build(deps): bump the prod-minor-versions group across 1 directory with 9 updates

[dependabot]

Bumps the prod-minor-versions group with 9 updates in the /frontend directory:

Package	From	To
@axe-core/playwright	4.11.0	4.11.1
express-session	1.18.2	1.19.0
i18next	25.7.4	25.8.10
ioredis	5.9.2	5.9.3
isbot	5.1.33	5.1.35
minimatch	10.1.1	10.2.0
react	19.2.3	19.2.4
react-dom	19.2.3	19.2.4
tailwind-merge	3.4.0	3.4.1

Updates @axe-core/playwright from 4.11.0 to 4.11.1

Release notes

Sourced from @​axe-core/playwright's releases.

Release 4.11.1

Bug Fixes

• reorder exports to place types first (#1261) (40d22e3), closes #1243
• Update axe-core to v4.11.1 (#1271) (77f577e)

Changelog

Sourced from @​axe-core/playwright's changelog.

4.11.1 (2026-01-09)

Bug Fixes

• reorder exports to place types first (#1261) (40d22e3), closes #1243
• Update axe-core to v4.11.1 (#1271) (77f577e)

Commits

• 66a3106 chore(release): v4.11.1 (#1275)
• 9a07fd7 chore: RC v4.11.1 (#1272)
• 999a563 chore: applying release changes
• 26e0d0b chore: RC v4.11.1
• 77f577e fix: Update axe-core to v4.11.1 (#1271)
• 40d22e3 fix: reorder exports to place types first (#1261)
• bd80a5f chore: rebuild lockfile (#1266)
• a73c6a8 chore: bump the npm-low-risk group across 1 directory with 27 updates (#1265)
• a80460d chore: bump @​wdio/mocha-framework from 8.39.0 to 9.20.1 (#1256)
• 2199e1b chore: bump mocha from 9.2.2 to 11.7.5 (#1257)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​axe-core/playwright since your current version.

Updates express-session from 1.18.2 to 1.19.0

Release notes

Sourced from express-session's releases.

v1.19.0

What's Changed

Main Changes

• Add dynamic cookie options support Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature enables programmatic modification of cookie attributes like secure, httpOnly, sameSite, maxAge, domain, and path based on session or request conditions.

  var app = express()
  app.use(session({
    secret: 'keyboard cat',
    resave: false,
    saveUninitialized: true,
    cookie: function (req) {
      var match = req.url.match(/^\/([^/]+)/);
      return {
        path: match ? '/' + match[1] : '/',
        httpOnly: true,
        secure: req.secure || false,
        maxAge: 60000
      }
    }
  }))

• Add sameSite 'auto' support for automatic SameSite attribute configuration Added sameSite: 'auto' option for cookie configuration that automatically sets SameSite=None for HTTPS and SameSite=Lax for HTTP connections, simplifying cookie handling across different environments.

• deps: use tilde notation for dependencies

PRs

• chore: add funding to package.json by @​bjohansebas in expressjs/session#1071
• build(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 by @​dependabot[bot] in expressjs/session#1086
• build(deps): bump github/codeql-action from 3.28.18 to 4.31.2 by @​dependabot[bot] in expressjs/session#1085
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @​dependabot[bot] in expressjs/session#1091
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in expressjs/session#1090
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @​dependabot[bot] in expressjs/session#1089
• build(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @​dependabot[bot] in expressjs/session#1088
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @​dependabot[bot] in expressjs/session#1082
• refactor: remove unused sess parameter from generateSessionId fun… by @​Ayoub-Mabrouk in expressjs/session#1001
• chore: remove history.md from being packaged on publish by @​bjohansebas in expressjs/session#1097
• deps: use tilde notation for dependencies by @​bjohansebas in expressjs/session#1096
• Add sameSite 'auto' support to match secure 'auto' pattern by @​djunehor in expressjs/session#1087
• feat: add support to dynamic cookie options by @​lincond in expressjs/session#1027
• Release: 1.19.0 by @​UlisesGascon in expressjs/session#1107

New Contributors

• @​Ayoub-Mabrouk made their first contribution in expressjs/session#1001
• @​djunehor made their first contribution in expressjs/session#1087
• @​lincond made their first contribution in expressjs/session#1027

... (truncated)

Changelog

Sourced from express-session's changelog.

1.19.0 / 2026-01-22

• Add dynamic cookie options support
• Add sameSite 'auto' support for automatic SameSite attribute configuration
• deps: use tilde notation for dependencies

Commits

• c10b2a3 1.19.0 (#1107)
• 2673736 feat: add support to dynamic cookie options (#1027)
• 73e0193 Add sameSite 'auto' support to match secure 'auto' pattern (#1087)
• 264b6a0 deps: use tilde notation for dependencies (#1096)
• 6d69f09 chore: remove history.md from being packaged on publish (#1097)
• 00b8a5f refactor: remove unused sess parameter from generateSessionId function (#...
• 2cd6561 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1082)
• 1307f30 build(deps): bump actions/checkout from 4.2.2 to 6.0.0 (#1088)
• 0e7a438 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#1089)
• a095a9a build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#1090)
• Additional commits viewable in compare view

Updates i18next from 25.7.4 to 25.8.10

Release notes

Sourced from i18next's releases.

v25.8.10

• fix(interpolator): guard null matchedDoubleQuotes in nesting option parsing 2395

v25.8.9

• fix(interpolator): escape nestingOptionsSeparator in nesting option parsing 223943

v25.8.8

• types(i18n): add missing toJSON() declaration 2393

v25.8.7

• avoid crash due to ReferenceError without Intl API 2391

v25.8.6

• ts: address incomplete type definition for getFixedT() return value 2318

v25.8.5

• fix: compatibility with moduleResolution bundler (issue 2380) 2381

v25.8.4

• fix: crashes when backend in backends array has no name property 2386

v25.8.3

• ts: document option to suppress the support message 2385

v25.8.2

• option to suppress the support message 2385

v25.8.1

• fix(types): Selector API - fix Namespace inference for selector ns option 2384

v25.8.0

• fix: TFunctionReturn fallback 2360

Changelog

Sourced from i18next's changelog.

25.8.10

• fix(interpolator): guard null matchedDoubleQuotes in nesting option parsing 2395

25.8.9

• fix(interpolator): escape nestingOptionsSeparator in nesting option parsing 2394

25.8.8

• types(i18n): add missing toJSON() declaration 2393

25.8.7

• avoid crash due to ReferenceError without Intl API 2391

25.8.6

• ts: address incomplete type definition for getFixedT() return value 2318

25.8.5

• fix: compatibility with moduleResolution bundler (issue 2380) 2381

25.8.4

• fix: crashes when backend in backends array has no name property 2386

25.8.3

• ts: document option to suppress the support message 2385

25.8.2

• option to suppress the support message 2385

25.8.1

• fix(types): Selector API - fix Namespace inference for selector ns option 2384

25.8.0

• fix: TFunctionReturn fallback 2360

Commits

• 3172321 25.8.10
• 405803c release
• 106254c fix(interpolator): guard null matchedDoubleQuotes in nesting option parsing (...
• 6932e2c jsr update
• 7357217 25.8.9
• 13c29c0 release
• 00863a2 fix(interpolator): escape nestingOptionsSeparator in nesting option parsing (...
• 725f5cc jsr update
• dd3804a 25.8.8
• 68fa155 release
• Additional commits viewable in compare view

Updates ioredis from 5.9.2 to 5.9.3

Release notes

Sourced from ioredis's releases.

v5.9.3

5.9.3 (2026-02-12)

Bug Fixes

• autopipelining to route writes to masters with scaleReads (#2072) (8adb1ae)
• fix issue with moved command for replicas (#2064) (de4eed4)
• types: optional properties on RedisOptions allow explicit undefined (#2066) (0a1a898)

Changelog

Sourced from ioredis's changelog.

5.9.3 (2026-02-12)

Bug Fixes

• autopipelining to route writes to masters with scaleReads (#2072) (8adb1ae)
• fix issue with moved command for replicas (#2064) (de4eed4)
• types: optional properties on RedisOptions allow explicit undefined (#2066) (0a1a898)

5.9.3 (2026-02-12)

Bug Fixes

• autopipelining to route writes to masters with scaleReads (#2072) (8adb1ae)
• fix issue with moved command for replicas (#2064) (de4eed4)
• types: optional properties on RedisOptions allow explicit undefined (#2066) (0a1a898)

Commits

• cd19ab0 chore(release): 5.9.3 [skip ci]
• 326528b chore(release): 5.9.3 [skip ci]
• 0a1a898 fix(types): optional properties on RedisOptions allow explicit undefined (#2066)
• 8adb1ae fix: autopipelining to route writes to masters with scaleReads (#2072)
• de4eed4 fix: fix issue with moved command for replicas (#2064)
• See full diff in compare view

Updates isbot from 5.1.33 to 5.1.35

Changelog

Sourced from isbot's changelog.

5.1.35

• [Pattern] Pattern updates

5.1.34

• [Pattern] Pattern updates

Commits

• See full diff in compare view

Updates minimatch from 10.1.1 to 10.2.0

Changelog

Sourced from minimatch's changelog.

change log

10.2

• Add braceExpandMax option

10.1

• Add magicalBraces option for escape
• Fix makeRe when partial: true is set.
• Fix makeRe when pattern ends in a final ** path part.

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

• 1a62a2a 10.2.0
• 758b5a3 changelog 10.2
• 903e50b add braceExpandMax option, format
• a50a110 10.1.3
• a08c046 move back to og brace-expansion
• fde70d1 10.1.2
• 05210d8 update deps
• ba4093c update workflows and package stuff
• See full diff in compare view

Updates react from 19.2.3 to 19.2.4

Release notes

Sourced from react's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 90ab3f8 Version 19.2.4
• See full diff in compare view

Updates react-dom from 19.2.3 to 19.2.4

Release notes

Sourced from react-dom's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 90ab3f8 Version 19.2.4
• See full diff in compare view

Updates tailwind-merge from 3.4.0 to 3.4.1

Release notes

Sourced from tailwind-merge's releases.

v3.4.1

Bug Fixes

• Prevent arbitrary font-family and font-weight from merging by @​roneymoon in dcastil/tailwind-merge#635

Full Changelog: dcastil/tailwind-merge@v3.4.0...v3.4.1

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

Commits

• 02b6eb6 v3.4.1
• 6b845eb add agent info for release workflow
• 655f2f1 add changelog for v3.4.1
• e44e5eb add agent docs
• 4a38681 Merge pull request #644 from dcastil/renovate/major-vitest-monorepo
• 23ac259 migrate to vitest v4
• 927f617 chore(deps): update vitest monorepo to v4
• aea4869 Merge pull request #648 from dcastil/renovate/major-octokit-monorepo
• 78365f2 Merge pull request #646 from dcastil/renovate/actions-exec-3.x
• b08384d fix(deps): update dependency @​octokit/types to v16
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions