fix(deps): update non-major updates

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@eslint/js (source)	9.39.1 → 9.39.4			devDependencies	patch
@hookform/resolvers (source)	5.2.2 → 5.4.0			dependencies	minor
@livekit/components-react (source)	2.9.17 → 2.9.21			dependencies	patch
@playwright/test (source)	1.57.0 → 1.61.0			devDependencies	minor
@reduxjs/toolkit (source)	2.10.1 → 2.12.0			dependencies	minor
@types/node (source)	24.10.1 → 24.13.2			devDependencies	minor
@types/react (source)	19.2.5 → 19.2.17			devDependencies	patch
@vitejs/plugin-react (source)	5.1.1 → 5.2.0			devDependencies	minor
BCrypt.Net-Next	4.0.3 → 4.2.0			nuget	minor
DotNetEnv	3.1.1 → 3.2.0			nuget	minor
Livekit.Server.Sdk.Dotnet	1.0.8 → 1.2.2			nuget	minor
Microsoft.AspNetCore.Authentication.JwtBearer (source)	9.0.10 → 9.0.17			nuget	patch
Microsoft.AspNetCore.OpenApi (source)	9.0.10 → 9.0.17			nuget	patch
Microsoft.AspNetCore.SignalR.StackExchangeRedis (source)	9.0.10 → 9.0.17			nuget	patch
Microsoft.EntityFrameworkCore.Design (source)	9.0.10 → 9.0.17			nuget	patch
Microsoft.EntityFrameworkCore.InMemory (source)	9.0.0 → 9.0.17			nuget	patch
Microsoft.EntityFrameworkCore.SqlServer (source)	9.0.10 → 9.0.17			nuget	patch
Microsoft.EntityFrameworkCore.Tools (source)	9.0.10 → 9.0.17			nuget	patch
Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore (source)	9.0.10 → 9.0.17			nuget	patch
Microsoft.NET.Test.Sdk	17.12.0 → 17.14.1			nuget	minor
Minio	6.0.3 → 6.0.5			nuget	patch
StackExchange.Redis (source)	2.9.32 → 2.13.17			nuget	minor
System.IdentityModel.Tokens.Jwt	8.10.0 → 8.19.1			nuget	minor
actions/checkout	v6.0.1 → v6.0.3			action	patch
actions/setup-dotnet	v5.0.1 → v5.3.0			action	minor
actions/setup-node	v6.1.0 → v6.4.0			action	minor
appleboy/ssh-action	v1.2.4 → v1.2.5			action	patch
autoprefixer	10.4.22 → 10.5.0			devDependencies	minor
axios (source)	1.16.0 → 1.18.0			dependencies	minor
coturn/coturn	161cedd → 6a1d1a2				digest
coverlet.collector	6.0.2 → 6.0.4			nuget	patch
docker/build-push-action	v6.18.0 → v6.19.2			action	minor
docker/login-action	v3.6.0 → v3.7.0			action	minor
eslint (source)	9.39.1 → 9.39.4			devDependencies	patch
eslint-plugin-react-hooks (source)	7.0.1 → 7.1.1			devDependencies	minor
eslint-plugin-react-refresh	^0.4.24 → ^0.5.0			devDependencies	minor
lint-staged	16.2.7 → 16.4.0			devDependencies	minor
livekit-client	2.16.1 → 2.19.2			dependencies	minor
lucide-react (source)	^0.553.0 → ^0.577.0			dependencies	minor
nginx	8b1e787 → d565d19			final	digest
playwright (source)	1.57.0 → 1.61.0			devDependencies	minor
postcss (source)	8.5.10 → 8.5.15			devDependencies	patch
react (source)	19.2.0 → 19.2.7			dependencies	patch
react-dom (source)	19.2.0 → 19.2.7			dependencies	patch
react-hook-form (source)	7.66.0 → 7.79.0			dependencies	minor
react-redux	9.2.0 → 9.3.0			dependencies	minor
react-router-dom (source)	7.9.6 → 7.18.0			dependencies	minor
tailwind-merge	3.4.0 → 3.6.0			dependencies	minor
tailwindcss (source)	3.4.0 → 3.4.19			devDependencies	patch
typescript-eslint (source)	8.46.4 → 8.61.1			devDependencies	minor
xunit	2.9.2 → 2.9.3			nuget	patch
zod (source)	4.1.12 → 4.4.3			dependencies	minor

---

Release Notes

eslint/eslint (@​eslint/js)

v9.39.4

Compare Source

v9.39.3

Compare Source

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (#​20504) (sethamus)

Chores

• 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#​20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (#​20453) (Milos Djermanovic)

v9.39.2

Compare Source

react-hook-form/resolvers (@​hookform/resolvers)

v5.4.0

Compare Source

Features

• feat: add ata-validator resolver (#​845)

Fixes

• fix issue with toNestErrors.ts (#​848)

• add guidance on passing context to yupResolver (useForm context) (#​835) (3d29924)

livekit/components-js (@​livekit/components-react)

v2.9.21

Compare Source

Patch Changes

• Invalidate tokens originating from a cached token source after first usage - #​1309 (@​lukasIO)

• Adds new "encryption" field to useSession - #​1317 (@​1egoman)

• fix and simplify agent attribute update hook with direct participant reference - #​1307 (@​chenghao-mou)

• Handle renamed e2ee -> encryption key in room options serializer - dd9a4f4d27d0d1462265e9fc83704d161eac06a2 (@​afgarcia86)

• Add new useRpc hook - #​1314 (@​1egoman)

v2.9.20

Compare Source

Patch Changes

• Remove misleading useIsMuted docs example - #​1281 (@​1egoman)

• Updated dependencies [f40ba89c44b57ca8004d0ccc45ab3e63de0cd4e5, 176749aa10fc9807da985ec41b7442761c56f83b]:

  • @​livekit/components-core@​0.12.13

v2.9.19

Patch Changes

• Revert unintentional classname change on BarVisualizer - #​1271 (@​thomasyuill-livekit)

microsoft/playwright (@​playwright/test)

v1.61.0

Compare Source

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();

// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
  id: credentialId,
  userHandle,
  privateKey,
  publicKey,
});
await context.credentials.install();

const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

• apiResponse.securityDetails() and apiResponse.serverAddr() mirror the browser-side response.securityDetails() and response.serverAddr().

Browser and Screencast

• New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
• New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
• The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.

Test runner

• The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
• Supported expect.soft.poll(...).
• New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
• New fullConfig.failOnFlakyTests mirrors the config option, so reporters can explain why a flaky run failed.
• testInfo.errors now lists each sub-error of an AggregateError as a separate entry.
• New -G command line shorthand for --grep-invert.

🛠️ Other improvements

• Playwright now supports Ubuntu 26.04.
• HAR and trace recordings now include WebSocket requests.

Browser Versions

• Chromium 149.0.7827.55
• Mozilla Firefox 151.0
• WebKit 26.5

This version was also tested against the following stable channels:

• Google Chrome 149
• Microsoft Edge 149

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

• Event browser.on('context') — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browserContext.on('download'), browserContext.on('frameattached'), browserContext.on('framedetached'), browserContext.on('framenavigated'), browserContext.on('pageclose'), browserContext.on('pageload').

Locators and Assertions

• New option description in page.getByRole() / locator.getByRole() / frame.getByRole() / frameLocator.getByRole() for matching the accessible description.
• New option pseudo in expect(locator).toHaveCSS() reads computed styles from ::before or ::after.
• New option style in locator.highlight() applies extra inline CSS to the highlight overlay, plus new page.hideHighlight() to clear all highlights.

Network

• webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
• New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.

Errors and Reporting

• New webError.location() mirrors consoleMessage.location().
• consoleMessage.location() now exposes line / column properties (lineNumber / columnNumber are deprecated).
• New testInfoError.errorContext surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an expect(...) matcher failure.
• reporter.onError() now receives a workerInfo argument with details about the worker for fixture teardown errors.

Test runner

• New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
• Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

• HTML reporter:
  • npx playwright show-report accepts .zip files directly — no need to unzip first.
  • Steps that contain attachments inside nested children show an indicator on the parent step.
  • The repeatEachIndex is shown in the test header when non-zero.
• Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

• Removed long-deprecated APIs:
  • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
  • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
  • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
  • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

This version was also tested against the following stable channels:

• Google Chrome 147
• Microsoft Edge 147

v1.59.1

Compare Source

v1.59.0

Compare Source

v1.58.2

Compare Source

v1.58.1

Compare Source

Highlights

#​39036 fix(msedge): fix local network permissions
#​39037 chore: update cft download location
#​38995 chore(webkit): disable frame sessions on fronzen builds

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.0

Compare Source

reduxjs/redux-toolkit (@​reduxjs/toolkit)

v2.12.0

Compare Source

This feature release adds RTK usage skills files (via TanStack Intent) exports the RTK Query hook options types for reusability, fixes issues with infinite query status flags and batching handling, and makes some small TS improvements.

Changelog

Skills Files

We've generated agent skill files that are now included in the RTK package itself in a skills folder. They cover using and migrating to modern RTK, client and server state management, and handling side effects. You can point your agent at these skills yourself, or use TanStack Intent to pick them up.

TypeScript Improvements

The types for our RTK Query hook options are now exported, which lets you stop using Parameters to extract those types for use in your own code.

The types for listener middleware matchers were tweaked to allow interface-based type guards, not just type-based definitions.

The internal IgnorePaths type was renamed to IgnoredPaths for consistency.

We now use the built-in NoInfer util that comes with TS 5.4+.

Fixes

We fixed handling of the isSuccess status flag when switching infinite query cache entries. This should prevent accidental UI flashes that were occurring due to this flag accidentally flipping.

We've added a 100ms timeout fallback to the autoBatch enhancer's requestAnimationFrame timer. We had several reports that rAF didn't work correctly when used in background tabs / opened windows, and that RTK never updated the UI. This should ensure that the updates flush correctly.

What's Changed

• Export hook options types for RTK Query hooks by @​veeceey in #​5218
• Add TanStack Intent skills for Redux Toolkit by @​phryneas in #​5249
• Keep isSuccess: true when switching infinite query cache entries by @​riqts in #​5268
• fix: allow interface-based type guards as listener matcher by @​riqts in #​5269
• fix: add setTimeout fallback to raf autoBatch strategy for background tabs by @​riqts in #​5273
• chore(toolkit): rename IgnorePaths type to IgnoredPaths by @​Ri5ha6h in #​5284
• feat(toolkit)!: switch to native NoInfer utility type by @​aryaemami59 in #​5289

Full Changelog: reduxjs/redux-toolkit@v2.11.2...v2.12.0

v2.11.2

Compare Source

v2.11.1

Compare Source

This bugfix release fixes an issue with our internal AbortSignal handling that was reported as causing an error in a rare reset situation. We've also restructured our publishing process to use NPM Trusted Publishing, and updated our TS support matrix to only support TS 5.4+.

Changelog

Publishing Changes

We've previously done most of our releases semi-manually locally, with various release process CLI tools. With the changes to NPM publishing security and the recent wave of NPM attacks, we've updated our publishing process to solely use NPM Trusted Publishing via workflows. We've also done a hardening pass on our own CI setup.

We had done a couple releases via CI workflows previously, and later semi-manual releases caused PNPM to warn that RTK was no longer trusted. This release should be trusted and will resolve that issue.

Thanks to the e18e folks and their excellent guide at https://e18e.dev/docs/publishing for making this process easier!

TS Support Matrix Updates

We've previously mentioned rolling changes to our TS support matrix in release notes, but didn't officially document our support policy. We've added a description of the support policy (last 2 years of TS releases, matching DefinitelyTyped) and the current oldest TS version we support in the docs:

• https://redux-toolkit.js.org/introduction/getting-started#typescript
• https://redux-toolkit.js.org/usage/usage-with-typescript#introduction

As of today, we've updated the support matrix to be TS 5.4+ . As always, it's possible RTK will work if you're using an earlier version of TS, but we don't test against earlier versions and don't support any issues with those versions.

We have run an initial test with the upcoming TS 7.0 native tsgo release. We found a couple minor issues with our own TS build and test setup, but no obvious issues with using RTK with TS 7.0.

Bug Fixes

A user reported a rare edge case where the combination of resetApiState and retry() could lead to an error calling an AbortController. We've restructured our AbortController handling logic to avoid that (and simplified a bit of our internals in the process).

What's Changed

• Use trusted publishing and harden workflows by @​markerikson in #​5152
• Update TS typecheck matrix and add TS native job by @​markerikson in #​5155
• Officially document TS support by @​markerikson in #​5158
• Tweaks to AbortSignal logic by @​EskiMojo14 in #​5150

Full Changelog: reduxjs/redux-toolkit@v2.11.0...v2.11.1

v2.11.0

Compare Source

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v5.2.0

Compare Source

v5.1.4

Compare Source

Fix canSkipBabel not accounting for babel.overrides (#​1098)

When configuring babel.overrides without top-level plugins or presets, Babel was incorrectly skipped. The canSkipBabel function now checks for overrides.length to ensure override configurations are processed.

v5.1.3

Compare Source

v5.1.2

Compare Source

BcryptNet/bcrypt.net (BCrypt.Net-Next)

v4.2.0: - Maintenance Release

• Drops dotnet 2.0 / 3.5 support (as msft ripped it out of windows 11 and set the new standalone installers minimum windows version to an inside release https://devblogs.microsoft.com/dotnet/dotnet-framework-3-5-moves-to-standalone-deployment-in-new-versions-of-windows/)
• Renames assembly-name to remove dots as it causes PRI249 warning

Full Changelog: BcryptNet/bcrypt.net@v4.1.0...v4.2.0

v4.1.0: - Maintenance Release Net10.0 on 4x branch

What's Changed

• Bump xunit.runner.visualstudio from 2.4.3 to 2.4.4 by @​dependabot[bot] in #​107
• Bump xunit.runner.visualstudio from 2.4.4 to 2.4.5 by @​dependabot[bot] in #​108
• Bump Microsoft.NET.Test.Sdk from 17.1.0 to 17.2.0 by @​dependabot[bot] in #​109
• Bump System.Memory from 4.5.4 to 4.5.5 by @​dependabot[bot] in #​113
• Bump Microsoft.NET.Test.Sdk from 17.2.0 to 17.3.0 by @​dependabot[bot] in #​115
• Bump xunit from 2.4.1 to 2.4.2 by @​dependabot[bot] in #​114
• Bump Microsoft.NET.Test.Sdk from 17.3.0 to 17.3.1 by @​dependabot[bot] in #​118
• Bump BenchmarkDotNet from 0.13.2 to 0.13.4 by @​dependabot[bot] in #​129
• Bump Microsoft.NET.Test.Sdk from 17.3.1 to 17.4.1 by @​dependabot[bot] in #​126
• Use License Expression for NuGet Package and add URLs by @​mus65 in #​128
• Bump BenchmarkDotNet from 0.13.4 to 0.13.5 by @​dependabot[bot] in #​131
• Bump Microsoft.NET.Test.Sdk from 17.4.1 to 17.5.0 by @​dependabot[bot] in #​133
• Bump Microsoft.NET.Test.Sdk from 17.5.0 to 17.6.0 by @​dependabot[bot] in #​134
• Bump Microsoft.NET.Test.Sdk from 17.6.0 to 17.6.1 by @​dependabot[bot] in #​135
• Bump xunit.runner.visualstudio from 2.4.5 to 2.5.0 by @​dependabot[bot] in #​140
• Bump Microsoft.NET.Test.Sdk from 17.6.1 to 17.6.3 by @​dependabot[bot] in #​138
• Bump BenchmarkDotNet from 0.13.5 to 0.13.6 by @​dependabot[bot] in #​141
• Bump Microsoft.Windows.Compatibility from 6.0.0 to 6.0.6 in /IntegrationTest/TestVariousVersionsOfDotNet/WindowsFormAppViaDotnetTools by @​dependabot[bot] in #​137
• Bump xunit from 2.4.2 to 2.5.1 by @​dependabot[bot] in #​148
• Bump BenchmarkDotNet from 0.13.6 to 0.13.8 by @​dependabot[bot] in #​146
• Bump Microsoft.NET.Test.Sdk from 17.6.3 to 17.7.2 by @​dependabot[bot] in #​145
• Bump xunit.runner.visualstudio from 2.5.0 to 2.5.1 by @​dependabot[bot] in #​147
• Bump xunit from 2.5.1 to 2.5.3 by @​dependabot[bot] in #​152
• Bump Microsoft.NET.Test.Sdk from 17.7.2 to 17.9.0 by @​dependabot[bot] in #​171
• Bump xunit from 2.5.3 to 2.8.0 by @​dependabot[bot] in #​174

New Contributors

• @​mus65 made their first contribution in #​128

Full Changelog: BcryptNet/bcrypt.net@4.0.3...v4.1.0

tonerdo/dotnet-env (DotNetEnv)

v3.2.0

• Switch parsing to Superpower (from Sprache)
• Fix utf8 parsing
• Interpolated variables parsing

pabloFuente/livekit-server-sdk-dotnet (Livekit.Server.Sdk.Dotnet)

v1.2.0

Compare Source

• Update livekit/protocol to v1.44.0.
• Support for Phone Number APIs, custom Token Sources and Connectors for WhatsApp and Twilio.

v1.1.0

Compare Source

Allow configuring a custom HttpClient (of package System.Net.Http) when creating any service client. This allows setting custom headers, proxy configuration, timeouts, or other HttpClient settings. See Using a custom HttpClient.

v1.0.14

Compare Source

• Update livekit/protocol to v1.43.0
• Allow subpaths in the base URL when connecting to LiveKit server API. Before, all petitions were routed to the root path /twirp (e.g., https://my-livekit-server.com/twirp). Now, subpaths are also supported (e.g., https://my-livekit-server.com/my-subpath/twirp). PR #​32

v1.0.13

Compare Source

Update livekit/protocol to v1.42.0

v1.0.12

Compare Source

Update livekit/protocol to v1.41.0

[v1.0.11](https://redirect.github.com/pabloFuente/livekit-server-sdk-dotnet/

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/Istanbul)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.