chore(deps): bump the production-dependencies group with 10 updates

[dependabot]

Bumps the production-dependencies group with 10 updates:

Package	From	To
@langchain/core	1.1.39	1.1.40
@langchain/openai	1.4.1	1.4.4
@sentry/nextjs	10.48.0	10.49.0
autoprefixer	10.4.27	10.5.0
inngest	4.2.1	4.2.4
langchain	1.3.1	1.3.3
next	16.2.3	16.2.4
next-auth	5.0.0-beta.30	5.0.0-beta.31
posthog-js	1.367.0	1.369.3
uuid	13.0.0	14.0.0

Updates @langchain/core from 1.1.39 to 1.1.40

Release notes

Sourced from @​langchain/core's releases.

@​langchain/core@​1.1.40

Patch Changes

• #10694 d3e0809 Thanks @​hntrl! - refactor(core): decouple tracer-only metadata defaults from runnable metadata
  • Add tracer-scoped inheritable metadata/tag options in callback manager while keeping backward-compatible aliases.
  • Move configurable-to-tracing metadata derivation into a tracer-only path and keep ensureConfig metadata mirroring limited to model.
  • Update LangChainTracer default metadata/tag handling and add regression tests for stream events metadata behavior.

Commits

• 0c79948 chore: version packages (#10699)
• c955df4 chore(ci): use pnpm and peerDeps for pkg.pr.new previews (#10702)
• 301b086 ci: add PR title lint workflow (#10703)
• 880e396 fix(redis): harden RediSearch filter query construction (#10701)
• 71e53f1 fix(langchain): Prevent local file corruption when using LocalFileStore (#...
• d3e0809 refactor(core): decouple tracer defaults from langsmith callback naming (#10694)
• c308903 feat: add MINIMAL thinking level for Gemini 3 Flash models (#10665)
• 6845a1e chore: version packages (#10690)
• 5a6e0ab fix(agents): derive middleware hook state from invocation state (#10693)
• 607696e chore(ci): add label-gated publish-preview workflow (#10696)
• Additional commits viewable in compare view

Updates @langchain/openai from 1.4.1 to 1.4.4

Release notes

Sourced from @​langchain/openai's releases.

@​langchain/openai@​1.4.4

Patch Changes

• #10681 2301260 Thanks @​hntrl! - fix(openai): add index to streaming reasoning content blocks for proper chunk merging

@​langchain/openai@​1.4.3

Patch Changes

• #10670 6b8ef6c Thanks @​christian-bromann! - fix(openai): preserve plain string responses content

@​langchain/openai@​1.4.2

Patch Changes

• #10614 d6bf4fc Thanks @​colifran! - feat(openai): imput placeholder filenames for openai file inputs

• Updated dependencies [d3d0922]:

  • @​langchain/core@​1.1.39

Commits

• e5b6e1c chore: version packages (#10682)
• 2301260 fix(openai): add index to streaming reasoning content blocks for proper chunk...
• 9a65edf chore: version packages (#10671)
• f069365 chore(langchain): bump langgraph (#10673)
• 6b8ef6c fix(openai): preserve plain string responses content (#10670)
• 80561a0 chore: remove community package, relocate providers (#10667)
• f09cb65 fix: patch 10 critical+high security alerts (#10557)
• 47cc3ec fix: patch 16 security alerts (all severities) (#10663)
• daece6d chore: version packages (#10560)
• 9781bff fix(google): align ChatGoogle mediaResolution with Gemini scalar type (#10550)
• Additional commits viewable in compare view

Updates @sentry/nextjs from 10.48.0 to 10.49.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.49.0

Important Changes

• feat(browser): Add View Hierarchy integration (#14981)

  A new viewHierarchyIntegration captures the DOM structure when an error occurs, providing a snapshot of the page state for debugging. Enable it in your Sentry configuration:

  import * as Sentry from '@sentry/browser';
  Sentry.init({
  dsn: 'DSN',
  integrations: [Sentry.viewHierarchyIntegration()],
  });

• feat(cloudflare): Split alarms into multiple traces and link them (#19373)

  Durable Object alarms now create separate traces for each alarm invocation, with proper linking between related alarms for better observability.

• feat(cloudflare): Enable RPC trace propagation with enableRpcTracePropagation (#19991, #20345)

  A new enableRpcTracePropagation option enables automatic trace propagation for Cloudflare RPC calls via .fetch(), ensuring distributed traces flow correctly across service bindings.

• feat(core): Add enableTruncation option to AI integrations (#20167, #20181, #20182, #20183, #20184)

  All AI integrations (OpenAI, Anthropic, Google GenAI, LangChain, LangGraph) now support an enableTruncation option to control whether large AI inputs/outputs are truncated.

• feat(opentelemetry): Vendor AsyncLocalStorageContextManager (#20243)

  The OpenTelemetry context manager is now vendored internally, reducing external dependencies and ensuring consistent behavior across environments.

Other Changes

• feat(core): Export a reusable function to add tracing headers (#20076)
• feat(core): Expose rewriteSources top level option (#20142)
• feat(deps): bump defu from 6.1.4 to 6.1.6 (#20104)
• feat(node-native): Add support for V8 v14 (Node v25+) (#20125)
• feat(node): Include global scope for eventLoopBlockIntegration (#20108)
• fix(core, node): Support loading Express options lazily (#20211)
• fix(core): Set conversation_id only on gen_ai spans (#20274)
• fix(core): Use ai.operationId for Vercel AI V6 operation name mapping (#20285)
• fix(deno): Avoid inferring invalid span op from Deno tracer (#20128)
• fix(deno): Handle reader.closed rejection from releaseLock() in streaming (#20187)
• fix(nextjs): Preserve directive prologues in turbopack loaders (#20103)
• fix(nextjs): Skip custom browser tracing setup for bot user agents (#20263)
• fix(opentelemetry): Use WeakRef for context stored on scope to prevent memory leak (#20328)
• fix(replay): Use live click attributes in breadcrumbs (#20262)

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.49.0

Important Changes

• feat(browser): Add View Hierarchy integration (#14981)

  A new viewHierarchyIntegration captures the DOM structure when an error occurs, providing a snapshot of the page state for debugging. Enable it in your Sentry configuration:

  import * as Sentry from '@sentry/browser';
  Sentry.init({
  dsn: 'DSN',
  integrations: [Sentry.viewHierarchyIntegration()],
  });

• feat(cloudflare): Split alarms into multiple traces and link them (#19373)

  Durable Object alarms now create separate traces for each alarm invocation, with proper linking between related alarms for better observability.

• feat(cloudflare): Enable RPC trace propagation with enableRpcTracePropagation (#19991, #20345)

  A new enableRpcTracePropagation option enables automatic trace propagation for Cloudflare RPC calls via .fetch(), ensuring distributed traces flow correctly across service bindings.

• feat(core): Add enableTruncation option to AI integrations (#20167, #20181, #20182, #20183, #20184)

  All AI integrations (OpenAI, Anthropic, Google GenAI, LangChain, LangGraph) now support an enableTruncation option to control whether large AI inputs/outputs are truncated.

• feat(opentelemetry): Vendor AsyncLocalStorageContextManager (#20243)

  The OpenTelemetry context manager is now vendored internally, reducing external dependencies and ensuring consistent behavior across environments.

Other Changes

• feat(core): Export a reusable function to add tracing headers (#20076)
• feat(core): Expose rewriteSources top level option (#20142)
• feat(deps): bump defu from 6.1.4 to 6.1.6 (#20104)
• feat(node-native): Add support for V8 v14 (Node v25+) (#20125)
• feat(node): Include global scope for eventLoopBlockIntegration (#20108)
• fix(core, node): Support loading Express options lazily (#20211)
• fix(core): Set conversation_id only on gen_ai spans (#20274)
• fix(core): Use ai.operationId for Vercel AI V6 operation name mapping (#20285)
• fix(deno): Avoid inferring invalid span op from Deno tracer (#20128)
• fix(deno): Handle reader.closed rejection from releaseLock() in streaming (#20187)
• fix(nextjs): Preserve directive prologues in turbopack loaders (#20103)
• fix(nextjs): Skip custom browser tracing setup for bot user agents (#20263)
• fix(opentelemetry): Use WeakRef for context stored on scope to prevent memory leak (#20328)
• fix(replay): Use live click attributes in breadcrumbs (#20262)

... (truncated)

Commits

• 745af79 release: 10.49.0
• 46dcef1 Merge pull request #20348 from getsentry/prepare-release/10.49.0
• bf4e188 meta(changelog): Update changelog for 10.49.0
• 5f72df5 feat(cloudflare): Enable RPC trace propagation with enableRpcTracePropagation...
• 50438f9 feat(browser): Emit web vitals as streamed spans (#19827)
• 3332fec fix(opentelemetry): Use WeakRef for context stored on scope to prevent memory...
• 684a41f ref(opentelemetry): Replace @opentelemetry/resources with inline `getSentry...
• 8b2a9dc ci: Remove Docker container for Verdaccio package publishing (#20329)
• 0007c7b ci: Extract test names for flaky test issues (#20298)
• 9b9d65c chore(ci): Bump actions/cache to v5 and actions/download-artifact to v7 (#20249)
• Additional commits viewable in compare view

Updates autoprefixer from 10.4.27 to 10.5.0

Release notes

Sourced from autoprefixer's releases.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

Changelog

Sourced from autoprefixer's changelog.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

Commits

• faf456a Release 10.5 version
• b841fc5 Update dependencies
• 47d6e68 Update email
• 45cfc08 Replace ESLint and Prettier to oxlint and oxfmt
• 7e3ec7d Add prefixing support for mask-position-x and mask-position-y (#1548)
• See full diff in compare view

Updates inngest from 4.2.1 to 4.2.4

Release notes

Sourced from inngest's releases.

inngest@4.2.4

Patch Changes

• #1466 68de9150 Thanks @​amh4r! - Fix checkpointing maxRuntime causing duplicate execution

inngest@4.2.3

Patch Changes

• #1460 ce5110de Thanks @​amh4r! - Fix multi-byte UTF-8 chars corrupted when split over chunks

• #1461 d75b59ce Thanks @​amh4r! - Fix CountQueuingStrategy erroring when stubbed in edge runtimes

inngest@4.2.2

Patch Changes

• #1366 aca72f88 Thanks @​Linell! - Fix extendProvider() for OTel SDK v2 where addSpanProcessor() was removed.

  Move @opentelemetry/auto-instrumentations-node and related imports from static top-level to dynamic await import() inside createProvider(). This prevents module-level monkey-patching side effects that broke inngest.send() when combined with host app OTel setups (e.g. Sentry). See #1324.

• #1457 d151b404 Thanks @​amh4r! - Fix using CountQueuingStrategy when not available

• #1455 15495e03 Thanks @​amh4r! - Fix dependencyInjection not working statically at function level

Changelog

Sourced from inngest's changelog.

4.2.4

Patch Changes

• #1466 68de9150 Thanks @​amh4r! - Fix checkpointing maxRuntime causing duplicate execution

4.2.3

Patch Changes

• #1460 ce5110de Thanks @​amh4r! - Fix multi-byte UTF-8 chars corrupted when split over chunks

• #1461 d75b59ce Thanks @​amh4r! - Fix CountQueuingStrategy erroring when stubbed in edge runtimes

4.2.2

Patch Changes

• #1366 aca72f88 Thanks @​Linell! - Fix extendProvider() for OTel SDK v2 where addSpanProcessor() was removed.

  Move @opentelemetry/auto-instrumentations-node and related imports from static top-level to dynamic await import() inside createProvider(). This prevents module-level monkey-patching side effects that broke inngest.send() when combined with host app OTel setups (e.g. Sentry). See #1324.

• #1457 d151b404 Thanks @​amh4r! - Fix using CountQueuingStrategy when not available

• #1455 15495e03 Thanks @​amh4r! - Fix dependencyInjection not working statically at function level

Commits

• 8d1a207 Release @​latest (#1467)
• 68de915 Fix checkpointing maxRuntime causing duplicate execution (#1466)
• 5591a0c Release @​latest (#1462)
• 5a01279 [e13n phase 2] exe-1617 propagate selectionStrategy and fix replay-path gap (...
• ce5110d Fix multi-byte UTF-8 chars corrupted when split over chunks (#1460)
• d75b59c Fix CountQueuingStrategy erroring when stubbed in edge runtimes (#1461)
• fd655ae Release @​latest (#1456)
• d151b40 Conditionally instantiate CountQueuingStrategy (#1457)
• aca72f8 OTel Improvements (#1366)
• 15495e0 Fix dependencyInjection not working statically at function level (#1455)
• See full diff in compare view

Updates langchain from 1.3.1 to 1.3.3

Release notes

Sourced from langchain's releases.

langchain@1.3.3

Patch Changes

• #9386 71e53f1 Thanks @​Josh-Engle! - Prevent local file corruption when using LocalFileStore

• Updated dependencies [d3e0809]:

  • @​langchain/core@​1.1.40

langchain@1.3.2

Patch Changes

• #10693 5a6e0ab Thanks @​hntrl! - fix(agents): derive middleware hook state from invocation state

  Prevents middleware state from leaking across threads by deriving middleware hook input state from the current invocation state instead of cross-node cached state.

Commits

• 0c79948 chore: version packages (#10699)
• c955df4 chore(ci): use pnpm and peerDeps for pkg.pr.new previews (#10702)
• 301b086 ci: add PR title lint workflow (#10703)
• 880e396 fix(redis): harden RediSearch filter query construction (#10701)
• 71e53f1 fix(langchain): Prevent local file corruption when using LocalFileStore (#...
• d3e0809 refactor(core): decouple tracer defaults from langsmith callback naming (#10694)
• c308903 feat: add MINIMAL thinking level for Gemini 3 Flash models (#10665)
• 6845a1e chore: version packages (#10690)
• 5a6e0ab fix(agents): derive middleware hook state from invocation state (#10693)
• 607696e chore(ci): add label-gated publish-preview workflow (#10696)
• Additional commits viewable in compare view

Updates next from 16.2.3 to 16.2.4

Release notes

Sourced from next's releases.

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

Commits

• 2275bd8 v16.2.4
• e073983 Adding more system info to the 'initialize project' trace (#92427)
• 8a540b5 Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92...
• 2f5343f Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• 2ad9d3f turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during ...
• 6f3808e Compiler: Support boolean and number primtives in next.config defines (#92731)
• fbc7684 Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• 805d758 Turbopack: fix filesystem watcher config not applying follow_symlinks(false) ...
• 1056fae chore: Bump reqwest to 0.13.2 (#92713)
• See full diff in compare view

Updates next-auth from 5.0.0-beta.30 to 5.0.0-beta.31

Release notes

Sourced from next-auth's releases.

next-auth@5.0.0-beta.31

Bugfixes (via @​auth/core@​0.41.2)

• providers: add issuer to GitHub provider for RFC 9207 compliance (#13410).
  • Supports both github.com and GitHub Enterprise Server (dynamic ${baseUrl}/login/oauth).
• signin/send-token: stricter email address validation (rejects quoted, multi-@, and empty-domain inputs).

Dependency bump

• @auth/core: 0.41.0 → 0.41.2. Resolves a peer-dep inconsistency in 5.0.0-beta.30 where next-auth declared nodemailer: ^7.0.7 while pinning @auth/core@0.41.0 (which wanted ^6.8.0). Both now align at ^7.0.7.

No changes to next-auth's own source.

