chore(deps): bump @hocuspocus/server from 3.4.4 to 4.1.0 #2630

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/main/hocuspocus/server-4.1.0

dependabot[bot] commented on behalf of github on May 21, 2026

Bumps @hocuspocus/server from 3.4.4 to 4.1.0.

Release notes

Sourced from @​hocuspocus/server's releases.

v4.1.0

What's Changed

New Contributors

Full Changelog: ueberdosis/hocuspocus@v4.0.0...v4.1.0

v4.0.0

Hocuspocus v4.0 Release Notes

Hocuspocus v4 is a major release that brings cross-runtime support, improved type safety, and important bug fixes. This release focuses on making Hocuspocus run beyond Node.js -- on Bun, Deno, Cloudflare Workers, and Node with uWebSockets -- while improving the developer experience with generic Context typing and structured transaction origins.

Backward Compatibility

A v3 provider can connect to a v4 server, and a v4 provider can connect to a v3 server. The wire protocol remains compatible in both directions:

  • v3 provider -> v4 server: The server accepts plain document names (no session routing key), does not require Pong responses, and handles auth messages without a provider version string.
  • v4 provider -> v3 server: The provider defaults to sessionAwareness: false, so it sends plain document names. The extra version string in the auth message is ignored by the v3 server as trailing data. The provider does not require server-initiated Ping messages.
  • Session awareness caveat: If sessionAwareness: true is explicitly enabled on a v4 provider connecting to a v3 server, the server will treat the composite routing key (documentName\0sessionId) as a literal document name, creating unintended documents. Keep sessionAwareness: false (the default) when connecting to a v3 server.

Highlights

Cross-Runtime Support

Hocuspocus is no longer tied to the Node.js ws library. The server now uses crossws, a universal WebSocket adapter, enabling Hocuspocus to run on:

  • Node.js (with ws or uWebSockets.js)
  • Bun
  • Deno
  • Cloudflare Workers

The built-in Server class continues to work as before for Node.js users. For other runtimes, use Hocuspocus directly with handleConnection(), which now accepts any WebSocketLike object and a web-standard Request.

Generic Context Type

All core classes and hook payloads now accept a generic Context type parameter, enabling end-to-end type safety:

import { Server } from '@hocuspocus/server';

interface MyContext {
  userId: string;
  permissions: string[];
}

const server = Server.configure<MyContext>({
  async onAuthenticate({ context, token }) {
    // context is typed as MyContext
    return { userId: '123', permissions: ['read', 'write'] };
  },
});

... (truncated)

Changelog

Sourced from @​hocuspocus/server's changelog.

4.1.0 (2026-05-20)

Bug Fixes

  • server: wrap awareness origin as TransactionOrigin (#1094) (bb24de0)

Features

4.0.0 (2026-04-23)

Note: Version bump only for package hocuspocus

4.0.0-rc.7 (2026-04-22)

Bug Fixes

  • provider-react ESM now emits a clean import { jsx } from "react/jsx-runtime" and zero CJS shims (e40afd9)

4.0.0-rc.6 (2026-04-20)

Bug Fixes

  • react provider in strict mode (4f27b7f)

4.0.0-rc.5 (2026-04-16)

Features

... (truncated)

Commits
  • 702ec72 v4.1.0
  • 86b9fe6 chore: remove ws package from provider (#1098)
  • 1597da8 feat(server): add beforeHandleAwareness hook (#1096)
  • bbabe6b build(deps): bump next from 16.2.3 to 16.2.6 (#1093)
  • bb24de0 fix(server): wrap awareness origin as TransactionOrigin (#1094)
  • 3fb1c63 build(deps): bump hono from 4.12.14 to 4.12.18 (#1092)
  • c9cc578 chore: inline esm-only deps (crossws) so cjs-only module loaders work fine
  • 1c1b348 v4.0.0
  • babfca4 chore: adds per-package readme files
  • d214278 v4.0.0-rc.7
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
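
The session awareness caveat in the release notes above, as an added example that is not part of this pull request or of Hocuspocus: an audit of document names stored by a v3 server that flags composite routing keys (documentName\0sessionId) persisted as literal names. The sample names, the function names and the rule of splitting at the first NUL are assumptions.

```javascript
// Added example (not Hocuspocus code): audit document names persisted by a
// v3 server for composite routing keys of the form documentName\0sessionId.
const SEPARATOR = "\u0000";

// Split a stored name into its parts. Assumption: the first NUL is the
// separator and plain document names never contain a NUL.
function parseRoutingKey(storedName) {
  const idx = storedName.indexOf(SEPARATOR);
  if (idx === -1) return { documentName: storedName, sessionId: null };
  return {
    documentName: storedName.slice(0, idx),
    sessionId: storedName.slice(idx + 1),
  };
}

// Group stray composite-key documents under the document they were meant for.
function findUnintendedDocuments(storedNames) {
  const plain = new Set(storedNames.filter((n) => !n.includes(SEPARATOR)));
  const findings = new Map();
  for (const name of storedNames) {
    const { documentName, sessionId } = parseRoutingKey(name);
    if (sessionId === null) continue; // plain name, nothing to report
    if (!findings.has(documentName)) {
      findings.set(documentName, {
        documentName,
        intendedExists: plain.has(documentName), // is there a real doc to merge into?
        sessionIds: [],
      });
    }
    findings.get(documentName).sessionIds.push(sessionId);
  }
  return [...findings.values()];
}

// Constructed sample: names as a v3 server's storage might list them.
const sampleNames = [
  "notes/roadmap",
  `notes/roadmap${SEPARATOR}s-a1b2`,
  `notes/roadmap${SEPARATOR}s-c3d4`,
  `drafts/q3${SEPARATOR}s-e5f6`,
  "wiki/home",
];

for (const finding of findUnintendedDocuments(sampleNames)) {
  console.log(JSON.stringify(finding));
}
```

A finding with `intendedExists: false` means edits from that session never reached any plain-named document, so its content exists only in the stray copy.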

Bumps [@hocuspocus/server](https://github.com/ueberdosis/hocuspocus) from 3.4.4 to 4.1.0.
- [Release notes](https://github.com/ueberdosis/hocuspocus/releases)
- [Changelog](https://github.com/ueberdosis/hocuspocus/blob/main/CHANGELOG.md)
- [Commits](ueberdosis/hocuspocus@v3.4.4...v4.1.0)

---
updated-dependencies:
- dependency-name: "@hocuspocus/server"
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels on May 21, 2026