Skip to content

build(deps): bump the production-dependencies group across 1 directory with 32 updates#979

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-90d9c71372
Open

build(deps): bump the production-dependencies group across 1 directory with 32 updates#979
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-90d9c71372

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps the production-dependencies group with 32 updates in the / directory:

Package From To
@blockaid/client 1.4.0 1.5.0
@noble/hashes 1.8.0 2.2.0
@stellar/stellar-sdk 13.3.0 16.0.1
date-fns 4.3.0 4.4.0
i18next 24.2.3 26.3.6
lucide-react 0.344.0 1.25.0
react 18.3.1 19.2.7
react-dom 18.3.1 19.2.7
react-error-boundary 4.1.2 6.1.2
react-i18next 15.7.4 17.0.10
react-router-dom 6.30.3 7.18.1
zustand 5.0.13 5.0.14
react-native 0.76.9 0.86.0
react-native-screens 4.25.2 4.26.2
stream-browserify 1.0.0 3.0.0
readable-stream 1.0.33 4.7.0
@reown/walletkit 1.5.5 1.5.6
@walletconnect/types 2.23.9 2.23.10
@walletconnect/utils 2.23.9 2.23.10
zod 3.25.76 4.4.3
@ledgerhq/hw-transport-webhid 6.35.4 6.36.0
@ledgerhq/hw-app-str 7.7.4 7.7.6
@noble/ed25519 2.3.0 3.1.0
ed25519-hd-key 1.3.0 2.0.0
@hookform/resolvers 3.10.0 5.4.0
@radix-ui/react-slot 1.2.4 1.3.0
react-hook-form 7.76.1 7.81.0
react-icons 5.6.0 5.7.0
tailwind-merge 2.6.1 3.6.0
express 4.22.2 5.2.1
@opentelemetry/sdk-node 0.219.0 0.220.0
express-rate-limit 7.5.1 8.6.0

Updates @blockaid/client from 1.4.0 to 1.5.0

Release notes

Sourced from @​blockaid/client's releases.

v1.5.0

1.5.0 (2026-07-11)

Full Changelog: v1.4.0...v1.5.0

Features

Bug Fixes

  • ci: bump @​arethetypeswrong/cli to ^0.18.0 and run CI workflows on Node 24 (400d428)

Chores

  • internal: codegen related update (78b52a5)
Changelog

Sourced from @​blockaid/client's changelog.

1.5.0 (2026-07-11)

Full Changelog: v1.4.0...v1.5.0

Features

Bug Fixes

  • ci: bump @​arethetypeswrong/cli to ^0.18.0 and run CI workflows on Node 24 (400d428)

Chores

  • internal: codegen related update (78b52a5)
Commits
  • b148dd4 Merge pull request #488 from blockaid-official/release-please--branches--main...
  • b121cba release: 1.5.0
  • 400d428 fix(ci): bump @​arethetypeswrong/cli to ^0.18.0 and run CI workflows on Node 24
  • 78b52a5 chore(internal): codegen related update
  • 3c30c7b feat(api): api update
  • cd879d5 codegen metadata
  • 09a39cf codegen metadata
  • 74969f4 feat(api): api update
  • 277e134 codegen metadata
  • f4adbd0 codegen metadata
  • Additional commits viewable in compare view

Updates @noble/hashes from 1.8.0 to 2.2.0

Release notes

Sourced from @​noble/hashes's releases.

2.2.0

  • March 2026 self-audit (all files): no major issues found
    • Audited for spec compliance and security
    • Fix: dkLen=0 handling in pbkdf2, blake2, turboshake, kt
    • Fix: parallelHash with blockLen=0
    • Fix: argon2 progress callback now reaches 100%
    • Improve: digestInto no longer returns a value (better performance)
    • Improve: argon2, blake2 support non-4-divisible dkLen
  • Fix all Byte Array types, to ensure proper work in both TypeScript 5.6 & TypeScript 5.9+
    • TS 5.6 has Uint8Array, while TS 5.9+ made it generic Uint8Array<ArrayBuffer>
    • This creates incompatibility of code between versions
    • Previously, it was hard to use and constantly emitted errors similar to TS2345
    • See typescript#62240 for more context
  • sha3: speed-up by up to 50%. Contributed by @​ChALkeR in paulmillr/noble-hashes#126
  • Fix compilation issues on TypeScript v6
  • Make package Big Endian friendly. All tests pass on s390x
  • Improve tree-shaking, reduce bundle sizes
  • Add massive amounts of documentation everywhere

