Contributions

40 PRs merged across 10 upstream repos. Plus a public patches repo with 54 patches: drop-in for Bun, npm, pnpm, and Yarn, plus source-only ones for CI, docs, and native code. I find the bug, file the upstream PR, and drop the patch into the repo so my projects, and anyone else hitting the same bug, can ship without waiting for the merge to land. When the fix lands in a release, I bump the dep and delete the patch. Every merged PR listed here shipped as a patch first.

Merged PRs

• expo/expo (19 PRs):
  • #46556 iOS accessibilityIdentifier modifier wrapping SwiftUI’s accessibilityIdentifier(_:). Sets a stable, machine-readable id that UI-testing tools like XCUITest read to locate a view, distinct from accessibilityLabel in that it’s not user-visible and exists purely for test targeting. Registers AccessibilityIdentifierModifier and exports accessibilityIdentifier(id). Merged, ships in the next @expo/ui release
  • #46540 iOS dynamicTypeSize modifier to set or clamp Dynamic Type within a view. A single size pins it, { min, max } bounds the range with either end optional. Caps how far text grows at the largest accessibility sizes for layout safety while still honoring Dynamic Type, and cascades from <Host> to every descendant. Bounds the textStyle scaling from #46007. Merged, ships in the next @expo/ui release
  • #46509 the font modifier dropped Dynamic Type scaling (relativeTo) and weight on concatenated <Text> runs, so font({ textStyle, weight }) scaled standalone but lost both once nested in another <Text>. Made FontModifier.resolveFont() non-private and routed the concatenation path through it so both resolve the identical Font. Completes #46007. Merged, ships in the next @expo/ui release
  • #46050 closed the fork-safety sweep. Gated 15 more workflows on github.repository == 'expo/expo' so fork CI stops red-checking nightly RN and test-suite jobs, hourly issue-maintenance crons, the GCP publish path in ios-prebuild-external-xcframeworks, and Slack-notify steps that reference org-only webhooks. Covers test-react-native-nightly, test-suite-nightly, lock, issue-stale, cli, create-expo-app, create-expo-module, fingerprint, sdk, ios-static-frameworks, bare-diffs, native-component-list, test-suite, test-suite-macos, and drops a redundant step-level repo check in development-client-latest-e2e. Finishes what #45782 and #45859 started
  • #46007 iOS font({ textStyle }) for Dynamic Type, wiring textStyle through to SwiftUI’s Font.system(_:design:) and Font.custom(_:size:relativeTo:) so @expo/ui text scales with the user’s preferred content size, the SwiftUI-native path for the Larger Text Accessibility Nutrition Label. All 11 Font.TextStyle cases, with extraLargeTitle and extraLargeTitle2 on iOS 17+. Shipped in 56.0.10
  • #45872 <Host modifiers={...}> was a silent no-op on iOS. HostProps extended CommonViewModifierProps and Host/index.tsx already forwarded modifiers to the native view, but the Swift HostViewProps never declared the field, so every typechecked modifier on Host did nothing. Adding the field plus one .applyModifiers(...) chain in HostView.body restored the entire registered modifier surface to Host in one shot. Shipped in 56.0.10
  • #45859 gated pull_request_target, issues, and label-event workflows on github.repository == 'expo/expo' so fork PRs stop red-checking on secret-gated jobs that can’t run. Covers 18 workflows including code-review, commentator, docs-pr, issue-triage, and sync-template. Sibling to #45782
  • #45782 made five auto-firing scheduled workflows fork-safe. Swapped ../expo/ (breaks on forks named anything but expo) for ${{ github.workspace }} and gated validate-npm-owners, check-issues-nightly, publish-canaries, and both development-client-e2e matrices on the repo check. Dropped failing checks and 120-minute fork CI burns
  • #45700 Alert component for @expo/ui wrapping SwiftUI’s iOS 15 .alert(_:isPresented:actions:message:), with Alert.Trigger, Alert.Actions, and optional Alert.Message slots. Mirrors ConfirmationDialog’s shape so isPresented bindings and Button actions compose the same way. Fills in the previously-stubbed iOS half. Shipped in 56.0.8
  • #45403 getPackageByName did a packages/<name>/package.json lookup, which misses for scoped packages whose dir name differs from the package name (@expo/ui lives at packages/expo-ui/, @expo/app-integrity at packages/expo-app-integrity/). On a miss, Workspace.getInfoAsync recorded empty workspacePeerDependencies for those packages, so updateWorkspaceProjects never rewrote workspace:* to the canary version, and the published canary tarballs shipped peerDependencies.expo: "workspace:*". bun add @expo/ui@canary errored with Workspace dependency "expo" not found and npm install @expo/ui@canary errored with EUNSUPPORTEDPROTOCOL. Fix keeps the existing path-based fast path and falls back to scanning cachedPackages by name field when the path lookup misses. Same root cause as #44412, different call site
  • #44652 scrollPosition and id modifiers (iOS 17+) binding a ScrollView’s leading target to JS via useNativeState and the worklet .value write path. Reading state.value returns the id of the leading target; writing scrolls to the matching view. The optional onChange callback fires on the JS thread when the leading target changes. id(string) marks views as scroll targets and works on ScrollView, LazyVStack, and LazyHStack. Built on the worklet infrastructure from #44214 and #44215. Deferred from #43955 per @intergalacticspacehighway
  • #44548 textContentType modifier wrapping SwiftUI’s textContentType(_:) with all 45 UITextContentType values. Wires @expo/ui TextField and SecureField into iOS keychain autofill for passwords, emails, addresses, credit cards, and OTP codes. Before this, @expo/ui text fields could not participate in iOS autofill at all. Includes #available guards for the iOS 17+ values (creditCardExpiration, birthdate, etc.) and iOS 17.4+ values (cellularEID, cellularIMEI)
  • #44547 textInputAutocapitalization modifier (iOS 15+) with all four TextInputAutocapitalization modes: never, words, sentences, characters. Before this, the only way to disable auto-capitalization on @expo/ui TextField was forcing keyboardType="ascii-capable", which changed the keyboard layout entirely. Username and email fields can now behave correctly without that workaround
  • #43958 PersistentFileLog.readEntries race condition where reads bypassed the serialQueue that guards every write. Caused flaky UpdatesLogReaderTests.PurgeOldLogs failures in expo-updates CI when a read executed before a queued write flushed to disk and returned entries1.count == 1 instead of 2. Fix wraps readEntries in serialQueue.sync so reads wait for pending writes. No deadlock risk because all callers are external to the queue
  • #43955 scrollTargetBehavior and scrollTargetLayout modifiers (iOS 17+) for paging and view-aligned scroll snapping in @expo/ui ScrollView. Brings SwiftUI’s snap-paging API to React Native through @expo/ui modifier composition with #available guards for iOS 17, tvOS 17, and macOS 14
  • #43923 defaultScrollAnchorForRole modifier (iOS 18+) wrapping the two-parameter defaultScrollAnchor(_:for:) overload. Lets you set independent scroll anchors per ScrollAnchorRole (initialOffset, sizeChanges, alignment), so a chat view can anchor to bottom globally but start at top via a per-role override. Also added null support to match Apple’s UnitPoint? signature and the missing @platform macos 14.0+ JSDoc to the single-arg version from #43914
  • #43914 defaultScrollAnchor modifier (iOS 17+) for controlling where a ScrollView or List starts. Removes the need for scaleEffect(y: -1) flips, reversed data arrays, and inverted scroll indicator hacks that chat UIs used to need. Reuses the existing UnitPointOptions enum and falls back to a no-op on iOS < 17
  • #43228 per-axis scaleEffect accepting { x, y } in addition to number. Backwards-compatible: scaleEffect(0.5) still normalizes to { x: 0.5, y: 0.5 } in the TS layer before hitting native
  • #43158 ClipShapeModifier and MaskModifier were silently rendering Rectangle for any shape other than circle or roundedRectangle because they used a raw String field instead of the ShapeType enum from #40748. Every other shape modifier (BackgroundModifier, ContainerShapeModifier, ContentShapeModifier, GlassEffectModifier) already used ShapeType. Switched both to exhaustive ShapeType switching with no default fallthrough, added roundedCornerStyle and cornerSize fields, and unblocked capsule and ellipse in clipShape() and mask()
• get-convex/better-auth (5 PRs):
  • #218 four bugs causing stale auth state and incorrect isAuthenticated values. (1) getCookie() parsed cookies from JSON, which turned expires into a string. Comparing string < new Date() coerced the Date to a number and the string to NaN, and NaN < anything is always false, so expired cookies were never filtered out. (2) Cookies persisted after /get-session returned null, so combined with bug 1, stale credentials shipped indefinitely. (3) Sign-out stored "{}" in localCacheName and JSON.parse("{}") returns truthy {}, breaking if (sessionData) checks. Fix stores "null" so JSON.parse("null") returns null. (4) isAuthenticated was session !== null, which returned true for {} (from bug 3) and undefined during loading edges. Fix uses Boolean(session?.session)
  • #245 widened the better-auth peer dep from exact 1.4.9 to >=1.4.9 <1.5.0 after verifying every import path is stable across 1.4.9 through 1.4.18. Explicitly excludes 1.5.0, which moved createAuthEndpoint and createAuthMiddleware from better-auth/plugins to better-auth/api, removed the better-auth/adapters/test export path, and deleted runAdapterTest entirely
  • #267 concurrent fetchAccessToken dedup with useRef. On page load, sessionId transitions from undefined to a value, which creates a new fetchAccessToken reference and triggers ConvexProviderWithAuth to call setAuth() again while the first request is still in-flight. React 18 StrictMode doubles this in dev. Each /convex/token call hits the DB for session middleware and runs JWT signing, so N concurrent calls meant N redundant round-trips with only one result used. Fix stores the in-flight promise in a useRef so concurrent callers share it, with forceRefreshToken: true bypassing the guard and .finally() clearing the ref after resolution. Closes #219, likely reduces the action count reported in #186
  • #278 removed the dead react-dom peer dep declaration. Zero imports of react-dom, ReactDOM, createRoot, hydrateRoot, flushSync, or createPortal across all 32 files in src/. None of the exports (/react, /nextjs, /react-start) touch it. The declaration was generating peer dep warnings in bun and pnpm projects that don’t use react-dom
  • #323 migrated @convex-dev/better-auth to better-auth 1.6.7+, fixing five runtime breaks across the 1.6.x line in one rebase. Where.mode folding (1.6.0): CleanedWhere = Required<Where> forced the new field onto every adapter call, so adapterWhereValidator and per-table validators threw ArgumentValidationError on bump. Fix accepts mode in validators, case-folds eq/ne/in/not_in/contains/starts_with/ends_with in filterByWhere, and excludes insensitive clauses from findIndex and paginate fast-paths since Convex indexes are byte-compared. shouldReturnResponse flip (1.6.0, commit 8304f65): to-auth-endpoints.ts defaults to a Response when context carries a Request, so internal endpoint calls from cross-domain hooks returned a Response instead of a parsed object, JWT cookies got the literal string "undefined", and setSessionCookie crashed. Fix passes asResponse: false at all 7 internal call sites with regression tests that pre-set the flags to true so dropping the override fails the assertion. twoFactor.verified (1.6.2, #8711): new schema column the Convex validator rejected. parseSetCookieHeader: deleted the 34-line local copy in cross-domain/client.ts that split on ", " and shattered Expires=Wed, 21 Oct 2015 07:28:00 GMT into four garbage cookies, re-exported from better-auth/cookies. ./instrumentation (1.6.6, #9111): peer floor raised to 1.6.7 where #9281 routes the dynamic import("@opentelemetry/api") to a noop on browser and edge conditions, fixing Convex V8 isolate’s synchronous bare-specifier rejection. Shipped in @convex-dev/better-auth@0.12.0
• shadcn-ui/ui (5 PRs):
  • #10396 added the TanStack Start dark mode guide to the official shadcn docs, the fifth framework-specific guide after Next.js, Vite, Astro, and Remix. The canonical pattern was scattered across Discord threads and three stale PRs with different tradeoffs: #7173 (cookies, no system mode), #7490 (cookies, conditional ScriptOnce), and #9096 (wrapped tanstack-theme-kit as a runtime dep). Pattern: ScriptOnce from @tanstack/react-router for the pre-hydration inline script, a React context for post-hydration state, suppressHydrationWarning on <html>, document.documentElement.style.colorScheme so native UI respects the theme, and a prefers-color-scheme listener for system mode. In review, @shadcn refactored the inline script string into a getThemeScript(storageKey, defaultTheme) function so custom provider props reach the pre-hydration pass, extracted the class-swap into an applyTheme helper, and added a mounted gate so the inline script’s work isn’t overwritten on first mount
  • #10369 notFoundComponent on the Start root route in the start-app and start-monorepo templates. Silences the TanStack Router warning that fires on first load from phantom requests hitting /favicon.ico and Chrome DevTools’ /.well-known/appspecific/com.chrome.devtools.json when neither notFoundComponent nor defaultNotFoundComponent is configured. JSX shape matches the existing 404 ErrorBoundary pattern from templates/react-router-app and templates/react-router-monorepo (same container mx-auto p-4 pt-16 wrapper, same “404” heading and “The requested page could not be found.” copy) so the ten-template suite stays consistent
  • #10337 fixed llms.txt 404s and backfilled missing routes so LLM crawlers can index the full docs site
  • #9484 raw <ComponentsList /> tag leaking into copy-to-markdown output on component pages
  • #9331 registered the @ramonclaudio-coderabbit shadcn registry in the official open source directory after #8892 asked for it. Adds entries to apps/v4/public/r/registries.json and apps/v4/registry/directory.json so the registry is discoverable through the shadcn CLI. The registry itself ships a framework-agnostic CodeRabbit API client, pluggable storage adapters (LocalStorage, Convex, Supabase, PostgreSQL, MySQL), and React components for generating developer activity reports
• better-auth/better-auth (3 PRs):
  • #9281 serve a noop ./instrumentation via conditional exports for browser and edge runtimes, matching the shape ./async_hooks already uses. The dynamic import("@opentelemetry/api") in packages/core/src/instrumentation/api.ts threw synchronously on runtimes like Convex’s V8 isolate (bare specifiers rejected at resolve time via deno_core::resolve_import), so the .catch() in getOpenTelemetryAPI never ran and every withSpan call through to-auth-endpoints.ts and with-hooks.ts surfaced an uncaught error. The breaking pattern landed in #9111 and shipped in v1.6.6. @opentelemetry/api itself ships a noop proxy when no SDK is registered, so this is about dynamic-import-probe portability, not OTel runtime support. Unblocks the 1.6 migration for @convex-dev/better-auth consumers
  • #9087 add /change-password and /revoke-other-sessions to the atomListeners matcher so $sessionSignal fires after session-rotating endpoints. Without this, callers like useSession() kept returning stale session data after password changes because the client never re-fetched. Companion to get-convex/better-auth#329 which invalidates the Convex adapter’s cached JWT on the same events
  • #9072 incorrect operationId in the password reset callback endpoint, plus forget to forgot cleanup across demo apps and tests
• withastro/compiler-rs (2 PRs):
  • #25 real fix for the @astrojs/compiler-rs GLIBC_2.35 issue. #22 added -x to the linux-gnu builds hoping zigbuild would pin glibc, but zigbuild without an explicit suffix falls back to zig’s per-arch baseline (GLIBC_2.35 on x86_64, GLIBC_2.30 on aarch64 for zig 0.15), so the shipped 0.1.7 binary still couldn’t load on Vercel (glibc 2.34), Amazon Linux 2023, AWS Lambda, RHEL/CentOS 7, or Debian 10. Switched both gnu targets to --use-napi-cross, which downloads @napi-rs/cross-toolchain with a sysroot pinned to glibc 2.17. Matches the pattern used by oxc, @swc/core, @napi-rs/canvas, lightningcss, and the official @napi-rs/package-template. Verified on a fork CI run plus a Vercel preview deploy with experimental.rustCompiler: true, both objdump -T showing GLIBC_2.16 max on x64 and GLIBC_2.17 on arm64. Shipped in @astrojs/compiler-rs@0.1.8
  • #22 first-attempt glibc compat fix, added -x to x86_64-unknown-linux-gnu. Turned out to be insufficient, superseded by #25
• napi-rs/napi-rs (1 PR): #3189 cross-compile regression in the v3 CLI rewrite. When --cross-compile / -x was passed for a linux or darwin target, pickBinary() in cli/src/api/build.ts skipped cargo-zigbuild if host platform, arch, and abi matched target, logged a warning, then silently fell through to cargo build. The whole point of --cross-compile on a native build is to pin a lower glibc via zig’s linker. Without it, building x86_64-unknown-linux-gnu on ubuntu-latest (glibc 2.39) produced binaries incompatible with glibc < 2.35 systems like Amazon Linux 2023 (glibc 2.34) and Vercel’s build container. v2 had this fix in #1432 (resolving #1430) but it wasn’t carried over during the v3 rewrite in #1492. Fix removes the platform-match conditions in the else branch of pickBinary() so --cross-compile always uses cargo-zigbuild for non-Windows targets
• oven-sh/bun (1 PR): #21855 added the decompress property to the BunFetchRequestInit interface with JSDoc documentation. The option already worked at runtime in Bun’s fetch(), but TypeScript users had to @ts-ignore it on every call to disable response decompression. Now it’s a first-class typed option, no escape hatch required
• fuma-nama/fumadocs (2 PRs):
  • #2092 fixed the TanStack Start template in create-fumadocs-app. Wired the vite-react plugin with the required customViteReactPlugin: true flag, configured a custom NotFound component for TanStack Router, and bumped deps to current versions. Resolved four issues at once: TanStack Start vite-react plugin warning, missing custom 404 component warning, module resolution errors during client-side navigation, and React hydration errors caused by useMemo null references that flashed errors mid-route-change
  • #2095 prettier formatting fix that unblocked the changesets release PR #2093 for create-fumadocs-app@15.7.0. The release PR was stuck on a formatting check, so I ran the formatter and shipped the diff so the release could go out
• rorkai/App-Store-Connect-CLI (1 PR): #784 Mac App Store screenshot support for the asc CLI. New --provider macos grabs the frontmost window of a running macOS app by bundle ID using screencapture -l <windowID>, where the window ID comes from a Swift one-liner piped to swift - via CGWindowListCopyWindowInfo, without cgo or extra binaries. New --device mac renders to the 2880x1800 APP_DESKTOP canvas without a device bezel, with optional title, subtitle, and background color overlays. Also fixed ASC_TIMEOUT being silently ignored for screenshots capture and screenshots frame, both now use ContextWithTimeout
• TanStack/db (1 PR): #17 corrected the stale README link to the example todo app, repointing it at examples/react/todo. Tiny fix, but it was the first thing I clicked when I landed on the repo and it 404’d. Was PR #17 in the repo, early days

Patches

Drop-in for Bun, npm, pnpm, and Yarn. Source-only patches for CI, docs, and native code apply with git apply.

Open

PRs still awaiting upstream merge.

• @expo/ui 56.0.15: Add the iOS accessibilityHidden modifier wrapping SwiftUI’s accessibilityHidden(_:), hiding decorative views (hero icons, imagery already described by adjacent text) from VoiceOver traversal. Registers AccessibilityHiddenModifier and exports accessibilityHidden(hidden?), defaulting to true. expo/expo#46579
• react-native 0.85.3: Set :always_out_of_date on hermes-engine.podspec’s Replace Hermes script phase so Xcode stops warning that it runs every build without declaring outputs. Matches the guard already on the sibling Replace X phases, while the phase still swaps the prebuilt Hermes binary per $CONFIGURATION. facebook/react-native#56912
• hermes: Cherry-pick 18a9634659 onto the 250829098.0.0-stable branch RN 0.85 ships. genObjectExpr passed nullptr as the home object for object-literal getters and setters, so super.x inside an accessor compiled against a null home object and SIGSEGV’d hermesc at compile time. Routes accessors through the same capturedObj path regular methods already use. Source fix for one of the Hermes V1 codegen bugs babel-preset-expo works around, root cause facebook/hermes#1761. facebook/hermes#2045
• hermes: Cherry-pick 1e94fbe0eb onto 250829098.0.0-stable. A finally block emits its body twice, and on the second pass legacy class compilation built fresh internal Variables while cached functions reached via findCompiledEntity still pointed at the originals, miscompiling any class declared in finally. Caches them in a LegacyClassVars struct keyed by the class AST node and emits private-brand stores unconditionally. Source fix for the class-in-finally half of facebook/hermes#1761. facebook/hermes#2046
• hermes: Swap the hardcoded hermes source dir for ${{ github.event.repository.name }} in the test-linux-armv7 job’s cmake -S and test_runner.py paths. The job runs actions/checkout@v1 without path: (v4 breaks in the arm32 container), so the checkout dir takes the repo name and the job fails on any fork not named hermes. Unchanged upstream. facebook/hermes#2047
• bun 1.3.14: Fix bun add X@version being silently ignored when X is a same-name peerDependency, leaving bun.lock and node_modules pinned to the peer’s first-resolved version. The order-dependent peer early-match in get_or_put_resolved_package is dropped so peers flow through find_best_version, with dedup moved to Tree::hoist_dependency where placement is deterministic. oven-sh/bun#30855
• @convex-dev/better-auth 0.12.2: Wrap the fetchAccessToken body in an explicit new Promise(executor) so useConvexAuth().isAuthenticated flips after sign-in on Hermes V1. The async arrow with non-simple params hit a Hermes native bug (facebook/hermes#1761) that the SDK 56 canary exposed when it dropped @babel/plugin-transform-async-to-generator, leaving the Convex auth bridge paused even after the JWT landed. get-convex/better-auth#368
• @convex-dev/better-auth 0.12.2: Clear the cached JWT when sessionId changes, not just on logout, so the first fetchAccessToken after a session rotation stops returning a token for the deleted session. cachedToken is backed by a ref the fetcher reads inline, with a promise-identity guard blocking a late stale token() fetch from clobbering a fresh value. get-convex/better-auth#329
• better-auth 1.6.11: Stop changePassword({ revokeOtherSessions: true }) from rotating the caller’s own session, which left cached JWTs pointing at a deleted session id and broke the revokeOtherSessions contract. Adds internalAdapter.deleteOtherSessions(userId, exceptToken) and routes both /change-password and /revoke-other-sessions through it. better-auth/better-auth#9345
• @hugeicons/react 1.1.6: Add an ambient declaration for @hugeicons/core-free-icons/* subpath imports typed as IconSvgElement, auto-loaded via a triple-slash reference in src/index.ts. The package advertises "./*" exports but ships only the barrel index.d.ts, so subpaths resolve at runtime yet fail typechecking under node16, nodenext, and bundler, forcing the 6.2 MB barrel instead of the 33 KB you use. hugeicons/react#5
• shadcn 4.7.0: Strip C0 control characters (0x00-0x1F) and DEL (0x7F) from prompts text input via a wrapper every command routes through. On macOS, Cmd+Delete to clear the default name sends Ctrl+U (\x15), which prompts inserts as a literal byte and turns into names like \x15my-app. shadcn-ui/ui#10364
• bun 1.3.13: Switch the labels input in update-root-certs.yml from a YAML sequence to the pipe-delimited string peter-evans/create-pull-request expects. The sequence form made GitHub Actions reject the workflow with A sequence was not expected on every push. oven-sh/bun#27086

Merged, awaiting release

PR merged upstream, patch still live until the fix ships in a published release.

• @expo/ui 56.0.15: Add the iOS accessibilityIdentifier modifier wrapping SwiftUI’s accessibilityIdentifier(_:), a stable machine-readable id that UI-testing tools like XCUITest read to locate a view. Not user-visible, purely for test targeting, distinct from accessibilityLabel. expo/expo#46556
• @expo/ui 56.0.15: Add the SwiftUI dynamicTypeSize modifier to set or clamp Dynamic Type within a view, a single size or a { min, max } range, cascading from <Host> to bound how far text scales at the largest accessibility sizes. expo/expo#46540
• @expo/ui 56.0.15: Resolve the font modifier on the Text-concatenation path so concatenated <Text> runs keep relativeTo (Dynamic Type) and weight. FontModifier.resolveFont() is now shared by the view and concatenation paths instead of a fixed-size Font.custom that dropped both. expo/expo#46509

Dropped

PR merged, patch deleted, dep bumped.

• expo fork CI:
  • Make five auto-firing scheduled workflows fork-safe by swapping ../expo/ paths for ${{ github.workspace }} and gating org-maintenance jobs behind if: github.repository == 'expo/expo'. The relative path only resolved when the checkout dir was named expo, so differently named forks hit No such file or directory, while the gated jobs read secrets like NPM_TOKEN_READ_ONLY that forks cannot see. #45782
  • Gate the pull_request_target, issues, and label workflows behind the same repo check so they skip cleanly on forks instead of sitting red. Covers code-review, commentator, docs, the issue-triage jobs, and the labelers, each reading an org-only secret or bot token. #45859
  • Gate the remaining nightly artifact tests, hourly issue crons, the GCP publish path in ios-prebuild-external-xcframeworks, and Slack-notify steps to finish the sweep. github.repository is a built-in context, so every guard is true upstream and skips the job or step on forks. #46050
• @expo/ui 56.0.9 -> 56.0.10: Add an optional textStyle field to the font modifier so text scales with iOS Dynamic Type, accepting the 11 Font.TextStyle cases. It routes through Font.system(_:design:) and Font.custom(_:size:relativeTo:), the SwiftUI-native path for Apple’s Larger Text criteria, while fixed-size fonts stay unchanged. #46007
• @expo/ui 56.0.8 -> 56.0.10: Declare the modifiers field on Swift’s HostViewProps and chain .applyModifiers(...) in HostView.body so <Host modifiers={...}> stops getting dropped on iOS. The TS side already forwarded the prop, so one field plus one chain routes Host through the same ViewModifierRegistry dispatch as UIBaseView, restoring the full registered modifier set. #45872
• @expo/ui 56.0.0-canary-20260506-03817f5 -> 56.0.8: Add an Alert component for @expo/ui/swift-ui wrapping iOS 15’s .alert(_:isPresented:actions:message:) with a Trigger/Actions/Message slot model mirroring ConfirmationDialog. Two-way isPresented binding runs through EventDispatcher with a props.isPresented != newValue guard so SwiftUI’s auto-dismiss fires the change exactly once. #45700
• expo canary-20260506-964f25d: Resolve scoped packages by their name field when the packages/<name> path lookup misses, so @expo/ui (at packages/expo-ui/) and @expo/app-integrity get their workspacePeerDependencies recorded. The miss left peerDependencies.expo shipping as workspace:* in canary tarballs and breaking bun install and npm install, the same root cause as #44412 at a call site its fix never reached. #45403
• better-auth 1.6.2 -> 1.6.5: Add /change-password and /revoke-other-sessions to the default atomListeners matcher. /change-password with revokeOtherSessions: true rotates the caller’s session but was missing from the matcher, so $sessionSignal never flipped and useSession() served the stale session until the next focus, poll, or reload. #9087
• @expo/ui 56.0.0-canary-20260212-4f61309 -> 56.0.0-canary-20260305-5163746:
  • Switch ClipShapeModifier and MaskModifier from a raw String field to the ShapeType enum with an exhaustive switch over all five cases. Both silently fell through to Rectangle() for capsule and ellipse, so clipShape("capsule") rendered a rectangle with no error after ShapeType landed in #40748. #43158
  • Let scaleEffect take { x, y } for per-axis scaling, not just a single number. The TS layer normalizes a bare number to { x, y } so existing scaleEffect(0.5) calls keep working, and the Swift vars pass straight to content.scaleEffect(x:y:), which unlocks a vertically flipped inverted List. #43228
• @expo/ui 56.0.0-canary-20260212-4f61309 -> 56.0.0-canary-20260401-5e87ef7:
  • Add a defaultScrollAnchor modifier wrapping SwiftUI’s .defaultScrollAnchor(_:) on iOS 17+. A ScrollView can start pinned to bottom without a scaleEffect(y: -1) flip or reversed data, reusing the existing UnitPointOptions enum and falling back to a no-op below iOS 17. #43914
  • Add a defaultScrollAnchorForRole modifier wrapping the two-parameter .defaultScrollAnchor(_:for:) on iOS 18+, with a ScrollAnchorRole of initialOffset, sizeChanges, or alignment. Each role anchor is set independently and null opts out, matching Apple’s UnitPoint? signature, which also adds null support back to defaultScrollAnchor. #43923
• @expo/ui 56.0.0-canary-20260212-4f61309 -> 56.0.0-canary-20260409-6fc2991:
  • Add scrollTargetBehavior for paging or viewAligned snapping and scrollTargetLayout to mark the snap target, both guarded for iOS 17+. scrollTargetLayout moves from a stack prop to a modifier to match SwiftUI, while scroll position state and callbacks stay deferred pending worklet support in #44214. #43955
  • Add a textInputAutocapitalization modifier on iOS 15+ with never, words, sentences, and characters modes. Before this there was no way to disable autocapitalization on TextField short of keyboardType="ascii-capable", which also swaps the keyboard layout. #44547
  • Add a textContentType modifier on iOS 13+ mapping all 45 UITextContentType values so fields join keychain autofill for passwords, emails, addresses, and OTP codes. The iOS 17+ and 17.4+ values carry #available guards, since without the modifier a TextField cannot participate in autofill at all. #44548
• expo-modules-core 56.0.0-canary-20260212-4f61309 -> 56.0.0-canary-20260402-87c5ce2: Wrap PersistentFileLog.readEntries in serialQueue.sync so reads wait for queued writes instead of bypassing the serial queue that guards every write. The race made UpdatesLogReaderTests.PurgeOldLogs flaky when a read ran before a pending write hit disk, with no deadlock risk since all callers sit outside the queue. #43958
• @convex-dev/better-auth 0.10.10 -> 0.10.11:
  • Fix four bugs that left stale credentials in storage and reported wrong isAuthenticated values after a session expired. getCookie() compared a JSON.parse’d expires string against a Date (always NaN), sign-out stored truthy "{}" instead of "null", and isAuthenticated now reads Boolean(session?.session). #218
  • Widen the better-auth peer range from exact 1.4.9 to >=1.4.9 <1.5.0, covering the whole 1.4.x line. Caps below 1.5.0, which moves createAuthEndpoint and createAuthMiddleware out of better-auth/plugins, drops the adapters/test path, and deletes runAdapterTest. #245
• @convex-dev/better-auth 0.10.11 -> 0.10.12: Share one in-flight token() promise across concurrent fetchAccessToken callers instead of firing a separate /convex/token request for each. A pendingTokenRef holds the promise and clears in .finally(), so the sessionId transition and React 18 StrictMode double-invoke no longer trigger N redundant session-middleware and JWT-signing round-trips. #267
• @convex-dev/better-auth 0.10.12 -> 0.10.13: Drop react-dom from peerDependencies. No file under src/ imports react-dom, createRoot, hydrateRoot, flushSync, or createPortal, so the dead entry only produced peer warnings in bun and pnpm projects that never pull it in. #278
• @convex-dev/better-auth 0.11.5 -> 0.12.0: Raise the better-auth peer floor to >=1.6.7 <1.7.0 and fix five runtime breaks the 1.6 line introduces. Adapter validators accept the Where.mode field, internal endpoint calls pass asResponse: false so tokens stop becoming the string "undefined", the twoFactor table gains verified, parseSetCookieHeader delegates to better-auth/cookies, and ./instrumentation resolves to a noop Convex’s V8 isolate can load. #323
• bun 1.2.20 -> 1.2.21: Add the decompress property to the BunFetchRequestInit interface so decompress: false type-checks without a @ts-ignore. The option already worked at runtime, so this only closes the gap between behavior and the published types. #21855
• create-fumadocs-app 15.6.4 -> 15.6.5:
  • Wire @vitejs/plugin-react into the tanstack-start template vite.config.ts and set defaultNotFoundComponent to a new NotFound component. Clears the vite-react plugin and missing-404 warnings plus the hydration and module-resolution errors that flashed during client-side navigation. #2092
  • Reflow the NotFound.tsx paragraph text to satisfy Prettier line length. The unformatted file failed the format check and blocked the changesets release PR #2093. #2095