chore(deps): bump the production-minor-and-patch group with 4 updates

[dependabot]

Bumps the production-minor-and-patch group with 4 updates: @supabase/supabase-js, @supabase/ssr, sharp and @anthropic-ai/sdk.

Updates @supabase/supabase-js from 2.108.0 to 2.108.2

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.108.2

2.108.2 (2026-06-15)

🩹 Fixes

• auth: preserve valid session on refresh failure and cooldown repeat failures (#2436)
• realtime: clarify httpSend() 404 error and server migration note (#2444)
• release: pin Deno and bound JSR publish to survive stranded-task hangs (#2439)
• release: restore JSR publish flags and enable for beta (#2440)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.5

2.108.2-canary.5 (2026-06-15)

This was a version bump only, there were no code changes.

v2.108.2-canary.4

2.108.2-canary.4 (2026-06-12)

🩹 Fixes

• realtime: clarify httpSend() 404 error and server migration note (#2444)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.3

2.108.2-canary.3 (2026-06-11)

This was a version bump only, there were no code changes.

v2.108.2-canary.2

2.108.2-canary.2 (2026-06-11)

🩹 Fixes

• release: restore JSR publish flags and enable for beta (#2440)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.1

2.108.2-canary.1 (2026-06-11)

🩹 Fixes

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.108.2 (2026-06-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

Commits

• 76f3f02 test(auth): add passkey unit and e2e coverage (#2442)
• 65fafe5 chore(release): version 2.108.0 changelogs (#2433)
• See full diff in compare view

Updates @supabase/ssr from 0.10.3 to 0.12.0

Release notes

Sourced from @​supabase/ssr's releases.

v0.12.0

0.12.0 (2026-06-09)

Features

• adds cookies.encode option allowing minimal cookie sizes (#126) (cf38b22)
• bump cookie to 1.0.2 (#113) (b4a77b4)
• cookies: add clearAuthCookiesAtScopes migration helper (#240) (4e47249)
• full rewrite using getAll and setAll cookie methods (#1) (b6ae192)
• improve cookie chunk handling via base64url+length encoding (#90) (6deb687)
• pass cache headers to setAll to prevent CDN caching of auth responses (#176) (14962d2)
• publish SSR under deprecated auth-helpers package names (#127) (e8b6102)
• release workflow RC versioning and publish reliability (#164) (81e68f4)
• update CI so it runs on release as well (#33) (4517996)
• update supabase-js to latest (#133) (d65044d)
• update supabase-js to latest (#145) (08bf7d6)
• upgrade cookie dependency and cleanup imports (#77) (9524528)

Bug Fixes

• add @​types/cookies to dependencies (#63) (47e5f16)
• add create*Client string in x-client-info (#85) (f271acc)
• allow cookies encode without getAll/setAll on browser client (#213) (89f3f28), closes #170
• allow use of createBrowserClient without window present (#20) (27d868d)
• auth: respect user-provided auth options in createBrowserClient (#167) (5f04837)
• check chunkedCookie is string in server client (#57) (549fe62)
• ci: remove packageManager field (#197) (6bf0226)
• cookies console warnings (#136) (64ff6b3)
• deprecate parse, serialize exports for more useful functions (#14) (0b5f881)
• enable tree-shaking for browser bundles (#216) (f009d71)
• fix createBrowserClient deprecation tsdoc (#17) (1df70ad)
• force release (#98) (66710e8)
• re-apply update CI so it runs on release as well (#49) (51d5a43)
• release: pin npm to 11.5.2 so OIDC trusted publisher works (#249) (4af89f7)
• remove optional dependencies (#41) (a48fe6f)
• remove usage of internal type params (#123) (8f3e89e)
• revert "update CI so it runs on release as well" (#44) (9d0e859)
• revert: "feat: improve cookie chunk handling via base64url+length encoding (#90)" (#100) (2ea8e23)
• set max-age default cookie option to 400 days (#54) (f4ed2e0)
• set cookies for password recovery event (#32) (7dc1837)
• set cookies when mfa challenge is verified (#27) (c217f53)
• tsconfig: set explicit rootDir to silence TS6059 in consumer IDEs (#211) (a77ee8a), closes #209
• update conventional commits ci to use main instead of master (#31) (bebce89)
• update README session docs (#159) (b859905)
• update type, remove unused imports, define AuthEvent type (#47) (4f4a375)
• use skipAutoInitialize to prevent SSR token refresh race condition (#131) (0b7be28)
• validate base64-prefixed chunked cookies decode to valid JSON (#210) (302cc0e)

... (truncated)

Changelog

Sourced from @​supabase/ssr's changelog.

0.12.0 (2026-06-09)

Features

• adds cookies.encode option allowing minimal cookie sizes (#126) (cf38b22)
• bump cookie to 1.0.2 (#113) (b4a77b4)
• cookies: add clearAuthCookiesAtScopes migration helper (#240) (4e47249)
• full rewrite using getAll and setAll cookie methods (#1) (b6ae192)
• improve cookie chunk handling via base64url+length encoding (#90) (6deb687)
• pass cache headers to setAll to prevent CDN caching of auth responses (#176) (14962d2)
• publish SSR under deprecated auth-helpers package names (#127) (e8b6102)
• release workflow RC versioning and publish reliability (#164) (81e68f4)
• update CI so it runs on release as well (#33) (4517996)
• update supabase-js to latest (#133) (d65044d)
• update supabase-js to latest (#145) (08bf7d6)
• upgrade cookie dependency and cleanup imports (#77) (9524528)

Bug Fixes

• add @​types/cookies to dependencies (#63) (47e5f16)
• add create*Client string in x-client-info (#85) (f271acc)
• allow cookies encode without getAll/setAll on browser client (#213) (89f3f28), closes #170
• allow use of createBrowserClient without window present (#20) (27d868d)
• auth: respect user-provided auth options in createBrowserClient (#167) (5f04837)
• check chunkedCookie is string in server client (#57) (549fe62)
• ci: remove packageManager field (#197) (6bf0226)
• cookies console warnings (#136) (64ff6b3)
• deprecate parse, serialize exports for more useful functions (#14) (0b5f881)
• enable tree-shaking for browser bundles (#216) (f009d71)
• fix createBrowserClient deprecation tsdoc (#17) (1df70ad)
• force release (#98) (66710e8)
• re-apply update CI so it runs on release as well (#49) (51d5a43)
• release: pin npm to 11.5.2 so OIDC trusted publisher works (#249) (4af89f7)
• remove optional dependencies (#41) (a48fe6f)
• remove usage of internal type params (#123) (8f3e89e)
• revert "update CI so it runs on release as well" (#44) (9d0e859)
• revert: "feat: improve cookie chunk handling via base64url+length encoding (#90)" (#100) (2ea8e23)
• set max-age default cookie option to 400 days (#54) (f4ed2e0)
• set cookies for password recovery event (#32) (7dc1837)
• set cookies when mfa challenge is verified (#27) (c217f53)
• tsconfig: set explicit rootDir to silence TS6059 in consumer IDEs (#211) (a77ee8a), closes #209
• update conventional commits ci to use main instead of master (#31) (bebce89)
• update README session docs (#159) (b859905)
• update type, remove unused imports, define AuthEvent type (#47) (4f4a375)
• use skipAutoInitialize to prevent SSR token refresh race condition (#131) (0b7be28)
• validate base64-prefixed chunked cookies decode to valid JSON (#210) (302cc0e)

0.11.0 (2026-06-05)

... (truncated)

Commits

• d8c9b60 chore(main): release 0.12.0 (#247)
• 4af89f7 fix(release): pin npm to 11.5.2 so OIDC trusted publisher works (#249)
• 164c7ab build(deps-dev): bump vitest from 1.6.1 to 4.1.0 in the npm_and_yarn group ac...
• 2fd3333 chore: update @​supabase/supabase-js to v2.108.0 (#248)
• dd766c4 chore(main): release 0.11.0 (#244)
• 932931e build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#245)
• 4e47249 feat(cookies): add clearAuthCookiesAtScopes migration helper (#240)
• 34f2b6a chore: update @​supabase/supabase-js to v2.107.0 (#243)
• 4292d04 chore: update @​supabase/supabase-js to v2.106.1 (#236)
• a6896b1 chore: update @​supabase/supabase-js to v2.106.0 (#232)
• Additional commits viewable in compare view

Updates sharp from 0.34.5 to 0.35.1

Release notes

Sourced from sharp's releases.

v0.35.1

• TypeScript: Ensure type definitions are published for both ESM and CJS. #4537

• WebAssembly: Ensure wrapper file is published. #4538

v0.35.1-rc.1

• TypeScript: Ensure type definitions are published for both ESM and CJS. #4537

• WebAssembly: Ensure wrapper file is published. #4538

v0.35.1-rc.0

• TypeScript: Ensure type definitions are published #4537

• WebAssembly: Ensure wrapper file is published. #4538

v0.35.0

• Breaking: Drop support for Node.js 18, now requires Node.js >= 20.9.0.

