chore(deps): bump the minor-and-patch group across 1 directory with 9 updates

[dependabot]

Bumps the minor-and-patch group with 9 updates in the / directory:

Package	From	To
@supabase/supabase-js	2.103.3	2.104.0
knip	6.4.1	6.5.0
vite	8.0.8	8.0.9
wrangler	4.83.0	4.84.0
@anthropic-ai/sdk	0.82.0	0.90.0
@forgespace/siza-gen	0.14.1	0.15.0
fumadocs-core	16.8.0	16.8.1
fumadocs-ui	16.8.0	16.8.1
@opennextjs/cloudflare	1.19.1	1.19.2

Updates @supabase/supabase-js from 2.103.3 to 2.104.0

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.104.0

2.104.0 (2026-04-20)

🚀 Features

• storage: extract shared header normalization utility (#2251)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.104.0-canary.2

2.104.0-canary.2 (2026-04-17)

This was a version bump only, there were no code changes.

v2.104.0-canary.1

2.104.0-canary.1 (2026-04-17)

🚀 Features

• postgrest: add stripNulls method for null value stripping (#2189)
• storage: add cacheNonce parameter for download (#2234)
• storage: extract shared header normalization utility (#2251)
• supabase: export PostgrestFilterBuilder and StorageApiError from supabase-js (#2222)

🩹 Fixes

• auth: downgrade console.error to console.warn for missing session (#2214)
• auth: add toJSON to AuthError for correct JSON serialization (#2238)
• auth: include Cloudflare error codes in NETWORK_ERROR_CODES (#2239)
• auth: remove Prettify wrapper from exported types for TypeDoc expansion (#2250)
• functions: add toJSON to FunctionsError for correct JSON serialization (#2226)
• misc: add explicit return types to toJSON methods for JSR compat (#2252)
• postgrest: fix scalar computed column type inference for isNotNullable and SETOF scalar (#2224)
• postgrest: handle bigint rpc (#2245)
• realtime: throw Error objects instead of bare strings (#2256)
• storage: set correct content-type for uploads (#2211)
• storage: avoid duplicate content-type headers in vector requests (#2220)
• storage: add toJSON to StorageError for correct JSON serialization (#2246)
• storage: apply empty transform check to download and getPublicUrl (#2219)
• storage: remove client-side signed URL render endpoint normalization (#2249)
• storage: correct signedUrl type to allow null in createSignedUrls (#2254)

❤️ Thank You

• Katerina Skroumpelou @​mandarini
• oniani1
• Seydi Charyyev @​TheSeydiCharyyev
• Vaibhav @​7ttp

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.104.0 (2026-04-20)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

Commits

• 897fb8e docs(repo): show createClient as primary example in all client constructors (...
• 7a9b2e1 chore(release): version 2.103.3 changelogs (#2258)
• See full diff in compare view

Updates knip from 6.4.1 to 6.5.0

Release notes

Sourced from knip's releases.

Release 6.5.0

• Drop project-extension-redundant config hint (resolve #1683) (f86092949d6dbd041fd621876da674fd3eac7534)
• Add instructions to .agents/PLUGINS.md (e2943ed8fb6d2c0ab4cf12ff04d10bd5ab9fd5f7)
• Add a plugin for react-email (#1684) (d8ae4d3ccb810b9a9211fd43e9d1e7d7b704fcaf) - thanks @​xaqrox!
• Replace fast-glob with tinyglobby (#1462) (9f6b4c8aa6857fea40e66d008c905c948af10939) - thanks @​gameroman!
• Added plugin for Serverless framework (#1478) (f885f1ded52427d984c67e7172e3141eb4e5ee29) - thanks @​BenCrinion-IW!
• Add args to Prettier plugin to resolve --config CLI flag (#1685) (f4658c84e714afd8a2233b72be6169da1ac3723e) - thanks @​xaqrox!
• fix(util): tolerate JSONC and array extends in findRootDirsBase (#1681) (f7e5464a6f70e9024a341fdb923766b5ff53a831) - thanks @​Hoffs!
• Format (15bd7e7a56b470096cfee1690263d5d13ddb8fb6)
• Inherit outDir/rootDir from tsconfig project references (resolve #1680) (b89b4f716f4c117b0106e9a212e9e5c46aa85035)
• tsc → tsgo (a6e09ca1b65936b3790a6c3628a4646f030d18b8)
• Update dependencies (4cb05c96a2ae7c790d29ee76ff13288c5bbb97a2)
• Housekeep (28c56cb8bf68031b1c8e9bee75b18ee7274ec981)
• Test test test (7eb4ab3a8a6635dcaf756bb2b4a88e1298615994)
• Add pino plugin with transportCall visitor (resolve #1480) (53a033e4ddc5036c6a4a0e55c0abc42c5c64e4f5)
• Add signal to projects using knip (dbedd665c1f8d735030600d3f68ef1825d9a2668)
• Tune logos (3148f4d0485875370634b9b53c1b3aa7f6eafcc3)
• Tweak knip-run tool response (42940381a947c46996ae4055e8789f6ea39cfca4)
• Add workspace option to knip-run tool (64c4aaea89e3abb41d8695ebffc5538878520b21)
• Remove old lingering experimentalTags (e503d108e5535800ac6467f4d92c7dd6a9e90037)
• Fix compiler type (resolve #1689) (e7a69adb5e584eb6e5af9b4007820afcbcf27a08)

Commits

• 5b5cda5 Release knip@6.5.0
• e7a69ad Fix compiler type (resolve #1689)
• e503d10 Remove old lingering experimentalTags
• 53a033e Add pino plugin with transportCall visitor (resolve #1480)
• 7eb4ab3 Test test test
• 28c56cb Housekeep
• 4cb05c9 Update dependencies
• a6e09ca tsc → tsgo
• b89b4f7 Inherit outDir/rootDir from tsconfig project references (resolve #1680)
• 15bd7e7 Format
• Additional commits viewable in compare view

Updates vite from 8.0.8 to 8.0.9

Release notes

Sourced from vite's releases.

v8.0.9

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.9 (2026-04-20)

Features

• update rolldown to 1.0.0-rc.16 (#22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
• deps: update all non-major dependencies (#22219) (4cd0d67)
• deps: update all non-major dependencies (#22268) (c28e9c1)
• detect Deno workspace root (fix #22237) (#22238) (1b793c0)
• dev: handle errors in watchChange hook (#22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#22231) (44c42b9)
• fix reuses wording in dev environment comment (#22173) (9163412)
• fix wording in sass error comment (#22214) (bc5c6a7)
• update build CLI defaults (#22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#22271) (0a3887d)

Commits

• ce729f5 release: v8.0.9
• 605bb97 docs: update build CLI defaults (#22261)
• c28e9c1 fix(deps): update all non-major dependencies (#22268)
• 0a3887d chore(deps): update dependency dotenv-expand to v13 (#22271)
• 868f141 fix(bundled-dev): reject requests to HMR patch files in non potentially trust...
• 3ec9cda fix: skip fallback sourcemap generation for ?raw imports (#22148)
• 3f24533 fix(optimizer): handle more chars that will be sanitized (#22208)
• 1b793c0 fix: detect Deno workspace root (fix #22237) (#22238)
• fc08bda fix(dev): handle errors in watchChange hook (#22188)
• 374bb5d fix(css): use unique key for cssEntriesMap to prevent same-basename collision...
• Additional commits viewable in compare view

Updates wrangler from 4.83.0 to 4.84.0

Release notes

Sourced from wrangler's releases.

wrangler@4.84.0

Minor Changes

• #13326 4a9ba90 Thanks @​mattzcarey! - Add Artifacts binding support to wrangler

  You can now configure Artifacts bindings in your wrangler configuration:

  // wrangler.jsonc
  {
    "artifacts": [{ "binding": "MY_ARTIFACTS", "namespace": "default" }]
  }

  Type generation produces the correct Artifacts type reference from the workerd type definitions:

  interface Env {
    MY_ARTIFACTS: Artifacts;
  }

• #13567 d8c895a Thanks @​gpanders! - Rename the documented containers SSH config option to ssh

  Wrangler now accepts and documents containers.ssh in config files while continuing to accept containers.wrangler_ssh as an undocumented backwards-compatible alias. Wrangler still sends and reads wrangler_ssh when talking to the containers API.

• #13571 7dc0433 Thanks @​must108! - Add regional and jurisdictional placement constraints for Containers. Users can now set constraints.regions and constraints.jurisdiction in wrangler config to control where containers run.

• #12600 50bf819 Thanks @​penalosa! - Use workerd's debug port to power cross-process service bindings, Durable Objects, and tail workers via the dev registry. This enables Durable Object RPC via the dev registry, and is an overall stability improvement.

Patch Changes

• #13160 05f4443 Thanks @​JoaquinGimenez1! - Log a helpful error message when AI binding requests fail with a 403 authentication error

  Previously, when the AI proxy token expired during a long session, users received an unhelpful 403 error. Now, wrangler detects error code 1031 and suggests running wrangler login to refresh the token.

• #13557 8ca78bb Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260415.1	1.20260416.2

• #13579 b6e1351 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To

... (truncated)

Commits

• fe874ac Version Packages (#13511)
• d8314c6 [ci] Cap parallel test concurrency and fix fragile test timeouts (#13604)
• 5716d69 Update am-i-vibing to v 0.1.1 (#13473)
• 05f4443 Return more sensible user error (#13160)
• 7dc0433 Add regional and jurisdictional placement constraints (#13571)
• 4a9ba90 [wrangler] add artifacts binding support (#13326)
• b35617b [miniflare] Close all open handles on dispose to prevent process hangs (#13515)
• cc1413a [wrangler] fix: pass force query parameter to API in pages deployment delete ...
• b6e1351 chore(deps): bump the workerd-and-workers-types group with 2 updates (#13579)
• 6d887db Add D1 export prompt message for unavailability (#13575)
• Additional commits viewable in compare view

Updates @anthropic-ai/sdk from 0.82.0 to 0.90.0

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.90.0

0.90.0 (2026-04-16)

Full Changelog: sdk-v0.89.0...sdk-v0.90.0

Features

• api: add claude-opus-4-7, token budgets and user_profiles (b26134b)

Chores

• actually delete release-doctor.yml (0fe984d)
• ci: remove release-doctor workflow (08e58bd)

sdk: v0.89.0

0.89.0 (2026-04-14)

Full Changelog: sdk-v0.88.0...sdk-v0.89.0

Features

• api: manual updates (57c2a11)
• api: mark Sonnet and Opus 4 as deprecated (eff41b7)

Bug Fixes

• streaming: add missing events (4c52919)

sdk: v0.88.0

0.88.0 (2026-04-10)

Full Changelog: sdk-v0.87.0...sdk-v0.88.0

Features

• vertex eu region (#882) (1933857)

Documentation

• improve examples (de4f483)
• update examples (454e1c5)

sdk: v0.87.0

0.87.0 (2026-04-09)

Full Changelog: sdk-v0.86.1...sdk-v0.87.0

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.90.0 (2026-04-16)

Full Changelog: sdk-v0.89.0...sdk-v0.90.0

Features

• api: add claude-opus-4-7, token budgets and user_profiles (b26134b)

Chores

• actually delete release-doctor.yml (0fe984d)
• ci: remove release-doctor workflow (08e58bd)

0.89.0 (2026-04-14)

Full Changelog: sdk-v0.88.0...sdk-v0.89.0

Features

• api: manual updates (57c2a11)
• api: mark Sonnet and Opus 4 as deprecated (eff41b7)

Bug Fixes

• streaming: add missing events (4c52919)

0.88.0 (2026-04-10)

Full Changelog: sdk-v0.87.0...sdk-v0.88.0

Features

• vertex eu region (#882) (1933857)

Documentation

• improve examples (de4f483)
• update examples (454e1c5)

0.87.0 (2026-04-09)

Full Changelog: sdk-v0.86.1...sdk-v0.87.0

Features

• api: Add beta advisor tool (1e99a8d)

... (truncated)

Commits

• 93ac7c7 chore: release main (#1003)
• 39549e9 chore: release main (#993)
• 089fe05 chore: release main (#987)
• 73f128f chore: release main (#985)
• fd6cf54 chore: release main (#983)
• 79d1d73 chore: release main (#982)
• 4ade5b1 chore: release main (#979)
• 4368602 chore: release main (#978)
• 4105fd6 chore: release main (#973)
• 0b536ae chore: release main (#970)
• See full diff in compare view

Updates @forgespace/siza-gen from 0.14.1 to 0.15.0

Release notes

Sourced from @​forgespace/siza-gen's releases.

v0.15.0

Changes

Added

• TurboQuant KV cache compression
• Token budget enforcer
• @​huggingface/transformers 4.0.1 upgrade

Changed

• TypeScript 6 peer dep overrides (madge, @​typescript-eslint)
• Dependency security updates
• Org-level issue template alignment

Changelog

Sourced from @​forgespace/siza-gen's changelog.

[0.15.0] - 2026-04-06

Added

• TurboQuant KV cache compression — python/siza_ml/turbo_cache.py hooks BertSelfAttention layers via register_forward_hook, compressing K/V with PolarQuant + QJL (turbo3 = 4.6x compression, ~1% PPL). On by default for all /embed/batch calls via SIZA_ML_TURBO_BITS=3.
• Token budget enforcer — src/llm/token-budget.ts replaces text.length / 4 with a BPE-aware estimator (~3-5% error vs tiktoken). Exports estimateTokens, truncateToTokenBudget, checkTokenBudget, TokenBudgetTracker.

Changed

• @huggingface/transformers upgraded to 4.0.1 — HF Transformers.js v4 with improved performance and updated model loading.
• TypeScript peer dependency overrides added for tooling compatibility across ESLint plugins, madge, and TypeScript-ESLint.
• Dependency updates across devDependencies for Jest, TypeScript, and linting tools.

Commits

• 2e58695 chore(release): v0.15.0 — TurboQuant KV cache, HF Transformers 4, TS6 overrid...
• 05fbe1f fix: add typescript-eslint overrides for TS 6 compatibility (#72)
• 0d7a060 fix: add madge typescript override for TS 6 compatibility (#71)
• 425a8d6 chore(deps): bump @​huggingface/transformers from 3.8.1 to 4.0.1 (#69)
• c734d7b chore(deps): bump trufflesecurity/trufflehog from 3.94.1 to 3.94.2 (#66)
• e56879a chore(deps-dev): bump the minor-and-patch group with 3 updates (#67)
• 9802c28 chore(deps-dev): bump knip from 5.87.0 to 6.3.0 (#70)
• 1680293 fix(deps): remediate 3 moderate npm audit vulnerabilities (#65)
• See full diff in compare view

Updates fumadocs-core from 16.8.0 to 16.8.1

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.8.1

No release notes provided.

Commits

• See full diff in compare view

Updates fumadocs-ui from 16.8.0 to 16.8.1

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.8.1

Patch Changes

• 3ae8809: Improve TOC sizing
  • fumadocs-core@16.8.1

Commits

• See full diff in compare view

Updates @opennextjs/cloudflare from 1.19.1 to 1.19.2

Release notes

Sourced from @​opennextjs/cloudflare's releases.

@​opennextjs/cloudflare@​1.19.2

Patch Changes

• #1207 0958726 Thanks @​edmundhung! - bump @opennextjs/aws to 3.10.2

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.10.2

• #1139 79b01b8 Thanks @​james-elicx! - Fix Turbopack external module resolution by dynamically discovering external imports at build time.

  When packages are listed in serverExternalPackages, Turbopack externalizes them via externalImport() which uses dynamic await import(id). The bundler (ESBuild) can't statically analyze import(id) with a variable, so these modules aren't included in the worker bundle.

  This patch:

  • Discovers hashed Turbopack external module mappings from .next/node_modules/ symlinks (e.g. shiki-43d062b67f27bbdc → shiki)
  • Scans traced chunk files for bare external imports (e.g. externalImport("shiki")) and subpath imports (e.g. shiki/engine/javascript)
  • Generates explicit switch/case entries so the bundler can statically resolve and include these modules

• #1203 6f02d12 Thanks @​314systems! - fix: exclude unsupported Next.js 16 releases from peer dependencies.

  The previous range allowed Next.js 16.0.0 through 16.2.2 without a peer dependency warning because >=16.2.3 was already covered by >=15.5.15.

  The range now explicitly supports Next.js 15.5.15 and above in the 15.x line, and Next.js 16.2.3 and above in the 16.x line.

• #1200 7820ad0 Thanks @​NathanDrake2406! - fix: reuse sharded tag data when filling the regional cache.

  The sharded tag cache miss path already reads tag data from the Durable Object before answering the request. Reuse that fetched data when populating the regional cache so a shard miss does not immediately trigger a second identical Durable Object read.

• #1206 585795d Thanks @​314systems! - fix: regression where getEnvFromPlatformProxy received wrong options type

  This fixes a regression introduced in 32ba91a where getEnvFromPlatformProxy call sites passed OpenNextConfig even though the function expects Wrangler GetPlatformProxyOptions.

  The fix restores the pre-32ba91a argument shape by passing { configPath, environment } from CLI arguments, so env resolution follows the selected Wrangler config/environment.

Changelog

Sourced from @​opennextjs/cloudflare's changelog.

1.19.2

Patch Changes

• #1207 0958726 Thanks @​edmundhung! - bump @opennextjs/aws to 3.10.2

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.10.2

• #1139 79b01b8 Thanks @​james-elicx! - Fix Turbopack external module resolution by dynamically discovering external imports at build time.

  When packages are listed in serverExternalPackages, Turbopack externalizes them via externalImport() which uses dynamic await import(id). The bundler (ESBuild) can't statically analyze import(id) with a variable, so these modules aren't included in the worker bundle.

  This patch:

  • Discovers hashed Turbopack external module mappings from .next/node_modules/ symlinks (e.g. shiki-43d062b67f27bbdc → shiki)
  • Scans traced chunk files for bare external imports (e.g. externalImport("shiki")) and subpath imports (e.g. shiki/engine/javascript)
  • Generates explicit switch/case entries so the bundler can statically resolve and include these modules

• #1203 6f02d12 Thanks @​314systems! - fix: exclude unsupported Next.js 16 releases from peer dependencies.

  The previous range allowed Next.js 16.0.0 through 16.2.2 without a peer dependency warning because >=16.2.3 was already covered by >=15.5.15.

  The range now explicitly supports Next.js 15.5.15 and above in the 15.x line, and Next.js 16.2.3 and above in the 16.x line.

• #1200 7820ad0 Thanks @​NathanDrake2406! - fix: reuse sharded tag data when filling the regional cache.

  The sharded tag cache miss path already reads tag data from the Durable Object before answering the request. Reuse that fetched data when populating the regional cache so a shard miss does not immediately trigger a second identical Durable Object read.

• #1206 585795d Thanks @​314systems! - fix: regression where getEnvFromPlatformProxy received wrong options type

  This fixes a regression introduced in 32ba91a where getEnvFromPlatformProxy call sites passed OpenNextConfig even though the function expects Wrangler GetPlatformProxyOptions.

  The fix restores the pre-32ba91a argument shape by passing { configPath, environment } from CLI arguments, so env resolution follows the selected Wrangler config/environment.

Commits

• 264d0a0 Version Packages (#1201)
• 0958726 chore: bump @​opennextjs/aws version (#1207)
• 7820ad0 Reuse sharded tag data on regional cache fill (#1200)
• 585795d fix: regression where getEnvFromPlatformProxy received wrong options type (#1...
• 6f02d12 fix: narrow peerDependencies next range to exclude 16.0.0–16.2.2 (#1203)
• 79b01b8 fix: dynamically resolve Turbopack external module mappings (#1139)
• 696f1c8 chore: Upgrade vitest from v2 to v4 (#1192)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
siza-web	Ready	Preview, Comment	Apr 20, 2026 3:52pm

[github-actions]

Project Scorecard

Scorecard: 84/100 (B)
────────────────────────────────────────
  security: 100/100 (A)
  quality: 80/100 (B) — 1 violations
  performance: 67/100 (D) — 1 violations
  compliance: 75/100 (C) — 1 violations
  dependency: 100/100 (A)

Recommendations:
  - Increase test coverage to meet the 80% threshold
  - Extend log retention to at least 90 days for compliance

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.