chore(deps): bump the npm-deps group across 3 directories with 24 updates

[dependabot]

Bumps the npm-deps group with 23 updates in the /frontend/app directory:

Package	From	To
@tanstack/react-query-devtools	5.85.3	5.96.2
@tanstack/react-router	1.141.0	1.168.10
@tanstack/react-router-devtools	1.141.0	1.166.11
axios	1.13.5	1.14.0
dompurify	3.2.6	3.3.3
jotai	2.13.1	2.19.0
js-confetti	0.12.0	0.13.1
lodash	4.17.23	4.18.1
@types/lodash	4.17.20	4.17.24
monaco-themes	0.4.6	0.4.8
posthog-js	1.298.1	1.364.7
react-hook-form	7.62.0	7.72.1
react-icons	5.5.0	5.6.0
use-debounce	10.0.6	10.1.1
@trivago/prettier-plugin-sort-imports	6.0.0	6.0.2
@types/dagre	0.7.53	0.7.54
@types/qs	6.14.0	6.15.0
autoprefixer	10.4.21	10.4.27
eslint-plugin-prettier	5.5.4	5.5.5
eslint-plugin-react-refresh	0.4.20	0.5.2
postcss	8.5.6	8.5.8
prettier	3.6.2	3.8.1
tsx	4.20.4	4.21.0

Bumps the npm-deps group with 1 update in the /frontend/docs directory: posthog-js.
Bumps the npm-deps group with 1 update in the /sdks/typescript directory: eslint.

Updates @tanstack/react-query-devtools from 5.85.3 to 5.96.2

Release notes

Sourced from @​tanstack/react-query-devtools's releases.

@​tanstack/react-query-devtools@​5.96.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.96.2
  • @​tanstack/react-query@​5.96.2

@​tanstack/react-query-devtools@​5.96.1

Patch Changes

• fix(build): exclude config files from production DTS rollup to prevent @types/node type pollution (#10358)

• Updated dependencies []:

  • @​tanstack/query-devtools@​5.96.1
  • @​tanstack/react-query@​5.96.1

@​tanstack/react-query-devtools@​5.96.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.96.0
  • @​tanstack/react-query@​5.96.0

Changelog

Sourced from @​tanstack/react-query-devtools's changelog.

5.96.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.96.2
  • @​tanstack/react-query@​5.96.2

5.96.1

Patch Changes

• fix(build): exclude config files from production DTS rollup to prevent @types/node type pollution (#10358)

• Updated dependencies []:

  • @​tanstack/query-devtools@​5.96.1
  • @​tanstack/react-query@​5.96.1

5.96.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.96.0
  • @​tanstack/react-query@​5.96.0

5.95.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.95.2
  • @​tanstack/react-query@​5.95.2

5.95.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.95.1
  • @​tanstack/react-query@​5.95.1

5.95.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.95.0
  • @​tanstack/react-query@​5.95.0

... (truncated)

Commits

• 5ca721f ci: Version Packages (#10379)
• 75052a7 ci: Version Packages (#10370)
• 4a3275c fix(build): exclude config files from production DTS rollup (#10358)
• 73e783b ci: Version Packages (#10364)
• 1047cdc ci: Version Packages (#10326)
• 5806444 ci: Version Packages (#10324)
• 4d7de83 ci: Version Packages (#10317)
• 8fe71e4 ci: Version Packages (#10313)
• c613c22 ci: Version Packages (#10309)
• 67cf8b6 ref: ts cutoff (#10253)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​tanstack/react-query-devtools since your current version.

Updates @tanstack/react-router from 1.141.0 to 1.168.10

Release notes

Sourced from @​tanstack/react-router's releases.

v1.166.7

Version 1.166.7 - 3/10/26, 7:24 PM

Changes

Fix

• router-core: null prototype input/output objects (#6882) (dadf7e9) by @​Sheraff

Chore

• eslint: remove package-level unused-vars overrides (#6782) (d306d58) by @​Sheraff

Packages

• @​tanstack/router-core@​1.166.7
• @​tanstack/solid-router@​1.166.7
• @​tanstack/react-router@​1.166.7
• @​tanstack/vue-router@​1.166.7
• @​tanstack/solid-router-ssr-query@​1.166.7
• @​tanstack/react-router-ssr-query@​1.166.7
• @​tanstack/vue-router-ssr-query@​1.166.7
• @​tanstack/router-ssr-query-core@​1.166.7
• @​tanstack/zod-adapter@​1.166.7
• @​tanstack/valibot-adapter@​1.166.7
• @​tanstack/arktype-adapter@​1.166.7
• @​tanstack/router-devtools@​1.166.7
• @​tanstack/solid-router-devtools@​1.166.7
• @​tanstack/react-router-devtools@​1.166.7
• @​tanstack/vue-router-devtools@​1.166.7
• @​tanstack/router-devtools-core@​1.166.7
• @​tanstack/router-generator@​1.166.7
• @​tanstack/router-cli@​1.166.7
• @​tanstack/router-plugin@​1.166.7
• @​tanstack/router-vite-plugin@​1.166.7
• @​tanstack/solid-start@​1.166.7
• @​tanstack/solid-start-client@​1.166.7
• @​tanstack/solid-start-server@​1.166.7
• @​tanstack/vue-start@​1.166.7
• @​tanstack/vue-start-client@​1.166.7
• @​tanstack/vue-start-server@​1.166.7
• @​tanstack/start-client-core@​1.166.7
• @​tanstack/start-server-core@​1.166.7
• @​tanstack/start-storage-context@​1.166.7
• @​tanstack/react-start@​1.166.7
• @​tanstack/react-start-client@​1.166.7
• @​tanstack/react-start-server@​1.166.7
• @​tanstack/start-plugin-core@​1.166.7
• @​tanstack/start-static-server-functions@​1.166.7

... (truncated)

Changelog

Sourced from @​tanstack/react-router's changelog.

1.168.10

Patch Changes

• Preserve component-thrown notFound() errors through framework error boundaries so route notFoundComponent handlers render without requiring an explicit routeId. (#7077)

• Updated dependencies [796406d]:

  • @​tanstack/router-core@​1.168.9

1.168.9

Patch Changes

• Updated dependencies [2d1ec86]:
  • @​tanstack/router-core@​1.168.8

1.168.8

Patch Changes

• Updated dependencies [6ee0e79]:
  • @​tanstack/router-core@​1.168.7

1.168.7

Patch Changes

• Updated dependencies [42c3f3b]:
  • @​tanstack/router-core@​1.168.6

1.168.6

Patch Changes

• Remove the extra SSR sentinel tag used for onRendered in React Router while (#7054) preserving the client-side render timing needed for scroll restoration and onRendered subscribers.

1.168.5

Patch Changes

• fix: scroll restoration without throttling (#7042)

• Updated dependencies [cf5f554]:

  • @​tanstack/router-core@​1.168.5

1.168.4

Patch Changes

... (truncated)

Commits

• 5a81726 ci: changeset release
• 796406d fix: preserve render-thrown notFound errors (#7077)
• d117417 ci: changeset release
• 7b9faae test: cover lazy errorComponent behavior across frameworks (#7068)
• 9368c5f ci: changeset release
• 21bd992 ci: changeset release
• 5c5a435 ci: changeset release
• 5ca661c fix: dont use script tag for OnRendered (#7054)
• a1ab264 fix: unexported ShouldBlockFnLocation interface causes TS4023 (#7037)
• e1b019c ci: changeset release
• Additional commits viewable in compare view

Updates @tanstack/react-router-devtools from 1.141.0 to 1.166.11

Release notes

Sourced from @​tanstack/react-router-devtools's releases.

v1.166.7

Version 1.166.7 - 3/10/26, 7:24 PM

Changes

Fix

• router-core: null prototype input/output objects (#6882) (dadf7e9) by @​Sheraff

Chore

• eslint: remove package-level unused-vars overrides (#6782) (d306d58) by @​Sheraff

Packages

• @​tanstack/router-core@​1.166.7
• @​tanstack/solid-router@​1.166.7
• @​tanstack/react-router@​1.166.7
• @​tanstack/vue-router@​1.166.7
• @​tanstack/solid-router-ssr-query@​1.166.7
• @​tanstack/react-router-ssr-query@​1.166.7
• @​tanstack/vue-router-ssr-query@​1.166.7
• @​tanstack/router-ssr-query-core@​1.166.7
• @​tanstack/zod-adapter@​1.166.7
• @​tanstack/valibot-adapter@​1.166.7
• @​tanstack/arktype-adapter@​1.166.7
• @​tanstack/router-devtools@​1.166.7
• @​tanstack/solid-router-devtools@​1.166.7
• @​tanstack/react-router-devtools@​1.166.7
• @​tanstack/vue-router-devtools@​1.166.7
• @​tanstack/router-devtools-core@​1.166.7
• @​tanstack/router-generator@​1.166.7
• @​tanstack/router-cli@​1.166.7
• @​tanstack/router-plugin@​1.166.7
• @​tanstack/router-vite-plugin@​1.166.7
• @​tanstack/solid-start@​1.166.7
• @​tanstack/solid-start-client@​1.166.7
• @​tanstack/solid-start-server@​1.166.7
• @​tanstack/vue-start@​1.166.7
• @​tanstack/vue-start-client@​1.166.7
• @​tanstack/vue-start-server@​1.166.7
• @​tanstack/start-client-core@​1.166.7
• @​tanstack/start-server-core@​1.166.7
• @​tanstack/start-storage-context@​1.166.7
• @​tanstack/react-start@​1.166.7
• @​tanstack/react-start-client@​1.166.7
• @​tanstack/react-start-server@​1.166.7
• @​tanstack/start-plugin-core@​1.166.7
• @​tanstack/start-static-server-functions@​1.166.7

... (truncated)

Changelog

Sourced from @​tanstack/react-router-devtools's changelog.

1.166.11

Patch Changes

• Updated dependencies [c9e1855]:
  • @​tanstack/router-devtools-core@​1.167.1
  • @​tanstack/react-router@​1.168.2
  • @​tanstack/router-core@​1.168.2

1.166.10

Patch Changes

• Updated dependencies [0545239]:
  • @​tanstack/router-devtools-core@​1.167.0
  • @​tanstack/react-router@​1.168.0
  • @​tanstack/router-core@​1.168.0

1.166.9

Patch Changes

• build: update to vite-config 5.x (rolldown) (#6926)

• Updated dependencies [838b0eb]:

  • @​tanstack/router-devtools-core@​1.166.9
  • @​tanstack/react-router@​1.167.2
  • @​tanstack/router-core@​1.167.2

1.166.8

Patch Changes

• fix: build with @​tanstack/vite-config 0.4.3 (#6923)

• Updated dependencies [ef9b241]:

  • @​tanstack/router-devtools-core@​1.166.8
  • @​tanstack/react-router@​1.167.1
  • @​tanstack/router-core@​1.167.1

Commits

• 67d9e69 ci: changeset release
• 423be8a ci: changeset release
• a0a6aa8 ci: changeset release
• 91d1085 ci: changeset release
• ef9b241 build: update to @​tanstack/vite-config v0.4.3 (#6923)
• 7706e3f release: v1.166.7
• 964cae0 release: v1.166.6
• 6438c03 release: v1.166.4
• 88fcbec release: v1.166.3
• 861f319 release: v1.166.2
• Additional commits viewable in compare view

Updates axios from 1.13.5 to 1.14.0

Release notes

Sourced from axios's releases.

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

• Runtime Features: No new end-user features were introduced in this release.
• Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

• Headers: Trim trailing CRLF in normalised header values. (#7456)
• HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
• Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
• Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)
• CommonJS Compatibility: Fixed package main entry regression affecting CJS consumers. (#7532)

🔧 Maintenance & Chores

• Security/Dependencies: Updated formidable and refreshed package set to newer versions. (#7533, #10556)
• Tooling: Continued migration to Vitest and modernised CI/test harnesses. (#7484, #7489, #7498)
• Build/Lint Stack: Rollup, ESLint, TypeScript, and related dev-dependency updates. (#7508, #7509, #7522)
• Documentation: Clarified JSON parsing and adapter-related docs/comments. (#7398, #7460, #7478)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @​aviu16 (#7456)
• @​NETIZEN-11 (#7460)
• @​fedotov (#7457)
• @​nthbotast (#7478)
• @​veeceey (#7398)
• @​penkzhou (#7515)

Full Changelog: v1.13.6...v1.14.0

v1.13.6

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @​moh3n9595 for the initial implementation. (#5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#7385)

🐛 Bug Fixes

• Environment Compatibility:
  • Fixed module exports for React Native and Browserify environments. (#7386)

... (truncated)

Commits

• 46bee3d chore(release): prepare release 1.14.0 (#10563)
• 518aff5 chore: add AI Moderator workflow for spam detection (#10551)
• b7dfda3 chore(sponsor): update sponsor block (#10557)
• 9aa34d5 fix: updated release flow to match the current flows (#10562)
• e9e5ebe Update packages to latest version (#10556)
• 4d8931c fix: formidable dependency vulnerable to arbitrary (#7533)
• 3a6f5c1 chore(deps-dev): bump @​babel/preset-env (#7531)
• bcfd299 fix: bug axios breaks commonjs compatibility main entry (#7532)
• d6dcbfd fix: dependabot uses the correct labels (#7530)
• 5dd7ba7 chore: upgrade to latest ts (#7522)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates dompurify from 3.2.6 to 3.3.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

• Added new attributes and elements to default allow-list, thanks @​elrion018
• Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
• Added better check for animated href attributes, thanks @​llamakko
• Updated and improved the bundled types, thanks @​ssi02014
• Updated several tests to better align with new browser encoding behaviors
• Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
• Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

Commits

• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
• Additional commits viewable in compare view

Updates jotai from 2.13.1 to 2.19.0

Release notes

Sourced from jotai's releases.

v2.19.0

We improved the core to enable atom caching for performance for some cases.

What's Changed

• fix(react): deprecate delay option by @​dai-shi in pmndrs/jotai#3264
• feat: improve store.get performance when atoms are not mutated by @​dmaskasky in pmndrs/jotai#3265 thanks to @​edkimmel

New Contributors

• @​composite made their first contribution in pmndrs/jotai#3268

Full Changelog: pmndrs/jotai@v2.18.1...v2.19.0

v2.18.1

This release fixes a regression introduced in v2.12.1, which affects an uncommon edge case.

What's Changed

• fix(vanilla): subscriber not notified when derived read calls store.set by @​dmaskasky in pmndrs/jotai#3245
• fix(vanilla/utils/atomWithObservable): add 'Symbol.observable' type support to 'ObservableLike' by @​sukvvon in pmndrs/jotai#3253
• refactor(vanilla/utils/atomWithStorage): use optional chaining for 'storage.subscribe' by @​sukvvon in pmndrs/jotai#3260

Full Changelog: pmndrs/jotai@v2.18.0...v2.18.1

v2.18.0

We moved jotai/babel to jotai-babel.

Migration Guide

If you use the preset:

  {
-   "presets": ["jotai/babel/preset"]
+   "presets": ["jotai-babel/preset"]
  }

If you use a plugin:

  {
-   "plugins": ["jotai/babel/plugin-debug-label"]
+   "plugins": ["jotai-babel/plugin-debug-label"]
  }

What's Changed

• refactor(internals): simplify promise handing by @​dai-shi in pmndrs/jotai#3232
• feat: deprecate jotai/babel in favor of jotai-babel by @​dai-shi in pmndrs/jotai#3236
• fix: keep reactivity if get is called in a different atom by @​dai-shi in pmndrs/jotai#3241

... (truncated)

Commits

• c21f519 2.19.0
• b534406 chore(deps): update dev dependencies (#3273)
• ef85ceb feat: improve store.get performance when atoms are not mutated (#3265)
• c6180c5 fix(react): deprecate delay option (#3264)
• 258b1df docs(examples): improve todo example wording (#3272)
• c3db721 docs: use real fetch URLs in async examples (#3270)
• 3ee4fcb docs: improve devtools for Vite 8 instructions (#3268)
• 1a32e5a test(react/vanilla-utils/atomWithObservable): add test for write error on non...
• 72bb449 2.18.1
• f9fac47 chore: update dev dependencies (#3263)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for jotai since your current version.

Updates js-confetti from 0.12.0 to 0.13.1

Commits

• See full diff in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates @types/lodash from 4.17.20 to 4.17.24

Commits

• See full diff in compare view

Updates monaco-themes from 0.4.6 to 0.4.8

Commits

• See full diff in compare view

Updates posthog-js from 1.298.1 to 1.364.7

Release notes

Sourced from posthog-js's releases.

posthog-js@1.364.7

1.364.7

Patch Changes

• #3319 b25b689 Thanks @​dustinbyrne! - fix: send $groupidentify for new groups even when no properties are provided (2026-04-03)
• Updated dependencies []:
  • @​posthog/types@​1.364.7

posthog-js@1.364.6

1.364.6

Patch Changes

• #3316 68cd4e5 Thanks @​dustinbyrne! - Fix slim bundle + extension bundles crash caused by inconsistent property mangling (2026-04-02)
• Updated dependencies [a01a3d5]:
  • @​posthog/core@​1.24.6
  • @​posthog/types@​1.364.6

posthog-js@1.364.5

1.364.5

Patch Changes

• #3309 197eeda Thanks @​marandaneto! - Extract CLI and sourcemap utilities from @​posthog/core into @​posthog/plugin-utils to remove cross-spawn from React Native dependencies (2026-04-01)

• #3312 c5feb5c Thanks @​TueHaulund! - Bump @​posthog/rrweb-* to 0.0.52 — adds error recovery to the canvas FPS snapshot pipeline, preventing canvas recording from permanently stopping when createImageBitmap or the worker encounters an error (2026-04-01)

• #3315 7b944fc Thanks @​TueHaulund! - Bump @​posthog/rrweb-* to 0.0.53 — fixes infinite recursion crash ("Maximum call stack size exceeded") when calling posthog.reset() or restarting the recorder on pages with shadow DOM elements (e.g. CometChat) (2026-04-01)

• Updated dependencies [197eeda]:

  • @​posthog/core@​1.24.5
  • @​posthog/types@​1.364.5

posthog-js@1.364.4

1.364.4

Patch Changes

• #3298 2365df5 Thanks @​TueHaulund! - fix: skip deep copy for snapshot/exception events to prevent stack overflow on deeply nested DOM trees (2026-03-31)
• Updated dependencies []:
  • @​posthog/types@​1.364.4

posthog-js@1.364.3

1.364.3

... (truncated)

Commits

• 09b5562 chore: update versions and lockfile [version bump]
• b25b689 fix(browser): send $groupidentify for new groups even without properties (#3319)
• efc9d6f ci: upload posthog-js dist to S3 on release (#3307)
• ca91e01 fix(convex): remove "use node" directive from Convex examples (#3321)
• 8571c13 chore: update versions and lockfile [version bump]
• bd4b0ac feat(next): read PostHog tracing headers in getPostHog and getServerSidePostH...
• a01a3d5 fix: send $groupidentify for new groups even without properties (core SDK) (#...
• 274632c test(browser): add sendBeacon Content-Type test coverage (#3317)
• 68cd4e5 fix(browser): fix slim bundle + extension bundles crash from inconsistent pro...
• 356fb33 chore: update versions and lockfile [version bump]
• Additional commits viewable in compare view

Updates react-hook-form from 7.62.0 to 7.72.1

Release notes

Sourced from react-hook-form's releases.

Version 7.72.1

🐞 fix: add isDirty check for numeric string keys in defaultValues (issue #13346) (#13347) 🐞 fix: prevent setValue with shouldDirty from polluting unrelated dirty fields (#13326) 🐞 fix: memoize control in HookFormControlContext to prevent render conflicts (#13272) (#13312) 🐞 fix: isNameInFieldArray should check all ancestor paths for nested field arrays (#13318) 🐞 fix: #13320 formState.isValid incorrect on Controller re-mount (#13324)

thanks to @​6810779s, @​candymask0712, @​olagokemills, @​shahmir-oscilar & Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hatchet-docs	Ready	Preview, Comment	Apr 7, 2026 2:15pm

[gregfurman]

Reject updating react-router to 1.168.10 as this breaks cypress e2e tests