build(deps): update patch+minor

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update	Pending
@eslint/eslintrc	3.3.3 → 3.3.4					devDependencies	patch	3.3.5
@sentry/nextjs (source)	10.39.0 → 10.40.0					dependencies	minor	10.43.0 (+2)
@storybook/addon-docs (source)	10.2.10 → 10.2.13					devDependencies	patch	10.2.19 (+5)
@storybook/addon-links (source)	10.2.10 → 10.2.13					devDependencies	patch	10.2.19 (+5)
@storybook/addon-themes (source)	10.2.10 → 10.2.13					devDependencies	patch	10.2.19 (+5)
@storybook/nextjs (source)	10.2.10 → 10.2.13					devDependencies	patch	10.2.19 (+5)
@tailwindcss/postcss (source)	4.2.0 → 4.2.1					devDependencies	patch
@types/node (source)	24.10.13 → 24.11.0					devDependencies	minor	24.12.0 (+2)
eslint-plugin-playwright	2.7.0 → 2.8.0					devDependencies	minor	2.9.0
eslint-plugin-storybook (source)	10.2.10 → 10.2.13					devDependencies	patch	10.2.19 (+5)
github.com/getsentry/sentry-go	v0.42.0 → v0.43.0					require	minor
github.com/getsentry/sentry-go/echo	v0.42.0 → v0.43.0					require	minor
github.com/oapi-codegen/runtime	v1.1.2 → v1.2.0					require	minor
github.com/pb33f/libopenapi	v0.33.11 → v0.34.0					require	minor	v0.34.2 (+1)
github.com/pb33f/libopenapi-validator	v0.11.4 → v0.13.1					require	minor
knip (source)	5.84.1 → 5.85.0					devDependencies	minor	5.86.0
node (source)	24.13.1 → 24.14.0						minor
node (source)	24.13.1 → 24.14.0					engines	minor
pnpm (source)	10.30.1 → 10.30.3					packageManager	patch	10.32.1 (+2)
react-syntax-highlighter	16.1.0 → 16.1.1					dependencies	patch
storybook (source)	10.2.10 → 10.2.13					devDependencies	patch	10.2.19 (+5)
typescript-eslint (source)	8.56.0 → 8.56.1					devDependencies	patch	8.57.0

---

Release Notes

eslint/eslintrc (@​eslint/eslintrc)

v3.3.4

Compare Source

Bug Fixes

• update ajv to 6.14.0 to address security vulnerabilities (#​221) (9139140)
• update minimatch to 3.1.3 to address security vulnerabilities (#​224) (30339d0)

getsentry/sentry-javascript (@​sentry/nextjs)

v10.40.0

Compare Source

Important Changes

• feat(tanstackstart-react): Add global sentry exception middlewares (#​19330)

  The sentryGlobalRequestMiddleware and sentryGlobalFunctionMiddleware global middlewares capture unhandled exceptions thrown in TanStack Start API routes and server functions. Add them as the first entries in the requestMiddleware and functionMiddleware arrays of createStart():

  import { createStart } from '@​tanstack/react-start/server';
  import { sentryGlobalRequestMiddleware, sentryGlobalFunctionMiddleware } from '@​sentry/tanstackstart-react/server';
  
  export default createStart({
    requestMiddleware: [sentryGlobalRequestMiddleware, myRequestMiddleware],
    functionMiddleware: [sentryGlobalFunctionMiddleware, myFunctionMiddleware],
  });

• feat(tanstackstart-react)!: Export Vite plugin from @sentry/tanstackstart-react/vite subpath (#​19182)

  The sentryTanstackStart Vite plugin is now exported from a dedicated subpath. Update your import:

  - import { sentryTanstackStart } from '@​sentry/tanstackstart-react';
  + import { sentryTanstackStart } from '@​sentry/tanstackstart-react/vite';

• fix(node-core): Reduce bundle size by removing apm-js-collab and requiring pino >= 9.10 (#​18631)

  In order to keep receiving pino logs, you need to update your pino version to >= 9.10, the reason for the support bump is to reduce the bundle size of the node-core SDK in frameworks that cannot tree-shake the apm-js-collab dependency.