(We're skipping v2.1, to align with other noble packages)

Full Changelog: paulmillr/noble-hashes@2.0.1...2.2.0

2.0.1

  • .js extension must be used for all modules
    • Old: @noble/hashes/sha3
    • New: @noble/hashes/sha3.js
    • This simplifies working in browsers natively without transpilers
    • This was planned for 2.0.0, but was accidentally left out
  • package.json: specify exported submodules to ensure typescript autocompletion
  • scrypt: Fix error message for maxmem check by @​ChALkeR in paulmillr/noble-hashes#121
  • scrypt: 4% speed-up by @​ChALkeR in paulmillr/noble-hashes#122

Full Changelog: paulmillr/noble-hashes@2.0.0...2.0.1

2.0.0

High-level

  • The package is now ESM-only. ESM can finally be loaded from common.js on node v20.19+
    • Node v20.19 is now the minimum required version
    • Package imports now work correctly in bundler-less environments, such as browsers
    • Reduces npm package size (traffic consumed): 152KB => 136KB
    • Reduces unpacked npm size (on-disk space): 1.1MB => 669KB
  • Make bundle sizes smaller, compared to v1.x
  • .js extension must be used for all modules
    • Old: @noble/hashes/sha3
    • New: @noble/hashes/sha3.js
    • This simplifies working in browsers natively without transpilers

Changes

... (truncated)

Commits
  • 81983c2 Release 2.2.0.
  • 8883d32 Minor syntax fixes
  • e5fedba Run prettier format on tests
  • 72e2083 Changes related to March 2026 audit (new tests)
  • fd9f580 Changes related to March 2026 audit (typed arrays)
  • 9a216b5 Changes related to March 2026 audit
  • 85e35d5 Clarify sha3.
  • cc8ea40 Merge pull request #126 from ChALkeR/chalker/unroll/sha3/0/chi
  • 46c3129 Bump typescript to 6.0.2
  • ca90465 Bump devdeps.
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​noble/hashes since your current version.


Updates @stellar/stellar-sdk from 13.3.0 to 16.0.1

Release notes

Sourced from @​stellar/stellar-sdk's releases.

v16.0.1

v16.0.1

Fixed

  • Fixed the ESM library build so the inlined @stellar/js-xdr source resolves correctly under Yarn PnP (and Node's native ESM resolver). Because the build preserves modules, Rollup emits js-xdr's source into a nested package scope, but js-xdr does not declare type: "module", so Node and Yarn PnP parsed those preserved files as CommonJS and failed to resolve them. Rollup now marks the emitted js-xdr package as type: "module" so its source is parsed as ESM #1484.

Full Changelog: stellar/js-stellar-sdk@v16.0.0...v16.0.1

v16.0.0

v16.0.0

Migration guide

There are a few major updates in this release:

  • JS Stellar Base (@stellar/stellar-base) was rewritten in TypeScript, which provides proper type definitions and fixes inconsistencies caused by manual type declarations. (#1399)
  • JS Stellar Base is now merged into the JS Stellar SDK. Everything lives in one place now. (#1399)
  • The JS SDK now has better tree-shaking, which should result in a lighter bundle size. (#1397)
  • Protocol 27 support: the XDR was regenerated for CAP-71, and the Soroban authorization helpers can build and sign the new address-bound (SOROBAN_CREDENTIALS_ADDRESS_V2) and delegated (SOROBAN_CREDENTIALS_ADDRESS_WITH_DELEGATES) credential types. The legacy SOROBAN_CREDENTIALS_ADDRESS (V1) credential remains the default; ADDRESS_V2 is opt-in (see below), as it is only valid on networks that have activated CAP-71. (#1429, #1450)

1. Breaking Changes

These break code, builds, or installs until you change something.

Install & runtime

  • Drop @stellar/stellar-base from your dependencies if you were importing it manually. It is now bundled into @stellar/stellar-sdk. Remove the package and switch all imports from @stellar/stellar-base to @stellar/stellar-sdk. (#1399)
  • Upgrade to Node 22 or later. engines.node is now >=22.0.0; CI tests against [22, 24]. (#1408)

... (truncated)

Changelog

Sourced from @​stellar/stellar-sdk's changelog.

v16.0.1

Fixed

  • Fixed the ESM library build so the inlined @stellar/js-xdr source resolves correctly under Yarn PnP (and Node's native ESM resolver). Because the build preserves modules, Rollup emits js-xdr's source into a nested package scope, but js-xdr does not declare type: "module", so Node and Yarn PnP parsed those preserved files as CommonJS and failed to resolve them. Rollup now marks the emitted js-xdr package as type: "module" so its source is parsed as ESM #1484.

v16.0.0

There are a few major updates in this release:

  • JS Stellar Base (@stellar/stellar-base) was rewritten in TypeScript, which provides proper type definitions and fixes inconsistencies caused by manual type declarations. (#1399)
  • JS Stellar Base is now merged into the JS Stellar SDK. Everything lives in one place now. (#1399)
  • The JS SDK now has better tree-shaking, which should result in a lighter bundle size. (#1397)
  • Protocol 27 support: the XDR was regenerated for CAP-71, and the Soroban authorization helpers can build and sign the new address-bound (SOROBAN_CREDENTIALS_ADDRESS_V2) and delegated (SOROBAN_CREDENTIALS_ADDRESS_WITH_DELEGATES) credential types. The legacy SOROBAN_CREDENTIALS_ADDRESS (V1) credential remains the default; ADDRESS_V2 is opt-in (see below), as it is only valid on networks that have activated CAP-71. (#1429, #1450)

1. Breaking Changes

These break code, builds, or installs until you change something.

Install & runtime

  • Drop @stellar/stellar-base from your dependencies if you were importing it manually. It is now bundled into @stellar/stellar-sdk. Remove the package and switch all imports from @stellar/stellar-base to @stellar/stellar-sdk. (#1399)
  • Upgrade to Node 22 or later. engines.node is now >=22.0.0; CI tests against [22, 24]. (#1408)
  • Stop using the default import. import StellarBase from '@stellar/stellar-sdk' no longer works. Use import * as StellarBase or named imports. (#1396)
  • Adjust deep lib/ imports. Library output paths moved:
    • ESM at lib/esm/,
    • CJS at lib/cjs/,
    • axios variants at lib/axios/esm/ and lib/axios/cjs/,
    • type declarations alongside the ESM output at lib/esm/ (e.g.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​stellar/stellar-sdk since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates date-fns from 4.3.0 to 4.4.0

Release notes

Sourced from date-fns's releases.

v4.4.0

This release revisits the approach to CDN usage and introduces a new package, @date-fns/cdn and deprecates the date-fns CDN scripts. It allowed reducing the zipped package size from 5.83 MB down to 3.96 MB without introducing any breaking changes.

In v5.0.0-alpha.0 where CDN scripts are completely removed from date-fns the change is more significant and brings the zipped package size down to 2.89 MB.

It is just the first step in optimizing the package size. Expect further size reduction in the future v4 and v5 versions.

Changed

  • DEPRECATED: The date-fns CDN scripts are now deprecated and will be removed in the next major release. Please switch to the new @date-fns/cdn package for CDN usage.

  • Removed CDN source maps to reduce the package size. If you rely on them, please switch to the new @date-fns/cdn package that still includes them.

Commits
  • cd53d25 Promote to v4.4.0
  • d948ec1 Preserve but deprecate CDN versions for v4, set up v5 with polyfills
  • ee65753 Add root mise :format task
  • 9f5bdf5 Add positional argument to test/smoke.sh script
  • 651ead6 Split CDN bundles into separate @​date-fns/cdn package
  • 224c1a2 Deprecate type tests as attw hangs on date-fns package
  • 7bb2842 Switch PACKAGE_OUTPUT_PATH to --dist flag in the package build script
  • b6ad5ac Add flags to control package build script
  • 424a783 Fix docs release after moving to monorepo setup
  • See full diff in compare view

Updates i18next from 24.2.3 to 26.3.6

Release notes

Sourced from i18next's releases.

v26.3.6

  • fix: allow TypeScript 7 in the optional typescript peer dependency range (^5 || ^6 || ^7). With typescript@7.0.2 in a project, npm install failed with an ERESOLVE peer conflict. The published types are TS7-compatible as-is: every test/typescript suite produces identical results under 6.0 and 7.0.2. Reported in react-i18next#1927, thanks @​andikapradanaarif.

v26.3.5

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#2442).

v26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). Thanks to zx (Jace) for the responsible disclosure.

v26.3.3

  • fix(types): selector t($ => $.arr, { returnObjects: true, context }) on a JSON array of heterogeneous objects now preserves each element's full shape (e.g. { transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1) FilterKeys evaluated the whole array element type at once, so keyof (A | B) only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optional undefined keys (e.g. transKey1_withContext?: undefined on elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed as undefined. Also adds a dedicated context + returnObjects: true selector overload using const Fn + ReturnType<Fn>, so Target is no longer collapsed to unknown via ApplyTarget. Resolves Problem 1 of #2398 (Problem 2 was already fixed on master). Thanks @​sauravgupta-dotcom (#2438). Fixes #2398.

v26.3.2

  • fix: chained formatters with a parenthesised option that contains the format separator (e.g. join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repaired formats[0], so {{v, uppercase, join(separator: ', ')}} split the join(...) option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @​spokodev (#2437).

v26.3.1

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#2436).

v26.3.0

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.

v26.2.0

  • feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
  • fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

v26.1.0

  • feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

v26.0.10

  • feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

  • fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

v26.0.8

  • fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

  • fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
  • chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
  • chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

  • security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
  • security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
  • security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)

... (truncated)

Changelog

Sourced from i18next's changelog.

26.3.6

  • fix: allow TypeScript 7 in the optional typescript peer dependency range (^5 || ^6 || ^7). With typescript@7.0.2 in a project, npm install failed with an ERESOLVE peer conflict. The published types are TS7-compatible as-is: every test/typescript suite produces identical results under 6.0 and 7.0.2. Reported in react-i18next#1927, thanks @​andikapradanaarif.

26.3.5

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#2442).

26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). See advisory GHSA-6jcc-5g8w-32mx, CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H). Thanks to zx (Jace) @​manus-use for the responsible disclosure.

26.3.3

  • fix(types): selector t($ => $.arr, { returnObjects: true, context }) on a JSON array of heterogeneous objects now preserves each element's full shape (e.g. { transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1) FilterKeys evaluated the whole array element type at once, so keyof (A | B) only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optional undefined keys (e.g. transKey1_withContext?: undefined on elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed as undefined. Also adds a dedicated context + returnObjects: true selector overload using const Fn + ReturnType<Fn>, so Target is no longer collapsed to unknown via ApplyTarget. Resolves Problem 1 of #2398 (Problem 2 was already fixed on master). Thanks @​sauravgupta-dotcom (#2438). Fixes #2398.

26.3.2

  • fix: chained formatters with a parenthesised option that contains the format separator (e.g. join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repaired formats[0], so {{v, uppercase, join(separator: ', ')}} split the join(...) option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @​spokodev (#2437).

26.3.1

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#2436).

26.3.0

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.

26.2.0

  • feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
  • fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

26.1.0

  • feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

26.0.10

  • feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

26.0.9

  • fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

26.0.8

  • fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

... (truncated)

Commits
  • e1c60d4 26.3.6
  • 04da43e fix: allow typescript 7 in optional peerDependencies range (react-i18next#1927)
  • 8eed4ac build
  • 573ae73 26.3.5
  • cc54b05 docs(changelog): 26.3.5 — multiline $t() options, replace mutation, escaped-l...
  • 3180d67 fix: skip interpolation of placeholders inside escaped values (#2442)
  • d16f5a2 fix: stop mutating the passed replace object when returning details (#2441)
  • bed56c1 fix: parse $t() nesting options block that spans multiple lines (#2440)
  • c19e458 docs(changelog): link GHSA advisory for deepExtend fix
  • 7bb87d0 docs(changelog): reference security advisory for deepExtend fix
  • Additional commits viewable in compare view...

    Description has been truncated

@dependabot @github

dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

…y with 32 updates

Bumps the production-dependencies group with 32 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@blockaid/client](https://github.com/blockaid-official/blockaid-client-node) | `1.4.0` | `1.5.0` |
| [@noble/hashes](https://github.com/paulmillr/noble-hashes) | `1.8.0` | `2.2.0` |
| [@stellar/stellar-sdk](https://github.com/stellar/js-stellar-sdk) | `13.3.0` | `16.0.1` |
| [date-fns](https://github.com/date-fns/date-fns) | `4.3.0` | `4.4.0` |
| [i18next](https://github.com/i18next/i18next) | `24.2.3` | `26.3.6` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `0.344.0` | `1.25.0` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `18.3.1` | `19.2.7` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `18.3.1` | `19.2.7` |
| [react-error-boundary](https://github.com/bvaughn/react-error-boundary) | `4.1.2` | `6.1.2` |
| [react-i18next](https://github.com/i18next/react-i18next) | `15.7.4` | `17.0.10` |
| [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `6.30.3` | `7.18.1` |
| [zustand](https://github.com/pmndrs/zustand) | `5.0.13` | `5.0.14` |
| [react-native](https://github.com/facebook/react-native/tree/HEAD/packages/react-native) | `0.76.9` | `0.86.0` |
| [react-native-screens](https://github.com/software-mansion/react-native-screens) | `4.25.2` | `4.26.2` |
| [stream-browserify](https://github.com/browserify/stream-browserify) | `1.0.0` | `3.0.0` |
| [readable-stream](https://github.com/nodejs/readable-stream) | `1.0.33` | `4.7.0` |
| [@reown/walletkit](https://github.com/reown-com/reown-walletkit-js/tree/HEAD/packages/walletkit) | `1.5.5` | `1.5.6` |
| [@walletconnect/types](https://github.com/WalletConnect/walletconnect-monorepo/tree/HEAD/packages/types) | `2.23.9` | `2.23.10` |
| [@walletconnect/utils](https://github.com/WalletConnect/walletconnect-monorepo/tree/HEAD/packages/utils) | `2.23.9` | `2.23.10` |
| [zod](https://github.com/colinhacks/zod) | `3.25.76` | `4.4.3` |
| [@ledgerhq/hw-transport-webhid](https://github.com/LedgerHQ/ledger-live) | `6.35.4` | `6.36.0` |
| [@ledgerhq/hw-app-str](https://github.com/LedgerHQ/ledger-live) | `7.7.4` | `7.7.6` |
| [@noble/ed25519](https://github.com/paulmillr/noble-ed25519) | `2.3.0` | `3.1.0` |
| [ed25519-hd-key](https://github.com/alepop/ed25519-hd-key) | `1.3.0` | `2.0.0` |
| [@hookform/resolvers](https://github.com/react-hook-form/resolvers) | `3.10.0` | `5.4.0` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slot) | `1.2.4` | `1.3.0` |
| [react-hook-form](https://github.com/react-hook-form/react-hook-form) | `7.76.1` | `7.81.0` |
| [react-icons](https://github.com/react-icons/react-icons) | `5.6.0` | `5.7.0` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `2.6.1` | `3.6.0` |
| [express](https://github.com/expressjs/express) | `4.22.2` | `5.2.1` |
| [@opentelemetry/sdk-node](https://github.com/open-telemetry/opentelemetry-js) | `0.219.0` | `0.220.0` |
| [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `7.5.1` | `8.6.0` |



