chore(deps): update all non-major dependencies#6718
Merged
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub. |
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
July 13, 2026 07:49
f6fac9b to
4a6659b
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
July 13, 2026 21:50
4a6659b to
6f6a673
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
July 14, 2026 07:14
6f6a673 to
b499b1c
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
July 14, 2026 15:41
b499b1c to
8d8987e
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
July 14, 2026 20:30
8d8987e to
f676b0d
Compare
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
July 15, 2026 03:40
f676b0d to
a59e18c
Compare
commit: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^4.0.8→^4.0.14^4.0.12→^4.0.19^2.0.7→^2.0.12^4.0.15→^4.0.26^1.7.6→^1.8.0^1.2.114→^1.2.117^1.2.116→^1.2.117^1.2.89→^1.2.90^1.2.64→^1.2.67^0.17.2→^0.18.0^3.13.31→^3.13.32^7.0.15→^7.0.26^10.6.0→^10.7.0^7.4.2→^7.5.0^0.17.2→^0.18.011.10.0→11.13.0^3.9.4→^3.9.5^4.1.9→^4.1.10^3.3.6→^3.3.7^3.3.6→^3.3.7^3.3.6→^3.3.7Release Notes
vercel/ai (@ai-sdk/anthropic)
v4.0.14Compare Source
Patch Changes
4be62c1: fix(provider-utils): validate provider-response URLs ingetFromApigetFromApinow has avalidateUrlflag. It is optional so existing callers keep compiling (omitting it behaves likefalse, i.e. no validation), but all AI SDK provider packages set it explicitly at every call site so each one makes a visible trust decision. Whentrue, the URL is routed throughfetchWithValidatedRedirects— the same guard used bydownloadBlob— which rejects private/loopback/link-local targets, re-validates every redirect hop, strips proxy/metadata/cookie request headers, and drops all caller headers except the user-agent on cross-origin redirects (custom API-key headers must not follow a redirect off-origin any more thanAuthorizationmay); blocked URLs throwDownloadError. It is enabled at the image/video/audio download and polling call sites where the URL comes from a provider response body; URLs built from developer-configured endpoints passvalidateUrl: falseand are unaffected.A new optional
credentialedOriginwithholds caller headers unless the URL is same-origin with it, so the API key is not sent to a response-supplied host on a different origin.A new optional
trustedOriginexempts URLs (and redirect hops) that are same-origin with the developer-configured provider endpoint from target validation, so self-hosted and localhost deployments whose response URLs point back at the configured host keep working; all other hops are still validated.Also closes range gaps in
validateDownloadUrl(IPv4224.0.0.0/4multicast and the TEST-NET documentation ranges192.0.2.0/24,198.51.100.0/24,203.0.113.0/24; IPv6 documentation ranges2001:db8::/32and3fff::/20), and follows only the fetch-spec redirect status codes (301/302/303/307/308) — aLocationheader on any other status is not followed. This guard performs string/literal checks only and does not resolve DNS; hostnames that resolve to private addresses and DNS rebinding remain out of scope and must be constrained at the network layer (or by injecting a Nodefetchthat pins the resolved IP at connect time) for server deployments handling untrusted URLs. Seecontributing/secure-url-handling.md.cd12954: Reject empty OpenAI, Anthropic, and Replicate base URLs with a helpful AI SDKinvalid argument error.
Updated dependencies [
4be62c1]Updated dependencies [
7805e4a]Updated dependencies [
cd12954]v4.0.12Compare Source
Patch Changes
308a519: chore: enforce consistent imports fromzod/v4instead ofzodv4.0.11Compare Source
Patch Changes
0f93c57]v4.0.10Compare Source
Patch Changes
ac306ed]v4.0.9Compare Source
Patch Changes
2e45d9c: fix(anthropic): wrap invalid tool input in objectvercel/ai (@ai-sdk/gateway)
v4.0.19Compare Source
Patch Changes
4be62c1: fix(provider-utils): validate provider-response URLs ingetFromApigetFromApinow has avalidateUrlflag. It is optional so existing callers keep compiling (omitting it behaves likefalse, i.e. no validation), but all AI SDK provider packages set it explicitly at every call site so each one makes a visible trust decision. Whentrue, the URL is routed throughfetchWithValidatedRedirects— the same guard used bydownloadBlob— which rejects private/loopback/link-local targets, re-validates every redirect hop, strips proxy/metadata/cookie request headers, and drops all caller headers except the user-agent on cross-origin redirects (custom API-key headers must not follow a redirect off-origin any more thanAuthorizationmay); blocked URLs throwDownloadError. It is enabled at the image/video/audio download and polling call sites where the URL comes from a provider response body; URLs built from developer-configured endpoints passvalidateUrl: falseand are unaffected.A new optional
credentialedOriginwithholds caller headers unless the URL is same-origin with it, so the API key is not sent to a response-supplied host on a different origin.A new optional
trustedOriginexempts URLs (and redirect hops) that are same-origin with the developer-configured provider endpoint from target validation, so self-hosted and localhost deployments whose response URLs point back at the configured host keep working; all other hops are still validated.Also closes range gaps in
validateDownloadUrl(IPv4224.0.0.0/4multicast and the TEST-NET documentation ranges192.0.2.0/24,198.51.100.0/24,203.0.113.0/24; IPv6 documentation ranges2001:db8::/32and3fff::/20), and follows only the fetch-spec redirect status codes (301/302/303/307/308) — aLocationheader on any other status is not followed. This guard performs string/literal checks only and does not resolve DNS; hostnames that resolve to private addresses and DNS rebinding remain out of scope and must be constrained at the network layer (or by injecting a Nodefetchthat pins the resolved IP at connect time) for server deployments handling untrusted URLs. Seecontributing/secure-url-handling.md.f8e82fd: Add experimental streaming transcription support to the gateway provider (GatewayTranscriptionModel.doStream), speaking the shared transcription-stream WebSocket envelope from@ai-sdk/provider-utils.experimental_streamTranscribenow works with gateway string model IDs, e.g.experimental_streamTranscribe({ model: 'openai/gpt-realtime-whisper', ... }).Updated dependencies [
4be62c1]Updated dependencies [
7805e4a]Updated dependencies [
cd12954]v4.0.17Compare Source
Patch Changes
867f80a: chore(provider/gateway): update gateway model settings filesv4.0.16Compare Source
Patch Changes
308a519: chore: enforce consistent imports fromzod/v4instead ofzod7fe53d2: chore(provider/gateway): update gateway model settings filesv4.0.15Compare Source
Patch Changes
e12411e: chore(provider/gateway): update gateway model settings files5d894a7: feat(gateway): expose ruleId on GatewayForbiddenError so callers can identify which routing rule denied a requestfdb6d5d: feat(provider/openai,provider/gateway): add gpt-5.6 model idsd25a084: feat (provider/xai): add grok-4.5 model id0f93c57]v4.0.14Compare Source
Patch Changes
ac306ed]v4.0.13Compare Source
Patch Changes
cad8227: chore(provider/gateway): update gateway model settings filesvercel/ai (@ai-sdk/mcp)
v2.0.12Compare Source
Patch Changes
4be62c1]7805e4a]cd12954]v2.0.10Compare Source
Patch Changes
0f93c57]v2.0.9Compare Source
Patch Changes
ac306ed]v2.0.8Compare Source
Patch Changes
3e6e955: Reject in-flight MCP requests when their abort signal fires and remove the pending response handler.eebd14b: Prevent streamable HTTP MCP background SSE disconnects from surfacing as unhandled promise rejections.vercel/ai (@ai-sdk/vue)
v4.0.26Compare Source
Patch Changes
27d294d]v4.0.25Compare Source
Patch Changes
4be62c1]7805e4a]7805e4a]f8e82fd]cd12954]v4.0.23Compare Source
Patch Changes
930f949]v4.0.22Compare Source
Patch Changes
8f89c25]v4.0.21Compare Source
Patch Changes
308a519]v4.0.20Compare Source
Patch Changes
b9ac19f]a4186d6]v4.0.19Compare Source
Patch Changes
be7f05a]ee55a07]aad737d]0f93c57]v4.0.18Compare Source
Patch Changes
0363440: PromoteuseObject(React, Vue) andStructuredObject(Svelte) to stable exports, with deprecated experimental aliases for backwards compatibility.ac306ed]v4.0.17Compare Source
Patch Changes
v4.0.16Compare Source
Patch Changes
a8f9b6d]floating-ui/floating-ui (@floating-ui/dom)
v1.8.0Compare Source
Minor Changes
'layoutViewport'string option torootBoundary. Unlike the visual'viewport'boundary, it remains stable while pinch-zooming or when a mobile software keyboard is open, and unlike a manually passedRectof the documentElement's client size, it accounts for space reserved byscrollbar-gutter: stable.Patch Changes
undefinedfor optional properties withexactOptionalPropertyTypeslayoutShiftrefresh throttle when the reference moved during an observer refreshscrollbar-gutter: stable both-edgesreserved spacegetClientRectswhen a virtual element without agetClientRectsmethod is used with theinline()middleware@floating-ui/core@1.8.0,@floating-ui/utils@0.2.12nuxt-modules/mcp-toolkit (@nuxtjs/mcp-toolkit)
v0.18.0Compare Source
What's Changed
Features 🚀
Bug Fixes 🐞
Dependency Updates 📦
Full Changelog: https://github.com/nuxt-modules/mcp-toolkit/compare/@nuxtjs/mcp-toolkit@0.17.2...@nuxtjs/mcp-toolkit@0.18.0
