build(deps): bump the npm_and_yarn group across 11 directories with 10 updates by dependabot[bot] · Pull Request #106 · neynarxyz/farcaster-examples

dependabot · 2026-03-26T12:50:17Z

Bumps the npm_and_yarn group with 1 update in the / directory: next.
Bumps the npm_and_yarn group with 1 update in the /archiver-script directory: minimatch.
Bumps the npm_and_yarn group with 4 updates in the /cast-action directory: minimatch, hono, @hono/node-server and rollup.
Bumps the npm_and_yarn group with 2 updates in the /fc2x directory: next and flatted.
Bumps the npm_and_yarn group with 1 update in the /frames-bot directory: minimatch.
Bumps the npm_and_yarn group with 1 update in the /gm-bot directory: minimatch.
Bumps the npm_and_yarn group with 2 updates in the /managed-signers directory: next and minimatch.
Bumps the npm_and_yarn group with 3 updates in the /wownar directory: next, flatted and immutable.
Bumps the npm_and_yarn group with 1 update in the /wownar-react-native/client directory: yaml.
Bumps the npm_and_yarn group with 1 update in the /wownar-react-native/server directory: picomatch.
Bumps the npm_and_yarn group with 3 updates in the /wownar-react-sdk directory: next, flatted and immutable.

Updates next from 16.1.6 to 16.1.7

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

[Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)

Apply server actions transform to node_modules in route handlers (#89380)

ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)

feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)

Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)

Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)

fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @unstubbable, @styfle, @eps1lon, and @ztanner for helping!

Commits

bdf3e35 v16.1.7
dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
c68d62d Backport documentation fixes for 16.1.x (#90655)
5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
c95e357 Backport/docs fixes 16.1.x (#90125)
cba6144 [backport] Apply server actions transform to node_modules in route handlers...
3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
Additional commits viewable in compare view

Updates minimatch from 10.1.1 to 10.2.4

Changelog

Sourced from minimatch's changelog.

change log

10.2

Add braceExpandMax option

10.1

Add magicalBraces option for escape

Fix makeRe when partial: true is set.

Fix makeRe when pattern ends in a final ** path part.

10.0

Require node 20 or 22 and higher

9.0

No default export, only named exports.

8.0

Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions

Bump required Node.js version

7.4

Add escape() method

Add unescape() method

Add Minimatch.hasMagic() method

7.3

Add support for posix character classes in a unicode-aware way.

7.2

Add windowsNoMagicRoot option

7.1

Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

c36addb 10.2.4
26b9002 docs: add warning about ReDoS
3a0d83b fix partial matching of globstar patterns
ea94840 10.2.3
0873fba update deps
cecaad1 more extglob coalescing for performance
11d0df6 limit nested extglob recursion, flatten extglobs
c3448c4 update assertValidPattern param type to unknown from any
0bf499a limit recursion for **, improve perf considerably
9f15c58 update deps
Additional commits viewable in compare view

Updates minimatch from 10.1.1 to 10.2.4

Changelog

Sourced from minimatch's changelog.

change log

10.2

Add braceExpandMax option

10.1

Add magicalBraces option for escape

Fix makeRe when partial: true is set.

Fix makeRe when pattern ends in a final ** path part.

10.0

Require node 20 or 22 and higher

9.0

No default export, only named exports.

8.0

Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions

Bump required Node.js version

7.4

Add escape() method

Add unescape() method

Add Minimatch.hasMagic() method

7.3

Add support for posix character classes in a unicode-aware way.

7.2

Add windowsNoMagicRoot option

7.1

Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

c36addb 10.2.4
26b9002 docs: add warning about ReDoS
3a0d83b fix partial matching of globstar patterns
ea94840 10.2.3
0873fba update deps
cecaad1 more extglob coalescing for performance
11d0df6 limit nested extglob recursion, flatten extglobs
c3448c4 update assertValidPattern param type to unknown from any
0bf499a limit recursion for **, improve perf considerably
9f15c58 update deps
Additional commits viewable in compare view

Updates hono from 4.11.4 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in honojs/hono#4758

fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in honojs/hono#4792

chore(builld): tsconfig project references by @BarryThePenguin in honojs/hono#4797

chore: add tsconfig.spec.json by @yusukebe in honojs/hono#4798

feat(jsx-renderer): support function-based options by @3w36zj6 in honojs/hono#4780

fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in honojs/hono#4782

New Contributors

@t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

fix(request): return string | undefined from param() when path type is any by @andrewdamelio in honojs/hono#4723

fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in honojs/hono#4752

fix(jsx): Fix "Invalid state: Controller is already closed" by @gaearon in honojs/hono#4770

chore(eslint): upgrade @hono/eslint-config by @BarryThePenguin in honojs/hono#4781

New Contributors

@andrewdamelio made their first contribution in honojs/hono#4723

@otoneko1102 made their first contribution in honojs/hono#4752

@gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

b0aba5b 4.12.7
1be3a53 ci: apply automated fixes
ef90225 Merge commit from fork
3f88636 4.12.6
53b66ae fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (#4782)
58825a7 feat(jsx-renderer): support function-based options (#4780)
0e80acb chore: add tsconfig.spec.json (#4798)
d69deb8 chore(builld): tsconfig project references (#4797)
8217d9e fix(jsx): align link hoisting and dedupe with React 19 (#4792)
5086956 fix(accept): replace regex split to mitigate ReDoS (#4758)
Additional commits viewable in compare view

Updates @hono/node-server from 1.19.6 to 1.19.11

Release notes

Sourced from @hono/node-server's releases.

v1.19.11

What's Changed

fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

fix(globals): Stop overwriting global.fetch by @usualoma in honojs/node-server#295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

docs: add guide for listening to UNIX domain socket by @TransparentLC in honojs/node-server#292

fix(serve-static): Use Readable.toWeb in serveStatic by @otya128 in honojs/node-server#293

New Contributors

@TransparentLC made their first contribution in honojs/node-server#292

@otya128 made their first contribution in honojs/node-server#293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

What's Changed

fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @tshmieldev in honojs/node-server#290

chore: add configVersion to bun.lock by @yusukebe in honojs/node-server#291

New Contributors

@tshmieldev made their first contribution in honojs/node-server#290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

Commits

ecd4d6b 1.19.11
c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
2f8ca36 1.19.10
455015b Merge commit from fork
cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
b1daa4c docs(readme): add @usualoma as an author (#300)
26f5e89 1.19.9
2d729e7 fix(globals): Stop overwriting global.fetch (#295)
9b72ddf 1.19.8
Additional commits viewable in compare view

Updates rollup from 4.53.3 to 4.60.0

Release notes

Sourced from rollup's releases.

v4.60.0

4.60.0

2026-03-22

Features

Support source phase imports as long as they are external (#6279)

Pull Requests

#6279: feat: external only Source Phase imports support (@guybedford, @lukastaegert)

v4.59.1

4.59.1

2026-03-21

Bug Fixes

Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

#6281: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6282: chore(deps): update github artifact actions (major) (@renovate[bot], @lukastaegert)

#6283: chore(deps): update dependency nyc to v18 (@renovate[bot], @lukastaegert)

#6284: fix(deps): update swc monorepo (major) (@renovate[bot])

#6285: chore(deps): lock file maintenance (@renovate[bot])

#6290: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6291: chore(deps): update dependency @shikijs/vitepress-twoslash to v4 (@renovate[bot])

#6292: chore(deps): lock file maintenance (@renovate[bot])

#6297: chore(deps): update minor/patch updates (@renovate[bot])

#6298: chore(deps): lock file maintenance (@renovate[bot])

#6299: chore(deps): lock file maintenance (@renovate[bot])

#6300: docs: update packagephobia link (@bluwy)

#6301: chore(deps): update dependency lint-staged to ^16.3.3 (@renovate[bot])

#6306: fix: fix chunk assignment for deoptimized module with dynamic import (@JoaoBrlt, @lukastaegert)

#6307: chore(deps): update minor/patch updates (@renovate[bot])

#6308: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6309: chore(deps): update dependency vite to v8 (@renovate[bot])

#6310: chore(deps): lock file maintenance (@renovate[bot])

#6311: chore(deps): lock file maintenance (@renovate[bot])

#6312: chore(deps): lock file maintenance (@renovate[bot])

v4.59.0

4.59.0

2026-02-22

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.0

2026-03-22

Features

Support source phase imports as long as they are external (#6279)

Pull Requests

#6279: feat: external only Source Phase imports support (@guybedford, @lukastaegert)

4.59.1

2026-03-21

Bug Fixes

Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

#6281: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6282: chore(deps): update github artifact actions (major) (@renovate[bot], @lukastaegert)

#6283: chore(deps): update dependency nyc to v18 (@renovate[bot], @lukastaegert)

#6284: fix(deps): update swc monorepo (major) (@renovate[bot])

#6285: chore(deps): lock file maintenance (@renovate[bot])

#6290: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6291: chore(deps): update dependency @shikijs/vitepress-twoslash to v4 (@renovate[bot])

#6292: chore(deps): lock file maintenance (@renovate[bot])

#6297: chore(deps): update minor/patch updates (@renovate[bot])

#6298: chore(deps): lock file maintenance (@renovate[bot])

#6299: chore(deps): lock file maintenance (@renovate[bot])

#6300: docs: update packagephobia link (@bluwy)

#6301: chore(deps): update dependency lint-staged to ^16.3.3 (@renovate[bot])

#6306: fix: fix chunk assignment for deoptimized module with dynamic import (@JoaoBrlt, @lukastaegert)

#6307: chore(deps): update minor/patch updates (@renovate[bot])

#6308: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6309: chore(deps): update dependency vite to v8 (@renovate[bot])

#6310: chore(deps): lock file maintenance (@renovate[bot])

#6311: chore(deps): lock file maintenance (@renovate[bot])

#6312: chore(deps): lock file maintenance (@renovate[bot])

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

... (truncated)

Commits

6ecd69f 4.60.0
6b725b9 feat: external only Source Phase imports support (#6279)
0cba9e0 4.59.1
4eeea29 Pin Vite
1cd49ae fix: fix chunk assignment for deoptimized module with dynamic import (#6306)
c9dabc3 Downgrade Vite
d46200f chore(deps): update dependency vite to v8 (#6309)
aa6c853 chore(deps): update dependency lru-cache to v11 (#6308)
4208811 chore(deps): lock file maintenance (#6312)
5348a82 chore(deps): lock file maintenance (#6311)
Additional commits viewable in compare view

Updates next from 16.1.6 to 16.1.7

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

[Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)

Apply server actions transform to node_modules in route handlers (#89380)

ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)

feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)

Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)

Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)

fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @unstubbable, @styfle, @eps1lon, and @ztanner for helping!

Commits

bdf3e35 v16.1.7
dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
c68d62d Backport documentation fixes for 16.1.x (#90655)
5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
c95e357 Backport/docs fixes 16.1.x (#90125)
cba6144 [backport] Apply server actions transform to node_modules in route handlers...
3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates minimatch from 10.1.1 to 10.2.4

Changelog

Sourced from minimatch's changelog.

change log

10.2

Add braceExpandMax option

10.1

Add magicalBraces option for escape

Fix makeRe when partial: true is set.

Fix makeRe when pattern ends in a final ** path part.

10.0

Require node 20 or 22 and higher

9.0

No default export, only named exports.

8.0

Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions

Bump required Node.js version

7.4

Add escape() method

Add unescape() method

Add Minimatch.hasMagic() method

7.3

Add support for posix character classes in a unicode-aware way.

7.2

Add windowsNoMagicRoot option

7.1

Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

c36addb 10.2.4
26b9002 docs: add warning about ReDoS
3a0d83b fix partial matching of globstar patterns
ea94840 10.2.3
0873fba update deps
cecaad1 more extglob coalescing for performance
11d0df6 limit nested extglob recursion, flatten extglobs
c3448c4 update assertValidPattern param type to unknown from any
0bf499a limit recursion for **, improve perf considerably
9f15c58 update deps
Additional commits viewable in compare view

Updates minimatch from 10.1.1 to 10.2.4

Changelog

Sourced from minimatch's changelog.

change log

10.2

Add braceExpandMax option

10.1

Add magicalBraces option for escape

Fix makeRe when partial: true is set.

Fix makeRe when pattern ends in a final ** path part.

10.0

Require node 20 or 22 and higher

9.0

No default export, only named exports.

8.0

Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions

Bump required Node.js version

7.4

Add escape() method

Add unescape() method

Add Minimatch.hasMagic() method

7.3

Add support for posix character classes in a unicode-aware way.

7.2

Add windowsNoMagicRoot option

7.1

Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

c36addb 10.2.4
26b9002 docs: add warning about ReDoS
3a0d83b fix partial matching of globstar patterns
ea94840 10.2.3
0873fba update deps
cecaad1 more extglob coalescing for performance
11d0df6 limit nested extglob recursion, flatten extglobs
c3448c4 update assertValidPattern param type to unknown from any
0bf499a limit recursion for **, improve perf considerably
9f15c58 update deps
Additional commits viewable in compare view

Updates next from 16.1.6 to 16.1.7

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

[Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)

Apply server actions transform to node_modules in route handlers (#89380)

ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)

feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)

Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)

Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)

fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @unstubbable, @styfle, @eps1lon, and @ztanner for helping!

Commits

bdf3e35 v16.1.7
dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
c68d62d Backport documentation fixes for 16.1.x (#90655)
5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
c95e357 Backport/docs fixes 16.1.x (#90125)
cba6144 [backport] Apply server actions transform to node_modules in route handlers...
3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
Additional commits viewable in compare view

Updates minimatch from 10.1.1 to 10.2.4

Changelog

Sourced from minimatch's changelog.

change log

10.2

Add braceExpandMax option

10.1

Add magicalBraces option for escape

Fix makeRe when partial: true is set.

Fix makeRe when pattern ends in a final ** path part.

10.0

Require node 20 or 22 and higher

9.0

No default export, only named exports.

8.0

Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions

Bump required Node.js version

7.4

Add escape() method

Add unescape() method

Add Minimatch.hasMagic() method

7.3

Add support for posix character classes in a unicode-aware way.

7.2

Add windowsNoMagicRoot option

7.1

Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

c36addb 10.2.4
26b9002 docs: add warning about ReDoS
3a0d83b fix partial matching of globstar patterns
ea94840 10.2.3
0873fba update deps
cecaad1 more extglob coalescing for performance
11d0df6 limit nested extglob recursion, flatten extglobs
c3448c4 update assertValidPattern param type to unknown from any
0bf499a limit recursion for **, improve perf considerably
9f15c58 update deps
Additional commits viewable in compare view

Updates next from 16.1.6 to 16.1.7

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

[Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)

Apply server actions transform to node_modules in route handlers (#89380)

ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)

feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)

Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)

Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)

fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @unstubbable, @styfle, @eps1lon, and @ztanner for helping!

Commits

bdf3e35 v16.1.7
dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
c68d62d Backport documentation fixes for 16.1.x (#90655)
5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
c95e357 Backport/docs fixes 16.1.x (#90125)
cba6144 [backport] Apply server actions transform to node_modules in route handlers...

…0 updates Bumps the npm_and_yarn group with 1 update in the / directory: [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 1 update in the /archiver-script directory: [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 4 updates in the /cast-action directory: [minimatch](https://github.com/isaacs/minimatch), [hono](https://github.com/honojs/hono), [@hono/node-server](https://github.com/honojs/node-server) and [rollup](https://github.com/rollup/rollup). Bumps the npm_and_yarn group with 2 updates in the /fc2x directory: [next](https://github.com/vercel/next.js) and [flatted](https://github.com/WebReflection/flatted). Bumps the npm_and_yarn group with 1 update in the /frames-bot directory: [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 1 update in the /gm-bot directory: [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 2 updates in the /managed-signers directory: [next](https://github.com/vercel/next.js) and [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 3 updates in the /wownar directory: [next](https://github.com/vercel/next.js), [flatted](https://github.com/WebReflection/flatted) and [immutable](https://github.com/immutable-js/immutable-js). Bumps the npm_and_yarn group with 1 update in the /wownar-react-native/client directory: [yaml](https://github.com/eemeli/yaml). Bumps the npm_and_yarn group with 1 update in the /wownar-react-native/server directory: [picomatch](https://github.com/micromatch/picomatch). Bumps the npm_and_yarn group with 3 updates in the /wownar-react-sdk directory: [next](https://github.com/vercel/next.js), [flatted](https://github.com/WebReflection/flatted) and [immutable](https://github.com/immutable-js/immutable-js). Updates `next` from 16.1.6 to 16.1.7 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.1.6...v16.1.7) Updates `minimatch` from 10.1.1 to 10.2.4 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v10.1.1...v10.2.4) Updates `minimatch` from 10.1.1 to 10.2.4 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v10.1.1...v10.2.4) Updates `hono` from 4.11.4 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.4...v4.12.7) Updates `@hono/node-server` from 1.19.6 to 1.19.11 - [Release notes](https://github.com/honojs/node-server/releases) - [Commits](honojs/node-server@v1.19.6...v1.19.11) Updates `rollup` from 4.53.3 to 4.60.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.53.3...v4.60.0) Updates `next` from 16.1.6 to 16.1.7 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.1.6...v16.1.7) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `minimatch` from 10.1.1 to 10.2.4 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v10.1.1...v10.2.4) Updates `minimatch` from 10.1.1 to 10.2.4 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v10.1.1...v10.2.4) Updates `next` from 16.1.6 to 16.1.7 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.1.6...v16.1.7) Updates `minimatch` from 10.1.1 to 10.2.4 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v10.1.1...v10.2.4) Updates `next` from 16.1.6 to 16.1.7 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.1.6...v16.1.7) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `immutable` from 5.1.3 to 5.1.5 - [Release notes](https://github.com/immutable-js/immutable-js/releases) - [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md) - [Commits](immutable-js/immutable-js@v5.1.3...v5.1.5) Updates `yaml` from 2.8.1 to 2.8.3 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v2.8.1...v2.8.3) Updates `fast-xml-parser` from 5.3.4 to 5.5.9 - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/commits) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `next` from 16.1.6 to 16.1.7 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.1.6...v16.1.7) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `immutable` from 5.1.3 to 5.1.5 - [Release notes](https://github.com/immutable-js/immutable-js/releases) - [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md) - [Commits](immutable-js/immutable-js@v5.1.3...v5.1.5) --- updated-dependencies: - dependency-name: next dependency-version: 16.1.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 10.2.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 10.2.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@hono/node-server" dependency-version: 1.19.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.1.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 10.2.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 10.2.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.1.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 10.2.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.1.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: immutable dependency-version: 5.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: yaml dependency-version: 2.8.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-xml-parser dependency-version: 5.5.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.1.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: immutable dependency-version: 5.1.5 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-03-26T12:50:22Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
wownar	Ready	Preview, Comment	Mar 26, 2026 0:52am
wownar-react-sdk	Ready	Preview, Comment	Mar 26, 2026 0:52am

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
fc2x	Ignored	Preview	Mar 26, 2026 0:52am

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 26, 2026

vercel Bot deployed to Preview – wownar March 26, 2026 12:51 View deployment

vercel Bot deployed to Preview – wownar-react-sdk March 26, 2026 12:52 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the npm_and_yarn group across 11 directories with 10 updates#106

build(deps): bump the npm_and_yarn group across 11 directories with 10 updates#106
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-5e4b79f50c

dependabot Bot commented on behalf of github Mar 26, 2026

Uh oh!

vercel Bot commented Mar 26, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Mar 26, 2026

v16.1.7

Core Changes

Credits

change log

10.2

10.1

10.0

9.0

8.0

7.4

7.3

7.2

7.1

change log

10.2

10.1

10.0

9.0

8.0

7.4

7.3

7.2

7.1

v4.12.7

Security hardening

v4.12.6

What's Changed

New Contributors

v4.12.5

What's Changed

New Contributors

v4.12.4

Security fixes

SSE Control Field Injection

Cookie Attribute Injection in setCookie()

v1.19.11

What's Changed

v1.19.10

Security Fix

v1.19.9

What's Changed

v1.19.8

What's Changed

New Contributors

v1.19.7

What's Changed

New Contributors

v4.60.0

4.60.0

Features

Pull Requests

v4.59.1

4.59.1

Bug Fixes

Pull Requests

v4.59.0

4.59.0

4.60.0

Features

Pull Requests

4.59.1

Bug Fixes

Pull Requests

4.59.0

Features

v16.1.7

Core Changes

Credits

change log

10.2

10.1

10.0

9.0

8.0

7.4

7.3

7.2

7.1

Cookie Attribute Injection in `setCookie()`

vercel Bot commented Mar 26, 2026 •

edited

Loading