fix(deps): bump the production-deps group across 1 directory with 14 updates

[dependabot]

Bumps the production-deps group with 14 updates in the / directory:

Package	From	To
@aws-sdk/client-s3	3.1057.0	3.1068.0
@nestjs/common	11.1.24	11.1.26
@nestjs/core	11.1.24	11.1.26
@nestjs/platform-express	11.1.24	11.1.26
ioredis	5.11.0	5.11.1
nodemailer	8.0.10	8.0.11
pdfkit	0.18.0	0.19.1
sanitize-html	2.17.4	2.17.5
lucide-react	1.17.0	1.18.0
next	16.2.6	16.2.9
radix-ui	1.4.3	1.5.0
react	19.2.6	19.2.7
react-dom	19.2.6	19.2.7
react-hook-form	7.77.0	7.78.0

Updates @aws-sdk/client-s3 from 3.1057.0 to 3.1068.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1068.0

3.1068.0(2026-06-12)

Documentation Changes

• client-iam: Updating documentation for select service-specific credential APIs (f572228a)

New Features

• clients: update client endpoints as of 2026-06-12 (3f89d039)
• client-acm: Certificate transparency logging opt-out is no longer available. Per compliance requirements, all public ACM certificates are automatically recorded in certificate transparency logs. The CertificateTransparencyLoggingPreference option is deprecated. (ca60b0f9)
• client-eks: Patches missing enum values for EKS updates (c2df34dc)
• client-sagemaker-runtime: Added support for inline request payloads to the InvokeEndpointAsync operation to allow users to provide the inference payload directly in the request Body (up to 128,000 bytes) as an alternative to uploading the payload to Amazon S3 and passing InputLocation. (c4e229dd)
• client-glue: Adds support for retrieving Apache Iceberg table metadata via GetTable. Use the new AttributesToGet parameter with LATEST ICEBERG METADATA to receive schema, partition specs, sort orders, and table properties in the response. (f45445f9)
• client-firehose: Update KeyARN in DeliveryStreamEncryptionConfigurationInput to accept KMS key ARNs only (not alias ARNs), matching service behavior. (80837cd3)
• client-bedrock-agentcore: Added tagging and CMK support across optimization, an explanation field in recommendation output, and an insights feature to identify failure patterns, extract user intents, and summarize execution behavior (1c06496f)
• client-devops-agent: Adds support for Trigger CRUD APIs (CreateTrigger, GetTrigger, UpdateTrigger, DeleteTrigger, ListTriggers) for managing schedule-based automation triggers in DevOps Agent agent spaces. (7139cf1e)
• client-bedrock-agentcore-control: Added tagging and CMK support for optimizations and an insights feature to identify failure patterns, extract user intents, and summarize execution behavior (571ac1e7)

---

For list of updated packages, view updated-packages.md in assets-3.1068.0.zip

v3.1067.0

3.1067.0(2026-06-11)

Documentation Changes

• suggest UndiciHttpHandler as an alternative request handler (#8092) (bd18a9f0)

New Features

• client-eks: Introduce new CreateCluster parameters for Amazon EKS local clusters on AWS Outposts. Added etcdInstanceType for configuring the EC2 instance type for dedicated etcd instances, and spreadLevel for configuring the placement group spread level for Kubernetes control plane and etcd instances. (383363d5)
• client-omics: Adds support for workflowName in the ListRuns API response. (fa2f4604)
• client-neptune: Amazon Neptune now supports IPv6 dual-stack networking. You can create and manage Neptune DB clusters accessible over both IPv4 and IPv6 by specifying NetworkType as DUAL in CreateDBCluster, ModifyDBCluster, RestoreDBClusterFromSnapshot, and RestoreDBClusterToPointInTime API operations (ae089f94)
• client-bedrock-agentcore: Adds support to perform cross account data plane actions on an AgentCore Memory resource (8d92e480)
• client-healthlake: Adds the UpdateFHIRDatastore API and adds analytics, NLP, and profile configuration support to CreateFHIRDatastore and DescribeFHIRDatastore. (c74ab005)
• client-bedrock-agentcore-control: Supports deterministic metadata for AgentCore Memory (af7a995a)
• client-support: Adding new BDD representation of endpoint ruleset (cd9dac21)

---

For list of updated packages, view updated-packages.md in assets-3.1067.0.zip

v3.1066.0

3.1066.0(2026-06-10)

New Features

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1068.0 (2026-06-12)

Note: Version bump only for package @​aws-sdk/client-s3

3.1067.0 (2026-06-11)

Note: Version bump only for package @​aws-sdk/client-s3

3.1066.0 (2026-06-10)

Note: Version bump only for package @​aws-sdk/client-s3

3.1065.0 (2026-06-09)

Note: Version bump only for package @​aws-sdk/client-s3

3.1064.0 (2026-06-08)

Note: Version bump only for package @​aws-sdk/client-s3

3.1063.0 (2026-06-05)

Note: Version bump only for package @​aws-sdk/client-s3

3.1062.0 (2026-06-04)

... (truncated)

Commits

• 0632f6d Publish v3.1068.0
• 0a3246f Publish v3.1067.0
• 4b11912 Publish v3.1066.0
• e4ef6c5 test: use crypto.randomUUID for resource names in e2e tests (#8091)
• 62daf07 Publish v3.1065.0
• bac7175 Publish v3.1064.0
• 86792c5 chore(scripts): update pkg json linting (#8082)
• 85dabf4 Publish v3.1063.0
• 9bd1a86 chore: update author URL in package.json (#8080)
• f5235bb Publish v3.1062.0
• Additional commits viewable in compare view

Updates @nestjs/common from 11.1.24 to 11.1.26

Release notes

Sourced from @​nestjs/common's releases.

v11.1.26

What's Changed

• fix(core): post sse endpoint empty response #17098 by @​kamilmysliwiec in nestjs/nest#17099

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

• fix(microservices): reject pending Redis requests on close by @​yudin-s in nestjs/nest#17024
• fix(core): register SSE close listener before async setup by @​fallintoplace in nestjs/nest#17018
• fix(platform-fastify): remove pathname ending slash by @​kamilmysliwiec in nestjs/nest#17094

New Contributors

• @​fallintoplace made their first contribution in nestjs/nest#17018
• @​DucMinhNe made their first contribution in nestjs/nest#17085
• @​iambeaukim made their first contribution in nestjs/nest#17091

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

Commits

• 9ff83d5 chore(release): publish v11.1.26 release
• 02f8041 chore(release): publish v11.1.25 release
• 1634915 test(common): Add unit tests for cli-colors utility
• 380bf5c Merge pull request #17058 from Se3do/test/extend-metadata
• af4542b test(common): Add unit tests for assignCustomParameterMetadata
• b67aea1 test(common): Add unit tests for extendArrayMetadata
• e1e4014 test(common): Tighten throw assertions in validateModuleKeys spec
• 6b97771 test(common): Add unit tests for validateModuleKeys
• 5a57222 test(common): add unit test for Optional decorator
• deed1b3 docs(common): add @​see reference to Res alias JSDoc
• Additional commits viewable in compare view

Updates @nestjs/core from 11.1.24 to 11.1.26

Release notes

Sourced from @​nestjs/core's releases.

v11.1.26

What's Changed

• fix(core): post sse endpoint empty response #17098 by @​kamilmysliwiec in nestjs/nest#17099

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

• fix(microservices): reject pending Redis requests on close by @​yudin-s in nestjs/nest#17024
• fix(core): register SSE close listener before async setup by @​fallintoplace in nestjs/nest#17018
• fix(platform-fastify): remove pathname ending slash by @​kamilmysliwiec in nestjs/nest#17094

New Contributors

• @​fallintoplace made their first contribution in nestjs/nest#17018
• @​DucMinhNe made their first contribution in nestjs/nest#17085
• @​iambeaukim made their first contribution in nestjs/nest#17091

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

Commits

• 9ff83d5 chore(release): publish v11.1.26 release
• 0f398fd test: fix broken unit test
• d152eec fix(core): post sse endpoint empty response #17098
• 02f8041 chore(release): publish v11.1.25 release
• e2ad4e2 Update package.json
• 396cf81 refactor(core): avoid duplicating sse intercept call
• 55cd699 fix(core): preserve deferred SSE handlers
• 7b5ca83 fix(core): register SSE close listener before async setup
• See full diff in compare view

Updates @nestjs/platform-express from 11.1.24 to 11.1.26

Release notes

Sourced from @​nestjs/platform-express's releases.

v11.1.26

What's Changed

• fix(core): post sse endpoint empty response #17098 by @​kamilmysliwiec in nestjs/nest#17099

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

• fix(microservices): reject pending Redis requests on close by @​yudin-s in nestjs/nest#17024
• fix(core): register SSE close listener before async setup by @​fallintoplace in nestjs/nest#17018
• fix(platform-fastify): remove pathname ending slash by @​kamilmysliwiec in nestjs/nest#17094

New Contributors

• @​fallintoplace made their first contribution in nestjs/nest#17018
• @​DucMinhNe made their first contribution in nestjs/nest#17085
• @​iambeaukim made their first contribution in nestjs/nest#17091

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

Commits

• 9ff83d5 chore(release): publish v11.1.26 release
• 02f8041 chore(release): publish v11.1.25 release
• See full diff in compare view

Updates ioredis from 5.11.0 to 5.11.1

Release notes

Sourced from ioredis's releases.

v5.11.1

5.11.1 (2026-06-04)

Bug Fixes

• cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)
• parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

Changelog

Sourced from ioredis's changelog.

5.11.1 (2026-06-04)

Bug Fixes

• cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)
• parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

Commits

• fb224a7 chore(release): 5.11.1 [skip ci]
• 131ee24 fix: parse protocol-relative Redis URLs as TCP connections (#2125)
• c84b2ee fix(cluster): reconnect to nodes that restart without slot changes (#2096)
• See full diff in compare view

Updates nodemailer from 8.0.10 to 8.0.11

Release notes

Sourced from nodemailer's releases.

v8.0.11

8.0.11 (2026-06-10)

Bug Fixes

• apply the transport-level newline option in stream and sendmail transports (cb4f904)
• include icalEvent path/href content in the application/ics attachment (b801c48)
• parse Ethereal response props without polynomial regex backtracking (067aebe)
• resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
• return the promise from every resolveContent branch (07ffe8c)
• strip the url scheme from List-ID header values (77e5885)
• tag AWS SES transport errors with the ESES code (efa647a)

Changelog

Sourced from nodemailer's changelog.

8.0.11 (2026-06-10)

Bug Fixes

• apply the transport-level newline option in stream and sendmail transports (cb4f904)
• include icalEvent path/href content in the application/ics attachment (b801c48)
• parse Ethereal response props without polynomial regex backtracking (067aebe)
• resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
• return the promise from every resolveContent branch (07ffe8c)
• strip the url scheme from List-ID header values (77e5885)
• tag AWS SES transport errors with the ESES code (efa647a)

Commits

• e3b1bda chore(master): release 8.0.11 (#1826)
• 4358caf refactor: remove dead checks flagged by Code Quality analysis
• cf5195c chore: harden workflow token permissions and update GitHub Actions
• 067aebe fix: parse Ethereal response props without polynomial regex backtracking
• 0cee4fe chore: add CodeQL code scanning workflow
• cb9da47 chore: update dev dependencies
• e0a4928 chore: format CLAUDE.md with prettier
• 8620f2f docs: correct stale timeout defaults in SMTPConnection options JSDoc
• efa647a fix: tag AWS SES transport errors with the ESES code
• 07ffe8c fix: return the promise from every resolveContent branch
• Additional commits viewable in compare view

Updates pdfkit from 0.18.0 to 0.19.1

Release notes

Sourced from pdfkit's releases.

0.19.1

• Fix RGB JPEG embedded as DeviceGray (0.19.0 regression) (#1734)

0.19.0

Highlights in this release are the bump in minimum supported environments (quite conservative), reduce of Node js specific dependencies (EventEmitter, Buffer), more granular image transparency and roundedRect options and the usual quality of life fixes

• [BREAKING] Bump node version requirement to 20+
• [BREAKING] Bump minimum supported browsers to Firefox 115, iOS/Safari 16
• Fix text with input x as null
• Add opacity option to doc.image() to control image transparency
• Fix corrupted PDF when mixing standard and embedded fonts that share postscript name
• Fix PDF/UA compliance issues in kitchen-sink-accessible example
• Add bbox and placement options to PDFStructureElement for PDF/UA compliance
• Extend roundedRect with borderRadius as number for all corners or per-corner array (CSS order)
• Fix accessibility: scope in TH element
• Fix PDF Name escaping for spot colors with spaces (#1644)

Changelog

Sourced from pdfkit's changelog.

[v0.19.1] - 2026-06-10

• Fix RGB JPEG embedded as DeviceGray (0.19.0 regression) (#1734)

[v0.19.0] - 2026-06-07

• Bump node version requirement to 20+
• Bump minimum supported browsers to Firefox 115, iOS/Safari 16
• Fix text with input x as null
• Add opacity option to doc.image() to control image transparency
• Fix corrupted PDF when mixing standard and embedded fonts that share postscript name
• Fix PDF/UA compliance issues in kitchen-sink-accessible example
• Add bbox and placement options to PDFStructureElement for PDF/UA compliance
• Extend roundedRect with borderRadius as number for all corners or per-corner array (CSS order)
• Fix accessibility: scope in TH element
• Fix PDF Name escaping for spot colors with spaces (#1644)

Commits

• f9992a2 v0.19.1
• b5b2547 Fix RGB JPEG embedded as DeviceGray (0.19.0 regression) (#1734)
• 8a8971e Bump minimatch from 3.1.2 to 3.1.5 (#1696)
• 44d5be7 Bump pbkdf2 from 3.1.2 to 3.1.6 (#1731)
• 96cd9c7 Bump qs from 6.14.0 to 6.15.2 (#1730)
• f51c5a4 Bump tar from 7.5.2 to 7.5.11 (#1701)
• f3f0d48 Bump flatted from 3.3.3 to 3.4.2 (#1708)
• e779e40 Bump picomatch from 2.3.1 to 2.3.2 (#1711)
• f4c32de Bump brace-expansion from 1.1.11 to 1.1.13 (#1712)
• b4a9e5b Bump lodash from 4.17.21 to 4.18.1 (#1713)
• Additional commits viewable in compare view

Updates sanitize-html from 2.17.4 to 2.17.5

Changelog

Sourced from sanitize-html's changelog.

2.17.5 (2026-06-10)

Security

• Added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to crattack for reporting the vulnerability.
• Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to Dipanshu singh for pointing out the issue and contributing the fix.

Commits

• 2427508 release and changelog edits (#5465)
• 5a88e96 Latest security q2 (#5464)
• 958d162 merge main to latest (#5460)
• See full diff in compare view

Updates lucide-react from 1.17.0 to 1.18.0

Release notes

Sourced from lucide-react's releases.

Version 1.18.0

What's Changed

• chore(site): Remove survey from site by @​ericfennis in lucide-icons/lucide#4417
• feat(icons): added play-off icon by @​Ahmed-Dghaies in lucide-icons/lucide#4412
• fix(metadata): add missing use-cases prop on play-off.json by @​karsa-mistmere in lucide-icons/lucide#4423
• fix(docs): force hide #bb-banner, if html.has-bb-banner is missing by @​karsa-mistmere in lucide-icons/lucide#4422
• fix(docs): Remove @next from installation instructions for@lucide/svelte by @​alecglassford in lucide-icons/lucide#4432
• feat(packages/angular): add support for Angular v22 and onwards by @​karsa-mistmere in lucide-icons/lucide#4450
• fix(ci): add check to skip release if latest tag was created today by @​ericfennis in lucide-icons/lucide#4085
• feat(icons): added webcam-off icon by @​jordan-burnett in lucide-icons/lucide#4242

New Contributors

• @​alecglassford made their first contribution in lucide-icons/lucide#4432
• @​jordan-burnett made their first contribution in lucide-icons/lucide#4242

Full Changelog: lucide-icons/lucide@1.17.0...1.18.0

Commits

• See full diff in compare view

Updates next from 16.2.6 to 16.2.9

Release notes

Sourced from next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

• f37fad9 v16.2.9
• d9aaaed [cd] Allow tagging semver-lower releases as @latest if @latest po… (#94627)
• 6f16804 v16.2.8
• 0dbc1d5 [16.2.x][cd] Ensure release can be triggered on old branches (#94598)
• 90e3c81 [16.2.x] Align Actions dependencies with Canary (#94339)
• 83f402c [16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)
• 411c455 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• Additional commits viewable in compare view

Updates radix-ui from 1.4.3 to 1.5.0

Changelog

Sourced from radix-ui's changelog.

1.5.0

Context Menu

• Added support for a controlled open prop on ContextMenu.Root. This is intended for reading the open state and closing the menu programmatically, though we discourage opening the menu programmatically since opening the menu depends on user interaction to position the menu.

  function ControlledContextMenu() {
    const [open, setOpen] = React.useState(false);
    return (
      <ContextMenu.Root open={open} onOpenChange={setOpen}>
        <ContextMenu.Trigger>Open</ContextMenu.Trigger>
        <ContextMenu.Content>
          <button type="button" onClick={() => setOpen(false)}>
            Close me
          </button>
          <ContextMenu.Item>Item 1</ContextMenu.Item>
          <ContextMenu.Item>Item 2</ContextMenu.Item>
        </ContextMenu.Content>
      </ContextMenu.Root>
    );
  }

• Fixed a bug in where submenus remained expanded after re-opening on long-press touch events.

Dialog

• Fixed a bug where iOS text selection and editing on HTML inputs within dialogs were broken.
• Fixed a bug causing disabled pointer events in closed dialogs.

One-Time Password Field

• Fixed pasting into One-Time Password Field in environments that do not support the legacy "Text" clipboard format by reading the pasted value as "text/plain".
• Fixed issues with focus management in React 19.2+.
• Fixed a bug to ensure that pasted values exceeding the field length are truncated.

Popper

• Fixed a "Maximum update depth exceeded" bug for pages with a large number of popper instances.
• Exposed data-side and data-align on PopperAnchor element

Presence

• Fixed a "Maximum update depth exceeded" bug in React 19 that could occur when Presence was given a child with an unstable ref.

Radio Group

• Added unstable RadioGroupItemProvider, RadioGroupItemTrigger and RadioGroupItemBubbleInput parts. These expose the previously internal composition of a radio item that included a visually hidden input so consumers can directly access and recompose them. The RadioGroupItem component continues to render them by default.

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for radix-ui since your current version.

Updates react from 19.2.6 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.

Updates react-dom from 19.2.6 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.

Updates react-hook-form from 7.77.0 to 7.78.0

Release notes

Sourced from react-hook-form's releases.

Version 7.78.0

🦷 update type dirtyFields typing for field arrays with undefined entries (#13492) 🐞 fix: recover Controller fields after reset without rerender (RN issue #13455) (#13497) 🐞 fix useFormState().isDirty race with async resolver in onChange mode (#13495) 🐞 fix: use reactive values prop over defaultValues when shouldUnregister is true (#13485) 🐞 fix deepEqual for empty non-plain objects (#13493)

thanks to @​cyphercodes

Changelog

Sourced from react-hook-form's changelog.

[7.78.0] - 2026-06-08

Fixed

• Recover Controller fields after reset without rerender (RN issue #13455)
• useFormState().isDirty race with async resolver in onChange mode
• Use reactive values prop over defaultValues when shouldUnregister is true
• deepEqual for empty non-plain objects

Types

• Update dirtyFields typing for field arrays with undefined entries

Commits

• 23ab3a7 7.78.0
• 29fbd7d 🪭 close #13506 add regression test for useFormState
• b000509 📝 test: fix "allow to" grammar in test descriptions (#13504)
• 76187c3 🧪 add unit test for regression render submit with useWatch #13035
• 16c35fb 🫡 add regression coverage for dynamic Controller names with keepDirtyValues/k...
• 0bd39fa 🐞 fix: recover Controller fields after reset without rerender (RN issue #1345...
• 6a501e0 🦷 update type dirtyFields typing for field arrays with undefined entries (#13...
• d681dc5 🐞 fix useFormState().isDirty race with async resolver in onChange mode (#...
• a9b8a6f 🐞 fix: use reactive values prop over defaultValues when shouldUnregister is t...
• 686da3f 🐞 fix deepEqual for empty non-plain objects (#13493)
• Additional commits viewable in compare view