deps: bump the minor-and-patch group across 1 directory with 25 updates

[dependabot]

Bumps the minor-and-patch group with 25 updates in the / directory:

Package	From	To
@ai-sdk/google	3.0.75	3.0.83
@arcjet/next	1.4.0	1.5.0
@hookform/resolvers	5.2.2	5.4.0
@radix-ui/react-dialog	1.1.15	1.1.17
@radix-ui/react-dropdown-menu	2.1.16	2.1.18
@radix-ui/react-label	2.1.8	2.1.10
@radix-ui/react-navigation-menu	1.2.14	1.2.16
@radix-ui/react-slot	1.2.4	1.3.0
@radix-ui/react-tabs	1.1.13	1.1.15
@radix-ui/react-tooltip	1.2.8	1.2.10
ai	6.0.184	6.0.208
arcjet	1.4.0	1.5.0
motion	12.38.0	12.40.0
next	16.2.6	16.2.9
react	19.2.6	19.2.7
@types/react	19.2.14	19.2.17
react-dom	19.2.6	19.2.7
react-hook-form	7.76.0	7.80.0
@next/eslint-plugin-next	16.2.6	16.2.9
@playwright/test	1.60.0	1.61.0
@tailwindcss/postcss	4.3.0	4.3.1
@tailwindcss/typography	0.5.19	0.5.20
eslint-config-next	16.2.6	16.2.9
prettier	3.8.3	3.8.4
tailwindcss	4.3.0	4.3.1

Updates @ai-sdk/google from 3.0.75 to 3.0.83

Changelog

Sourced from @​ai-sdk/google's changelog.

3.0.83

Patch Changes

• Updated dependencies [779f5cd]
  • @​ai-sdk/provider-utils@​4.0.30

3.0.82

Patch Changes

• 3258f22: fix(google): prevent prototype pollution when streaming tool args

• bfa5864: fix: only send provider credentials to same-origin response-supplied URLs

  Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

  A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

• Updated dependencies [bfa5864]

• Updated dependencies [f42aa79]

  • @​ai-sdk/provider-utils@​4.0.29

3.0.81

Patch Changes

• Updated dependencies [942f2f8]
  • @​ai-sdk/provider-utils@​4.0.28

3.0.80

Patch Changes

• f62ffe0: fix(google): auto-inject skip_thought_signature_validator for Gemini 3 tool-call replays without a signature

  Gemini 3 models reject requests when an assistant functionCall part lacks a thoughtSignature with HTTP 400 "Function call is missing a thought_signature in functionCall parts." This is easy to hit when application code persists/serializes messages and drops providerOptions.google.thoughtSignature (custom DB schemas, useChat server routes that rebuild messages, synthetic tool-call injection).

  The provider now detects this case (Gemini 3 model + missing signature under google, googleVertex, and vertex namespaces) and injects the documented skip_thought_signature_validator sentinel into the outbound functionCall, plus surfaces a one-shot warning per request listing the affected tool names so the developer can find and fix the upstream serialization. Non-Gemini-3 models are unaffected, and real signatures take precedence when present.

3.0.79

Patch Changes

• cfa0cb2: feat(provider/google): support Google search grounding when using generateImage with Gemini

3.0.78

Patch Changes

• cf63828: fix(google): read serviceTier from usageMetadata.serviceTier in both generate and stream paths

... (truncated)

Commits

• caebb44 Version Packages (#16157)
• bae9bab Version Packages (#16026)
• 3258f22 Backport: fix(google): prevent prototype pollution when streaming tool args (...
• bfa5864 Backport: fix(providers): only send credentials to same-origin response-suppl...
• 9ef2c3c Version Packages (#15998)
• 7aca1fc backport: chore: update TypeScript references and fix `pnpm update-references...
• 661127c Version Packages (#15622)
• f62ffe0 fix(google): auto-inject skip_thought_signature_validator on Gemini 3 tool-ca...
• fc83fa3 Version Packages (#15532)
• cfa0cb2 Backport: feat(provider/google): support Google search grounding when using `...
• Additional commits viewable in compare view

Updates @arcjet/next from 1.4.0 to 1.5.0

Release notes

Sourced from @​arcjet/next's releases.

v1.5.0

1.5.0 (2026-06-09)

🚀 New Features

• support proxy services such as Cloudflare for client IP detection (#6060) (f77ead5)

🪲 Bug Fixes

• redact detectPromptInjectionMessage from report calls (#6041) (b490fc7)
• update @​bufbuild/protobuf to 2.12.0 and add root override to fix Bun build (#6014) (ba8f1a3)

📝 Documentation

• clarify label/bucket slug validation in @​arcjet/guard types (#6043) (81293b3)
• refresh root, next, and guard READMEs for guards release (#6017) (994232c)

🧹 Miscellaneous Chores

• configure release-please to use GitHub App Token (#6019) (571b1b7)
• remove redundant esbuild and flatted overrides (#6020) (ca2ad5a)

🔨 Build System

• deps-dev: bump astro from 6.1.2 to 6.1.6 (#6003) (6730508)
• deps-dev: bump astro from 6.1.6 to 6.1.10 (#6031) (ea8963d)
• deps-dev: bump fast-uri from 3.1.0 to 3.1.2 (#6023) (1d000d3)
• deps-dev: bump fast-uri from 3.1.0 to 3.1.2 in /examples/nestjs (#6024) (f830a47)
• deps-dev: bump fastify from 5.8.4 to 5.8.5 (#6000) (fe37f56)
• deps-dev: bump ip-address from 10.1.0 to 10.2.0 in /examples/express-newman (#6021) (11dd637)
• deps-dev: bump next from 16.2.4 to 16.2.6 (#6029) (dcf85e1)
• deps-dev: bump next from 16.2.4 to 16.2.6 in /arcjet-next (#6028) (082c20f)
• deps-dev: bump next from 16.2.4 to 16.2.6 in /nosecone-next (#6027) (29f3de1)
• deps: bump @​astrojs/node from 10.0.4 to 10.0.5 in /examples/astro (#6008) (cdffb7d)
• deps: bump astro from 6.1.4 to 6.1.8 in /examples/astro (#6001) (69b4198)
• deps: bump astro from 6.1.8 to 6.3.2 in /examples/astro (#6032) (6397074)
• deps: bump brace-expansion from 5.0.5 to 5.0.6 in /examples/nuxt (#6039) (dac76d1)
• deps: bump devalue from 5.6.4 to 5.8.1 (#6034) (def151d)
• deps: bump devalue from 5.6.4 to 5.8.1 in /examples/astro (#6038) (c683d82)
• deps: bump devalue from 5.6.4 to 5.8.1 in /examples/nuxt (#6035) (9203466)
• deps: bump fast-uri from 3.1.0 to 3.1.2 in /examples/fastify (#6026) (c7bffe1)
• deps: bump nitropack from 2.13.3 to 2.13.4 in /examples/nuxt (#6022) (ecacd00)
• deps: bump nuxt and @​nuxt/nitro-server to 4.4.6 in examples/nuxt (#6055) (74573e3)
• deps: bump qs to 6.15.2 in examples (#6051) (f784256)
• deps: bump simple-git from 3.33.0 to 3.36.0 in /examples/nuxt (#6025) (bff84fb)

... (truncated)

Changelog

Sourced from @​arcjet/next's changelog.

1.5.0 (2026-06-09)

🚀 New Features

• support proxy services such as Cloudflare for client IP detection (#6060) (f77ead5)

📝 Documentation

• refresh root, next, and guard READMEs for guards release (#6017) (994232c)

🔨 Build System

• deps-dev: bump next from 16.2.4 to 16.2.6 (#6029) (dcf85e1)
• deps-dev: bump next from 16.2.4 to 16.2.6 in /arcjet-next (#6028) (082c20f)
• deps-dev: bump next from 16.2.4 to 16.2.6 in /nosecone-next (#6027) (29f3de1)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​arcjet/body bumped from 1.4.0 to 1.5.0
    • @​arcjet/env bumped from 1.4.0 to 1.5.0
    • @​arcjet/headers bumped from 1.4.0 to 1.5.0
    • @​arcjet/ip bumped from 1.4.0 to 1.5.0
    • @​arcjet/logger bumped from 1.4.0 to 1.5.0
    • @​arcjet/protocol bumped from 1.4.0 to 1.5.0
    • @​arcjet/transport bumped from 1.4.0 to 1.5.0
    • arcjet bumped from 1.4.0 to 1.5.0
  • devDependencies
    • @​arcjet/eslint-config bumped from 1.4.0 to 1.5.0
    • @​arcjet/rollup-config bumped from 1.4.0 to 1.5.0

Commits

• e435007 chore: Release 1.5.0 (#6004)
• e3d955b deps: periodic dependency update (#6064)
• f77ead5 feat: support proxy services such as Cloudflare for client IP detection (#6060)
• dcf85e1 build(deps-dev): bump next from 16.2.4 to 16.2.6 (#6029)
• 994232c docs: refresh root, next, and guard READMEs for guards release (#6017)
• f6df4e9 deps: periodic dependency update (#6013)
• See full diff in compare view

Updates @hookform/resolvers from 5.2.2 to 5.4.0

Release notes

Sourced from @​hookform/resolvers's releases.

v5.4.0

5.4.0 (2026-05-21)

Features

• feat: add ata-validator resolver (#845)

Fixes

• fix issue with toNestErrors.ts (#848)

• add guidance on passing context to yupResolver (useForm context) (#835) (3d29924)

Commits

• 3d29924 feat: add guidance on passing context to yupResolver (useForm context) (#835)
• 56b68f3 feat: 5.3.0
• cf8562d update readme on ata-validator
• 5e5b610 fix issue with toNestErrors.ts (#848)
• 72aacf8 Revise supported versions in SECURITY.md
• ad89a20 feat: add ata-validator resolver (#845)
• 02286db ci: updated publish workflow to use node 24 (#838)
• 2e9bc7c Fix(zodResolver): error paths in complex unions #787 (#819)
• See full diff in compare view

Updates @radix-ui/react-dialog from 1.1.15 to 1.1.17

Changelog

Sourced from @​radix-ui/react-dialog's changelog.

1.1.17

• Removed dev-only warnings for dialogs when title and/or description is not rendered.
• Fixed Dismissable Layer so outside interactions stopped by extension UI overlays do not dismiss dialogs or popovers.
• Updated dependencies: @radix-ui/react-slot@1.3.0, @radix-ui/react-dismissable-layer@1.1.13, @radix-ui/react-primitive@2.1.6, @radix-ui/react-focus-scope@1.1.10, @radix-ui/react-portal@1.1.12

1.1.16

• Fixed disabled pointer events in closed dialogs
• Fixed a bug where iOS text selection and editing on HTML inputs within react-dialog were broken
• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-slot@1.2.5, @radix-ui/react-focus-guards@1.1.4, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-focus-scope@1.1.9, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-dialog since your current version.

Updates @radix-ui/react-dropdown-menu from 2.1.16 to 2.1.18

Changelog

Sourced from @​radix-ui/react-dropdown-menu's changelog.

2.1.18

• Fixed a bug where menus and submenus remained open after a window loses focus.
• Updated dependencies: @radix-ui/react-menu@2.1.18, @radix-ui/react-primitive@2.1.6

2.1.17

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-menu@2.1.17, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-dropdown-menu since your current version.

Updates @radix-ui/react-label from 2.1.8 to 2.1.10

Changelog

Sourced from @​radix-ui/react-label's changelog.

2.1.10

• Updated dependencies: @radix-ui/react-primitive@2.1.6

2.1.9

• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-primitive@2.1.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-label since your current version.

Updates @radix-ui/react-navigation-menu from 1.2.14 to 1.2.16

Changelog

Sourced from @​radix-ui/react-navigation-menu's changelog.

1.2.16

• Fixed Duplicate index signature errors that surfaced when consuming multiple packages together.
• Updated dependencies: @radix-ui/react-dismissable-layer@1.1.13, @radix-ui/react-primitive@2.1.6, @radix-ui/react-collection@1.1.10, @radix-ui/react-visually-hidden@1.2.6

1.2.15

• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/react-collection@1.1.9, @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-callback-ref@1.1.2, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-visually-hidden@1.2.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-navigation-menu since your current version.

Updates @radix-ui/react-slot from 1.2.4 to 1.3.0

Changelog

Sourced from @​radix-ui/react-slot's changelog.

1.3.0

Added generic type arguments for SlotProps and createSlot

SlotProps and createSlot now accept generic type arguments to specify the type of element a slot should render, as well as its props.

const Slot = createSlot<HTMLButtonElement, MyCustomButtonProps>("Slot");

1.2.5

• Fixed infinite re-render loop in React 19 caused by Slot creating a new ref callback on every render
• Added support for nested Slottable via a render prop, so a slotted element can be wrapped while still merging Slot props and refs onto it
• Added repository.directory to all package.json files
• Improved error messages for invalid slot children
• Updated dependencies: @radix-ui/react-compose-refs@1.1.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-slot since your current version.

Updates @radix-ui/react-tabs from 1.1.13 to 1.1.15

Changelog

Sourced from @​radix-ui/react-tabs's changelog.

1.1.15

• Updated dependencies: @radix-ui/react-primitive@2.1.6, @radix-ui/react-roving-focus@1.1.13

1.1.14

• Fixed triggers referencing a non-existent element via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR)
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-direction@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-primitive@2.1.5, @radix-ui/react-roving-focus@1.1.12, @radix-ui/react-use-controllable-state@1.2.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-tabs since your current version.

Updates @radix-ui/react-tooltip from 1.2.8 to 1.2.10

Changelog

Sourced from @​radix-ui/react-tooltip's changelog.

1.2.10

• Updated dependencies: @radix-ui/react-slot@1.3.0, @radix-ui/react-popper@1.3.1, @radix-ui/react-dismissable-layer@1.1.13, @radix-ui/react-primitive@2.1.6, @radix-ui/react-portal@1.1.12, @radix-ui/react-visually-hidden@1.2.6

1.2.9

• Fixed runtime error when event target is non-Node
• Fixed a Tooltip bug so that skipDelayDuration={0} works as expected. Previously, the open delay could still be skipped when moving between triggers.
• Added repository.directory to all package.json files
• Updated dependencies: @radix-ui/react-presence@1.1.6, @radix-ui/react-popper@1.3.0, @radix-ui/react-slot@1.2.5, @radix-ui/react-dismissable-layer@1.1.12, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-id@1.1.2, @radix-ui/react-portal@1.1.11, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-visually-hidden@1.2.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-tooltip since your current version.

Updates ai from 6.0.184 to 6.0.208

Release notes

Sourced from ai's releases.

ai@6.0.208

Patch Changes

• 8261640: fix(ai): handle partial unicode escapes in fixJson
• f994df3: Serialize undefined tool output to null in UI message chunks

ai@6.0.207

Patch Changes

• 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

  When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

• Updated dependencies [5bfde36]

• Updated dependencies [779f5cd]

  • @​ai-sdk/gateway@​3.0.133
  • @​ai-sdk/provider-utils@​4.0.30

Changelog

Sourced from ai's changelog.

6.0.208

Patch Changes

• 8261640: fix(ai): handle partial unicode escapes in fixJson
• f994df3: Serialize undefined tool output to null in UI message chunks

6.0.207

Patch Changes

• 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

  When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

• Updated dependencies [5bfde36]

• Updated dependencies [779f5cd]

  • @​ai-sdk/gateway@​3.0.133
  • @​ai-sdk/provider-utils@​4.0.30

6.0.206

Patch Changes

• Updated dependencies [e962dda]
  • @​ai-sdk/gateway@​3.0.132

6.0.205

Patch Changes

• Updated dependencies [6160ced]
• Updated dependencies [c9b8abd]
  • @​ai-sdk/gateway@​3.0.131

6.0.204

Patch Changes

• Updated dependencies [c5d4716]
  • @​ai-sdk/gateway@​3.0.130

6.0.203

Patch Changes

• f42aa79: fix: harden download URL SSRF guard against hostname and redirect bypasses

  validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:

... (truncated)

Commits

• 3270146 Version Packages (#16243)
• f994df3 Backport: Serialize undefined tool output to null in UI message chunks (#16240)
• 8261640 Backport: fix(ai): handle partial unicode escapes in fixJson (#16233)
• caebb44 Version Packages (#16157)
• 779f5cd Backport: fix(provider-utils): cancel response body on download rejection to ...
• 5623117 Version Packages (#16134)
• 5548672 Version Packages (#16097)
• 63b3f60 Version Packages (#16086)
• bae9bab Version Packages (#16026)
• b4b575a Backport: fix(ai): redact server error details from UI message streams by def...
• Additional commits viewable in compare view

Updates arcjet from 1.4.0 to 1.5.0

Release notes

Sourced from arcjet's releases.

v1.5.0

1.5.0 (2026-06-09)

🚀 New Features

• support proxy services such as Cloudflare for client IP detection (#6060) (f77ead5)

🪲 Bug Fixes

• redact detectPromptInjectionMessage from report calls (#6041) (b490fc7)
• update @​bufbuild/protobuf to 2.12.0 and add root override to fix Bun build (#6014) (ba8f1a3)

📝 Documentation

• clarify label/bucket slug validation in @​arcjet/guard types (#6043) (81293b3)
• refresh root, next, and guard READMEs for guards release (#6017) (994232c)

🧹 Miscellaneous Chores

• configure release-please to use GitHub App Token (#6019) (571b1b7)
• remove redundant esbuild and flatted overrides (#6020) (ca2ad5a)

🔨 Build System

• deps-dev: bump astro from 6.1.2 to 6.1.6 (#6003) (6730508)
• deps-dev: bump astro from 6.1.6 to 6.1.10 (#6031) (ea8963d)
• deps-dev: bump fast-uri from 3.1.0 to 3.1.2 (#6023) (1d000d3)
• deps-dev: bump fast-uri from 3.1.0 to 3.1.2 in /examples/nestjs (#6024) (f830a47)
• deps-dev: bump fastify from 5.8.4 to 5.8.5 (#6000) (fe37f56)
• deps-dev: bump ip-address from 10.1.0 to 10.2.0 in /examples/express-newman (#6021) (11dd637)
• deps-dev: bump next from 16.2.4 to 16.2.6 (#6029) (dcf85e1)
• deps-dev: bump next from 16.2.4 to 16.2.6 in /arcjet-next (#6028) (082c20f)
• deps-dev: bump next from 16.2.4 to 16.2.6 in /nosecone-next (#6027) (29f3de1)
• deps: bump @​astrojs/node from 10.0.4 to 10.0.5 in /examples/astro (#6008) (cdffb7d)
• deps: bump astro from 6.1.4 to 6.1.8 in /examples/astro (#6001) (69b4198)
• deps: bump astro from 6.1.8 to 6.3.2 in /examples/astro (#6032) (6397074)
• deps: bump brace-expansion from 5.0.5 to 5.0.6 in /examples/nuxt (#6039) (dac76d1)
• deps: bump devalue from 5.6.4 to 5.8.1 (#6034) (def151d)
• deps: bump devalue from 5.6.4 to 5.8.1 in /examples/astro (#6038) (c683d82)
• deps: bump devalue from 5.6.4 to 5.8.1 in /examples/nuxt (#6035) (9203466)
• deps: bump fast-uri from 3.1.0 to 3.1.2 in /examples/fastify (#6026) (c7bffe1)
• deps: bump nitropack from 2.13.3 to 2.13.4 in /examples/nuxt (#6022) (ecacd00)
• deps: bump nuxt and @​nuxt/nitro-server to 4.4.6 in examples/nuxt (#6055) (74573e3)
• deps: bump qs to 6.15.2 in examples (#6051) (f784256)
• deps: bump simple-git from 3.33.0 to 3.36.0 in /examples/nuxt (#6025) (bff84fb)

... (truncated)

Changelog

Sourced from arcjet's changelog.

1.5.0 (2026-06-09)

🪲 Bug Fixes

• redact detectPromptInjectionMessage from report calls (#6041) (b490fc7)

🔨 Build System

• deps-dev: bump next from 16.2.4 to 16.2.6 in /arcjet-next (#6028) (082c20f)
• deps-dev: bump next from 16.2.4 to 16.2.6 in /nosecone-next (#6027) (29f3de1)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​arcjet/analyze bumped from 1.4.0 to 1.5.0
    • @​arcjet/cache bumped from 1.4.0 to 1.5.0
    • @​arcjet/duration bumped from 1.4.0 to 1.5.0
    • @​arcjet/headers bumped from 1.4.0 to 1.5.0
    • @​arcjet/protocol bumped from 1.4.0 to 1.5.0
    • @​arcjet/runtime bumped from 1.4.0 to 1.5.0
    • @​arcjet/stable-hash bumped from 1.4.0 to 1.5.0
  • devDependencies
    • @​arcjet/eslint-config bumped from 1.4.0 to 1.5.0
    • @​arcjet/rollup-config bumped from 1.4.0 to 1.5.0

Commits

• e435007 chore: Release 1.5.0 (#6004)
• e3d955b deps: periodic dependency update (#6064)
• b490fc7 fix: redact detectPromptInjectionMessage from report calls (#6041)
• f6df4e9 deps: periodic dependency update (#6013)
• See full diff in compare view

Updates motion from 12.38.0 to 12.40.0

Changelog

Sourced from motion's changelog.

[12.40.0] 2026-05-21

Added

• path option to transition.
• arc() for motion along an arc.

[12.39.0] 2026-05-18

Added

• Support for repeatType and repeatDelay in animation sequences.

Fixed

• Variants: Re-run keyframe animations when switching between variant labels even when they share identical keyframe arrays.
• Drag: Preserve in-flight motion value animations across React 19 reorder unmount/remount so dragSnapToOrigin no longer leaves the drag transform stranded after a layout swap.
• LazyMotion: Share React contexts between the framer-motion and framer-motion/m (and therefore motion/react and motion/react-m) CJS bundles so that <m.div> from the /m subpath picks up features loaded by <LazyMotion> from the main entry point.
• useScroll: Support hydrating target and container refs from anywhere in the tree.
• Drag: Gesture no longer starts from incorrect start point when rendered inside <AnimatePresence initial={false} />.
• Drag: dragConstraints, when set as viewport-relative ref, no longer break on scroll.§
• Updated visualElement hydration order.
• useAnimate: Now respects skipAnimations.
• AnimatePresence: Fix object-form initial values not applied on re-entry after exit completes.
• scroll: Fixed callback progress when tracking an element.
• useScroll: Fix hardware acceleration when tracking an element.

Commits

• 38ebb94 v12.40.0
• b1f766c Latest
• bca5544 Merge pull request #3699 from motiondivision/lochie/arcs-injectable
• f1a96cf arc(): rename amp/rotate, expose MotionPath, fix explicit cw/ccw
• b4aaba0 pathRotation: non-destructive orientToPath rotation channel
• 8604ef3 Make arcs injectable via transition.path = arc()
• f90fe29 add orientToPath
• 9ebe999 fix: test
• bc2107e Revert "no should"
• 6eeb92d no should
• Additional commits viewable in compare view

Updates next from 16.2.6 to 16.2.9

Release notes

Sourced from next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

• f37fad9 v16.2.9
• d9aaaed [cd] Allow tagging semver-lower releases as @latest if @latest po… (#94627)
• 6f16804 v16.2.8
• 0dbc1d5 [16.2.x][cd] Ensure release can be triggered on old branches (#94598)
• 90e3c81 [16.2.x] Align Actions dependencies with Canary (#94339)
• 83f402c [16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)
• 411c455 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• Additional commits viewable in compare view

Updates react from 19.2.6 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• Description has been truncated