build(deps): Bump the npm_and_yarn group across 7 directories with 7 updates by dependabot[bot] · Pull Request #767 · wildcard/caro

dependabot · 2026-02-20T19:37:35Z

Bumps the npm_and_yarn group with 1 update in the / directory: next.
Bumps the npm_and_yarn group with 1 update in the /apps/devrel directory: next.
Bumps the npm_and_yarn group with 3 updates in the /changelog directory: devalue, diff and h3.
Bumps the npm_and_yarn group with 3 updates in the /docs-site directory: devalue, diff and h3.
Bumps the npm_and_yarn group with 3 updates in the /landing directory: devalue, diff and h3.
Bumps the npm_and_yarn group with 2 updates in the /presentation directory: markdown-it and nanotar.
Bumps the npm_and_yarn group with 4 updates in the /website directory: devalue, diff, h3 and lodash.

Updates next from 16.1.4 to 16.1.5

Release notes

Sourced from next's releases.

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

Commits

acba4a6 v16.1.5
e1d1fc6 Add maximum size limit for postponed body parsing (#88175)
500ec83 fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
1caaca3 feat(next/image)!: add images.maximumResponseBody config (#88183)
522ed84 Sync DoS mitigations for React Flight
8cad197 [backport][cna] Ensure created app is not considered the workspace root in pn...
2718661 Backport/docs fixes (#89031)
5333625 Backport/docs fixes 16.1.5 (#88916)
See full diff in compare view

Updates next from 16.1.1 to 16.1.5

Release notes

Sourced from next's releases.

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

Commits

acba4a6 v16.1.5
e1d1fc6 Add maximum size limit for postponed body parsing (#88175)
500ec83 fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
1caaca3 feat(next/image)!: add images.maximumResponseBody config (#88183)
522ed84 Sync DoS mitigations for React Flight
8cad197 [backport][cna] Ensure created app is not considered the workspace root in pn...
2718661 Backport/docs fixes (#89031)
5333625 Backport/docs fixes 16.1.5 (#88916)
See full diff in compare view

Updates devalue from 5.6.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

1175584: fix: validate input for ArrayBuffer parsing

e46afa6: fix: validate input for typed arrays

1175584: fix: more helpful errors for inputs causing stack overflows

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

1175584: fix: validate input for ArrayBuffer parsing

e46afa6: fix: validate input for typed arrays

1175584: fix: more helpful errors for inputs causing stack overflows

Commits

a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
fcf4e88 fix tests
1d8a5ea Version Packages (#131)
1175584 Merge commit from fork
e46afa6 Merge commit from fork
See full diff in compare view

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

Commits

b7b6339 v5.2.2
b5377ab Update package version to 5.2.1
7801789 Backport kpdecker/jsdiff#649
042a837 Backport kpdecker/jsdiff#647
See full diff in compare view

Updates h3 from 1.15.4 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

Update deps (e2462ec)

Update ci (c934599)

Add test:types script (0a4a115)

Update ci (b4dce71)

Update publish tag to 1.x (589625c)

Fix ts issue (c9ebf80)

Update deps (d18c074)

Fix more ts/lint issues (bd92b74)

🤖 CI

Fix publish tag (401c9b8)

❤️ Contributors

Pooya Parsa (@pi0)

Commits

24231b9 chore(release): v1.15.5
bd92b74 chore: fix more ts/lint issues
d18c074 chore: update deps
c9ebf80 chore: fix ts issue
618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
401c9b8 ci: fix publish tag
589625c chore: update publish tag to 1.x
b4dce71 chore: update ci
0a4a115 chore: add test:types script
c934599 chore: update ci
Additional commits viewable in compare view

Updates devalue from 5.6.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

1175584: fix: validate input for ArrayBuffer parsing

e46afa6: fix: validate input for typed arrays

1175584: fix: more helpful errors for inputs causing stack overflows

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

1175584: fix: validate input for ArrayBuffer parsing

e46afa6: fix: validate input for typed arrays

1175584: fix: more helpful errors for inputs causing stack overflows

Commits

a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
fcf4e88 fix tests
1d8a5ea Version Packages (#131)
1175584 Merge commit from fork
e46afa6 Merge commit from fork
See full diff in compare view

