chore(deps): bump the minor-and-patch group across 1 directory with 11 updates

[dependabot]

Bumps the minor-and-patch group with 10 updates in the / directory:

Package	From	To
@next/mdx	16.2.6	16.2.7
@sentry/nextjs	10.53.1	10.55.0
better-auth	1.6.11	1.6.13
next	16.2.6	16.2.7
react	19.2.6	19.2.7
react-dom	19.2.6	19.2.7
@next/eslint-plugin-next	16.2.6	16.2.7
@types/node	25.8.0	25.9.1
@vitest/coverage-v8	4.1.6	4.1.8
eslint-plugin-prettier	5.5.5	5.5.6

Updates @next/mdx from 16.2.6 to 16.2.7

Release notes

Sourced from @​next/mdx's releases.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

• 9bd3c26 v16.2.7
• See full diff in compare view

Updates @sentry/nextjs from 10.53.1 to 10.55.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.55.0

Important Changes

• feat(hono): Promote @sentry/hono to stable and deprecate honoIntegration (#21208)

  The @sentry/hono SDK is now stable. See the Sentry Hono SDK docs to get started.

• docs(tanstackstart-react): Promote SDK status to beta (#21175)

  This release promotes the @sentry/tanstackstart-react SDK to beta. For details on how to use it, check out the Sentry TanStack Start SDK docs. Please reach out on GitHub if you have any feedback or concerns.

• feat(hono): Add shouldHandleError option to sentry() middleware (#21205)

  The sentry() middleware now accepts a shouldHandleError callback to control which errors are captured and sent to Sentry. By default, 3xx/4xx HTTP errors are ignored and 5xx errors and plain Error objects are captured. Return true from the callback to capture an error, false to suppress it.

  app.use(
    sentry(app, {
      dsn: '__DSN__',
      shouldHandleError(error) {
        const status = (error as { status?: number })?.status;
        // Capture 401/403 in addition to the default 5xx errors
        return status === 401 || status === 403 || typeof status !== 'number' || status >= 500;
      },
    }),
  );

• test(tanstackstart-react): Move initialization to client entry point (#21161)

  Change the recommended setup for the SDK to do Sentry.init() in the client entry file to capture telemetry that is emitted ahead of page hydration.

• feat(tanstackstart-react): Add distributed tracing (#21144)

  Server and client traces are now automatically connected, allowing you to see the full request lifecycle from server-side rendering through client-side hydration in a single trace.

• feat(tanstackstart-react): Add server-side route parametrization (#21147)

  Server transaction names are now parametrized automatically (e.g., GET /users/123 becomes GET /users/$userId), improving transaction grouping in Sentry.

• feat(tanstackstart-react): Show readable server function names in traces (#21190)

  Server function spans now show human-readable names (e.g., GET /_serverFn/greet instead of GET /_serverFn/a10e70b3...). The tanstackstart.function.hash.sha256 span attribute has been renamed to tanstackstart.function.id.

Other Changes

• feat(core): Migrate request data to dataCollection (#21071)
• feat(hono): Add warning in Bun for double init (#21195)

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.55.0

Important Changes

• feat(hono): Promote @sentry/hono to stable and deprecate honoIntegration (#21208)

  The @sentry/hono SDK is now stable. See the Sentry Hono SDK docs to get started.

• docs(tanstackstart-react): Promote SDK status to beta (#21175)

  This release promotes the @sentry/tanstackstart-react SDK to beta. For details on how to use it, check out the Sentry TanStack Start SDK docs. Please reach out on GitHub if you have any feedback or concerns.

• feat(hono): Add shouldHandleError option to sentry() middleware (#21205)

  The sentry() middleware now accepts a shouldHandleError callback to control which errors are captured and sent to Sentry. By default, 3xx/4xx HTTP errors are ignored and 5xx errors and plain Error objects are captured. Return true from the callback to capture an error, false to suppress it.

  app.use(
    sentry(app, {
      dsn: '__DSN__',
      shouldHandleError(error) {
        const status = (error as { status?: number })?.status;
        // Capture 401/403 in addition to the default 5xx errors
        return status === 401 || status === 403 || typeof status !== 'number' || status >= 500;
      },
    }),
  );

• test(tanstackstart-react): Move initialization to client entry point (#21161)

  Change the recommended setup for the SDK to do Sentry.init() in the client entry file to capture telemetry that is emitted ahead of page hydration.

• feat(tanstackstart-react): Add distributed tracing (#21144)

  Server and client traces are now automatically connected, allowing you to see the full request lifecycle from server-side rendering through client-side hydration in a single trace.

• feat(tanstackstart-react): Add server-side route parametrization (#21147)

  Server transaction names are now parametrized automatically (e.g., GET /users/123 becomes GET /users/$userId), improving transaction grouping in Sentry.

• feat(tanstackstart-react): Show readable server function names in traces (#21190)

  Server function spans now show human-readable names (e.g., GET /_serverFn/greet instead of GET /_serverFn/a10e70b3...). The tanstackstart.function.hash.sha256 span attribute has been renamed to tanstackstart.function.id.

Other Changes

• feat(core): Migrate request data to dataCollection (#21071)

... (truncated)

Commits

• acd7b57 release: 10.55.0
• d5323d2 Merge pull request #21216 from getsentry/prepare-release/10.55.0
• 2fb1929 meta(changelog): Update changelog for 10.55.0
• 556bcb3 feat(hono): Add shouldHandleError as middleware option (#21205)
• 7a67ea4 feat(hono): Promote @sentry/hono to stable and deprecate honoIntegration ...
• cead7f9 fix(e2e): Fix astro-6 e2e test build by relaxing astro version range (#21211)
• 75fd1d5 chore(changelog): clarify array attributes impact on beforeSend* callbacks ...
• 8a2a490 fix(cloudflare): Use original waitUntil to not create a deadlock (#21197)
• f7b506d feat(metrics): Migrate metrics to use dataCollection instead of `sendDefaul...
• f55fc30 feat(core): Migrate request data to dataCollection (#21071)
• Additional commits viewable in compare view

Updates better-auth from 1.6.11 to 1.6.13

Release notes

Sourced from better-auth's releases.

v1.6.13

better-auth

Features

• Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

• Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
• Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
• Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
• Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
• Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
• Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML Single Logout leaving the user signed in due to session deletion matching on row ID instead of session token
• Fixed ambiguous internalAdapter helper methods that could silently match the wrong account or wipe all sessions for a user (#9818)
• Fixed a high-severity XML injection vulnerability in signed SAML assertions by updating samlify to 2.13.1 (GHSA-34r5-q4jw-r36m) (#9821)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed verifyApiKey rejecting keys created under a non-default configId when the request omitted configId (#9794)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Fixed a silent failure in consumeOne when an adapter's deleteMany returned a non-numeric value, now surfacing a clear error (#9831)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

• Fixed sign-in being lost on Expo when a provider issues large tokens, by splitting oversized account cookies across multiple storage keys (#9815)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.13

Patch Changes

• #9813 d3919dc Thanks @​gustavovalverde! - Support server-side accountInfo calls without session headers.

  auth.api.accountInfo now accepts an optional userId, so a trusted server-side caller can read a user's provider profile without constructing session headers. This mirrors getAccessToken and refreshToken. HTTP callers still require a valid session, and a session always takes precedence over a supplied userId.

  The shared "resolve the target user, then fetch a valid access token" logic behind these three endpoints now lives in one place. As part of that, a server-side call that supplies neither a session nor a userId reports USER_ID_OR_SESSION_REQUIRED (400) consistently, rather than UNAUTHORIZED on some endpoints.

• #9591 5f282bd Thanks @​Vishesh-Verma-07! - When only secondaryStorage is configured (no primary database), storeStateStrategy now defaults to "database" instead of "cookie", preventing oversized-cookie errors on platforms like AWS Lambda. The account cookie that holds OAuth tokens in database-less setups stays enabled, so getAccessToken keeps working.

• #9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

  Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

  Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

• #9818 43c08a2 Thanks @​gustavovalverde! - Fix Google One Tap signing in the wrong user when the presented Google account is already linked to someone else. One Tap now resolves identity through the shared OAuth path, so the user who owns the Google subject is signed in, matching the redirect and signIn.social flows. Previously it matched a local user by the token's email and used the subject only to decide linking, so a Google credential owned by one user could authenticate a different user who happened to share that email.

  /account-info now resolves the account from the signed-in user's own linked accounts and accepts an optional providerId to disambiguate when two providers issue the same account ID. A colliding account ID returns a distinct AMBIGUOUS_ACCOUNT error instead of a misleading "not found", and an account with no configured social provider returns a 400 rather than a 500.

• #9838 be32012 Thanks @​gustavovalverde! - Validate the scheme of OAuth redirect_uris in the oidc-provider and mcp plugins.

  Both plugins previously accepted any string as a redirect_uri at registration. They now reject the javascript:, data:, and vbscript: schemes, which are never valid OAuth redirect targets. The @better-auth/oauth-provider package already applied this check, so this change brings the two older plugins in line with it.

  The redirect-URI scheme policy now lives in @better-auth/core as a single SafeUrlSchema and an isSafeUrlScheme helper, and the OAuth provider plugins share that one implementation. The client navigation helpers (redirectPlugin, one-tap, and two-factor) also skip navigation when the target uses one of these schemes.

  The change is non-breaking. The http, https, loopback, and custom application schemes still register unchanged. Both oidc-provider and mcp are on the migration path to @better-auth/oauth-provider, which remains the route to its stricter HTTPS-or-loopback policy.

• #9842 87c1a0c Thanks @​bytaesu! - You can now clear an organization's logo by passing logo: null to createOrganization and updateOrganization. Previously only a string was accepted, so an existing logo could not be removed.

• #9822 9c8ded6 Thanks @​gustavovalverde! - Document viewBackupCodes as a server-only function so its API comment no longer reads like an HTTP route.

  The JSDoc above auth.api.viewBackupCodes advertised POST /two-factor/view-backup-codes, but the endpoint is server-only: it is not registered on the HTTP router and has no client method. The comment now states that it is callable only from trusted server code and that the userId should come from an authenticated session.

• #8758 23d7cbf Thanks @​bytaesu! - Apply accountLinking.updateUserInfoOnLink across every OAuth link flow.

  Enabling updateUserInfoOnLink only synced the user's profile when linking through a direct ID token. Linking through the standard OAuth redirect (linkSocial, the generic OAuth oauth2.link endpoint, and implicit linking on social sign-in) ignored the option, so the name and image never changed. Every link path now honors it.

  The synced fields match the sign-up path: name, image, and any fields your mapProfileToUser adds. The local email and emailVerified are never changed on a link, so linking a provider cannot rebind the account's identity.

  Implicit linking on social sign-in also returned the pre-update user, so the freshly issued session served stale profile data from its cookie cache until the cache expired. The new session now carries the updated profile.

• Updated dependencies [43c08a2, 5c3e248]:

  • @​better-auth/core@​1.6.13
  • @​better-auth/drizzle-adapter@​1.6.13
  • @​better-auth/kysely-adapter@​1.6.13
  • @​better-auth/memory-adapter@​1.6.13
  • @​better-auth/mongo-adapter@​1.6.13

... (truncated)

Commits

• a6f38c7 chore: release v1.6.13 (#9804)
• 87c1a0c fix(organization): allow null logo on create and update (#9842)
• be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
• 9c8ded6 docs(two-factor): mark viewBackupCodes as server-only in its API comment (#...
• 43c08a2 fix(account): scope OAuth account identity and fix buggy internalAdapter help...
• 23d7cbf fix(oauth): apply updateUserInfoOnLink in OAuth callback link flow (#8758)
• d3919dc feat(account): support server-side accountInfo calls without session header...
• 5f282bd fix(account): default storeStateStrategy to "database" when using `secondar...
• c0c574e chore: release v1.6.12 (#9590)
• c5b9f93 fix(generic-oauth): add accessTokenExpiresIn for providers that omit `expir...
• Additional commits viewable in compare view

Updates next from 16.2.6 to 16.2.7

Release notes

Sourced from next's releases.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

• 9bd3c26 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• f126e72 [backport] Fix "type: module" in project dir when using standalone or adapter...
• bda3e2a [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• 7e16e07 [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• 6139f4b [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• c021d10 [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• 9184ddb [backport] Fix catch-all router.query corruption with basePath + `rewrite...
• Additional commits viewable in compare view

Updates react from 19.2.6 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.

Updates react-dom from 19.2.6 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.

Updates @next/eslint-plugin-next from 16.2.6 to 16.2.7

Release notes

Sourced from @​next/eslint-plugin-next's releases.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

• 9bd3c26 v16.2.7
• See full diff in compare view

Updates @types/node from 25.8.0 to 25.9.1

Commits

• See full diff in compare view

Updates @vitest/coverage-v8 from 4.1.6 to 4.1.8

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• See full diff in compare view

Updates eslint-plugin-prettier from 5.5.5 to 5.5.6

Release notes

Sourced from eslint-plugin-prettier's releases.

v5.5.6

Patch Changes

• #791 b5c96a3 Thanks @​JounQin! - chore: bump all (dev)Dependencies

Changelog

Sourced from eslint-plugin-prettier's changelog.

5.5.6

Patch Changes

• #791 b5c96a3 Thanks @​JounQin! - chore: bump all (dev)Dependencies

Commits

• 4f33ea5 chore: release eslint-plugin-prettier (#792)
• 4745b54 ci: declare workflow-level contents: read on 2 workflows (#790)
• b5c96a3 chore: bump all (dev)Dependencies (#791)
• e867680 chore(deps): update all dependencies (#766)
• e8e2f7f chore: testing eslint v10 (#779)
• ca076d9 chore: update dev dependencies (#780)
• 42e6369 build(deps): Bump the actions group with 2 updates (#778)
• 53ff214 Remove empty NPM_TOKEN from release.yml
• See full diff in compare view

Updates vitest from 4.1.6 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions