fix(deps): update all patch dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@tanstack/react-query (source)	5.90.16 → 5.90.18			dependencies	patch	5.90.20 (+1)
@types/node (source)	24.10.4 → 24.10.9			dependencies	patch
@types/node (source)	24.10.4 → 24.10.9			devDependencies	patch
@types/react (source)	19.2.7 → 19.2.8			dependencies	patch	19.2.9
@typescript/native-preview (source)	7.0.0-dev.20260109.1 → 7.0.0-dev.20260116.1			devDependencies	patch	7.0.0-dev.20260122.4 (+6)
hono (source)	4.11.3 → 4.11.4			dependencies	patch	4.11.5
next (source)	16.1.1 → 16.1.2			dependencies	patch	16.1.4 (+1)
supabase/postgres	17.6.1.071 → 17.6.1.072				patch
zod (source)	4.3.4 → 4.3.5			dependencies	patch	4.3.6
zod (source)	4.3.4 → 4.3.5			devDependencies	patch	4.3.6

---

Release Notes

TanStack/query (@​tanstack/react-query)

v5.90.18

Compare Source

Patch Changes

• Updated dependencies [dea1614]:
  • @​tanstack/query-core@​5.90.18

v5.90.17

Compare Source

Patch Changes

• Updated dependencies [269351b]:
  • @​tanstack/query-core@​5.90.17

microsoft/typescript-go (@​typescript/native-preview)

v7.0.0-dev.20260116.1

Compare Source

v7.0.0-dev.20260115.1

Compare Source

v7.0.0-dev.20260114.1

Compare Source

v7.0.0-dev.20260113.1

Compare Source

v7.0.0-dev.20260112.1

Compare Source

v7.0.0-dev.20260111.1

Compare Source

honojs/hono (hono)

v4.11.4

Compare Source

Security

Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.

Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.

If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.

JWT middleware

import { jwt } from 'hono/jwt'

app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

JWK/JWKS middleware

import { jwk } from 'hono/jwk'

app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only)
  })
)

For more details, see the Security Advisory.

• GHSA-f67f-6cw9-8mq4
• GHSA-3vhc-576x-3qv4

What's Changed

• test(utils/jwt): add missing algorithm types in jwa.test.ts by @​flathill404 in #​4607
• chore: bump @hono/eslint-config and enable curly rule by @​yusukebe in #​4620
• docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated test. by @​Itsnotaka in #​4618
• test: support alg option for JWT middleware by @​yusukebe in #​4624

New Contributors

• @​flathill404 made their first contribution in #​4607
• @​Itsnotaka made their first contribution in #​4618

Full Changelog: honojs/hono@v4.11.3...v4.11.4

vercel/next.js (next)

v16.1.2

Compare Source

colinhacks/zod (zod)

v4.3.5

Compare Source

Commits:

• 21afffd [Docs] Update migration guide docs for deprecation of message (#​5595)
• e36743e Improve mini treeshaking
• 0cdc0b8 4.3.5

---

Configuration

📅 Schedule: Branch creation - Only on Friday ( * * * * 5 ) in timezone Asia/Tokyo, Automerge - Only on Sunday through Thursday and Saturday ( * * * * 0-4,6 ) in timezone Asia/Tokyo.

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}