chore(deps): bump the prod-deps group across 1 directory with 11 updates

[dependabot]

Bumps the prod-deps group with 11 updates in the / directory:

Package	From	To
@ai-sdk/react	3.0.170	3.0.187
@openrouter/ai-sdk-provider	2.8.0	2.9.0
ai	6.0.168	6.0.185
framer-motion	12.38.0	12.39.0
fumadocs-core	16.8.0	16.8.11
fumadocs-ui	16.8.0	16.8.11
lucide-react	1.8.0	1.16.0
react	19.2.5	19.2.6
react-dom	19.2.5	19.2.6
tailwind-merge	3.5.0	3.6.0
zod	4.3.6	4.4.3

Updates @ai-sdk/react from 3.0.170 to 3.0.187

Release notes

Sourced from @​ai-sdk/react's releases.

@​ai-sdk/react@​3.0.187

Patch Changes

• ai@6.0.185

@​ai-sdk/react@​3.0.186

Patch Changes

• Updated dependencies [40fc5e4]
  • ai@6.0.184

@​ai-sdk/react@​3.0.185

Patch Changes

• ai@6.0.183

Changelog

Sourced from @​ai-sdk/react's changelog.

3.0.187

Patch Changes

• ai@6.0.185

3.0.186

Patch Changes

• Updated dependencies [40fc5e4]
  • ai@6.0.184

3.0.185

Patch Changes

• ai@6.0.183

3.0.184

Patch Changes

• Updated dependencies [e76a29a]
  • ai@6.0.182

3.0.183

Patch Changes

• Updated dependencies [538974a]
  • ai@6.0.181

3.0.182

Patch Changes

• Updated dependencies [253bd5a]
• Updated dependencies [57ec10f]
  • ai@6.0.180

3.0.181

Patch Changes

• ai@6.0.179

3.0.180

Patch Changes

... (truncated)

Commits

• 4a98945 Version Packages (#15406)
• f8d3003 Version Packages (#15356)
• 2e7664b Version Packages (#15315)
• c76ce9c Version Packages (#15257)
• c0e4fef Version Packages (#15251)
• 43e5359 Version Packages (#15221)
• e2f1bca Version Packages (#15216)
• d37fb1f Version Packages (#15202)
• e70aab9 Version Packages (#15138)
• e3ccdb5 Version Packages (#15094)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/react since your current version.

Updates @openrouter/ai-sdk-provider from 2.8.0 to 2.9.0

Release notes

Sourced from @​openrouter/ai-sdk-provider's releases.

2.9.0

What's Changed

• fix: allow query strings and fragments in image URL regex (#484) by @​robert-j-y in OpenRouterTeam/ai-sdk-provider#485
• fix: allow opting out of response_format strict mode (#483) by @​robert-j-y in OpenRouterTeam/ai-sdk-provider#486
• fix: stop emitting duplicate tool-call events on trailing-whitespace deltas by @​0age in OpenRouterTeam/ai-sdk-provider#489
• Version Packages by @​github-actions[bot] in OpenRouterTeam/ai-sdk-provider#490

New Contributors

• @​0age made their first contribution in OpenRouterTeam/ai-sdk-provider#489

Full Changelog: OpenRouterTeam/ai-sdk-provider@2.8.1...2.9.0

2.8.1

What's Changed

• fix: preserve empty reasoning_details arrays in multi-turn conversations by @​louisgv in OpenRouterTeam/ai-sdk-provider#487
• Version Packages by @​github-actions[bot] in OpenRouterTeam/ai-sdk-provider#488

Full Changelog: OpenRouterTeam/ai-sdk-provider@2.8.0...2.8.1

Changelog

Sourced from @​openrouter/ai-sdk-provider's changelog.

2.9.0

Minor Changes

• #486 82e8014 Thanks @​robert-j-y! - Add structuredOutputs.strict setting to opt out of response_format.json_schema.strict (issue #483).

  Previously the SDK hardcoded strict: true whenever a JSON schema response format was used, which made it impossible to route requests to providers that don't advertise support for strict json_schema. Models like moonshotai/kimi-k2.6 (routed through Parasail/Venice/Io Net) returned HTTP 404 "No endpoints available matching your guardrail restrictions and data policy" because the strict flag eliminated every eligible endpoint.

