deps(npm): bump the ui-dependencies group across 1 directory with 21 updates

[dependabot]

Bumps the ui-dependencies group with 20 updates in the / directory:

Package	From	To
@tabler/icons-react	3.36.1	3.44.0
@types/mdx	2.0.13	2.0.14
fumadocs-core	16.5.1	16.9.3
fumadocs-mdx	14.2.6	15.0.11
jotai	2.17.1	2.20.0
lru-cache	11.2.5	11.5.1
lucide-react	0.563.0	1.17.0
next	16.1.6	16.2.7
radix-ui	1.4.3	1.5.0
react	19.2.4	19.2.7
@types/react	19.2.13	19.2.17
react-dom	19.2.4	19.2.7
tailwind-merge	3.4.0	3.6.0
@tailwindcss/postcss	4.1.18	4.3.0
@types/node	25.2.1	25.9.2
eslint	9.39.2	10.4.1
eslint-config-next	16.1.6	16.2.7
pagefind	1.4.0	1.5.2
prettier	3.8.1	3.8.3
typescript	5.9.3	6.0.3

Updates @tabler/icons-react from 3.36.1 to 3.44.0

Release notes

Sourced from @​tabler/icons-react's releases.

Release 3.44.0

18 new icons:

• outline/code-ai
• outline/email-stamp
• outline/foodsteps
• outline/git-pull-request-conflict
• outline/noise-reduction
• outline/photo-alt
• outline/pointer-2
• outline/pointer-collaboration-2
• outline/pointer-collaboration
• outline/roulette
• outline/scan-cube
• outline/sketching
• outline/sparkle-2
• outline/sparkle-highlight
• outline/sparkle
• outline/sphere-2
• outline/text-scan-ai
• outline/vignette

Fixed icons: outline/air-balloon, outline/body-scan, outline/chart-sankey, outline/ear-scan, outline/grid-scan, outline/line-scan, outline/object-scan, outline/photo-scan, outline/route-scan, outline/scan-eye, outline/scan-letter-a, outline/scan-letter-t, outline/scan-position, outline/scan-traces, outline/scan, outline/text-scan-2, outline/user-scan, outline/zoom-scan

Release 3.43.0

18 new icons:

• outline/acorn
• outline/acrobatic
• outline/banana
• outline/brand-audible
• outline/building-eiffel-tower
• outline/car-door
• outline/car-lifter
• outline/chocolate
• outline/dumbbell
• outline/exercise-ball
• outline/flood
• outline/hula-hoop
• outline/leaf-maple
• outline/notdef
• outline/rugby
• outline/taiwan-dollar
• outline/target-2
• outline/unicycle

... (truncated)

Commits

• 6d128ed Release 3.44.0
• e40738b Release 3.43.0
• 076f4a9 Release 3.42.0
• 9b27b65 Release 3.41.1
• ebad60b Update homepage links in documentation and package files to point to the new ...
• 8ed617b Update README files to wrap images in anchor tags linking to the Tabler Icons...
• ef6e875 Update dependencies in pnpm-lock.yaml and package.json files (#1497)
• 6cbe885 Release 3.41.0
• 19d735e Add JSDoc with previews in icons-react (#1472)
• e4ca377 Release 3.40.0
• Additional commits viewable in compare view

Updates @types/mdx from 2.0.13 to 2.0.14

Commits

• See full diff in compare view

Updates fumadocs-core from 16.5.1 to 16.9.3

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.9.3

Patch Changes

• 42f0255: Support invalidate & revalidate on dynamic loader
• a807798: Improve source API utils & types

fumadocs-core@16.9.1

Patch Changes

• e77b9b3: Introduce pagesIndex property to explicitly define the index page for folder
• 334c8fd: [i18n] support different orders of preset() calls

fumadocs-core@16.8.12

Patch Changes

• 768b676: Standardize structuredData in page data

fumadocs-core@16.8.11

Patch Changes

• 1dc86c7: loosen the range for waku

fumadocs-core@16.8.10

Patch Changes

• 062beab: fix internal types
• 505cfe0: Add remark-block-id plugin

fumadocs-core@16.8.8

No release notes provided.

fumadocs-core@16.8.7

No release notes provided.

fumadocs-core@16.8.6

No release notes provided.

fumadocs-core@16.8.5

Patch Changes

• 79d3209: Narrow schema type for private OpenAPI properties

fumadocs-core@16.8.4

Patch Changes

• 61b15e9: fix Shiki languages not loaded under lazy mode
• 1a5433c: Support $ in locale for page tree generation

fumadocs-core@16.8.3

No release notes provided.

Commits

• See full diff in compare view

Updates fumadocs-mdx from 14.2.6 to 15.0.11

Release notes

Sourced from fumadocs-mdx's releases.

fumadocs-mdx@15.0.11

Patch Changes

• 2d65ceb: Support hot reload in source.config.ts with Vite plugin

fumadocs-mdx@15.0.10

Patch Changes

• d35d0d6: Respect root in Vite config
• Updated dependencies [42f0255]
• Updated dependencies [a807798]
  • fumadocs-core@16.9.3

fumadocs-mdx@15.0.9

Patch Changes

• cd04425: Support _fumadocs_skipViteConfig internal flag

fumadocs-mdx@15.0.8

Patch Changes

• dca5b49: Fix compatibility with ?raw query string
• Updated dependencies [e77b9b3]
• Updated dependencies [334c8fd]
  • fumadocs-core@16.9.1

fumadocs-mdx@15.0.7

Patch Changes

• 768b676: Standardize structuredData in page data
• Updated dependencies [768b676]
  • fumadocs-core@16.8.12

fumadocs-mdx@15.0.6

Patch Changes

• da4a81a: Update vite configs

fumadocs-mdx@15.0.5

Patch Changes

• 1fb6a61: Support custom base directory for content sources

fumadocs-mdx@15.0.4

Patch Changes

• 819b6ec: Support Rolldown integration

fumadocs-mdx@15.0.3

Patch Changes

... (truncated)

Commits

• See full diff in compare view

Updates jotai from 2.17.1 to 2.20.0

Release notes

Sourced from jotai's releases.

v2.20.0

This release improves performance in high-throughput scenarios. Huge kudos to @​dmaskasky!

What's Changed

• breaking(internals): avoid getInternalBuildingBlock function by @​dai-shi in pmndrs/jotai#3293
• refactor(internals): Rev3 type narrowing for onMount hooks by @​dmaskasky in pmndrs/jotai#3311
• fix(internals): guard atomOnInit hook with hasOnInit by @​dmaskasky in pmndrs/jotai#3312
• refactor(internals): lazy hooks in ensureAtomState for new atom state by @​dmaskasky in pmndrs/jotai#3313

Full Changelog: pmndrs/jotai@v2.19.1...v2.20.0

v2.19.1

This release includes several small refactors to improve performance.

What's Changed

• fix(vanilla/utils/atomWithObservable): use symbol index signature to avoid 'Symbol.observable' type reference by @​sukvvon in pmndrs/jotai#3274
• refactor(internals): replace nextDeps with prevDeps by @​dmaskasky in pmndrs/jotai#3278
• refactor(internals): reduce recomputeInvalidatedAtoms overhead (performance) by @​dmaskasky in pmndrs/jotai#3284
• refactor(internals): reduce flushPending overhead (performance) by @​dmaskasky in pmndrs/jotai#3285
• fix(internals): check if atom has dependencies before doing mountDependencies work (performance) by @​dmaskasky in pmndrs/jotai#3290
• fix(internals): check if atom has onMount property before queueing processOnMount callback (performance) by @​dmaskasky in pmndrs/jotai#3291
• refactor(types): prefer no-any by @​dai-shi in pmndrs/jotai#3304

New Contributors

• @​aio39 made their first contribution in pmndrs/jotai#3277

Full Changelog: pmndrs/jotai@v2.19.0...v2.19.1

v2.19.0

We improved the core to enable atom caching for performance for some cases.

What's Changed

• fix(react): deprecate delay option by @​dai-shi in pmndrs/jotai#3264
• feat: improve store.get performance when atoms are not mutated by @​dmaskasky in pmndrs/jotai#3265 thanks to @​edkimmel

New Contributors

• @​composite made their first contribution in pmndrs/jotai#3268

Full Changelog: pmndrs/jotai@v2.18.1...v2.19.0

v2.18.1

This release fixes a regression introduced in v2.12.1, which affects an uncommon edge case.

