
Update dependencies and fix audit vulnerabilities #1021

Draft
rchlfryn wants to merge 4 commits into main from update-packages

Conversation


@rchlfryn rchlfryn commented Apr 3, 2026

Description

Updates all safely upgradable dependencies, aligns versions with the Payload website template, and fixes audit vulnerabilities in direct dependencies.

Related Issues

N/A

Key Changes

Safe patch/minor updates:

  • @react-email/components 1.0.6 → 1.0.11
  • react-email / @react-email/preview-server 5.2.5 → 5.2.10
  • axios 1.12.0 → 1.14.0
  • pino-pretty 13.1.2 → 13.1.3
  • @types/node 22.5.4 → 22.19.17
  • @types/react 19.0.1 → 19.2.14
  • @types/react-dom 19.0.1 → 19.2.3

Medium-risk updates:

  • sharp 0.33.5 → 0.34.5
  • lucide-react 0.575.0 → 1.7.0
  • @vercel/og 0.8.5 → 0.11.1
  • @vercel/blob 1.1.1 → 2.3.3
  • @libsql/client 0.15.4 → 0.17.2
  • lint-staged 15.5.0 → 16.4.0

Template alignment:

  • typescript 5.7.2 → 5.7.3
  • tailwind-merge 2.6.0 → 3.5.0
  • react / react-dom 19.1.0 → 19.2.4

Audit fixes:

  • @eslint/eslintrc 3.2.0 → 3.3.5 (minimatch ReDoS)
  • @sentry/nextjs 9.39.0 → 9.47.1 (minimatch, rollup)
  • isomorphic-dompurify 2.26.0 → 2.36.0 (dompurify vulns)
  • lodash-es 4.17.23 → 4.18.1
  • path-to-regexp 8.3.0 → 8.4.2
  • posthog-js 1.257.0 → 1.364.7 (preact vuln)

Not updated (require dedicated PRs):

  • Next.js 16 (major framework upgrade)
  • Tailwind CSS 4 (full rewrite)
  • ESLint 10, Sentry 10, TypeScript 6, Zod 4, Pino 10

How to test

  • pnpm tsc — passes
  • pnpm lint — passes
  • pnpm test — 286 tests pass
  • Verify file uploads work in admin (tests @vercel/blob v2)
  • Verify OG images render (@vercel/og update)
  • Spot-check icons render correctly (lucide-react 1.0)
  • Verify image processing works (sharp 0.34)

Screenshots / Demo video

N/A — dependency updates only

Migration Explanation

No database migrations needed. All changes are package version bumps.

Future enhancements / Questions

Remaining audit vulnerabilities are all transitive deps blocked by major upgrades:

  • next vulns → needs Next.js 16
  • webpack, rollup → needs Sentry 10
  • flatted, ajv → needs ESLint 10
  • yaml → needs Tailwind 4
  • nodemailer, esbuild → needs Payload upstream fix

🤖 Generated with Claude Code
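Added example, not code from this PR or its project: a small Node script that groups advisories from `pnpm audit --json` by the direct dependency at the root of each dependency path, which is the triage the description above does by hand (findings cleared by a direct-dependency bump versus findings parked behind a major upgrade). The report shape, the advisory entries and the list of blocked roots are constructed assumptions.

```javascript
// Added example (not code from this PR or its project). Assumed report shape:
// the npm-audit-compatible JSON pnpm emits, `advisories` keyed by id, each with
// `module_name` and `findings[].paths`, a path being "root>child>...>module"
// (a single segment when the direct dependency is itself the vulnerable one).
// Constructed sample report: ids, titles, versions and chains are made up.
const sampleReport = { advisories: {
  "1001": { module_name: "minimatch", severity: "high", title: "ReDoS (constructed)",
    findings: [{ version: "3.0.4", paths: ["@eslint/eslintrc>minimatch", "copyfiles>minimatch"] }] },
  "1002": { module_name: "webpack", severity: "moderate", title: "constructed advisory",
    findings: [{ version: "5.90.0", paths: ["@sentry/nextjs>@sentry/webpack-plugin>webpack"] }] },
  "1003": { module_name: "lodash-es", severity: "moderate", title: "constructed advisory",
    findings: [{ version: "4.17.23", paths: ["lodash-es"] }] },
} };

// Direct dependencies whose fix needs a major upgrade left for a dedicated PR
// (constructed list mirroring the "Not updated" section above).
const blockedRoots = new Set(["next", "@sentry/nextjs", "eslint", "tailwindcss"]);

// Group every finding under the direct dependency at the root of its path.
function groupByRoot(report, blocked = new Set()) {
  const groups = {}; // root -> { ids, modules, direct, blocked }
  for (const [id, adv] of Object.entries(report.advisories)) {
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const chain = path.split(">");
        const root = chain[0];
        const g = (groups[root] ??= { ids: new Set(), modules: new Set(),
          direct: false, blocked: blocked.has(root) });
        g.ids.add(id);
        g.modules.add(adv.module_name);
        if (chain.length === 1) g.direct = true; // the direct dep is the vulnerable one
      }
    }
  }
  return groups;
}

// Turn the grouping into the triage the PR description states by hand.
function triage(groups) {
  return Object.entries(groups).map(([root, g]) => ({
    root,
    vulnerable: [...g.modules].sort(),
    action: g.direct ? "bump this direct dependency"
      : g.blocked ? "blocked: root needs a major upgrade (separate PR)"
      : "bump the root to a patch/minor that resolves a fixed version, or add a pnpm override",
  }));
}

console.log(triage(groupByRoot(sampleReport, blockedRoots)));
```

Run it against a real report with `pnpm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of the constructed sample.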

rchlfryn and others added 4 commits April 3, 2026 07:56
Updates @react-email/components, react-email, axios, pino-pretty,
and @types/node, @types/react, @types/react-dom to latest compatible versions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- sharp: 0.33.5 → 0.34.5
- lucide-react: 0.575.0 → 1.7.0
- @vercel/og: 0.8.5 → 0.11.1
- @vercel/blob: 1.1.1 → 2.3.3
- @libsql/client: 0.15.4 → 0.17.2
- lint-staged: 15.5.0 → 16.4.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- typescript: 5.7.2 → 5.7.3
- @types/react: 19.1.8 → 19.2.14
- @types/react-dom: 19.1.6 → 19.2.3
- tailwind-merge: 2.6.0 → 3.5.0
- react: 19.1.0 → 19.2.4
- react-dom: 19.1.0 → 19.2.4

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- @eslint/eslintrc: 3.2.0 → 3.3.5 (fixes minimatch ReDoS)
- @sentry/nextjs: 9.39.0 → 9.47.1 (fixes minimatch, rollup)
- isomorphic-dompurify: 2.26.0 → 2.36.0 (fixes dompurify vulns)
- lodash-es: 4.17.23 → 4.18.1
- path-to-regexp: 8.3.0 → 8.4.2
- posthog-js: 1.257.0 → 1.364.7 (fixes preact vuln)
- copyfiles: updated for minimatch fix

Remaining audit issues are all in transitive deps of next, eslint,
tailwindcss, @payloadcms/*, and @sentry/webpack-plugin — require
major version upgrades to resolve.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>