialAnimation to useSpring.

Fixed

• Fixed height and width: auto animations with box-sizing: border-box.
• Reset component values when exit animation finishes.
• Ensure anticipate easing returns 1 at p === 1.
• Fix @emotion/is-prop-valid resolve error in Storybook.
• Remove data-pop-layout-id from exiting elements when animation interrupted.
• Ensure we skip WAAPI for non-animatable keyframes.
• Ensure we skip WAAPI for SVG transforms.
• Ensure MotionValue props are not passed to SVG.
• AnimatePresence: Prevent mode="wait" elements from getting stuck when switched rapidly.

[12.35.2] 2026-03-09

Fixed

... (truncated)

Commits

• 0bfc9fe v12.38.0
• 343cb0c Updating layoutAnchor
• ee99ad2 Updating changelog
• 062660b Updating changgelog
• 303da7d Updating readme
• b075adc Merge pull request #3647 from motiondivision/feat/layout-anchor
• f0991d6 Add missing layoutAnchor !== false guard in attemptToResolveRelativeTarget
• b5798e9 Merge pull request #3642 from motiondivision/worktree-fix-issue-3078
• 7686c19 Merge pull request #3636 from motiondivision/worktree-fix-issue-3061
• a95c487 Fix auto-scroll in reorder-virtualized test page
• Additional commits viewable in

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nextcalc-pro	Ready	Preview, Comment	Mar 30, 2026 2:43pm

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.