deps(deps): bump the minor-and-patch group with 7 updates

[dependabot]

Bumps the minor-and-patch group with 7 updates:

Package	From	To
dotenv	17.3.1	17.4.1
mongoose	9.3.3	9.4.1
next	16.2.1	16.2.2
sass	1.98.0	1.99.0
@types/node	25.5.0	25.5.2
eslint	10.1.0	10.2.0
eslint-config-next	16.2.1	16.2.2

Updates dotenv from 17.3.1 to 17.4.1

Changelog

Sourced from dotenv's changelog.

17.4.1 (2026-04-05)

Changed

• Change text injecting to injected (#1005)

17.4.0 (2026-04-01)

Added

• Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

• Tighten up logs: ◇ injecting env (14) from .env (#1003)

Commits

• 48aa216 17.4.1
• e4282b0 changelog 🪵
• c540e75 Merge pull request #1006 from motdotla/skills-update
• 5626f9b dotenvx skill
• 2411f2a update dotenvx skill
• 1e08a70 simplify dotenv skill
• 747f417 Merge pull request #1005 from motdotla/injected
• 271df30 changelog 🪵
• 3f01a8b injecting to injected
• ccc50d5 update
• Additional commits viewable in compare view

Updates mongoose from 9.3.3 to 9.4.1

Release notes

Sourced from mongoose's releases.

9.4.1 / 2026-04-03

• Revert "fix(setDefaultsOnInsert): run setters on default values during upsert" #16218 #16051

9.4.0 / 2026-04-03

• perf(document+model): avoid parallel save error instantiation, simplify resetting atomics, streamline validation and collection handling
• feat(document): add $getChanges() alias, deprecate getChanges() #15959 techcodie
• fix(schema): support toJSONSchema on unions #16179
• fix(schema): implement validation for Union schemas and subdocuments techcodie
• fix(connection): snapshot Date in heartbeat handler and flush queue on recovery #16183 andreialecu
• fix(model): use duck-typing with version check to validate the argument to useConnection() is actually a connection #16098
• fix(setDefaultsOnInsert): run setters on default values during upsert #16051 mahmoodhamdi
• fix(utils): properly compare Set objects in deepEqual KhanjarSingh
• fix(utils): wrap discriminator merge check in parentheses to fix precedence Necro-Rohan
• fix(schema): correct template literal in encryptionType error message Mridul012
• fix(schema): correct error when unsupported query operator with number #16062
• fix(types): make MergeType and UnpackedIntersection distributive over union types techcodie
• types: add id to HydratedDocument virtuals by default unless explicitly set #16178
• types(populate): use marker type to track populated vs depopulated type for perf
• types(populate): retain populated paths in toObject() and toJSON() unless depopulate: true set #16085
• types(query): make TypeScript error on $and with unrecognized query operator
• chore: use TSTyche assertions mrazauskas
• docs(connection): remove references to useUnifiedTopology and fix backtick
• docs: fix typo 'retreiving' -> 'retrieving' in SchemaType getter JSDoc yogesh968
• docs: fix typos around 'retrieve' in schemaType and tests ayushshukla1807
• docs: fix typos in code comments Goldyvaiiii

Changelog

Sourced from mongoose's changelog.

9.4.1 / 2026-04-03

• Revert "fix(setDefaultsOnInsert): run setters on default values during upsert" #16218 #16051

9.4.0 / 2026-04-03

• perf(document+model): avoid parallel save error instantiation, simplify resetting atomics, streamline validation and collection handling
• feat(document): add $getChanges() alias, deprecate getChanges() #15959 techcodie
• fix(schema): support toJSONSchema on unions #16179
• fix(schema): implement validation for Union schemas and subdocuments techcodie
• fix(connection): snapshot Date in heartbeat handler and flush queue on recovery #16183 andreialecu
• fix(model): use duck-typing with version check to validate the argument to useConnection() is actually a connection #16098
• fix(setDefaultsOnInsert): run setters on default values during upsert #16051 mahmoodhamdi
• fix(utils): properly compare Set objects in deepEqual KhanjarSingh
• fix(utils): wrap discriminator merge check in parentheses to fix precedence Necro-Rohan
• fix(schema): correct template literal in encryptionType error message Mridul012
• fix(schema): correct error when unsupported query operator with number #16062
• fix(types): make MergeType and UnpackedIntersection distributive over union types techcodie
• types: add id to HydratedDocument virtuals by default unless explicitly set #16178
• types(populate): use marker type to track populated vs depopulated type for perf
• types(populate): retain populated paths in toObject() and toJSON() unless depopulate: true set #16085
• types(query): make TypeScript error on $and with unrecognized query operator
• chore: use TSTyche assertions mrazauskas
• docs(connection): remove references to useUnifiedTopology and fix backtick
• docs: fix typo 'retreiving' -> 'retrieving' in SchemaType getter JSDoc yogesh968
• docs: fix typos around 'retrieve' in schemaType and tests ayushshukla1807
• docs: fix typos in code comments Goldyvaiiii

Commits

• 91cc6ba chore: release 9.4.1
• 32d0bef Merge pull request #16218 from Automattic/revert-16093-fix/issue-16051-setter...
• 655e0f3 Revert "fix(setDefaultsOnInsert): run setters on default values during upsert"
• 0ad38e6 chore: release 9.4.0
• 7ffb16d Merge pull request #16217 from Automattic/9.4
• 8c1d3df Merge pull request #16182 from Automattic/vkarpov15/gh-16179
• c63cae8 Update lib/model.js
• e454679 fix typescript tests
• 4400687 Merge branch 'master' into 9.4
• 16fdc8a fix: oneOf -> anyOf for union JSON schema
• Additional commits viewable in compare view

Updates next from 16.2.1 to 16.2.2

Release notes

Sourced from next's releases.

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

Credits

Huge thanks to @​nextjs-bot, @​icyJoseph, @​ijjk, @​gaojude, @​wbinnssmith, @​lukesandberg, and @​bgw for helping!

Commits

• 52faae3 v16.2.2
• 8d0f77b Backport: #92177
• e151e5f Fix CI for glibc linux builds
• 1a319ea [backport] Fix CSS HMR on Safari (#92174)
• c0edad2 Turbopack: exclude metadata routes from server HMR (#92034)
• d644699 Turbopack: enable server HMR for app route handlers (#91466)
• 34de2ca next.config.js: Accept an option for serverFastRefresh (#91968)
• c4779d1 [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• edcf19a Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• eee3f52 backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Additional commits viewable in compare view

Updates sass from 1.98.0 to 1.99.0

Release notes

Sourced from sass's releases.

Dart Sass 1.99.0

To install Sass 1.99.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

• User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are deprecated.

  See the Sass website for details.

See the full changelog for changes in earlier releases.

Changelog

Sourced from sass's changelog.

1.99.0

• Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

• User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are deprecated.

  See the Sass website for details.

Commits

• 83c39fe Support the top-level parent selector (#2758)
• ec85871 Bump EndBug/add-and-commit from 9 to 10 (#2756)
• a604acd [Function Name] Implement changes (#2731)
• See full diff in compare view

Updates @types/node from 25.5.0 to 25.5.2

Commits

• See full diff in compare view

Updates eslint from 10.1.0 to 10.2.0

Release notes

Sourced from eslint's releases.

v10.2.0

Features

• 586ec2f feat: Add meta.languages support to rules (#20571) (Copilot)
• 14207de feat: add Temporal to no-obj-calls (#20675) (Pixel998)
• bbb2c93 feat: add Temporal to ES2026 globals (#20672) (Pixel998)

Bug Fixes

• 542cb3e fix: update first-party dependencies (#20714) (Francesco Trotta)

Documentation

• a2af743 docs: add language to configuration objects (#20712) (Francesco Trotta)
• 845f23f docs: Update README (GitHub Actions Bot)
• 5fbcf59 docs: remove sourceType from ts playground link (#20477) (Tanuj Kanti)
• 8702a47 docs: Update README (GitHub Actions Bot)
• ddeaded docs: Update README (GitHub Actions Bot)
• 2b44966 docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic)
• eab65c7 docs: update eslint versions in examples (#20664) (루밀LuMir)
• 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#20660) (Milos Djermanovic)

Chores

• 8120e30 refactor: extract no unmodified loop condition (#20679) (kuldeep kumar)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697) (renovate[bot])
• 01ed3aa test: add unit tests for unicode utilities (#20622) (Manish chaudhary)
• 811f493 ci: remove --legacy-peer-deps from types integration tests (#20667) (Milos Djermanovic)
• 6b86fcf chore: update dependency npm-run-all2 to v8 (#20663) (renovate[bot])
• 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#20662) (루밀LuMir)
• b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#20659) (Milos Djermanovic)
• 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#20661) (Milos Djermanovic)
• 3ab4d7e test: Add tests for eslintrc-style keys (#20645) (kuldeep kumar)

Commits

• 000128c 10.2.0
• 1988fad Build: changelog update for 10.2.0
• 542cb3e fix: update first-party dependencies (#20714)
• a2af743 docs: add language to configuration objects (#20712)
• 845f23f docs: Update README
• 5fbcf59 docs: remove sourceType from ts playground link (#20477)
• 8702a47 docs: Update README
• ddeaded docs: Update README
• 8120e30 refactor: extract no unmodified loop condition (#20679)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697)
• Additional commits viewable in compare view

Updates eslint-config-next from 16.2.1 to 16.2.2

Release notes

Sourced from eslint-config-next's releases.

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

Credits

Huge thanks to @​nextjs-bot, @​icyJoseph, @​ijjk, @​gaojude, @​wbinnssmith, @​lukesandberg, and @​bgw for helping!

Commits

• 52faae3 v16.2.2
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions