chore(deps): bump the npm-minor-patch group with 13 updates

[dependabot]

Bumps the npm-minor-patch group with 13 updates:

Package	From	To
@opennextjs/cloudflare	1.19.9	1.19.11
@shikijs/core	4.0.2	4.1.0
@shikijs/engine-javascript	4.0.2	4.1.0
@shikijs/langs	4.0.2	4.1.0
@shikijs/themes	4.0.2	4.1.0
@shikijs/transformers	4.0.2	4.1.0
@types/node	25.7.0	25.9.1
lucide-react	1.14.0	1.16.0
posthog-js	1.373.4	1.374.3
shiki	4.0.2	4.1.0
@types/react	19.2.14	19.2.15
tsx	4.21.0	4.22.3
wrangler	4.90.1	4.93.0

Updates @opennextjs/cloudflare from 1.19.9 to 1.19.11

Release notes

Sourced from @​opennextjs/cloudflare's releases.

@​opennextjs/cloudflare@​1.19.11

Patch Changes

• #1270 802047e Thanks @​alex-all3dp! - fix: skip non-upload-triggered worker versions when building skew-protection deployment mapping

  Worker versions created by metadata-only operations (e.g. Cloudflare API secret updates) do not include the static assets bundle. Previously, such versions could become the "latest" target in the skew-protection mapping, causing /_next/static/* requests to return 404 on past deployments. Versions are now filtered to those with workers/triggered_by in {upload, version_upload}.

  Closes #1230

@​opennextjs/cloudflare@​1.19.10

Patch Changes

• #1261 780dd4f Thanks @​vicb! - Allow populating R2 when the domain is protected by Cloudflare Access

  You need to:

  • create a "Service Auth" policy for "open-next-cache-populate..workers.dev"
  • add an "Include" rule for "Any Access Service Token" or for a given service token ("Service Token")
  • populate the env variables CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET

Changelog

Sourced from @​opennextjs/cloudflare's changelog.

1.19.11

Patch Changes

• #1270 802047e Thanks @​alex-all3dp! - fix: skip non-upload-triggered worker versions when building skew-protection deployment mapping

  Worker versions created by metadata-only operations (e.g. Cloudflare API secret updates) do not include the static assets bundle. Previously, such versions could become the "latest" target in the skew-protection mapping, causing /_next/static/* requests to return 404 on past deployments. Versions are now filtered to those with workers/triggered_by in {upload, version_upload}.

  Closes #1230

1.19.10

Patch Changes

• #1261 780dd4f Thanks @​vicb! - Allow populating R2 when the domain is protected by Cloudflare Access

  You need to:

  • create a "Service Auth" policy for "open-next-cache-populate..workers.dev"
  • add an "Include" rule for "Any Access Service Token" or for a given service token ("Service Token")
  • populate the env variables CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET

Commits

• 596f924 Version Packages (#1271)
• 802047e fix: skip non-upload-triggered worker versions in skew-protection (#1270)
• dd78941 docs: clarify Cloudflare Access setup in populate-cache comment (#1267)
• 49eade5 Version Packages (#1266)
• 780dd4f Allow populating R2 when the domain is protected by Cloudflare Access (#1261)
• See full diff in compare view

Updates @shikijs/core from 4.0.2 to 4.1.0

Release notes

Sourced from @​shikijs/core's releases.

v4.1.0

   🐞 Bug Fixes

• twoslash: Forward tsModule to createTwoslasher  -  by @​arthurfiorette in shikijs/shiki#1271 (be89a)

    View changes on GitHub

Commits

• c809af9 chore: release v4.1.0
• 95371cb chore: lint
• See full diff in compare view

Updates @shikijs/engine-javascript from 4.0.2 to 4.1.0

Release notes

Sourced from @​shikijs/engine-javascript's releases.

v4.1.0

   🐞 Bug Fixes

• twoslash: Forward tsModule to createTwoslasher  -  by @​arthurfiorette in shikijs/shiki#1271 (be89a)

    View changes on GitHub

Commits

• c809af9 chore: release v4.1.0
• acbea86 chore: bump deps, TypeScript v6, pnpm v11 (#1278)
• 95371cb chore: lint
• See full diff in compare view

Updates @shikijs/langs from 4.0.2 to 4.1.0

Release notes

Sourced from @​shikijs/langs's releases.

v4.1.0

   🐞 Bug Fixes

• twoslash: Forward tsModule to createTwoslasher  -  by @​arthurfiorette in shikijs/shiki#1271 (be89a)

    View changes on GitHub

Commits

• c809af9 chore: release v4.1.0
• 95371cb chore: lint
• See full diff in compare view

Updates @shikijs/themes from 4.0.2 to 4.1.0

Release notes

Sourced from @​shikijs/themes's releases.

v4.1.0

   🐞 Bug Fixes

• twoslash: Forward tsModule to createTwoslasher  -  by @​arthurfiorette in shikijs/shiki#1271 (be89a)

    View changes on GitHub

Commits

• c809af9 chore: release v4.1.0
• 95371cb chore: lint
• See full diff in compare view

Updates @shikijs/transformers from 4.0.2 to 4.1.0

Release notes

Sourced from @​shikijs/transformers's releases.

v4.1.0

   🐞 Bug Fixes

• twoslash: Forward tsModule to createTwoslasher  -  by @​arthurfiorette in shikijs/shiki#1271 (be89a)

    View changes on GitHub

Commits

• c809af9 chore: release v4.1.0
• 95371cb chore: lint
• See full diff in compare view

Updates @types/node from 25.7.0 to 25.9.1

Commits

• See full diff in compare view

Updates lucide-react from 1.14.0 to 1.16.0

Release notes

Sourced from lucide-react's releases.

Version 1.16.0

What's Changed

• feat(icons): added blender icon by @​rrod497 in lucide-icons/lucide#3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

• fix: remove 'less' from brand stopwords by @​jguddas in lucide-icons/lucide#4331
• fix(@​lucide/vue): Clone slots before passing to icon by @​axtho in lucide-icons/lucide#4339
• fix(icons): changed text-cursor icon by @​jamiemlaw in lucide-icons/lucide#4340
• fix(icons): changed landmark icon by @​jamiemlaw in lucide-icons/lucide#4334
• chore(deps-dev): bump nitropack from 2.13.1 to 2.13.4 by @​dependabot[bot] in lucide-icons/lucide#4352
• chore(deps-dev): bump simple-git from 3.33.0 to 3.36.0 by @​dependabot[bot] in lucide-icons/lucide#4349
• fix(icons): changed candy-cane icon by @​jguddas in lucide-icons/lucide#4148
• fix(icons): changed volleyball icon by @​jamiemlaw in lucide-icons/lucide#4338
• fix(icons): changed chart-no-axes-combined icon by @​jguddas in lucide-icons/lucide#3567
• feat(icon): added broccoli icon by @​swastik7805 in lucide-icons/lucide#4263
• chore(site): Updates to site and updated carbon ads by @​ericfennis in lucide-icons/lucide#4359
• feat(icons): added sticky note variants by @​Barakudum in lucide-icons/lucide#4348
• chore(deps-dev): bump astro from 6.1.6 to 6.1.10 by @​dependabot[bot] in lucide-icons/lucide#4361

New Contributors

• @​axtho made their first contribution in lucide-icons/lucide#4339
• @​Barakudum made their first contribution in lucide-icons/lucide#4348

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

Commits

• 07c885e fix(docs): fix zephyr-cloud URL in readmes
• See full diff in compare view

Updates posthog-js from 1.373.4 to 1.374.3

Release notes

Sourced from posthog-js's releases.

posthog-js@1.374.3

1.374.3

Patch Changes

• #3607 557b893 Thanks @​eli-r-ph! - Enable $web_vitals reporting when cookieless mode is enabled (2026-05-20)
• Updated dependencies [557b893, a880dbc]:
  • @​posthog/types@​1.374.3
  • @​posthog/core@​1.29.6

posthog-js@1.374.2

1.374.2

Patch Changes

• #3550 df91995 Thanks @​TueHaulund! - Preserve session-recording remote config across posthog.reset().

  posthog.reset() was clearing the entire persistence store, which wiped $session_recording_remote_config along with user state. On the next session rotation triggered by the reset, start('session_id_changed') would early-return because the remote config was missing — leaving rrweb torn down and the new session opening with no Meta + FullSnapshot until the next periodic 5-minute checkout.

  This affected any flow where an app calls posthog.reset() mid-session (e.g. on sign-out / sign-in) and was particularly visible on Flutter Web recordings that depend on a fresh FullSnapshot to anchor the CanvasKit DOM. (2026-05-18)

• Updated dependencies []:

  • @​posthog/types@​1.374.2
  • @​posthog/core@​1.29.5

posthog-js@1.374.1

1.374.1

Patch Changes

• #3627 07a0f5f Thanks @​marandaneto! - Respect transport overrides passed to posthog.capture. (2026-05-18)
• Updated dependencies []:
  • @​posthog/types@​1.374.1
  • @​posthog/core@​1.29.4

posthog-js@1.374.0

1.374.0

Minor Changes

• #3620 594ea11 Thanks @​pauldambra! - Dead clicks: add a .ph-no-deadclick CSS class (and capture_dead_clicks.css_selector_ignorelist config option) to exclude specific elements from dead-click detection without affecting autocapture, session replay, or heatmaps. Mirrors the existing .ph-no-rageclick pattern.

... (truncated)

Commits

• e59c337 chore: update versions and lockfile [version bump]
• a880dbc fix(core): detect Oculus Browser instead of falling back to Chrome (#3581)
• 557b893 feat(js-sdk): Enable $web_vitals reporting when cookieless mode is enabled (#...
• 477aee5 fix(nextjs-config): warn when withPostHogConfig is not the outermost wrapper ...
• 5f95335 chore: update versions and lockfile [version bump]
• a1a668e feat(convex): v1.0 with local + remote feature flag evaluation (#3622)
• e119eec fix(node): correct edge cases in local feature flag evaluation (#3623)
• 44b9d2a chore: update versions and lockfile [version bump]
• df91995 fix(replay): preserve recording remote config across posthog.reset() (#3550)
• 6fbda2e chore: update versions and lockfile [version bump]
• Additional commits viewable in compare view

Updates shiki from 4.0.2 to 4.1.0

Release notes

Sourced from shiki's releases.

v4.1.0

   🐞 Bug Fixes

• twoslash: Forward tsModule to createTwoslasher  -  by @​arthurfiorette in shikijs/shiki#1271 (be89a)

    View changes on GitHub

Commits

• c809af9 chore: release v4.1.0
• 95371cb chore: lint
• See full diff in compare view

Updates @types/react from 19.2.14 to 19.2.15

Commits

• See full diff in compare view

Updates tsx from 4.21.0 to 4.22.3

Release notes

Sourced from tsx's releases.

v4.22.3

4.22.3 (2026-05-19)

Bug Fixes

• decode typed loader source (dce02fc)
• preserve entrypoint with TypeScript preload hooks (68f72f3)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.2

4.22.2 (2026-05-18)

Bug Fixes

• preserve CJS JSON require in ESM hooks (35b700b)
• preserve named exports from CommonJS TypeScript (11de737)
• support module.exports require(esm) interop (cf8f199)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.1

4.22.1 (2026-05-17)

Bug Fixes

• resolve tsconfig path aliases containing a colon (#780) (6979f28)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.0

4.22.0 (2026-05-14)

Features

• upgrade esbuild to 0.28 (#789) (b29f6ee)

---

This release is also available on:

• npm package (@​latest dist-tag)

... (truncated)

Commits

• dce02fc fix: decode typed loader source
• 68f72f3 fix: preserve entrypoint with TypeScript preload hooks
• 69455cf test: cover package exports for ambiguous ESM reexports
• 35b700b fix: preserve CJS JSON require in ESM hooks
• ef807db chore: update testing dependencies
• 3917090 test: document compatibility test taxonomy
• de8113f refactor: centralize Node capability facts
• c1f62db test: consolidate tsconfig path edge coverage
• 4e08174 test: consolidate loader hook coverage
• 674bb30 test: consolidate tsImport commonjs mts coverage
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for tsx since your current version.

Updates wrangler from 4.90.1 to 4.93.0

Release notes

Sourced from wrangler's releases.

wrangler@4.93.0

Minor Changes

• #13901 aac7ca0 Thanks @​bghira! - Add wrangler ai models schema command for fetching model schemas

  You can now run wrangler ai models schema <model> to fetch the input and output schema for a Workers AI model from the public model catalog schema endpoint.

• #12656 ae047ee Thanks @​mikenomitch! - Add --containers-rollout=none

  This allows you to skip deploying a container. This is useful if you know that your container is not going to be updated or you don't have Docker locally, but still want to make changes to your Worker.

• #13901 aac7ca0 Thanks @​bghira! - Add wrangler ai models list command for querying the Workers AI model catalog

  wrangler ai models list accepts --search, --task, --author, --source, and --hide-experimental, matching the public model catalog search endpoint.

Patch Changes

• #13948 b25dc0d Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260515.1	1.20260518.1

• #13882 a4f22bc Thanks @​matingathani! - Throw a clear error when a D1 migration is cancelled instead of silently returning

• #13950 f78d435 Thanks @​dario-piotrowicz! - Improve the Docker CLI error message to be more actionable.

  Include a link to Docker installation docs, platform-specific instructions for starting the daemon, and guidance for alternative Docker-compatible CLIs.

• #11896 c5c9e20 Thanks @​staticpayload! - Surface remote proxy session errors

  When remote bindings fail to start, include the controller reason and root cause in the error message to make failures like missing cloudflared clearer.

• #13932 ebf4b24 Thanks @​zebp! - Fix local Workflow startup when compatibility flags include experimental

  Miniflare now deduplicates compatibility flags for the internal Workflow engine service. This prevents wrangler dev from failing with Compatibility flag specified multiple times: experimental when the user's Worker already enables that flag.

• #13929 895baf5 Thanks @​Caio-Nogueira! - Prompt to provision a workers.dev subdomain before deploying Workflows

  Wrangler now checks for the account-level workers.dev subdomain when deploying Workflows, even if the Worker is not being published to workers.dev. If the subdomain has not been registered yet, Wrangler prompts to create one before calling the Workflows deploy API so users avoid an opaque server-side deployment failure.

• #13930 7bcdf45 Thanks @​shiminshen! - Sweep stale .wrangler/tmp/* dirs left behind by abnormal exits

  A wrangler dev session creates .wrangler/tmp/bundle-* and .wrangler/tmp/dev-* directories at startup and removes them via a signal-exit hook on graceful shutdown. When the process exited abnormally (SIGKILL, OOM, host crash) those directories were left behind and accumulated across sessions, slowing down dependency-walking tools that follow the bundle-emitted absolute-path imports.

  wrangler now sweeps entries in .wrangler/tmp/ older than 24 hours when a new temporary directory is requested, bounding the leak regardless of how prior sessions exited.

• Updated dependencies [b25dc0d, ebf4b24, b27eb18]:

... (truncated)

Commits

• ee8857f Version Packages (#13931)
• a4f22bc [wrangler] fix: throw clear error when D1 migration execution returns null (#...
• f78d435 Improve the Docker CLI error message to be more actionable (#13950)
• b25dc0d Bump the workerd-and-workers-types group with 2 updates (#13948)
• ae047ee Adds option to skip container rollout on deploy (#12656)
• 1d8924f [wrangler] fix: update remote proxy session error test snapshots (#13935)
• c5c9e20 [wrangler] Surface remote proxy session errors (#11896)
• 895baf5 WOR-1251: provision workers.dev subdomain when a script has a workflo… (#13929)
• aac7ca0 add missing model catalogue search parameters (search, task, author, source) ...
• 7bcdf45 [wrangler] sweep stale .wrangler/tmp/* dirs at startup (#13930)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	docs-preview	26bb5d4	Commit Preview URL Branch Preview URL	May 21 2026, 04:57 AM