chore(deps)(deps): bump the production-dependencies group across 1 directory with 16 updates

[dependabot]

Bumps the production-dependencies group with 16 updates in the /frontend directory:

Package	From	To
@aws-amplify/ui-react	6.13.0	6.15.4
@aws-sdk/client-pinpoint	3.913.0	3.1048.0
@aws-sdk/client-pinpoint-email	3.913.0	3.1048.0
@headlessui/react	2.2.9	2.2.10
@testing-library/react	16.3.0	16.3.2
aws-amplify	6.15.7	6.17.0
date-fns	4.1.0	4.2.1
dompurify	3.3.0	3.4.5
@types/dompurify	3.0.5	3.2.0
framer-motion	12.23.24	12.39.0
react	19.2.0	19.2.6
@types/react	19.2.2	19.2.14
react-dom	19.2.0	19.2.6
@types/react-dom	19.2.2	19.2.3
react-toastify	11.0.5	11.1.0
recharts	3.3.0	3.8.1

Updates @aws-amplify/ui-react from 6.13.0 to 6.15.4

Release notes

Sourced from @​aws-amplify/ui-react's releases.

@​aws-amplify/ui-react@​6.15.4

Patch Changes

• #6961 3b0710ffddf12cf46315c231fcf2f5d0523e9551 Thanks @​osama-rizk! - fix(authenticator): hide Resend Code button during password-based MFA sign-in

• Updated dependencies [a6470c163288a6dcd928959d41b4cf74e71ddd27]:

  • @​aws-amplify/ui@​6.15.4
  • @​aws-amplify/ui-react-core@​3.6.4

@​aws-amplify/ui-react@​6.15.3

Patch Changes

• #6947 00c6b6cb4d0dfe4f6389b70da04acdb3f70bde53 Thanks @​soberm! - fix(deps): bump lodash from 4.17.23 to 4.18.1

• Updated dependencies [00c6b6cb4d0dfe4f6389b70da04acdb3f70bde53, aea51618abe852ffedd4375a592cffb976880a66]:

  • @​aws-amplify/ui@​6.15.3
  • @​aws-amplify/ui-react-core@​3.6.3

@​aws-amplify/ui-react@​6.15.2

Patch Changes

• Updated dependencies [d7c34c609830395d09f078902de1c17aa5674d5f]:
  • @​aws-amplify/ui@​6.15.2
  • @​aws-amplify/ui-react-core@​3.6.2

@​aws-amplify/ui-react@​6.15.1

Patch Changes

• #6853 8b2d38cd9da29d159c26070299b4ac4b97419b82 Thanks @​sarayev! - fix(authenticator): exclude username from user attributes in force change password flow

• Updated dependencies [8b2d38cd9da29d159c26070299b4ac4b97419b82]:

  • @​aws-amplify/ui@​6.15.1
  • @​aws-amplify/ui-react-core@​3.6.1

@​aws-amplify/ui-react@​6.15.0

Minor Changes

• #6834 0401829108ffae82db4fa776c96e8d0075a591b9 Thanks @​osama-rizk! - feat(storage-browser): Folder deletion.

Patch Changes

• Updated dependencies [0401829108ffae82db4fa776c96e8d0075a591b9]:
  • @​aws-amplify/ui-react-core@​3.6.0
  • @​aws-amplify/ui@​6.15.0

@​aws-amplify/ui-react@​6.14.0

Minor Changes

• #6783 167714536a6dbe43f918b5c8f3a46afb6f9c66fb Thanks @​ahmedhamouda78! - Add passwordless authentication support

... (truncated)

Changelog

Sourced from @​aws-amplify/ui-react's changelog.

6.15.4

Patch Changes

• #6961 3b0710ffddf12cf46315c231fcf2f5d0523e9551 Thanks @​osama-rizk! - fix(authenticator): hide Resend Code button during password-based MFA sign-in

• Updated dependencies [a6470c163288a6dcd928959d41b4cf74e71ddd27]:

  • @​aws-amplify/ui@​6.15.4
  • @​aws-amplify/ui-react-core@​3.6.4

6.15.3

Patch Changes

• #6947 00c6b6cb4d0dfe4f6389b70da04acdb3f70bde53 Thanks @​soberm! - fix(deps): bump lodash from 4.17.23 to 4.18.1

• Updated dependencies [00c6b6cb4d0dfe4f6389b70da04acdb3f70bde53, aea51618abe852ffedd4375a592cffb976880a66]:

  • @​aws-amplify/ui@​6.15.3
  • @​aws-amplify/ui-react-core@​3.6.3

6.15.2

Patch Changes

• Updated dependencies [d7c34c609830395d09f078902de1c17aa5674d5f]:
  • @​aws-amplify/ui@​6.15.2
  • @​aws-amplify/ui-react-core@​3.6.2

6.15.1

Patch Changes

• #6853 8b2d38cd9da29d159c26070299b4ac4b97419b82 Thanks @​sarayev! - fix(authenticator): exclude username from user attributes in force change password flow

• Updated dependencies [8b2d38cd9da29d159c26070299b4ac4b97419b82]:

  • @​aws-amplify/ui@​6.15.1
  • @​aws-amplify/ui-react-core@​3.6.1

6.15.0

Minor Changes

• #6834 0401829108ffae82db4fa776c96e8d0075a591b9 Thanks @​osama-rizk! - feat(storage-browser): Folder deletion.

Patch Changes

• Updated dependencies [0401829108ffae82db4fa776c96e8d0075a591b9]:
  • @​aws-amplify/ui-react-core@​3.6.0
  • @​aws-amplify/ui@​6.15.0

... (truncated)

Commits

• 4d40027 Version Packages (#6963)
• 3b0710f fix(authenticator): hide Resend Code button during password-based MFA (#6961)
• 417341e Version Packages (#6917)
• a60edd8 chore(deps): bump lodash from 4.17.23 to 4.18.1 (#6942)
• caa09bb chore(deps-dev): bump eslint from 8.44.0 to 9.26.0 (#6825)
• f5d5e72 Version Packages (#6888)
• 46515f3 Version Packages (#6854)
• 7dc7e4b Version Packages (#6844)
• f5bf6fa Version Packages (#6781)
• 1677145 feat(authenticator): add passwordless authentication support (#6783)
• Additional commits viewable in compare view

Updates @aws-sdk/client-pinpoint from 3.913.0 to 3.1048.0

Release notes

Sourced from @​aws-sdk/client-pinpoint's releases.

v3.1048.0

3.1048.0(2026-05-15)

Chores

• packages: update import paths (#8024) (901b75a1)
• codegen:
  • updated import sources for aws-sdk core (#8015) (1af90474)
  • sync for browser bundle fixes (#8022) (eabae7d8)
• core/client: consolidate packages into core/client (#8010) (832d9e76)

New Features

• clients: update client endpoints as of 2026-05-15 (4aa76bd0)
• client-mediapackagev2: This release adds support for AvailabilityStartTimeConfiguration in MediaPackageV2 DASH manifests (6c8a84d4)
• client-partnercentral-selling: Enable TCV intake on Opportunity to improve Opportunities Hygiene and downstream revenue attribution. (d68a75c4)
• client-cloudwatch-logs: Updating the max limit for start query api parameter. (931876e1)

---

For list of updated packages, view updated-packages.md in assets-3.1048.0.zip

v3.1047.0

3.1047.0(2026-05-14)

Chores

• upgrade fast-xml-parser to 5.7.3 (#8021) (b2aae04e)

New Features

• clients: update client endpoints as of 2026-05-14 (3505575d)
• client-glue: Release --has-databases parameter for AWS Glue get-catalogs API, which filters catalog responses to include only those capable of containing databases, excluding parent catalogs that hold only other catalogs. Remove model-level validation on partition index list size for AWS Glue tables. (e2b076ee)
• client-database-migration-service: Add 9 SDK waiters for DMS Schema Conversion async operations. Eliminates manual polling for import, assessment, conversion, export, and creation jobs. (32d372e7)
• client-mgn: Introducing new option for security groups mapping - with MAP-DHCP the service translates security rules from your source environment with DHCP compatibility. (27c07049)
• client-bedrock: Advanced Prompt Optimization (AdvPO) allows you to optimize and migrate your prompts for any model on Bedrock by automatically evaluating responses and rewriting prompts to improve performance. This release provides a programmatic way to create, get, list, stop, and delete AdvPO jobs. (7e479fde)
• client-cloudfront: Adding a new boolean for OCSP Revocations in Viewer mTLS Create and Update APIs, and adding a new 'Passthrough' option for TrustStore modes (ee96afaa)
• client-datazone: Adds support for SageMaker Unified Studio notebook operations, including notebook import and export (383f4ea2)
• client-qconnect: ListModels is an API that returns the available AI models for a Connect Assistant based on its region and AI prompt type. (0d6d7ec3)
• client-grafana: Adds support for dual-stack (IPv4 and IPv6) connectivity to Amazon Managed Grafana workspaces. Customers can configure the ipAddressType parameter when creating or updating a workspace to choose between IPv4-only or dual-stack (IPv4 and IPv6) access. (1184c5e5)

---

For list of updated packages, view updated-packages.md in assets-3.1047.0.zip

v3.1046.0

3.1046.0(2026-05-14)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-pinpoint's changelog.

3.1048.0 (2026-05-15)

Note: Version bump only for package @​aws-sdk/client-pinpoint

3.1047.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-pinpoint

3.1046.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-pinpoint

3.1045.0 (2026-05-07)

Note: Version bump only for package @​aws-sdk/client-pinpoint

3.1044.0 (2026-05-06)

Note: Version bump only for package @​aws-sdk/client-pinpoint

3.1043.0 (2026-05-05)

Note: Version bump only for package @​aws-sdk/client-pinpoint

3.1042.0 (2026-05-04)

... (truncated)

Commits

• 313813d Publish v3.1048.0
• 1af9047 chore(codegen): updated import sources for aws-sdk core (#8015)
• eabae7d chore(codegen): sync for browser bundle fixes (#8022)
• 8edb907 Publish v3.1047.0
• a664335 Publish v3.1046.0
• 9ce20f6 chore(codegen): dependency version bump (#8008)
• acffbf9 chore: update smithy/core imports (#7979)
• b329def Publish v3.1045.0
• 1ccd438 Publish v3.1044.0
• 96baad9 Publish v3.1043.0
• Additional commits viewable in compare view

Updates @aws-sdk/client-pinpoint-email from 3.913.0 to 3.1048.0

Release notes

Sourced from @​aws-sdk/client-pinpoint-email's releases.

v3.1048.0

3.1048.0(2026-05-15)

Chores

• packages: update import paths (#8024) (901b75a1)
• codegen:
  • updated import sources for aws-sdk core (#8015) (1af90474)
  • sync for browser bundle fixes (#8022) (eabae7d8)
• core/client: consolidate packages into core/client (#8010) (832d9e76)

New Features

• clients: update client endpoints as of 2026-05-15 (4aa76bd0)
• client-mediapackagev2: This release adds support for AvailabilityStartTimeConfiguration in MediaPackageV2 DASH manifests (6c8a84d4)
• client-partnercentral-selling: Enable TCV intake on Opportunity to improve Opportunities Hygiene and downstream revenue attribution. (d68a75c4)
• client-cloudwatch-logs: Updating the max limit for start query api parameter. (931876e1)

---

For list of updated packages, view updated-packages.md in assets-3.1048.0.zip

v3.1047.0

3.1047.0(2026-05-14)

Chores

• upgrade fast-xml-parser to 5.7.3 (#8021) (b2aae04e)

New Features

• clients: update client endpoints as of 2026-05-14 (3505575d)
• client-glue: Release --has-databases parameter for AWS Glue get-catalogs API, which filters catalog responses to include only those capable of containing databases, excluding parent catalogs that hold only other catalogs. Remove model-level validation on partition index list size for AWS Glue tables. (e2b076ee)
• client-database-migration-service: Add 9 SDK waiters for DMS Schema Conversion async operations. Eliminates manual polling for import, assessment, conversion, export, and creation jobs. (32d372e7)
• client-mgn: Introducing new option for security groups mapping - with MAP-DHCP the service translates security rules from your source environment with DHCP compatibility. (27c07049)
• client-bedrock: Advanced Prompt Optimization (AdvPO) allows you to optimize and migrate your prompts for any model on Bedrock by automatically evaluating responses and rewriting prompts to improve performance. This release provides a programmatic way to create, get, list, stop, and delete AdvPO jobs. (7e479fde)
• client-cloudfront: Adding a new boolean for OCSP Revocations in Viewer mTLS Create and Update APIs, and adding a new 'Passthrough' option for TrustStore modes (ee96afaa)
• client-datazone: Adds support for SageMaker Unified Studio notebook operations, including notebook import and export (383f4ea2)
• client-qconnect: ListModels is an API that returns the available AI models for a Connect Assistant based on its region and AI prompt type. (0d6d7ec3)
• client-grafana: Adds support for dual-stack (IPv4 and IPv6) connectivity to Amazon Managed Grafana workspaces. Customers can configure the ipAddressType parameter when creating or updating a workspace to choose between IPv4-only or dual-stack (IPv4 and IPv6) access. (1184c5e5)

---

For list of updated packages, view updated-packages.md in assets-3.1047.0.zip

v3.1046.0

3.1046.0(2026-05-14)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-pinpoint-email's changelog.

3.1048.0 (2026-05-15)

Note: Version bump only for package @​aws-sdk/client-pinpoint-email

3.1047.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-pinpoint-email

3.1046.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-pinpoint-email

3.1045.0 (2026-05-07)

Note: Version bump only for package @​aws-sdk/client-pinpoint-email

3.1044.0 (2026-05-06)

Note: Version bump only for package @​aws-sdk/client-pinpoint-email

3.1043.0 (2026-05-05)

Note: Version bump only for package @​aws-sdk/client-pinpoint-email

3.1042.0 (2026-05-04)

... (truncated)

Commits

• 313813d Publish v3.1048.0
• 1af9047 chore(codegen): updated import sources for aws-sdk core (#8015)
• eabae7d chore(codegen): sync for browser bundle fixes (#8022)
• 8edb907 Publish v3.1047.0
• a664335 Publish v3.1046.0
• 9ce20f6 chore(codegen): dependency version bump (#8008)
• acffbf9 chore: update smithy/core imports (#7979)
• b329def Publish v3.1045.0
• 1ccd438 Publish v3.1044.0
• 96baad9 Publish v3.1043.0
• Additional commits viewable in compare view

Updates @headlessui/react from 2.2.9 to 2.2.10

Release notes

Sourced from @​headlessui/react's releases.

@​headlessui/react@​v2.2.10

Fixed

• Don’t render <Portal> while hydrating (#3825)
• Fix passing props on Fragment error due to Symbol(react.lazy) (#3873)

Changelog

Sourced from @​headlessui/react's changelog.

[2.2.10] - 2026-04-07

Fixed

• Don’t render <Portal> while hydrating (#3825)
• Fix passing props on Fragment error due to Symbol(react.lazy) (#3873)

Commits

• d13526d 2.2.10 - @​headlessui/react
• b0dcd8f Handle props on Fragment error due to Symbol(react.lazy) (#3873)
• 7baca70 Don’t render \<Portal>s while hydrating (#3825)
• 5ef7395 Add RefProp to props (#3823)
• See full diff in compare view

Updates @testing-library/react from 16.3.0 to 16.3.2

Release notes

Sourced from @​testing-library/react's releases.

v16.3.2

16.3.2 (2026-01-19)

Bug Fixes

• Update 'onCaughtError' type inference in 'RenderOptions' to work with React v19 (#1438) (f32bd1b)

v16.3.1

16.3.1 (2025-12-15)

Bug Fixes

• Switch to trusted publishing (#1437) (a2d37ff)

Commits

• f32bd1b fix: Update 'onCaughtError' type inference in 'RenderOptions' to work with Re...
• a2d37ff fix: Switch to trusted publishing (#1437)
• cd6a175 chore: fix action permissions (#1436)
• 22b8c28 chore: fix release (#1435)
• d996673 chore: new release workflow (#1434)
• 205ce17 chore: fix typo in jest.config.js (#1427)
• aba5740 [test] Fix tests for react@experimental (#1424)
• 590bc18 [test] Fix npm run typecheck (#1423)
• 1c931a6 chore(deps): use npm-run-all2 (#1411)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​testing-library/react since your current version.

Updates aws-amplify from 6.15.7 to 6.17.0

Release notes

Sourced from aws-amplify's releases.

aws-amplify@6.17.0

Minor Changes

• #14796 d01b650 Thanks @​osama-rizk! - feat(storage): add server-side uploadData storage API.

Patch Changes

• Updated dependencies [93487ff, aa831db, d01b650]:
  • @​aws-amplify/auth@​6.20.0
  • @​aws-amplify/core@​6.16.3
  • @​aws-amplify/storage@​6.15.0
  • @​aws-amplify/api@​6.3.26
  • @​aws-amplify/datastore@​5.1.7

aws-amplify@6.16.4

Patch Changes

• Updated dependencies [e3b6b96, 8641160]:
  • @​aws-amplify/core@​6.16.2
  • @​aws-amplify/analytics@​7.0.94
  • @​aws-amplify/storage@​6.14.0
  • @​aws-amplify/notifications@​2.0.94
  • @​aws-amplify/api@​6.3.25
  • @​aws-amplify/datastore@​5.1.6

aws-amplify@6.16.3

Patch Changes

• Updated dependencies [e2b77fa]:
  • @​aws-amplify/storage@​6.13.2

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

2026-02-05 Amplify JS release - aws-amplify@6.16.2

What's Changed

• chore: Merge release into main by @​aws-amplify-ops in aws-amplify/amplify-js#14686
• feat(rtn-web-browser): add unit tests by @​ahmedhamouda78 in aws-amplify/amplify-js#14541
• fix(auth): rename passwordless_options to passwordless by @​ahmedhamouda78 in aws-amplify/amplify-js#14691
• chore(deps-dev): bump next from 16.1.1 to 16.1.5 by @​dependabot[bot] in aws-amplify/amplify-js#14692
• chore(deps): bump fast-xml-parser from 4.5.3 to 5.3.4 by @​dependabot[bot] in aws-amplify/amplify-js#14699
• Version Packages (#14701) by @​soberm in aws-amplify/amplify-js#14702
• chore(deps): bump @aws-sdk/* to 3.982.0 by @​pranavosu in aws-amplify/amplify-js#14704
• release(required): Amplify JS release by @​Simone319 in aws-amplify/amplify-js#14705

Full Changelog: https://github.com/aws-amplify/amplify-js/compare/aws-amplify@6.16.0...aws-amplify@6.16.2

2026-02-02 Amplify JS release - aws-amplify@6.16.1

No change.

... (truncated)

Commits

• 3c7a96f Version Packages (main) (#14785)
• f3ee7e1 fix: update change set config. (#14800)
• d01b650 feat(storage): add server uploadData storage api
• aa831db fix(storage): merge authenticated and group permissions in resolveLocationsFo...
• 9fbd3ba fix: remove unused uuid dependency from api-graphql, predictions, and interac...
• 68de0b1 fix(adapter-nextjs): match percent-encoded cookie names on read (#14791)
• 5d622ed Merge branch 'main' into fix/nextjs-signout-url-encoded-username-14781
• 8bf7c89 chore(deps): bump fast-xml-parser from 5.5.11 to 5.7.0 (#14787)
• cbd2307 chore(adapter-nextjs): add changeset for sign-out cookie fix
• 8abbac9 fix(adapter-nextjs): match percent-encoded cookie names on read
• Additional commits viewable in compare view

Updates date-fns from 4.1.0 to 4.2.1

Release notes

Sourced from date-fns's releases.

v4.2.1

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Changelog

Sourced from date-fns's changelog.

v4.2.1 - 2026-05-19

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0 - 2026-05-18

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Commits

• 87635a8 Fix missing type definitions, promote to v4.2.1 (closed #4190)
• 3d4ca4b Update browserslist
• 562c485 Promote to v4.2.0
• 3709c02 Make steps into the Temporal-first future
• 07592b9 Upgrade Node.js types, upgrade TypeScript
• 09ece22 Upgrade Vitest
• c37c22e Set up Oxfmt as the default formatter
• d40bb80 Upgrade mise setup
• dd66398 Fix tz tests workflow
• ef962f8 Adjust smoke tests
• Additional commits viewable in compare view

Updates dompurify from 3.3.0 to 3.4.5

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.5

• Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

• Added the selectedcontent element to default allow-list, thanks @​lukewarlow
• Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
• Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
• Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
• Updated demo website and made sure it uses the latest from main
• Updated existing workflows, fuzzer, dependabot, etc., added more tests
• Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

• Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
• Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
• Updated the node iteration code to catch more Shadow DOM related issues
• Updated Playwright and added Node 26 to test matrix
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.2

• Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
• Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.1

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
• Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth

... (truncated)

Commits

• 011b0c7 release: 3.4.5 (#1382)
• 5817ad9 release: 3.4.4 (#1374)
• 520edb0 release: 3.4.3 (#1352)
• 6f67fd3 Sync/3.4.2 (#1322)
• 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
• 09f5911 test: added three more browsers to test setup (OSX, mobile)
• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates @types/dompurify from 3.0.5 to 3.2.0

Commits

• See full diff in compare view

Updates framer-motion from 12.23.24 to 12.39.0

Changelog

Sourced from framer-motion's changelog.

[12.39.0] 2026-05-18

Added

• Support for repeatType and repeatDelay in animation sequences.

Fixed

• Variants: Re-run keyframe animations when switching between variant labels even when they share identical keyframe arrays.
• Drag: Preserve in-flight motion value animations across React 19 reorder unmount/remount so dragSnapToOrigin no longer leaves the drag transform stranded after a layout swap.
• LazyMotion: Share React contexts between the framer-motion and framer-motion/m (and therefore motion/react and motion/react-m) CJS bundles so that <m.div> from the /m subpath picks up features loaded by <LazyMotion> from the main entry point.
• useScroll: Support hydrating target and container refs from anywhere in the tree.
• Drag: Gesture no longer starts from incorrect start point when rendered inside <AnimatePresence initial={false} />.
• Drag: dragConstraints, when set as viewport-relative ref, no longer break on scroll.§
• Updated visualElement hydration order.
• useAnimate: Now respects skipAnimations.
• AnimatePresence: Fix object-form initial values not applied on re-entry after exit completes.
• scroll: Fixed callback progress when tracking an element.
• useScroll: Fix hardware acceleration when tracking an element.

[12.38.0] 2026-03-16

Added

• Added layoutAnchor prop to configure custom anchor point for resolving relative projection boxes.

Fixed

• Reorder: Fix axis switching after window resize.
• Reorder: Fix with virtualised lists.
• AnimatePresence: Ensure children are removed when exit animation matches current values.

[12.37.0] 2026-03-16

Added

• Support for hardware accelerating "start" and "end" offsets in scroll and useScroll.
• Support for oklch, oklab, lab, lch, color, color-mix, light-dark color types.

Fixed

• Fix whileInView with client-side navigation.
• Fix draggable elements when layout updates due to surrounding element re-renders.
• Improved memory pressure of layout animations.
• Ensure motion value returned from useSpring reports correct isAnimating().

[12.36.0] 2026-03-09

Added

... (truncated)

Commits

• b607391 v12.39.0
• cd53178 Updating changelog
• bd07642 Merge pull request #3716 from motiondivision/worktree-fix-issue-3315
• 3f053b6 Merge branch 'main' into worktree-fix-issue-3315
• f434c42 Merge pull request #3718 from motiondivision/dependabot/npm_and_yarn/next-15....
• 5973dfb Merge pull request #3722 from motiondivision/worktree-fix-issue-2829
• cfccb03 fix(drag): Refresh root scroll before measuring ref constraints
• 16aa417 Updating...

  Description has been truncated

[dependabot]

Assignees

The following users could not be added as assignees: aquachain-dev-team. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, frontend. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

⚠️ Manual review required

This is a minor version update that may include new features.

Action Required:

1. Review the changelog for breaking changes
2. Test the changes locally
3. Approve and merge if everything looks good

📋 This PR will not be auto-merged and requires manual approval.