  Users can now opt out per-model:

  const model = openrouter.chat("moonshotai/kimi-k2.6", {
    structuredOutputs: { strict: false },
  });

  The default remains strict: true for backward compatibility.

Patch Changes

• #485 bf664b1 Thanks @​robert-j-y! - Fix supportedUrls['image/*'] regex to accept image URLs with query strings or fragments (e.g. https://cdn.example.com/photo.png?height=200, .../photo.webp#frag). Previously the $ anchor on the extension caused such URLs to be treated as unsupported, forcing the AI SDK runtime to download and base64-inline them, which bloated conversation history and inflated token usage.

• #489 bb2d4cb Thanks @​0age! - fix: stop emitting duplicate tool-call events when a trailing-whitespace argument delta arrives after a complete tool call

  In the streaming chat handler, the merge-into-existing-tool-call path enqueues a tool-call stream event whenever the accumulated function.arguments is parsable JSON. Because JSON.parse accepts trailing whitespace, any subsequent argument delta for the same tool-call index (e.g. a stray space, newline, or closing-token chunk) leaves the arguments parsable and would re-trigger the emit, producing a second tool-call event with the same toolCallId. Downstream tool runners (e.g. Vercel AI SDK streamText) then execute the tool twice. Observed in production with moonshotai/kimi-k2.6 via OpenRouter, where the user-visible effect was every outbound message being delivered twice.

  src/chat/index.ts:

  • Merge-path tool-call emit is now gated on !toolCall.sent, mirroring the new-path behavior. The sent flag was already being set after the first emit but was never read on this path.

  src/chat/index.test.ts:

  • Adds a regression test that streams a complete tool call followed by a trailing-whitespace-only argument delta for the same index and asserts exactly one tool-call event is emitted.

2.8.1

Patch Changes

• #487 4588197 Thanks @​louisgv! - fix: preserve empty reasoning_details arrays in multi-turn conversations

  Some providers (notably DeepSeek V4 in thinking mode) return reasoning_details: [] on turns where they produced no visible reasoning tokens. They require this empty array to be sent back in subsequent requests to maintain conversation state; omitting it causes 4xx errors on follow-up turns.

  src/chat/index.ts:

  • Stream finish event now always sets openrouterMetadata.reasoning_details, even when the accumulated array is empty (previously guarded by length > 0).
  • Both reasoning-end emit sites now always include providerMetadata.openrouter.reasoning_details,

... (truncated)

Commits

• 5cef3c5 Version Packages (#490)
• bb2d4cb fix: stop emitting duplicate tool-call events on trailing-whitespace deltas (...
• 82e8014 fix: allow opting out of response_format strict mode (#483) (#486)
• bf664b1 fix: allow query strings and fragments in image URL regex (#484) (#485)
• 310ba3d Version Packages (#488)
• 4588197 fix: preserve empty reasoning_details arrays in multi-turn conversations (#487)
• See full diff in compare view

Updates ai from 6.0.168 to 6.0.185

Release notes

Sourced from ai's releases.

ai@6.0.185

Patch Changes

• Updated dependencies [488ef33]
  • @​ai-sdk/gateway@​3.0.116

ai@6.0.184

Patch Changes

• 40fc5e4: fix(ai): default missing embedding warnings to an empty array

ai@6.0.183

Patch Changes

• Updated dependencies [363cefe]
  • @​ai-sdk/gateway@​3.0.115

Changelog

Sourced from ai's changelog.

6.0.185

Patch Changes

• Updated dependencies [488ef33]
  • @​ai-sdk/gateway@​3.0.116

6.0.184

Patch Changes

• 40fc5e4: fix(ai): default missing embedding warnings to an empty array

6.0.183

Patch Changes

• Updated dependencies [363cefe]
  • @​ai-sdk/gateway@​3.0.115

6.0.182

Patch Changes

• e76a29a: fix(ai): download tool-result file URLs

6.0.181

Patch Changes

• 538974a: fix(ui): make input optional on output-error tool and dynamic-tool UI message parts

  validateUIMessages rejected persisted assistant messages whose output-error tool parts had no input key. This happened for any errored tool call where the SDK set input: undefined (e.g. NoSuchToolError / InvalidToolInputError): JSON serialization stripped the undefined value, and Zod 4.4+ treats a missing z.unknown() key as a validation failure (previously it was implicitly optional). The schema now matches the runtime shape produced by process-ui-message-stream, so reloading a thread that contains an errored tool call no longer throws AI_TypeValidationError.

6.0.180

Patch Changes

• 253bd5a: fix(gateway): enable retry support for gateway errors
• 57ec10f: fix URL of hero animation in README
• Updated dependencies [253bd5a]
  • @​ai-sdk/gateway@​3.0.114

6.0.179

Patch Changes

• Updated dependencies [ee4de68]
  • @​ai-sdk/gateway@​3.0.113

... (truncated)

Commits

• 4a98945 Version Packages (#15406)
• f8d3003 Version Packages (#15356)
• 40fc5e4 Backport: fix(ai): default missing embedding warnings (#15354)
• 2e7664b Version Packages (#15315)
• 7baadcc chore: diverge test assertions based on node version (#15326)
• 5427555 chore: fix flaky tests diverging on different node versions (#15296)
• c76ce9c Version Packages (#15257)
• c0e4fef Version Packages (#15251)
• e76a29a Backport: fix(ai): download tool-result file URLs (#15246)
• 538974a Backport: fix(ai): Fix validateUIMessages with Zod 4.4 (#15247)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ai since your current version.

Updates framer-motion from 12.38.0 to 12.39.0

Changelog

Sourced from framer-motion's changelog.

[12.39.0] 2026-05-18

Added

• Support for repeatType and repeatDelay in animation sequences.

Fixed

• Variants: Re-run keyframe animations when switching between variant labels even when they share identical keyframe arrays.
• Drag: Preserve in-flight motion value animations across React 19 reorder unmount/remount so dragSnapToOrigin no longer leaves the drag transform stranded after a layout swap.
• LazyMotion: Share React contexts between the framer-motion and framer-motion/m (and therefore motion/react and motion/react-m) CJS bundles so that <m.div> from the /m subpath picks up features loaded by <LazyMotion> from the main entry point.
• useScroll: Support hydrating target and container refs from anywhere in the tree.
• Drag: Gesture no longer starts from incorrect start point when rendered inside <AnimatePresence initial={false} />.
• Drag: dragConstraints, when set as viewport-relative ref, no longer break on scroll.§
• Updated visualElement hydration order.
• useAnimate: Now respects skipAnimations.
• AnimatePresence: Fix object-form initial values not applied on re-entry after exit completes.
• scroll: Fixed callback progress when tracking an element.
• useScroll: Fix hardware acceleration when tracking an element.

Commits

• b607391 v12.39.0
• cd53178 Updating changelog
• bd07642 Merge pull request #3716 from motiondivision/worktree-fix-issue-3315
• 3f053b6 Merge branch 'main' into worktree-fix-issue-3315
• f434c42 Merge pull request #3718 from motiondivision/dependabot/npm_and_yarn/next-15....
• 5973dfb Merge pull request #3722 from motiondivision/worktree-fix-issue-2829
• cfccb03 fix(drag): Refresh root scroll before measuring ref constraints
• 16aa417 Updating changelog
• 5d627a4 Merge pull request #3720 from motiondivision/worktree-fix-issue-2831
• 63cf0d0 Merge pull request #3721 from motiondivision/worktree-fix-issue-2833
• Additional commits viewable in compare view

Updates fumadocs-core from 16.8.0 to 16.8.11

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.8.11

Patch Changes

• 1dc86c7: loosen the range for waku

fumadocs-core@16.8.10

Patch Changes

• 062beab: fix internal types
• 505cfe0: Add remark-block-id plugin

fumadocs-core@16.8.8

No release notes provided.

fumadocs-core@16.8.7

No release notes provided.

fumadocs-core@16.8.6

No release notes provided.

fumadocs-core@16.8.5

Patch Changes

• 79d3209: Narrow schema type for private OpenAPI properties

fumadocs-core@16.8.4

Patch Changes

• 61b15e9: fix Shiki languages not loaded under lazy mode
• 1a5433c: Support $ in locale for page tree generation

fumadocs-core@16.8.3

No release notes provided.

fumadocs-core@16.8.2

No release notes provided.

fumadocs-core@16.8.1

No release notes provided.

Commits

• See full diff in compare view

Updates fumadocs-ui from 16.8.0 to 16.8.11

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.8.11

Patch Changes

• Updated dependencies [1dc86c7]
  • fumadocs-core@16.8.11

fumadocs-ui@16.8.10

Patch Changes

• Updated dependencies [062beab]
• Updated dependencies [505cfe0]
  • fumadocs-core@16.8.10

fumadocs-ui@16.8.8

Patch Changes

• b494c8d: Support copy ID in headings
• 03626ba: [Search UI] show ctrl for Linux machines
  • fumadocs-core@16.8.8

fumadocs-ui@16.8.7

Patch Changes

• 34f37f3: hotfix TOC
  • fumadocs-core@16.8.7

fumadocs-ui@16.8.6

Patch Changes

• 1aa48d0: fix RTL layout for Clerk style
  • fumadocs-core@16.8.6

fumadocs-ui@16.8.5

Patch Changes

• Updated dependencies [79d3209]
  • fumadocs-core@16.8.5

fumadocs-ui@16.8.4

Patch Changes

• b5ff03b: Support new OG image design for Takumi
• Updated dependencies [61b15e9]
• Updated dependencies [1a5433c]
  • fumadocs-core@16.8.4

fumadocs-ui@16.8.3

Patch Changes

• 8082ef6: Add legacy/layout for versions prior to 16.2

... (truncated)

Commits

• See full diff in compare view

Updates lucide-react from 1.8.0 to 1.16.0

Release notes

Sourced from lucide-react's releases.

Version 1.16.0

What's Changed

• feat(icons): added blender icon by @​rrod497 in lucide-icons/lucide#3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

• fix: remove 'less' from brand stopwords by @​jguddas in lucide-icons/lucide#4331
• fix(@​lucide/vue): Clone slots before passing to icon by @​axtho in lucide-icons/lucide#4339
• fix(icons): changed text-cursor icon by @​jamiemlaw in lucide-icons/lucide#4340
• fix(icons): changed landmark icon by @​jamiemlaw in lucide-icons/lucide#4334
• chore(deps-dev): bump nitropack from 2.13.1 to 2.13.4 by @​dependabot[bot] in lucide-icons/lucide#4352
• chore(deps-dev): bump simple-git from 3.33.0 to 3.36.0 by @​dependabot[bot] in lucide-icons/lucide#4349
• fix(icons): changed candy-cane icon by @​jguddas in lucide-icons/lucide#4148
• fix(icons): changed volleyball icon by @​jamiemlaw in lucide-icons/lucide#4338
• fix(icons): changed chart-no-axes-combined icon by @​jguddas in lucide-icons/lucide#3567
• feat(icon): added broccoli icon by @​swastik7805 in lucide-icons/lucide#4263
• chore(site): Updates to site and updated carbon ads by @​ericfennis in lucide-icons/lucide#4359
• feat(icons): added sticky note variants by @​Barakudum in lucide-icons/lucide#4348
• chore(deps-dev): bump astro from 6.1.6 to 6.1.10 by @​dependabot[bot] in lucide-icons/lucide#4361

New Contributors

• @​axtho made their first contribution in lucide-icons/lucide#4339
• @​Barakudum made their first contribution in lucide-icons/lucide#4348

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

Version 1.14.0

What's Changed

• feat(icons): added repeat-off icon by @​jguddas in lucide-icons/lucide#3102

Full Changelog: lucide-icons/lucide@1.13.0...1.14.0

Version 1.13.0

What's Changed

• fix(docs): sync URL params with UI state on categories page by @​taimar in lucide-icons/lucide#4111
• feat(icons): add waves-vertical icon by @​jamiemlaw in lucide-icons/lucide#3867

Full Changelog: lucide-icons/lucide@1.12.0...1.13.0

Version 1.12.0

What's Changed

• feat(icon): add folder-bookmark icon by @​swastik7805 in lucide-icons/lucide#4262
• docs(readme): Update readme files by @​ericfennis in lucide-icons/lucide#4320
• feat(icons): added astroid icon by @​whoisBugsbunny in lucide-icons/lucide#4217

... (truncated)

Commits

• 07c885e fix(docs): fix zephyr-cloud URL in readmes
• 50d8af5 docs(readme): Update readme files (#4320)
• 653e44b feat(packages): use .mjs for ESM bundles (#4285)
• See full diff in compare view

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates tailwind-merge from 3.5.0 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

• Add support for Tailwind CSS v4.3 by @​dcastil in dcastil/tailwind-merge#677
  • Add postfixLookupClassGroups option to config to support Tailwind utilities where a slash is part of the full class name, like named container queries
• Add support for readonly array values by @​unional in dcastil/tailwind-merge#652

Documentation

• Fix broken links in README by @​maurer2 in dcastil/tailwind-merge#662

Other

• Harden internal CI pipeline security by omitting git checkout by @​dcastil, suggested by @​kyletaylored in dcastil/tailwind-merge@6b2499c

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

Commits

• d54f7e5 v3.6.0
• 638871a Update README to add info about Tailwind CSS v4.3 support
• 39fc7b5 Revert "v3.6.0"
• bd8390f v3.6.0
• 802877c add v3.6.0 changelog
• a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
• 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
• 005af6d pin to specific version
• 5816ced implement breaking changes
• 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
• Additional commits viewable in compare view

Updates zod from 4.3.6 to 4.4.3

Release notes

Sourced from zod's releases.

v4.4.3

Commits:

• 4c2fa95ce3f3390fbc522324e406b4e9e89b88f9 docs: use Zernio primary wordmark for gold sponsor logo
• 2aeec83eb135e3a83756e973ef44845fc5a455d2 docs: prune lapsed gold sponsors and rebalance logo sizing
• 7391be88ac1ee5cd02057f5ccc012a1f5df4efd0 docs: prune lapsed silver/bronze sponsors and add active ones
• 2c703322a21b4e2b12f33f49ea8430c451a68b4f docs: normalize bronze sponsor logos to github avatar pattern
• 9195250cab0e7950efe39c3926d6c203b4b0a170 docs: remove Mintlify from bronze sponsors (churned)
• b8dffe9e62f17e6571e6249d05cc5102b54d94e4 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 1cab69383fcdeae2a366d5e2a2fc4d8fc765d168 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• c2be4f819064eed62c7c350a2d399b5faecd15f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent keys (#5941)
• f3c9ec03ba7a28ae72d25cc295f38674bee0f559 4.4.3
• 1fb56a5c18c27102dbc92260a4007c7732a0ccca docs: document release procedure in AGENTS.md

v4.4.2

Commits:

• 0c62df0ea19fd05abdf90473e9eef7eea530fab2 Clean up docs navigation and stale labels (#5901)
• 20cc794895cc8604fe0c87d83a5d1c3f89fad0ac chore: add security policy and refresh tooling deps
• 6fbe07b0177efdd1bf1c0b05160e70d7a0702337 fix(docs): heading anchor links now include the hash so it doesnt scoll all the way up, follows navbar logic (#5791)
• 4bbed1b1c73eca4ce9e59b1189ed236aa6c8b5bd Tighten discriminated union option typing
• bbac3e567e7fccfaaf7cdc97f1ce30c295e2c908 Update PR guidance for agents
• cf0dc942a32805c292fff59ade20a7ace980735a Merge remote-tracking branch 'origin/main' into fix-discriminated-union-key-constraint
• 292c894a5fd2aa42e527900b83d8d7a3009a709c docs: add Zernio gold sponsor
• 1fc9f311c28dcf80d0bb5a36b177086cbc3d8eca docs: document codec inversion
• 1373c85da9aeff704a9762d27bc58699618aefb7 docs: remove AI disclosure guidance
• e20d02b473c08e3a4e557bc610b1b5fac079b649 chore: ignore triage notes
• e58ea4d91b1dfe8194b73508203213cbc7e9c936 docs: test Zod Mini tab code heights
• 905761a5d127e8d5dd2ebb3bc88c75cb0b8149ff docs: document preprocess input type narrowing
• bf64bac850d4dee2b7dde7e64909d5d796d32043 chore: tighten test guidance in AGENTS.md
• 8ec4e73f4c4693b6361ad591be40fb41eb8a9f95 chore: update play.ts scratch
• 02c2baf7d0d615872fa4528a8020603b71211702 Make z.preprocess defer optionality to inner schema (#5929)
• 88015df8e25c44fb5385eb3ef28935119cd5edea fix(docs): drop deprecated baseUrl from tsconfig
• c59d4474e3b4cad1b323462186cf607178ce8267 4.4.2

v4.4.1

Commits:

• 481f7be4238c83ed58183f921b2646f340a91c6a ci: gate release publishing on full test workflow
• 95ccab423aec720b2523c3a64cdc7e3204537cc7 test(v3): restore optional undefined expectations
• cede2c63739a5823d6aa5093d291e9a111da943d fix(v4): reject tuple holes before required defaults (#5900)
• edd0bf0f5ada4a8dc581c259407d7bbad0a71ea7 release: 4.4.1
• 180d83d1dbe6a59260710cc8637a3dea2281ee56 docs: remove Jazz featured sponsor

v4.4.0

4.4.0

This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.

Potentially breaking bug fixes

... (truncated)

Commits

• 1fb56a5 docs: document release procedure in AGENTS.md
• f3c9ec0 4.4.3
• c2be4f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent...
• 1cab693 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• b8dffe9 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 9195250 docs: remove Mintlify from bronze sponsors (churned)
• 2c70332 docs: normalize bronze sponsor logos to github avatar pattern
• 7391be8 docs: prune lapsed silver/bronze sponsors and add active ones
• 2aeec83 docs: prune lapsed gold sponsors and rebalance logo sizing
• 4c2fa95 docs: use Zernio primary wordmark for gold sponsor logo
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mogplex-docs	Error		May 18, 2026 10:01pm

[mogplex]

Mogplex PR Review

Status: Attention needed

This is a standard Dependabot batch dependency bump across 11 production packages. All updates are patch or minor versions from well-known, reputable maintainers. Notably, the lockfile introduces two security overrides for brace-expansion (ReDoS) and postcss (ReDoS / CVE-2025-27789) to remediate vulnerable transitive dependency versions — this is a positive security improvement. The zod upgrade (4.3.6 → 4.4.3) contains a "potentially breaking" 4.4.0 release that altered strictness for some validation patterns, which is worth flagging even though the PR itself is auto-generated. No custom code changes are present. The PR is safe to merge after verifying CI passes.

Warnings

• zod 4.4.x contains potentially breaking strictness changes (package.json)
  The zod upgrade from 4.3.6 to 4.4.3 passes through the 4.4.0 release, which its own changelog marks as containing "Potentially breaking bug fixes": it generalizes opt-in/fallback to transforms, restores preprocess on absent keys, and restores catch handling for absent object keys. These changes intentionally make Zod stricter in edge cases. If the codebase defines Zod schemas with .catch(), .preprocess(), or relies on absent-key coercion behaviour, runtime validation could silently change. Additionally, the ai@6.0.181 changelog explicitly mentions a fix for validateUIMessages that was needed because Zod 4.4+ treats missing z.unknown() keys as validation failures — indicating the Vercel AI SDK is already aware of this breaking shift.

Recommendation: Verify all Zod schemas used for request/response validation still behave as expected (especially any that use .catch(), .default(), or .preprocess()), and check that any persisted AI message threads continue to load without AI_TypeValidationError.

Suggestions

• Security overrides for brace-expansion and postcss are only in pnpm-lock.yaml, not package.json (pnpm-lock.yaml)
  The lockfile adds overrides for brace-expansion@>=5.0.0 <5.0.6 and postcss@<8.5.10 to force safe versions of vulnerable transitive dependencies. However, these overrides do not appear in package.json's pnpm.overrides (or overrides) field — they exist only in the lockfile. In a pnpm workspace this is unusual: overrides defined only in the lockfile may be lost if the lockfile is regenerated without the corresponding package.json entry, leaving the project re-exposed to the vulnerability.

Recommendation: Add the same overrides explicitly to package.json under a pnpm.overrides block (for pnpm) to ensure they survive a lockfile regeneration:

"pnpm": {
  "overrides": {
    "brace-expansion@>=5.0.0 <5.0.6": ">=5.0.6",
    "postcss@<8.5.10": ">=8.5.10"
  }
}

View check run