Bump the all-dependencies group across 1 directory with 32 updates

[dependabot]

Bumps the all-dependencies group with 32 updates in the / directory:

Package	From	To
@amplitude/analytics-browser	2.23.7	2.42.4
@ledgerhq/hw-app-str	7.2.9	7.7.2
@ledgerhq/hw-transport-webhid	6.30.9	6.35.2
@next/third-parties	15.5.7	16.2.6
@sentry/nextjs	10.29.0	10.54.0
@stellar/stellar-sdk	15.0.1	15.1.0
@tanstack/react-query	5.87.4	5.100.14
@tanstack/react-query-devtools	5.87.4	5.100.14
@trezor/connect-web	9.6.4	9.7.3
bignumber.js	9.3.1	11.1.1
dompurify	3.2.6	3.4.7
html-react-parser	5.2.6	6.1.2
immer	10.1.3	11.1.8
lodash	4.17.21	4.18.1
@types/lodash	4.17.20	4.17.24
lossless-json	4.2.0	4.3.0
next	15.5.15	16.2.6
uuid	11.1.0	14.0.0
zustand-querystring	0.0.19	0.7.0
@next/eslint-plugin-next	15.5.3	16.2.6
@playwright/test	1.57.0	1.60.0
@types/node	24.3.1	25.9.1
@types/papaparse	5.3.16	5.5.2
@typescript-eslint/eslint-plugin	8.43.0	8.60.0
eslint	9.35.0	10.4.0
eslint-config-next	15.4.4	16.2.6
eslint-plugin-react-hooks	5.2.0	7.1.1
jest	30.2.0	30.4.2
lint-staged	16.1.6	17.0.5
prettier	3.6.2	3.8.3
sass	1.92.1	1.100.0
typescript	5.9.2	6.0.3

Updates @amplitude/analytics-browser from 2.23.7 to 2.42.4

Release notes

Sourced from @​amplitude/analytics-browser's releases.

@​amplitude/analytics-browser@​2.42.4

2.42.4 (2026-05-21)

Note: Version bump only for package @​amplitude/analytics-browser

@​amplitude/analytics-browser@​2.42.3

2.42.3 (2026-05-13)

Note: Version bump only for package @​amplitude/analytics-browser

@​amplitude/analytics-browser@​2.42.2

2.42.2 (2026-05-11)

Bug Fixes

• analytics-browser: remove plugin-session-replay-browser template (#1746) (809abdc)

@​amplitude/analytics-browser@​2.42.1

2.42.1 (2026-05-05)

Bug Fixes

• analytics-browser: make autocapture opt-in within Chrome Extension (#1710) (de5ff6e)

@​amplitude/analytics-browser@​2.42.1-sr-idb-multitab-test-rc.0

2.42.1-sr-idb-multitab-test-rc.0 (2026-05-04)

Bug Fixes

• analytics-browser: make autocapture opt-in within Chrome Extension (#1710) (de5ff6e)

@​amplitude/analytics-browser@​2.42.0

2.42.0 (2026-04-28)

Features

• remove experimental request body compression backdoor (#1699) (98ecb9d)

@​amplitude/analytics-browser@​2.39.2

2.39.2 (2026-05-06)

Bug Fixes

• analytics-browser: dummy patch (#1734) (9ebc9de)

... (truncated)

Commits

• e299163 chore(release): publish
• ab2e029 fix(analytics-react-native): use workspace:* for analytics-core dep (#1766)
• 0cdd90a fix(session-replay-browser): merge queued sends after throttle pause (SR-4286...
• 302a08f fix(session-replay-browser): drop empty batches at the store layer (SR-4284) ...
• c242dc3 feat(session-replay-browser): add flushIntervalConfig to tune rrweb event-spl...
• e28dd6b chore: add size limit gating to Amplitude (#1756)
• 90ea3f6 chore: remove Jira workflows (#1761)
• 516719a fix(analytics-browser): bump background capture version (#1750)
• 5ffe544 chore(session-replay-browser): scrub customer name from privacy e2e test (SR-...
• 4cea6b6 feat(react-native-example): integrate into pnpm workspace and add iOS smoke t...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​amplitude/analytics-browser since your current version.

