chore: Update Web dependencies#2016
Merged
Merged
Conversation
renovate
Bot
added
dependencies
Contributor
Dependency ReviewThe following issues were found:
License Issues.github/package-lock.json
site/package-lock.json
web/package-lock.json
web/package.json
OpenSSF ScorecardScorecard details
Scanned Files
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Merging this PR will not alter performance
Comparing 
Footnotes
|
renovate
Bot
force-pushed
the
renovate/web
branch
from
1a36e41 to
14abe56
Compare
Aureliolo
approved these changes
May 19, 2026
Owner
Aureliolo
left a comment
Aureliolo
left a comment
There was a problem hiding this comment.
Decision: Minor/patch-only web dependency bump (11 packages, no major); CI fully green (Dashboard Test/Lint/Type-Check/Storybook/Lighthouse/visual-e2e all SUCCESS); the single BREAKING changelog item is confirmed unused; no actionable items.
Changelog digest:
- Covered: @base-ui/react 1.4.1->1.5.0, @eslint-react/eslint-plugin 5.7.9->5.8.2, @fontsource-variable/geist 5.2.8->5.2.9, geist-mono 5.2.7->5.2.8, @tanstack/react-query 5.100.10->5.100.11, @types/node 25.8.0->25.9.1, @types/react 19.2.14->19.2.15, astro 6.3.3->6.3.5, motion 12.38.0->12.39.0, typescript-eslint 8.59.3->8.59.4, wrangler 4.92.0->4.93.0.
- Relevant (improvements/bugfixes, no action): base-ui 1.5.0 improves mount perf (interaction splitting), fixes focus-steal and RTL behaviour for Popover/Select/ScrollArea/NavMenu (used across 24+ component files) - pure benefit; motion 12.39.0 fixes React 19 reorder-drag and LazyMotion CJS context sharing; astro 6.3.5 fixes the
position-prop CSP break + dev-server stale content (site/).
- Reviewed but not relevant: base-ui 1.5.0 BREAKING renames OTP Field sanitizeValue()->normalizeValue() - grep confirms zero OTP-field usage in web/src; the Tabs onValueChange auto-selection fire is benign for our only base-ui Tabs.Root (controlled value={activeTab}, idempotent react-router navigate); wrangler 4.93.0 new
ai models/--containers-rollout=nonecommands unused (static Pages deploy, no Workers AI/containers); react-query patch is a dep-bump-only; @types/* + typescript-eslint + eslint-react (docs-only) + fontsource are trivial.
Follow-ups: none.
Aureliolo
temporarily deployed
to
cloudflare-preview
GitHub Actions
Inactive
Aureliolo
pushed a commit
that referenced
this pull request
May 19, 2026
<!-- HIGHLIGHTS_START --> ## Highlights > _AI-generated summary (model: `openai/gpt-4.1-mini` via GitHub Models). Commit-based changelog below._ ### What you'll notice - Multi-agent coordination is now active immediately on startup for smoother operation. - Governance rules are fully enforced during use, ensuring compliance at all times. - Coordination metrics update live, giving real-time insights into system activity. - Review agents are now reliably processed, preventing silent drops in tasks. - Sandbox containers can be reused for agents and tasks, speeding up execution and reducing overhead. ### What's new - Agents support online runtime with a minimal safety framework to improve stability. - Recorded LLM interactions can be deterministically replayed at the provider interface. - Distributed path validation has been enhanced for more robust data routing. - A client-simulation runtime was added for end-to-end testing of the IntakeEngine. - A new work pipeline spine architecture has been introduced to streamline task processing. ### Under the hood - Infrastructure, Python, and web dependencies have all been updated to latest versions. - Updated apko lockfiles in the CI/CD pipeline improve build consistency. <!-- HIGHLIGHTS_END --> :robot: I have created a release *beep* *boop* --- ## [0.8.6](v0.8.5...v0.8.6) (2026-05-19) ### Features * agent runtime online + minimal safety spine (runtime root) ([#2003](#2003)) ([e5eef1a](e5eef1a)), closes [#1956](#1956) * deterministic recorded-LLM cassette replay at the provider chokepoint ([#2010](#2010)) ([cabf55d](cabf55d)) * distributed path validation + hardening ([#2011](#2011)) ([a382e4a](a382e4a)), closes [#1966](#1966) * wire IntakeEngine via boot client-simulation runtime (e2e test harness) ([#2006](#2006)) ([6a9c0aa](6a9c0aa)), closes [#1961](#1961) * work pipeline spine ([#1960](#1960)) ([#2013](#2013)) ([29b64e3](29b64e3)) ### Bug Fixes * bring the multi-agent coordinator online at boot ([#2007](#2007)) ([180b38a](180b38a)), closes [#1958](#1958) * full governance enforcement online ([#1957](#1957)) ([#2005](#2005)) ([4140fc5](4140fc5)) * harden anti-ghost-wiring gate and fix silently-dropped review agents ([#2000](#2000)) ([89b57ce](89b57ce)) * make coordination metrics live ([#1959](#1959)) ([#2012](#2012)) ([c4775e2](c4775e2)) * sandbox lifecycle dispatch (per-agent / per-task container reuse) ([#2008](#2008)) ([03d2587](03d2587)), closes [#1965](#1965) ### Documentation * add GitButler concept-only concurrency research ([#1978](#1978)) ([#2009](#2009)) ([9e4f5c1](9e4f5c1)) * honest-hybrid refresh of README, site, and design specs ([#2001](#2001)) ([f485bea](f485bea)) ### CI/CD * update apko lockfiles ([#2004](#2004)) ([e2b9eee](e2b9eee)) ### Maintenance * Update Infrastructure dependencies ([#2014](#2014)) ([0b16bdf](0b16bdf)) * Update Python dependencies ([#2015](#2015)) ([a7224bb](a7224bb)) * Update Web dependencies ([#2016](#2016)) ([7a7fe76](7a7fe76)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: synthorg-repo-bot[bot] <279117679+synthorg-repo-bot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.4.1→1.5.05.7.9→5.8.25.2.8→5.2.95.2.7→5.2.85.100.10→5.100.1125.8.0→25.9.119.2.14→19.2.156.3.3→6.3.512.38.0→12.39.08.59.3→8.59.44.92.0→4.93.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
mui/base-ui (@base-ui/react)
v1.5.0Compare Source
May 19, 2026
General changes
Math.random()inuseStableCallback()(#4732) by @michaldudakAlert Dialog
Autocomplete
FormDatafor popup inputs (#4725) by @lunaxisluCheckbox
Combobox
closeQuerywhen closing multiple input-inside-popup combobox (#4715) by @mj12albertDialog
openprop for open state detection (#4712) by @michaldudakDrawer
styleprop in<Drawer.Viewport>(#4841) by @atomiksField
flushSyncduring validation (#4685) by @atomiksForm
flushSyncduring validation (#4685) by @atomiksMenu
keepMountedportals (#4723) by @twillhorn<Menu.GroupLabel>in<Menu.RadioGroup>(#4826) by @nami8824openprop for open state detection (#4712) by @michaldudakNavigation Menu
keepMountedcontent sizing (#4817) by @atomiksNumber Field
OTP Field
sanitizeValue()tonormalizeValue()and allow composing with validation (#4717) by @atomiksflushSyncduring validation (#4685) by @atomiksonValueComplete()for full paste (#4690) by @atomiksPopover
openprop for open state detection (#4712) by @michaldudakPreview Card
openprop for open state detection (#4712) by @michaldudakScroll Area
Select
data-popup-sideto trigger (#4671) by @mj12albertTabs
onValueChange()for automatic tab selection (#4704) by @michaldudakToast
getElementTransform()and remove local implementation (#4749) by @sai6855Tooltip
openprop for open state detection (#4712) by @michaldudakAll contributors of this release in alphabetical order: @aeterno-caspian, @arturbien, @atomiks, @flaviendelangle, @Janpot, @lunaxislu, @lyzno1, @mattrothenberg, @michaldudak, @mj12albert, @nami8824, @sai6855, @stefee, @twillhorn
Rel1cx/eslint-react (@eslint-react/eslint-plugin)
v5.8.2Compare Source
📝 Documentation
usehook guidance toerror-boundaries,rules-of-hooks, andno-use-contextdocs.eslint-plugin-react-xrule documentation with scenario-based examples, Troubleshooting sections, and Further Reading links across 48 rule docs (#1786).^^^) from documentation examples for better readability (#1785).eslint-plugin-reactwith additional details.🏗️ Internal
pnpm-lock.yaml: bumpednxto 22.7.2 andbrace-expansionto 5.0.5.Full Changelog: Rel1cx/eslint-react@v5.8.1...v5.8.2
v5.8.1Compare Source
📝 Documentation
eslint-plugin-react-x,eslint-plugin-react-dom,eslint-plugin-react-jsx,eslint-plugin-react-web-api,eslint-plugin-react-naming-convention,eslint-plugin-react-debug,eslint-plugin-react-rsc) from theCommon Violations / Invalid / Validformat to the newExamples / scenario-based / Troubleshooting / Further Readingformat (#1784).🏗️ Internal
scripts/scaffold-rule.tsand the rule request issue template to match the new documentation structure (#1782).Full Changelog: Rel1cx/eslint-react@v5.8.0...v5.8.1
v5.8.0Compare Source
🪄 Improvements
react-jsx/no-children-prop,react-jsx/no-children-prop-with-children: Added support forcreateElementcalls in addition to JSX elements (#1780).📝 Documentation
eslint-plugin-perfectionistto the third-party plugins documentation page (#1778).🏗️ Internal
import-integrity-lintto 1.0.1.typescript-eslintandimport-integrity-lintin the workspace (#1776).minimumReleaseAgeto 3 days and updated lockfile (#1779)..reposdirectory references from config files (#1773).create-spec-alignment-issues.sh,migrate-labels.sh) (#1777).eslint-plugin-fast-importwithimport-integrity-lint(#1774).Full Changelog: Rel1cx/eslint-react@v5.7.10...v5.8.0
v5.7.10🐞 Fixes
react-x/no-leaked-conditional-rendering,react-x/set-state-in-effect: Added cycle detection to prevent stack overflow in recursive function analysis (#1769).📝 Documentation
third-party-plugins.mdxdocumentation page.react-x/globalsrule.🏗️ Internal
react-x/error-boundaries: SimplifiedgetEnclosingTryBlockimplementation.minimumReleaseAgeandminimumReleaseAgeExcludeentries topnpm-workspace.yaml.fumadocs-coreandfumadocs-uito 16.8.11.facebook/reactas git subtree under.repos" in v5.7.9 (re-released as v5.7.10, closes #1772).Full Changelog: Rel1cx/eslint-react@v5.7.8...v5.7.10
fontsource/font-files (@fontsource-variable/geist)
v5.2.9Compare Source
fontsource/font-files (@fontsource-variable/geist-mono)
v5.2.8Compare Source
TanStack/query (@tanstack/react-query)
v5.100.11Patch Changes
withastro/astro (astro)
v6.3.5Compare Source
Patch Changes
#16771
07c8805Thanks @ematipico! - Fixespositionprop on<Image>and<Picture>components breaking Content Security Policy (CSP).#16593
50924ceThanks @yanthomasdev! - Improves error messages with more consistent and correct writing.#16757
5d661cdThanks @astrobot-houston! - Fixes dev server serving stale content when SSR-only modules change (e.g..astrofiles outside the project root in a monorepo, or dynamically imported components).Previously, the
astro:hmr-reloadplugin returned an empty array after detecting SSR-only module changes, which prevented Vite'supdateModulesfrom propagating the invalidation to the SSR module runner. The runner's evaluated module cache stayed stale, so subsequent requests continued returning old content.Now the plugin returns the SSR-only modules so Vite can process them through
updateModules, which properly invalidates the module runner's cache and ensures fresh content on the next request.v6.3.4Compare Source
Patch Changes
#16723
0f10bfeThanks @matthewp! - AddsfetchFileoption toexperimental.advancedRoutingto customize or disable the entrypoint file#16723
0f10bfeThanks @matthewp! - Fixes Honocache()middleware to follow the standard wrapper pattern#16723
0f10bfeThanks @matthewp! - AddsApp.Providersinterface for typing custom context providers onAstroandctx#16723
0f10bfeThanks @matthewp! - AddsFetchState.responseproperty, set automatically afterpages()ormiddleware()completes#16723
0f10bfeThanks @matthewp! - AddsFetchabletype export for typing the advanced routing entrypoint#16572
4a5a077Thanks @DORI2001! - Suppresses[WARN] Vite warning: unused imports from "@​astrojs/internal-helpers/remote"during prerender builds. The package is now bundled alongsideastroin the prerender environment, matching how it is handled in the SSR environment.#16756
b6ee23dThanks @astrobot-houston! - Fixes styles from Markdoc/MDX custom components not being extracted to<head>in the dev server when using the Cloudflare adapter withprerenderEnvironment: 'node'and rendering content through a wrapper component.#16747
904d19aThanks @astrobot-houston! - Fixes Astro action requests failing inastro devwhen using the Cloudflare adapter withprerenderEnvironment: 'node'alongside a prerendered catch-all route such as[...page].astro.Actions and other SSR POST endpoints now continue to work in dev instead of returning an HTTP 500 error.
#16701
3495ce4Thanks @demaisj! - FixMapandSetinstances saved in a content collection being broken when retrieving entries.#16614
fca1c32Thanks @Eptagone! - Fixesentry.datatype inference when a live collection is configured without a schema.#16661
03b8f7fThanks @ocavue! - Updatestypescriptto v6. No changes are needed from users.#16681
c22770aThanks @dotnetCarpenter! - Fixes an issue where SVG images withwidth="0"orheight="0"incorrectly threw aNoImageMetadataerror instead of being treated as valid dimensions.motiondivision/motion (motion)
v12.39.0Compare Source
Added
repeatTypeandrepeatDelayin animation sequences.Fixed
dragSnapToOriginno longer leaves the drag transform stranded after a layout swap.LazyMotion: Share React contexts between theframer-motionandframer-motion/m(and thereforemotion/reactandmotion/react-m) CJS bundles so that<m.div>from the/msubpath picks up features loaded by<LazyMotion>from the main entry point.useScroll: Support hydratingtargetandcontainerrefs from anywhere in the tree.<AnimatePresence initial={false} />.dragConstraints, when set as viewport-relative ref, no longer break on scroll.§visualElementhydration order.useAnimate: Now respectsskipAnimations.AnimatePresence: Fix object-forminitialvalues not applied on re-entry after exit completes.scroll: Fixed callback progress when tracking an element.useScroll: Fix hardware acceleration when tracking an element.typescript-eslint/typescript-eslint (typescript-eslint)
v8.59.4Compare Source
🩹 Fixes
❤️ Thank You
See GitHub Releases for more information.
You can read about our versioning strategy and releases on our website.
cloudflare/workers-sdk (wrangler)
v4.93.0Compare Source
Minor Changes
#13901
aac7ca0Thanks @bghira! - Addwrangler ai models schemacommand for fetching model schemasYou can now run
wrangler ai models schema <model>to fetch the input and output schema for a Workers AI model from the public model catalog schema endpoint.#12656
ae047eeThanks @mikenomitch! - Add--containers-rollout=noneThis allows you to skip deploying a container. This is useful if you know that your container is not going to be updated or you don't have Docker locally, but still want to make changes to your Worker.
#13901
aac7ca0Thanks @bghira! - Addwrangler ai models listcommand for querying the Workers AI model catalogwrangler ai models listaccepts--search,--task,--author,--source, and--hide-experimental, matching the public model catalog search endpoint.Patch Changes
#13948
b25dc0dThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13882
a4f22bcThanks @matingathani! - Throw a clear error when a D1 migration is cancelled instead of silently returning#13950
f78d435Thanks @dario-piotrowicz! - Improve the Docker CLI error message to be more actionable.Include a link to Docker installation docs, platform-specific instructions for starting the daemon, and guidance for alternative Docker-compatible CLIs.
#11896
c5c9e20Thanks @staticpayload! - Surface remote proxy session errorsWhen remote bindings fail to start, include the controller reason and root cause in the error message to make failures like missing
cloudflaredclearer.#13932
ebf4b24Thanks @zebp! - Fix local Workflow startup when compatibility flags includeexperimentalMiniflare now deduplicates compatibility flags for the internal Workflow engine service. This prevents
wrangler devfrom failing withCompatibility flag specified multiple times: experimentalwhen the user's Worker already enables that flag.#13929
895baf5Thanks @Caio-Nogueira! - Prompt to provision a workers.dev subdomain before deploying WorkflowsWrangler now checks for the account-level workers.dev subdomain when deploying Workflows, even if the Worker is not being published to workers.dev. If the subdomain has not been registered yet, Wrangler prompts to create one before calling the Workflows deploy API so users avoid an opaque server-side deployment failure.
#13930
7bcdf45Thanks @shiminshen! - Sweep stale.wrangler/tmp/*dirs left behind by abnormal exitsA
wrangler devsession creates.wrangler/tmp/bundle-*and.wrangler/tmp/dev-*directories at startup and removes them via asignal-exithook on graceful shutdown. When the process exited abnormally (SIGKILL, OOM, host crash) those directories were left behind and accumulated across sessions, slowing down dependency-walking tools that follow the bundle-emitted absolute-path imports.wranglernow sweeps entries in.wrangler/tmp/older than 24 hours when a new temporary directory is requested, bounding the leak regardless of how prior sessions exited.Updated dependencies [
b25dc0d,ebf4b24,b27eb18]:Configuration
📅 Schedule: (in timezone Etc/UTC)
* 0-6 * * 6)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.