Bump the production-dependencies group with 7 updates#600
Bumps the production-dependencies group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [@tailwindcss/typography](https://github.com/tailwindlabs/tailwindcss-typography) | `0.5.19` | `0.5.20` |
| [@xyflow/react](https://github.com/xyflow/xyflow/tree/HEAD/packages/react) | `12.10.2` | `12.11.1` |
| [date-fns](https://github.com/date-fns/date-fns) | `4.1.0` | `4.4.0` |
| [query-string](https://github.com/sindresorhus/query-string) | `9.3.1` | `9.4.0` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.5` | `19.2.7` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.5` | `19.2.7` |
| [zod](https://github.com/colinhacks/zod) | `4.3.6` | `4.4.3` |

Updates `@tailwindcss/typography` from 0.5.19 to 0.5.20
- [Release notes](https://github.com/tailwindlabs/tailwindcss-typography/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss-typography/blob/main/CHANGELOG.md)
- [Commits](tailwindlabs/tailwindcss-typography@v0.5.19...v0.5.20)

Updates `@xyflow/react` from 12.10.2 to 12.11.1
- [Release notes](https://github.com/xyflow/xyflow/releases)
- [Changelog](https://github.com/xyflow/xyflow/blob/main/packages/react/CHANGELOG.md)
- [Commits](https://github.com/xyflow/xyflow/commits/@xyflow/react@12.11.1/packages/react)

Updates `date-fns` from 4.1.0 to 4.4.0
- [Release notes](https://github.com/date-fns/date-fns/releases)
- [Commits](date-fns/date-fns@v4.1.0...v4.4.0)

Updates `query-string` from 9.3.1 to 9.4.0
- [Release notes](https://github.com/sindresorhus/query-string/releases)
- [Commits](sindresorhus/query-string@v9.3.1...v9.4.0)

Updates `react` from 19.2.5 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `react-dom` from 19.2.5 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `zod` from 4.3.6 to 4.4.3
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.3.6...v4.4.3)

---
updated-dependencies:
- dependency-name: "@tailwindcss/typography"
  dependency-version: 0.5.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@xyflow/react"
  dependency-version: 12.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: date-fns
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: query-string
  dependency-version: 9.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: zod
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
bgentry left a comment
🤖 Codex review: Security review looks good to me.
I reviewed this as a dependency-upgrade supply-chain/security pass for the production dependency group at head 899e32a1a51a7e61f690c4663e56ebfda2b597ec.
Scope reviewed:
- Manifest and lockfile changes for @tailwindcss/typography, @xyflow/react, date-fns, query-string, react, react-dom, zod, and the transitive @xyflow/system / @types/react updates.
- Lockfile structure for added/removed/changed packages, lifecycle hooks, bins, native/platform packages, registry URLs, integrity algorithms, and same-version integrity rewrites.
- npm registry metadata and artifact/source diffs for the direct updates and notable generated/bundled artifacts.
- Static risk areas including install-time execution, unexpected CLIs, native/binary payloads, credential/env access, network/download behavior, and suspicious generated/minified changes.
No blocking supply-chain issue found. The lockfile has no added or changed install scripts, no new bins, no new native/platform packages, no non-registry tarballs, no non-sha512 integrities, and no same-version integrity rewrites. Registry/repository ownership signals were consistent with the expected upstream packages, and reviewed package diffs matched the release narratives.
Residual risk is mostly ordinary generated-artifact volume in packages like @xyflow/react, react-dom, date-fns, and zod; I did not line-review every generated bundle line.
Self-verification also passed locally after installing the PR dependency set with lifecycle scripts disabled:
- `npm run lint`
- `npm run test:once` (30 files / 205 tests)
- `npm run build`
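The lockfile checks the review above lists (added or changed install scripts, new bins, new platform packages, non-registry tarballs, non-sha512 integrities, same-version integrity rewrites) are mechanical and can be scripted against the base and PR copies of `package-lock.json`. The script below is an added example and is not code from the PR, from Dependabot, from Codex, or from the project; it targets the lockfileVersion 2/3 `packages` layout, and the two lockfiles it diffs are constructed inline, with every package name other than `react` hypothetical:

```javascript
// Added example: diff two package-lock.json documents (lockfileVersion 2/3) and
// flag the supply-chain signals a dependency-bump review looks for. Not part of
// the project or the PR; beforeLock/afterLock are constructed sample data.
const REGISTRY_PREFIX = 'https://registry.npmjs.org/';

// In lockfileVersion 2/3, installed packages live under "packages", keyed by
// their node_modules path; the "" key describes the root project and is skipped.
function installedPackages(lock) {
  return Object.entries(lock.packages || {}).filter(([path]) => path !== '');
}

// Returns one finding per (package, check) that fires. An empty array means the
// lockfile change is a plain version bump with nothing structurally new.
function auditLockfileDiff(before, after) {
  const prev = new Map(installedPackages(before));
  const findings = [];
  for (const [path, meta] of installedPackages(after)) {
    const old = prev.get(path);
    const flag = (check) =>
      findings.push({ check, path, from: old ? old.version : null, to: meta.version });

    // npm sets hasInstallScript when a package declares preinstall/install/postinstall.
    if (meta.hasInstallScript && !(old && old.hasInstallScript)) flag('install-script');
    // A "bin" map means new executables land in node_modules/.bin.
    if (meta.bin && !(old && old.bin)) flag('new-bin');
    // os/cpu constraints mark platform-specific (usually native) packages.
    if ((meta.os || meta.cpu) && !(old && (old.os || old.cpu))) flag('platform-package');
    // Anything not fetched from the public registry (git, http tarballs, file:) needs a look.
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY_PREFIX)) flag('non-registry-tarball');
    // sha1 or sha256 where sha512 is the norm is a downgrade worth asking about.
    if (meta.integrity && !meta.integrity.startsWith('sha512-')) flag('weak-integrity');
    // Same version but a different hash: the artifact changed without a version change.
    if (old && old.version === meta.version && old.integrity && meta.integrity &&
        old.integrity !== meta.integrity) flag('same-version-integrity-rewrite');
  }
  return findings;
}

// Constructed sample lockfiles. react mirrors the bump in this PR (19.2.5 -> 19.2.7);
// the other two package names are hypothetical and exist only to trigger checks.
const beforeLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react': {
      version: '19.2.5',
      resolved: `${REGISTRY_PREFIX}react/-/react-19.2.5.tgz`,
      integrity: 'sha512-EXAMPLEOLDREACTHASH',
    },
    'node_modules/hypothetical-util': {
      version: '1.0.0',
      resolved: `${REGISTRY_PREFIX}hypothetical-util/-/hypothetical-util-1.0.0.tgz`,
      integrity: 'sha512-EXAMPLEUTILHASHA',
    },
  },
};
const afterLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react': {
      version: '19.2.7',
      resolved: `${REGISTRY_PREFIX}react/-/react-19.2.7.tgz`,
      integrity: 'sha512-EXAMPLENEWREACTHASH',
    },
    // Unchanged version, changed hash: a same-version integrity rewrite.
    'node_modules/hypothetical-util': {
      version: '1.0.0',
      resolved: `${REGISTRY_PREFIX}hypothetical-util/-/hypothetical-util-1.0.0.tgz`,
      integrity: 'sha512-EXAMPLEUTILHASHB',
    },
    // A newly added transitive package exhibiting every other signal at once.
    'node_modules/hypothetical-native': {
      version: '2.0.0',
      resolved: 'https://example.invalid/tarballs/hypothetical-native-2.0.0.tgz',
      integrity: 'sha1-EXAMPLESHA1',
      hasInstallScript: true,
      bin: { 'hypothetical-native': 'cli.js' },
      os: ['linux'],
      cpu: ['x64'],
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditLockfileDiff(beforeLock, afterLock)) {
    console.log(`${f.check.padEnd(32)} ${f.path} ${f.from ?? '(new)'} -> ${f.to}`);
  }
}
```

To run it against a real PR, load the base lockfile from `git show <base-ref>:package-lock.json` and the PR's `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass the two objects to `auditLockfileDiff`. A clean bump such as the `react` entry above produces no findings; the hypothetical packages show what each check reports. Two caveats: lockfileVersion 1 keeps a nested `dependencies` tree rather than `packages`, which this script does not walk, and a green result here says nothing about the package contents themselves, which is why the review above also diffs artifacts and, for the self-verification install, disables lifecycle scripts (`npm ci --ignore-scripts`).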
Updates `@tailwindcss/typography` from 0.5.19 to 0.5.20

Release notes
Sourced from @tailwindcss/typography's releases.

Changelog

Sourced from @tailwindcss/typography's changelog.

Commits
- e3714a3 0.5.20
- f34283d Update tailwindcss peer dependency version (#424)
- 543de42 bump Node.js
- 881b048 Setup OIDC (#423)
- 74a3da7 Fix typo in README.md (#413)
- 3963dfe Bump js-yaml from 3.14.1 to 3.14.2 (#410)
- abf85cc className instead of classname (#406)

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @tailwindcss/typography since your current version.

Updates `@xyflow/react` from 12.10.2 to 12.11.1

Release notes
Sourced from @xyflow/react's releases.

... (truncated)

Changelog

Sourced from @xyflow/react's changelog.

... (truncated)

Commits
- eedbc81 chore(packages): bump
- c7bdce4 chore(pane): cleanup
- cd5ec45 chore(react/pane): cleanup
- f919daa fix(pane): do not fire pane click when connection ends on pane
- 36c8a1a chore(attribution): update link
- 50fd4b4 Merge pull request #5823 from xyflow/refactor/attribution
- 5f1a206 chore(attr): update link
- 4710765 Merge pull request #5822 from xyflow/refactor/edge-deleted-nodes
- 503fc15 Merge branch 'main' into perf/handle-config-context
- ae1b237 refactor(edges): don't create new object when edge returns early because conn...

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @xyflow/react since your current version.

Updates `date-fns` from 4.1.0 to 4.4.0

Release notes
Sourced from date-fns's releases.

Commits
- cd53d25 Promote to v4.4.0
- d948ec1 Preserve but deprecate CDN versions for v4, set up v5 with polyfills
- ee65753 Add root mise `:format` task
- 9f5bdf5 Add positional argument to `test/smoke.sh` script
- 651ead6 Split CDN bundles into separate `@date-fns/cdn` package
- 224c1a2 Deprecate type tests as attw hangs on date-fns package
- 7bb2842 Switch `PACKAGE_OUTPUT_PATH` to `--dist` flag in the package build script
- b6ad5ac Add flags to control package build script
- 424a783 Fix docs release after moving to monorepo setup
- f95bcf1 (docs): Add missing `tsx` dependency

Updates `query-string` from 9.3.1 to 9.4.0

Release notes
Sourced from query-string's releases.

Commits
- 0b047b7 9.4.0
- 3ac2e84 Meta tweaks
- 482b19a Improve performance
- 5ec53f9 Add tip about `URLSearchParams`

Updates `react` from 19.2.5 to 19.2.7

Release notes
Sourced from react's releases.

Changelog

Sourced from react's changelog.

Commits
- 6117d7c Version 19.2.7 (#36591)
- eaf3e95 Version 19.2.6

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.

Updates `react-dom` from 19.2.5 to 19.2.7

Release notes
Sourced from react-dom's releases.

Changelog

Sourced from react-dom's changelog.

Commits
- 6117d7c Version 19.2.7 (#36591)
- eaf3e95 Version 19.2.6

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.

Updates `zod` from 4.3.6 to 4.4.3

Release notes
Sourced from zod's releases.

... (truncated)

Commits
- 1fb56a5 docs: document release procedure in AGENTS.md
- f3c9ec0 4.4.3
- c2be4f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent...
- 1cab693 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
- b8dffe9 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
- 9195250 docs: remove Mintlify from bronze sponsors (churned)
- 2c70332 docs: normalize bronze sponsor logos to github avatar pattern
- 7391be8 docs: prune lapsed silver/bronze sponsors and add active ones
- 2aeec83 docs: prune lapsed gold sponsors and rebalance logo sizing
- 4c2fa95 docs: use Zernio primary wordmark for gold sponsor logo

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions