chore(deps): bump the production-minor-patch group across 1 directory with 10 updates

[dependabot]

Bumps the production-minor-patch group with 9 updates in the / directory:

Package	From	To
nanoid	5.1.9	5.1.11
express-rate-limit	8.4.1	8.5.1
fast-xml-parser	5.7.2	5.7.3
ansis	4.2.0	4.3.0
typeorm	0.3.28	0.3.29
next	16.2.4	16.2.6
next-intl	4.11.0	4.11.2
react-dom	19.2.5	19.2.6
joi	18.1.2	18.2.1

Updates nanoid from 5.1.9 to 5.1.11

Release notes

Sourced from nanoid's releases.

5.1.11

• Fixed breaking Nano ID by requesting big ID.

5.1.10

• Fixed breaking nanoid by requesting big ID (by @​alanzabihi).

Changelog

Sourced from nanoid's changelog.

5.1.11

• Fixed breaking Nano ID by requesting big ID.

5.1.10

• Fixed breaking Nano ID by requesting big ID (by @​alanzabihi).

Commits

• 5423cf5 Release 5.1.11 version
• 2183894 Backport 3.3.12 changelog
• 7087969 Limit ID even more
• 013517b Temporary add pnpm-workspace.yaml to npm ignore
• 5db09ee Release 5.1.10 version
• be7901a Fix random pool break
• 974f73b Structure tests with describe() instead of prefix
• fe3e7ec Update dependencies
• 043a7c1 Move to pnpm 11
• See full diff in compare view

Updates express-rate-limit from 8.4.1 to 8.5.1

Release notes

Sourced from express-rate-limit's releases.

v8.5.1

You can view the changelog here.

v8.5.0

You can view the changelog here.

Commits

• 50cc3f6 8.5.1
• 92c8e3e chore: bump ip-address library to latest (#626)
• 807e383 8.5.0
• b844137 v8.5.0 changelog
• ceaffab feat: async store init (#621)
• See full diff in compare view

Updates fast-xml-parser from 5.7.2 to 5.7.3

Release notes

Sourced from fast-xml-parser's releases.

fix minor old bugs and update builder

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.8.0

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is bydeault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

... (truncated)

Commits

• d6d8042 update to release
• d263370 remove dev dependency 'he'
• f9c9a2c update builder to 1.1.7
• b65da87 update changelog and mark addEntity deprecated
• c2ca631 update fxb
• da75191 fix stop node expression when ns prefix is removed
• 31bbc99 fix: alwaysCreateTextNode should create text node when attributes are present...
• dab327a remove unnecessary
• ab04eeb update docs
• 383cb3f Revise security information for v6 release
• See full diff in compare view

Updates ansis from 4.2.0 to 4.3.0

Changelog

Sourced from ansis's changelog.

4.3.0 (2026-05-11)

• feat: add support for OSC 8 hyperlink: link(url, text)
• feat: add constructor overload to pass a mock globalThis object for controlled color auto-detection

  import { Ansis } from 'ansis';
  const color = new Ansis({
  process: {
  env: { FORCE_COLOR: '1' },
  argv: ['node', 'app.js'],
  stdout: { isTTY: false },
  platform: 'linux',
  },
  });
  console.log(color.level); // 1

• fix(color-support): correctly handle edge cases using ENV variables and CLI flags

Fixed edge case	Old behavior (bug)	New behavior (correct)
FORCE_COLOR=1, NO_COLOR=1	disable color	enable color (FORCE_COLOR takes precedence over NO_COLOR)
NO_COLOR=1, --color	disable color	enable color (CLI color flags take precedence over NO_COLOR)
FORCE_COLOR=1, --no-color	disable color	enable color (FORCE_COLOR has the highest priority)
--no-color --color	disable color	enable color (last flag wins)
--color with no detected colors	truecolor	16 colors (auto-detect fallback uses the minimum color level, not truecolor)

Commits

• See full diff in compare view

Updates typeorm from 0.3.28 to 0.3.29

Release notes

Sourced from typeorm's releases.

0.3.29

What's Changed

• fix: fix up aggregate methods ambiguous column by @​Cprakhar in typeorm/typeorm#11822
• fix: prevent eager-loaded entities from overwriting manual relations by @​LeviHeber in typeorm/typeorm#11267
• fix: release query runner when there is no migration to revert by @​mjr128 in typeorm/typeorm#11232
• fix: add async to the method using setFindOptions() by @​bindon in typeorm/typeorm#10787
• chore: disable eslint errors for chai assertions by @​alumni in typeorm/typeorm#11833
• ci(tests): Remove limitation of branches to run on by @​OSA413 in typeorm/typeorm#11794
• ci: upgrade actions to v6 by @​pkuczynski in typeorm/typeorm#11844
• docs(v0.3): add version dropdown (stable/dev) by @​naorpeled in typeorm/typeorm#11863
• fix(sap): QueryBuilder parameter of type JS Date not escaped correctly by @​alumni in typeorm/typeorm#11867
• feat(sap): add pool timeout by @​alumni in typeorm/typeorm#11868
• feat(qodo): enable new review experience in v0.3 by @​naorpeled in typeorm/typeorm#11910
• feat: add returning option to update/upsert operations by @​naorpeled in typeorm/typeorm#11782
• test: enable repository-returning test by @​gioboa in typeorm/typeorm#11913
• chore(qodo): disable in progress notification in v0.3 by @​naorpeled in typeorm/typeorm#11928
• ci(docs): add deploy Github Action to v0.3 branch by @​naorpeled in typeorm/typeorm#11929
• chore(qodo): disable persistent comments and inline code suggestions in v0.3 by @​naorpeled in typeorm/typeorm#11989
• chore(deps): update all dependencies to the latest minor version by @​alumni in typeorm/typeorm#12015
• fix(redis): redis cache version detection by @​mguida22 in typeorm/typeorm#11936
• ci: remove summary comments location policy by @​naorpeled in typeorm/typeorm#12117
• ci(qodo): remove /improve from pr and push commands by @​naorpeled in typeorm/typeorm#12129
• ci: migrate from npm to pnpm by @​pkuczynski in typeorm/typeorm#12193
• ci(qodo): sync qodo pr agent config from master by @​naorpeled in typeorm/typeorm#12265
• ci: remove docs indexing by @​alumni in typeorm/typeorm#12435
• fix(security): validate limit() in Update/SoftDelete query builders by @​smith-xyz in typeorm/typeorm#12437
• chore(deps): update all minor by @​alumni in typeorm/typeorm#12443
• chore(release): release 0.3.29 by @​michaelbromley in typeorm/typeorm#12442

New Contributors

• @​LeviHeber made their first contribution in typeorm/typeorm#11267
• @​mjr128 made their first contribution in typeorm/typeorm#11232
• @​bindon made their first contribution in typeorm/typeorm#10787

Full Changelog: typeorm/typeorm@0.3.28...0.3.29

Changelog

Sourced from typeorm's changelog.

0.3.29 (2026-05-08)

Bug Fixes

• add async to the method using setFindOptions() (#10787) (cc07c90)
• change import for process dependency (#11248) (1c67c3b)
• cli: init command loading non-existing package.json (#11947) (4d9d1a6)
• fix up aggregate methods ambiguous column (#11822) (6e34756)
• fix up limit with joins (#11987) (3657db8)
• getPendingMigrations unnecessarily creating migrations table (#11672) (1dbc224)
• postgres: execute queries sequentially to avoid pg 8.19.0 deprecation warning (#12105) (79829a0)
• prevent columns with select false from being returned (#11944) (6b20831)
• prevent eager-loaded entities from overwriting manual relations (#11267) (2d8c515)
• propagate schema and database to closure junction table (#12110) (58b403f)
• redis: redis cache version detection (#11936) (f22c7a2)
• release query runner when there is no migration to revert (#11232) (a46eb0a)
• sap: QueryBuilder parameter of type JS Date not escaped correctly (#11867) (5153436)
• security: validate limit() in Update/SoftDelete query builders (#12437) (0d7991a)
• virtual property handling in schema builder (#11000) (5bd3255)

Features

• add returning option to update/upsert operations (#11782) (11d9767)
• sap: add pool timeout (#11868) (b4e2ad2)
• sap: support locking in select (#11996) (86a9e3e)

Commits

• 0ed009a ci: add npm environment to publish job for trusted publishing
• 6ede38b chore: enable trusted publishing in publish workflow
• 578d9e9 chore: fix pnpm publish for v0.3
• 253f060 chore: disable git check on pnpm publish for v0.3
• 1b5476f chore: set pnpm publish branch for v0.3
• 17c6ec2 chore(release): release 0.3.29 (#12442)
• 0ac8092 chore(deps): update all minor (#12443)
• 0d7991a fix(security): validate limit() in Update/SoftDelete query builders (#12437)
• c38c754 ci: remove docs indexing (#12435)
• 1b66c44 Merge commit from fork
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for typeorm since your current version.

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates next-intl from 4.11.0 to 4.11.2

Release notes

Sourced from next-intl's releases.

v4.11.2

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

v4.11.1

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

Changelog

Sourced from next-intl's changelog.

4.11.2 (2026-05-11)

Bug Fixes

• Revert x-forwarded-host redirect domain change (#2322) (eb3a6a4) – by @​amannn

4.11.1 (2026-05-08)

Bug Fixes

• Avoid watchers for detached telemetry process (#2319) (ff77a3d) – by @​amannn

Commits

• 940dfbf v4.11.2
• eb3a6a4 fix: Revert x-forwarded-host redirect domain change (#2322)
• a6a8f8f v4.11.1
• ff77a3d fix: Avoid watchers for detached telemetry process (#2319)
• 02989b6 test: Refactor extractor tests to e2e (#2312)
• See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates joi from 18.1.2 to 18.2.1

Commits

• 048fe05 18.2.1
• 2392713 Merge pull request #3113 from hapijs/fix/link-max-call-stack
• fc146a6 fix: protect link recursion from max call stack
• f4e97e0 18.2.0
• 626893d Merge pull request #3111 from hapijs/feat/link-maxRecursion
• 9c7a443 feat: add maxRecursion limit to links
• See full diff in compare view

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions