chore(deps): bump the production-minor-patch group across 1 directory with 11 updates

[dependabot]

Bumps the production-minor-patch group with 9 updates in the / directory:

Package	From	To
nanoid	5.1.7	5.1.11
express-rate-limit	8.3.1	8.5.1
ansis	4.2.0	4.3.0
typeorm	0.3.28	0.3.29
next	16.2.2	16.2.6
next-intl	4.9.0	4.11.2
react-dom	19.2.4	19.2.6
joi	18.1.2	18.2.1
nodemailer	8.0.4	8.0.7

Updates nanoid from 5.1.7 to 5.1.11

Release notes

Sourced from nanoid's releases.

5.1.11

• Fixed breaking Nano ID by requesting big ID.

5.1.10

• Fixed breaking nanoid by requesting big ID (by @​alanzabihi).

5.1.9

• Fixed npm package size regression.

5.1.8

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

Changelog

Sourced from nanoid's changelog.

5.1.11

• Fixed breaking Nano ID by requesting big ID.

5.1.10

• Fixed breaking Nano ID by requesting big ID (by @​alanzabihi).

5.1.9

• Fixed npm package size regression.

5.1.8

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

Commits

• 5423cf5 Release 5.1.11 version
• 2183894 Backport 3.3.12 changelog
• 7087969 Limit ID even more
• 013517b Temporary add pnpm-workspace.yaml to npm ignore
• 5db09ee Release 5.1.10 version
• be7901a Fix random pool break
• 974f73b Structure tests with describe() instead of prefix
• fe3e7ec Update dependencies
• 043a7c1 Move to pnpm 11
• e52d946 Release 5.1.9 version
• Additional commits viewable in compare view

Updates express-rate-limit from 8.3.1 to 8.5.1

Release notes

Sourced from express-rate-limit's releases.

v8.5.1

You can view the changelog here.

v8.5.0

You can view the changelog here.

v8.4.1

You can view the changelog here.

v8.4.0

You can view the changelog here.

v8.3.2

You can view the changelog here.

Commits

• 50cc3f6 8.5.1
• 92c8e3e chore: bump ip-address library to latest (#626)
• 807e383 8.5.0
• b844137 v8.5.0 changelog
• ceaffab feat: async store init (#621)
• 69568d4 8.4.1
• c686acd v8.4.1 changelog
• ba71353 test: bump timeout in flakey skipFailedRequests test (#618)
• dd4c894 feat: allow usage of custom logger (#616)
• 2bb343c resolve Jest timeout for server-based tests (#617)
• Additional commits viewable in compare view

Updates ip-address from 10.1.0 to 10.2.0

Commits

• See full diff in compare view

Updates ansis from 4.2.0 to 4.3.0

Changelog

Sourced from ansis's changelog.

4.3.0 (2026-05-11)

• feat: add support for OSC 8 hyperlink: link(url, text)
• feat: add constructor overload to pass a mock globalThis object for controlled color auto-detection

  import { Ansis } from 'ansis';
  const color = new Ansis({
  process: {
  env: { FORCE_COLOR: '1' },
  argv: ['node', 'app.js'],
  stdout: { isTTY: false },
  platform: 'linux',
  },
  });
  console.log(color.level); // 1

• fix(color-support): correctly handle edge cases using ENV variables and CLI flags

Fixed edge case	Old behavior (bug)	New behavior (correct)
FORCE_COLOR=1, NO_COLOR=1	disable color	enable color (FORCE_COLOR takes precedence over NO_COLOR)
NO_COLOR=1, --color	disable color	enable color (CLI color flags take precedence over NO_COLOR)
FORCE_COLOR=1, --no-color	disable color	enable color (FORCE_COLOR has the highest priority)
--no-color --color	disable color	enable color (last flag wins)
--color with no detected colors	truecolor	16 colors (auto-detect fallback uses the minimum color level, not truecolor)

Commits

• See full diff in compare view

Updates typeorm from 0.3.28 to 0.3.29

Release notes

Sourced from typeorm's releases.

0.3.29

What's Changed

• fix: fix up aggregate methods ambiguous column by @​Cprakhar in typeorm/typeorm#11822
• fix: prevent eager-loaded entities from overwriting manual relations by @​LeviHeber in typeorm/typeorm#11267
• fix: release query runner when there is no migration to revert by @​mjr128 in typeorm/typeorm#11232
• fix: add async to the method using setFindOptions() by @​bindon in typeorm/typeorm#10787
• chore: disable eslint errors for chai assertions by @​alumni in typeorm/typeorm#11833
• ci(tests): Remove limitation of branches to run on by @​OSA413 in typeorm/typeorm#11794
• ci: upgrade actions to v6 by @​pkuczynski in typeorm/typeorm#11844
• docs(v0.3): add version dropdown (stable/dev) by @​naorpeled in typeorm/typeorm#11863
• fix(sap): QueryBuilder parameter of type JS Date not escaped correctly by @​alumni in typeorm/typeorm#11867
• feat(sap): add pool timeout by @​alumni in typeorm/typeorm#11868
• feat(qodo): enable new review experience in v0.3 by @​naorpeled in typeorm/typeorm#11910
• feat: add returning option to update/upsert operations by @​naorpeled in typeorm/typeorm#11782
• test: enable repository-returning test by @​gioboa in typeorm/typeorm#11913
• chore(qodo): disable in progress notification in v0.3 by @​naorpeled in typeorm/typeorm#11928
• ci(docs): add deploy Github Action to v0.3 branch by @​naorpeled in typeorm/typeorm#11929
• chore(qodo): disable persistent comments and inline code suggestions in v0.3 by @​naorpeled in typeorm/typeorm#11989
• chore(deps): update all dependencies to the latest minor version by @​alumni in typeorm/typeorm#12015
• fix(redis): redis cache version detection by @​mguida22 in typeorm/typeorm#11936
• ci: remove summary comments location policy by @​naorpeled in typeorm/typeorm#12117
• ci(qodo): remove /improve from pr and push commands by @​naorpeled in typeorm/typeorm#12129
• ci: migrate from npm to pnpm by @​pkuczynski in typeorm/typeorm#12193
• ci(qodo): sync qodo pr agent config from master by @​naorpeled in typeorm/typeorm#12265
• ci: remove docs indexing by @​alumni in typeorm/typeorm#12435
• fix(security): validate limit() in Update/SoftDelete query builders by @​smith-xyz in typeorm/typeorm#12437
• chore(deps): update all minor by @​alumni in typeorm/typeorm#12443
• chore(release): release 0.3.29 by @​michaelbromley in typeorm/typeorm#12442

New Contributors

• @​LeviHeber made their first contribution in typeorm/typeorm#11267
• @​mjr128 made their first contribution in typeorm/typeorm#11232
• @​bindon made their first contribution in typeorm/typeorm#10787

Full Changelog: typeorm/typeorm@0.3.28...0.3.29

Changelog

Sourced from typeorm's changelog.

0.3.29 (2026-05-08)

Bug Fixes

• add async to the method using setFindOptions() (#10787) (cc07c90)
• change import for process dependency (#11248) (1c67c3b)
• cli: init command loading non-existing package.json (#11947) (4d9d1a6)
• fix up aggregate methods ambiguous column (#11822) (6e34756)
• fix up limit with joins (#11987) (3657db8)
• getPendingMigrations unnecessarily creating migrations table (#11672) (1dbc224)
• postgres: execute queries sequentially to avoid pg 8.19.0 deprecation warning (#12105) (79829a0)
• prevent columns with select false from being returned (#11944) (6b20831)
• prevent eager-loaded entities from overwriting manual relations (#11267) (2d8c515)
• propagate schema and database to closure junction table (#12110) (58b403f)
• redis: redis cache version detection (#11936) (f22c7a2)
• release query runner when there is no migration to revert (#11232) (a46eb0a)
• sap: QueryBuilder parameter of type JS Date not escaped correctly (#11867) (5153436)
• security: validate limit() in Update/SoftDelete query builders (#12437) (0d7991a)
• virtual property handling in schema builder (#11000) (5bd3255)

Features

• add returning option to update/upsert operations (#11782) (11d9767)
• sap: add pool timeout (#11868) (b4e2ad2)
• sap: support locking in select (#11996) (86a9e3e)

Commits

• 0ed009a ci: add npm environment to publish job for trusted publishing
• 6ede38b chore: enable trusted publishing in publish workflow
• 578d9e9 chore: fix pnpm publish for v0.3
• 253f060 chore: disable git check on pnpm publish for v0.3
• 1b5476f chore: set pnpm publish branch for v0.3
• 17c6ec2 chore(release): release 0.3.29 (#12442)
• 0ac8092 chore(deps): update all minor (#12443)
• 0d7991a fix(security): validate limit() in Update/SoftDelete query builders (#12437)
• c38c754 ci: remove docs indexing (#12435)
• 1b66c44 Merge commit from fork
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for typeorm since your current version.

Updates next from 16.2.2 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates next-intl from 4.9.0 to 4.11.2

Release notes

Sourced from next-intl's releases.

v4.11.2

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

v4.11.1

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

v4.11.0

4.11.0 (2026-04-28)

Features

• Add displayName to useFormatter (#2285) (3666aa8) – by @​roderickhsiao

v4.10.1

This was reverted in https://github.com/amannn/next-intl/releases/tag/v4.11.2

---

4.10.1 (2026-04-28)

Bug Fixes

• Set redirect domain if x-forwarded-host header exists (#2281) (70d35db) – by @​FourwingsY

⚠️ If you're using a setup behind a reverse proxy and your proxy sets x-forwarded-port, make sure the value is correct (typically 443).

v4.10.0

4.10.0 (2026-04-28)

Features

• Add per-domain localePrefix override support (#2273) (3e9febf) – by @​frankmatheron

v4.9.2

4.9.2 (2026-04-27)

Bug Fixes

• Prototype safety guards for precompile: true (#2307) (c0bf0ee) – by @​amannn

v4.9.1

... (truncated)

Changelog

Sourced from next-intl's changelog.

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

4.11.0 (2026-04-28)

Features

• Add displayName to useFormatter (#2285) (3666aa8) – by @​roderickhsiao

4.10.1 (2026-04-28)

Bug Fixes

• Set redirect domain if x-forwarded-host header exists (#2281) (70d35db) – by @​FourwingsY

4.10.0 (2026-04-28)

Features

• Add per-domain localePrefix override support (#2273) (3e9febf) – by @​frankmatheron

4.9.2 (2026-04-27)

Bug Fixes

• Prototype safety guards for precompile: true (#2307) (c0bf0ee) – by @​amannn

4.9.1 (2026-04-10)

Bug Fixes

• Improve middleware pathname validation (#2304) (1c80b66) – by @​amannn

Commits

• 940dfbf v4.11.2
• eb3a6a4 fix: Revert x-forwarded-host redirect domain change (#2322)
• a6a8f8f v4.11.1
• ff77a3d fix: Avoid watchers for detached telemetry process (#2319)
• 02989b6 test: Refactor extractor tests to e2e (#2312)
• e68a591 v4.11.0
• 3666aa8 feat: Add displayName to useFormatter (#2285)
• 11d9ce8 v4.10.1
• 70d35db fix: Set redirect domain if x-forwarded-host header exists (#2281)
• d4648b8 v4.10.0
• Additional commits viewable in compare view

Updates react-dom from 19.2.4 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Updates joi from 18.1.2 to 18.2.1

Commits

• 048fe05 18.2.1
• 2392713 Merge pull request #3113 from hapijs/fix/link-max-call-stack
• fc146a6 fix: protect link recursion from max call stack
• f4e97e0 18.2.0
• 626893d Merge pull request #3111 from hapijs/feat/link-maxRecursion
• 9c7a443 feat: add maxRecursion limit to links
• See full diff in compare view

Updates nodemailer from 8.0.4 to 8.0.7

Release notes

Sourced from nodemailer's releases.

v8.0.7

8.0.7 (2026-04-27)

Bug Fixes

• keep domain as UTF-8 when local part is non-ASCII (#1814) (66d4ecb)

v8.0.6

8.0.6 (2026-04-24)

Bug Fixes

• restore base64 wrap() trim behavior to prevent trailing CRLF (#1810) (#1811) (b1ae6c1)

v8.0.5

8.0.5 (2026-04-07)

Bug Fixes

• decode SMTP server responses as UTF-8 at line boundary (95876b1)
• sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

Changelog

Sourced from nodemailer's changelog.

8.0.7 (2026-04-27)

Bug Fixes

• keep domain as UTF-8 when local part is non-ASCII (#1814) (66d4ecb)

8.0.6 (2026-04-24)

Bug Fixes

• restore base64 wrap() trim behavior to prevent trailing CRLF (#1810) (#1811) (b1ae6c1)

8.0.5 (2026-04-07)

Bug Fixes

• decode SMTP server responses as UTF-8 at line boundary (95876b1)
• sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

Commits

• 1997040 chore(master): release 8.0.7 (#1815)
• 9b9c545 chore: drop nodemailer-ntlm-auth devDependency (#1816)
• 22bf90c Bumped dev deps
• 66d4ecb fix: keep domain as UTF-8 when local part is non-ASCII (#1814)
• 6a4a01e Fix/base64 wrap trailing crlf (#1813)
• a22efbc chore(master): release 8.0.6 (#1812)
• b1ae6c1 fix: restore base64 wrap() trim behavior to prevent trailing CRLF (#1810) (#1...
• 202cfb3 chore(master): release 8.0.5 (#1809)
• b634abf docs: add CLAUDE.md with project conventions and release process
• 95876b1 fix: decode SMTP server responses as UTF-8 at line boundary
• Additional commits viewable in compare view

Updates react from 19.2.4 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.