chore(deps): bump the production-minor-patch group across 1 directory with 7 updates

[dependabot]

Bumps the production-minor-patch group with 6 updates in the / directory:

Package	From	To
nanoid	5.1.7	5.1.9
express-rate-limit	8.3.1	8.3.2
next	16.2.2	16.2.4
next-intl	4.9.0	4.9.1
react-dom	19.2.4	19.2.5
nodemailer	8.0.4	8.0.5

Updates nanoid from 5.1.7 to 5.1.9

Release notes

Sourced from nanoid's releases.

5.1.9

• Fixed npm package size regression.

5.1.8

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

Changelog

Sourced from nanoid's changelog.

5.1.9

• Fixed npm package size regression.

5.1.8

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

Commits

• e52d946 Release 5.1.9 version
• 2c0eec6 Remove docs from npm package
• 11c05dc Release 5.1.8 version (#586)
• 94953df Fix comment 80 columsn limit (#585)
• e646618 Update benchmark (#584)
• d3030b7 Improve comments (#583)
• e1acf37 Use full byte range in customAlphabet (+ ~75% ops / sec optimisation) (#582)
• f4e7fbe Re-use var in the price of extra 4 bytes of JS bundle size (#581)
• 234a6c3 Remove redundant browser step cast (#578)
• 7720742 Do not calculate expression twice in Node.js where size is not important (#580)
• Additional commits viewable in compare view

Updates express-rate-limit from 8.3.1 to 8.3.2

Release notes

Sourced from express-rate-limit's releases.

v8.3.2

You can view the changelog here.

Commits

• c4dbb42 8.3.2
• 8f1cc66 v8.3.2 changelog
• 601b87f Fix skipFailedRequests for for connections that close very early (#611)
• 014c2f3 chore(deps-dev): bump the development-dependencies group with 6 updates (#612)
• 4e8b18b Remove Zuplo sponsorship details from README (#613)
• 31dab19 test: use numeric range for reset timestamp assertion (#610)
• f82ad13 chore(deps-dev): bump the development-dependencies group with 2 updates (#609)
• fa0b098 docs: fix broken link
• See full diff in compare view

Updates next from 16.2.2 to 16.2.4

Release notes

Sourced from next's releases.

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

Commits

• 2275bd8 v16.2.4
• e073983 Adding more system info to the 'initialize project' trace (#92427)
• 8a540b5 Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92...
• 2f5343f Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• 2ad9d3f turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during ...
• 6f3808e Compiler: Support boolean and number primtives in next.config defines (#92731)
• fbc7684 Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• 805d758 Turbopack: fix filesystem watcher config not applying follow_symlinks(false) ...
• 1056fae chore: Bump reqwest to 0.13.2 (#92713)
• d5f649b v16.2.3
• Additional commits viewable in compare view

Updates next-intl from 4.9.0 to 4.9.1

Release notes

Sourced from next-intl's releases.

v4.9.1

4.9.1 (2026-04-10)

Bug Fixes

• Improve middleware pathname validation (#2304) (1c80b66) – by @​amannn

Changelog

Sourced from next-intl's changelog.

4.9.1 (2026-04-10)

Bug Fixes

• Improve middleware pathname validation (#2304) (1c80b66) – by @​amannn

Commits

• b4aa538 v4.9.1
• 1c80b66 fix: Improve middleware pathname validation (#2304)
• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates nodemailer from 8.0.4 to 8.0.5

Release notes

Sourced from nodemailer's releases.

v8.0.5

8.0.5 (2026-04-07)

Bug Fixes

• decode SMTP server responses as UTF-8 at line boundary (95876b1)
• sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

Changelog

Sourced from nodemailer's changelog.

8.0.5 (2026-04-07)

Bug Fixes

• decode SMTP server responses as UTF-8 at line boundary (95876b1)
• sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

Commits

• 202cfb3 chore(master): release 8.0.5 (#1809)
• b634abf docs: add CLAUDE.md with project conventions and release process
• 95876b1 fix: decode SMTP server responses as UTF-8 at line boundary
• 0a43876 fix: sanitize CRLF in transport name option to prevent SMTP command injection...
• 08e59e6 chore: update dev dependencies
• See full diff in compare view

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.