Updates @ledgerhq/hw-app-str from 7.2.9 to 7.7.2

Commits

• See full diff in compare view

Updates @ledgerhq/hw-transport-webhid from 6.30.9 to 6.35.2

Commits

• 74f4ff1 Merge hotfix into main
• f943585 chore(hotfix): 🔥 hotfix release [skip ci]
• ccd56ec Merge pull request #17220 from LedgerHQ/fix/mise-sparse-checkout
• de61ee7 fix(ci): add .mise/tasks to mobile workflow sparse checkouts
• b931873 chore(hotfix): 🔥 hotfix prerelease [LLD(4.3.1-hotfix.0), LLM(4.3.1-hotfi...
• 44bbc5c Merge pull request #17154 from LedgerHQ/fix/live-30269
• 202cc42 fix: handle new bootloader CLA_NOT_SUPPORTED error code in LWM
• a7bbcb8 chore(hotfix) 🚀 entering hotfix mode
• d0f0192 Merge release into main
• bb2fa99 chore(release): 🚀 prepare release [skip ci]
• Additional commits viewable in compare view

Updates @next/third-parties from 15.5.7 to 16.2.6

Release notes

Sourced from @​next/third-parties's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• 766148f v16.2.5
• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• ed7d2ce v16.2.1
• c5c94df v16.2.0
• 3683192 v16.2.0-canary.104
• 6689814 v16.2.0-canary.103
• ad66dbc v16.2.0-canary.102
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/third-parties since your current version.

Updates @sentry/nextjs from 10.29.0 to 10.54.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.54.0

Important Changes

• feat(browser): Add fetchStreamPerformanceIntegration for streamed response tracking (#20778)

  A new integration that tracks the performance of streamed fetch responses. Use this to measure time-to-first-byte and streaming duration for APIs that return chunked/streamed data. This replaces the now deprecated trackFetchStreamPerformance option.

• feat(core): Add dataCollection client option (#20965)

  Adds a new dataCollection client option for controlling what data the SDK collects and sends to Sentry. This provides a centralized way to configure data collection behavior across different SDK features. In the future, this option will be used for fine-granular data filtering, while the simple sendDefaultPii boolean option will be deprecated and removed in a future release.

• feat(core): Support array attributes for spans, logs, and metrics (#20427)

  Arrays of primitive values (string, number, boolean) are now accepted as attribute values. Arrays containing non-primitive elements will be dropped and won't show up in Sentry. Note that array attributes on logs and metrics were previously stringified in certain cases and will now be sent as arrays instead.

• feat(hono): Add hono.request spans for internal .request() calls (#20843)

  The Hono SDK now creates spans for internal .request() calls, providing better visibility into request handling within Hono applications.

Other Changes

• feat(core): Add data collection filtering utilities (#20989)
• feat(core): Convert scope contexts to segment span attributes in span streaming (#20828)
• feat(core): Emit sentry.sdk.integrations on streamed segment spans (#20428)
• feat(core): HTTP server diagnostics channel utility (#20779)
• feat(core): Migrate span streaming envelope to dataCollection (#21080)
• feat(core): Migrate Supabase integration to dataCollection (#21085)
• feat(core): Migrate trpc to dataCollection (#21072)
• feat(deno): Instrument node:http on versions that support it (#21009)
• feat(ember): Extract ember-specific logic into custom browserTracingIntegration (#20702)
• feat(logs): Migrate log envelope user inference to dataCollection (#21073)
• feat(nuxt): Allow custom configuration files paths in Nuxt module (#20650)
• feat(replay): Update example worker script (#20899)
• feat(serverless): Add server-only context span attributes via processSegmentSpan hooks (#20842)
• fix(astro): Avoid injecting meta tags into <head> inside attribute values (#21089)
• fix(astro): Use explicit ResponseInit when injecting meta tags in response (#21021)
• fix(browser): Add a synthetic stack trace to DOMException with empty stack traces if attachStacktrace is true (#19988)
• fix(browser): Fix internal frame detection in minified bundles (#20802)
• fix(cloudflare): Avoid repeated flush lock wrapping (#21156)
• fix(cloudflare): Skip SDK initialization for OPTIONS/HEAD requests (#21090)
• fix(cloudflare, vercel-edge): Disable timer-based flush for serverless runtimes (#20889)
• fix(core): Sanitize lone surrogates in log body and attributes (#20245)
• fix(deno): Support Deno.serve instrumentation on Deno 2.8 (#21155)
• fix(hono): Preserve middleware handler metadata (#20954)
• fix(hono): Use generic Hono type in Bun/Node (#21060)
• fix(nextjs): Widen project option type to string | string[] (#21067)
• fix(node): Improve http.client double-wrap message (#20705)
• fix(node): Preserve CallbackManager handlers in LangChain instrumentation (#20849)
• fix(react-router): Do not re-write origin on router state changes (#21056)
• fix(replay): Set sentry.replay_id attribute on streamed spans (#20897)

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.54.0

Important Changes

• feat(browser): Add fetchStreamPerformanceIntegration for streamed response tracking (#20778)

  A new integration that tracks the performance of streamed fetch responses. Use this to measure time-to-first-byte and streaming duration for APIs that return chunked/streamed data. This replaces the now deprecated trackFetchStreamPerformance option.

• feat(core): Add dataCollection client option (#20965)

  Adds a new dataCollection client option for controlling what data the SDK collects and sends to Sentry. This provides a centralized way to configure data collection behavior across different SDK features. In the future, this option will be used for fine-granular data filtering, while the simple sendDefaultPii boolean option will be deprecated and removed in a future release.

• feat(core): Support array attributes for spans, logs, and metrics (#20427)

  Arrays of primitive values (string, number, boolean) are now accepted as attribute values. Arrays containing non-primitive elements will be dropped and won't show up in Sentry. Note that array attributes on logs and metrics were previously stringified in certain cases and will now be sent as arrays instead.

• feat(hono): Add hono.request spans for internal .request() calls (#20843)

  The Hono SDK now creates spans for internal .request() calls, providing better visibility into request handling within Hono applications.

Other Changes

• feat(core): Add data collection filtering utilities (#20989)
• feat(core): Convert scope contexts to segment span attributes in span streaming (#20828)
• feat(core): Emit sentry.sdk.integrations on streamed segment spans (#20428)
• feat(core): HTTP server diagnostics channel utility (#20779)
• feat(core): Migrate span streaming envelope to dataCollection (#21080)
• feat(core): Migrate Supabase integration to dataCollection (#21085)
• feat(core): Migrate trpc to dataCollection (#21072)
• feat(deno): Instrument node:http on versions that support it (#21009)
• feat(ember): Extract ember-specific logic into custom browserTracingIntegration (#20702)
• feat(logs): Migrate log envelope user inference to dataCollection (#21073)
• feat(nuxt): Allow custom configuration files paths in Nuxt module (#20650)
• feat(replay): Update example worker script (#20899)
• feat(serverless): Add server-only context span attributes via processSegmentSpan hooks (#20842)
• fix(astro): Avoid injecting meta tags into <head> inside attribute values (#21089)
• fix(astro): Use explicit ResponseInit when injecting meta tags in response (#21021)
• fix(browser): Add a synthetic stack trace to DOMException with empty stack traces if attachStacktrace is true (#19988)
• fix(browser): Fix internal frame detection in minified bundles (#20802)
• fix(cloudflare): Avoid repeated flush lock wrapping (#21156)
• fix(cloudflare): Skip SDK initialization for OPTIONS/HEAD requests (#21090)
• fix(cloudflare, vercel-edge): Disable timer-based flush for serverless runtimes (#20889)
• fix(core): Sanitize lone surrogates in log body and attributes (#20245)
• fix(deno): Support Deno.serve instrumentation on Deno 2.8 (#21155)
• fix(hono): Preserve middleware handler metadata (#20954)
• fix(hono): Use generic Hono type in Bun/Node (#21060)
• fix(nextjs): Widen project option type to string | string[] (#21067)
• fix(node): Improve http.client double-wrap message (#20705)
• fix(node): Preserve CallbackManager handlers in LangChain instrumentation (#20849)
• fix(react-router): Do not re-write origin on router state changes (#21056)

... (truncated)

Commits

• f31686b release: 10.54.0
• c9bb0d4 meta(changelog): Update changelog for 10.54.0 (#21163)
• 7546a18 meta(changelog): Update changelog for 10.54.0
• d16a889 fix(deno): support Deno.serve instrumentation on Deno 2.8 (#21155)
• 1e0341d fix(cloudflare): avoid repeated flush lock wrapping (#21156)
• d75440c ref(node): Vendor @opentelemetry/sql-common (#21140)
• ba8dd0c test(node-core): Fix flaky cron instrumentation test (#21092)
• 170161b ref(node): Vendor @fastify/otel (#21099)
• 683bee2 ref(node): Remove unused @opentelemetry/instrumentation-http dependency (#2...
• 2516805 ref(node): Vendor @opentelemetry/instrumentation-pg (#21102)
• Additional commits viewable in compare view

Updates @stellar/stellar-sdk from 15.0.1 to 15.1.0

Release notes

Sourced from @​stellar/stellar-sdk's releases.

v15.1.0

v15.1.0

Fixed

• Security: FederationServer.createForDomain and the FederationServer constructor now validate domains per RFC 1035, rejecting malformed domains before issuing federation or stellar.toml requests. Port numbers are also accepted (#1393).
• RpcServer.pollTransaction off-by-one: the polling loop used < instead of <=, causing one fewer attempt than configured(#1373).
• requestAirdrop error path: fixed incorrect property access (error.response.detail instead of error.response.data.detail) when checking for createAccountAlreadyExist (#1373).
• Spec.typeRef now properly handles scSpecTypeResult by returning the JSON schema for the okType, instead of silently breaking out of the switch (#1373).
• structToJsonSchema now places additionalProperties: false on the schema object itself rather than incorrectly nesting it inside properties (#1373).
• Fixed bigint-to-U32/I32 conversion in Spec using Number(val) instead of val as number (a no-op for bigints) (#1373).
• WASM custom section parser: when a section was skipped (invalid name length), the offset was not advanced, causing an infinite loop or incorrect parsing of subsequent sections (#1373).
• FederationServer URL mutation: resolveAddress, resolveAccountId, and resolveTransactionId mutated the shared serverURL by appending query params on each call. Fixed by cloning the URL before modifying (#1373).
• CallBuilder.stream() URL mutation: stream() mutated the shared this.url by adding query params, corrupting the builder for subsequent calls. Fixed by cloning the URL (#1373).
• AssembledTransaction restore path: when buildWithOp was used and automatic state restoration was needed, the rebuild incorrectly reconstructed the operation via contract.call() instead of reusing the original operation (#1373).
• SERVER_TIME_MAP port collision: the Horizon time-sync cache keyed entries by hostname only, so two servers on different ports of the same host shared a cache entry. Fixed by including the port in the key (#1373).
• Spec.funcResToNative now correctly returns an Err instance when a contract function with a Result return type returns an error, instead of throwing while decoding it as the Ok type (#1373).
• SEP-10: verifyChallengeTxSigners now rejects challenges signed only by the server and client_domain key with no actual client signer, instead of returning an empty signers list (#1372).
• getAssetBalance used incorrect flag bitmask constants (AuthRequiredFlag, AuthRevocableFlag, AuthClawbackEnabledFlag) which are account-level flags, not trustline-level flags. Replaced with the correct trustline flag bitmasks (0x1, 0x2, 0x4) (#1372).
• AssembledTransaction.simulate did not clear this.built before re-simulating after a state restoration rebuild, causing it to assemble stale transaction data (#1372).
• AssembledTransaction.signAndSend mutated the shared this.options.submit flag to prevent double submission. Replaced with a wrapper around signTransaction that injects submit: false without mutating shared state (#1372).
• Fetch HTTP client: async request interceptors were not awaited — the synchronous try/catch loop passed unresolved promise objects as the config. Replaced with a proper .then() chain matching Axios interceptor semantics (#1372).
• Fetch HTTP client: cancellation now preserves custom cancel reasons and isCancel no longer depends on exact error-message text (#1390).
• Fetch HTTP client: instance default headers and params now merge correctly with per-request overrides on the no-axios / minimal builds, including requests that use bounded options (#1390).
• Fetch HTTP client: maxRedirects and maxContentLength were silently ignored on the no-axios / minimal builds, turning SDK-set SSRF and DoS guards (StellarToml.Resolver.resolve, FederationServer) into no-ops. A new bounded adapter activates when either option is set, refusing redirects past maxRedirects and streaming the response body with a running-total check so oversized responses abort mid-stream (#1390).
• Fetch HTTP client: the no-axios bounded path now more closely matches Axios behavior for object request bodies, baseURL, timeout errors, redirect method/body handling, and stripping credential-bearing headers on cross-origin redirects (#1390).
• src/bindings/config.ts imported ../../package.json with a relative path that resolved incorrectly for the lib/no-axios/ and lib/minimal/ build outputs, making those libs unloadable. Replaced with the __PACKAGE_VERSION__ compile-time define (#1390).
• Updated the production axios dependency from 1.14.0 to 1.15.0 (#1381).

Added

• AccountResponse constructor now uses explicit field-by-field assignment instead of Object.entries dynamic assignment for type safety (#1373).
• Added transactions collection to Api.AccountRecord and AccountResponse (#1373).
• Added range checks for U32/I32 values in Spec: bigint values are now validated against min/max bounds before conversion, throwing a RangeError instead of silently truncating (#1373).
• rpc.Server.getLatestLedger() now includes closeTime, headerXdr, and metadataXdr in the typed response, with headerXdr/metadataXdr parsed into XDR objects instead of raw base64 strings (#1389).

Deprecated

• BalanceResponse.revocable is deprecated in favor of authorizedToMaintainLiabilities, which correctly reflects the trustline flag semantics (#1372).

Full Changelog: stellar/js-stellar-sdk@v15.0.1...v15.1.0

Changelog

Sourced from @​stellar/stellar-sdk's changelog.

v15.1.0

Fixed

• Security: FederationServer.createForDomain and the FederationServer constructor now validate domains per RFC 1035, rejecting malformed domains before issuing federation or stellar.toml requests. Port numbers are also accepted (#1393).
• RpcServer.pollTransaction off-by-one: the polling loop used < instead of <=, causing one fewer attempt than configured(#1373).
• requestAirdrop error path: fixed incorrect property access (error.response.detail instead of error.response.data.detail) when checking for createAccountAlreadyExist (#1373).
• Operator precedence bug in parseSuccessful: sim.results?.length ?? 0 > 0 was parsed as ?? (0 > 0), causing simulation results and state changes to never be included in the parsed response (#1373).
• Spec.typeRef now properly handles scSpecTypeResult by returning the JSON schema for the okType, instead of silently breaking out of the switch (#1373).
• structToJsonSchema now places additionalProperties: false on the schema object itself rather than incorrectly nesting it inside properties (#1373).
• Fixed bigint-to-U32/I32 conversion in Spec using Number(val) instead of val as number (a no-op for bigints) (#1373).
• Fixed missing template literal $ in two Spec error messages that were not interpolated (#1373).
• WASM custom section parser: when a section was skipped (invalid name length), the offset was not advanced, causing an infinite loop or incorrect parsing of subsequent sections (#1373).
• FederationServer URL mutation: resolveAddress, resolveAccountId, and resolveTransactionId mutated the shared serverURL by appending query params on each call. Fixed by cloning the URL before modifying (#1373).
• CallBuilder.stream() URL mutation: stream() mutated the shared this.url by adding query params, corrupting the builder for subsequent calls. Fixed by cloning the URL (#1373).
• AssembledTransaction restore path: when buildWithOp was used and automatic state restoration was needed, the rebuild incorrectly reconstructed the operation via contract.call() instead of reusing the original operation (#1373).
• SERVER_TIME_MAP port collision: the Horizon time-sync cache keyed entries by hostname only, so two servers on different ports of the same host shared a cache entry. Fixed by including the port in the key (#1373).
• Spec.funcResToNative now correctly returns an Err instance when a contract function with a Result return type returns an error, instead of throwing while decoding it as the Ok type (#1373).
• SEP-10: verifyChallengeTxSigners now rejects challenges signed only by the server and client_domain key with no actual client signer, instead of returning an empty signers list (#1372).
• getAssetBalance used incorrect flag bitmask constants (AuthRequiredFlag, AuthRevocableFlag, AuthClawbackEnabledFlag) which are account-level flags, not trustline-level flags. Replaced with the correct trustline flag bitmasks (0x1, 0x2, 0x4) (#1372).
• AssembledTransaction.simulate did not clear this.built before re-simulating after a state restoration rebuild, causing it to assemble stale transaction data (#1372).
• AssembledTransaction.signAndSend mutated the shared this.options.submit flag to prevent double submission. Replaced with a wrapper around signTransaction that injects submit: false without mutating shared state (#1372).
• Fetch HTTP client: async request interceptors were not awaited — the synchronous try/catch loop passed unresolved promise objects as the config. Replaced with a proper .then() chain matching Axios interceptor semantics (#1372).
• Fetch HTTP client: cancellation now preserves custom cancel reasons and isCancel no longer depends on exact error-message text (#1390).
• Fetch HTTP client: instance default headers and params now merge correctly with per-request overrides on the no-axios / minimal builds, including requests that use bounded options (#1390).
• Fetch HTTP client: maxRedirects and maxContentLength were silently ignored on the no-axios / minimal builds, turning SDK-set SSRF and DoS guards (StellarToml.Resolver.resolve, FederationServer) into no-ops. A new bounded adapter activates when either option is set, refusing redirects past maxRedirects and streaming the response body with a running-total check so oversized responses abort mid-stream (#1390).
• Fetch HTTP client: the no-axios bounded path now more closely matches Axios behavior for object request bodies, baseURL, timeout errors, redirect method/body handling, and stripping credential-bearing headers on cross-origin redirects (#1390).
• src/bindings/config.ts imported ../../package.json with a relative path that resolved incorrectly for the lib/no-axios/ and lib/minimal/ build outputs, making those libs unloadable. Replaced with the __PACKAGE_VERSION__ compile-time define (#1390).
• Updated the production axios dependency from 1.14.0 to 1.15.0 (#1381).

Added

• AccountResponse constructor now uses explicit field-by-field assignment instead of Object.entries dynamic assignment for type safety (#1373).
• Added transactions collection to Api.AccountRecord and AccountResponse (#1373).
• Added range checks for U32/I32 values in Spec: bigint values are now validated against min/max bounds before conversion, throwing a RangeError instead of silently truncating (#1373).
• rpc.Server.getLatestLedger() now includes closeTime, headerXdr, and metadataXdr in the typed response, with headerXdr/metadataXdr parsed into XDR objects instead of raw base64 strings (#1389).

Deprecated

• BalanceResponse.revocable is deprecated in favor of authorizedToMaintainLiabilities, which correctly reflects the trustline flag semantics (#1372).

Commits

• c5eafa2 release v15.1.0 (#1405)
• ee81ed2 Federation domain validation (#1393)
• 7ad2b0a Fix fetch implementation (#1390)
• 8db146e Update Server.getLatestLedger response fields (#1389)
• da2f95b Bump axios from 1.14.0 to 1.15.0 (#1381)
• 9ec7ffd Internal agent bug fixes 2 (#1373)
• cbb53ed Internal agent bug fixes 1 (#1372)
• 2f049ab Stop unpublishing a prior version on every publish run (#1370)
• See full diff in compare view

Updates @tanstack/react-query from 5.87.4 to 5.100.14

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-devtools@​5.100.14

@​tanstack/react-query-next-experimental@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14

@​tanstack/react-query-persist-client@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-persist-client-core@​5.100.14

@​tanstack/react-query@​5.100.14

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

@​tanstack/react-query-devtools@​5.100.13

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.13
  • @​tanstack/react-query@​5.100.13

@​tanstack/react-query-next-experimental@​5.100.13

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.13

@​tanstack/react-query-persist-client@​5.100.13

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.13
  • @​tanstack/react-query@​5.100.13

@​tanstack/react-query@​5.100.13

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.14

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

5.100.13

Patch Changes

• Updated dependencies [d423168]:
  • @​tanstack/query-core@​5.100.13

5.100.12

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.12

5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

5.100.10

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.10

5.100.9

Patch Changes

• Updated dependencies [fcee7bd]:
  • @​tanstack/query-core@​5.100.9

5.100.8

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.8

... (truncated)

Commits

• ba6e7be ci: Version Packages (#10767)
• ed20b6d fix(react): do not go into optimistic fetching state when not subscribed (#10...
• 05cf2bc ci: Version Packages (#10758)
• d423168 fix(query-core): use built-in NoInfer for generic indexed-access types (#10593)
• 5ff4f69 ci: Version Packages (

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​16.2.6
	eslint-config-next@​16.2.6
	@​amplitude/​analytics-browser@​2.42.4
	jest@​30.4.2
	@​tanstack/​react-query-devtools@​5.100.14
	@​next/​eslint-plugin-next@​16.2.6
	@​types/​papaparse@​5.5.2
	lodash@​4.18.1
	@​types/​lodash@​4.17.24
	zustand-querystring@​0.7.0
	@​typescript-eslint/​eslint-plugin@​8.60.0
	@​types/​node@​25.9.1
	@​next/​third-parties@​16.2.6
	lossless-json@​4.3.0
	immer@​11.1.8
	@​tanstack/​react-query@​5.100.14
	eslint@​10.4.0
	typescript@​6.0.3
	prettier@​3.8.3
	bignumber.js@​11.1.1
	@​trezor/​connect-web@​9.7.3
	@​sentry/​nextjs@​10.54.0
	sass@​1.100.0
	html-react-parser@​6.1.2
	@​ledgerhq/​hw-app-str@​7.7.2
	@​stellar/​stellar-sdk@​13.3.0 ⏵ 15.1.0	+1		+1
	eslint-plugin-react-hooks@​7.1.1
	lint-staged@​17.0.5
	@​playwright/​test@​1.60.0
	@​ledgerhq/​hw-transport-webhid@​6.35.2
	dompurify@​3.4.7

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: npm @sentry/cli under LicenseRef-FSL-1.1-MIT License: LicenseRef-FSL-1.1-MIT - The applicable license policy does not permit this license (5) (package/LICENSE) From: pnpm-lock.yaml → npm/@sentry/nextjs@10.54.0 → npm/@sentry/cli@2.58.6 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/cli@2.58.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/blockchain-link under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.3 → npm/@creit.tech/stellar-wallets-kit@2.2.0 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/blockchain-link@2.6.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/blockchain-link@2.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/connect-web under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: package.json → npm/@trezor/connect-web@9.7.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-web@9.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/connect under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.3 → npm/@creit.tech/stellar-wallets-kit@2.2.0 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/connect@9.7.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect@9.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/transport under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.3 → npm/@creit.tech/stellar-wallets-kit@2.2.0 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/transport@1.6.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/transport@1.6.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm axe-core under MIT AND MPL-2.0 Location: Package overview From: pnpm-lock.yaml → npm/eslint-config-next@16.2.6 → npm/axe-core@4.11.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axe-core@4.11.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm next Location: Package overview From: package.json → npm/next@16.2.6 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm typescript under MIT-Khronos-old License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: package.json → npm/typescript@6.0.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report