Skip to content

build(deps): bump the npm_and_yarn group across 5 directories with 12 updates#2

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/clients/npm_and_yarn-629d25bd6c
Open

build(deps): bump the npm_and_yarn group across 5 directories with 12 updates#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/clients/npm_and_yarn-629d25bd6c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 6, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 3 updates in the /clients directory: next, postcss and yaml.
Bumps the npm_and_yarn group with 2 updates in the /server/polar/backoffice directory: postcss and picomatch.
Bumps the npm_and_yarn group with 6 updates in the /server/emails directory:

Package From To
brace-expansion 2.0.2 2.1.0
minimatch 5.1.6 5.1.9
picomatch 4.0.3 4.0.4
rollup 4.53.5 4.60.3
tar 7.5.2 7.5.14
socket.io-parser 4.2.4 4.2.6

Bumps the npm_and_yarn group with 7 updates in the /handbook directory:

Package From To
yaml 2.8.2 2.8.4
brace-expansion 1.1.12 1.1.14
fast-xml-parser 5.3.9 5.7.3
follow-redirects 1.15.11 1.16.0
picomatch 2.3.1 2.3.2
socket.io-parser 4.2.5 4.2.6
basic-ftp 5.2.0 5.3.1

Bumps the npm_and_yarn group with 7 updates in the /docs directory:

Package From To
yaml 2.8.2 2.8.4
brace-expansion 1.1.12 1.1.14
fast-xml-parser 4.5.3 4.5.6
follow-redirects 1.15.11 1.16.0
picomatch 2.3.1 2.3.2
socket.io-parser 4.2.5 4.2.6
basic-ftp 5.1.0 5.3.1

Updates next from 16.2.0 to 16.2.3

Release notes

Sourced from next's releases.

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

  • Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
  • Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
  • Deduplicate output assets and detect content conflicts on emit (#92292)
  • Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
  • turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • backport: Move expanded adapters docs to API reference (#92115) (#92129)
  • Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
  • [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
  • next.config.js: Accept an option for serverFastRefresh (#91968)
  • Turbopack: enable server HMR for app route handlers (#91466)
  • Turbopack: exclude metadata routes from server HMR (#92034)
  • Fix CI for glibc linux builds
  • Backport: disable bmi2 in qfilter #92177
  • [backport] Fix CSS HMR on Safari (#92174)

Credits

Huge thanks to @​nextjs-bot, @​icyJoseph, @​ijjk, @​gaojude, @​wbinnssmith, @​lukesandberg, and @​bgw for helping!

v16.2.1

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • docs: post release amends (#91715)
  • docs: fix broken Activity Patterns demo link in preserving UI state guide (#91698)
  • Fix adapter outputs for dynamic metadata routes (#91680)
  • Turbopack: fix webpack loader runner layer (#91727)
  • Fix server actions in standalone mode with cacheComponents (#91711)
  • turbo-persistence: remove Unmergeable mmap advice (#91713)
  • Fix layout segment optimization: move app-page imports to server-utility transition (#91701)
  • Turbopack: lazy require metadata and handle TLA (#91705)
  • [turbopack] Respect {eval:true} in worker_threads constructors (#91666)

... (truncated)

Commits
  • d5f649b v16.2.3
  • 2873928 [16.x] Avoid consuming cyclic models multiple times (#75)
  • d7c7765 [backport]: Ensure app-page reports stale ISR revalidation errors via onReque...
  • c573e8c fix(server-hmr): metadata routes overwrite page runtime HMR handler (#92273)
  • 57b8f65 next-core: deduplicate output assets and detect content conflicts on emit (#9...
  • f158df1 Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
  • 356d605 turbo-tasks-backend: stability fixes for task cancellation and error handling...
  • 3b77a6e Fix DashMap read-write self-deadlock in task_cache causing hangs (#92210)
  • b2f208a Backport: new view-transitions guide, update and fixes (#92264)
  • 52faae3 v16.2.2
  • Additional commits viewable in compare view

Updates postcss from 8.5.8 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Changelog

Sourced from postcss's changelog.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Commits

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

  • Add trailingComma ToString option for multiline flow formatting (#670)
  • Catch stack overflow during node composition (1e84ebb)
Commits
  • ce14587 2.8.3
  • 1e84ebb fix: Catch stack overflow during node composition
  • 6b24090 ci: Include Prettier check in lint action
  • 9424dee chore: Refresh lockfile
  • d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
  • 4321509 ci: Drop the branch filter from GitHub PR actions
  • 47207d0 chore: Update docs-slate
  • 5212fae chore: Update docs-slate
  • See full diff in compare view

Updates fast-xml-parser from 5.4.1 to 5.7.3

Release notes

Sourced from fast-xml-parser's releases.

fix minor old bugs and update builder

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to use entity value to form another entity name.
      • you cant add numeric external entity
      • entity error message when expantion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

  • No API change
  • No change in performance for basic usage
  • No typing change
  • No config change
  • new dependency
  • breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

  • increase default entity explansion limit as many projects demand for that
maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.7.3 / 2006-05-05

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

5.7.2 / 2026-04-25

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

  • fix typo in CJS typing file

5.7.0 / 2026-04-17

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to user entity value to form another entity name.
      • you cant add numeric external entity
      • entity error message when expantion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

  • fix: entity replacement for numeric entities
  • use @​nodable/entities to replace entities
    • this may change some error messages related to entities expansion limit or inavlid use
    • post check would be exposed in future version

5.5.12 / 2026-04-13

  • Performance Improvement: update path-expression-matcher
    • use proxy pattern than Proxy class

5.5.11 / 2026-04-08

  • Performance Improvement
    • integrate ExpressionSet for stopNodes

... (truncated)

Commits
  • d6d8042 update to release
  • d263370 remove dev dependency 'he'
  • f9c9a2c update builder to 1.1.7
  • b65da87 update changelog and mark addEntity deprecated
  • c2ca631 update fxb
  • da75191 fix stop node expression when ns prefix is removed
  • 31bbc99 fix: alwaysCreateTextNode should create text node when attributes are present...
  • dab327a remove unnecessary
  • ab04eeb update docs
  • 383cb3f Revise security information for v6 release
  • Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Changelog

Sourced from postcss's changelog.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Commits

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates brace-expansion from 2.0.2 to 2.1.0

Commits

Updates minimatch from 5.1.6 to 5.1.9

Commits

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates rollup from 4.53.5 to 4.60.3

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

v4.60.1

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.3

2026-05-04

Bug Fixes

  • Ensure nested "exports" variables are not renamed (#6360)

Pull Requests

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

4.60.1

2026-03-30

... (truncated)

Commits
  • b47bdab 4.60.3
  • 15c5f33 Add again some unneeded dev dependencies, to make some builds succeed
  • 12195dc fix: do not rename nested "exports" bindings that do not conflict (#6360)
  • b74aa39 Migrate instructions to AGENTS.md
  • aa5a377 fix(deps): update minor/patch updates (#6365)
  • 197e68b chore(deps): update msys2/setup-msys2 digest to e989830 (#6364)
  • cded70a fix(deps): update swc monorepo (major) (#6366)
  • bb2b8a5 docs: add missing backticks in plugin-development (#6368)
  • 20af1c4 chore(deps): lock file maintenance (#6367)
  • a6be82b 4.60.2
  • Additional commits viewable in compare view

Updates tar from 7.5.2 to 7.5.14

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates socket.io-parser from 4.2.4 to 4.2.6

Release notes

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

  • add a limit to the number of binary attachments (b25738c)

socket.io-parser@4.2.5

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

Commits
  • 522edcd chore(release): socket.io-parser@4.2.6
  • 3fff7ca fix(parser): add a limit to the number of binary attachments
  • 37aad11 fix: cleanup pending acks on timeout to prevent memory leak
  • ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
  • 84c2fb7 chore(release): engine.io@6.6.6
  • 07cbe15 fix(eio): add @​types/ws as dependency (#5458)
  • 44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
  • da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
  • 74599a6 fix(types): properly import http module
  • d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for socket.io-parser since your current version.


Updates yaml from 2.8.2 to 2.8.4

Release notes

Sourced from yaml's releases.

v2.8.3

  • Add trailingComma ToString option for multiline flow formatting (#670)
  • Catch stack overflow during node composition (1e84ebb)
Commits
  • ce14587 2.8.3
  • 1e84ebb fix: Catch stack overflow during node composition
  • 6b24090 ci: Include Prettier check in lint action
  • 9424dee chore: Refresh lockfile
  • d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
  • 4321509 ci: Drop the branch filter from GitHub PR actions
  • 47207d0 chore: Update docs-slate
  • 5212fae chore: Update docs-slate
  • See full diff in compare view

Updates brace-expansion from 1.1.12 to 1.1.14

Commits

Updates fast-xml-parser from 5.3.9 to 5.7.3

Release notes

Sourced from fast-xml-parser's releases.

fix minor old bugs and update builder

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix

… updates

Bumps the npm_and_yarn group with 3 updates in the /clients directory: [next](https://github.com/vercel/next.js), [postcss](https://github.com/postcss/postcss) and [yaml](https://github.com/eemeli/yaml).
Bumps the npm_and_yarn group with 2 updates in the /server/polar/backoffice directory: [postcss](https://github.com/postcss/postcss) and [picomatch](https://github.com/micromatch/picomatch).
Bumps the npm_and_yarn group with 6 updates in the /server/emails directory:

| Package | From | To |
| --- | --- | --- |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `2.0.2` | `2.1.0` |
| [minimatch](https://github.com/isaacs/minimatch) | `5.1.6` | `5.1.9` |
| [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` |
| [rollup](https://github.com/rollup/rollup) | `4.53.5` | `4.60.3` |
| [tar](https://github.com/isaacs/node-tar) | `7.5.2` | `7.5.14` |
| [socket.io-parser](https://github.com/socketio/socket.io) | `4.2.4` | `4.2.6` |

Bumps the npm_and_yarn group with 7 updates in the /handbook directory:

| Package | From | To |
| --- | --- | --- |
| [yaml](https://github.com/eemeli/yaml) | `2.8.2` | `2.8.4` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.12` | `1.1.14` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `5.3.9` | `5.7.3` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.11` | `1.16.0` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |
| [socket.io-parser](https://github.com/socketio/socket.io) | `4.2.5` | `4.2.6` |
| [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.2.0` | `5.3.1` |

Bumps the npm_and_yarn group with 7 updates in the /docs directory:

| Package | From | To |
| --- | --- | --- |
| [yaml](https://github.com/eemeli/yaml) | `2.8.2` | `2.8.4` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.12` | `1.1.14` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `4.5.3` | `4.5.6` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.11` | `1.16.0` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |
| [socket.io-parser](https://github.com/socketio/socket.io) | `4.2.5` | `4.2.6` |
| [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.1.0` | `5.3.1` |



Updates `next` from 16.2.0 to 16.2.3
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.0...v16.2.3)

Updates `postcss` from 8.5.8 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.8...8.5.10)

Updates `yaml` from 2.8.2 to 2.8.3
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.2...v2.8.3)

Updates `fast-xml-parser` from 5.4.1 to 5.7.3
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.9...v5.7.3)

Updates `postcss` from 8.5.6 to 8.5.14
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.8...8.5.10)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `brace-expansion` from 2.0.2 to 2.1.0
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.2...v2.1.0)

Updates `minimatch` from 5.1.6 to 5.1.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v5.1.6...v5.1.9)

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `rollup` from 4.53.5 to 4.60.3
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.53.5...v4.60.3)

Updates `tar` from 7.5.2 to 7.5.14
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.2...v7.5.14)

Updates `socket.io-parser` from 4.2.4 to 4.2.6
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/compare/socket.io-parser@4.2.4...socket.io-parser@4.2.6)

Updates `yaml` from 2.8.2 to 2.8.4
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.2...v2.8.3)

Updates `brace-expansion` from 1.1.12 to 1.1.14
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.2...v2.1.0)

Updates `fast-xml-parser` from 5.3.9 to 5.7.3
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.9...v5.7.3)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `socket.io-parser` from 4.2.5 to 4.2.6
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/compare/socket.io-parser@4.2.4...socket.io-parser@4.2.6)

Updates `basic-ftp` from 5.2.0 to 5.3.1
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.2.0...v5.3.1)

Updates `yaml` from 2.8.2 to 2.8.4
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.2...v2.8.3)

Updates `brace-expansion` from 1.1.12 to 1.1.14
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.2...v2.1.0)

Updates `fast-xml-parser` from 4.5.3 to 4.5.6
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.9...v5.7.3)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `socket.io-parser` from 4.2.5 to 4.2.6
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/compare/socket.io-parser@4.2.4...socket.io-parser@4.2.6)

Updates `basic-ftp` from 5.1.0 to 5.3.1
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.2.0...v5.3.1)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 16.2.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 2.8.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 5.7.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 2.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 5.1.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.60.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: socket.io-parser
  dependency-version: 4.2.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 2.8.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 5.7.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: socket.io-parser
  dependency-version: 4.2.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: basic-ftp
  dependency-version: 5.3.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 2.8.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 4.5.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: socket.io-parser
  dependency-version: 4.2.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: basic-ftp
  dependency-version: 5.3.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 6, 2026

@llamapreview llamapreview Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI Code Review by LlamaPReview

🎯 TL;DR & Recommendation

Recommendation: Request Changes
This PR updates multiple npm dependencies across five directories, including critical patches to Next.js 16.2.3 that fix HMR and styled-jsx bugs. However, four directories have lock file changes without corresponding package.json updates, risking version drift, and minor bumps (e.g., zod, fast-xml-parser) may introduce breaking changes.

Priority File Category Impact Summary Anchors
P1 clients/apps/web/package.json Bug Patch bump fixes HMR and styled-jsx bugs
P2 clients/apps/web/package.json Maintainability Missing package.json updates for 4 directories
P2 clients/apps/web/package.json Maintainability Minor version bump may cause typing changes
⚠️ **Unanchored Suggestions (Manual Review Recommended)**

The following suggestions could not be precisely anchored to a specific line in the diff. This can happen if the code is outside the changed lines, has been significantly refactored, or if the suggestion is a general observation. Please review them carefully in the context of the full file.


📁 File: clients/apps/web/package.json

Speculative: The PR correctly updates package.json for clients/apps/web and clients/packages/mdx, but the file changes show that for the handbook, docs, server/emails, and server/polar/backoffice directories only pnpm-lock.yaml files were modified, not their respective package.json files. This is inconsistent because lock files are generated from package.json constraints. If the package.json constraints remain at the old versions, the lock file updates may be stale or incorrect, leading to potential version drift, unpinned dependencies in CI/CD, or failed audits. The snippet above demonstrates the expected pattern where both package.json and the lock file are updated together. The absence of package.json changes for these four directories indicates either an incomplete PR or that the package.json updates were committed separately – either outcome risks breaking the reproducibility of builds in those subprojects.

Related Code:



💡 Have feedback? We'd love to hear it in our GitHub Discussions.
✨ This review was generated by LlamaPReview Advanced, which is free for all open-source projects. Learn more.

"markdown-to-jsx": "^8.0.0",
"nanoid": "^5.1.7",
"next": "^16.2.0",
"next": "^16.2.3",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 | Confidence: High

The update of next from 16.2.0 to 16.2.3 is a patch bump within a widely-used framework. However, the changelog (visible in the PR description) includes several critical fixes such as “manifest.ts breaks HMR in Next.js 16.2” and “Fix styled-jsx race condition: styles lost due to concurrent rendering.” If the project uses manifest.ts files, HMR, or styled-jsx, these fixes resolve real runtime bugs that could cause incorrect behavior (e.g., missing styles or broken HMR loops). While this is a positive change, the PR does not include any explicit test modifications or regression checks to confirm the fixes don’t introduce new issues in the project’s specific configuration. Additionally, the lock file for clients shows massive updates (1591 additions, 735 deletions), which includes transitive dependencies that may have changed in ways not covered by the package.json bumps. I recommend running the full end-to-end test suite for the clients directory and verifying that the Next.js build and development server work as expected, especially HMR and style-related behaviour.

"tailwindcss-radix": "^4.0.2",
"tw-animate-css": "^1.4.0",
"zod": "^4.3.6"
"zod": "^4.4.3"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 | Confidence: Medium

Speculative: The update of zod from ^4.3.6 to ^4.4.3 is a minor version bump. Zod 4.x has undergone significant changes (e.g., schema definition syntax, pipe API). While ^4.4.3 is within the same major range, minor versions can introduce deprecations or subtle behavior changes. Without related context on how Zod is used in the codebase (e.g., z.object, custom types, transformers), there is a risk of runtime type-checking failures or subtle logic errors if the project relies on now-deprecated APIs. The same concern applies to other minor bumps in this PR (e.g., yaml from 2.8.2 to 2.8.3, fast-xml-parser from 5.3.9 to 5.7.3 in handbook – note: fast-xml-parser 5.7.0 introduced breaking entity-processing changes). I recommend reviewing the changelogs of all minor-version upgrades and verifying that the project's test suite (especially type-system and integration tests) still passes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants