website/docs: release notes 2026.5: add section about package reduction (#22308)

* Add section about package reduction

* Suggestion from marc

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

website/docs/releases/2026/v2026.5.md

@@ -114,6 +114,10 @@ The worker status reporting change also uses one fewer PostgreSQL connection per
 
 The Admin interface is also less resource-intensive in the browser due to lazy-loaded modals.
 
+### Fewer packages, smaller attack surface
+
+We’ve removed 17 packages, trimming bloat and tightening security in one move. Fewer components mean fewer potential vulnerabilities, helping keep your authentik deployments faster, lighter, and more resilient.
+
 ### OAuth2 configurable grant types
 
 [OAuth2 providers](../../add-secure-apps/providers/oauth2/index.mdx#oauth-20-flows-and-grant-types) now have a **Grant Types** setting that lets admins explicitly choose which grant types a given provider may use. The available options are Authorization Code, Implicit, Hybrid, Refresh token, Client credentials, Password, and Device-code. Existing providers default to having all grant types enabled to preserve current behavior, but you can now disable any grant types you don't want a particular client to use — useful for tightening security on individual integrations and disabling legacy flows like Implicit or Password where they aren't needed.