Commits

• dab3cfb chore(release): bump version [skip ci]
• af9daa8 chore(release): bump package version(s) [skip ci]
• d4dab3d chore: sync package versions with npm registry (#13414)
• 8a23c5b chore: fix lockfile (#13411)
• 2018202 docs: fix TypeScript type mismatch in refresh token rotation example (#13396)
• 0eba7e4 adapter-kysely: Update kysely for CVE-2026-33468 (#13407)
• 67f2b16 fix(providers): add issuer to GitHub provider for RFC 9207 compliance (#13410)
• f457068 docs: update middleware.ts references to proxy.ts for Next.js 16 (#13373)
• c7c2cfa docs: update Better Auth migration guide (#13334)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by better-gustavo, a new releaser for next-auth since your current version.

Updates posthog-js from 1.367.0 to 1.369.3

Release notes

Sourced from posthog-js's releases.

posthog-js@1.369.3

1.369.3

Patch Changes

• #3419 ea08727 Thanks @​haacked! - Reinstate $feature_flag_payloads and $surveys_activated in captured event properties. (2026-04-18)

• #3416 3d8b2e2 Thanks @​feliperalmeida! - Updated dependencies: - protobufjs@7.5.5 (2026-04-18)

• Updated dependencies []:

  • @​posthog/types@​1.369.3

posthog-js@1.369.2

1.369.2

Patch Changes

• #3386 4a65604 Thanks @​dustinbyrne! - Add a preview flag for versioned browser lazy bundle asset paths. (2026-04-16)
• Updated dependencies [4a65604]:
  • @​posthog/types@​1.369.2

posthog-js@1.369.1

1.369.1

Patch Changes

• #3393 85ae4d9 Thanks @​haacked! - Exclude active feature flag payloads from event properties (2026-04-16)

• #3392 00cd1ce Thanks @​haacked! - Fix unnecessary persisted config and activation properties (including product tours, surveys, and session recording config) added to captured events (2026-04-16)

• Updated dependencies []:

  • @​posthog/types@​1.369.1

posthog-js@1.369.0

1.369.0

Minor Changes

• #3342 eea5260 Thanks @​ksvat! - Account for property filters on events in recording triggers for v2 triggers (2026-04-14)

• #3281 b1fd228 Thanks @​ksvat! - Add session replay trigger groups handling (V2) (2026-04-14)

Patch Changes

• Updated dependencies []:

... (truncated)

Commits

• a652be4 chore: update versions and lockfile [version bump]
• ea08727 fix: Reinstate $feature_flag_payloads and $surveys_activated in events (#3419)
• 3d8b2e2 chore(deps): bump protobufjs from 7.5.4 to 7.5.5 (#3416)
• 657a250 docs: align contributing guides with CI checks (#3414)
• 90806e9 ci(release): update posthog-js release asset buckets (#3412)
• 363283c docs: add package contributing guides (#3413)
• 25da6bc chore: update versions and lockfile [version bump]
• f2758ef chore: bump posthog-react-native-session-replay dependency to 1.5.4 (#3402)
• 5335bb1 chore: update versions and lockfile [version bump]
• 4a65604 fix(browser): gate versioned lazy bundle paths behind preview flag (#3386)
• Additional commits viewable in compare view

Updates uuid from 13.0.0 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

• expect crypto to be global everywhere (requires node@20+) (#935)
• drop node@18 support (#934)

Features

• drop node@18 support (#934) (dc4ddb8)

Bug Fixes

• expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
• Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@20+) (#935)
• drop node@18 support (#934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

Commits

• 7c1ea08 chore(main): release 14.0.0 (#926)
• 3d2c5b0 Merge commit from fork
• f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
• 529ef08 chore: upgrade TypeScript and fixup types (#927)
• 086fd79 chore: update dependencies (#933)
• dc4ddb8 feat!: drop node@18 support (#934)
• 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
• e2879e6 chore: use maintained version of npm-run-all (#930)
• ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
• 0423d49 docs: remove obsolete v1 option notes (#915)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for uuid since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Assignees

The following users could not be added as assignees: vectorMindsAI. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.