chore: bump the production-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the production-dependencies group with 5 updates in the / directory:

Package	From	To
@orpc/client	1.13.14	1.14.0
@orpc/tanstack-query	1.13.14	1.14.0
@tanstack/react-query	5.99.2	5.100.1
better-auth	1.6.6	1.6.8
posthog-js	1.369.5	1.371.2

Updates @orpc/client from 1.13.14 to 1.14.0

Release notes

Sourced from @​orpc/client's releases.

v1.14.0

   🚀 Features

• server,openapi: Support ReadableStream as handler return value  -  by @​ghdoergeloh in middleapi/orpc#1535 (b6b87)

    View changes on GitHub

Commits

• ce664fb chore: release v1.14.0
• a1bb16f chore: sync sponsors
• See full diff in compare view

Updates @orpc/tanstack-query from 1.13.14 to 1.14.0

Release notes

Sourced from @​orpc/tanstack-query's releases.

v1.14.0

   🚀 Features

• server,openapi: Support ReadableStream as handler return value  -  by @​ghdoergeloh in middleapi/orpc#1535 (b6b87)

    View changes on GitHub

Commits

• ce664fb chore: release v1.14.0
• a1bb16f chore: sync sponsors
• See full diff in compare view

Updates @tanstack/react-query from 5.99.2 to 5.100.1

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.1
  • @​tanstack/react-query@​5.100.1

@​tanstack/react-query-devtools@​5.100.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.0
  • @​tanstack/react-query@​5.100.0

@​tanstack/react-query-next-experimental@​5.100.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.0

@​tanstack/react-query-persist-client@​5.100.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.0
  • @​tanstack/react-query@​5.100.0

@​tanstack/react-query@​5.100.0

Patch Changes

• Updated dependencies [6540a41]:
  • @​tanstack/query-core@​5.100.0

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.1

Patch Changes

• Updated dependencies [1bb0d23]:
  • @​tanstack/query-core@​5.100.1

5.100.0

Patch Changes

• Updated dependencies [6540a41]:
  • @​tanstack/query-core@​5.100.0

Commits

• 2f9527e ci: Version Packages (#10568)
• ad517e5 ci: Version Packages (#10567)
• 6540a41 feat(core): callback for retryOnMount (#10515)
• e236194 test(react-query/useQuery.promise): improve stability by isolating 'queryClie...
• 59efc40 test(*): resolve 'require-await' warnings in test files (#10551)
• cf8a765 test(react-query/useQuery): rename 'throwOnError' callback parameter to 'err'...
• 6b6667e test(*): migrate 'test' to 'it' and enforce 'vitest/consistent-test-it' rule ...
• See full diff in compare view

Updates better-auth from 1.6.6 to 1.6.8

Release notes

Sourced from better-auth's releases.

v1.6.8

better-auth

Bug Fixes

• Fixed mapProfileToUser fallback for OAuth providers that may omit email from their profile response (#9331)
• Fixed support for passing id through beforeCreateTeam and beforeCreateInvitation hooks (#9253)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed authorization flows that do not include a state parameter (#9328)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

• Fixed incompatibility with TypeScript's exactOptionalPropertyTypes compiler option (#9270)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​baptisteArno, @​gustavovalverde, @​ping-maxwell

Full changelog: v1.6.7...v1.6.8

v1.6.7

better-auth

Features

• Added support for an array of client IDs as the ID token audience in social providers (#9292)

Bug Fixes

• Fixed response headers being lost when an APIError is thrown (#9211)
• Fixed browser and edge runtime errors by serving a no-op ./instrumentation module in those environments (#9281)
• Fixed a crash when parsing OAuth2 state with an undefined request body (#9293)
• Fixed callbackOnVerification not being called when updatePhoneNumber is enabled (#4894)

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.8

Patch Changes

• #9253 856ab24 Thanks @​baptisteArno! - fix(organization): allow passing id through beforeCreateTeam and beforeCreateInvitation

  Mirrors #4765 for teams and invitations: adapter.createTeam and adapter.createInvitation now pass forceAllowId: true, so ids returned from the respective hooks survive the DB insert.

• #9331 9aa8e63 Thanks @​gustavovalverde! - fix(oauth): support mapProfileToUser fallback for providers that may omit email

  Social sign-in with OAuth providers that may return no email address (Discord phone-only accounts, Apple subsequent sign-ins, GitHub private emails, Facebook, LinkedIn, and Microsoft Entra ID managed users) can now be unblocked by synthesizing an email inside mapProfileToUser. Rejection logger messages now point at this workaround and at the new "Handling Providers Without Email" docs section.

  Provider profile types now reflect where email can be null or absent:

  • DiscordProfile.email is string | null and optional (absent when the email scope is not granted)
  • AppleProfile.email is optional
  • GithubProfile.email is string | null
  • FacebookProfile.email is optional
  • FacebookProfile.email_verified is optional (Meta's Graph API does not include this field)
  • LinkedInProfile.email is optional
  • LinkedInProfile.email_verified is optional
  • MicrosoftEntraIDProfile.email is optional

  TypeScript consumers who previously dereferenced profile.email directly inside mapProfileToUser will see a compile error that matches the runtime reality; use a nullish-coalescing fallback (profile.email ?? ...) or null-check the field.

