chore(deps)(deps): bump the production-dependencies group across 1 directory with 3 updates

[dependabot]

Bumps the production-dependencies group with 3 updates in the / directory: next, fumadocs-core and fumadocs-ui.

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates fumadocs-core from 16.8.7 to 16.8.11

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.8.11

Patch Changes

• 1dc86c7: loosen the range for waku

fumadocs-core@16.8.10

Patch Changes

• 062beab: fix internal types
• 505cfe0: Add remark-block-id plugin

fumadocs-core@16.8.8

No release notes provided.

Commits

• 99f1066 Version Packages (#3280)
• d4c78e4 OpenAPI: render deprecated badge for deprecated operations (#3281)
• 0287f49 UI: improve default OG image
• 1dc86c7 Core: loosen the range for waku
• b3052ac Version Packages (#3279)
• 61f3a27 UI: encode storage keys
• 1c94949 Preview: Rate limit config for AI
• 8a4e1d1 Previiew: Support file-sytem checks
• b160b26 Version Packages (#3275)
• ce1d37a Chore: re-define bin.js for fumadocs-mdx
• Additional commits viewable in compare view

Updates fumadocs-ui from 16.8.7 to 16.8.11

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.8.11

Patch Changes

• Updated dependencies [1dc86c7]
  • fumadocs-core@16.8.11

fumadocs-ui@16.8.10

Patch Changes

• Updated dependencies [062beab]
• Updated dependencies [505cfe0]
  • fumadocs-core@16.8.10

fumadocs-ui@16.8.8

Patch Changes

• b494c8d: Support copy ID in headings
• 03626ba: [Search UI] show ctrl for Linux machines
  • fumadocs-core@16.8.8

Commits

• 99f1066 Version Packages (#3280)
• d4c78e4 OpenAPI: render deprecated badge for deprecated operations (#3281)
• 0287f49 UI: improve default OG image
• 1dc86c7 Core: loosen the range for waku
• b3052ac Version Packages (#3279)
• 61f3a27 UI: encode storage keys
• 1c94949 Preview: Rate limit config for AI
• 8a4e1d1 Previiew: Support file-sytem checks
• b160b26 Version Packages (#3275)
• ce1d37a Chore: re-define bin.js for fumadocs-mdx
• Additional commits viewable in compare view

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
objectstack-cloud	Ready	Preview, Comment	May 17, 2026 2:43am
objectstack-objectos	Ready	Preview, Comment	May 17, 2026 2:43am
spec	Ready	Preview, Comment	May 17, 2026 2:43am

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.