chore(deps): bump the npm_and_yarn group across 7 directories with 12 updates#1
Closed
dependabot[bot] wants to merge 1 commit into
Closed
Conversation
… updates Bumps the npm_and_yarn group with 2 updates in the /showcase/shell-dojo directory: [next](https://github.com/vercel/next.js) and [esbuild](https://github.com/evanw/esbuild). Bumps the npm_and_yarn group with 4 updates in the /showcase/shell-docs directory: [esbuild](https://github.com/evanw/esbuild), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [dompurify](https://github.com/cure53/DOMPurify) and [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js). Bumps the npm_and_yarn group with 5 updates in the /showcase/shell-dashboard directory: | Package | From | To | | --- | --- | --- | | [next](https://github.com/vercel/next.js) | `15.5.15` | `15.5.18` | | [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) | `7.28.3` | `removed` | | [esbuild](https://github.com/evanw/esbuild) | `0.27.7` | `0.28.1` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.9` | `8.1.3` | | [undici](https://github.com/nodejs/undici) | `7.25.0` | `7.28.0` | Bumps the npm_and_yarn group with 3 updates in the /showcase/scripts directory: [esbuild](https://github.com/evanw/esbuild), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [fast-uri](https://github.com/fastify/fast-uri). Bumps the npm_and_yarn group with 5 updates in the /showcase/integrations/strands directory: | Package | From | To | | --- | --- | --- | | [hono](https://github.com/honojs/hono) | `4.12.21` | `4.12.27` | | [ws](https://github.com/websockets/ws) | `8.20.1` | `8.21.0` | | [@ai-sdk/provider-utils](https://github.com/vercel/ai/tree/HEAD/packages/provider-utils) | `3.0.22` | `4.0.27` | | [dompurify](https://github.com/cure53/DOMPurify) | `3.4.5` | `3.4.11` | | [shell-quote](https://github.com/ljharb/shell-quote) | `1.8.3` | `1.8.4` | Bumps the npm_and_yarn group with 1 update in the /showcase/integrations/strands-typescript directory: [@ai-sdk/provider-utils](https://github.com/vercel/ai/tree/HEAD/packages/provider-utils). Bumps the npm_and_yarn group with 4 updates in the /showcase/integrations/spring-ai directory: [hono](https://github.com/honojs/hono), [ws](https://github.com/websockets/ws), [@ai-sdk/provider-utils](https://github.com/vercel/ai/tree/HEAD/packages/provider-utils) and [dompurify](https://github.com/cure53/DOMPurify). Updates `next` from 15.5.15 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](vercel/next.js@v15.5.15...v15.5.18) Updates `esbuild` from 0.27.3 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](evanw/esbuild@v0.27.3...v0.28.1) Updates `esbuild` from 0.28.0 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](evanw/esbuild@v0.27.3...v0.28.1) Updates `vite` from 8.0.13 to 8.1.3 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite) Updates `dompurify` from 3.4.5 to 3.4.11 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.4.5...3.4.11) Removes `@opentelemetry/core` Updates `next` from 15.5.15 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](vercel/next.js@v15.5.15...v15.5.18) Removes `@babel/core` Updates `esbuild` from 0.27.7 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](evanw/esbuild@v0.27.3...v0.28.1) Updates `vite` from 8.0.9 to 8.1.3 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite) Updates `undici` from 7.25.0 to 7.28.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.25.0...v7.28.0) Updates `esbuild` from 0.27.7 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](evanw/esbuild@v0.27.3...v0.28.1) Updates `vite` from 8.0.9 to 8.1.3 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite) Updates `fast-uri` from 3.1.0 to 3.1.3 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.3) Updates `hono` from 4.12.21 to 4.12.27 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.21...v4.12.27) Updates `ws` from 8.20.1 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.20.1...8.21.0) Updates `@ai-sdk/provider-utils` from 3.0.22 to 4.0.27 - [Release notes](https://github.com/vercel/ai/releases) - [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/provider-utils@4.0.27/packages/provider-utils/CHANGELOG.md) - [Commits](https://github.com/vercel/ai/commits/@ai-sdk/provider-utils@4.0.27/packages/provider-utils) Updates `dompurify` from 3.4.5 to 3.4.11 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.4.5...3.4.11) Updates `shell-quote` from 1.8.3 to 1.8.4 - [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md) - [Commits](ljharb/shell-quote@v1.8.3...v1.8.4) Updates `@ai-sdk/provider-utils` from 3.0.22 to 4.0.30 - [Release notes](https://github.com/vercel/ai/releases) - [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/provider-utils@4.0.27/packages/provider-utils/CHANGELOG.md) - [Commits](https://github.com/vercel/ai/commits/@ai-sdk/provider-utils@4.0.27/packages/provider-utils) Updates `hono` from 4.12.19 to 4.12.27 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.21...v4.12.27) Updates `ws` from 8.20.1 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.20.1...8.21.0) Updates `@ai-sdk/provider-utils` from 3.0.22 to 4.0.27 - [Release notes](https://github.com/vercel/ai/releases) - [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/provider-utils@4.0.27/packages/provider-utils/CHANGELOG.md) - [Commits](https://github.com/vercel/ai/commits/@ai-sdk/provider-utils@4.0.27/packages/provider-utils) Updates `dompurify` from 3.4.5 to 3.4.11 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.4.5...3.4.11) --- updated-dependencies: - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.1.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@opentelemetry/core" dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@babel/core" dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.1.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.28.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.1.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.27 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.21.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@ai-sdk/provider-utils" dependency-version: 4.0.27 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: shell-quote dependency-version: 1.8.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@ai-sdk/provider-utils" dependency-version: 4.0.30 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.27 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.21.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@ai-sdk/provider-utils" dependency-version: 4.0.27 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.11 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
|
Dependency limit exceeded — report not shown. This pull request scan exceeded the 10,000-dependency limit applied to this scan, so the results are incomplete and may be inaccurate. To avoid reporting false positives, Socket has not posted a report. Upgrade your plan to raise the dependency limit and get complete reports, or view the partial scan in the dashboard. Socket is always free for open source. If this is a non-commercial open source project, contact us to request a free Team account. |
Author
|
Superseded by #2. |
danielbodnar
pushed a commit
that referenced
this pull request
Jul 10, 2026
…rwarded inbound headers (CopilotKit#5782) ## Problem When a self-hosted v2 `CopilotRuntime` is configured with a server-side agent (an `@ag-ui/client` `HttpAgent` with static `headers` for service-to-service auth), the runtime forwards inbound `authorization`/`x-*` request headers onto the agent's outgoing call **and lets them override the headers the server configured** — silently breaking service-to-service auth to a secured backend (e.g. a private Cloud Run agent behind IAM). `Fixes CopilotKit#5712` ## Root cause `packages/runtime/src/v2/runtime/handlers/shared/agent-utils.ts:125-128` merged forwarded inbound headers **last**, so they won on collision: ```ts agent.headers = { ...agent.headers, // server-configured ...extractForwardableHeaders(request), // inbound — overrode the above }; ``` There are actually **two** failure modes: 1. **Same-case collision** — inbound `authorization` overwrites a server `authorization` (last-write-wins). 2. **Case-mismatch collision** — `extractForwardableHeaders` lowercases inbound keys (`authorization`), while the server typically configures canonical casing (`Authorization`). A plain spread treats those as *distinct* keys and emits **both** — which undici downstream comma-joins into a single invalid `"Bearer A, Bearer B"` ("multiple JWTs") value. Flipping the spread order alone does **not** fix this case. ## Fix In `agent-utils.ts`, make server-configured `agent.headers` authoritative on collision, matched **case-insensitively**: drop any forwarded inbound header whose name (case-insensitively) is already set on the agent, and let non-colliding inbound headers pass through unchanged. This preserves the existing forward-for-auth behavior for headers the server does *not* set, while guaranteeing a server-set token is never overridden or duplicated. The merge logic lives in a shared `mergeForwardableHeaders(serverHeaders, request)` helper in `packages/runtime/src/v2/runtime/handlers/header-utils.ts` so the precedence semantics are defined in exactly one place. ### Scope note This is the conservative precedence + case-insensitive-dedup fix (the issue's suggested fix #1). I did **not** tighten the default allowlist to drop hop-by-hop/platform `x-*` headers (`x-serverless-*`, `x-forwarded-*`, …) or add an opt-out — those alter existing forwarding behavior and are worth a separate, deliberate change. The precedence fix alone resolves the reported breakage (the server-set token now wins regardless of what the platform injects on a colliding header name). A documented workaround already exists for users on released versions: pass a custom `fetch` to the `HttpAgent` that builds outgoing headers from scratch (it runs after `configureAgentForRequest` and survives the per-request `agent.clone()`). ## Red-green proof (the real fix — `/run` path) The load-bearing assertion: there must be exactly **one** authorization header carrying the **server** value. ### RED (fix stashed, against unmodified `agent-utils.ts`) ``` ❯ src/v2/runtime/__tests__/agent-header-precedence.test.ts (2 tests | 1 failed) × configureAgentForRequest — header precedence (CopilotKit#5712) > server-configured agent headers win over a colliding inbound header AssertionError: expected [ 'Authorization', 'authorization' ] to have a length of 1 but got 2 81| expect(authKeys).toHaveLength(1); Test Files 1 failed (1) Tests 1 failed | 1 passed (2) ``` The pre-existing `agent-utils-header-forwarding.test.ts` also failed, because it explicitly encoded the buggy behavior (`expect(...["x-aimock-context"]).toBe("new-context")` — inbound winning): ``` FAIL src/v2/runtime/__tests__/agent-utils-header-forwarding.test.ts > ... > request forwardable headers override matching pre-existing agent headers AssertionError: expected 'old-context' to be 'new-context' ``` ### GREEN (fix applied) ``` ✓ src/v2/runtime/__tests__/agent-header-precedence.test.ts (2 tests) 2ms ✓ src/v2/runtime/__tests__/agent-utils-header-forwarding.test.ts (8 tests) 3ms Test Files 2 passed (2) Tests 10 passed (10) ``` The colliding test (`agent-utils-header-forwarding.test.ts`) was updated from asserting the old bug to asserting corrected precedence + a new case-insensitive-dedup guard. The non-colliding-forward test is retained unchanged as a regression guard. ## Quality gates ``` NX Successfully ran target check-types for project @copilotkit/runtime NX Successfully ran target test for project @copilotkit/runtime — Test Files 113 passed (113), Tests 1576 passed (1576) ``` --- ## `/connect`-path change — forward-looking plumbing, inert today The original issue and a prior eval flagged the same forwarding pattern at `handlers/sse/connect.ts`. To keep the two paths' merge semantics consistent, the `/connect` path now builds the same server-wins merged headers (via the shared `mergeForwardableHeaders` helper) and passes them into `runner.connect()`. **This is not an active auth fix, and it is not red-green-proven as one — because there is no live bug to fix on the connect path today.** No shipped runner consumes the `headers` field of `AgentRunnerConnectRequest`: the in-memory, intelligence, telemetry, and sqlite runners all destructure only `threadId` from the connect request and ignore `headers` entirely. Connect is a thread replay/reconnect, not a fresh outgoing agent call. So whatever headers we pass into `runner.connect()` are dropped on the floor by every runner that ships. What this change actually does: - Threads the per-request agent clone through `handle-connect.ts → handleSseConnect` so the connect path *has access to* the server-configured `agent.headers` (it previously did not). - Passes `mergeForwardableHeaders(agent?.headers, request)` into `runner.connect()` — the correct, server-wins argument **shape** for a future outbound-connecting runner that *would* consume connect-path headers. - Rewrites the comments/JSDoc on this path to say this plainly, rather than implying an active auth fix. It also documents that the connect-site `cloneAgentForRequest` call is the sole `agentId`-existence guard (the intelligence branch never re-validates the id), and documents `cloneAgentForRequest`'s `AbstractAgent | Response` (404) dual-return contract that both callers depend on. The real outbound header forwarding — the thing that fixes CopilotKit#5712 — is the `/run` path's `agent.headers` mutation described above. The connect change is staged plumbing so that if/when a runner starts honoring connect-path headers, it inherits the same server-wins precedence without a second fix. ### Tests on the `/connect` path The connect tests assert the *merge shape* that reaches `runner.connect()` (server value wins on collision, exactly one `authorization` key, non-colliding `x-*` still forwards) and that the agent-undefined case (no server `agent.headers`) degrades to forwarding allowlisted inbound headers only and does not crash. These verify the argument we construct is correctly shaped — not that any shipped runner consumes it. ## Files - `packages/runtime/src/v2/runtime/handlers/header-utils.ts` — shared `mergeForwardableHeaders` helper (case-insensitive, server-wins). - `packages/runtime/src/v2/runtime/handlers/shared/agent-utils.ts` — `/run` path uses the helper so server headers win on collision (**the real fix**). - `packages/runtime/src/v2/runtime/handlers/sse/connect.ts` — `/connect` path uses the helper; forward-looking plumbing, inert until a runner consumes connect-path headers. - `packages/runtime/src/v2/runtime/handlers/handle-connect.ts` — threads the per-request agent clone into `handleSseConnect`. - `packages/runtime/src/v2/runtime/__tests__/agent-header-precedence.test.ts` — `/run` regression test exercising the real `configureAgentForRequest` surface with a real `HttpAgent`. - `packages/runtime/src/v2/runtime/__tests__/agent-utils-header-forwarding.test.ts` — updated the test that encoded the old (buggy) precedence; added a case-mismatch dedup guard. - `packages/runtime/src/v2/runtime/handlers/sse/__tests__/sse-connect-agent-id.test.ts` — connect-path merge-shape + agent-undefined coverage. ### Notes - A documented `@ag-ui/client` `HttpAgent` `fetch` workaround already exists for attaching service-to-service auth the runtime can't override (see the issue). This change makes the workaround unnecessary for the `/run` precedence case. - Conservative scope: this is the **precedence flip on `/run`** plus forward-looking connect plumbing. Tightening the default allowlist (dropping hop-by-hop / platform `x-serverless-*`, `x-forwarded-*`, `x-cloud-trace-context`, …) and an opt-out switch — issue suggestions #2/#3 — are intentionally left as a follow-up to keep the security-policy change minimal.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the npm_and_yarn group with 2 updates in the /showcase/shell-dojo directory: next and esbuild.
Bumps the npm_and_yarn group with 4 updates in the /showcase/shell-docs directory: esbuild, vite, dompurify and @opentelemetry/core.
Bumps the npm_and_yarn group with 5 updates in the /showcase/shell-dashboard directory:
15.5.1515.5.187.28.3removed0.27.70.28.18.0.98.1.37.25.07.28.0Bumps the npm_and_yarn group with 3 updates in the /showcase/scripts directory: esbuild, vite and fast-uri.
Bumps the npm_and_yarn group with 5 updates in the /showcase/integrations/strands directory:
4.12.214.12.278.20.18.21.03.0.224.0.273.4.53.4.111.8.31.8.4Bumps the npm_and_yarn group with 1 update in the /showcase/integrations/strands-typescript directory: @ai-sdk/provider-utils.
Bumps the npm_and_yarn group with 4 updates in the /showcase/integrations/spring-ai directory: hono, ws, @ai-sdk/provider-utils and dompurify.
Updates
nextfrom 15.5.15 to 15.5.18Release notes
Sourced from next's releases.
Commits
9ff92cev15.5.1800ebe23[backport] Disable build caches for production/staging/force-preview deploys ...62c97abv15.5.17423623aTurbopack: Match proxy matchers with webpack implementation (#93594)fa78739Turbopack: Fix middleware matcher suffix (#93590)36e62c6[backport] Turbopack: more strict vergen setup (#93588)36589b5[backport][test] Pin package manager to patch versions (#93596)ad6fd4ev15.5.1679d7dffIgnore malformed CSP nonce headers (#103)c4f6908router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.
Updates
esbuildfrom 0.27.3 to 0.28.1Release notes
Sourced from esbuild's releases.
... (truncated)
Changelog
Sourced from esbuild's changelog.
... (truncated)
Commits
bb9db84publish 0.28.1 to npm9ff053esecurity: add integrity checks to the Deno API0a9bf21enforce non-negative size in gzip parsere2a1a71security: forbid\\in local dev server requests83a2cbffix #4482: don't inlineusingdeclarations308ad74fix #4471: renaming of nestedvardeclarationsf013f5ffix some typosaafd6e4chore: fix some minor issues in comments (#4462)15300c3follow up: cjs evaluation fixes1bda0c3fix #4461, fix #4467: esm evaluation fixesUpdates
esbuildfrom 0.28.0 to 0.28.1Release notes
Sourced from esbuild's releases.
... (truncated)
Changelog
Sourced from esbuild's changelog.
... (truncated)
Commits
bb9db84publish 0.28.1 to npm9ff053esecurity: add integrity checks to the Deno API0a9bf21enforce non-negative size in gzip parsere2a1a71security: forbid\\in local dev server requests83a2cbffix #4482: don't inlineusingdeclarations308ad74fix #4471: renaming of nestedvardeclarationsf013f5ffix some typosaafd6e4chore: fix some minor issues in comments (#4462)15300c3follow up: cjs evaluation fixes1bda0c3fix #4461, fix #4467: esm evaluation fixesUpdates
vitefrom 8.0.13 to 8.1.3Release notes
Sourced from vite's releases.
Changelog
Sourced from vite's changelog.
... (truncated)
Commits
578ffb8release: v8.1.37103c3afix(deps): bumpes-module-lexerto 2.3.0 (#22838)1534d36fix(css): inject inlined CSS after the shebang line (#22717)c4acd69fix(ssr): correct stacktrace column position for first line (#22828)2c53054fix: preload css for nested dynamic imports (#22759)ba31193release: v8.1.20d3bd7cfix(deps): revert es-module-lexer to 2.1.0 (#22827)efb98ccfix: restore, "fix: resolve pnpm .modules.yaml from workspace root instead of...cf97711fix: revert, "fix: resolve pnpm .modules.yaml from workspace root instead of ...cccef55fix: revert, "fix: escape ids with multiple null bytes (#22687)"Updates
dompurifyfrom 3.4.5 to 3.4.11Release notes
Sourced from dompurify's releases.
Commits
0cae518release: 3.4.11 (#1494)6ee5716release: 3.4.10 (#1478)5210247release: 3.4.9 (#1459)bcdd828release: 3.4.8 (#1439)ca30f07release: 3.4.7 (#1414)bb7739erelease: 3.4.6 (#1394)Removes
@opentelemetry/coreUpdates
nextfrom 15.5.15 to 15.5.18Release notes
Sourced from next's releases.
Commits
9ff92cev15.5.1800ebe23[backport] Disable build caches for production/staging/force-preview deploys ...62c97abv15.5.17423623aTurbopack: Match proxy matchers with webpack implementation (#93594)fa78739Turbopack: Fix middleware matcher suffix (#93590)36e62c6[backport] Turbopack: more strict vergen setup (#93588)36589b5[backport][test] Pin package manager to patch versions (#93596)ad6fd4ev15.5.1679d7dffIgnore malformed CSP nonce headers (#103)c4f6908router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.
Removes
@babel/coreUpdates
esbuildfrom 0.27.7 to 0.28.1Release notes
Sourced from esbuild's releases.
... (truncated)
Changelog
Sourced from esbuild's changelog.