Update all non-major frontend dependencies - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@marsidev/react-turnstile	1.5.0 → 1.5.1
@mui/x-date-pickers (source)	8.28.3 → 8.28.4
@sentry/react (source)	10.50.0 → 10.51.0
@typescript-eslint/parser (source)	8.59.0 → 8.59.1
axios (source)	1.15.2 → 1.16.0
globals	17.5.0 → 17.6.0
react-hook-form (source)	7.74.0 → 7.75.0
typescript-eslint (source)	8.59.0 → 8.59.1

---

Release Notes

marsidev/react-turnstile (@​marsidev/react-turnstile)

v1.5.1

Compare Source

   🐞 Bug Fixes

• Stop passing params to turnstile.execute()  -  by @​marsidev (4c778)

    View changes on GitHub

mui/mui-x (@​mui/x-date-pickers)

v8.28.4

Compare Source

We'd like to extend a big thank you to the 3 contributors who made this release possible. Here are some highlights ✨:

• 🐞 Bugfixes

Special thanks go out to these community members for their valuable contributions:
@​supunsathsara

The following team members contributed to this release:
@​LukasTy, @​michelengelen

Date and Time Pickers

@mui/x-date-pickers@8.28.4

• [pickers] Fix DateRangeCalendar drag with AdapterDayjs plain-constructor values (#​22170) @​LukasTy
• [pickers] Fix disabled state not overriding error border color (#​22186) @​supunsathsara
• [pickers] Use convertToMeridiem utility in transferDateSectionValue (#​22132) @​michelengelen

@mui/x-date-pickers-pro@8.28.4

Same changes as in @mui/x-date-pickers@8.28.4.

Docs

• [docs] Remove obsolete v7 deprecation warning for dayOfWeekFormatter (#​22120) @​LukasTy
• [docs] Use mui.com for broken links checker known targets (#​22171) @​LukasTy

getsentry/sentry-javascript (@​sentry/react)

v10.51.0

Compare Source

Important Changes

• feat(cloudflare): Add trace propagation for RPC method calls (#​20343)

  Trace context is now propagated across Cloudflare Workers RPC calls, connecting traces between Workers and Durable Objects.
  This feature is opt-in and requires setting enableRpcTracePropagation: true in your SDK configuration:

  // Worker
  export default Sentry.withSentry(
    env => ({
      dsn: env.SENTRY_DSN,
      enableRpcTracePropagation: true,
    }),
    handler,
  );
  
  // Durable Object
  export const MyDurableObject = Sentry.instrumentDurableObjectWithSentry(
    env => ({
      dsn: env.SENTRY_DSN,
      enableRpcTracePropagation: true,
    }),
    MyDurableObjectBase,
  );

• feat(hono)!: Change setup for @sentry/hono/node (init in external file) (#​20497)

  To improve Node.js instrumentation, the sentry() middleware exported from @sentry/hono/node no longer accepts configuration options.
  Instead, you must configure the SDK by calling Sentry.init() in a dedicated instrumentation file that runs before your application code (read more in the Hono SDK readme:

  // instrument.mjs (or instrument.ts)
  import * as Sentry from '@​sentry/hono/node';
  
  Sentry.init({
    dsn: '__DSN__',
    tracesSampleRate: 1.0,
  });

• feat(nitro): Add @sentry/nitro SDK (#​19224)

  A new @sentry/nitro package provides first-class Sentry support for Nitro applications, with HTTP handler and error instrumentation, middleware tracing, request isolation, and build-time source map uploading via withSentryConfig.
  Read more in the Nitro SDK docs and the Nitro SDK readme.

Other Changes

• deps(minimatch): Upgrade patch version to use new brace-expansion peer-dep (#​20198)
• docs: Add deprecation notices to bin scripts (#​20570)
• feat(astro): Drop prerendered http.server filter via ignoreSpans (#​20513)
• feat(aws-serverless): Validate extension tunnel DSN against SENTRY_DSN (#​20528)
• feat(browser): Add ingest_settings to span v2 envelope payload (#​20411)
• feat(browser): Add support for streamed spans in httpContextIntegration (#​20464)
• feat(core): Backfill otel attributes on streamed spans (#​20439)
• feat(core): clear up integrations on dispose (#​20407)
• feat(core): Instrument langgraph createReactAgent (#​20344)
• feat(core): Support attribute matching in ignoreSpans (#​20512)
• feat(feedback): allow error messages to be customized (#​20474)
• feat(hono): Support middleware spans defined in app groups (#​20465)
• feat(nextjs): Filter unwanted segments when span streaming is enabled (#​20384)
• feat(nextjs): Migrate edge event processors to span-first APIs (#​20551)
• feat(nextjs): Migrate server event processors to span-first APIs (#​20527)
• feat(nextjs): Set global attribute for turbopack usage (#​20558)
• feat(nitro): Nitro SDK (#​19224)
• feat(react-router): Clean up bogus * http.route attribute on segment spans (#​20471)
• feat(react-router): Drop low-quality transactions via ignoreSpans (#​20514)
• feat(sveltekit): Support span streaming in svelteKitSpansEnhancement integration (#​20496)
• feat(tanstackstart-react): Add dynamic tunnel route helper and generator (#​20264)
• fix: update prisma v7 spans descriptions (#​20456)
• fix(core): Avoid parse-time SyntaxError on Safari <16.4 in postgresjs (#​20498)
• fix(core): Ensure isSentryRequest handles subdomains properly (#​20530)
• fix(core): Ensure ip address headers are stripped when lower case (#​20484)
• fix(core): Filter more cookie names for PII (#​20485)
• fix(core): Use symbol for normalization checks (#​20486)
• fix(hono): Distinguish .use() middleware in sub-apps from .all() handlers (#​20554)
• fix(nextjs): Ensure we do not match tunnel endpoints too broadly (#​20488)
• fix(opentelemetry): Add conditional browser export to avoid node deps (#​20556)
• fix(replay): Avoid main-thread blocking in WorkerHandler under event bursts (#​20548)
• fix(replay): Ensure maskAttributes works with maskAllText=false (#​20491)
• fix(supabase): Consider sendDefaultPii for supabase integration (#​20490)

Internal Changes

• chore: Add size limit reports on PRs for Cloudflare (#​20055)
• chore: Update CODEOWNERS (#​20559)
• chore(build): Opt-out of nx analytics (#​20487)
• chore(ci): Automatically bump size limit every week (#​20531)
• chore(ci): Bump pnpm/action-setup to v5 and pin to commit SHA (#​20462)
• chore(ci): Do not report flaky test issues if we cannot find a test name (#​20589)
• chore(ci): Streamline CI setup to split bundle, layer, tarball generation (#​20396)
• chore(ci): Vendor nx-affected-list action, drop dkhunt27 dependency (#​20463)
• chore(e2e): Add vue and vue-router to nuxt-4 canary build step to fix rollup resolution (#​20519)
• chore(e2e): Remove @​tanstack/start-plugin-core override (#​20518)
• chore(size-limit): weekly auto-bump (#​20572)
• chore(skill): Add skill for writing unit and E2E tests (#​20561)
• chore(test): Reduce unneeded idleTimeout test config (#​20467)
• ci(size-bump): Fix path in size-limit auto-bump workflow (#​20566)
• fix(e2e/tanstackstart-react): pin @​tanstack/start-plugin-core to unblock CI (#​20482)
• fix(tests): Remove nitro canary test job (#​20473)
• ref(browser): Use safeSetSpanJSONAttributes in cultureContext integration (#​20481)
• test(browser): Unflake some more tests (#​20591)
• test(nextjs): Pin eslint-config-next package to major (#​20552)
• test(node): Fix flaky ANR test (#​20592)
• test(node): Fix flaky worker thread integration test (#​20588)
• test(node): Unflake postgres tests (#​20593)
• test(node): Update timeout for cron integration tests (#​20586)
• test(supabase): Stop supabase before initializing (#​20563)
• test(tanstack): Prefix test labels (#​20569)

Bundle size 📦

Path	Size
@​sentry/browser	25.54 KB
@​sentry/browser - with treeshaking flags	24.06 KB
@​sentry/browser (incl. Tracing)	43.08 KB
@​sentry/browser (incl. Tracing + Span Streaming)	45.07 KB
@​sentry/browser (incl. Tracing, Profiling)	47.91 KB
@​sentry/browser (incl. Tracing, Replay)	81.5 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	71.23 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	86.07 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	98.42 KB
@​sentry/browser (incl. Feedback)	42.38 KB
@​sentry/browser (incl. sendFeedback)	30.24 KB
@​sentry/browser (incl. FeedbackAsync)	35.3 KB
@​sentry/browser (incl. Metrics)	26.8 KB
@​sentry/browser (incl. Logs)	26.95 KB
@​sentry/browser (incl. Metrics & Logs)	27.62 KB
@​sentry/react	27.25 KB
@​sentry/react (incl. Tracing)	45.26 KB
@​sentry/vue	30.3 KB
@​sentry/vue (incl. Tracing)	44.87 KB
@​sentry/svelte	25.57 KB
CDN Bundle	28.16 KB
CDN Bundle (incl. Tracing)	45.61 KB
CDN Bundle (incl. Logs, Metrics)	29.54 KB
CDN Bundle (incl. Tracing, Logs, Metrics)	46.68 KB
CDN Bundle (incl. Replay, Logs, Metrics)	67.71 KB
CDN Bundle (incl. Tracing, Replay)	81.91 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	82.95 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	87.59 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	88.66 KB
CDN Bundle - uncompressed	82.57 KB
CDN Bundle (incl. Tracing) - uncompressed	136.41 KB
CDN Bundle (incl. Logs, Metrics) - uncompressed	86.67 KB
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	139.79 KB
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	207.73 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed	251.45 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	254.82 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	264.83 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	268.18 KB
@​sentry/nextjs (client)	47.7 KB
@​sentry/sveltekit (client)	43.52 KB
@​sentry/node-core	57.57 KB
@​sentry/node	166.25 KB
@​sentry/node - without tracing	94.54 KB
@​sentry/aws-serverless	111 KB
@​sentry/cloudflare (withSentry) - minified	160.29 KB
@​sentry/cloudflare (withSentry)	405.47 KB

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.59.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

axios/axios (axios)

v1.16.0

Compare Source

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#​10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#​10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#​10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#​10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#​7378)
• transformRequest input typing change was reverted. The typing change introduced in #​10745 was reverted in #​10810 after follow-up review — net behavior is unchanged from 1.15.2. (#​10745, #​10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#​10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #​6485). (#​10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#​6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#​10794, #​10800, #​6241, #​10822, #​10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#​10708, #​10819, #​7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#​10795, #​10772, #​10806, #​7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#​10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#​10724, #​7276, #​10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#​7414, #​6389, #​6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#​7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#​10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#​10588, #​7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#​10820, #​10791, #​10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#​10821, #​10782, #​10759, #​10804)
• Reverted: Reverted the transformRequest input typing change from #​10745 after follow-up review. (#​10745, #​10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#​10785, #​10813, #​10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#​10790, #​10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#​10588)
• @​cuiweixie (#​7419)
• @​iruizsalinas (#​10787)
• @​MarcosNocetti (#​10680)
• @​deepview-autofix (#​10729)
• @​atharvasingh7007 (#​10745)
• @​OfekDanny (#​10772)
• @​mnahkies (#​7414)
• @​tboyila (#​10759)
• @​Kingo64 (#​6897)
• @​ramram1048 (#​6389)
• @​FLNacif (#​6460)
• @​zozo123 (#​10806)
• @​pierluigilenoci (#​10802)
• @​afurm (#​10708)
• @​karan-lrn (#​7378)
• @​ebeigarts (#​7149)
• @​Raymondo97 (#​10782)
• @​mixelburg (#​10821)
• @​ashishkr96 (#​10822)
• @​cyphercodes (#​10819)
• @​Jye10032 (#​7260)
• @​VeerShah41 (#​7276)

Full Changelog

sindresorhus/globals (globals)

v17.6.0

Compare Source

react-hook-form/react-hook-form (react-hook-form)

v7.75.0: Version 7.75.0

Compare Source

🦧 feat: improve get dirty fields prune empty fields (#​13363)

+ dirtyFields: { test: [{ data: false }] }
- dirtyFields: {} // removed the empty node with false value

🎹 typescript 6.0 (#​13330)
🌡️ chore: minor improvement on setValue & reset (#​13366)
🐞 fix #​13403: include setValues in FormProvider context value (#​13404)
🐞 fix: recompute isDirty after re-registering a previously unregistered field (#​13399)
🐞 fix: preserve watch updates on field array unmount fixes #​13375 (#​13385)
🐞 fix: prevent useWatch re-render when unrelated field validation is … (#​13398)

thanks to @​dfedoryshchev, @​cyky & @​gkarabelos

typescript-eslint/typescript-eslint (typescript-eslint)

v8.59.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

---

Configuration

📅 Schedule: (in timezone Europe/Budapest)

• Branch creation
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.37%. Comparing base (fd8ca23) to head (0493d91).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1658   +/-   ##
=======================================
  Coverage   93.37%   93.37%           
=======================================
  Files          76       76           
  Lines        2386     2386           
  Branches      183      183           
=======================================
  Hits         2228     2228           
  Misses        132      132           
  Partials       26       26           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.