Skip to content

chore(deps): bump the npm-minor-patch group across 1 directory with 10 updates#247

Merged
jrphilo merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-patch-c0e115dd37
May 8, 2026
Merged

chore(deps): bump the npm-minor-patch group across 1 directory with 10 updates#247
jrphilo merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-patch-c0e115dd37

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 7, 2026
edited
Loading

Bumps the npm-minor-patch group with 10 updates in the / directory:

Package From To
turbo 2.9.9 2.9.10
@instantdb/admin 1.0.23 1.0.25
@instantdb/core 1.0.23 1.0.25
@instantdb/react 1.0.23 1.0.25
next 16.2.4 16.2.6
react 19.2.5 19.2.6
react-dom 19.2.5 19.2.6
stripe 22.1.0 22.1.1
@types/node 25.6.0 25.6.2
eslint-config-next 16.2.4 16.2.6

Updates turbo from 2.9.9 to 2.9.10

Release notes

Sourced from turbo's releases.

Turborepo v2.9.10

What's Changed

Changelog

Full Changelog: vercel/turborepo@v2.9.9...v2.9.10

Turborepo v2.9.10-canary.1

What's Changed

Changelog

... (truncated)

Commits

Updates @instantdb/admin from 1.0.23 to 1.0.25

Commits

Updates @instantdb/core from 1.0.23 to 1.0.25

Commits

Updates @instantdb/react from 1.0.23 to 1.0.25

Commits

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v16.2.5

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

Commits
  • ee6e79b v16.2.6
  • afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
  • 97a154e Turbopack: Fix middleware matcher suffix (#93590)
  • 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
  • 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
  • a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
  • 766148f v16.2.5
  • 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
  • d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
  • 9d50c0b Strip next-resume header from incoming requests (#92)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

Commits

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

Commits

Updates stripe from 22.1.0 to 22.1.1

Release notes

Sourced from stripe's releases.

v22.1.1

  • #2703 Export Decimal type from Stripe namespace

    • Added Stripe.Decimal as a usable type in the Stripe namespace, enabling type annotations like function takesDecimal(d: Stripe.Decimal).

  • #2704 Fix file upload regression: restore multipart request data processor

    • Fixed file uploads failing with StripeInvalidRequestError on the /v1/files endpoint since v22.

See the changelog for more details.

Changelog

Sourced from stripe's changelog.

22.1.1 - 2026-05-06

  • #2703 Export Decimal type from Stripe namespace

    • Added Stripe.Decimal as a usable type in the Stripe namespace, enabling type annotations like function takesDecimal(d: Stripe.Decimal).

  • #2704 Fix file upload regression: restore multipart request data processor

    • Fixed file uploads failing with StripeInvalidRequestError on the /v1/files endpoint since v22.
Commits

Updates @types/node from 25.6.0 to 25.6.2

Commits

Updates eslint-config-next from 16.2.4 to 16.2.6

Release notes

Sourced from eslint-config-next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v16.2.5

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for eslint-config-next since your current version.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 7, 2026
@dependabot dependabot Bot requested a review from jrphilo as a code owner May 7, 2026 17:45
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 7, 2026
@jrphilo
Copy link
Copy Markdown
Contributor

jrphilo commented May 7, 2026

Ralphie verified this — ready to merge.

Verification

  • lint: ✓
  • check-types: ✓
  • test: ✓ (1471 tests / 123 files)
  • smoke: ✓

Changelog highlights

  • next 16.2.4 → 16.2.5: 12 security advisory fixes (release notes)
  • react / react-dom 19.2.5 → 19.2.6: RSC type hardening + perf (release, PR #36425)
  • stripe 22.1.0 → 22.1.1: export Stripe.Decimal type; fix file-upload regression on /v1/files (changelog)
  • @instantdb/{admin,core,react} 1.0.23 → 1.0.24: no public release notes — investigated below
  • turbo 2.9.9 → 2.9.10: security/hardening fixes (OTel, IPC, cache boundaries) (release)
  • @types/node 25.6.0 → 25.6.1, eslint-config-next 16.2.4 → 16.2.5: types and lint config bumps

Investigation

Elevated scrutiny applied: this group spans framework majors (next, react, react-dom) and security-sensitive runtime deps (stripe, @instantdb/*). All bumps are patches; investigation cleared each elevated category.

  • Ownership: same maintainers across all packages
    • @instantdb/core@1.0.24 published via the GitHub Actions trusted publisher (OIDC); npm maintainers (stopachka, nezaj, dww, drew-h) unchanged from 1.0.23
    • next / react / react-dom / stripe / turbo / @types/node / eslint-config-next: same publishers as the prior version
  • Auth/secrets: none — no patch in this group changes auth flows
    • @instantdb/* 1.0.23 → 1.0.24 was published 5 hours apart on 2026-05-05; the only commit touching client/packages/ between the two releases is #2629 (CLI refactor), confined to client/packages/cli/ plus a one-line bump in client/packages/version/src/version.ts. The @instantdb/admin / core / react runtime SDKs we use are functionally unchanged
  • Security advisory: next 16.2.5 lands fixes for 12 advisories — mapped each to our usage
  • Deprecations: none we'd hit
  • Breaking API: none
    • stripe 22.1.1's file-upload regression fix targets stripe.files.create() / /v1/files; we don't call it. Stripe usage in happyhq/ee/lib/billing/ is limited to customers.create, checkout.sessions.create, subscriptions.update, billingPortal.sessions.create. The new Stripe.Decimal type export is additive and unused by us
    • react / react-dom 19.2.6 "type hardening + perf" — type hardening surfaces at compile time (passed pnpm check-types), perf changes are non-breaking
    • next 16.2.5 release ships only the security patches above; no API changes called out
    • turbo 2.9.10 changes are internal hardening (devDep)

Recommendation

Pure security / type / perf patches across the group. Verification clean (lint, types, 1471 tests, smoke). No applicable behavior change for our codebase; the next advisory fixes are either net positive (we use the affected feature) or no-op (we don't). Safe to merge.

@jrphilo jrphilo added ralphie:ready-to-merge Ralphie verified the upgrade and the changelog; safe to merge — human clicks merge ralphie:qa-pass Ralphie QA loop verified the PR; safe to merge — human clicks merge labels May 7, 2026
@jrphilo
Copy link
Copy Markdown
Contributor

jrphilo commented May 7, 2026

QA: pass — smoke

What was checked: golden-path smoke (pnpm smoke:e2e) against this PR's branch (296adfb) — task creation with file ingestion, planning iteration, working iteration, plan/output assertions. The bundle includes elevated-scrutiny deps (next, react, react-dom, stripe, @instantdb/*), so smoke was required regardless of the PR-body evidence.

Evidence: smoke ran clean on first attempt — planning 41.5s, working 36.1s (77.6s total). plan.md (1088 chars) and outputs/haiku.md produced. Log scan clean (8 entries, no run.error / api.error / client.* events).

The Next 16.2.4 → 16.2.5 RSC/runtime, React 19.2.5 → 19.2.6 renderer, and InstantDB 1.0.23 → 1.0.24 SDKs all integrate without regression on the golden path. Stripe 22.1.0 → 22.1.1 isn't exercised by smoke (no billing path), but the rubric flagged the bundle as a unit and the unbilled surfaces are unchanged.

@dependabot dependabot Bot changed the title chore(deps): bump the npm-minor-patch group with 10 updates chore(deps): bump the npm-minor-patch group across 1 directory with 10 updates May 7, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-minor-patch-c0e115dd37 branch from 296adfb to 8015436 Compare May 7, 2026 22:17
@dependabot
chore(deps): bump the npm-minor-patch group across 1 directory with 1…
b727d75 
…0 updates

Bumps the npm-minor-patch group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [turbo](https://github.com/vercel/turborepo) | `2.9.9` | `2.9.10` |
| [@instantdb/admin](https://github.com/instantdb/instant/tree/HEAD/client/packages/admin) | `1.0.23` | `1.0.25` |
| [@instantdb/core](https://github.com/instantdb/instant/tree/HEAD/client/packages/core) | `1.0.23` | `1.0.25` |
| [@instantdb/react](https://github.com/instantdb/instant/tree/HEAD/client/packages/react) | `1.0.23` | `1.0.25` |
| [next](https://github.com/vercel/next.js) | `16.2.4` | `16.2.6` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.5` | `19.2.6` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.5` | `19.2.6` |
| [stripe](https://github.com/stripe/stripe-node) | `22.1.0` | `22.1.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.6.0` | `25.6.2` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.2.4` | `16.2.6` |



Updates `turbo` from 2.9.9 to 2.9.10
- [Release notes](https://github.com/vercel/turborepo/releases)
- [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md)
- [Commits](vercel/turborepo@v2.9.9...v2.9.10)

Updates `@instantdb/admin` from 1.0.23 to 1.0.25
- [Commits](https://github.com/instantdb/instant/commits/HEAD/client/packages/admin)

Updates `@instantdb/core` from 1.0.23 to 1.0.25
- [Commits](https://github.com/instantdb/instant/commits/HEAD/client/packages/core)

Updates `@instantdb/react` from 1.0.23 to 1.0.25
- [Commits](https://github.com/instantdb/instant/commits/HEAD/client/packages/react)

Updates `next` from 16.2.4 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.4...v16.2.6)

Updates `react` from 19.2.5 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react)

Updates `react-dom` from 19.2.5 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-dom)

Updates `stripe` from 22.1.0 to 22.1.1
- [Release notes](https://github.com/stripe/stripe-node/releases)
- [Changelog](https://github.com/stripe/stripe-node/blob/master/CHANGELOG.md)
- [Commits](stripe/stripe-node@v22.1.0...v22.1.1)

Updates `@types/node` from 25.6.0 to 25.6.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-config-next` from 16.2.4 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.6/packages/eslint-config-next)

---
updated-dependencies:
- dependency-name: "@instantdb/admin"
  dependency-version: 1.0.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: "@instantdb/core"
  dependency-version: 1.0.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: "@instantdb/react"
  dependency-version: 1.0.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: "@types/node"
  dependency-version: 25.6.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: eslint-config-next
  dependency-version: 16.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: next
  dependency-version: 16.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: react
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: react-dom
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: stripe
  dependency-version: 22.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: turbo
  dependency-version: 2.9.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-minor-patch-c0e115dd37 branch from 8015436 to b727d75 Compare May 8, 2026 00:55
@jrphilo jrphilo merged commit 3f60647 into main May 8, 2026
5 checks passed
@jrphilo jrphilo deleted the dependabot/npm_and_yarn/npm-minor-patch-c0e115dd37 branch May 8, 2026 01:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jrphilo jrphilo Awaiting requested review from jrphilo jrphilo is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code ralphie:qa-pass Ralphie QA loop verified the PR; safe to merge — human clicks merge ralphie:ready-to-merge Ralphie verified the upgrade and the changelog; safe to merge — human clicks merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jrphilo