Bump the all-dependencies group across 1 directory with 31 updates #2118

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/all-dependencies-ae734c0fdf

dependabot[bot] commented on behalf of github on Jun 22, 2026

Bumps the all-dependencies group with 31 updates in the / directory:

Package From To
@amplitude/analytics-browser 2.23.7 2.44.1
@creit.tech/stellar-wallets-kit 2.2.0 2.3.0
@ledgerhq/hw-app-str 7.2.9 7.7.4
@ledgerhq/hw-transport-webhid 6.30.9 6.35.4
@next/third-parties 15.5.7 16.2.9
@sentry/nextjs 10.29.0 10.59.0
@tanstack/react-query 5.87.4 5.101.0
@tanstack/react-query-devtools 5.87.4 5.101.0
@trezor/connect-web 9.6.4 9.7.3
bignumber.js 9.3.1 11.1.4
dompurify 3.2.6 3.4.11
html-react-parser 5.2.6 6.1.3
immer 10.1.3 11.1.8
lodash 4.17.21 4.18.1
@types/lodash 4.17.20 4.17.24
lossless-json 4.2.0 4.3.0
next 15.5.15 16.2.9
uuid 11.1.0 14.0.1
zustand-querystring 0.0.19 0.7.0
@next/eslint-plugin-next 15.5.3 16.2.9
@playwright/test 1.57.0 1.61.0
@types/node 24.3.1 26.0.0
@typescript-eslint/eslint-plugin 8.43.0 8.61.1
eslint 9.35.0 10.5.0
eslint-config-next 15.4.4 16.2.9
eslint-plugin-react-hooks 5.2.0 7.1.1
jest 30.2.0 30.4.2
lint-staged 16.1.6 17.0.8
prettier 3.6.2 3.8.4
sass 1.92.1 1.101.0
typescript 5.9.2 6.0.3

Updates @amplitude/analytics-browser from 2.23.7 to 2.44.1

Release notes

Sourced from @​amplitude/analytics-browser's releases.

@​amplitude/analytics-browser@​2.44.1

2.44.1 (2026-06-11)

Bug Fixes

  • analytics-browser: use safe JSON stringify in remote config log messages (#1826) (477cda8)

@​amplitude/analytics-browser@​2.44.0

2.44.0 (2026-06-11)

Bug Fixes

  • analytics-browser: only flush on actual offline->online transition (#1812) (675885e)
  • analytics-browser: return trackVideo errors instead of throwing (#1804) (af76af9)

Features

  • analytics-browser, analytics-core: support referrerPolicy in FetchTransport (#1805) (871e432)

@​amplitude/analytics-browser@​2.43.1-featzoning-selectors.0

2.43.1-featzoning-selectors.0 (2026-06-11)

Bug Fixes

  • analytics-browser: return trackVideo errors instead of throwing (#1804) (af76af9)
Commits
  • 3006ae7 chore(release): publish
  • 137c894 ci: record v2.x releases in Linear after npm publish (#1827)
  • 477cda8 fix(analytics-browser): use safe JSON stringify in remote config log messages...
  • 82a3785 chore(release): publish
  • 675885e fix(analytics-browser): only flush on actual offline->online transition (#1812)
  • 871e432 feat(analytics-browser, analytics-core): support referrerPolicy in FetchTrans...
  • a757414 chore: require npm release environment (#1821)
  • 3a18415 refactor(analytics-browser): remove unused cursor pointer code from a… (#1815)
  • af76af9 fix(analytics-browser): return trackVideo errors instead of throwing (#1804)
  • 4a75130 ci(examples): smoke-test the React Native sample app on the New Architecture ...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​amplitude/analytics-browser since your current version.


Updates @creit.tech/stellar-wallets-kit from 2.2.0 to 2.3.0

Release notes

Sourced from @​creit.tech/stellar-wallets-kit's releases.

v2.3.0

2.3.0 (2026-06-05)

Add

Fix

  • It upgrades the Trezor libraries to the latest ALPHA releases. This is because when a website is using modern bundling (ESM only), the process breaks since the @trezor/connect-plugin-stellar package is looking for ESM code that isn't available in old @trezor/connect-web versions.
Changelog

Sourced from @​creit.tech/stellar-wallets-kit's changelog.

2.3.0 (2026-06-05)

Add

Fix

  • It upgrades the Trezor libraries to the latest ALPHA releases. This is because when a website is using modern bundling (ESM only), the process breaks since the @trezor/connect-plugin-stellar package is looking for ESM code that isn't available in old @trezor/connect-web versions.
Commits
  • bd1c771 Upgrade to 2.3.0
  • d0af8c1 Update WalletConnect module and Trezor libraries
  • 27de8a3 Force versions for deno and pnpm in the npm workflow
  • bfa7ab9 Update Node version in the npm publishing workflow
  • See full diff in compare view

Updates @ledgerhq/hw-app-str from 7.2.9 to 7.7.4

Commits

Updates @ledgerhq/hw-transport-webhid from 6.30.9 to 6.35.4

Commits
  • 689ead9 Merge release into main
  • 6cc05c8 chore(release): 🚀 prepare release [skip ci]
  • 9f31675 Merge pull request #18447 from LedgerHQ/smartling-translations-20260611093910037
  • df2a5ed File apps/ledger-live-mobile/src/locales/en/common.json was translated to es-...
  • 94d181b File apps/ledger-live-desktop/static/i18n/en/app.json was translated to pt-BR...
  • 20e2c7f File apps/ledger-live-desktop/static/i18n/en/app.json was translated to es-ES...
  • c7b4ad6 File apps/ledger-live-mobile/src/locales/en/common.json was translated to zh-...
  • 43c6105 File apps/ledger-live-mobile/src/locales/en/common.json was translated to de-...
  • fb521b3 File apps/ledger-live-mobile/src/locales/en/common.json was translated to ja-...
  • de2b68d File apps/ledger-live-mobile/src/locales/en/common.json was translated to pt-...
  • Additional commits viewable in compare view

Updates @next/third-parties from 15.5.7 to 16.2.9

Release notes

Sourced from @​next/third-parties's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Backport documentation fixes for v16.2 (#93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
  • [backport] Propagate adapter preferred regions (#94200)
  • [16.2.x] Don't drop FormData entries (#94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/third-parties since your current version.


Updates @sentry/nextjs from 10.29.0 to 10.59.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.59.0

Important Changes

  • feat(react-router): Add support for React Router v8 (#21633)

    The SDK now supports React Router v8, in both the framework and SPA (@sentry/react) modes.

  • feat(react): Add version-agnostic React Router SPA exports (#21633)

    @sentry/react now exports version-agnostic wrappers for React Router v6+ SPA instrumentation. The new exports replace the version-specific V6/V7 variants, which are now deprecated:

    Deprecated New
    reactRouterV6BrowserTracingIntegration / V7 reactRouterBrowserTracingIntegration
    withSentryReactRouterV6Routing / V7 wrapReactRouterRouting
    wrapCreateBrowserRouterV6 / V7 wrapCreateBrowserRouter
    wrapCreateMemoryRouterV6 / V7 wrapCreateMemoryRouter
    wrapUseRoutesV6 / V7 wrapUseRoutes

    The deprecated exports continue to work and will be removed in the next major version.

Other Changes

  • feat(aws-serverless): Instrument aws-sdk clients >= 3.1046.0 (#21548)
  • feat(bun): Add orchestrion bun build plugin (#21410)
  • feat(cloudflare): Instrument sync KV (#21316)
  • feat(core): Disable gen_ai message truncation by default when streamGenAiSpans is enabled (#21603)
  • feat(deno): Add orchestrion deno runtime hook (#21451)
  • feat(hono): Extend peer dependency range (#21550)
  • feat(node): Collapse orchestrion opt-in to a single option (#20900)
  • fix: Diagnostics channel Node v18 (#21631)
  • fix(browser): Clean up pageload readystatechange listener (#21632)
  • fix(core): Capture scopes on span before emitting spanStart event (#21644)
  • fix(core): Defer TwP sampling by reading trace state from the scope (#21549)
  • fix(core): Prevent outgoing HTTP instrumentation from crashing on // request paths (#21645)
  • fix(core): Set production as default sentry.environment attribute value on streamed spans (#21637)
  • fix(nextjs): Register safe random ID context at module load (#21573)
  • chore: Change deprecation/deprecation to oxlint equivalent (#21604)
  • chore: Switch license headers to SPDX format (#21357)
  • chore(deps-dev): Bump esbuild from 0.20.0 to 0.28.1 (#21511)
  • chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/test-applications/node-profiling-esm (#21514)
  • chore(deps): Bump react-router-6 to 6.30.4 (#21566)
  • ci: Assign server team as codeowner for server-utils package (#21601)
  • ci: Dedup flaky test issues across esm/cjs variants (#21595)
  • ci: Do not apply Bug label to flaky test issues (#21593)

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.59.0

Important Changes

  • feat(react-router): Add support for React Router v8 (#21633)

    The SDK now supports React Router v8, in both the framework and SPA (@sentry/react) modes.

  • feat(react): Add version-agnostic React Router SPA exports (#21633)

    @sentry/react now exports version-agnostic wrappers for React Router v6+ SPA instrumentation. The new exports replace the version-specific V6/V7 variants, which are now deprecated:

    Deprecated New
    reactRouterV6BrowserTracingIntegration / V7 reactRouterBrowserTracingIntegration
    withSentryReactRouterV6Routing / V7 wrapReactRouterRouting
    wrapCreateBrowserRouterV6 / V7 wrapCreateBrowserRouter
    wrapCreateMemoryRouterV6 / V7 wrapCreateMemoryRouter
    wrapUseRoutesV6 / V7 wrapUseRoutes

    The deprecated exports continue to work and will be removed in the next major version.

Other Changes

  • feat(aws-serverless): Instrument aws-sdk clients >= 3.1046.0 (#21548)
  • feat(bun): Add orchestrion bun build plugin (#21410)
  • feat(cloudflare): Instrument sync KV (#21316)
  • feat(core): Disable gen_ai message truncation by default when streamGenAiSpans is enabled (#21603)
  • feat(deno): Add orchestrion deno runtime hook (#21451)
  • feat(hono): Extend peer dependency range (#21550)
  • feat(node): Collapse orchestrion opt-in to a single option (#20900)
  • fix: Diagnostics channel Node v18 (#21631)
  • fix(browser): Clean up pageload readystatechange listener (#21632)
  • fix(core): Capture scopes on span before emitting spanStart event (#21644)
  • fix(core): Defer TwP sampling by reading trace state from the scope (#21549)
  • fix(core): Prevent outgoing HTTP instrumentation from crashing on // request paths (#21645)
  • fix(core): Set production as default sentry.environment attribute value on streamed spans (#21637)
  • fix(nextjs): Register safe random ID context at module load (#21573)
  • chore: Change deprecation/deprecation to oxlint equivalent (#21604)
  • chore: Switch license headers to SPDX format (#21357)
  • chore(deps-dev): Bump esbuild from 0.20.0 to 0.28.1 (#21511)
  • chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/test-applications/node-profiling-esm (#21514)
  • chore(deps): Bump react-router-6 to 6.30.4 (#21566)
  • ci: Assign server team as codeowner for server-utils package (#21601)
  • ci: Dedup flaky test issues across esm/cjs variants (#21595)

... (truncated)

Commits
  • 2cb0ef6 release: 10.59.0
  • f77b265 Merge pull request #21655 from getsentry/prepare-release/10.59.0
  • 8e32a8d meta(changelog): Update changelog for 10.59.0
  • 50fe5d9 fix: Diagnostics channel Node v18 (#21631)
  • 9c765e0 feat(react-router): support react router v8 (#21633)
  • 815c1cf feat(deps): Bump @​babel/core from 7.29.0 to 7.29.6 (#21574)
  • a520447 ref(tanstackstart-react): Use @sentry/conventions (#21498)
  • 38a0485 test(cloudflare): Remove mock in DO tests (#21634)
  • cb69761 feat(deno): Add orchestrion deno runtime hook (#21451)
  • 1e057ba chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/te...
  • Additional commits viewable in compare view

Updates @tanstack/react-query from 5.87.4 to 5.101.0

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.101.0

Patch Changes

@​tanstack/react-query-next-experimental@​5.101.0

Patch Changes

  • #10857 7cf5923 - fix(react-query-next-experimental): replace deprecated 'isServer' with 'environmentManager.isServer()'

  • Updated dependencies []:

    • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-persist-client@​5.101.0

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.101.0
    • @​tanstack/react-query@​5.101.0

@​tanstack/react-query@​5.101.0

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.101.0

@​tanstack/react-query-devtools@​5.100.14

Patch Changes

  • Updated dependencies [ed20b6d]:
    • @​tanstack/react-query@​5.100.14
    • @​tanstack/query-devtools@​5.100.14

@​tanstack/react-query-next-experimental@​5.100.14

Patch Changes

  • Updated dependencies [ed20b6d]:
    • @​tanstack/react-query@​5.100.14

@​tanstack/react-query-persist-client@​5.100.14

Patch Changes

  • Updated dependencies [ed20b6d]:
    • @​tanstack/react-query@​5.100.14
    • @​tanstack/query-persist-client-core@​5.100.14

@​tanstack/react-query@​5.100.14

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.101.0

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.101.0

5.100.14

Patch Changes

  • fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

  • Updated dependencies []:

    • @​tanstack/query-core@​5.100.14

5.100.13

Patch Changes

  • Updated dependencies [d423168]:
    • @​tanstack/query-core@​5.100.13

5.100.12

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.12

5.100.11

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.11

5.100.10

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.10

5.100.9

Patch Changes

  • Updated dependencies [fcee7bd]:
    • @​tanstack/query-core@​5.100.9

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tanstack/react-query since your current version.


Updates @tanstack/react-query-devtools from 5.87.4 to 5.101.0

Release notes

Sourced from @​tanstack/react-query-devtools's releases.

@​tanstack/react-query-devtools@​5.101.0

Patch Changes

@​tanstack/react-query-devtools@​5.100.14

Patch Changes

  • Updated dependencies [ed20b6d]:
    • @​tanstack/react-query@​5.100.14
    • @​tanstack/query-devtools@​5.100.14

@​tanstack/react-query-devtools@​5.100.13

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.13
    • @​tanstack/react-query@​5.100.13

@​tanstack/react-query-devtools@​5.100.12

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.12
    • @​tanstack/react-query@​5.100.12
Changelog

Sourced from @​tanstack/react-query-devtools's changelog.

5.101.0

Patch Changes

5.100.14

Patch Changes

  • Updated dependencies [ed20b6d]:
    • @​tanstack/react-query@​5.100.14
    • @​tanstack/query-devtools@​5.100.14

5.100.13

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.13
    • @​tanstack/react-query@​5.100.13

5.100.12

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.12
    • @​tanstack/react-query@​5.100.12

5.100.11

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.11
    • @​tanstack/react-query@​5.100.11

5.100.10

Patch Changes

  • Updated dependencies [4d130b9]:
    • @​tanstack/query-devtools@​5.100.10
    • @​tanstack/react-query@​5.100.10

5.100.9

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tanstack/react-query-devtools since your current version.


Updates @trezor/connect-web from 9.6.4 to 9.7.3

Release notes

Sourced from @​trezor/connect-web's releases.

v26.5.1@mobile

Trezor Suite 26.5.1 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v26.5.1

🚀 New features

  • ERC-681 QR codes are now supported in the send form, making it easier to scan token transfer requests.
  • Concierge trading (OTC) is now available on mobile for large trades.
  • DEX swaps are now available on mobile.
  • Stablecoin yield positions are now visible in the Earn tab in view-only mode.
  • Token management has been improved, including better control over hidden tokens.
  • A congratulations screen now appears after completing device onboarding.
  • Device authenticity verification now includes MCU MLDSA support.
  • BIP329 labels can now be exported from mobile.
  • WalletConnect now warns when your account balance is insufficient before confirming a transaction.
  • Trading offers in the US are now separated by state for more accurate results.

🎨 Improvements

  • Address spacing can now be enabled or disabled for all networks.
  • The mobile trade form has been simplified for a cleaner experience.
  • Device onboarding no longer includes a redundant coin selection step.
  • App performance has been improved with better handling of backend connections.

🔧 Bug fixes

  • Fixed a crash on iOS when returning from the background with a custom Electrum server configured.
  • Fixed a crash that sometimes occurred right after entering a passphrase on mobile.
  • Fixed incorrect fee handling during Ethereum transaction signing on mobile.
  • Fixed a signature mismatch error when using Rabby wallet on mobile.
  • Minor bugs and usability improvements across the app.

v26.4.2@mobile

Trezor Suite 26.4.2 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v26.4.2

🚀 New features

  • Full Ethereum staking: stake, unstake, claim rewards, with management dashboard
  • Stellar (XLM) WalletConnect support
  • Price quotes in buy flow and fiat deviation warnings on exchange
  • Suite Sync labeling enabled by default, with custom relay option
  • .onion Electrum server support (Tor)
  • Device connection status card and unified Unpair/Forget flow
  • Experimental Features screen in Settings

🎨 Improvements

  • Discreet mode now hides amounts in send form
  • “Send max” redesigned as a toggle; send flow cancels on disconnect
  • Collapsed fee sections across send, trade, and staking
  • Enhanced phishing protection (fake tokens, dust filtering, manual overrides)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​trezor/connect-web since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.


Updates bignumber.js from 9.3.1 to 11.1.4

Release notes

Sourced from bignumber.js's releases.

v11.1.3

v11.1 adds a few useful improvements around formatting, parsing, rounding, and interoperability.

BigNumber.sum() now returns zero when called with no arguments, which makes patterns like BigNumber.sum(...arr) work cleanly even when the array is empty.

BigNumber.sum(...[]).toString()      // "0"

toBigInt() has been added, so BigNumber values can now be converted directly to native BigInt values.

new BigNumber("123.9").toBigInt(BigNumber.ROUND_DOWN)        // 123n

There is also a new BigNumber.fromFormat() method for parsing formatted strings back into BigNumber values.

const options = { prefix: "€", groupSeparator: ".", decimalSeparator: "," }
BigNumber.fromFormat("€1.234.567,89", options).toString()      // "1234567.89"

Negative decimal places are now supported by decimalPlaces(), toFixed(), and toFormat(), making it easier to round to tens, hundreds, and thousands etc.

new BigNumber("1234.5").toFormat(-2)      // "1,200"

toFormat() has also been expanded to support minimum and maximum decimal places, and per-call formatting options now fall back to the configured global FORMAT values for anything not explicitly overridden.

new BigNumber("12.3456789").toFormat([2, 5])      // "12.34568"

This release also includes a fix for slow hexadecimal integer base conversion when DECIMAL_PLACES is very large, plus improved TypeScript API test coverage.

Changelog

Sourced from bignumber.js's changelog.

11.1.4

  • 16/06/26
  • [BUGFIX] #407 Fix toFormat duplicating the fraction when groupSize is 0.

11.1.3

  • 05/06/26
  • #406 Fix EXPONENTIAL_AT default value documentation.

11.1.2

  • 30/05/26
  • [BUGFIX] #405 Fix invalid toFormat output for -0.

11.1.1

  • 02/05/26
  • Docs: fix version number and decimalPlaces API description.

11.1.0

  • 30/04/26
  • #401 BigNumber.sum: return zero if there are no arguments.
  • #352 Add toBigInt method.
  • #286 Add fromFormat method.
  • #262 decimalPlaces, toFixed and toFormat: support negative decimal places.
  • #260 toFormat: support minimum/maximum decimal places.
  • toFormat: fallback to FORMAT for each property not in options.
  • [BUGFIX] #342 Large DECIMAL_PLACES causing slow hex integer base conversion.
  • Typescript: add test_api.ts to improve typed API test coverage.

11.0.0

  • 14/04/26
  • Add STRICT configuration option: if true (default), throw an exception on invalid input. if false, return NaN on invalid input.
  • toFraction: return [1, 0] for Infinity and [0, 0] for NaN.
  • Support underscores as separators.
  • If a base is supplied, reject non-finite values and base prefixes.

10.0.2

  • 24/02/26
  • Reinstate README.md links.

10.0.1

  • 24/02/26

... (truncated)

Commits

Updates dompurify from 3.2.6 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation in several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • <...

    Description has been truncated

Bumps the all-dependencies group with 31 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@amplitude/analytics-browser](https://github.com/amplitude/Amplitude-TypeScript) | `2.23.7` | `2.44.1` |
| [@creit.tech/stellar-wallets-kit](https://github.com/Creit-Tech/Stellar-Wallets-Kit) | `2.2.0` | `2.3.0` |
| [@ledgerhq/hw-app-str](https://github.com/LedgerHQ/ledger-live) | `7.2.9` | `7.7.4` |
| [@ledgerhq/hw-transport-webhid](https://github.com/LedgerHQ/ledger-live) | `6.30.9` | `6.35.4` |
| [@next/third-parties](https://github.com/vercel/next.js/tree/HEAD/packages/third-parties) | `15.5.7` | `16.2.9` |
| [@sentry/nextjs](https://github.com/getsentry/sentry-javascript) | `10.29.0` | `10.59.0` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.87.4` | `5.101.0` |
| [@tanstack/react-query-devtools](https://github.com/TanStack/query/tree/HEAD/packages/react-query-devtools) | `5.87.4` | `5.101.0` |
| [@trezor/connect-web](https://github.com/trezor/trezor-suite) | `9.6.4` | `9.7.3` |
| [bignumber.js](https://github.com/MikeMcl/bignumber.js) | `9.3.1` | `11.1.4` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.2.6` | `3.4.11` |
| [html-react-parser](https://github.com/remarkablemark/html-react-parser) | `5.2.6` | `6.1.3` |
| [immer](https://github.com/immerjs/immer) | `10.1.3` | `11.1.8` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [@types/lodash](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/lodash) | `4.17.20` | `4.17.24` |
| [lossless-json](https://github.com/josdejong/lossless-json) | `4.2.0` | `4.3.0` |
| [next](https://github.com/vercel/next.js) | `15.5.15` | `16.2.9` |
| [uuid](https://github.com/uuidjs/uuid) | `11.1.0` | `14.0.1` |
| [zustand-querystring](https://github.com/nitedani/zustand-querystring) | `0.0.19` | `0.7.0` |
| [@next/eslint-plugin-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-plugin-next) | `15.5.3` | `16.2.9` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.57.0` | `1.61.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.3.1` | `26.0.0` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.43.0` | `8.61.1` |
| [eslint](https://github.com/eslint/eslint) | `9.35.0` | `10.5.0` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `15.4.4` | `16.2.9` |
| [eslint-plugin-react-hooks](https://github.com/facebook/react/tree/HEAD/packages/eslint-plugin-react-hooks) | `5.2.0` | `7.1.1` |
| [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) | `30.2.0` | `30.4.2` |
| [lint-staged](https://github.com/lint-staged/lint-staged) | `16.1.6` | `17.0.8` |
| [prettier](https://github.com/prettier/prettier) | `3.6.2` | `3.8.4` |
| [sass](https://github.com/sass/dart-sass) | `1.92.1` | `1.101.0` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.9.2` | `6.0.3` |



Updates `@amplitude/analytics-browser` from 2.23.7 to 2.44.1
- [Release notes](https://github.com/amplitude/Amplitude-TypeScript/releases)
- [Commits](https://github.com/amplitude/Amplitude-TypeScript/compare/@amplitude/analytics-browser@2.23.7...@amplitude/analytics-browser@2.44.1)

Updates `@creit.tech/stellar-wallets-kit` from 2.2.0 to 2.3.0
- [Release notes](https://github.com/Creit-Tech/Stellar-Wallets-Kit/releases)
- [Changelog](https://github.com/Creit-Tech/Stellar-Wallets-Kit/blob/main/CHANGELOG.md)
- [Commits](Creit-Tech/Stellar-Wallets-Kit@v2.2.0...v2.3.0)

Updates `@ledgerhq/hw-app-str` from 7.2.9 to 7.7.4
- [Release notes](https://github.com/LedgerHQ/ledger-live/releases)
- [Commits](https://github.com/LedgerHQ/ledger-live/commits/@ledgerhq/hw-app-str@7.7.4)

Updates `@ledgerhq/hw-transport-webhid` from 6.30.9 to 6.35.4
- [Release notes](https://github.com/LedgerHQ/ledger-live/releases)
- [Commits](https://github.com/LedgerHQ/ledger-live/compare/@ledgerhq/hw-transport-http@6.30.9...@ledgerhq/hw-transport-webhid@6.35.4)

Updates `@next/third-parties` from 15.5.7 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.9/packages/third-parties)

Updates `@sentry/nextjs` from 10.29.0 to 10.59.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.29.0...10.59.0)

Updates `@tanstack/react-query` from 5.87.4 to 5.101.0
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.0/packages/react-query)

Updates `@tanstack/react-query-devtools` from 5.87.4 to 5.101.0
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-devtools/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-devtools@5.101.0/packages/react-query-devtools)

Updates `@trezor/connect-web` from 9.6.4 to 9.7.3
- [Release notes](https://github.com/trezor/trezor-suite/releases)
- [Commits](https://github.com/trezor/trezor-suite/commits)

Updates `bignumber.js` from 9.3.1 to 11.1.4
- [Release notes](https://github.com/MikeMcl/bignumber.js/releases)
- [Changelog](https://github.com/MikeMcl/bignumber.js/blob/main/CHANGELOG.md)
- [Commits](MikeMcl/bignumber.js@v9.3.1...v11.1.4)

Updates `dompurify` from 3.2.6 to 3.4.11
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.2.6...3.4.11)

Updates `html-react-parser` from 5.2.6 to 6.1.3
- [Release notes](https://github.com/remarkablemark/html-react-parser/releases)
- [Changelog](https://github.com/remarkablemark/html-react-parser/blob/master/CHANGELOG.md)
- [Commits](remarkablemark/html-react-parser@v5.2.6...v6.1.3)

Updates `immer` from 10.1.3 to 11.1.8
- [Release notes](https://github.com/immerjs/immer/releases)
- [Commits](immerjs/immer@v10.1.3...v11.1.8)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `@types/lodash` from 4.17.20 to 4.17.24
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/lodash)

Updates `lossless-json` from 4.2.0 to 4.3.0
- [Changelog](https://github.com/josdejong/lossless-json/blob/main/CHANGELOG.md)
- [Commits](josdejong/lossless-json@v4.2.0...v4.3.0)

Updates `next` from 15.5.15 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.15...v16.2.9)

Updates `uuid` from 11.1.0 to 14.0.1
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v11.1.0...v14.0.1)

Updates `zustand-querystring` from 0.0.19 to 0.7.0
- [Release notes](https://github.com/nitedani/zustand-querystring/releases)
- [Commits](https://github.com/nitedani/zustand-querystring/commits)

Updates `@next/eslint-plugin-next` from 15.5.3 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.9/packages/eslint-plugin-next)

Updates `@playwright/test` from 1.57.0 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.57.0...v1.61.0)

Updates `@types/lodash` from 4.17.20 to 4.17.24
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/lodash)

Updates `@types/node` from 24.3.1 to 26.0.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@typescript-eslint/eslint-plugin` from 8.43.0 to 8.61.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/eslint-plugin)

Updates `eslint` from 9.35.0 to 10.5.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.35.0...v10.5.0)

Updates `eslint-config-next` from 15.4.4 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.9/packages/eslint-config-next)

Updates `eslint-plugin-react-hooks` from 5.2.0 to 7.1.1
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/packages/eslint-plugin-react-hooks/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/eslint-plugin-react-hooks@7.1.1/packages/eslint-plugin-react-hooks)

Updates `jest` from 30.2.0 to 30.4.2
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.4.2/packages/jest)

Updates `lint-staged` from 16.1.6 to 17.0.8
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v16.1.6...v17.0.8)

Updates `prettier` from 3.6.2 to 3.8.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.6.2...3.8.4)

Updates `sass` from 1.92.1 to 1.101.0
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](sass/dart-sass@1.92.1...1.101.0)

Updates `typescript` from 5.9.2 to 6.0.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.2...v6.0.3)

---
updated-dependencies:
- dependency-name: "@amplitude/analytics-browser"
  dependency-version: 2.44.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@creit.tech/stellar-wallets-kit"
  dependency-version: 2.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@ledgerhq/hw-app-str"
  dependency-version: 7.7.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@ledgerhq/hw-transport-webhid"
  dependency-version: 6.35.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@next/third-parties"
  dependency-version: 16.2.9
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@sentry/nextjs"
  dependency-version: 10.59.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@tanstack/react-query-devtools"
  dependency-version: 5.101.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@trezor/connect-web"
  dependency-version: 9.7.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: bignumber.js
  dependency-version: 11.1.4
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: html-react-parser
  dependency-version: 6.1.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: immer
  dependency-version: 11.1.8
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@types/lodash"
  dependency-version: 4.17.24
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: lossless-json
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: next
  dependency-version: 16.2.9
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: uuid
  dependency-version: 14.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: zustand-querystring
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@next/eslint-plugin-next"
  dependency-version: 16.2.9
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@playwright/test"
  dependency-version: 1.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@types/lodash"
  dependency-version: 4.17.24
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: "@types/node"
  dependency-version: 26.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.61.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: eslint
  dependency-version: 10.5.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: eslint-config-next
  dependency-version: 16.2.9
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: eslint-plugin-react-hooks
  dependency-version: 7.1.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: jest
  dependency-version: 30.4.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: lint-staged
  dependency-version: 17.0.8
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: prettier
  dependency-version: 3.8.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: sass
  dependency-version: 1.101.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels Jun 22, 2026
Copilot AI review requested due to automatic review settings June 22, 2026 18:25
@github-project-automation github-project-automation Bot moved this to Backlog (Not Ready) in DevX Jun 22, 2026

Copilot AI left a comment

Contributor

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
Obfuscated code: npm @amplitude/plugin-custom-enrichment-browser is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@amplitude/analytics-browser@2.44.1 → npm/@amplitude/plugin-custom-enrichment-browser@0.1.11

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@amplitude/plugin-custom-enrichment-browser@0.1.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/next@16.2.9 → npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @ethereumjs/rlp under MPL-2.0

Location: Package overview

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.3 → npm/@creit.tech/stellar-wallets-kit@2.3.0 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@ethereumjs/rlp@10.1.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/rlp@10.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @ethereumjs/tx under MPL-2.0

Location: Package overview

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.3 → npm/@creit.tech/stellar-wallets-kit@2.3.0 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@ethereumjs/tx@10.1.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/tx@10.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @ethereumjs/util under MPL-2.0

Location: Package overview

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.3 → npm/@creit.tech/stellar-wallets-kit@2.3.0 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@ethereumjs/util@10.1.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/util@10.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @sentry/cli under LicenseRef-FSL-1.1-MIT

License: LicenseRef-FSL-1.1-MIT - The applicable license policy does not permit this license (5) (package/LICENSE)

From: pnpm-lock.yaml → npm/@sentry/nextjs@10.59.0 → npm/@sentry/cli@2.58.6

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/cli@2.58.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @sentry/node-core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/@sentry/nextjs@10.59.0 → npm/@sentry/node-core@10.59.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/node-core@10.59.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/blockchain-link under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.3 → npm/@creit.tech/stellar-wallets-kit@2.3.0 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/blockchain-link@2.6.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/blockchain-link@2.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect-plugin-stellar under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.3.0 → npm/@trezor/connect-plugin-stellar@10.0.0-alpha.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-plugin-stellar@10.0.0-alpha.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect-web under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: package.json → npm/@trezor/connect-web@9.7.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-web@9.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.3 → npm/@creit.tech/stellar-wallets-kit@2.3.0 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/connect@9.7.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect@9.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/transport under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.3 → npm/@creit.tech/stellar-wallets-kit@2.3.0 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/transport@1.6.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/transport@1.6.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/@typescript-eslint/eslint-plugin@8.61.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.61.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm axe-core under MIT AND MPL-2.0

Location: Package overview

From: pnpm-lock.yaml → npm/eslint-config-next@16.2.9 → npm/axe-core@4.12.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axe-core@4.12.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm es-abstract is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/eslint-config-next@16.2.9 → npm/es-abstract@1.24.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm immer is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/immer@11.1.8

ℹ Read more on: This package | This alert | What is obfuscated code?

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/immer@11.1.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm next

Location: Package overview

From: package.json → npm/next@16.2.9

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm typescript under MIT-Khronos-old

License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

From: package.json → npm/typescript@6.0.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm usb under GPL-1.0-only

License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/ezusb.h)

License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/ezusb.c)

License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/fxload.c)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.3 → npm/@creit.tech/stellar-wallets-kit@2.3.0 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/usb@2.18.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/usb@2.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm yargs is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/jest@30.4.2 → npm/yargs@17.7.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d77a5a4aa3

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread package.json
"uuid": "^14.0.1",
"zustand": "^5.0.6",
"zustand-querystring": "^0.0.19"
"zustand-querystring": "^0.7.0"
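
Review bot: On the `zustand-querystring` line the range changes from `^0.0.19` to `^0.7.0`, which widens what the manifest allows: under npm's caret rules `^0.0.19` matches only 0.0.19, while `^0.7.0` accepts any 0.7.x release. For a pre-1.0 dependency, consider pinning `"zustand-querystring": "0.7.0"` so the manifest states the version that was actually reviewed, and moving this jump out of the 31-package group into its own PR.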


P1 Badge Restore parser helpers before bumping zustand-querystring

This bump installs zustand-querystring@0.7.0, whose root export no longer includes the parse/stringify helpers (current package source); the old 0.0.19 root did export them (old source). The app still imports those names from zustand-querystring in src/helpers/shareableUrl.ts, src/helpers/buildEndpointHref.ts, src/helpers/buildContractExplorerHref.ts, and src/metrics/tracking.ts, so pnpm lint:ts/Next builds will fail with missing-export errors once this version is installed.

Useful? React with 👍 / 👎.

Comment thread package.json
"immer": "^11.1.8",
"lodash": "^4.18.1",
"lossless-json": "^4.3.0",
"next": "16.2.9",
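
Review bot: The `next` and `immer` lines in this hunk are major-version upgrades (15.5.15 to 16.2.9 and 10.1.3 to 11.1.8 per the PR's version table) that land in the same commit as 29 other updates, which makes them hard to review or revert on their own. Suggest excluding major bumps from the all-dependencies group so each gets its own PR and CI run.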


P2 Badge Migrate lint commands before upgrading to Next 16

Upgrading next to 16 makes the existing lint commands invalid: package.json:15 still runs next lint, and .lintstagedrc.js:4 still generates next lint --fix --file .... The Next.js 16 ESLint docs state that next lint is removed (docs), so pnpm lint and pre-commit lint-staged runs will fail until these are migrated to the ESLint CLI/flat config.

Useful? React with 👍 / 👎.


Labels

dependencies (Pull requests that update a dependency file), javascript (Pull requests that update Javascript code)

Projects

Status: Backlog (Not Ready)
