
chore(deps): bump the minor-and-patch group across 1 directory with 15 updates #6

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/minor-and-patch-23c8ec5cf3

dependabot[bot] commented on behalf of github, Jun 2, 2026

Bumps the minor-and-patch group with 15 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @next/mdx | 16.2.6 | 16.2.7 |
| @tanstack/react-virtual | 3.13.26 | 3.14.1 |
| better-auth | 1.6.12 | 1.6.13 |
| convex | 1.39.1 | 1.40.0 |
| fuse.js | 7.4.0 | 7.4.1 |
| next | 16.2.6 | 16.2.7 |
| react | 19.2.6 | 19.2.7 |
| @types/react | 19.2.15 | 19.2.16 |
| react-dom | 19.2.6 | 19.2.7 |
| sugar-high | 1.2.0 | 1.2.1 |
| @types/react | 19.2.15 | 19.2.16 |
| @vitest/coverage-v8 | 4.1.7 | 4.1.8 |
| concurrently | 10.0.0 | 10.0.3 |
| shadcn | 4.8.3 | 4.10.0 |
| vite | 8.0.14 | 8.0.16 |
| vitest | 4.1.7 | 4.1.8 |

Updates @next/mdx from 16.2.6 to 16.2.7

Release notes

Sourced from @​next/mdx's releases.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Backport documentation fixes for v16.2 (#93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
  • [backport] Propagate adapter preferred regions (#94200)
  • [16.2.x] Don't drop FormData entries (#94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

Updates @tanstack/react-virtual from 3.13.26 to 3.14.1

Release notes

Sourced from @​tanstack/react-virtual's releases.

@​tanstack/react-virtual@​3.14.1

Patch Changes

  • Updated dependencies [c746841]:
    • @​tanstack/virtual-core@​3.16.1

@​tanstack/react-virtual@​3.14.0

Minor Changes

  • Add opt-in direct DOM updates for scroll positioning with directDomUpdates, directDomUpdatesMode, and containerRef. (#1180)
Changelog

Sourced from @​tanstack/react-virtual's changelog.

3.14.1

Patch Changes

  • Updated dependencies [c746841]:
    • @​tanstack/virtual-core@​3.16.1

3.14.0

Minor Changes

  • Add opt-in direct DOM updates for scroll positioning with directDomUpdates, directDomUpdatesMode, and containerRef. (#1180)
Commits

Updates better-auth from 1.6.12 to 1.6.13

Release notes

Sourced from better-auth's releases.

v1.6.13

better-auth

Features

  • Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

  • Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
  • Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
  • Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
  • Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
  • Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
  • Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAML Single Logout leaving the user signed in due to session deletion matching on row ID instead of session token
  • Fixed ambiguous internalAdapter helper methods that could silently match the wrong account or wipe all sessions for a user (#9818)
  • Fixed a high-severity XML injection vulnerability in signed SAML assertions by updating samlify to 2.13.1 (GHSA-34r5-q4jw-r36m) (#9821)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Fixed verifyApiKey rejecting keys created under a non-default configId when the request omitted configId (#9794)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

  • Fixed a silent failure in consumeOne when an adapter's deleteMany returned a non-numeric value, now surfacing a clear error (#9831)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

  • Fixed sign-in being lost on Expo when a provider issues large tokens, by splitting oversized account cookies across multiple storage keys (#9815)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.13

Patch Changes

  • #9813 d3919dc Thanks @​gustavovalverde! - Support server-side accountInfo calls without session headers.

    auth.api.accountInfo now accepts an optional userId, so a trusted server-side caller can read a user's provider profile without constructing session headers. This mirrors getAccessToken and refreshToken. HTTP callers still require a valid session, and a session always takes precedence over a supplied userId.

    The shared "resolve the target user, then fetch a valid access token" logic behind these three endpoints now lives in one place. As part of that, a server-side call that supplies neither a session nor a userId reports USER_ID_OR_SESSION_REQUIRED (400) consistently, rather than UNAUTHORIZED on some endpoints.

  • #9591 5f282bd Thanks @​Vishesh-Verma-07! - When only secondaryStorage is configured (no primary database), storeStateStrategy now defaults to "database" instead of "cookie", preventing oversized-cookie errors on platforms like AWS Lambda. The account cookie that holds OAuth tokens in database-less setups stays enabled, so getAccessToken keeps working.

  • #9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

    Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

    Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

  • #9818 43c08a2 Thanks @​gustavovalverde! - Fix Google One Tap signing in the wrong user when the presented Google account is already linked to someone else. One Tap now resolves identity through the shared OAuth path, so the user who owns the Google subject is signed in, matching the redirect and signIn.social flows. Previously it matched a local user by the token's email and used the subject only to decide linking, so a Google credential owned by one user could authenticate a different user who happened to share that email.

    /account-info now resolves the account from the signed-in user's own linked accounts and accepts an optional providerId to disambiguate when two providers issue the same account ID. A colliding account ID returns a distinct AMBIGUOUS_ACCOUNT error instead of a misleading "not found", and an account with no configured social provider returns a 400 rather than a 500.

  • #9838 be32012 Thanks @​gustavovalverde! - Validate the scheme of OAuth redirect_uris in the oidc-provider and mcp plugins.

    Both plugins previously accepted any string as a redirect_uri at registration. They now reject the javascript:, data:, and vbscript: schemes, which are never valid OAuth redirect targets. The @better-auth/oauth-provider package already applied this check, so this change brings the two older plugins in line with it.

    The redirect-URI scheme policy now lives in @better-auth/core as a single SafeUrlSchema and an isSafeUrlScheme helper, and the OAuth provider plugins share that one implementation. The client navigation helpers (redirectPlugin, one-tap, and two-factor) also skip navigation when the target uses one of these schemes.

    The change is non-breaking. The http, https, loopback, and custom application schemes still register unchanged. Both oidc-provider and mcp are on the migration path to @better-auth/oauth-provider, which remains the route to its stricter HTTPS-or-loopback policy.

  • #9842 87c1a0c Thanks @​bytaesu! - You can now clear an organization's logo by passing logo: null to createOrganization and updateOrganization. Previously only a string was accepted, so an existing logo could not be removed.

  • #9822 9c8ded6 Thanks @​gustavovalverde! - Document viewBackupCodes as a server-only function so its API comment no longer reads like an HTTP route.

    The JSDoc above auth.api.viewBackupCodes advertised POST /two-factor/view-backup-codes, but the endpoint is server-only: it is not registered on the HTTP router and has no client method. The comment now states that it is callable only from trusted server code and that the userId should come from an authenticated session.

  • #8758 23d7cbf Thanks @​bytaesu! - Apply accountLinking.updateUserInfoOnLink across every OAuth link flow.

    Enabling updateUserInfoOnLink only synced the user's profile when linking through a direct ID token. Linking through the standard OAuth redirect (linkSocial, the generic OAuth oauth2.link endpoint, and implicit linking on social sign-in) ignored the option, so the name and image never changed. Every link path now honors it.

    The synced fields match the sign-up path: name, image, and any fields your mapProfileToUser adds. The local email and emailVerified are never changed on a link, so linking a provider cannot rebind the account's identity.

    Implicit linking on social sign-in also returned the pre-update user, so the freshly issued session served stale profile data from its cookie cache until the cache expired. The new session now carries the updated profile.

  • Updated dependencies [43c08a2, 5c3e248]:

    • @​better-auth/core@​1.6.13
    • @​better-auth/drizzle-adapter@​1.6.13
    • @​better-auth/kysely-adapter@​1.6.13
    • @​better-auth/memory-adapter@​1.6.13
    • @​better-auth/mongo-adapter@​1.6.13

... (truncated)

Commits
  • a6f38c7 chore: release v1.6.13 (#9804)
  • 87c1a0c fix(organization): allow null logo on create and update (#9842)
  • be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
  • 9c8ded6 docs(two-factor): mark viewBackupCodes as server-only in its API comment (#...
  • 43c08a2 fix(account): scope OAuth account identity and fix buggy internalAdapter help...
  • 23d7cbf fix(oauth): apply updateUserInfoOnLink in OAuth callback link flow (#8758)
  • d3919dc feat(account): support server-side accountInfo calls without session header...
  • 5f282bd fix(account): default storeStateStrategy to "database" when using `secondar...
  • See full diff in compare view

Updates convex from 1.39.1 to 1.40.0

Changelog

Sourced from convex's changelog.

1.40.0

  • You can now create a local deployment in a specific Convex cloud project with npx convex deployment create team-slug:project-slug:local.
  • You can now move a local deployment to another cloud project using npx convex deployment select team-slug:project-slug:local. This command warns when it moves the deployment to another project.
  • The CLI now shows more clearly which deployment is targeted when running commands such as npx convex dev and npx convex deploy.
  • Added a new <AuthRefreshing /> helper component, used to show indicators when function calls are paused because the authentication token is refreshing.
  • Removed --local and --cloud flags from npx convex dev. The behavior of these flags was misleading when a deployment was already selected. Instead, use npx convex deployment select local to use a local deployment, and npx convex deployment select dev to use your personal cloud dev deployment.
  • The CLI now provides guidance when TypeScript type checking is taking too long.
  • Improved the CLI command documentation to include more details and examples.
  • npx convex logs: --tail is now accepted as an alias for the --history flag.
  • When creating a local deployment, the CLI now skips importing the default environment variables from the Convex cloud project if you don’t have permission to view the default environment variables instead of crashing.
Commits

Updates fuse.js from 7.4.0 to 7.4.1

Release notes

Sourced from fuse.js's releases.

v7.4.1

Bug Fixes

  • types: ship TypeScript declarations for fuse.js/worker (572ad1e), closes #828
  • types: add TypeScript declarations for fuse.js/worker-script (6ef6c33), closes #828

Both worker subpaths now resolve types under node16/nodenext and bundler module resolution.

Changelog

Sourced from fuse.js's changelog.

7.4.1 (2026-06-02)

Bug Fixes

  • types: add TypeScript declarations for fuse.js/worker-script (6ef6c33), closes #828
  • types: ship TypeScript declarations for fuse.js/worker (572ad1e), closes #828
Commits
  • ce75998 chore(release): 7.4.1
  • e842baf test(types): guard that every exports subpath resolves to declarations
  • 6ef6c33 fix(types): add TypeScript declarations for fuse.js/worker-script
  • ef3e96d refactor(workers): type workerUrl as string | URL
  • 572ad1e fix(types): ship TypeScript declarations for fuse.js/worker
  • 0db224b chore: ignore .antigravitycli/
  • 6f40ee5 docs(site): show current version in navbar
  • c83a9c2 docs: drop stale TOKEN_SEARCH.md, link README to fusejs.io/token-search
  • 7e16249 docs: drop beta callouts after 7.4.0 stable release
  • b576446 chore: bump doc versions to 7.4.0
  • See full diff in compare view

Updates next from 16.2.6 to 16.2.7

Release notes

Sourced from next's releases.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Backport documentation fixes for v16.2 (#93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
  • [backport] Propagate adapter preferred regions (#94200)
  • [16.2.x] Don't drop FormData entries (#94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits
  • 9bd3c26 v16.2.7
  • c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
  • 63115c7 [16.2.x] Don't drop FormData entries (#94240)
  • aef22fd [backport] Propagate adapter preferred regions (#94200)
  • f126e72 [backport] Fix "type: module" in project dir when using standalone or adapter...
  • bda3e2a [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • 7e16e07 [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • 6139f4b [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • c021d10 [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • 9184ddb [backport] Fix catch-all router.query corruption with basePath + `rewrite...
  • Additional commits viewable in compare view

Updates react from 19.2.6 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.


Updates @types/react from 19.2.15 to 19.2.16

Commits

Updates react-dom from 19.2.6 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.


Updates sugar-high from 1.2.0 to 1.2.1

Commits

Updates @types/react from 19.2.15 to 19.2.16

Commits

Updates @vitest/coverage-v8 from 4.1.7 to 4.1.8

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • See full diff in compare view

Updates concurrently from 10.0.0 to 10.0.3

Release notes

Sourced from concurrently's releases.

v10.0.3

Republish of https://github.com/open-cli-tools/concurrently/releases/tag/v10.0.1 with Trusted Publishing enabled (see #595)

Full Changelog: open-cli-tools/concurrently@v10.0.2...v10.0.3

v10.0.2

Test version to restore Trusted Publishing. Not published to npm.

v10.0.1

  • Ensure FlowController type is exported - #594

Full Changelog: open-cli-tools/concurrently@v10.0.0...v10.0.1

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for concurrently since your current version.


Updates shadcn from 4.8.3 to 4.10.0

Release notes

Sourced from shadcn's releases.

shadcn@4.10.0

Minor Changes

shadcn@4.9.0

Minor Changes

Changelog

Sourced from shadcn's changelog.

4.10.0

Minor Changes

4.9.0

Minor Changes

Commits

Updates vite from 8.0.14 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

8.0.15 (2026-06-01)

Features

Bug Fixes

  • capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
  • deps: update all non-major dependencies (#22511) (2686d7d)
  • dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
  • glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
  • optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
  • resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

Code Refactoring

Commits

Updates vitest from 4.1.7 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 2, 2026
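
The `redirect_uri` scheme check described in the better-auth 1.6.13 changelog entry for #9838 above, as an added example that is not part of this pull request and is not better-auth's implementation. It contrasts a raw string-prefix check with one that decides on the scheme reported by the WHATWG URL parser; `naiveIsAllowed`, `checkRedirectUri` and `validateRegistration` are hypothetical names, the sample URIs are constructed, and rejecting non-absolute input is an assumption of this example.

```javascript
// Added example, not better-auth's code. All function names here are
// hypothetical and all sample URIs are constructed for illustration.

// Schemes the changelog entry says are never valid OAuth redirect targets.
const BLOCKED_SCHEMES = new Set(["javascript:", "data:", "vbscript:"]);

// Weak form: case-sensitive prefix match on the raw string. It misses
// mixed-case schemes and input the URL parser normalises before use.
function naiveIsAllowed(redirectUri) {
  return ![...BLOCKED_SCHEMES].some((scheme) => redirectUri.startsWith(scheme));
}

// Stronger form: decide on the scheme the WHATWG URL parser reports. The
// parser lower-cases the scheme, strips leading and trailing spaces and
// control characters, and removes ASCII tab and newline characters, so the
// check sees the same scheme a browser would navigate to.
function checkRedirectUri(redirectUri) {
  if (typeof redirectUri !== "string") {
    return { ok: false, reason: "not_a_string" };
  }
  let parsed;
  try {
    parsed = new URL(redirectUri); // throws on relative or malformed input
  } catch {
    // Assumption of this example: a registered redirect_uri must be absolute.
    return { ok: false, reason: "not_an_absolute_url" };
  }
  if (BLOCKED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "blocked_scheme", scheme: parsed.protocol };
  }
  // http, https, loopback and custom application schemes pass unchanged.
  return { ok: true, scheme: parsed.protocol };
}

// Registration-time gate: the registration is accepted only if every
// redirect URI passes, and each failure is reported with its reason.
function validateRegistration(redirectUris) {
  const rejected = [];
  for (const uri of redirectUris) {
    const result = checkRedirectUri(uri);
    if (!result.ok) rejected.push({ uri, reason: result.reason });
  }
  return { accepted: rejected.length === 0, rejected };
}

// Constructed sample registrations.
const SAMPLE_OK = [
  "https://app.example.com/callback",
  "http://127.0.0.1:3000/callback", // loopback
  "com.example.app:/oauth2redirect", // custom application scheme
];
const SAMPLE_BAD = [
  "javascript:void(0)",
  "JavaScript:void(0)", // mixed case
  " data:text/plain,x", // leading space
  "vb\nscript:x", // embedded newline
  "/relative/callback", // not absolute
];

// Side-by-side verdicts of both checks for the rejected samples.
function compareChecks(uris) {
  return uris.map((uri) => ({
    uri: JSON.stringify(uri),
    naiveAllows: naiveIsAllowed(uri),
    parserAllows: checkRedirectUri(uri).ok,
  }));
}

console.table(compareChecks(SAMPLE_BAD));
```
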

vercel Bot commented Jun 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| stackmatch | Ready | Preview, Comment | Jun 2, 2026 4:45am |


…5 updates

Bumps the minor-and-patch group with 15 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@next/mdx](https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx) | `16.2.6` | `16.2.7` |
| [@tanstack/react-virtual](https://github.com/TanStack/virtual/tree/HEAD/packages/react-virtual) | `3.13.26` | `3.14.1` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.12` | `1.6.13` |
| [convex](https://github.com/get-convex/convex-backend/tree/HEAD/npm-packages/convex) | `1.39.1` | `1.40.0` |
| [fuse.js](https://github.com/krisk/Fuse) | `7.4.0` | `7.4.1` |
| [next](https://github.com/vercel/next.js) | `16.2.6` | `16.2.7` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.6` | `19.2.7` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.15` | `19.2.16` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.6` | `19.2.7` |
| [sugar-high](https://github.com/huozhi/sugar-high/tree/HEAD/packages/sugar-high) | `1.2.0` | `1.2.1` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.15` | `19.2.16` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.7` | `4.1.8` |
| [concurrently](https://github.com/open-cli-tools/concurrently) | `10.0.0` | `10.0.3` |
| [shadcn](https://github.com/shadcn-ui/ui/tree/HEAD/packages/shadcn) | `4.8.3` | `4.10.0` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.14` | `8.0.16` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.7` | `4.1.8` |



Updates `@next/mdx` from 16.2.6 to 16.2.7
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.7/packages/next-mdx)

Updates `@tanstack/react-virtual` from 3.13.26 to 3.14.1
- [Release notes](https://github.com/TanStack/virtual/releases)
- [Changelog](https://github.com/TanStack/virtual/blob/main/packages/react-virtual/CHANGELOG.md)
- [Commits](https://github.com/TanStack/virtual/commits/@tanstack/react-virtual@3.14.1/packages/react-virtual)

Updates `better-auth` from 1.6.12 to 1.6.13
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.13/packages/better-auth)

Updates `convex` from 1.39.1 to 1.40.0
- [Release notes](https://github.com/get-convex/convex-backend/releases)
- [Changelog](https://github.com/get-convex/convex-backend/blob/main/npm-packages/convex/CHANGELOG.md)
- [Commits](https://github.com/get-convex/convex-backend/commits/HEAD/npm-packages/convex)

Updates `fuse.js` from 7.4.0 to 7.4.1
- [Release notes](https://github.com/krisk/Fuse/releases)
- [Changelog](https://github.com/krisk/Fuse/blob/main/CHANGELOG.md)
- [Commits](krisk/Fuse@v7.4.0...v7.4.1)

Updates `next` from 16.2.6 to 16.2.7
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.6...v16.2.7)

Updates `react` from 19.2.6 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `@types/react` from 19.2.15 to 19.2.16
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.2.6 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `sugar-high` from 1.2.0 to 1.2.1
- [Release notes](https://github.com/huozhi/sugar-high/releases)
- [Commits](https://github.com/huozhi/sugar-high/commits/v1.2.1/packages/sugar-high)

Updates `@types/react` from 19.2.15 to 19.2.16
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `@vitest/coverage-v8` from 4.1.7 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/coverage-v8)

Updates `concurrently` from 10.0.0 to 10.0.3
- [Release notes](https://github.com/open-cli-tools/concurrently/releases)
- [Commits](open-cli-tools/concurrently@v10.0.0...v10.0.3)

Updates `shadcn` from 4.8.3 to 4.10.0
- [Release notes](https://github.com/shadcn-ui/ui/releases)
- [Changelog](https://github.com/shadcn-ui/ui/blob/main/packages/shadcn/CHANGELOG.md)
- [Commits](https://github.com/shadcn-ui/ui/commits/shadcn@4.10.0/packages/shadcn)

Updates `vite` from 8.0.14 to 8.0.16
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

Updates `vitest` from 4.1.7 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest)

---
updated-dependencies:
- dependency-name: "@next/mdx"
  dependency-version: 16.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-virtual"
  dependency-version: 3.14.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: better-auth
  dependency-version: 1.6.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: concurrently
  dependency-version: 10.0.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: convex
  dependency-version: 1.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: fuse.js
  dependency-version: 7.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: next
  dependency-version: 16.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: shadcn
  dependency-version: 4.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: sugar-high
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/minor-and-patch-23c8ec5cf3 branch from 1cbd898 to 5af3a4d Compare June 2, 2026 04:42