Skip to content

chore(deps): bump the npm-minor-and-patch group across 1 directory with 12 updates#30

Open
dependabot[bot] wants to merge 5 commits into
mainfrom
dependabot/npm_and_yarn/frontend/npm-minor-and-patch-258052e589
Open

chore(deps): bump the npm-minor-and-patch group across 1 directory with 12 updates#30
dependabot[bot] wants to merge 5 commits into
mainfrom
dependabot/npm_and_yarn/frontend/npm-minor-and-patch-258052e589

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown

Bumps the npm-minor-and-patch group with 10 updates in the /frontend directory:

Package From To
@radix-ui/react-slider 1.3.6 1.4.0
lucide-react 1.17.0 1.18.0
next 16.2.6 16.2.9
shadcn 4.10.0 4.11.0
@tailwindcss/postcss 4.3.0 4.3.1
@types/node 25.9.1 25.9.3
@types/react 19.2.16 19.2.17
@vitest/coverage-v8 4.1.8 4.1.9
eslint 10.4.1 10.5.0
eslint-config-next 16.2.6 16.2.9

Updates @radix-ui/react-slider from 1.3.6 to 1.4.0

Changelog

Sourced from @​radix-ui/react-slider's changelog.

1.4.0

  • Added unstable ThumbProvider, ThumbTrigger, and BubbleInput parts to Slider. SliderThumb was previously a single component that implicitly rendered a hidden native input for form submission. It is now composed from these new parts, which are exposed so consumers can decouple the bubble input from the thumb (for example, to render or customize it independently) instead of relying on SliderThumb to render it implicitly. SliderThumb continues to render all three by default, so existing usage is unaffected.
  • Added focusVisible for non-keyboard interactions with slider thumbs for progressively enabling styles using :focus-visible alongside programmatic focus management
  • Fixed Slider focus bugs in scrollable context
  • Fixed a Slider bug where very small step values made the thumbs unresponsive
  • Added repository.directory to all package.json files
  • Updated dependencies: @radix-ui/react-collection@1.1.9, @radix-ui/react-direction@1.1.2, @radix-ui/number@1.1.2, @radix-ui/primitive@1.1.4, @radix-ui/react-compose-refs@1.1.3, @radix-ui/react-context@1.1.4, @radix-ui/react-primitive@2.1.5, @radix-ui/react-use-controllable-state@1.2.3, @radix-ui/react-use-layout-effect@1.1.2, @radix-ui/react-use-previous@1.1.2, @radix-ui/react-use-size@1.1.2
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​radix-ui/react-slider since your current version.


Updates lucide-react from 1.17.0 to 1.18.0

Release notes

Sourced from lucide-react's releases.

Version 1.18.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.17.0...1.18.0

Commits

Updates next from 16.2.6 to 16.2.9

Release notes

Sourced from next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Backport documentation fixes for v16.2 (#93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
  • [backport] Propagate adapter preferred regions (#94200)
  • [16.2.x] Don't drop FormData entries (#94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits
  • f37fad9 v16.2.9
  • d9aaaed [cd] Allow tagging semver-lower releases as @latest if @latest po… (#94627)
  • 6f16804 v16.2.8
  • 0dbc1d5 [16.2.x][cd] Ensure release can be triggered on old branches (#94598)
  • 90e3c81 [16.2.x] Align Actions dependencies with Canary (#94339)
  • 83f402c [16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)
  • 411c455 v16.2.7
  • c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
  • 63115c7 [16.2.x] Don't drop FormData entries (#94240)
  • aef22fd [backport] Propagate adapter preferred regions (#94200)
  • Additional commits viewable in compare view

Updates shadcn from 4.10.0 to 4.11.0

Release notes

Sourced from shadcn's releases.

shadcn@4.11.0

Minor Changes

Patch Changes

Changelog

Sourced from shadcn's changelog.

4.11.0

Minor Changes

Patch Changes

Commits

Updates @tailwindcss/postcss from 4.3.0 to 4.3.1

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.3.1

Added

  • Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

  • Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
  • Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
  • Allow @apply to be used with CSS mixins (#19427)
  • Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
  • Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
  • Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
  • Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
  • Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)]px-[calc(1rem+0)]) (#20127)
  • Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px]left-[99999px], not left-24999.75) (#20130)
  • Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
  • Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
  • Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
  • Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
  • Allow @variant to be used inside addBase (#19480)
  • Ensure @source globs with symlinks are preserved (#20203)
  • Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
  • Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
  • Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
  • Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
  • Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
  • Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)]w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
  • Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

  • Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
  • Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)
Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.3.1] - 2026-06-12

Added

  • Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

  • Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
  • Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
  • Allow @apply to be used with CSS mixins (#19427)
  • Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
  • Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
  • Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
  • Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
  • Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)]px-[calc(1rem+0)]) (#20127)
  • Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px]left-[99999px], not left-24999.75) (#20130)
  • Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
  • Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
  • Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
  • Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
  • Allow @variant to be used inside addBase (#19480)
  • Ensure @source globs with symlinks are preserved (#20203)
  • Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
  • Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
  • Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
  • Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
  • Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
  • Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)]w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
  • Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

  • Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
  • Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)
Commits

Updates @types/node from 25.9.1 to 25.9.3

Commits

Updates @types/react from 19.2.16 to 19.2.17

Commits

Updates @vitest/coverage-v8 from 4.1.8 to 4.1.9

Commits

Updates eslint from 10.4.1 to 10.5.0

Release notes

Sourced from eslint's releases.

v10.5.0

Features

  • 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973) (Pixel998)
  • b565783 feat: report no-with violations at the with keyword (#20971) (Pixel998)
  • 2ce032f feat: report max-lines-per-function violations at function head (#20966) (Pixel998)
  • 732cb3e feat: report max-nested-callbacks violations at function head (#20967) (Pixel998)
  • f9c138a feat: report max-depth violations on keywords (#20943) (Pixel998)
  • bdb496c feat: correct max-depth handling for else-if chains (#20944) (Pixel998)
  • c296873 feat: update error loc in max-statements to function header (#20907) (Taejin Kim)

Documentation

  • 8ae1b5b docs: Update README (GitHub Actions Bot)
  • ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962) (Francesco Trotta)
  • f99b47a docs: Update README (GitHub Actions Bot)
  • acf03d4 docs: clarify precedence of parserOptions over languageOptions (#20926) (sethamus)

Chores

  • b18bf58 chore: update ecosystem plugins (#20959) (ESLint Bot)
  • c2d1444 refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable (#20951) (Taejin Kim)
  • 243b8c5 chore: enhance config-rule to support oneOf, anyOf, and nested schemas (#20788) (kuldeep kumar)
  • 217b2a9 test: add unit tests for ParserService (#20949) (Taejin Kim)
  • 72003e7 test: add location information to error messages in max-statements (#20945) (lumir)
  • 7797c26 refactor: deduplicate isAnySegmentReachable across rules (#20890) (Taejin Kim)
  • 67c46fa chore: update ecosystem plugins (#20938) (ESLint Bot)
  • 95d8c7a chore: update dependency @​eslint/json to v2 (#20934) (renovate[bot])
  • cf9e496 chore: update @​arethetypeswrong/cli to 0.18.3 (#20933) (Pixel998)
  • fb6d396 test: run type tests with TypeScript 7 (#20868) (sethamus)
Commits

Updates eslint-config-next from 16.2.6 to 16.2.9

Release notes

Sourced from eslint-config-next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Backport documentation fixes for v16.2 (#93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
  • [backport] Propagate adapter preferred regions (#94200)
  • [16.2.x] Don't drop FormData entries (#94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

Updates tailwindcss from 4.3.0 to 4.3.1

Release notes

Sourced from tailwindcss's releases.

v4.3.1

Added

  • Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

  • Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
  • Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
  • Allow @apply to be used with CSS mixins (#19427)
  • Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
  • Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
  • Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
  • Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
  • Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)]px-[calc(1rem+0)]) (#20127)
  • Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px]left-[99999px], not left-24999.75) (#20130)
  • Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
  • Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
  • Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
  • Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
  • Allow @variant to be used inside addBase (#19480)
  • Ensure @source globs with symlinks are preserved (#20203)
  • Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
  • Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
  • Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
  • Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
  • Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
  • Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)]w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
  • Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

  • Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
  • Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)
Changelog

Sourced from tailwindcss's changelog.

[4.3.1] - 2026-06-12

Added

  • Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

  • Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
  • Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
  • Allow @apply to be used with CSS mixins (#19427)
  • Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
  • Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
  • Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
  • Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
  • Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)]px-[calc(1rem+0)]) (#20127)
  • Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px]left-[99999px], not left-24999.75) (#20130)
  • Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
  • Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
  • Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
  • Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
  • Allow @variant to be used inside addBase (#19480)
  • Ensure @source globs with symlinks are preserved (#20203)
  • Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
  • Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
  • Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
  • Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
  • Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
  • Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)]w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
  • Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

  • Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
  • Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)
Commits

Updates vitest from 4.1.8 to 4.1.9

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

dmichael-fastly and others added 5 commits June 5, 2026 16:53
@dmichael-fastly
Delete docs/demo_production_guide.md
4f026f5
@dmichael-fastly
Merge pull request #4 from fastly/session-scoring
9448897 
v1.1.0: session scoring + security hardening + scoring-recv exclusion override
@dmichael-fastly @claude
v1.2.0: dashboard performance overhaul + security hardening
0f0887e 
Cold and warm dashboard loads drop from seconds to sub-second on large
services; sustained concurrent load no longer wedges the backend. Read
path I/O is structurally cut by a per-service DuckDB connection pool, a
per-minute time-series rollup bundle, size-capped bin-packing local
compaction (daily + weekly tiers), composite admin-page endpoints, and a
frontend pre-warm + hover-prefetch pattern that makes navigation feel
instant.

Performance — structural

* Per-minute time-series rollup bundle precomputes the dashboard chart's
  per-minute aggregate per (field, hour); eliminates the wide Iceberg
  scan on chart render.
* Per-day rollup compaction — closed days roll up into a single per-day
  file; the reader prefers per-day and falls back to hourly only for the
  current day.
* Size-capped bin-packing local compaction (default 256 MB cap) replaces
  single-file daily/weekly rollups; preserves DuckDB scan parallelism on
  multi-month services.
* DuckDB connection-pool tuning — DUCKDB_POOL_CONN_MEMORY_LIMIT and
  DUCKDB_POOL_CONN_THREADS env vars cap per-connection RSS and threads.
  View-binding moved outside the pool's Condition lock to eliminate a
  stale-snapshot deadlock.
* Composite read endpoints — POST /api/scoring/dashboard,
  GET /api/scoring/analytics, GET /api/scoring/config,
  GET /api/network-health (now includes shielding), and the new
  POST /api/origin/aggregates collapse multi-card mounts into one round
  trip. Per-card endpoints stay mounted for back-compat.
* Parquet ingest sort key changed to (timestamp, ip) so sessions queries
  stream-merge on ip instead of materialising a temp table (~2× speedup).
* ingested_files.file_date column + (source_name, file_date) index for
  the log-accounting fast path.
* Iceberg buffer files tombstoned and removed on the next pass instead
  of unlinked inline at commit. optimize_table adds union_by_name +
  retry-on-CAS-conflict.
* Bootstrap stale-while-revalidate for dir-stats; views folded into the
  response.

Performance — tuning

* Dashboard: live-hour TEMP TABLE shared across CTEs; Python-side bot
  match; memoised ngwaf_top.
* Insights: coalesce 4 city/region/country queries into 1; coalesce 4
  URL-keyed insights into 1 CTE.
* Sessions: split monolithic CTE into measurable stages; eliminate hot-
  path temp-table materialisation.
* Origin: combine two sequential scans into one via GROUPING SETS.
* Cron-runs since_id delta-poll on /logs recentCrons.
* Admin usage-log visibility-gates its 30s tick; latest-per-task SQL
  rewritten to skip the full join.
* 60s TTL on bot-source cache-dir scandir.
* React-Query: skip 4xx retries; hooks lifted out of insights /
  ReportLayout render-props.

Frontend

* starlette-compress replaces GZipMiddleware (br / zstd / gzip
  negotiation).
* Keep-alive on Next.js http/undici global agents.
* Pre-warm + lazy-mount pattern for plotly + maplibre-gl +
  world.geojson on AppLayout mount; hover-prefetch sidebar links;
  per-insight skeleton cards on first paint.
* Modulepreload for the plotly chunk via a build-time-generated preload
  manifest. Root layout opts out of build-time SSG so the manifest is
  read at request time.
* /geo/* aggressively cached; PlotlyChart dynamic-import on /network.
* SystemHealthCard polls at 1s for live attack/load feedback.
* Shared useNowMs interval for visible-tick components.
* MapLibre style-data listener replaces a 100ms setTimeout poll.

Reliability

* Multi-worker login loop fixed via on-demand SQLite session rehydration.
* DuckDB lock conflict between pool and cron writes resolved —
  get_connection forces read_only=False on the file.
* QueryRunner empty-schema self-heal busts _view_cache before the
  force=True rebuild so the lock-timeout fallback can't re-execute the
  same stale cached SQL (mirrors the execute() self-heal). Without
  this, ingest-cron lock contention pinned the view to a deleted buffer
  path and the dashboard surfaced "No data available" on a 200.
* QueryRunner clears _view_cache before force=True rebuild on the post-
  empty self-heal path.
* Iceberg s3fs proxy hook falls back to the process-global source so the
  hook always registers (cold-start LIST before _get_catalog).
* Top-N current-hour merge silent ImportError fixed; rollup compaction
  threads run_id through the error branch + uses in-memory DuckDB.
* Dashboard response cache: write to is_cached (not aliased _is_cached)
  to keep Pydantic from dropping the flag.
* Usage-log reconcile cycle changed from DELETE+INSERT to UPSERT.
* expire_snapshots updated for pyiceberg 0.11.1 + emits cron_runs
  telemetry.
* Next.js 16 compat: middleware.ts → proxy.ts (Caddy-marker preserved).
* TelemetryResponseBodyMiddleware backstops endpoints that bypass
  BaseResponse.with_telemetry.

Security

* Cross-tenant ContextVar leak in the s3fs proxy hook closed —
  ThreadPoolExecutor.submit monkeypatched to wrap callables in
  contextvars.copy_context(); endpoint-keyed global registry removed.
* Path-param service-scope desync — centralised the session-scope check
  via a router-utils helper invoked on every scoped route.
* Secret-in-URL leak on downloads — switched to a signed short-lived
  bearer stripped before redirect.
* Strict input validation on the destructive-op surface (provision
  teardown, NGWAF mutations, scoring threshold + enforce-status-code +
  recv-exclusion-regex). Length caps, character allowlists, and falco
  static analysis before any VCL ships.
* CSRF: state-changing endpoints moved off GET.
* Cross-tenant cache key audit — every per-tenant cache key includes
  service_id; closed two missing entries on insights and origin paths.
* Thread leak in share-login replaced by on-demand SQLite rehydration.
* Terms-of-service bypass on share-login /acknowledge fixed.

Tests

* 3500+ backend tests (+450), 290+ frontend vitest tests (+25).
* New coverage: DuckDB pool, local compaction, rollups compaction +
  hour bundling, iceberg helpers, service manager, SQL validator,
  telemetry response middleware, router utils, state sync, terraform
  gen, plus router coverage for the new composite endpoints and the
  destructive-op-auth surface.
* make ci green: lint + format + mypy + pytest + vcl-test + verify-deps
  + typecheck-frontend + test-frontend + osv + secret-scan.

Infrastructure

* Synthetic load generator (scripts/loadtest_generator.py) and read-path
  probe (scripts/dev/loadtest_probe.sh) for reproducible perf
  measurement.
* Two-pass next build in the frontend Dockerfile so SSG sees the
  correct plotly chunk hashes.

Documentation

* AGENTS.md — Key Systems entries for the DuckDB connection pool, the
  hourly Top-N rollup pipeline, and the response telemetry middleware;
  local-compaction section updated for the bin-packing tiers.
* MONKEYPATCHES.md — documents the new ThreadPoolExecutor.submit patch.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@dmichael-fastly
Merge pull request #7 from fastly/performance-improvement
b552c60 
v1.2.0: dashboard performance overhaul + security hardening
@dependabot
chore(deps): bump the npm-minor-and-patch group across 1 directory wi…
afc34d5 
…th 12 updates

Bumps the npm-minor-and-patch group with 10 updates in the /frontend directory:

| Package | From | To |
| --- | --- | --- |
| [@radix-ui/react-slider](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slider) | `1.3.6` | `1.4.0` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.17.0` | `1.18.0` |
| [next](https://github.com/vercel/next.js) | `16.2.6` | `16.2.9` |
| [shadcn](https://github.com/shadcn-ui/ui/tree/HEAD/packages/shadcn) | `4.10.0` | `4.11.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.3.0` | `4.3.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.9.1` | `25.9.3` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.16` | `19.2.17` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.8` | `4.1.9` |
| [eslint](https://github.com/eslint/eslint) | `10.4.1` | `10.5.0` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.2.6` | `16.2.9` |



Updates `@radix-ui/react-slider` from 1.3.6 to 1.4.0
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slider/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slider)

Updates `lucide-react` from 1.17.0 to 1.18.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.18.0/packages/lucide-react)

Updates `next` from 16.2.6 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.6...v16.2.9)

Updates `shadcn` from 4.10.0 to 4.11.0
- [Release notes](https://github.com/shadcn-ui/ui/releases)
- [Changelog](https://github.com/shadcn-ui/ui/blob/main/packages/shadcn/CHANGELOG.md)
- [Commits](https://github.com/shadcn-ui/ui/commits/shadcn@4.11.0/packages/shadcn)

Updates `@tailwindcss/postcss` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-postcss)

Updates `@types/node` from 25.9.1 to 25.9.3
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@types/react` from 19.2.16 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `@vitest/coverage-v8` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/HEAD/packages/coverage-v8)

Updates `eslint` from 10.4.1 to 10.5.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.4.1...v10.5.0)

Updates `eslint-config-next` from 16.2.6 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.9/packages/eslint-config-next)

Updates `tailwindcss` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss)

Updates `vitest` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/HEAD/packages/vitest)

---
updated-dependencies:
- dependency-name: "@radix-ui/react-slider"
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
- dependency-name: lucide-react
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
- dependency-name: next
  dependency-version: 16.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: shadcn
  dependency-version: 4.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: "@types/node"
  dependency-version: 25.9.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: eslint
  dependency-version: 10.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
- dependency-name: eslint-config-next
  dependency-version: 16.2.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dmichael-fastly