chore(deps): bump the web-dependencies group in /web with 21 updates

[dependabot]

Bumps the web-dependencies group in /web with 21 updates:

Package	From	To
@react-email/render	1.0.5	2.0.8
@sentry/nextjs	10.51.0	10.52.0
@supabase/ssr	0.10.2	0.10.3
@supabase/supabase-js	2.105.1	2.105.4
@types/qrcode	1.5.5	1.5.6
@vercel/og	0.6.5	0.11.1
cmdk	1.0.4	1.1.1
marked	14.1.4	18.0.3
nanoid	5.0.9	5.1.11
next	16.2.4	16.2.6
react	19.0.0	19.2.6
@types/react	19.0.7	19.2.14
react-dom	19.0.0	19.2.6
@types/react-dom	19.0.3	19.2.3
resend	4.5.1	6.12.3
shiki	1.24.0	4.0.2
zod	3.24.1	4.4.3
@types/node	22.10.5	25.6.2
eslint	9.39.4	10.3.0
eslint-config-next	16.2.4	16.2.6
typescript	5.7.3	6.0.3

Updates @react-email/render from 1.0.5 to 2.0.8

Release notes

Sourced from @​react-email/render's releases.

@​react-email/render@​2.0.8

Patch Changes

• e0e896f: Strip nul bytes from React 18 renderToPipeableStream output to prevent emails with multi-byte characters from being truncated.

@​react-email/render@​2.0.7

Patch Changes

• 7fc539d: fix export map ordering between convex and node

@​react-email/render@​2.0.7-canary.0

Patch Changes

• 7fc539d: fix export map ordering between convex and node

@​react-email/render@​2.0.6

Patch Changes

• f6cfef0: fix: await stream.allReady before reading renderToReadableStream output

@​react-email/render@​2.0.5

Patch Changes

• ecfc141: fix process crashes in client errors

@​react-email/render@​2.0.4

What's Changed

• fix(render): new ErrorBoundary breaking rendering in server components by @​gabrielmfern in resend/react-email#2871

Full Changelog: https://github.com/resend/react-email/compare/@​react-email/render@2.0.3...@​react-email/render@2.0.4

@​react-email/render@​2.0.3

What's Changed

• fix(render): client side rendering fallbacks by @​gabrielmfern in resend/react-email#2852

Full Changelog: https://github.com/resend/react-email/compare/@​react-email/render@2.0.2...@​react-email/render@2.0.3

@​react-email/render@​2.0.2

Patch Changes

• 159f6e4: fix custom selectors overwriting the ones we defined
• 12ff166: fix pipeable stream errors not being handled

Changelog

Sourced from @​react-email/render's changelog.

2.0.8

Patch Changes

• e0e896f: Strip nul bytes from React 18 renderToPipeableStream output to prevent emails with multi-byte characters from being truncated.

2.0.7

Patch Changes

• 7fc539d: fix export map ordering between convex and node

2.0.7-canary.0

Patch Changes

• 7fc539d: fix export map ordering between convex and node

2.0.6

Patch Changes

• f6cfef0: fix: await stream.allReady before reading renderToReadableStream output

2.0.5

Patch Changes

• ecfc141: fix process crashes in client errors

2.0.4

Patch Changes

• 635dc8f: fix ErrorBoundary breaking server rendering

2.0.3

Patch Changes

• 366ae71: fix render going into client side rendering and breaking emails silently

2.0.2

Patch Changes

• 159f6e4: fix custom selectors overwriting the ones we defined
• 12ff166: fix pipeable stream errors not being handled

2.0.2-canary.0

... (truncated)

Commits

• 961d1d2 chore(root): version packages (#3445)
• e0e896f fix(render): remove nul bytes when using React 18 (#3406)
• 12f4620 chore(root): version packages (#3322)
• 48daf18 chore(root): version packages (canary) (#3271)
• 7fc539d fix(render): reorder node above convex in exports map (#3276)
• 291aea4 chore(root): version packages (#3117)
• f6cfef0 fix(render): await stream.allReady before reading renderToReadableStream outp...
• 1191b35 chore(root): version packages (#3084)
• ecfc141 fix: prevent process crash by rejecting error instead of throwing in renderTo...
• 1f27dcd feat: pnpm catalogs (#3014)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​react-email/render since your current version.

