chore(deps): bump the npm_and_yarn group across 8 directories with 12 updates#2
Conversation
… updates Bumps the npm_and_yarn group with 4 updates in the /showcase/integrations/spring-ai directory: [hono](https://github.com/honojs/hono), [ws](https://github.com/websockets/ws), [@ai-sdk/provider-utils](https://github.com/vercel/ai/tree/HEAD/packages/provider-utils) and [dompurify](https://github.com/cure53/DOMPurify). Bumps the npm_and_yarn group with 5 updates in the /showcase/integrations/strands directory: | Package | From | To | | --- | --- | --- | | [hono](https://github.com/honojs/hono) | `4.12.21` | `4.12.27` | | [ws](https://github.com/websockets/ws) | `8.20.1` | `8.21.0` | | [@ai-sdk/provider-utils](https://github.com/vercel/ai/tree/HEAD/packages/provider-utils) | `3.0.22` | `4.0.27` | | [dompurify](https://github.com/cure53/DOMPurify) | `3.4.5` | `3.4.11` | | [shell-quote](https://github.com/ljharb/shell-quote) | `1.8.3` | `1.8.4` | Bumps the npm_and_yarn group with 1 update in the /showcase/integrations/strands-typescript directory: [@ai-sdk/provider-utils](https://github.com/vercel/ai/tree/HEAD/packages/provider-utils). Bumps the npm_and_yarn group with 3 updates in the /showcase/scripts directory: [esbuild](https://github.com/evanw/esbuild), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [fast-uri](https://github.com/fastify/fast-uri). Bumps the npm_and_yarn group with 1 update in the /showcase/shell directory: [@ai-sdk/provider-utils](https://github.com/vercel/ai/tree/HEAD/packages/provider-utils). Bumps the npm_and_yarn group with 5 updates in the /showcase/shell-dashboard directory: | Package | From | To | | --- | --- | --- | | [next](https://github.com/vercel/next.js) | `15.5.15` | `15.5.18` | | [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) | `7.28.3` | `removed` | | [esbuild](https://github.com/evanw/esbuild) | `0.27.7` | `0.28.1` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.9` | `8.1.3` | | [undici](https://github.com/nodejs/undici) | `7.25.0` | `7.28.0` | Bumps the npm_and_yarn group with 4 updates in the /showcase/shell-docs directory: [esbuild](https://github.com/evanw/esbuild), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [dompurify](https://github.com/cure53/DOMPurify) and [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js). Bumps the npm_and_yarn group with 2 updates in the /showcase/shell-dojo directory: [next](https://github.com/vercel/next.js) and [esbuild](https://github.com/evanw/esbuild). Updates `hono` from 4.12.19 to 4.12.27 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.19...v4.12.27) Updates `ws` from 8.20.1 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.20.1...8.21.0) Updates `@ai-sdk/provider-utils` from 3.0.22 to 4.0.27 - [Release notes](https://github.com/vercel/ai/releases) - [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/provider-utils@4.0.27/packages/provider-utils/CHANGELOG.md) - [Commits](https://github.com/vercel/ai/commits/@ai-sdk/provider-utils@4.0.27/packages/provider-utils) Updates `dompurify` from 3.4.5 to 3.4.11 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.4.5...3.4.11) Updates `hono` from 4.12.21 to 4.12.27 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.19...v4.12.27) Updates `ws` from 8.20.1 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.20.1...8.21.0) Updates `@ai-sdk/provider-utils` from 3.0.22 to 4.0.27 - [Release notes](https://github.com/vercel/ai/releases) - [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/provider-utils@4.0.27/packages/provider-utils/CHANGELOG.md) - [Commits](https://github.com/vercel/ai/commits/@ai-sdk/provider-utils@4.0.27/packages/provider-utils) Updates `dompurify` from 3.4.5 to 3.4.11 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.4.5...3.4.11) Updates `shell-quote` from 1.8.3 to 1.8.4 - [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md) - [Commits](ljharb/shell-quote@v1.8.3...v1.8.4) Updates `@ai-sdk/provider-utils` from 3.0.22 to 4.0.30 - [Release notes](https://github.com/vercel/ai/releases) - [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/provider-utils@4.0.27/packages/provider-utils/CHANGELOG.md) - [Commits](https://github.com/vercel/ai/commits/@ai-sdk/provider-utils@4.0.27/packages/provider-utils) Updates `esbuild` from 0.27.7 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](evanw/esbuild@v0.27.7...v0.28.1) Updates `vite` from 8.0.9 to 8.1.3 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite) Updates `fast-uri` from 3.1.0 to 3.1.3 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.3) Updates `@ai-sdk/provider-utils` from 3.0.22 to 4.0.30 - [Release notes](https://github.com/vercel/ai/releases) - [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/provider-utils@4.0.27/packages/provider-utils/CHANGELOG.md) - [Commits](https://github.com/vercel/ai/commits/@ai-sdk/provider-utils@4.0.27/packages/provider-utils) Updates `next` from 15.5.15 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](vercel/next.js@v15.5.15...v15.5.18) Removes `@babel/core` Updates `esbuild` from 0.27.7 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](evanw/esbuild@v0.27.7...v0.28.1) Updates `vite` from 8.0.9 to 8.1.3 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite) Updates `undici` from 7.25.0 to 7.28.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.25.0...v7.28.0) Updates `esbuild` from 0.28.0 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](evanw/esbuild@v0.27.7...v0.28.1) Updates `vite` from 8.0.13 to 8.1.3 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite) Updates `dompurify` from 3.4.5 to 3.4.11 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.4.5...3.4.11) Removes `@opentelemetry/core` Updates `next` from 15.5.15 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](vercel/next.js@v15.5.15...v15.5.18) Updates `esbuild` from 0.27.3 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](evanw/esbuild@v0.27.7...v0.28.1) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.27 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.21.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@ai-sdk/provider-utils" dependency-version: 4.0.27 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.27 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.21.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@ai-sdk/provider-utils" dependency-version: 4.0.27 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: shell-quote dependency-version: 1.8.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@ai-sdk/provider-utils" dependency-version: 4.0.30 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.1.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@ai-sdk/provider-utils" dependency-version: 4.0.30 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@babel/core" dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.1.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.28.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.1.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@opentelemetry/core" dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
|
Dependency limit exceeded — report not shown. This pull request scan exceeded the 10,000-dependency limit applied to this scan, so the results are incomplete and may be inaccurate. To avoid reporting false positives, Socket has not posted a report. Upgrade your plan to raise the dependency limit and get complete reports, or view the partial scan in the dashboard. Socket is always free for open source. If this is a non-commercial open source project, contact us to request a free Team account. |
…rwarded inbound headers (CopilotKit#5782) ## Problem When a self-hosted v2 `CopilotRuntime` is configured with a server-side agent (an `@ag-ui/client` `HttpAgent` with static `headers` for service-to-service auth), the runtime forwards inbound `authorization`/`x-*` request headers onto the agent's outgoing call **and lets them override the headers the server configured** — silently breaking service-to-service auth to a secured backend (e.g. a private Cloud Run agent behind IAM). `Fixes CopilotKit#5712` ## Root cause `packages/runtime/src/v2/runtime/handlers/shared/agent-utils.ts:125-128` merged forwarded inbound headers **last**, so they won on collision: ```ts agent.headers = { ...agent.headers, // server-configured ...extractForwardableHeaders(request), // inbound — overrode the above }; ``` There are actually **two** failure modes: 1. **Same-case collision** — inbound `authorization` overwrites a server `authorization` (last-write-wins). 2. **Case-mismatch collision** — `extractForwardableHeaders` lowercases inbound keys (`authorization`), while the server typically configures canonical casing (`Authorization`). A plain spread treats those as *distinct* keys and emits **both** — which undici downstream comma-joins into a single invalid `"Bearer A, Bearer B"` ("multiple JWTs") value. Flipping the spread order alone does **not** fix this case. ## Fix In `agent-utils.ts`, make server-configured `agent.headers` authoritative on collision, matched **case-insensitively**: drop any forwarded inbound header whose name (case-insensitively) is already set on the agent, and let non-colliding inbound headers pass through unchanged. This preserves the existing forward-for-auth behavior for headers the server does *not* set, while guaranteeing a server-set token is never overridden or duplicated. The merge logic lives in a shared `mergeForwardableHeaders(serverHeaders, request)` helper in `packages/runtime/src/v2/runtime/handlers/header-utils.ts` so the precedence semantics are defined in exactly one place. ### Scope note This is the conservative precedence + case-insensitive-dedup fix (the issue's suggested fix #1). I did **not** tighten the default allowlist to drop hop-by-hop/platform `x-*` headers (`x-serverless-*`, `x-forwarded-*`, …) or add an opt-out — those alter existing forwarding behavior and are worth a separate, deliberate change. The precedence fix alone resolves the reported breakage (the server-set token now wins regardless of what the platform injects on a colliding header name). A documented workaround already exists for users on released versions: pass a custom `fetch` to the `HttpAgent` that builds outgoing headers from scratch (it runs after `configureAgentForRequest` and survives the per-request `agent.clone()`). ## Red-green proof (the real fix — `/run` path) The load-bearing assertion: there must be exactly **one** authorization header carrying the **server** value. ### RED (fix stashed, against unmodified `agent-utils.ts`) ``` ❯ src/v2/runtime/__tests__/agent-header-precedence.test.ts (2 tests | 1 failed) × configureAgentForRequest — header precedence (CopilotKit#5712) > server-configured agent headers win over a colliding inbound header AssertionError: expected [ 'Authorization', 'authorization' ] to have a length of 1 but got 2 81| expect(authKeys).toHaveLength(1); Test Files 1 failed (1) Tests 1 failed | 1 passed (2) ``` The pre-existing `agent-utils-header-forwarding.test.ts` also failed, because it explicitly encoded the buggy behavior (`expect(...["x-aimock-context"]).toBe("new-context")` — inbound winning): ``` FAIL src/v2/runtime/__tests__/agent-utils-header-forwarding.test.ts > ... > request forwardable headers override matching pre-existing agent headers AssertionError: expected 'old-context' to be 'new-context' ``` ### GREEN (fix applied) ``` ✓ src/v2/runtime/__tests__/agent-header-precedence.test.ts (2 tests) 2ms ✓ src/v2/runtime/__tests__/agent-utils-header-forwarding.test.ts (8 tests) 3ms Test Files 2 passed (2) Tests 10 passed (10) ``` The colliding test (`agent-utils-header-forwarding.test.ts`) was updated from asserting the old bug to asserting corrected precedence + a new case-insensitive-dedup guard. The non-colliding-forward test is retained unchanged as a regression guard. ## Quality gates ``` NX Successfully ran target check-types for project @copilotkit/runtime NX Successfully ran target test for project @copilotkit/runtime — Test Files 113 passed (113), Tests 1576 passed (1576) ``` --- ## `/connect`-path change — forward-looking plumbing, inert today The original issue and a prior eval flagged the same forwarding pattern at `handlers/sse/connect.ts`. To keep the two paths' merge semantics consistent, the `/connect` path now builds the same server-wins merged headers (via the shared `mergeForwardableHeaders` helper) and passes them into `runner.connect()`. **This is not an active auth fix, and it is not red-green-proven as one — because there is no live bug to fix on the connect path today.** No shipped runner consumes the `headers` field of `AgentRunnerConnectRequest`: the in-memory, intelligence, telemetry, and sqlite runners all destructure only `threadId` from the connect request and ignore `headers` entirely. Connect is a thread replay/reconnect, not a fresh outgoing agent call. So whatever headers we pass into `runner.connect()` are dropped on the floor by every runner that ships. What this change actually does: - Threads the per-request agent clone through `handle-connect.ts → handleSseConnect` so the connect path *has access to* the server-configured `agent.headers` (it previously did not). - Passes `mergeForwardableHeaders(agent?.headers, request)` into `runner.connect()` — the correct, server-wins argument **shape** for a future outbound-connecting runner that *would* consume connect-path headers. - Rewrites the comments/JSDoc on this path to say this plainly, rather than implying an active auth fix. It also documents that the connect-site `cloneAgentForRequest` call is the sole `agentId`-existence guard (the intelligence branch never re-validates the id), and documents `cloneAgentForRequest`'s `AbstractAgent | Response` (404) dual-return contract that both callers depend on. The real outbound header forwarding — the thing that fixes CopilotKit#5712 — is the `/run` path's `agent.headers` mutation described above. The connect change is staged plumbing so that if/when a runner starts honoring connect-path headers, it inherits the same server-wins precedence without a second fix. ### Tests on the `/connect` path The connect tests assert the *merge shape* that reaches `runner.connect()` (server value wins on collision, exactly one `authorization` key, non-colliding `x-*` still forwards) and that the agent-undefined case (no server `agent.headers`) degrades to forwarding allowlisted inbound headers only and does not crash. These verify the argument we construct is correctly shaped — not that any shipped runner consumes it. ## Files - `packages/runtime/src/v2/runtime/handlers/header-utils.ts` — shared `mergeForwardableHeaders` helper (case-insensitive, server-wins). - `packages/runtime/src/v2/runtime/handlers/shared/agent-utils.ts` — `/run` path uses the helper so server headers win on collision (**the real fix**). - `packages/runtime/src/v2/runtime/handlers/sse/connect.ts` — `/connect` path uses the helper; forward-looking plumbing, inert until a runner consumes connect-path headers. - `packages/runtime/src/v2/runtime/handlers/handle-connect.ts` — threads the per-request agent clone into `handleSseConnect`. - `packages/runtime/src/v2/runtime/__tests__/agent-header-precedence.test.ts` — `/run` regression test exercising the real `configureAgentForRequest` surface with a real `HttpAgent`. - `packages/runtime/src/v2/runtime/__tests__/agent-utils-header-forwarding.test.ts` — updated the test that encoded the old (buggy) precedence; added a case-mismatch dedup guard. - `packages/runtime/src/v2/runtime/handlers/sse/__tests__/sse-connect-agent-id.test.ts` — connect-path merge-shape + agent-undefined coverage. ### Notes - A documented `@ag-ui/client` `HttpAgent` `fetch` workaround already exists for attaching service-to-service auth the runtime can't override (see the issue). This change makes the workaround unnecessary for the `/run` precedence case. - Conservative scope: this is the **precedence flip on `/run`** plus forward-looking connect plumbing. Tightening the default allowlist (dropping hop-by-hop / platform `x-serverless-*`, `x-forwarded-*`, `x-cloud-trace-context`, …) and an opt-out switch — issue suggestions #2/#3 — are intentionally left as a follow-up to keep the security-policy change minimal.
|
Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting |
1 similar comment
|
Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting |
Bumps the npm_and_yarn group with 4 updates in the /showcase/integrations/spring-ai directory: hono, ws, @ai-sdk/provider-utils and dompurify.
Bumps the npm_and_yarn group with 5 updates in the /showcase/integrations/strands directory:
4.12.214.12.278.20.18.21.03.0.224.0.273.4.53.4.111.8.31.8.4Bumps the npm_and_yarn group with 1 update in the /showcase/integrations/strands-typescript directory: @ai-sdk/provider-utils.
Bumps the npm_and_yarn group with 3 updates in the /showcase/scripts directory: esbuild, vite and fast-uri.
Bumps the npm_and_yarn group with 1 update in the /showcase/shell directory: @ai-sdk/provider-utils.
Bumps the npm_and_yarn group with 5 updates in the /showcase/shell-dashboard directory:
15.5.1515.5.187.28.3removed0.27.70.28.18.0.98.1.37.25.07.28.0Bumps the npm_and_yarn group with 4 updates in the /showcase/shell-docs directory: esbuild, vite, dompurify and @opentelemetry/core.
Bumps the npm_and_yarn group with 2 updates in the /showcase/shell-dojo directory: next and esbuild.
Updates
honofrom 4.12.19 to 4.12.27Release notes
Sourced from hono's releases.
... (truncated)
Commits
97c6fe14.12.27aa92177Merge commit from forkcd3f6f7Merge commit from forkd4853a8fix(jsx): make merged context-isolation tests pass tsc type check (#5037)6735feafix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)fab3b13Merge commit from fork9f0dadfci: use npm Staged publishing (#5035)27b79924.12.26d29982cchore: replace arg and glob with Bun native APIs in build script16215d5chore: remove unused devcontainer and gitpod configs (#5029)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.
Updates
wsfrom 8.20.1 to 8.21.0Release notes
Sourced from ws's releases.
Commits
bca91ad[dist] 8.21.02b2abd4[security] Limit retained message parts78eabe2[security] Add latest vulnerability to SECURITY.mdUpdates
@ai-sdk/provider-utilsfrom 3.0.22 to 4.0.27Changelog
Sourced from @ai-sdk/provider-utils's changelog.
... (truncated)
Commits
e3ccdb5Version Packages (#15094)f591416Backport: feat(ai): add toolMetadata for tool specific metdata (#15053)8a46a3cVersion Packages (#14875)7beadf0Backport: feat(mcp): propagate the server name through dynamic tool parts (#1...8e650abVersion Packages (#14824)a727da4backport of chore: ensure consistent import handling and avoid import duplica...77a4e05Version Packages (#14802)a7f3c72Re-enable v6 releases (#14799)426e567Backport: fix: upgrade eventsource-parser to 3.0.8 (#14660)c3a057dVersion Packages (#14153)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for
@ai-sdk/provider-utilssince your current version.Updates
dompurifyfrom 3.4.5 to 3.4.11Release notes
Sourced from dompurify's releases.
Commits
0cae518release: 3.4.11 (#1494)6ee5716release: 3.4.10 (#1478)5210247release: 3.4.9 (#1459)bcdd828release: 3.4.8 (#1439)ca30f07release: 3.4.7 (#1414)bb7739erelease: 3.4.6 (#1394)Updates
honofrom 4.12.21 to 4.12.27Release notes
Sourced from hono's releases.
... (truncated)
Commits
97c6fe14.12.27aa92177Merge commit from forkcd3f6f7Merge commit from forkd4853a8fix(jsx): make merged context-isolation tests pass tsc type check (#5037)6735feafix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)fab3b13Merge commit from fork9f0dadfci: use npm Staged publishing (#5035)27b79924.12.26d29982cchore: replace arg and glob with Bun native APIs in build script16215d5chore: remove unused devcontainer and gitpod configs (#5029)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.
Updates
wsfrom 8.20.1 to 8.21.0Release notes
Sourced from ws's releases.
Commits
bca91ad[dist] 8.21.02b2abd4[security] Limit retained message parts78eabe2[security] Add latest vulnerability to SECURITY.mdUpdates
@ai-sdk/provider-utilsfrom 3.0.22 to 4.0.27Changelog
Sourced from @ai-sdk/provider-utils's changelog.
... (truncated)
Commits
e3ccdb5Version Packages (#15094)f591416Backport: feat(ai): add toolMetadata for tool specific metdata (#15053)8a46a3cVersion Packages (#14875)7beadf0Backport: feat(mcp): propagate the server name through dynamic tool parts (#1...8e650abVersion Packages (#14824)a727da4backport of chore: ensure consistent import handling and avoid import duplica...77a4e05Version Packages (#14802)a7f3c72Re-enable v6 releases (#14799)426e567Backport: fix: upgrade eventsource-parser to 3.0.8 (#14660)c3a057dVersion Packages (#14153)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for
@ai-sdk/provider-utilssince your current version.Updates
dompurifyfrom 3.4.5 to 3.4.11Release notes
Sourced from dompurify's releases.
Commits
0cae518release: 3.4.11 (#1494)6ee5716release: 3.4.10 (#1478)5210247release: 3.4.9 (#1459)bcdd828release: 3.4.8 (#1439)ca30f07release: 3.4.7 (#1414)bb7739erelease: 3.4.6 (#1394)Updates
shell-quotefrom 1.8.3 to 1.8.4Changelog
Sourced from shell-quote's changelog.
Commits
ff166e2v1.8.44378a6e[Fix]quote: validate object-token shapes22ebec0[Dev Deps] update@ljharb/eslint-config,auto-changelog,eslint, `npmig...9f3caa3[Tests] increase coverage3344a04[readme] replace runkit CI badge with shields.io check-runs badge699c511[Dev Deps] update@ljharb/eslint-configUpdates
@ai-sdk/provider-utilsfrom 3.0.22 to 4.0.30Changelog
Sourced from @ai-sdk/provider-utils's changelog.
... (truncated)
Commits
e3ccdb5Version Packages (#15094)f591416Backport: feat(ai): add toolMetadata for tool specific metdata (#15053)8a46a3cVersion Packages (#14875)7beadf0Backport: feat(mcp): propagate the server name through dynamic tool parts (#1...8e650abVersion Packages (#14824)a727da4backport of chore: ensure consistent import handling and avoid import duplica...77a4e05Version Packages (#14802)a7f3c72Re-enable v6 releases (#14799)426e567Backport: fix: upgrade eventsource-parser to 3.0.8 (#14660)c3a057dVersion Packages (#14153)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for
@ai-sdk/provider-utilssince your current version.Updates
esbuildfrom 0.27.7 to 0.28.1Release notes
Sourced from esbuild's releases.
... (truncated)
Changelog
Sourced from esbuild's changelog.
... (truncated)
Commits
bb9db84publish 0.28.1 to npm9ff053esecurity: add integrity checks to the Deno API0a9bf21enforce non-negative size in gzip parsere2a1a71security: forbid\\in local dev server requests83a2cbffix #4482: don't inlineusingdeclarations308ad74fix #4471: renaming of nestedvardeclarationsf013f5ffix some typosaafd6e4chore: fix some minor issues in comments (#4462)15300c3follow up: cjs evaluation fixes1bda0c3fix #4461, fix #4467: esm evaluation fixesUpdates
vitefrom 8.0.9 to 8.1.3Release notes
Sourced from vite's releases.
Changelog
Sourced from vite's changelog.