fix(deps): update all non-major updates

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@tailwindcss/postcss (source)	4.2.1 → 4.3.0			devDependencies	minor
@tanstack/react-query (source)	5.90.21 → 5.100.11			dependencies	minor
@types/node (source)	24.12.0 → 24.12.4			devDependencies	patch
@vitejs/plugin-react-swc (source)	4.2.3 → 4.3.1			devDependencies	minor
aiohttp	==3.13.3 → ==3.13.5			project.optional-dependencies	patch
anyio (changelog)	==4.12.1 → ==4.13.0			project.optional-dependencies	minor
autoprefixer	10.4.27 → 10.5.0			devDependencies	minor
build (changelog)	==1.4.0 → ==1.5.0			project.optional-dependencies	minor
certifi	==2026.2.25 → ==2026.4.22			project.optional-dependencies	minor
charset-normalizer (changelog)	==3.4.5 → ==3.4.7			project.optional-dependencies	patch
click (changelog)	==8.3.1 → ==8.4.0			project.optional-dependencies	minor
date-fns	4.1.0 → 4.2.1			dependencies	minor
eslint (source)	10.0.3 → 10.4.0			devDependencies	minor
eslint-plugin-react-hooks (source)	7.0.1 → 7.1.1			devDependencies	minor
ezcord	==0.7.4 → ==0.8.0			project.optional-dependencies	minor
fastapi (changelog)	==0.135.1 → ==0.136.1			project.optional-dependencies	minor
framer-motion	12.36.0 → 12.39.0			dependencies	minor
globals	17.4.0 → 17.6.0			devDependencies	minor
idna (changelog)	==3.11 → ==3.15			project.optional-dependencies	minor
myst-parser	==5.0.0 → ==5.1.0			project.optional-dependencies	minor
node	24.14.0 → 24.15.0			uses-with	minor
postcss (source)	8.5.10 → 8.5.15			devDependencies	patch
propcache	==0.4.1 → ==0.5.2			project.optional-dependencies	minor
py-cord (changelog)	==2.7.1 → ==2.8.0			project.optional-dependencies	minor
react (source)	19.2.4 → 19.2.6			dependencies	patch
react-dom (source)	19.2.4 → 19.2.6			dependencies	patch
react-hook-form (source)	7.71.2 → 7.76.0			dependencies	minor
react-resizable-panels (source)	4.7.2 → 4.11.1			dependencies	minor
react-router-dom (source)	7.13.1 → 7.15.1			dependencies	minor
requests (changelog)	==2.32.5 → ==2.34.2			project.optional-dependencies	minor
shiki (source)	4.0.2 → 4.1.0			dependencies	minor
tailwind-merge	3.5.0 → 3.6.0			dependencies	minor
tailwindcss (source)	4.2.1 → 4.3.0			devDependencies	minor
typescript-eslint (source)	8.57.0 → 8.59.4			devDependencies	minor
urllib3 (changelog)	==2.6.3 → ==2.7.0			project.optional-dependencies	minor
uvicorn (changelog)	==0.41.0 → ==0.47.0			project.optional-dependencies	minor
vite (source)	7.3.2 → 7.3.3			devDependencies	patch
vitest (source)	4.0.18 → 4.1.6			devDependencies	minor
zod (source)	4.3.6 → 4.4.3			dependencies	minor

---

Release Notes

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.3.0

Compare Source

Added

• Add @container-size utility (#​18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#​19981, #​20019)
• Add scrollbar-gutter-* utilities (#​20018)
• Add zoom-* utilities (#​20020)
• Add tab-* utilities (#​20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#​19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#​19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#​19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#​19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#​19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#​19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#​19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#​19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#​19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#​19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#​19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#​19918)
• Allow multiple @utility definitions with the same name but different value types (#​19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#​19707)
• Ensure start and end legacy utilities without values do not generate CSS (#​20003)
• Ensure --value(…) is required in functional @utility definitions (#​20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#​20011)

v4.2.4

Compare Source

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#​19947)

v4.2.3

Compare Source

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#​19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#​19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#​19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#​19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#​19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#​19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#​19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#​19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#​19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#​19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#​19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#​19846)
• Upgrade: never migrate files that are ignored by git (#​19846)
• Add .env and .env.* to default ignored content files (#​19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#​19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#​19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#​19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#​19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#​19858)
• Improve performance when scanning JSONL / NDJSON files (#​19862)
• Support NODE_PATH environment variable in standalone CLI (#​19617)

v4.2.2

Compare Source

Fixed

• Don't crash when candidates contain prototype properties like row-constructor (#​19725)
• Canonicalize calc(var(--spacing)*…) expressions into --spacing(…) (#​19769)
• Fix crash in canonicalization step when handling utilities containing @property at-rules (e.g. shadow-sm border) (#​19727)
• Skip full reload for server only modules scanned by client CSS when using @tailwindcss/vite (#​19745)
• Add support for Vite 8 in @tailwindcss/vite (#​19790)
• Improve canonicalization for bare values exceeding default spacing scale suggestions (e.g. w-1234 h-1234 → size-1234) (#​19809)
• Fix canonicalization resulting in empty list (e.g. w-5 h-5 size-5 → '' instead of size-5) (#​19812)

TanStack/query (@​tanstack/react-query)

v5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

v5.100.10

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.10

v5.100.9

Compare Source

Patch Changes

• Updated dependencies [fcee7bd]:
  • @​tanstack/query-core@​5.100.9

v5.100.8

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.8

v5.100.7

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.7

v5.100.6

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.6

v5.100.5

Compare Source

Patch Changes

• Updated dependencies [a53ef97]:
  • @​tanstack/query-core@​5.100.5

v5.100.4

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.4

v5.100.3

Compare Source

Patch Changes

• fix(suspense): skip calling combine when queries would suspend (#​10576)

• Updated dependencies [f85d825]:

  • @​tanstack/query-core@​5.100.3

v5.100.2

Patch Changes

• Updated dependencies [ea4497e, d6a7bf3, 645d5d1]:
  • @​tanstack/query-core@​5.100.2

v5.100.1

Patch Changes

• Updated dependencies [1bb0d23]:
  • @​tanstack/query-core@​5.100.1

v5.100.0

Compare Source

Patch Changes

• Updated dependencies [6540a41]:
  • @​tanstack/query-core@​5.100.0

v5.99.2

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.2

v5.99.1

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.1

v5.99.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.0

v5.98.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.98.0

v5.97.0

Compare Source

Patch Changes

• Updated dependencies [2bfb12c]:
  • @​tanstack/query-core@​5.97.0

v5.96.2

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.96.2

v5.96.1

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.96.1

v5.96.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.96.0

v5.95.2

Compare Source

Patch Changes

• Updated dependencies [cd5a35b]:
  • @​tanstack/query-core@​5.95.2

v5.95.1

Compare Source

Patch Changes

• Updated dependencies [1f1775c]:
  • @​tanstack/query-core@​5.95.1

v5.95.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.95.0

v5.94.5

Compare Source

Patch Changes

• fix(*): resolve issue about excluded build directory (#​10312)

• Updated dependencies [4b6536d]:

  • @​tanstack/query-core@​5.94.5

v5.94.4

Compare Source

Patch Changes

• chore: fixed version (#​10064)

• Updated dependencies [4c75210]:

  • @​tanstack/query-core@​5.94.4

v5.91.3

Compare Source

Patch Changes

• fix: stop node types from leaking into browser (#​10302)

v5.91.2

Compare Source

Patch Changes

• fix(streamedQuery): maintain error state on reset refetch with initialData defined (#​10287)

• Updated dependencies [248975e]:

  • @​tanstack/query-core@​5.91.2

v5.91.0

Compare Source

Minor Changes

• feat: environmentManager (#​10199)

Patch Changes

• Updated dependencies [6fa901b]:
  • @​tanstack/query-core@​5.91.0

vitejs/vite-plugin-react (@​vitejs/plugin-react-swc)

v4.3.1

Compare Source

Avoid esbuild warnings with Vite 8 #​1195

Fixes #​1187.

v4.3.0

Compare Source

Add Vite 8 to peerDependencies range #​1142

This plugin is compatible with Vite 8.

aio-libs/aiohttp (aiohttp)

v3.13.5

Compare Source

===================

Bug fixes

• Skipped the duplicate singleton header check in lax mode (the default for response
  parsing). In strict mode (request parsing, or -X dev), all RFC 9110 singletons
  are still enforced -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:12302.

---

v3.13.4

Compare Source

===================

Features

• Added max_headers parameter to limit the number of headers that should be read from a response -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11955.

• Added a dns_cache_max_size parameter to TCPConnector to limit the size of the cache -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:12106.

Bug fixes

• Fixed server hanging indefinitely when chunked transfer encoding chunk-size
  does not match actual data length. The server now raises
  TransferEncodingError instead of waiting forever for data that will
  never arrive -- by :user:Fridayai700.

  Related issues and pull requests on GitHub:
  :issue:10596.

• Fixed access log timestamps ignoring daylight saving time (DST) changes. The
  previous implementation used :py:data:time.timezone which is a constant and
  does not reflect DST transitions -- by :user:nightcityblade.

  Related issues and pull requests on GitHub:
  :issue:11283.

• Fixed RuntimeError: An event loop is running error when using aiohttp.GunicornWebWorker
  or aiohttp.GunicornUVLoopWebWorker on Python >=3.14.
  -- by :user:Tasssadar.

  Related issues and pull requests on GitHub:
  :issue:11701.

• Fixed :exc:ValueError when creating a TLS connection with ClientTimeout(total=0) by converting 0 to None before passing to ssl_handshake_timeout in :py:meth:asyncio.loop.start_tls -- by :user:veeceey.

  Related issues and pull requests on GitHub:
  :issue:11859.

• Restored :py:meth:~aiohttp.BodyPartReader.decode as a synchronous method
  for backward compatibility. The method was inadvertently changed to async
  in 3.13.3 as part of the decompression bomb security fix. A new
  :py:meth:~aiohttp.BodyPartReader.decode_iter method is now available
  for non-blocking decompression of large payloads using an async generator.
  Internal aiohttp code uses the async variant to maintain security protections.

  Changed multipart processing chunk sizes from 64 KiB to 256KiB, to better
  match aiohttp internals
  -- by :user:bdraco and :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11898.

• Fixed false-positive :py:class:DeprecationWarning for passing enable_cleanup_closed=True to :py:class:~aiohttp.TCPConnector specifically on Python 3.12.7.
  -- by :user:Robsdedude.

  Related issues and pull requests on GitHub:
  :issue:11972.

• Fixed _sendfile_fallback over-reading beyond requested count -- by :user:bysiber.

  Related issues and pull requests on GitHub:
  :issue:12096.

• Fixed digest auth dropping challenge fields with empty string values -- by :user:bysiber.

  Related issues and pull requests on GitHub:
  :issue:12097.

• ClientConnectorCertificateError.os_error no longer raises :exc:AttributeError
  -- by :user:themylogin.

  Related issues and pull requests on GitHub:
  :issue:12136.

• Adjusted pure-Python request header value validation to align with RFC 9110 control-character handling, while preserving lax response parser behavior, and added regression tests for Host/header control-character cases.
  -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12231.

• Rejected duplicate singleton headers (Host, Content-Type,
  Content-Length, etc.) in the C extension HTTP parser to match
  the pure Python parser behaviour, preventing potential host-based
  access control bypasses via parser differentials
  -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12240.

• Aligned the pure-Python HTTP request parser with the C parser by splitting
  comma-separated and repeated Connection header values for keep-alive,
  close, and upgrade handling -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12249.

Improved documentation

• Documented :exc:asyncio.TimeoutError for WebSocketResponse.receive()
  and related methods -- by :user:veeceey.

  Related issues and pull requests on GitHub:
  :issue:12042.

Packaging updates and notes for downstreams

• Upgraded llhttp to 3.9.1 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:12069.

Contributor-facing changes

• The benchmark CI job now runs only in the upstream repository -- by :user:Cycloctane.

  It used to always fail in forks, which this change fixed.

  Related issues and pull requests on GitHub:
  :issue:11737.

• Fixed flaky performance tests by using appropriate fixed thresholds that account for CI variability -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:11992.

Miscellaneous internal changes

• Fixed test_invalid_idna to work with idna 3.11 by using an invalid character (\u0080) that is rejected by yarl during URL construction -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12027.

• Fixed race condition in test_data_file on Python 3.14 free-threaded builds -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12170.

---

agronholm/anyio (anyio)

v4.13.0

Compare Source

• Dropped support for Python 3.9
• Added a ttl parameter to the anyio.functools.lru_cache wrapper (#​1073; PR by @​Graeme22)
• Widened the type annotations of file I/O streams to accept IO[bytes] instead of just BinaryIO (#​1078)
• Fixed anyio.Path not being compatible with Python 3.15 due to the removal of pathlib.Path.is_reserved() and the addition of pathlib.Path.__vfspath__() (#​1061; PR by @​veeceey)
• Fixed the BrokenResourceError raised by the asyncio SocketStream not having the original exception as its cause (#​1055; PR by @​veeceey)
• Fixed the TypeError raised when using "func" as a parameter name in pytest.mark.parametrize when using the pytest plugin (#​1068; PR by @​JohnnyDeuss)
• Fixed the pytest plugin not running tests that had the anyio marker added programmatically via pytest_collection_modifyitems (#​422; PR by @​chbndrhnns)
• Fixed cancellation exceptions leaking from a CancelScope on asyncio when they are contained in an exception group alongside non-cancellation exceptions (#​1091; PR by @​gschaffner)
• Fixed Condition.wait() not passing on a notification when the task is cancelled but already received a notification
• Fixed inverted condition in the process pool shutdown phase which would cause still-running pooled processes not to be terminated (#​1074; PR by @​bysiber)

postcss/autoprefixer (autoprefixer)

v10.5.0

Compare Source

• Added mask-position-x and mask-position-y support (by @​toporek).

pypa/build (build)

v1.5.0

Compare Source

What's Changed

• ci: try to improve release docs by @​henryiii in #​1051
• feat: drop 3.9, require 3.10+ by @​henryiii in #​1036
• chore: tox toml by @​henryiii in #​1033
• fix: api should not ignore installed, only CLI by @​henryiii in #​1056

Full Changelog: pypa/build@1.4.4...1.5.0

v1.4.4

Compare Source

What's Changed

• 🐛 fix(release): generate consistent CHANGELOG heading levels by @​gaborbernat in #​1032
• docs: move source links by @​henryiii in #​1034
• revert: drop PEP 660 change by @​henryiii in #​1039
• fix: ignore installed when running pip by @​henryiii in #​1040
• fix: revert part of #​973 by @​henryiii in #​1044
• chore: report coverage failure lines by @​henryiii in #​1046
• tests: fix issue with uv run by @​henryiii in #​1048
• docs: reorganize testing docs for copy/paste by @​abitrolly in #​1043
• tests: keep environment from leaking in Python 3.15 by @​henryiii in #​1049
• docs: fix issue with changelog generation by @​henryiii in #​1050

Full Changelog: pypa/build@1.4.3...1.4.4

v1.4.3

Compare Source

What's Changed

• 🐛 fix(api): resolve thread-safety races in build API by @​gaborbernat in #​1015
• 🐛 fix(builder): validate backend-path entries exist on disk by @​gaborbernat in #​1016
• test: cover config settings build paths by @​terminalchai in #​992
• Add kind=(step, ) for root messages with * by @​abitrolly in #​973
• fix: correct changelog category ordering by @​gaborbernat in #​1017
• 🐛 fix(cli): show full dependency chain in missing deps error by @​gaborbernat in #​1019
• tests: fully annotate by @​henryiii in #​1020
• chore: lazy imports by @​henryiii in #​1021
• chore: adding more ruff codes by @​henryiii in #​1022
• tests: improve annotations by @​henryiii in #​1023
• 🧪 test(coverage): achieve 100% test coverage by @​gaborbernat in #​1018
• chore: add ruff PT by @​henryiii in #​1025
• chore: add ruff PYI by @​henryiii in #​1026
• chore: add ruff SIM/RET by @​henryiii in #​1028
• 🐛 fix(env): strip PYTHONPATH from isolated builds by @​gaborbernat in #​1024
• chore: use ruff ALL by @​henryiii in #​1029
• 🐛 fix(env): prevent pip credential hang with private indexes by @​gaborbernat in #​1030
• 🐛 fix(check_dependency): verify URL reqs via PEP 610 by @​gaborbernat in #​1027

New Contributors

• @​terminalchai made their first contribution in #​992

Full Changelog: pypa/build@1.4.2...1.4.3

v1.4.2

Compare Source

What's Changed

• fix(uv): always pass the python to use by @​henryiii in #​996
• 🐛 fix(release): detect pre-commit environment inconsistencies by @​gaborbernat in #​1001
• 🔧 fix(towncrier): match docstrfmt RST formatting expectations by @​gaborbernat in #​1002
• Fix _has_valid_outer_pip when pip is missing by @​notatallshaw in #​1003
• fix: release changelog issue by @​henryiii in #​1006

New Contributors

• @​notatallshaw made their first contribution in #​1003

Full Changelog: <https://github.com/pypa/build/compare/1.4.1..

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.