chore(deps): bump the patches group across 1 directory with 24 updates

[dependabot]

Bumps the patches group with 24 updates in the / directory:

Package	From	To
@ai-sdk/mcp	1.0.35	1.0.43
@ai-sdk/openai-compatible	2.0.41	2.0.47
@ai-sdk/react	3.0.155	3.0.192
@headlessui/react	2.2.0	2.2.10
@opentelemetry/api	1.9.0	1.9.1
@radix-ui/react-accordion	1.2.3	1.2.12
@radix-ui/react-avatar	1.1.3	1.1.11
@radix-ui/react-collapsible	1.1.11	1.1.12
@radix-ui/react-dialog	1.1.6	1.1.15
@radix-ui/react-dropdown-menu	2.1.6	2.1.16
@radix-ui/react-hover-card	1.1.6	1.1.15
@radix-ui/react-label	2.1.2	2.1.8
@radix-ui/react-scroll-area	1.2.9	1.2.10
@radix-ui/react-select	2.2.5	2.2.6
@radix-ui/react-separator	1.1.2	1.1.8
@radix-ui/react-tabs	1.1.3	1.1.13
@react-three/fiber	9.6.0	9.6.1
ai	6.0.153	6.0.190
jsonwebtoken	9.0.2	9.0.3
langfuse	3.38.4	3.38.20
livekit-server-sdk	2.15.0	2.15.3
nanoid	5.1.5	5.1.11
openai-edge	1.2.2	1.2.3
use-stick-to-bottom	1.1.1	1.1.4

Updates @ai-sdk/mcp from 1.0.35 to 1.0.43

Changelog

Sourced from @​ai-sdk/mcp's changelog.

1.0.43

Patch Changes

• e2b923f: fix(mcp): deduplicate auth refresh on http transport

1.0.42

Patch Changes

• 725f2ed: feat(mcp): expose server instructions to be accessible through client
• 7281592: fix(mcp): use negotiated protocol version in transport request headers

1.0.41

Patch Changes

• f591416: feat(ai): add toolMetadata for tool specific metdata
• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27

1.0.40

Patch Changes

• 221a984: Add resource_link content type to CallToolResultSchema and PromptMessageSchema per MCP spec. Fixes hard rejection when MCP servers return resource_link content parts with zod ≥ 4.4.x.
• 0084974: feat(mcp): deprecate name and use clientName for MCPClient

1.0.39

Patch Changes

• 7beadf0: feat(mcp): propagate the server name through dynamic tool parts
• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26

1.0.38

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• 5fee301: fix(mcp): prevent prototype pollution by using secureJsonParse
• Updated dependencies [a727da4]
  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10

1.0.37

Patch Changes

... (truncated)

Commits

• 0075589 Version Packages (#15529)
• e2b923f Backport: fix(mcp): deduplicate auth refresh on http transport (#15528)
• 5e287d0 Backport: chore: add readme for @​ai-sdk/mcp (#15450)
• 8ccd431 Version Packages (#15168)
• 725f2ed Backport: feat(mcp): expose server instructions to be accessible through clie...
• 7281592 Backport: fix(mcp): use negotiated protocol version in transport request head...
• e3ccdb5 Version Packages (#15094)
• f591416 Backport: feat(ai): add toolMetadata for tool specific metdata (#15053)
• 74a7a20 Version Packages (#15012)
• 0084974 Backport: feat(mcp): deprecate name and use clientName for MCPClient (#15003)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/mcp since your current version.

Updates @ai-sdk/openai-compatible from 2.0.41 to 2.0.47

Changelog

Sourced from @​ai-sdk/openai-compatible's changelog.

2.0.47

Patch Changes

• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27

2.0.46

Patch Changes

• 38966ab: fix(openai, openai-compatible): only send null content for assistant messages with tool calls

2.0.45

Patch Changes

• 6043d24: feat(vertex): add grok models to vertex provider

2.0.44

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26

2.0.43

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [a727da4]
  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10

2.0.42

Patch Changes

• a7f3c72: trigger release for all packages after provenance setup
• 408a2ad: patch - send content: null instead of empty string for tool-only assistant messages
• Updated dependencies [a7f3c72]
  • @​ai-sdk/provider@​3.0.9
  • @​ai-sdk/provider-utils@​4.0.24

Commits

• e3ccdb5 Version Packages (#15094)
• a1dddcc Version Packages (#14954)
• 38966ab backport v6: fix(openai, openai-compatible): only send null content for assis...
• 3def720 Version Packages (#14908)
• 6043d24 Backport: feat(vertex): add grok models to vertex provider (#14902)
• 8a46a3c Version Packages (#14875)
• 8e650ab Version Packages (#14824)
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/openai-compatible since your current version.

Updates @ai-sdk/react from 3.0.155 to 3.0.192

Changelog

Sourced from @​ai-sdk/react's changelog.

3.0.192

Patch Changes

• ai@6.0.190

3.0.191

Patch Changes

• Updated dependencies [356c3cf]
  • ai@6.0.189

3.0.190

Patch Changes

• Updated dependencies [c98715a]
  • ai@6.0.188

3.0.189

Patch Changes

• ai@6.0.187

3.0.188

Patch Changes

• ai@6.0.186

3.0.187

Patch Changes

• ai@6.0.185

3.0.186

Patch Changes

• Updated dependencies [40fc5e4]
  • ai@6.0.184

3.0.185

Patch Changes

• ai@6.0.183

... (truncated)

Commits

• 1a3ec6d Version Packages (#15513)
• bde7d0f Version Packages (#15494)
• 93ad540 Version Packages (#15489)
• a15eda9 Version Packages (#15473)
• e33b836 Version Packages (#15440)
• 4a98945 Version Packages (#15406)
• f8d3003 Version Packages (#15356)
• 2e7664b Version Packages (#15315)
• c76ce9c Version Packages (#15257)
• c0e4fef Version Packages (#15251)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/react since your current version.

Updates @headlessui/react from 2.2.0 to 2.2.10

Release notes

Sourced from @​headlessui/react's releases.

@​headlessui/react@​v2.2.10

Fixed

• Don’t render <Portal> while hydrating (#3825)
• Fix passing props on Fragment error due to Symbol(react.lazy) (#3873)

@​headlessui/react@​v2.2.9

Fixed

• Improve focus management in shadow DOM roots (#3794)
• Don't accidentally open the Combobox when touching the ComboboxButton while dragging on mobile (#3795)
• Ensure sibling Dialog components are scrollable on mobile (#3796)
• Infer Combobox type based on onChange handler (#3798)
• Allow home/end key default behavior inside ComboboxInput when Combobox is closed (#3798)
• Ensure interacting with a Dialog on iOS works after interacting with a disallowed area (#3801)
• Freeze Listbox values as soon as a value is selected (#3802)
• Ensure refs are forwarded when freezing data (#3390)
• Do not serialize React components into form fields (49e9e8e)

@​headlessui/react@​v2.2.8

Fixed

• Ensure we are not freezing data when the static prop is used (#3779)
• Ensure onChange types are contravariant instead of bivariant (#3781)
• Support <summary> as a focusable element inside <details> (#3389)
• Fix Maximum update depth exceeded crash when using transition prop (#3782)
• Ensure pressing Tab in the ComboboxInput, correctly syncs the input value (#3785)
• Ensure --button-width and --input-width have the latest value (#3786)
• Fix 'Invalid prop data-headlessui-state supplied to React.Fragment' warning (#3788)
• Ensure element in ref callback is always connected when rendering in a Portal (#3789)
• Ensure form state is up to date when using uncontrolled components (#3790)
• Ensure data-open on ComboboxInput is up to date (#3791)
• Ensure changing the immediate prop value on the Combobox component works as expected (#3792)

@​headlessui/react@​v2.2.7

Fixed

• Fix incorrect double invocation of menu items, listbox options and combobox options (#3766)
• Fix memory leak in SSR environment (#3767)
• Ensure programmatic .click() on MenuButton ref works (#3768)
• Don't activate hovered items while using the keyboard (#3769)

@​headlessui/react@​v2.2.6

Fixed

• Fix immediately closing Listbox by requiring some cursor movement (#3762)

@​headlessui/react@​v2.2.5

Fixed

... (truncated)

Changelog

Sourced from @​headlessui/react's changelog.

[2.2.10] - 2026-04-07

Fixed

• Don’t render <Portal> while hydrating (#3825)
• Fix passing props on Fragment error due to Symbol(react.lazy) (#3873)

[2.2.9] - 2025-09-25

Fixed

• Improve focus management in shadow DOM roots (#3794)
• Don't accidentally open the Combobox when touching the ComboboxButton while dragging on mobile (#3795)
• Ensure sibling Dialog components are scrollable on mobile (#3796)
• Infer Combobox type based on onChange handler (#3798)
• Allow home/end key default behavior inside ComboboxInput when Combobox is closed (#3798)
• Ensure interacting with a Dialog on iOS works after interacting with a disallowed area (#3801)
• Freeze Listbox values as soon as a value is selected (#3802)
• Ensure refs are forwarded when freezing data (#3390)
• Do not serialize React components into form fields (49e9e8e)

[2.2.8] - 2025-09-12

Fixed

• Ensure we are not freezing data when the static prop is used (#3779)
• Ensure onChange types are contravariant instead of bivariant (#3781)
• Support <summary> as a focusable element inside <details> (#3389)
• Fix Maximum update depth exceeded crash when using transition prop (#3782)
• Ensure pressing Tab in the ComboboxInput, correctly syncs the input value (#3785)
• Ensure --button-width and --input-width have the latest value (#3786)
• Fix 'Invalid prop data-headlessui-state supplied to React.Fragment' warning (#3788)
• Ensure element in ref callback is always connected when rendering in a Portal (#3789)
• Ensure form state is up to date when using uncontrolled components (#3790)
• Ensure data-open on ComboboxInput is up to date (#3791)
• Ensure changing the immediate prop value on the Combobox component works as expected (#3792)

[2.2.7] - 2025-07-30

Fixed

• Fix incorrect double invocation of menu items, listbox options and combobox options (#3766)
• Fix memory leak in SSR environment (#3767)
• Ensure programmatic .click() on MenuButton ref works (#3768)
• Don't activate hovered items while using the keyboard (#3769)

[2.2.6] - 2025-07-24

Fixed

... (truncated)

Commits

• d13526d 2.2.10 - @​headlessui/react
• b0dcd8f Handle props on Fragment error due to Symbol(react.lazy) (#3873)
• 7baca70 Don’t render \<Portal>s while hydrating (#3825)
• 5ef7395 Add RefProp to props (#3823)
• 589ea90 2.2.9 - @​headlessui/react
• bba75c7 update changelog
• ca536ed update changelog
• 49e9e8e do not serialize React components into form fields
• 2a647a7 Ensure refs are forwarded when freezing data (#3390)
• da2fa94 Freeze values as soon as possible (#3802)
• Additional commits viewable in compare view

Updates @opentelemetry/api from 1.9.0 to 1.9.1

Release notes

Sourced from @​opentelemetry/api's releases.

api/v1.9.1

1.9.1

🐛 (Bug Fix)

• fix(api): prioritize esnext export condition as it is more specific #5458
• fix(api): update diag consoleLogger to use original console methods to prevent infinite loop when a console instrumentation is present #6395
• fix(api): use Attributes instead of deprecated SpanAttributes in SpanOptions #6478 @​overbalance
• fix(diag): change types in DiagComponentLogger from any to unknown#5478 @​loganrosen
• fix(api): re-introduce fallback chain for global utils #6523 @​pichlermarc

🏠 (Internal)

• refactor(api): refactor to avoid circular deps by merging observable types into Metric.ts #6441 @​pichlermarc
• refactor(api): remove "export *" in favor of explicit named exports #4880 @​robbkidd
• chore: enable tsconfig isolatedModules #5697 @​legendecas
• chore: disallow constructor parameter property syntax #6187 @​legendecas
• refactor(api): remove platform-specific globalThis, use globalThis directly #6208 @​overbalance
• chore(api): mark ProxyTracerProvider as deprecated #6328 @​cjihrig
• chore: enforce import type for type-only imports via ESLint #6467 @​overbalance
• perf(api): improve isValidSpanId, isValidTraceId performance #5714 @​seemk

Changelog

Sourced from @​opentelemetry/api's changelog.

1.9.1

🐛 (Bug Fix)

• fix: avoid grpc types dependency #3551 @​flarna
• fix(otlp-proto-exporter-base): Match Accept header with Content-Type in the proto exporter #3562 @​scheler
• fix: include tracestate in export #3569 @​flarna

🏠 (Internal)

• chore: fix cross project links and missing implicitly exported types #3533 @​legendecas
• feat(sdk-metrics): add exponential histogram mapping functions #3504 @​mwear

Commits

• 279458e Release 1.9.1 / 0.35.1 (#3573)
• 4978743 fix(http): remove outgoing headers normalization (#3557)
• d1f9594 chore(deps): update dependency rimraf to v4 (#3532)
• e0abcc0 fix: remove JSON syntax error and regenerate tsconfig files (#3566)
• a90c558 fix(sdk-node): register instrumentations early (#3502)
• 5b070b8 fix: include TraceState in trace exports (#3569)
• dcb09b7 chore(deps): update dependency gh-pages to v5 (#3571)
• 3bc93a9 feat: exponential histogram - part 1 - mapping functions (#3504)
• 3670071 fix: avoid grpc types dependency (#3551)
• b5ef0e4 chore: fix proto generation (#3567)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/api since your current version.

Updates @radix-ui/react-accordion from 1.2.3 to 1.2.12

Commits

• See full diff in compare view

Updates @radix-ui/react-avatar from 1.1.3 to 1.1.11

Commits

• See full diff in compare view

Updates @radix-ui/react-collapsible from 1.1.11 to 1.1.12

Commits

• See full diff in compare view

Updates @radix-ui/react-dialog from 1.1.6 to 1.1.15

Commits

• See full diff in compare view

Updates @radix-ui/react-dropdown-menu from 2.1.6 to 2.1.16

Commits

• See full diff in compare view

Updates @radix-ui/react-hover-card from 1.1.6 to 1.1.15

Commits

• See full diff in compare view

Updates @radix-ui/react-label from 2.1.2 to 2.1.8

Commits

• See full diff in compare view

Updates @radix-ui/react-scroll-area from 1.2.9 to 1.2.10

Commits

• See full diff in compare view

Updates @radix-ui/react-select from 2.2.5 to 2.2.6

Commits

• See full diff in compare view

Updates @radix-ui/react-separator from 1.1.2 to 1.1.8

Commits

• See full diff in compare view

Updates @radix-ui/react-tabs from 1.1.3 to 1.1.13

Commits

• See full diff in compare view

Updates @react-three/fiber from 9.6.0 to 9.6.1

Release notes

Sourced from @​react-three/fiber's releases.

v9.6.1

What's Changed

• fix: Seamlessly transfer interactivity state when swapping instances (#3743) by @​notrabs in pmndrs/react-three-fiber#3744

Full Changelog: pmndrs/react-three-fiber@v9.6.0...v9.6.1

Commits

• 2a52874 RELEASING: Releasing 1 package(s)
• b645741 docs(changeset): fix: Seamlessly transfer interactivity state when swapping i...
• 119668f fix: Seamlessly transfer interactivity state when swapping instances (#3744)
• 943a37e Merge pull request #3738 from pmndrs:chore/simplify-shadermaterial-demo
• 1be9504 chore: Add uniform piercing test
• 4df10c0 chore: Simplify ShaderMaterial demo
• 47d30ba chore: Move ShaderMaterial uniform notes to objects out of pitfalls
• See full diff in compare view

Updates ai from 6.0.153 to 6.0.190

Changelog

Sourced from ai's changelog.

6.0.190

Patch Changes

• Updated dependencies [33b10a2]
• Updated dependencies [f6e4146]
  • @​ai-sdk/gateway@​3.0.119

6.0.189

Patch Changes

• 356c3cf: fix(ai): make input optional on input-streaming UIMessagePart variants

6.0.188

Patch Changes

• c98715a: Add allowSystemInMessages option to ToolLoopAgent.

  This exposes the same option that exists on streamText and generateText, whether role: "system" messages are allowed in the prompt or messages fields. When unset, system messages are rejected because they can create a prompt injection attack risk. Ideally, use the instructions option instead. Set to true to allow system messages, or false to explicitly reject them.

  const agent = new ToolLoopAgent({
    model,
    allowSystemInMessages: true,
  });
  await agent.generate({
  messages: [
  { role: "system", content: "Server context" },
  { role: "user", content: "Hello" },
  ],
  });

  The option can also be returned from prepareCall for dynamic per-call configuration.

6.0.187

Patch Changes

• Updated dependencies [6f4bb06]
  • @​ai-sdk/gateway@​3.0.118

6.0.186

Patch Changes

• Updated dependencies [756fec1]

... (truncated)

Commits

• 1a3ec6d Version Packages (#15513)
• bde7d0f Version Packages (#15494)
• 356c3cf Backport: fix(ai): make input optional on input-streaming UIMessagePart varia...
• 93ad540 Version Packages (#15489)
• c98715a Backport: [tool-loop-agent] adding support for messages with system role with...
• a15eda9 Version Packages (#15473)
• 917e487 Backport CI speed improvements to release-v6.0 (#15455)
• e33b836 Version Packages (#15440)
• 4a98945 Version Packages (#15406)
• f8d3003 Version Packages (#15356)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ai since your current version.

Updates jsonwebtoken from 9.0.2 to 9.0.3

Changelog

Sourced from jsonwebtoken's changelog.

9.0.3 - 2025-12-04

• updates jws version to 4.0.1.

Commits

• ed59e76 chore: bump jws to 4.0.1 (#1007)
• See full diff in compare view

Updates langfuse from 3.38.4 to 3.38.20

Commits

• 88f742a v3.38.20
• be826fd v3.38.19
• 401ff11 v3.38.18
• e0ca44b v3.38.17
• 79350d2 v3.38.16
• 34bd9c4 v3.38.15
• 249a8ea v3.38.14
• 4ebe6fb v3.38.13
• d50023b v3.38.12
• 3339402 v3.38.11
• Additional commits viewable in compare view

Updates livekit-server-sdk from 2.15.0 to 2.15.3

Release notes

Sourced from livekit-server-sdk's releases.

livekit-server-sdk@2.15.3

Patch Changes

• Bump @livekit/protocol to 1.45.6 and surface new fields on the agent dispatch and connector clients: - #657 (@​anunaym14)

  • AgentDispatchClient.createDispatch: new restartPolicy option (cloud only)
  • ConnectorClient.dialWhatsAppCall / acceptWhatsAppCall: new ringingTimeout option (and waitUntilAnswered on accept)
  • ConnectorClient.disconnectWhatsAppCall: new optional disconnectReason parameter
  • Re-export JobRestartPolicy and DisconnectWhatsAppCallRequest_DisconnectReason

• Add canManageAgentSession to VideoGrant - #661 (@​theomonnom)

livekit-server-sdk@2.15.2

Patch Changes

• add ringingTimeput field to SIP inbound create api - #645 (@​s-hamdananwar)

livekit-server-sdk@2.15.1

Patch Changes

• Add ringingTimeout option to transferSipParticipant - #627 (@​alexlivekit)

Changelog

Sourced from livekit-server-sdk's changelog.

2.15.3

Patch Changes

• Bump @livekit/protocol to 1.45.6 and surface new fields on the agent dispatch and connector clients: - #657 (@​anunaym14)

  • AgentDispatchClient.createDispatch: new restartPolicy option (cloud only)
  • ConnectorClient.dialWhatsAppCall / acceptWhatsAppCall: new ringingTimeout option (and waitUntilAnswered on accept)
  • ConnectorClient.disconnectWhatsAppCall: new optional disconnectReason parameter
  • Re-export JobRestartPolicy and DisconnectWhatsAppCallRequest_DisconnectReason

• Add canManageAgentSession to VideoGrant - #661 (@​theomonnom)

2.15.2

Patch Changes

• add ringingTimeput field to SIP inbound create api - #645 (@​s-hamdananwar)

2.15.1

Patch Changes

• Add ringingTimeout option to transferSipParticipant - #627 (@​alexlivekit)

Commits

• 4885d82 Version Packages (#658)
• 6609ca9 Add canManageAgentSession to VideoGrant (#661)
• 05e6f18 feat: add support for SimulateScenario (#659)
• f93752d feat: update agent dispatch and connector client (#657)
• 0ed1835 Version Packages (#646)
• 75824e5 add ringingTimeput field to SIP inbound create api (#645)
• a5cac5a Version Packages (#610)
• b3fcd70 Exposing optional TransferSipParticipant.ringingTimeout (#627)
• bcce97b Add bun runtime tests (#607)
• e094320 add e2e tests (#591)
• Additional commits viewable in compare view

Updates nanoid from 5.1.5 to 5.1.11

Release notes

Sourced from nanoid's releases.

5.1.11

• Fixed breaking Nano ID by requesting big ID.

5.1.10

• Fixed breaking nanoid by requesting big ID (by @​alanzabihi).

5.1.9

• Fixed npm package size regression.

5.1.8

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

5.1.7

• Added --version to CLI (by @​mahmoodhamdi).
• Updated nanoid.js for CDN (by @​mahmoodhamdi).
• Fixed docs (by @​mahmoodhamdi).
• Fixed customRandom types (by @​oguimbal).

5.1.6

• Fixed infinite loop on 0 size for customAlphabet.

Changelog

Sourced from nanoid's changelog.

5.1.11

• Fixed breaking Nano ID by requesting big ID.

5.1.10

• Fixed breaking Nano ID by requesting big ID (by @​alanzabihi).

5.1.9

• Fixed npm package size regression.

5.1.8

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

5.1.7

• Added --version to CLI (by @​mahmoodhamdi).
• Updated nanoid.js for CDN (by @​mahmoodhamdi).
• Fixed docs (by @​mahmoodhamdi).
• Fixed customRandom types (by @​oguimbal).

5.1.6

• Fixed infinite loop on 0 size for customAlphabet.

Commits

• 5423cf5 Release 5.1.11 version
• 2183894 Backport 3.3.12 changelog
• 7087969 Limit ID even more
• 013517b Temporary add pnpm-workspace.yaml to npm ignore
• 5db09ee Release 5.1.10 version
• be7901a Fix random pool break
• 974f73b Structure tests with describe() instead of prefix
• fe3e7ec Update dependencies
• 043a7c1 Move to pnpm 11
• e52d946 Release 5.1.9 version
• Additional commits viewable in compare view

Updates openai-edge from 1.2.2 to 1.2.3

Commits

• See full diff in compare view

Updates use-stick-to-bottom from 1.1.1 to 1.1.4

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
langfuse-docs	Ready	Preview, Comment	May 29, 2026 11:25am

[claude]

LGTM - dependabot patch bumps for the docs site.

Extended reasoning...

Overview

This is a Dependabot grouped PR bumping 24 dependencies to patch versions in package.json and updating pnpm-lock.yaml accordingly. All bumps are patch-level (e.g., 1.0.35 → 1.0.43, 2.2.0 → 2.2.10, 1.9.0 → 1.9.1) — no major or minor jumps that would imply breaking changes per semver. The PR is labeled auto-merge and dependencies.

Security risks

The changes are limited to dependency version bumps. Notable security-positive bumps include @ai-sdk/mcp (which fixed prototype pollution via secureJsonParse in 1.0.38) and jsonwebtoken 9.0.2 → 9.0.3 (bumps jws transitively). No code-path changes are introduced by this PR itself.

Level of scrutiny

Low. This is the langfuse-docs documentation site (not the production Langfuse app), and all updates are patch versions from trusted ecosystems (Vercel AI SDK, Radix UI, OpenTelemetry, Headless UI, etc.). Patch versions are expected to be backwards-compatible, and any regressions would surface in the Vercel preview build that runs against this PR.

Other factors

The bug hunting system reported no bugs. The preview deployment was already running at the time of review. This is exactly the kind of routine grouped patch update that Dependabot is designed for, and approval here is appropriate.