Bump the minor-and-patch group across 1 directory with 21 updates by dependabot[bot] · Pull Request #27 · akshitkrnagpal/edgepush

dependabot · 2026-06-14T06:05:36Z

Bumps the minor-and-patch group with 21 updates in the / directory:

Package	From	To
turbo	`2.9.14`	`2.9.18`
better-auth	`1.6.11`	`1.6.18`
hono	`4.12.19`	`4.12.25`
@cloudflare/vitest-pool-workers	`0.16.6`	`0.16.15`
@cloudflare/workers-types	`4.20260517.1`	`4.20260613.1`
vitest	`4.1.6`	`4.1.8`
wrangler	`4.92.0`	`4.100.0`
@tanstack/react-query	`5.100.10`	`5.101.0`
next	`16.2.6`	`16.2.9`
react	`19.2.6`	`19.2.7`
@types/react	`19.2.14`	`19.2.17`
react-dom	`19.2.6`	`19.2.7`
@opennextjs/cloudflare	`1.19.10`	`1.19.11`
@tailwindcss/postcss	`4.3.0`	`4.3.1`
@types/node	`25.8.0`	`25.9.3`
eslint-config-next	`16.2.6`	`16.2.9`
tailwindcss	`4.3.0`	`4.3.1`
@astrojs/cloudflare	`13.5.1`	`13.7.0`
@astrojs/sitemap	`3.7.2`	`3.7.3`
astro	`6.3.3`	`6.4.6`
@orpc/server	`1.14.3`	`1.14.6`

Updates turbo from 2.9.14 to 2.9.18

Release notes

Sourced from turbo's releases.

Turborepo v2.9.18

What's Changed

Changelog

release(turborepo): 2.9.17 by @github-actions[bot] in vercel/turborepo#13047

ci: Fetch version.txt via API in docs alias failure notification by @anthonyshew in vercel/turborepo#13050

fix: Harden cache archive symlink restore by @anthonyshew in vercel/turborepo#13051

chore: Remove web UI mode by @anthonyshew in vercel/turborepo#13052

fix: Harden query server file access by @anthonyshew in vercel/turborepo#13053

fix: Confine prune patch paths by @anthonyshew in vercel/turborepo#13054

fix: Prevent git argument injection in SCM refs by @anthonyshew in vercel/turborepo#13055

fix: Strip special mode bits from cache restore by @anthonyshew in vercel/turborepo#13056

fix: Contain incremental cache outputs by @anthonyshew in vercel/turborepo#13057

fix(turborepo): Normalize Windows daemon path hash by @Balance8 in vercel/turborepo#13020

fix: Preserve vt100 cell byte counts by @anthonyshew in vercel/turborepo#13058

fix: Separate artifact signature fields by @anthonyshew in vercel/turborepo#13059

fix: Validate OidHash hex buffers by @anthonyshew in vercel/turborepo#13060

fix: Block self-hosted login URLs from attempting to use Vercel's SSO by @anthonyshew in vercel/turborepo#13061

New Contributors

@Balance8 made their first contribution in vercel/turborepo#13020

Full Changelog: vercel/turborepo@v2.9.17...v2.9.18

Turborepo v2.9.17

What's Changed

Changelog

fix: Keep non-PTY stdin alive for persistent tasks by @anthonyshew in vercel/turborepo#12972

release(turborepo): 2.9.16 by @github-actions[bot] in vercel/turborepo#12970

release(turborepo): 2.9.17-canary.1 by @github-actions[bot] in vercel/turborepo#12973

fix: Add auth HTTP timeouts by @anthonyshew in vercel/turborepo#12976

fix: Detect affected root tasks in query by @anthonyshew in vercel/turborepo#12977

fix: Wait for Windows graceful shutdown by @anthonyshew in vercel/turborepo#12979

release(turborepo): 2.9.17-canary.2 by @github-actions[bot] in vercel/turborepo#12980

test: Skip installs for JSON output fixtures by @anthonyshew in vercel/turborepo#12981

feat: Add Rsbuild examples by @Nsttt in vercel/turborepo#12942

test: Skip installs for single package dry runs by @anthonyshew in vercel/turborepo#12982

test: Skip Corepack setup without installs by @anthonyshew in vercel/turborepo#12983

test: Skip installs for metadata-only Rust tests by @anthonyshew in vercel/turborepo#12985

test: Skip remaining unnecessary fixture installs by @anthonyshew in vercel/turborepo#12986

test: Add final hash contract snapshots by @anthonyshew in vercel/turborepo#12984

test: Trim run logging integration matrix by @anthonyshew in vercel/turborepo#12987

test: Trim affected query integration matrix by @anthonyshew in vercel/turborepo#12988

test: Narrow Windows integration test group by @anthonyshew in vercel/turborepo#12989

test: Trim task dependency integration coverage by @anthonyshew in vercel/turborepo#12990

test: Trim affected integration coverage by @anthonyshew in vercel/turborepo#12991

test: Collapse integration test matrices by @anthonyshew in vercel/turborepo#12992

... (truncated)

Commits

3bdce32 publish 2.9.18 to registry
2a76556 fix: Block self-hosted login URLs from attempting to use Vercel's SSO (#13061)
da8e348 fix: Validate OidHash hex buffers (#13060)
3018717 fix: Separate artifact signature fields (#13059)
34514e2 fix: Preserve vt100 cell byte counts (#13058)
24e2d34 fix(turborepo): Normalize Windows daemon path hash (#13020)
16dc881 fix: Contain incremental cache outputs (#13057)
92e1f8e fix: Strip special mode bits from cache restore (#13056)
f46f896 fix: Prevent git argument injection in SCM refs (#13055)
7f353ca fix: Confine prune patch paths (#13054)
Additional commits viewable in compare view

Updates better-auth from 1.6.11 to 1.6.18

Release notes

Sourced from better-auth's releases.

v1.6.18

better-auth

Bug Fixes

Fixed getCookieCache to return null for expired sessions instead of treating stale signed cookies as live sessions.

Fixed the delete-account confirmation link to prevent duplicate account deletions from concurrent callback requests.

Fixed one-time tokens from being redeemable multiple times under concurrent requests.

Fixed password reset tokens from changing a password more than once under concurrent requests.

Fixed Reddit sign-in to assign a non-routable placeholder address (<id>@reddit.invalid) to users with no email, preventing accidental matches with real mailboxes.

Fixed Sign-In with Ethereum nonces from being accepted multiple times under concurrent sign-in requests.

Added internalAdapter.reserveVerificationValue to atomically record single-use markers, ensuring only one concurrent caller succeeds for replay-protected operations.

Added the incrementOne adapter method and SecondaryStorage.increment for atomic counter updates, enabling strict rate-limit and usage-counter enforcement under concurrent load.

Fixed expired two-factor challenges from completing login and prevented duplicate session creation from concurrent verifications.

Fixed captcha verification to time out after 10 seconds, preventing slow or unreachable captcha providers from hanging requests indefinitely.

Fixed /delete-user/callback to reject account deletion when the session has been revoked server-side (cookie-only session deployments are unaffected).

Fixed rate limiting to prevent concurrent requests from slipping past configured limits, with a new optional consume method for custom storage backends to opt into strict enforcement.

Fixed team deletion to preserve pending invitations by removing only the deleted team's reference rather than invalidating the invitations entirely.

Fixed expected authentication validation failures to log as warnings instead of errors.

Fixed MCP bearer token validation to reject expired access tokens and require the offline_access scope for refresh token usage.

Fixed plugin API inference in composite monorepo setups where the core package resolved through multiple paths (#9583)

Fixed OpenAPI generation to accurately serialize Zod request schemas, including optional, nullable, intersected, and record-shaped types (#9315)

Fixed a memory leak where the JWKS cache could grow on every access token verification.

Fixed Google One Tap to require a configured client ID (set via the oneTap plugin or socialProviders.google) and reject tokens issued for other applications.

Fixed device-authorization token polling to prevent the same approved device code from being redeemed multiple times under concurrent polls.

Fixed account cookie preservation when switching users in the same browser session.

Fixed email OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.

Fixed phone-number OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.

Fixed two-factor OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.

Fixed the Have I Been Pwned plugin to check breached passwords on additional endpoints, including email-OTP and phone-number reset-password routes and admin password-setting routes.

Fixed the multi-session set-active and revoke endpoints to only act on sessions the caller holds a signed cookie for, preventing unauthorized session manipulation.

Fixed the OIDC /oauth2/endsession endpoint to reject cross-site logout requests that carry only a session cookie without a valid id_token_hint.

Fixed WeChat sign-in to work without an email address by assigning a stable placeholder email, with mapProfileToUser available to supply a real one.

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

Fixed SAML assertion replay protection to hold under concurrent requests, preventing a duplicate submission from being accepted more than once.

Fixed organization admins and owners to verify domain ownership for SSO providers their organization owns, not just the member who originally registered the provider.

Fixed trustEmailVerified to treat only a boolean true or the string "true" as a verified email, rejecting the string "false" as unverified.

For detailed changes, see CHANGELOG

@better-auth/memory-adapter

Bug Fixes

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.18

Patch Changes

#9315 9ef7240 Thanks @GautamBytes! - fix OpenAPI requestBody generation for intersected and default-wrapped body schemas

#9583 b21a5f7 Thanks @GautamBytes! - Fix plugin-provided client methods and additional session fields not being inferred in composite monorepos.

Updated dependencies [b21a5f7]:

@better-auth/core@1.6.18

@better-auth/drizzle-adapter@1.6.18

@better-auth/kysely-adapter@1.6.18

@better-auth/memory-adapter@1.6.18

@better-auth/mongo-adapter@1.6.18

@better-auth/prisma-adapter@1.6.18

@better-auth/telemetry@1.6.18

1.6.17

Patch Changes

#9993 baeaa00 Thanks @gustavovalverde! - When a team had a single open slot, accepting an invitation into it was wrongly rejected as over the member limit and left a dangling membership record. Two invitations accepted into a nearly-full team at the same time could also push it past its limit. Both are fixed.

#9482 3e99e6c Thanks @bytaesu! - admin.setUserPassword now creates a credential account when the target user does not have one, matching the behavior of resetPassword. Previously the call returned status: true without doing anything for users without an existing credential account (e.g., social-only or magic-link signups), so admins migrating users from another auth system or assigning an initial password to a social-only user can now do so directly without poking the account table.

96c78c3 Thanks @GautamBytes! - Downgrade expected auth validation failures from error logs to warnings.

#9993 baeaa00 Thanks @gustavovalverde! - Captcha provider verification requests now time out after 10 seconds and fail closed, so a slow or unreachable captcha provider can no longer tie up a request indefinitely.

#9993 baeaa00 Thanks @gustavovalverde! - A delete-account confirmation link can no longer delete the account more than once when its callback is opened concurrently.

#9991 0c3856f Thanks @gustavovalverde! - Completing account deletion through /delete-user/callback now fails when the session has been revoked server-side, instead of proceeding within the cookie-cache window. Deployments that keep sessions only in the cookie are unaffected.

#9993 baeaa00 Thanks @gustavovalverde! - Polling for a device-authorization token can no longer redeem the same approved device code more than once when several polls arrive together.

#9993 baeaa00 Thanks @gustavovalverde! - Submitting the same email OTP from several requests at once can no longer sign in more than once or gain extra tries beyond the attempt limit.

#10002 ed7b6c9 Thanks @gustavovalverde! - Adding a member to a team that is already at its maximumMembersPerTeam limit is now rejected on every path. addMember with a teamId and add-team-member previously skipped the limit that invitation acceptance enforced, so they could push a team over its cap. A rejected addMember no longer creates the organization member.

#9677 e0a768c Thanks @GautamBytes! - Refactor role.authorize control flow while preserving existing authorization behavior.

#9987 7343284 Thanks @bytaesu! - Generic OAuth sign-in works again for providers whose userinfo response has no sub or id field when mapProfileToUser derives the account id. An empty id field now falls back to sub.

#9991 0c3856f Thanks @gustavovalverde! - getCookieCache now returns null for an expired session instead of the stale session data. Middleware that calls it to gate access no longer treats an expired signed cookie as a live session.

#9993 baeaa00 Thanks @gustavovalverde! - The Have I Been Pwned plugin now checks submitted passwords against the breach database on more password-setting endpoints by default, including the email-OTP and phone-number reset-password routes and the admin create-user and set-user-password routes. A breached password can no longer be set through those routes when the plugin is enabled with its default paths.

#9987 7343284 Thanks @bytaesu! - Preserve the fresh account cookie issued while switching users in the same browser instead of expiring it from stale request cookie state.

#9991 0c3856f Thanks @gustavovalverde! - Expired MCP access tokens are no longer accepted. A protected MCP resource now rejects a bearer token once it has expired, both on the server and through the remote client. A refresh token is accepted only when the original authorization included the offline_access scope.

... (truncated)

Commits

04debbf chore: release v1.6.18 (#10026)
9ef7240 fix(open-api): serialize zod request schemas accurately (#9315)
b21a5f7 fix(client): preserve plugin inference in composite monorepos (#9583)
0d8b238 chore: release v1.6.17 (#9984)
eff3c99 test(next-js): verify nextCookies forwards all set-cookie headers (#10013)
e0a768c refactor(access): flatten access plugin role authorization logic (#9677)
3310ebc fix(open-api): mark model ids as required (#9704)
59e0ccb fix(client): updateSession should infer session additional fields (#9777)
96c78c3 fix(logger): downgrade validation logs level to warn
5c289b5 fix(account): resolve stateless account cookies across instances (#9979)
Additional commits viewable in compare view

Updates hono from 4.12.19 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

docs(contribution): simplifyAI Usage Policy by @yusukebe in honojs/hono#4972

chore: remove @types/glob by @rtritto in honojs/hono#4978

fix(bearer-auth): mention verifyToken in missing-options error message by @tan7vir in honojs/hono#4987

refactor(language): Test/improve tests on languages middleware by @iNeoO in honojs/hono#4980

fix(utils/ipaddr): expand "::" to eight zero groups by @youcefzemmar in honojs/hono#4973

fix: clean up config files trailing comma, stale excludes, typesVersions gaps, jsr paths by @Mohammad-Faiz-Cloud-Engineer in honojs/hono#4982

refactor(timing): Test/add test for middleware timing by @iNeoO in honojs/hono#4991

fix(utils/ipaddr): render the unspecified address binary as "::" by @sarathfrancis90 in honojs/hono#4998

Full Changelog: honojs/hono@v4.12.23...v4.12.24

v4.12.23

What's Changed

fix(serve-static): normalize all backslashes in file paths, not just the first in honojs/hono#4962

feat(context): export the Context class publicly by @BlankParticle in honojs/hono#4543

docs(contribution): add AI Usage Policy by @yusukebe in honojs/hono#4970

feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @na-trium-144 in honojs/hono#4961

fix(utils/ipaddr): do not compress a single 0 group to :: by @yusukebe in honojs/hono#4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

... (truncated)

Commits

fce483e 4.12.25
751ba41 Merge commit from fork
f0b094d Merge commit from fork
fa5f9bf Merge commit from fork
3892a6c Merge commit from fork
74c2cf8 test(aws-lambda): update integration tests (#5012)
7ae7cba Merge commit from fork
1b13848 chore(ci): bump codecov-action to v7.0.0 (#5011)
5fdde5a 4.12.24
c78932d fix(utils/ipaddr): render the unspecified address binary as "::" (#4998)
Additional commits viewable in compare view

Updates @cloudflare/vitest-pool-workers from 0.16.6 to 0.16.15

Release notes

Sourced from @cloudflare/vitest-pool-workers's releases.

@cloudflare/vitest-pool-workers@0.16.15

Patch Changes

Updated dependencies [98c9afe, e305126, f3990b2, 4597f08, 25722ac, 41f75c0, 10b5538, 818c105, 2ae6099, 2047a32, 2047a32, e8561c2]:

wrangler@4.100.0

miniflare@4.20260611.0

@cloudflare/vitest-pool-workers@0.16.14

Patch Changes

Updated dependencies [23aecac, b932e47, d076bcc, 24497d0, 4bb572f, 165adb2, 776098c, 0706fbf, 7993711, 48c4ff0, 8cf8c61, 8923f97, b205fb7, a61ac29]:

wrangler@4.99.0

miniflare@4.20260609.0

@cloudflare/vitest-pool-workers@0.16.13

Patch Changes

Updated dependencies [c6c61b5, c6c61b5, a3eea27, 7a6b1a4, 7539a9b, 1fdd8de, 3b8b80a, 0bb2d55, 8400fb9, b502d54, 7949f81, d462013, c2280cd, 3b8b80a, ea12b58, acf7817]:

wrangler@4.98.0

miniflare@4.20260603.0

@cloudflare/vitest-pool-workers@0.16.12

Patch Changes

#14152 3d7992e Thanks @petebacondarwin! - Fix module resolution failing when project path contains spaces

When a project lived under a directory with spaces (e.g. /Users/me/Documents/Master CMS/project), the vitest pool would fail with No such module "threads.js" before any test executed. The module fallback service now uses the rawSpecifier from workerd's fallback request to correctly decode file:// URLs, avoiding the double-encoding of spaces (%20 → %2520) that occurred when workerd resolved these URLs as relative paths.

#14105 337e912 Thanks @dario-piotrowicz! - Remove trailing periods from URLs in terminal output

URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

#14112 3a746ac Thanks @penalosa! - Pin non-bundled runtime dependencies to exact versions

Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new pnpm check:pinned-deps lint enforces this for all published packages (and for the shared pnpm catalog) going forward.

#14061 da8e306 Thanks @Vardiak! - Preserve Durable Object WebSocket handler invocation order

Durable Object WebSocket events could begin executing out of order in the Workers Vitest integration when several events arrived while the test wrapper was resolving user code.

Handler invocation now preserves arrival order while still allowing asynchronous handler completion to run concurrently.

Updated dependencies [b210c5e, aec1bb8, e06cbb7, 9a26191, 5565823, 4ef790b, 890fca7, 6fc9777, 337e912, 8e7b74f, e86489a, 42288d4, 65b5f9e, 3a746ac, 64ef9fd, 94b29f7]:

wrangler@4.97.0

miniflare@4.20260601.0

@cloudflare/vitest-pool-workers@0.16.11

Patch Changes

#14070 96ae856 Thanks @dmmulroy! - Fix Durable Object RPC dispatch for constructors that return proxies

... (truncated)

Changelog

Sourced from @cloudflare/vitest-pool-workers's changelog.

0.16.15

Patch Changes

Updated dependencies [98c9afe, e305126, f3990b2, 4597f08, 25722ac, 41f75c0, 10b5538, 818c105, 2ae6099, 2047a32, 2047a32, e8561c2]:

wrangler@4.100.0

miniflare@4.20260611.0

0.16.14

Patch Changes

Updated dependencies [23aecac, b932e47, d076bcc, 24497d0, 4bb572f, 165adb2, 776098c, 0706fbf, 7993711, 48c4ff0, 8cf8c61, 8923f97, b205fb7, a61ac29]:

wrangler@4.99.0

miniflare@4.20260609.0

0.16.13

Patch Changes

Updated dependencies [c6c61b5, c6c61b5, a3eea27, 7a6b1a4, 7539a9b, 1fdd8de, 3b8b80a, 0bb2d55, 8400fb9, b502d54, 7949f81, d462013, c2280cd, 3b8b80a, ea12b58, acf7817]:

wrangler@4.98.0

miniflare@4.20260603.0

0.16.12

Patch Changes

#14152 3d7992e Thanks @petebacondarwin! - Fix module resolution failing when project path contains spaces

When a project lived under a directory with spaces (e.g. /Users/me/Documents/Master CMS/project), the vitest pool would fail with No such module "threads.js" before any test executed. The module fallback service now uses the rawSpecifier from workerd's fallback request to correctly decode file:// URLs, avoiding the double-encoding of spaces (%20 → %2520) that occurred when workerd resolved these URLs as relative paths.

#14105 337e912 Thanks @dario-piotrowicz! - Remove trailing periods from URLs in terminal output

URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

#14112 3a746ac Thanks @penalosa! - Pin non-bundled runtime dependencies to exact versions

Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new pnpm check:pinned-deps lint enforces this for all published packages (and for the shared pnpm catalog) going forward.