• Breaking: Remove install script from package.json file. Compiling from source is now opt-in via the build script.

• Breaking: Lossy AVIF output is now tuned using SSIMULACRA2-based iq quality metrics.

• Breaking: Add limitInputChannels with a default value of 5.

• Breaking: Remove deprecated failOnError constructor property.

• Breaking: Remove deprecated paletteBitDepth from metadata response.

• Breaking: Remove deprecated properties from sharpen operation.

• Breaking: Rename format.jp2k as format.jp2 for API consistency.

• Upgrade to libvips v8.18.3 for upstream bug fixes.

• Remove experimental status from WebAssembly binaries.

• Add prebuilt binaries for FreeBSD (WebAssembly).

• Deprecate Windows 32-bit (win32-ia32) prebuilt binaries.

• Ensure TIFF output bitdepth option is limited to 1, 2 or 4.

• Add AVIF/HEIF tune option for control over quality metrics.

... (truncated)

Commits

• d781a2d Release v0.35.1
• 84fa853 Prerelease v0.35.1-rc.1
• 21263c3 TypeScript: Switch type defs to ESM, convert back to CJS #4537
• 8deceb4 Docs: fix link in changelog (#4541)
• c9f08eb Revert "Docs: Highlight that Windows ARM64 support is experimental" (#4540)
• 3ec892f Prerelease v0.35.1-rc.0
• fbdeac5 CI: Run packaging linter on sub-packages
• 1da92b3 WebAssembly: Ensure wrapper file is published #4538
• 32c029e Add packaging linter to help prevent regression e.g. #4537
• 98dc1df TypeScript: Ensure type definitions are published #4537
• Additional commits viewable in compare view

Updates @anthropic-ai/sdk from 0.102.0 to 0.104.1

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.104.1

0.104.1 (2026-06-09)

Full Changelog: sdk-v0.104.0...sdk-v0.104.1

Bug Fixes

• api: add frontier_llm refusal category (465e686)

sdk: v0.104.0

0.104.0 (2026-06-09)

Full Changelog: sdk-v0.103.0...sdk-v0.104.0

Features

• api: add support for Managed Agents deployments and environment variable credentials (d01e38b)

sdk: v0.103.0

0.103.0 (2026-06-09)

Full Changelog: sdk-v0.102.0...sdk-v0.103.0

Features

• api: add support for claude-mythos-5 and claude-fable-5, with support for server-side fallbacks on refusal (cc337f7)
• client: adds client-side fallbacks middleware for API providers that do not support server-side fallbacks (cc337f7)
• middleware: add ctx.logger (#55) (edd1454)

Bug Fixes

• client: 3p middleware ordering (#53) (2a4c339)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.104.1 (2026-06-09)

Full Changelog: sdk-v0.104.0...sdk-v0.104.1

Bug Fixes

• api: add frontier_llm refusal category (465e686)

0.104.0 (2026-06-09)

Full Changelog: sdk-v0.103.0...sdk-v0.104.0

Features

• api: add support for Managed Agents deployments and environment variable credentials (d01e38b)

0.103.0 (2026-06-09)

Full Changelog: sdk-v0.102.0...sdk-v0.103.0

Features

• api: add support for claude-mythos-5 and claude-fable-5, with support for server-side fallbacks on refusal (cc337f7)
• client: adds client-side fallbacks middleware for API providers that do not support server-side fallbacks (cc337f7)
• middleware: add ctx.logger (#55) (edd1454)

Bug Fixes

• client: 3p middleware ordering (#53) (2a4c339)

Commits

• 9a0442d chore: release main
• 1ccd401 fix(api): add frontier_llm refusal category
• 8be0232 chore: release main
• 813af32 feat(api): add support for Managed Agents deployments and environment variabl...
• 589eed1 chore: release main
• a785874 feat(api): add support for claude-mythos-5 and claude-fable-5, with support f...
• 6322a4f fix(client): 3p middleware ordering (#53)
• c2e94fc feat(middleware): add ctx.logger (#55)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions