fix(deps): update dependencies (non-major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@fortawesome/react-fontawesome	3.3.0 → 3.3.1
cron-parser	5.5.0 → 5.6.0
cronstrue (source)	3.14.0 → 3.20.0
dotenv	17.4.1 → 17.4.2
openid-client	6.8.2 → 6.8.4
react (source)	19.2.4 → 19.2.7
react-dom (source)	19.2.4 → 19.2.7
react-router-dom (source)	7.14.0 → 7.18.0
yaml (source)	2.8.3 → 2.9.0

---

Release Notes

FortAwesome/react-fontawesome (@​fortawesome/react-fontawesome)

v3.3.1

Compare Source

Chores

• deps-dev: bump handlebars from 4.7.8 to 4.7.9 (f1d6d94)
• deps-dev: bump lodash-es from 4.17.23 to 4.18.1 (212496a)
• deps-dev: bump picomatch from 2.3.1 to 2.3.2 (557ceaf)
• deps: bump lodash from 4.17.23 to 4.18.1 (2d06890)
• deps: node 22.22.2, bump all dev dependencies (99ba500)

harrisiirak/cron-parser (cron-parser)

v5.6.0

Compare Source

What's Changed

• fix: ES6 iterator done flag handling by @​harrisiirak in 90e1c68
• fix: CronExpressionParser.#parseRepeat ranges parsing by @​harrisiirak in 862c0cd
• fix: stop hour-step loop early on spring-forward DST days to prevent day skip by @​malenkov in #​400
• fix: preserve timezone in CronExpression.reset() by @​kings9527 in #​407
• chore: update deps and adapt tsconfig for TypeScript 6 by @​harrisiirak in #​412

New Contributors

• @​malenkov made their first contribution in #​400
• @​kings9527 made their first contribution in #​407

Full Changelog: harrisiirak/cron-parser@v5.5.0...v5.6.0

bradymholt/cRonstrue (cronstrue)

v3.20.0

Compare Source

Full Changelog: bradymholt/cRonstrue@v3.19.0...v3.20.0

v3.19.0

Compare Source

What's Changed

• Fix publish workflow: add issues: write permission for PR comments by @​bradymholt with @​Copilot in #​395

Full Changelog: bradymholt/cRonstrue@v3.18.0...v3.19.0

v3.18.0

Compare Source

What's Changed

• fix: push version commit/tag only after successful npm publish by @​bradymholt with @​Copilot in #​391
• Fix npm Trusted Publishers (OIDC) auth in publish workflow by @​bradymholt with @​Copilot in #​393

Full Changelog: bradymholt/cRonstrue@v3.16.0...v3.18.0

motdotla/dotenv (dotenv)

v17.4.2

Compare Source

Changed

• Improved skill files - tightened up details (#​1009)

panva/openid-client (openid-client)

v6.8.4

Compare Source

Fixes

• apply optional non-repudiation on generic grant ID Tokens (6202888)
• filter jwe decryption keys by algorithm (34e2ffd)
• preserve poll abort signals on requests (96a2d17)
• retry dpop nonce errors for generic grants (498c4d9)

v6.8.3

Compare Source

Documentation

• note a workaround for redirect_uri with query string or bare origin (e9689de), closes #​868

Fixes

• passport: delete one-time state on callback (1e7dd2e)

facebook/react (react)

v19.2.7: 19.2.7 (June 1st, 2026)

Compare Source

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6
  (#​36566 by @​unstubbable)

v19.2.6: 19.2.6 (May 6th, 2026)

Compare Source

React Server Components

• Type hardening and performance improvements
  (by @​eps1lon and @​unstubbable)

v19.2.5: 19.2.5 (April 8th, 2026)

Compare Source

React Server Components

• Add more cycle protections (#​36236 by @​eps1lon and @​unstubbable)

remix-run/react-router (react-router-dom)

v7.18.0

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.18.0

v7.17.0

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.17.0

v7.16.0

Compare Source

Patch Changes

• Remove stale/invalid unpkg field from package.json. This was removed from other packages with the release of v7 but missed in the react-router-dom re-export package (#​15075)
• Updated dependencies:
  • react-router@7.16.0

v7.15.1

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.15.1

v7.15.0

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.15.0

v7.14.2

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.14.2

v7.14.1

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.14.1

eemeli/yaml (yaml)

v2.9.0

Compare Source

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

Compare Source

• Disable alias resolution with maxAliasCount:0 (#​677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#​676)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.