fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@notionhq/client (source)	5.12.0 → 5.14.0			dependencies	minor
@posthog/nextjs-config (source)	1.8.20 → 1.8.23			dependencies	patch
@tailwindcss/postcss (source)	4.2.1 → 4.2.2			devDependencies	patch
@tanstack/react-query (source)	5.90.21 → 5.91.3			dependencies	minor	5.95.2 (+4)
@trpc/client (source)	11.12.0 → 11.14.1			dependencies	minor	11.15.0
@trpc/server (source)	11.12.0 → 11.14.1			dependencies	minor	11.15.0
@trpc/tanstack-react-query (source)	11.12.0 → 11.14.1			dependencies	minor	11.15.0
anthropics/claude-code-action	v1.0.72 → v1.0.77			action	patch
drizzle-kit (source)	0.31.9 → 0.31.10			devDependencies	patch
eslint (source)	10.0.3 → 10.1.0			devDependencies	minor
eslint-config-next (source)	16.1.6 → 16.2.1			devDependencies	minor
knip (source)	5.86.0 → 5.88.1			devDependencies	minor
lint-staged	16.3.3 → 16.4.0			devDependencies	minor
nanoid	5.1.6 → 5.1.7			dependencies	patch
posthog-js (source)	1.360.1 → 1.363.1			dependencies	minor	1.363.3 (+1)
posthog-node (source)	5.28.1 → 5.28.5			dependencies	patch
resend	6.9.3 → 6.9.4			dependencies	patch
tailwindcss (source)	4.2.1 → 4.2.2			devDependencies	patch

---

Release Notes

makenotion/notion-sdk-js (@​notionhq/client)

v5.14.0

Compare Source

What's Changed

• Sync api-endpoints: add status property support by @​ksinder in #​686
  • See the "Working with views" guide and changelog on our developer website for more information
• Add Views API endpoints by @​ksinder in #​684
• Bump version to v5.14.0 by @​github-actions[bot] in #​688

Links

• Full Changelog: makenotion/notion-sdk-js@v5.13.0...v5.14.0
• NPM Package: https://www.npmjs.com/package/@​notionhq/client/v/5.14.0

v5.13.0

Compare Source

What's Changed

• [AI] Add support for update_content and replace_content operations to PATCH /v1/pages/:id/markdown endpoint by @​notion-circleci-github-app[bot] in #​683
• Security-related upgrades and improvements to repo GitHub actions by @​elb-notion in #​652
• Proposal: Add ability to quickly run starter project on Val Town by @​charmaine in #​541
• Bump version to v5.13.0 by @​github-actions[bot] in #​685

New Contributors

• @​charmaine made their first contribution in #​541

Links

• Full Changelog: makenotion/notion-sdk-js@v5.12.0...v5.13.0
• NPM Package: https://www.npmjs.com/package/@​notionhq/client/v/5.13.0

PostHog/posthog-js (@​posthog/nextjs-config)

v1.8.23

Compare Source

Patch Changes

• #​3265 314120a Thanks @​hpouillot! - fix sourcemap upload with stdin, clean config
  (2026-03-20)
• Updated dependencies [314120a]:
  • @​posthog/webpack-plugin@​1.3.1
  • @​posthog/core@​1.24.1

v1.8.22

Compare Source

Patch Changes

• Updated dependencies [9cd2313]:
  • @​posthog/webpack-plugin@​1.3.0
  • @​posthog/core@​1.24.0

v1.8.21

Compare Source

Patch Changes

• Updated dependencies [bc30c2d, bc30c2d]:
  • @​posthog/core@​1.23.4
  • @​posthog/webpack-plugin@​1.2.27

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.2.2

Compare Source

Fixed

• Don't crash when candidates contain prototype properties like row-constructor (#​19725)
• Canonicalize calc(var(--spacing)*…) expressions into --spacing(…) (#​19769)
• Fix crash in canonicalization step when handling utilities containing @property at-rules (e.g. shadow-sm border) (#​19727)
• Skip full reload for server only modules scanned by client CSS when using @tailwindcss/vite (#​19745)
• Add support for Vite 8 in @tailwindcss/vite (#​19790)
• Improve canonicalization for bare values exceeding default spacing scale suggestions (e.g. w-1234 h-1234 → size-1234) (#​19809)
• Fix canonicalization resulting in empty list (e.g. w-5 h-5 size-5 → '' instead of size-5) (#​19812)

TanStack/query (@​tanstack/react-query)

v5.91.3

Compare Source

Patch Changes

• fix: stop node types from leaking into browser (#​10302)

v5.91.2

Compare Source

Patch Changes

• fix(streamedQuery): maintain error state on reset refetch with initialData defined (#​10287)

• Updated dependencies [248975e]:

  • @​tanstack/query-core@​5.91.2

v5.91.0

Compare Source

Minor Changes

• feat: environmentManager (#​10199)

Patch Changes

• Updated dependencies [6fa901b]:
  • @​tanstack/query-core@​5.91.0

trpc/trpc (@​trpc/client)

v11.14.1

Compare Source

What's Changed

• feat: Tanstack Intent Skills by @​Nick-Lucas in #​7252

Full Changelog: trpc/trpc@v11.14.0...v11.14.1

v11.14.0

Compare Source

What's Changed

• fix(server): use correct call index in batch stream error handling by @​karesansui-u in #​7262
• fix: preserve buffered chunks on stream close in httpBatchStreamLink by @​luinbytes in #​7233

New Contributors

• @​karesansui-u made their first contribution in #​7262
• @​luinbytes made their first contribution in #​7233

Full Changelog: trpc/trpc@v11.13.4...v11.14.0

v11.13.4

Compare Source

v11.13.3

Compare Source

v11.13.2

Compare Source

What's Changed

• fix: correct typo 'commitedFiles' → 'committedFiles' by @​mitre88 in #​7221
• feat(docs): revamp docs content for 2026, more framework agnostic, improved Next.js docs by @​Nick-Lucas in #​7193
• feat: Support OpenAPI json generation for any tRPC appRouter by @​Nick-Lucas in #​7231
• feat: Fix some OpenAPI AI feedback by @​Nick-Lucas in #​7242
• feat: add streamHeader option to httpBatchStreamLink by @​anatolzak in #​7241

New Contributors

• @​mitre88 made their first contribution in #​7221
• @​pendant-k made their first contribution in #​7236

Full Changelog: trpc/trpc@v11.12.0...v11.13.2

v11.13.1

Compare Source

v11.13.0

Compare Source

v11.12.1

Compare Source

anthropics/claude-code-action (anthropics/claude-code-action)

v1.0.77

Compare Source

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

What's Changed

• Auto-set subprocess env scrub when allowed_non_write_users is configured by @​OctavianGuzu in #​1093

Full Changelog: anthropics/claude-code-action@v1.0.76...v1.0.77

v1.0.76

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.76

v1.0.75

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.75

v1.0.74

Compare Source

What's Changed

• Restore .claude/ and .mcp.json from PR base branch before CLI runs by @​km-anthropic in #​1066
• Remove redundant git status/diff/log from tag mode allowlist by @​ddworken in #​1075

Full Changelog: anthropics/claude-code-action@v1...v1.0.74

v1.0.73

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.73

drizzle-team/drizzle-orm (drizzle-kit)

v0.31.10

Compare Source

• Updated to hanji@0.0.8 - native bun stringWidth, stripANSI support, errors for non-TTY environments
• We've migrated away from esbuild-register to tsx loader, it will now allow to use drizzle-kit seamlessly with both ESM and CJS modules
• We've also added native Bun and Deno launch support, which will not trigger tsx loader and utilise native bun and deno imports capabilities and faster startup times

eslint/eslint (eslint)

v10.1.0

Compare Source

Features

• ff4382b feat: apply fix for no-var in TSModuleBlock (#​20638) (Tanuj Kanti)
• 0916995 feat: Implement api support for bulk-suppressions (#​20565) (Blake Sager)

Bug Fixes

• 2b8824e fix: Prevent no-var autofix when a variable is used before declaration (#​20464) (Amaresh S M)
• e58b4bf fix: update eslint (#​20597) (renovate[bot])

Documentation

• b7b57fe docs: use correct JSDoc link in require-jsdoc.md (#​20641) (mkemna-clb)
• 58e4cfc docs: add deprecation notice partial (#​20639) (Milos Djermanovic)
• 7143dbf docs: update v9 migration guide for @eslint/js usage (#​20540) (fnx)
• 035fc4f docs: note that globalReturn applies only with sourceType: "script" (#​20630) (Milos Djermanovic)
• e972c88 docs: merge ESLint option descriptions into type definitions (#​20608) (Francesco Trotta)
• 7f10d84 docs: Update README (GitHub Actions Bot)
• aeed007 docs: open playground link in new tab (#​20602) (Tanuj Kanti)
• a0d1a37 docs: Add AI Usage Policy (#​20510) (Nicholas C. Zakas)

Chores

• a9f9cce chore: update dependency eslint-plugin-unicorn to ^63.0.0 (#​20584) (Milos Djermanovic)
• 1f42bd7 chore: update prettier to 3.8.1 (#​20651) (루밀LuMir)
• c0a6f4a chore: update dependency @​eslint/json to ^1.2.0 (#​20652) (renovate[bot])
• cc43f79 chore: update dependency c8 to v11 (#​20650) (renovate[bot])
• 2ce4635 chore: update dependency @​eslint/json to v1 (#​20649) (renovate[bot])
• f0406ee chore: update dependency markdownlint-cli2 to ^0.21.0 (#​20646) (renovate[bot])
• dbb4c95 chore: remove trunk (#​20478) (sethamus)
• c672a2a test: fix CLI test for empty output file (#​20640) (kuldeep kumar)
• c7ada24 ci: bump pnpm/action-setup from 4.3.0 to 4.4.0 (#​20636) (dependabot[bot])
• 07c4b8b test: fix RuleTester test without test runners (#​20631) (Francesco Trotta)
• 079bba7 test: Add tests for isValidWithUnicodeFlag (#​20601) (Manish chaudhary)
• 5885ae6 ci: unpin Node.js 25.x in CI (#​20615) (Copilot)
• f65e5d3 chore: update pnpm/action-setup digest to b906aff (#​20610) (renovate[bot])

vercel/next.js (eslint-config-next)

v16.2.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• docs: post release amends (#​91715)
• docs: fix broken Activity Patterns demo link in preserving UI state guide (#​91698)
• Fix adapter outputs for dynamic metadata routes (#​91680)
• Turbopack: fix webpack loader runner layer (#​91727)
• Fix server actions in standalone mode with cacheComponents (#​91711)
• turbo-persistence: remove Unmergeable mmap advice (#​91713)
• Fix layout segment optimization: move app-page imports to server-utility transition (#​91701)
• Turbopack: lazy require metadata and handle TLA (#​91705)
• [turbopack] Respect {eval:true} in worker_threads constructors (#​91666)

Credits

Huge thanks to @​icyJoseph, @​abhishekmardiya, @​ijjk, @​mischnic, @​unstubbable, @​sokra, and @​lukesandberg for helping!

v16.2.0

Compare Source

v16.1.7

Compare Source

webpro-nl/knip (knip)

v5.88.1: Release 5.88.1

Compare Source

• Bump GitHub actions to their latest versions (#​1624) (bf2ffca) - thanks @​deining!
• Prettier config for other formatters (e.g. unified-prettier) (e034cbd)
• Fix module/namespace regression (resolve #​1603) (394bcba)
• Fix counter type and --fix exit code (37b6f60)
• Restore all ecosystem tests (4d2cd9b)
• Release knip@​5.88.1 (8c25e4b)

v5.88.0: Release 5.88.0

Compare Source

• Add Sanity plugin (#​1608) (f777834) - thanks @​jonahsnider!
• feat: detect duplicated package.json dependencies (#​1611) (dec15a7) - thanks @​Zamiell!
• fix: docusaurus faster (#​1616) (c7a0128) - thanks @​Zamiell!
• feat: raycast plugin (#​1619) (52c77ee) - thanks @​TkDodo!
• fix: docusaurus scripts and stylesheets (#​1618) (9fa485f) - thanks @​Zamiell!
• Improve getPackageNameFromModuleSpecifier performance (817180e)
• Mark Nuxt extends entries as dependencies (96f178f)
• Simplify devDependency duplicate detection logic (99a7c9b)
• Add patch for argos (cecab21)
• Fix conflict and iterate on docusaurus plugin (d3d8cae)
• Iterate on raycast plugin (4948bf8)
• Oxfmt now supports .ts config files (#​1621) (27a4813) - thanks @​DaniFoldi!
• Fix typos (#​1622) (386b477) - thanks @​deining!
• docs: bump astro to newly released version 6 (#​1623) (f941db9) - thanks @​deining!
• pnpm dedupe (d1a9089)
• Release knip@​5.88.0 (7aeb857)

v5.87.0

Compare Source

lint-staged/lint-staged (lint-staged)

v16.4.0

Compare Source

Minor Changes

• #​1739 687fc90 Thanks @​hyperz111! - Replace micromatch with picomatch to reduce dependencies.

v16.3.4

Compare Source

Patch Changes

• #​1742 9d6e827 Thanks @​iiroj! - Update dependencies, including tinyexec@1.0.4 to make sure local node_modules/.bin are preferred to global locations (released in tinyexec@1.0.3).

ai/nanoid (nanoid)

v5.1.7

Compare Source

• Added --version to CLI (by @​mahmoodhamdi).
• Updated nanoid.js for CDN (by @​mahmoodhamdi).
• Fixed docs (by @​mahmoodhamdi).
• Fixed customRandom types (by @​oguimbal).

PostHog/posthog-js (posthog-js)

v1.363.1

Compare Source

1.363.1

Patch Changes

• Updated dependencies [314120a]:
  • @​posthog/core@​1.24.1
  • @​posthog/types@​1.363.1

v1.363.0

Compare Source

1.363.0

Minor Changes

• #​3247 7efa558 Thanks @​dmarticus! - prevent silent identity switch during bootstrap and auto-identify anonymous users
  (2026-03-20)

Patch Changes

• #​3245 1acd6fd Thanks @​dmarticus! - handle plain array and object forms in overrideFeatureFlags
  (2026-03-20)
• Updated dependencies [1acd6fd]:
  • @​posthog/types@​1.363.0

v1.362.0

Compare Source

1.362.0

Minor Changes

• #​3244 ff8a93e Thanks @​sampennington! - Fixed $set_once initial person properties (e.g. $initial_current_url) not being included with $identify calls when they had already been sent with a prior event. This ensures initial properties are reliably set when identifying users across subdomains, even if an anonymous event was captured first.
  (2026-03-18)

Patch Changes

• Updated dependencies [9cd2313]:
  • @​posthog/core@​1.24.0
  • @​posthog/types@​1.362.0

v1.361.1

Compare Source

1.361.1

Patch Changes

• #​3249 c265d62 Thanks @​marandaneto! - fix: preserve _overrideSDKInfo from terser mangling so wrapper SDKs can call it
  (2026-03-18)
• Updated dependencies []:
  • @​posthog/types@​1.361.1

v1.361.0

Compare Source

1.361.0

Minor Changes

• #​3201 552c018 Thanks @​frankh! - Add a serviceName config option to logs config
  (2026-03-18)

• #​3240 e4a58d0 Thanks @​marandaneto! - Add internal _overrideSDKInfo method to allow wrapper SDKs to override $lib and $lib_version event properties
  (2026-03-18)

• #​3241 fe1fd7b Thanks @​dustinbyrne! - feat: add advanced_feature_flags_dedup_per_session config option to scope $feature_flag_called deduplication to the current session
  (2026-03-18)

Patch Changes

• #​3239 bf4f078 Thanks @​jonathanlab! - fix: debug mode not persisting across page navigations
  (2026-03-18)

• #​3228 8773fdf Thanks @​TueHaulund! - fix: restart session recorder when session rotates externally while idle, preventing "Recording not found" for sessions where analytics events triggered session rotation
  (2026-03-18)

• Updated dependencies [552c018, fe1fd7b]:

  • @​posthog/types@​1.361.0

v1.360.2

Compare Source

1.360.2

Patch Changes

• #​3236 bc30c2d Thanks @​dustinbyrne! - fix: Calling reset() now automatically reloads feature flags
  (2026-03-13)
• Updated dependencies [bc30c2d, bc30c2d]:
  • @​posthog/core@​1.23.4
  • @​posthog/types@​1.360.2

PostHog/posthog-js (posthog-node)

v5.28.5

Compare Source

Patch Changes

• Updated dependencies [314120a]:
  • @​posthog/core@​1.24.1

v5.28.4

Compare Source

Patch Changes

• Updated dependencies [9cd2313]:
  • @​posthog/core@​1.24.0

v5.28.3

Compare Source

Patch Changes

• #​3243 697e423 Thanks @​hpouillot! - fix captureExceptionImmediate return value
  (2026-03-18)

v5.28.2

Compare Source

Patch Changes

• #​3236 bc30c2d Thanks @​dustinbyrne! - Omit the config query parameter by default to request only the necessary data
  (2026-03-13)

• #​3236 bc30c2d Thanks @​dustinbyrne! - fix: Client shutdown awaits the feature flags poller to stop
  (2026-03-13)

• Updated dependencies [bc30c2d, bc30c2d]:

  • @​posthog/core@​1.23.4

resend/resend-node (resend)

v6.9.4

Compare Source

What's Changed

• chore(deps): update dependency tsdown to v0.21.0 by @​renovate[bot] in #​868
• chore(deps): update pnpm to v10.30.3 by @​renovate[bot] in #​846
• chore(deps): update tj-actions/changed-files digest to c23d52b by @​renovate[bot] in #​851
• chore(deps): update pnpm/action-setup digest to 9b5745c by @​renovate[bot] in #​852
• chore(deps): update dependency rimraf to v6.1.3 by @​renovate[bot] in #​850
• chore(deps): update dependency @​types/react to v19.2.14 by @​renovate[bot] in #​845
• chore(deps): update dependency dotenv to v17.3.1 by @​renovate[bot] in #​848
• fix(deps): update dependency svix to v1.86.0 by @​renovate[bot] in #​849
• chore(deps): update dependency @​types/node to v24.11.0 by @​renovate[bot] in #​856
• chore(deps): update dependency @​biomejs/biome to v2.4.6 by @​renovate[bot] in #​847
• feat(api-keys): add last_used_at field to API key response by @​joaopcm in #​877
• chore(deps): update dependency @​biomejs/biome to v2.4.7 by @​renovate[bot] in #​879
• chore: bump package version to 6.9.4 by @​joaopcm in #​878

Full Changelog: resend/resend-node@v6.9.3...v6.9.4

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
website	Ready	Preview, Comment	Mar 24, 2026 1:46am