Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@opennextjs/cloudflare (source)	^1.14.4 -> ^1.14.7
@tailwindcss/postcss (source)	^4.1.17 -> ^4.1.18
@types/node (source)	^24.10.1 -> ^24.10.4
lucide-react (source)	^0.556.0 -> ^0.562.0
next (source)	16.0.10 -> 16.1.1
pnpm (source)	10.24.0 -> 10.26.1
react (source)	^19.2.1 -> ^19.2.3
react-dom (source)	^19.2.1 -> ^19.2.3
tailwindcss (source)	^4.1.17 -> ^4.1.18
wrangler (source)	^4.53.0 -> ^4.56.0

---

Release Notes

opennextjs/opennextjs-cloudflare (@​opennextjs/cloudflare)

v1.14.7

Compare Source

Patch Changes

• #​1053 d447125 Thanks @​vicb! - Support composable cache in Next 16

v1.14.6

Compare Source

Patch Changes

• #​1043 c83cb83 Thanks @​vicb! - fix for CVE-2025-67779

  See https://nextjs.org/blog/security-update-2025-12-11

v1.14.5

Compare Source

Patch Changes

• #​1042 763c4ec Thanks @​vicb! - Bump Next, React, and @​opennextjs/aws to fix vulnerabilities (CVE-2025-55184 and CVE-2025-55183)

  See https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  See https://nextjs.org/blog/security-update-2025-12-11
  See https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.5

• #​1034 721bff0 Thanks @​james-elicx! - output more wrangler command logs when the command fails

• #​1023 a4a2f02 Thanks @​dario-piotrowicz! - When running wrangler deploy add a OPEN_NEXT_DEPLOY environment variable to let wrangler know that it is being run by open-next

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.1.18

Compare Source

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#​19274)
• Include filename and line numbers in CSS parse errors (#​19282)
• Skip comments in Ruby files when checking for class names (#​19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#​19243)
• Support environment API in @tailwindcss/vite (#​18970)
• Preserve case of theme keys from JS configs and plugins (#​19337)
• Write source maps correctly on the CLI when using --watch (#​19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#​19348)
• Improve backwards compatibility for content theme key from JS configs (#​19381)
• Upgrade: Handle future and experimental config keys (#​19344)
• Try to canonicalize any arbitrary utility to a bare value (#​19379)
• Validate candidates similarly to Oxide (#​19397)
• Canonicalization: combine text-* and leading-* classes (#​19396)
• Correctly handle duplicate CLI arguments (#​19416)
• Don’t emit color-mix fallback rules inside @keyframes (#​19419)
• CLI: Don't hang when output is /dev/stdout (#​19421)

lucide-icons/lucide (lucide-react)

v0.562.0

Compare Source

v0.561.0: Version 0.561.0

Compare Source

What's Changed

• fix(site): Small adjustments color picker and add clear button search bar by @​ericfennis in #​3851
• feat(icons): added stone icon by @​Alportan in #​3850

Full Changelog: lucide-icons/lucide@0.560.0...0.561.0

v0.560.0: Version 0.560.0

Compare Source

What's Changed

• feat(icons): added cannabis-off icon by @​NickVeles in #​3748

New Contributors

• @​NickVeles made their first contribution in #​3748

Full Changelog: lucide-icons/lucide@0.559.0...0.560.0

v0.559.0: Version 0.559.0

Compare Source

What's Changed

• feat(icons): added fishing-hook icon by @​7ender in #​3837

New Contributors

• @​7ender made their first contribution in #​3837

Full Changelog: lucide-icons/lucide@0.558.0...0.559.0

v0.558.0: Version 0.558.0

Compare Source

What's Changed

• feat(icons): added hd icon by @​jamiemlaw in #​2958

Full Changelog: lucide-icons/lucide@0.557.0...0.558.0

v0.557.0: Version 0.557.0

Compare Source

What's Changed

• fix(github/workflows/ci): fixes linting issues by @​karsa-mistmere in #​3858
• fix(icons): changed memory-stick icon by @​karsa-mistmere in #​3017
• fix(icons): changed microchip icon by @​karsa-mistmere in #​3018
• chore(repo): Update Node version and overal cleanup by @​ericfennis in #​3861
• fix(icons): changed paint-bucket icon by @​jguddas in #​3865
• fix(icons): changed brush-cleaning icon by @​jguddas in #​3863
• fix(icons): Swap thumbs-up thumbs-down paths to fix fill issue by @​theianjones in #​3873
• fix(icons): changed tickets icon by @​karsa-mistmere in #​3859
• feat(icons): added layers-plus icon by @​juanisidoro in #​3367
• docs(dev): Fix code sample for vanilla JS by @​wavebeem in #​3836
• feat(icons): add search-error icon by @​Veatec22 in #​3292
• feat(icons): Add cloud-sync and cloud-backup by @​ericfennis in #​3466
• feat(icons): added circle-pile icon by @​nathan-de-pachtere in #​3681
• feat(icons): added balloon icon by @​peteruithoven in #​2519

New Contributors

• @​theianjones made their first contribution in #​3873
• @​juanisidoro made their first contribution in #​3367
• @​wavebeem made their first contribution in #​3836
• @​Veatec22 made their first contribution in #​3292

Full Changelog: lucide-icons/lucide@0.556.0...0.557.0

vercel/next.js (next)

v16.1.1

Compare Source

v16.1.0

Compare Source

pnpm/pnpm (pnpm)

v10.26.1

Compare Source

v10.26.0

Compare Source

v10.25.0

Compare Source

facebook/react (react)

v19.2.3: 19.2.3 (December 11th, 2025)

Compare Source

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #​35351)

v19.2.2: 19.2.2 (December 11th, 2025)

Compare Source

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon #​35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #​35289)

cloudflare/workers-sdk (wrangler)

v4.56.0

Compare Source

Minor Changes

• #​11196 171cfd9 Thanks @​emily-shen! - For containers being created in a FedRAMP high environment, registry credentials are encrypted by the container platform.
  Update wrangler to correctly send a request to configure a registry for FedRAMP containers.

• #​11646 472cf72 Thanks @​vovacf201! - feat: add R2 Data Catalog snapshot expiration commands

  Adds new commands to manage automatic snapshot expiration for R2 Data Catalog tables:

  • wrangler r2 bucket catalog snapshot-expiration enable - Enable automatic snapshot expiration
  • wrangler r2 bucket catalog snapshot-expiration disable - Disable automatic snapshot expiration

  Snapshot expiration helps manage storage costs by automatically removing old table snapshots while keeping a minimum number of recent snapshots for recovery purposes.

  Example usage:

  # Enable snapshot expiration for entire catalog (keep 10 snapshots, expire after 5 days)
  wrangler r2 bucket catalog snapshot-expiration enable my-bucket --token $R2_CATALOG_TOKEN --max-age 7200 --min-count 10
  
  # Enable for specific table
  wrangler r2 bucket catalog snapshot-expiration enable my-bucket my-namespace my-table --token $R2_CATALOG_TOKEN --max-age 2880 --min-count 5
  
  # Disable snapshot expiration
  wrangler r2 bucket catalog snapshot-expiration disable my-bucket

Patch Changes

• #​11649 428ae9e Thanks @​ascorbic! - fix: respect TypeScript path aliases when resolving non-JS modules with module rules

  When importing non-JavaScript files (like .graphql, .txt, etc.) using TypeScript path aliases defined in tsconfig.json, Wrangler's module-collection plugin now correctly resolves these imports. Previously, path aliases were only respected for JavaScript/TypeScript files, causing imports like import schema from '~lib/schema.graphql' to fail when using module rules.

• #​11647 c0e249e Thanks @​dario-piotrowicz! - The auto-configuration logic present in wrangler setup and wrangler deploy --x-autoconfig cannot reliably handle Hono projects, so in these cases make sure to properly error saying that automatically configuring such projects is not supported.

• #​11694 3853200 Thanks @​dario-piotrowicz! - fix: improve the open-next detection that wrangler deploy performs to eliminate false positives for non open-next projects

• Updated dependencies [ae1ad22, 737c0f4]:

  • miniflare@​4.20251217.0

v4.55.0

Compare Source

Minor Changes

• #​11301 6c590a0 Thanks @​dario-piotrowicz! - Make wrangler deploy run opennextjs-cloudflare deploy when executed in an open-next project

• #​11045 12a63ef Thanks @​edmundhung! - Add an internal unstable_printBindings API for vite plugin integration

• #​11590 7d8d4a6 Thanks @​pombosilva! - Add Workflows send-event to wrangler commands.

• #​11301 6c590a0 Thanks @​dario-piotrowicz! - Support Next.js (via OpenNext) projects in autoconfig

Patch Changes

• #​11615 ed42010 Thanks @​elithrar! - Add helpful warning when SSL certificate errors occur due to corporate proxies or VPNs intercepting HTTPS traffic. When errors like "self-signed certificate in certificate chain" are detected, wrangler now displays guidance about installing missing system roots from your corporate proxy vendor.

• #​11641 6b28de1 Thanks @​petebacondarwin! - update command status text and formatting

• #​11578 4201472 Thanks @​gpanders! - Fixup UX papercuts in containers SSH

• #​11550 95d81e1 Thanks @​hiendv! - Fix "TypeError: Body is unusable: Body has already been read" when failing to exchange oauth code because of double response.text().

• Updated dependencies [5d085fb, b75b710, 1e9be12]:

  • miniflare@​4.20251213.0

v4.54.0

Compare Source

Minor Changes

• #​11512 c15e99e Thanks @​emily-shen! - Enable using ctx.exports with containers

  You can now use containers with Durable Objects that are accessed via ctx.exports.

  Now your config file can look something like this:

  {
  	"name": "container-app",
  	"main": "src/index.ts",
  	"compatibility_date": "2025-12-01",
  	"compatibility_flags": ["enable_ctx_exports"], // compat flag needed for now.
  	"containers": [
  		{
  			"image": "./Dockerfile",
  			"class_name": "MyDOClassname",
  			"name": "my-container"
  		},
  	],
  	"migrations": [
  		{
  			"tag": "v1",
  			"new_sqlite_classes": ["MyDOClassname"],
  		},
  	],
  	// no need to declare your durable object binding here
  }
  

  Note that when using ctx.exports, where you previously accessed a Durable Object via something like env.DO, you should now access with ctx.exports.MyDOClassname.

  Refer to the docs for more information on using ctx.exports.

• #​11508 b17797c Thanks @​dario-piotrowicz! - Wrangler will no longer try to add additional configuration to projects using @cloudflare/vite-plugin when deploying or running wrangler setup

• #​11508 b17797c Thanks @​dario-piotrowicz! - When a Vite project is detected, install @cloudflare/vite-plugin

• #​11576 bb47e20 Thanks @​dario-piotrowicz! - Support Analog projects in autoconfig

• #​10582 991760d Thanks @​flakey5! - Add containers ssh command

Patch Changes

• #​11467 235d325 Thanks @​edmundhung! - fix: prevent reporting SQLite error from wrangler d1 execute to Sentry

• #​11414 41103f5 Thanks @​petebacondarwin! - add extra logging to user log-in flow for diagnosing failed login requests

• #​11559 ea6fbec Thanks @​nikitassharma! - Remove image validation for containers on wrangler deploy.

  Internal customers are able to use additional image registries and will run into failures with this validation. Image registry validation will now be handled by the API.

• Updated dependencies [31c162a, bd5f087, c6dd86f]:

  • miniflare@​4.20251210.0

---

Configuration

📅 Schedule: Branch creation - Only on Monday ( * * * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.