41 minutes ago
material-ui

v7.3.11

A big thanks to the 5 contributors who made this release possible.

@mui/material@7.3.11

  • [autocomplete] Fix highlight sync and scroll preservation (#48350) @mj12albert
  • [autocomplete] Fix popper rendering issues (#48343) @mj12albert
  • [autocomplete] Improve highlight tracking and selection state (#48318) @mj12albert
  • [button] Fix startIcon alignment (#48339) @mj12albert
  • [button] Remove duplicated className entries (#48284) @silviuaavram
  • [checkbox] Set aria-checked=mixed when indeterminate (#48286) @mj12albert
  • [dialog][drawer][focus trap] Fix initial focus target (#48324) @mj12albert
  • [drawer] Fix transition jump (#48340) @mj12albert
  • [input] Fix layout shift with display: flex (#48359) @oliviertassinari
  • [inputs] Fix autofocus in SSR environment (#48307) @mj12albert
  • [popper] Persist positioning styles when popperOptions changes reference (#48302) @mj12albert
  • [switch] Fix incorrect role with slotProps.input (#48472) @mj12albert
  • [utils] Add shadow dom utils (#48309) @mj12albert

Docs

  • [docs] Update banner to announce v9 (#48299) @siriwatknp
  • [docs] Add v9 in the versions select in v7.mui.com (#48233) @alexfauquette

Core

  • [internal] Update some host-reference entries (#48225) @silviuaavram

All contributors of this release in alphabetical order: @alexfauquette, @mj12albert, @oliviertassinari, @silviuaavram, @siriwatknp

4 hours ago
next.js

v16.3.0-canary.13

Core Changes

  • Disable instant validations in draft mode: #93472

Misc Changes

  • Drop ReferencedAsset::from_resolve_result as a turbotask: #93297
  • Turbopack: Cache effect errors, replace the write_lock Mutex with a lazily created Notify instance: #93476

Credits

Huge thanks to @samselikoff, @lukesandberg, and @bgw for helping!

5 hours ago
router

Release 2026-05-06 23:03

Release 2026-05-06 23:03

Changes

Fix

  • Bump jiti to 2.7.0 (#7355) (c5811aacb5) by @Copilot

Packages

  • @tanstack/react-start@1.167.65
  • @tanstack/react-start-rsc@0.0.44
  • @tanstack/router-cli@1.166.43
  • @tanstack/router-generator@1.166.42
  • @tanstack/router-plugin@1.167.35
  • @tanstack/router-vite-plugin@1.166.50
  • @tanstack/solid-start@1.167.62
  • @tanstack/start-plugin-core@1.169.20
  • @tanstack/vue-start@1.167.58
6 hours ago
dockview

v6.0.5

What's Changed

Full Changelog: https://github.com/mathuo/dockview/compare/v6.0.4...v6.0.5

6 hours ago
etherpad-lite

v2.7.3

2.7.3

Breaking changes

  • Minimum required Node.js version is now 22.13. Node.js 20 is reaching end-of-life (see https://nodejs.org/en/about/previous-releases) and pnpm 11 hard-rejects Node releases older than 22.13. The CI matrix targets Node 22, 24, and 25. Upgrading should be straightforward — install a current Node.js release before updating Etherpad.
  • The official Docker image no longer ships curl, npm, or npx. These were dropped to remove transitive CVEs (curl/libcurl SMB advisories, npm's bundled picomatch 4.0.3 and brace-expansion 2.0.2). The container's healthcheck now uses wget (busybox built-in, always present), and Etherpad provisions pnpm via corepack for all runtime package operations. If you exec into the container and rely on curl or npm for ad-hoc tasks, install them on demand with apk add curl or use the busybox wget / pnpm already present.

Notable enhancements

  • GDPR / privacy controls. A multi-PR series adds the building blocks operators need to satisfy data-subject requests:
    • Pad deletion controls (admin-driven and self-service).
    • IP / privacy audit pass across the codebase.
    • Author-token cookies are now HttpOnly, removing them from JavaScript reach.
    • Configurable privacy banner shown on first visit.
    • Author erasure: an authenticated path for purging an individual author's identity and contributions.
  • Self-update subsystem (Tier 1: notify).
    • Periodic check against the GitHub Releases API for the configured repo (default ether/etherpad). Configurable via the new updates.* settings block, default tier "notify". Set updates.tier to "off" to disable entirely.
    • The admin UI shows a banner and a dedicated "Etherpad updates" page with the current version, latest version, install method, and changelog.
    • Pad users see a discreet footer badge only when the running version is severely outdated (one or more major versions behind) or flagged as vulnerable in a recent release manifest. The public endpoint that drives this never leaks the version string itself.
    • New top-level adminEmail setting. When set, the updater emails the admin on first detection of severe / vulnerable status, with escalating cadence (weekly while vulnerable, monthly while severely outdated). PR 1 ships the dedupe + cadence logic; real SMTP wiring lands in a follow-up PR.
    • Tier 1 ships in this release. Tiers 2 (manual click), 3 (auto with grace window) and 4 (autonomous in maintenance window) are designed and will land in subsequent releases.
    • See doc/admin/updates.md for full configuration.
  • Pad compaction. New compactPad HTTP API plus bin/compactPad and bin/compactAllPads CLIs to reclaim database space on long-lived pads with heavy edit history (issue #6194). --keep N retains the last N revisions; --dry-run previews per-pad rev counts before writing. Per-pad failures don't stop the bulk run.
  • New packaging targets.
    • Etherpad is now published as a Snap package.
    • Debian (.deb) packages are built via nfpm with a systemd unit, and a signed apt repository is published to etherpad.org/apt.
  • Editor enhancements.
    • IDE-style line operations: keyboard shortcuts to duplicate or delete the current line.
    • New showMenuRight URL parameter to hide the right-side toolbar — useful for embeds that need slimmer chrome.
    • Click a user in the userlist to open chat with @<name> prefilled, making mentions discoverable.
    • New padOptions.fadeInactiveAuthorColors setting plus a toolbar UI to fade the background colors of authors who have left the pad.
  • Color contrast. Author colors now pick the WCAG-higher-contrast text color for readability.
  • Social / mobile metadata. Pad, timeslider, and home views now emit Open Graph and Twitter Card tags (closes #7599) and a theme-color meta that matches the toolbar on mobile.
  • Plugin admin UX. The /admin plugin browser surfaces each plugin's ep.json disables declarations, so operators can see what a plugin will turn off before installing.

Notable fixes

  • Socket.io: don't kick authenticated duplicate-author sessions. A regression where two tabs from the same authenticated author could evict each other has been fixed (#7656 / #7678).
  • Anchor scrolling. Anchor-link navigation now waits for layout to settle, so jumping to a deep link no longer overshoots.
  • Plugin updater. bin/updatePlugins.sh actually updates installed plugins again (closes #6670).
  • Settings: stable per-release version string. randomVersionString is now derived from the release identity rather than regenerated on each boot, so caches behave correctly across restarts of the same version.

Internal / contributor-facing

  • The HTTP client in the backend has been migrated from axios to the built-in fetch API, dropping a dependency now that Node 22 ships a stable fetch.
  • admin/ and ui/ workspaces moved from rolldown-vite to upstream Vite 8.
  • Build and CI moved to pnpm 11 (packageManager: "pnpm@11.0.6"); the Dockerfile, snap, and all GitHub workflows are aligned. pnpm overrides have been migrated from package.json to pnpm-workspace.yaml to match pnpm 11's expectations.
  • All client modules have been converted to ESM.
  • The CI matrix tests Node 22, 24, and 25; on PRs the matrix is reduced to a single Node version to keep feedback fast.
  • Frontend Playwright tests now run against the /ether plugin set, with feature-tag based skips so plugin-incompatible specs are excluded automatically.
  • Build hardening: signed apt repo publishing, frozen lockfile installs across CI, Node setup pinned in every workflow, and a Docker-image CVE sweep that bumps npm, pnpm, and uuid.

Localisation

  • Multiple updates from translatewiki.net.
6 hours ago
etherpad

v2.7.3

2.7.3

Breaking changes

  • Minimum required Node.js version is now 22.13. Node.js 20 is reaching end-of-life (see https://nodejs.org/en/about/previous-releases) and pnpm 11 hard-rejects Node releases older than 22.13. The CI matrix targets Node 22, 24, and 25. Upgrading should be straightforward — install a current Node.js release before updating Etherpad.
  • The official Docker image no longer ships curl, npm, or npx. These were dropped to remove transitive CVEs (curl/libcurl SMB advisories, npm's bundled picomatch 4.0.3 and brace-expansion 2.0.2). The container's healthcheck now uses wget (busybox built-in, always present), and Etherpad provisions pnpm via corepack for all runtime package operations. If you exec into the container and rely on curl or npm for ad-hoc tasks, install them on demand with apk add curl or use the busybox wget / pnpm already present.

Notable enhancements

  • GDPR / privacy controls. A multi-PR series adds the building blocks operators need to satisfy data-subject requests:
    • Pad deletion controls (admin-driven and self-service).
    • IP / privacy audit pass across the codebase.
    • Author-token cookies are now HttpOnly, removing them from JavaScript reach.
    • Configurable privacy banner shown on first visit.
    • Author erasure: an authenticated path for purging an individual author's identity and contributions.
  • Self-update subsystem (Tier 1: notify).
    • Periodic check against the GitHub Releases API for the configured repo (default ether/etherpad). Configurable via the new updates.* settings block, default tier "notify". Set updates.tier to "off" to disable entirely.
    • The admin UI shows a banner and a dedicated "Etherpad updates" page with the current version, latest version, install method, and changelog.
    • Pad users see a discreet footer badge only when the running version is severely outdated (one or more major versions behind) or flagged as vulnerable in a recent release manifest. The public endpoint that drives this never leaks the version string itself.
    • New top-level adminEmail setting. When set, the updater emails the admin on first detection of severe / vulnerable status, with escalating cadence (weekly while vulnerable, monthly while severely outdated). PR 1 ships the dedupe + cadence logic; real SMTP wiring lands in a follow-up PR.
    • Tier 1 ships in this release. Tiers 2 (manual click), 3 (auto with grace window) and 4 (autonomous in maintenance window) are designed and will land in subsequent releases.
    • See doc/admin/updates.md for full configuration.
  • Pad compaction. New compactPad HTTP API plus bin/compactPad and bin/compactAllPads CLIs to reclaim database space on long-lived pads with heavy edit history (issue #6194). --keep N retains the last N revisions; --dry-run previews per-pad rev counts before writing. Per-pad failures don't stop the bulk run.
  • New packaging targets.
    • Etherpad is now published as a Snap package.
    • Debian (.deb) packages are built via nfpm with a systemd unit, and a signed apt repository is published to etherpad.org/apt.
  • Editor enhancements.
    • IDE-style line operations: keyboard shortcuts to duplicate or delete the current line.
    • New showMenuRight URL parameter to hide the right-side toolbar — useful for embeds that need slimmer chrome.
    • Click a user in the userlist to open chat with @<name> prefilled, making mentions discoverable.
    • New padOptions.fadeInactiveAuthorColors setting plus a toolbar UI to fade the background colors of authors who have left the pad.
  • Color contrast. Author colors now pick the WCAG-higher-contrast text color for readability.
  • Social / mobile metadata. Pad, timeslider, and home views now emit Open Graph and Twitter Card tags (closes #7599) and a theme-color meta that matches the toolbar on mobile.
  • Plugin admin UX. The /admin plugin browser surfaces each plugin's ep.json disables declarations, so operators can see what a plugin will turn off before installing.

Notable fixes

  • Socket.io: don't kick authenticated duplicate-author sessions. A regression where two tabs from the same authenticated author could evict each other has been fixed (#7656 / #7678).
  • Anchor scrolling. Anchor-link navigation now waits for layout to settle, so jumping to a deep link no longer overshoots.
  • Plugin updater. bin/updatePlugins.sh actually updates installed plugins again (closes #6670).
  • Settings: stable per-release version string. randomVersionString is now derived from the release identity rather than regenerated on each boot, so caches behave correctly across restarts of the same version.

Internal / contributor-facing

  • The HTTP client in the backend has been migrated from axios to the built-in fetch API, dropping a dependency now that Node 22 ships a stable fetch.
  • admin/ and ui/ workspaces moved from rolldown-vite to upstream Vite 8.
  • Build and CI moved to pnpm 11 (packageManager: "pnpm@11.0.6"); the Dockerfile, snap, and all GitHub workflows are aligned. pnpm overrides have been migrated from package.json to pnpm-workspace.yaml to match pnpm 11's expectations.
  • All client modules have been converted to ESM.
  • The CI matrix tests Node 22, 24, and 25; on PRs the matrix is reduced to a single Node version to keep feedback fast.
  • Frontend Playwright tests now run against the /ether plugin set, with feature-tag based skips so plugin-incompatible specs are excluded automatically.
  • Build hardening: signed apt repo publishing, frozen lockfile installs across CI, Node setup pinned in every workflow, and a Docker-image CVE sweep that bumps npm, pnpm, and uuid.

Localisation

  • Multiple updates from translatewiki.net.
6 hours ago
ionic-framework

v8.8.6

8.8.6 (2026-05-06)

Bug Fixes

  • action-sheet: restore action-sheet-selected class on non-radio buttons (#31109) (c18502f), closes #31090
  • datetime: prevent hidden-state observer from tearing down ready class on initial entry (#31108) (30b479a)
  • segment: segment drag would set disabled segment button checked (#31112) (44be424)
9 hours ago
next.js

v16.3.0-canary.12

Core Changes

  • Refactor: Decouple request store creation from req / res: #93499
  • Detect 'use cache' module-scope deadlocks early in dev: #93500
  • Bundle the 'use cache' deadlock probe worker: #93538
  • Support configuring a default instant validation level : #93301
  • Upgrade React from f4e0d4ed-20260429 to dd453071-20260506: #93547

Misc Changes

  • [turbopack] shrink the size of futures: #93474
  • [turbopack] Simplify local task tracking: #93478
  • [turbopack] correct a fencepost error in our inline string descision: #93524
  • Turbopack: make rcstr! macro expansion const: #93516
  • Turbopack: lazy aggregation optimize via persistent pending flag: #93454
  • docs: remove unreachable forms and mutations: #93509
  • docs: broken link from usePathname compat call out: #93528
  • Turbopack: really fix MAX_INLINE_LEN: #93531
  • [ci] Clarify new preview build flow: #93540
  • Turbopack: simplify asset ident constructors: #93213

Credits

Huge thanks to @lukesandberg, @unstubbable, @mischnic, @sokra, @icyJoseph, @eps1lon, @gnoff, and @vercel-release-bot for helping!