build(deps): bump the production-dependencies group across 1 directory with 60 updates

[dependabot]

Bumps the production-dependencies group with 60 updates in the / directory:

Package	From	To
@ai-sdk/openai	3.0.26	3.0.63
@ai-sdk/react	3.0.80	3.0.179
@aws-sdk/client-s3	3.984.0	3.1045.0
@aws-sdk/s3-request-presigner	3.984.0	3.1045.0
@fumadocs/content-collections	1.2.6	1.2.9
@hono/zod-openapi	1.2.1	1.4.0
@hono/zod-validator	0.7.6	0.8.0
@next/third-parties	16.1.6	16.2.6
@paralleldrive/cuid2	2.3.1	3.3.0
@prisma/client	7.3.0	7.8.0
@react-email/components	0.0.41	1.0.12
@react-email/render	1.4.0	2.0.8
@scalar/hono-api-reference	0.9.40	0.10.14
@tanstack/react-query	5.90.20	5.100.9
@tiptap/extension-dropcursor	3.19.0	3.23.1
@tiptap/extension-image	3.19.0	3.23.1
@tiptap/extension-placeholder	3.19.0	3.23.1
@tiptap/react	3.19.0	3.23.1
@tiptap/starter-kit	3.19.0	3.23.1
@uiw/react-md-editor	4.0.11	4.1.0
ai	6.0.78	6.0.177
better-auth	1.4.18	1.6.9
boring-avatars	1.11.2	2.0.4
dompurify	3.3.1	3.4.2
fumadocs-core	16.5.2	16.8.8
fumadocs-ui	16.5.2	16.8.8
geist	1.5.1	1.7.0
hono	4.11.8	4.12.18
hono-openapi	0.4.8	1.3.0
isomorphic-dompurify	2.35.0	3.12.0
jotai	2.12.3	2.20.0
lucide-react	0.542.0	1.14.0
nanoid	5.1.6	5.1.11
next	16.2.4	16.2.6
next-intl	4.8.3	4.11.1
nodemailer	7.0.13	8.0.7
nuqs	2.8.8	2.8.9
openai	6.19.0	6.37.0
react	19.2.4	19.2.6
react-day-picker	9.13.0	10.0.0
react-dom	19.2.4	19.2.6
react-dropzone	14.4.0	15.0.0
react-hook-form	7.71.1	7.75.0
react-qr-code	2.0.18	2.0.21
react-resizable-panels	3.0.6	4.11.0
recharts	2.15.4	3.8.1
sharp	0.34.4	0.34.5
slugify	1.6.6	1.6.9
stripe	18.5.0	22.1.1
tailwind-merge	3.4.0	3.5.0
tencentcloud-sdk-nodejs	4.1.184	4.1.227
ufo	1.6.3	1.6.4
use-debounce	10.1.0	10.1.1
use-intl	4.8.2	4.11.1
uuid	11.1.0	14.0.0
zod	4.3.6	4.4.3
zustand	5.0.11	5.0.13
@prisma/adapter-pg	7.3.0	7.8.0
pg	8.18.0	8.20.0
ws	8.19.0	8.20.0

Updates @ai-sdk/openai from 3.0.26 to 3.0.63

Changelog

Sourced from @​ai-sdk/openai's changelog.

3.0.63

Patch Changes

• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27

3.0.62

Patch Changes

• 65edcca: feat: add allowedTools provider option for OpenAI Responses

3.0.61

Patch Changes

• b93f9b4: feat(provider/openai): forward imageDetail providerOptions on tool-result image content

3.0.60

Patch Changes

• 6dcd8e6: feat(openai): add GPT-5.5 chat model IDs

3.0.59

Patch Changes

• 38966ab: fix(openai, openai-compatible): only send null content for assistant messages with tool calls

3.0.58

Patch Changes

• 2370948: feat(openai): preserve namespace on function_call output items

3.0.57

Patch Changes

• d33e7cc: chore(provider/openai): add type for image model options for type-safe processing

3.0.56

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26

... (truncated)

Commits

• e3ccdb5 Version Packages (#15094)
• bf9de31 Version Packages (#15046)
• 65edcca Backport: feat(openai): add allowedTools provider option for Responses (#15044)
• ee37690 Version Packages (#15020)
• b93f9b4 Backport: feat(provider/openai): forward imageDetail providerOptions on tool-...
• c706111 Version Packages (#14971)
• 6dcd8e6 Backport: feat(openai): add GPT-5.5 chat model IDs (#14965)
• a1dddcc Version Packages (#14954)
• 38966ab backport v6: fix(openai, openai-compatible): only send null content for assis...
• 0129eb6 Version Packages (#14912)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/openai since your current version.

Updates @ai-sdk/react from 3.0.80 to 3.0.179

Release notes

Sourced from @​ai-sdk/react's releases.

@​ai-sdk/react@​3.0.179

Patch Changes

• ai@6.0.177

Changelog

Sourced from @​ai-sdk/react's changelog.

3.0.179

Patch Changes

• ai@6.0.177

3.0.178

Patch Changes

• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27
  • ai@6.0.176

3.0.177

Patch Changes

• ai@6.0.175

3.0.176

Patch Changes

• ai@6.0.174

3.0.175

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26
  • ai@6.0.173

3.0.174

Patch Changes

• ai@6.0.172

3.0.173

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [48f842a]
• Updated dependencies [a727da4]
• Updated dependencies [5fee301]
  • ai@6.0.171
  • @​ai-sdk/provider-utils@​4.0.25

... (truncated)

Commits

• e70aab9 Version Packages (#15138)
• e3ccdb5 Version Packages (#15094)
• 3015153 Version Packages (#14960)
• 0129eb6 Version Packages (#14912)
• 8a46a3c Version Packages (#14875)
• 29c80ec Version Packages (#14868)
• 8e650ab Version Packages (#14824)
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 7ab1e18 Version Packages (#14815)
• 77a4e05 Version Packages (#14802)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/react since your current version.

Updates @aws-sdk/client-s3 from 3.984.0 to 3.1045.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1045.0

3.1045.0(2026-05-07)

Documentation Changes

• client-guardduty: This is a documentation update (1484574c)

New Features

• clients: update client endpoints as of 2026-05-07 (81310767)
• client-bcm-data-exports: With this release, customers can configure their data exports to generate additional integration artifacts for Athena and Redshift. (238da2c1)
• client-invoicing: Updated ListInvoiceSummaries API to add new ReceiverRole filter in Request and Response (60a448cb)
• client-bedrock-agentcore: Launching AgentCore payments - a capability that provides secure, instant microtransaction payments for AI agents to access paid APIs, MCP servers, and content. It handles payment processing for x402 protocol, payment limits, and 3P wallet integrations with Coinbase CDP and Stripe (Privy). (1e1031a7)
• client-ec2: DescribeInstanceTypes now accepts an IncludeUnsupportedInRegion parameter. When set, the response also lists instance types that are not available in the current Region. Each instance type includes a SupportedInRegion field indicating its regional availability. (70262433)
• client-bedrock-agentcore-control: Launching AgentCore payments - a capability that provides secure, instant microtransaction payments for AI agents to access paid APIs, MCP servers, and content. It handles payment processing for x402 protocol, payment limits, and 3P wallet integrations with Coinbase CDP and Stripe (Privy). (fe5861ae)
• client-route53resolver: Adds supports for DNS64 on inbound endpoints and IPv6 forwarding through the internet gateway (IGW) on outbound endpoints, making it easier to manage hybrid DNS across IPv4 and IPv6 networks. (8e6e18c6)

---

For list of updated packages, view updated-packages.md in assets-3.1045.0.zip

v3.1044.0

3.1044.0(2026-05-06)

New Features

• client-securityhub: Release GenerateRecommendedPolicyV2 and GetRecommendedPolicyV2 APIs. This supports generating and retrieving policy recommendations to remediate unused permissions findings that are now being supported on Security Hub. (772b8629)
• client-sagemaker: Amazon SageMaker HyperPod now returns ImageVersionStatus in DescribeCluster, DescribeClusterNode, and ListClusterNodes responses, indicating whether cluster instances are running the latest available image version. (2be7e6b4)
• client-glue: Adds support for a CustomLogGroupPrefix parameter in StartDataQualityRulesetEvaluationRun to specify custom CloudWatch log group paths, and a RulesetName filter in ListDataQualityRulesetEvaluationRuns to filter evaluation runs by ruleset name. (b95d850b)
• client-lex-models-v2: Amazon Lex V2 introduces audio filler support for speech-to-speech bots. Configure melody or typing sounds that play during backend processing to reduce perceived latency and maintain a natural conversational experience for callers. (01426f8e)
• client-bedrock-agentcore-control: Adds support for bring-your-own file system in AgentCore Runtime. Developers can mount Amazon S3 Files and Amazon EFS access points directly into agent sessions using filesystemConfigurations. (e20f24d9)
• client-s3: Validate outpost access point resource name (bee88a56)
• client-mwaa: Amazon MWAA now supports a PublicAndPrivate webserver access mode. The Airflow web server is accessible over both public and private endpoints, enabling workers in VPCs without internet access to reach the Task API privately while retaining public access to the Airflow UI. (3a6054ef)
• client-imagebuilder: The ImportDiskImage API now enforces a maximum character limit of 128 characters on the image name field. (7fc2565c)

Tests

• scripts: include type symbols in api snapshot test (#7985) (02f86176)

---

For list of updated packages, view updated-packages.md in assets-3.1044.0.zip

v3.1043.0

3.1043.0(2026-05-05)

New Features

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1045.0 (2026-05-07)

Note: Version bump only for package @​aws-sdk/client-s3

3.1044.0 (2026-05-06)

Features

• client-s3: Validate outpost access point resource name (bee88a5)

3.1043.0 (2026-05-05)

Note: Version bump only for package @​aws-sdk/client-s3

3.1042.0 (2026-05-04)

Note: Version bump only for package @​aws-sdk/client-s3

3.1041.0 (2026-05-01)

Note: Version bump only for package @​aws-sdk/client-s3

3.1040.0 (2026-04-30)

Note: Version bump only for package @​aws-sdk/client-s3

... (truncated)

Commits

• b329def Publish v3.1045.0
• 1ccd438 Publish v3.1044.0
• bee88a5 feat(client-s3): Validate outpost access point resource name
• 96baad9 Publish v3.1043.0
• d942e31 Publish v3.1042.0
• 5df4c01 Publish v3.1041.0
• 7736067 Publish v3.1040.0
• 51c8215 Publish v3.1039.0
• 3dfb72b chore(codegen): sync for adaptive retry fixes (#7970)
• 3fbf6c5 Publish v3.1038.0
• Additional commits viewable in compare view

Updates @aws-sdk/s3-request-presigner from 3.984.0 to 3.1045.0

Release notes

Sourced from @​aws-sdk/s3-request-presigner's releases.

v3.1045.0

3.1045.0(2026-05-07)

Documentation Changes

• client-guardduty: This is a documentation update (1484574c)

New Features

• clients: update client endpoints as of 2026-05-07 (81310767)
• client-bcm-data-exports: With this release, customers can configure their data exports to generate additional integration artifacts for Athena and Redshift. (238da2c1)
• client-invoicing: Updated ListInvoiceSummaries API to add new ReceiverRole filter in Request and Response (60a448cb)
• client-bedrock-agentcore: Launching AgentCore payments - a capability that provides secure, instant microtransaction payments for AI agents to access paid APIs, MCP servers, and content. It handles payment processing for x402 protocol, payment limits, and 3P wallet integrations with Coinbase CDP and Stripe (Privy). (1e1031a7)
• client-ec2: DescribeInstanceTypes now accepts an IncludeUnsupportedInRegion parameter. When set, the response also lists instance types that are not available in the current Region. Each instance type includes a SupportedInRegion field indicating its regional availability. (70262433)
• client-bedrock-agentcore-control: Launching AgentCore payments - a capability that provides secure, instant microtransaction payments for AI agents to access paid APIs, MCP servers, and content. It handles payment processing for x402 protocol, payment limits, and 3P wallet integrations with Coinbase CDP and Stripe (Privy). (fe5861ae)
• client-route53resolver: Adds supports for DNS64 on inbound endpoints and IPv6 forwarding through the internet gateway (IGW) on outbound endpoints, making it easier to manage hybrid DNS across IPv4 and IPv6 networks. (8e6e18c6)

---

For list of updated packages, view updated-packages.md in assets-3.1045.0.zip

v3.1044.0

3.1044.0(2026-05-06)

New Features

• client-securityhub: Release GenerateRecommendedPolicyV2 and GetRecommendedPolicyV2 APIs. This supports generating and retrieving policy recommendations to remediate unused permissions findings that are now being supported on Security Hub. (772b8629)
• client-sagemaker: Amazon SageMaker HyperPod now returns ImageVersionStatus in DescribeCluster, DescribeClusterNode, and ListClusterNodes responses, indicating whether cluster instances are running the latest available image version. (2be7e6b4)
• client-glue: Adds support for a CustomLogGroupPrefix parameter in StartDataQualityRulesetEvaluationRun to specify custom CloudWatch log group paths, and a RulesetName filter in ListDataQualityRulesetEvaluationRuns to filter evaluation runs by ruleset name. (b95d850b)
• client-lex-models-v2: Amazon Lex V2 introduces audio filler support for speech-to-speech bots. Configure melody or typing sounds that play during backend processing to reduce perceived latency and maintain a natural conversational experience for callers. (01426f8e)
• client-bedrock-agentcore-control: Adds support for bring-your-own file system in AgentCore Runtime. Developers can mount Amazon S3 Files and Amazon EFS access points directly into agent sessions using filesystemConfigurations. (e20f24d9)
• client-s3: Validate outpost access point resource name (bee88a56)
• client-mwaa: Amazon MWAA now supports a PublicAndPrivate webserver access mode. The Airflow web server is accessible over both public and private endpoints, enabling workers in VPCs without internet access to reach the Task API privately while retaining public access to the Airflow UI. (3a6054ef)
• client-imagebuilder: The ImportDiskImage API now enforces a maximum character limit of 128 characters on the image name field. (7fc2565c)

Tests

• scripts: include type symbols in api snapshot test (#7985) (02f86176)

---

For list of updated packages, view updated-packages.md in assets-3.1044.0.zip

v3.1043.0

3.1043.0(2026-05-05)

New Features

... (truncated)

Changelog

Sourced from @​aws-sdk/s3-request-presigner's changelog.

3.1045.0 (2026-05-07)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1044.0 (2026-05-06)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1043.0 (2026-05-05)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1042.0 (2026-05-04)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1041.0 (2026-05-01)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1040.0 (2026-04-30)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1039.0 (2026-04-29)

... (truncated)

Commits

• b329def Publish v3.1045.0
• 1ccd438 Publish v3.1044.0
• 96baad9 Publish v3.1043.0
• d942e31 Publish v3.1042.0
• 5df4c01 Publish v3.1041.0
• 7736067 Publish v3.1040.0
• 51c8215 Publish v3.1039.0
• 3fbf6c5 Publish v3.1038.0
• 7babd8b Publish v3.1037.0
• 46e4ac5 Publish v3.1036.0
• Additional commits viewable in compare view

Updates @fumadocs/content-collections from 1.2.6 to 1.2.9

Commits

• fa60913 Version Packages (#3202)
• 2d8f596 Chore: fix npm pack skipping nested node_modules
• b5af621 Merge pull request #3200 from fuma-nama/changeset-release/dev
• 79995e9 fix tsdown warnings
• 9518cc8 OpenAPI: remove openapi-sampler dep
• 335b9c1 Chore: bundle more deps
• 498425b UI: pre-calculate TOC item positions
• 7cdde7c UI: improve TOC performance
• 690ddb9 Chore: bundle more deps
• 8999346 Version Packages (#3198)
• Additional commits viewable in compare view

Updates @hono/zod-openapi from 1.2.1 to 1.4.0

Release notes

Sourced from @​hono/zod-openapi's releases.

@​hono/zod-openapi@​1.4.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-openapi): bump peerDependencies.hono to >=4.10.0 to match the runtime requirement coming through @hono/zod-validator.

  @hono/zod-openapi lists @hono/zod-validator as a direct (non-peer) dependency, so its peer range must be at least as strict as @hono/zod-validator's. After the typed-400 fix bumps @hono/zod-validator's peerDependencies.hono to >=4.10.0, leaving @hono/zod-openapi's peer at >=4.3.6 would let consumers install @hono/zod-openapi against e.g. hono@4.9.9, where the bundled @hono/zod-validator types reference the 4-argument MiddlewareHandler<E, P, I, R> (introduced in Hono v4.10.0) and fail to compile (TS2707).

Patch Changes

• Updated dependencies [e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67]:
  • @​hono/zod-validator@​0.8.0

@​hono/zod-openapi@​1.3.0

Minor Changes

• #1752 fe0f8e4b44ca8e78d2ed60ed8591f415cd85eaa9 Thanks @​destroSunRay! - This PR adds two new utilities to improve route definition and registration in @hono/zod-openapi:

  • defineOpenAPIRoute: Provides explicit type safety for route definitions
  • openapiRoutes: Enables batch registration of multiple routes with full type safety
  • Registering many routes individually was repetitive and verbose
  • Type inference for complex route configurations was challenging
  • Organizing routes across multiple files was difficult
  • No built-in support for conditional route registration
  • RPC type safety was hard to maintain across scattered route registrations
  • defineOpenAPIRoute: Wraps route definitions with explicit types for better IDE support and type checking
  • openapiRoutes: Accepts an array of route definitions and registers them all at once
  • Supports addRoute flag for conditional registration
  • Maintains full type safety and RPC support through recursive type merging
  • Enables clean modular organization of routes
  • ✅ Reduced boilerplate code
  • ✅ Better type inference and IDE autocomplete
  • ✅ Easier code organization and maintainability
  • ✅ Declarative conditional routes
  • ✅ Full backward compatibility

  See the updated README for usage examples.

  • All existing tests pass (102/102)
  • Added tests for new functionality
  • Verified type inference works correctly
  • Updated package README with usage examples

@​hono/zod-openapi@​1.2.4

Patch Changes

• #1831 40ede9c55abe672798deca6970ef60b945382d34 Thanks @​yusukebe! - fix: publish to JSR

@​hono/zod-openapi@​1.2.3

Patch Changes

... (truncated)

Changelog

Sourced from @​hono/zod-openapi's changelog.

1.4.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-openapi): bump peerDependencies.hono to >=4.10.0 to match the runtime requirement coming through @hono/zod-validator.

  @hono/zod-openapi lists @hono/zod-validator as a direct (non-peer) dependency, so its peer range must be at least as strict as @hono/zod-validator's. After the typed-400 fix bumps @hono/zod-validator's peerDependencies.hono to >=4.10.0, leaving @hono/zod-openapi's peer at >=4.3.6 would let consumers install @hono/zod-openapi against e.g. hono@4.9.9, where the bundled @hono/zod-validator types reference the 4-argument MiddlewareHandler<E, P, I, R> (introduced in Hono v4.10.0) and fail to compile (TS2707).

Patch Changes

• Updated dependencies [e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67]:
  • @​hono/zod-validator@​0.8.0

1.3.0

Minor Changes

• #1752 fe0f8e4b44ca8e78d2ed60ed8591f415cd85eaa9 Thanks @​destroSunRay! - This PR adds two new utilities to improve route definition and registration in @hono/zod-openapi:

  • defineOpenAPIRoute: Provides explicit type safety for route definitions
  • openapiRoutes: Enables batch registration of multiple routes with full type safety
  • Registering many routes individually was repetitive and verbose
  • Type inference for complex route configurations was challenging
  • Organizing routes across multiple files was difficult
  • No built-in support for conditional route registration
  • RPC type safety was hard to maintain across scattered route registrations
  • defineOpenAPIRoute: Wraps route definitions with explicit types for better IDE support and type checking
  • openapiRoutes: Accepts an array of route definitions and registers them all at once
  • Supports addRoute flag for conditional registration
  • Maintains full type safety and RPC support through recursive type merging
  • Enables clean modular organization of routes
  • ✅ Reduced boilerplate code
  • ✅ Better type inference and IDE autocomplete
  • ✅ Easier code organization and maintainability
  • ✅ Declarative conditional routes
  • ✅ Full backward compatibility

  See the updated README for usage examples.

  • All existing tests pass (102/102)
  • Added tests for new functionality
  • Verified type inference works correctly
  • Updated package README with usage examples

1.2.4

Patch Changes

• #1831 40ede9c55abe672798deca6970ef60b945382d34 Thanks @​yusukebe! - fix: publish to JSR

1.2.3

... (truncated)

Commits

• a08b023 Version Packages (#1887)
• e90e4fb feat(zod-validator): surface the default 400 on the no-hook overload and keep...
• 5eeca71 Version Packages (#1849)
• fe0f8e4 feat(zod-openapi): add defineOpenAPIRoute and openapiRoutes for batch route r...
• a6f4ef5 Version Packages (#1832)
• 40ede9c fix(zod-openapi): publish to JSR (#1831)
• 38993fa Version Packages (#1811)
• db8fd16 fix(zod-openapi): bump @​asteasolutions/zod-to-openapi to allow nested discrim...
• e762ac0 feat(eslint): ignoring variables and parameters prefixed with _ (#1772)
• 27d8981 Version Packages (#1749)
• Additional commits viewable in compare view

Updates @hono/zod-validator from 0.7.6 to 0.8.0

Release notes

Sourced from @​hono/zod-validator's releases.

@​hono/zod-validator@​0.8.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-validator): surface the default 400 failure response so it propagates to the RPC schema (refs honojs/hono#3746).
  • Widen the no-hook overload return type to MiddlewareHandler<E, P, V, TypedResponse<ZodValidatorFailureBody<T>, 400, 'json'>>, so the default c.json(result, 400) body reaches MergeMiddlewareResponse<M_k> on the Hono side and shows up in hc<typeof app> as a typed 400 branch.
  • Intersect the inferred middleware response with Response (Response & TypedResponse<...>) in both ZodValidatorFailureResponse<T> and ExtractValidationResponse<VF> so a zValidator(...) middleware remains assignable to a plain MiddlewareHandler (avoids a TS2322 regression caused by bare TypedResponse).
  • Collapse the no-hook overload to also accept undefined for the hook parameter together with the options.validationFunction, allowing zValidator(target, schema, undefined, { validationFunction }) to match the typed-failure path.
  • Bump peerDependencies.hono to >=4.10.0 because this PR now relies on the 4-argument MiddlewareHandler<E, P, I, R> signature introduced in Hono v4.10.0; on hono <4.10.0, MiddlewareHandler only accepts 3 type arguments and consumers would hit TS2707 even though peer ranges currently allow it.

Changelog

Sourced from @​hono/zod-validator's changelog.

0.8.0

Minor Changes

• #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-validator): surface the default 400 failure response so it propagates to the RPC schema (refs honojs/hono#3746).
  • Widen the no-hook overload return type to MiddlewareHandler<E, P, V, TypedResponse<ZodValidatorFailureBody<T>, 400, 'json'>>, so the default c.json(result, 400) body reaches MergeMiddlewareResponse<M_k> on the Hono side and shows up in hc<typeof app> as a typed 400 branch.
  • Intersect the inferred middleware response with Response (Response & TypedResponse<...>) in both ZodValidatorFailureResponse<T> and ExtractValidationResponse<VF> so a zValidator(...) middleware remains assignable to a plain MiddlewareHandler (avoids a TS2322 regression caused by bare TypedResponse).
  • Collapse the no-hook overload to also accept undefined for the hook parameter together with the options.validationFunction, allowing zValidator(target, schema, undefined, { validationFunction }) to match the typed-failure path.
  • Bump peerDependencies.hono to >=4.10.0 because this PR now relies on the 4-argument MiddlewareHandler<E, P, I, R> signature introduced in Hono v4.10.0; on hono <4.10.0, MiddlewareHandler only accepts 3 type arguments and consumers would hit TS2707 even though peer ranges currently allow it.

Commits

• a08b023 Version Packages (#1887)
• e90e4fb feat(zod-validator): surface the default 400 on the no-hook overload and keep...
• e762ac0 feat(eslint): ignoring variables and parameters prefixed with _ (#1772)
• 475cd12 chore: update typescript to 5.9.3 (#1741)
• 96ae310 chore: update Zod/Valibot import examples to use namespace imports in docs an...
• fbec266 chore(deps-dev): bump hono from 4.11.3 to 4.11.4 (#1710)
• c7edf1e chore(deps-dev): upgrade @cloudflare/vitest-pool-workers and vitest (#1714)
• 03a28c5 fix: less strict template expressions (#1681)
• 1f8372e chore(typescript): add @tsconfig/strictest (#1679)
• 49db969 chore(eslint): update suppressions (#1678)
• Additional commits viewable in compare view

Updates @next/third-parties from 16.1.6 to 16.2.6

Release notes

Sourced from @​next/third-parties's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits

• ee6e79b v16.2.6
• 766148f v16.2.5
• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• ed7d2ce v16.2.1
• c5c94df v16.2.0
• 3683192 v16.2.0-canary.104
• 6689814 v16.2.0-canary.103
• ad66dbc v16.2.0-canary.102
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/third-parties since your current version.

Updates @paralleldrive/cuid2 from 2.3.1 to 3.3.0

Changelog

Sourced from @​paralleldrive/cuid2's changelog.

[3.3.0] - 2026-01-25

Fixed

• Fix typo in package.json exports field: ./package.json path was incorrectly specified
• Fix TypeScript compilation error (TS1203) by replacing export = with named exports in index.d.ts

Updated

• Update AI development framework (aidd) to v2.5.0 for enhanced security reviews
• Update all devDependencies to latest versions (@​types/node, @​types/react, eslint, eslint-config-next, eslint-config-prettier, eslint-plugin-prettier, next, prettier, react, react-dom, release-it, riteway, updtr, watch)

[3.0.2] - 2025-10-27

Changed

• Remove collision-test from pre-commit hook to unblock release process

Fixed

• Replace BigInt with bignumber.js for broader browser support (legacy browsers)
• Add export module field to package.json for better ESM compatibility

Added

• Implement CSPRNG using crypto.getRandomValues for enhanced security
• Add validation to throw error when length > 32

Documentation

• Fix typo: Change "Pseudo" to "Pseudo" in README.md
• Update link for PleaseRobMe.com

[3.0.0] - 2025-10-18

⚠️ BREAKING CHANGES

• Convert entire project from CommonJS to ES modules
  • Changed from require()/module.exports to import/export
  • Added "type": "module" to package.json
  • Users must use ESM imports or upgrade to this version carefully
  • For CommonJS compatibility, use v2.3.1 instead

Commits

• 2275e80 chore(release): v3.3.0
Description has been truncated