Updates `@blockaid/client` from 1.4.0 to 1.5.0
- [Release notes](https://github.com/blockaid-official/blockaid-client-node/releases)
- [Changelog](https://github.com/blockaid-official/blockaid-client-node/blob/main/CHANGELOG.md)
- [Commits](blockaid-official/blockaid-client-node@v1.4.0...v1.5.0)

Updates `@noble/hashes` from 1.8.0 to 2.2.0
- [Release notes](https://github.com/paulmillr/noble-hashes/releases)
- [Commits](paulmillr/noble-hashes@1.8.0...2.2.0)

Updates `@stellar/stellar-sdk` from 13.3.0 to 16.0.1
- [Release notes](https://github.com/stellar/js-stellar-sdk/releases)
- [Changelog](https://github.com/stellar/js-stellar-sdk/blob/main/CHANGELOG.md)
- [Commits](stellar/js-stellar-sdk@v13.3.0...v16.0.1)

Updates `date-fns` from 4.3.0 to 4.4.0
- [Release notes](https://github.com/date-fns/date-fns/releases)
- [Commits](date-fns/date-fns@v4.3.0...v4.4.0)

Updates `i18next` from 24.2.3 to 26.3.6
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v24.2.3...v26.3.6)

Updates `lucide-react` from 0.344.0 to 1.25.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.25.0/packages/lucide-react)

Updates `react` from 18.3.1 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `react-dom` from 18.3.1 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `react-error-boundary` from 4.1.2 to 6.1.2
- [Release notes](https://github.com/bvaughn/react-error-boundary/releases)
- [Commits](bvaughn/react-error-boundary@4.1.2...6.1.2)

Updates `react-i18next` from 15.7.4 to 17.0.10
- [Changelog](https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/react-i18next@v15.7.4...v17.0.10)

Updates `react-router-dom` from 6.30.3 to 7.18.1
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/react-router-dom@7.18.1/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.18.1/packages/react-router-dom)

Updates `zustand` from 5.0.13 to 5.0.14
- [Release notes](https://github.com/pmndrs/zustand/releases)
- [Commits](pmndrs/zustand@v5.0.13...v5.0.14)

Updates `react-native` from 0.76.9 to 0.86.0
- [Release notes](https://github.com/facebook/react-native/releases)
- [Changelog](https://github.com/react/react-native/blob/main/CHANGELOG-0.7x.md)
- [Commits](https://github.com/facebook/react-native/commits/v0.86.0/packages/react-native)

Updates `react-native-screens` from 4.25.2 to 4.26.2
- [Release notes](https://github.com/software-mansion/react-native-screens/releases)
- [Commits](software-mansion/react-native-screens@4.25.2...4.26.2)

Updates `stream-browserify` from 1.0.0 to 3.0.0
- [Release notes](https://github.com/browserify/stream-browserify/releases)
- [Changelog](https://github.com/browserify/stream-browserify/blob/master/CHANGELOG.md)
- [Commits](browserify/stream-browserify@1.0.0...v3.0.0)

Updates `readable-stream` from 1.0.33 to 4.7.0
- [Release notes](https://github.com/nodejs/readable-stream/releases)
- [Commits](nodejs/readable-stream@v1.0.33...v4.7.0)

Updates `@reown/walletkit` from 1.5.5 to 1.5.6
- [Release notes](https://github.com/reown-com/reown-walletkit-js/releases)
- [Changelog](https://github.com/reown-com/reown-walletkit-js/blob/main/packages/walletkit/CHANGELOG.md)
- [Commits](https://github.com/reown-com/reown-walletkit-js/commits/@reown/walletkit@1.5.6/packages/walletkit)

Updates `@walletconnect/types` from 2.23.9 to 2.23.10
- [Release notes](https://github.com/WalletConnect/walletconnect-monorepo/releases)
- [Changelog](https://github.com/WalletConnect/walletconnect-monorepo/blob/v2.0/packages/types/CHANGELOG.md)
- [Commits](https://github.com/WalletConnect/walletconnect-monorepo/commits/@walletconnect/types@2.23.10/packages/types)

Updates `@walletconnect/utils` from 2.23.9 to 2.23.10
- [Release notes](https://github.com/WalletConnect/walletconnect-monorepo/releases)
- [Changelog](https://github.com/WalletConnect/walletconnect-monorepo/blob/v2.0/packages/utils/CHANGELOG.md)
- [Commits](https://github.com/WalletConnect/walletconnect-monorepo/commits/@walletconnect/utils@2.23.10/packages/utils)

Updates `zod` from 3.25.76 to 4.4.3
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v3.25.76...v4.4.3)

Updates `@ledgerhq/hw-transport-webhid` from 6.35.4 to 6.36.0
- [Release notes](https://github.com/LedgerHQ/ledger-live/releases)
- [Commits](https://github.com/LedgerHQ/ledger-live/compare/@ledgerhq/hw-transport-webhid@6.35.4...@ledgerhq/hw-transport-webhid@6.36.0)

Updates `@ledgerhq/hw-app-str` from 7.7.4 to 7.7.6
- [Release notes](https://github.com/LedgerHQ/ledger-live/releases)
- [Commits](https://github.com/LedgerHQ/ledger-live/commits)

Updates `@noble/ed25519` from 2.3.0 to 3.1.0
- [Release notes](https://github.com/paulmillr/noble-ed25519/releases)
- [Commits](paulmillr/noble-ed25519@2.3.0...3.1.0)

Updates `ed25519-hd-key` from 1.3.0 to 2.0.0
- [Commits](https://github.com/alepop/ed25519-hd-key/commits/v2.0.0)

Updates `@hookform/resolvers` from 3.10.0 to 5.4.0
- [Release notes](https://github.com/react-hook-form/resolvers/releases)
- [Commits](react-hook-form/resolvers@v3.10.0...v5.4.0)

Updates `@radix-ui/react-slot` from 1.2.4 to 1.3.0
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slot/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slot)

Updates `react-hook-form` from 7.76.1 to 7.81.0
- [Release notes](https://github.com/react-hook-form/react-hook-form/releases)
- [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md)
- [Commits](react-hook-form/react-hook-form@v7.76.1...v7.81.0)

Updates `react-icons` from 5.6.0 to 5.7.0
- [Release notes](https://github.com/react-icons/react-icons/releases)
- [Commits](react-icons/react-icons@v5.6.0...v5.7.0)

Updates `tailwind-merge` from 2.6.1 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v2.6.1...v3.6.0)

Updates `express` from 4.22.2 to 5.2.1
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@v4.22.2...v5.2.1)

Updates `@opentelemetry/sdk-node` from 0.219.0 to 0.220.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.219.0...experimental/v0.220.0)

Updates `express-rate-limit` from 7.5.1 to 8.6.0
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v7.5.1...v8.6.0)

---
updated-dependencies:
- dependency-name: "@blockaid/client"
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@hookform/resolvers"
  dependency-version: 5.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: "@ledgerhq/hw-app-str"
  dependency-version: 7.7.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@ledgerhq/hw-transport-webhid"
  dependency-version: 6.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@noble/ed25519"
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: "@noble/hashes"
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: "@opentelemetry/sdk-node"
  dependency-version: 0.220.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@reown/walletkit"
  dependency-version: 1.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@stellar/stellar-sdk"
  dependency-version: 16.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: "@walletconnect/types"
  dependency-version: 2.23.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@walletconnect/utils"
  dependency-version: 2.23.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: date-fns
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: ed25519-hd-key
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: express
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: express-rate-limit
  dependency-version: 8.6.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: i18next
  dependency-version: 26.3.6
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: lucide-react
  dependency-version: 1.25.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: react-error-boundary
  dependency-version: 6.1.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: react-hook-form
  dependency-version: 7.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: react-i18next
  dependency-version: 17.0.10
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: react-icons
  dependency-version: 5.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: react-native
  dependency-version: 0.86.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: react-native-screens
  dependency-version: 4.26.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: react-router-dom
  dependency-version: 7.18.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: readable-stream
  dependency-version: 4.7.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: stream-browserify
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: zod
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: zustand
  dependency-version: 5.0.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/production-dependencies-90d9c71372 branch from 136a0cb to c151b98 Compare July 17, 2026 15:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants