Skip to content

chore(deps): update all non-major dependencies#6718

Merged
benjamincanac merged 1 commit into
v4from
renovate/all-minor-patch
Jul 15, 2026
Merged

chore(deps): update all non-major dependencies#6718
benjamincanac merged 1 commit into
v4from
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@ai-sdk/anthropic (source) ^4.0.8^4.0.14 age confidence
@ai-sdk/gateway (source) ^4.0.12^4.0.19 age confidence
@ai-sdk/mcp (source) ^2.0.7^2.0.12 age confidence
@ai-sdk/vue (source) ^4.0.15^4.0.26 age confidence
@floating-ui/dom (source) ^1.7.6^1.8.0 age confidence
@iconify-json/lucide ^1.2.114^1.2.117 age confidence
@iconify-json/lucide ^1.2.116^1.2.117 age confidence
@iconify-json/simple-icons ^1.2.89^1.2.90 age confidence
@iconify-json/vscode-icons ^1.2.64^1.2.67 age confidence
@nuxtjs/mcp-toolkit (source) ^0.17.2^0.18.0 age confidence
@tanstack/vue-virtual (source) ^3.13.31^3.13.32 age confidence
ai (source) ^7.0.15^7.0.26 age confidence
eslint (source) ^10.6.0^10.7.0 age confidence
fuse.js (source) ^7.4.2^7.5.0 age confidence
nuxt-component-meta ^0.17.2^0.18.0 age confidence
pnpm (source) 11.10.011.13.0 age confidence
prettier (source) ^3.9.4^3.9.5 age confidence
vitest (source) ^4.1.9^4.1.10 age confidence
vue-component-meta (source) ^3.3.6^3.3.7 age confidence
vue-component-type-helpers (source) ^3.3.6^3.3.7 age confidence
vue-tsc (source) ^3.3.6^3.3.7 age confidence

Release Notes

vercel/ai (@​ai-sdk/anthropic)

v4.0.14

Compare Source

Patch Changes
  • 4be62c1: fix(provider-utils): validate provider-response URLs in getFromApi

    getFromApi now has a validateUrl flag. It is optional so existing callers keep compiling (omitting it behaves like false, i.e. no validation), but all AI SDK provider packages set it explicitly at every call site so each one makes a visible trust decision. When true, the URL is routed through fetchWithValidatedRedirects — the same guard used by downloadBlob — which rejects private/loopback/link-local targets, re-validates every redirect hop, strips proxy/metadata/cookie request headers, and drops all caller headers except the user-agent on cross-origin redirects (custom API-key headers must not follow a redirect off-origin any more than Authorization may); blocked URLs throw DownloadError. It is enabled at the image/video/audio download and polling call sites where the URL comes from a provider response body; URLs built from developer-configured endpoints pass validateUrl: false and are unaffected.

    A new optional credentialedOrigin withholds caller headers unless the URL is same-origin with it, so the API key is not sent to a response-supplied host on a different origin.

    A new optional trustedOrigin exempts URLs (and redirect hops) that are same-origin with the developer-configured provider endpoint from target validation, so self-hosted and localhost deployments whose response URLs point back at the configured host keep working; all other hops are still validated.

    Also closes range gaps in validateDownloadUrl (IPv4 224.0.0.0/4 multicast and the TEST-NET documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24; IPv6 documentation ranges 2001:db8::/32 and 3fff::/20), and follows only the fetch-spec redirect status codes (301/302/303/307/308) — a Location header on any other status is not followed. This guard performs string/literal checks only and does not resolve DNS; hostnames that resolve to private addresses and DNS rebinding remain out of scope and must be constrained at the network layer (or by injecting a Node fetch that pins the resolved IP at connect time) for server deployments handling untrusted URLs. See contributing/secure-url-handling.md.

  • cd12954: Reject empty OpenAI, Anthropic, and Replicate base URLs with a helpful AI SDK
    invalid argument error.

  • Updated dependencies [4be62c1]

  • Updated dependencies [7805e4a]

  • Updated dependencies [cd12954]

v4.0.12

Compare Source

Patch Changes
  • 308a519: chore: enforce consistent imports from zod/v4 instead of zod

v4.0.11

Compare Source

Patch Changes

v4.0.10

Compare Source

Patch Changes

v4.0.9

Compare Source

Patch Changes
  • 2e45d9c: fix(anthropic): wrap invalid tool input in object
vercel/ai (@​ai-sdk/gateway)

v4.0.19

Compare Source

Patch Changes
  • 4be62c1: fix(provider-utils): validate provider-response URLs in getFromApi

    getFromApi now has a validateUrl flag. It is optional so existing callers keep compiling (omitting it behaves like false, i.e. no validation), but all AI SDK provider packages set it explicitly at every call site so each one makes a visible trust decision. When true, the URL is routed through fetchWithValidatedRedirects — the same guard used by downloadBlob — which rejects private/loopback/link-local targets, re-validates every redirect hop, strips proxy/metadata/cookie request headers, and drops all caller headers except the user-agent on cross-origin redirects (custom API-key headers must not follow a redirect off-origin any more than Authorization may); blocked URLs throw DownloadError. It is enabled at the image/video/audio download and polling call sites where the URL comes from a provider response body; URLs built from developer-configured endpoints pass validateUrl: false and are unaffected.

    A new optional credentialedOrigin withholds caller headers unless the URL is same-origin with it, so the API key is not sent to a response-supplied host on a different origin.

    A new optional trustedOrigin exempts URLs (and redirect hops) that are same-origin with the developer-configured provider endpoint from target validation, so self-hosted and localhost deployments whose response URLs point back at the configured host keep working; all other hops are still validated.

    Also closes range gaps in validateDownloadUrl (IPv4 224.0.0.0/4 multicast and the TEST-NET documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24; IPv6 documentation ranges 2001:db8::/32 and 3fff::/20), and follows only the fetch-spec redirect status codes (301/302/303/307/308) — a Location header on any other status is not followed. This guard performs string/literal checks only and does not resolve DNS; hostnames that resolve to private addresses and DNS rebinding remain out of scope and must be constrained at the network layer (or by injecting a Node fetch that pins the resolved IP at connect time) for server deployments handling untrusted URLs. See contributing/secure-url-handling.md.

  • f8e82fd: Add experimental streaming transcription support to the gateway provider (GatewayTranscriptionModel.doStream), speaking the shared transcription-stream WebSocket envelope from @ai-sdk/provider-utils. experimental_streamTranscribe now works with gateway string model IDs, e.g. experimental_streamTranscribe({ model: 'openai/gpt-realtime-whisper', ... }).

  • Updated dependencies [4be62c1]

  • Updated dependencies [7805e4a]

  • Updated dependencies [cd12954]

v4.0.17

Compare Source

Patch Changes
  • 867f80a: chore(provider/gateway): update gateway model settings files

v4.0.16

Compare Source

Patch Changes
  • 308a519: chore: enforce consistent imports from zod/v4 instead of zod
  • 7fe53d2: chore(provider/gateway): update gateway model settings files

v4.0.15

Compare Source

Patch Changes
  • e12411e: chore(provider/gateway): update gateway model settings files
  • 5d894a7: feat(gateway): expose ruleId on GatewayForbiddenError so callers can identify which routing rule denied a request
  • fdb6d5d: feat(provider/openai,provider/gateway): add gpt-5.6 model ids
  • d25a084: feat (provider/xai): add grok-4.5 model id
  • Updated dependencies [0f93c57]

v4.0.14

Compare Source

Patch Changes

v4.0.13

Compare Source

Patch Changes
  • cad8227: chore(provider/gateway): update gateway model settings files
vercel/ai (@​ai-sdk/mcp)

v2.0.12

Compare Source

Patch Changes

v2.0.10

Compare Source

Patch Changes

v2.0.9

Compare Source

Patch Changes

v2.0.8

Compare Source

Patch Changes
  • 3e6e955: Reject in-flight MCP requests when their abort signal fires and remove the pending response handler.
  • eebd14b: Prevent streamable HTTP MCP background SSE disconnects from surfacing as unhandled promise rejections.
vercel/ai (@​ai-sdk/vue)

v4.0.26

Compare Source

Patch Changes
  • Updated dependencies [27d294d]
    • ai@​7.0.26

v4.0.25

Compare Source

Patch Changes

v4.0.23

Compare Source

Patch Changes
  • Updated dependencies [930f949]
    • ai@​7.0.23

v4.0.22

Compare Source

Patch Changes
  • Updated dependencies [8f89c25]
    • ai@​7.0.22

v4.0.21

Compare Source

Patch Changes
  • Updated dependencies [308a519]
    • ai@​7.0.21

v4.0.20

Compare Source

Patch Changes
  • Updated dependencies [b9ac19f]
  • Updated dependencies [a4186d6]
    • ai@​7.0.20

v4.0.19

Compare Source

Patch Changes

v4.0.18

Compare Source

Patch Changes
  • 0363440: Promote useObject (React, Vue) and StructuredObject (Svelte) to stable exports, with deprecated experimental aliases for backwards compatibility.
  • Updated dependencies [ac306ed]

v4.0.17

Compare Source

Patch Changes
  • ai@​7.0.17

v4.0.16

Compare Source

Patch Changes
  • Updated dependencies [a8f9b6d]
    • ai@​7.0.16
floating-ui/floating-ui (@​floating-ui/dom)

v1.8.0

Compare Source

Minor Changes
  • feat: add 'layoutViewport' string option to rootBoundary. Unlike the visual 'viewport' boundary, it remains stable while pinch-zooming or when a mobile software keyboard is open, and unlike a manually passed Rect of the documentElement's client size, it accounts for space reserved by scrollbar-gutter: stable.
Patch Changes
  • fix: remove redundant passive options from scroll listeners
  • fix: support explicit undefined for optional properties with exactOptionalPropertyTypes
  • fix(autoUpdate): update immediately instead of waiting for the 1s layoutShift refresh throttle when the reference moved during an observer refresh
  • fix(getClippingRect): correct clipping-ancestor filtering for fixed-position elements
  • perf(dom): reduce bundle size and skip redundant per-call work in positioning utilities
  • fix(getViewportRect): account for scrollbar-gutter: stable both-edges reserved space
  • fix(getViewportRect): don't overflow past a left-side document scrollbar
  • fix(platform): don't throw in getClientRects when a virtual element without a getClientRects method is used with the inline() middleware
  • fix(autoUpdate): refresh layout shift observer on root resize
  • Update dependencies: @floating-ui/core@1.8.0, @floating-ui/utils@0.2.12
nuxt-modules/mcp-toolkit (@​nuxtjs/mcp-toolkit)

v0.18.0

Compare Source

What's Changed

Features 🚀
Bug Fixes 🐞
Dependency Updates 📦

Full Changelog: https://github.com/nuxt-modules/mcp-toolkit/compare/@nuxtjs/mcp-toolkit@0.17.2...@​nuxtjs/mcp-toolkit@0.18.0

TanStack/virtual (@​tanstack/vue-virtual)

v3.13.32

Compare Source

Patch Changes
vercel/ai (ai)

v7.0.26

Compare Source

Patch Changes
  • 27d294d: feat(ai): group orphaned tool calls after tool approvals under parent span

v7.0.25

Compare Source

Patch Changes
  • 7805e4a: Cancelling the experimental_streamTranscribe fullStream now also aborts a still-pending doStream setup, so a model whose doStream has not yet resolved is cancelled instead of leaking.
  • f8e82fd: Update the experimental_streamTranscribe unsupported-model error message now that gateway string model IDs can support streaming transcription.
  • Updated dependencies [4be62c1]
  • Updated dependencies [f8e82fd]
  • Updated dependencies [7805e4a]
  • Updated dependencies [cd12954]

v7.0.23

Compare Source

Patch Changes

v7.0.22

Compare Source

Patch Changes
  • 8f89c25: Add the Cartesia provider with Sonic 3.5 speech generation, Ink-Whisper batch transcription, and Ink 2 realtime transcription support.

v7.0.21

Compare Source

Patch Changes

v7.0.20

Compare Source

Patch Changes
  • b9ac19f: Flush compressed Node.js response chunks as they are piped so UI message and text streams remain incremental in Express and Next.js.
  • a4186d6: Promote the repairToolCall option to stable, with a deprecated experimental_repairToolCall alias for backwards compatibility.

v7.0.19

Compare Source

Patch Changes
  • be7f05a: Add fingerprintTools and detectToolDrift to detect MCP tool-definition drift ("rug pull"). Pin a tool set's server-controlled fields (string description, input schema, title) at trust time with fingerprintTools, then diff later fetches with detectToolDrift to catch injected descriptions or widened schemas before passing tools to the model. Baseline storage and the drift response remain the app's responsibility.

  • ee55a07: Preserve tool approval signatures when approvals transition to responded.

  • aad737d: Use own-property checks when resolving per-tool approvals so tool names and approval ids that match inherited object properties (e.g. constructor, toString, valueOf, __proto__) are treated as unconfigured/absent.

    • @ai-sdk/policy-opa: wrapMcpTools builds its per-tool map with a null prototype and reads supplied approvals via an own-property check, and shadow guards its per-tool map lookup the same way.
    • ai: tool and tool-context lookups keyed by a model- or client-supplied name now go through an own-property check (getOwn), so a name matching an inherited object property resolves to "no such tool"/"unconfigured" instead of a prototype value. This covers the approval path (per-tool approval resolution and replay re-validation) as well as tool-call parsing, execution, streaming callbacks, and UI message conversion/validation. The human-in-the-loop approval matching (collectToolApprovals) and streaming tool-name maps are built with a null prototype so a client-supplied id that matches an inherited property no longer slips past the "unknown approval" / "tool call not found" guards.
  • 0f93c57: feat (video): support video (not just image) reference inputs in inputReferences for reference-to-video generation

  • Updated dependencies [e12411e]

  • Updated dependencies [5d894a7]

  • Updated dependencies [fdb6d5d]

  • Updated dependencies [0f93c57]

  • Updated dependencies [d25a084]

v7.0.18

Compare Source

Patch Changes

v7.0.17

Compare Source

Patch Changes

v7.0.16

Compare Source

Patch Changes
  • a8f9b6d: Preserve signed tool approval metadata when recording approval responses.
eslint/eslint (eslint)

v10.7.0

Compare Source

Features

  • cf2a9bf feat: add errorClassNames option to preserve-caught-error rule (#​21032) (sethamus)
  • f8b873a feat: max-nested-callbacks option for constructor callbacks (#​21063) (fnx)
  • 557fde8 feat: support computed Number.parseInt member access in radix rule (#​21041) (Pixel)
  • 0b4a73b feat: add suggestions to no-compare-neg-zero (#​21034) (den$)
  • 96cdd42 feat: report invalid signed numeric radix values in radix rule (#​21030) (Pixel)

Bug Fixes

  • 3e7bf15 fix: apply ignoreClassesWithImplements to class expressions (#​21069) (Pixel)
  • 0d7d70c fix: insert cause outside wrapping parens in preserve-caught-error (#​21062) (Mahin Anowar)
  • 75ec753 fix: handle static template literals in eqeqeq rule (#​21058) (Pixel)
  • b717a22 fix: prevent eqeqeq null option from reporting non-equality operators (#​21057) (Pixel)
  • e35b05f fix: avoid no-invalid-regexp false positive for shadowed RegExp (#​21051) (Pixel)
  • a3172b6 fix: avoid no-control-regex false positive for shadowed RegExp (#​21050) (Pixel)
  • d1f637e fix: parenthesize sequence expression operands in no-implicit-coercion (#​21045) (spokodev)
  • 8859baf fix: avoid prefer-numeric-literals false positive for shadowed globals (#​21047) (한국)
  • a9e5961 fix: use-isnan false positive on shadowed NaN/Number (#​20958) (sethamus)
  • 8a240a7 fix: avoid false positives in radix rule for spread arguments (#​21044) (Pixel)

Documentation

  • c30d808 docs: Update README (GitHub Actions Bot)
  • 5139800 docs: document ESLint migration codemods in v9 and v10 guides (#​20980) (Alex Bit)
  • 04174cb docs: Update README (GitHub Actions Bot)
  • 026e130 docs: update semver policy for bug fixes (#​21048) (Milos Djermanovic)
  • 9d42fef docs: Update README (GitHub Actions Bot)
  • b230159 docs: Update README (GitHub Actions Bot)
  • 0129972 docs: correct **/.js glob to **/*.js in config files guide (#​21036) (EduardF1)

Chores

krisk/Fuse (fuse.js)

v7.5.0

Compare Source

⚠️ Behavior changes

Every change in this release is a bug fix, but each one corrects a scoring or ranking bug. Scores and result ordering will shift for some queries. That is why this ships as a minor rather than a patch: the public API is unchanged and upgrading is a drop-in, but the results you get back can differ, and that should not arrive silently in a patch bump.

If you assert on exact score values or on a specific result order, expect those assertions to need updating. Re-baseline them against 7.5.0 rather than pinning to 7.4.x, since the 7.4.x behavior was wrong in the cases below.

  • Field-length normalisation now counts words correctly. Tabs and newlines were not treated as word separators, so a multi-line or tab-delimited field was scored as though it were one long word, making it look far shorter than it is. Fields containing \t, \n, or \r now score differently (#​830).
  • Key weights are now normalised in object and keyless-logical search. Weights that did not sum to 1 were applied unnormalised, skewing the relative influence of each key. If your keys weights do not already sum to 1, your relative ranking changes (#​833).
  • limit now returns the correct top-N when scores tie. A tie at the cutoff boundary could evict a result that should have been kept, so limit could return the wrong items, not merely the right items in a different order (#​835).
  • Bitap respects minMatchCharLength in the exact-match shortcut. Matches shorter than minMatchCharLength were still reported via the exact-match fast path, so the matches array could contain entries it was configured to exclude (#​831).
Bug Fixes
  • bitap: respect minMatchCharLength in exact-match shortcut (dbb98b6), closes #​831
  • fieldNorm: count tabs and newlines as word separators (6fe85b0), closes #​830
  • fieldNorm: count word-starts instead of space transitions (2946f97)
  • scoring: normalise key weights in object and keyless-logical search (e164b61), closes #​833
  • search: keep the correct top-N under limit when scores tie (437f8f3), closes #​835, thanks @​spokodev for the report and the fix
7.4.2 (2026-06-05)
Bug Fixes
  • types: emit CommonJS declarations (.d.cts) for node16/nodenext (#​780) (33f5d29)
7.4.1 (2026-06-02)
Bug Fixes
  • types: add TypeScript declarations for fuse.js/worker-script (6ef6c33), closes #​828
  • types: ship TypeScript declarations for fuse.js/worker (572ad1e), closes #​828
nuxt-content/nuxt-component-meta (nuxt-component-meta)

v0.18.0

Compare Source

🚀 Features
pnpm/pnpm (pnpm)

v11.13.0

Compare Source

Minor Changes
  • Added versioning.epics to pnpm-workspace.yaml. An epic ties a group of member packages to a lead package, constraining every member's major version to a band derived from the lead's major: while the lead is on major M, members live in M*100 … M*100+99. Members move independently inside the band (patch, minor, and a major intent that stays in-band); a bump that would carry a member past the band ceiling is rejected until the lead advances its own major. When a release plan takes the lead to a new stable major, every member re-bases to the band floor in the same plan. Membership is matched with pnpm's package selectors — name globs, ./-prefixed directory globs, and !-prefixed negations.

  • Added the team command for managing organization teams and team memberships on the registry, with create, destroy, add, rm, and ls subcommands and support for --otp, --parseable, and --json flags.

  • Added native workspace release management #​12952: the new pnpm change command records change intents as changesets-compatible .changeset/*.md files (pnpm change status shows the pending release plan), and the bare pnpm version -r consumes them — bumping versions across the workspace with dependent propagation through workspace: ranges, fixed groups, a maxBump cap, --filter narrowing, and `--dry-

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Europe/Paris)

  • Branch creation
    • Between 06:00 AM and 09:59 AM, only on Monday (* 6-9 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot requested a review from benjamincanac as a code owner July 13, 2026 05:16
@github-actions github-actions Bot added the v4 #4488 label Jul 13, 2026
@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from f676b0d to a59e18c Compare July 15, 2026 03:40
@pkg-pr-new

pkg-pr-new Bot commented Jul 15, 2026

Copy link
Copy Markdown
npm i https://pkg.pr.new/@nuxt/ui@6718

commit: a59e18c

@benjamincanac
benjamincanac merged commit c8e810c into v4 Jul 15, 2026
24 checks passed
@benjamincanac
benjamincanac deleted the renovate/all-minor-patch branch July 15, 2026 07:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v4 #4488

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant