Release 2026-05-05 00:00

• fix plain TypeScript parser handling (#7342) (056337ef02) by @schiller-manuel

• @tanstack/react-start@1.167.63
• @tanstack/react-start-rsc@0.0.42
• @tanstack/router-cli@1.166.41
• @tanstack/router-generator@1.166.40
• @tanstack/router-plugin@1.167.33
• @tanstack/router-utils@1.161.8
• @tanstack/router-vite-plugin@1.166.48
• @tanstack/solid-start@1.167.60
• @tanstack/start-plugin-core@1.169.18
• @tanstack/vue-start@1.167.56

This release includes an improvement in the devtools middleware.

• refactor(devtools): remove duplicate module augmentation by @mahmoodhamdi in https://github.com/pmndrs/zustand/pull/3443
• fix(devtools): support Firefox/Safari stack format in findCallerName by @SBolsec in https://github.com/pmndrs/zustand/pull/3469

• @mahmoodhamdi made their first contribution in https://github.com/pmndrs/zustand/pull/3443
• @FelixEckl-vireq made their first contribution in https://github.com/pmndrs/zustand/pull/3466
• @KimHyeongRae0 made their first contribution in https://github.com/pmndrs/zustand/pull/3471
• @lstak made their first contribution in https://github.com/pmndrs/zustand/pull/3483
• @AlexRixten made their first contribution in https://github.com/pmndrs/zustand/pull/3474
• @SBolsec made their first contribution in https://github.com/pmndrs/zustand/pull/3469

Full Changelog: https://github.com/pmndrs/zustand/compare/v5.0.12...v5.0.13

• Upgrade React from da9325b5-20260417 to f4e0d4ed-20260429: #93457
• Bump @vercel/ncc: #93459
• Include deployment id in cacheHandlers keys: #93453
• fix(next/image): Improve error message for private IP (SSRF) rejections: #91686

• Upgrade to swc 65: #93325
• [test] Ensure target page is compiled before navigation in instant-navs-devtools: #93365
• [ci] Allow configuring the base URL for preview builds: #93464
• turbo-tasks-backend: fix snapshot coordination races + extract SnapshotCoordinator: #93416

Huge thanks to @mischnic, @vercel-release-bot, @eps1lon, @rishishanbhag, and @lukesandberg for helping!

• Fix/docs build typeoperator and anchor by @mathuo in https://github.com/mathuo/dockview/pull/1224
• fix(docs): drop theme entries whose import resolved to undefined by @mathuo in https://github.com/mathuo/dockview/pull/1225
• fix(docs): bump dockview-{react,core} dep range to ^6.0.0 by @mathuo in https://github.com/mathuo/dockview/pull/1226
• fix(docs): rename demo localStorage key to dv-demo-state-v6 and clear… by @mathuo in https://github.com/mathuo/dockview/pull/1227
• Fix: fix angular types path for v21 by @puschie286 in https://github.com/mathuo/dockview/pull/1231

Full Changelog: https://github.com/mathuo/dockview/compare/v6.0.0...v6.0.1

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

• Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)

• Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
• Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
• Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
• Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
• Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
• URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
• Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)

• Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)

Full Changelog

• df81c144fb148b64140d761aa61f032a7f429e12 #4523 Thanks @exzos28! - Make FlowCancellationError a proper Error instance while preserving its previous string representation.

• 21fc4de6c09a77caf115aedd2fe6df972637412b #4626 Thanks @kubk! - Export CancellablePromise from the public mobx entrypoint.

• #16292 00f48ee Thanks @p-linnane! - Fixes head metadata propagation in dev for adapters that load modules in the prerender Vite environment, such as @astrojs/cloudflare. The astro:head-metadata plugin previously only tracked the ssr environment, so maybeRenderHead() could fire inside an unrelated component's <template> element, trapping subsequent hoisted <style> blocks.

• #16451 778865f Thanks @maximslo! - Fixes build crash when processing animated AVIF images. Sharp now gracefully passes through unsupported image formats instead of crashing during the build.

• #16548 7214d3e Thanks @senutpal! - Fixes scoped styles applying to the wrong element when vite.css.transformer is set to 'lightningcss' and a selector uses a nested & inside :where(...), such as Tailwind v4's space-x-*, space-y-*, and divide-* utilities.

• #16566 9ac96b4 Thanks @web-dev0521! - Fixes data-astro-prefetch="tap" not triggering when clicking nested elements (e.g. <span>, <img>, <svg>) inside an anchor tag.

• #15994 1e70d18 Thanks @ossaidqadri! - Fix <style> compilation failure when importing Astro components via tsconfig path aliases

• #16144 1cd6650 Thanks @fkatsuhiro! - Fixed a regression where .html was unexpectedly stripped from dynamic route parameters on non-page routes (.ts endpoints and redirects). This caused endpoints like /some/[...id].ts returning id: 'file.html' on getStaticPaths to not serve that file because the generated route (/some/file.html) would get matched as id: file that is not part of the list returned by getStaticPaths.

• #16415 559c0fd Thanks @0xbejaxer! - Fix CSS traversal boundaries so pages with export const partial = true still contribute styles when imported as components by other pages.

• #16516 17f1867 Thanks @fkatsuhiro! - Fixes an issue where the index route would return a 404 error when using a custom base path combined with trailingSlash: 'never'. This ensures that the home page and internal rewrites are correctly matched under these configurations.

• #16515 280ec88 Thanks @jp-knj! - Fixes an issue where i18n.fallback pages with fallbackType: 'rewrite' were emitted with empty bodies during astro build.

• #16565 7959798 Thanks @enjoyandlove! - Fixes session persistence when session.delete() is the first mutation in a request (no prior get, set, has, or keys). The session was marked dirty in memory, but persistence skipped the save because #data stayed undefined, so the backing store could still return the deleted key on the next request.

• #16527 86fd80d Thanks @enjoyandlove! - Prevents script deduplication state from being consumed while rendering inert <template> contexts.

• #16540 e59c637 Thanks @ascorbic! - Skips session storage reads when no session cookie is present. Previously, calling session.get() on a request without a session cookie would initialize the storage driver and make a read that was guaranteed to miss. On network-backed drivers this added latency and resource usage to every anonymous request.

• #16517 6ab0b3c Thanks @adamchal! - Removes inline CSS for prerendered routes from the SSR manifest. The static HTML on disk already inlines those styles, and the SSR worker never renders prerendered routes, so the data was dead weight. Builds with many prerendered routes and build.inlineStylesheets: "always" (or "auto" with small stylesheets) will see a smaller SSR entry chunk, which reduces cold-start parse time on platforms like Cloudflare Workers.

• #16509 d3d3557 Thanks @cyphercodes! - Fix conditional named slot callbacks receiving arguments from Astro.slots.render().

• #16236 c6b068e Thanks @fkatsuhiro! - Fixes the position prop on <Image /> and <Picture /> components to correctly apply object-position styles

• #16018 d14f47c Thanks @felmonon! - Fix defineLiveCollection() so LiveLoader data types declared as interfaces are accepted.

• #16552 409f6ef Thanks @web-dev0521! - Fixes an issue where existing KV namespace bindings were silently removed when session support was enabled.

• #16277 7666bcd Thanks @Calvin-LL! - Fix static assets and prerendered pages 404ing when base is configured.

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.3

• Import error on recording.ts  -  by @toreis-up in https://github.com/slidevjs/slidev/issues/2574 (de8eb)
• Restore Windows virtual style globs  -  by @cyphercodes and cyphercodes in https://github.com/slidevjs/slidev/issues/2573 (ac6e5)
• client: Make drawing stroke-width control click-triggered  -  by @enieuwy in https://github.com/slidevjs/slidev/issues/2565 (9b93d)
• create-slidev: Only scaffold pnpm npmrc for pnpm  -  by @hrithik18k in https://github.com/slidevjs/slidev/issues/2564 (0e814)
• export: Pass timeout to frame.waitForLoadState()  -  by @andreas-taranetz and Claude Sonnet 4.6 in https://github.com/slidevjs/slidev/issues/2578 (36f8a)