• fix(browser): Ensure user id is consistently added to sessions (#​19341)

  Previously, the SDK inconsistently set the user id on sessions, meaning sessions were often lacking proper coupling to the user set for example via Sentry.setUser().
  Additionally, the SDK incorrectly skipped starting a new session for the first soft navigation after the pageload.
  This patch fixes these issues. As a result, metrics around sessions, like "Crash Free Sessions" or "Crash Free Users" might change.
  This could also trigger alerts, depending on your set thresholds and conditions.
  We apologize for any inconvenience caused!

  While we're at it, if you're using Sentry in a Single Page App or meta framework, you might want to give the new 'page' session lifecycle a try!
  This new mode no longer creates a session per soft navigation but continues the initial session until the next hard page refresh.
  Check out the docs to learn more!

• ref!(gatsby): Drop Gatsby v2 support (#​19467)

  We drop support for Gatsby v2 (which still relies on webpack 4) for a critical security update in https://github.com/getsentry/sentry-javascript-bundler-plugins/releases/tag/5.0.0

Other Changes

• feat(astro): Add support for Astro on CF Workers (#​19265)
• feat(cloudflare): Instrument async KV API (#​19404)
• feat(core): Add framework-agnostic tunnel handler (#​18892)
• feat(deno): Export logs API from Deno SDK (#​19313)
• feat(deno): Export metrics API from Deno SDK (#​19305)
• feat(deno): instrument Deno.serve with async context support (#​19230)
• feat(deps): bump babel-loader from 8.2.5 to 10.0.0 (#​19303)
• feat(deps): bump body-parser from 1.20.4 to 2.2.2 (#​19191)
• feat(deps): Bump hono from 4.11.7 to 4.11.10 (#​19440)
• feat(deps): bump qs from 6.14.1 to 6.14.2 (#​19310)
• feat(deps): bump the opentelemetry group with 4 updates (#​19425)
• feat(feedback): Add setTheme() to dynamically update feedback widget color scheme (#​19430)
• feat(nextjs): Add sourcemaps.filesToDeleteAfterUpload as a top-level option (#​19280)
• feat(node): Add ignoreConnectSpans option to postgresIntegration (#​19291)
• feat(node): Bump to latest @​fastify/otel (#​19452)
• fix: Bump bundler plugins to v5 (#​19468)
• fix: updated the codecov config (#​19350)
• fix(aws-serverless): Prevent crash in isPromiseAllSettledResult with null/undefined array elements (#​19346)
• fix(bun) Export pinoIntegration from @​sentry/node (#​17990)
• fix(core,browser): Delete SentryNonRecordingSpan from fetch/xhr map (#​19336)
• fix(core): Explicitly flush log buffer in client.close() (#​19371)
• fix(core): Langgraph state graph invoke accepts null to resume (#​19374)
• fix(core): Wrap decodeURI in node stack trace parser to handle malformed URIs (#​19400)
• fix(deps): Bump nuxt devDependency to fix CVE-2026-24001 (#​19249)
• fix(deps): Bump to latest version of each minimatch major (#​19486)
• fix(nextjs): Apply environment from options if set (#​19274)
• fix(nextjs): Don't set sentry.drop_transaction attribute on spans when skipOpenTelemetrySetup is enabled (#​19333)
• fix(nextjs): Normalize trailing slashes in App Router route parameterization (#​19365)
• fix(nextjs): Return correct lastEventId for SSR pages (#​19240)
• fix(nextjs): Set parameterized transaction name for non-transaction events (#​19316)
• fix(node-core): Align pino mechanism type with spec conventions (#​19363)
• fix(nuxt): Use options.rootDir instead of options.srcDir (#​19343)

