Skip to content

chore: bump the npm-non-major group across 1 directory with 14 updates#1018

Open
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/npm-non-major-5012b6a562
Open

chore: bump the npm-non-major group across 1 directory with 14 updates#1018
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/npm-non-major-5012b6a562

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-non-major group with 14 updates in the / directory:

Package From To
@arborium/arborium 2.18.0 2.18.1
@sentry/react 10.58.0 10.61.0
@tanstack/react-query 5.101.0 5.101.1
@tanstack/react-query-devtools 5.101.0 5.101.1
@vanilla-extract/css 1.20.1 1.21.0
@vanilla-extract/vite-plugin 5.2.2 5.2.3
dompurify 3.4.10 3.4.11
framer-motion 12.40.0 12.42.0
katex 0.16.47 0.17.0
react-aria 3.49.0 3.50.0
@cloudflare/vite-plugin 1.41.0 1.42.3
oxfmt 0.45.0 0.56.0
oxlint 1.70.0 1.71.0
wrangler 4.101.0 4.105.0

Updates @arborium/arborium from 2.18.0 to 2.18.1

Commits

Updates @sentry/react from 10.58.0 to 10.61.0

Release notes

Sourced from @​sentry/react's releases.

10.61.0

Important Changes

  • feat(core): Enable streamGenAiSpans by default (#21732)

    The SDK now extracts all gen_ai spans out of a transaction and sends them as v2 envelope items by default. This prevents gen_ai spans from being dropped when the transaction payload exceeds size limits. Because they are no longer constrained by transaction size limits, AI message data is also no longer truncated by default. Set enableTruncation: true on the respective AI integration to re-enable truncation. To keep the previous behavior, set streamGenAiSpans: false.

    Self-hosted Sentry users should opt out with streamGenAiSpans: false, since streamed gen_ai spans may not be ingested by their Sentry instance.

Other Changes

  • feat(cloudflare): Add batch, exec, and withSession D1 instrumentation (#21292)
  • feat(cloudflare): Instrument SQL API in sqlite durable objects (#21656)
  • feat(core): Add db.query.summary functionality (#21670)
  • feat(core): Add top-level Sentry.setAttribute(s) APIs (#21705)
  • fix(hono): Name transactions after the matched route handler (#21700)
  • fix(react-router): Bump peerDependencies for react-router 8 (#21762)
  • fix(replays): Record replay trace_ids with span streaming (#21714)
  • build: add rollup plugin for compile-time ESM/CJS code branching (#21715)
  • chore: Fix version bump for bundler plugin fixtures (#21707)
  • chore(node-integration-tests): Improve node test runner naming (#21685)
  • docs: Update contributing guide for E2E tests (#21763)
  • feat: Adopt bindTracingChannelToSpan across runtimes (#21642)
  • feat: Remove Otel from fsIntegration (#21654)
  • feat(deps): Bump http-proxy-middleware from 2.0.9 to 2.0.10 (#21709)
  • feat(server-utils): Add tracingChannel-to-span binding (#21641)
  • fix(tests): Add dedicated route for Hono query_string tests (#21731)
  • ref: Export SPAN_KIND from core and drop OTel SpanKind imports (#21668)
  • test: Make bundler plugins tests work after release
  • test: Remove duplicated test (#21699)
  • test: retry npm install on network hiccups (#21689)
  • test(cloudflare): Increase node count for memory tests (#21719)
  • test(e2e): Add sentry-sdk-init measure and marks (#21687)
  • test(e2e): Add more lighthouse react e2e test SDK init modes (#21711)
  • test(node): Add esm/cjs specific test runner utils (#21729)
  • test(node): Increase cron integration test timeout to 60s (#21704)
  • test(node): Streamline amqplib tests (#21723)
  • test(node): Update mysql tests for better coverage and correctness (#21684)
  • test(node): Use different ports for redis tests (#21727)

Bundle size 📦

Path Size

... (truncated)

Changelog

Sourced from @​sentry/react's changelog.

10.61.0

Important Changes

  • feat(core): Enable streamGenAiSpans by default (#21732)

    The SDK now extracts all gen_ai spans out of a transaction and sends them as v2 envelope items by default. This prevents gen_ai spans from being dropped when the transaction payload exceeds size limits. Because they are no longer constrained by transaction size limits, AI message data is also no longer truncated by default. Set enableTruncation: true on the respective AI integration to re-enable truncation. To keep the previous behavior, set streamGenAiSpans: false.

    Self-hosted Sentry users should opt out with streamGenAiSpans: false, since streamed gen_ai spans may not be ingested by their Sentry instance.

Other Changes

  • feat(cloudflare): Add batch, exec, and withSession D1 instrumentation (#21292)
  • feat(cloudflare): Instrument SQL API in sqlite durable objects (#21656)
  • feat(core): Add db.query.summary functionality (#21670)
  • feat(core): Add top-level Sentry.setAttribute(s) APIs (#21705)
  • fix(hono): Name transactions after the matched route handler (#21700)
  • fix(react-router): Bump peerDependencies for react-router 8 (#21762)
  • fix(replays): Record replay trace_ids with span streaming (#21714)
  • build: add rollup plugin for compile-time ESM/CJS code branching (#21715)
  • chore: Fix version bump for bundler plugin fixtures (#21707)
  • chore(node-integration-tests): Improve node test runner naming (#21685)
  • docs: Update contributing guide for E2E tests (#21763)
  • feat: Adopt bindTracingChannelToSpan across runtimes (#21642)
  • feat: Remove Otel from fsIntegration (#21654)
  • feat(deps): Bump http-proxy-middleware from 2.0.9 to 2.0.10 (#21709)
  • feat(server-utils): Add tracingChannel-to-span binding (#21641)
  • fix(tests): Add dedicated route for Hono query_string tests (#21731)
  • ref: Export SPAN_KIND from core and drop OTel SpanKind imports (#21668)
  • test: Make bundler plugins tests work after release
  • test: Remove duplicated test (#21699)
  • test: retry npm install on network hiccups (#21689)
  • test(cloudflare): Increase node count for memory tests (#21719)
  • test(e2e): Add sentry-sdk-init measure and marks (#21687)
  • test(e2e): Add more lighthouse react e2e test SDK init modes (#21711)
  • test(node): Add esm/cjs specific test runner utils (#21729)
  • test(node): Increase cron integration test timeout to 60s (#21704)
  • test(node): Streamline amqplib tests (#21723)
  • test(node): Update mysql tests for better coverage and correctness (#21684)
  • test(node): Use different ports for redis tests (#21727)

10.60.0

Other Changes

... (truncated)

Commits
  • a5f654b release: 10.61.0
  • c3f2b30 Merge pull request #21774 from getsentry/prepare-release/10.61.0
  • fcf3dc9 meta(changelog): Update changelog for 10.61.0
  • 28cffd1 docs: Update contributing guide for E2E tests (#21763)
  • b72a360 feat(cloudflare): Instrument SQL API in sqlite durable objects (#21656)
  • a8de444 fix(react-router): Bump peerDependencies for react-router 8 (#21762)
  • 2905c3a feat(cloudflare): Add batch, exec, and withSession D1 instrumentation (#21292)
  • b31ef48 fix(tests): Add dedicated route for Hono query_string tests (#21731)
  • ce6f731 test(node): Update mysql tests for better coverage and correctness (#21684)
  • ff4c9ba chore(github): Add cron schedule for "track framework updates" (#21754)
  • Additional commits viewable in compare view

Updates @tanstack/react-query from 5.101.0 to 5.101.1

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.101.1
    • @​tanstack/react-query@​5.101.1

@​tanstack/react-query-next-experimental@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.101.1

@​tanstack/react-query-persist-client@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.101.1
    • @​tanstack/react-query@​5.101.1

@​tanstack/react-query@​5.101.1

Patch Changes

  • Updated dependencies [9eff92e]:
    • @​tanstack/query-core@​5.101.1
Changelog

Sourced from @​tanstack/react-query's changelog.

5.101.1

Patch Changes

  • Updated dependencies [9eff92e]:
    • @​tanstack/query-core@​5.101.1
Commits
  • b809297 ci: Version Packages (#10977)
  • ccc843e test({react,preact}-query/useQueries): move type-only tests to 'useQueries.te...
  • 4154613 test({react,preact}-query/useMutation): split 'should handle conditional logi...
  • 8bb5fde test({react,preact}-query/useMutation): split 'should pass meta to mutation' ...
  • 87426a3 test(react-query): replace deprecated 'toBeCalledTimes' with 'toHaveBeenCalle...
  • feb1efd test(*): move 'vi.useRealTimers' to the end of 'afterEach' so cleanup runs un...
  • See full diff in compare view

Updates @tanstack/react-query-devtools from 5.101.0 to 5.101.1

Release notes

Sourced from @​tanstack/react-query-devtools's releases.

@​tanstack/react-query-devtools@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.101.1
    • @​tanstack/react-query@​5.101.1
Changelog

Sourced from @​tanstack/react-query-devtools's changelog.

5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.101.1
    • @​tanstack/react-query@​5.101.1
Commits

Updates @vanilla-extract/css from 1.20.1 to 1.21.0

Release notes

Sourced from @​vanilla-extract/css's releases.

@​vanilla-extract/css@​1.21.0

Minor Changes

  • #1749 caacf56 Thanks @​bschlenk! - Allow createGlobalVar to accept a name with a leading --

    Similar to createGlobalThemeContract, createGlobalVar now trims a leading -- from the variable name. This can be useful if you want to keep the full variable name searchable in your codebase.

    EXAMPLE USAGE:

    import { createGlobalVar } from '@vanilla-extract/css';
    // Both produce var(--my-global-var)
    const a = createGlobalVar('my-global-var');
    const b = createGlobalVar('--my-global-var');

  • #1720 7bbe189 Thanks @​cahnory! - style, globalStyle: Add support for @scope rules

    EXAMPLE USAGE:

    import { style, globalStyle } from '@vanilla-extact/css';
    export const styleWithScopeRule = style({
    '@​scope': {
    '(body)': {
    ':after': { content: '"Scoped to body"' }
    }
    }
    });
    globalStyle('div', {
    '@​scope': {
    '(body)': {
    ':after': { content: '"Scoped to body"' }
    }
    }
    });

Patch Changes

  • #1731 aec0ab7 Thanks @​sashank-gogula-glean! - Fix incorrect class name substitution when composed class lists contain regex metacharacters

    Class names containing characters such as (, ), +, or . were being interpreted as regex syntax when building the substitution pattern for composed class lists, causing malformed matches. The class list is now escaped before constructing the RegExp.

  • #1740 a4b120f Thanks @​askoufis! - Fix a bug causing fallbackVar to discard an empty string passed as the fallback value

    An empty string fallback was silently dropped, producing var(--myVar) instead of the CSS empty-fallback form var(--myVar, ). fallbackVar now treats '' like any other fallback value.

Changelog

Sourced from @​vanilla-extract/css's changelog.

1.21.0

Minor Changes

  • #1749 caacf56 Thanks @​bschlenk! - Allow createGlobalVar to accept a name with a leading --

    Similar to createGlobalThemeContract, createGlobalVar now trims a leading -- from the variable name. This can be useful if you want to keep the full variable name searchable in your codebase.

    EXAMPLE USAGE:

    import { createGlobalVar } from '@vanilla-extract/css';
    // Both produce var(--my-global-var)
    const a = createGlobalVar('my-global-var');
    const b = createGlobalVar('--my-global-var');

  • #1720 7bbe189 Thanks @​cahnory! - style, globalStyle: Add support for @scope rules

    EXAMPLE USAGE:

    import { style, globalStyle } from '@vanilla-extact/css';
    export const styleWithScopeRule = style({
    '@​scope': {
    '(body)': {
    ':after': { content: '"Scoped to body"' }
    }
    }
    });
    globalStyle('div', {
    '@​scope': {
    '(body)': {
    ':after': { content: '"Scoped to body"' }
    }
    }
    });

Patch Changes

  • #1731 aec0ab7 Thanks @​sashank-gogula-glean! - Fix incorrect class name substitution when composed class lists contain regex metacharacters

    Class names containing characters such as (, ), +, or . were being interpreted as regex syntax when building the substitution pattern for composed class lists, causing malformed matches. The class list is now escaped before constructing the RegExp.

  • #1740 a4b120f Thanks @​askoufis! - Fix a bug causing fallbackVar to discard an empty string passed as the fallback value

... (truncated)

Commits

Updates @vanilla-extract/vite-plugin from 5.2.2 to 5.2.3

Release notes

Sourced from @​vanilla-extract/vite-plugin's releases.

@​vanilla-extract/vite-plugin@​5.2.3

Patch Changes

  • #1718 f9975b5 Thanks @​MagneH! - Fix No CSS for file error in Vite dev mode when virtual CSS modules are resolved through Vite's @id/ id wrapper

    This was most commonly hit with workspace .css.ts imports in pnpm monorepos on Windows, where Vite produces ids shaped like @id/C:/..., but it can also occur on macOS/Linux. The plugin now unwraps these ids before resolving the virtual CSS file so they map to the correct compiler cache entry.

  • #1748 792d5c6 Thanks @​smitev! - Fixed an issue where .css.ts files could be left untransformed

    This was most commonly hit when using module federation plugins that expose modules as their own chunks, resulting in untransformed runtime style() calls throwing Styles were unable to be assigned to a file.

Changelog

Sourced from @​vanilla-extract/vite-plugin's changelog.

5.2.3

Patch Changes

  • #1718 f9975b5 Thanks @​MagneH! - Fix No CSS for file error in Vite dev mode when virtual CSS modules are resolved through Vite's @id/ id wrapper

    This was most commonly hit with workspace .css.ts imports in pnpm monorepos on Windows, where Vite produces ids shaped like @id/C:/..., but it can also occur on macOS/Linux. The plugin now unwraps these ids before resolving the virtual CSS file so they map to the correct compiler cache entry.

  • #1748 792d5c6 Thanks @​smitev! - Fixed an issue where .css.ts files could be left untransformed

    This was most commonly hit when using module federation plugins that expose modules as their own chunks, resulting in untransformed runtime style() calls throwing Styles were unable to be assigned to a file.

Commits
  • bc8b51c Version Packages (#1736)
  • 792d5c6 fix(vite-plugin): await compiler creation in transform to fix race with concu...
  • f9975b5 fix(vite-plugin): normalize absolute Vite ids on Windows (#1718)
  • See full diff in compare view

Updates dompurify from 3.4.10 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible
Commits

Updates framer-motion from 12.40.0 to 12.42.0

Changelog

Sourced from framer-motion's changelog.

[12.42.0] 2026-06-24

Changed

  • animateView: Layers are automatically grouped to match their DOM-hierarchy. New .group(false) method opts-out.

Fixed

  • animateView: Auto-crop is now aspect-ratio aware, disabling crops for matching aspect-ratios.
  • animateView: Disabled automatic border-radius animation.

[12.41.0] 2026-06-23

Added

  • animateView: Moves from Motion+ Early Access and alpha to main library.
  • animateView: .add() resolves a CSS selector or Element to automatically generate, apply and remove view-transition-name.
  • animateView: .new() and .old() configures values to animate on new and old layers.
  • animateView: .layout() can set a custom transition on the size/position animation of the currently selected elements.
  • animateView: Group layers now automatically crop with children set to cover, with border-radius animating from old radius to new. .crop(false) disables this behaviour.
  • animateView: .class(name) tags currently selected elements with a view-transition-class as a custom CSS hook.

Fixed

  • AnimatePresence: Prevent stuck exit animations when children interrupt.
  • drag: Child e.stopPropagation() no longer break drag end.
  • Fixing Next.js OOM on Windows when importing via motion package.
  • animateLayout: Improve handling of parallel/interleaved calls.

