chore(deps): bump the npm-production group across 1 directory with 10 updates

[dependabot]

Bumps the npm-production group with 10 updates in the / directory:

Package	From	To
@fortawesome/react-fontawesome	3.3.0	3.3.1
@napi-rs/canvas	0.1.97	1.0.0
@supabase/supabase-js	2.101.1	2.105.4
@upstash/redis	1.37.0	1.38.0
@vercel/blob	2.3.2	2.3.3
axios	1.15.0	1.16.0
next	16.2.3	16.2.6
react	19.2.4	19.2.6
react-dom	19.2.4	19.2.6
react-tooltip	5.30.0	6.0.2

Updates @fortawesome/react-fontawesome from 3.3.0 to 3.3.1

Release notes

Sourced from @​fortawesome/react-fontawesome's releases.

v3.3.1

3.3.1 (2026-04-20)

Just a few dependency bumps to close off CVEs (not that our lib is really affected anyway).

Chores

• deps-dev: bump handlebars from 4.7.8 to 4.7.9 (f1d6d94)
• deps-dev: bump lodash-es from 4.17.23 to 4.18.1 (212496a)
• deps-dev: bump picomatch from 2.3.1 to 2.3.2 (557ceaf)
• deps: bump lodash from 4.17.23 to 4.18.1 (2d06890)
• deps: node 22.22.2, bump all dev dependencies (99ba500)

Changelog

Sourced from @​fortawesome/react-fontawesome's changelog.

3.3.1 (2026-04-20)

Chores

• deps-dev: bump handlebars from 4.7.8 to 4.7.9 (f1d6d94)
• deps-dev: bump lodash-es from 4.17.23 to 4.18.1 (212496a)
• deps-dev: bump picomatch from 2.3.1 to 2.3.2 (557ceaf)
• deps: bump lodash from 4.17.23 to 4.18.1 (2d06890)
• deps: node 22.22.2, bump all dev dependencies (99ba500)

Commits

• 75b30aa chore(release): 3.3.1 [skip ci]
• 99ba500 chore(deps): node 22.22.2, bump all dev dependencies
• 31a2676 Merge pull request #639 from FortAwesome/dependabot/npm_and_yarn/lodash-4.18.1
• 2d06890 chore(deps): bump lodash from 4.17.23 to 4.18.1
• 741a193 Merge pull request #638 from FortAwesome/dependabot/npm_and_yarn/lodash-es-4....
• 212496a chore(deps-dev): bump lodash-es from 4.17.23 to 4.18.1
• 8deeceb Merge pull request #636 from FortAwesome/dependabot/npm_and_yarn/handlebars-4...
• 5df5ade Merge pull request #635 from FortAwesome/dependabot/npm_and_yarn/picomatch-2.3.2
• f1d6d94 chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9
• 557ceaf chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2
• See full diff in compare view

Updates @napi-rs/canvas from 0.1.97 to 1.0.0

Release notes

Sourced from @​napi-rs/canvas's releases.

v1.0.0

What's Changed

We have achieved ~11m/week downloads, and the API is stable, so we have decided to release version 1.0 at this time. There are no breaking changes; it's safe for everyone to upgrade.

Full Changelog: Brooooooklyn/canvas@v0.1.100...v1.0.0

v0.1.100

What's Changed

• chore(deps): update debian docker tag to bullseye-20260421 by @​renovate[bot] in Brooooooklyn/canvas#1254
• chore(deps): update dependency oxlint-tsgolint to ^0.22.0 by @​renovate[bot] in Brooooooklyn/canvas#1256
• fix(image): loadImage settles on invalid input by @​Brooooooklyn in Brooooooklyn/canvas#1257

Full Changelog: Brooooooklyn/canvas@v0.1.99...v0.1.100

v0.1.99

What's Changed

• chore(deps): update yarn to v4.14.0 by @​renovate[bot] in Brooooooklyn/canvas#1249
• chore(deps): update yarn to v4.14.1 by @​renovate[bot] in Brooooooklyn/canvas#1251
• fix: drawImage gray halo on transparent PNG edges with imageSmoothingEnabled by @​Brooooooklyn in Brooooooklyn/canvas#1252
• Allow canvas package postinstall script for benchmark CI by @​Claude in Brooooooklyn/canvas#1253

New Contributors

• @​Claude made their first contribution in Brooooooklyn/canvas#1253

Full Changelog: Brooooooklyn/canvas@v0.1.98...v0.1.99

v0.1.98

What's Changed

• chore(deps): update cssparser to 0.37 and cssparser-color to 0.5 by @​Copilot in Brooooooklyn/canvas#1230
• chore(deps): update dependency canvaskit-wasm to ^0.41.0 by @​renovate[bot] in Brooooooklyn/canvas#1231
• chore(deps): update yarn to v4.13.0 by @​renovate[bot] in Brooooooklyn/canvas#1233
• chore(deps): update nick-fields/retry action to v4 by @​renovate[bot] in Brooooooklyn/canvas#1235
• chore(deps): update dependency typescript to v6 by @​renovate[bot] in Brooooooklyn/canvas#1236
• chore(deps): update debian docker tag to bullseye-20260316 by @​renovate[bot] in Brooooooklyn/canvas#1237
• chore(deps): update dependency oxlint-tsgolint to ^0.18.0 by @​renovate[bot] in Brooooooklyn/canvas#1238
• chore(deps): update dependency oxlint-tsgolint to ^0.19.0 by @​renovate[bot] in Brooooooklyn/canvas#1239
• chore(deps): lock file maintenance by @​renovate[bot] in Brooooooklyn/canvas#1240
• chore(deps): update dependency @​oxc-node/core to ^0.1.0 by @​renovate[bot] in Brooooooklyn/canvas#1242
• chore(deps): update dependency @​oxc-node/cli to ^0.1.0 by @​renovate[bot] in Brooooooklyn/canvas#1241
• chore(deps): update dependency oxlint-tsgolint to ^0.20.0 by @​renovate[bot] in Brooooooklyn/canvas#1243
• chore(deps): update debian docker tag to bullseye-20260406 by @​renovate[bot] in Brooooooklyn/canvas#1244
• chore(deps): update softprops/action-gh-release action to v3 by @​renovate[bot] in Brooooooklyn/canvas#1245
• chore(deps): update dependency oxlint-tsgolint to ^0.21.0 by @​renovate[bot] in Brooooooklyn/canvas#1247
• chore: upgrade Rust to 1.94.1 by @​Brooooooklyn in Brooooooklyn/canvas#1246
• feat: chrome m148 by @​Brooooooklyn in Brooooooklyn/canvas#1248

Full Changelog: Brooooooklyn/canvas@v0.1.97...v0.1.98

Changelog

Sourced from @​napi-rs/canvas's changelog.

1.0.0 (2026-05-04)

0.1.100 (2026-04-26)

Bug Fixes

• loadImage settles on invalid input (#1257) (bed5c31)

0.1.99 (2026-04-18)

Bug Fixes

• drawImage gray halo on transparent PNG edges with imageSmoothingEnabled (#1252) (a748f3f)

0.1.98 (2026-04-15)

Features

• chrome m148 (#1248) (9b96c19)

Commits

• bf18e8a 1.0.0
• d1d1ad5 chore: update rust (#1260)
• d0a7886 chore(deps): update dependency ava to v8 (#1259)
• db33789 0.1.100
• bed5c31 fix: loadImage settles on invalid input (#1257)
• 45fda8f chore(deps): update dependency oxlint-tsgolint to ^0.22.0 (#1256)
• a4c3f9d chore(deps): update debian docker tag to bullseye-20260421 (#1254)
• 0372a4a 0.1.99
• adc6e17 ci: allow canvas package postinstall script for benchmark CI (#1253)
• a748f3f fix: drawImage gray halo on transparent PNG edges with imageSmoothingEnabled ...
• Additional commits viewable in compare view

Updates @supabase/supabase-js from 2.101.1 to 2.105.4

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.105.4

2.105.4 (2026-05-08)

🩹 Fixes

• auth: return null from getItemAsync on JSON parse failure (#2336)
• postgrest: restore non-Error abort detection in fetch catch (#2335)
• realtime: guard sessionStorage access in restricted-storage browsers (#2339)

v2.105.4-canary.2

2.105.4-canary.2 (2026-05-08)

This was a version bump only, there were no code changes.

v2.105.4-canary.1

2.105.4-canary.1 (2026-05-08)

🩹 Fixes

• realtime: guard sessionStorage access in restricted-storage browsers (#2339)

v2.105.4-canary.0

2.105.4-canary.0 (2026-05-08)

🩹 Fixes

• auth: return null from getItemAsync on JSON parse failure (#2336)
• postgrest: restore non-Error abort detection in fetch catch (#2335)

v2.105.3

2.105.3 (2026-05-04)

🩹 Fixes

• auth: narrow OAuth/CustomProvider types to fix downstream consumer typecheck (#2326)

v2.105.2

2.105.2 (2026-05-04)

🩹 Fixes

• auth: forward lockAcquireTimeout to SupabaseAuthClient (#2309)
• auth: add toJSON to WebAuthnError for correct JSON serialization (#2317)
• misc: widen enum-like unions with (string & {}) for forward compat (#2303)
• misc: reduce any usage across packages (#2314)
• postgrest: unify insert/upsert signatures (#2315)

❤️ Thank You

• Muzzaiyyan Hussain @​MuzzaiyyanHussain

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.105.1 (2026-04-28)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.105.0 (2026-04-27)

🚀 Features

• auth: add passkey support with WebAuthn registration, authentication, and management (#2283)
• realtime: Realtime deferred disconnect (#2282)

2.104.1 (2026-04-23)

🩹 Fixes

• supabase: propagate custom fetch to realtime client (#2267)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.104.0 (2026-04-20)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.3 (2026-04-16)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.2 (2026-04-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.1 (2026-04-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.0 (2026-04-09)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.102.1 (2026-04-07)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.102.0 (2026-04-07)

🚀 Features

• supabase: export PostgrestFilterBuilder and StorageApiError from supabase-js (#2222)

... (truncated)

Commits

• db53b0f chore(release): version 2.105.2 changelogs (#2323)
• 5223888 [patchback] docs(repo): @​category and @​subcategory tags across all packages (...
• 0412d0d fix(auth): forward lockAcquireTimeout to SupabaseAuthClient (#2309)
• 42c9cbb [patchback] fix(misc): widen enum-like unions with (string & {}) for forward ...
• 7e1773c chore(release): version 2.105.1 changelogs (#2302)
• ca8c418 chore(release): version 2.105.0 changelogs (#2290)
• d19e6d3 [patchback] docs(misc): rename anon key → publishable key and service role ke...
• c420456 [patchback] feat(auth): add passkey support with WebAuthn registration, authe...
• bfb18bc [patchback] feat(realtime): Realtime deferred disconnect (#2282)
• ed49eed chore(release): version 2.104.1 changelogs (#2273)
• Additional commits viewable in compare view

Updates @upstash/redis from 1.37.0 to 1.38.0

Release notes

Sourced from @​upstash/redis's releases.

@​upstash/redis@​1.38.0

Minor Changes

• c71f581: Separate read/write commands into separate pipelines in auto pipeline. As a result, mixed read/write Promise.all batches may now be split across multiple pipeline HTTP requests instead of a single request, and read-after-write ordering may no longer be preserved within those mixed batches.

@upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

What's Changed

• DX-2506: add redis search into skills by @​CahidArda in upstash/redis-js#1427
• fix: rename redis search analytics demo by @​CahidArda in upstash/redis-js#1428
• DX-2555: add supply chain security settings by @​CahidArda in upstash/redis-js#1429
• fix: add version sync to ci by @​alitariksahin in upstash/redis-js#1430

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.37.0...@​upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

Commits

• 7607549 chore: version packages (#1433)
• c71f581 DX-2577: Seperate read/write commands into seperate pipelines in auto pipelin...
• e3a23ab fix: add version sync to ci (#1430)
• 12e9a9e DX-2555: add supply chain security settings (#1429)
• f59fa75 fix: docs link
• c88b8e5 fix: rename redis search analytics demo (#1428)
• 5d8abc1 feat: add redis search into skills (#1427)
• See full diff in compare view

Updates @vercel/blob from 2.3.2 to 2.3.3

Release notes

Sourced from @​vercel/blob's releases.

@​vercel/blob@​2.3.3

Patch Changes

• d2ea7cf: Enforce maximumSizeInBytes client-side for multipart uploads. Bodies with a known size (Blob, File, Buffer) are now checked before the upload starts, avoiding wasted API calls.
• 949e994: Fix multipart upload hanging forever on empty streams, and fix createChunkTransformStream bypassing backpressure by removing incorrect queueMicrotask wrapping.

Changelog

Sourced from @​vercel/blob's changelog.

2.3.3

Patch Changes

• d2ea7cf: Enforce maximumSizeInBytes client-side for multipart uploads. Bodies with a known size (Blob, File, Buffer) are now checked before the upload starts, avoiding wasted API calls.
• 949e994: Fix multipart upload hanging forever on empty streams, and fix createChunkTransformStream bypassing backpressure by removing incorrect queueMicrotask wrapping.

Commits

• 690b293 Version Packages (#1038)
• 949e994 fix(blob): resolve multipart deadlock on empty streams, fix TransformStream b...
• d2ea7cf fix(blob): enforce maximumSizeInBytes client-side for multipart uploads (#1036)
• 7f34f12 chore(deps): update dependency ts-jest to v29.4.9 (#1035)
• See full diff in compare view

Updates axios from 1.15.0 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Commits

• df53d7d chore(release): prepare release 1.16.0 (#10834)
• 9d92bcd fix: gadgets and smaller issues (#10833)
• 5107ee6 fix: prevent undefined error codes in settle (#7276)
• e573499 fix(fetch): defer global access in fetch adapter (#7260)
• ad68e1a fix(http): honor timeout during connect without redirects (#10819)
• 2a51828 fix(http): decode URL basic auth credentials (#10825)
• 0e8b6bb fix(http): preserve user-supplied Host header when forwarding through a proxy...
• 79f39e1 docs: document paramsSerializer.encode for strict RFC 3986 query encoding (#1...
• 0fe3a5f [Docs/Types] Update parseReviver TypeScript definitions for ES2023 and add ...
• cd6737f chore: matches the sibling responseStream.on(aborted) handler and added tests...
• Additional commits viewable in compare view

Updates next from 16.2.3 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch ver...

  Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
trailhead-banner	Ready	Preview, Comment	May 10, 2026 8:15am

[github-actions]

✅ Banner Preview

Commit 0dcff85 · Workflow run · 6/6 generated

Username	Status	1st call	2nd call (cached)	Cache hits	Warnings
nabondance	✅ OK	1080ms	489ms	6/6	✅ 0
anna	✅ OK	617ms	493ms	6/6	✅ 0
stevemo	✅ OK	333ms	328ms	5/5	✅ 0
gauravkheterpal	✅ OK	1389ms	582ms	6/6	✅ 0
babup	✅ OK	463ms	479ms	5/5	✅ 0
mrousseaux	✅ OK	502ms	452ms	7/7	✅ 0

---

nabondance

---

anna

---

stevemo

---

gauravkheterpal

---

babup

---

mrousseaux

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	7		0	0	0.51s
✅ CSS	stylelint	1		0	0	1.8s
✅ JAVASCRIPT	prettier	83		0	0	3.18s
✅ JSON	npm-package-json-lint	yes		no	no	0.58s
✅ JSON	prettier	13		0	0	0.59s
✅ JSON	v8r	13		0	0	12.94s
✅ MARKDOWN	markdownlint	14		0	0	0.88s
✅ REPOSITORY	gitleaks	yes		no	no	0.69s
❌ REPOSITORY	grype	yes		4	no	44.22s
✅ REPOSITORY	syft	yes		no	no	5.59s
✅ YAML	prettier	16		0	0	0.94s
✅ YAML	v8r	16		0	0	10.61s
✅ YAML	yamllint	16		0	0	1.33s

Detailed Issues

❌ REPOSITORY / grype - 4 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME      INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS          RISK   
fast-uri  3.1.0      3.1.1     npm   GHSA-q3j6-qgpj-74h6  High      < 0.1% (8th)  < 0.1  
fast-uri  3.1.0      3.1.2     npm   GHSA-v39h-62p7-jpjc  High      < 0.1% (8th)  < 0.1  
postcss   8.4.31     8.5.10    npm   GHSA-qx2v-qp2m-jg93  Medium    < 0.1% (9th)  < 0.1  
postcss   8.5.8      8.5.10    npm   GHSA-qx2v-qp2m-jg93  Medium    < 0.1% (9th)  < 0.1
[0044] ERROR discovered vulnerabilities at or above the severity threshold

See detailed reports in MegaLinter artifacts

Show us your support by starring ⭐ the repository