What's Changed

• fix(vanilla): subscriber not notified when derived read calls store.set by @​dmaskasky in pmndrs/jotai#3245
• fix(vanilla/utils/atomWithObservable): add 'Symbol.observable' type support to 'ObservableLike' by @​sukvvon in pmndrs/jotai#3253
• refactor(vanilla/utils/atomWithStorage): use optional chaining for 'storage.subscribe' by @​sukvvon in pmndrs/jotai#3260

... (truncated)

Commits

• bdbc766 2.20.0
• 64181cc chore(deps): update dev dependencies (#3317)
• e2aa859 refactor(internals): lazy hooks in ensureAtomState for new atom state (#3313)
• 26f3e9c fix(internals): guard atomOnInit hook with hasOnInit (#3312)
• e923843 refactor(internals): Rev3 type narrowing for onMount hooks (#3311)
• 4b63111 breaking(internals): avoid getInternalBuildingBlock function (#3293)
• 1fae772 2.19.1
• 7924a8b chore(deps): update dev dependencies (#3306)
• aa61ef5 test: add spec for #3296 (#3305)
• 91ffe6d refactor(types): prefer no-any (#3304)
• Additional commits viewable in compare view

Updates lru-cache from 11.2.5 to 11.5.1

Changelog

Sourced from lru-cache's changelog.

cringe lorg

11.5

• Add backgroundFetchSize option, defaulting to 1, to set an effective size for provisional background fetch objects while in flight, if they do not shadow an existing stale entry.

11.4

• Add cache property to status objects, in order to differentiate which cache is emitting the metric or trace.
• Several small bugs regarding fetch behavior edge cases.
  • onInsert does not fire for background fetch internal promises.
  • dispose() and disposeAfter() now fire for the stale value left behind when an in-process background fetch is pre-empted by eviction.
  • fetchMethod that returns a non-Promise value is handled correctly.
  • No Error is created, or abort() signaled, when a background fetch promise is resolved. (Presumably the implementation is done by that point.)

11.3

• Add observability features, expand the coverage of LRUCache.Status objects.

11.2

• Add the perf option to specify performance, Date, or any other object with a now() method that returns a number.

11.1

• Add the onInsert method

11.0

• Drop support for node less than v20

10.4

• Accidental minor update, should've been patch.

10.3

• add forceFetch() method
• set disposeReason to 'expire' when it's the result of a TTL

... (truncated)

Commits

• cd98065 11.5.1
• 281f49d work with exactOptionalPropertyTypes
• 0adc7a5 11.5.0
• 4708153 add backgroundFetchSize option
• 9bed6db formatting changelog
• cd8f37b test: loosen test on onInsert
• c440996 11.4.0
• fdab191 changelog 11.4
• fbd958d add cache to status type
• 451737c fix several bugs related to background fetch edge cases
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates lucide-react from 0.563.0 to 1.17.0

Release notes

Sourced from lucide-react's releases.

Version 1.17.0

What's Changed

• chore(lucide-vue-next|lucide-svelte|lucide-angular): Remove deprecated packages by @​ericfennis in lucide-icons/lucide#4376
• chore(repo): Update issue templates and documentation for package ren… by @​ericfennis in lucide-icons/lucide#4379
• feat(site): Adds survey overlay to website by @​ericfennis in lucide-icons/lucide#4380
• feat(site): Certificate dev links by @​ericfennis in lucide-icons/lucide#4390
• fix(icons): changed martini icon by @​jamiemlaw in lucide-icons/lucide#4335
• chore(deps): bump brace-expansion from 1.1.11 to 5.0.6 by @​dependabot[bot] in lucide-icons/lucide#4386
• chore(deps): bump @​tootallnate/once from 2.0.0 to 2.0.1 by @​dependabot[bot] in lucide-icons/lucide#4404
• chore(deps): bump devalue from 5.8.0 to 5.8.1 by @​dependabot[bot] in lucide-icons/lucide#4391
• chore(deps): bump ws from 8.18.0 to 8.20.1 by @​dependabot[bot] in lucide-icons/lucide#4392
• fix(gh-icon): limit icon size to a maximum of 256 pixels by @​jguddas in lucide-icons/lucide#4398
• chore(dependencies): Update dependencies by @​ericfennis in lucide-icons/lucide#4377
• feat(copilot): Adding copilot instructions by @​ericfennis in lucide-icons/lucide#4407
• feat(icons): add globe-check by @​Barakudum in lucide-icons/lucide#4342
• feat(metadata): Require use-cases in meta json by @​ericfennis in lucide-icons/lucide#4321
• feat(icons): added parasol icon by @​karsa-mistmere in lucide-icons/lucide#4347

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0

Version 1.16.0

What's Changed

• feat(icons): added blender icon by @​rrod497 in lucide-icons/lucide#3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

• fix: remove 'less' from brand stopwords by @​jguddas in lucide-icons/lucide#4331
• fix(@​lucide/vue): Clone slots before passing to icon by @​axtho in lucide-icons/lucide#4339
• fix(icons): changed text-cursor icon by @​jamiemlaw in lucide-icons/lucide#4340
• fix(icons): changed landmark icon by @​jamiemlaw in lucide-icons/lucide#4334
• chore(deps-dev): bump nitropack from 2.13.1 to 2.13.4 by @​dependabot[bot] in lucide-icons/lucide#4352
• chore(deps-dev): bump simple-git from 3.33.0 to 3.36.0 by @​dependabot[bot] in lucide-icons/lucide#4349
• fix(icons): changed candy-cane icon by @​jguddas in lucide-icons/lucide#4148
• fix(icons): changed volleyball icon by @​jamiemlaw in lucide-icons/lucide#4338
• fix(icons): changed chart-no-axes-combined icon by @​jguddas in lucide-icons/lucide#3567
• feat(icon): added broccoli icon by @​swastik7805 in lucide-icons/lucide#4263
• chore(site): Updates to site and updated carbon ads by @​ericfennis in lucide-icons/lucide#4359
• feat(icons): added sticky note variants by @​Barakudum in lucide-icons/lucide#4348
• chore(deps-dev): bump astro from 6.1.6 to 6.1.10 by @​dependabot[bot] in lucide-icons/lucide#4361

New Contributors

• @​axtho made their first contribution in lucide-icons/lucide#4339
• @​Barakudum made their first contribution in lucide-icons/lucide#4348

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

... (truncated)

Commits

• 07c885e fix(docs): fix zephyr-cloud URL in readmes
• 50d8af5 docs(readme): Update readme files (#4320)
• 653e44b feat(packages): use .mjs for ESM bundles (#4285)
• 7623e23 feat(docs): add Zephyr Cloud to Hero Backers tier & rework updateSponsors scr...
• dada0a8 fix(lucide-react): Fix dynamic imports (#4210)
• a6e648a fix(lucide-react): correct client directives in RSC files (#4189)
• 1f010a3 fix(lucide-react): Fixes provider export and RSC render issues (#4175)
• 484f2c9 docs(version-1): Version 1 website (#4142)
• a0e202d feat(packages/angular): add new @​lucide/angular package (#3897)
• c5b155e Merge branch 'main' of https://github.com/lucide-icons/lucide into next
• Additional commits viewable in compare view

Updates next from 16.1.6 to 16.2.7

Release notes

Sourced from next's releases.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

... (truncated)

Commits

• 9bd3c26 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• f126e72 [backport] Fix "type: module" in project dir when using standalone or adapter...
• bda3e2a [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• 7e16e07 [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• 6139f4b [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• c021d10 [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• 9184ddb [backport] Fix catch-all router.query corruption with basePath + `rewrite...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates radix-ui from 1.4.3 to 1.5.0

Changelog

Sourced from radix-ui's changelog.

1.5.0

Context Menu

• Added support for a controlled open prop on ContextMenu.Root. This is intended for reading the open state and closing the menu programmatically, though we discourage opening the menu programmatically since opening the menu depends on user interaction to position the menu.

  function ControlledContextMenu() {
    const [open, setOpen] = React.useState(false);
    return (
      <ContextMenu.Root open={open} onOpenChange={setOpen}>
        <ContextMenu.Trigger>Open</ContextMenu.Trigger>
        <ContextMenu.Content>
          <button type="button" onClick={() => setOpen(false)}>
            Close me
          </button>
          <ContextMenu.Item>Item 1</ContextMenu.Item>
          <ContextMenu.Item>Item 2</ContextMenu.Item>
        </ContextMenu.Content>
      </ContextMenu.Root>
    );
  }

• Fixed a bug in where submenus remained expanded after re-opening on long-press touch events.

Dialog

• Fixed a bug where iOS text selection and editing on HTML inputs within dialogs were broken.
• Fixed a bug causing disabled pointer events in closed dialogs.

One-Time Password Field

• Fixed pasting into One-Time Password Field in environments that do not support the legacy "Text" clipboard format by reading the pasted value as "text/plain".
• Fixed issues with focus management in React 19.2+.
• Fixed a bug to ensure that pasted values exceeding the field length are truncated.

Popper

• Fixed a "Maximum update depth exceeded" bug for pages with a large number of popper instances.
• Exposed data-side and data-align on PopperAnchor element

Presence

• Fixed a "Maximum update depth exceeded" bug in React 19 that could occur when Presence was given a child with an unstable ref.

Radio Group

• Added unstable RadioGroupItemProvider, RadioGroupItemTrigger and RadioGroupItemBubbleInput parts. These expose the previously internal composition of a radio item that included a visually hidden input so consumers can directly access and recompose them. The RadioGroupItem component continues to render them by default.

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for radix-ui since your current version.

Updates react from 19.2.4 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.

Updates @types/react from 19.2.13 to 19.2.17

Commits

• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.

Updates tailwind-merge from 3.4.0 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

• Add support for Tailwind CSS v4.3 by @​dcastil in dcastil/tailwind-merge#677
  • Add postfixLookupClassGroups option to config to support Tailwind utilities where a slash is part of the full class name, like named container queries
• Add support for readonly array values by @​unional in dcastil/tailwind-merge#652

Documentation

• Fix broken links in README by @​maurer2 in dcastil/tailwind-merge#662

Other

• Harden internal CI pipeline security by omitting git checkout by @​dcastil, suggested by @​kyletaylored in dcastil/tailwind-merge@6b2499c

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.5.0

New Features

• Add support for Tailwind CSS v4.2 by @​dcastil in dcastil/tailwind-merge#651

Full Changelog: dcastil/tailwind-merge@v3.4.1...v3.5.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.4.1

Bug Fixes

• Prevent arbitrary font-family and font-weight from merging by @​roneymoon in dcastil/tailwind-merge#635

Full Changelog: dcastil/tailwind-merge@v3.4.0...v3.4.1

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

Commits

• d54f7e5 v3.6.0
• 638871a Update README to add info about Tailwind CSS v4.3 support
• 39fc7b5 Revert "v3.6.0"
• bd8390f v3.6.0
• 802877c add v3.6.0 changelog
• a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
• 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
• 005af6d pin to specific version
• 5816ced implement breaking changes
• 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
• Additional commits viewable in compare view

Updates @tailwindcss/postcss from 4.1.18 to 4.3.0

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.3.0

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (Description has been truncated

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​16.1.6 ⏵ 16.2.7	+13	+75	+1
	eslint-config-next@​16.1.6 ⏵ 16.2.7				+1
	fumadocs-mdx@​14.2.6 ⏵ 15.0.11
	@​types/​mdx@​2.0.13 ⏵ 2.0.14
	fumadocs-core@​16.5.1 ⏵ 16.9.3	+1		+2	-1
	@​types/​react@​19.2.13 ⏵ 19.2.17
	lucide-react@​0.563.0 ⏵ 1.17.0	+1		+2		-19
	radix-ui@​1.4.3 ⏵ 1.5.0	+1
	@​types/​node@​25.2.1 ⏵ 25.9.2	+1		+1
	tailwindcss@​4.1.18 ⏵ 4.3.0	+1		+1
	react@​19.2.4 ⏵ 19.2.7
	tailwind-merge@​3.4.0 ⏵ 3.6.0	+1		+1
	pagefind@​1.4.0 ⏵ 1.5.2			+1
	jotai@​2.17.1 ⏵ 2.20.0	-11
	@​tabler/​icons-react@​3.36.1 ⏵ 3.44.0			+1	-2
	typescript@​5.9.3 ⏵ 6.0.3	+1		+1
	react-dom@​19.2.4 ⏵ 19.2.7
	lru-cache@​11.2.5 ⏵ 11.5.1	+1
	prettier@​3.8.1 ⏵ 3.8.3	+1		+1
	eslint@​9.39.2 ⏵ 10.4.1	+1
	@​tailwindcss/​postcss@​4.1.18 ⏵ 4.3.0	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/eslint-config-next@16.2.7 → npm/@typescript-eslint/eslint-plugin@8.61.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm es-abstract is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/eslint-config-next@16.2.7 → npm/es-abstract@1.24.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm jotai is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/jotai@2.20.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jotai@2.20.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm js-yaml is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/fumadocs-core@16.9.3 → npm/fumadocs-mdx@15.0.11 → npm/js-yaml@4.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report