41 minutes ago

material-ui

v7.3.11

A big thanks to the 5 contributors who made this release possible.

`@mui/material@7.3.11`

[autocomplete] Fix highlight sync and scroll preservation (#48350) @mj12albert
[autocomplete] Fix popper rendering issues (#48343) @mj12albert
[autocomplete] Improve highlight tracking and selection state (#48318) @mj12albert
[button] Fix startIcon alignment (#48339) @mj12albert
[button] Remove duplicated className entries (#48284) @silviuaavram
[checkbox] Set aria-checked=mixed when indeterminate (#48286) @mj12albert
[dialog][drawer][focus trap] Fix initial focus target (#48324) @mj12albert
[drawer] Fix transition jump (#48340) @mj12albert
[input] Fix layout shift with display: flex (#48359) @oliviertassinari
[inputs] Fix autofocus in SSR environment (#48307) @mj12albert
[popper] Persist positioning styles when popperOptions changes reference (#48302) @mj12albert
[switch] Fix incorrect role with slotProps.input (#48472) @mj12albert
[utils] Add shadow dom utils (#48309) @mj12albert

Docs

[docs] Update banner to announce v9 (#48299) @siriwatknp
[docs] Add v9 in the versions select in v7.mui.com (#48233) @alexfauquette

Core

[internal] Update some host-reference entries (#48225) @silviuaavram

All contributors of this release in alphabetical order: @alexfauquette, @mj12albert, @oliviertassinari, @silviuaavram, @siriwatknp

4 hours ago

next.js

vercel

v16.3.0-canary.13

Core Changes

Disable instant validations in draft mode: #93472

Misc Changes

Drop ReferencedAsset::from_resolve_result as a turbotask: #93297
Turbopack: Cache effect errors, replace the write_lock Mutex with a lazily created Notify instance: #93476

Credits

Huge thanks to @samselikoff, @lukesandberg, and @bgw for helping!

5 hours ago

router

TanStack

Release 2026-05-06 23:03

Changes

Fix

Bump jiti to 2.7.0 (#7355) (c5811aacb5) by @Copilot

Packages

@tanstack/react-start@1.167.65
@tanstack/react-start-rsc@0.0.44
@tanstack/router-cli@1.166.43
@tanstack/router-generator@1.166.42
@tanstack/router-plugin@1.167.35
@tanstack/router-vite-plugin@1.166.50
@tanstack/solid-start@1.167.62
@tanstack/start-plugin-core@1.169.20
@tanstack/vue-start@1.167.58

6 hours ago

dockview

mathuo

v6.0.5

What's Changed

fix(dockview-vue): forward didDrop and willDrop events (#1195) by @mathuo in https://github.com/mathuo/dockview/pull/1238

Full Changelog: https://github.com/mathuo/dockview/compare/v6.0.4...v6.0.5

6 hours ago

etherpad-lite

ether

v2.7.3

2.7.3

Breaking changes

Minimum required Node.js version is now 22.13. Node.js 20 is reaching end-of-life (see https://nodejs.org/en/about/previous-releases) and pnpm 11 hard-rejects Node releases older than 22.13. The CI matrix targets Node 22, 24, and 25. Upgrading should be straightforward — install a current Node.js release before updating Etherpad.
The official Docker image no longer ships curl, npm, or npx. These were dropped to remove transitive CVEs (curl/libcurl SMB advisories, npm's bundled picomatch 4.0.3 and brace-expansion 2.0.2). The container's healthcheck now uses wget (busybox built-in, always present), and Etherpad provisions pnpm via corepack for all runtime package operations. If you exec into the container and rely on curl or npm for ad-hoc tasks, install them on demand with apk add curl or use the busybox wget / pnpm already present.

Notable enhancements

GDPR / privacy controls. A multi-PR series adds the building blocks operators need to satisfy data-subject requests:
- Pad deletion controls (admin-driven and self-service).
- IP / privacy audit pass across the codebase.
- Author-token cookies are now HttpOnly, removing them from JavaScript reach.
- Configurable privacy banner shown on first visit.
- Author erasure: an authenticated path for purging an individual author's identity and contributions.
Self-update subsystem (Tier 1: notify).
- Periodic check against the GitHub Releases API for the configured repo (default ether/etherpad). Configurable via the new updates.* settings block, default tier "notify". Set updates.tier to "off" to disable entirely.
- The admin UI shows a banner and a dedicated "Etherpad updates" page with the current version, latest version, install method, and changelog.
- Pad users see a discreet footer badge only when the running version is severely outdated (one or more major versions behind) or flagged as vulnerable in a recent release manifest. The public endpoint that drives this never leaks the version string itself.
- New top-level adminEmail setting. When set, the updater emails the admin on first detection of severe / vulnerable status, with escalating cadence (weekly while vulnerable, monthly while severely outdated). PR 1 ships the dedupe + cadence logic; real SMTP wiring lands in a follow-up PR.
- Tier 1 ships in this release. Tiers 2 (manual click), 3 (auto with grace window) and 4 (autonomous in maintenance window) are designed and will land in subsequent releases.
- See doc/admin/updates.md for full configuration.
Pad compaction. New compactPad HTTP API plus bin/compactPad and bin/compactAllPads CLIs to reclaim database space on long-lived pads with heavy edit history (issue #6194). --keep N retains the last N revisions; --dry-run previews per-pad rev counts before writing. Per-pad failures don't stop the bulk run.
New packaging targets.
- Etherpad is now published as a Snap package.
- Debian (.deb) packages are built via nfpm with a systemd unit, and a signed apt repository is published to etherpad.org/apt.
Editor enhancements.
- IDE-style line operations: keyboard shortcuts to duplicate or delete the current line.
- New showMenuRight URL parameter to hide the right-side toolbar — useful for embeds that need slimmer chrome.
- Click a user in the userlist to open chat with @<name> prefilled, making mentions discoverable.
- New padOptions.fadeInactiveAuthorColors setting plus a toolbar UI to fade the background colors of authors who have left the pad.
Color contrast. Author colors now pick the WCAG-higher-contrast text color for readability.
Social / mobile metadata. Pad, timeslider, and home views now emit Open Graph and Twitter Card tags (closes #7599) and a theme-color meta that matches the toolbar on mobile.
Plugin admin UX. The /admin plugin browser surfaces each plugin's ep.json disables declarations, so operators can see what a plugin will turn off before installing.

Notable fixes

Socket.io: don't kick authenticated duplicate-author sessions. A regression where two tabs from the same authenticated author could evict each other has been fixed (#7656 / #7678).
Anchor scrolling. Anchor-link navigation now waits for layout to settle, so jumping to a deep link no longer overshoots.
Plugin updater. bin/updatePlugins.sh actually updates installed plugins again (closes #6670).
Settings: stable per-release version string. randomVersionString is now derived from the release identity rather than regenerated on each boot, so caches behave correctly across restarts of the same version.

Internal / contributor-facing

The HTTP client in the backend has been migrated from axios to the built-in fetch API, dropping a dependency now that Node 22 ships a stable fetch.
admin/ and ui/ workspaces moved from rolldown-vite to upstream Vite 8.
Build and CI moved to pnpm 11 (packageManager: "pnpm@11.0.6"); the Dockerfile, snap, and all GitHub workflows are aligned. pnpm overrides have been migrated from package.json to pnpm-workspace.yaml to match pnpm 11's expectations.
All client modules have been converted to ESM.
The CI matrix tests Node 22, 24, and 25; on PRs the matrix is reduced to a single Node version to keep feedback fast.
Frontend Playwright tests now run against the /ether plugin set, with feature-tag based skips so plugin-incompatible specs are excluded automatically.
Build hardening: signed apt repo publishing, frozen lockfile installs across CI, Node setup pinned in every workflow, and a Docker-image CVE sweep that bumps npm, pnpm, and uuid.

Localisation

Multiple updates from translatewiki.net.

6 hours ago

etherpad

ether

v2.7.3

2.7.3

Breaking changes

Minimum required Node.js version is now 22.13. Node.js 20 is reaching end-of-life (see https://nodejs.org/en/about/previous-releases) and pnpm 11 hard-rejects Node releases older than 22.13. The CI matrix targets Node 22, 24, and 25. Upgrading should be straightforward — install a current Node.js release before updating Etherpad.
The official Docker image no longer ships curl, npm, or npx. These were dropped to remove transitive CVEs (curl/libcurl SMB advisories, npm's bundled picomatch 4.0.3 and brace-expansion 2.0.2). The container's healthcheck now uses wget (busybox built-in, always present), and Etherpad provisions pnpm via corepack for all runtime package operations. If you exec into the container and rely on curl or npm for ad-hoc tasks, install them on demand with apk add curl or use the busybox wget / pnpm already present.

Notable enhancements

GDPR / privacy controls. A multi-PR series adds the building blocks operators need to satisfy data-subject requests:
- Pad deletion controls (admin-driven and self-service).
- IP / privacy audit pass across the codebase.
- Author-token cookies are now HttpOnly, removing them from JavaScript reach.
- Configurable privacy banner shown on first visit.
- Author erasure: an authenticated path for purging an individual author's identity and contributions.
Self-update subsystem (Tier 1: notify).
- Periodic check against the GitHub Releases API for the configured repo (default ether/etherpad). Configurable via the new updates.* settings block, default tier "notify". Set updates.tier to "off" to disable entirely.
- The admin UI shows a banner and a dedicated "Etherpad updates" page with the current version, latest version, install method, and changelog.
- Pad users see a discreet footer badge only when the running version is severely outdated (one or more major versions behind) or flagged as vulnerable in a recent release manifest. The public endpoint that drives this never leaks the version string itself.
- New top-level adminEmail setting. When set, the updater emails the admin on first detection of severe / vulnerable status, with escalating cadence (weekly while vulnerable, monthly while severely outdated). PR 1 ships the dedupe + cadence logic; real SMTP wiring lands in a follow-up PR.
- Tier 1 ships in this release. Tiers 2 (manual click), 3 (auto with grace window) and 4 (autonomous in maintenance window) are designed and will land in subsequent releases.
- See doc/admin/updates.md for full configuration.
Pad compaction. New compactPad HTTP API plus bin/compactPad and bin/compactAllPads CLIs to reclaim database space on long-lived pads with heavy edit history (issue #6194). --keep N retains the last N revisions; --dry-run previews per-pad rev counts before writing. Per-pad failures don't stop the bulk run.
New packaging targets.
- Etherpad is now published as a Snap package.
- Debian (.deb) packages are built via nfpm with a systemd unit, and a signed apt repository is published to etherpad.org/apt.
Editor enhancements.
- IDE-style line operations: keyboard shortcuts to duplicate or delete the current line.
- New showMenuRight URL parameter to hide the right-side toolbar — useful for embeds that need slimmer chrome.
- Click a user in the userlist to open chat with @<name> prefilled, making mentions discoverable.
- New padOptions.fadeInactiveAuthorColors setting plus a toolbar UI to fade the background colors of authors who have left the pad.
Color contrast. Author colors now pick the WCAG-higher-contrast text color for readability.
Social / mobile metadata. Pad, timeslider, and home views now emit Open Graph and Twitter Card tags (closes #7599) and a theme-color meta that matches the toolbar on mobile.
Plugin admin UX. The /admin plugin browser surfaces each plugin's ep.json disables declarations, so operators can see what a plugin will turn off before installing.

Notable fixes

Socket.io: don't kick authenticated duplicate-author sessions. A regression where two tabs from the same authenticated author could evict each other has been fixed (#7656 / #7678).
Anchor scrolling. Anchor-link navigation now waits for layout to settle, so jumping to a deep link no longer overshoots.
Plugin updater. bin/updatePlugins.sh actually updates installed plugins again (closes #6670).
Settings: stable per-release version string. randomVersionString is now derived from the release identity rather than regenerated on each boot, so caches behave correctly across restarts of the same version.

Internal / contributor-facing

The HTTP client in the backend has been migrated from axios to the built-in fetch API, dropping a dependency now that Node 22 ships a stable fetch.
admin/ and ui/ workspaces moved from rolldown-vite to upstream Vite 8.
Build and CI moved to pnpm 11 (packageManager: "pnpm@11.0.6"); the Dockerfile, snap, and all GitHub workflows are aligned. pnpm overrides have been migrated from package.json to pnpm-workspace.yaml to match pnpm 11's expectations.
All client modules have been converted to ESM.
The CI matrix tests Node 22, 24, and 25; on PRs the matrix is reduced to a single Node version to keep feedback fast.
Frontend Playwright tests now run against the /ether plugin set, with feature-tag based skips so plugin-incompatible specs are excluded automatically.
Build hardening: signed apt repo publishing, frozen lockfile installs across CI, Node setup pinned in every workflow, and a Docker-image CVE sweep that bumps npm, pnpm, and uuid.

Localisation

Multiple updates from translatewiki.net.

6 hours ago

ionic-framework

ionic-team

v8.8.6

8.8.6 (2026-05-06)

Bug Fixes

action-sheet: restore action-sheet-selected class on non-radio buttons (#31109) (c18502f), closes #31090
datetime: prevent hidden-state observer from tearing down ready class on initial entry (#31108) (30b479a)
segment: segment drag would set disabled segment button checked (#31112) (44be424)