chore(deps): bump the server-dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the server-dependencies group with 6 updates in the /apps/server directory:

Package	From	To
@aws-sdk/client-s3	3.1037.0	3.1073.0
@hocuspocus/server	4.1.0	4.3.0
marked	18.0.4	18.0.5
meilisearch	0.57.0	0.58.0
node-cron	4.2.1	4.5.0
yjs	13.6.30	13.6.31

Updates @aws-sdk/client-s3 from 3.1037.0 to 3.1073.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1073.0

3.1073.0(2026-06-19)

New Features

• client-glue: Adds the SearchAssets operation for discovering assets in the AWS Glue Data Catalog using full-text search and filters. Minor naming refinements across the Glossary Terms and Attachment APIs for consistency. (ef204650)
• client-connect: This is the release for point based scoring system and the evaluation form validation project (b19c162a)
• client-bedrock-agent: Add support for metadata-only retrieval on GetFlow, GetFlowVersion, and GetPrompt APIs. (c9d5fb33)
• client-appstream: Amazon WorkSpaces Agent Access now supports domain-joined fleets for enterprise identity integration, real-time agent observation with instant stop controls, and MCP tool forwarding for lower-latency, cost-effective desktop tool access. (d9c25f0b)
• client-opensearch: This release introduces data source attachment APIs, enabling users to attach and detach Amazon OpenSearch Service domains and Amazon OpenSearch Serverless collections to an OpenSearch application. (6cce3d69)

---

For list of updated packages, view updated-packages.md in assets-3.1073.0.zip

v3.1072.0

3.1072.0(2026-06-18)

Documentation Changes

• client-ec2: Documentation updates clarifying CancelCapacityReservation cancellable states (e3723ba7)

New Features

• client-compute-optimizer: This release surfaces two new metrics Volume IOPS Exceeded and Volume Throughput Exceeded into EBS volume rightsizing recommendations. (ded6618d)
• client-application-auto-scaling: Adds support for ECS high-resolution predefined scaling metrics (ECSServiceAverageCPUUtilizationHighResolution, ECSServiceAverageMemoryUtilizationHighResolution) enabling 20-second metric periods for faster scaling (95b3513a)
• client-cognito-identity-provider: In order to support the new TLS Self-Service feature, this change adds SecurityPolicyType to CustomDomainConfigType. During CreateUserPoolDomain and UpdateUserPoolDomain this is used to select a custom domain's TLS enforcement, and for DescribeUserPoolDomain it informs users about the current TLS. (e8937787)
• client-sagemaker: Adds support for automatic AMI patching on HyperPod clusters. Customers can configure patching strategies to automatically apply security patch with zero job termination. Customers can also specify an AMI version at instance group level and update cluster software to a certain AMI version. (fd33a5e4)
• client-ecs: Amazon ECS services now support high resolution (20 second) CloudWatch metrics for CPUUtilization and MemoryUtilization. Use these metrics for faster service auto scaling. (93055ac9)
• client-healthlake: Adding New Configurations to the FHIR Create Datastore. The new configurations include NLP Configuration, AnalyticsConfiguration, ProfileConfiguration (494fa59f)
• client-gamelift: Amazon GameLift Servers has launched support for customizing Linux capabilities in container fleets. You can now specify additional Linux capabilities for containers in a container group definition, giving you finer control over the default Docker capabilities available to your containers. (93cefd90)
• client-eks: Adds support for configurable control plane egress routing in Amazon EKS, allowing you to route control plane egress traffic through your VPC and control how the control plane reaches resources in your network such as webhook servers and OIDC providers. (693db629)
• client-lambda: Converging and fixing existing documentation gaps in Lambda SDK (6555a565)
• client-synthetics: CloudWatch Synthetics adds support for multi-location canaries. Customers can now monitor their endpoints from multiple locations with centralized management from a primary location. The SDK includes new parameters for configuring multiple locations and tracking their state. (f2c8b480)
• client-cloudwatch-logs: Added optional startFromHead parameter to FilterLogEvents enabling descending timestamp order (newest first) when set to false. Default true preserves existing ascending order. Reverse sorting requires a startTime on or after Jan 1, 2024. (1be63ed9)
• client-batch: Adds Support for ordered allocation strategies- BEST-FIT-PROGRESSIVE-ORDERED or SPOT-CAPACITY-OPTIMIZED-PRIORITIZED (0e57e53b)

---

For list of updated packages, view updated-packages.md in assets-3.1072.0.zip

v3.1071.0

3.1071.0(2026-06-17)

New Features

• client-partnercentral-selling: Cosell Resonate AND Prospecing API Launch with ARN correction (7e8c98ab)
• client-compute-optimizer-automation: This launch adds IfExists comparison operators to Compute Optimizer Automation rule criteria, so a rule can include recommended actions whose specified attribute isn't present. (ab2c616d)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1073.0 (2026-06-19)

Note: Version bump only for package @​aws-sdk/client-s3

3.1072.0 (2026-06-18)

Note: Version bump only for package @​aws-sdk/client-s3

3.1071.0 (2026-06-17)

Note: Version bump only for package @​aws-sdk/client-s3

3.1070.0 (2026-06-16)

Features

• client-s3: Added support for annotations. You can now attach up to 1000 annotations (up to 1 MB each) directly to objects and create, retrieve, list, and delete them using new annotation APIs. Also added support for configuring an annotation table in S3 Metadata. (c555874)

3.1069.0 (2026-06-15)

Note: Version bump only for package @​aws-sdk/client-s3

3.1068.0 (2026-06-12)

Note: Version bump only for package @​aws-sdk/client-s3

... (truncated)

Commits

• ee71adc Publish v3.1073.0
• 501cd33 Publish v3.1072.0
• 3ce820a Publish v3.1071.0
• 4f2cfe1 Publish v3.1070.0
• c555874 feat(client-s3): Added support for annotations. You can now attach up to 1000...
• 7058d13 Publish v3.1069.0
• 67981c5 chore(scripts): tuning the build graph (#8095)
• 0632f6d Publish v3.1068.0
• 0a3246f Publish v3.1067.0
• 4b11912 Publish v3.1066.0
• Additional commits viewable in compare view

Updates @hocuspocus/server from 4.1.0 to 4.3.0

Release notes

Sourced from @​hocuspocus/server's releases.

v4.3.0

What's Changed

• feat: add afterHandleMessage hook to run after message handling completion by @​janthurau in ueberdosis/hocuspocus#1112
• feat: enforce pre-auth resource limits to safeguard server stability by @​janthurau in ueberdosis/hocuspocus#1113

Full Changelog: ueberdosis/hocuspocus@v4.2.0...v4.3.0

v4.2.0

What's Changed

• feat: add unloadImmediately option to disconnect() for configurable document persistence behavior by @​janthurau in ueberdosis/hocuspocus#1111

Full Changelog: ueberdosis/hocuspocus@v4.1.2...v4.2.0

v4.1.2

What's Changed

• fix: delete debouncer timer entry before awaiting the in-flight execution by @​patrick-atticus in ueberdosis/hocuspocus#1110

New Contributors

• @​patrick-atticus made their first contribution in ueberdosis/hocuspocus#1110

Full Changelog: ueberdosis/hocuspocus@v4.1.1...v4.1.2

v4.1.1

What's Changed

• fix: client-initiated broadcastStateless by @​janthurau in ueberdosis/hocuspocus#1103
• Fix memory leak: destroy scratch Awareness objects in MessageReceiver by @​Copilot in ueberdosis/hocuspocus#1109
• Feature: expose sessionAwareness in provider-react HocuspocusRoom by @​t-schorn in ueberdosis/hocuspocus#1104

New Contributors

• @​t-schorn made their first contribution in ueberdosis/hocuspocus#1104

Full Changelog: ueberdosis/hocuspocus@v4.1.0...v4.1.1

Changelog

Sourced from @​hocuspocus/server's changelog.

4.3.0 (2026-06-18)

Features

• add afterHandleMessage hook to run after message handling completion (#1112) (abec66d)
• enforce pre-auth resource limits to safeguard server stability (#1113) (6e1a932)

4.2.0 (2026-06-12)

Features

• add unloadImmediately option to disconnect() for configurable document persistence behavior (#1111) (eeb4696)

4.1.2 (2026-06-11)

Bug Fixes

• delete debouncer timer entry before awaiting the in-flight execution (#1110) (f05f1d0), closes #1014

4.1.1 (2026-06-10)

Bug Fixes

• client-initiated broadcastStateless (#1103) (6872d08)

Commits

• 1129ae0 v4.3.0
• 6e1a932 feat: enforce pre-auth resource limits to safeguard server stability (#1113)
• abec66d feat: add afterHandleMessage hook to run after message handling completion ...
• 94fa0c7 v4.2.0
• eeb4696 feat: add unloadImmediately option to disconnect() for configurable docum...
• f3d761d v4.1.2
• f05f1d0 fix: delete debouncer timer entry before awaiting the in-flight execution (#1...
• a07826a v4.1.1
• 5e3dd91 Feature: expose sessionAwareness in provider-react HocuspocusRoom (#1104)
• 79e9fe7 build(deps): bump hono from 4.12.18 to 4.12.21 (#1106)
• Additional commits viewable in compare view

Updates marked from 18.0.4 to 18.0.5

Release notes

Sourced from marked's releases.

v18.0.5

18.0.5 (2026-06-04)

Bug Fixes

• parse empty list item with trailing space (#3984) (b55410f)

Commits

• 4063c63 chore(release): 18.0.5 [skip ci]
• b55410f fix: parse empty list item with trailing space (#3984)
• c6e667b chore(deps-dev): bump eslint from 10.4.0 to 10.4.1 (#3986)
• 95f98ec chore(deps-dev): bump @​arethetypeswrong/cli from 0.18.2 to 0.18.3 (#3985)
• c1a86f0 Add Node.js usage example to README (#3983)
• 763f729 chore(deps-dev): bump marked-man from 2.1.0 to 2.1.1 (#3978)
• 2cf1fd0 chore(deps-dev): bump markdown-it from 14.1.1 to 14.2.0 (#3977)
• See full diff in compare view

Updates meilisearch from 0.57.0 to 0.58.0

Release notes

Sourced from meilisearch's releases.

v0.58.0

🚀 Enhancements

• Add dynamic search rules (#2171) @​Strift

⚙️ Maintenance/misc

• build(deps-dev): bump lint-staged from 16.2.7 to 16.4.0 (#2166) @dependabot[bot]
• build(deps-dev): bump typedoc from 0.28.15 to 0.28.18 (#2165) @dependabot[bot]
• build(deps-dev): bump the vitest group across 1 directory with 2 updates (#2161) @dependabot[bot]
• build(deps-dev): bump @​types/node from 24.10.13 to 24.12.0 (#2164) @dependabot[bot]
• build(deps-dev): bump the eslint group across 1 directory with 2 updates (#2159) @dependabot[bot]
• build(deps): bump codecov/codecov-action from 5 to 6 (#2160) @dependabot[bot]
• Make tests compatible with Meilisearch v1.42.0 (#2169) @​Strift
• build(deps-dev): bump vite from 8.0.0 to 8.0.5 (#2177) @dependabot[bot]

Thanks again to @​Strift, @​curquiza, @​dependabot[bot], and dependabot[bot]! 🎉

Commits

• 70ac04b Update version for the next release (v0.58.0) in package.json
• 6dd94ea build(deps-dev): bump vite from 8.0.0 to 8.0.5
• 17343bc Update experimental features test
• 133e1d0 Update experimental features
• deee206 Rename files
• c4d11a9 Check presence of expected fields only
• e2ec121 Update types
• f0d7a23 Add dynamic search rules
• c162ca3 Make tests compatible with v1.42.0
• 1d7221b chore: remove unused code samples
• Additional commits viewable in compare view

Updates node-cron from 4.2.1 to 4.5.0

Release notes

Sourced from node-cron's releases.

v4.5.0

Added

• lastRun() introspection getter on ScheduledTask: returns { date, result } after a successful execution, { date, error } after a failed one, or null before the first run.
• Extended day-of-week tokens: <weekday>#<nth> (nth weekday of the month, e.g. 1#1 for the first Monday) and <weekday>L (last weekday of the month, e.g. 5L for the last Friday).

Performance

• Cache Intl.DateTimeFormat instances per timezone instead of rebuilding on every call.
• Parse the cron expression once per TimeMatcher instead of re-parsing in MatcherWalker.
• Compute the GMT offset lazily (only when formatting ISO strings, not during the next-run search).
• Replace crypto.randomBytes with crypto.randomUUID for internal ID generation.
• Skip setTimeout jitter wrapper when maxRandomDelay is zero.
• Bundle dist into flat files instead of preserving the module tree (reduces import time).

Fixed

• Flaky should schedule a task test: poll for the first execution instead of asserting an exact count after a fixed sleep.

Changed

• Renamed internal functions interprete to interpret and appendSeccondExpression to appendSecondExpression.
• Rewritten README and package metadata to surface scheduling capabilities (overlap prevention, distributed coordination, background tasks).

v4.4.1

Patch release.

Changed

• Renamed the distributedTtl task option to distributedLease (same meaning: the safety lease, in ms, for lease-based run coordinators). distributedTtl was the only abbreviation in the options API and shipped just days ago in 4.4.0, so it's removed without an alias. If you adopted distributedTtl from 4.4.0, rename it to distributedLease. (#551)

Full Changelog: node-cron/node-cron@v4.4.0...v4.4.1

v4.4.0

Features

• Distributed run coordination — opt-in distributed: true runs a task on a single instance per fire across a fleet (the #477 use case). Ships a built-in NODE_CRON_RUN env-var default (one designated runner, no dependencies) and a pluggable RunCoordinator (via setRunCoordinator, or the per-task runCoordinator option) for high-availability, per-fire coordination (e.g. a Redis lock). Adds the distributedTtl option and an execution:skipped event carrying a reason ('not-elected' | 'coordinator-error'). Works for inline and background tasks. (#549, closes #477)
• Task introspection on ScheduledTask: getNextRuns(n) (preview the next N run times), match(date), msToNext(), isBusy(), runsLeft() and getPattern(). (#547)
• cron.parse(expression) and cron.validateDetailed(expression) — decompose an expression into its fields, or get every field-level problem (without throwing) for tooling and richer error messages. (#548)

Fixes

• getNextMatch no longer scans every time of day on a day that matches the day-of-month but not the weekday. A dense expression constrained by both (e.g. * * * 15 * 1) could take minutes to resolve; it is now instant. (#542)

Internal

• Cleanups with no public API change: fixed the milisecond → millisecond spelling and the convertion/ → conversion/ directory name. (#543)

Docs

• New Distributed Coordination guide, plus pages for task introspection and parse/validateDetailed, at nodecron.com.

Full Changelog: node-cron/node-cron@v4.3.0...v4.4.0

v4.3.0

Features

• L (last day of month) in the day-of-month field — e.g. 0 0 12 L * *, leap-year aware, and combinable with explicit days (15,L). (#396, closes #147 — thanks @​antonidasyang)
• missedExecutionTolerance option (ms, default 1000): a heartbeat that wakes a little late still runs its slot instead of being reported as missed. Always capped to the gap to the next slot. (#534, closes #485)
• startTimeout option for background tasks (ms, default 5000). (#535)

... (truncated)

Changelog

Sourced from node-cron's changelog.

[4.5.0] - 2026-06-21

Added

• lastRun() introspection getter on ScheduledTask: returns { date, result } after a successful execution, { date, error } after a failed one, or null before the first run. (#557)
• Extended day-of-week tokens: <weekday>#<nth> (nth weekday of the month, e.g. 1#1 for the first Monday) and <weekday>L (last weekday of the month, e.g. 5L for the last Friday). (#560)

Performance

• Cache Intl.DateTimeFormat instances per timezone instead of rebuilding on every call. (#561)
• Parse the cron expression once per TimeMatcher instead of re-parsing in MatcherWalker. (#562)
• Compute the GMT offset lazily (only when formatting ISO strings, not during the next-run search). (#563)
• Replace crypto.randomBytes with crypto.randomUUID for internal ID generation. (#564)
• Skip setTimeout jitter wrapper when maxRandomDelay is zero. (#565)
• Bundle dist into flat files instead of preserving the module tree (reduces import time). (#566)

Fixed

• Flaky should schedule a task test: poll for the first execution instead of asserting an exact count after a fixed sleep.

Changed

• Renamed internal functions interprete to interpret and appendSeccondExpression to appendSecondExpression. (#567)
• Rewritten README and package metadata to surface scheduling capabilities (overlap prevention, distributed coordination, background tasks). (#568)

[4.4.1] - 2026-06-18

Changed

• Renamed the distributedTtl option to distributedLease (same meaning: the safety lease, in ms, for lease-based coordinators). The old name was the only abbreviation in the options API; the new one groups with distributed. distributedTtl was introduced in 4.4.0 and is removed without an alias.

[4.4.0] - 2026-06-17

Added

• Task introspection on ScheduledTask: getNextRuns(n) (preview the next N run times), match(date), msToNext(), isBusy(), runsLeft() and getPattern(). (#547)
• cron.parse(expression) and cron.validateDetailed(expression): decompose an expression into its fields, or get every field-level problem (without throwing) for tooling and richer error messages. (#548)

... (truncated)

Commits

• cd9a5a7 chore(release): 4.5.0 (#569)
• fbdd883 Rewrite README to surface scheduling capabilities (#568)
• c80a396 perf(build): bundle dist into flat files instead of preserving modules (#566)
• b71b9b1 Fix typos in internal function names (#567)
• 7c5015c perf(id): drop crypto.randomBytes from internal id generation (#564)
• dd0a2a9 perf(pattern): parse cron expression once per TimeMatcher (#562)
• cf69f32 perf(time): cache Intl.DateTimeFormat instances per timezone (#561)
• dad56e1 perf(runner): run inline when no random delay is configured (#565)
• a309d5f perf(time): compute the GMT offset lazily (#563)
• c2db9d1 feat: support extended day-of-week tokens (# nth weekday and L last weekday) ...
• Additional commits viewable in compare view

Updates yjs from 13.6.30 to 13.6.31

Release notes

Sourced from yjs's releases.

v13.6.31

• Merge branch 'ppiotrowicz-fix/757-undo-attr-redo' into v13 1ddba7e4
• fix #757 in v13 d9aaff72
• fix undoing setAttribute combined with delete corrupts remote state - closes #757 67c809ee

---

yjs/yjs@v13.6.30...v13.6.31

Commits

• 2713308 13.6.31
• 1ddba7e Merge branch 'ppiotrowicz-fix/757-undo-attr-redo' into v13
• d9aaff7 fix #757 in v13
• 67c809e fix undoing setAttribute combined with delete corrupts remote state - closes ...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: server. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.