build(deps): bump the production-dependencies group across 1 directory with 23 updates

[dependabot]

Bumps the production-dependencies group with 23 updates in the / directory:

Package	From	To
@orpc/contract	1.14.3	1.14.6
@orpc/client	1.14.3	1.14.6
@orpc/openapi	1.14.3	1.14.6
@orpc/openapi-client	1.14.3	1.14.6
@posthog/nextjs-config	1.9.34	1.9.67
mediabunny	1.45.4	1.47.0
next	16.2.6	16.2.9
posthog-js	1.376.0	1.386.8
posthog-node	5.35.2	5.37.1
react	19.2.6	19.2.7
react-dom	19.2.6	19.2.7
@inquirer/prompts	8.5.0	8.5.2
tsx	4.22.3	4.22.4
commander	14.0.3	15.0.0
js-yaml	4.1.1	4.2.0
@aws-sdk/client-s3	3.1053.0	3.1069.0
@aws-sdk/s3-request-presigner	3.1053.0	3.1069.0
@orpc/server	1.14.3	1.14.6
@orpc/zod	1.14.3	1.14.6
@sentry/node	10.53.1	10.58.0
bullmq	5.77.3	5.78.1
ioredis	5.10.1	5.11.1
@aws-sdk/lib-storage	3.1053.0	3.1069.0

Updates @orpc/contract from 1.14.3 to 1.14.6

Release notes

Sourced from @​orpc/contract's releases.

v1.14.6

   🐞 Bug Fixes

• client: Reject calls when websocket is not open instead of sending into a closed socket  -  by @​strblr in middleapi/orpc#1581 (47dbd)

    View changes on GitHub

v1.14.5

   🐞 Bug Fixes

• client: Move global ORPCError constructors registration to static block for better bundler compatibility  -  by @​dinwwwh in middleapi/orpc#1574 (21703)

[!TIP] If you find oRPC valuable and would like to support its development, you can do so here.

    View changes on GitHub

v1.14.4

   🐞 Bug Fixes

• tanstack-query: Narrow live options defaults type  -  by @​lyzno1 in middleapi/orpc#1568 (36cf3)

    View changes on GitHub

Commits

• 7fcf090 chore: release v1.14.6
• e801713 chore: sync sponsors
• f87ed9b chore: sync sponsors
• e4bb292 chore: release v1.14.5
• e666e40 chore: sync sponsors
• 0db6505 chore: sync sponsors
• 81b6cfe chore: release v1.14.4
• e5fce66 chore: sync sponsors
• 0a17864 chore: sync sponsors
• 2867abf chore: sync sponsors
• Additional commits viewable in compare view

Updates @orpc/client from 1.14.3 to 1.14.6

Release notes

Sourced from @​orpc/client's releases.

v1.14.6

   🐞 Bug Fixes

• client: Reject calls when websocket is not open instead of sending into a closed socket  -  by @​strblr in middleapi/orpc#1581 (47dbd)

    View changes on GitHub

v1.14.5

   🐞 Bug Fixes

• client: Move global ORPCError constructors registration to static block for better bundler compatibility  -  by @​dinwwwh in middleapi/orpc#1574 (21703)

[!TIP] If you find oRPC valuable and would like to support its development, you can do so here.

    View changes on GitHub

v1.14.4

   🐞 Bug Fixes

• tanstack-query: Narrow live options defaults type  -  by @​lyzno1 in middleapi/orpc#1568 (36cf3)

    View changes on GitHub

Commits

• 7fcf090 chore: release v1.14.6
• 47dbd93 fix(client): reject calls when websocket is not open instead of sending into ...
• e801713 chore: sync sponsors
• f87ed9b chore: sync sponsors
• e4bb292 chore: release v1.14.5
• 21703c0 fix(client): move global ORPCError constructors registration to static block ...
• e666e40 chore: sync sponsors
• 0db6505 chore: sync sponsors
• 81b6cfe chore: release v1.14.4
• e5fce66 chore: sync sponsors
• Additional commits viewable in compare view

Updates @orpc/openapi from 1.14.3 to 1.14.6

Release notes

Sourced from @​orpc/openapi's releases.

v1.14.6

   🐞 Bug Fixes

• client: Reject calls when websocket is not open instead of sending into a closed socket  -  by @​strblr in middleapi/orpc#1581 (47dbd)

    View changes on GitHub

v1.14.5

   🐞 Bug Fixes

• client: Move global ORPCError constructors registration to static block for better bundler compatibility  -  by @​dinwwwh in middleapi/orpc#1574 (21703)

[!TIP] If you find oRPC valuable and would like to support its development, you can do so here.

    View changes on GitHub

v1.14.4

   🐞 Bug Fixes

• tanstack-query: Narrow live options defaults type  -  by @​lyzno1 in middleapi/orpc#1568 (36cf3)

    View changes on GitHub

Commits

• 7fcf090 chore: release v1.14.6
• e801713 chore: sync sponsors
• f87ed9b chore: sync sponsors
• e4bb292 chore: release v1.14.5
• e666e40 chore: sync sponsors
• 0db6505 chore: sync sponsors
• 81b6cfe chore: release v1.14.4
• e5fce66 chore: sync sponsors
• 0a17864 chore: sync sponsors
• 2867abf chore: sync sponsors
• Additional commits viewable in compare view

Updates @orpc/openapi-client from 1.14.3 to 1.14.6

Release notes

Sourced from @​orpc/openapi-client's releases.

v1.14.6

   🐞 Bug Fixes

• client: Reject calls when websocket is not open instead of sending into a closed socket  -  by @​strblr in middleapi/orpc#1581 (47dbd)

    View changes on GitHub

v1.14.5

   🐞 Bug Fixes

• client: Move global ORPCError constructors registration to static block for better bundler compatibility  -  by @​dinwwwh in middleapi/orpc#1574 (21703)

[!TIP] If you find oRPC valuable and would like to support its development, you can do so here.

    View changes on GitHub

v1.14.4

   🐞 Bug Fixes

• tanstack-query: Narrow live options defaults type  -  by @​lyzno1 in middleapi/orpc#1568 (36cf3)

    View changes on GitHub

Commits

• 7fcf090 chore: release v1.14.6
• e801713 chore: sync sponsors
• f87ed9b chore: sync sponsors
• e4bb292 chore: release v1.14.5
• e666e40 chore: sync sponsors
• 0db6505 chore: sync sponsors
• 81b6cfe chore: release v1.14.4
• e5fce66 chore: sync sponsors
• 0a17864 chore: sync sponsors
• 2867abf chore: sync sponsors
• Additional commits viewable in compare view

Updates @posthog/nextjs-config from 1.9.34 to 1.9.67

Release notes

Sourced from @​posthog/nextjs-config's releases.

@​posthog/nextjs-config@​1.9.67

1.9.67

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)
• Updated dependencies [29bf8e3]:
  • @​posthog/plugin-utils@​1.1.2
  • @​posthog/webpack-plugin@​1.5.23

@​posthog/nextjs-config@​1.9.66

1.9.66

Patch Changes

• Updated dependencies []:
  • @​posthog/webpack-plugin@​1.5.22

@​posthog/nextjs-config@​1.9.65

1.9.65

Patch Changes

• Updated dependencies []:
  • @​posthog/webpack-plugin@​1.5.21

Changelog

Sourced from @​posthog/nextjs-config's changelog.

1.9.67

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)
• Updated dependencies [29bf8e3]:
  • @​posthog/plugin-utils@​1.1.2
  • @​posthog/webpack-plugin@​1.5.23

1.9.66

Patch Changes

• Updated dependencies []:
  • @​posthog/webpack-plugin@​1.5.22

1.9.65

Patch Changes

• Updated dependencies []:
  • @​posthog/webpack-plugin@​1.5.21

1.9.64

Patch Changes

• Updated dependencies []:
  • @​posthog/webpack-plugin@​1.5.20

1.9.63

Patch Changes

• Updated dependencies []:
  • @​posthog/webpack-plugin@​1.5.19

1.9.62

Patch Changes

• Updated dependencies []:
  • @​posthog/webpack-plugin@​1.5.18

1.9.61

Patch Changes

• Updated dependencies []:

... (truncated)

Commits

• 47aea13 chore: update versions and lockfile [version bump]
• 29bf8e3 fix: add missing bugs metadata (#3837)
• be08a64 docs: centralize SDK examples in official docs (#3825)
• 1f2c06b chore: make workspace releases explicit (#3803)
• c7abf85 chore: update versions and lockfile [version bump]
• 5fe3bd4 chore: update versions and lockfile [version bump]
• defbc62 chore: update versions and lockfile [version bump]
• 50a666f chore: update versions and lockfile [version bump]
• f4d4c8b chore: update versions and lockfile [version bump]
• 8b8b196 chore: update versions and lockfile [version bump]
• Additional commits viewable in compare view

Updates mediabunny from 1.45.4 to 1.47.0

Release notes

Sourced from mediabunny's releases.

v1.47.0

• Added AudioSample.trim() for getting a slice of an existing audio sample
• Fixed zero-sample ISOBMFF fragments throwing an error (#411)
• Fixed unhandled rejection when disposing invalid input (#413)
• Fixed process in Conversion API being called before other transformations, not after (#403)

v1.46.0

• Added options to registerMediabunnyServer, allowing you to specify a custom hardware context (#389)
• Added VideoSample.encodeOptions and VideoSample.setEncodeOptions() for providing per-frame encoding settings
• keyFrame encoding option now always takes precedence over keyFrameInterval when defined
• Improved VideoSample error messages when the environment has insufficient canvas support
• Improved VideoSample.clone() performance for ArrayBuffer-backed samples

v1.45.5

• Fixed @mediabunny/server memory leaks (#392)
• Made sure that at least one track per type is enabled when muxing ISOBMFF (#391)
• Added support for reading and writing QuickTime nclc color space information (#397)
• Added workaround for faulty Chromium key frame detection causing VideoDecoder error (#396)
• UrlSource now properly respects the Range header passed into requestInit
• Improved requestInit docs for UrlSource (#387)

Commits

• ad167c7 Bump minor
• 8b9a1ac Fix Conversion API process callbacks being called before other transformati...
• 0da1107 [AI-generated] Fix unhandled rejection when disposing invalid input (#413)
• 00599e5 Properly handle zero-sample track fragments again (fixes #411)
• e1c6ab1 Docs clarification
• bc533c7 Fix indentation
• 879fd75 Update to NodeAv v6 (#392)
• b4e5107 Bump minor
• c423d62 Change keyFrame parameter priority
• 0cdf006 Add VideoSample.encodeOptions, optimized ArrayBuffer-backed VideoSample cloning
• Additional commits viewable in compare view

Updates next from 16.2.6 to 16.2.9

Release notes

Sourced from next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

Commits

• f37fad9 v16.2.9
• d9aaaed [cd] Allow tagging semver-lower releases as @latest if @latest po… (#94627)
• 6f16804 v16.2.8
• 0dbc1d5 [16.2.x][cd] Ensure release can be triggered on old branches (#94598)
• 90e3c81 [16.2.x] Align Actions dependencies with Canary (#94339)
• 83f402c [16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)
• 411c455 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• Additional commits viewable in compare view

Updates posthog-js from 1.376.0 to 1.386.8

Release notes

Sourced from posthog-js's releases.

posthog-js@1.386.8

1.386.8

Patch Changes

• #3838 3094f73 Thanks @​TueHaulund! - fix(replay): discard the prior session's buffer when start() bails out a pending stop(). On a stopSessionRecording() → reset() → identify(newUser) → startSessionRecording() sequence, stopSessionRecording() takes the async compression-drain path, deferring its buffer flush and teardown. start() correctly invalidates that pending cleanup so the new recorder survives, but it left the stopped session's snapshot buffer in place. The re-entrant session-id restart then flushed those previous-user snapshots under the OLD session id, producing a mixed-distinct_id session that server-side any(distinct_id) attribution resolves to the wrong person — recordings showing the previous user's identity. start() now clears that stale buffer alongside invalidating the compression queue, matching the drop-trailing-data trade-off the bailed-out stop() path already accepts. (2026-06-15)

posthog-js@1.386.7

1.386.7

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)

• #3832 d3a9462 Thanks @​archievi! - Surveys: guard the remaining unprotected localStorage accesses (reset() and the lastSeenSurveyDate write) so a SecurityError in cross-origin iframes is swallowed instead of bubbling up to user monitoring. (2026-06-15)

• Updated dependencies [29bf8e3]:

  • @​posthog/core@​1.32.4
  • @​posthog/types@​1.386.4

posthog-js@1.386.6

1.386.6

Patch Changes

• #3804 a27b163 Thanks @​pauldambra! - fix(product-tours): drop the cached tours blob when product tours is not enabled

  Tours fetched while product tours was enabled are cached under ph_product_tours in the main persistence blob. Once product tours is disabled (remote config or the disable_product_tours option) that cache was never cleaned up, so a potentially large stale blob kept riding on every persistence write — and on every cross-tab storage event those writes broadcast. onRemoteConfig now clears the cached tours whenever product tours resolves to disabled; they are re-fetched if it is ever re-enabled. (2026-06-11)

posthog-js@1.386.5

1.386.5

Patch Changes

• #3801 bd06ac7 Thanks @​ksvat! - fix(replay): prevent silent recorder teardown on session-id rotation. When the session id rotates during active rrweb capture, _updateWindowAndSessionIds calls stop() then synchronously start('session_id_changed'). If stop() took the _stopAfterCompressionQueueDrains path (which fires whenever the compression queue is non-empty — common during steady recording), its async cleanup would later resolve and call _teardown() against the freshly-started recorder, stopping rrweb, removing event listeners, and emptying the V2 trigger-group matchers. From that point on, the recorder's status getter kept reporting active/sampled (the _strategy reference was still set), but rrweb was no longer producing events, no listeners were registered, and no $snapshot data reached the server — the session looked recording-eligible from event metadata yet produced no replay. start() now invalidates the compression-queue state (generation bump plus reset of the stop-in-progress flag and queued-event count), so any pending cleanup from a prior stop() bails at its existing generation check and a later stop() of the new recorder is not mistaken for the old in-progress one. Affects long-running tabs that rotate session id mid-use (idle timeout, session-past-max-length, or posthog.reset()). (2026-06-11)

posthog-js@1.386.4

1.386.4

Patch Changes

• #3767 fdc07f3 Thanks @​arnohillen! - replay: jump scrolls instantly when seeking past pages that use scroll-behavior: smooth. During fast-forward the replayer applied scrolls with behavior: 'auto', which inherits the page's CSS scroll-behavior — so on sites that set scroll-behavior: smooth (e.g. Silk bottom sheets/modals) a seeked scroll animated from 0 instead of jumping, leaving scroll-revealed content (the open sheet) out of view and showing only the backdrop until the animation caught up. Sync scrolls now use behavior: 'instant', matching the method's stated intent that smooth scrolling be disabled while fast-forwarding. Full snapshot rebuilds apply their initial offset with behavior: 'instant' too, so the document-level scroll doesn't animate either. (2026-06-11)

posthog-js@1.386.3

1.386.3

... (truncated)

Commits

• c826954 chore: update versions and lockfile [version bump]
• 3094f73 fix(replay): discard prior session buffer on restart across reset (#3838)
• 47aea13 chore: update versions and lockfile [version bump]
• 29bf8e3 fix: add missing bugs metadata (#3837)
• d3a9462 fix: Guard remaining survey localStorage accesses against SecurityError (#358...
• a3eff27 chore(deps): bump turbo to 2.9.16 (#3836)
• 5e8c4b7 chore: update versions and lockfile [version bump]
• d6fc0a5 feat(flags): support early_exit in posthog-node local evaluation (#3705)
• be08a64 docs: centralize SDK examples in official docs (#3825)
• 1a2ddb7 chore: update versions and lockfile [version bump]
• Additional commits viewable in compare view

Updates posthog-node from 5.35.2 to 5.37.1

Release notes

Sourced from posthog-node's releases.

posthog-node@5.37.1

5.37.1

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)
• Updated dependencies [29bf8e3]:
  • @​posthog/core@​1.32.4

posthog-node@5.37.0

5.37.0

Minor Changes

• #3705 d6fc0a5 Thanks @​gustavohstrassburger! - feat(feature-flags): support the early_exit condition option in local evaluation. When a flag enables early exit, evaluation now stops and returns false as soon as a condition group's property filters match but the rollout percentage excludes the user, instead of falling through to later groups — matching the server-side evaluation behavior. (2026-06-12)

posthog-node@5.36.17

5.36.17

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.32.3

posthog-node@5.36.16

5.36.16

Patch Changes

• Updated dependencies [25822ac]:
  • @​posthog/core@​1.32.2

posthog-node@5.36.15

5.36.15

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.32.1

posthog-node@5.36.14

5.36.14

Patch Changes

• Updated dependencies [612f97a]:
  • @​posthog/core@​1.32.0

... (truncated)

Changelog

Sourced from posthog-node's changelog.

5.37.1

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)
• Updated dependencies [29bf8e3]:
  • @​posthog/core@​1.32.4

5.37.0

Minor Changes

• #3705 d6fc0a5 Thanks @​gustavohstrassburger! - feat(feature-flags): support the early_exit condition option in local evaluation. When a flag enables early exit, evaluation now stops and returns false as soon as a condition group's property filters match but the rollout percentage excludes the user, instead of falling through to later groups — matching the server-side evaluation behavior. (2026-06-12)

5.36.17

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.32.3

5.36.16

Patch Changes

• Updated dependencies [25822ac]:
  • @​posthog/core@​1.32.2

5.36.15

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.32.1

5.36.14

Patch Changes

• Updated dependencies [612f97a]:
  • @​posthog/core@​1.32.0

5.36.13

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.31.4

... (truncated)

Commits

• 47aea13 chore: update versions and lockfile [version bump]
• 29bf8e3 fix: add missing bugs metadata (#3837)
• 5e8c4b7 chore: update versions and lockfile [version bump]
• d6fc0a5 feat(flags): support early_exit in posthog-node local evaluation (#3705)
• be08a64 docs: centralize SDK examples in official docs (#3825)
• 1f2c06b chore: make workspace releases explicit (#3803)
• c7abf85 chore: update versions and lockfile [version bump]
• 5fe3bd4 chore: update versions and lockfile [version bump]
• defbc62 chore: update versions and lockfile [version bump]
• 50a666f chore: update versions and lockfile [version bump]
• Additional commits viewable in compare view

Updates react from 19.2.6 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.

Updates react-dom from 19.2.6 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (#36566 by @​unstubbable)

Commits

• 6117d7c Version 19.2.7 (#36591)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.

Updates @inquirer/prompts from 8.5.0 to 8.5.2

Release notes

Sourced from @​inquirer/prompts's releases.

@​inquirer/prompts@​8.5.2

• Fix security warnings in external-editor

@​inquirer/prompts@​8.5.1

• Rolled back mute-stream dependency from v4 to v3 to undo breaking compatible engines.
• Added tooling to prevent regression of the above in the future. This surfaced our min engines already enforced a higher limit, so adjusted the explicit limits to match the current state.

Commits

• bfd8710 chore: Publish new release
• 55cc5f3 feat: add reusable package lint CLI
• 3af9ed0 test(inquirer): capture prompt runner output
• 4381857 fix(@​inquirer/input): remove stale lint suppression
• 45df331 fix(@​inquirer/external-editor): harden editor temp files
• adef323 chore: limit CI token permissions
• b43359d chore: Publish new release
• 24ecae2 chore: fix yarn.lock
• b078d97 fix: validate package engine compatibility
• 3a49f9f chore(deps-dev): Bump oxfmt in the formatting group (#2143)
• Additional commits viewable in compare view

Updates tsx from 4.22.3 to 4.22.4

Release notes

Sourced from tsx's releases.

v4.22.4

4.22.4 (2026-05-31)

Bug Fixes

• resolve CommonJS directory requires inside dependencies (#803) (1ce8463)

---

This release is also available on:

• npm package (@​latest dist-tag)

Commits

• 1ce8463 fix: resolve CommonJS directory requires inside dependencies (#803)
• See full diff in compare view

Updates commander from 14.0.3 to 15.0.0

Release notes

Sourced from commander's releases.

v15.0.0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

• show excess command-arguments in error message (#2384)

Fixed

• Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
• update example to use compatible character for MINGW64 (#2475)

Changed

• Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
• Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
• dev: switch tests from Jest to node:test test runner (#2463)

Deleted

• Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

v15.0.0-0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 in May 2026 will move Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

• show excess command-arguments in error message (#2384)

Fixed

• Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
• update example to use compatible character for MINGW64 (#2475)

... (truncated)

Changelog

Sourced from commander's changelog.

[15.0.0] (2026-05-29)

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

• show excess command-arguments in error message (#2384)

Fixed

• Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
• update example to use compatible character for MINGW64 (#2475)

Changed

• Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
• Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
• dev: switch tests from Jest to node:test test runner (#2463)

Deleted

• Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

[15.0.0-0] (2026-02-22)

(Released as 15.0.0)

Commits

• ba6d13d Fix release dates in changelog (#2523)
• a752ed9 Pin GitHub actions with hash (#2521)
• 74d5dfe Drop EOL node 20 from test matrix, and add node 26 (#2520)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​16.2.9
	@​posthog/​nextjs-config@​1.9.67
	posthog-node@​5.37.1
	@​types/​react@​19.2.17
	posthog-js@​1.386.8
	tsx@​4.22.4
	react@​19.2.7
	@​aws-sdk/​lib-storage@​3.1069.0
	js-yaml@​4.2.0
	@​orpc/​zod@​1.14.6
	commander@​15.0.0
	react-dom@​19.2.7
	ioredis@​5.11.1
	@​orpc/​server@​1.14.6
	bullmq@​5.78.1
	@​inquirer/​prompts@​8.5.2
	@​sentry/​node@​10.58.0
	@​orpc/​client@​1.14.6
	@​orpc/​contract@​1.14.6
	@​orpc/​openapi-client@​1.14.6
	@​orpc/​openapi@​1.14.6
	@​aws-sdk/​client-s3@​3.1069.0
	@​aws-sdk/​s3-request-presigner@​3.1069.0
	mediabunny@​1.47.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/next@16.2.9 → npm/@emnapi/runtime@1.11.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm js-yaml is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: apps/devscripts/package.json → npm/js-yaml@4.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm posthog-js is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: apps/client/package.json → npm/posthog-js@1.386.8 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.386.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report