Updates @sentry/nextjs from 10.51.0 to 10.52.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.52.0

Important Changes

• Beta release of the official Hono Sentry SDK

  This release marks the beta release of the @sentry/hono Sentry SDK. For details on how to use it, check out the Sentry Hono SDK docs. Please reach out on GitHub if you have any feedback or concerns.

• feat(browser): Add ingest_settings to v2 log envelope payload (#20453)

  Inference of user data (e.g. IP address, browser name/version) on log events is now gated behind the sendDefaultPii option. Previously, this data was always inferred by default.

Other Changes

• docs(hono): Add new docs link and move to BETA release (#20666)
• feat(browser): Add ingest_settings to v2 metrics envelope payload (#20454)
• feat(browser): Migrate spotlight event processor to ignoreSpans (#20595)
• feat(cloudflare): Capture request body via httpServerIntegration (#20614)
• feat(cloudflare): Support rpc trace propagation for WorkerEntrypoint (#20523)
• feat(cloudflare): Support tracing for queue producer (#20529)
• feat(core): Apply request data to segment spans in span streaming (#20654)
• feat(core): Migrate Vercel AI event processor to span streaming (#20608)
• feat(deno): Add processSegmentSpan to Deno context integration (#20613)
• feat(http): Portable node:http client instrumentation (#20393)
• feat(nitro): Add unstorage tracing channel instrumentation (#20615)
• feat(node-core): Add processSegmentSpan to node context integration (#20678)
• feat(node): Use diagnostics_channel for redis >= 5.12.0 (#20573)
• feat(node): Vendor ioredis, redis instrumentations (#20510)
• feat(replay): Reset replay id from DSC on session expiry/refresh (#20129)
• fix: Bump fast-xml-parser to fix vulnerability (#20644)
• fix: Bump vite versions to fix vulnerability (#20646)
• fix(core): Drain buffers in flush() when there is no transport (#20207)
• fix(core): Guard against undefined chained in copyProps (#20637)
• fix(deps): Bump rollup-plugin-license to fix lodash vulnerabilities (#20636)
• fix(deps): Bump transitive deps for medium security fixes (#20683)
• fix(hono): Do not capture 3xx and 4xx errors and add tests (#20640)
• fix(nextjs): Skip build modification when SRI is enabled (#20694)
• fix(opentelemetry): Respect OTEL_SERVICE_NAME, OTEL_RESOURCE_ATTRIBUTES (#20509)

• chore: Remove bundle-analyzer-scenarios dev packages (#20680)
• chore(deps): Bump @​hono/node-server from 1.19.10 to 1.19.13 (#20117)
• chore(deps): Bump @​nestjs packages to fix path-to-regexp ReDoS (#20642)
• chore(deps): Bump axios from 1.15.0 to 1.15.2 (#20665)
• chore(deps): Bump ip-address from 10.1.0 to 10.2.0 (#20695)
• chore(deps): Bump simple-git from 3.33.0 to 3.36.0 (#20696)
• chore(deps): Bump vulnerable testem version (#20634)

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.52.0

Important Changes

• Beta release of the official Hono Sentry SDK

  This release marks the beta release of the @sentry/hono Sentry SDK. For details on how to use it, check out the Sentry Hono SDK docs. Please reach out on GitHub if you have any feedback or concerns.

• feat(browser): Add ingest_settings to v2 log envelope payload (#20453)

  Inference of user data (e.g. IP address, browser name/version) on log events is now gated behind the sendDefaultPii option. Previously, this data was always inferred by default.

Other Changes

• docs(hono): Add new docs link and move to BETA release (#20666)
• feat(browser): Add ingest_settings to v2 metrics envelope payload (#20454)
• feat(browser): Migrate spotlight event processor to ignoreSpans (#20595)
• feat(cloudflare): Capture request body via httpServerIntegration (#20614)
• feat(cloudflare): Support rpc trace propagation for WorkerEntrypoint (#20523)
• feat(cloudflare): Support tracing for queue producer (#20529)
• feat(core): Apply request data to segment spans in span streaming (#20654)
• feat(core): Migrate Vercel AI event processor to span streaming (#20608)
• feat(deno): Add processSegmentSpan to Deno context integration (#20613)
• feat(http): Portable node:http client instrumentation (#20393)
• feat(nitro): Add unstorage tracing channel instrumentation (#20615)
• feat(node-core): Add processSegmentSpan to node context integration (#20678)
• feat(node): Use diagnostics_channel for redis >= 5.12.0 (#20573)
• feat(node): Vendor ioredis, redis instrumentations (#20510)
• feat(replay): Reset replay id from DSC on session expiry/refresh (#20129)
• fix: Bump fast-xml-parser to fix vulnerability (#20644)
• fix: Bump vite versions to fix vulnerability (#20646)
• fix(core): Drain buffers in flush() when there is no transport (#20207)
• fix(core): Guard against undefined chained in copyProps (#20637)
• fix(deps): Bump rollup-plugin-license to fix lodash vulnerabilities (#20636)
• fix(deps): Bump transitive deps for medium security fixes (#20683)
• fix(hono): Do not capture 3xx and 4xx errors and add tests (#20640)
• fix(nextjs): Skip build modification when SRI is enabled (#20694)
• fix(opentelemetry): Respect OTEL_SERVICE_NAME, OTEL_RESOURCE_ATTRIBUTES (#20509)

• chore: Remove bundle-analyzer-scenarios dev packages (#20680)
• chore(deps): Bump @​hono/node-server from 1.19.10 to 1.19.13 (#20117)
• chore(deps): Bump @​nestjs packages to fix path-to-regexp ReDoS (#20642)
• chore(deps): Bump axios from 1.15.0 to 1.15.2 (#20665)
• chore(deps): Bump ip-address from 10.1.0 to 10.2.0 (#20695)
• chore(deps): Bump simple-git from 3.33.0 to 3.36.0 (#20696)

... (truncated)

Commits

• 4b911e0 release: 10.52.0
• 781f31c Merge pull request #20707 from getsentry/prepare-release/10.52.0
• 11a64f6 meta(changelog): Update changelog for 10.52.0
• e185818 feat(node-core): Add processSegmentSpan to node context integration (#20678)
• 7e49571 feat(node): use diagnostics_channel for redis >= 5.12.0 (#20573)
• a8ab715 feat(replay): Reset replay id from DSC on session expiry/refresh (#20129)
• 7efc03f feat(core): Apply request data to segment spans in span streaming (#20654)
• 01d0a70 feat(core): Migrate Vercel AI event processor to span streaming (#20608)
• 12cd3e5 fix(nextjs): Skip build modification when SRI is enabled (#20694)
• f1f534c fix(deps): Bump transitive deps for medium security fixes (#20683)
• Additional commits viewable in compare view

Updates @supabase/ssr from 0.10.2 to 0.10.3

Release notes

Sourced from @​supabase/ssr's releases.

v0.10.3

0.10.3 (2026-05-07)

Bug Fixes

• allow cookies encode without getAll/setAll on browser client (#213) (89f3f28), closes #170
• enable tree-shaking for browser bundles (#216) (f009d71)
• tsconfig: set explicit rootDir to silence TS6059 in consumer IDEs (#211) (a77ee8a), closes #209
• validate base64-prefixed chunked cookies decode to valid JSON (#210) (302cc0e)

v0.10.3-rc.101

What's Changed

• fix: allow cookies encode without getAll/setAll on browser client by @​mandarini in supabase/ssr#213

Full Changelog: supabase/ssr@v0.10.3-rc.100...v0.10.3-rc.101

v0.10.3-rc.100

What's Changed

• chore: update @​supabase/supabase-js to v2.105.3 by @​supabase-libs-pr-manager[bot] in supabase/ssr#215
• fix: enable tree-shaking for browser bundles by @​mandarini in supabase/ssr#216

Full Changelog: supabase/ssr@v0.10.3-rc.98...v0.10.3-rc.100

v0.10.3-rc.98

What's Changed

• chore: update @​supabase/supabase-js to v2.105.2 by @​supabase-libs-pr-manager[bot] in supabase/ssr#214
• fix: validate base64-prefixed chunked cookies decode to valid JSON by @​mandarini in supabase/ssr#210

Full Changelog: supabase/ssr@v0.10.3-rc.96...v0.10.3-rc.98

v0.10.3-rc.96

What's Changed

• chore: update @​supabase/supabase-js to v2.103.0 by @​supabase-libs-pr-manager[bot] in supabase/ssr#199
• chore: update @​supabase/supabase-js to v2.103.2 by @​supabase-libs-pr-manager[bot] in supabase/ssr#201
• chore: update @​supabase/supabase-js to v2.104.0 by @​supabase-libs-pr-manager[bot] in supabase/ssr#203
• chore: update @​supabase/supabase-js to v2.104.1 by @​supabase-libs-pr-manager[bot] in supabase/ssr#204
• chore: update @​supabase/supabase-js to v2.105.0 by @​supabase-libs-pr-manager[bot] in supabase/ssr#206
• chore: update @​supabase/supabase-js to v2.105.1 by @​supabase-libs-pr-manager[bot] in supabase/ssr#208
• fix(tsconfig): set explicit rootDir to silence TS6059 in consumer IDEs by @​mandarini in supabase/ssr#211

Full Changelog: supabase/ssr@v0.10.2...v0.10.3-rc.96

Changelog

Sourced from @​supabase/ssr's changelog.

0.10.3 (2026-05-07)

Bug Fixes

• allow cookies encode without getAll/setAll on browser client (#213) (89f3f28), closes #170
• enable tree-shaking for browser bundles (#216) (f009d71)
• tsconfig: set explicit rootDir to silence TS6059 in consumer IDEs (#211) (a77ee8a), closes #209
• validate base64-prefixed chunked cookies decode to valid JSON (#210) (302cc0e)

Commits

• 9630b33 chore(main): release 0.10.3 (#212)
• 89f3f28 fix: allow cookies encode without getAll/setAll on browser client (#213)
• f009d71 fix: enable tree-shaking for browser bundles (#216)
• 4fef7d9 chore: update @​supabase/supabase-js to v2.105.3 (#215)
• 302cc0e fix: validate base64-prefixed chunked cookies decode to valid JSON (#210)
• 8449015 chore: update @​supabase/supabase-js to v2.105.2 (#214)
• a77ee8a fix(tsconfig): set explicit rootDir to silence TS6059 in consumer IDEs (#211)
• 65453df chore: update @​supabase/supabase-js to v2.105.1 (#208)
• 2ec3349 chore: update @​supabase/supabase-js to v2.105.0 (#206)
• 0ca0031 chore: update @​supabase/supabase-js to v2.104.1 (#204)
• Additional commits viewable in compare view

Updates @supabase/supabase-js from 2.105.1 to 2.105.4

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.105.4

2.105.4 (2026-05-08)

🩹 Fixes

• auth: return null from getItemAsync on JSON parse failure (#2336)
• postgrest: restore non-Error abort detection in fetch catch (#2335)
• realtime: guard sessionStorage access in restricted-storage browsers (#2339)

v2.105.4-canary.2

2.105.4-canary.2 (2026-05-08)

This was a version bump only, there were no code changes.

v2.105.4-canary.1

2.105.4-canary.1 (2026-05-08)

🩹 Fixes

• realtime: guard sessionStorage access in restricted-storage browsers (#2339)

v2.105.4-canary.0

2.105.4-canary.0 (2026-05-08)

🩹 Fixes

• auth: return null from getItemAsync on JSON parse failure (#2336)
• postgrest: restore non-Error abort detection in fetch catch (#2335)

v2.105.3

2.105.3 (2026-05-04)

🩹 Fixes

• auth: narrow OAuth/CustomProvider types to fix downstream consumer typecheck (#2326)

v2.105.2

2.105.2 (2026-05-04)

🩹 Fixes

• auth: forward lockAcquireTimeout to SupabaseAuthClient (#2309)
• auth: add toJSON to WebAuthnError for correct JSON serialization (#2317)
• misc: widen enum-like unions with (string & {}) for forward compat (#2303)
• misc: reduce any usage across packages (#2314)
• postgrest: unify insert/upsert signatures (#2315)

❤️ Thank You

• Muzzaiyyan Hussain @​MuzzaiyyanHussain

... (truncated)

Commits

• db53b0f chore(release): version 2.105.2 changelogs (#2323)
• 5223888 [patchback] docs(repo): @​category and @​subcategory tags across all packages (...
• 0412d0d fix(auth): forward lockAcquireTimeout to SupabaseAuthClient (#2309)
• 42c9cbb [patchback] fix(misc): widen enum-like unions with (string & {}) for forward ...
• 7e1773c chore(release): version 2.105.1 changelogs (#2302)
• See full diff in compare view

Updates @types/qrcode from 1.5.5 to 1.5.6

Commits

• See full diff in compare view

Updates @vercel/og from 0.6.5 to 0.11.1

Updates cmdk from 1.0.4 to 1.1.1

Release notes

Sourced from cmdk's releases.

v1.1.1

What's Changed

• Fix unintended double triggering of key bindings during IME composition by @​JaeSeoKim in pacocoursey/cmdk#339

New Contributors

• @​JaeSeoKim made their first contribution in pacocoursey/cmdk#339

Full Changelog: dip/cmdk@v1.1.0...v1.1.1

v1.1.0

What's Changed

• fix useCmdk return type by @​lsmurray in pacocoursey/cmdk#329
• fix: update the type of the defaultFilter by @​muZk in pacocoursey/cmdk#338
• [Accessibility] Use id instead of children by @​UltimateGG in pacocoursey/cmdk#254
• Use @radix-ui/react-compose-refs to merge refs, save on bundle size
• Use React built-in useSyncExternalStore and remove shim. Note that React 18 has always been a required peerDependency of cmdk

New Contributors

• @​lsmurray made their first contribution in pacocoursey/cmdk#329
• @​muZk made their first contribution in pacocoursey/cmdk#338
• @​UltimateGG made their first contribution in pacocoursey/cmdk#254

Full Changelog: dip/cmdk@v1.0.4...v1.1.0

Commits

• fb4ea04 v1.1.1
• f34d463 Fix unintended double triggering of key bindings during IME composition (#339)
• 2814a00 v1.1.0
• d46ed21 use built-in React uSES
• ec02b5e use composeRefs from radix
• e5444d2 remove unused code
• 34f3074 [Accessibility] Use id instead of children (#254)
• b2d94bd fix: update the type of the defaultFilter (#338)
• 9827edf fix useCmdk return type (#329)
• See full diff in compare view

Updates marked from 14.1.4 to 18.0.3

Release notes

Sourced from marked's releases.

v18.0.3

18.0.3 (2026-05-01)

Bug Fixes

• avoid task checkbox for setext heading text (#3960) (2608e81)

v18.0.2

18.0.2 (2026-04-18)

Bug Fixes

• fix infinite loop for indented code blank line (#3947) (58a52e8)

v18.0.1

18.0.1 (2026-04-17)

Bug Fixes

• rules: ensure lookbehind regex is evaluated correctly by minifiers (#3945) (abd907a)

v18.0.0

18.0.0 (2026-04-07)

Bug Fixes

• Bump typescript from 5.9.3 to 6.0.2 (#3934) (e8efc51)
• prevent GFM table tokens from greedily capturing trailing newlines (#3926) (40f2665)
• prevent heading and def tokens from greedily capturing multiple newlines (#3925) (b379e3e)
• trim blank lines from block tokens (#3939) (b70895f)

BREAKING CHANGES

• trim trailing blank lines from block tokens
• update Typescript to v6

v17.0.6

17.0.6 (2026-04-05)

Bug Fixes

• avoid race condition in async parallel parse/parseInline with hooks (#3924) (6e96fa7)
• cli: honor positional input file (#3922) (a1c2617)
• cli: use file URL for config import (#3923) (73e1f3f)

... (truncated)

Commits

• e8dc395 chore(release): 18.0.3 [skip ci]
• 2608e81 fix: avoid task checkbox for setext heading text (#3960)
• dba76f6 chore(deps-dev): bump eslint from 10.2.0 to 10.2.1 (#3953)
• 015f1eb chore(deps-dev): bump typescript from 6.0.2 to 6.0.3 (#3954)
• 17c06e9 chore: fix building license for docs (#3952)
• 55a54b5 chore: Rename LICENSE.md to LICENSE for better compatibility with Bazel tooli...
• c4f4529 chore(release): 18.0.2 [skip ci]
• 58a52e8 fix: fix infinite loop for indented code blank line (#3947)
• 98b3824 chore(release): 18.0.1 [skip ci]
• abd907a fix(rules): ensure lookbehind regex is evaluated correctly by minifiers (#3945)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for marked since your current version.

Updates nanoid from 5.0.9 to 5.1.11

Release notes

Sourced from nanoid's releases.

5.1.11

• Fixed breaking Nano ID by requesting big ID.

5.1.10

• Fixed breaking nanoid by requesting big ID (by @​alanzabihi).

5.1.9

• Fixed npm package size regression.

5.1.8

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

5.1.7

• Added --version to CLI (by @​mahmoodhamdi).
• Updated nanoid.js for CDN (by @​mahmoodhamdi).
• Fixed docs (by @​mahmoodhamdi).
• Fixed customRandom types (by @​oguimbal).

5.1.6

• Fixed infinite loop on 0 size for customAlphabet.

5.1.5

• Fixed latest version on npm after 3.x release.

5.1.4

• Fixed latest version on npm after 3.x release.

5.1.3

• Fixed React Native support (by @​steida).

5.1.2

• Fixed module docs.

5.1.1

• Fixed opaque types support for non-secure generator.
• Added JSR support.

5.1.0

• Added opaque types support (by @​kossnocorp).

Changelog

Sourced from nanoid's changelog.

5.1.11

• Fixed breaking Nano ID by requesting big ID.

5.1.10

• Fixed breaking Nano ID by requesting big ID (by @​alanzabihi).

5.1.9

• Fixed npm package size regression.

5.1.8

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

5.1.7

• Added --version to CLI (by @​mahmoodhamdi).
• Updated nanoid.js for CDN (by @​mahmoodhamdi).
• Fixed docs (by @​mahmoodhamdi).
• Fixed customRandom types (by @​oguimbal).

5.1.6

• Fixed infinite loop on 0 size for customAlphabet.

5.1.5

• Fixed latest version on npm after 3.x release.

5.1.4

• Fixed latest version on npm after 3.x release.

5.1.3

• Fixed React Native support (by @​steida).

5.1.2

• Fixed module docs.

5.1.1

• Fixed opaque types support for non-secure generator.
• Added JSR support.

5.1.0

... (truncated)

Commits

• 5423cf5 Release 5.1.11 version
• 2183894 Backport 3.3.12 changelog
• 7087969 Limit ID even more
• 013517b Temporary add pnpm-workspace.yaml to npm ignore
• 5db09ee Release 5.1.10 version
• be7901a Fix random pool break
• 974f73b Structure tests with describe() instead of prefix
• fe3e7ec Update dependencies
• 043a7c1 Move to pnpm 11
• e52d946 Release 5.1.9 version
• Additional commits viewable in compare view

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates react from 19.0.0 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

19.2.3 (December 11th, 2025)

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon facebook/react#35290)
• Patch Promise cycles and toString on Server Functions (Description has been truncated