chore(deps): bump the npm-minor-patch group across 1 directory with 13 updates

[dependabot]

Bumps the npm-minor-patch group with 13 updates in the /web directory:

Package	From	To
framer-motion	12.24.11	12.33.0
i18next	25.8.0	25.8.4
jspdf	4.0.0	4.1.0
lucide-react	0.562.0	0.563.0
next	16.1.1	16.1.6
react	19.2.3	19.2.4
@types/react	19.2.7	19.2.13
react-dom	19.2.3	19.2.4
react-i18next	16.5.3	16.5.4
@playwright/test	1.57.0	1.58.2
@types/node	25.0.3	25.2.2
autoprefixer	10.4.23	10.4.24
eslint-config-next	16.1.1	16.1.6

Updates framer-motion from 12.24.11 to 12.33.0

Changelog

Sourced from framer-motion's changelog.

[12.33.0] 2026-02-05

Added

• <motion />: New propagate.tap prop prevents tap gestures from propagating to parents.

[12.32.0] 2026-02-05

Added

• transition.inherit: When true, inherit transition values from less-specific transitions.

[12.31.3] 2026-02-05

Fixed

• <motion />: Ensure animation state is reset after being re-suspended.
• Prevent stale values when mixing transitionEnd and transition.type: false.
• Drag: Fix "sticky" throw velocity on initial interaciton.
• Drag: Ensure catching a thrown element kills its velocity.

[12.31.2] 2026-02-05

Fixed

• onHoverStart and onHoverEnd first argument now correctly typed as PointerEvent.
• whileHover: No longer persists after drag end.
• AnimatePresence: Allow changing mode prop.

[12.31.1] 2026-02-04

Added

• Drag constraints updated even when draggable or constraints resize outside of React renders.

[12.31.0] 2026-02-03

Added

• animate: Support for bi-directional callbacks within animation sequences.

Fixed

• Ensure onPan never fires before onPanStart.

[12.30.1] 2026-02-03

Fixed

• Allow drag to be initiated by child a and button elements.

... (truncated)

Commits

• fde47ac v12.33.0
• 4849b3a Updating changelog
• 6a1edd6 Merge pull request #3539 from motiondivision/event-propagation
• 0fec416 Adding changelog updates
• b962d09 v12.32.0
• 69b1c97 Updating changelog
• 972e556 Merge pull request #3538 from motiondivision/motion-config-merge-transition
• d4c0bcd refactor(gestures): Rename stopTapPropagation to propagate={{ tap: false }}
• cd4ec23 v12.31.3
• 461273f Updating changelog
• Additional commits viewable in compare view

Updates i18next from 25.8.0 to 25.8.4

Release notes

Sourced from i18next's releases.

v25.8.4

• fix: crashes when backend in backends array has no name property 2386

v25.8.3

• ts: document option to suppress the support message 2385

v25.8.2

• option to suppress the support message 2385

v25.8.1

• fix(types): Selector API - fix Namespace inference for selector ns option 2384

Changelog

Sourced from i18next's changelog.

25.8.4

• fix: crashes when backend in backends array has no name property 2386

25.8.3

• ts: document option to suppress the support message 2385

25.8.2

• option to suppress the support message 2385

25.8.1

• fix(types): Selector API - fix Namespace inference for selector ns option 2384

Commits

• 6eb7f54 25.8.4
• 336b151 fix: crashes when backend in backends array has no name property #2386
• cfa00ea jsr update
• d1df354 25.8.3
• 65d719b ts: document option to suppress the support message #2385
• 13e876c jsr update
• 3bc15f0 25.8.2
• 1949922 option to suppress the support message #2385
• 15ea457 jsr update
• 3d4cb35 25.8.1
• Additional commits viewable in compare view

Updates jspdf from 4.0.0 to 4.1.0

Release notes

Sourced from jspdf's releases.

v4.1.0

This release fixes several security issues.

What's Changed

• Upgrade optional dompurify dependency to 3.3.1 in parallax/jsPDF#3948
• Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution vulnerability
• Fix Stored XMP Metadata Injection (Spoofing & Integrity Violation) vulnerability
• Fix Shared State Race Condition in addJS Method vulnerability
• Fix Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder vulnerability

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

Commits

• 0227381 4.1.0
• ae4b93f Merge commit from fork
• 2863e5c Merge commit from fork
• efe54bf Merge commit from fork
• da291a5 Merge commit from fork
• 685e41e Bump @​koa/cors and local-web-server (#3951)
• 8cc22a5 Bump tmp, inquirer and karma (#3945)
• 008b276 Bump sha.js from 2.4.11 to 2.4.12 (#3946)
• ff66d52 Bump vite from 5.4.20 to 5.4.21 in /examples/vite (#3949)
• bcf79f2 Bump cipher-base from 1.0.4 to 1.0.7 (#3942)
• Additional commits viewable in compare view

Updates lucide-react from 0.562.0 to 0.563.0

Release notes

Sourced from lucide-react's releases.

Version 0.563.0

What's Changed

aria-hidden is by default added to icons components in all packages. This was already added to lucide-react before. Making icons accessible, you can add an aria-label or a title. See docs about accessibility.

All changes

• chore(dev): Enable ligatures in font build configuration by @​dcxo in lucide-icons/lucide#3876
• chore(repo): add Android to brand stopwords by @​karsa-mistmere in lucide-icons/lucide#3895
• fix(site): add missing titles and a title template by @​taimar in lucide-icons/lucide#3920
• fix(site): unify and improve the styling of input fields by @​taimar in lucide-icons/lucide#3919
• fix(icons): changed star-off icon by @​jguddas in lucide-icons/lucide#3952
• fix(icons): changed tickets-plane icon by @​jguddas in lucide-icons/lucide#3928
• fix(icons): changed monitor-off icon by @​jguddas in lucide-icons/lucide#3962
• fix(icons): changed lasso icon by @​jguddas in lucide-icons/lucide#3961
• fix(icons): changed cloud-off icon by @​jguddas in lucide-icons/lucide#3942
• docs(site): added lucide-web-components third-party package by @​midesweb in lucide-icons/lucide#3948
• chore(deps-dev): bump preact from 10.27.2 to 10.27.3 by @​dependabot[bot] in lucide-icons/lucide#3955
• feat(icon): add globe-x icon with metadata by @​Muhammad-Aqib-Bashir in lucide-icons/lucide#3827
• fix(icons): changed waypoints icon by @​karsa-mistmere in lucide-icons/lucide#3990
• fix(icons): changed bookmark icon by @​jguddas in lucide-icons/lucide#2906
• fix(icons): changed message-square-dashed icon by @​jguddas in lucide-icons/lucide#3959
• fix(icons): changed cloudy icon by @​jguddas in lucide-icons/lucide#3966
• fix(github-actions): resolved spelling mistake in gh issue close command by @​jguddas in lucide-icons/lucide#4000
• Update LICENSE by @​alxgraphy in lucide-icons/lucide#4009
• feat(packages): Added aria-hidden fallback for decorative icons to all packages by @​ericfennis in lucide-icons/lucide#3604
• chore(deps): bump lodash from 4.17.21 to 4.17.23 by @​dependabot[bot] in lucide-icons/lucide#4020
• chore(deps): bump lodash-es from 4.17.21 to 4.17.23 by @​dependabot[bot] in lucide-icons/lucide#4019
• Suggest anchoring to a specific lucide version when using a cdn by @​drago1520 in lucide-icons/lucide#3727
• feat(docs): upgraded backers block by @​karsa-mistmere in lucide-icons/lucide#4014
• fix(site): hide native search input clear "X" icon by @​epifaniofrancisco in lucide-icons/lucide#3933
• feat(icons): added printer-x icon by @​lt25106 in lucide-icons/lucide#3941

New Contributors

• @​dcxo made their first contribution in lucide-icons/lucide#3876
• @​midesweb made their first contribution in lucide-icons/lucide#3948
• @​alxgraphy made their first contribution in lucide-icons/lucide#4009
• @​drago1520 made their first contribution in lucide-icons/lucide#3727
• @​lt25106 made their first contribution in lucide-icons/lucide#3941

Full Changelog: lucide-icons/lucide@0.562.0...0.563.0

Commits

• 67c0485 feat(scripts): added helper script to automatically update OpenCollective bac...
• b6ed43d feat(packages): Added aria-hidden fallback for decorative icons to all packag...
• See full diff in compare view

Updates next from 16.1.1 to 16.1.6

Release notes

Sourced from next's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade to swc 54 (#88207)
• implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
• tweak LRU sentinel key (#89123)

Credits

Huge thanks to @​mischnic, @​wyattjoh, and @​ztanner for helping!

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Only filter next config if experimental flag is enabled (#88733)

Credits

Huge thanks to @​mischnic for helping!

v16.1.3

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix linked list bug in LRU deleteFromLru (#88652)
• Fix relative same host redirects in node middleware (#88253)

Credits

Huge thanks to @​acdlite and @​ijjk for helping!

v16.1.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

... (truncated)

Commits

• adf8c61 v16.1.6
• 098c0c0 [backport][ci] Make gh auth status optional when triggering a release (#89100)
• a43df32 Backport/docs fixes jan 25 16.1.x (#89124)
• d6d5734 tweak LRU sentinel cache key (#89123)
• 4324698 backport: implement LRU cache with invocation ID scoping for minimal mode res...
• 23c4649 [backport] Upgrade to swc 54 (#88207) (#89103)
• acba4a6 v16.1.5
• e1d1fc6 Add maximum size limit for postponed body parsing (#88175)
• 500ec83 fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 1caaca3 feat(next/image)!: add images.maximumResponseBody config (#88183)
• Additional commits viewable in compare view

Updates react from 19.2.3 to 19.2.4

Release notes

Sourced from react's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 90ab3f8 Version 19.2.4
• See full diff in compare view

Updates @types/react from 19.2.7 to 19.2.13

Commits

• See full diff in compare view

Updates react-dom from 19.2.3 to 19.2.4

Release notes

Sourced from react-dom's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 90ab3f8 Version 19.2.4
• See full diff in compare view

Updates react-i18next from 16.5.3 to 16.5.4

Changelog

Sourced from react-i18next's changelog.

16.5.4

• fix: Overriding React component props not working 1902

Commits

• b97c2bb 16.5.4
• 596840e fix: Overriding React component props not working #1902
• See full diff in compare view

Updates @playwright/test from 1.57.0 to 1.58.2

Release notes

Sourced from @​playwright/test's releases.

v1.58.2

Highlights

#39121 fix(trace viewer): make paths via stdin work #39129 fix: do not force swiftshader on chromium mac

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.1

Highlights

#39036 fix(msedge): fix local network permissions #39037 chore: update cft download location #38995 chore(webkit): disable frame sessions on fronzen builds

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.0

📣 Playwright CLI+SKILLs 📣

We are adding a new token-efficient CLI mode of operation to Playwright with the skills located at playwright-cli. This brings the long-awaited official SKILL-focused CLI mode to our story and makes it more coding agent-friendly.

It is the first snapshot with the essential command set (which is already larger than the original MCP!), but we expect it to grow rapidly. Unlike the token use, that one we expect to go down since snapshots are no longer forced into the LLM!

Timeline

If you're using merged reports, the HTML report Speedboard tab now shows the Timeline:

UI Mode and Trace Viewer Improvements

• New 'system' theme option follows your OS dark/light mode preference
• Search functionality (Cmd/Ctrl+F) is now available in code editors
• Network details panel has been reorganized for better usability
• JSON responses are now automatically formatted for readability

Thanks to @​cpAdm for contributing these improvements!

Miscellaneous

browserType.connectOverCDP() now accepts an isLocal option. When set to true, it tells Playwright that it runs on the same host as the CDP server, enabling file system optimizations.

Breaking Changes ⚠️

• Removed _react and _vue selectors. See locators guide for alternatives.

... (truncated)

Commits

• ce480a9 cherry-pick(#39171): devops: add ubuntu-22.04-arm bot
• e40c137 chore: mark v1.58.2 (#39155)
• 50b7296 cherry-pick(#39152): chore: fix execSync inheriting stdio
• f3dcf50 cherry-pick(#39129): fix: do not force swiftshader on chromium mac
• 8684e08 cherry-pick(#39121): fix(trace viewer): make paths via stdin work
• 97bc385 cherry-pick(#38995): chore(webkit): disable frame sessions on fronzen builds
• ad625fe chore: mark v1.58.1 (#39055)
• f07234d cherry-pick(#39036): fix(msedge): fix local network permissions (#39053)
• ab8136c cherry-pick(#39037): chore: update cft download location (#39052)
• aa6ffeb cherry-pick(#39014): docs: add 1.58 release notes for Java, Python, and C#
• Additional commits viewable in compare view

Updates @types/node from 25.0.3 to 25.2.2

Commits

• See full diff in compare view

Updates @types/react from 19.2.7 to 19.2.13

Commits

• See full diff in compare view

Updates autoprefixer from 10.4.23 to 10.4.24

Release notes

Sourced from autoprefixer's releases.

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

Changelog

Sourced from autoprefixer's changelog.

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

Commits

• 36692c2 Release 10.4.24 version
• 67df014 Update dependencies
• 032440e perf: reduce array allocations (#1542)
• See full diff in compare view

Updates eslint-config-next from 16.1.1 to 16.1.6

Release notes

Sourced from eslint-config-next's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade to swc 54 (#88207)
• implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
• tweak LRU sentinel key (#89123)

Credits

Huge thanks to @​mischnic, @​wyattjoh, and @​ztanner for helping!

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Only filter next config if experimental flag is enabled (#88733)

Credits

Huge thanks to @​mischnic for helping!

v16.1.3

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix linked list bug in LRU deleteFromLru (#88652)
• Fix relative same host redirects in node middleware (#88253)

Credits

Huge thanks to @​acdlite and @​ijjk for helping!

v16.1.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

... (truncated)

Commits

• adf8c61 v16.1.6
• acba4a6 v16.1.5
• 60de6c2 v16.1.4
• f01cf07 v16.1.3
• cb436b3 v16.1.2
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, javascript. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.