chore(deps)(deps): bump the production-dependencies group across 1 directory with 11 updates #1437

Merged: hotlong merged 1 commit into main from dependabot/npm_and_yarn/production-dependencies-743dad7eaf, Jun 1, 2026

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Bumps the production-dependencies group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| tsx | 4.22.3 | 4.22.4 |
| @ai-sdk/gateway | 3.0.120 | 3.0.121 |
| js-yaml | 4.1.1 | 4.2.0 |
| ai | 6.0.191 | 6.0.193 |
| @better-auth/core | 1.6.11 | 1.6.13 |
| @better-auth/oauth-provider | 1.6.11 | 1.6.13 |
| better-auth | 1.6.11 | 1.6.13 |
| lucide-react | 1.16.0 | 1.17.0 |
| fumadocs-core | 16.9.1 | 16.9.3 |
| fumadocs-mdx | 15.0.8 | 15.0.10 |
| fumadocs-ui | 16.9.1 | 16.9.3 |

Updates tsx from 4.22.3 to 4.22.4

Release notes

Sourced from tsx's releases.

v4.22.4

4.22.4 (2026-05-31)

Bug Fixes

  • resolve CommonJS directory requires inside dependencies (#803) (1ce8463)

This release is also available on:

Commits

Updates @ai-sdk/gateway from 3.0.120 to 3.0.121

Release notes

Sourced from @​ai-sdk/gateway's releases.

@​ai-sdk/gateway@​3.0.121

Patch Changes

  • 4084fcd: feat(provider/anthropic): add support for claude-opus-4-8
Changelog

Sourced from @​ai-sdk/gateway's changelog.

3.0.121

Patch Changes

  • 4084fcd: feat(provider/anthropic): add support for claude-opus-4-8
Commits

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3
Commits

Updates ai from 6.0.191 to 6.0.193

Release notes

Sourced from ai's releases.

ai@6.0.193

Patch Changes

  • af580ea: fix(ai): do not re-validate tool input for output-error parts in validateUIMessages

ai@6.0.192

Patch Changes

  • Updated dependencies [4084fcd]
    • @​ai-sdk/gateway@​3.0.121
Changelog

Sourced from ai's changelog.

6.0.193

Patch Changes

  • af580ea: fix(ai): do not re-validate tool input for output-error parts in validateUIMessages

6.0.192

Patch Changes

  • Updated dependencies [4084fcd]
    • @​ai-sdk/gateway@​3.0.121
Commits

Updates @better-auth/core from 1.6.11 to 1.6.13

Release notes

Sourced from @​better-auth/core's releases.

v1.6.13

better-auth

Features

  • Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

  • Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
  • Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
  • Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
  • Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
  • Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
  • Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAML Single Logout leaving the user signed in due to session deletion matching on row ID instead of session token
  • Fixed ambiguous internalAdapter helper methods that could silently match the wrong account or wipe all sessions for a user (#9818)
  • Fixed a high-severity XML injection vulnerability in signed SAML assertions by updating samlify to 2.13.1 (GHSA-34r5-q4jw-r36m) (#9821)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Fixed verifyApiKey rejecting keys created under a non-default configId when the request omitted configId (#9794)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

  • Fixed a silent failure in consumeOne when an adapter's deleteMany returned a non-numeric value, now surfacing a clear error (#9831)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

  • Fixed sign-in being lost on Expo when a provider issues large tokens, by splitting oversized account cookies across multiple storage keys (#9815)

... (truncated)

Changelog

Sourced from @​better-auth/core's changelog.

1.6.13

Patch Changes

  • #9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

    Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

    Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

  • #9831 5c3e248 Thanks @​bytaesu! - Surface a clear error when an adapter's deleteMany returns a non-numeric value in the consumeOne fallback, instead of silently failing the consume.

1.6.12

Patch Changes

  • #8870 a3b0c63 Thanks @​jsj! - fix(apple): accept hashed nonces for native iOS Sign In

  • #9799 c5b9f93 Thanks @​gustavovalverde! - Refresh access tokens from genericOAuth providers that omit expires_in.

    When a provider's token response leaves out expires_in, Better Auth recorded no expiry, so getAccessToken couldn't tell the token had lapsed and never refreshed it; callers kept receiving a stale token. Set accessTokenExpiresIn (seconds) on a genericOAuth config entry to declare the token's lifetime; the expiry is then synthesized at sign-in and on refresh, and the existing refresh path works. The option is opt-in: providers that return expires_in or issue non-expiring tokens are unaffected.

  • #9727 83fa369 Thanks @​bytaesu! - Add toCamelCase, toSnakeCase, toPascalCase, and toKebabCase to @better-auth/core/utils/string.

  • #9683 04303a9 Thanks @​yb175! - Widen Kysely peer dependency ranges to support both 0.28.x and 0.29.x.

  • #9655 7bf5449 Thanks @​cyphercodes! - verifyAccessToken now returns unauthorized API errors for invalid token-shape verification failures, including missing JWT key IDs, while preserving raw JOSE errors for JWKS infrastructure failures.

Commits
  • a6f38c7 chore: release v1.6.13 (#9804)
  • be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
  • 5c3e248 fix(core): throw on non-numeric deleteMany in consumeOne fallback (#9831)
  • 43c08a2 fix(account): scope OAuth account identity and fix buggy internalAdapter help...
  • 23d7cbf fix(oauth): apply updateUserInfoOnLink in OAuth callback link flow (#8758)
  • 5f282bd fix(account): default storeStateStrategy to "database" when using `secondar...
  • c0c574e chore: release v1.6.12 (#9590)
  • c5b9f93 fix(generic-oauth): add accessTokenExpiresIn for providers that omit `expir...
  • a3b0c63 fix: accept hashed nonces for native iOS sign-in with Apple (#8870)
  • 7bf5449 fix(oauth2): map jose token verification errors (#9655)
  • Additional commits viewable in compare view

Updates @better-auth/oauth-provider from 1.6.11 to 1.6.13

Release notes

Sourced from @​better-auth/oauth-provider's releases.

v1.6.13

better-auth

Features

  • Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

  • Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
  • Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
  • Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
  • Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
  • Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
  • Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAML Single Logout leaving the user signed in due to session deletion matching on row ID instead of session token
  • Fixed ambiguous internalAdapter helper methods that could silently match the wrong account or wipe all sessions for a user (#9818)
  • Fixed a high-severity XML injection vulnerability in signed SAML assertions by updating samlify to 2.13.1 (GHSA-34r5-q4jw-r36m) (#9821)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Fixed verifyApiKey rejecting keys created under a non-default configId when the request omitted configId (#9794)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

  • Fixed a silent failure in consumeOne when an adapter's deleteMany returned a non-numeric value, now surfacing a clear error (#9831)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

  • Fixed sign-in being lost on Expo when a provider issues large tokens, by splitting oversized account cookies across multiple storage keys (#9815)

... (truncated)

Changelog

Sourced from @​better-auth/oauth-provider's changelog.

1.6.13

Patch Changes

  • #9837 17ab66c Thanks @​gustavovalverde! - Enforce the clientPrivileges create check on dynamic client registration.

    POST /oauth2/register reached OAuth client persistence without the create gate that /oauth2/create-client and /admin/oauth2/create-client enforced. A deployment that restricted client creation through clientPrivileges could still let any authenticated user register a confidential client and receive a client_secret. The create check now runs at the single client-creation chokepoint, so every registration route enforces it by construction.

    Unauthenticated public-client registration through allowUnauthenticatedClientRegistration is unchanged.

  • Updated dependencies [d3919dc, 5f282bd, 43c08a2, 43c08a2, be32012, 87c1a0c, 5c3e248, 9c8ded6, 23d7cbf]:

    • better-auth@1.6.13
    • @​better-auth/core@​1.6.13

1.6.12

Patch Changes

Commits
  • a6f38c7 chore: release v1.6.13 (#9804)
  • 17ab66c fix(oauth-provider): enforce clientPrivileges on dynamic client registration ...
  • be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
  • c0c574e chore: release v1.6.12 (#9590)
  • d64174e fix(oauth-provider): hide DCR endpoint unless enabled (#9448)
  • 8401d11 fix(oauth-provider): serve path-prefixed issuer metadata aliases (#9668)
  • f77060a fix: consumeVerificationValue returns null for expired rows (#9624)
  • 938efee fix(oauth-provider): preserve colons in Basic Auth client secret (#9601)
  • 87f5a8f fix(oauth-provider): return NOT_FOUND when consent update references a missin...
  • See full diff in compare view

Updates better-auth from 1.6.11 to 1.6.13

Release notes

Sourced from better-auth's releases.

v1.6.13

better-auth

Features

  • Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

  • Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
  • Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
  • Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
  • Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
  • Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
  • Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAML Single Logout leaving the user signed in due to session deletion matching on row ID instead of session token
  • Fixed ambiguous internalAdapter helper methods that could silently match the wrong account or wipe all sessions for a user (#9818)
  • Fixed a high-severity XML injection vulnerability in signed SAML assertions by updating samlify to 2.13.1 (GHSA-34r5-q4jw-r36m) (#9821)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Fixed verifyApiKey rejecting keys created under a non-default configId when the request omitted configId (#9794)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

  • Fixed a silent failure in consumeOne when an adapter's deleteMany returned a non-numeric value, now surfacing a clear error (#9831)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

  • Fixed sign-in being lost on Expo when a provider issues large tokens, by splitting oversized account cookies across multiple storage keys (#9815)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.13

Patch Changes

  • #9813 d3919dc Thanks @​gustavovalverde! - Support server-side accountInfo calls without session headers.

    auth.api.accountInfo now accepts an optional userId, so a trusted server-side caller can read a user's provider profile without constructing session headers. This mirrors getAccessToken and refreshToken. HTTP callers still require a valid session, and a session always takes precedence over a supplied userId.

    The shared "resolve the target user, then fetch a valid access token" logic behind these three endpoints now lives in one place. As part of that, a server-side call that supplies neither a session nor a userId reports USER_ID_OR_SESSION_REQUIRED (400) consistently, rather than UNAUTHORIZED on some endpoints.

  • #9591 5f282bd Thanks @​Vishesh-Verma-07! - When only secondaryStorage is configured (no primary database), storeStateStrategy now defaults to "database" instead of "cookie", preventing oversized-cookie errors on platforms like AWS Lambda. The account cookie that holds OAuth tokens in database-less setups stays enabled, so getAccessToken keeps working.

  • #9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

    Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

    Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

  • #9818 43c08a2 Thanks @​gustavovalverde! - Fix Google One Tap signing in the wrong user when the presented Google account is already linked to someone else. One Tap now resolves identity through the shared OAuth path, so the user who owns the Google subject is signed in, matching the redirect and signIn.social flows. Previously it matched a local user by the token's email and used the subject only to decide linking, so a Google credential owned by one user could authenticate a different user who happened to share that email.

    /account-info now resolves the account from the signed-in user's own linked accounts and accepts an optional providerId to disambiguate when two providers issue the same account ID. A colliding account ID returns a distinct AMBIGUOUS_ACCOUNT error instead of a misleading "not found", and an account with no configured social provider returns a 400 rather than a 500.

  • #9838 be32012 Thanks @​gustavovalverde! - Validate the scheme of OAuth redirect_uris in the oidc-provider and mcp plugins.

    Both plugins previously accepted any string as a redirect_uri at registration. They now reject the javascript:, data:, and vbscript: schemes, which are never valid OAuth redirect targets. The @better-auth/oauth-provider package already applied this check, so this change brings the two older plugins in line with it.

    The redirect-URI scheme policy now lives in @better-auth/core as a single SafeUrlSchema and an isSafeUrlScheme helper, and the OAuth provider plugins share that one implementation. The client navigation helpers (redirectPlugin, one-tap, and two-factor) also skip navigation when the target uses one of these schemes.

    The change is non-breaking. The http, https, loopback, and custom application schemes still register unchanged. Both oidc-provider and mcp are on the migration path to @better-auth/oauth-provider, which remains the route to its stricter HTTPS-or-loopback policy.

  • #9842 87c1a0c Thanks @​bytaesu! - You can now clear an organization's logo by passing logo: null to createOrganization and updateOrganization. Previously only a string was accepted, so an existing logo could not be removed.

  • #9822 9c8ded6 Thanks @​gustavovalverde! - Document viewBackupCodes as a server-only function so its API comment no longer reads like an HTTP route.

    The JSDoc above auth.api.viewBackupCodes advertised POST /two-factor/view-backup-codes, but the endpoint is server-only: it is not registered on the HTTP router and has no client method. The comment now states that it is callable only from trusted server code and that the userId should come from an authenticated session.

  • #8758 23d7cbf Thanks @​bytaesu! - Apply accountLinking.updateUserInfoOnLink across every OAuth link flow.

    Enabling updateUserInfoOnLink only synced the user's profile when linking through a direct ID token. Linking through the standard OAuth redirect (linkSocial, the generic OAuth oauth2.link endpoint, and implicit linking on social sign-in) ignored the option, so the name and image never changed. Every link path now honors it.

    The synced fields match the sign-up path: name, image, and any fields your mapProfileToUser adds. The local email and emailVerified are never changed on a link, so linking a provider cannot rebind the account's identity.

    Implicit linking on social sign-in also returned the pre-update user, so the freshly issued session served stale profile data from its cookie cache until the cache expired. The new session now carries the updated profile.

  • Updated dependencies [43c08a2, 5c3e248]:

    • @​better-auth/core@​1.6.13
    • @​better-auth/drizzle-adapter@​1.6.13
    • @​better-auth/kysely-adapter@​1.6.13
    • @​better-auth/memory-adapter@​1.6.13
    • @​better-auth/mongo-adapter@​1.6.13

... (truncated)

Commits
  • a6f38c7 chore: release v1.6.13 (#9804)
  • 87c1a0c fix(organization): allow null logo on create and update (#9842)
  • be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
  • 9c8ded6 docs(two-factor): mark viewBackupCodes as server-only in its API comment (#...
  • 43c08a2 fix(account): scope OAuth account identity and fix buggy internalAdapter help...
  • 23d7cbf fix(oauth): apply updateUserInfoOnLink in OAuth callback link flow (#8758)
  • d3919dc feat(account): support server-side accountInfo calls without session header...
  • 5f282bd fix(account): default storeStateStrategy to "database" when using `secondar...
  • c0c574e chore: release v1.6.12 (#9590)
  • c5b9f93 fix(generic-oauth): add accessTokenExpiresIn for providers that omit `expir...
  • Additional commits viewable in compare view

Updates lucide-react from 1.16.0 to 1.17.0

Release notes

Sourced from lucide-react's releases.

Version 1.17.0

What's Changed

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0

Commits

Updates fumadocs-core from 16.9.1 to 16.9.3

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.9.3

Patch Changes

  • 42f0255: Support invalidate & revalidate on dynamic loader
  • a807798: Improve source API utils & types
Commits
  • 34b75a0 Version Packages (#3324)
  • 73b9cec docs: fix build
  • d35d0d6 fix(mdx): respect root in Vite config
  • a9f95ff chore: bump deps
  • 783c048 fix(preview): fix invalid content type in /img endpoint
  • 42f0255 feat(core): support invalidate & revalidate on dynamic loader
  • a807798 fix(core): improve source API utils & types
  • 8b17019 docs: document LLM_GATEWAY_MODEL for Ask AI (#3319)
  • cad622e Merge pull request #3318 from smakosh/feat/llmgateway-ai-provider
  • ee98724 fix(openapi): newer scalar client
  • Additional commits viewable in compare view

Updates fumadocs-mdx from 15.0.8 to 15.0.10

Release notes

Sourced from fumadocs-mdx's releases.

fumadocs-mdx@15.0.10

Patch Changes

  • d35d0d6: Respect root in Vite config
  • Updated dependencies [42f0255]
  • Updated dependencies [a807798]
    • fumadocs-core@16.9.3

fumadocs-mdx@15.0.9

Patch Changes

  • cd04425: Support _fumadocs_skipViteConfig internal flag
Commits
  • 34b75a0 Version Packages (#3324)
  • 73b9cec docs: fix build
  • d35d0d6 fix(mdx): respect root in Vite config
  • a9f95ff chore: bump deps
  • 783c048 fix(preview): fix invalid content type in /img endpoint
  • 42f0255 feat(core): support invalidate & revalidate on dynamic loader
  • a807798 fix(core): improve source API utils & types
  • 8b17019 docs: document LLM_GATEWAY_MODEL for Ask AI (#3319)
  • cad622e Merge pull request #3318 from smakosh/feat/llmgateway-ai-provider
  • ee98724 fix(openapi): newer scalar client
  • Additional commits viewable in compare view

Updates fumadocs-ui from 16.9.1 to 16.9.3

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.9.3

Patch Changes

  • Updated dependencies [42f0255]
  • Updated dependencies [a807798]
    • fumadocs-core@16.9.3
Commits
  • 34b75a0 Version Packages (#3324)
  • 73b9cec docs: fix build
  • d35d0d6 fix(mdx): respect root in Vite config
  • a9f95ff chore: bump deps
  • 783c048 fix(preview): fix invalid content type in /img endpoint
  • 42f0255 feat(core): support invalidate & revalidate on dynamic loader<...

    Description has been truncated
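The redirect_uri scheme check described in the better-auth 1.6.13 changelog entry for #9838, sketched as an added example; it is not code from better-auth or from this pull request. It contrasts a raw string-prefix test with a parser-based check, adds the stricter HTTPS-or-loopback policy the changelog mentions, and audits a constructed set of client registrations. All function names, policy labels, the loopback host list and the sample data are assumptions made for illustration.

```javascript
// Added illustration, not better-auth's implementation. Every name here
// (checkRedirectUri, auditClients, naiveIsBlocked, policy labels) is hypothetical.

// Schemes the changelog lists as never valid OAuth redirect targets.
const BLOCKED_SCHEMES = new Set(["javascript:", "data:", "vbscript:"]);
// Hosts this sketch treats as loopback under the stricter policy (assumption).
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Weak form: compares the raw string prefix, so it misses values that the
// URL parser normalises (mixed case, leading whitespace).
function naiveIsBlocked(value) {
  return [...BLOCKED_SCHEMES].some((scheme) => value.startsWith(scheme));
}

// Hardened form: decide on the scheme the URL parser actually sees.
// policy "baseline": reject only the blocked schemes; http, https, loopback
//                    and custom application schemes pass.
// policy "strict":   additionally require https, or http on a loopback host.
function checkRedirectUri(value, policy = "baseline") {
  if (typeof value !== "string") return { ok: false, reason: "not a string" };
  let url;
  try {
    url = new URL(value); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (BLOCKED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `blocked scheme ${url.protocol}` };
  }
  if (policy === "strict") {
    const loopback =
      url.protocol === "http:" && LOOPBACK_HOSTS.has(url.hostname);
    if (url.protocol !== "https:" && !loopback) {
      return { ok: false, reason: "strict policy needs https or loopback http" };
    }
  }
  return { ok: true, reason: null };
}

// Walk stored client registrations and report every redirect URI that the
// chosen policy would refuse today.
function auditClients(clients, policy = "baseline") {
  const findings = [];
  for (const client of clients) {
    for (const uri of client.redirectUris) {
      const result = checkRedirectUri(uri, policy);
      if (!result.ok) {
        findings.push({ clientId: client.id, uri, reason: result.reason });
      }
    }
  }
  return findings;
}

// Constructed sample registrations (not taken from any real deployment).
const SAMPLE_CLIENTS = [
  { id: "web-app", redirectUris: ["https://app.example.com/callback"] },
  { id: "cli-tool", redirectUris: ["http://127.0.0.1:8765/callback"] },
  { id: "mobile", redirectUris: ["com.example.app:/oauth/callback"] },
  { id: "dev", redirectUris: ["http://dev.example.com/callback"] },
  { id: "legacy-1", redirectUris: ["JavaScript:void(0)"] },
  { id: "legacy-2", redirectUris: [" data:text/html,hello", "/relative/callback"] },
];

for (const policy of ["baseline", "strict"]) {
  console.log(policy, auditClients(SAMPLE_CLIENTS, policy));
}
```

Because the changelog states that the older plugins accepted any string at registration, an audit like this is worth running over already-stored registrations after the upgrade, not only on new ones.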

@dependabot dependabot Bot added the dependencies and javascript labels Jun 1, 2026

vercel Bot commented Jun 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| spec | Ready | Preview, Comment | Jun 1, 2026 10:51am |

@github-actions github-actions Bot added the documentation and size/s labels Jun 1, 2026
…rectory with 11 updates

Bumps the production-dependencies group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [tsx](https://github.com/privatenumber/tsx) | `4.22.3` | `4.22.4` |
| [@ai-sdk/gateway](https://github.com/vercel/ai/tree/HEAD/packages/gateway) | `3.0.120` | `3.0.121` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.1` | `4.2.0` |
| [ai](https://github.com/vercel/ai/tree/HEAD/packages/ai) | `6.0.191` | `6.0.193` |
| [@better-auth/core](https://github.com/better-auth/better-auth/tree/HEAD/packages/core) | `1.6.11` | `1.6.13` |
| [@better-auth/oauth-provider](https://github.com/better-auth/better-auth/tree/HEAD/packages/oauth-provider) | `1.6.11` | `1.6.13` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.11` | `1.6.13` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.16.0` | `1.17.0` |
| [fumadocs-core](https://github.com/fuma-nama/fumadocs) | `16.9.1` | `16.9.3` |
| [fumadocs-mdx](https://github.com/fuma-nama/fumadocs) | `15.0.8` | `15.0.10` |
| [fumadocs-ui](https://github.com/fuma-nama/fumadocs) | `16.9.1` | `16.9.3` |



Updates `tsx` from 4.22.3 to 4.22.4
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.22.3...v4.22.4)

Updates `@ai-sdk/gateway` from 3.0.120 to 3.0.121
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/gateway@3.0.121/packages/gateway/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/gateway@3.0.121/packages/gateway)

Updates `js-yaml` from 4.1.1 to 4.2.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/commits)

Updates `ai` from 6.0.191 to 6.0.193
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/ai@6.0.193/packages/ai/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/ai@6.0.193/packages/ai)

Updates `@better-auth/core` from 1.6.11 to 1.6.13
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/core/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/@better-auth/core@1.6.13/packages/core)

Updates `@better-auth/oauth-provider` from 1.6.11 to 1.6.13
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/oauth-provider/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/@better-auth/oauth-provider@1.6.13/packages/oauth-provider)

Updates `better-auth` from 1.6.11 to 1.6.13
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.13/packages/better-auth)

Updates `lucide-react` from 1.16.0 to 1.17.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.17.0/packages/lucide-react)

Updates `fumadocs-core` from 16.9.1 to 16.9.3
- [Release notes](https://github.com/fuma-nama/fumadocs/releases)
- [Commits](https://github.com/fuma-nama/fumadocs/compare/fumadocs-core@16.9.1...fumadocs-core@16.9.3)

Updates `fumadocs-mdx` from 15.0.8 to 15.0.10
- [Release notes](https://github.com/fuma-nama/fumadocs/releases)
- [Commits](https://github.com/fuma-nama/fumadocs/compare/fumadocs-mdx@15.0.8...fumadocs-mdx@15.0.10)

Updates `fumadocs-ui` from 16.9.1 to 16.9.3
- [Release notes](https://github.com/fuma-nama/fumadocs/releases)
- [Commits](https://github.com/fuma-nama/fumadocs/compare/fumadocs-ui@16.9.1...fumadocs-ui@16.9.3)

---
updated-dependencies:
- dependency-name: "@ai-sdk/gateway"
  dependency-version: 3.0.121
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@better-auth/core"
  dependency-version: 1.6.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@better-auth/oauth-provider"
  dependency-version: 1.6.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: ai
  dependency-version: 6.0.193
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: better-auth
  dependency-version: 1.6.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: fumadocs-core
  dependency-version: 16.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: fumadocs-mdx
  dependency-version: 15.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: fumadocs-ui
  dependency-version: 16.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: lucide-react
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: tsx
  dependency-version: 4.22.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps)(deps): bump the production-dependencies group with 11 updates chore(deps)(deps): bump the production-dependencies group across 1 directory with 11 updates Jun 1, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-dependencies-743dad7eaf branch from f5e8188 to 736b55a Compare June 1, 2026 10:48
@hotlong hotlong merged commit 9148d35 into main Jun 1, 2026
12 of 13 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/production-dependencies-743dad7eaf branch June 1, 2026 13:15