Bump the prod-patch-updates group across 1 directory with 12 updates

Bumps the prod-patch-updates group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@react-email/components](https://github.com/resend/react-email/tree/HEAD/packages/components) | `1.0.2` | `1.0.6` |
| [@react-email/render](https://github.com/resend/react-email/tree/HEAD/packages/render) | `2.0.0` | `2.0.4` |
| [@react-email/tailwind](https://github.com/resend/react-email/tree/HEAD/packages/tailwind) | `2.0.2` | `2.0.3` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.90.12` | `5.90.20` |
| [axios](https://github.com/axios/axios) | `1.13.2` | `1.13.4` |
| [cors](https://github.com/expressjs/cors) | `2.8.5` | `2.8.6` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.1.0` | `16.1.6` |
| [maxmind](https://github.com/runk/node-maxmind) | `5.0.1` | `5.0.5` |
| [nodemailer](https://github.com/nodemailer/nodemailer) | `7.0.11` | `7.0.13` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.3` | `19.2.4` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.3` | `19.2.4` |
| [zod](https://github.com/colinhacks/zod) | `4.3.5` | `4.3.6` |



Updates `@react-email/components` from 1.0.2 to 1.0.6
- [Release notes](https://github.com/resend/react-email/releases)
- [Changelog](https://github.com/resend/react-email/blob/canary/packages/components/CHANGELOG.md)
- [Commits](https://github.com/resend/react-email/commits/@react-email/components@1.0.6/packages/components)

Updates `@react-email/render` from 2.0.0 to 2.0.4
- [Release notes](https://github.com/resend/react-email/releases)
- [Changelog](https://github.com/resend/react-email/blob/canary/packages/render/CHANGELOG.md)
- [Commits](https://github.com/resend/react-email/commits/@react-email/render@2.0.4/packages/render)

Updates `@react-email/tailwind` from 2.0.2 to 2.0.3
- [Release notes](https://github.com/resend/react-email/releases)
- [Changelog](https://github.com/resend/react-email/blob/canary/packages/tailwind/CHANGELOG.md)
- [Commits](https://github.com/resend/react-email/commits/@react-email/tailwind@2.0.3/packages/tailwind)

Updates `@tanstack/react-query` from 5.90.12 to 5.90.20
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.90.20/packages/react-query)

Updates `axios` from 1.13.2 to 1.13.4
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.13.2...v1.13.4)

Updates `cors` from 2.8.5 to 2.8.6
- [Release notes](https://github.com/expressjs/cors/releases)
- [Changelog](https://github.com/expressjs/cors/blob/master/HISTORY.md)
- [Commits](https://github.com/expressjs/cors/compare/v2.8.5...v2.8.6)

Updates `eslint-config-next` from 16.1.0 to 16.1.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.1.6/packages/eslint-config-next)

Updates `maxmind` from 5.0.1 to 5.0.5
- [Release notes](https://github.com/runk/node-maxmind/releases)
- [Commits](https://github.com/runk/node-maxmind/compare/v5.0.1...v5.0.5)

Updates `nodemailer` from 7.0.11 to 7.0.13
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodemailer/nodemailer/compare/v7.0.11...v7.0.13)

Updates `react` from 19.2.3 to 19.2.4
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.4/packages/react)

Updates `react-dom` from 19.2.3 to 19.2.4
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.4/packages/react-dom)

Updates `zod` from 4.3.5 to 4.3.6
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/compare/v4.3.5...v4.3.6)

---
updated-dependencies:
- dependency-name: "@react-email/components"
  dependency-version: 1.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: "@react-email/render"
  dependency-version: 2.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: "@react-email/tailwind"
  dependency-version: 2.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.90.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: axios
  dependency-version: 1.13.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: cors
  dependency-version: 2.8.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: eslint-config-next
  dependency-version: 16.1.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: maxmind
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: nodemailer
  dependency-version: 7.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: react
  dependency-version: 19.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: react-dom
  dependency-version: 19.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
- dependency-name: zod
  dependency-version: 4.3.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/cicd.yml

@@ -504,10 +504,55 @@ jobs:
                       }
 
                       echo "==> cosign verify (public key) ${REF}"
-                      retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"
+                      if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"; then
+                        VERIFIED_INDEX=true
+                      else
+                        VERIFIED_INDEX=false
+                      fi
 
                       echo "==> cosign verify (keyless policy) ${REF}"
-                      retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"
+                      if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"; then
+                        VERIFIED_INDEX_KEYLESS=true
+                      else
+                        VERIFIED_INDEX_KEYLESS=false
+                      fi
+
+                      # If index verification fails, attempt to verify child platform manifests
+                      if [ "${VERIFIED_INDEX}" != "true" ] || [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then
+                        echo "Index verification not available; attempting child manifest verification for ${BASE_IMAGE}:${IMAGE_TAG}"
+                        CHILD_VERIFIED=false
+
+                        for ARCH in arm64 amd64; do
+                          CHILD_TAG="${IMAGE_TAG}-${ARCH}"
+                          echo "Resolving child digest for ${BASE_IMAGE}:${CHILD_TAG}"
+                          CHILD_DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${CHILD_TAG} | jq -r '.Digest' || true)"
+                          if [ -n "${CHILD_DIGEST}" ] && [ "${CHILD_DIGEST}" != "null" ]; then
+                            CHILD_REF="${BASE_IMAGE}@${CHILD_DIGEST}"
+                            echo "==> cosign verify (public key) child ${CHILD_REF}"
+                            if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${CHILD_REF}' -o text"; then
+                              CHILD_VERIFIED=true
+                              echo "Public key verification succeeded for child ${CHILD_REF}"
+                            else
+                              echo "Public key verification failed for child ${CHILD_REF}"
+                            fi
+
+                            echo "==> cosign verify (keyless policy) child ${CHILD_REF}"
+                            if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${CHILD_REF}' -o text"; then
+                              CHILD_VERIFIED=true
+                              echo "Keyless verification succeeded for child ${CHILD_REF}"
+                            else
+                              echo "Keyless verification failed for child ${CHILD_REF}"
+                            fi
+                          else
+                            echo "No child digest found for ${BASE_IMAGE}:${CHILD_TAG}; skipping"
+                          fi
+                        done
+
+                        if [ "${CHILD_VERIFIED}" != "true" ]; then
+                          echo "Failed to verify index and no child manifests verified for ${BASE_IMAGE}:${IMAGE_TAG}"
+                          exit 10
+                        fi
+                      fi
 
                       echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
                     done

messages/de-DE.json

@@ -97,7 +97,7 @@
     "siteGeneralDescription": "Allgemeine Einstellungen für diesen Standort konfigurieren",
     "siteSettingDescription": "Standorteinstellungen konfigurieren",
     "siteSetting": "{siteName} Einstellungen",
-    "siteNewtTunnel": "Neuer Standort (empfohlen)",
+    "siteNewtTunnel": "Newt Standort (empfohlen)",
     "siteNewtTunnelDescription": "Einfachster Weg, einen Einstiegspunkt in jedes Netzwerk zu erstellen. Keine zusätzliche Einrichtung.",
     "siteWg": "Einfacher WireGuard Tunnel",
     "siteWgDescription": "Verwende jeden WireGuard-Client, um einen Tunnel einzurichten. Manuelles NAT-Setup erforderlich.",
@@ -107,7 +107,7 @@
     "siteSeeAll": "Alle Standorte anzeigen",
     "siteTunnelDescription": "Legen Sie fest, wie Sie sich mit dem Standort verbinden möchten",
     "siteNewtCredentials": "Zugangsdaten",
-    "siteNewtCredentialsDescription": "So wird sich die Seite mit dem Server authentifizieren",
+    "siteNewtCredentialsDescription": "So wird sich der Standort mit dem Server authentifizieren",
     "remoteNodeCredentialsDescription": "So wird sich der entfernte Node mit dem Server authentifizieren",
     "siteCredentialsSave": "Anmeldedaten speichern",
     "siteCredentialsSaveDescription": "Du kannst das nur einmal sehen. Stelle sicher, dass du es an einen sicheren Ort kopierst.",
@@ -2503,7 +2503,7 @@
     "deviceModel": "Gerätemodell",
     "serialNumber": "Seriennummer",
     "hostname": "Hostname",
-    "firstSeen": "Erster Blick",
+    "firstSeen": "Zuerst gesehen",
     "lastSeen": "Zuletzt gesehen",
     "biometricsEnabled": "Biometrie aktiviert",
     "diskEncrypted": "Festplatte verschlüsselt",

package.json

@@ -60,16 +60,16 @@
         "@radix-ui/react-tabs": "1.1.13",
         "@radix-ui/react-toast": "1.2.15",
         "@radix-ui/react-tooltip": "1.2.8",
-        "@react-email/components": "1.0.2",
-        "@react-email/render": "2.0.0",
-        "@react-email/tailwind": "2.0.2",
+        "@react-email/components": "1.0.6",
+        "@react-email/render": "2.0.4",
+        "@react-email/tailwind": "2.0.3",
         "@simplewebauthn/browser": "13.2.2",
         "@simplewebauthn/server": "13.2.2",
         "@tailwindcss/forms": "0.5.11",
-        "@tanstack/react-query": "5.90.12",
+        "@tanstack/react-query": "5.90.20",
         "@tanstack/react-table": "8.21.3",
         "arctic": "3.7.0",
-        "axios": "1.13.2",
+        "axios": "1.13.4",
         "better-sqlite3": "11.9.1",
         "canvas-confetti": "1.9.4",
         "class-variance-authority": "0.7.1",
@@ -78,13 +78,13 @@
         "cookie": "1.1.1",
         "cookie-parser": "1.4.7",
         "cookies": "0.9.1",
-        "cors": "2.8.5",
+        "cors": "2.8.6",
         "crypto-js": "4.2.0",
         "d3": "7.9.0",
         "date-fns": "4.1.0",
         "drizzle-orm": "0.45.1",
         "eslint": "9.39.2",
-        "eslint-config-next": "16.1.0",
+        "eslint-config-next": "16.1.6",
         "express": "5.2.1",
         "express-rate-limit": "8.2.1",
         "glob": "13.0.0",
@@ -97,7 +97,7 @@
         "js-yaml": "4.1.1",
         "jsonwebtoken": "9.0.3",
         "lucide-react": "0.562.0",
-        "maxmind": "5.0.1",
+        "maxmind": "5.0.5",
         "moment": "2.30.1",
         "next": "15.5.9",
         "next-intl": "4.7.0",
@@ -105,16 +105,16 @@
         "nextjs-toploader": "3.9.17",
         "node-cache": "5.1.2",
         "node-fetch": "3.3.2",
-        "nodemailer": "7.0.11",
+        "nodemailer": "7.0.13",
         "npm": "11.7.0",
         "nprogress": "0.2.0",
         "oslo": "1.2.1",
         "pg": "8.17.1",
         "posthog-node": "5.23.0",
         "qrcode.react": "4.2.0",
-        "react": "19.2.3",
+        "react": "19.2.4",
         "react-day-picker": "9.13.0",
-        "react-dom": "19.2.3",
+        "react-dom": "19.2.4",
         "react-easy-sort": "1.8.0",
         "react-hook-form": "7.71.1",
         "react-icons": "5.5.0",
@@ -136,7 +136,7 @@
         "ws": "8.19.0",
         "yaml": "2.8.2",
         "yargs": "18.0.0",
-        "zod": "4.3.5",
+        "zod": "4.3.6",
         "zod-validation-error": "5.0.0"
     },
     "devDependencies": {
@@ -154,10 +154,10 @@
         "@types/jmespath": "0.15.2",
         "@types/jsonwebtoken": "9.0.10",
         "@types/node": "24.10.2",
-        "@types/nodemailer": "7.0.4",
+        "@types/nodemailer": "7.0.9",
         "@types/nprogress": "0.2.3",
         "@types/pg": "8.16.0",
-        "@types/react": "19.2.7",
+        "@types/react": "19.2.10",
         "@types/react-dom": "19.2.3",
         "@types/semver": "7.7.1",
         "@types/swagger-ui-express": "4.1.8",

server/setup/ensureSetupToken.ts

@@ -64,16 +64,20 @@ export async function ensureSetupToken() {
                 );
             }
 
-            if (existingToken?.token !== envSetupToken) {
-                console.warn(
-                    "Overwriting existing token in DB since PANGOLIN_SETUP_TOKEN is set"
-                );
+            if (existingToken) {
+                // Token exists in DB - update it if different
+                if (existingToken.token !== envSetupToken) {
+                    console.warn(
+                        "Overwriting existing token in DB since PANGOLIN_SETUP_TOKEN is set"
+                    );
 
-                await db
-                    .update(setupTokens)
-                    .set({ token: envSetupToken })
-                    .where(eq(setupTokens.tokenId, existingToken.tokenId));
+                    await db
+                        .update(setupTokens)
+                        .set({ token: envSetupToken })
+                        .where(eq(setupTokens.tokenId, existingToken.tokenId));
+                }
             } else {
+                // No existing token - insert new one
                 const tokenId = generateId(15);
 
                 await db.insert(setupTokens).values({