Changed

  • animateView: .enter() and .exit() now refer specifically to new and old layers where there are no matching old or new layers.
  • animateView: Interrupted transition setups now return resolved animation rather than throwing.
Commits
  • 9c84145 v12.42.0
  • 60d7c72 Add view-transition group nesting and aspect-aware cropping
  • 6437276 Updating
  • f0f893e v12.41.0
  • c0c53cb Updating changelog
  • 18c3e3e Removing plans
  • 378fc4c Merge pull request #3761 from motiondivision/worktree-view-target
  • 94ea505 Merge branch 'main' into worktree-view-target
  • de65f6b Fade auto morph crossfades over the spring's visual duration
  • f8af239 Let an explicit duration override the inherited spring on a view layer
  • Additional commits viewable in compare view

Updates katex from 0.16.47 to 0.17.0

Release notes

Sourced from katex's releases.

v0.17.0

0.17.0 (2026-05-22)

Performance Improvements

  • simplify defineFunction to avoid destructuring, improve typing (#4222) (fb604e6)

BREAKING CHANGES

  • The internal API for __defineFunction changed: you should no longer wrap properties in props.
Changelog

Sourced from katex's changelog.

0.17.0 (2026-05-22)

Performance Improvements

  • simplify defineFunction to avoid destructuring, improve typing (#4222) (fb604e6)

BREAKING CHANGES

  • The internal API for __defineFunction changed: you should no longer wrap properties in props.
Commits
  • 3dec549 chore(release): 0.17.0 [ci skip]
  • fb604e6 perf: simplify defineFunction to avoid destructuring, improve typing (#4222)
  • 6caa636 refactor: tighten ParseNode types (#4219)
  • afed784 docs: make first supportive organizations logos bigger (#4216)
  • b02d9ac chore(deps): update dependency webpack-dev-server to v5.2.4 [security] (#4220)
  • See full diff in compare view

Updates react-aria from 3.49.0 to 3.50.0

Commits
  • 1c84a49 Publish
  • 208099b chore: omit isNonModal from ContextualHelpPopover (#10224)
  • a064c19 docs: add S2 audit skill (#10160)
  • 0594914 chore: update chat story prompts to be more realistic (#10223)
  • b8b0688 chore: Audit style props in AI package (#10218)
  • cb43c8c docs: add CenterBaseline to style macro docs (#10216)
  • 003d04d chore: remove horizontal card from ai export (#10217)
  • 358d6d8 chore: make sure Tree keyboard navigation docs example renders fully on small...
  • edceb07 chore: Expose keyboardNavigationBehavior="tab" in S2 (#10206)
  • 6e132fb Revert "fix: preserve selection anchor for multi-Select range selection (#101...
  • Additional commits viewable in compare view

Updates @cloudflare/vite-plugin from 1.41.0 to 1.42.3

Release notes

Sourced from @​cloudflare/vite-plugin's releases.

@​cloudflare/vite-plugin@​1.42.3

Patch Changes

@​cloudflare/vite-plugin@​1.42.2

Patch Changes

  • #14358 4ef872f Thanks @​gabivlj! - Fix container egress interception on arm64 Docker runtimes

    Both wrangler dev and the Cloudflare Vite plugin no longer force the proxy-everything sidecar image to pull as linux/amd64, allowing Docker to select the native image from the multi-platform manifest. Set MINIFLARE_CONTAINER_EGRESS_IMAGE_PLATFORM to force a specific platform when needed.

  • Updated dependencies [a085dec, 9a0de8f, fab565f, 3f02864, 4ef872f, 2a02858, e312dec]:

    • miniflare@4.20260623.0
    • wrangler@4.104.0

@​cloudflare/vite-plugin@​1.42.1

Patch Changes

  • #14366 c6579d3 Thanks @​jamesopstad! - Resolve relative cf-worker entrypoint imports relative to the importing module

    When loading the experimental cloudflare.config.ts, a relative entrypoint imported with import ... with { type: "cf-worker" } (e.g. ./src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.

    Bare specifiers (such as @scope/pkg) and virtual modules (such as virtual:foo) are still left unresolved so that consumers can apply their own resolution.

  • Updated dependencies [c6579d3, 444b75e, b38823f, cfd6205, cfd6205]:

    • wrangler@4.103.0
    • miniflare@4.20260617.1

@​cloudflare/vite-plugin@​1.42.0

Minor Changes

  • #14339 aa49856 Thanks @​jamesopstad! - Add a build command to the experimental, internal cf-vite delegate binary

    cf-vite build runs Vite's full multi-environment app build (via the Builder API) and enables the experimental Build Output API by default, emitting a self-contained .cloudflare/output/v0/ directory. It forces experimental.newConfig and experimental.newConfig.cfBuildOutput on, so a cloudflare.config.ts is required at the project root.

Patch Changes

  • #14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #14351 6c7df19 Thanks @​jamesopstad! - Force the experimental new config on by default in the cf-vite dev delegate

  • #14218 4eed569 Thanks @​matingathani! - Allow resolve.external containing only Node.js built-ins in Worker environments

    Vitest 4 automatically sets resolve.external to the full list of Node.js built-in modules for non-standard Vite environments via its internal runnerTransform plugin. Previously, the Cloudflare Vite plugin rejected any non-empty resolve.external array, throwing an incompatibility error on startup when used alongside Vitest 4.

... (truncated)

Changelog

Sourced from @​cloudflare/vite-plugin's changelog.

1.42.3

Patch Changes

1.42.2

Patch Changes

  • #14358 4ef872f Thanks @​gabivlj! - Fix container egress interception on arm64 Docker runtimes

    Both wrangler dev and the Cloudflare Vite plugin no longer force the proxy-everything sidecar image to pull as linux/amd64, allowing Docker to select the native image from the multi-platform manifest. Set MINIFLARE_CONTAINER_EGRESS_IMAGE_PLATFORM to force a specific platform when needed.

  • Updated dependencies [a085dec, 9a0de8f, fab565f, 3f02864, 4ef872f, 2a02858, e312dec]:

    • miniflare@4.20260623.0
    • wrangler@4.104.0

1.42.1

Patch Changes

  • #14366 c6579d3 Thanks @​jamesopstad! - Resolve relative cf-worker entrypoint imports relative to the importing module

    When loading the experimental cloudflare.config.ts, a relative entrypoint imported with import ... with { type: "cf-worker" } (e.g. ./src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.

    Bare specifiers (such as @scope/pkg) and virtual modules (such as virtual:foo) are still left unresolved so that consumers can apply their own resolution.

  • Updated dependencies [c6579d3, 444b75e, b38823f, cfd6205, cfd6205]:

    • wrangler@4.103.0
    • miniflare@4.20260617.1

1.42.0

Minor Changes

  • #14339 aa49856 Thanks @​jamesopstad! - Add a build command to the experimental, internal cf-vite delegate binary

    cf-vite build runs Vite's full multi-environment app build (via the Builder API) and enables the experimental Build Output API by default, emitting a self-contained .cloudflare/output/v0/ directory. It forces experimental.newConfig and experimental.newConfig.cfBuildOutput on, so a cloudflare.config.ts is required at the project root.

Patch Changes

  • #14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #14351 6c7df19 Thanks @​jamesopstad! - Force the experimental new config on by default in the cf-vite dev delegate

... (truncated)

Commits

Updates oxfmt from 0.45.0 to 0.56.0

Changelog

Sourced from oxfmt's changelog.

Changelog

All notable changes to this package will be documented in this file.

The format is based on Keep a Changelog.

[0.55.0] - 2026-06-15

🚀 Features

  • 9a2788b linter/unicorn: Implement prefer-export-from rule (#22935) (AliceLanniste)

[0.54.0] ...

Description has been truncated

@dependabot dependabot Bot added the internal label Jul 1, 2026
@dependabot dependabot Bot requested review from 7w1 and hazre as code owners July 1, 2026 01:31
@dependabot dependabot Bot added the internal label Jul 1, 2026
Bumps the npm-non-major group with 14 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@arborium/arborium](https://github.com/bearcove/arborium/tree/HEAD/packages/arborium) | `2.18.0` | `2.18.1` |
| [@sentry/react](https://github.com/getsentry/sentry-javascript) | `10.58.0` | `10.61.0` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.101.0` | `5.101.1` |
| [@tanstack/react-query-devtools](https://github.com/TanStack/query/tree/HEAD/packages/react-query-devtools) | `5.101.0` | `5.101.1` |
| [@vanilla-extract/css](https://github.com/vanilla-extract-css/vanilla-extract/tree/HEAD/packages/css) | `1.20.1` | `1.21.0` |
| [@vanilla-extract/vite-plugin](https://github.com/vanilla-extract-css/vanilla-extract/tree/HEAD/packages/vite-plugin) | `5.2.2` | `5.2.3` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.10` | `3.4.11` |
| [framer-motion](https://github.com/motiondivision/motion) | `12.40.0` | `12.42.0` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.47` | `0.17.0` |
| [react-aria](https://github.com/adobe/react-spectrum) | `3.49.0` | `3.50.0` |
| [@cloudflare/vite-plugin](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vite-plugin-cloudflare) | `1.41.0` | `1.42.3` |
| [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.45.0` | `0.56.0` |
| [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) | `1.70.0` | `1.71.0` |
| [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) | `4.101.0` | `4.105.0` |



Updates `@arborium/arborium` from 2.18.0 to 2.18.1
- [Commits](https://github.com/bearcove/arborium/commits/v2.18.1/packages/arborium)

Updates `@sentry/react` from 10.58.0 to 10.61.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.58.0...10.61.0)

Updates `@tanstack/react-query` from 5.101.0 to 5.101.1
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.1/packages/react-query)

Updates `@tanstack/react-query-devtools` from 5.101.0 to 5.101.1
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-devtools/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-devtools@5.101.1/packages/react-query-devtools)

Updates `@vanilla-extract/css` from 1.20.1 to 1.21.0
- [Release notes](https://github.com/vanilla-extract-css/vanilla-extract/releases)
- [Changelog](https://github.com/vanilla-extract-css/vanilla-extract/blob/master/packages/css/CHANGELOG.md)
- [Commits](https://github.com/vanilla-extract-css/vanilla-extract/commits/@vanilla-extract/css@1.21.0/packages/css)

Updates `@vanilla-extract/vite-plugin` from 5.2.2 to 5.2.3
- [Release notes](https://github.com/vanilla-extract-css/vanilla-extract/releases)
- [Changelog](https://github.com/vanilla-extract-css/vanilla-extract/blob/master/packages/vite-plugin/CHANGELOG.md)
- [Commits](https://github.com/vanilla-extract-css/vanilla-extract/commits/@vanilla-extract/vite-plugin@5.2.3/packages/vite-plugin)

Updates `dompurify` from 3.4.10 to 3.4.11
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.10...3.4.11)

Updates `framer-motion` from 12.40.0 to 12.42.0
- [Changelog](https://github.com/motiondivision/motion/blob/main/CHANGELOG.md)
- [Commits](motiondivision/motion@v12.40.0...v12.42.0)

Updates `katex` from 0.16.47 to 0.17.0
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](KaTeX/KaTeX@v0.16.47...v0.17.0)

Updates `react-aria` from 3.49.0 to 3.50.0
- [Release notes](https://github.com/adobe/react-spectrum/releases)
- [Commits](https://github.com/adobe/react-spectrum/compare/react-aria@3.49.0...react-aria@3.50.0)

Updates `@cloudflare/vite-plugin` from 1.41.0 to 1.42.3
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vite-plugin-cloudflare/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vite-plugin@1.42.3/packages/vite-plugin-cloudflare)

Updates `oxfmt` from 0.45.0 to 0.56.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.56.0/npm/oxfmt)

Updates `oxlint` from 1.70.0 to 1.71.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.71.0/npm/oxlint)

Updates `wrangler` from 4.101.0 to 4.105.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.105.0/packages/wrangler)

---
updated-dependencies:
- dependency-name: "@arborium/arborium"
  dependency-version: 2.18.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-non-major
- dependency-name: "@cloudflare/vite-plugin"
  dependency-version: 1.42.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: "@sentry/react"
  dependency-version: 10.60.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-non-major
- dependency-name: "@tanstack/react-query-devtools"
  dependency-version: 5.101.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-non-major
- dependency-name: "@vanilla-extract/css"
  dependency-version: 1.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: "@vanilla-extract/vite-plugin"
  dependency-version: 5.2.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-non-major
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-non-major
- dependency-name: framer-motion
  dependency-version: 12.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: katex
  dependency-version: 0.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: oxfmt
  dependency-version: 0.56.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: oxlint
  dependency-version: 1.71.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: react-aria
  dependency-version: 3.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: wrangler
  dependency-version: 4.104.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-non-major-5012b6a562 branch from 6572b82 to 1d79ccb Compare July 3, 2026 01:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants