chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@axe-core/playwright	4.11.1 → 4.11.3
@changesets/changelog-github (source)	0.6.0 → 0.7.0
@changesets/cli (source)	2.30.0 → 2.31.0
@internationalized/date (source)	3.12.0 → 3.12.1
@internationalized/number	3.6.5 → 3.6.6
@next/eslint-plugin-next (source)	16.2.2 → 16.2.6
@playwright/test (source)	1.59.1 → 1.60.0
@sveltejs/kit (source)	2.57.1 → 2.60.1
@sveltejs/vite-plugin-svelte (source)	7.0.0 → 7.1.2
@swc/core (source)	1.15.21 → 1.15.33
@tanstack/react-virtual (source)	3.13.23 → 3.13.24
@types/node (source)	25.5.0 → 25.9.0
axe-core (source)	4.11.2 → 4.11.4
dotenv	17.3.1 → 17.4.2
eslint (source)	10.1.0 → 10.4.0
eslint-config-next (source)	16.2.2 → 16.2.6
lint-staged	17.0.4 → 17.0.5
lucide-react (source)	1.7.0 → 1.16.0
match-sorter	8.2.0 → 8.3.0
pnpm (source)	10.33.2 → 10.33.4
preact (source)	10.29.0 → 10.29.2
prettier (source)	3.8.1 → 3.8.3
prettier-plugin-svelte	3.5.1 → 3.5.2
react (source)	19.2.4 → 19.2.6
react-dom (source)	19.2.4 → 19.2.6
solid-js (source)	1.9.12 → 1.9.13
svelte (source)	5.55.7 → 5.55.8
tsx (source)	4.21.0 → 4.22.2
typescript (source)	6.0.2 → 6.0.3
typescript-eslint (source)	8.59.3 → 8.59.4
uqr	0.1.2 → 0.1.3
vite (source)	8.0.5 → 8.0.13
vitest (source)	4.1.2 → 4.1.6
vue (source)	3.5.31 → 3.5.34

---

Release Notes

dequelabs/axe-core-npm (@​axe-core/playwright)

v4.11.3

Compare Source

v4.11.2: Release 4.11.2

Compare Source

Bug Fixes

• Update axe-core to v4.11.3 (#​1306) (71c4179)
• wdio: support v9 wdio switchFrame and switchWindow (#​1302) (4689273), closes #​1164

changesets/changesets (@​changesets/changelog-github)

v0.7.0

Compare Source

Minor Changes

• #​1255 94578cf Thanks @​Kauhsa! - Added disableThanks option

adobe/react-spectrum (@​internationalized/date)

v3.12.1

Compare Source

adobe/react-spectrum (@​internationalized/number)

v3.6.6

Compare Source

vercel/next.js (@​next/eslint-plugin-next)

v16.2.6

Compare Source

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

Compare Source

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#​92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#​92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#​92580)
• Compiler: Support boolean and number primtives in next.config defines (#​92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#​92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#​92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#​92828)
• Adding more system info to the 'initialize project' trace (#​92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

Compare Source

[!NOTE]
This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#​92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#​91981 through #​92273)
• Deduplicate output assets and detect content conflicts on emit (#​92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#​92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#​92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

microsoft/playwright (@​playwright/test)

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

• Event browser.on('context') — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browserContext.on('download'), browserContext.on('frameattached'), browserContext.on('framedetached'), browserContext.on('framenavigated'), browserContext.on('pageclose'), browserContext.on('pageload').

Locators and Assertions

• New option description in page.getByRole() / locator.getByRole() / frame.getByRole() / frameLocator.getByRole() for matching the accessible description.
• New option pseudo in expect(locator).toHaveCSS() reads computed styles from ::before or ::after.
• New option style in locator.highlight() applies extra inline CSS to the highlight overlay, plus new page.hideHighlight() to clear all highlights.

Network

• webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
• New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.

Errors and Reporting

• New webError.location() mirrors consoleMessage.location().
• consoleMessage.location() now exposes line / column properties (lineNumber / columnNumber are deprecated).
• New testInfoError.errorContext surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an expect(...) matcher failure.
• reporter.onError() now receives a workerInfo argument with details about the worker for fixture teardown errors.

Test runner

• New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
• Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

• HTML reporter:
  • npx playwright show-report accepts .zip files directly — no need to unzip first.
  • Steps that contain attachments inside nested children show an indicator on the parent step.
  • The repeatEachIndex is shown in the test header when non-zero.
• Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

• Removed long-deprecated APIs:
  • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
  • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
  • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
  • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

This version was also tested against the following stable channels:

• Google Chrome 147
• Microsoft Edge 147

sveltejs/kit (@​sveltejs/kit)

v2.60.1

Compare Source

Patch Changes

• chore: bump svelte and devalue (#​15836)

• fix: prevent query.batch cross-talk (dadaefc)

v2.60.0

Compare Source

Minor Changes

• feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#​15802)

• feat: warn on unread form remote function validation issues (#​15653)

Patch Changes

• fix: abort navigation after async rendering if obsolete (#​15811)

• fix: skip refreshing queries on full-page reload form submissions (#​15803)

v2.59.1

Compare Source

Patch Changes

• fix: resolve paths to route files with the letter drive on Windows (#​15793)

v2.59.0

Compare Source

Minor Changes

• feat: support query.batch in requested(...) (#​15751)

• breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#​15705)

• feat: experimental query.live function (#​15705)

Patch Changes

• fix: unwrap Promise in RemoteCommand output type (#​15771)

• fix: empty call to .updates() on a command/form invocation means "don't update anything" (#​15705)

• fix: form.fields.foo.as('checkbox', default_value) now works (#​15752)

• fix: remote forms with default values defined by field.as('text', defaultValue) now correctly reset to the provided default values once submitted (#​15753)

• fix: make sure queries always get started correctly (#​15705)

• fix: allow plain functions as overrides in updates (#​15705)

v2.58.0

Compare Source

Minor Changes

• breaking: require limit in requested (as originally intended) (#​15739)

• feat: RemoteQueryFunction gains an optional third generic parameter Validated (defaulting to Input) that represents the argument type after schema validation/transformation (#​15739)

• breaking: requested now yields { arg, query } entries instead of the validated argument (#​15739)

Patch Changes

• fix: allow query().current, .error, .loading, and .ready to work in non-reactive contexts (#​15699)

• fix: prevent deep_set crash on nullish nested values (#​15600)

• fix: restore correct RemoteFormFields typing for nullable array fields (e.g. when a schema uses .default([])), so .as('checkbox') and friends work again (#​15723)

• fix: don't warn about removed SSI comments in transformPageChunk (#​15695)

  Server-side include (SSI) directives like <!--#include virtual="..." --> are HTML comments that are replaced by servers such as nginx. Previously, removing them in transformPageChunk would trigger a false positive warning about breaking Svelte's hydration. Since SSI comments always start with <!--# and Svelte's hydration comments never do, they can be safely excluded from the check.

• Change enhance function return type from void to MaybePromise. (#​15710)

• fix: throw an error when resolve is called with an external URL (#​15733)

• fix: avoid FOUC for CSR-only pages by loading styles and fonts before CSR starts (#​15718)

• fix: reset form result on redirect (#​15724)

sveltejs/vite-plugin-svelte (@​sveltejs/vite-plugin-svelte)

v7.1.2

Compare Source

Patch Changes

• fix: correctly resolve compiled CSS on the server for dependencies with Svelte files (#​1342)

v7.1.1

Compare Source

Patch Changes

• fix: pass typescript.onlyRemoveTypeImports to transformWithOxc in vitePreprocess so that value imports are not dropped when they are only referenced in Svelte template markup (#​1326)

• fix: correctly resolve compiled CSS for optimised Svelte dependencies on the server (#​1336)

v7.1.0

Compare Source

Minor Changes

• feat: enable optimizer for server environments during dev (#​1328)

swc-project/swc (@​swc/core)

v1.15.33

Compare Source

Bug Fixes

• (ci) Update rand lockfile entries (#​11827) (7988966)

• (es/minifier) Fold unary bool nullish coalescing (#​11826) (e39ae3d)

• (es/minifier) Preserve for-init sequence order (#​11837) (16a56d0)

• (es/parser) Parse empty Flow exact object type (#​11836) (3d18a26)

Features

• Move swc ast explorer into workspace (#​11831) (02a8f81)

v1.15.32

Compare Source

Bug Fixes

• (es/flow) Fix Flow type-only modules in script transforms (#​11817) (be38316)

• (es/flow) Avoid restoring module context when flow syntax is enabled (#​11819) (3ed7243)

• (es/minifier) Preserve frozen spread registry keys (#​11825) (347181c)

• (es/parser) Align Flow generic arrow JSX disambiguation (#​11821) (28a7fad)

Features

• (es) Add jsc.preserveSymlinks to swc::Options (#​11813) (fe38342)

v1.15.30

Compare Source

Bug Fixes

• (deploy) Fix musl binding test workflow (#​11804) (c30a522)

• (deploy) Build package ts before Linux GNU binding tests (#​11806) (a3d3ef3)

• (es/jsx) Preserve quoted JSX attribute newlines (#​11796) (9fe56c8)

• (es/minifier) Support full ES version parsing in minify (#​11800) (af1f08f)

• (es/module) Add opt-in symlink-preserving resolver (#​11801) (6028240)

• (es/parser) Allow return type annotation on Flow constructors (#​11790) (d66b29c)

• (es/parser) Support Flow anonymous keyof indexers (#​11792) (452c4e5)

• (es/parser) Add Flow strip RN and RNW regression corpus (#​11799) (23a9109)

Documentation

• Require PR template for pull requests (#​11793) (3a1084a)

Features

• (es/minify) Support extracting comments (#​11798) (5986411)

v1.15.26

Compare Source

v1.15.24

Compare Source

TanStack/virtual (@​tanstack/react-virtual)

v3.13.24

Compare Source

Patch Changes

• Updated dependencies [97a204d]:
  • @​tanstack/virtual-core@​3.14.0

dequelabs/axe-core (axe-core)

v4.11.4

Compare Source

v4.11.3

Compare Source

motdotla/dotenv (dotenv)

v17.4.2

Compare Source

v17.4.1

Compare Source

v17.4.0

Compare Source

eslint/eslint (eslint)

v10.4.0

Compare Source

v10.3.0

Compare Source

v10.2.1

Compare Source

v10.2.0

Compare Source

Features

• 586ec2f feat: Add meta.languages support to rules (#​20571) (Copilot)
• 14207de feat: add Temporal to no-obj-calls (#​20675) (Pixel998)
• bbb2c93 feat: add Temporal to ES2026 globals (#​20672) (Pixel998)

Bug Fixes

• 542cb3e fix: update first-party dependencies (#​20714) (Francesco Trotta)

Documentation

• a2af743 docs: add language to configuration objects (#​20712) (Francesco Trotta)
• 845f23f docs: Update README (GitHub Actions Bot)
• 5fbcf59 docs: remove sourceType from ts playground link (#​20477) (Tanuj Kanti)
• 8702a47 docs: Update README (GitHub Actions Bot)
• ddeaded docs: Update README (GitHub Actions Bot)
• 2b44966 docs: add Major Releases section to Manage Releases (#​20269) (Milos Djermanovic)
• eab65c7 docs: update eslint versions in examples (#​20664) (루밀LuMir)
• 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#​20660) (Milos Djermanovic)

Chores

• 8120e30 refactor: extract no unmodified loop condition (#​20679) (kuldeep kumar)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#​20697) (renovate[bot])
• 01ed3aa test: add unit tests for unicode utilities (#​20622) (Manish chaudhary)
• 811f493 ci: remove --legacy-peer-deps from types integration tests (#​20667) (Milos Djermanovic)
• 6b86fcf chore: update dependency npm-run-all2 to v8 (#​20663) (renovate[bot])
• 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#​20662) (루밀LuMir)
• b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#​20659) (Milos Djermanovic)
• 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#​20661) (Milos Djermanovic)
• 3ab4d7e test: Add tests for eslintrc-style keys (#​20645) (kuldeep kumar)

vercel/next.js (eslint-config-next)

v16.2.6

Compare Source

v16.2.5

Compare Source

v16.2.4

Compare Source

v16.2.3

Compare Source

lint-staged/lint-staged (lint-staged)

v17.0.5

Compare Source

Patch Changes

• #​1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

lucide-icons/lucide (lucide-react)

v1.16.0: Version 1.16.0

Compare Source

What's Changed

• feat(icons): added blender icon by @​rrod497 in #​3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

v1.15.0

Compare Source

v1.14.0: Version 1.14.0

Compare Source

What's Changed

• feat(icons): added repeat-off icon by @​jguddas in #​3102

Full Changelog: lucide-icons/lucide@1.13.0...1.14.0

v1.13.0: Version 1.13.0

Compare Source

What's Changed

• fix(docs): sync URL params with UI state on categories page by @​taimar in #​4111
• feat(icons): add waves-vertical icon by @​jamiemlaw in #​3867

Full Changelog: lucide-icons/lucide@1.12.0...1.13.0

v1.12.0: Version 1.12.0

Compare Source

What's Changed

• feat(icon): add folder-bookmark icon by @​swastik7805 in #​4262
• docs(readme): Update readme files by @​ericfennis in [#​4320](https://redirect.github.com/lucide-icons/lucide/pull/432

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9039030

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
zag-nextjs	Ready	Preview	May 18, 2026 9:47pm
zag-solid	Ready	Preview	May 18, 2026 9:47pm
zag-svelte	Ready	Preview	May 18, 2026 9:47pm
zag-vue	Ready	Preview	May 18, 2026 9:47pm
zag-website	Ready	Preview	May 18, 2026 9:47pm