  Sign-in still rejects with error=email_not_found (social callback) or error=email_is_missing (Generic OAuth plugin) when neither the provider nor mapProfileToUser produces an email. First-class support for users without an email, keyed on (providerId, accountId) per OpenID Connect Core §5.7, is tracked in #9124.

• Updated dependencies [9aa8e63]:

  • @​better-auth/core@​1.6.8
  • @​better-auth/drizzle-adapter@​1.6.8
  • @​better-auth/kysely-adapter@​1.6.8
  • @​better-auth/memory-adapter@​1.6.8
  • @​better-auth/mongo-adapter@​1.6.8
  • @​better-auth/prisma-adapter@​1.6.8
  • @​better-auth/telemetry@​1.6.8

1.6.7

Patch Changes

• #9211 307196a Thanks @​stewartjarod! - Preserve Set-Cookie headers accumulated on ctx.responseHeaders when an endpoint throws APIError. Cookie side-effects from deleteSessionCookie (and any ctx.setCookie / ctx.setHeader calls before the throw) are no longer silently discarded on the error path.

• #9292 4f373ee Thanks @​gustavovalverde! - Accept an array of Client IDs on providers that verify ID tokens by audience (Google, Apple, Microsoft Entra, Facebook, Cognito). The first entry is used for the authorization code flow; all entries are accepted when verifying an ID token's aud claim, so a single backend can serve Web, iOS, and Android clients with their platform-specific Client IDs.

  socialProviders: {
    google: {
      clientId: [
        process.env.GOOGLE_WEB_CLIENT_ID!,
        process.env.GOOGLE_IOS_CLIENT_ID!,
        process.env.GOOGLE_ANDROID_CLIENT_ID!,

... (truncated)

Commits

• b289ac6 chore: release v1.6.8 (#9316)
• 9aa8e63 fix(oauth): support mapProfileToUser fallback for providers that may omit e...
• 856ab24 fix(organization): allow passing id through beforeCreateTeam and `beforeCre...
• f8076d1 chore: release v1.6.7 (#9289)
• 4f373ee feat(social-providers): accept array of Client IDs for ID token audience (#9292)
• e1b1cfc fix(oauth2): guard against undefined body when parsing state (#9293)
• d053a45 fix(phone-number): call callbackOnVerification when updatePhoneNumber is enab...
• 307196a fix(api): preserve response headers when APIError is thrown (#9211)
• See full diff in compare view

Updates posthog-js from 1.369.5 to 1.371.2

Release notes

Sourced from posthog-js's releases.

posthog-js@1.371.2

1.371.2

Patch Changes

• #3453 96f19b7 Thanks @​turnipdabeets! - Lift OTLP log serialization helpers from posthog-js into @​posthog/core so the upcoming React Native logs feature consumes the same builders. Browser gains two fixes as a side effect: NaN and ±Infinity attribute values no longer get silently dropped during JSON encoding, and the scope.version OTLP field is now populated with the SDK version (changes the server's instrumentation_scope column from "posthog-js@" to "posthog-js@"). (2026-04-23)
• Updated dependencies [96f19b7]:
  • @​posthog/types@​1.371.2
  • @​posthog/core@​1.27.1

posthog-js@1.371.1

1.371.1

Patch Changes

• #3425 2da17e8 Thanks @​marandaneto! - Classify SDK-owned persistence keys with an explicit event exposure policy so new internal persistence state must be intentionally marked as event-visible, hidden, or derived. (2026-04-23)
• Updated dependencies []:
  • @​posthog/types@​1.371.1

posthog-js@1.371.0

1.371.0

Patch Changes

• #3432 1a8b727 Thanks @​richardsolomou! - refactor: rename __add_tracing_headers to addTracingHeaders. The __ prefix signalled an internal/experimental option, but the config is a public API (documented for linking LLM traces to session replays). __add_tracing_headers continues to work as a deprecated alias on the browser SDK.

  Also exposes patchFetchForTracingHeaders from @posthog/core so non-browser SDKs can reuse the implementation. (2026-04-23)

• Updated dependencies [1a8b727]:

  • @​posthog/core@​1.27.0
  • @​posthog/types@​1.371.0

posthog-js@1.370.1

1.370.1

Patch Changes

• #3442 6f19ce8 Thanks @​marandaneto! - fix(surveys): guard survey seen localStorage access (2026-04-22)
• Updated dependencies []:
  • @​posthog/types@​1.370.1

posthog-js@1.370.0

1.370.0

... (truncated)

Commits

• ee4fb75 chore: update versions and lockfile [version bump]
• 96f19b7 refactor(logs): lift OTLP utilities to @​posthog/core (#3453)
• 21679b8 chore: update versions and lockfile [version bump]
• 2da17e8 fix(browser): classify SDK persistence keys explicitly (#3425)
• 37d7897 chore: update versions and lockfile [version bump]
• 1a8b727 feat: support addTracingHeaders in react-native sdk (#3432)
• 45dbf03 chore: update versions and lockfile [version bump]
• 6f19ce8 fix(surveys): guard eligibility checks against storage access errors (#3442)
• 73f5cb5 chore: update versions and lockfile [version bump]
• 922a1c1 feat: add exception steps buffering and public API (#3389)
• Additional commits viewable in compare view

[changeset-bot]

⚠️ No Changeset found

Latest commit: 81286c6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[ishiko732]

@dependabot rebase