TanStack/virtual (@tanstack/vue-virtual)
v3.13.32Compare Source
Patch Changes
6cbecd8,d49cc52,cf7834d]:vercel/ai (ai)
v7.0.26Compare Source
Patch Changes
27d294d: feat(ai): group orphaned tool calls after tool approvals under parent spanv7.0.25Compare Source
Patch Changes
7805e4a: Cancelling theexperimental_streamTranscribefullStreamnow also aborts a still-pendingdoStreamsetup, so a model whosedoStreamhas not yet resolved is cancelled instead of leaking.f8e82fd: Update theexperimental_streamTranscribeunsupported-model error message now that gateway string model IDs can support streaming transcription.4be62c1]f8e82fd]7805e4a]cd12954]v7.0.23Compare Source
Patch Changes
930f949: feat(ai): wrap embedMany in tracing channel context867f80a]v7.0.22Compare Source
Patch Changes
8f89c25: Add the Cartesia provider with Sonic 3.5 speech generation, Ink-Whisper batch transcription, and Ink 2 realtime transcription support.v7.0.21Compare Source
Patch Changes
308a519: chore: enforce consistent imports fromzod/v4instead ofzod308a519]7fe53d2]v7.0.20Compare Source
Patch Changes
b9ac19f: Flush compressed Node.js response chunks as they are piped so UI message and text streams remain incremental in Express and Next.js.a4186d6: Promote therepairToolCalloption to stable, with a deprecatedexperimental_repairToolCallalias for backwards compatibility.v7.0.19Compare Source
Patch Changes
be7f05a: AddfingerprintToolsanddetectToolDriftto detect MCP tool-definition drift ("rug pull"). Pin a tool set's server-controlled fields (string description, input schema, title) at trust time withfingerprintTools, then diff later fetches withdetectToolDriftto catch injected descriptions or widened schemas before passing tools to the model. Baseline storage and the drift response remain the app's responsibility.ee55a07: Preserve tool approval signatures when approvals transition to responded.aad737d: Use own-property checks when resolving per-tool approvals so tool names and approval ids that match inherited object properties (e.g.constructor,toString,valueOf,__proto__) are treated as unconfigured/absent.@ai-sdk/policy-opa:wrapMcpToolsbuilds its per-tool map with a null prototype and reads supplied approvals via an own-property check, andshadowguards its per-tool map lookup the same way.ai: tool and tool-context lookups keyed by a model- or client-supplied name now go through an own-property check (getOwn), so a name matching an inherited object property resolves to "no such tool"/"unconfigured" instead of a prototype value. This covers the approval path (per-tool approval resolution and replay re-validation) as well as tool-call parsing, execution, streaming callbacks, and UI message conversion/validation. The human-in-the-loop approval matching (collectToolApprovals) and streaming tool-name maps are built with a null prototype so a client-supplied id that matches an inherited property no longer slips past the "unknown approval" / "tool call not found" guards.0f93c57: feat (video): support video (not just image) reference inputs ininputReferencesfor reference-to-video generationUpdated dependencies [
e12411e]Updated dependencies [
5d894a7]Updated dependencies [
fdb6d5d]Updated dependencies [
0f93c57]Updated dependencies [
d25a084]v7.0.18Compare Source
Patch Changes
ac306ed]v7.0.17Compare Source
Patch Changes
cad8227]v7.0.16Compare Source
Patch Changes
a8f9b6d: Preserve signed tool approval metadata when recording approval responses.eslint/eslint (eslint)
v10.7.0Compare Source
Features
cf2a9bffeat: add errorClassNames option to preserve-caught-error rule (#21032) (sethamus)f8b873afeat: max-nested-callbacks option for constructor callbacks (#21063) (fnx)557fde8feat: support computedNumber.parseIntmember access inradixrule (#21041) (Pixel)0b4a73bfeat: add suggestions to no-compare-neg-zero (#21034) (den$)96cdd42feat: report invalid signed numeric radix values inradixrule (#21030) (Pixel)Bug Fixes
3e7bf15fix: applyignoreClassesWithImplementsto class expressions (#21069) (Pixel)0d7d70cfix: insert cause outside wrapping parens in preserve-caught-error (#21062) (Mahin Anowar)75ec753fix: handle static template literals ineqeqeqrule (#21058) (Pixel)b717a22fix: preventeqeqeqnull option from reporting non-equality operators (#21057) (Pixel)e35b05ffix: avoidno-invalid-regexpfalse positive for shadowed RegExp (#21051) (Pixel)a3172b6fix: avoidno-control-regexfalse positive for shadowed RegExp (#21050) (Pixel)d1f637efix: parenthesize sequence expression operands in no-implicit-coercion (#21045) (spokodev)8859baffix: avoid prefer-numeric-literals false positive for shadowed globals (#21047) (한국)a9e5961fix: use-isnan false positive on shadowed NaN/Number (#20958) (sethamus)8a240a7fix: avoid false positives inradixrule for spread arguments (#21044) (Pixel)Documentation
c30d808docs: Update README (GitHub Actions Bot)5139800docs: document ESLint migration codemods in v9 and v10 guides (#20980) (Alex Bit)04174cbdocs: Update README (GitHub Actions Bot)026e130docs: update semver policy for bug fixes (#21048) (Milos Djermanovic)9d42fefdocs: Update README (GitHub Actions Bot)b230159docs: Update README (GitHub Actions Bot)0129972docs: correct**/.jsglob to**/*.jsin config files guide (#21036) (EduardF1)Chores
9489379chore: update dependency @eslint/eslintrc to ^3.3.6 (#21076) (renovate[bot])81a4774chore: updates for v9.39.5 release (Jenkins)9835414chore: enable$ExpectTypeannotations in all TypeScript files (#21071) (Francesco Trotta)72adf6bchore: restrictmarkdownlint-cli2updates in renovate (#21067) (lumir)833ec10chore: update dependency prettier to v3.9.4 (#21061) (renovate[bot])7ea106dchore: update ecosystem plugins (#21059) (ESLint Bot)8fb550echore: add prettier update commit to.git-blame-ignore-revs(#21056) (lumir)e4e1166chore: update dependency prettier to v3.9.1 (#21055) (renovate[bot])0493f53chore: update prettier to v3.9.0 (#21054) (Pixel)1056a99chore: update dependency prettier to v3.8.5 (#21049) (renovate[bot])4d4155dci: run ecosystem tests on pull requests (#21027) (sethamus)993539fchore: update dependency @eslint/json to ^2.0.1 (#21042) (renovate[bot])53f8b69test: add error locations tono-constant-binary-expression(#21039) (lumir)5ab71d5refactor: clean up radix rule internals (#21015) (Pixel)a80a9a4chore: update ecosystem plugins (#21035) (ESLint Bot)7c9a029ci: add Node.js 26 to CI (#20847) (lumir)krisk/Fuse (fuse.js)
v7.5.0Compare Source
Every change in this release is a bug fix, but each one corrects a scoring or ranking bug. Scores and result ordering will shift for some queries. That is why this ships as a minor rather than a patch: the public API is unchanged and upgrading is a drop-in, but the results you get back can differ, and that should not arrive silently in a patch bump.
If you assert on exact
scorevalues or on a specific result order, expect those assertions to need updating. Re-baseline them against 7.5.0 rather than pinning to 7.4.x, since the 7.4.x behavior was wrong in the cases below.\t,\n, or\rnow score differently (#830).1were applied unnormalised, skewing the relative influence of each key. If yourkeysweights do not already sum to1, your relative ranking changes (#833).limitnow returns the correct top-N when scores tie. A tie at the cutoff boundary could evict a result that should have been kept, solimitcould return the wrong items, not merely the right items in a different order (#835).minMatchCharLengthin the exact-match shortcut. Matches shorter thanminMatchCharLengthwere still reported via the exact-match fast path, so thematchesarray could contain entries it was configured to exclude (#831).Bug Fixes
7.4.2 (2026-06-05)
Bug Fixes
7.4.1 (2026-06-02)
Bug Fixes
nuxt-content/nuxt-component-meta (nuxt-component-meta)
v0.18.0Compare Source
🚀 Features
pnpm/pnpm (pnpm)
v11.13.0Compare Source
Minor Changes
Added
versioning.epicstopnpm-workspace.yaml. An epic ties a group of member packages to a lead package, constraining every member's major version to a band derived from the lead's major: while the lead is on majorM, members live inM*100 … M*100+99. Members move independently inside the band (patch, minor, and amajorintent that stays in-band); a bump that would carry a member past the band ceiling is rejected until the lead advances its own major. When a release plan takes the lead to a new stable major, every member re-bases to the band floor in the same plan. Membership is matched with pnpm's package selectors — name globs,./-prefixed directory globs, and!-prefixed negations.Added the
teamcommand for managing organization teams and team memberships on the registry, with create, destroy, add, rm, and ls subcommands and support for --otp, --parseable, and --json flags.Added native workspace release management #12952: the new
pnpm changecommand records change intents as changesets-compatible.changeset/*.mdfiles (pnpm change statusshows the pending release plan), and the barepnpm version -rconsumes them — bumping versions across the workspace with dependent propagation throughworkspace:ranges, fixed groups, amaxBumpcap,--filternarrowing, and `--dry-Configuration
📅 Schedule: (in timezone Europe/Paris)
* 6-9 * * 1)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.