chore(deps): bump the patches group across 1 directory with 27 updates

[dependabot]

Bumps the patches group with 27 updates in the / directory:

Package	From	To
@ai-sdk/mcp	1.0.35	1.0.38
@ai-sdk/openai-compatible	2.0.41	2.0.43
@ai-sdk/react	3.0.155	3.0.174
@headlessui/react	2.2.0	2.2.10
@opentelemetry/api	1.9.0	1.9.1
@radix-ui/react-accordion	1.2.3	1.2.12
@radix-ui/react-avatar	1.1.3	1.1.11
@radix-ui/react-collapsible	1.1.11	1.1.12
@radix-ui/react-dialog	1.1.6	1.1.15
@radix-ui/react-dropdown-menu	2.1.6	2.1.16
@radix-ui/react-hover-card	1.1.6	1.1.15
@radix-ui/react-label	2.1.2	2.1.8
@radix-ui/react-scroll-area	1.2.9	1.2.10
@radix-ui/react-select	2.2.5	2.2.6
@radix-ui/react-separator	1.1.2	1.1.8
@radix-ui/react-tabs	1.1.3	1.1.13
@react-three/fiber	9.6.0	9.6.1
@tailwindcss/postcss	4.2.0	4.2.4
ai	6.0.153	6.0.172
jsonwebtoken	9.0.2	9.0.3
katex	0.16.22	0.16.45
langfuse	3.38.4	3.38.20
livekit-server-sdk	2.15.0	2.15.2
nanoid	5.1.5	5.1.11
openai-edge	1.2.2	1.2.3
tailwindcss	4.2.0	4.2.4
use-stick-to-bottom	1.1.1	1.1.4

Updates @ai-sdk/mcp from 1.0.35 to 1.0.38

Release notes

Sourced from @​ai-sdk/mcp's releases.

@​ai-sdk/mcp@​1.0.38

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• 5fee301: fix(mcp): prevent prototype pollution by using secureJsonParse
• Updated dependencies [a727da4]
  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10

Changelog

Sourced from @​ai-sdk/mcp's changelog.

1.0.38

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• 5fee301: fix(mcp): prevent prototype pollution by using secureJsonParse
• Updated dependencies [a727da4]
  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10

1.0.37

Patch Changes

• a7f3c72: trigger release for all packages after provenance setup
• Updated dependencies [a7f3c72]
  • @​ai-sdk/provider@​3.0.9
  • @​ai-sdk/provider-utils@​4.0.24

1.0.36

Patch Changes

• 9a8d276: feat(mcp): surface 'serverInfo' exposed from the MCP server

Commits

• 8e650ab Version Packages (#14824)
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 5fee301 backport v6: fix(mcp): prevent prototype pollution by using secureJsonParse (...
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• dce61ca Version Packages (#14324)
• 9a8d276 Backport: feat(mcp): surface 'serverInfo' exposed from the MCP server (#14321)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/mcp since your current version.

Updates @ai-sdk/openai-compatible from 2.0.41 to 2.0.43

Release notes

Sourced from @​ai-sdk/openai-compatible's releases.

@​ai-sdk/openai-compatible@​2.0.43

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [a727da4]
  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10

Changelog

Sourced from @​ai-sdk/openai-compatible's changelog.

2.0.43

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [a727da4]
  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10

2.0.42

Patch Changes

• a7f3c72: trigger release for all packages after provenance setup
• 408a2ad: patch - send content: null instead of empty string for tool-only assistant messages
• Updated dependencies [a7f3c72]
  • @​ai-sdk/provider@​3.0.9
  • @​ai-sdk/provider-utils@​4.0.24

Commits

• 8e650ab Version Packages (#14824)
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• 408a2ad Backport: fix(openai, openai-compatible): send null content for tool-only ass...
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/openai-compatible since your current version.

Updates @ai-sdk/react from 3.0.155 to 3.0.174

Release notes

Sourced from @​ai-sdk/react's releases.

@​ai-sdk/react@​3.0.174

Patch Changes

• ai@6.0.172

@​ai-sdk/react@​3.0.173

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [48f842a]
• Updated dependencies [a727da4]
• Updated dependencies [5fee301]
  • ai@6.0.171
  • @​ai-sdk/provider-utils@​4.0.25

Changelog

Sourced from @​ai-sdk/react's changelog.

3.0.174

Patch Changes

• ai@6.0.172

3.0.173

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [48f842a]
• Updated dependencies [a727da4]
• Updated dependencies [5fee301]
  • ai@6.0.171
  • @​ai-sdk/provider-utils@​4.0.25

3.0.172

Patch Changes

• Updated dependencies [19d587a]
  • ai@6.0.170

3.0.171

Patch Changes

• a7f3c72: trigger release for all packages after provenance setup
• Updated dependencies [2662bb5]
• Updated dependencies [a7f3c72]
  • ai@6.0.169
  • @​ai-sdk/provider-utils@​4.0.24

3.0.170

Patch Changes

• ai@6.0.168

3.0.169

Patch Changes

• ai@6.0.167

3.0.168

Patch Changes

... (truncated)

Commits

• 29c80ec Version Packages (#14868)
• 8e650ab Version Packages (#14824)
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 7ab1e18 Version Packages (#14815)
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• c38119a Version Packages (#14574)
• db2a49b Version Packages (#14558)
• c76f57a Version Packages (#14553)
• 1072e57 Version Packages (#14535)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/react since your current version.

Updates @headlessui/react from 2.2.0 to 2.2.10

Release notes

Sourced from @​headlessui/react's releases.

@​headlessui/react@​v2.2.10

Fixed

• Don’t render <Portal> while hydrating (#3825)
• Fix passing props on Fragment error due to Symbol(react.lazy) (#3873)

@​headlessui/react@​v2.2.9

Fixed

• Improve focus management in shadow DOM roots (#3794)
• Don't accidentally open the Combobox when touching the ComboboxButton while dragging on mobile (#3795)
• Ensure sibling Dialog components are scrollable on mobile (#3796)
• Infer Combobox type based on onChange handler (#3798)
• Allow home/end key default behavior inside ComboboxInput when Combobox is closed (#3798)
• Ensure interacting with a Dialog on iOS works after interacting with a disallowed area (#3801)
• Freeze Listbox values as soon as a value is selected (#3802)
• Ensure refs are forwarded when freezing data (#3390)
• Do not serialize React components into form fields (49e9e8e)

@​headlessui/react@​v2.2.8

Fixed

• Ensure we are not freezing data when the static prop is used (#3779)
• Ensure onChange types are contravariant instead of bivariant (#3781)
• Support <summary> as a focusable element inside <details> (#3389)
• Fix Maximum update depth exceeded crash when using transition prop (#3782)
• Ensure pressing Tab in the ComboboxInput, correctly syncs the input value (#3785)
• Ensure --button-width and --input-width have the latest value (#3786)
• Fix 'Invalid prop data-headlessui-state supplied to React.Fragment' warning (#3788)
• Ensure element in ref callback is always connected when rendering in a Portal (#3789)
• Ensure form state is up to date when using uncontrolled components (#3790)
• Ensure data-open on ComboboxInput is up to date (#3791)
• Ensure changing the immediate prop value on the Combobox component works as expected (#3792)

@​headlessui/react@​v2.2.7

Fixed

• Fix incorrect double invocation of menu items, listbox options and combobox options (#3766)
• Fix memory leak in SSR environment (#3767)
• Ensure programmatic .click() on MenuButton ref works (#3768)
• Don't activate hovered items while using the keyboard (#3769)

@​headlessui/react@​v2.2.6

Fixed

• Fix immediately closing Listbox by requiring some cursor movement (#3762)

@​headlessui/react@​v2.2.5

Fixed

... (truncated)

Changelog

Sourced from @​headlessui/react's changelog.

[2.2.10] - 2026-04-07

Fixed

• Don’t render <Portal> while hydrating (#3825)
• Fix passing props on Fragment error due to Symbol(react.lazy) (#3873)

[2.2.9] - 2025-09-25

Fixed

• Improve focus management in shadow DOM roots (#3794)
• Don't accidentally open the Combobox when touching the ComboboxButton while dragging on mobile (#3795)
• Ensure sibling Dialog components are scrollable on mobile (#3796)
• Infer Combobox type based on onChange handler (#3798)
• Allow home/end key default behavior inside ComboboxInput when Combobox is closed (#3798)
• Ensure interacting with a Dialog on iOS works after interacting with a disallowed area (#3801)
• Freeze Listbox values as soon as a value is selected (#3802)
• Ensure refs are forwarded when freezing data (#3390)
• Do not serialize React components into form fields (49e9e8e)

[2.2.8] - 2025-09-12

Fixed

• Ensure we are not freezing data when the static prop is used (#3779)
• Ensure onChange types are contravariant instead of bivariant (#3781)
• Support <summary> as a focusable element inside <details> (#3389)
• Fix Maximum update depth exceeded crash when using transition prop (#3782)
• Ensure pressing Tab in the ComboboxInput, correctly syncs the input value (#3785)
• Ensure --button-width and --input-width have the latest value (#3786)
• Fix 'Invalid prop data-headlessui-state supplied to React.Fragment' warning (#3788)
• Ensure element in ref callback is always connected when rendering in a Portal (#3789)
• Ensure form state is up to date when using uncontrolled components (#3790)
• Ensure data-open on ComboboxInput is up to date (#3791)
• Ensure changing the immediate prop value on the Combobox component works as expected (#3792)

[2.2.7] - 2025-07-30

Fixed

• Fix incorrect double invocation of menu items, listbox options and combobox options (#3766)
• Fix memory leak in SSR environment (#3767)
• Ensure programmatic .click() on MenuButton ref works (#3768)
• Don't activate hovered items while using the keyboard (#3769)

[2.2.6] - 2025-07-24

Fixed

... (truncated)

Commits

• d13526d 2.2.10 - @​headlessui/react
• b0dcd8f Handle props on Fragment error due to Symbol(react.lazy) (#3873)
• 7baca70 Don’t render \<Portal>s while hydrating (#3825)
• 5ef7395 Add RefProp to props (#3823)
• 589ea90 2.2.9 - @​headlessui/react
• bba75c7 update changelog
• ca536ed update changelog
• 49e9e8e do not serialize React components into form fields
• 2a647a7 Ensure refs are forwarded when freezing data (#3390)
• da2fa94 Freeze values as soon as possible (#3802)
• Additional commits viewable in compare view

Updates @opentelemetry/api from 1.9.0 to 1.9.1

Release notes

Sourced from @​opentelemetry/api's releases.

api/v1.9.1

1.9.1

🐛 (Bug Fix)

• fix(api): prioritize esnext export condition as it is more specific #5458
• fix(api): update diag consoleLogger to use original console methods to prevent infinite loop when a console instrumentation is present #6395
• fix(api): use Attributes instead of deprecated SpanAttributes in SpanOptions #6478 @​overbalance
• fix(diag): change types in DiagComponentLogger from any to unknown#5478 @​loganrosen
• fix(api): re-introduce fallback chain for global utils #6523 @​pichlermarc

🏠 (Internal)

• refactor(api): refactor to avoid circular deps by merging observable types into Metric.ts #6441 @​pichlermarc
• refactor(api): remove "export *" in favor of explicit named exports #4880 @​robbkidd
• chore: enable tsconfig isolatedModules #5697 @​legendecas
• chore: disallow constructor parameter property syntax #6187 @​legendecas
• refactor(api): remove platform-specific globalThis, use globalThis directly #6208 @​overbalance
• chore(api): mark ProxyTracerProvider as deprecated #6328 @​cjihrig
• chore: enforce import type for type-only imports via ESLint #6467 @​overbalance
• perf(api): improve isValidSpanId, isValidTraceId performance #5714 @​seemk

Changelog

Sourced from @​opentelemetry/api's changelog.

1.9.1

🐛 (Bug Fix)

• fix: avoid grpc types dependency #3551 @​flarna
• fix(otlp-proto-exporter-base): Match Accept header with Content-Type in the proto exporter #3562 @​scheler
• fix: include tracestate in export #3569 @​flarna

🏠 (Internal)

• chore: fix cross project links and missing implicitly exported types #3533 @​legendecas
• feat(sdk-metrics): add exponential histogram mapping functions #3504 @​mwear

Commits

• 279458e Release 1.9.1 / 0.35.1 (#3573)
• 4978743 fix(http): remove outgoing headers normalization (#3557)
• d1f9594 chore(deps): update dependency rimraf to v4 (#3532)
• e0abcc0 fix: remove JSON syntax error and regenerate tsconfig files (#3566)
• a90c558 fix(sdk-node): register instrumentations early (#3502)
• 5b070b8 fix: include TraceState in trace exports (#3569)
• dcb09b7 chore(deps): update dependency gh-pages to v5 (#3571)
• 3bc93a9 feat: exponential histogram - part 1 - mapping functions (#3504)
• 3670071 fix: avoid grpc types dependency (#3551)
• b5ef0e4 chore: fix proto generation (#3567)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/api since your current version.

Updates @radix-ui/react-accordion from 1.2.3 to 1.2.12

Commits

• See full diff in compare view

Updates @radix-ui/react-avatar from 1.1.3 to 1.1.11

Commits

• See full diff in compare view

Updates @radix-ui/react-collapsible from 1.1.11 to 1.1.12

Commits

• See full diff in compare view

Updates @radix-ui/react-dialog from 1.1.6 to 1.1.15

Commits

• See full diff in compare view

Updates @radix-ui/react-dropdown-menu from 2.1.6 to 2.1.16

Commits

• See full diff in compare view

Updates @radix-ui/react-hover-card from 1.1.6 to 1.1.15

Commits

• See full diff in compare view

Updates @radix-ui/react-label from 2.1.2 to 2.1.8

Commits

• See full diff in compare view

Updates @radix-ui/react-scroll-area from 1.2.9 to 1.2.10

Commits

• See full diff in compare view

Updates @radix-ui/react-select from 2.2.5 to 2.2.6

Commits

• See full diff in compare view

Updates @radix-ui/react-separator from 1.1.2 to 1.1.8

Commits

• See full diff in compare view

Updates @radix-ui/react-tabs from 1.1.3 to 1.1.13

Commits

• See full diff in compare view

Updates @react-three/fiber from 9.6.0 to 9.6.1

Release notes

Sourced from @​react-three/fiber's releases.

v9.6.1

What's Changed

• fix: Seamlessly transfer interactivity state when swapping instances (#3743) by @​notrabs in pmndrs/react-three-fiber#3744

Full Changelog: pmndrs/react-three-fiber@v9.6.0...v9.6.1

Commits

• 2a52874 RELEASING: Releasing 1 package(s)
• b645741 docs(changeset): fix: Seamlessly transfer interactivity state when swapping i...
• 119668f fix: Seamlessly transfer interactivity state when swapping instances (#3744)
• 943a37e Merge pull request #3738 from pmndrs:chore/simplify-shadermaterial-demo
• 1be9504 chore: Add uniform piercing test
• 4df10c0 chore: Simplify ShaderMaterial demo
• 47d30ba chore: Move ShaderMaterial uniform notes to objects out of pitfalls
• See full diff in compare view

Updates @tailwindcss/postcss from 4.2.0 to 4.2.4

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

v4.2.2

Added

• Support Vite 8 in @tailwindcss/vite (#19790)

Fixed

• Don't crash when candidates contain prototype properties like row-constructor (#19725)
• Canonicalize calc(var(--spacing)*…) expressions into --spacing(…) (#19769)
• Fix crash in canonicalization step when handling utilities containing @property at-rules (e.g. shadow-sm border) (#19727)
• Skip full reload for server only modules scanned by client CSS when using @tailwindcss/vite (#19745)
• Improve canonicalization for bare values exceeding default spacing scale suggestions (e.g. w-1234 h-1234 → size-1234) (#19809)
• Fix canonicalization resulting in empty list (e.g. w-5 h-5 size-5 → '' instead of size-5) (#19812)

v4.2.1

Fixed

• Allow trailing dash in functional utility names for backwards compatibility (#19696)
• Properly detect classes containing . characters within curly braces in MDX files (#19711)

Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.2.4] - 2026-04-21

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

[4.2.3] - 2026-04-20

Fixed

• Canonicalization: improve canonicalization for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

[4.2.2] - 2026-03-18

Fixed

• Don't crash when candidates contain prototype properties like row-constructor (#19725)
• Canonicalize calc(var(--spacing)*…) expressions into --spacing(…) (#19769)
• Fix crash in canonicalization step when handling utilities containing @property at-rules (e.g. shadow-sm border) (#19727)
• Skip full reload for server only modules scanned by client CSS when using @tailwindcss/vite (#19745)
• Add support for Vite 8 in @tailwindcss/vite (#19790)
• Improve canonicalization for bare values exceeding default spacing scale suggestions (e.g. w-1234 h-1234 → size-1234) (#19809)
• Fix canonicalization resulting in empty list (e.g. w-5 h-5 size-5 → '' instead of size-5) (#19812)
• Resolve tsconfig paths to allow for @import '@/path/to/file'; when using @tailwindcss/vite (#19803)

[4.2.1] - 2026-02-23

Fixed

• Allow trailing dash in functional utility names for backwards compatibility (#19696)

... (truncated)

Commits

• 69ad7cc 4.2.4 (#19948)
• 685c19e Fix issue around resolving paths in @tailwindcss/vite (#19947)
• 2e3fa49 4.2.3 (#19944)
• 4527123 docs(postcss): remove duplicated optimize example from README (#19938)
• aad6017 docs/fix-lightning-css-typo-postcss-readme (#19913)
• d596b0c 4.2.2 (#19821)
• faa5e88 Cleanup inconsistencies related to (regex) escapes (#19804)
• 1dce64e 4.2.1 (#19714)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/postcss since your current version.

Updates ai from 6.0.153 to 6.0.172

Release notes

Sourced from ai's releases.

ai@6.0.172

Patch Changes

• Updated dependencies [982af78]
  • @​ai-sdk/gateway@​3.0.107

ai@6.0.171

Patch Changes

• 48f842a: fix(ai): enforce callOptionsSchema at runtime in ToolLoopAgent

  ToolLoopAgentSettings.callOptionsSchema was declared and documented as a runtime schema for options, but tool-loop-agent.ts never invoked it. Any invariant a developer encoded in the schema was silently bypassed at runtime, and unchecked options flowed straight into prepareCall and any instructions template that interpolated them.

  ToolLoopAgent.prepareCall now validates caller-supplied options against callOptionsSchema (when set) via safeValidateTypes, throwing InvalidArgumentError on failure before forwarding to prepareCall / generateText / streamText.

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles

• 5fee301: fix(mcp): prevent prototype pollution by using secureJsonParse

• Updated dependencies [a727da4]

  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10
  • @​ai-sdk/gateway@​3.0.106

Changelog

Sourced from ai's changelog.

6.0.172

Patch Changes

• Updated dependencies [982af78]
  • @​ai-sdk/gateway@​3.0.107

6.0.171

Patch Changes

• 48f842a: fix(ai): enforce callOptionsSchema at runtime in ToolLoopAgent

  ToolLoopAgentSettings.callOptionsSchema was declared and documented as a runtime schema for options, but tool-loop-agent.ts never invoked it. Any invariant a developer encoded in the schema was silently bypassed at runtime, and unchecked options flowed straight into prepareCall and any instructions template that interpolated them.

  ToolLoopAgent.prepareCall now validates caller-supplied options against callOptionsSchema (when set) via safeValidateTypes, throwing InvalidArgumentError on failure before forwarding to prepareCall / generateText / streamText.

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles

• 5fee301: fix(mcp): prevent prototype pollution by using secureJsonParse

• Updated dependencies [a727da4]

  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10
  • @​ai-sdk/gateway@​3.0.106

6.0.170

Patch Changes

• 19d587a: fix(ai): add allowSystemInMessages option and warn by default when system messages are found in prompt or messages

6.0.169

Patch Changes

• 2662bb5: skip validation for tool parts in terminal states when tool schema is no longer registered
• a7f3c72: trigger release for all packages after provenance setup
• Updated dependencies [a7f3c72]
• Updated dependencies [4368079]
• Updated dependencies [c71ad14]
  • @​ai-sdk/gateway@​3.0.105
  • @​ai-sdk/provider@​3.0.9
  • @​ai-sdk/provider-utils@​4.0.24

6.0.168

Patch Changes

• Updated dependencies [493d7d4]
  • @​ai-sdk/gateway@​3.0.104

... (truncated)

Commits

• 29c80ec Version Packages (#14868)
• 8e650ab Version Packages (#14824)
• 48f842a backport v6: fix(ai): enforce callOptionsSchema at runtime in ToolLoopAgent (...
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 5fee301 backport v6: fix(mcp): prevent prototype pollution by using secureJsonParse (...
• 7ab1e18 Version Packages (#14815)
• Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
langfuse-docs	Ready	Preview, Comment	May 1, 2026 0:09am

[claude]

LGTM, patch-level dependency bumps from Dependabot.

Extended reasoning...

Overview

This PR is a Dependabot-generated patch bump touching only package.json and pnpm-lock.yaml, updating 27 dependencies within the same major versions (e.g., Radix UI, AI SDK, Tailwind CSS, KaTeX, etc.) for the langfuse-docs site.

Security risks

No direct security risks identified. The changes are limited to patch-level version bumps; jsonwebtoken 9.0.2 → 9.0.3 simply pulls in jws 4.0.1, which is a benign internal update. No code logic changes.

Level of scrutiny

Low scrutiny is appropriate. This is a docs/marketing site repo, the changes are mechanical patch bumps with no major version jumps, the bug hunting system flagged nothing, and the Vercel preview build is the validating signal.

Other factors

The PR is labeled size:XS, comes from Dependabot's batched patches group, and follows the same pattern as the prior dependency bump merged just before this one (5ea0f42 chore(deps): bump the patches group...).