chore(deps): June 2026 refresh — next 16.2.7 (security), TS 6.0.3 #389
Merged
Range edits:
- next 16.2.1 -> 16.2.7 in apps/editor + apps/ifc-converter. 16.2.5/16.2.6 fixed six high-severity advisories (middleware bypass, DoS, SSRF, XSS, RSC cache poisoning); 16.2.7 is bugfix backports. No API/config changes.
- typescript 6.0.2 -> 6.0.3 everywhere, including aligning the 5.9.3 stragglers (@pascal-app/mcp, @repo/ui, @repo/eslint-config) that date from the original scaffold and were never intentionally held back.
- @types/node in @pascal-app/mcp: ^25.5.0 -> ^22.19.20 — mcp was the only workspace typed against non-LTS node 25; 22 matches the release workflow's node and every other workspace.
- @number-flow/react ^0.5.14 -> ^0.6.0 (packages/editor, apps/editor); the only breaking change (removed --number-flow-char-height CSS var) is unused here.
- agentation ^2.3.2 -> ^3.0.2 (apps/editor devtool; v3 is a drop-in for the props-less <Agentation /> usage, additions are opt-in).
- Root overrides: @types/react 19.2.14 -> 19.2.17, @types/three 0.184.0 -> 0.184.1 (types-only fixes).

Lockfile refresh within existing ranges picks up react 19.2.7 (pairs with next 16.2.7 — 19.2.6 had a server-action FormData regression), motion 12.40.0, three-mesh-bvh 0.9.10, @react-three/uikit-lucide 1.0.73, the June radix wave, lucide-react 1.17.0, zustand 5.0.14, tailwind-merge 3.6.0, geist 1.7.2 (fixes Geist Mono ligature regression), react-grab 0.1.44, biome 2.4.16 + ultracite 7.8.2, turbo 2.9.17.

Held: three stays 0.184.0 (npm latest; single-instance constraint), tailwindcss 4.3.0 + lightningcss 1.32.0 already match the pinned optionalDependencies native binaries, eslint 10 major not taken (@repo/ui is unconsumed legacy scaffold).

Verified: turbo build, check-types, biome check, and 931 package tests green; bun.lock stays lockfileVersion 1 (CI bun 1.3.0 compatible); single next/three resolution confirmed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…pe three

- next 16.2.7 -> 16.2.6 in both apps. 16.2.7 regresses Turbopack dev route matching for API routes nested below a dynamic segment (probed in the private repo: /api/items/[id]/fork, /api/scenes/[id]/events 404 with the router's HTML not-found; production builds unaffected; bisected 16.2.6 good / 16.2.7 bad). 16.2.6 carries all the 16.2.5/16.2.6 security fixes — only the bugfix backports are forgone.
- Remove @react-three/uikit-lucide from @pascal-app/editor dependencies: zero imports in this repo or private-editor; dead weight in every npm consumer's install.
- Pin @visual-json/react "latest" -> "^0.4.0" (current resolution; "latest" in a published package's deps is unreproducible and was inconsistent with private-editor's ^0.4.0).
- Add root override three: 0.184.0, mirroring private-editor's dedupe — drops the nested stats-gl three@0.170.0 so the lockfile resolves a single three (the stated single-instance invariant now holds here too).

Verified: build, check-types, biome check, 931 package tests green; lockfile resolves one next (16.2.6) and one three (0.184.0); oxide/lightningcss optionalDependency pins still match resolutions.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
What does this PR do?
Dependabot-style dependency refresh of the whole workspace, with changelogs reviewed for every moved package, followed by a second review pass (multi-agent + codex adversarial review) whose fixes are the second commit.
Range edits
- next dev route matching for API routes nested below a dynamic segment (bisected against the private repo: /api/items/[id]/fork etc. return the router's HTML 404; production builds unaffected; 16.2.6 good, 16.2.7 bad).
- @pascal-app/mcp and @repo/ui at 5.9.3, @repo/eslint-config at ^5.9.2) that date from the original mcp scaffold and were never intentionally held back.
- @pascal-app/mcp: ^25.5.0 → ^22.19.20 — the only workspace typed against non-LTS node 25; node 22 matches the release workflow and every other workspace.
- --number-flow-char-height CSS var, unused here (re-verified against release notes); aligns with private-editor's community app already on ^0.6.0.
- <Agentation /> unchanged, 3.0.1 is a version-string republish, 3.0.2 is CSS-only.
- three: 0.184.0 override — mirrors private-editor's dedupe and removes the nested stats-gl/three@0.170.0 so this repo's lockfile also resolves a single three.

Review-pass cleanups (second commit)
- @pascal-app/editor dependencies — zero imports in this repo or private-editor; dead weight for every npm consumer.
- "latest" → "^0.4.0" — "latest" in a published package's deps is unreproducible and was inconsistent with private-editor's ^0.4.0.

Lockfile refresh (within existing ranges): react/react-dom 19.2.7 (react 19.2.6 had a server-action FormData regression), motion 12.40.0, three-mesh-bvh 0.9.10, June radix wave (slider 1.4.0, switch 1.3.0, select/context-menu 2.3.0, …), lucide-react 1.17.0 (no renamed icons used here), zustand 5.0.14, tailwind-merge 3.6.0, geist 1.7.2 (fixes Geist Mono ligature regression), react-grab 0.1.44, react-scan 0.5.7, biome 2.4.16 + ultracite 7.8.2, turbo 2.9.17.

Deliberately not taken: eslint 10 major (@repo/ui is unconsumed legacy scaffold; eslint never runs in CI), tailwindcss/lightningcss already match the exact-pinned optionalDependencies native binaries.

How to test
- bun install --frozen-lockfile — passes (lockfile stays lockfileVersion: 1).
- bun run build && bun run check-types && bun run check — all green locally (run twice: after each commit).
- cd packages/core && bun test, same for packages/mcp and packages/nodes — 931 tests pass (492/281/158).
- grep -o '"next@[0-9][^"]*"' bun.lock | sort -u → exactly next@16.2.6; grep -o '"three@[0-9][^"]*"' bun.lock | sort -u → exactly three@0.184.0; grep -c uikit bun.lock → 0.
- bun dev and click around: number inputs/sliders (number-flow 0.6), context menus/selects (radix wave), Geist Mono rendering.

Screenshots / screen recording
N/A — dependency bump, no intentional visual change.
Checklist
bun dev
bun check to verify)
main branch
🤖 Generated with Claude Code
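
The lockfile checks listed under "How to test" can be turned into a repeatable CI gate. The following is an added example, not code from this PR or the project: it flags floating ranges such as "latest" in a manifest and checks that each policed package resolves exactly once, at or above a patched floor and not on a deny list. The function names and the policy object are assumptions, and it assumes bun.lock contains the quoted name@version strings that the PR's grep matches.

```javascript
// Added example, not code from the PR. Sample inputs used with it are constructed.
// Ranges that can resolve differently on every install (dist-tags, wildcard).
const FLOATING = new Set(["latest", "next", "*"]);

function floatingRanges(manifest) {
  const found = [];
  for (const field of ["dependencies", "peerDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (FLOATING.has(String(range).trim())) found.push(`${field}: ${name}@${range}`);
    }
  }
  return found;
}

// Distinct versions of `pkg` in bun.lock text, using the same match as the PR's grep.
function resolvedVersions(lockText, pkg) {
  const name = pkg.replace(/[^\w@-]/g, "\\$&"); // escape regex metacharacters
  const re = new RegExp(`"${name}@(\\d[^"]*)"`, "g");
  return [...new Set([...lockText.matchAll(re)].map((m) => m[1]))].sort();
}

// Numeric compare of x.y.z versions (prerelease suffixes are ignored).
function cmp(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d) return d;
  }
  return 0;
}

// policy: { pkg: { min, deny: [...] } }; every listed pkg must resolve exactly once.
function auditLock(lockText, policy) {
  const problems = [];
  for (const [pkg, rule] of Object.entries(policy)) {
    const versions = resolvedVersions(lockText, pkg);
    if (versions.length !== 1) {
      problems.push(`${pkg}: expected one resolution, found [${versions.join(", ")}]`);
    }
    for (const v of versions) {
      if (rule.min && cmp(v, rule.min) < 0) problems.push(`${pkg}@${v} is below ${rule.min}`);
      if ((rule.deny || []).includes(v)) problems.push(`${pkg}@${v} is on the deny list`);
    }
  }
  return problems;
}
```

For this PR the policy would be a floor of 16.2.6 for next with 16.2.7 denied (the dev-routing regression described above) and 0.184.0 for three.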