deps(app)(deps): bump the production-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the production-dependencies group with 10 updates in the /chartsmith-app directory:

Package	From	To
autoprefixer	10.4.22	10.4.23
centrifuge	5.5.2	5.5.3
diff	8.0.2	8.0.3
jotai	2.16.0	2.16.2
lodash	4.17.21	4.17.23
next	15.5.9	15.5.10
parse-duration	2.1.4	2.1.5
react	19.2.3	19.2.4
react-dom	19.2.3	19.2.4
tar	7.5.2	7.5.6

Updates autoprefixer from 10.4.22 to 10.4.23

Release notes

Sourced from autoprefixer's releases.

10.4.23

• Reduced dependencies (by @​hyperz111).

Changelog

Sourced from autoprefixer's changelog.

10.4.23

• Reduced dependencies (by @​hyperz111).

Commits

• 212ba3c Release 10.4.23 version
• 7f62fb6 Update dependencies
• c455bb1 chore: inline and simplify normalize-range (#1539)
• See full diff in compare view

Updates centrifuge from 5.5.2 to 5.5.3

Release notes

Sourced from centrifuge's releases.

5.5.3

What's Changed

• General maintenance release to audit and update used dependencies

Full Changelog: centrifugal/centrifuge-js@5.5.2...5.5.3

Commits

• a5a327a bump to 5.5.3
• 525b1de Merge pull request #346 from centrifugal/update_deps
• 2ca9917 update dependencies
• da652a0 Merge pull request #331 from centrifugal/dependabot/npm_and_yarn/tmp-0.2.4
• e6957bb Bump tmp from 0.2.1 to 0.2.4
• See full diff in compare view

Updates diff from 8.0.2 to 8.0.3

Changelog

Sourced from diff's changelog.

8.0.3

• #631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
• #635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.
• #641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.
• #647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

Commits

• 13576bf 8.0.3 release (#652)
• 1179ccb Ignore .zed (#651)
• 949d6e2 Add test for the vuln I just fixed (#650)
• 15a1585 Fix the second denial-of-service vulnerability in parsePatch (#649)
• de95cca Fix potentially cubic-time regex in parsePatch (#647)
• b9aeede Allow more customisation of file headers in patches (#641)
• 43c716c Merge pull request #636 from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2
• b8162c7 Bump node-forge from 1.3.1 to 1.3.2
• ad6dc17 Fix some bugs in the diffWords regex (and errors & ambiguities in the comment...
• 3e1774a Fix a comment typo (#633)
• Additional commits viewable in compare view

Updates jotai from 2.16.0 to 2.16.2

Release notes

Sourced from jotai's releases.

v2.16.2

Fixes unwrap and loadable, resolving a regression introduced in v2.15.2.

What's Changed

• fix(utils): unwrap should not violate the store mutation rule by @​dai-shi in pmndrs/jotai#3213

New Contributors

• @​dev-itsheng made their first contribution in pmndrs/jotai#3206

Full Changelog: pmndrs/jotai@v2.16.1...v2.16.2

v2.16.1

This fixes an internal API issue that affects ecosystem libraries.

What's Changed

• fix(internals): buildingblocks should not invoke buildingblock definitions from top-scope by @​dmaskasky in pmndrs/jotai#3197

Full Changelog: pmndrs/jotai@v2.16.0...v2.16.1

Commits

• c3a472f 2.16.2
• f2b0e2c chore(deps): update dev dependencies (#3216)
• fe05c20 fix(utils): unwrap should not violate the store mutation rule (#3213)
• a816121 test(react/vanilla-utils/atomWithStorage): add test for 'createJSONStorage' w...
• 49c4a15 test(react/useSetAtom): add test for throwing error when called with read-onl...
• 83dce49 fix: typo (#3206)
• dba8ff1 Revert "remove stale-discussions.yml for now"
• 6897847 2.16.1
• 8dbb95c chore: update dev dependencies (#3204)
• 2243375 fix(internals): buildingblocks should not invoke buildingblock definitions fr...
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates next from 15.5.9 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

Commits

• 60a2aa9 v15.5.10
• e5b834d fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 39a2f6a feat(next/image)!: add images.maximumResponseBody config (#88183)
• bf9f084 Sync DoS mitigations for React Flight
• See full diff in compare view

Updates parse-duration from 2.1.4 to 2.1.5

Commits

• See full diff in compare view

Updates react from 19.2.3 to 19.2.4

Release notes

Sourced from react's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 90ab3f8 Version 19.2.4
• See full diff in compare view

Updates react-dom from 19.2.3 to 19.2.4

Release notes

Sourced from react-dom's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 90ab3f8 Version 19.2.4
• See full diff in compare view

Updates tar from 7.5.2 to 7.5.6

Commits

• 394ece6 7.5.6
• 7d4cc17 fix race puting a Link ahead of its target File
• 26ab904 7.5.5
• e9a1ddb fix: do not prevent valid linkpaths within archive
• 911c886 7.5.4
• 3b1abfa normalize out unicode ligatures
• a43478c remove some unused files
• 970c58f update deps
• bb21974 update changelog
• 0313844 7.5.3
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions