deps(deps): bump the ai-sdk group across 1 directory with 6 updates #481

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/ai-sdk-ac098502e0


@dependabot dependabot Bot commented on behalf of github Jun 13, 2026


Updates the requirements on ai, @ai-sdk/groq, @ai-sdk/anthropic, @ai-sdk/google, @ai-sdk/openai and @ai-sdk/svelte to permit the latest version.
Updates ai to 6.0.206

Release notes

Sourced from ai's releases.

ai@6.0.206

Patch Changes

  • Updated dependencies [e962dda]
    • @​ai-sdk/gateway@​3.0.132
Changelog

Sourced from ai's changelog.

6.0.206

Patch Changes

  • Updated dependencies [e962dda]
    • @​ai-sdk/gateway@​3.0.132

6.0.205

Patch Changes

  • Updated dependencies [6160ced]
  • Updated dependencies [c9b8abd]
    • @​ai-sdk/gateway@​3.0.131

6.0.204

Patch Changes

  • Updated dependencies [c5d4716]
    • @​ai-sdk/gateway@​3.0.130

6.0.203

Patch Changes

  • f42aa79: fix: harden download URL SSRF guard against hostname and redirect bypasses

    validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:

    • A fully-qualified hostname with a trailing dot (e.g. localhost., myhost.local.) skipped the localhost/.local blocklist.
    • IPv6 addresses that embed an IPv4 address in their last 32 bits — IPv4-compatible (::127.0.0.1), IPv4-translated (::ffff:0:127.0.0.1), and NAT64 (64:ff9b::127.0.0.1, including the 64:ff9b:1::/48 local-use prefix) — were not decoded and checked against the private IPv4 ranges.
    • Redirects were validated only after fetch had already followed them, so the request to a redirect target (e.g. an internal/metadata address) had already been issued before the check ran.
    • Several reserved/internal address ranges were not blocked: CGNAT (100.64.0.0/10, used by some cloud providers for internal traffic), benchmarking (198.18.0.0/15), IETF protocol assignments (192.0.0.0/24), the reserved 240.0.0.0/4 block (including the 255.255.255.255 broadcast address), and IPv6 site-local (fec0::/10) and multicast (ff00::/8).

    The validator now strips trailing dots before the hostname checks and fully expands IPv6 addresses to detect embedded private IPv4 targets. The download helpers now follow redirects manually (redirect: 'manual'), re-validating each hop before requesting it, so an unsafe redirect target is never fetched. When a redirect cannot be inspected because the runtime returns an opaque response, the helpers fail closed (reject the redirect) on the server; only in a real browser — where SSRF is not reachable (fetch is constrained by CORS and cannot reach a server's internal network or cloud-metadata endpoints) — is the redirect followed natively so legitimate redirected downloads keep working.

  • 5291f7e: Harden stream text processing and middleware against prototype pollution from stream part IDs.

  • b4b575a: fix: redact server error details from UI message streams by default

    streamText(...).toUIMessageStream() and createUIMessageStream defaulted their onError callback to getErrorMessage, which serializes the raw error (error.toString() / JSON.stringify(error)) into the client-facing { type: 'error', errorText } chunk — and also into tool-output-error parts. The documented default was () => 'An error occurred.', so applications relying on the documented behavior were unknowingly streaming server exception details (internal hostnames, paths, provider request data, validation inputs) to end users.

    The default onError now returns the documented generic 'An error occurred.'. Raw error details are only emitted when the developer explicitly supplies an onError handler. This also redacts tool-output-error and invalid-tool-input error text by default; pass an onError to surface richer messages.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @​ai-sdk/provider-utils@​4.0.29
    • @​ai-sdk/gateway@​3.0.129

6.0.202

... (truncated)

Commits
  • 5623117 Version Packages (#16134)
  • 5548672 Version Packages (#16097)
  • 63b3f60 Version Packages (#16086)
  • bae9bab Version Packages (#16026)
  • b4b575a Backport: fix(ai): redact server error details from UI message streams by def...
  • f42aa79 Backport: fix(provider-utils,ai): harden download SSRF guard against hostname...
  • 5291f7e Backport: fix: Harden stream text processing and middleware against prototype...
  • 9ef2c3c Version Packages (#15998)
  • 942f2f8 Backport: fix(security): harden tool approval replay path against client-forg...
  • dca8c38 Version Packages (#15992)
  • Additional commits viewable in compare view

Updates @ai-sdk/groq to 3.0.41

Changelog

Sourced from @​ai-sdk/groq's changelog.

3.0.41

Patch Changes

  • Updated dependencies [bfa5864]
  • Updated dependencies [f42aa79]
    • @​ai-sdk/provider-utils@​4.0.29

3.0.40

Patch Changes

  • Updated dependencies [942f2f8]
    • @​ai-sdk/provider-utils@​4.0.28

3.0.39

Patch Changes

  • Updated dependencies [f591416]
    • @​ai-sdk/provider-utils@​4.0.27

3.0.38

Patch Changes

  • Updated dependencies [7beadf0]
    • @​ai-sdk/provider-utils@​4.0.26

3.0.37

Patch Changes

  • a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
  • Updated dependencies [a727da4]
    • @​ai-sdk/provider-utils@​4.0.25
    • @​ai-sdk/provider@​3.0.10

3.0.36

Patch Changes

  • a7f3c72: trigger release for all packages after provenance setup
  • Updated dependencies [a7f3c72]
    • @​ai-sdk/provider@​3.0.9
    • @​ai-sdk/provider-utils@​4.0.24

3.0.35

Patch Changes

... (truncated)

Commits

Updates @ai-sdk/anthropic to 3.0.84

Changelog

Sourced from @​ai-sdk/anthropic's changelog.

3.0.84

Patch Changes

  • Updated dependencies [bfa5864]
  • Updated dependencies [f42aa79]
    • @​ai-sdk/provider-utils@​4.0.29

3.0.83

Patch Changes

  • Updated dependencies [942f2f8]
    • @​ai-sdk/provider-utils@​4.0.28

3.0.82

Patch Changes

  • 2a91a17: feat(provider/anthropic): add support for claude-fable-5 and the fallbacks API parameter

3.0.81

Patch Changes

  • 4084fcd: feat(provider/anthropic): add support for claude-opus-4-8

3.0.80

Patch Changes

  • 263d3e6: fix(provider/anthropic): fix remaining errors with Anthropic code_execution tool dynamic calls from latest web_fetch or web_search

3.0.79

Patch Changes

  • d61a788: Handle errors from anthropic websearch tool

3.0.78

Patch Changes

  • 6e28d25: fix(anthropic): propagate toModelOutput providerOption to anthropic tool results

3.0.77

Patch Changes

  • d53314d: feat(anthropic): add the new advisor tool

... (truncated)

Commits

Updates @ai-sdk/google to 3.0.82

Changelog

Sourced from @​ai-sdk/google's changelog.

3.0.82

Patch Changes

  • 3258f22: fix(google): prevent prototype pollution when streaming tool args

  • bfa5864: fix: only send provider credentials to same-origin response-supplied URLs

    Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

    A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @​ai-sdk/provider-utils@​4.0.29

3.0.81

Patch Changes

  • Updated dependencies [942f2f8]
    • @​ai-sdk/provider-utils@​4.0.28

3.0.80

Patch Changes

  • f62ffe0: fix(google): auto-inject skip_thought_signature_validator for Gemini 3 tool-call replays without a signature

    Gemini 3 models reject requests when an assistant functionCall part lacks a thoughtSignature with HTTP 400 "Function call is missing a thought_signature in functionCall parts." This is easy to hit when application code persists/serializes messages and drops providerOptions.google.thoughtSignature (custom DB schemas, useChat server routes that rebuild messages, synthetic tool-call injection).

    The provider now detects this case (Gemini 3 model + missing signature under google, googleVertex, and vertex namespaces) and injects the documented skip_thought_signature_validator sentinel into the outbound functionCall, plus surfaces a one-shot warning per request listing the affected tool names so the developer can find and fix the upstream serialization. Non-Gemini-3 models are unaffected, and real signatures take precedence when present.

3.0.79

Patch Changes

  • cfa0cb2: feat(provider/google): support Google search grounding when using generateImage with Gemini

3.0.78

Patch Changes

  • cf63828: fix(google): read serviceTier from usageMetadata.serviceTier in both generate and stream paths

    The previous implementation read serviceTier from the x-gemini-service-tier response header, which is only populated on non-streaming responses. Gemini streaming includes the value in usageMetadata.serviceTier on every chunk, so providerMetadata.google.serviceTier was always null for streams. Read from usageMetadata for both paths instead.

... (truncated)

Commits
  • bae9bab Version Packages (#16026)
  • 3258f22 Backport: fix(google): prevent prototype pollution when streaming tool args (...
  • bfa5864 Backport: fix(providers): only send credentials to same-origin response-suppl...
  • 9ef2c3c Version Packages (#15998)
  • 7aca1fc backport: chore: update TypeScript references and fix `pnpm update-references...
  • See full diff in compare view

Updates @ai-sdk/openai to 3.0.71

Changelog

Sourced from @​ai-sdk/openai's changelog.

3.0.71

Patch Changes

  • Updated dependencies [bfa5864]
  • Updated dependencies [f42aa79]
    • @​ai-sdk/provider-utils@​4.0.29

3.0.70

Patch Changes

  • Updated dependencies [942f2f8]
    • @​ai-sdk/provider-utils@​4.0.28

3.0.69

Patch Changes

  • 9a55f6d: feat(openai): add namespaces for tool definitions

3.0.68

Patch Changes

  • c65c952: fix(openai): round-trip namespace on function_call input items

    When tool_search dispatches a deferred tool, the resulting function_call carries a namespace field identifying which deferred-tool group the model picked. [#14789](https://github.com/vercel/ai/tree/HEAD/packages/openai/issues/14789) preserved this on the read side (providerMetadata.openai.namespace), but the write side still serialized function_call input items without namespace. Multi-step / multi-turn conversations then failed with Missing namespace for function_call '<name>'. ... Round-trip the model's function_call item with its namespace field included.

    convert-to-openai-responses-input.ts now reads namespace from providerOptions.openai.namespace (or providerMetadata.openai.namespace) on tool-call parts and includes it on the serialized function_call item, mirroring how itemId is round-tripped.

3.0.67

Patch Changes

  • c679fec: feat(provider/azure):web search tool in the Azure OpenAI Responses API.

3.0.66

Patch Changes

  • c82ab42: feat(openai): forward web_search_call.action.queries from Responses API

3.0.65

Patch Changes

  • eb52378: fix(openai): skip passing reasoning items when using previous response id

3.0.64

... (truncated)

Commits

Updates @ai-sdk/svelte to 4.0.206

Release notes

Sourced from @​ai-sdk/svelte's releases.

@​ai-sdk/svelte@​4.0.206

Patch Changes

  • ai@6.0.206
Changelog

Sourced from @​ai-sdk/svelte's changelog.

4.0.206

Patch Changes

  • ai@6.0.206

4.0.205

Patch Changes

  • ai@6.0.205

4.0.204

Patch Changes

  • ai@6.0.204

4.0.203

Patch Changes

  • Updated dependencies [bfa5864]
  • Updated dependencies [f42aa79]
  • Updated dependencies [5291f7e]
  • Updated dependencies [b4b575a]
    • @​ai-sdk/provider-utils@​4.0.29
    • ai@6.0.203

4.0.202

Patch Changes

  • Updated dependencies [942f2f8]
    • ai@6.0.202
    • @​ai-sdk/provider-utils@​4.0.28

4.0.201

Patch Changes

  • Updated dependencies [0c8c0ed]
    • ai@6.0.201

4.0.200

Patch Changes

  • Updated dependencies [14098e7]
  • Updated dependencies [2cabe9c]

... (truncated)

Commits
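
The hostname and address checks described in the 6.0.203 changelog entry quoted above (trailing dots, IPv4 embedded in the last 32 bits of an IPv6 address, the added reserved ranges), as an added example that is not the SDK's or Dependabot's code. `isBlockedUrl` and its helpers are hypothetical names, and the check assumes the WHATWG `URL` parser is used to canonicalize address literals.

```javascript
// Added illustration: isBlockedUrl and its helpers are hypothetical names, not the SDK's validateDownloadUrl.
// IPv4 ranges as [base, prefix length]; the second row holds the ranges the changelog entry adds.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8], ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['100.64.0.0', 10], ['198.18.0.0', 15], ['192.0.0.0', 24], ['240.0.0.0', 4],
];
// First six groups (hex) of the forms whose last 32 bits carry an IPv4 address:
// IPv4-compatible, IPv4-mapped, IPv4-translated, NAT64 well-known prefix.
const EMBED_PREFIXES = ['0:0:0:0:0:0', '0:0:0:0:0:ffff', '0:0:0:0:ffff:0', '64:ff9b:0:0:0:0'];

const v4ToInt = ip => ip.split('.').reduce((n, octet) => n * 256 + Number(octet), 0);

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
  });
}

// Expand a compressed IPv6 literal (hex groups, as URL.hostname serializes it) to eight integers.
function expandV6(ip) {
  const [head, tail] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const zeros = tail === undefined ? [] : Array(8 - h.length - t.length).fill('0');
  return [...h, ...zeros, ...t].map(group => parseInt(group, 16));
}

function isBlockedV6(ip) {
  const g = expandV6(ip);
  const prefix = g.slice(0, 6).map(x => x.toString(16)).join(':');
  if (EMBED_PREFIXES.includes(prefix) || prefix.startsWith('64:ff9b:1:')) {
    return isBlockedV4([g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255].join('.'));
  }
  // fc00::/7 unique-local, fe80::/10 link-local plus fec0::/10 site-local, ff00::/8 multicast
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xff80) === 0xfe80 || g[0] >= 0xff00;
}

function isBlockedUrl(input) {
  let host;
  try { host = new URL(input).hostname; } catch { return true; } // unparseable: fail closed
  host = host.replace(/^\[|\]$/g, '').replace(/\.+$/, '');       // drop brackets and trailing dots
  if (host.includes(':')) return isBlockedV6(host);
  if (/^\d+(\.\d+){3}$/.test(host)) return isBlockedV4(host);
  return host === 'localhost' || host.endsWith('.localhost') || host.endsWith('.local');
}
```

As the changelog entry says, the same check has to run on every redirect hop before that hop is requested (`redirect: 'manual'`), not once on the initial URL.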


dependabot Bot commented on behalf of github Jun 13, 2026


Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from ljagiello as a code owner June 13, 2026 04:28
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 13, 2026
@dependabot dependabot Bot requested a review from Vpr99 as a code owner June 13, 2026 04:28
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 13, 2026
Updates the requirements on [ai](https://github.com/vercel/ai/tree/HEAD/packages/ai), [@ai-sdk/groq](https://github.com/vercel/ai/tree/HEAD/packages/groq), [@ai-sdk/anthropic](https://github.com/vercel/ai/tree/HEAD/packages/anthropic), [@ai-sdk/google](https://github.com/vercel/ai/tree/HEAD/packages/google), [@ai-sdk/openai](https://github.com/vercel/ai/tree/HEAD/packages/openai) and [@ai-sdk/svelte](https://github.com/vercel/ai/tree/HEAD/packages/svelte) to permit the latest version.

Updates `ai` to 6.0.206
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/ai@6.0.206/packages/ai/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/ai@6.0.206/packages/ai)

Updates `@ai-sdk/groq` to 3.0.41
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/groq@3.0.41/packages/groq/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/groq@3.0.41/packages/groq)

Updates `@ai-sdk/anthropic` to 3.0.84
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/anthropic@3.0.84/packages/anthropic/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/anthropic@3.0.84/packages/anthropic)

Updates `@ai-sdk/google` to 3.0.82
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/google@3.0.82/packages/google/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/google@3.0.82/packages/google)

Updates `@ai-sdk/openai` to 3.0.71
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/openai@3.0.71/packages/openai/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/openai@3.0.71/packages/openai)

Updates `@ai-sdk/svelte` to 4.0.206
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/svelte@4.0.206/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/svelte@4.0.206/packages/svelte)

---
updated-dependencies:
- dependency-name: "@ai-sdk/anthropic"
  dependency-version: 3.0.84
  dependency-type: direct:production
  dependency-group: ai-sdk
- dependency-name: "@ai-sdk/google"
  dependency-version: 3.0.82
  dependency-type: direct:production
  dependency-group: ai-sdk
- dependency-name: "@ai-sdk/groq"
  dependency-version: 3.0.41
  dependency-type: direct:production
  dependency-group: ai-sdk
- dependency-name: "@ai-sdk/openai"
  dependency-version: 3.0.71
  dependency-type: direct:production
  dependency-group: ai-sdk
- dependency-name: "@ai-sdk/svelte"
  dependency-version: 4.0.204
  dependency-type: direct:production
  dependency-group: ai-sdk
- dependency-name: ai
  dependency-version: 6.0.204
  dependency-type: direct:production
  dependency-group: ai-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title deps(deps): bump the ai-sdk group with 6 updates deps(deps): bump the ai-sdk group across 1 directory with 6 updates Jun 15, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ai-sdk-ac098502e0 branch from 735e1d1 to 984e5a7 Compare June 15, 2026 19:40
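
The same-origin credential rule from the `@ai-sdk/google` 3.0.82 changelog entry quoted in this pull request (bfa5864), as an added example that is not the SDK's code. `sameOrigin`, `headersForFollowUp` and `withApiKey` are hypothetical names rather than the `isSameOrigin` helper itself, and the hosts and key are constructed sample values.

```javascript
// Added illustration: hypothetical helpers, not the isSameOrigin helper from @ai-sdk/provider-utils.

// True only when both URLs parse and share scheme, host and port.
function sameOrigin(candidate, apiBase) {
  try {
    const a = new URL(candidate);
    const b = new URL(apiBase);
    // URL.origin normalizes default ports; opaque origins serialize as the string "null".
    return a.origin !== 'null' && a.origin === b.origin;
  } catch {
    return false; // unparseable URL: treat as a foreign origin
  }
}

// Headers for a URL taken from a provider response (polling/status URL or media URL).
// Credentials are attached only when that URL stays on the configured API origin.
function headersForFollowUp(responseUrl, apiBase, authHeaders) {
  return sameOrigin(responseUrl, apiBase) ? { ...authHeaders } : {};
}

// Same rule for providers that pass the key as a ?key= query parameter.
function withApiKey(responseUrl, apiBase, apiKey) {
  if (!sameOrigin(responseUrl, apiBase)) return responseUrl; // foreign origin: no key appended
  const u = new URL(responseUrl);
  u.searchParams.set('key', apiKey);
  return u.toString();
}

// Constructed sample values.
const API_BASE = 'https://api.example.com/v1';
const AUTH = { Authorization: 'Bearer sample-key' };

// Cases worth checking: explicit default port, look-alike hosts, userinfo, scheme change.
function demo() {
  return [
    'https://api.example.com:443/v1/operations/1',   // same origin, default port spelled out
    'https://api.example.com.cdn.example.net/v/1',   // configured host used as a subdomain label
    'https://api.example.com@cdn.example.net/v/1',   // configured host in the userinfo part
    'http://api.example.com/v1/operations/1',        // scheme differs
  ].map(u => Object.keys(headersForFollowUp(u, API_BASE, AUTH)).length > 0);
}
```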