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

Commits

b7b6339 v5.2.2
b5377ab Update package version to 5.2.1
7801789 Backport kpdecker/jsdiff#649
042a837 Backport kpdecker/jsdiff#647
See full diff in compare view

Updates h3 from 1.15.4 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

Update deps (e2462ec)

Update ci (c934599)

Add test:types script (0a4a115)

Update ci (b4dce71)

Update publish tag to 1.x (589625c)

Fix ts issue (c9ebf80)

Update deps (d18c074)

Fix more ts/lint issues (bd92b74)

🤖 CI

Fix publish tag (401c9b8)

❤️ Contributors

Pooya Parsa (@pi0)

Commits

24231b9 chore(release): v1.15.5
bd92b74 chore: fix more ts/lint issues
d18c074 chore: update deps
c9ebf80 chore: fix ts issue
618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
401c9b8 ci: fix publish tag
589625c chore: update publish tag to 1.x
b4dce71 chore: update ci
0a4a115 chore: add test:types script
c934599 chore: update ci
Additional commits viewable in compare view

Updates devalue from 5.6.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

1175584: fix: validate input for ArrayBuffer parsing

e46afa6: fix: validate input for typed arrays

1175584: fix: more helpful errors for inputs causing stack overflows

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

1175584: fix: validate input for ArrayBuffer parsing

e46afa6: fix: validate input for typed arrays

1175584: fix: more helpful errors for inputs causing stack overflows

Commits

a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
fcf4e88 fix tests
1d8a5ea Version Packages (#131)
1175584 Merge commit from fork
e46afa6 Merge commit from fork
See full diff in compare view

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

Commits

b7b6339 v5.2.2
b5377ab Update package version to 5.2.1
7801789 Backport kpdecker/jsdiff#649
042a837 Backport kpdecker/jsdiff#647
See full diff in compare view

Updates h3 from 1.15.4 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

Update deps (e2462ec)

Update ci (c934599)

Add test:types script (0a4a115)

Update ci (b4dce71)

Update publish tag to 1.x (589625c)

Fix ts issue (c9ebf80)

Update deps (d18c074)

Fix more ts/lint issues (bd92b74)

🤖 CI

Fix publish tag (401c9b8)

❤️ Contributors

Pooya Parsa (@pi0)

Commits

24231b9 chore(release): v1.15.5
bd92b74 chore: fix more ts/lint issues
d18c074 chore: update deps
c9ebf80 chore: fix ts issue
618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
401c9b8 ci: fix publish tag
589625c chore: update publish tag to 1.x
b4dce71 chore: update ci
0a4a115 chore: add test:types script
c934599 chore: update ci
Additional commits viewable in compare view

Updates markdown-it from 14.1.0 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @ltduc147 for report.

Commits

b4a9b65 14.1.1 released
4b4bbca Fixed perf regression in linkify-it wrapper
d2782d8 Add supplementary example-driven documentation (#1092)
See full diff in compare view

Updates nanotar from 0.1.1 to 0.2.1

Release notes

Sourced from nanotar's releases.

v0.2.0

compare changes

🚀 Enhancements

parse: Support filter option (1eddc34)

parse: Support metaOnly option (181bee5)

🩹 Fixes

Return ParsedTarFileItem type after parsing (#21/#25)

parse: Handle no zero in _readString (#20)

parse: Trim mode (#18)

parse: Set data to undefined for dir entries (71917b8)

📖 Documentation

Added jsdocs to exported functions (#10)

📦 Build

Update exports field (a6ef534)

✅ Tests

Add explicit -z flag (81be39b, 090ccb3)

Update test (c481d36)

Improve inspection (944c205)

❤️ Contributors

Pooya Parsa (@pi0)

Max (@onmax)

Kricsleo (@kricsleo)

Bjorn Lu (@bluwy)

C0per (@c0per)

Changelog

Sourced from nanotar's changelog.

Changelog

v0.3.0

compare changes

🚀 Enhancements

parse: ⚠️ Support extended item types and headers (#30)

parse: Handle long file names (#31)

🩹 Fixes

Sanitise paths (#58)

🏡 Chore

release: V0.2.0 (7e35c5b)

✅ Tests

Add additional tests for different formats (f13b802)

Update fixture (6fa56df)

⚠️ Breaking Changes

parse: ⚠️ Support extended item types and headers (#30)

❤️ Contributors

Daniel Roe (@danielroe)

Pooya Parsa (@pi0)

v0.2.0

compare changes

🚀 Enhancements

parse: Support filter option (1eddc34)

parse: Support metaOnly option (181bee5)

🩹 Fixes

Return ParsedTarFileItem type after parsing (#25)

Return ParsedTarFileItem type after parsing (#21)

parse: Handle no zero in _readString (#20)

parse: Trim mode (#18)

parse: Set data to undefined for dir entries (71917b8)

... (truncated)

Commits

10b6a2a fix syntax
6326638 chore: bump 0.2
e5e68cf fix: sanitise paths (#58)
b23c4cb fix lint issue
181bee5 feat(parse): support metaOnly option
1eddc34 feat(parse): support filter option
71917b8 fix(parse): set data to undefined for dir entries
944c205 test: improve inspection
a6ef534 build: update exports field
6516d85 docs: added jsdocs to exported functions (#10)
Additional commits viewable in compare view

Updates devalue from 5.6.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

1175584: fix: validate input for ArrayBuffer parsing

e46afa6: fix: validate input for typed arrays

1175584: fix: more helpful errors for inputs causing stack overflows

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

1175584: fix: validate input for ArrayBuffer parsing

e46afa6: fix: validate input for typed arrays

1175584: fix: more helpful errors for inputs causing stack overflows

Commits

a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
fcf4e88 fix tests
1d8a5ea Version Packages (#131)
1175584 Merge commit from fork
e46afa6 Merge commit from fork
See full diff in compare view

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

Commits

b7b6339 v5.2.2
b5377ab Update package version to 5.2.1
7801789 Backport kpdecker/jsdiff#649
042a837 Backport kpdecker/jsdiff#647
See full diff in compare view

Updates h3 from 1.15.4 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

Update deps (e2462ec)

Update ci (c934599)

Add test:types script (0a4a115)

Update ci (b4dce71)

Update publish tag to 1.x (589625c)

Fix ts issue (c9ebf80)

Update deps (d18c074)

Fix more ts/lint issues (bd92b74)

🤖 CI

Fix publish tag (401c9b8)

❤️ Contributors

Pooya Parsa (@pi0)

Commits

24231b9 chore(release): v1.15.5
bd92b74 chore: fix more ts/lint issues
d18c074 chore: update deps
c9ebf80 chore: fix ts issue
618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
401c9b8 ci: fix publish tag
589625c chore: update publish tag to 1.x
b4dce71 chore: update ci
0a4a115 chore: add test:types script
c934599 chore: update ci
Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgraded dependencies across 7 packages to pick up security fixes and minor patches. Notably bumps Next.js to 16.1.5 and updates security-sensitive libraries.

Dependencies
- Next.js → 16.1.5 (root, apps/devrel). Adds images.maximumResponseBody (default 50MB) and DoS mitigations.
- h3 → 1.15.5. Fixes Transfer-Encoding handling (request smuggling risk).
- diff → 5.2.2. Security backport.
- lodash → 4.17.23. Prevents prototype pollution.
- devalue → 5.6.3. Safer parsing and sparse array handling.
- markdown-it → 14.1.1. Fixes linkify CPU regression.
- nanotar → 0.2.1. Path sanitization and parser options.
- presentation: @slidev/cli → ^52.12.0 to pull in the above transitive fixes.
Migration
- Install deps and redeploy affected apps.
- If large remote images are used with next/image, set images.maximumResponseBody as needed.

^{Written for commit b92bf92. Summary will update on new commits.}

…updates Bumps the npm_and_yarn group with 1 update in the / directory: [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 1 update in the /apps/devrel directory: [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 3 updates in the /changelog directory: [devalue](https://github.com/sveltejs/devalue), [diff](https://github.com/kpdecker/jsdiff) and [h3](https://github.com/h3js/h3). Bumps the npm_and_yarn group with 3 updates in the /docs-site directory: [devalue](https://github.com/sveltejs/devalue), [diff](https://github.com/kpdecker/jsdiff) and [h3](https://github.com/h3js/h3). Bumps the npm_and_yarn group with 3 updates in the /landing directory: [devalue](https://github.com/sveltejs/devalue), [diff](https://github.com/kpdecker/jsdiff) and [h3](https://github.com/h3js/h3). Bumps the npm_and_yarn group with 2 updates in the /presentation directory: [markdown-it](https://github.com/markdown-it/markdown-it) and [nanotar](https://github.com/unjs/nanotar). Bumps the npm_and_yarn group with 4 updates in the /website directory: [devalue](https://github.com/sveltejs/devalue), [diff](https://github.com/kpdecker/jsdiff), [h3](https://github.com/h3js/h3) and [lodash](https://github.com/lodash/lodash). Updates `next` from 16.1.4 to 16.1.5 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.1.4...v16.1.5) Updates `next` from 16.1.1 to 16.1.5 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.1.4...v16.1.5) Updates `devalue` from 5.6.1 to 5.6.3 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.1...v5.6.3) Updates `diff` from 5.2.0 to 5.2.2 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2) Updates `h3` from 1.15.4 to 1.15.5 - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md) - [Commits](h3js/h3@v1.15.4...v1.15.5) Updates `devalue` from 5.6.1 to 5.6.3 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.1...v5.6.3) Updates `diff` from 5.2.0 to 5.2.2 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2) Updates `h3` from 1.15.4 to 1.15.5 - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md) - [Commits](h3js/h3@v1.15.4...v1.15.5) Updates `devalue` from 5.6.1 to 5.6.3 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.1...v5.6.3) Updates `diff` from 5.2.0 to 5.2.2 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2) Updates `h3` from 1.15.4 to 1.15.5 - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md) - [Commits](h3js/h3@v1.15.4...v1.15.5) Updates `markdown-it` from 14.1.0 to 14.1.1 - [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md) - [Commits](markdown-it/markdown-it@14.1.0...14.1.1) Updates `nanotar` from 0.1.1 to 0.2.1 - [Release notes](https://github.com/unjs/nanotar/releases) - [Changelog](https://github.com/unjs/nanotar/blob/main/CHANGELOG.md) - [Commits](unjs/nanotar@v0.1.1...v0.2.1) Updates `devalue` from 5.6.1 to 5.6.3 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.1...v5.6.3) Updates `diff` from 5.2.0 to 5.2.2 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2) Updates `h3` from 1.15.4 to 1.15.5 - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md) - [Commits](h3js/h3@v1.15.4...v1.15.5) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: next dependency-version: 16.1.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.1.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 5.2.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: h3 dependency-version: 1.15.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 5.2.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: h3 dependency-version: 1.15.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 5.2.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: h3 dependency-version: 1.15.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: markdown-it dependency-version: 14.1.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: nanotar dependency-version: 0.2.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 5.2.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: h3 dependency-version: 1.15.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-02-20T19:37:42Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
caro-docs	Ready	Preview, Comment	Feb 20, 2026 7:39pm
caro-foss-website	Error		Feb 20, 2026 7:39pm
caro-slides	Ready	Preview, Comment	Feb 20, 2026 7:39pm
caro-storybook	Ready	Preview, Comment	Feb 20, 2026 7:39pm
cmdai	Error		Feb 20, 2026 7:39pm
cmdai-saas	Ready	Preview, Comment	Feb 20, 2026 7:39pm

greptile-apps · 2026-02-20T19:37:59Z

PR author is in the excluded authors list.

github-actions · 2026-02-20T19:38:37Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
❌ 1 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
⚠️ 6 package(s) with unknown licenses.
⚠️ 4 packages with OpenSSF Scorecard issues.

View full job summary

cubic-dev-ai

No issues found across 9 files

dependabot bot added dependencies Dependency updates javascript Pull requests that update javascript code labels Feb 20, 2026

dependabot bot requested a review from wildcard as a code owner February 20, 2026 19:37

dependabot bot added dependencies Dependency updates javascript Pull requests that update javascript code labels Feb 20, 2026

dependabot bot mentioned this pull request Feb 20, 2026

chore(deps): Bump the npm_and_yarn group across 3 directories with 1 update #476

Closed

github-actions bot added website Related to website dependencies Dependency updates module:website module:docs-site module:apps module:landing size/XL Extra large PR (> 500 lines) and removed dependencies Dependency updates labels Feb 20, 2026

vercel bot deployed to Preview – cmdai-saas February 20, 2026 19:38 View deployment

vercel bot had a problem deploying to Preview – caro-foss-website February 20, 2026 19:38 Failure

vercel bot had a problem deploying to Preview – cmdai February 20, 2026 19:38 Failure

vercel bot deployed to Preview – caro-docs February 20, 2026 19:38 View deployment

vercel bot deployed to Preview – caro-storybook February 20, 2026 19:38 View deployment

vercel bot deployed to Preview – caro-slides February 20, 2026 19:39 View deployment

cubic-dev-ai bot reviewed Feb 20, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

build(deps): Bump the npm_and_yarn group across 7 directories with 7 updates#767

build(deps): Bump the npm_and_yarn group across 7 directories with 7 updates#767
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-c7a57e99c1

dependabot bot commented on behalf of github Feb 20, 2026 •

edited by cubic-dev-ai bot

Loading

Uh oh!

vercel bot commented Feb 20, 2026 •

edited

Loading

Uh oh!

greptile-apps bot commented Feb 20, 2026

Uh oh!

github-actions bot commented Feb 20, 2026

Uh oh!

cubic-dev-ai bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot bot commented on behalf of github Feb 20, 2026 • edited by cubic-dev-ai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v16.1.5

v16.1.5

v5.6.3

Patch Changes

v5.6.2

Patch Changes

5.6.3

Patch Changes

5.6.2

Patch Changes

v5.2.2 - January 2026

v5.2.1 (deprecated)

v1.15.5

🩹 Fixes

v1.15.5

🩹 Fixes

🏡 Chore

🤖 CI

❤️ Contributors

v5.6.3

Patch Changes

v5.6.2

Patch Changes

5.6.3

Patch Changes

5.6.2

Patch Changes

v5.2.2 - January 2026

v5.2.1 (deprecated)

v1.15.5

🩹 Fixes

v1.15.5

🩹 Fixes

🏡 Chore

🤖 CI

❤️ Contributors

v5.6.3

Patch Changes

v5.6.2

Patch Changes

5.6.3

Patch Changes

5.6.2

Patch Changes

v5.2.2 - January 2026

v5.2.1 (deprecated)

v1.15.5

🩹 Fixes

v1.15.5

🩹 Fixes

🏡 Chore

🤖 CI

❤️ Contributors

[14.1.1] - 2026-01-11

Security

v0.2.0

🚀 Enhancements

🩹 Fixes

📖 Documentation

📦 Build

✅ Tests

❤️ Contributors

Changelog

v0.3.0

🚀 Enhancements

🩹 Fixes

🏡 Chore

✅ Tests

⚠️ Breaking Changes

❤️ Contributors

v0.2.0

🚀 Enhancements

🩹 Fixes

v5.6.3

Patch Changes

v5.6.2

dependabot bot commented on behalf of github Feb 20, 2026 •

edited by cubic-dev-ai bot

Loading

vercel bot commented Feb 20, 2026 •

edited

Loading