chore(deps)(deps): bump the production-dependencies group across 1 directory with 73 updates

[dependabot]

Bumps the production-dependencies group with 60 updates in the / directory:

Package	From	To
ajv	8.18.0	8.20.0
cosmiconfig	9.0.0	9.0.2
handlebars	4.7.8	4.7.9
js-yaml	4.1.1	4.2.0
@anthropic-ai/claude-code	2.1.50	2.1.177
@babel/code-frame	7.29.0	7.29.7
@babel/runtime	7.28.6	7.29.7
@borewit/text-codec	0.2.1	0.2.2
@google/genai	1.42.0	1.52.0
@hono/node-server	1.19.9	1.19.14
@modelcontextprotocol/sdk	1.26.0	1.29.0
@protobufjs/codegen	2.0.4	2.0.5
@protobufjs/eventemitter	1.1.0	1.1.1
@protobufjs/fetch	1.1.0	1.1.1
@protobufjs/inquire	1.1.0	1.1.2
@protobufjs/utf8	1.1.0	1.1.1
@supabase/supabase-js	2.97.0	2.108.2
fastmcp	3.33.0	3.35.0
axios	1.13.5	1.18.0
b4a	1.8.0	1.8.1
bare-events	2.8.2	2.9.1
bare-fs	4.5.4	4.7.2
bare-os	3.6.2	3.9.1
bare-path	3.0.0	3.0.1
bare-stream	2.8.0	2.13.3
bare-url	2.3.2	2.4.5
es-object-atoms	1.1.1	1.1.2
eventsource-parser	3.0.6	3.1.0
express-rate-limit	8.2.1	8.5.2
fast-uri	3.1.0	3.1.2
figlet	1.10.0	1.11.0
file-type	21.3.0	21.3.4
form-data	4.0.5	4.0.6
fs-extra	11.3.3	11.3.5
fuse.js	7.1.0	7.4.2
gaxios	7.1.3	7.1.5
gcp-metadata	8.1.2	8.1.3
get-east-asian-width	1.5.0	1.6.0
google-auth-library	10.5.0	10.7.0
hono	4.12.1	4.12.25
http-proxy-middleware	3.0.5	3.0.7
jsonfile	6.2.0	6.2.1
koa	3.1.1	3.2.1
mcp-proxy	6.4.0	6.5.1
nan	2.25.0	2.27.0
node-abi	3.87.0	3.92.0
protobufjs	6.11.4	6.11.6
path-to-regexp	8.3.0	8.4.2
pipenet	1.4.0	1.4.2
pump	3.0.3	3.0.4
qs	6.15.0	6.15.2
side-channel	1.1.0	1.1.1
sql.js	1.14.0	1.14.1
strtok3	10.3.4	10.3.5
type-is	2.0.1	2.1.0
undici	7.22.0	7.27.2
validator	13.15.26	13.15.35
ws	8.19.0	8.21.0
yaml	2.8.2	2.9.0
zod-to-json-schema	3.25.1	3.25.2

Updates ajv from 8.18.0 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in ajv-validator/ajv#2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

• fix prototype pollution via format keyword using $data ref by @​epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

Commits

• 0fba0b8 8.20.0
• 9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
• 2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
• 154b58d 8.19.0
• e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
• See full diff in compare view

Updates cosmiconfig from 9.0.0 to 9.0.2

Changelog

Sourced from cosmiconfig's changelog.

9.0.2

• Fixed a prototype chain issue that may happen when merging different config objects.
• Fixed the project search strategy not correctly stopping at the package boundary.

9.0.1

• Fixed a race condition where multiple instances existing simultaneously could cause cosmiconfig to fail to load TypeScript config files.
• Fixed an issue on Windows where CWD being a short path (e.g. C:\Users\USERNA~1) would cause cosmiconfig to fail to load ESM config files.

Commits

• See full diff in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #62.
• Fix trailing whitespace handling when folding flow scalar lines, #307.
• Reject top-level block scalars without content indentation, #280.
• Ensure numbers survive round-trip, #737.
• Fix test coverage for issue #221.
• Fix flow scalar trailing whitespace folding, #307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

Commits

• See full diff in compare view

Updates @anthropic-ai/claude-code from 2.1.50 to 2.1.177

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.177

No release notes provided.

v2.1.176

What's changed

• Session titles are now generated in the language of your conversation (set the language setting to pin a specific language)
• Added footerLinksRegexes setting for regex-matched link badges in the footer row, configurable via user or managed settings
• Improved Bedrock credential caching: credentials from awsCredentialExport are now cached until their Expiration instead of a fixed 1 hour
• Fixed availableModels enforcement: alias model picks can no longer be redirected to a blocked model via ANTHROPIC_DEFAULT_*_MODEL environment variables, and /fast now refuses to toggle when it would switch to a model outside the allowlist
• Fixed auto mode failing on Fable 5 for organizations without Opus 4.8 enabled — the classifier now falls back to the best available Opus model
• Fixed hook if conditions for Read/Edit/Write tool paths: documented patterns like Edit(src/**), Read(~/.ssh/**), and Read(.env) now match correctly
• Fixed Linux sandbox failing to start when .claude/settings.json is a symlink with an absolute target
• Fixed /copy and mouse-selection copy not reaching the system clipboard inside tmux over SSH, and tmux paste buffer not loading on versions older than 3.2
• Fixed Remote Control connecting from web/mobile silently switching the session's model
• Fixed Remote Control disconnect notifications showing a bare numeric code instead of a human-readable reason, and connection failures adding a duplicate line to the conversation transcript
• Fixed Remote Control sessions not disconnecting when you sign in to a different account
• Fixed /cd and worktree moves leaving the session reporting the previous directory's git branch
• Fixed claude agents: pressing back in one window no longer detaches other windows attached to the same session
• Fixed backgrounded sessions showing "Working" forever when /bg mid-turn had nothing left to continue
• Fixed background agent search by PR URL: PRs opened during scheduled wakeups or while a job was blocked now appear in claude agents search
• Fixed the agents view input showing no text cursor on Windows
• Fixed claude --bg -cn <name> not seeding the session name
• Fixed background sessions to neutralize Windows network paths in persisted state before respawn
• Fixed background-session respawn rejecting malformed resume IDs from corrupted state files
• Fixed the Windows background-service daemon not starting when ~/.claude/daemon has the ReadOnly attribute set
• Fixed cloud sessions failing with "Could not resolve authentication method" when idle for too long before being claimed
• Background sessions now show clearer guidance when a window left open across an auto-update can't submit a reply, and claude daemon status explains version-skew behavior

v2.1.175

What's changed

• Added enforceAvailableModels managed setting — when enabled, the availableModels allowlist also constrains the Default model (a Default that would resolve to a disallowed model now falls back to the first allowed model), and user or project settings can no longer widen a managed availableModels list

v2.1.174

What's changed

• Added wheelScrollAccelerationEnabled setting to disable mouse-wheel scroll acceleration in fullscreen mode
• Fixed the /model picker hiding the model family that Default resolves to — Opus now appears as its own row on Max/Team Premium/Enterprise plans, Sonnet on Pro/Team plans, and Opus on pay-as-you-go API accounts
• Fixed /model picker showing a hardcoded Sonnet version label when ANTHROPIC_DEFAULT_SONNET_MODEL pins a different Sonnet
• Fixed the "Fable 5 is now consuming usage credits" banner incorrectly showing for enterprise accounts with usage-based billing
• Fixed Bedrock GovCloud regions (us-gov-*) deriving the wrong inference profile prefix (global instead of us-gov), causing 400 errors on derived model IDs
• Fixed background sessions inheriting another session's ANTHROPIC_* provider env (gateway URL, custom headers, /model aliases) from the shell that started the background daemon
• Fixed a 1-2 second pause when exiting Claude Code shortly after a shell command was interrupted or killed on macOS and Linux
• Fixed git commit co-author attribution showing an incorrect model name for some models
• Fixed the /advisor dialog pre-selecting a saved advisor model that is blocked by the availableModels allowlist
• Fixed skill hot-reload re-sending the entire skill listing when a single skill changed; only changed skills are now re-announced
• Fixed Workflow tool agent() subagents missing per-agent attribution headers
• [VSCode] Added usage attribution to the Account & usage dialog (/usage) showing cache misses, long context, subagents, and per-skill/agent/plugin/MCP breakdowns over the last 24h or 7d
• Fixed pre-warmed background workers failing with "Could not resolve authentication method" when claimed after sitting idle

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

Changelog

2.1.176

• Session titles are now generated in the language of your conversation (set the language setting to pin a specific language)
• Added footerLinksRegexes setting for regex-matched link badges in the footer row, configurable via user or managed settings
• Improved Bedrock credential caching: credentials from awsCredentialExport are now cached until their Expiration instead of a fixed 1 hour
• Fixed availableModels enforcement: alias model picks can no longer be redirected to a blocked model via ANTHROPIC_DEFAULT_*_MODEL environment variables, and /fast now refuses to toggle when it would switch to a model outside the allowlist
• Fixed auto mode failing on Fable 5 for organizations without Opus 4.8 enabled — the classifier now falls back to the best available Opus model
• Fixed hook if conditions for Read/Edit/Write tool paths: documented patterns like Edit(src/**), Read(~/.ssh/**), and Read(.env) now match correctly
• Fixed Linux sandbox failing to start when .claude/settings.json is a symlink with an absolute target
• Fixed /copy and mouse-selection copy not reaching the system clipboard inside tmux over SSH, and tmux paste buffer not loading on versions older than 3.2
• Fixed Remote Control connecting from web/mobile silently switching the session's model
• Fixed Remote Control disconnect notifications showing a bare numeric code instead of a human-readable reason, and connection failures adding a duplicate line to the conversation transcript
• Fixed Remote Control sessions not disconnecting when you sign in to a different account
• Fixed /cd and worktree moves leaving the session reporting the previous directory's git branch
• Fixed claude agents: pressing back in one window no longer detaches other windows attached to the same session
• Fixed backgrounded sessions showing "Working" forever when /bg mid-turn had nothing left to continue
• Fixed background agent search by PR URL: PRs opened during scheduled wakeups or while a job was blocked now appear in claude agents search
• Fixed the agents view input showing no text cursor on Windows
• Fixed claude --bg -cn <name> not seeding the session name
• Fixed background sessions to neutralize Windows network paths in persisted state before respawn
• Fixed background-session respawn rejecting malformed resume IDs from corrupted state files
• Fixed the Windows background-service daemon not starting when ~/.claude/daemon has the ReadOnly attribute set
• Fixed cloud sessions failing with "Could not resolve authentication method" when idle for too long before being claimed
• Background sessions now show clearer guidance when a window left open across an auto-update can't submit a reply, and claude daemon status explains version-skew behavior

2.1.175

• Added enforceAvailableModels managed setting — when enabled, the availableModels allowlist also constrains the Default model (a Default that would resolve to a disallowed model now falls back to the first allowed model), and user or project settings can no longer widen a managed availableModels list

2.1.174

• Added wheelScrollAccelerationEnabled setting to disable mouse-wheel scroll acceleration in fullscreen mode
• Fixed the /model picker hiding the model family that Default resolves to — Opus now appears as its own row on Max/Team Premium/Enterprise plans, Sonnet on Pro/Team plans, and Opus on pay-as-you-go API accounts
• Fixed /model picker showing a hardcoded Sonnet version label when ANTHROPIC_DEFAULT_SONNET_MODEL pins a different Sonnet
• Fixed the "Fable 5 is now consuming usage credits" banner incorrectly showing for enterprise accounts with usage-based billing
• Fixed Bedrock GovCloud regions (us-gov-*) deriving the wrong inference profile prefix (global instead of us-gov), causing 400 errors on derived model IDs
• Fixed background sessions inheriting another session's ANTHROPIC_* provider env (gateway URL, custom headers, /model aliases) from the shell that started the background daemon
• Fixed a 1-2 second pause when exiting Claude Code shortly after a shell command was interrupted or killed on macOS and Linux
• Fixed git commit co-author attribution showing an incorrect model name for some models
• Fixed the /advisor dialog pre-selecting a saved advisor model that is blocked by the availableModels allowlist
• Fixed skill hot-reload re-sending the entire skill listing when a single skill changed; only changed skills are now re-announced
• Fixed Workflow tool agent() subagents missing per-agent attribution headers
• [VSCode] Added usage attribution to the Account & usage dialog (/usage) showing cache misses, long context, subagents, and per-skill/agent/plugin/MCP breakdowns over the last 24h or 7d
• Fixed pre-warmed background workers failing with "Could not resolve authentication method" when claimed after sitting idle

2.1.173

• Fixed Fable 5 model names with a [1m] suffix not being normalized — Fable 5 includes 1M context by default, so the suffix is now stripped automatically

... (truncated)

Commits

• ca9f604 chore: Update CHANGELOG.md and feed.xml
• ee81682 chore: Update CHANGELOG.md and feed.xml
• 5754a8b chore: Update CHANGELOG.md and feed.xml
• 3a7c736 chore: Update CHANGELOG.md and feed.xml
• ca34f27 chore: Update CHANGELOG.md and feed.xml
• 1c5f951 chore: Update CHANGELOG.md and feed.xml
• 6a9c2db chore: Update CHANGELOG.md and feed.xml
• f967b36 chore: Update CHANGELOG.md and feed.xml
• 7228175 chore: Update CHANGELOG.md and feed.xml
• c1b75cb chore: Update CHANGELOG.md and feed.xml
• Additional commits viewable in compare view

Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.

Updates @babel/code-frame from 7.29.0 to 7.29.7

Release notes

Sourced from @​babel/code-frame's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• See full diff in compare view

Updates @babel/helper-validator-identifier from 7.28.5 to 7.29.7

Release notes

Sourced from @​babel/helper-validator-identifier's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• See full diff in compare view

Updates @babel/runtime from 7.28.6 to 7.29.7

Release notes

Sourced from @​babel/runtime's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• 37d5595 v7.29.2
• See full diff in compare view

Updates @borewit/text-codec from 0.2.1 to 0.2.2

Release notes

Sourced from @​borewit/text-codec's releases.

v0.2.2

Changes

🐛 Bug Fixes

• fix: improve encoding correctness and update README @​Borewit (#36)

NPM release

NPM release: @​borewit/text-codec@0.2.2

Commits

• c2ce9c5 0.2.2
• e2f0705 Merge pull request #23 from Borewit/dependabot/npm_and_yarn/master/chai-6.2.2
• 5e58cb8 Bump chai from 5.2.1 to 6.2.2
• bc315b8 Merge pull request #37 from Borewit/update-biome
• f32adfc Update biome to 2.4.6
• 7776373 Merge pull request #36 from Borewit/fix-most-issue-exodus
• 068d7d4 fix: improve encoding correctness and update README
• See full diff in compare view

Updates @google/genai from 1.42.0 to 1.52.0

Release notes

Sourced from @​google/genai's releases.

v1.52.0

1.52.0 (2026-05-04)

Features

• [Python] Multimodal file search (e626bef)
• Multimodal file search (54caf6b)

v1.51.0

1.51.0 (2026-04-29)

Features

• [Interactions] Add FileCitation.{custom_metadata,media_id,page_number} (9e08ba9)
• Add output_info to BatchJob (5327c60)
• Add gemini-3.1-flash-tts-preview model to options (35c941b)
• Add ImageResizeMode for GenerateVideos (faa1088)
• Add new Gemini Deep Research agent models (6f83a05)
• Add Vertex Dataset input and output options for batch jobs (6aa848e)
• interaction-api: Add grounding tool usage breakdown to Interaction Usage. (e1c31ad)
• introduce enterprise flag and GOOGLE_GENAI_USE_ENTERPRISE env var (cf7ad52)
• Replace the more ambiguous rate field with sample_rate. (6c80464)

v1.50.1

1.50.1 (2026-04-14)

Bug Fixes

• Refactor Webhook types in GenAI SDKs for easier useage (5100abc)
• Rename webhooks.retrieve to webhooks.get. (db6e771)

v1.50.0

1.50.0 (2026-04-13)

[!CAUTION] CRITICAL WARNING: Do not use this version if you are implementing or relying on webhooks. This release contains known issues regarding webhook sdk. Please use v1.51.0 or later.

Features

• Add "eu" as a supported service location for Vertex AI platform. (2493f9c)
• Add DeepResearchAgentConfig fields (3615ca2)
• Add Live Avatar new fields (6a0ff96)
• Add support for new audio MIME types: opus, alaw, and mulaw (7137f13)
• add webhook and webhookConfig for js and python sdk (0f89605)
• Add webhook_config to batches.create() and models.generate_videos() (894bc93)
• Wire the webhook into python and js client. (b6c5d18)

... (truncated)

Changelog

Sourced from @​google/genai's changelog.

1.52.0 (2026-05-04)

Features

• [Python] Multimodal file search (e626bef)
• Multimodal file search (54caf6b)

1.51.0 (2026-04-29)

Features

• [Interactions] Add FileCitation.{custom_metadata,media_id,page_number} (9e08ba9)
• Add output_info to BatchJob (5327c60)
• Add gemini-3.1-flash-tts-preview model to options (35c941b)
• Add ImageResizeMode for GenerateVideos (faa1088)
• Add new Gemini Deep Research agent models (6f83a05)
• Add Vertex Dataset input and output options for batch jobs (6aa848e)
• interaction-api: Add grounding tool usage breakdown to Interaction Usage. (e1c31ad)
• introduce enterprise flag and GOOGLE_GENAI_USE_ENTERPRISE env var (cf7ad52)
• Replace the more ambiguous rate field with sample_rate. (6c80464)

1.50.1 (2026-04-14)

Bug Fixes

• Refactor Webhook types in GenAI SDKs for easier useage (5100abc)
• Rename webhooks.retrieve to webhooks.get. (db6e771)

1.50.0 (2026-04-13)

Features

• Add "eu" as a supported service location for Vertex AI platform. (2493f9c)
• Add DeepResearchAgentConfig fields (3615ca2)
• Add Live Avatar new fields (6a0ff96)
• Add support for new audio MIME types: opus, alaw, and mulaw (7137f13)
• add webhook and webhookConfig for js and python sdk (0f89605)
• Add webhook_config to batches.create() and models.generate_videos() (894bc93)
• Wire the webhook into python and js client. (b6c5d18)

1.49.0 (2026-04-08)

Features

• Introduce TYPE_L16 audio content and optional fields. (c62cb9a)

... (truncated)

Commits

• e8c8c44 chore(main): release 1.52.0 (#1546)
• 50d81ca chore: [Multimodal FileSearch] Move embedding_model to body
• 54caf6b feat: Multimodal file search
• e626bef feat: [Python] Multimodal file search
• 61013d6 chore(main): release 1.51.0 (#1503)
• 8137d23 chore: add the deprecation marker back
• 734dab0 chore: no-op
• 006286b chore: Add page number
• 986bbed chore: Adjust Webhook update to better reflect modifiable fields
• e1c31ad feat(interaction-api): Add grounding tool usage breakdown to Interaction Usage.
• Additional commits viewable in compare view

Install script changes

This version adds preinstall script that runs during installation. Review the package contents before updating.

Updates @hono/node-server from 1.19.9 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.26.0 to 1.29.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @​felixweinberger in modelcontextprotocol/typescript-sdk#1749
• [v1.x] fix: disallow null (infinite) requested TTL by @​LucaButBoring in modelcontextprotocol/typescript-sdk#1339
• [v1.x] fix: add missing size field to ResourceSchema by @​olaservo in modelcontextprotocol/typescript-sdk#1575
• Add typings exports by @​tdraier in modelcontextprotocol/typescript-sdk#1623
• v1.x npm audit fix by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1780
• v1.x #1623 follow up -add missing types to package.json by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @​localden in modelcontextprotocol/typescript-sdk#1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @​jnMetaCode in modelcontextprotocol/typescript-sdk#1640
• chore: bump version to 1.29.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1820

New Contributors

• @​tdraier made their first contribution in modelcontextprotocol/typescript-sdk#1623
• @​jnMetaCode made their first contribution in modelcontextprotocol/typescript-sdk#1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #580) by @​antogyn in modelcontextprotocol/typescript-sdk#757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in

[dependabot]

Assignees

The following users could not be added as assignees: llm-dev-ops/maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔒 Security Scan Results

Scan Type	Status
Dependency Scan	⚠️ failure
CodeQL Analysis	✅ success
Secret Scan	✅ success
License Check	⚠️ failure
SAST	⚠️ failure

⚠️ Some security scans have warnings or failed. Please review the details.

---

Automated security scanning by GitHub Actions