Sourced from tsx's releases.

v4.22.3

4.22.3 (2026-05-19)

Bug Fixes

• decode typed loader source (dce02fc)
• preserve entrypoint with TypeScript preload hooks (68f72f3)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.2

4.22.2 (2026-05-18)

Bug Fixes

• preserve CJS JSON require in ESM hooks (35b700b)
• preserve named exports from CommonJS TypeScript (11de737)
• support module.exports require(esm) interop (cf8f199)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.1

4.22.1 (2026-05-17)

Bug Fixes

• resolve tsconfig path aliases containing a colon (#780) (6979f28)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.0

4.22.0 (2026-05-14)

Features

• upgrade esbuild to 0.28 (#789) (b29f6ee)

---

This release is also available on:

• npm package (@​latest dist-tag)

... (truncated)

• dce02fc fix: decode typed loader source
• 68f72f3 fix: preserve entrypoint with TypeScript preload hooks
• 69455cf test: cover package exports for ambiguous ESM reexports
• 35b700b fix: preserve CJS JSON require in ESM hooks
• ef807db chore: update testing dependencies
• 3917090 test: document compatibility test taxonomy
• de8113f refactor: centralize Node capability facts
• c1f62db test: consolidate tsconfig path edge coverage
• 4e08174 test: consolidate loader hook coverage
• 674bb30 test: consolidate tsImport commonjs mts coverage
• Additional commits viewable in compare view

This version was pushed to npm by GitHub Actions, a new releaser for tsx since your current version.

Sourced from turbo's releases.

Turborepo v2.9.14

[!NOTE] This release contains important security fixes.

High:

• GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

• GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation
• GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

• release(turborepo): 2.9.12 by @​github-actions[bot] in vercel/turborepo#12774
• fix: Restore docs mobile menu by @​anthonyshew in vercel/turborepo#12782
• ci: Use pull_request for PR title linting by @​anthonyshew in vercel/turborepo#12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in vercel/turborepo#12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in vercel/turborepo#12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in vercel/turborepo#12799
• fix: Validate auth callback state by @​anthonyshew in vercel/turborepo#12802
• fix: Harden VS Code extension command execution by @​anthonyshew in vercel/turborepo#12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in vercel/turborepo#12801
• chore: Release 2.9.13 by @​anthonyshew in vercel/turborepo#12803

New Contributors

• @​dancrumb made their first contribution in vercel/turborepo#12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

Turborepo v2.9.13-canary.1

What's Changed

Changelog

• release(turborepo): 2.9.11-canary.7 by @​github-actions[bot] in vercel/turborepo#12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @​anthonyshew in vercel/turborepo#12770
• release(turborepo): 2.9.11 by @​github-actions[bot] in vercel/turborepo#12771
• fix: Allow transit nodes in LSP diagnostics by @​anthonyshew in vercel/turborepo#12773
• release(turborepo): 2.9.12 by @​github-actions[bot] in vercel/turborepo#12774
• fix: Restore docs mobile menu by @​anthonyshew in vercel/turborepo#12782
• ci: Use pull_request for PR title linting by @​anthonyshew in vercel/turborepo#12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in vercel/turborepo#12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in vercel/turborepo#12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in vercel/turborepo#12799
• fix: Validate auth callback state by @​anthonyshew in vercel/turborepo#12802
• fix: Harden VS Code extension command execution by @​anthonyshew in vercel/turborepo#12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in vercel/turborepo#12801

... (truncated)

• fc62fe0 publish 2.9.14 to registry
• fb8c9ae chore: Release 2.9.13 (#12803)
• e8e629d fix: Avoid project-local Yarn during detection (#12801)
• 91c90cb fix: Harden VS Code extension command execution (#12800)
• 84f4508 fix: Validate auth callback state (#12802)
• 1779ad7 Removed unneeded import form hash creation script in docs (#12799)
• 71f8c90 test: Validate lockfiles without dependency downloads (#12789)
• 5fcb960 ci: Scope GitHub Actions caches by branch (#12788)
• 4cf9fab ci: Use pull_request for PR title linting (#12787)
• 859c629 fix: Restore docs mobile menu (#12782)
• Additional commits viewable in compare view

Sourced from dotenv's changelog.

17.4.2 (2026-04-12)

Changed

• Improved skill files - tightened up details (#1009)

17.4.1 (2026-04-05)

Changed

• Change text injecting to injected (#1005)

17.4.0 (2026-04-01)

Added

• Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

• Tighten up logs: ◇ injecting env (14) from .env (#1003)

• f116f70 17.4.2
• 3a81612 fix visual order of faq
• 13f55a8 Merge branch 'skill'
• 4bbbf73 reorganize faq
• c3da64b Merge pull request #1009 from motdotla/skill
• 6f743b1 update source
• fc2c624 update skill
• 972315b Tighten up skill
• 2795fce reorganize faq
• d5495d4 adjust skill
• Additional commits viewable in compare view

Sourced from drizzle-orm's releases.

0.45.2

• Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @​EthanKim88, @​0x90sh and @​wgoodall01 for reaching out to us with a reproduction and suggested fix

• 273c780 + 0.45.2 (#5534)
• 4aa6ecf Kit updates (#5490)
• e8e6edf feat(drizzle-kit): support d1 via binding (#5302)
• See full diff in compare view

Sourced from pg's changelog.

pg@8.21.0

• Handle SASL SCRAM server error responses properly.
• Add support for node@26.
• Add scramMaxIterations config option.
• Add client.getTransactionStatus() method.

• 544b1ce Publish
• cc03fa5 Add scramMaxIterations option to limit SCRAM iteration count (#3677)
• f776327 Remove compatibility code for unsupported versions of Node (<16) (#3678)
• f252870 cleanup: pg utils (#3675)
• c8da6ab Assorted test cleanup (#3673)
• fa47e73 fix: Client#end callback being called multiple times when first is no-op (#...
• 88a7e60 cleanup: Move declaration to more natural place
• 2095247 cleanup: Combine duplicated code in Client#query and avoid unneeded early n...
• 0ac3edd fix: apply SASLprep (RFC 4013) to passwords before SCRAM-SHA-256 PBKDF2 (#3669)
• be880d4 Assorted test fixes and cleanup (#3672)
• Additional commits viewable in compare view

Sourced from hono's releases.

v4.12.23

What's Changed

• fix(serve-static): normalize all backslashes in file paths, not just the first in honojs/hono#4962
• feat(context): export the Context class publicly by @​BlankParticle in honojs/hono#4543
• docs(contribution): add AI Usage Policy by @​yusukebe in honojs/hono#4970
• feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @​na-trium-144 in honojs/hono#4961
• fix(utils/ipaddr): do not compress a single 0 group to :: by @​yusukebe in honojs/hono#4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

• chore: update vitest to v4 and cleanups by @​BlankParticle in honojs/hono#4952
• fix(mime): specify charset parameter per MIME type instead of mechanical detection by @​renatograsso10 in honojs/hono#4912
• fix(compress): respect Accept-Encoding when encoding option is set by @​LeSingh1 in honojs/hono#4951
• fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @​ATOM00blue in honojs/hono#4955
• feat: add msgpack as a compressible content type by @​na-trium-144 in honojs/hono#4957

New Contributors

• @​renatograsso10 made their first contribution in honojs/hono#4912
• @​LeSingh1 made their first contribution in honojs/hono#4951
• @​ATOM00blue made their first contribution in honojs/hono#4955
• @​na-trium-144 made their first contribution in honojs/hono#4957

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

... (truncated)

• 83bfb3b 4.12.23
• bcd290a fix(utils/ipaddr): do not compress a single 0 group to :: (#4971)
• c968177 feat(compress): add contentTypeFilter option and `COMPRESSIBLE_CONTENT_TYPE_R...
• 0265a54 docs(contribution): add AI Usage Policy (#4970)
• c84c5d2 feat(context): export the Context class publicly (#4543)
• 82dad62 fix(serve-static): normalize all backslashes in file paths, not just the firs...
• 2f01b77 4.12.22
• 6bc0dff feat: add msgpack as a compressible content type (#4957)
• 7e0555d fix(deno): echo negotiated WebSocket subprotocol in upgrade response (#4955)
• f0ed246 fix(compress): respect Accept-Encoding when encoding option is set (#4951)
• Additional commits viewable in compare view

Sourced from @​auth/drizzle-adapter's releases.

@​auth/drizzle-adapter@​1.11.2

Other

• @​auth/core: dependency update (67f2b168)

• af9daa8 chore(release): bump package version(s) [skip ci]
• d4dab3d chore: sync package versions with npm registry (#13414)
• 8a23c5b chore: fix lockfile (#13411)
• 2018202 docs: fix TypeScript type mismatch in refresh token rotation example (#13396)
• 0eba7e4 adapter-kysely: Update kysely for CVE-2026-33468 (#13407)
• 67f2b16 fix(providers): add issuer to GitHub provider for RFC 9207 compliance (#13410)
• f457068 docs: update middleware.ts references to proxy.ts for Next.js 16 (#13373)
• c7c2cfa docs: update Better Auth migration guide (#13334)
• b4ef14a chore(release): bump version [skip ci]
• See full diff in compare view

This version was pushed to npm by better-gustavo, a new releaser for @​auth/drizzle-adapter since your current version.

Sourced from @​upstash/redis's releases.

@​upstash/redis@​1.38.0

Minor Changes

• c71f581: Separate read/write commands into separate pipelines in auto pipeline. As a result, mixed read/write Promise.all batches may now be split across multiple pipeline HTTP requests instead of a single request, and read-after-write ordering may no longer be preserved within those mixed batches.

@upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

What's Changed

• DX-2506: add redis search into skills by @​CahidArda in upstash/redis-js#1427
• fix: rename redis search analytics demo by @​CahidArda in upstash/redis-js#1428
• DX-2555: add supply chain security settings by @​CahidArda in upstash/redis-js#1429
• fix: add version sync to ci by @​alitariksahin in upstash/redis-js#1430

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.37.0...@​upstash/redis@1.38.0-canary-20260505130836-8b3b33ccd367ba9ddb5b7f5ca33eb32ccf7e940d

• 7607549 chore: version packages (#1433)
• c71f581 DX-2577: Seperate read/write commands into seperate pipelines in auto pipelin...
• e3a23ab fix: add version sync to ci (#1430)
• 12e9a9e DX-2555: add supply chain security settings (#1429)
• f59fa75 fix: docs link
• c88b8e5 fix: rename redis search analytics demo (#1428)
• 5d8abc1 feat: add redis search into skills (#1427)
• See full diff in compare view

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

• See full diff in compare view

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Sourced from resend's releases.

v6.12.3

What's Changed

• chore(deps): update pnpm to v10.33.2 by @​renovate[bot] in resend/resend-node#940
• chore(deps): upgrade svix to silence GHSA-w5hq-g745-h8pq by @​ulrichstark in resend/resend-node#942
• fix: correct paylaod into payload typo in contacts overload signatures by @​wesleyramalho in resend/resend-node#902
• chore(deps): update dependency tsdown to v0.21.10 by @​renovate[bot] in resend/resend-node#929
• chore(deps): update dependency @​biomejs/biome to v2.4.14 by @​renovate[bot] in resend/resend-node#943
• chore: add missing suppressed event to resend node sdk interface by @​dielduarte in resend/resend-node#946
• chore: bump sdk version to 6.12.3 by @​dielduarte in resend/resend-node#947

New Contributors

• @​ulrichstark made their first contribution in resend/resend-node#942
• @​wesleyramalho made their first contribution in resend/resend-node#902
• @​dielduarte made their first contribution in resend/resend-node#946

Full Changelog: resend/resend-node@v6.12.2...v6.12.3

v6.12.2

What's Changed

• fix: add new domain statuses by @​rehanvdm in resend/resend-node#936

Full Changelog: resend/resend-node@v6.12.1...v6.12.2

v6.12.1

What's Changed

• chore(deps): update dependency typescript to v6.0.3 by @​renovate[bot] in resend/resend-node#935
• chore(deps): update dependency dotenv to v17.4.2 by @​renovate[bot] in resend/resend-node#927
• chore(deps): update dependency @​biomejs/biome to v2.4.12 by @​renovate[bot] in resend/resend-node#916
• fix(deps): update dependency next to v16.2.4 by @​renovate[bot] in resend/resend-node#911
• feat: add missing domain types: domains can be partially_verified/partially_failed by @​CarolinaMoraes in resend/resend-node#937

Full Changelog: resend/resend-node@v6.12.0...v6.12.1

v6.12.0

What's Changed

• chore(ci): use depot by @​gabrielmfern in resend/resend-node#931
• feat: preview tracking domains in resend/resend-node#932

Full Changelog: resend/resend-node@v6.11.0...v6.12.0

v6.11.0

What's Changed

• chore(ci): migrate from BuildJet to Blacksmith runners by @​lucasfcosta in resend/resend-node#907
• chore(deps): update dependency vitest to v4.1.3 by @​renovate[bot] in resend/resend-node#894
• chore(deps): update dependency @​types/node to v24.12.2 by @​renovate[bot] in resend/resend-node#906
• fix(deps): update dependency svix to v1.90.0 by @​renovate[bot] in resend/resend-node#892

... (truncated)

• 3f41290 chore: bump sdk version to 6.12.3 (#947)
• 2679c32 chore: add missing suppressed event to resend node sdk interface (#946)
• 08cb7a1 chore(deps): update dependency @​biomejs/biome to v2.4.14 (#943)
• 20741e3 chore(deps): update dependency tsdown to v0.21.10 (#929)
• 4e26bc0 fix: correct paylaod into payload typo in contacts overload signatures (#...
• 9ca7487 chore(deps): upgrade svix to silence GHSA-w5hq-g745-h8pq (#942)
• 6759d31 chore(deps): update pnpm to v10.33.2 (#940)
• b514002 fix: add new domain statuses (#936)
• 1c10dbe feat: add missing domain types: domains can be partially_verified/partially_f...
• 168443a fix(deps): update dependency next to v16.2.4 (#911)
• Additional commits viewable in compare view

Sourced from tailwind-merge's releases.

v3.6.0

New Features

• Add support for Tailwind CSS v4.3 by @​dcastil in dcastil/tailwind-merge#677
  • Add postfixLookupClassGroups option to config to support Tailwind utilities where a slash is part of the full class name, like named container queries
• Add support for readonly array values by @​unional in dcastil/tailwind-merge#652

Documentation

• Fix broken links in README by @​maurer2 in dcastil/tailwind-merge#662

Other

• Harden internal CI pipeline security by omitting git checkout by @​dcastil, suggested by @​kyletaylored in dcastil/tailwind-merge@6b2499c

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

• d54f7e5 v3.6.0
• 638871a Update README to add info about Tailwind CSS v4.3 support
• 39fc7b5 Revert "v3.6.0"
• bd8390f v3.6.0
• 802877c add v3.6.0 changelog
• a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
• 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
• 005af6d pin to specific version
• 5816ced implement breaking changes
• 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
• Additional commits viewable in compare view

Sourced from @​tailwindcss/postcss's releases.

v4.3.0

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (