chore(deps): bump the npm-prod-minor group with 8 updates

[dependabot]

Bumps the npm-prod-minor group with 8 updates:

Package	From	To
@tanstack/react-query	5.90.10	5.100.14
autoprefixer	10.4.21	10.5.0
date-fns	4.1.0	4.4.0
dompurify	3.3.3	3.4.7
gpt-po	1.1.1	1.3.0
react-hot-toast	2.5.2	2.6.0
tailwind-merge	3.3.1	3.6.0
use-debounce	10.0.4	10.1.1

Updates @tanstack/react-query from 5.90.10 to 5.100.14

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-devtools@​5.100.14

@​tanstack/react-query-next-experimental@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14

@​tanstack/react-query-persist-client@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-persist-client-core@​5.100.14

@​tanstack/react-query@​5.100.14

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

@​tanstack/react-query-devtools@​5.100.13

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.13
  • @​tanstack/react-query@​5.100.13

@​tanstack/react-query-next-experimental@​5.100.13

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.13

@​tanstack/react-query-persist-client@​5.100.13

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.13
  • @​tanstack/react-query@​5.100.13

@​tanstack/react-query@​5.100.13

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.14

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

5.100.13

Patch Changes

• Updated dependencies [d423168]:
  • @​tanstack/query-core@​5.100.13

5.100.12

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.12

5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

5.100.10

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.10

5.100.9

Patch Changes

• Updated dependencies [fcee7bd]:
  • @​tanstack/query-core@​5.100.9

5.100.8

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.8

... (truncated)

Commits

• ba6e7be ci: Version Packages (#10767)
• ed20b6d fix(react): do not go into optimistic fetching state when not subscribed (#10...
• 05cf2bc ci: Version Packages (#10758)
• d423168 fix(query-core): use built-in NoInfer for generic indexed-access types (#10593)
• 5ff4f69 ci: Version Packages (#10755)
• 3e85350 ci: Version Packages (#10706)
• 9d2692c ci: Version Packages (#10695)
• 74fa05e chore(tsconfig.json): narrow 'include' pattern to prevent TS6053 race conditi...
• 8c3d523 ci: Version Packages (#10630)
• 9800c8f ci: Version Packages (#10623)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tanstack/react-query since your current version.

Updates autoprefixer from 10.4.21 to 10.5.0

Release notes

Sourced from autoprefixer's releases.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

Changelog

Sourced from autoprefixer's changelog.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

Commits

• faf456a Release 10.5 version
• b841fc5 Update dependencies
• 47d6e68 Update email
• 45cfc08 Replace ESLint and Prettier to oxlint and oxfmt
• 7e3ec7d Add prefixing support for mask-position-x and mask-position-y (#1548)
• 360f2d9 Release 10.4.27 version
• ab5260c Update clean-publish
• 09e9dd1 Release 10.4.26 version
• ec75540 Ignore local patches
• 59601b8 Update c8 and clean-publish
• Additional commits viewable in compare view

Updates date-fns from 4.1.0 to 4.4.0

Release notes

Sourced from date-fns's releases.

v4.4.0

This release revisits the approach to CDN usage and introduces a new package, @date-fns/cdn and deprecates the date-fns CDN scripts. It allowed reducing the zipped package size from 5.83 MB down to 3.96 MB without introducing any breaking changes.

In v5.0.0-alpha.0 where CDN scripts are completely removed from date-fns the change is more significant and brings the zipped package size down to 2.89 MB.

It is just the first step in optimizing the package size. Expect further size reduction in the future v4 and v5 versions.

Changed

• DEPRECATED: The date-fns CDN scripts are now deprecated and will be removed in the next major release. Please switch to the new @date-fns/cdn package for CDN usage.

• Removed CDN source maps to reduce the package size. If you rely on them, please switch to the new @date-fns/cdn package that still includes them.

v4.3.0

Kudos to @​ImRodry and @​puneetdixit200 for their contributions.

Fixed

• Fixed missing modularized optimization fallback (for Next.js and others). See #4193.

• Fixed pt locale first day of week to be Sunday. See #4195 by @​ImRodry.

• Fixed zh-CN, zh-HK, and zh-TW locale month parsing for October, November, and December. See #4194 by @​puneetdixit200.

v4.2.1

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Commits

• cd53d25 Promote to v4.4.0
• d948ec1 Preserve but deprecate CDN versions for v4, set up v5 with polyfills
• ee65753 Add root mise :format task
• 9f5bdf5 Add positional argument to test/smoke.sh script
• 651ead6 Split CDN bundles into separate @​date-fns/cdn package
• 224c1a2 Deprecate type tests as attw hangs on date-fns package
• 7bb2842 Switch PACKAGE_OUTPUT_PATH to --dist flag in the package build script
• b6ad5ac Add flags to control package build script
• 424a783 Fix docs release after moving to monorepo setup
• f95bcf1 (docs): Add missing tsx dependency
• Additional commits viewable in compare view

Updates dompurify from 3.3.3 to 3.4.7

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.7

• Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
• Removed a problem leading to permanent hook pollution, thanks @​offset
• Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

• Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
• Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
• Added more test coverage for IN_PLACE and general DOM Clobbering attacks
• Bumped several dependencies where possible

DOMPurify 3.4.5

• Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

• Added the selectedcontent element to default allow-list, thanks @​lukewarlow
• Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
• Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
• Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
• Updated demo website and made sure it uses the latest from main
• Updated existing workflows, fuzzer, dependabot, etc., added more tests
• Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

• Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
• Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
• Updated the node iteration code to catch more Shadow DOM related issues
• Updated Playwright and added Node 26 to test matrix
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.2

• Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
• Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.1

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
• Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

... (truncated)

Commits

• ca30f07 release: 3.4.7 (#1414)
• bb7739e release: 3.4.6 (#1394)
• 011b0c7 release: 3.4.5 (#1382)
• 5817ad9 release: 3.4.4 (#1374)
• 520edb0 release: 3.4.3 (#1352)
• 6f67fd3 Sync/3.4.2 (#1322)
• 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
• 09f5911 test: added three more browsers to test setup (OSX, mobile)
• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• See full diff in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates gpt-po from 1.1.1 to 1.3.0

Release notes

Sourced from gpt-po's releases.

1.3.0

What's Changed

chore: update version to 1.3.0 and add support for multiple AI providers

• Bump version from 1.2.4 to 1.3.0 in package.json
• Add dependencies for @​anthropic-ai/sdk and @​google/genai
• Update openai dependency to version 6.39.0
• Change Node.js engine requirement to >=20.0.0
• Refactor translate command to support multiple providers (openai, anthropic, gemini)
• Update environment variable handling for API keys and hosts based on selected provider
• Modify translation functions to accommodate new provider logic

Full Changelog: ryanhex53/gpt-po@1.2.4...1.3.0

1.2.4

What's Changed

• add OPENAI_MODEL_TMP enviroment
• add timeout option by @​Jadeiin in ryanhex53/gpt-po#28
• add context-length option by @​Jadeiin in ryanhex53/gpt-po#29
• Fixes for issue #30 by @​sg00 in ryanhex53/gpt-po#31

New Contributors

• @​Jadeiin made their first contribution in ryanhex53/gpt-po#28

Full Changelog: ryanhex53/gpt-po@1.2.3...1.2.4

1.2.3

What's Changed

• Added context support (msgctxt) by @​alehano in ryanhex53/gpt-po#23
• Correction to documentation by @​sg00 in ryanhex53/gpt-po#24
• Fix hang on Linux by @​glennschmidt in ryanhex53/gpt-po#25

New Contributors

• @​alehano made their first contribution in ryanhex53/gpt-po#23
• @​glennschmidt made their first contribution in ryanhex53/gpt-po#25

Full Changelog: ryanhex53/gpt-po@1.2.1...1.2.3

1.2.1

[1.2.1] - 2024-12-17

• add gettext compile options #15

1.2.0

[1.2.0] - 2024-11-26

• Submit multiple entries per chat to boost speed and reduce tokens
• Command systemprompt has been removed
• Bug fixes

What's Changed

• New features/improvements and bugfixes by @​sg00 in ryanhex53/gpt-po#7

... (truncated)

Commits

• See full diff in compare view

Updates react-hot-toast from 2.5.2 to 2.6.0

Release notes

Sourced from react-hot-toast's releases.

v2.6.0

• Adds support for multiple toasters
• Adapt build to minify inlined CSS

---

timolins/react-hot-toast@v2.5.2...v2.6.0

v2.6.0-beta.0

What's new

• Adds support for multiple toasters
• Add first version of Multi toaster docs
• Add dismissAll and removeAll More ergonomic API when working with multiple toasters a1d0b02

Ready to try it out?

npm i react-hot-toast@beta

Other Changes

• Update pnpm version f6c867b
• Move timeouts inside a useRef cb1fe8e
• Use data tag instead of id 1d5d3d3
• Fix dispatch to be id specific again fe934fd
• Merge branch 'main' into global-settings 0953822
• Add first version of multi toaster page 5b1ee55
• Merge branch 'main' into global-settings 4d43622
• Move toaster settings into state cf9ae4b
• Some experimentation with global settings API 2e0a4dd

---

timolins/react-hot-toast@v2.5.1...v2.6.0-beta.0

Commits

• 3a870ed 2.6.0
• 85d4b21 Merge pull request #383 from timolins/multi-toaster
• 15605ee Remove example
• 2bf1aaa Improve multi toaster docs
• b53bdb3 Merge branch 'main' into multi-toaster
• 4607412 Slight bump size limit
• e1bfeaf Merge branch 'main' into multi-toaster
• 35f5efe Merge pull request #407 from timolins/minify-inline-css
• 6dca025 Remove not working option
• 5f27b51 Remove fragile css minifier for now
• Additional commits viewable in compare view

Updates tailwind-merge from 3.3.1 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

• Add support for Tailwind CSS v4.3 by @​dcastil in dcastil/tailwind-merge#677
  • Add postfixLookupClassGroups option to config to support Tailwind utilities where a slash is part of the full class name, like named container queries
• Add support for readonly array values by @​unional in dcastil/tailwind-merge#652

Documentation

• Fix broken links in README by @​maurer2 in dcastil/tailwind-merge#662

Other

• Harden internal CI pipeline security by omitting git checkout by @​dcastil, suggested by @​kyletaylored in dcastil/tailwind-merge@6b2499c

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.5.0

New Features

• Add support for Tailwind CSS v4.2 by @​dcastil in dcastil/tailwind-merge#651

Full Changelog: dcastil/tailwind-merge@v3.4.1...v3.5.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.4.1

Bug Fixes

• Prevent arbitrary font-family and font-weight from merging by @​roneymoon in dcastil/tailwind-merge#635

Full Changelog: dcastil/tailwind-merge@v3.4.0...v3.4.1

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.4.0

New Features

• Performance optimizations which make tailwind-merge >10% faster
  • Vibe optimization by @​quantizor in dcastil/tailwind-merge#547
  • Additional optimizations by @​quantizor in dcastil/tailwind-merge#619

Documentation

• Improve docs by clarifying things, adding more examples by @​dcastil in dcastil/tailwind-merge#618
• Make examples more realistic by @​dcastil in dcastil/tailwind-merge#617
• Add custom variant as an alternative to docs by @​kidonng in dcastil/tailwind-merge#592

... (truncated)

Commits

• d54f7e5 v3.6.0
• 638871a Update README to add info about Tailwind CSS v4.3 support
• 39fc7b5 Revert "v3.6.0"
• bd8390f v3.6.0
• 802877c add v3.6.0 changelog
• a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
• 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
• 005af6d pin to specific version
• 5816ced implement breaking changes
• 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for tailwind-merge since your current version.

Updates use-debounce from 10.0.4 to 10.1.1

Release notes

Sourced from use-debounce's releases.

10.0.6

What's Changed

• Bump form-data from 4.0.0 to 4.0.4 by @​dependabot[bot] in xnimorz/use-debounce#198
• Fix/cancel ispending UI update by @​elrion018 in xnimorz/use-debounce#199

Full Changelog: xnimorz/use-debounce@10.0.5...10.0.6

10.0.5

What's Changed

• Update outdated tsdoc for useDebouncedCallback by @​stephan281094 in xnimorz/use-debounce#195
• Fix isPending updating bug and add a test case. by @​elrion018 in xnimorz/use-debounce#196
• Bump esbuild and @​size-limit/preset-small-lib by @​dependabot[bot] in xnimorz/use-debounce#197

New Contributors

• @​stephan281094 made their first contribution in xnimorz/use-debounce#195
• @​elrion018 made their first contribution in xnimorz/use-debounce#196

Full Changelog: xnimorz/use-debounce@10.0.4...10.0.5

Changelog

Sourced from use-debounce's changelog.

10.1.1

• replace global with globalThis which is defined in all possible environments (browser, node, workers) to address xnimorz/use-debounce#212

10.1.0

• New parameter introduced: flushOnExit. See issue #205 for details. This parameter allows the callback to be executed on component unmount or page exit, enabling specific side-effect such as persistence or other required I/O operations. Thanks to @​h for the contribution. PR

10.0.5

• Fixed issue xnimorz/use-debounce#192, where isPending remains true with leading: true configuration, thanks to @​elrion018

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	autoprefixer@​10.4.21 ⏵ 10.5.0	+1		-2
	@​tanstack/​react-query@​5.90.10 ⏵ 5.100.14	+1		+1	-1
	dompurify@​3.3.3 ⏵ 3.4.7		+6
	date-fns@​4.1.0 ⏵ 4.4.0	+1		+1

View full report

[dependabot]

Dependabot attempted to update this pull request, but because the branch dependabot/npm_and_yarn/npm-prod-minor-eb00b84e25 is protected it was unable to do so.