fix(deps): update bun minor and patch dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@better-auth/passkey (source)	^1.6.12 → ^1.6.15
@better-auth/sso (source)	^1.6.12 → ^1.6.15
@cloudflare/vite-plugin (source)	^1.39.0 → ^1.40.0
@hey-api/openapi-ts (source)	^0.97.3 → ^0.98.2
@inquirer/prompts (source)	^8.5.1 → ^8.5.2
@radix-ui/react-alert-dialog (source)	^1.1.15 → ^1.1.16
@radix-ui/react-checkbox (source)	^1.3.3 → ^1.3.4
@radix-ui/react-dialog (source)	^1.1.15 → ^1.1.16
@radix-ui/react-dropdown-menu (source)	^2.1.16 → ^2.1.17
@radix-ui/react-hover-card (source)	^1.1.15 → ^1.1.16
@radix-ui/react-label (source)	^2.1.8 → ^2.1.9
@radix-ui/react-progress (source)	^1.1.8 → ^1.1.9
@radix-ui/react-scroll-area (source)	^1.2.10 → ^1.2.11
@radix-ui/react-select (source)	^2.2.6 → ^2.3.0
@radix-ui/react-separator (source)	^1.1.8 → ^1.1.9
@radix-ui/react-slot (source)	^1.2.4 → ^1.2.5
@radix-ui/react-switch (source)	^1.2.6 → ^1.3.0
@radix-ui/react-tabs (source)	^1.1.13 → ^1.1.14
@radix-ui/react-tooltip (source)	^1.2.8 → ^1.2.9
@scalar/hono-api-reference (source)	^0.10.19 → ^0.11.0
@tailwindcss/typography	^0.5.19 → ^0.5.20
@tanstack/react-query (source)	^5.100.14 → ^5.101.0
@tanstack/react-query-devtools (source)	^5.100.14 → ^5.101.0
@tanstack/react-router (source)	^1.170.10 → ^1.170.15
@tanstack/react-start (source)	^1.168.18 → ^1.168.25
@tanstack/router-plugin (source)	^1.168.13 → ^1.168.18
@types/mdx (source)	^2.0.13 → ^2.0.14
@types/node (source)	^25.9.1 → ^25.9.2
@types/react (source)	^19.2.15 → ^19.2.17
better-auth (source)	^1.6.12 → ^1.6.15
effect (source)	^3.21.2 → ^3.21.3
fumadocs-mdx (source)	^15.0.10 → ^15.0.11
happy-dom	^20.9.0 → ^20.10.2
hono (source)	^4.12.23 → ^4.12.25
oxfmt (source)	0.52.0 → 0.54.0
react (source)	^19.2.6 → ^19.2.7
react-dom (source)	^19.2.6 → ^19.2.7
react-hook-form (source)	^7.77.0 → ^7.78.0
semver	^7.8.1 → ^7.8.3
shadcn (source)	^4.8.3 → ^4.11.0
vite (source)	^8.0.14 → ^8.0.16
vite-plus (source)	^0.1.23 → ^0.1.24
vitest (source)	^4.1.7 → ^4.1.8
wrangler (source)	^4.95.0 → ^4.98.0

---

Release Notes

better-auth/better-auth (@​better-auth/passkey)

v1.6.15

Compare Source

Patch Changes

• #​9927 d23735b Thanks @​gustavovalverde! - Resolve a friendly label for a passkey from the authenticator that created it. Passkeys already store the authenticator aaguid; the plugin now exports getAuthenticatorName(aaguid) and an extensible commonAuthenticatorNames map so you can show a provider name (for example "1Password" or "Google Password Manager") when rendering passkeys, with full coverage available through the community AAGUID source. To set a server-side default, registration.afterVerification can now return a name used when the client supplies none. Passkey names are trimmed on registration and update.

• Updated dependencies [1012b69, ad60333, 0933c05, b0ddfd3]:

  • better-auth@​1.6.15
  • @​better-auth/core@​1.6.15

v1.6.14

Compare Source

Patch Changes

• Updated dependencies [2d9781a, 5a2d642, 13abc79, 9d3450a]:
  • better-auth@​1.6.14
  • @​better-auth/core@​1.6.14

v1.6.13

Compare Source

Patch Changes

• Updated dependencies [d3919dc, 5f282bd, 43c08a2, 43c08a2, be32012, 87c1a0c, 5c3e248, 9c8ded6, 23d7cbf]:
  • better-auth@​1.6.13
  • @​better-auth/core@​1.6.13

better-auth/better-auth (@​better-auth/sso)

v1.6.15

Compare Source

Patch Changes

• #​9748 bff65fd Thanks @​seebykilian! - When clockSkew is configured in the SSO plugin's SAML options, it was only
  applied to better-auth's internal validation but never passed down to samlify's
  ServiceProvider. As a result, samlify used its default [0, 0] clock drift,
  causing ERR_SUBJECT_UNCONFIRMED errors on valid SAML responses whenever there
  was any clock difference between the SP and the IdP.

  This affects any standard IdP (Auth0, Keycloak, Okta, etc.) even when the SAML
  response is fully valid and the server time is well within the
  NotBefore/NotOnOrAfter window.

  This is now fixed.

• Updated dependencies [1012b69, ad60333, 0933c05, b0ddfd3]:

  • better-auth@​1.6.15
  • @​better-auth/core@​1.6.15

v1.6.14

Compare Source

Patch Changes

• Updated dependencies [2d9781a, 5a2d642, 13abc79, 9d3450a]:
  • better-auth@​1.6.14
  • @​better-auth/core@​1.6.14

v1.6.13

Compare Source

Patch Changes

• #​9818 43c08a2 Thanks @​gustavovalverde! - Fix SAML Single Logout leaving the user signed in. The logout handlers passed the session row id to a delete that matches on the session token, so the session was never removed. The stored SAML session record now carries the session token, and all three logout paths revoke the session by token.

• #​9821 4c3bbc4 Thanks @​gustavovalverde! - Fix a high-severity XML injection in signed SAML assertions (GHSA-34r5-q4jw-r36m) by updating samlify from 2.10.2 to 2.13.1. A crafted AttributeValue could escalate privileges.

  samlify 2.11 replaced node-forge with Node's native crypto, which parses private keys through OpenSSL 3 and rejects PEM blocks that carry leading whitespace. SAML private keys are now normalized before they reach samlify, so a key pasted with indentation (for example from an indented YAML or JSON config) keeps loading.

  IdP-initiated Single Logout now derives its response from the parsed logout request, which fixes response generation under samlify 2.13. When mapping SAML attributes to user fields, a multi-valued attribute is read by its first value.

• Updated dependencies [d3919dc, 5f282bd, 43c08a2, 43c08a2, be32012, 87c1a0c, 5c3e248, 9c8ded6, 23d7cbf]:

  • better-auth@​1.6.13
  • @​better-auth/core@​1.6.13

cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.40.0

Compare Source

Minor Changes

• #​14013 3cf9d0e Thanks @​jamesopstad! - Add experimental experimental.newConfig option to load the entry Worker's configuration from cloudflare.config.ts

  This is an experimental, opt-in feature. When enabled, the plugin loads the entry Worker's configuration from a cloudflare.config.ts file instead of the usual wrangler.json / wrangler.jsonc / wrangler.toml.

  Pass true to enable with defaults, or an object to customise behaviour. Currently the only sub-option is types.generate (defaults to true), which writes a worker-configuration.d.ts file next to the config. This enables typed env and exports for your Worker and currently assumes that you have @cloudflare/workers-types installed.

  // vite.config.ts
  import { defineConfig } from "vite";
  import { cloudflare } from "@​cloudflare/vite-plugin";
  
  export default defineConfig({
    plugins: [
      cloudflare({
        experimental: {
          newConfig: true,
        },
      }),
    ],
  });

  // cloudflare.config.ts
  import {
  	defineWorker,
  	bindings,
  } from "@​cloudflare/vite-plugin/experimental-config";
  import * as entrypoint from "./src/index.ts" with { type: "cf-worker" };
  
  export default defineWorker((ctx) => ({
  	name: "my-worker",
  	entrypoint,
  	compatibilityDate: "2026-05-18",
  	env: {
  		MY_TEXT: bindings.text(`The mode is ${ctx.mode}`),
  		MY_KV: bindings.kv(),
  	},
  }));

  A few limitations apply while the feature is experimental:

  • configPath cannot be combined with experimental.newConfig. The entry Worker is always loaded from cloudflare.config.ts at the project root.
  • auxiliaryWorkers are not yet supported with experimental.newConfig.

  Because this is experimental, the option, the cloudflare.config.ts schema, and the @cloudflare/vite-plugin/experimental-config exports may change in any release.

Patch Changes

• Updated dependencies [c6c61b5, c6c61b5, a3eea27, 7a6b1a4, 7539a9b, 1fdd8de, 3b8b80a, 0bb2d55, 8400fb9, b502d54, 7949f81, d462013, c2280cd, 3b8b80a, ea12b58, acf7817]:
  • wrangler@​4.98.0
  • miniflare@​4.20260603.0

v1.39.2

Compare Source

Patch Changes

• #​13893 d8a16e7 Thanks @​penalosa! - Add an experimental, internal cf-vite delegate binary

  This adds an experimental bin/cf-vite binary that is spawned by Cloudflare's own parent tooling to drive the plugin as a long-running dev-server subprocess. It is not part of the plugin's public API surface, is not intended to be invoked directly, and its contract may change at any time without notice.

• #​14117 3c86121 Thanks @​aicayzer! - Forward response headers from the Worker on WebSocket upgrade responses

  Headers set on a new Response(null, { status: 101, webSocket, headers }) returned from the Worker are now propagated to the upgrade response sent to the browser during vite dev. Previously the headers were dropped, so cookies (Set-Cookie) and custom headers (X-*) on WebSocket handshake responses were invisible client-side — even though they were delivered correctly by wrangler dev.

• Updated dependencies [b210c5e, aec1bb8, e06cbb7, 9a26191, 5565823, 4ef790b, 890fca7, 6fc9777, 337e912, 8e7b74f, e86489a, 42288d4, 65b5f9e, 3a746ac, 64ef9fd, 94b29f7]:

  • wrangler@​4.97.0
  • miniflare@​4.20260601.0

v1.39.1

Compare Source

Patch Changes

• #​14087 e3c862a Thanks @​edmundhung! - Filter compatibility date fallback warning when no update is available

  The compatibility date warning from workerd (e.g., "The latest compatibility date supported by the installed Cloudflare Workers Runtime is...") is now only shown when a newer version of @cloudflare/vite-plugin is available. This matches the behavior in Wrangler and reduces noise when the user is already on the latest version.

  The update-check logic has been extracted to @cloudflare/workers-utils so it can be shared across packages.

• #​14080 ec70cf1 Thanks @​edmundhung! - Fix Tunnel closed being logged when no tunnel was opened

  Previously, the Vite plugin printed Tunnel closed during cleanup even when tunnel startup had never begun. This message is now only shown after tunnel startup begins, including when the tunnel is still starting or has already expired.

• Updated dependencies [e3c862a, cbb39bd, cbb39bd, 408432a, 1103c07, 7bb5c7a, 5b5cbd3, e3c862a, e3c862a, 97d7d81, c647ccc, e3c862a, e3c862a, e3c862a, e3c862a, e3c862a, b64b7e4, e3c862a, e3c862a, e4c8fd9, 2dffeeb, e3c862a, e3c862a, 4c0da7b, 972d13d, 13cbadb, 59e43e4]:

  • miniflare@​4.20260529.0
  • wrangler@​4.96.0

hey-api/openapi-ts (@​hey-api/openapi-ts)

v0.98.2

Compare Source

@​hey-api/openapi-ts 0.98.2

Plugins

@​hey-api/client-angular

• reassign the result of HttpHeaders.delete() back to opts.headers (#​3988)
• export augmentable ClientMeta interface (#​3996)

@​hey-api/client-axios

• export augmentable ClientMeta interface (#​3996)

@​hey-api/client-fetch

• export augmentable ClientMeta interface (#​3996)

@​hey-api/client-ky

• export augmentable ClientMeta interface (#​3996)

@​hey-api/client-next

• export augmentable ClientMeta interface (#​3996)

@​hey-api/client-nuxt

• export augmentable ClientMeta interface (#​3996)

@​hey-api/client-ofetch

• export augmentable ClientMeta interface (#​3996)

@​hey-api/sdk

• don't expose SSE errors as iterator return types (#​3989)
• support type-safe meta option via augmentable ClientMeta interface (#​3996)

---

@​hey-api/codegen-core 0.9.0

Updates

• symbol: add event listeners (#​3998)
• types: rename ProjectRenderMeta to ProjectMeta and key it by language (#​3984)
• utils: expose Version class (#​3991)

---

@​hey-api/shared 0.4.8

Updates

• types: update project meta types (#​3984)
• utils: expose SymbolFactory (#​3991)

---

v0.98.1

Compare Source

@​hey-api/openapi-ts 0.98.1

Updates

• cli: simplify generate command messages (#​3982)

Plugins

valibot

• revert referencing TypeScript enums (#​3982)

zod

• revert referencing TypeScript enums (#​3982)

---

@​hey-api/openapi-ts 0.98.0

⚠️ Breaking

This release has 1 breaking change. Please review the release notes carefully before upgrading.

Updates

• ⚠️ Breaking: config: declarative configuration (#​3950)

This is an internal change that simplifies the configuration and plugin APIs. The generated output should be unaffected, please open an issue if that's not the case. If you have custom plugins, refer to the custom plugin guide for the latest instructions.

• dsl: track extended class symbols (#​3945)
• parser: preserve sort order when filtering input (#​3953)

Plugins

@​hey-api/client-angular

• add explicit return types (#​3880)
• use Object.create() to avoid prototype chain substitution. Reported by @​programsurf, @​daeungdaeung, @​yoonsh, and @​lubroai (GHSA-hhx9-57xq-r5rw) (#​3973)
• improve params helper type (#​3946)

@​hey-api/client-axios

• add explicit return types (#​3880)
• use Object.create() to avoid prototype chain substitution. Reported by @​programsurf, @​daeungdaeung, @​yoonsh, and @​lubroai (GHSA-hhx9-57xq-r5rw) (#​3973)
• improve params helper type (#​3946)

@​hey-api/client-fetch

• add explicit return types (#​3880)
• use Object.create() to avoid prototype chain substitution. Reported by @​programsurf, @​daeungdaeung, @​yoonsh, and @​lubroai (GHSA-hhx9-57xq-r5rw) (#​3973)
• improve params helper type (#​3946)

@​hey-api/client-ky

• add explicit return types (#​3880)
• use Object.create() to avoid prototype chain substitution. Reported by @​programsurf, @​daeungdaeung, @​yoonsh, and @​lubroai (GHSA-hhx9-57xq-r5rw) (#​3973)
• improve params helper type (#​3946)

@​hey-api/client-next

• add explicit return types (#​3880)
• improve params helper type (#​3946)
• use Object.create() to avoid prototype chain substitution. Reported by @​programsurf, @​daeungdaeung, @​yoonsh, and @​lubroai (GHSA-hhx9-57xq-r5rw) (#​3973)

@​hey-api/client-nuxt

• add explicit return types (#​3880)
• use Object.create() to avoid prototype chain substitution. Reported by @​programsurf, @​daeungdaeung, @​yoonsh, and @​lubroai (GHSA-hhx9-57xq-r5rw) (#​3973)
• improve params helper type (#​3946)

@​hey-api/client-ofetch

• add explicit return types (#​3880)
• use Object.create() to avoid prototype chain substitution. Reported by @​programsurf, @​daeungdaeung, @​yoonsh, and @​lubroai (GHSA-hhx9-57xq-r5rw) (#​3973)
• improve params helper type (#​3946)

@​hey-api/sdk

• add explicit return types (#​3880)
• expose key on security schemes when their signatures collide (#​3935)

orpc

• handle no-content success responses (#​3948)

valibot

• improve boolean enum handling (#​3974)

---

@​hey-api/codegen-core 0.8.4

Updates

• node: add ~dsl property (#​3982)

---

@​hey-api/codegen-core 0.8.3

Updates

• symbol: add children and override property (#​3945)
• symbols: export pythonNameConflictResolver, SymbolChild, SymbolKind, and SymbolRegistry (#​3945)

---

@​hey-api/json-schema-ref-parser 1.4.3

Updates

• bundle: name whole-file $refs after the source filename (#​3936)

---

@​hey-api/shared 0.4.7

Updates

• plugin: add generics support to querySymbol() and querySymbols() (#​3982)

---

@​hey-api/shared 0.4.6

Updates

• plugin: add symbols property (#​3942)
• parser: expose key on security schemes when their signatures collide (#​3935)
• parser: preserve sort order when filtering input (#​3953)
• config: valueToObject is recursive (#​3927)
• plugin: do not stamp external symbols (#​3942)
• plugin: export coerce, defineConfig, Coercer, CoercerMap, ConfigTable, PluginSymbols, PluginTag, TableDirectives, and WithCoercers (#​3927)

---

v0.98.0

Compare Source

@​hey-api/openapi-ts 0.98.1

Updates

• cli: simplify generate command messages (#​3982)

Plugins

valibot

• revert referencing TypeScript enums (#​3982)

zod

• revert referencing TypeScript enums (#​3982)

---

@​hey-api/openapi-ts 0.98.0

⚠️ Breaking

This release has 1 breaking change. Please review the release notes carefully before upgrading.

Updates

• ⚠️ Breaking: config: declarative configuration (#​3950)

This is an internal change that simplifies the configuration and plugin APIs. The generated output should be unaffected, please open an issue if that's not the case. If you have custom plugins, refer to the custom plugin guide for the latest instructions.

• dsl: track extended class symbols (#​3945)
• parser: preserve sort order when filtering input (#​3953)

Plugins

@​hey-api/client-angular

• add explicit return types (#​3880)
• use Object.create() to avoid prototype chain substitution. Report

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	happy-dom@​20.9.0 ⏵ 20.10.2			+1
	@​radix-ui/​react-label@​2.1.8 ⏵ 2.1.9	+1
	@​radix-ui/​react-separator@​1.1.8 ⏵ 1.1.9	+1
	@​radix-ui/​react-progress@​1.1.8 ⏵ 1.1.9	+1			+1
	@​radix-ui/​react-slot@​1.2.4 ⏵ 1.2.5	+1		+1
	@​radix-ui/​react-tabs@​1.1.13 ⏵ 1.1.14	+1
	@​tanstack/​react-query-devtools@​5.100.14 ⏵ 5.101.0
	@​radix-ui/​react-switch@​1.2.6 ⏵ 1.3.0	+1		+2
	@​radix-ui/​react-hover-card@​1.1.15 ⏵ 1.1.16	+1
	@​radix-ui/​react-checkbox@​1.3.3 ⏵ 1.3.4	+1
	@​radix-ui/​react-dropdown-menu@​2.1.16 ⏵ 2.1.17	+1
	@​radix-ui/​react-alert-dialog@​1.1.15 ⏵ 1.1.16	+1		+1
	@​radix-ui/​react-dialog@​1.1.15 ⏵ 1.1.16	+1
	@​radix-ui/​react-tooltip@​1.2.8 ⏵ 1.2.9	+1		+1
	fumadocs-mdx@​15.0.10 ⏵ 15.0.11	+1		+1	+1
	@​types/​mdx@​2.0.14
	@​radix-ui/​react-scroll-area@​1.2.10 ⏵ 1.2.11	+1		+1
	@​radix-ui/​react-select@​2.2.6 ⏵ 2.3.0			+1
	@​tanstack/​react-router@​1.170.10 ⏵ 1.170.15	-1
	@​scalar/​hono-api-reference@​0.10.19 ⏵ 0.11.0
	@​better-auth/​sso@​1.6.12 ⏵ 1.6.15	+1		+1	+1
	@​tanstack/​router-plugin@​1.168.13 ⏵ 1.168.18	+1		+1
	@​types/​react@​19.2.15 ⏵ 19.2.17
	@​types/​node@​25.9.1 ⏵ 25.9.2			+1
	effect@​3.21.2 ⏵ 3.21.3				+1
	@​tanstack/​react-start@​1.168.18 ⏵ 1.168.25
	better-auth@​1.6.12 ⏵ 1.6.15	+1		+1
	@​cloudflare/​vite-plugin@​1.39.0 ⏵ 1.40.0			+1
	@​better-auth/​passkey@​1.6.12 ⏵ 1.6.15	+1		+1	+1
	@​tanstack/​react-query@​5.100.14 ⏵ 5.101.0
	semver@​7.7.4 ⏵ 7.8.3	+1		+1
	@​inquirer/​prompts@​8.5.1 ⏵ 8.5.2
See 3 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm effect is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: apps/agent/package.json → npm/effect@3.21.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/effect@3.21.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm happy-dom is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/happy-dom@20.10.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/happy-dom@20.10.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report