#14061 da8e306 Thanks @Vardiak! - Preserve Durable Object WebSocket handler invocation order

Durable Object WebSocket events could begin executing out of order in the Workers Vitest integration when several events arrived while the test wrapper was resolving user code.

Handler invocation now preserves arrival order while still allowing asynchronous handler completion to run concurrently.

Updated dependencies [b210c5e, aec1bb8, e06cbb7, 9a26191, 5565823, 4ef790b, 890fca7, 6fc9777, 337e912, 8e7b74f, e86489a, 42288d4, 65b5f9e, 3a746ac, 64ef9fd, 94b29f7]:

wrangler@4.97.0

miniflare@4.20260601.0

... (truncated)

Commits

341bd13 Version Packages (#14237)
8a4bfe5 Version Packages (#14179)
c8c366e Version Packages (#14159)
0b60424 Version Packages (#14142)
3d7992e [vitest-pool-workers] Fix module resolution for paths with spaces (

Bumps the minor-and-patch group with 21 updates in the / directory: | Package | From | To | | --- | --- | --- | | [turbo](https://github.com/vercel/turborepo) | `2.9.14` | `2.9.18` | | [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.11` | `1.6.18` | | [hono](https://github.com/honojs/hono) | `4.12.19` | `4.12.25` | | [@cloudflare/vitest-pool-workers](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vitest-pool-workers) | `0.16.6` | `0.16.15` | | [@cloudflare/workers-types](https://github.com/cloudflare/workerd) | `4.20260517.1` | `4.20260613.1` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.6` | `4.1.8` | | [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) | `4.92.0` | `4.100.0` | | [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.100.10` | `5.101.0` | | [next](https://github.com/vercel/next.js) | `16.2.6` | `16.2.9` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.6` | `19.2.7` | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.14` | `19.2.17` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.6` | `19.2.7` | | [@opennextjs/cloudflare](https://github.com/opennextjs/opennextjs-cloudflare/tree/HEAD/packages/cloudflare) | `1.19.10` | `1.19.11` | | [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.3.0` | `4.3.1` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.8.0` | `25.9.3` | | [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.2.6` | `16.2.9` | | [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.0` | `4.3.1` | | [@astrojs/cloudflare](https://github.com/withastro/astro/tree/HEAD/packages/integrations/cloudflare) | `13.5.1` | `13.7.0` | | [@astrojs/sitemap](https://github.com/withastro/astro/tree/HEAD/packages/integrations/sitemap) | `3.7.2` | `3.7.3` | | [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) | `6.3.3` | `6.4.6` | | [@orpc/server](https://github.com/middleapi/orpc/tree/HEAD/packages/server) | `1.14.3` | `1.14.6` | Updates `turbo` from 2.9.14 to 2.9.18 - [Release notes](https://github.com/vercel/turborepo/releases) - [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md) - [Commits](vercel/turborepo@v2.9.14...v2.9.18) Updates `better-auth` from 1.6.11 to 1.6.18 - [Release notes](https://github.com/better-auth/better-auth/releases) - [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md) - [Commits](https://github.com/better-auth/better-auth/commits/v1.6.18/packages/better-auth) Updates `hono` from 4.12.19 to 4.12.25 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.19...v4.12.25) Updates `@cloudflare/vitest-pool-workers` from 0.16.6 to 0.16.15 - [Release notes](https://github.com/cloudflare/workers-sdk/releases) - [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vitest-pool-workers/CHANGELOG.md) - [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vitest-pool-workers@0.16.15/packages/vitest-pool-workers) Updates `@cloudflare/workers-types` from 4.20260517.1 to 4.20260613.1 - [Release notes](https://github.com/cloudflare/workerd/releases) - [Changelog](https://github.com/cloudflare/workerd/blob/main/RELEASE.md) - [Commits](https://github.com/cloudflare/workerd/commits) Updates `vitest` from 4.1.6 to 4.1.8 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest) Updates `wrangler` from 4.92.0 to 4.100.0 - [Release notes](https://github.com/cloudflare/workers-sdk/releases) - [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.100.0/packages/wrangler) Updates `@tanstack/react-query` from 5.100.10 to 5.101.0 - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.0/packages/react-query) Updates `next` from 16.2.6 to 16.2.9 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.2.6...v16.2.9) Updates `react` from 19.2.6 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react) Updates `@types/react` from 19.2.14 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `react-dom` from 19.2.6 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom) Updates `@opennextjs/cloudflare` from 1.19.10 to 1.19.11 - [Release notes](https://github.com/opennextjs/opennextjs-cloudflare/releases) - [Changelog](https://github.com/opennextjs/opennextjs-cloudflare/blob/main/packages/cloudflare/CHANGELOG.md) - [Commits](https://github.com/opennextjs/opennextjs-cloudflare/commits/@opennextjs/cloudflare@1.19.11/packages/cloudflare) Updates `@tailwindcss/postcss` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-postcss) Updates `@types/node` from 25.8.0 to 25.9.3 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `@types/react` from 19.2.14 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `eslint-config-next` from 16.2.6 to 16.2.9 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](https://github.com/vercel/next.js/commits/v16.2.9/packages/eslint-config-next) Updates `tailwindcss` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss) Updates `@astrojs/cloudflare` from 13.5.1 to 13.7.0 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/integrations/cloudflare/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/@astrojs/cloudflare@13.7.0/packages/integrations/cloudflare) Updates `@astrojs/sitemap` from 3.7.2 to 3.7.3 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/integrations/sitemap/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/@astrojs/sitemap@3.7.3/packages/integrations/sitemap) Updates `astro` from 6.3.3 to 6.4.6 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@6.4.6/packages/astro) Updates `@orpc/server` from 1.14.3 to 1.14.6 - [Release notes](https://github.com/middleapi/orpc/releases) - [Commits](https://github.com/middleapi/orpc/commits/v1.14.6/packages/server) --- updated-dependencies: - dependency-name: turbo dependency-version: 2.9.18 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: better-auth dependency-version: 1.6.18 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: hono dependency-version: 4.12.25 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@cloudflare/vitest-pool-workers" dependency-version: 0.16.15 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@cloudflare/workers-types" dependency-version: 4.20260613.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: vitest dependency-version: 4.1.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: wrangler dependency-version: 4.100.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@tanstack/react-query" dependency-version: 5.101.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: next dependency-version: 16.2.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: react dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: react-dom dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@opennextjs/cloudflare" dependency-version: 1.19.11 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@tailwindcss/postcss" dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@types/node" dependency-version: 25.9.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: eslint-config-next dependency-version: 16.2.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: tailwindcss dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@astrojs/cloudflare" dependency-version: 13.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@astrojs/sitemap" dependency-version: 3.7.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: astro dependency-version: 6.4.6 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@orpc/server" dependency-version: 1.14.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-06-14T06:05:37Z

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the minor-and-patch group across 1 directory with 21 updates#27

Bump the minor-and-patch group across 1 directory with 21 updates#27
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/minor-and-patch-60d9aade7e

dependabot Bot commented on behalf of github Jun 14, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 14, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github Jun 14, 2026

Turborepo v2.9.18

What's Changed

Changelog

New Contributors

Turborepo v2.9.17

What's Changed

Changelog

v1.6.18

better-auth

Bug Fixes

@better-auth/sso

Bug Fixes

@better-auth/memory-adapter

Bug Fixes

1.6.18

Patch Changes

1.6.17

Patch Changes

v4.12.25

Security fixes

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Path traversal in serve-static on Windows via encoded backslash (%5C)

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

v4.12.24

What's Changed

v4.12.23

What's Changed

v4.12.22

What's Changed

@​cloudflare/vitest-pool-workers@​0.16.15

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.14

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.13

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.12

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.11

Patch Changes

0.16.15

Patch Changes

0.16.14

Patch Changes

0.16.13

Patch Changes

0.16.12

Patch Changes

Uh oh!

dependabot Bot commented on behalf of github Jun 14, 2026

Labels

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

`better-auth`

`@better-auth/sso`

`@better-auth/memory-adapter`

CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

`@cloudflare/vitest-pool-workers@0`.16.15

`@cloudflare/vitest-pool-workers@0`.16.14

`@cloudflare/vitest-pool-workers@0`.16.13

`@cloudflare/vitest-pool-workers@0`.16.12

`@cloudflare/vitest-pool-workers@0`.16.11