
fix(deps): bump the prod-minor-patch group across 1 directory with 8 updates #403

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/prod-minor-patch-8b50dd908f

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Bumps the prod-minor-patch group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @inquirer/prompts | 8.4.2 | 8.5.1 |
| @oclif/core | 4.11.1 | 4.11.4 |
| @oclif/plugin-autocomplete | 3.2.48 | 3.2.50 |
| @oclif/plugin-warn-if-update-available | 3.1.63 | 3.1.65 |
| sigstore | 4.1.0 | 4.1.1 |
| ws | 8.20.0 | 8.21.0 |
| lucide-react | 1.14.0 | 1.17.0 |
| tailwind-merge | 3.5.0 | 3.6.0 |

Updates @inquirer/prompts from 8.4.2 to 8.5.1

Release notes

Sourced from @​inquirer/prompts's releases.

@​inquirer/prompts@​8.5.1

  • Rolled back mute-stream dependency from v4 to v3 to undo breaking compatible engines.
  • Added tooling to prevent regression of the above in the future. This surfaced our min engines already enforced a higher limit, so adjusted the explicit limits to match the current state.

@​inquirer/prompts@​8.5.0

  • Feat: Read env variable INQUIRER_KEYBINDINGS to enable vim or emacs keybindings; making this a user preference instead of a library author preference. One caveat is that doing so disables the search feature in the select prompt. Syntax: INQUIRER_KEYBINDINGS=vim,emacs.
  • Fix: Line wraps would sometimes cause the cursor to be mispositioned relative to the input.
  • Chore: Bump dependencies.

@​inquirer/prompts@​8.4.3

  • Fix: Windows rendering bug
  • Fix: Preserve exact literal types in choices array (TypeScript only)
  • Fix: Allow input default value to be of type undefined (TypeScript only)
  • Bump dependencies

Commits
  • b43359d chore: Publish new release
  • 24ecae2 chore: fix yarn.lock
  • b078d97 fix: validate package engine compatibility
  • 3a49f9f chore(deps-dev): Bump oxfmt in the formatting group (#2143)
  • 9cc492f chore(deps): Bump fast-wrap-ansi from 0.2.0 to 0.2.2 (#2146)
  • feb7edf chore(deps-dev): Bump @​types/node in the types group (#2145)
  • a05eb68 chore(deps-dev): Bump the build group with 3 updates (#2144)
  • f6ddfce chore(deps-dev): Bump the linting group with 3 updates (#2142)
  • 5ca6d11 chore: Publish new release
  • 2520349 feat(@​inquirer/core): support keybindings env defaults
  • Additional commits viewable in compare view

Updates @oclif/core from 4.11.1 to 4.11.4

Release notes

Sourced from @​oclif/core's releases.

4.11.4

Bug Fixes

  • deps: bump semver from 7.8.0 to 7.8.1 (65e054c)

4.11.3

Bug Fixes

  • updating tinyglobby dependency [skip-validate-pr] (1dc29ff)

4.11.2

Bug Fixes

  • deps: bump semver from 7.7.4 to 7.8.0 (1471fe3)

Changelog

Sourced from @​oclif/core's changelog.

4.11.4 (2026-05-23)

Bug Fixes

  • deps: bump semver from 7.8.0 to 7.8.1 (65e054c)

4.11.3 (2026-05-15)

Bug Fixes

  • updating tinyglobby dependency [skip-validate-pr] (1dc29ff)

4.11.2 (2026-05-09)

Bug Fixes

  • deps: bump semver from 7.7.4 to 7.8.0 (1471fe3)

Commits
  • d55138e chore(release): 4.11.4 [skip ci]
  • ef99bf7 Merge pull request #1604 from oclif/dependabot-npm_and_yarn-semver-7.8.1
  • 65e054c fix(deps): bump semver from 7.8.0 to 7.8.1
  • 09e6926 Merge pull request #1602 from oclif/dependabot-npm_and_yarn-oclif-plugin-plug...
  • 6b029a8 chore(dev-deps): bump @​oclif/plugin-plugins from 5.4.68 to 5.4.69
  • bd28ff2 Merge pull request #1598 from oclif/dependabot-npm_and_yarn-oclif-plugin-help...
  • 37cb4d8 Merge pull request #1599 from oclif/dependabot-npm_and_yarn-oclif-plugin-plug...
  • a240a45 chore(dev-deps): bump @​oclif/plugin-plugins from 5.4.65 to 5.4.68
  • ae42b32 chore(dev-deps): bump @​oclif/plugin-help from 6.2.47 to 6.2.48
  • 101c033 chore(release): 4.11.3 [skip ci]
  • Additional commits viewable in compare view

Updates @oclif/plugin-autocomplete from 3.2.48 to 3.2.50

Release notes

Sourced from @​oclif/plugin-autocomplete's releases.

3.2.50

Bug Fixes

  • deps: bump @​oclif/core from 4.11.3 to 4.11.4 (#1151) (f25d073)

3.2.49

Bug Fixes

  • deps: bump @oclif/core from 4.11.0 to 4.11.2 (#1146) (4127ce2)

Changelog

Sourced from @​oclif/plugin-autocomplete's changelog.

3.2.50 (2026-05-24)

Bug Fixes

  • deps: bump @​oclif/core from 4.11.3 to 4.11.4 (#1151) (f25d073)

3.2.49 (2026-05-10)

Bug Fixes

  • deps: bump @oclif/core from 4.11.0 to 4.11.2 (#1146) (4127ce2)

Commits
  • 7121dfb chore(release): 3.2.50 [skip ci]
  • f25d073 fix(deps): bump @​oclif/core from 4.11.3 to 4.11.4 (#1151)
  • 6434cf0 chore(dev-deps): bump oclif from 4.23.5 to 4.23.7 (#1152)
  • e57879e chore(dev-deps): bump eslint-config-oclif from 6.0.164 to 6.0.165 (#1153)
  • 6f0f40b chore(dev-deps): bump eslint-config-oclif from 6.0.162 to 6.0.164 (#1147)
  • cee68f5 chore(dev-deps): bump oclif from 4.23.0 to 4.23.5 (#1150)
  • 0fe489d chore(dev-deps): bump eslint-config-oclif from 6.0.160 to 6.0.162 (#1144)
  • de7a0ad chore(dev-deps): bump @​oclif/plugin-help from 6.2.45 to 6.2.48 (#1145)
  • 5250e7c chore(release): 3.2.49 [skip ci]
  • 4127ce2 fix(deps): bump @​oclif/core from 4.11.0 to 4.11.2 (#1146)
  • See full diff in compare view

Updates @oclif/plugin-warn-if-update-available from 3.1.63 to 3.1.65

Release notes

Sourced from @​oclif/plugin-warn-if-update-available's releases.

3.1.65

Bug Fixes

  • deps: bump @​oclif/core from 4.11.2 to 4.11.3 (#1019) (8a5e833)

3.1.64

Bug Fixes

  • deps: bump @oclif/core from 4.11.0 to 4.11.2 (#1016) (6aa16a8)

Changelog

Sourced from @​oclif/plugin-warn-if-update-available's changelog.

3.1.65 (2026-05-17)

Bug Fixes

  • deps: bump @​oclif/core from 4.11.2 to 4.11.3 (#1019) (8a5e833)

3.1.64 (2026-05-10)

Bug Fixes

  • deps: bump @oclif/core from 4.11.0 to 4.11.2 (#1016) (6aa16a8)

Commits
  • 26797da chore(release): 3.1.65 [skip ci]
  • 8a5e833 fix(deps): bump @​oclif/core from 4.11.2 to 4.11.3 (#1019)
  • d8e24c6 chore(dev-deps): bump eslint-config-oclif from 6.0.162 to 6.0.164 (#1020)
  • c7801bd chore(release): 3.1.64 [skip ci]
  • 6aa16a8 fix(deps): bump @​oclif/core from 4.11.0 to 4.11.2 (#1016)
  • 505e8eb chore(dev-deps): bump eslint-config-oclif from 6.0.160 to 6.0.162 (#1017)
  • See full diff in compare view

Updates sigstore from 4.1.0 to 4.1.1

Release notes

Sourced from sigstore's releases.

sigstore@4.1.1

Patch Changes

  • 7845532: Verification of OID certificate extensions
  • f074710: Require inclusion promise in Rekor entry when used as timestamp source
  • Updated dependencies [b5aa4f1]
  • Updated dependencies [7845532]
  • Updated dependencies [f074710]
    • @​sigstore/core@​3.2.1
    • @​sigstore/verify@​3.1.1
Commits

Updates ws from 8.20.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

```js
import { WebSocket, WebSocketServer } from 'ws';

// Local server on an ephemeral port; the client below connects to it.
const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false }; // every frame is a non-final fragment
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});
```

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits
  • bca91ad [dist] 8.21.0
  • 2b2abd4 [security] Limit retained message parts
  • 78eabe2 [security] Add latest vulnerability to SECURITY.md
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • See full diff in compare view

Updates lucide-react from 1.14.0 to 1.17.0

Release notes

Sourced from lucide-react's releases.

Version 1.17.0

What's Changed

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0

Version 1.16.0

What's Changed

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

Commits

Updates tailwind-merge from 3.5.0 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

Documentation

Other

Full Changelog: dcastil/tailwind-merge@v3.5.0...v3.6.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph, @​mike-healy and more via @​thnxdev for sponsoring tailwind-merge! ❤️

Commits
  • d54f7e5 v3.6.0
  • 638871a Update README to add info about Tailwind CSS v4.3 support
  • 39fc7b5 Revert "v3.6.0"
  • bd8390f v3.6.0
  • 802877c add v3.6.0 changelog
  • a35feda Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
  • 940389c Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
  • 005af6d pin to specific version
  • 5816ced implement breaking changes
  • 17041e1 Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
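
The ws 8.21.0 notes quoted in the comment above describe memory exhaustion from many tiny unfinished fragments, a mitigation through a lower maxPayload, and a fix titled "Limit retained message parts". The added sketch below is a model written for this page, not ws's implementation: it shows that a per-message byte cap bounds the number of retained one-byte parts only indirectly, while a cap on parts bounds it directly. The semantics given to `maxFragments`, the close codes and the limit values are assumptions.

```javascript
// Added model, not ws's implementation. maxPayload and maxFragments borrow option
// names from the release notes; their semantics and the close codes are assumptions.
class FragmentAssembler {
  constructor({ maxPayload, maxFragments = Infinity }) {
    this.maxPayload = maxPayload;     // cap on total bytes of one message
    this.maxFragments = maxFragments; // cap on retained parts of one message
    this.parts = [];
    this.bytes = 0;
  }

  // Accept one data frame; returns the whole message on fin, otherwise null.
  push(payload, fin) {
    if (this.bytes + payload.length > this.maxPayload) this.fail(1009, 'message too big');
    if (this.parts.length + 1 > this.maxFragments) this.fail(1008, 'too many fragments');
    this.parts.push(payload);
    this.bytes += payload.length;
    if (!fin) return null;
    const message = Buffer.concat(this.parts, this.bytes);
    this.reset();
    return message;
  }

  reset() { this.parts = []; this.bytes = 0; }

  fail(closeCode, reason) {
    this.reset(); // drop everything retained so far before closing
    throw Object.assign(new Error(reason), { closeCode });
  }
}

// Feed `count` unfinished fragments of `size` bytes and report how many parts
// were retained before the assembler gave up.
function feedUnfinished(limits, size, count) {
  const assembler = new FragmentAssembler(limits);
  const fragment = Buffer.alloc(size); // one shared buffer keeps the run cheap
  let retained = 0;
  try {
    for (let i = 0; i < count; i++) {
      assembler.push(fragment, false);
      retained = assembler.parts.length;
    }
    return { retained, closeCode: null };
  } catch (err) {
    return { retained, closeCode: err.closeCode };
  }
}

const limit64k = 64 * 1024; // constructed value
console.log(feedUnfinished({ maxPayload: limit64k }, 1, 100000));
console.log(feedUnfinished({ maxPayload: limit64k, maxFragments: 128 }, 1, 100000));
```

With the byte cap alone the model retains 65536 separate parts before rejecting the message; with the part cap it stops at 128.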

…updates

Bumps the prod-minor-patch group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@inquirer/prompts](https://github.com/SBoudrias/Inquirer.js) | `8.4.2` | `8.5.1` |
| [@oclif/core](https://github.com/oclif/core) | `4.11.1` | `4.11.4` |
| [@oclif/plugin-autocomplete](https://github.com/oclif/plugin-autocomplete) | `3.2.48` | `3.2.50` |
| [@oclif/plugin-warn-if-update-available](https://github.com/oclif/plugin-warn-if-update-available) | `3.1.63` | `3.1.65` |
| [sigstore](https://github.com/sigstore/sigstore-js) | `4.1.0` | `4.1.1` |
| [ws](https://github.com/websockets/ws) | `8.20.0` | `8.21.0` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.14.0` | `1.17.0` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |



Updates `@inquirer/prompts` from 8.4.2 to 8.5.1
- [Release notes](https://github.com/SBoudrias/Inquirer.js/releases)
- [Commits](https://github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@8.4.2...@inquirer/prompts@8.5.1)

Updates `@oclif/core` from 4.11.1 to 4.11.4
- [Release notes](https://github.com/oclif/core/releases)
- [Changelog](https://github.com/oclif/core/blob/main/CHANGELOG.md)
- [Commits](oclif/core@4.11.1...4.11.4)

Updates `@oclif/plugin-autocomplete` from 3.2.48 to 3.2.50
- [Release notes](https://github.com/oclif/plugin-autocomplete/releases)
- [Changelog](https://github.com/oclif/plugin-autocomplete/blob/main/CHANGELOG.md)
- [Commits](oclif/plugin-autocomplete@3.2.48...3.2.50)

Updates `@oclif/plugin-warn-if-update-available` from 3.1.63 to 3.1.65
- [Release notes](https://github.com/oclif/plugin-warn-if-update-available/releases)
- [Changelog](https://github.com/oclif/plugin-warn-if-update-available/blob/main/CHANGELOG.md)
- [Commits](oclif/plugin-warn-if-update-available@3.1.63...3.1.65)

Updates `sigstore` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/sigstore-js/releases)
- [Commits](https://github.com/sigstore/sigstore-js/compare/sigstore@4.1.0...sigstore@4.1.1)

Updates `ws` from 8.20.0 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.21.0)

Updates `lucide-react` from 1.14.0 to 1.17.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.17.0/packages/lucide-react)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

---
updated-dependencies:
- dependency-name: "@inquirer/prompts"
  dependency-version: 8.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-patch
- dependency-name: "@oclif/core"
  dependency-version: 4.11.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-minor-patch
- dependency-name: "@oclif/plugin-autocomplete"
  dependency-version: 3.2.50
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-minor-patch
- dependency-name: "@oclif/plugin-warn-if-update-available"
  dependency-version: 3.1.65
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-minor-patch
- dependency-name: sigstore
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-minor-patch
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-patch
- dependency-name: lucide-react
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-patch
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies label (Pull requests that update a dependency file) on Jun 2, 2026

vercel Bot commented Jun 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| cli-web-cli | Ready | Preview, Comment | Jun 2, 2026 3:52am |


@ci-lockfile-regen

Dependabot Fix Assessment

Package: group bump (8 packages) — all patch/minor
Scope: runtime dependencies + devDependencies
Workspace: root

What changed upstream

  • @inquirer/prompts 8.4.2 → 8.5.1 (mute-stream rollback, vim/emacs keybindings env var)
  • @oclif/core 4.11.1 → 4.11.4 (minor patches)
  • @oclif/plugin-autocomplete 3.2.48 → 3.2.50 (minor patches)
  • @oclif/plugin-warn-if-update-available 3.1.63 → 3.1.65 (minor patches)
  • sigstore 4.1.0 → 4.1.1 (patch)
  • ws 8.20.0 → 8.21.0 (minor patch)
  • lucide-react 1.14.0 → 1.17.0 (icon additions/updates)
  • tailwind-merge 3.5.0 → 3.6.0 (minor patch)

Migration concerns checked

  • Peer dependencies: OK
  • Type changes: OK — no breaking type changes in any of these packages
  • Config files: OK — no config format changes
  • Module format: OK — all packages maintained same ESM/CJS format
  • React compatibility: OK — lucide-react and tailwind-merge are UI-only, not in the CLI core
  • Monorepo impact: OK — lucide-react/tailwind-merge are in react-web-cli workspace only

What broke

All 4 CI failures share a single root cause: the Ably Control API returned HTTP 500 Internal Server Error when listing integration rules (GET /apps/{appId}/rules) during the E2E test run. This is a transient server-side error.

  • test/e2e/integrations/integrations-e2e.test.ts:53 integrations list exited with code 1 due to HTTP 500
  • test/e2e/control-api.test.ts:293 controlApi.listRules() threw CommandError: API request failed (500 Internal Server Error)
  • test/e2e/control/control-api-workflows.test.ts:723 — cascade failure: result is null because list returned an error envelope, not a result record
  • test/e2e/control/control-api-workflows.test.ts:1140 — cascade failure from the same upstream 500

None of the 8 bumped packages are involved in making REST HTTP requests to the Ably Control API. The ws WebSocket library update is irrelevant because the Control API uses REST/HTTP (fetch), not WebSocket connections.

What was fixed

No code changes needed. The failures are caused by a transient Ably API server error, not by the dependency update.

Verification

  • Build: ✅ (no code changes)
  • Lint: ✅ (no code changes)
  • Unit tests: ✅ (no code changes)
  • Web CLI tests: ✅ (no code changes)

Notes for reviewer

The failing tests should pass on a CI re-run. The Ably Control API's integration rules endpoint returned HTTP 500 during this specific run — this is a known flaky failure pattern for E2E tests that hit live APIs. The dependency bump itself is safe to merge.
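
Added example, not part of this PR or of Dependabot's tooling: a triage pass over a grouped bump's release notes that lists which packages carry security-marked entries, so they get a human look before merge. The sample input is constructed from lines quoted in the PR body above; the marker patterns and the `ALWAYS_REVIEW` list are assumptions of the sketch.

```javascript
// Added example, not part of the PR. SAMPLE_BODY is constructed from lines
// quoted on this page; MARKERS and ALWAYS_REVIEW are assumptions of this sketch.
const SAMPLE_BODY = `
Updates sigstore from 4.1.0 to 4.1.1
Patch Changes
  • 7845532: Verification of OID certificate extensions
  • f074710: Require inclusion promise in Rekor entry when used as timestamp source
Updates ws from 8.20.0 to 8.21.0
Bug fixes
  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).
Commits
  • bca91ad [dist] 8.21.0
  • 2b2abd4 [security] Limit retained message parts
  • 78eabe2 [security] Add latest vulnerability to SECURITY.md
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
Updates tailwind-merge from 3.5.0 to 3.6.0
Commits
  • d54f7e5 v3.6.0
  • 638871a Update README to add info about Tailwind CSS v4.3 support
`;

// Wording that suggests a security fix inside a routine version bump.
const MARKERS = [/\[security\]/i, /\bvulnerabilit(y|ies)\b/i, /\bDoS\b/, /\bdisclosure\b/i];
// Packages whose job is verification: any change is reviewed, keywords or not.
const ALWAYS_REVIEW = new Set(['sigstore']);

function triageGroupedBump(body) {
  const packages = [];
  let current = null;
  for (const raw of body.split('\n')) {
    // Rendered PR pages carry zero-width spaces inside @scope/name mentions.
    const line = raw.replace(/\u200b/g, '').trim();
    const header = /^Updates `?([^\s`]+)`? from (\S+) to (\S+)$/.exec(line);
    if (header) {
      const [, name, from, to] = header;
      current = { name, from, to, reasons: [] };
      if (ALWAYS_REVIEW.has(name)) current.reasons.push('security-critical package');
      packages.push(current);
    } else if (current && MARKERS.some((re) => re.test(line))) {
      current.reasons.push(line.replace(/^[•*-]\s*/, ''));
    }
  }
  // Only packages with at least one reason need a human look before merge.
  return packages.filter((p) => p.reasons.length > 0);
}

for (const p of triageGroupedBump(SAMPLE_BODY)) {
  console.log(`${p.name} ${p.from} -> ${p.to}`);
  for (const r of p.reasons) console.log(`  ${r}`);
}
```

On this sample it reports sigstore (always reviewed) and ws (one release-note line and three `[security]` commits); tailwind-merge is not listed.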
