chore(deps): bump the npm-minor-patch group across 1 directory with 13 updates

[dependabot]

Bumps the npm-minor-patch group with 13 updates in the / directory:

Package	From	To
@opennextjs/cloudflare	1.19.2	1.19.9
@tailwindcss/postcss	4.2.2	4.3.0
next	15.5.15	15.5.18
posthog-js	1.369.3	1.373.4
react	19.2.0	19.2.6
@types/react	19.2.2	19.2.14
react-dom	19.2.0	19.2.6
@types/react-dom	19.2.2	19.2.3
tailwindcss	4.2.2	4.3.0
zod	4.3.6	4.4.3
prettier-plugin-tailwindcss	0.7.2	0.8.0
sharp	0.34.4	0.34.5
wrangler	4.84.0	4.90.1

Updates @opennextjs/cloudflare from 1.19.2 to 1.19.9

Release notes

Sourced from @​opennextjs/cloudflare's releases.

@​opennextjs/cloudflare@​1.19.9

Patch Changes

• #1259 3b35c6e Thanks @​vicb! - chore: bump Next.js to 15.5.18 / 16.2.6 and @​opennextjs/aws to 4.0.2

@​opennextjs/cloudflare@​1.19.8

Patch Changes

• #1256 9696cd0 Thanks @​vicb! - bump @opennextjs/aws to 4.0.1

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v4.0.1

@​opennextjs/cloudflare@​1.19.7

Patch Changes

• #1252 29fe15d Thanks @​vicb! - bump the number of retries for r2 cache uploads

  Increase the retry count from 5 to 15 with a capped exponential backoff to improve resilience against transient R2 write failures during cache population.

• #1255 364b7d9 Thanks @​vicb! - Bump react and next

@​opennextjs/cloudflare@​1.19.6

Patch Changes

• #1246 5d2014f Thanks @​vicb! - fix: do not log expected expected D1 errors

  The populateCache command adds columns to the D1 tag cache for SWR support. This is required for older deployments made before those column were added. SQLite errors when the columns exist and we should not log those errors.

• #1244 01babce Thanks @​tahmid-23! - fix: drop streaming wasm calls in Turbopack runtime

  Turbopack replaces wasm imports using WebAssembly.compileStreaming and WebAssembly.instantiateStreaming. These functions are not available in the workerd runtime.

  We add a helper loadWasmChunkFn. This is a generated switch statement that contains an import for each wasm chunk. We use static strings for all imports to ensure that all necessary wasm chunks will be detected and bundled for the final build.

  The Turbopack patcher replaces the invocations in loadWebAssembly and loadWebAssemblyModule, using the synchronous WebAssembly.instantiate and redirecting to loadWasmChunkFn.

• #1243 1c815de Thanks @​tahmid-23! - fix: detect object-valued conditions

  The pre-existing build condition transform logic had subtle errors:

  • failed to recognize object conditions

... (truncated)

Changelog

Sourced from @​opennextjs/cloudflare's changelog.

1.19.9

Patch Changes

• #1259 3b35c6e Thanks @​vicb! - chore: bump Next.js to 15.5.18 / 16.2.6 and @​opennextjs/aws to 4.0.2

1.19.8

Patch Changes

• #1256 9696cd0 Thanks @​vicb! - bump @opennextjs/aws to 4.0.1

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v4.0.1

1.19.7

Patch Changes

• #1252 29fe15d Thanks @​vicb! - bump the number of retries for r2 cache uploads

  Increase the retry count from 5 to 15 with a capped exponential backoff to improve resilience against transient R2 write failures during cache population.

• #1255 364b7d9 Thanks @​vicb! - Bump react and next

1.19.6

Patch Changes

• #1246 5d2014f Thanks @​vicb! - fix: do not log expected expected D1 errors

  The populateCache command adds columns to the D1 tag cache for SWR support. This is required for older deployments made before those column were added. SQLite errors when the columns exist and we should not log those errors.

• #1244 01babce Thanks @​tahmid-23! - fix: drop streaming wasm calls in Turbopack runtime

  Turbopack replaces wasm imports using WebAssembly.compileStreaming and WebAssembly.instantiateStreaming. These functions are not available in the workerd runtime.

  We add a helper loadWasmChunkFn. This is a generated switch statement that contains an import for each wasm chunk. We use static strings for all imports to ensure that all necessary wasm chunks will be detected and bundled for the final build.

  The Turbopack patcher replaces the invocations in loadWebAssembly and loadWebAssemblyModule, using the synchronous WebAssembly.instantiate and redirecting to loadWasmChunkFn.

• #1243 1c815de Thanks @​tahmid-23! - fix: detect object-valued conditions

... (truncated)

Commits

• f07200e Version Packages (#1260)
• 3b35c6e Bump Next.js (#1259)
• 8786774 Version Packages (#1257)
• 9696cd0 bump @opennextjs/aws to 4.0.1 (#1256)
• 08b3d3c Version Packages (#1253)
• 364b7d9 Bump react and next (#1255)
• 29fe15d bump the number of retries for r2 cache uploads (#1252)
• 975833d Version Packages (#1245)
• 5d2014f fix: do not log expected expected D1 errors (#1246)
• 01babce fix: drop streaming wasm calls in Turbopack runtime (#1244)
• Additional commits viewable in compare view

Updates @tailwindcss/postcss from 4.2.2 to 4.3.0

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.3.0

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)

... (truncated)

Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.3.0] - 2026-05-08

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

[4.2.4] - 2026-04-21

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

[4.2.3] - 2026-04-20

Fixed

• Canonicalization: improve canonicalization for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)

... (truncated)

Commits

• 588bd73 4.3.0 (#20023)
• 12eb5ae Cleanup noisy test output (#20015)
• 4255671 Improve snapshot tests (#20013)
• 52f94c7 Improve codebase quality (#19999)
• d194d4c docs: fix various typos in comments and documentation (#19878)
• bfb5732 Fall back to the plugin base when PostCSS has no from option (#19980)
• 3a890c3 Bump dependencies (#19957)
• 69ad7cc 4.2.4 (#19948)
• 685c19e Fix issue around resolving paths in @tailwindcss/vite (#19947)
• 2e3fa49 4.2.3 (#19944)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/postcss since your current version.

Updates next from 15.5.15 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

• 9ff92ce v15.5.18
• 00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
• 62c97ab v15.5.17
• 423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
• fa78739 Turbopack: Fix middleware matcher suffix (#93590)
• 36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
• 36589b5 [backport][test] Pin package manager to patch versions (#93596)
• ad6fd4e v15.5.16
• 79d7dff Ignore malformed CSP nonce headers (#103)
• c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates posthog-js from 1.369.3 to 1.373.4

Release notes

Sourced from posthog-js's releases.

posthog-js@1.373.4

1.373.4

Patch Changes

• #3602 4b895bf Thanks @​marandaneto! - Validate gzip request bodies at the browser send boundary and fall back to JSON if the outgoing body is not gzip data. (2026-05-12)
• Updated dependencies [4b895bf]:
  • @​posthog/core@​1.29.1
  • @​posthog/types@​1.373.4

posthog-js@1.373.3

1.373.3

Patch Changes

• Updated dependencies [ad60818]:
  • @​posthog/core@​1.29.0
  • @​posthog/types@​1.373.3

posthog-js@1.373.2

1.373.2

Patch Changes

• #3568 223d925 Thanks @​marandaneto! - Validate native gzip output before sending requests and fall back when CompressionStream returns malformed data. (2026-05-11)
• Updated dependencies [223d925]:
  • @​posthog/core@​1.28.7
  • @​posthog/types@​1.373.2

posthog-js@1.373.1

1.373.1

Patch Changes

• #3566 7d027bc Thanks @​dustinbyrne! - Prevent browser log capture from throwing when console arguments contain unreadable properties. (2026-05-11)
• Updated dependencies []:
  • @​posthog/types@​1.373.1
  • @​posthog/core@​1.28.6

posthog-js@1.373.0

1.373.0

Minor Changes

• #3547 4c0c7d9 Thanks @​williamchong! - capture() now accepts an optional uuid on CaptureOptions. (2026-05-11)

... (truncated)

Commits

• 50480eb chore: update versions and lockfile [version bump]
• 4b895bf fix: validate gzip body before browser send (#3602)
• db56be8 ci: add notice for edits to auto-generated files (#3603)
• 417765c chore: update versions and lockfile [version bump]
• 4a4cf7e Revert reference files changes (#3601)
• ad60818 feat(node): expose UUID v7 and cookie helpers (#3599)
• 04e168f chore: update versions and lockfile [version bump]
• 223d925 fix: validate native gzip output (#3568)
• 5efb512 chore: update versions and lockfile [version bump]
• 7d027bc fix: handle unreadable console log properties (#3566)
• Additional commits viewable in compare view

Updates react from 19.2.0 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

19.2.3 (December 11th, 2025)

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon facebook/react#35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #35289, #35345)

19.2.1 (December 3rd, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

Changelog

Sourced from react's changelog.

19.2.1 (Dec 3, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• 90ab3f8 Version 19.2.4
• 612e371 Version 19.2.3
• b910fc1 Version 19.2.2
• 053df4e Version 19.2.1
• See full diff in compare view

Updates @types/react from 19.2.2 to 19.2.14

Commits

• See full diff in compare view

Updates react-dom from 19.2.0 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

19.2.3 (December 11th, 2025)

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon facebook/react#35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #35289, #35345)

19.2.1 (December 3rd, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

Changelog

Sourced from react-dom's changelog.

19.2.1 (Dec 3, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• 90ab3f8 Version 19.2.4
• 612e371 Version 19.2.3
• b910fc1 Version 19.2.2
• 053df4e Version 19.2.1
• See full diff in compare view

Updates @types/react-dom from 19.2.2 to 19.2.3

Commits

• See full diff in compare view

Updates tailwindcss from 4.2.2 to 4.3.0

Release notes

Sourced from tailwindcss's releases.

v4.3.0

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)

... (truncated)

Changelog

Sourced from tailwindcss's changelog.

[4.3.0] - 2026-05-08

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-*Description has been truncated

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	docs-preview	3ce291f	Commit Preview URL Branch Preview URL	May 13 2026, 02:23 PM

[jrphilo]

Ralphie verified this — ready to merge.

Verification

• lint: ✓
• build: ✓ (Next.js type-check + bundle, 11/11 static pages)
• check:links: ✓ (39 files, 3 internal links, 0 broken)

Changelog highlights

• next 15.5.15 → 15.5.18 lands 13 security advisories (middleware bypass, WebSocket SSRF, RSC cache poisoning, DoS, XSS) — see Vercel security releases on github.com/vercel/next.js/security/advisories.
• @opennextjs/cloudflare 1.19.2 → 1.19.9 — R2 retry, D1 logs, Turbopack wasm chunk loader (Turbopack only).
• tailwindcss / @tailwindcss/postcss 4.2.2 → 4.3.0 — additive utilities only (@container-size, scrollbar-*, zoom-*, tab-*).
• react / react-dom 19.2.0 → 19.2.6 — RSC hardening / DoS mitigations.
• zod 4.3.6 → 4.4.3, posthog-js 1.369.3 → 1.373.4, wrangler 4.84.0 → 4.90.1, sharp 0.34.4 → 0.34.5, prettier-plugin-tailwindcss 0.7.2 → 0.8.0, and @types/* patch bumps — minor/patch with no API churn affecting this repo.

Investigation

• Ownership: same maintainers — Vercel for next, tailwindlabs for tailwind, Meta for React, PostHog for posthog-js, Cloudflare for wrangler/@opennextjs/cloudflare. Dependabot's "new releaser" note refers to CI bot accounts, not org changes.
• Auth/secrets: none — no release in the group touches auth, secret loading, or token handling.
• Security advisory: 13 referenced — all on next 15.5.18 — investigated → strong reason to land. This repo runs App Router with a custom src/middleware.ts (PostHog proxy + X-Robots-Tag for non-apex hosts), so the middleware-bypass and WebSocket-upgrade SSRF advisories are in-scope. No Pages Router, no i18n, no beforeInteractive scripts, so the i18n-router-bypass and CSP-nonce XSS advisories don't apply but are cleared by the bump anyway.
• Deprecations: none we'd hit. Tailwind 4.3 only adds utilities. The next lint deprecation notice is pre-existing on main and unchanged by this bump.
• Breaking API: none. @opennextjs/cloudflare 1.19.6's loadWasmChunkFn change is Turbopack-only — this repo builds with plain next build (see package.json's build:preview / build:production scripts), so it's a no-op for us. React 19.2.x changes are server-component error-surface hardening; no API shape change.

Recommendation

Merge — primarily a Next.js security bump that closes in-scope middleware advisories for this repo's src/middleware.ts, with the rest of the group being routine minor/patch upkeep. Verification clean.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.