Bump the minor-and-patch group across 1 directory with 20 updates by dependabot[bot] · Pull Request #29 · akshitkrnagpal/edgepush

dependabot · 2026-06-21T06:03:48Z

Bumps the minor-and-patch group with 20 updates in the / directory:

Package	From	To
turbo	`2.9.14`	`2.9.18`
better-auth	`1.6.11`	`1.6.20`
hono	`4.12.19`	`4.12.26`
@cloudflare/vitest-pool-workers	`0.16.6`	`0.16.18`
@cloudflare/workers-types	`4.20260517.1`	`4.20260621.1`
vitest	`4.1.6`	`4.1.9`
wrangler	`4.92.0`	`4.103.0`
@tanstack/react-query	`5.100.10`	`5.101.0`
next	`16.2.6`	`16.2.9`
react	`19.2.6`	`19.2.7`
@types/react	`19.2.14`	`19.2.17`
react-dom	`19.2.6`	`19.2.7`
@opennextjs/cloudflare	`1.19.10`	`1.19.11`
@tailwindcss/postcss	`4.3.0`	`4.3.1`
eslint-config-next	`16.2.6`	`16.2.9`
tailwindcss	`4.3.0`	`4.3.1`
@astrojs/cloudflare	`13.5.1`	`13.7.0`
@astrojs/sitemap	`3.7.2`	`3.7.3`
astro	`6.3.3`	`6.4.8`
@orpc/server	`1.14.3`	`1.14.6`

Updates turbo from 2.9.14 to 2.9.18

Release notes

Sourced from turbo's releases.

Turborepo v2.9.18

What's Changed

Changelog

release(turborepo): 2.9.17 by @github-actions[bot] in vercel/turborepo#13047

ci: Fetch version.txt via API in docs alias failure notification by @anthonyshew in vercel/turborepo#13050

fix: Harden cache archive symlink restore by @anthonyshew in vercel/turborepo#13051

chore: Remove web UI mode by @anthonyshew in vercel/turborepo#13052

fix: Harden query server file access by @anthonyshew in vercel/turborepo#13053

fix: Confine prune patch paths by @anthonyshew in vercel/turborepo#13054

fix: Prevent git argument injection in SCM refs by @anthonyshew in vercel/turborepo#13055

fix: Strip special mode bits from cache restore by @anthonyshew in vercel/turborepo#13056

fix: Contain incremental cache outputs by @anthonyshew in vercel/turborepo#13057

fix(turborepo): Normalize Windows daemon path hash by @Balance8 in vercel/turborepo#13020

fix: Preserve vt100 cell byte counts by @anthonyshew in vercel/turborepo#13058

fix: Separate artifact signature fields by @anthonyshew in vercel/turborepo#13059

fix: Validate OidHash hex buffers by @anthonyshew in vercel/turborepo#13060

fix: Block self-hosted login URLs from attempting to use Vercel's SSO by @anthonyshew in vercel/turborepo#13061

New Contributors

@Balance8 made their first contribution in vercel/turborepo#13020

Full Changelog: vercel/turborepo@v2.9.17...v2.9.18

Turborepo v2.9.17

What's Changed

Changelog

fix: Keep non-PTY stdin alive for persistent tasks by @anthonyshew in vercel/turborepo#12972

release(turborepo): 2.9.16 by @github-actions[bot] in vercel/turborepo#12970

release(turborepo): 2.9.17-canary.1 by @github-actions[bot] in vercel/turborepo#12973

fix: Add auth HTTP timeouts by @anthonyshew in vercel/turborepo#12976

fix: Detect affected root tasks in query by @anthonyshew in vercel/turborepo#12977

fix: Wait for Windows graceful shutdown by @anthonyshew in vercel/turborepo#12979

release(turborepo): 2.9.17-canary.2 by @github-actions[bot] in vercel/turborepo#12980

test: Skip installs for JSON output fixtures by @anthonyshew in vercel/turborepo#12981

feat: Add Rsbuild examples by @Nsttt in vercel/turborepo#12942

test: Skip installs for single package dry runs by @anthonyshew in vercel/turborepo#12982

test: Skip Corepack setup without installs by @anthonyshew in vercel/turborepo#12983

test: Skip installs for metadata-only Rust tests by @anthonyshew in vercel/turborepo#12985

test: Skip remaining unnecessary fixture installs by @anthonyshew in vercel/turborepo#12986

test: Add final hash contract snapshots by @anthonyshew in vercel/turborepo#12984

test: Trim run logging integration matrix by @anthonyshew in vercel/turborepo#12987

test: Trim affected query integration matrix by @anthonyshew in vercel/turborepo#12988

test: Narrow Windows integration test group by @anthonyshew in vercel/turborepo#12989

test: Trim task dependency integration coverage by @anthonyshew in vercel/turborepo#12990

test: Trim affected integration coverage by @anthonyshew in vercel/turborepo#12991

test: Collapse integration test matrices by @anthonyshew in vercel/turborepo#12992

... (truncated)

Commits

3bdce32 publish 2.9.18 to registry
2a76556 fix: Block self-hosted login URLs from attempting to use Vercel's SSO (#13061)
da8e348 fix: Validate OidHash hex buffers (#13060)
3018717 fix: Separate artifact signature fields (#13059)
34514e2 fix: Preserve vt100 cell byte counts (#13058)
24e2d34 fix(turborepo): Normalize Windows daemon path hash (#13020)
16dc881 fix: Contain incremental cache outputs (#13057)
92e1f8e fix: Strip special mode bits from cache restore (#13056)
f46f896 fix: Prevent git argument injection in SCM refs (#13055)
7f353ca fix: Confine prune patch paths (#13054)
Additional commits viewable in compare view

Updates better-auth from 1.6.11 to 1.6.20

Release notes

Sourced from better-auth's releases.

v1.6.20

better-auth

Bug Fixes

Fixed account-linking logs to route through the configured logger (#10121)

Fixed TypeScript inference errors by declaring inherited APIError properties (#8734)

Fixed refresh cookie Max-Age to be capped at expiresIn (#9621)

For detailed changes, see CHANGELOG

@better-auth/i18n

Bug Fixes

Fixed English language fallback behavior and improved i18n documentation (#9872)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@adityachaudhary99, @dipan-ck, @sleepe229, @WilsonnnTan

Full changelog: v1.6.19...v1.6.20

v1.6.19

better-auth

Features

Added support for pre-binding device codes to a specific user in the device authorization plugin (#9995)

Bug Fixes

Fixed headerless session checks (#10053)

Fixed cookie cache fallback lookup (#9348)

Fixed sendVerificationEmail errors not being surfaced to the client (#8863)

Fixed auth client return types not being emitted correctly in TypeScript declaration builds (#10071)

Fixed session and account cache cookies being silently dropped when near the browser's per-cookie size limit by splitting them into chunks (#10088)

Fixed single-use verification flows (such as magic-link) hanging on connection-limited database adapters by reusing active transactions (#10070)

Fixed the domain not being included when clearing cross-subdomain cookies in the last-login-method plugin (#9319)

Fixed the oauth-popup plugin leaking internal OAuth state keys into additionalData (#10067)

Reverted the headerless session check fix (#10074)

For detailed changes, see CHANGELOG

auth

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.20

Patch Changes

#10121 21448b1 Thanks @adityachaudhary99! - OAuth account-linking and create-user error logs now respect a custom logger configured in betterAuth(), instead of always being written to the default console logger.

#9621 8ecf238 Thanks @dipan-ck! - Session refresh no longer emits a cookie Max-Age above the browser's 400-day ceiling when using a database without fractional-second precision.

#8734 930f534 Thanks @sleepe229! - declare inherited APIError properties to fix TypeScript inference errors

Updated dependencies []:

@better-auth/core@1.6.20

@better-auth/drizzle-adapter@1.6.20

@better-auth/kysely-adapter@1.6.20

@better-auth/memory-adapter@1.6.20

@better-auth/mongo-adapter@1.6.20

@better-auth/prisma-adapter@1.6.20

@better-auth/telemetry@1.6.20

1.6.19

Patch Changes

#10088 de4aa52 Thanks @bytaesu! - Session and account cache cookies near the browser's per-cookie size limit (for example with a long cookiePrefix or many cached fields) are now split into chunks instead of being silently dropped by the browser. A cache too large to fit even when chunked is skipped with a warning rather than failing the request, so reads fall back to the database.

#9995 b4b0266 Thanks @ElGauchooooo! - The device authorization plugin now accepts an optional user_id when issuing a device code via /device/code, pre-binding the code to that user. Only the bound user can approve or deny the code, so a publicly visible user code can no longer be claimed by someone else.

#10086 5bd5e1c Thanks @gustavovalverde! - Refresh-token rotation and token revocation, two-factor backup-code regeneration, device-code claiming, and organization invitation acceptance now work on Prisma. Concurrent or repeat requests in these flows could previously return an error on Prisma instead of the expected result.

On MongoDB servers older than 5.0, these flows and other guarded value updates (rate-limit window resets, API-key refills) no longer fail with an empty-update error.

@better-auth/core: incrementOne now reports a clear error when called with no increment and no set.

#9319 581f827 Thanks @ping-maxwell! - fix(last-login-method): include domain when clearing cross-subdomain cookies

#10067 8407885 Thanks @bytaesu! - The oauth-popup plugin now ignores internal OAuth state fields passed through its additionalData parameter, so additionalData only ever carries your own custom values.

#9555 c1a8a64 Thanks @ChrisMGeo! - Fix invalid OpenAPI output for Better Auth callback, session, and passkey routes so client generators can consume the schema.

#10071 635f190 Thanks @gustavovalverde! - Auth clients exported from wrapper packages can now be emitted in TypeScript declaration builds without extra type annotations.

#10070 a787e0b Thanks @gustavovalverde! - Single-use verification flows no longer hang on database adapters that use a one-connection pool. This fixes magic-link verification and similar token checks in connection-limited serverless database setups.

#9348 c2f718f Thanks @ping-maxwell! - fix: cookie cache fallback lookup

#8863 7d18175 Thanks @ping-maxwell! - sendVerificationEmail was invoked via runInBackgroundOrAwait, which could defer work when advanced.backgroundTasks.handler is configured (so the handler could return 200 before the email callback finished) and, in the default path, caught and logged errors without rethrowing. User callbacks that throw APIError (e.g. 429 from a rate limiter) were therefore not reliably reflected in the HTTP response (better-auth/better-auth#8757).

Now we await sendVerificationEmailFn so failures surface to the client with the correct status. The unauthenticated /send-verification-email path enforces a constant-time floor (500 ms) so that the response duration does not reveal whether the email belongs to a real unverified user.

Updated dependencies [0895993, 5bd5e1c, a787e0b]:

... (truncated)

Commits

c342f42 chore: release v1.6.20 (#10108)
21448b1 fix: route account-linking logs through the configured logger (#10121)
8ecf238 fix(session): cap refresh cookie Max-Age at expiresIn (#9621)
ac4d81d chore: release v1.6.19 (#10034)
1e69725 docs: clarify stateless Cognito token refresh (#10092)
de4aa52 fix(cookies): chunk session and account cookies near the browser size limit (...
5bd5e1c fix: make guarded state transitions portable on Prisma (#10086)
36f345b revert: fix: allow headerless get session checks (#10053) (#10074)
635f190 fix(client): name auth client return types (#10071)
d009dae fix: allow headerless get session checks (#10053)
Additional commits viewable in compare view

Updates hono from 4.12.19 to 4.12.26

Release notes

Sourced from hono's releases.

v4.12.26

What's Changed

fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @yusukebe in honojs/hono#5013

ci: publish to npm from CI with OIDC trusted publishing by @yusukebe in honojs/hono#5028

chore: remove unused devcontainer and gitpod configs by @yusukebe in honojs/hono#5029

chore: replace arg and glob with Bun native APIs in build script by @yusukebe in honojs/hono#5030

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

docs(contribution): simplifyAI Usage Policy by @yusukebe in honojs/hono#4972

chore: remove @types/glob by @rtritto in honojs/hono#4978

fix(bearer-auth): mention verifyToken in missing-options error message by @tan7vir in honojs/hono#4987

refactor(language): Test/improve tests on languages middleware by @iNeoO in honojs/hono#4980

fix(utils/ipaddr): expand "::" to eight zero groups by @youcefzemmar in honojs/hono#4973

fix: clean up config files trailing comma, stale excludes, typesVersions gaps, jsr paths by @Mohammad-Faiz-Cloud-Engineer in honojs/hono#4982

refactor(timing): Test/add test for middleware timing by @iNeoO in honojs/hono#4991

fix(utils/ipaddr): render the unspecified address binary as "::" by @sarathfrancis90 in honojs/hono#4998

Full Changelog: honojs/hono@v4.12.23...v4.12.24

v4.12.23

What's Changed

... (truncated)

Commits

27b7992 4.12.26
d29982c chore: replace arg and glob with Bun native APIs in build script
16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
c574cf1 ci: publish to npm from CI with OIDC trusted publishing (#5028)
e50df01 fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding (#5...
fce483e 4.12.25
751ba41 Merge commit from fork
f0b094d Merge commit from fork
fa5f9bf Merge commit from fork
3892a6c Merge commit from fork
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.

Updates @cloudflare/vitest-pool-workers from 0.16.6 to 0.16.18

Release notes

Sourced from @cloudflare/vitest-pool-workers's releases.

@cloudflare/vitest-pool-workers@0.16.18

Patch Changes

Updated dependencies [c6579d3, 444b75e, b38823f, cfd6205, cfd6205]:

wrangler@4.103.0

miniflare@4.20260617.1

@cloudflare/vitest-pool-workers@0.16.17

Patch Changes

#14347 673b09e Thanks @jamesopstad! - Update undici from 7.24.8 to 7.28.0

#14314 5c3bb11 Thanks @harryzcy! - Bump esbuild to 0.28.1

This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

Updated dependencies [673b09e, e930bd4, f6e49dd, 5c3bb11, 296ad65, 594544d, a79b899, 5dfb788, ca61558, 36777db]:

miniflare@4.20260617.0

wrangler@4.102.0

@cloudflare/vitest-pool-workers@0.16.16

Patch Changes

Updated dependencies [0e055d3, 27db82c, 2a6a26b, 9a424ed, ecfdd5a, 604be26, 1fb7ba5, 208b3bb, 41f391f, 32f9307, 8b2ce41, 3578919, ee82c76, 41f391f, 21dbc12, 7e63948, 035917f]:

miniflare@4.20260616.0

wrangler@4.101.0

@cloudflare/vitest-pool-workers@0.16.15

Patch Changes

Updated dependencies [98c9afe, e305126, f3990b2, 4597f08, 25722ac, 41f75c0, 10b5538, 818c105, 2ae6099, 2047a32, 2047a32, e8561c2]:

wrangler@4.100.0

miniflare@4.20260611.0

@cloudflare/vitest-pool-workers@0.16.14

Patch Changes

Updated dependencies [23aecac, b932e47, d076bcc, 24497d0, 4bb572f, 165adb2, 776098c, 0706fbf, 7993711, 48c4ff0, 8cf8c61, 8923f97, b205fb7, a61ac29]:

wrangler@4.99.0

miniflare@4.20260609.0

@cloudflare/vitest-pool-workers@0.16.13

Patch Changes

Updated dependencies [c6c61b5, c6c61b5, a3eea27, 7a6b1a4, 7539a9b, 1fdd8de, 3b8b80a, 0bb2d55, 8400fb9, b502d54, 7949f81, d462013, c2280cd, 3b8b80a, ea12b58, acf7817]:

wrangler@4.98.0

miniflare@4.20260603.0

@cloudflare/vitest-pool-workers@0.16.12

Patch Changes

... (truncated)

Changelog

Sourced from @cloudflare/vitest-pool-workers's changelog.

0.16.18

Patch Changes

Updated dependencies [c6579d3, 444b75e, b38823f, cfd6205, cfd6205]:

wrangler@4.103.0

miniflare@4.20260617.1

0.16.17

Patch Changes

#14347 673b09e Thanks @jamesopstad! - Update undici from 7.24.8 to 7.28.0

#14314 5c3bb11 Thanks @harryzcy! - Bump esbuild to 0.28.1

This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

Updated dependencies [673b09e, e930bd4, f6e49dd, 5c3bb11, 296ad65, 594544d, a79b899, 5dfb788, ca61558, 36777db]:

miniflare@4.20260617.0

wrangler@4.102.0

0.16.16

Patch Changes

Updated dependencies [0e055d3, 27db82c, 2a6a26b, 9a424ed, ecfdd5a, 604be26, 1fb7ba5, 208b3bb, 41f391f, 32f9307, 8b2ce41, 3578919, ee82c76, 41f391f, 21dbc12, 7e63948, 035917f]:

miniflare@4.20260616.0

wrangler@4.101.0

0.16.15

Patch Changes

Updated dependencies [98c9afe, e305126, f3990b2, 4597f08, 25722ac, 41f75c0, 10b5538, 818c105, 2ae6099, 2047a32, 2047a32, e8561c2]:

wrangler@4.100.0

miniflare@4.20260611.0

0.16.14

Patch Changes

Updated dependencies [23aecac, b932e47, d076bcc, 24497d0, 4bb572f, 165adb2, 776098c, 0706fbf, 7993711, 48c4ff0, 8cf8c61, 8923f97, b205fb7, a61ac29]:

wrangler@4.99.0

miniflare@4.20260609.0

0.16.13

Patch Changes

... (truncated)

Commits

4d8ffcb Version Packages (#14353)
dd7e101 Version Packages (#14327)
89a753e Version Packages (#14274)
341bd13 Version Packages (#14237)
8a4bfe5 Version Packages (#14179)
c8c366e Version Packages (#14159)
0b60424 Version Packages (#14142)
3d7992e [vitest-pool-workers] Fix module resolution for paths with spaces (#14152)
da8e306 [vitest-pool-workers] Preserve Durable Object handler order (for hibernated D...
0998725 Set disallowTypeAnnotations to false in `@typescript-eslint/consistent-ty...
Additional commits viewable in compare view

Updates @cloudflare/workers-types from 4.20260517.1 to 4.20260621.1

Commits

See full diff in compare view

Updates vitest from 4.1.6 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in vitest-dev/vitest#10546 (a5180)

browser:

Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10555 (7fb29)

Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10497 and vitest-dev/vitest#10556 (fbc62)

mocker:

Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in vitest-dev/vitest#10548 (2c955)

pool:

Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in vitest-dev/vitest#10543 and vitest-dev/vitest#10564 (934b0)

View changes on GitHub

v4.1.8

🐞 Bug Fixes

browser:

Disable client cdp API when allowWrite/allowExec: false [backport to v4] - by @hi-ogawa and Codex in

Bumps the minor-and-patch group with 20 updates in the / directory: | Package | From | To | | --- | --- | --- | | [turbo](https://github.com/vercel/turborepo) | `2.9.14` | `2.9.18` | | [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.11` | `1.6.20` | | [hono](https://github.com/honojs/hono) | `4.12.19` | `4.12.26` | | [@cloudflare/vitest-pool-workers](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vitest-pool-workers) | `0.16.6` | `0.16.18` | | [@cloudflare/workers-types](https://github.com/cloudflare/workerd) | `4.20260517.1` | `4.20260621.1` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.6` | `4.1.9` | | [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) | `4.92.0` | `4.103.0` | | [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.100.10` | `5.101.0` | | [next](https://github.com/vercel/next.js) | `16.2.6` | `16.2.9` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.6` | `19.2.7` | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.14` | `19.2.17` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.6` | `19.2.7` | | [@opennextjs/cloudflare](https://github.com/opennextjs/opennextjs-cloudflare/tree/HEAD/packages/cloudflare) | `1.19.10` | `1.19.11` | | [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.3.0` | `4.3.1` | | [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.2.6` | `16.2.9` | | [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.0` | `4.3.1` | | [@astrojs/cloudflare](https://github.com/withastro/astro/tree/HEAD/packages/integrations/cloudflare) | `13.5.1` | `13.7.0` | | [@astrojs/sitemap](https://github.com/withastro/astro/tree/HEAD/packages/integrations/sitemap) | `3.7.2` | `3.7.3` | | [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) | `6.3.3` | `6.4.8` | | [@orpc/server](https://github.com/middleapi/orpc/tree/HEAD/packages/server) | `1.14.3` | `1.14.6` | Updates `turbo` from 2.9.14 to 2.9.18 - [Release notes](https://github.com/vercel/turborepo/releases) - [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md) - [Commits](vercel/turborepo@v2.9.14...v2.9.18) Updates `better-auth` from 1.6.11 to 1.6.20 - [Release notes](https://github.com/better-auth/better-auth/releases) - [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md) - [Commits](https://github.com/better-auth/better-auth/commits/v1.6.20/packages/better-auth) Updates `hono` from 4.12.19 to 4.12.26 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.19...v4.12.26) Updates `@cloudflare/vitest-pool-workers` from 0.16.6 to 0.16.18 - [Release notes](https://github.com/cloudflare/workers-sdk/releases) - [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vitest-pool-workers/CHANGELOG.md) - [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vitest-pool-workers@0.16.18/packages/vitest-pool-workers) Updates `@cloudflare/workers-types` from 4.20260517.1 to 4.20260621.1 - [Release notes](https://github.com/cloudflare/workerd/releases) - [Changelog](https://github.com/cloudflare/workerd/blob/main/RELEASE.md) - [Commits](https://github.com/cloudflare/workerd/commits) Updates `vitest` from 4.1.6 to 4.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest) Updates `wrangler` from 4.92.0 to 4.103.0 - [Release notes](https://github.com/cloudflare/workers-sdk/releases) - [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.103.0/packages/wrangler) Updates `@tanstack/react-query` from 5.100.10 to 5.101.0 - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.0/packages/react-query) Updates `next` from 16.2.6 to 16.2.9 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.2.6...v16.2.9) Updates `react` from 19.2.6 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react) Updates `@types/react` from 19.2.14 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `react-dom` from 19.2.6 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom) Updates `@opennextjs/cloudflare` from 1.19.10 to 1.19.11 - [Release notes](https://github.com/opennextjs/opennextjs-cloudflare/releases) - [Changelog](https://github.com/opennextjs/opennextjs-cloudflare/blob/main/packages/cloudflare/CHANGELOG.md) - [Commits](https://github.com/opennextjs/opennextjs-cloudflare/commits/@opennextjs/cloudflare@1.19.11/packages/cloudflare) Updates `@tailwindcss/postcss` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-postcss) Updates `@types/react` from 19.2.14 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `eslint-config-next` from 16.2.6 to 16.2.9 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](https://github.com/vercel/next.js/commits/v16.2.9/packages/eslint-config-next) Updates `tailwindcss` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss) Updates `@astrojs/cloudflare` from 13.5.1 to 13.7.0 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/integrations/cloudflare/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/@astrojs/cloudflare@13.7.0/packages/integrations/cloudflare) Updates `@astrojs/sitemap` from 3.7.2 to 3.7.3 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/integrations/sitemap/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/@astrojs/sitemap@3.7.3/packages/integrations/sitemap) Updates `astro` from 6.3.3 to 6.4.8 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/astro@6.4.8/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@6.4.8/packages/astro) Updates `@orpc/server` from 1.14.3 to 1.14.6 - [Release notes](https://github.com/middleapi/orpc/releases) - [Commits](https://github.com/middleapi/orpc/commits/v1.14.6/packages/server) --- updated-dependencies: - dependency-name: turbo dependency-version: 2.9.18 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: better-auth dependency-version: 1.6.20 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: hono dependency-version: 4.12.26 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@cloudflare/vitest-pool-workers" dependency-version: 0.16.18 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@cloudflare/workers-types" dependency-version: 4.20260621.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: vitest dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: wrangler dependency-version: 4.103.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@tanstack/react-query" dependency-version: 5.101.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: next dependency-version: 16.2.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: react dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: react-dom dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@opennextjs/cloudflare" dependency-version: 1.19.11 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@tailwindcss/postcss" dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: eslint-config-next dependency-version: 16.2.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: tailwindcss dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@astrojs/cloudflare" dependency-version: 13.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@astrojs/sitemap" dependency-version: 3.7.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: astro dependency-version: 6.4.8 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@orpc/server" dependency-version: 1.14.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-06-21T06:03:49Z

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the minor-and-patch group across 1 directory with 20 updates#29

Bump the minor-and-patch group across 1 directory with 20 updates#29
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/minor-and-patch-6cc0435100

dependabot Bot commented on behalf of github Jun 21, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github Jun 21, 2026

Turborepo v2.9.18

What's Changed

Changelog

New Contributors

Turborepo v2.9.17

What's Changed

Changelog

v1.6.20

better-auth

Bug Fixes

@better-auth/i18n

Bug Fixes

Contributors

v1.6.19

better-auth

Features

Bug Fixes

auth

1.6.20

Patch Changes

1.6.19

Patch Changes

v4.12.26

What's Changed

v4.12.25

Security fixes

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Path traversal in serve-static on Windows via encoded backslash (%5C)

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

v4.12.24

What's Changed

v4.12.23

What's Changed

@​cloudflare/vitest-pool-workers@​0.16.18

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.17

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.16

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.15

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.14

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.13

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.12

Patch Changes

0.16.18

Patch Changes

0.16.17

Patch Changes

0.16.16

Patch Changes

0.16.15

Patch Changes

0.16.14

Patch Changes

0.16.13

Patch Changes

v4.1.9

🐞 Bug Fixes

View changes on GitHub

v4.1.8

🐞 Bug Fixes

Uh oh!

dependabot Bot commented on behalf of github Jun 21, 2026

Labels

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

`better-auth`

`@better-auth/i18n`

`better-auth`

`auth`

CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

`@cloudflare/vitest-pool-workers@0`.16.18

`@cloudflare/vitest-pool-workers@0`.16.17

`@cloudflare/vitest-pool-workers@0`.16.16

`@cloudflare/vitest-pool-workers@0`.16.15

`@cloudflare/vitest-pool-workers@0`.16.14

`@cloudflare/vitest-pool-workers@0`.16.13

`@cloudflare/vitest-pool-workers@0`.16.12