Skip to content

build(deps): bump the npm_and_yarn group across 2 directories with 3 updates#6

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-b410734e11
Open

build(deps): bump the npm_and_yarn group across 2 directories with 3 updates#6
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-b410734e11

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 11, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 2 updates in the / directory: agents and drizzle-orm.
Bumps the npm_and_yarn group with 1 update in the /debug-tools/presentation-tester directory: vite.

Updates agents from 0.2.35 to 0.15.0

Release notes

Sourced from agents's releases.

agents@0.15.0

Minor Changes

  • #1701 6caa6e8 Thanks @​mattzcarey! - Refactor WorkerTransport to extend the official MCP SDK's WebStandardStreamableHTTPServerTransport instead of being a hand-rolled implementation.

    The wrapper is now a thin subclass that layers Workers-specific concerns on top of the SDK transport:

    • CORS — preflight handling and response-header injection (corsOptions).
    • Persistent transport state across DO hibernation via the existing MCPStorageApi adapter. sessionId, initialized, and initializeParams are snapshotted after each request and replayed on cold start so client capabilities are restored without a fresh initialize round-trip.
    • SSE keepalive — preserves the issue #1583 fix. Uses the shared KEEPALIVE_FRAME (: keepalive\n\n) at KEEPALIVE_INTERVAL_MS (25s) from sse-keepalive.ts. Keepalive is unconditional on POST response streams and disabled on the standalone GET stream when an eventStore is configured (clients recover idle drops via Last-Event-ID instead).

    Everything else — session validation, SSE streaming, protocol-version negotiation, event-store resumability, send/close lifecycle — is delegated to the SDK transport. Net: ~500 fewer lines of code to maintain.

    The exported shape is unchanged: WorkerTransport, WorkerTransportOptions, MCPStorageApi, and TransportState keep the same names, and WorkerTransportOptions now also extends the SDK's transport options. The default createMcpHandler path (a fresh transport per request) is unaffected.

    There are, however, a few observable behaviour changes for callers who used WorkerTransport directly or relied on its previous quirks:

    • handleRequest's second argument is now { parsedBody?, authInfo? } (the SDK shape) instead of a positional parsedBody. createMcpHandler and McpAgent don't pass it, but callers invoking transport.handleRequest(request, parsedBody) directly must wrap it as transport.handleRequest(request, { parsedBody }).
    • retryInterval priming now follows the SDK contract. Previously a retry: priming frame was written to any GET SSE stream whenever retryInterval was set. The SDK only writes a priming event when an eventStore is configured and the negotiated protocol version is >= 2025-11-25 (older clients can't parse the empty-data: priming frame), and on POST streams rather than the standalone GET stream. retryInterval is still accepted but only affects that SDK priming event.
    • onerror now fires on client/protocol validation failures. The SDK invokes onerror for responses such as 400/405/406/415 and session-not-found. The old transport only surfaced internal errors, so handlers that log onerror will now see normal client mistakes.
    • onsessionclosed fires before the underlying close() (and therefore before onclose) on DELETE, instead of after. Ordering only; the session id is still passed.
    • started is now read-only. It was a writable instance field and is now a getter backed by the SDK's internal _started flag. Reading it (e.g. createMcpHandler's reconnect guard) is unchanged; assigning to it is no longer supported.
    • createMcpHandler now forwards SDK transport options. Because WorkerTransportOptions extends the SDK options, the handler passes through everything except its own route/authContext/transport fields — including eventStore, retryInterval, onsessionclosed, and the SDK DNS-rebinding options (enableDnsRebindingProtection, allowedHosts, allowedOrigins). The previous handler silently dropped these.

    The SDK dependency is pinned exactly (@modelcontextprotocol/sdk 1.29.0, no caret) because the wrapper relies on a handful of SDK internals for state restore and keepalive cleanup. The exact pin stops a patch release from shifting those out from under us, and the tests assert against the SDK field names so a bump fails CI loudly rather than breaking at runtime.

agents@0.14.5

Patch Changes

  • #1613 124a47a Thanks @​threepointone! - Introduce the first Think framework layer for convention-driven agent apps.

    This release adds a manifest-driven Vite plugin that discovers agents from the agents/ directory, generates a Worker entrypoint and virtual framework modules, derives stable Durable Object class names, and merges framework-owned Worker config defaults with user Wrangler config. It also keeps the Think Vite plugin usable directly in normal Vite plugin arrays.

    The framework now supports optional app server entries, manifest-scoped friendly agent and sub-agent routing, deterministic route surfaces, colocated skill detection, Worker Loader requirement diagnostics, and explicit diagnostics for unsupported nested sub-agent conventions. Think currently supports top-level agents and one sub-agent layer; deeper nesting is rejected with guidance so that the routing and lifecycle model can be designed deliberately.

    This framework layer is experimental: both the Vite plugin (once, on build start) and the think CLI (on startup) emit a notice that the API may change or be removed in any release. The core Think agent runtime is unchanged.

    The Think CLI now includes think init, think inspect, and think types. think init scaffolds a minimal Workers/Vite Think app, safely handles prompted

... (truncated)

Changelog

Sourced from agents's changelog.

0.15.0

Minor Changes

  • #1701 6caa6e8 Thanks @​mattzcarey! - Refactor WorkerTransport to extend the official MCP SDK's WebStandardStreamableHTTPServerTransport instead of being a hand-rolled implementation.

    The wrapper is now a thin subclass that layers Workers-specific concerns on top of the SDK transport:

    • CORS — preflight handling and response-header injection (corsOptions).
    • Persistent transport state across DO hibernation via the existing MCPStorageApi adapter. sessionId, initialized, and initializeParams are snapshotted after each request and replayed on cold start so client capabilities are restored without a fresh initialize round-trip.
    • SSE keepalive — preserves the issue #1583 fix. Uses the shared KEEPALIVE_FRAME (: keepalive\n\n) at KEEPALIVE_INTERVAL_MS (25s) from sse-keepalive.ts. Keepalive is unconditional on POST response streams and disabled on the standalone GET stream when an eventStore is configured (clients recover idle drops via Last-Event-ID instead).

    Everything else — session validation, SSE streaming, protocol-version negotiation, event-store resumability, send/close lifecycle — is delegated to the SDK transport. Net: ~500 fewer lines of code to maintain.

    The exported shape is unchanged: WorkerTransport, WorkerTransportOptions, MCPStorageApi, and TransportState keep the same names, and WorkerTransportOptions now also extends the SDK's transport options. The default createMcpHandler path (a fresh transport per request) is unaffected.

    There are, however, a few observable behaviour changes for callers who used WorkerTransport directly or relied on its previous quirks:

    • handleRequest's second argument is now { parsedBody?, authInfo? } (the SDK shape) instead of a positional parsedBody. createMcpHandler and McpAgent don't pass it, but callers invoking transport.handleRequest(request, parsedBody) directly must wrap it as transport.handleRequest(request, { parsedBody }).
    • retryInterval priming now follows the SDK contract. Previously a retry: priming frame was written to any GET SSE stream whenever retryInterval was set. The SDK only writes a priming event when an eventStore is configured and the negotiated protocol version is >= 2025-11-25 (older clients can't parse the empty-data: priming frame), and on POST streams rather than the standalone GET stream. retryInterval is still accepted but only affects that SDK priming event.
    • onerror now fires on client/protocol validation failures. The SDK invokes onerror for responses such as 400/405/406/415 and session-not-found. The old transport only surfaced internal errors, so handlers that log onerror will now see normal client mistakes.
    • onsessionclosed fires before the underlying close() (and therefore before onclose) on DELETE, instead of after. Ordering only; the session id is still passed.
    • started is now read-only. It was a writable instance field and is now a getter backed by the SDK's internal _started flag. Reading it (e.g. createMcpHandler's reconnect guard) is unchanged; assigning to it is no longer supported.
    • createMcpHandler now forwards SDK transport options. Because WorkerTransportOptions extends the SDK options, the handler passes through everything except its own route/authContext/transport fields — including eventStore, retryInterval, onsessionclosed, and the SDK DNS-rebinding options (enableDnsRebindingProtection, allowedHosts, allowedOrigins). The previous handler silently dropped these.

    The SDK dependency is pinned exactly (@modelcontextprotocol/sdk 1.29.0, no caret) because the wrapper relies on a handful of SDK internals for state restore and keepalive cleanup. The exact pin stops a patch release from shifting those out from under us, and the tests assert against the SDK field names so a bump fails CI loudly rather than breaking at runtime.

0.14.5

Patch Changes

  • #1613 124a47a Thanks @​threepointone! - Introduce the first Think framework layer for convention-driven agent apps.

    This release adds a manifest-driven Vite plugin that discovers agents from the agents/ directory, generates a Worker entrypoint and virtual framework modules, derives stable Durable Object class names, and merges framework-owned Worker config defaults with user Wrangler config. It also keeps the Think Vite plugin usable directly in normal Vite plugin arrays.

    The framework now supports optional app server entries, manifest-scoped friendly agent and sub-agent routing, deterministic route surfaces, colocated skill detection, Worker Loader requirement diagnostics, and explicit diagnostics for unsupported nested sub-agent conventions. Think currently supports top-level agents and one sub-agent layer; deeper nesting is rejected with guidance so that the routing and lifecycle model can be designed deliberately.

    This framework layer is experimental: both the Vite plugin (once, on build start) and the think CLI (on startup) emit a notice that the API may change or be removed in any release. The core Think agent runtime is unchanged.

    The Think CLI now includes think init, think inspect, and think types. think init scaffolds a minimal Workers/Vite Think app, safely handles prompted

... (truncated)

Commits

Updates drizzle-orm from 0.44.7 to 0.45.2

Release notes

Sourced from drizzle-orm's releases.

0.45.2

  • Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @​EthanKim88, @​0x90sh and @​wgoodall01 for reaching out to us with a reproduction and suggested fix

0.45.1

  • Fixed pg-native Pool detection in node-postgres transactions breaking in environments with forbidden require() (#5107)

0.45.0

  • Fixed pg-native Pool detection in node-postgres transactions
  • Allowed subqueries in select fields
  • Updated typo algorythm => algorithm
  • Fixed $onUpdate not handling SQL values (fixes #2388, tests implemented by L-Mario564 in #2911)
  • Fixed pg mappers not handling Date instances in bun-sql:postgresql driver responses for date, timestamp types (fixes #4493)
Commits
  • 273c780 + 0.45.2 (#5534)
  • 4aa6ecf Kit updates (#5490)
  • e8e6edf feat(drizzle-kit): support d1 via binding (#5302)
  • a086f59 Fixed pg-native Pool detection in node-postgres transactions breaking in envi...
  • c445637 Merge pull request #5095 from drizzle-team/main-workflows
  • e7b3aaa Merge branch 'main' into main-workflows
  • 0d885a5 refactor: Update condition for run-feature job to improve clarity and functio...
  • 45a1ffb Merge pull request #5087 from drizzle-team/main-workflows
  • 6357645 chore: Comment out NEON_HTTP_CONNECTION_STRING requirement in release workflows
  • 53dec98 refactor: Simplify release router workflow by removing unnecessary switch job...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for drizzle-orm since your current version.


Updates vite from 5.4.21 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

8.0.15 (2026-06-01)

Features

Bug Fixes

  • capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
  • deps: update all non-major dependencies (#22511) (2686d7d)
  • dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
  • glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
  • optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
  • resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

Code Refactoring

8.0.14 (2026-05-21)

Features

Bug Fixes

  • deps: update all non-major dependencies (#22471) (98b8163)
  • dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
  • html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
  • optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

  • deps: update rolldown-related dependencies (#22470) (7cb728e)
  • remove irrelevant commits from changelog (2c69495)

Code Refactoring

  • glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…updates

Bumps the npm_and_yarn group with 2 updates in the / directory: [agents](https://github.com/cloudflare/agents/tree/HEAD/packages/agents) and [drizzle-orm](https://github.com/drizzle-team/drizzle-orm).
Bumps the npm_and_yarn group with 1 update in the /debug-tools/presentation-tester directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).


Updates `agents` from 0.2.35 to 0.15.0
- [Release notes](https://github.com/cloudflare/agents/releases)
- [Changelog](https://github.com/cloudflare/agents/blob/main/packages/agents/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/agents/commits/agents@0.15.0/packages/agents)

Updates `drizzle-orm` from 0.44.7 to 0.45.2
- [Release notes](https://github.com/drizzle-team/drizzle-orm/releases)
- [Commits](drizzle-team/drizzle-orm@0.44.7...0.45.2)

Updates `vite` from 5.4.21 to 8.0.16
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

---
updated-dependencies:
- dependency-name: agents
  dependency-version: 0.15.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: drizzle-orm
  dependency-version: 0.45.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code size/S

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants