chore(deps): update minor

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending	OpenSSF
@base-ui/react (source)	dependencies	minor	1.1.0 → 1.2.0
dotenv	dependencies	minor	17.2.3 → 17.3.1
pnpm (source)	engines	minor	10.28.2 → 10.30.0	10.30.2 (+1)
react-resizable-panels (source)	dependencies	minor	4.5.2 → 4.6.4	4.6.5
undici (source)	dependencies	minor	7.19.2 → 7.22.0

---

Release Notes

mui/base-ui (@​base-ui/react)

v1.2.0

Compare Source

Feb 12, 2026

General changes

• Do not memoize state when not needed (#​3812) by @​flaviendelangle
• Support lazy element in render prop (#​3856) by @​oliviertassinari
• Replace Firefox deprecated mozInputSource check for virtual click detection (#​3942) by @​CiscoFran10
• Use WeakRef for previously focused elements (#​3916) by @​atomiks
• Fix page scroll jump when input has focus on unmount in Safari (#​3925) by @​atomiks
• Fix flash at origin before positioning completes in Preact (#​3975) by @​OliverSpeir
• Reduce style recalculation with classic scrollbars (#​3854) by @​mdm317
• Fix event handling in useEnhancedClickHandler (#​3981) by @​sai6855

Autocomplete

• Fix filter method's useMemo dependency (#​3862) by @​ZeeshanTamboli
• Fix Autocomplete not using its internal filter method when mode is list (#​3936) by @​ZeeshanTamboli
• Remove unnecessary double stringification of item in filtering logic (#​3945) by @​ZeeshanTamboli
• Add useFilteredItems hook (#​3732) by @​guisehn
• Fix popup closing on iOS VoiceOver (#​3859) by @​atomiks
• Remove aria-readonly prop from Clear and Popup components when readOnly (#​3907) by @​markocupic024

Avatar

• Add transition attributes (#​3939) by @​atomiks

Button

• Capture component stack for nativeButton error message (#​3861) by @​atomiks

Checkbox

• Cleanup disabled state tracking (#​3913) by @​atomiks
• Preserve modifier key properties in the change event (#​3935) by @​mj12albert
• Allow exit animations on <Checkbox.Indicator> when keepMounted={false} (#​3939) by @​atomiks

Combobox

• Fix the type of the ref of the Icon part (#​3796) by @​flaviendelangle
• Avoid clearing selected value if item is not present in items array (#​3824) by @​atomiks
• Fix highlight change reason in ChipRemove (#​3980) by @​sai6855
• Keep highlight on last deselect (#​3923) by @​atomiks
• Fix inline filtering after selection in single mode (#​3978) by @​atomiks
• Clear highlight on inline blur when inline (#​3973) by @​atomiks
• Prevent opening popup on autofill change (#​3924) by @​atomiks
• Distinguish input-press from trigger-press in onOpenChange reason (#​4015) by @​jijiseong
• Fix async items while popup is open (#​4034) by @​atomiks
• Prevent Chip from receiving focus when disabled (#​4044) by @​jijiseong
• Add useFilteredItems hook (#​3732) by @​guisehn
• Fix popup closing on iOS VoiceOver (#​3859) by @​atomiks
• Remove aria-readonly prop from Clear and Popup components when readOnly (#​3907) by @​markocupic024
• Fix onClick Item type (#​3964) by @​atomiks
• Use reactive domReferenceElement subscriptions (#​4017) by @​atomiks
• Add autoComplete prop for explicit browser autofill support (#​4005) by @​mattrothenberg
• Fix inconsistent isItemEqualToValue argument order (#​4056) by @​atomiks

Context Menu

• Fix disabled prop not working (#​3806) by @​arturbien
• Fix explicit collisionAvoidance with side: 'flip' not working (#​3877) by @​obeattie

Drawer

• Create new Drawer / Sheet component (#​3680) by @​atomiks

Field

• Prevent re-renders when Field.Control is uncontrolled (#​3820) by @​atomiks
• Fix autofocus in SSR environments (#​3871) by @​mj12albert
• Fix max update depth loop when using <React.Activity> (#​3931) by @​atomiks
• Add transition attributes (#​3939) by @​atomiks

Input

• Fix autofocus in SSR environments (#​3871) by @​mj12albert
• Update ref type to HTMLElement (#​3866) by @​mj12albert

Menu

• Fix onClick Item type (#​3964) by @​atomiks
• Fix submenu stuck glitch (#​3783) by @​atomiks
• Fix race conditions (#​3821) by @​atomiks
• Add <Menu.LinkItem> part (#​3400) by @​mj12albert

Navigation Menu

• Fix forwarded ref types (#​3775) by @​CrawlerCode
• Add keepMounted prop to Content part (#​3794) by @​atomiks

Number Field

• Fix click handlers on ScrubArea (#​3827) by @​mj12albert
• Remove event.isTrusted (#​3920) by @​atomiks
• Stop repeat change at bounds (#​3915) by @​atomiks
• Add allowOutOfRange prop (#​3919) by @​atomiks
• Fix pen pointer handling (#​3917) by @​atomiks
• Fix missing field state data attributes (#​3909) by @​mj12albert

Popover

• Fix missing aria-owns element (#​3959) by @​atomiks
• Use reactive domReferenceElement subscriptions (#​4017) by @​atomiks
• Fix broken scale transition with detached triggers (#​3810) by @​michaldudak

Preview Card

• Fix broken scale transition with detached triggers (#​3810) by @​michaldudak

Progress

• De-duplicate formatValue function (#​3805) by @​sai6855

Radio Group

• Preserve modifier key properties in the change event (#​3935) by @​mj12albert
• Allow exit animations on <Radio.Indicator> when keepMounted={false} (#​3939) by @​atomiks
• Rely on individual radio hidden inputs (#​3826) by @​atomiks
• Add generic Value typing to Radio (#​4033) by @​atomiks

Scroll Area

• Add data-scrolling state attribute to Root and Viewport parts (#​3823) by @​arturbien
• Fix overflow edge rounding (#​3888) by @​atomiks

Select

• Add finalFocus prop (#​3785) by @​markocupic024
• Fix alignItemWithTrigger transform with CSS animations (#​3831) by @​atomiks
• Fix highlightItemOnHover not being respected (#​3868) by @​sarthakmalik0810
• Reset typeahead on external blur (#​2618) by @​antonfrolovsky
• Fix scroll height loop (#​3795) by @​atomiks
• Add autoComplete prop for explicit browser autofill support (#​4005) by @​mattrothenberg
• Fix inconsistent isItemEqualToValue argument order (#​4056) by @​atomiks

Slider

• Fix missing field state data attributes (#​3909) by @​mj12albert
• Fix change event cloning (#​3960) by @​atomiks

Switch

• Preserve modifier key properties in the change event (#​3935) by @​mj12albert

Tabs

• Add transition attributes to <Tabs.Panel> part (#​3880) by @​atomiks

Toast

• Make useToastManager and createToastManager generic functions (#​3882) by @​solastley
• Prevent dismissed promise toast from reopening on updates (#​4040) by @​atomiks
• Introduce a store (#​3464) by @​flaviendelangle

Toggle

• Improve type safety and inference (#​3173) by @​michaelhazan

Toggle Group

• Type value as string to match Toggle (#​3770) by @​markocupic024
• Enable Home/End key navigation (#​3971) by @​jijiseong
• Improve type safety and inference (#​3173) by @​michaelhazan

Tooltip

• Prevent opening when focusing a disabled Trigger (#​3902) by @​michaldudak
• Fix broken scale transition with detached triggers (#​3810) by @​michaldudak
• Fix disabled prop on Triggers (#​4049) by @​michaldudak

All contributors of this release in alphabetical order : @​antonfrolovsky, @​arturbien, @​atomiks, @​CiscoFran10, @​CrawlerCode, @​flaviendelangle, @​guisehn, @​jijiseong, @​LukasTy, @​markocupic024, @​mattrothenberg, @​mdm317, @​michaelhazan, @​michaldudak, @​mj12albert, @​obeattie, @​OliverSpeir, @​oliviertassinari, @​sai6855, @​sarthakmalik0810, @​solastley, @​ZeeshanTamboli

motdotla/dotenv (dotenv)

v17.3.1

Compare Source

Changed

• Fix as2 example command in README and update spanish README

v17.3.0

Compare Source

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

v17.2.4

Compare Source

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#​915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

pnpm/pnpm (pnpm)

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

• pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

• Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
• Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Gold Sponsors

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

bvaughn/react-resizable-panels (react-resizable-panels)

v4.6.4

Compare Source

• 664, 665: Resize actions sometimes "jump" on touch devices

v4.6.3

Compare Source

• Fixed a problem with project logo not displaying correctly in the README for the Firefox browser.

v4.6.2

Compare Source

• 660: Group guards against layouts with mis-ordered Panel id keys

v4.6.1

Compare Source

• 658: Imperative Panel and Group APIs ignored disabled status when resizing panels; this is an explicit override of the disabled state and is required to support conditionally disabled groups.
• 658: Separator component does not set a cursor: not-allowed style if the parent Group has cursors disabled.

v4.6.0

Compare Source

• 657: Allow Panel and Separator components to be disabled

v4.5.9

Compare Source

• 649: Optimization: Replace useForceUpdate with useSyncExternalStore to avoid side effect of swallowing "click" events in certain cases
• 654: Bugfix Imperative Group method setLayout persists layout to in-memory cache
• 652: Re-enable collapsible panel bugfix after fixing another reported issue

v4.5.8

Compare Source

• 651: Disabled the change to collapsible panel behavior that was originally made in 635 due to another reported regression

v4.5.7

Compare Source

• 646: Re-enable the collapsible Panel from 4.5.3 that was disabled in 4.5.6
• 648: Bugfix: Reset Separator hover-state on Document "pointerout"

v4.5.6

Compare Source

• 644: Disabled the change to collapsible panel behavior that was originally made in 635

v4.5.5

Compare Source

• 641: Removed aria-orientation role from root Group element as this was invalid according to the ARIA spec; (for more information see the discussion on issue #​640)
• 642: Bugfix: Fix collapsible Panel regression introduced in 4.5.3

v4.5.4

Compare Source

• 638: Panel avoids unnecessary re-renders in response to mouse-hover state.

v4.5.3

Compare Source

• 635: Expand pre-collapsed panels if drug past the halfway point for more consistent collapse/expand behavior.
• 631: Bugfix: Panels set max-width and max-height to 100% to fix potential CSS overflow bug.

nodejs/undici (undici)

v7.22.0

Compare Source

What's Changed

• docs: fix syntax highlighting in WebSocket.md by @​styfle in #​4814
• fix: use OR operator in includesCredentials per WHATWG URL Standard by @​jackhax in #​4816
• feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk by @​SuperOleg39 in #​4676
• fix: route WebSocket upgrades through onRequestUpgrade by @​mcollina in #​4787
• build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 by @​dependabot[bot] in #​4821
• fix(deduplicate): do not deduplicate non-safe methods by default by @​mcollina in #​4818
• feat: Support async cache stores in revalidation by @​marcopiraccini in #​4826

New Contributors

• @​jackhax made their first contribution in #​4816
• @​marcopiraccini made their first contribution in #​4826

Full Changelog: nodejs/undici@v7.21.0...v7.22.0

v7.21.0

Compare Source

What's Changed

• build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @​dependabot[bot] in #​4796
• test: restore global dispatcher after fetch tests by @​mcollina in #​4790
• Add missing close method to WebSocketStream interface by @​piotr-cz in #​4802
• fix: error stream instead of canceling by @​KhafraDev in #​4804
• Fix clientTtl cleanup race in Agent by @​mcollina in #​4807
• feat(#​4230): Implement pingInterval for dispatching PING frames by @​metcoder95 in #​4296
• fix: handle undefined __filename in bundled environments by @​mcollina in #​4812
• fix: set finalizer only for fetch responses by @​tsctx in #​4803

New Contributors

• @​piotr-cz made their first contribution in #​4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

Compare Source

What's Changed

• fix: preserve fetch stack traces by @​mcollina in #​4778
• Fix error handling in MockPool example by @​dave-kennedy in #​4781
• feat: expose statusText in request() ResponseData by @​domenic in #​4784
• test: reduce retry-after invalid date flake by @​mcollina in #​4788
• extractBody fixes by @​KhafraDev in #​4791
• fix: MockAgent delayed response with AbortSignal (#​4693) by @​mcollina in #​4772
• fix: onParserTimeout potentially accessing undefined by @​vbfox in #​4758

New Contributors

• @​dave-kennedy made their first contribution in #​4781
• @​vbfox made their first contribution in #​4758

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

 ERR_PNPM_UNSUPPORTED_ENGINE  Unsupported environment (bad pnpm and/or Node.js version)

Your pnpm version is incompatible with "/tmp/renovate/repos/github/allthingslinux/portal".

Expected version: 10.30.0
Got: 10.28.2

This is happening because the package's manifest has an engines.pnpm field specified.
To fix this issue, install the required pnpm version globally.

To install the latest version of pnpm, run "pnpm i -g pnpm".
To check your pnpm version, run "pnpm -v".

[cubic-dev-ai]

No issues found across 1 file

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[sentry]

Bug: The PR description claims to update several dependencies, but these changes are missing from package.json. The packageManager version is also not updated, creating an inconsistency.
_{Severity: MEDIUM}

Suggested Fix

Ensure the dependency versions in package.json match the versions specified in the PR description. Update @base-ui/react, dotenv, react-resizable-panels, and undici. Also, update the packageManager field to pnpm@10.30.0 to match the engines.pnpm version. Finally, run pnpm install to regenerate the pnpm-lock.yaml file.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L143

Potential issue: The pull request description indicates updates for four dependencies
(`@base-ui/react`, `dotenv`, `react-resizable-panels`, `undici`), but these version
changes are not reflected in the `package.json` file. The application will continue to
use the old, un-updated versions of these packages. Additionally, there is a mismatch
between the `engines.pnpm` version, which was updated to `10.30.0`, and the
`packageManager` field, which remains at `10.28.2`. This inconsistency could lead to
issues for developers. The `pnpm-lock.yaml` file also remains unchanged, confirming the
dependencies were not updated.