Contributions

31 PRs merged across 10 upstream repos. Plus a public patches repo with 88 drop-in fixes for Bun, npm, and pnpm. I find the bug, file the upstream PR, and drop the patch into the repo so my projects, and anyone else hitting the same bug, can ship without waiting for the merge to land. When the fix lands in a release, I bump the dep and delete the patch. Every merged PR listed here shipped as a patch first.

Merged PRs

• expo/expo (10 PRs):
  • #45403 getPackageByName did a packages/<name>/package.json lookup, which misses for scoped packages whose dir name differs from the package name (@expo/ui lives at packages/expo-ui/, @expo/app-integrity at packages/expo-app-integrity/). On a miss, Workspace.getInfoAsync recorded empty workspacePeerDependencies for those packages, so updateWorkspaceProjects never rewrote workspace:* to the canary version, and the published canary tarballs shipped peerDependencies.expo: "workspace:*". bun add @expo/ui@canary errored with Workspace dependency "expo" not found and npm install @expo/ui@canary errored with EUNSUPPORTEDPROTOCOL. Fix keeps the existing path-based fast path and falls back to scanning cachedPackages by name field when the path lookup misses. Same root cause as #44412, different call site
  • #44652 scrollPosition and id modifiers (iOS 17+) binding a ScrollView’s leading target to JS via useNativeState and the worklet .value write path. Reading state.value returns the id of the leading target; writing scrolls to the matching view. The optional onChange callback fires on the JS thread when the leading target changes. id(string) marks views as scroll targets and works on ScrollView, LazyVStack, and LazyHStack. Built on the worklet infrastructure from #44214 and #44215. Deferred from #43955 per @intergalacticspacehighway
  • #44548 textContentType modifier wrapping SwiftUI’s textContentType(_:) with all 45 UITextContentType values. Wires @expo/ui TextField and SecureField into iOS keychain autofill for passwords, emails, addresses, credit cards, and OTP codes. Before this, @expo/ui text fields could not participate in iOS autofill at all. Includes #available guards for the iOS 17+ values (creditCardExpiration, birthdate, etc.) and iOS 17.4+ values (cellularEID, cellularIMEI)
  • #44547 textInputAutocapitalization modifier (iOS 15+) with all four TextInputAutocapitalization modes: never, words, sentences, characters. Before this, the only way to disable auto-capitalization on @expo/ui TextField was forcing keyboardType="ascii-capable", which changed the keyboard layout entirely. Username and email fields can now behave correctly without that workaround
  • #43958 PersistentFileLog.readEntries race condition where reads bypassed the serialQueue that guards every write. Caused flaky UpdatesLogReaderTests.PurgeOldLogs failures in expo-updates CI when a read executed before a queued write flushed to disk and returned entries1.count == 1 instead of 2. Fix wraps readEntries in serialQueue.sync so reads wait for pending writes. No deadlock risk because all callers are external to the queue
  • #43955 scrollTargetBehavior and scrollTargetLayout modifiers (iOS 17+) for paging and view-aligned scroll snapping in @expo/ui ScrollView. Brings SwiftUI’s snap-paging API to React Native through @expo/ui modifier composition with #available guards for iOS 17, tvOS 17, and macOS 14
  • #43923 defaultScrollAnchorForRole modifier (iOS 18+) wrapping the two-parameter defaultScrollAnchor(_:for:) overload. Lets you set independent scroll anchors per ScrollAnchorRole (initialOffset, sizeChanges, alignment), so a chat view can anchor to bottom globally but start at top via a per-role override. Also added null support to match Apple’s UnitPoint? signature and the missing @platform macos 14.0+ JSDoc to the single-arg version from #43914
  • #43914 defaultScrollAnchor modifier (iOS 17+) for controlling where a ScrollView or List starts. Removes the need for scaleEffect(y: -1) flips, reversed data arrays, and inverted scroll indicator hacks that chat UIs used to need. Reuses the existing UnitPointOptions enum and falls back to a no-op on iOS < 17
  • #43228 per-axis scaleEffect accepting { x, y } in addition to number. Backwards-compatible: scaleEffect(0.5) still normalizes to { x: 0.5, y: 0.5 } in the TS layer before hitting native
  • #43158 ClipShapeModifier and MaskModifier were silently rendering Rectangle for any shape other than circle or roundedRectangle because they used a raw String field instead of the ShapeType enum from #40748. Every other shape modifier (BackgroundModifier, ContainerShapeModifier, ContentShapeModifier, GlassEffectModifier) already used ShapeType. Switched both to exhaustive ShapeType switching with no default fallthrough, added roundedCornerStyle and cornerSize fields, and unblocked capsule and ellipse in clipShape() and mask()
• get-convex/better-auth (5 PRs):
  • #218 four bugs causing stale auth state and incorrect isAuthenticated values. (1) getCookie() parsed cookies from JSON, which turned expires into a string. Comparing string < new Date() coerced the Date to a number and the string to NaN, and NaN < anything is always false, so expired cookies were never filtered out. (2) Cookies persisted after /get-session returned null, so combined with bug 1, stale credentials shipped indefinitely. (3) Sign-out stored "{}" in localCacheName and JSON.parse("{}") returns truthy {}, breaking if (sessionData) checks. Fix stores "null" so JSON.parse("null") returns null. (4) isAuthenticated was session !== null, which returned true for {} (from bug 3) and undefined during loading edges. Fix uses Boolean(session?.session)
  • #245 widened the better-auth peer dep from exact 1.4.9 to >=1.4.9 <1.5.0 after verifying every import path is stable across 1.4.9 through 1.4.18. Explicitly excludes 1.5.0, which moved createAuthEndpoint and createAuthMiddleware from better-auth/plugins to better-auth/api, removed the better-auth/adapters/test export path, and deleted runAdapterTest entirely
  • #267 concurrent fetchAccessToken dedup with useRef. On page load, sessionId transitions from undefined to a value, which creates a new fetchAccessToken reference and triggers ConvexProviderWithAuth to call setAuth() again while the first request is still in-flight. React 18 StrictMode doubles this in dev. Each /convex/token call hits the DB for session middleware and runs JWT signing, so N concurrent calls meant N redundant round-trips with only one result used. Fix stores the in-flight promise in a useRef so concurrent callers share it, with forceRefreshToken: true bypassing the guard and .finally() clearing the ref after resolution. Closes #219, likely reduces the action count reported in #186
  • #278 removed the dead react-dom peer dep declaration. Zero imports of react-dom, ReactDOM, createRoot, hydrateRoot, flushSync, or createPortal across all 32 files in src/. None of the exports (/react, /nextjs, /react-start) touch it. The declaration was generating peer dep warnings in bun and pnpm projects that don’t use react-dom
  • #323 migrated @convex-dev/better-auth to better-auth 1.6.7+, fixing five runtime breaks across the 1.6.x line in one rebase. Where.mode folding (1.6.0): CleanedWhere = Required<Where> forced the new field onto every adapter call, so adapterWhereValidator and per-table validators threw ArgumentValidationError on bump. Fix accepts mode in validators, case-folds eq/ne/in/not_in/contains/starts_with/ends_with in filterByWhere, and excludes insensitive clauses from findIndex and paginate fast-paths since Convex indexes are byte-compared. shouldReturnResponse flip (1.6.0, commit 8304f65): to-auth-endpoints.ts defaults to a Response when context carries a Request, so internal endpoint calls from cross-domain hooks returned a Response instead of a parsed object, JWT cookies got the literal string "undefined", and setSessionCookie crashed. Fix passes asResponse: false at all 7 internal call sites with regression tests that pre-set the flags to true so dropping the override fails the assertion. twoFactor.verified (1.6.2, #8711): new schema column the Convex validator rejected. parseSetCookieHeader: deleted the 34-line local copy in cross-domain/client.ts that split on ", " and shattered Expires=Wed, 21 Oct 2015 07:28:00 GMT into four garbage cookies, re-exported from better-auth/cookies. ./instrumentation (1.6.6, #9111): peer floor raised to 1.6.7 where #9281 routes the dynamic import("@opentelemetry/api") to a noop on browser and edge conditions, fixing Convex V8 isolate’s synchronous bare-specifier rejection. Shipped in @convex-dev/better-auth@0.12.0
• shadcn-ui/ui (5 PRs):
  • #10396 added the TanStack Start dark mode guide to the official shadcn docs, the fifth framework-specific guide after Next.js, Vite, Astro, and Remix. The canonical pattern was scattered across Discord threads and three stale PRs with different tradeoffs: #7173 (cookies, no system mode), #7490 (cookies, conditional ScriptOnce), and #9096 (wrapped tanstack-theme-kit as a runtime dep). Pattern: ScriptOnce from @tanstack/react-router for the pre-hydration inline script, a React context for post-hydration state, suppressHydrationWarning on <html>, document.documentElement.style.colorScheme so native UI respects the theme, and a prefers-color-scheme listener for system mode. In review, @shadcn refactored the inline script string into a getThemeScript(storageKey, defaultTheme) function so custom provider props reach the pre-hydration pass, extracted the class-swap into an applyTheme helper, and added a mounted gate so the inline script’s work isn’t overwritten on first mount
  • #10369 notFoundComponent on the Start root route in the start-app and start-monorepo templates. Silences the TanStack Router warning that fires on first load from phantom requests hitting /favicon.ico and Chrome DevTools’ /.well-known/appspecific/com.chrome.devtools.json when neither notFoundComponent nor defaultNotFoundComponent is configured. JSX shape matches the existing 404 ErrorBoundary pattern from templates/react-router-app and templates/react-router-monorepo (same container mx-auto p-4 pt-16 wrapper, same “404” heading and “The requested page could not be found.” copy) so the ten-template suite stays consistent
  • #10337 fixed llms.txt 404s and backfilled missing routes so LLM crawlers can index the full docs site
  • #9484 raw <ComponentsList /> tag leaking into copy-to-markdown output on component pages
  • #9331 registered the @ramonclaudio-coderabbit shadcn registry in the official open source directory after #8892 asked for it. Adds entries to apps/v4/public/r/registries.json and apps/v4/registry/directory.json so the registry is discoverable through the shadcn CLI. The registry itself ships a framework-agnostic CodeRabbit API client, pluggable storage adapters (LocalStorage, Convex, Supabase, PostgreSQL, MySQL), and React components for generating developer activity reports
• better-auth/better-auth (3 PRs):
  • #9281 serve a noop ./instrumentation via conditional exports for browser and edge runtimes, matching the shape ./async_hooks already uses. The dynamic import("@opentelemetry/api") in packages/core/src/instrumentation/api.ts threw synchronously on runtimes like Convex’s V8 isolate (bare specifiers rejected at resolve time via deno_core::resolve_import), so the .catch() in getOpenTelemetryAPI never ran and every withSpan call through to-auth-endpoints.ts and with-hooks.ts surfaced an uncaught error. The breaking pattern landed in #9111 and shipped in v1.6.6. @opentelemetry/api itself ships a noop proxy when no SDK is registered, so this is about dynamic-import-probe portability, not OTel runtime support. Unblocks the 1.6 migration for @convex-dev/better-auth consumers
  • #9087 add /change-password and /revoke-other-sessions to the atomListeners matcher so $sessionSignal fires after session-rotating endpoints. Without this, callers like useSession() kept returning stale session data after password changes because the client never re-fetched. Companion to get-convex/better-auth#329 which invalidates the Convex adapter’s cached JWT on the same events
  • #9072 incorrect operationId in the password reset callback endpoint, plus forget to forgot cleanup across demo apps and tests
• withastro/compiler-rs (2 PRs):
  • #25 real fix for the @astrojs/compiler-rs GLIBC_2.35 issue. #22 added -x to the linux-gnu builds hoping zigbuild would pin glibc, but zigbuild without an explicit suffix falls back to zig’s per-arch baseline (GLIBC_2.35 on x86_64, GLIBC_2.30 on aarch64 for zig 0.15), so the shipped 0.1.7 binary still couldn’t load on Vercel (glibc 2.34), Amazon Linux 2023, AWS Lambda, RHEL/CentOS 7, or Debian 10. Switched both gnu targets to --use-napi-cross, which downloads @napi-rs/cross-toolchain with a sysroot pinned to glibc 2.17. Matches the pattern used by oxc, @swc/core, @napi-rs/canvas, lightningcss, and the official @napi-rs/package-template. Verified on a fork CI run plus a Vercel preview deploy with experimental.rustCompiler: true, both objdump -T showing GLIBC_2.16 max on x64 and GLIBC_2.17 on arm64. Shipped in @astrojs/compiler-rs@0.1.8
  • #22 first-attempt glibc compat fix, added -x to x86_64-unknown-linux-gnu. Turned out to be insufficient, superseded by #25
• napi-rs/napi-rs (1 PR): #3189 cross-compile regression in the v3 CLI rewrite. When --cross-compile / -x was passed for a linux or darwin target, pickBinary() in cli/src/api/build.ts skipped cargo-zigbuild if host platform, arch, and abi matched target, logged a warning, then silently fell through to cargo build. The whole point of --cross-compile on a native build is to pin a lower glibc via zig’s linker. Without it, building x86_64-unknown-linux-gnu on ubuntu-latest (glibc 2.39) produced binaries incompatible with glibc < 2.35 systems like Amazon Linux 2023 (glibc 2.34) and Vercel’s build container. v2 had this fix in #1432 (resolving #1430) but it wasn’t carried over during the v3 rewrite in #1492. Fix removes the platform-match conditions in the else branch of pickBinary() so --cross-compile always uses cargo-zigbuild for non-Windows targets
• oven-sh/bun (1 PR): #21855 added the decompress property to the BunFetchRequestInit interface with JSDoc documentation. The option already worked at runtime in Bun’s fetch(), but TypeScript users had to @ts-ignore it on every call to disable response decompression. Now it’s a first-class typed option, no escape hatch required
• fuma-nama/fumadocs (2 PRs):
  • #2092 fixed the TanStack Start template in create-fumadocs-app. Wired the vite-react plugin with the required customViteReactPlugin: true flag, configured a custom NotFound component for TanStack Router, and bumped deps to current versions. Resolved four issues at once: TanStack Start vite-react plugin warning, missing custom 404 component warning, module resolution errors during client-side navigation, and React hydration errors caused by useMemo null references that flashed errors mid-route-change
  • #2095 prettier formatting fix that unblocked the changesets release PR #2093 for create-fumadocs-app@15.7.0. The release PR was stuck on a formatting check, so I ran the formatter and shipped the diff so the release could go out
• rorkai/App-Store-Connect-CLI (1 PR): #784 Mac App Store screenshot support for the asc CLI. New --provider macos grabs the frontmost window of a running macOS app by bundle ID using screencapture -l <windowID>, where the window ID comes from a Swift one-liner piped to swift - via CGWindowListCopyWindowInfo, without cgo or extra binaries. New --device mac renders to the 2880x1800 APP_DESKTOP canvas without a device bezel, with optional title, subtitle, and background color overlays. Also fixed ASC_TIMEOUT being silently ignored for screenshots capture and screenshots frame, both now use ContextWithTimeout
• TanStack/db (1 PR): #17 corrected the stale README link to the example todo app, repointing it at examples/react/todo. Tiny fix, but it was the first thing I clicked when I landed on the repo and it 404’d. Was PR #17 in the repo, early days

Patches

Open (PRs still awaiting upstream merge):

• @expo/ui 56.0.0-canary-20260506-03817f5: Alert component wrapping SwiftUI’s iOS 15 .alert(_:isPresented:actions:message:), with Alert.Trigger, Alert.Actions, and optional Alert.Message slots. Mirrors ConfirmationDialog’s shape so isPresented bindings and Button actions compose the same way. expo/expo#45700
• @convex-dev/better-auth 0.12.2: wrap fetchAccessToken in new Promise(executor) so useConvexAuth().isAuthenticated flips after sign-in on Hermes V1. Expo SDK 56 canary dropped @babel/plugin-transform-async-to-generator from the Hermes V1 preset (#45345), exposing a bridge race the transform’s extra tick was hiding. The explicit new Promise restores that one-tick delay, so back-to-back auth state changes no longer race the websocket reconnect. get-convex/better-auth#368
• shadcn 4.7.0: strip C0 control characters (0x00-0x1F) and DEL (0x7F) from prompts text input values. Cmd+Delete on macOS sends Ctrl+U (NAK) which prompts inserts as a literal byte, creating directories like \x15my-app. shadcn-ui/ui#10364
• better-auth 1.6.9: preserve the current session on /change-password when revokeOtherSessions is set. Without this, the rotating endpoint’s bulk-delete loop also wipes the row that was just minted for the active caller, so the response sets a session cookie pointing at a row that no longer exists and the next request 401s. better-auth/better-auth#9345
• @hugeicons/react 1.1.6: core-free-icons subpath type shim so TypeScript stops complaining about the bundled icon set under node16, nodenext, and bundler resolution without forcing a paid tier. Also stops Vite dev from pre-bundling the 6.2 MB barrel for the 33 KB you actually use. hugeicons/react#5
• bun 1.3.13: two PRs. oven-sh/bun#27085 fixes includePrerelease semantics in peer dep semver validation. oven-sh/bun#27086 fixes invalid YAML in the update-root-certs workflow labels field

Dropped (PR merged, patch no longer needed):

• expo canary-20260506-964f25d: #45403
• better-auth 1.6.2 -> 1.6.5: #9087
• @expo/ui 56.0.0-canary-20260212-4f61309 -> 56.0.0-canary-20260305-5163746: #43158, #43228
• @expo/ui 56.0.0-canary-20260212-4f61309 -> 56.0.0-canary-20260401-5e87ef7: #43914, #43923
• @expo/ui 56.0.0-canary-20260212-4f61309 -> 56.0.0-canary-20260409-6fc2991: #43955, #44547, #44548
• expo-modules-core 56.0.0-canary-20260212-4f61309 -> 56.0.0-canary-20260402-87c5ce2: #43958
• @convex-dev/better-auth 0.10.10 -> 0.10.11: #218, #245
• @convex-dev/better-auth 0.10.11 -> 0.10.12: #267
• @convex-dev/better-auth 0.10.12 -> 0.10.13: #278
• @convex-dev/better-auth 0.11.5 -> 0.12.0: #323
• bun 1.2.20 -> 1.2.21: #21855
• create-fumadocs-app 15.6.4 -> 15.6.5: #2092, #2095
• convex 1.31.3 -> 1.31.4 (not my PR): WebSocketManager addEventListener guard, patched while reporting (baafbf5)
• jose 6.0.3 -> 6.0.4: process.getBuiltinModule removed from webapi dist for Edge Runtime compat (panva/jose#752)
• @shopify/mini-oxygen 4.0.0 (not my PR, fix in next release): Shopify/hydrogen#3617 Environment API (Vite 6/7/8 backward compat) supersedes my rebase #3493, which picked up @thomasKn’s stalled #3417. Siblings @shopify/hydrogen 2026.1.0, @shopify/hydrogen-react 2026.1.0, @shopify/cli-hydrogen 11.1.9 dropped with it

Issues I filed upstream

• panva/jose#752 process.getBuiltinModule misuse broke Edge Runtime and Next.js middleware. Traces convinced @panva the bug was real, fixed in v6.0.4
• shadcn-ui/ui#8892 registry directory submission for CodeRabbit. @shadcn asked me to send a PR, I shipped #9331 which auto-closed this issue on merge
• get-convex/better-auth#219 potential duplicate token requests during concurrent fetchAccessToken calls. Fixed by my own PR #267
• Shopify/hydrogen#3263 Vite 7 support in @shopify/mini-oxygen. Closed by me after @frandiox shipped Vite Environment API in #3617, superseding my rebase #3493
• oven-sh/bun#29444 bun install warns on valid prereleases in peer deps. includePrerelease not applied to peer dep semver checks, so @tanstack/router-core@1.167.10-rc.0 satisfying ^1.167.0 emits a spurious peer warning. Open and tracked by my PR oven-sh/bun#27085
• anthropics/claude-code#18075 feature request for an env var to set a custom Chromium browser path, open
• anthropics/claude-code#18181 manual update doesn’t fix the symlink when CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC is set. @bcherny replied “Fix incoming” and closed it
• anthropics/claude-code#20664 --fork-session doesn’t inherit CLAUDE_CODE_TASK_LIST_ID from the parent session, auto-closed for inactivity
• tobi/qmd#198 bun add blocks node-llama-cpp postinstall (harmless warning, qmd still works). Closed by me as not a bug, upstream later added pnpm.onlyBuiltDependencies in cc32c995
• Textualize/textual#5980 emoji with variation selectors cause button layout misalignment in Ghostty. Closed after the discussion concluded the fix belongs in terminal emulators via DEC mode 2027, not in textual
• cursor/cursor#3182 unable to update spending limit or toggle usage-based pricing on the main dashboard. Fixed upstream