Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@opennextjs/cloudflare (source)	^1.14.4 -> ^1.14.7
@tailwindcss/postcss (source)	^4.1.17 -> ^4.1.18
@types/node (source)	^24.10.1 -> ^24.10.4
lucide-react (source)	^0.556.0 -> ^0.562.0
next (source)	16.0.10 -> 16.1.1
pnpm (source)	10.24.0 -> 10.26.2
react (source)	^19.2.1 -> ^19.2.3
react-dom (source)	^19.2.1 -> ^19.2.3
tailwindcss (source)	^4.1.17 -> ^4.1.18
wrangler (source)	^4.53.0 -> ^4.54.0

---

Release Notes

opennextjs/opennextjs-cloudflare (@​opennextjs/cloudflare)

v1.14.7

Compare Source

Patch Changes

• #​1053 d447125 Thanks @​vicb! - Support composable cache in Next 16

v1.14.6

Compare Source

Patch Changes

• #​1043 c83cb83 Thanks @​vicb! - fix for CVE-2025-67779

  See https://nextjs.org/blog/security-update-2025-12-11

v1.14.5

Compare Source

Patch Changes

• #​1042 763c4ec Thanks @​vicb! - Bump Next, React, and @​opennextjs/aws to fix vulnerabilities (CVE-2025-55184 and CVE-2025-55183)

  See https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  See https://nextjs.org/blog/security-update-2025-12-11
  See https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.5

• #​1034 721bff0 Thanks @​james-elicx! - output more wrangler command logs when the command fails

• #​1023 a4a2f02 Thanks @​dario-piotrowicz! - When running wrangler deploy add a OPEN_NEXT_DEPLOY environment variable to let wrangler know that it is being run by open-next

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.1.18

Compare Source

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#​19274)
• Include filename and line numbers in CSS parse errors (#​19282)
• Skip comments in Ruby files when checking for class names (#​19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#​19243)
• Support environment API in @tailwindcss/vite (#​18970)
• Preserve case of theme keys from JS configs and plugins (#​19337)
• Write source maps correctly on the CLI when using --watch (#​19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#​19348)
• Improve backwards compatibility for content theme key from JS configs (#​19381)
• Upgrade: Handle future and experimental config keys (#​19344)
• Try to canonicalize any arbitrary utility to a bare value (#​19379)
• Validate candidates similarly to Oxide (#​19397)
• Canonicalization: combine text-* and leading-* classes (#​19396)
• Correctly handle duplicate CLI arguments (#​19416)
• Don’t emit color-mix fallback rules inside @keyframes (#​19419)
• CLI: Don't hang when output is /dev/stdout (#​19421)

lucide-icons/lucide (lucide-react)

v0.562.0

Compare Source

v0.561.0: Version 0.561.0

Compare Source

What's Changed

• fix(site): Small adjustments color picker and add clear button search bar by @​ericfennis in #​3851
• feat(icons): added stone icon by @​Alportan in #​3850

Full Changelog: lucide-icons/lucide@0.560.0...0.561.0

v0.560.0: Version 0.560.0

Compare Source

What's Changed

• feat(icons): added cannabis-off icon by @​NickVeles in #​3748

New Contributors

• @​NickVeles made their first contribution in #​3748

Full Changelog: lucide-icons/lucide@0.559.0...0.560.0

v0.559.0: Version 0.559.0

Compare Source

What's Changed

• feat(icons): added fishing-hook icon by @​7ender in #​3837

New Contributors

• @​7ender made their first contribution in #​3837

Full Changelog: lucide-icons/lucide@0.558.0...0.559.0

v0.558.0: Version 0.558.0

Compare Source

What's Changed

• feat(icons): added hd icon by @​jamiemlaw in #​2958

Full Changelog: lucide-icons/lucide@0.557.0...0.558.0

v0.557.0: Version 0.557.0

Compare Source

What's Changed

• fix(github/workflows/ci): fixes linting issues by @​karsa-mistmere in #​3858
• fix(icons): changed memory-stick icon by @​karsa-mistmere in #​3017
• fix(icons): changed microchip icon by @​karsa-mistmere in #​3018
• chore(repo): Update Node version and overal cleanup by @​ericfennis in #​3861
• fix(icons): changed paint-bucket icon by @​jguddas in #​3865
• fix(icons): changed brush-cleaning icon by @​jguddas in #​3863
• fix(icons): Swap thumbs-up thumbs-down paths to fix fill issue by @​theianjones in #​3873
• fix(icons): changed tickets icon by @​karsa-mistmere in #​3859
• feat(icons): added layers-plus icon by @​juanisidoro in #​3367
• docs(dev): Fix code sample for vanilla JS by @​wavebeem in #​3836
• feat(icons): add search-error icon by @​Veatec22 in #​3292
• feat(icons): Add cloud-sync and cloud-backup by @​ericfennis in #​3466
• feat(icons): added circle-pile icon by @​nathan-de-pachtere in #​3681
• feat(icons): added balloon icon by @​peteruithoven in #​2519

New Contributors

• @​theianjones made their first contribution in #​3873
• @​juanisidoro made their first contribution in #​3367
• @​wavebeem made their first contribution in #​3836
• @​Veatec22 made their first contribution in #​3292

Full Changelog: lucide-icons/lucide@0.556.0...0.557.0

vercel/next.js (next)

v16.1.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Turbopack: Create junction points instead of symlinks on Windows (#​87606)

Credits

Huge thanks to @​sokra and @​ztanner for helping!

v16.1.0

Compare Source

pnpm/pnpm (pnpm)

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

v10.26.0

Compare Source

v10.25.0

Compare Source

facebook/react (react)

v19.2.3: 19.2.3 (December 11th, 2025)

Compare Source

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #​35351)

v19.2.2: 19.2.2 (December 11th, 2025)

Compare Source

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon #​35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #​35289)

cloudflare/workers-sdk (wrangler)

v4.54.0

Compare Source

Minor Changes

• #​11512 c15e99e Thanks @​emily-shen! - Enable using ctx.exports with containers

  You can now use containers with Durable Objects that are accessed via ctx.exports.

  Now your config file can look something like this:

  {
  	"name": "container-app",
  	"main": "src/index.ts",
  	"compatibility_date": "2025-12-01",
  	"compatibility_flags": ["enable_ctx_exports"], // compat flag needed for now.
  	"containers": [
  		{
  			"image": "./Dockerfile",
  			"class_name": "MyDOClassname",
  			"name": "my-container"
  		},
  	],
  	"migrations": [
  		{
  			"tag": "v1",
  			"new_sqlite_classes": ["MyDOClassname"],
  		},
  	],
  	// no need to declare your durable object binding here
  }
  

  Note that when using ctx.exports, where you previously accessed a Durable Object via something like env.DO, you should now access with ctx.exports.MyDOClassname.

  Refer to the docs for more information on using ctx.exports.

• #​11508 b17797c Thanks @​dario-piotrowicz! - Wrangler will no longer try to add additional configuration to projects using @cloudflare/vite-plugin when deploying or running wrangler setup

• #​11508 b17797c Thanks @​dario-piotrowicz! - When a Vite project is detected, install @cloudflare/vite-plugin

• #​11576 bb47e20 Thanks @​dario-piotrowicz! - Support Analog projects in autoconfig

• #​10582 991760d Thanks @​flakey5! - Add containers ssh command

Patch Changes

• #​11467 235d325 Thanks @​edmundhung! - fix: prevent reporting SQLite error from wrangler d1 execute to Sentry

• #​11414 41103f5 Thanks @​petebacondarwin! - add extra logging to user log-in flow for diagnosing failed login requests

• #​11559 ea6fbec Thanks @​nikitassharma! - Remove image validation for containers on wrangler deploy.

  Internal customers are able to use additional image registries and will run into failures with this validation. Image registry validation will now be handled by the API.

• Updated dependencies [31c162a, bd5f087, c6dd86f]:

  • miniflare@​4.20251210.0

---

Configuration

📅 Schedule: Branch creation - Only on Monday ( * * * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.