chore(deps)(deps): bump the minor-and-patch group across 1 directory with 23 updates

[dependabot]

Bumps the minor-and-patch group with 23 updates in the / directory:

Package	From	To
js-yaml	4.1.1	4.2.0
@vitest/coverage-v8	4.1.7	4.1.8
turbo	2.9.14	2.9.16
vitest	4.1.7	4.1.8
better-auth	1.6.11	1.6.14
mongoose	9.6.2	9.6.3
tsx	4.22.3	4.22.4
@astrojs/starlight	0.39.2	0.39.3
astro	6.3.7	6.4.4
@tanstack/react-query	5.100.14	5.101.0
@tanstack/react-router	1.170.8	1.170.11
@xyflow/react	12.10.2	12.11.0
lucide-react	1.16.0	1.17.0
react	19.2.6	19.2.7
@types/react	19.2.15	19.2.16
react-dom	19.2.6	19.2.7
@tanstack/router-plugin	1.168.11	1.168.14
vite	8.0.14	8.0.16
bullmq	5.77.2	5.78.0
ioredis	5.10.1	5.11.1
isomorphic-git	1.38.1	1.38.4
langchain	1.4.0	1.4.4
date-fns	4.3.0	4.4.0

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #62.
• Fix trailing whitespace handling when folding flow scalar lines, #307.
• Reject top-level block scalars without content indentation, #280.
• Ensure numbers survive round-trip, #737.
• Fix test coverage for issue #221.
• Fix flow scalar trailing whitespace folding, #307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

Commits

• See full diff in compare view

Updates @vitest/coverage-v8 from 4.1.7 to 4.1.8

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• See full diff in compare view

Updates turbo from 2.9.14 to 2.9.16

Release notes

Sourced from turbo's releases.

Turborepo v2.9.16

What's Changed

Changelog

• release(turborepo): 2.9.15 by @​github-actions[bot] in vercel/turborepo#12955
• fix: Avoid hanging PTY shutdown by @​anthonyshew in vercel/turborepo#12958
• fix: Retry npm tlog publish failures by @​anthonyshew in vercel/turborepo#12959
• release(turborepo): 2.9.16-canary.1 by @​anthonyshew in vercel/turborepo#12960
• fix: Preserve nested Bun dependency versions by @​anthonyshew in vercel/turborepo#12963
• Revert "fix: Preserve nested Bun dependency versions" by @​anthonyshew in vercel/turborepo#12964
• release(turborepo): 2.9.16-canary.2 by @​github-actions[bot] in vercel/turborepo#12961
• fix: Preserve nested Bun dependency versions by @​anthonyshew in vercel/turborepo#12965
• fix: Don't delete existing .git when using --no-git flag by @​anthonyshew in vercel/turborepo#12968

Full Changelog: vercel/turborepo@v2.9.15...v2.9.16

Turborepo v2.9.16-canary.2

What's Changed

Changelog

• release(turborepo): 2.9.15-canary.7 by @​github-actions[bot] in vercel/turborepo#12935
• fix: Restore a few internal invariant checks by @​anthonyshew in vercel/turborepo#12933
• fix: Improve profile tracing coverage by @​anthonyshew in vercel/turborepo#12936
• fix: Use build-scale OTel duration buckets by @​anthonyshew in vercel/turborepo#12939
• fix: Preserve pnpm injected peer package entries by @​anthonyshew in vercel/turborepo#12940
• feat: Add heap allocation profiling by @​anthonyshew in vercel/turborepo#12943
• release(turborepo): 2.9.15-canary.8 by @​anthonyshew in vercel/turborepo#12945
• docs: Correct attribute presence claims in turborepo-otel by @​adityasingh2400 in vercel/turborepo#12932
• chore(turbo-codemod): Remove duplicate "in" in transforms path comment by @​mvanhorn in vercel/turborepo#12948
• chore: Switch Geist font imports to npm geist package by @​christopherkindl in vercel/turborepo#12952
• fix: Respect root gitignore during prune by @​anthonyshew in vercel/turborepo#12953
• fix: Harden OTEL endpoint validation by @​anthonyshew in vercel/turborepo#12954
• release(turborepo): 2.9.15 by @​github-actions[bot] in vercel/turborepo#12955
• fix: Avoid hanging PTY shutdown by @​anthonyshew in vercel/turborepo#12958
• fix: Retry npm tlog publish failures by @​anthonyshew in vercel/turborepo#12959
• release(turborepo): 2.9.16-canary.1 by @​anthonyshew in vercel/turborepo#12960

New Contributors

• @​adityasingh2400 made their first contribution in vercel/turborepo#12932
• @​mvanhorn made their first contribution in vercel/turborepo#12948
• @​christopherkindl made their first contribution in vercel/turborepo#12952

Full Changelog: vercel/turborepo@v2.9.15-canary.7...v2.9.16-canary.2

Turborepo v2.9.15

... (truncated)

Commits

• 5e2d466 publish 2.9.16 to registry
• b4aa626 fix: Don't delete existing .git when using --no-git flag (#12968)
• 7952b46 fix: Preserve nested Bun dependency versions (#12965)
• 5e5b248 release(turborepo): 2.9.16-canary.2 (#12961)
• 3b1b6e9 Revert "fix: Preserve nested Bun dependency versions" (#12964)
• 8d4eaf8 fix: Preserve nested Bun dependency versions (#12963)
• 2284fa9 release(turborepo): 2.9.16-canary.1 (#12960)
• 5317f65 fix: Retry npm tlog publish failures (#12959)
• 52e81bd fix: Avoid hanging PTY shutdown (#12958)
• c85d410 release(turborepo): 2.9.15 (#12955)
• Additional commits viewable in compare view

Updates vitest from 4.1.7 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• See full diff in compare view

Updates better-auth from 1.6.11 to 1.6.14

Release notes

Sourced from better-auth's releases.

v1.6.14

better-auth

Bug Fixes

• Fixed Google One Tap authenticating the wrong user when the presented Google account was already linked to a different local user.
• Fixed null values being rejected for optional fields in the generated database schema (#9841)
• Fixed getSessionCookie to prefer the __Secure- prefixed cookie over a non-secure leftover, preventing a stale cookie from shadowing the current session (#9806)
• Fixed redirect URI validation to work on all supported runtimes and to reject URIs containing a fragment component per RFC 6749 §3.1.2 (#9845)
• Fixed organization invitation verification to restore the normal emailed-invitation flow while enforcing stricter email verification for externally controlled or predictable invitation IDs (#9877)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML Single Logout leaving the user signed in due to the logout handlers matching the session by ID instead of token.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​gustavovalverde

Full changelog: v1.6.13...v1.6.14

v1.6.13

better-auth

Features

• Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

• Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
• Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
• Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
• Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
• Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
• Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.14

Patch Changes

• #9877 2d9781a Thanks @​gustavovalverde! - Restore the normal emailed-invitation flow while documenting the stricter verification posture for organization invitations.

  Client-side listUserInvitations now always requires a verified session email because it enumerates invitation IDs from session.user.email. The requireEmailVerificationOnInvitation option now controls recipient calls that carry an invitation ID (acceptInvitation, rejectInvitation, getInvitation). When unset, Better Auth keeps the emailed-invitation sign-up flow for built-in opaque invitation IDs, including the default generator or advanced.database.generateId: "uuid", and requires verified email when invitation IDs are externally controlled or predictable, such as advanced.database.generateId: "serial" / false or custom ID generation. Apps that expose invitation IDs outside the invited user's mailbox, expose organization invitation lists to members, or require stricter ownership proof should set requireEmailVerificationOnInvitation: true or require verified email before sign-in.

• #9841 5a2d642 Thanks @​bytaesu! - Optional fields (required: false) now accept null, not just omission. The generated input validation previously rejected null even though the column is nullable, so a nullable field could not be cleared by passing null.

• #9845 13abc79 Thanks @​gustavovalverde! - Harden redirect-URI validation across the OAuth provider plugins. isSafeUrlScheme and SafeUrlSchema no longer call URL.canParse, which is absent on some supported runtimes and could throw or silently disable the dangerous-scheme check. They now parse with a try/catch fallback. SafeUrlSchema also rejects redirect URIs that contain a fragment component, per RFC 6749 §3.1.2.

• #9806 9d3450a Thanks @​bytaesu! - getSessionCookie now prefers the __Secure- cookie when both it and a non-secure cookie are present, so the non-secure cookie no longer shadows the current session cookie.

• Updated dependencies [13abc79]:

  • @​better-auth/core@​1.6.14
  • @​better-auth/drizzle-adapter@​1.6.14
  • @​better-auth/kysely-adapter@​1.6.14
  • @​better-auth/memory-adapter@​1.6.14
  • @​better-auth/mongo-adapter@​1.6.14
  • @​better-auth/prisma-adapter@​1.6.14
  • @​better-auth/telemetry@​1.6.14

1.6.13

Patch Changes

• #9813 d3919dc Thanks @​gustavovalverde! - Support server-side accountInfo calls without session headers.

  auth.api.accountInfo now accepts an optional userId, so a trusted server-side caller can read a user's provider profile without constructing session headers. This mirrors getAccessToken and refreshToken. HTTP callers still require a valid session, and a session always takes precedence over a supplied userId.

  The shared "resolve the target user, then fetch a valid access token" logic behind these three endpoints now lives in one place. As part of that, a server-side call that supplies neither a session nor a userId reports USER_ID_OR_SESSION_REQUIRED (400) consistently, rather than UNAUTHORIZED on some endpoints.

• #9591 5f282bd Thanks @​Vishesh-Verma-07! - When only secondaryStorage is configured (no primary database), storeStateStrategy now defaults to "database" instead of "cookie", preventing oversized-cookie errors on platforms like AWS Lambda. The account cookie that holds OAuth tokens in database-less setups stays enabled, so getAccessToken keeps working.

• #9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

  Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

  Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

• #9818 43c08a2 Thanks @​gustavovalverde! - Fix Google One Tap signing in the wrong user when the presented Google account is already linked to someone else. One Tap now resolves identity through the shared OAuth path, so the user who owns the Google subject is signed in, matching the redirect and signIn.social flows. Previously it matched a local user by the token's email and used the subject only to decide linking, so a Google credential owned by one user could authenticate a different user who happened to share that email.

  /account-info now resolves the account from the signed-in user's own linked accounts and accepts an optional providerId to disambiguate when two providers issue the same account ID. A colliding account ID returns a distinct AMBIGUOUS_ACCOUNT error instead of a misleading "not found", and an account with no configured social provider returns a 400 rather than a 500.

• #9838 be32012 Thanks @​gustavovalverde! - Validate the scheme of OAuth redirect_uris in the oidc-provider and mcp plugins.

  Both plugins previously accepted any string as a redirect_uri at registration. They now reject the javascript:, data:, and vbscript: schemes, which are never valid OAuth redirect targets. The @better-auth/oauth-provider package already applied this check, so this change brings the two older plugins in line with it.

... (truncated)

Commits

• 5038d41 chore: release v1.6.14 (#9846)
• 2d9781a fix(organization): split invitation verification gates (#9877)
• 5a2d642 fix: accept null for optional fields in generated schema (#9841)
• 9d3450a fix(cookies): prefer __Secure- cookie in getSessionCookie (#9806)
• a6f38c7 chore: release v1.6.13 (#9804)
• 87c1a0c fix(organization): allow null logo on create and update (#9842)
• be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
• 9c8ded6 docs(two-factor): mark viewBackupCodes as server-only in its API comment (#...
• 43c08a2 fix(account): scope OAuth account identity and fix buggy internalAdapter help...
• 23d7cbf fix(oauth): apply updateUserInfoOnLink in OAuth callback link flow (#8758)
• Additional commits viewable in compare view

Updates mongoose from 9.6.2 to 9.6.3

Release notes

Sourced from mongoose's releases.

9.6.3 / 2026-05-27

• fix(clone): isolate cloned arrays from source documents #16281 AbdelrahmanHafez
• fix(update): preserve user-provided $setOnInsert.createdAt with overwriteImmutable: true #16278 #15781 AbdelrahmanHafez
• fix(schema): always pass raw string value to error validators, only trim to 30 chars for maxlength validator #16238 #16236 #15550 #15571
• types: add $percentile to TypeScript aggregation expression types #16290 #16288
• docs: update default pool sizes on createConnection() #16295 torbiak-samdesk
• docs: improve code block copy button behavior and sidebar scrolling #16294 DraXx-Van
• docs: remove broken link to deleted schema example #16297 kaseken

Changelog

Sourced from mongoose's changelog.

9.6.3 / 2026-05-27

• fix(clone): isolate cloned arrays from source documents #16281 AbdelrahmanHafez
• fix(update): preserve user-provided $setOnInsert.createdAt with overwriteImmutable: true #16278 #15781 AbdelrahmanHafez
• fix(schema): always pass raw string value to error validators, only trim to 30 chars for maxlength validator #16238 #16236 #15550 #15571
• types: add $percentile to TypeScript aggregation expression types #16290 #16288
• docs: update default pool sizes on createConnection() #16295 torbiak-samdesk
• docs: improve code block copy button behavior and sidebar scrolling #16294 DraXx-Van
• docs: remove broken link to deleted schema example #16297 kaseken

8.24.0 / 2026-05-14

• feat(aggregate): add pipelineForUnionWith() helper to allow reusing pipelines with $unionWith in TypeScript #16247 #16041 #16033
• fix(connection): handle calling watch() on disconnected connection #16246 #16034
• types: handle compiling with exactOptionalPropertyTypes #16286 #16273

Commits

• f4d651d chore: release 9.6.3
• 5841200 docs: add section about Mongoose Studio to README
• 396607a Merge pull request #16297 from kaseken/fix/remove-broken-examples-link
• 912d164 docs: remove broken link to deleted examples/schema/schema.js
• dbaa16d Merge pull request #16296 from Automattic/fix/copy-code-lint-space
• 9cf3b58 style(docs): fix lint errors in copy-code.js
• cb2985e Merge pull request #16295 from torbiak-samdesk/maxPoolSize
• 83d1599 docs: update default pool sizes on createConnection()
• 5dc742b docs: show copy button when tabbing
• d2699d5 Merge pull request #16294 from DraXx-Van/fix-copy-button-scroll
• Additional commits viewable in compare view

Updates tsx from 4.22.3 to 4.22.4

Release notes

Sourced from tsx's releases.

v4.22.4

4.22.4 (2026-05-31)

Bug Fixes

• resolve CommonJS directory requires inside dependencies (#803) (1ce8463)

---

This release is also available on:

• npm package (@​latest dist-tag)

Commits

• 1ce8463 fix: resolve CommonJS directory requires inside dependencies (#803)
• See full diff in compare view

Updates @astrojs/starlight from 0.39.2 to 0.39.3

Release notes

Sourced from @​astrojs/starlight's releases.

@​astrojs/starlight@​0.39.3

Patch Changes

• #3910 dddf405 Thanks @​andreialba! - Improves Romanian UI translations

• #3924 02f2ce1 Thanks @​BouRock! - Improves Turkish UI translations

• #3928 11a7ed2 Thanks @​delucis! - Updates Pagefind to v1.5 and adds support for Pagefind’s new diacriticSimilarity and metaWeights advanced ranking options

• #3927 e944870 Thanks @​HiDeoo! - Refactors internal file path handling for Starlight content collections.

Changelog

Sourced from @​astrojs/starlight's changelog.

0.39.3

Patch Changes

• #3910 dddf405 Thanks @​andreialba! - Improves Romanian UI translations

• #3924 02f2ce1 Thanks @​BouRock! - Improves Turkish UI translations

• #3928 11a7ed2 Thanks @​delucis! - Updates Pagefind to v1.5 and adds support for Pagefind’s new diacriticSimilarity and metaWeights advanced ranking options

• #3927 e944870 Thanks @​HiDeoo! - Refactors internal file path handling for Starlight content collections.

Commits

• 668a467 [ci] release (#3913)
• 11a7ed2 Add support for new Pagefind ranking options (#3928)
• 02f2ce1 Update Turkish translations (#3924)
• e944870 Refactor getCollectionPosixPath() (#3927)
• dddf405 fix: improve Romanian UI translations (#3910)
• 1b5f399 CI/E2E tests improvements (#3901)
• d1d7452 Fix inaccurate comment on :lang selectors (#3893)
• See full diff in compare view

Updates astro from 6.3.7 to 6.4.4

Release notes

Sourced from astro's releases.

astro@6.4.4

Patch Changes

• #16926 1b39ae8 Thanks @​narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

• #16924 2c0bc94 Thanks @​astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

• #16958 2c1d50f Thanks @​fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

• #16855 c610cda Thanks @​astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

• #16946 606c37b Thanks @​ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

• #16720 16d49b6 Thanks @​thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

• #16703 17390a6 Thanks @​henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

• #16855 c610cda Thanks @​astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

astro@6.4.3

Patch Changes

• #16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

• #16016 0d85e1b Thanks @​felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

• #16911 79c6c46 Thanks @​astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

• #16899 239c469 Thanks @​matthewp! - Fixes a false "does not call the middleware() handler" warning when using astro() in a custom src/app.ts and the first request is a redirect route.

• #16887 493acdb Thanks @​astrobot-houston! - Fixes redirectToDefaultLocale not working after the Advanced Routing refactoring.

• #16908 ef53ab9 Thanks @​florian-lefebvre! - Improves optimized fallbacks generation when using the Fonts API by using better metrics for bold variants

astro@6.4.2

Patch Changes

• #16889 b94bcfd Thanks @​Princesseuh! - Fixes a plugins is not iterable crash when using a pre-6.0 @astrojs/mdx alongside integrations (e.g. Starlight) that set markdown.remarkPlugins, markdown.rehypePlugins, or markdown.remarkRehype.

• #16878 b9f6bb9 Thanks @​fkatsuhiro! - Fixes an issue where on-demand (SSR) dynamic routes would return 404 when a prerendered dynamic route with the same URL pattern was sorted first alphabetically. In production builds with @astrojs/node adapter, if [a_prebuild].astro (prerender=true) came before [b_ssr].astro alphabetically, requests to URLs not in the prerendered route's static paths would 404 instead of falling through to the SSR route. The fix adds fallthrough logic so that when a prerendered dynamic route matches but can't serve the request, Astro tries subsequent matching routes.

astro@6.4.0

Minor Changes

• #16468 4cff3a1 Thanks @​matthewp! - Adds a new preserveBuildServerDir adapter feature

  Adapters can now set preserveBuildServerDir: true in their adapter features to keep the dist/server/ directory structure for static builds, mirroring the existing preserveBuildClientDir option. This is useful for adapters that require a consistent dist/client/ and dist/server/ layout regardless of build output type.

  setAdapter({

... (truncated)

Changelog

Sourced from astro's changelog.

6.4.4

Patch Changes

• #16926 1b39ae8 Thanks @​narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

• #16924 2c0bc94 Thanks @​astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

• #16958 2c1d50f Thanks @​fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

• #16855 c610cda Thanks @​astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

• #16946 606c37b Thanks @​ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

• #16720 16d49b6 Thanks @​thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

• #16703 17390a6 Thanks @​henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

• #16855 c610cda Thanks @​astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

6.4.3

Patch Changes

• #16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

• #16016 0d85e1b Thanks @​felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

• #16911 79c6c46 Thanks @​astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

• #16899 Description has been truncated

  ---

  [!NOTE]
  Low Risk
  Version-only changes with no logic edits; validate with CI/build, with slightly more attention to auth (better-auth) and YAML parsing (js-yaml) behavior.

  Overview
  Bumps minor/patch dependency versions across the monorepo by editing package.json only—no application source changes.

  Auth & data: better-auth 1.6.11 → 1.6.14 on apps/api and apps/frontend; mongoose 9.6.2 → 9.6.3 on API and @archmax/core; js-yaml 4.1.1 → 4.2.0 at the root, API, and core (YAML used for semantic-model files and migrations).

  Apps: Frontend gets TanStack Query/Router, React 19.2.7, @xyflow/react, and matching better-auth/icons; worker gets bullmq 5.78.0 and vitest 4.1.8; docs get Astro 6.4.4 and Starlight 0.39.3.

  Shared tooling: Root turbo 2.9.16 and vitest/@vitest/coverage-v8 4.1.8; core also bumps langchain, isomorphic-git, and bullmq; @archmax/ui bumps date-fns and lucide-react.

  ^{Reviewed by} Cursor Bugbot for commit 503075b. Bugbot is set up for automated code reviews on this repo. Configure here.

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[cursor]

Security review completed for PR #65.

I found no new concrete issues in the changed files. The PR only updates existing dependency versions in the package manifests and pnpm-lock.yaml; no MCP route, query execution, auth, API handler, or secret-handling source code is changed.

Surfaces checked:

• MCP endpoint auth: verified current /mcp/:slug/* flow authenticates bearer token + project before registering/running tools, re-authenticates resumed sessions, and scopes model access through token scopes.
• Query execution sandboxing: verified execute_query still goes through AST validation before DuckDB prepare/run, materializes scoped model VIEWs, hardens the connection, enforces timeout/concurrency, and caps results at 1000 rows.
• Admin auth: verified BETTER_AUTH_SECRET remains z.string().min(32), production cookies are HttpOnly, Secure, and SameSite=Lax, and state-changing /api/* routes run CSRF/origin checks after Better Auth routes.
• API input validation and secrets: spot-checked relevant Hono routes and redaction paths; the dependency bump does not add new unvalidated input paths or secret exposure.
• Dependency exposure: ran pnpm audit --prod on both this PR and base commit 0ea0950; both report the same 12 advisories (markitdown-ts transitives plus ws/uuid), so this PR does not introduce new audit findings.

  

_{Sent by Cursor Automation: archmax Security Review}