fix(deps): update security updates

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@ai-sdk/anthropic (source)	3.0.69 → 3.0.71
@ai-sdk/google (source)	3.0.61 → 3.0.64
@ai-sdk/openai (source)	3.0.52 → 3.0.53
@ai-sdk/xai (source)	3.0.82 → 3.0.83
@​codemirror/view	6.41.0 → 6.41.1
@docusaurus/core (source)	3.9.2 → 3.10.0
@docusaurus/preset-classic (source)	3.9.2 → 3.10.0
@tailwindcss/postcss (source)	4.2.2 → 4.2.4
ai (source)	6.0.158 → 6.0.168
astro (source)	6.1.6 → 6.1.9
html-to-image	1.11.11 → 1.11.13
nanoid	5.1.7 → 5.1.9
react (source)	19.2.4 → 19.2.5
react-dom (source)	19.2.4 → 19.2.5
tailwindcss (source)	4.2.2 → 4.2.4

---

Release Notes

vercel/ai (@​ai-sdk/anthropic)

v3.0.71

Compare Source

Patch Changes

• 95b4fe0: fix(provider/anthropic): stop adding fine-grained-tool-streaming-2025-05-14 beta for claude-opus-4-7

v3.0.70

Compare Source

Patch Changes

• 2ff8d57: feat(provider/anthropic): add support for Opus 4.7 and relevant API enhancements

facebook/docusaurus (@​docusaurus/core)

v3.10.0

Compare Source

🚀 New Feature

• docusaurus-types, docusaurus
  • #​11896 feat(core): add future.v4.mdx1CompatDisabledByDefault flag (@​slorber)
  • #​11797 feat(core): promote siteConfig.storage to stable + add future.v4.siteStorageNamespacing flag [Claude] (@​slorber)
  • #​11571 feat(core): support custom html elements in head tags (@​lebalz)
• create-docusaurus
  • #​11897 feat(create-docusaurus): update init template to .mdx extension and strict MDX syntax (@​slorber)
  • #​11696 feat(create-docusaurus): Newly initialized TS sites should use "strict: true" (@​slorber)
  • #​11611 feat(create-docusaurus): enable creation in current directory (@​Mcheung7272)
• Other
  • #​11874 feat(ci): improve npm supply chain security - improve Dependabot config (@​slorber)
  • #​11712 feat(publish): Use trusted publishing (OIDC) for canary releases (@​slorber)
• create-docusaurus, docusaurus-bundler, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-pwa, docusaurus-types, docusaurus
  • #​11802 feat(core): Docusaurus Faster is stable + v4 future flag turns it on by default (@​slorber)
• docusaurus-mdx-loader, docusaurus-utils, docusaurus
  • #​11777 feat(cli): write-heading-ids CLI now supports the --syntax and --migrate options (@​slorber)
• docusaurus-mdx-loader
  • #​11755 feat(mdx-loader): add support for explicit headingId based on MD/MDX comments (@​slorber)
• docusaurus-theme-live-codeblock, docusaurus-theme-translations
  • #​11675 feat(theme-live-codeblock): reset button + wire position prop (@​NPX2218)
• docusaurus-theme-classic, docusaurus-theme-common
  • #​11734 feat(theme): Split <DocCard>, improve extensibility, better handling of emoji icons, stable classNames (@​slorber)
  • #​11733 feat(theme): Use React context for <Tabs>, allow custom <TabItem> components (@​slorber)
• docusaurus-faster, docusaurus
  • #​11715 feat(bundler): upgrade to Rspack 1.7, remove useless experimental feature flags (@​slorber)
• docusaurus-plugin-content-pages
  • #​11666 feat(pages): add support for Markdown file path links (@​VedantMadane)
• docusaurus-mdx-loader, docusaurus-theme-classic
  • #​11642 feat(mdx-loader): add admonitions directive support for class/id shortcuts (@​lebalz)
• docusaurus-theme-classic
  • #​11635 feat(theme): add MDXComponents/Li to swizzle config (@​moskalakamil)
• docusaurus-theme-search-algolia
  • #​11581 feat(theme-search-algolia): allow overriding transformSearchClient (@​hugohaggmark)
  • #​11541 feat(theme-search-algolia): add support for DocSearch v4.3.2 and new Suggested Questions (@​NatanTechofNY)
• create-docusaurus, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-sitemap, docusaurus-types, docusaurus-utils, docusaurus
  • #​11512 feat(core): New siteConfig future.experimental_vcs API + future.experimental_faster.gitEagerVcs flag (@​slorber)

🐛 Bug Fix

• docusaurus
  • #​11844 fix(core): fix url.resolve() Node.js deprecation warning (@​slorber)
  • #​11833 fix(core): upgrade serve handler min version to for upgrade users to a secure version (@​BearAlliance)
  • #​11763 fix(cli): fix write-heading-ids CLI when no files provided (@​slorber)
  • #​11693 fix(core): Remove deprecated experiments.lazyBarrel config for RsPack (@​VedikaGupt)
  • #​11604 fix(core): webpack aliases shouldn't be created for test files and typedefs (@​slorber)
  • #​11603 fix(core): Fix openBrowser AppleScript support for Arc (@​slorber)
  • #​11579 fix(core): in isInternalUrl(), URI protocol scheme detection should implement the spec more strictly (@​slorber)
  • #​11550 fix(core): optimize i18n integration for site builds + improve inference of locale config (@​slorber)
• docusaurus-faster, docusaurus
  • #​11817 fix(faster): upgrade Rspack, fix Yarn PnP support (@​slorber)
• create-docusaurus, docusaurus-logger, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-google-gtag, docusaurus-plugin-pwa, docusaurus
  • #​11843 fix(create-docusaurus): fix support for TypeScript 6.0 + fix our CI (@​slorber)
• docusaurus-utils
  • #​11804 fix(utils): Git Eager VSC should have better DX (@​slorber)
• docusaurus-theme-classic
  • #​11796 fix(theme): restore copy-text-to-clipboard as lazy fallback for non-secure contexts (@​dmoranp)
  • #​11513 fix(a11y): add Space key support for navbar dropdowns (@​TheCyperpunk)
  • #​11565 fix(theme): Change code block line from span to div, fix Firefox text selection/copy bug (@​slorber)
• docusaurus-plugin-content-docs
  • #​11794 fix(content-docs): translate generated-index category titles in pagination links (@​dmoranp)
  • #​11743 fix(content-docs): use category key for generated-index translation lookup (@​4RH1T3CT0R7)
  • #​11616 fix(docs): breadcrumb APIs only return category/docs items, ignoring links (@​Chesars)
• docusaurus-plugin-google-gtag
  • #​11770 fix(create-docusaurus): update @​types/gtag.js to 0.0.20 (@​fresh3nough)
• docusaurus-theme-search-algolia
  • #​11683 fix(algolia): upgrade to DocSearch 4.5 + fix types (@​slorber)
  • #​11560 fix(theme-search-algolia): preserve query strings in useSearchResultUrlProcessor (@​pyrytakala)
• docusaurus-plugin-content-blog
  • #​11736 fix(content-blog): fix wrong path variable in feed XSLT CSS file validation (@​akshatsinha0)
  • #​11577 fix(blog): Fix author paginated page url: /blog/authors/<author>/page/2 (@​slorber)
  • #​11562 chore(blog): refactor blog Content, remove useless blogListPaginated attribute (@​slorber)
  • #​11559 fix(content-blog): filter unlisted posts from author pages (@​pyrytakala)
• docusaurus-theme-classic, docusaurus-theme-common
  • #​11713 fix(a11y): remove useKeyboardNavigation hook (@​nmggithub)
• docusaurus-plugin-ideal-image
  • #​11659 fix(ideal-image): <IdealImage> should forward remaining props to the underlying component (@​tempoz)
• eslint-plugin
  • #​11587 fix(eslint-plugin): specify exact type of no-untranslated-text rule options (@​andreww2012)
• docusaurus-mdx-loader
  • #​11530 fix(mdx-loader): fix url.parse deprecation warning on Node 24+ (@​kou029w)
• docusaurus-bundler, docusaurus-faster, docusaurus-theme-mermaid
  • #​11496 fix(faster): fix server build SWC / browserslist node target (@​slorber)

🏃‍♀️ Performance

• docusaurus-plugin-content-blog
  • #​11707 refactor(content-blog): decouple getTagsFile from generateBlogPosts (@​garry00107)
• create-docusaurus, docusaurus-utils, docusaurus
  • #​11684 refactor(create-docusaurus): remove useless dependencies (docusaurus-utils, execa, fs-extra) + simplify some code (@​slorber)
• create-docusaurus
  • #​11653 refactor(create-docusaurus): replace lodash with native implementation (@​torresgol10)

📝 Documentation

• docusaurus
  • #​11779 chore(website): migrate MDX heading ids to comment syntax + upgrade Crowdin parser version (@​slorber)
• Other
  • #​11784 docs(website): change recommended syntax for math equations (@​slorber)
  • #​11623 docs: Add expose-markdown-docusaurus-plugin resource (@​FlyNumber)

🤖 Dependencies

• Other
  • #​11886 chore(deps): bump react-json-view-lite from 2.3.0 to 2.5.0 (@​dependabot[bot])
  • #​11885 chore(deps): bump postcss from 8.5.4 to 8.5.8 (@​dependabot[bot])
  • #​11888 chore(deps): bump lodash from 4.17.23 to 4.18.1 (@​dependabot[bot])
  • #​11882 chore(deps): bump @​babel/core from 7.28.6 to 7.29.0 (@​dependabot[bot])
  • #​11880 chore(deps): bump fs-extra and @​types/fs-extra (@​dependabot[bot])
  • #​11861 chore(deps): bump preactjs/compressed-size-action from 2.9.0 to 2.9.1 (@​dependabot[bot])
  • #​11851 chore(deps): bump handlebars from 4.7.7 to 4.7.9 (@​dependabot[bot])
  • #​11849 chore(deps): bump convict from 6.2.4 to 6.2.5 (@​dependabot[bot])
  • #​11857 chore(deps): bump node-forge from 1.3.2 to 1.4.0 (@​dependabot[bot])
  • #​11838 chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2 (@​dependabot[bot])
  • #​11822 chore(deps): bump flatted from 3.3.1 to 3.4.2 (@​dependabot[bot])
  • #​11810 chore(deps): bump marocchino/sticky-pull-request-comment from 2.9.4 to 3.0.2 (@​dependabot[bot])
  • #​11811 chore(deps): bump treosh/lighthouse-ci-action from 12.6.1 to 12.6.2 (@​dependabot[bot])
  • #​11813 chore(deps): bump socket.io-parser from 4.2.4 to 4.2.6 (@​dependabot[bot])
  • #​11806 chore(deps): bump yauzl from 3.1.3 to 3.2.1 (@​dependabot[bot])
  • #​11789 chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 (@​dependabot[bot])
  • #​11790 chore(deps): bump actions/setup-node from 6.2.0 to 6.3.0 (@​dependabot[bot])
  • #​11776 chore(deps): bump dompurify from 3.2.5 to 3.3.2 (@​dependabot[bot])
  • #​11768 chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (@​dependabot[bot])
  • #​11774 chore(deps): bump svgo from 3.2.0 to 3.3.3 (@​dependabot[bot])
  • #​11762 chore(deps): bump rollup from 2.79.2 to 2.80.0 (@​dependabot[bot])
  • #​11756 chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 (@​dependabot[bot])
  • #​11692 chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 (@​dependabot[bot])
  • #​11679 chore(deps): bump lodash from 4.17.21 to 4.17.23 (@​dependabot[bot])
  • #​11674 chore(deps): bump actions/setup-node from 6.1.0 to 6.2.0 (@​dependabot[bot])
  • #​11625 chore(deps): bump preactjs/compressed-size-action from 2.8.0 to 2.9.0 - pin all remaining GitHub actions (@​dependabot[bot])
  • #​11608 chore(deps): bump actions/setup-node from 6.0.0 to 6.1.0 (@​dependabot[bot])
  • #​11609 chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 (@​dependabot[bot])
  • #​11589 chore(deps): bump mdast-util-to-hast from 13.2.0 to 13.2.1 (@​dependabot[bot])
  • #​11574 chore(deps): bump node-forge from 1.3.1 to 1.3.2 (@​dependabot[bot])
  • #​11557 chore(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 (@​dependabot[bot])
  • #​11569 chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (@​dependabot[bot])
  • #​11551 chore(deps): bump js-yaml from 4.1.0 to 4.1.1 (@​dependabot[bot])
  • #​11514 chore(deps): bump actions/upload-artifact from 4 to 5 (@​dependabot[bot])
  • #​11515 chore(deps): bump github/codeql-action from 4.30.9 to 4.31.0 (@​dependabot[bot])
  • #​11504 chore(deps): bump github/codeql-action from 4.30.8 to 4.30.9 (@​dependabot[bot])
  • #​11503 chore(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (@​dependabot[bot])
• docusaurus-bundler, docusaurus-mdx-loader
  • #​11717 chore(deps): bump webpack from 5.95.0 to 5.104.1 (@​dependabot[bot])

🔧 Maintenance

• Other
  • #​11846 chore(website): disable mdx1Compat.comments on our site (@​slorber)
  • #​11845 chore(website): Upgrade to Algolia v4.6 (@​slorber)
  • #​11795 chore(ci): canary/trusted publishing shouldn't use any caching (@​slorber)
  • #​11753 chore: Add basic AGENTS.md (@​slorber)
  • #​11639 test(jest): simplify Jest snapshotPathNormalizer.ts (@​slorber)
  • #​11626 chore(website): upgrade to DocSearch 4.4.0 + fix little website theming issues (@​slorber)
  • #​11553 chore(ci): upgrade Netlify to Node 24 (LTS) + add git backfill command (@​slorber)
• create-docusaurus, docusaurus-babel, docusaurus-bundler, docusaurus-cssnano-preset, docusaurus-faster, docusaurus-logger, docusaurus-mdx-loader, docusaurus-module-type-aliases, docusaurus-plugin-client-redirects, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-css-cascade-layers, docusaurus-plugin-debug, docusaurus-plugin-google-analytics, docusaurus-plugin-google-gtag, docusaurus-plugin-google-tag-manager, docusaurus-plugin-ideal-image, docusaurus-plugin-pwa, docusaurus-plugin-rsdoctor, docusaurus-plugin-sitemap, docusaurus-plugin-svgr, docusaurus-plugin-vercel-analytics, docusaurus-preset-classic, docusaurus-remark-plugin-npm2yarn, docusaurus-theme-classic, docusaurus-theme-common, docusaurus-theme-live-codeblock, docusaurus-theme-mermaid, docusaurus-theme-search-algolia, docusaurus-theme-translations, docusaurus-tsconfig, docusaurus-types, docusaurus-utils-common, docusaurus-utils-validation, docusaurus-utils, docusaurus, eslint-plugin, lqip-loader, stylelint-copyright
  • #​11823 chore(ci): fixes for the npm trusted publishing workflow (@​slorber)
  • #​11819 chore(ci): add Trusted Publishing release workflow through dispatch action (@​slorber)
• docusaurus-plugin-content-docs, docusaurus-plugin-ideal-image, docusaurus-theme-classic, docusaurus-theme-common, docusaurus-theme-mermaid, docusaurus-utils, docusaurus
  • #​11698 chore(monorepo): upgrade React packages to v19 (@​slorber)
• docusaurus-cssnano-preset, docusaurus-logger, docusaurus-mdx-loader, docusaurus-plugin-client-redirects, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-ideal-image, docusaurus-remark-plugin-npm2yarn, docusaurus-theme-classic, docusaurus-theme-common, docusaurus-utils-validation, docusaurus-utils, docusaurus
  • #​11702 chore(monorepo): upgrade to Jest 30 (@​slorber)
• docusaurus-theme-classic, docusaurus-theme-common, docusaurus
  • #​11697 chore(monorepo): upgrade React monorepo types to v19 (@​slorber)
• docusaurus-babel
  • #​11586 chore(deps): remove unused @​babel/runtime-corejs3 dependency (@​JustinBeckwith)
• docusaurus-plugin-content-blog
  • #​11564 test(blog): Add basic tests for blog routes. (@​slorber)

🌐 Translations

• docusaurus-theme-translations
  • #​11632 feat(i18n): add Urdu (ur) default theme translations (@​hammadurrehman2006)
  • #​11533 fix(translations): complete theme translations for Algolia pt-br (@​luicfrr)

Committers: 41

• Akshat Sinha (@​akshatsinha0)
• Aleksandar Zgonjan (@​acosoft)
• Andrew Kazakov (@​andreww2012)
• Anukool Pandey (@​ANUKOOL324)
• Artem Lytkin (@​4RH1T3CT0R7)
• Balthasar Hofer (@​lebalz)
• Bhoomi Sharma (@​Bhoomi070)
• Cesar Garcia (@​Chesars)
• Denny Morán (@​dmoranp)
• Dmitriy Rotaenko (@​dmitriyrotaenko)
• Eoin Shaughnessy (@​EoinTrial)
• Gaurav Sulsule (@​garry00107)
• Gnana Eswar Gunturu (@​GnanaEswarGunturu)
• Hugo Häggmark (@​hugohaggmark)
• Ivan Torres (@​torresgol10)
• Justin Beckwith (@​JustinBeckwith)
• Kamil Moskała (@​moskalakamil)
• Kohei Watanabe (@​kou029w)
• Kuldeep Prasad Mishra (@​kmish9685)
• Kunwardeep Singh (@​work109677-sudo)
• Luiz Carlos (@​luicfrr)
• Matthew Cheung (@​Mcheung7272)
• Max Clayton Clowes (@​mcclowes)
• Misrilal (@​Misrilal-Sah)
• Muhammad Hammad ur Rehman (@​hammadurrehman2006)
• Nader Jaber (@​FlyNumber)
• Natan Yagudayev (@​NatanTechofNY)
• Neel Bansal (@​NPX2218)
• Nick Cacace (@​BearAlliance)
• Noah Gregory (@​nmggithub)
• Poetry Of Code (@​poetryofcode)
• Pyry Takala (@​pyrytakala)
• Salman Chishti (@​salmanmkc)
• Sreehari Upas (@​SreehariU)
• Sébastien Lorber (@​slorber)
• Vedant Madane (@​VedantMadane)
• Vedika Gupta (@​VedikaGupt)
• Zoey Greer (@​tempoz)
• @​TheCyperpunk
• @​snikkrs
• fre$h (@​fresh3nough

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.2.4

Compare Source

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#​19947)

v4.2.3

Compare Source

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#​19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#​19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#​19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#​19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#​19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#​19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#​19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#​19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#​19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#​19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#​19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#​19846)
• Upgrade: never migrate files that are ignored by git (#​19846)
• Add .env and .env.* to default ignored content files (#​19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#​19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#​19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#​19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#​19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#​19858)
• Improve performance when scanning JSONL / NDJSON files (#​19862)
• Support NODE_PATH environment variable in standalone CLI (#​19617)

withastro/astro (astro)

v6.1.9

Compare Source

Patch Changes

• #​16448 99464ed Thanks @​matthewp! - Updates vite, picomatch, and unstorage to latest patch versions

