deps(deps): bump the npm-minor-patch group across 1 directory with 20 updates

[dependabot]

Bumps the npm-minor-patch group with 20 updates in the / directory:

Package	From	To
typescript-eslint	8.61.0	8.62.0
vitest	4.1.8	4.1.9
@ai-sdk/openai-compatible	2.0.50	2.0.51
@arizeai/openinference-vercel	2.7.8	2.7.9
@browserbasehq/stagehand	3.5.0	3.6.0
@langchain/core	1.1.49	1.2.1
@langchain/langgraph	1.4.2	1.4.5
@mastra/core	1.42.0	1.45.0
@mastra/mcp	1.10.0	1.11.0
@openai/agents	0.11.6	0.11.8
ai	6.0.205	6.0.208
mem0ai	3.0.8	3.0.9
openai	6.42.0	6.44.0
playwright	1.60.0	1.61.0
@anthropic-ai/sdk	0.104.1	0.105.0
agents	0.16.0	0.16.2
@cloudflare/workers-types	4.20260615.1	4.20260621.1
wrangler	4.100.0	4.103.0
@cloudflare/vitest-pool-workers	0.16.15	0.16.18
@playwright/test	1.60.0	1.61.0

Updates typescript-eslint from 8.61.0 to 8.62.0

Release notes

Sourced from typescript-eslint's releases.

v8.62.0

8.62.0 (2026-06-22)

🚀 Features

• remove redundant package.json "files" (#12444)

🩹 Fixes

• add "files" to rule-schema-to-typescript-types (#12441)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.61.1

8.61.1 (2026-06-15)

🩹 Fixes

• eslint-plugin: [consistent-indexed-object-style] do not remove comments when fixing (#12396, #10577)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive for template literal expressions (#12281)
• eslint-plugin: [no-unnecessary-type-assertion] wrap object literal in parens when removing TSTypeAssertion in arrow body (#12394, #12393)
• eslint-plugin: [no-unnecessary-boolean-literal-compare] fix precedence bug in autofix (#12413)
• eslint-plugin: [no-unnecessary-template-expression] respect ECMAScript line terminators (#12388)

❤️ Thank You

• Anas @​anasm266
• Deftera @​Deftera186
• Kirk Waiblinger @​kirkwaiblinger
• lumir
• Sarath Francis @​sarathfrancis90

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.62.0 (2026-06-22)

🚀 Features

• remove redundant package.json "files" (#12444)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.61.1 (2026-06-15)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 54e2857 chore(release): publish 8.62.0
• 81e4c26 feat: remove redundant package.json "files" (#12444)
• aaad718 chore(release): publish 8.61.1
• See full diff in compare view

Updates vitest from 4.1.8 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

• Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in vitest-dev/vitest#10546 (a5180)
• browser:
  • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10555 (7fb29)
  • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10497 and vitest-dev/vitest#10556 (fbc62)
• mocker:
  • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in vitest-dev/vitest#10548 (2c955)
• pool:
  • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in vitest-dev/vitest#10543 and vitest-dev/vitest#10564 (934b0)

View changes on GitHub

Commits

• a7a61e7 chore: release v4.1.9 (#10598)
• 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
• 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
• a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
• See full diff in compare view

Updates @ai-sdk/openai-compatible from 2.0.50 to 2.0.51

Changelog

Sourced from @​ai-sdk/openai-compatible's changelog.

2.0.51

Patch Changes

• Updated dependencies [779f5cd]
  • @​ai-sdk/provider-utils@​4.0.30

Commits

• caebb44 Version Packages (#16157)
• See full diff in compare view

Updates @arizeai/openinference-vercel from 2.7.8 to 2.7.9

Commits

• See full diff in compare view

Updates @browserbasehq/stagehand from 3.5.0 to 3.6.0

Release notes

Sourced from @​browserbasehq/stagehand's releases.

@​browserbasehq/stagehand@​3.6.0

Minor Changes

• #2178 c49a3fc Thanks @​seanmcguire12! - add support for WebMCP

Patch Changes

• #2217 147e310 Thanks @​monadoid! - Add Azure OpenAI Microsoft Entra ID model auth support.

• #2231 cf3603d Thanks @​miguelg719! - Add claude-fable-5 support: native structured outputs via the @​ai-sdk/anthropic bump, adaptive thinking (including the new "xhigh" effort) on the agent path, the API's built-in server-side refusal fallback to claude-opus-4-8, and auto tool choice for the final done call on models that reject forced tool use.

• #2233 8d7d414 Thanks @​seanmcguire12! - Normalize URLs in ActCache key derivation by sorting query parameters before hashing. Semantically equivalent URLs that differ only in parameter order (e.g. ?utm_source=email&id=42 vs ?id=42&utm_source=email) now hit the cache instead of silently missing. Fragments and duplicate keys are preserved.

• #2229 fd42e65 Thanks @​seanmcguire12! - launch local browser with --enable-features=WebMCPTesting,DevToolsWebMCPSupport by default

• #2220 a64c6b7 Thanks @​monadoid! - Fix Stagehand-generated shadow-root XPath resolution so deterministic actions can target elements inside web components.

• #2132 ed3e566 Thanks @​miguelg719! - Add canonical verifier evidence normalization for screenshots and text signals without requiring image dependencies in core installs.

• #2133 840aac8 Thanks @​miguelg719! - Add the rubric-based verifier engine with normalized public rubric output and bounded failure-step parsing.

Changelog

Sourced from @​browserbasehq/stagehand's changelog.

3.6.0

Minor Changes

• #2178 c49a3fc Thanks @​seanmcguire12! - add support for WebMCP

Patch Changes

• #2217 147e310 Thanks @​monadoid! - Add Azure OpenAI Microsoft Entra ID model auth support.

• #2231 cf3603d Thanks @​miguelg719! - Add claude-fable-5 support: native structured outputs via the @​ai-sdk/anthropic bump, adaptive thinking (including the new "xhigh" effort) on the agent path, the API's built-in server-side refusal fallback to claude-opus-4-8, and auto tool choice for the final done call on models that reject forced tool use.

• #2233 8d7d414 Thanks @​seanmcguire12! - Normalize URLs in ActCache key derivation by sorting query parameters before hashing. Semantically equivalent URLs that differ only in parameter order (e.g. ?utm_source=email&id=42 vs ?id=42&utm_source=email) now hit the cache instead of silently missing. Fragments and duplicate keys are preserved.

• #2229 fd42e65 Thanks @​seanmcguire12! - launch local browser with --enable-features=WebMCPTesting,DevToolsWebMCPSupport by default

• #2220 a64c6b7 Thanks @​monadoid! - Fix Stagehand-generated shadow-root XPath resolution so deterministic actions can target elements inside web components.

• #2132 ed3e566 Thanks @​miguelg719! - Add canonical verifier evidence normalization for screenshots and text signals without requiring image dependencies in core installs.

• #2133 840aac8 Thanks @​miguelg719! - Add the rubric-based verifier engine with normalized public rubric output and bounded failure-step parsing.

Commits

• d71d3a2 Version Packages (#2224)
• 75df86a [chore]: bump monorepo build & test deps (#2256)
• 840aac8 feat(verifier): add rubric verifier engine (#2133)
• 8d7d414 fix(core): normalize URLs in ActCache key derivation (#2190) (#2233)
• ed3e566 feat(verifier): normalize canonical evidence (#2132)
• cf3603d feat(llm): support claude-fable-5 (structured outputs, adaptive thinking, ref...
• fd42e65 [fix]: launch local browser with webmcp flags by default (#2229)
• c49a3fc [feat]: add support for WebMCP (#2178)
• a64c6b7 STG-2196 Shadow DOM fix (#2220)
• c343209 [test]: cover user-gesture clipboard copy event (#2225)
• Additional commits viewable in compare view

Updates @langchain/core from 1.1.49 to 1.2.1

Release notes

Sourced from @​langchain/core's releases.

@​langchain/core@​1.2.1

Patch Changes

• #10674 f017708 Thanks @​christian-bromann! - fix: classify provider 429s before retrying

• #11092 7918bbd Thanks @​aolsenjazz! - fix(core): only treat arrays of content blocks as ToolMessage content

  Fix tool outputs that are arrays of plain objects being forwarded as malformed message content. An array is now only treated as message content blocks when every element is an object with a type; otherwise it is JSON-stringified.

@​langchain/core@​1.2.0

Minor Changes

• #10924 2e28115 Thanks @​christian-bromann! - feat(core): add OpenAI-compatible stream event conversion

Patch Changes

• #11047 ac0f71d Thanks @​christian-bromann! - fix(core): preserve AIMessage content blocks

  Keep existing v1 contentBlocks when constructing AIMessage instances so serialized messages do not lose block content during deserialization.

Commits

• See full diff in compare view

Updates @langchain/langgraph from 1.4.2 to 1.4.5

Release notes

Sourced from @​langchain/langgraph's releases.

@​langchain/langgraph@​1.4.5

Patch Changes

• #2557 b1e856d Thanks @​christian-bromann! - fix(sdk): apply state update and goto alongside interrupt resume

  respond(decision, { update, goto }) now maps to LangGraph's Command(resume, update, goto), so a human-in-the-loop UI can commit a state update (e.g. push the interrupt card into state) in the same superstep as the resume — one checkpoint, no separate updateState write, no flicker. @langchain/langgraph-api forwards update/goto through input.respond, and @langchain/core message instances in update are serialized to dicts before transport, exactly like submit(). Bumps @langchain/protocol to ^0.0.18 for the Goto type.

  respond/respondAll also apply update optimistically (mirroring submit()): the pushed messages paint immediately, with stable ids minted so the resumed run's echo reconciles them in place. Without this the interrupt is cleared the instant respond() dispatches while the pushed card only reappears a server round-trip later — so the card would flicker in that gap. The optimistic state settles on the resumed run's terminal (pending → sent, or rolled back on a failure before any echo).

  User-initiated optimistic writes (submit() / respond() / respondAll()) now commit to the store synchronously, in the same tick as the triggering event, instead of being coalesced onto the next macrotask. This lets a framework render the pushed message in the same commit as any local UI state the caller flips alongside it (e.g. a HITL form swapping its inputs for the resolved card), so the card no longer blinks out for the one-macrotask window before the flush lands. High-frequency streaming writes keep their macrotask coalescing.

• Updated dependencies [b1e856d]:

  • @​langchain/langgraph-sdk@​1.9.24

@​langchain/langgraph@​1.4.4

Patch Changes

• #2552 d662cbb Thanks @​christian-bromann! - fix(langgraph): isolate concurrent singleton-agent invocations by thread

  ensureLangGraphConfig ignores the ambient AsyncLocalStorage configurable on root-level invokes that supply an invoke-time thread_id and have no nesting keys (ignoring graph-bound .withConfig() defaults). On a fresh top-level run the ambient configurable can belong to another concurrent invocation, so its keys — internal scratchpad/task-input as well as user keys like tenant_id/user_id — must not leak in; values the caller wants arrive through the explicit (bound + invoke-time) configs. Ambient nesting (__pregel_read__) and bound child graphs invoked from parent tasks are unaffected. This prevents cross-invocation leakage between concurrent invoke() calls on a shared compiled graph (e.g. BullMQ workers with concurrency > 1). Complements the config-merge fix that stopped shared graph-bound metadata/configurable objects from being mutated across invocations

... (truncated)

Changelog

Sourced from @​langchain/langgraph's changelog.

1.4.5

Patch Changes

• #2557 b1e856d Thanks @​christian-bromann! - fix(sdk): apply state update and goto alongside interrupt resume

  respond(decision, { update, goto }) now maps to LangGraph's Command(resume, update, goto), so a human-in-the-loop UI can commit a state update (e.g. push the interrupt card into state) in the same superstep as the resume — one checkpoint, no separate updateState write, no flicker. @langchain/langgraph-api forwards update/goto through input.respond, and @langchain/core message instances in update are serialized to dicts before transport, exactly like submit(). Bumps @langchain/protocol to ^0.0.18 for the Goto type.

  respond/respondAll also apply update optimistically (mirroring submit()): the pushed messages paint immediately, with stable ids minted so the resumed run's echo reconciles them in place. Without this the interrupt is cleared the instant respond() dispatches while the pushed card only reappears a server round-trip later — so the card would flicker in that gap. The optimistic state settles on the resumed run's terminal (pending → sent, or rolled back on a failure before any echo).

  User-initiated optimistic writes (submit() / respond() / respondAll()) now commit to the store synchronously, in the same tick as the triggering event, instead of being coalesced onto the next macrotask. This lets a framework render the pushed message in the same commit as any local UI state the caller flips alongside it (e.g. a HITL form swapping its inputs for the resolved card), so the card no longer blinks out for the one-macrotask window before the flush lands. High-frequency streaming writes keep their macrotask coalescing.

• Updated dependencies [b1e856d]:

  • @​langchain/langgraph-sdk@​1.9.24

1.4.4

Patch Changes

• #2552 d662cbb Thanks @​christian-bromann! - fix(langgraph): isolate concurrent singleton-agent invocations by thread

  ensureLangGraphConfig ignores the ambient AsyncLocalStorage configurable on root-level invokes that supply an invoke-time thread_id and have no nesting keys (ignoring graph-bound .withConfig() defaults). On a fresh top-level run the ambient configurable can belong to another concurrent invocation, so its keys — internal scratchpad/task-input as well as user keys like tenant_id/user_id — must not leak in; values the caller wants arrive through the explicit (bound + invoke-time) configs. Ambient nesting (__pregel_read__) and bound child graphs invoked from parent tasks are unaffected. This prevents cross-invocation leakage between concurrent invoke() calls on a shared compiled graph (e.g. BullMQ workers with concurrency > 1). Complements the config-merge

... (truncated)

Commits

• 31261c3 chore: version packages (#2558)
• 5d279df chore(deps): bump langchain (#2564)
• b1e856d feat(sdk): apply state update and goto alongside interrupt resume (#2557)
• e6082e0 chore: version packages (#2554)
• d662cbb fix(langgraph): isolate concurrent singleton-agent invocations by thread (#2552)
• 1c2aa5b fix(langgraph): recognize JSON-erased Overwrite values across runtimes (#2553)
• 73ecaa0 chore: version packages (#2536)
• 4487214 fix(langgraph): replay concurrent DeltaChannel writes in live order (#2544)
• bc667a9 fix(langgraph): support DeltaChannel fields in StateSchema (#2549)
• e73bf8a test(langgraph-core): add test coverage on merging tags and metadata
• Additional commits viewable in compare view

Updates @mastra/core from 1.42.0 to 1.45.0

Release notes

Sourced from @​mastra/core's releases.

June 19, 2026

Highlights

Faster long-thread resume via improved state signal restoration

@mastra/core now restores state signals without scanning every message, making it significantly cheaper and faster to resume very long threads.

More reliable signal turn handling in agents

Fixes to agent signal drains ensure pending signals are recorded through the canonical signal transcript path and response message IDs rotate consistently—preventing follow-up signal turns from attaching to the wrong assistant response.

Clearer system guidance around automatic state signals

New system guidance clarifies that browser and task-list state signals are automatic context updates rather than user instructions, reducing prompt confusion and accidental instruction-following.

Redesigned Studio panel & code-surface UI primitives in @mastra/playground-ui

Adds reusable UI support for revamped Studio panels, including true resizable panels with smooth open/close, mobile drawer behavior via PanelDrawer, a new useIsMobile hook, and CodeBlock.actions for header controls; plus new popover collision-avoidance alignment controls.

WorkOS OAuth login fix (PKCE verifier cookie missing)

@mastra/auth-workos fixes an OAuth/SSO login failure affecting both single-auth and dual-auth setups, restoring reliable WorkOS sign-in flows.

Breaking Changes

• None called out in this changelog.

Changelog

@​mastra/core@1.45.0

Minor Changes

• Random bump (#18178)

Patch Changes

• Improved state signal restoration so long threads can resume without scanning every message. (#18182)

• Fix agent signal drains so pending signals are recorded through the canonical signal transcript path and consistently rotate the response message id. This prevents follow-up signal turns from being attached to the previous assistant response and helps the agent see the latest completed step before continuing. (#18105)

• Add system guidance explaining that browser and task-list state signals are automatic context updates, not user instructions. (#18163)

@​mastra/acp@0.3.0

Minor Changes

• Random bump (#18178)

Patch Changes

@​mastra/agent-browser@0.4.0

Minor Changes

• Random bump (#18178)

Patch Changes

... (truncated)

Commits

• 7a8a824 chore: version - exit prerelease mode
• faae1eb chore: version packages (alpha) (#18159)
• d9d2273 fix(core): preserve signal transcript ordering (#18105)
• 8f3c262 fix(core): explain automatic state signals to agents (#18163)
• 7c0d868 fix(core): restore state signals without thread scans (#18182)
• 6e3e3c3 Revert "fix(core): require approval by default for execute_command on a local...
• 17f01b5 chore: version - exit prerelease mode
• 9d6aa1b fix(core): require approval by default for execute_command on a local sandbox...
• 57e66f6 chore: version packages (alpha) (#18128)
• 30ce559 feat(core): move Harness display state onto Session.displayState (#18136)
• Additional commits viewable in compare view

Updates @mastra/mcp from 1.10.0 to 1.11.0

Release notes

Sourced from @​mastra/mcp's releases.

March 11, 2026

Highlights

Dynamic Model Fallback Arrays (Runtime Routing)

Agents can now use model functions that return full fallback arrays (ModelWithRetries[]), enabling context-driven model routing (tier/region/etc.) with nested/async selection and proper maxRetries inheritance.

Standard Schema + Zod v4 Compatibility Layer

Mastra adds Standard Schema normalization (toStandardSchema, standardSchemaToJSONSchema) across Zod v3/v4, AI SDK Schema, and JSON Schema via @mastra/schema-compat, unifying schema handling and improving strict-mode provider compatibility.

Customizable Request Validation Errors Across All Server Adapters

New onValidationError hook on ServerConfig and createRoute() lets you control status codes and response bodies for Zod validation failures, supported consistently in Hono/Express/Fastify/Koa adapters.

RequestContext End-to-End (Tracing + Datasets/Experiments + Storage)

requestContext is now captured on tracing spans (and persisted in ClickHouse/PG/LibSQL/MSSQL span tables) and is supported on dataset items and experiments, allowing request-scoped metadata (tenant/user/flags) to flow through evaluation and observability.

Faster & More Flexible Storage: Recall Performance + PgVector Indexing + New Vector Types

Semantic recall is significantly faster across multiple adapters (notably Postgres for very large threads), PgVector adds metadataIndexes for btree indexing filtered metadata fields, and @mastra/pg now supports pgvector bit and sparsevec vector types.

Breaking Changes

• Minimum Zod version is now ^3.25.0 (for v3) or ^4.0.0 (for v4 support).

Changelog

@​mastra/core@1.11.0

Minor Changes

• feat: support dynamic functions returning model fallback arrays (#11975)

  Agents can now use dynamic functions that return entire fallback arrays based on runtime context. This enables:

  • Dynamic selection of complete fallback configurations
  • Context-based model selection with automatic fallback
  • Flexible model routing based on user tier, region, or other factors
  • Nested dynamic functions within returned arrays (each model in array can also be dynamic)

  Examples

  Basic dynamic fallback array

  const agent = new Agent({
    model: ({ requestContext }) => {
      const tier = requestContext.get('tier');
      if (tier === 'premium') {
        return [
          { model: 'openai/gpt-4', maxRetries: 2 },
          { model: 'anthropic/claude-3-opus', maxRetries: 1 },
        ];
      }
      return [{ model: 'openai/gpt-3.5-turbo', maxRetries: 1 }];
    },

... (truncated)

Changelog

Sourced from @​mastra/mcp's changelog.

1.11.0

Minor Changes

• Random bump (#18178)

Patch Changes

• Updated dependencies [7c0d868, d9d2273, b04369d, 8f3c262]:
  • @​mastra/core@​1.45.0

1.11.0-alpha.0

Minor Changes

• Random bump (#18178)

Patch Changes

• Updated dependencies [7c0d868, d9d2273, b04369d, 8f3c262]:
  • @​mastra/core@​1.45.0-alpha.0

1.10.1

Patch Changes

• Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the latest dist-tag forward, superseding the compromised versions that declared the malicious easy-day-js dependency. (#18056)

• Updated dependencies [339c57c, 1dd4117, 2b11d1f, 77a2351, b7dff0a, 02087e1, 49af8df, 30ce559, c241b92, 7d6ff70, ab975d4, 9d6aa1b]:

  • @​mastra/core@​1.44.0

1.10.1-alpha.0

Patch Changes

• Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the latest dist-tag forward, superseding the compromised versions that declared the malicious easy-day-js dependency. (#18056)

• Updated dependencies [77a2351]:

  • @​mastra/core@​1.43.1-alpha.0

Commits

• 7a8a824 chore: version - exit prerelease mode
• faae1eb chore: version packages (alpha) (#18159)
• 17f01b5 chore: version - exit prerelease mode
• ad3243a chore: version packages (alpha) (#18057)
• a27d561 chore(deps): update build tools (#17657)
• 81b7981 chore(deps): update build tools to v22.19.21 (#17929)
• 42b0dba Expose source-backed stored agent APIs (#17583)
• See full diff in compare view

Updates @openai/agents from 0.11.6 to 0.11.8

Release notes

Sourced from @​openai/agents's releases.

v0.11.8

What's Changed

• feat: add opt-in pre-approval tool input guardrails by @​seratch in openai/openai-agents-js#1358
• feat: add SDK-only custom data for tool outputs by @​seratch in openai/openai-agents-js#1360

Documentation & Other Changes

• chore: update versions by @​github-actions[bot] in openai/openai-agents-js#1411

Full Changelog: openai/openai-agents-js@v0.11.7...v0.11.8

v0.11.7

What's Changed

• feat: expose serializable full MCP tool results by @​seratch in openai/openai-agents-js#1380
• fix: expose sandbox error retryability metadata by @​seratch in openai/openai-agents-js#1398
• fix: delegate incomplete auth to Vercel SDK by @​scotttrinh in openai/openai-agents-js#1405
• fix: recover legacy session authentication through Vercel SDK by @​seratch in openai/openai-agents-js#1410
• fix: update Modal sandbox provider for Modal SDK 0.7.6 APIs by @​thomelane in openai/openai-agents-js#1381
• fix: honor top-level input_image detail in the Chat Completions converter by @​bymle in openai/openai-agents-js#1407

Documentation & Other Changes

• docs: add Latitude to external tracing processors list by @​guillemwilly in openai/openai-agents-js#1379
• docs: add Traccia to external tracing processors list by @​Traccia-Official in openai/openai-agents-js#1409
• chore: update versions by @​github-actions[bot] in openai/openai-agents-js#1389

New Contributors

• @​guillemwilly made their first contribution in openai/openai-agents-js#1379
• @​thomelane made their first contribution in openai/openai-agents-js#1381
• @​Traccia-Official made their first contribution in openai/openai-agents-js#1409
• @​scotttrinh made their first contribution in openai/openai-agents-js#1405
• @​bymle made their first contribution in openai/openai-agents-js#1407

Full Changelog: openai/openai-agents-js@v0.11.6...v0.11.7

Commits

• 7e73145 chore: update versions (#1411)
• b740fb3 feat: add SDK-only custom data for tool outputs (#1360)
• dd64ba6 feat: add opt-in pre-approval tool input guardrails (#1358)
• a92c2ab chore: update versions (#1389)
• ae0fb45 chore: improve pr-draft-summary skill trigger
• 9b54b79 fix: honor top-level input_image detail in the Chat Completions converter (#1...
• 6d9152d fix(vercel): recover legacy session authentication through the SDK (#1410)
• 9c6db7c fix(vercel): delegate incomplete auth to SDK (#1405)
• d44d7ba docs: add Traccia to external tracing processors list (#1409)
• edd0a07 fix: expose sandbox error retryability metadata (#1398)
• Additional commits viewable in compare view

Updates ai from 6.0.205 to 6.0.208

Release notes

Sourced from ai's releases.

ai@6.0.208

Patch Changes

• 8261640: fix(ai): handle partial unicode escapes in fixJson
• f994df3: Serialize undefined tool output to null in UI message chunks

Changelog

Sourced from ai's changelog.

6.0.208

Patch Changes

• 8261640: fix(ai): handle partial unicode escapes in fixJson
• f994df3: Serialize undefined tool output to null in UI message chunks

6.0.207

Patch Changes

• 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

  When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

• Updated dependencies [5bfde36]

• Updated dependencies [779f5cd]

  • @​ai-sdk/gateway@​3.0.133
  • @​ai-sdk/provider-utils@​4.0.30

6.0.206

Patch Changes

• Updated dependencies [e962dda]
  • @​ai-sdk/gateway@​3.0.132

Commits

• 3270146 Version Packages (#16243)
• f994df3 Backport: Serialize undefined tool output to null in UI message chunks (#16240)
• 8261640 Backport: fix(ai): handle partial unicode escapes in fixJson (#16233)
• caebb44 Version Packages (

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.