Internal Changes

- test(nextjs): Add bun e2e test app ([#​19318](https://redirect.github.com/getsentry/sentry-javascript/pull/19318)) - test(nextjs): Deactivate canary test for cf-workers ([#​19483](https://redirect.github.com/getsentry/sentry-javascript/pull/19483)) - tests(langchain): Fix langchain v1 internal error tests ([#​19409](https://redirect.github.com/getsentry/sentry-javascript/pull/19409)) - ref(nuxt): Remove `defineNitroPlugin` wrapper ([#​19334](https://redirect.github.com/getsentry/sentry-javascript/pull/19334)) - ref(cloudflare): Move internal files and functions around ([#​19369](https://redirect.github.com/getsentry/sentry-javascript/pull/19369)) - chore: Add external contributor to CHANGELOG.md ([#​19395](https://redirect.github.com/getsentry/sentry-javascript/pull/19395)) - chore: Add github action to notify stale PRs ([#​19361](https://redirect.github.com/getsentry/sentry-javascript/pull/19361)) - chore: add oxfmt changes to blame ignore rev list ([#​19366](https://redirect.github.com/getsentry/sentry-javascript/pull/19366)) - chore: Enhance AI integration guidelines with runtime-specific placem… ([#​19296](https://redirect.github.com/getsentry/sentry-javascript/pull/19296)) - chore: Ignore `lerna.json` for prettier ([#​19288](https://redirect.github.com/getsentry/sentry-javascript/pull/19288)) - chore: migrate to oxfmt ([#​19200](https://redirect.github.com/getsentry/sentry-javascript/pull/19200)) - chore: Revert to lerna v8 ([#​19294](https://redirect.github.com/getsentry/sentry-javascript/pull/19294)) - chore: Unignore HTML files and reformat with oxfmt ([#​19311](https://redirect.github.com/getsentry/sentry-javascript/pull/19311)) - chore(ci): Adapt max turns of triage issue agent ([#​19473](https://redirect.github.com/getsentry/sentry-javascript/pull/19473)) - chore(ci): Add `environment` to triage action ([#​19375](https://redirect.github.com/getsentry/sentry-javascript/pull/19375)) - chore(ci): Add `id-token: write` permission to triage workflow ([#​19381](https://redirect.github.com/getsentry/sentry-javascript/pull/19381)) - chore(ci): Move monorepo to nx ([#​19325](https://redirect.github.com/getsentry/sentry-javascript/pull/19325)) - chore(cursor): Add rules for fetching develop docs ([#​19377](https://redirect.github.com/getsentry/sentry-javascript/pull/19377)) - chore(deps-dev): Bump @​sveltejs/kit from 2.49.5 to 2.52.2 in /dev-packages/e2e-tests/test-applications/sveltekit-2 ([#​19441](https://redirect.github.com/getsentry/sentry-javascript/pull/19441)) - chore(deps-dev): Bump @​sveltejs/kit from 2.49.5 to 2.52.2 in /dev-packages/e2e-tests/test-applications/sveltekit-2-kit-tracing ([#​19446](https://redirect.github.com/getsentry/sentry-javascript/pull/19446)) - chore(deps-dev): Bump @​sveltejs/kit from 2.49.5 to 2.52.2 in /dev-packages/e2e-tests/test-applications/sveltekit-cloudflare-pages ([#​19462](https://redirect.github.com/getsentry/sentry-javascript/pull/19462)) - chore(deps-dev): Bump @​sveltejs/kit from 2.50.1 to 2.52.2 ([#​19442](https://redirect.github.com/getsentry/sentry-javascript/pull/19442)) - chore(deps-dev): bump @​testing-library/react from 13.0.0 to 15.0.5 ([#​19194](https://redirect.github.com/getsentry/sentry-javascript/pull/19194)) - chore(deps-dev): bump @​types/ember__debug from 3.16.5 to 4.0.8 ([#​19429](https://redirect.github.com/getsentry/sentry-javascript/pull/19429)) - chore(deps-dev): bump ember-resolver from 13.0.2 to 13.1.1 ([#​19301](https://redirect.github.com/getsentry/sentry-javascript/pull/19301)) - chore(deps): Bump @​actions/glob from 0.4.0 to 0.6.1 ([#​19427](https://redirect.github.com/getsentry/sentry-javascript/pull/19427)) - chore(deps): bump agents from 0.2.32 to 0.3.10 in /dev-packages/e2e-tests/test-applications/cloudflare-mcp ([#​19326](https://redirect.github.com/getsentry/sentry-javascript/pull/19326)) - chore(deps): Bump hono from 4.11.7 to 4.11.10 in /dev-packages/e2e-tests/test-applications/cloudflare-hono ([#​19438](https://redirect.github.com/getsentry/sentry-javascript/pull/19438)) - chore(deps): Bump Sentry CLI to latest v2 ([#​19477](https://redirect.github.com/getsentry/sentry-javascript/pull/19477)) - chore(deps): Bump transitive dep `fast-xml-parser` ([#​19433](https://redirect.github.com/getsentry/sentry-javascript/pull/19433)) - chore(deps): upgrade tar to 7.5.9 to fix CVE-2026-26960 ([#​19445](https://redirect.github.com/getsentry/sentry-javascript/pull/19445)) - chore(github): Add `allowedTools` to Claude GitHub action ([#​19386](https://redirect.github.com/getsentry/sentry-javascript/pull/19386)) - chore(github): Add workflow to trigger `triage-issue` skill ([#​19358](https://redirect.github.com/getsentry/sentry-javascript/pull/19358)) - chore(github): Add write tool for markdown report ([#​19387](https://redirect.github.com/getsentry/sentry-javascript/pull/19387)) - chore(github): Change tool permission path ([#​19389](https://redirect.github.com/getsentry/sentry-javascript/pull/19389)) - chore(llm): Add `triage-issue` skill ([#​19356](https://redirect.github.com/getsentry/sentry-javascript/pull/19356)) - chore(llm): Better defense against prompt injection in triage skill ([#​19410](https://redirect.github.com/getsentry/sentry-javascript/pull/19410)) - chore(llm): Make cross-repo search optional and remove file cleanup ([#​19401](https://redirect.github.com/getsentry/sentry-javascript/pull/19401)) - chore(node-core): Make @​sentry/opentelemetry not a peer dep in node… ([#​19308](https://redirect.github.com/getsentry/sentry-javascript/pull/19308)) - chore(repo): Allow WebFetch for Sentry docs in Claude settings ([#​18890](https://redirect.github.com/getsentry/sentry-javascript/pull/18890)) - chore(repo): Increase number of concurrently running nx tasks ([#​19443](https://redirect.github.com/getsentry/sentry-javascript/pull/19443)) - chore(skills): Add security notes for injection defense ([#​19379](https://redirect.github.com/getsentry/sentry-javascript/pull/19379)) - chore(triage-action): Fix JSON parsing ([#​19471](https://redirect.github.com/getsentry/sentry-javascript/pull/19471)) - chore(triage-issue): Improve triage prompt for accuracy ([#​19454](https://redirect.github.com/getsentry/sentry-javascript/pull/19454)) - chore(triage-skill): Add GitHub parsing python util script ([#​19405](https://redirect.github.com/getsentry/sentry-javascript/pull/19405)) - chore(triage-skill): Increase `num_turns` and add script to post summary ([#​19456](https://redirect.github.com/getsentry/sentry-javascript/pull/19456)) - ci(fix-security-vulnerability): Add id token write permission ([#​19412](https://redirect.github.com/getsentry/sentry-javascript/pull/19412)) - ci(fix-security-vulnerability): Be specific about how to fetch the alert page ([#​19414](https://redirect.github.com/getsentry/sentry-javascript/pull/19414)) - ci(fix-security-vulnerability): Run fetch alert first before executing skill ([#​19418](https://redirect.github.com/getsentry/sentry-javascript/pull/19418)) - ci(fix-security-vulnerability): Use opus 4.6 ([#​19416](https://redirect.github.com/getsentry/sentry-javascript/pull/19416)) - ci(github): Add tilde to file path to not exact-match ([#​19392](https://redirect.github.com/getsentry/sentry-javascript/pull/19392)) - ci(triage-skill): Allow `Write` and remove `rm` permission ([#​19397](https://redirect.github.com/getsentry/sentry-javascript/pull/19397)) - ci(triage-skill): Run on opened issues ([#​19423](https://redirect.github.com/getsentry/sentry-javascript/pull/19423)) - docs(nuxt): Remove duplicated setup instructions ([#​19422](https://redirect.github.com/getsentry/sentry-javascript/pull/19422)) - feat(ci): Add security vulnerability skill action ([#​19355](https://redirect.github.com/getsentry/sentry-javascript/pull/19355))

Work in this release was contributed by @​LudvigHz and @​jadengis. Thank you for your contributions!

Bundle size 📦

Path	Size
@​sentry/browser	25.02 KB
@​sentry/browser - with treeshaking flags	23.56 KB
@​sentry/browser (incl. Tracing)	41.43 KB
@​sentry/browser (incl. Tracing, Profiling)	45.98 KB
@​sentry/browser (incl. Tracing, Replay)	79.34 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	69.2 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	83.92 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	95.9 KB
@​sentry/browser (incl. Feedback)	41.43 KB
@​sentry/browser (incl. sendFeedback)	29.58 KB
@​sentry/browser (incl. FeedbackAsync)	34.51 KB
@​sentry/browser (incl. Metrics)	26.16 KB
@​sentry/browser (incl. Logs)	26.3 KB
@​sentry/browser (incl. Metrics & Logs)	26.96 KB
@​sentry/react	26.73 KB
@​sentry/react (incl. Tracing)	43.71 KB
@​sentry/vue	29.36 KB
@​sentry/vue (incl. Tracing)	43.23 KB
@​sentry/svelte	25.04 KB
CDN Bundle	27.5 KB
CDN Bundle (incl. Tracing)	42.24 KB
CDN Bundle (incl. Logs, Metrics)	28.32 KB
CDN Bundle (incl. Tracing, Logs, Metrics)	43.06 KB
CDN Bundle (incl. Replay, Logs, Metrics)	66.49 KB
CDN Bundle (incl. Tracing, Replay)	78.25 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	79.1 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	83.64 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	84.5 KB
CDN Bundle - uncompressed	80.41 KB
CDN Bundle (incl. Tracing) - uncompressed	125.06 KB
CDN Bundle (incl. Logs, Metrics) - uncompressed	83.18 KB
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	127.82 KB
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	203.94 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed	239.2 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	241.95 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	251.81 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	254.55 KB
@​sentry/nextjs (client)	46.07 KB
@​sentry/sveltekit (client)	41.88 KB
@​sentry/node-core	50.95 KB
@​sentry/node	169.38 KB
@​sentry/node - without tracing	95.04 KB
@​sentry/aws-serverless	110.47 KB

storybookjs/storybook (@​storybook/addon-docs)

v10.2.13

Compare Source

• Addon Pseudo-states: Process all nested css rules - #​33605, thanks @​hpohlmeyer!
• Builder-Vite: Prevent config duplication - #​33883, thanks @​copilot-swe-agent!
• CLI: Fix React native web A11y issues - #​33937, thanks @​jonniebigodes!
• Core: Avoid hanging when inferring args for recursive calls on DOM elemens - #​33922, thanks @​valentinpalkovic!
• Eslint: Fix ESLint 10 compatibility in eslint-plugin-storybook rules - #​33884, thanks @​copilot-swe-agent!
• Viewport: Prioritize story viewport globals and avoid user-global pollution - #​33849, thanks @​ia319!

v10.2.12

Compare Source

• Core: Sanitize inputs for save from controls - #​33868, thanks @​valentinpalkovic!
• Telemetry: Add project age - #​33910, thanks @​shilman!
• Webpack: Improve performance of module-mocking plugins - #​33169, thanks @​valentinpalkovic!

v10.2.11

Compare Source

• Addon-Vitest: Fix postinstall a11y installation - #​33888, thanks @​valentinpalkovic!
• Manifests: Use correct story name - #​33709, thanks @​JReinhold!
• Next.js: Handle legacyBehavior prop in Link mock component - #​33862, thanks @​yatishgoel!
• React: Fix manifest stories empty when meta has no explicit title - #​33878, thanks @​kasperpeulen!

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.2.1

Compare Source

Fixed

• Allow trailing dash in functional utility names for backwards compatibility (#​19696)
• Properly detect classes containing . characters within curly braces in MDX files (#​19711)

mskelton/eslint-plugin-playwright (eslint-plugin-playwright)

v2.8.0

Compare Source

Bug Fixes

• Add missing test coverage and fix several minor bugs (#​434) (e3398ec)
• missing-playwright-await: Handle spread elements (df30163), closes #​430
• missing-playwright-await: Support more promise edge cases (b4cdcbd)

Features

• Auto-detect test.extend() fixtures and import aliases (#​432) (8b22ee7)

v2.7.1

Compare Source

Bug Fixes

• missing-playwirght-await: Fix false positive with promise chains (6e4f5ff)

getsentry/sentry-go (github.com/getsentry/sentry-go)

v0.43.0: 0.43.0

Compare Source

Breaking Changes 🛠

• Add support for go 1.26 by @​giortzisg in #​1193
  • bump minimum supported go version to 1.24
• change type signature of attributes for Logs and Metrics. by @​giortzisg in #​1205
  • users are not supposed to modify Attributes directly on the Log/Metric itself, but this is still is a breaking change on the type.
• Send uint64 overflowing attributes as numbers. by @​giortzisg in #​1198
  • The SDK was converting overflowing uint64 attributes to strings for slog and logrus integrations. To eliminate double types for these attributes, the SDK now sends the overflowing attribute as is, and lets the server handle the overflow appropriately.
  • It is expected that overflowing unsigned integers would now get dropped, instead of converted to strings.

New Features ✨

• Add zap logging integration by @​giortzisg in #​1184
• Log specific message for RequestEntityTooLarge by @​giortzisg in #​1185

Bug Fixes 🐛

• Improve otel span map cleanup performance by @​giortzisg in #​1200
• Ensure correct signal delivery on multi-client setups by @​giortzisg in #​1190

Internal Changes 🔧

Deps

• Bump golang.org/x/crypto to 0.48.0 by @​giortzisg in #​1196
• Use go1.24.0 by @​giortzisg in #​1195
• Bump github.com/gofiber/fiber/v2 from 2.52.9 to 2.52.11 in /fiber by @​dependabot in #​1191
• Bump getsentry/craft from 2.19.0 to 2.20.1 by @​dependabot in #​1187

Other

• Add omitzero and remove custom serialization by @​giortzisg in #​1197
• Rename Telemetry Processor components by @​giortzisg in #​1186

oapi-codegen/runtime (github.com/oapi-codegen/runtime)

v1.2.0: Parameter binding extensions, bug fixes, dependency updates

Compare Source

Notable Changes

The main change in this release is the addition of new Parameter binding and styling functions, which allow the code generator to pass in the type and format from the spec. Previously, we inferred what we wanted to do based on the destination type, however, it's not always possible to decide this without information about the specification.

🚀 New features and improvements

• feat: add BindRawQueryParameter for correct comma handling (#​92) @​mromaszewicz
• fix: add TypeHint-aware parameter binding and styling for []byte (#​97) (#​98) @​mromaszewicz
• Support array of objects parameters (#​40) @​danicc097
• Allow BindStyledParameterWithOptions to fill maps (#​72) @​JoZie

🐛 Bug fixes

• fix: bind Date and Time query params as scalar values (#​21) (#​93) @​mromaszewicz
• fix: support non-indexed deepObject array unmarshaling (#​22) (#​96) @​mromaszewicz
• fix: correct time.Time date-only fallback parsing in deepObject (#​95) @​mromaszewicz
• Refactor date parsing error handling (#​88) @​jsnfwlr
• fix: improve email validation using net/mail package (#​60) @​sniperwolf
• Fix deepObject marshalling losing json number format/precision (#​29) @​mgabeler-lee-6rs
• Fix issue 55 (#​56) @​mikhalytch
• fix(deepobject): support nested objects in deepObject arrays (#​84) @​adrianbrad

👻 Maintenance

• feat(fix): bump gin version (#​51) @​Gamawn
• Update golang.org/x/crypto to v0.32.0 (#​59) @​kojustin
• Updated Golang reference to address security vulnerability (#​57) @​ivan-manzhulin
• Fix linter errors (#​85) @​mromaszewicz
• build: capture govulncheck results as Code Scanning alerts (#​80) @​jamietanna

📦 Dependency updates

• chore(deps): update release-drafter/release-drafter action to v6 (#​31) @​renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

pb33f/libopenapi (github.com/pb33f/libopenapi)

v0.34.0

Compare Source

Adds support for Arazzo

Docs https://pb33f.io/libopenapi/arazzo/

Configurable JSONPath lookup

#​535

Updates JSONPath lookup in utils to be configuration-aware and safe with recent https://github.com/pb33f/jsonpath behavior, especially with respect to WithLazyContextTracking().

Different lookup scenarios need different execution behavior and safety constraints. This keeps existing behavior by default while allowing explicit control and preventing incorrect cache reuse across different JSONPath engine settings.

@​andreyyudin

• Fixes #​533

New CreateSchemaProxyRefWithSchema(ref string, schema *Schema) introduced

• Fix goroutine leak in schema

@​1000p

• Also adds a new Release() method to Documents that cascades releasing cached objects to allow GC to collect them.

pb33f/libopenapi-validator (github.com/pb33f/libopenapi-validator)

v0.13.1

Compare Source

Adds support for passing compiled schemas for document validation. Prevents another compilation step, saving on compute and memory.

No breaking changes.

v0.13.0

Compare Source

Refactored SchemaValidationFailure struct fields.

This is a breaking change,

#​188
#​200

@​mjbonifacio

Also implemented a RadixTree design to speed up path lookup.

#​217

@​its-hammer-time

v0.12.1

Compare Source

Adds support for all authentication types.

@​x-delfino

v0.12.0

Compare Source

Adds XML body validation with the addition of AllowXMLBodyValidation as a configuration option. Also adds support for x-www-form-urlencoded validation.

No breaking changes.

@​ySnoopyDogy

webpro-nl/knip (knip)

v5.85.0: Release 5.85.0

Compare Source

• Fix require.context regex matching for path-aware patterns (#​1547) ([c33d93a](https://redirect.github.com/web

---

Configuration

📅 Schedule: Branch creation - "before 6:00pm on Friday" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
melvin-la	Error		Mar 20, 2026 9:10am

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​github.com/​pb33f/​libopenapi-validator@​v0.11.4 ⏵ v0.13.1	+1
	golang/​github.com/​getsentry/​sentry-go@​v0.42.0 ⏵ v0.43.0	+2
	golang/​github.com/​pb33f/​libopenapi@​v0.33.11 ⏵ v0.34.0	+1
	npm/​@​storybook/​nextjs@​10.2.10 ⏵ 10.2.13	+1		+1
	npm/​@​types/​node@​24.10.13 ⏵ 24.11.0			+1
	npm/​@​storybook/​addon-themes@​10.2.10 ⏵ 10.2.13	+1
	npm/​@​sentry/​nextjs@​10.39.0 ⏵ 10.40.0			+1
	npm/​@​eslint/​eslintrc@​3.3.3 ⏵ 3.3.4				+2
	golang/​github.com/​oapi-codegen/​runtime@​v1.1.2 ⏵ v1.2.0
	npm/​@​tailwindcss/​postcss@​4.2.0 ⏵ 4.2.1	+1			+1
	npm/​@​storybook/​addon-docs@​10.2.10 ⏵ 10.2.13
	golang/​github.com/​getsentry/​sentry-go/​echo@​v0.42.0 ⏵ v0.43.0
	npm/​@​storybook/​addon-links@​10.2.10 ⏵ 10.2.13	+1

View full report

[renovate]

ℹ️ Artifact update notice

File name: api/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
golang.org/x/crypto	v0.46.0 -> v0.48.0
golang.org/x/net	v0.48.0 -> v0.50.0
golang.org/x/sys	v0.39.0 -> v0.41.0