• #​16422 a3951d7 Thanks @​matthewp! - Hardens astro-island export resolution and hydration error handling for malformed component metadata

• #​16420 e21de1d Thanks @​matthewp! - Hardens Astro's error overlay and server logging paths to avoid unsafe HTML insertion and format-string interpolation

• #​16419 f3485c3 Thanks @​matthewp! - Hardens nested object and package metadata lookups to ignore prototype keys in content handling and project scaffolding

• #​16022 a002540 Thanks @​mathieumaf! - Fixes an issue where i18n domains would return 404 when trailingSlash is set to never.

• Updated dependencies [99464ed, f3485c3]:

  • @​astrojs/internal-helpers@​0.9.0
  • @​astrojs/markdown-remark@​7.1.1

v6.1.8

Compare Source

Patch Changes

• #​16367 a6866a7 Thanks @​ematipico! - Fixes an issue where build output files could contain special characters (!, ~, {, }) in their names, causing deploy failures on platforms like Netlify.

• #​16381 217c5b3 Thanks @​ematipico! - Slightly improved the performance of the dev server by caching the internal crawling of the dependencies of a project.

• #​16348 7d26cd7 Thanks @​ocavue! - Fixes a bug where emitted assets during a client build would contain always fresh, new hashes in their name. Now the build should be more stable.

• #​16317 d012bfe Thanks @​das-peter! - Fixes a bug where allowedDomains weren't correctly propagated when using the development server.

• #​16379 5a84551 Thanks @​martrapp! - Improves Vue scoped style handling in DEV mode during client router navigation.

• #​16317 d012bfe Thanks @​das-peter! - Adds tests to verify settings are properly propagated when using the development server.

• #​16282 5b0fdaa Thanks @​jmurty! - Fixes build errors on platforms with skew protection enabled (e.g. Vercel, Netlify) for inter-chunk Javascript using dynamic imports

• Updated dependencies [e0b240e]:

  • @​astrojs/telemetry@​3.3.1

v6.1.7

Compare Source

Patch Changes

• #​16027 c62516b Thanks @​fkatsuhiro! - Fixes a bug where remote image dimensions were not validated during static builds on Netlify.

• #​16311 94048f2 Thanks @​Arecsu! - Fixes --port flag being ignored after a Vite-triggered server restart (e.g. when a .env file changes)

• #​16316 0fcd04c Thanks @​ematipico! - Fixes the /_image endpoint accepting an arbitrary f=svg query parameter and serving non-SVG content as image/svg+xml. The endpoint now validates that the source is actually SVG before honoring f=svg, matching the same guard already enforced on the <Image> component path.

bubkoo/html-to-image (html-to-image)

v1.11.13

Compare Source

Bug Fixes

• mask: add support for -webkit-mask and -webkit-mask-image (#​382) (5bdfda7)

v1.11.12

Compare Source

Bug Fixes

• add possibility to use own handling of onerror which will not en… (#​453) (04160c3)
• ensure images are totally prcoessed before using them (ios) (#​478) (51fb98f)
• Fix fontEmbedCSS incorrect sizing (#​422) (7020162)

Performance Improvements

• embed only used fonts (#​476) (09bee44)
• svg cloning optimized using deep clone (#​462) (9aac2fd)

ai/nanoid (nanoid)

v5.1.9

Compare Source

• Fixed npm package size regression.

v5.1.8

Compare Source

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

facebook/react (react)

v19.2.5: 19.2.5 (April 8th, 2026)

Compare Source

React Server Components

• Add more cycle protections (#​36236 by @​eps1lon and @​unstubbable)

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • "before 7am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.