chore(deps): bump the production-dependencies group across 1 directory with 7 updates#82

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-da1f8b8e55
Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Contributor

Bumps the production-dependencies group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| commander | 14.0.3 | 15.0.0 |
| @ai-sdk/anthropic | 3.0.81 | 3.0.84 |
| @ai-sdk/google | 3.0.80 | 3.0.82 |
| @ai-sdk/openai | 3.0.68 | 3.0.71 |
| ai | 6.0.197 | 6.0.205 |
| protobufjs | 8.6.0 | 8.6.3 |
| yauzl | 3.3.2 | 3.4.0 |

Updates commander from 14.0.3 to 15.0.0

Release notes

Sourced from commander's releases.

v15.0.0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only a lone --no-* option sets the default option value to true; the default is not implicitly set when defining both the positive and negative option, in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

Changed

  • Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
  • Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
  • dev: switch tests from Jest to node:test test runner (#2463)

Deleted

  • Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is to stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

v15.0.0-0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 in May 2026 will move Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only a lone --no-* option sets the default option value to true; the default is not implicitly set when defining both the positive and negative option, in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

... (truncated)

Changelog

Sourced from commander's changelog.

[15.0.0] (2026-05-29)

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only a lone --no-* option sets the default option value to true; the default is not implicitly set when defining both the positive and negative option, in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

Changed

  • Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
  • Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
  • dev: switch tests from Jest to node:test test runner (#2463)

Deleted

  • Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is to stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

[15.0.0-0] (2026-02-22)

(Released as 15.0.0)

Commits

Updates @ai-sdk/anthropic from 3.0.81 to 3.0.84

Changelog

Sourced from @ai-sdk/anthropic's changelog.

3.0.84

Patch Changes

  • Updated dependencies [bfa5864]
  • Updated dependencies [f42aa79]
    • @ai-sdk/provider-utils@4.0.29

3.0.83

Patch Changes

  • Updated dependencies [942f2f8]
    • @ai-sdk/provider-utils@4.0.28

3.0.82

Patch Changes

  • 2a91a17: feat(provider/anthropic): add support for claude-fable-5 and the fallbacks API parameter

Commits

Updates @ai-sdk/google from 3.0.80 to 3.0.82

Changelog

Sourced from @ai-sdk/google's changelog.

3.0.82

Patch Changes

  • 3258f22: fix(google): prevent prototype pollution when streaming tool args

  • bfa5864: fix: only send provider credentials to same-origin response-supplied URLs

    Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

    A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @ai-sdk/provider-utils@4.0.29

3.0.81

Patch Changes

  • Updated dependencies [942f2f8]
    • @ai-sdk/provider-utils@4.0.28

Commits
  • bae9bab Version Packages (#16026)
  • 3258f22 Backport: fix(google): prevent prototype pollution when streaming tool args (...
  • bfa5864 Backport: fix(providers): only send credentials to same-origin response-suppl...
  • 9ef2c3c Version Packages (#15998)
  • 7aca1fc backport: chore: update TypeScript references and fix `pnpm update-references...
  • See full diff in compare view

Updates @ai-sdk/openai from 3.0.68 to 3.0.71

Changelog

Sourced from @ai-sdk/openai's changelog.

3.0.71

Patch Changes

  • Updated dependencies [bfa5864]
  • Updated dependencies [f42aa79]
    • @ai-sdk/provider-utils@4.0.29

3.0.70

Patch Changes

  • Updated dependencies [942f2f8]
    • @ai-sdk/provider-utils@4.0.28

3.0.69

Patch Changes

  • 9a55f6d: feat(openai): add namespaces for tool definitions

Commits

Updates ai from 6.0.197 to 6.0.205

Changelog

Sourced from ai's changelog.

6.0.205

Patch Changes

  • Updated dependencies [6160ced]
  • Updated dependencies [c9b8abd]
    • @ai-sdk/gateway@3.0.131

6.0.204

Patch Changes

  • Updated dependencies [c5d4716]
    • @ai-sdk/gateway@3.0.130

6.0.203

Patch Changes

  • f42aa79: fix: harden download URL SSRF guard against hostname and redirect bypasses

    validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:

    • A fully-qualified hostname with a trailing dot (e.g. localhost., myhost.local.) skipped the localhost/.local blocklist.
    • IPv6 addresses that embed an IPv4 address in their last 32 bits — IPv4-compatible (::127.0.0.1), IPv4-translated (::ffff:0:127.0.0.1), and NAT64 (64:ff9b::127.0.0.1, including the 64:ff9b:1::/48 local-use prefix) — were not decoded and checked against the private IPv4 ranges.
    • Redirects were validated only after fetch had already followed them, so the request to a redirect target (e.g. an internal/metadata address) had already been issued before the check ran.
    • Several reserved/internal address ranges were not blocked: CGNAT (100.64.0.0/10, used by some cloud providers for internal traffic), benchmarking (198.18.0.0/15), IETF protocol assignments (192.0.0.0/24), the reserved 240.0.0.0/4 block (including the 255.255.255.255 broadcast address), and IPv6 site-local (fec0::/10) and multicast (ff00::/8).

    The validator now strips trailing dots before the hostname checks and fully expands IPv6 addresses to detect embedded private IPv4 targets. The download helpers now follow redirects manually (redirect: 'manual'), re-validating each hop before requesting it, so an unsafe redirect target is never fetched. When a redirect cannot be inspected because the runtime returns an opaque response, the helpers fail closed (reject the redirect) on the server; only in a real browser — where SSRF is not reachable (fetch is constrained by CORS and cannot reach a server's internal network or cloud-metadata endpoints) — is the redirect followed natively so legitimate redirected downloads keep working.

  • 5291f7e: Harden stream text processing and middleware against prototype pollution from stream part IDs.

  • b4b575a: fix: redact server error details from UI message streams by default

    streamText(...).toUIMessageStream() and createUIMessageStream defaulted their onError callback to getErrorMessage, which serializes the raw error (error.toString() / JSON.stringify(error)) into the client-facing { type: 'error', errorText } chunk — and also into tool-output-error parts. The documented default was () => 'An error occurred.', so applications relying on the documented behavior were unknowingly streaming server exception details (internal hostnames, paths, provider request data, validation inputs) to end users.

    The default onError now returns the documented generic 'An error occurred.'. Raw error details are only emitted when the developer explicitly supplies an onError handler. This also redacts tool-output-error and invalid-tool-input error text by default; pass an onError to surface richer messages.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @ai-sdk/provider-utils@4.0.29
    • @ai-sdk/gateway@3.0.129

6.0.202

Patch Changes

  • 942f2f8: fix(security): re-validate tool approvals from client message history before execution

    The approval-replay path in generateText/streamText reconstructed approved tool calls from the client-supplied messages array and executed them without re-validating input against the tool's schema or re-checking that the tool actually requires approval. A client could forge an assistant message with a pre-approved tool-call part and have the server execute a tool with attacker-chosen arguments.

... (truncated)

Commits
  • 5548672 Version Packages (#16097)
  • 63b3f60 Version Packages (#16086)
  • bae9bab Version Packages (#16026)
  • b4b575a Backport: fix(ai): redact server error details from UI message streams by def...
  • f42aa79 Backport: fix(provider-utils,ai): harden download SSRF guard against hostname...
  • 5291f7e Backport: fix: Harden stream text processing and middleware against prototype...
  • 9ef2c3c Version Packages (#15998)
  • 942f2f8 Backport: fix(security): harden tool approval replay path against client-forg...
  • dca8c38 Version Packages (#15992)
  • 0c8c0ed Backport: fix(ai): return schema-transformed elements in array output mode (#...
  • Additional commits viewable in compare view

Updates protobufjs from 8.6.0 to 8.6.3

Release notes

Sourced from protobufjs's releases.

protobufjs: v8.6.3

8.6.3 (2026-06-10)

Bug Fixes

  • Consistently reject truncated 64-bit varints (#2322) (ec868f3)
  • Include interfaces in API docs and fix FieldMask doc comment (#2319) (c98a4e5)
  • Preserve explicit URLs in path resolution (#2320) (c97cdbe)
  • Remove renamed reflection objects by identity (#2324) (9c9f8ee)
  • Support Node ESM named imports from CommonJS entrypoints (#2315) (3359e64)
  • Support utf8_validation during decode (#2325) (4dff8e4)

protobufjs: v8.6.2

8.6.2 (2026-06-09)

Bug Fixes

protobufjs: v8.6.1

8.6.1 (2026-06-07)

Bug Fixes

  • cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
  • cli: Preserve indentation in multiline declarations (#2307) (b38748d)
  • Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
  • Remove inquire submodule (#2305) (cc42616)

Changelog

Sourced from protobufjs's changelog.

8.6.3 (2026-06-10)

Bug Fixes

  • Consistently reject truncated 64-bit varints (#2322) (ec868f3)
  • Include interfaces in API docs and fix FieldMask doc comment (#2319) (c98a4e5)
  • Preserve explicit URLs in path resolution (#2320) (c97cdbe)
  • Remove renamed reflection objects by identity (#2324) (9c9f8ee)
  • Support Node ESM named imports from CommonJS entrypoints (#2315) (3359e64)
  • Support utf8_validation during decode (#2325) (4dff8e4)

8.6.2 (2026-06-09)

Bug Fixes

8.6.1 (2026-06-07)

Bug Fixes

  • cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
  • cli: Preserve indentation in multiline declarations (#2307) (b38748d)
  • Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
  • Remove inquire submodule (#2305) (cc42616)

Commits
  • 8076a5e chore: release master (#2318)
  • 4dff8e4 fix: Support utf8_validation during decode (#2325)
  • 9c9f8ee fix: Remove renamed reflection objects by identity (#2324)
  • de18bbe docs: Document custom constructor registration order (#2323)
  • c98a4e5 fix: Include interfaces in API docs and fix FieldMask doc comment (#2319)
  • c97cdbe fix: Preserve explicit URLs in path resolution (#2320)
  • ec868f3 fix: Consistently reject truncated 64-bit varints (#2322)
  • 3359e64 fix: Support Node ESM named imports from CommonJS entrypoints (#2315)
  • 41d3517 chore: release master (#2316)
  • bf12d56 fix: Discard unknown fields by default (#2310)
  • Additional commits viewable in compare view

Updates yauzl from 3.3.2 to 3.4.0

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 19, 2026
@dependabot dependabot Bot requested a review from yasserstudio as a code owner June 19, 2026 21:07
@socket-security

socket-security Bot commented Jun 19, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | @ai-sdk/google@3.0.82 | 72 | 100 | 88 | 98 | 100 |
| Updated | @types/yauzl@2.10.3 ⏵ 3.4.0 | 100 +1 | 100 | 72 +2 | 89 +2 | 100 |
| Added | @ai-sdk/openai@3.0.71 | 73 | 100 | 88 | 98 | 100 |
| Added | @ai-sdk/anthropic@3.0.84 | 79 | 100 | 88 | 98 | 100 |
| Added | commander@15.0.0 | 100 | 100 | 100 | 89 | 100 |
| Added | yauzl@3.4.0 | 100 | 100 | 100 | 91 | 100 |
| Added | protobufjs@8.6.3 | 99 | 100 | 100 | 98 | 100 |
| Added | ai@6.0.205 | 98 | 100 | 100 | 99 | 100 |

View full report

@github-actions

github-actions Bot commented Jun 19, 2026

Contributor

Bundle Size Report

| Package | dist size |
| --- | --- |
| @gpc-cli/cli | 3.7M |
| @gpc-cli/core | 1.2M |
| @gpc-cli/api | 396K |
| @gpc-cli/auth | 44K |
| @gpc-cli/config | 44K |

Largest CLI ESM chunk: 40K

Sizes are uncompressed. Published npm tarballs are ~30-40% smaller.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-dependencies-da1f8b8e55 branch 2 times, most recently from 8b93b5c to b45c612 Compare June 20, 2026 12:30
…y with 7 updates

Bumps the production-dependencies group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [commander](https://github.com/tj/commander.js) | `14.0.3` | `15.0.0` |
| [@ai-sdk/anthropic](https://github.com/vercel/ai/tree/HEAD/packages/anthropic) | `3.0.81` | `3.0.84` |
| [@ai-sdk/google](https://github.com/vercel/ai/tree/HEAD/packages/google) | `3.0.80` | `3.0.82` |
| [@ai-sdk/openai](https://github.com/vercel/ai/tree/HEAD/packages/openai) | `3.0.68` | `3.0.71` |
| [ai](https://github.com/vercel/ai/tree/HEAD/packages/ai) | `6.0.197` | `6.0.205` |
| [protobufjs](https://github.com/protobufjs/protobuf.js) | `8.6.0` | `8.6.3` |
| [yauzl](https://github.com/thejoshwolfe/yauzl) | `3.3.2` | `3.4.0` |



Updates `commander` from 14.0.3 to 15.0.0
- [Release notes](https://github.com/tj/commander.js/releases)
- [Changelog](https://github.com/tj/commander.js/blob/master/CHANGELOG.md)
- [Commits](tj/commander.js@v14.0.3...v15.0.0)

Updates `@ai-sdk/anthropic` from 3.0.81 to 3.0.84
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/anthropic@3.0.84/packages/anthropic/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/anthropic@3.0.84/packages/anthropic)

Updates `@ai-sdk/google` from 3.0.80 to 3.0.82
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/google@3.0.82/packages/google/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/google@3.0.82/packages/google)

Updates `@ai-sdk/openai` from 3.0.68 to 3.0.71
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/openai@3.0.71/packages/openai/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/openai@3.0.71/packages/openai)

Updates `ai` from 6.0.197 to 6.0.205
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/ai@6.0.205/packages/ai/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/ai@6.0.205/packages/ai)

Updates `protobufjs` from 8.6.0 to 8.6.3
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@protobufjs-v8.6.0...protobufjs-v8.6.3)

Updates `yauzl` from 3.3.2 to 3.4.0
- [Commits](thejoshwolfe/yauzl@3.3.2...3.4.0)

---
updated-dependencies:
- dependency-name: "@ai-sdk/anthropic"
  dependency-version: 3.0.84
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@ai-sdk/google"
  dependency-version: 3.0.82
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@ai-sdk/openai"
  dependency-version: 3.0.71
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: ai
  dependency-version: 6.0.203
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: commander
  dependency-version: 15.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: protobufjs
  dependency-version: 8.6.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: yauzl
  dependency-version: 3.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-dependencies-da1f8b8e55 branch from b45c612 to bcfa401 Compare June 22, 2026 14:26