chore(deps)(deps): bump the production-minor-patch group across 1 directory with 33 updates

[dependabot]

Bumps the production-minor-patch group with 33 updates in the / directory:

Package	From	To
@apollo/server	5.4.0	5.5.0
@graphql-tools/schema	10.0.31	10.0.33
graphql	16.13.0	16.13.2
zod	4.4.0-canary.20260125T215152	4.4.3
@graphql-tools/graphql-file-loader	8.1.10	8.1.14
@graphql-tools/load	8.1.8	8.1.10
@graphql-tools/utils	11.0.0	11.1.0
graphql-ws	6.0.7	6.0.8
jose	6.1.3	6.2.3
mathjs	15.1.1	15.2.0
ws	8.19.0	8.20.0
@apollo/client-integration-nextjs	0.14.4	0.14.5
@auth/prisma-adapter	2.11.1	2.11.2
@nosecone/next	1.1.0	1.4.0
@sentry/nextjs	10.40.0	10.51.0
@serwist/next	9.5.6	9.5.11
@tanstack/react-virtual	3.13.19	3.13.24
@vercel/analytics	2.0.0-canary.1	2.0.1
framer-motion	12.34.3	12.38.0
immer	11.1.4	11.1.6
katex	0.16.33	0.16.45
next	16.2.0-canary.69	16.2.4
next-intl	4.8.3	4.11.0
nosecone	1.1.0	1.4.0
tailwindcss	4.2.1	4.2.4
three	0.183.2	0.184.0
zustand	5.0.11	5.0.12
hono	4.12.3	4.12.16
@cf-wasm/resvg	0.3.3	0.3.4
modern-pdf-lib	0.15.1	0.26.0
@neondatabase/serverless	1.0.2	1.1.0
@prisma/adapter-neon	7.5.0-dev.33	7.8.0
@prisma/client	7.5.0-dev.33	7.8.0

Updates @apollo/server from 5.4.0 to 5.5.0

Release notes

Sourced from @​apollo/server's releases.

@​apollo/server-integration-testsuite@​5.5.0

Minor Changes

• #8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

• Updated dependencies [ada1200]:
  • @​apollo/server@​5.5.0

@​apollo/server@​5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Changelog

Sourced from @​apollo/server's changelog.

5.5.0

Minor Changes

• #8191 ada1200 Thanks @​glasser! - ⚠️ SECURITY @apollo/server/standalone:

  Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

  (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

  This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

  If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

  This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

  See advisory GHSA-9q82-xgwf-vj6h for more details.

Commits

• 64c0e1b Version Packages (#8192)
• ada1200 Reject GET requests with a Content-Type other than application/json (#8191)
• See full diff in compare view

Updates @graphql-tools/schema from 10.0.31 to 10.0.33

Changelog

Sourced from @​graphql-tools/schema's changelog.

10.0.33

Patch Changes

• Updated dependencies [a4b7dce]:
  • @​graphql-tools/utils@​11.1.0
  • @​graphql-tools/merge@​9.1.9

10.0.32

Patch Changes

• Updated dependencies [ae36a0e]:
  • @​graphql-tools/utils@​11.0.1
  • @​graphql-tools/merge@​9.1.8

Commits

• 4aa9156 chore(release): update monorepo packages versions (#8145)
• 14066f9 chore(release): update monorepo packages versions (#8118)
• 5d6bcc4 Remove skipLibCheck (#8019)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​graphql-tools/schema since your current version.

Updates graphql from 16.13.0 to 16.13.2

Release notes

Sourced from graphql's releases.

v16.13.2 (2026-03-24)

Docs 📝

• #4611 add dev mode docs (@​yaacovCR)

Polish 💅

• #4631 Use Object.create(null) over {} to avoid prototype issues - v16 (@​benjie)

Internal 🏠

• #4626 backport: internal: streamline release process (#4615) (@​yaacovCR)

Committers: 2

• Benjie(@​benjie)
• Yaacov Rydzinski (@​yaacovCR)

v16.13.1 (2026-03-04)

First 16.x.x release with trusted publishing and provenance, see: https://docs.npmjs.com/trusted-publishers for additional information.

Docs 📝

• #4433 docs: move migrate from express graphql guide to graphqlJS docs (@​sarahxsanders)

Internal 🏠

• #4608 internal: backport new release flow from 17.x.x (@​yaacovCR)
• #4610 internal: pin node version for release action (@​yaacovCR)

Committers: 2

• Sarah Sanders(@​sarahxsanders)
• Yaacov Rydzinski (@​yaacovCR)

Commits

• 123e958 chore(release): v16.13.2 (#4632)
• 13f130d Use Object.create(null) over {} to avoid prototype issues - v16 (#4631)
• 6ca59e1 backport: internal: streamline release process (#4615) (#4626)
• df8c53f docs: dev mode for v17 (#4611)
• 3b5c3f9 internal: pin node version for release action (#4610)
• 6dee435 chore(release): v16.13.1 (#4609)
• c2ad5c6 internal: backport new release flow from 17.x.x (#4608)
• adff4e6 docs: move migrate from express graphql guide to graphqlJS docs (#4433)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for graphql since your current version.

Updates zod from 4.4.0-canary.20260125T215152 to 4.4.3

Release notes

Sourced from zod's releases.

v4.4.3

Commits:

• 4c2fa95ce3f3390fbc522324e406b4e9e89b88f9 docs: use Zernio primary wordmark for gold sponsor logo
• 2aeec83eb135e3a83756e973ef44845fc5a455d2 docs: prune lapsed gold sponsors and rebalance logo sizing
• 7391be88ac1ee5cd02057f5ccc012a1f5df4efd0 docs: prune lapsed silver/bronze sponsors and add active ones
• 2c703322a21b4e2b12f33f49ea8430c451a68b4f docs: normalize bronze sponsor logos to github avatar pattern
• 9195250cab0e7950efe39c3926d6c203b4b0a170 docs: remove Mintlify from bronze sponsors (churned)
• b8dffe9e62f17e6571e6249d05cc5102b54d94e4 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 1cab69383fcdeae2a366d5e2a2fc4d8fc765d168 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• c2be4f819064eed62c7c350a2d399b5faecd15f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent keys (#5941)
• f3c9ec03ba7a28ae72d25cc295f38674bee0f559 4.4.3
• 1fb56a5c18c27102dbc92260a4007c7732a0ccca docs: document release procedure in AGENTS.md

v4.4.2

Commits:

• 0c62df0ea19fd05abdf90473e9eef7eea530fab2 Clean up docs navigation and stale labels (#5901)
• 20cc794895cc8604fe0c87d83a5d1c3f89fad0ac chore: add security policy and refresh tooling deps
• 6fbe07b0177efdd1bf1c0b05160e70d7a0702337 fix(docs): heading anchor links now include the hash so it doesnt scoll all the way up, follows navbar logic (#5791)
• 4bbed1b1c73eca4ce9e59b1189ed236aa6c8b5bd Tighten discriminated union option typing
• bbac3e567e7fccfaaf7cdc97f1ce30c295e2c908 Update PR guidance for agents
• cf0dc942a32805c292fff59ade20a7ace980735a Merge remote-tracking branch 'origin/main' into fix-discriminated-union-key-constraint
• 292c894a5fd2aa42e527900b83d8d7a3009a709c docs: add Zernio gold sponsor
• 1fc9f311c28dcf80d0bb5a36b177086cbc3d8eca docs: document codec inversion
• 1373c85da9aeff704a9762d27bc58699618aefb7 docs: remove AI disclosure guidance
• e20d02b473c08e3a4e557bc610b1b5fac079b649 chore: ignore triage notes
• e58ea4d91b1dfe8194b73508203213cbc7e9c936 docs: test Zod Mini tab code heights
• 905761a5d127e8d5dd2ebb3bc88c75cb0b8149ff docs: document preprocess input type narrowing
• bf64bac850d4dee2b7dde7e64909d5d796d32043 chore: tighten test guidance in AGENTS.md
• 8ec4e73f4c4693b6361ad591be40fb41eb8a9f95 chore: update play.ts scratch
• 02c2baf7d0d615872fa4528a8020603b71211702 Make z.preprocess defer optionality to inner schema (#5929)
• 88015df8e25c44fb5385eb3ef28935119cd5edea fix(docs): drop deprecated baseUrl from tsconfig
• c59d4474e3b4cad1b323462186cf607178ce8267 4.4.2

v4.4.1

Commits:

• 481f7be4238c83ed58183f921b2646f340a91c6a ci: gate release publishing on full test workflow
• 95ccab423aec720b2523c3a64cdc7e3204537cc7 test(v3): restore optional undefined expectations
• cede2c63739a5823d6aa5093d291e9a111da943d fix(v4): reject tuple holes before required defaults (#5900)
• edd0bf0f5ada4a8dc581c259407d7bbad0a71ea7 release: 4.4.1
• 180d83d1dbe6a59260710cc8637a3dea2281ee56 docs: remove Jazz featured sponsor

v4.4.0

4.4.0

This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.

Potentially breaking bug fixes

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.

Updates @graphql-tools/graphql-file-loader from 8.1.10 to 8.1.14

Changelog

Sourced from @​graphql-tools/graphql-file-loader's changelog.

8.1.14

Patch Changes

• Updated dependencies [a4b7dce]:
  • @​graphql-tools/utils@​11.1.0
  • @​graphql-tools/import@​7.1.14

8.1.13

Patch Changes

• Updated dependencies [ae36a0e]:
  • @​graphql-tools/utils@​11.0.1
  • @​graphql-tools/import@​7.1.13

8.1.12

Patch Changes

• Updated dependencies [5d6bcc4]:
  • @​graphql-tools/import@​7.1.12

8.1.11

Patch Changes

• Updated dependencies [417d875, 0e4d00e]:
  • @​graphql-tools/import@​7.1.11

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​graphql-tools/graphql-file-loader since your current version.

Updates @graphql-tools/load from 8.1.8 to 8.1.10

Changelog

Sourced from @​graphql-tools/load's changelog.

8.1.10

Patch Changes

• Updated dependencies [a4b7dce]:
  • @​graphql-tools/utils@​11.1.0
  • @​graphql-tools/schema@​10.0.33

8.1.9

Patch Changes

• Updated dependencies [ae36a0e]:
  • @​graphql-tools/utils@​11.0.1
  • @​graphql-tools/schema@​10.0.32

Commits

• 4aa9156 chore(release): update monorepo packages versions (#8145)
• 14066f9 chore(release): update monorepo packages versions (#8118)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​graphql-tools/load since your current version.

Updates @graphql-tools/utils from 11.0.0 to 11.1.0

Changelog

Sourced from @​graphql-tools/utils's changelog.

11.1.0

Minor Changes

• #8144 a4b7dce Thanks @​enisdenjo! - Deep merge and preserve non-enumerable symbols

11.0.1

Patch Changes

• ae36a0e Thanks @​mattkrick! - Handle enum values correctly if they are arguments of directives defined in the extensions

Commits

• 4aa9156 chore(release): update monorepo packages versions (#8145)
• a4b7dce Deep merge and preserve non-enumerable symbols (#8144)
• c097bc9 build(deps): bump the actions-deps group across 1 directory with 9 updates (#...
• 14066f9 chore(release): update monorepo packages versions (#8118)
• ae36a0e fix: coerce enum directive arguments to internal values when printing (#8117)
• a831489 build(deps): bump the actions-deps group with 7 updates (#8105)
• fe413ee Revert unnecessary changes
• 4dd39fa fix(mergeDeep): do not concatenate arrays while merging
• a91a765 build(deps): bump the actions-deps group with 8 updates (#8056)
• 3929728 build(deps): bump the actions-deps group across 1 directory with 2 updates (#...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​graphql-tools/utils since your current version.

Updates graphql-ws from 6.0.7 to 6.0.8

Release notes

Sourced from graphql-ws's releases.

v6.0.8

Patch Changes

• #667 fc03004 Thanks @​endigma! - Fix the server sending a Complete message after an Error message for subscriptions.

  Previously, when a subscription's async iterable threw an error, the server would send:

  {"id":"1","type":"error","payload":[{"message":"..."}]}
  {"id":"1","type":"complete"}
  

  Per the protocol spec:

  Error: This message terminates the operation and no further messages will be sent.

  Complete (Server → Client): If the server dispatched the Error message relative to the original Subscribe message, no Complete message will be emitted.

  The server now correctly sends only the Error message:

  {"id":"1","type":"error","payload":[{"message":"..."}]}
  

  Clients that correctly follow the spec should be unaffected, as they are expected to ignore messages for operations they consider already completed.

Changelog

Sourced from graphql-ws's changelog.

6.0.8

Patch Changes

• #667 fc03004 Thanks @​endigma! - Fix the server sending a Complete message after an Error message for subscriptions.

  Previously, when a subscription's async iterable threw an error, the server would send:

  {"id":"1","type":"error","payload":[{"message":"..."}]}
  {"id":"1","type":"complete"}
  

  Per the protocol spec:

  Error: This message terminates the operation and no further messages will be sent.

  Complete (Server → Client): If the server dispatched the Error message relative to the original Subscribe message, no Complete message will be emitted.

  The server now correctly sends only the Error message:

  {"id":"1","type":"error","payload":[{"message":"..."}]}
  

  Clients that correctly follow the spec should be unaffected, as they are expected to ignore messages for operations they consider already completed.

Commits

• 2cbe0ed Upcoming Release Changes (#668)
• fc03004 fix: do not send Complete after Error for subscriptions (#667)
• See full diff in compare view

Updates jose from 6.1.3 to 6.2.3

Release notes

Sourced from jose's releases.

v6.2.3

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

v6.2.2

Fixes

• reject failed decompression with JWEInvalid error (043b181)

v6.2.1

Refactor

• reorganize internals, less files, smaller footprint (d4231f9)

v6.2.0

Features

• re-introduce JWE "zip" (Compression Algorithm) Header Parameter support (b13b446)

Documentation

• clarify return of general jws and jwe (56682b4)

Changelog

Sourced from jose's changelog.

6.2.3 (2026-04-27)

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

6.2.2 (2026-03-18)

Fixes

• reject failed decompression with JWEInvalid error (043b181)

6.2.1 (2026-03-09)

Refactor

• reorganize internals, less files, smaller footprint (d4231f9)

6.2.0 (2026-03-05)

Features

• re-introduce JWE "zip" (Compression Algorithm) Header Parameter support (b13b446)

Documentation

• clarify return of general jws and jwe (56682b4)

Commits

• 41ad7e9 chore(release): 6.2.3
• 988e90f chore: account for commit-and-tag-version instead of standard-version
• 4b24656 chore: update CHANGELOG.md header
• 0cdb851 refactor: cleanly reject invalid PBES2 p2c
• a0b261e test: update Bun expectations
• b39dc1a chore: use fs.globSync
• 0675be1 build: replace rollup umd build with a custom esbuild iife wrap
• 9b03323 chore: bump packages
• 914b73d chore(deps-dev): bump lodash
• 9dce817 chore: bump packages
• Additional commits viewable in compare view

Updates mathjs from 15.1.1 to 15.2.0

Changelog

Sourced from mathjs's changelog.

unpublished changes since 15.2.0

• Docs: fix the browser example rocket_trajectory_optimization.html (#3654). Thanks @​dvd101x.

2026-04-07, 15.2.0

• Feat: Add amp-hour charge unit Ah (#3617). Thanks @​adrfantini.
• Feat: #3595 implement num and den functions returning the parts of a fraction (#3605). Thanks @​AnslemHack.
• Fix: Provide TypeScript types for [and/or]TransformDependencies (#3639). Thanks @​NilsDietrich.
• Fix: two security vulnerabilities that allowed executing arbitrary JavaScript via the expression parser. Thanks @​CykuTW for finding and reporting them.

Commits

• fee4561 chore: publish v15.2.0
• 139dcab chore: update history
• 0aee2f6 fix: two security vulnerabilities allowing execution of arbitrary JavaScript ...
• f7c10b1 feat: Fraction numerator and denominator helper functions (#3605)
• 2066220 feat: Add Ah charge unit (#3617)
• 685da0f chore: Add andTransformDependencies and orTransformDependencies to index.d.ts...
• 8fe12e5 docs: update links to TestMu AI
• See full diff in compare view

Updates ws from 8.19.0 to 8.20.0

Release notes

Sourced from ws's releases.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

Commits

• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• ca533a5 [pkg] Update globals to version 17.0.0
• See full diff in compare view

Updates @apollo/client-integration-nextjs from 0.14.4 to 0.14.5

Release notes

Sourced from @​apollo/client-integration-nextjs's releases.

@​apollo/client-integration-nextjs@​0.14.5

Patch Changes

• Updated dependencies [077a94e]
  • @​apollo/client-react-streaming@​0.14.5

Commits

• 15eda44 Version Packages (#548)
• 0f58188 Update Docs
• 077a94e Avoid warning when using fragments in preloadQuery. (#536)
• 43b0a18 Add Apollo Client skill to README files (#539)
• 23bc7b6 Use Apollo Client skill in Copilot Agents
• 01467a2 post-version script: also update CHANGELOG.md
• bc9984a enforce publishing one package at a time, not in parallel
• See full diff in compare view

Updates @auth/prisma-adapter from 2.11.1 to 2.11.2

Release notes

Sourced from @​auth/prisma-adapter's releases.

@​auth/prisma-adapter@​2.11.2

Other

• @​auth/core: dependency update (67f2b168)

Commits

• af9daa8 chore(release): bump package version(s) [skip ci]
• d4dab3d chore: sync package versions with npm registry (#13414)
• 8a23c5b chore: fix lockfile (#13411)
• 2018202 docs: fix TypeScript type mismatch in refresh token rotation example (#13396)
• 0eba7e4 adapter-kysely: Update kysely for CVE-2026-33468 (#13407)
• 67f2b16 fix(providers): add issuer to GitHub provider for RFC 9207 compliance (#13410)
• f457068 docs: update middleware.ts references to proxy.ts for Next.js 16 (#13373)
• c7c2cfa docs: update Better Auth migration guide (#13334)
• b4ef14a chore(release): bump version [skip ci]
• See full diff in compare view

Maintainer changes

This version was pushed to npm by better-gustavo, a new releaser for @​auth/prisma-adapter since your current version.

Updates @nosecone/next from 1.1.0 to 1.4.0

Release notes

Sourced from @​nosecone/next's releases.

v1.4.0

1.4.0 (2026-04-14)

🚀 New Features

Introducing Arcjet Guard - protect AI agent tool calls, background jobs, and anything beyond HTTP. @arcjet/guard is a new API built for the agentic era: rate limit by any key, detect prompt injection, and catch PII.

• guard: promote @​arcjet/guard from experimental to stable release (#5996) (f511f44)

📝 Documentation

• add @​arcjet/guard documentation to root README (#5993) (4be39c8)
• add MCP server mentions to @​arcjet/guard (#5974) (cd398c0)

🧹 Miscellaneous Chores

• add .claude/ to .gitignore (#5988) (6f0f922)
• always trigger workflows on release-please branch (#5998) (6554cd1)
• delete astro-5 example (#5995) (38487cb)
• Deprecate score and threshold fields in detectPromptInjection (#5987) (de46cb7)
• examples: Add Astro 5 example, upgrade main Astro example to v6 (#5975) (a77c077)
• guard: add legacy type resolution for typescript@<=5 (#5978) (fd6ad6d)
• guard: introduce arcjet guard js (#5957) (53ff2e2)
• guard: update protobuf (#5986) (25f0e9e)
• proto: sync generated proto (#5994) (25b11fe)
• regenerate wasm binaries after aws-lc-rs update (#5969) (bda5448)

🔨 Build System

• deps-dev: bump vite from 7.3.1 to 7.3.2 (#5980) (8a253f6)
• deps-dev: bump vite from 7.3.1 to 7.3.2 in /examples/react-router (#5982) (ddf3416)
• deps-dev: bump vite from 7.3.1 to 7.3.2 in /examples/react-router-middleware (#5985) (e36cf35)
• deps: bump @​nestjs/core from 11.1.17 to 11.1.18 in /examples/nestjs (#5983) (514ae8b)
• deps: bump unhead and @​unhead/vue in /examples/nuxt (#5989) (6add894)
• deps: bump vite from 7.3.1 to 7.3.2 in /examples/nuxt (#5981) (97138bc)
• deps: bump vite in /examples/remix-express (#5977) (3b97d6f)

v1.3.1

1.3.1 (2026-03-30)

🪲 Bug Fixes

• filter: update wasm and add tests for len() on absent map fields (#5929) (d2a3161)
• install command & pricing references (#5959) (7e54cbd)

... (truncated)

Changelog

Sourced from @​nosecone/next's changelog.

1.4.0 (2026-04-14)

🧹 Miscellaneous Chores

• @​nosecone/next: Synchronize arcjet-js versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • nosecone bumped from 1.3.1 to 1.4.0
  • devDependencies
    • @​arcjet/eslint-config bumped from 1.3.1 to 1.4.0
    • @​arcjet/rollup-config bumped from 1.3.1 to 1.4.0

1.3.1 (2026-03-30)

🧹 Miscellaneous Chores

• @​nosecone/next: Synchronize arcjet-js versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • nosecone bumped from 1.3.0 to 1.3.1
  • devDependencies
    • @​arcjet/eslint-config bumped from 1.3.0 to 1.3.1
    • @​arcjet/rollup-config bumped from 1.3.0 to 1.3.1

1.3.0 (2026-03-12)

🧹 Miscellaneous Chores

• @​nosecone/next: Synchronize arcjet-js versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • nosecone bumped from 1.2.0 to 1.3.0
  • devDependencies
    • @​arcjet/eslint-config bumped from 1.2.0 to 1.3.0
    • @​arcjet/rollup-config bumped from 1.2.0 to 1.3.0

... (truncated)

Commits

• b4337ec chore: Release 1.4.0 (#5972)
• ddcad58 chore: Release 1.3.1 (#5926)
• b3f76ef deps: periodic dependency update and security update (#5965)
• 9ddc395 deps(dev): update dependency @​rollup/wasm-node to v4.59.0 (#5935)
• 682a80e chore: Release 1.3.0 (#5912)
• 9992ba4 chore: Release 1.2.0 (#5802)
• a56c62b deps: periodic dependency update (#5892)
• See full diff in compare view

Updates @sentry/nextjs from 10.40.0 to 10.51.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.51.0

Important Changes

• feat(cloudflare): Add trace propagation for RPC method calls (#20343)

  Trace context is now propagated across Cloudflare Workers RPC calls, connecting traces between Workers and Durable Objects. This feature is opt-in and requires setting enableRpcTracePropagation: true in your SDK configuration:

  // Worker
  export default Sentry.withSentry(
    env => ({
      dsn: env.SENTRY_DSN,
      enableRpcTracePropagation: true,
    }),
    handler,
  );
  // Durable Object
  export const MyDurableObject = Sentry.instrumentDurableObjectWithSentry(
  env => ({
  dsn: env.SENTRY_DSN,
  enableRpcTracePropagation: true,
  }),
  MyDurableObjectBase,
  );

• feat(hono)!: Change setup for @sentry/hono/node (init in external file) (#20497)

  To improve Node.js instrumentation, the sentry() middleware exported from @sentry/hono/node no longer accepts configuration options. Instead, you must configure the SDK by calling Sentry.init() in a dedicated instrumentation file that runs before your application code (read more in the Hono SDK readme:

  // instrument.mjs (or instrument.ts)
  import * as Sentry from '@sentry/hono/node';
  Sentry.init({
  dsn: 'DSN',
  tracesSampleRate: 1.0,
  });

• feat(nitro): Add @sentry/nitro SDK (#19224)

  A new @sentry/nitro package provides first-class Sentry support for Nitro applications, with HTTP handler and error instrumentation, middleware tracing, request isolation, and build-time source map uploading via withSentryConfig. Read more in the Nitro SDK docs and the Nitro SDK readme.

Other Changes

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.51.0

Important Changes

• feat(cloudflare): Add trace propagation for RPC method calls (

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nextcalc-pro	Error		May 4, 2026 5:31pm