v3.0.86

Compare Source

Patch Changes

• 6086c60: fix(anthropic): reorder assistant content b/w client and provider tool use

v3.0.85

Compare Source

Patch Changes

• Updated dependencies [779f5cd]
  • @​ai-sdk/provider-utils@​4.0.30

v0.17.4

Compare Source

v4.9.0

Compare Source

Features

• Calendar: add month and year selection (#​6582) (ca3c72e)
• ChatMessages: expose registerMessageRef (#​6275) (f99778e)
• components: allow hiding icon with false (#​6597) (09eb639)
• ContentSearch/DashboardSearch: forward input config to command palette (#​6312) (5199b7e)
• FileUpload: expose removeFile in slots (#​6492) (4da3a5d)
• locale: add Latvian language (#​6552) (fa52538)
• Modal/Slideover: add leave and enter events (#​6596) (006324a)
• module: add theme.unstyled option (#​6551) (a2a8bc9)
• PinInput: add separator prop (#​6392) (89b30e8)
• ScrollArea: add shadow prop (#​6561) (d850ae6)
• Select/SelectMenu: use multiple in theme (#​6554) (f66eb65)
• Sidebar: add transition prop (#​6484) (af80a67)
• theme: allow replacing slot classes with a function (#​6562) (ea576e2)
• theme: uniformize focus styles across components (#​6576) (b026ca2)
• useTour: new composable (#​6557) (dc05151)
• vite: add root option to override .nuxt-ui directory location (#​6595) (cccb3d5)

Bug Fixes

• CommandPalette: only scroll to highlighted item when focused (#​6579) (02259a6)
• Link: set default for locale prop (#​6563) (e9ab758)
• module: remove inline script in SPA mode for strict CSP (#​6577) (7225e9f)
• ProseCodeCollapse: cap root max-height instead of toggling pre height (#​6565) (52d3c45)
• ProseKbd: type default slot as VNode[] (52367b1)
• SelectMenu: bind id and aria attributes on trigger (#​6572) (c3bef7a)
• Select: open menu on label click (#​6575) (e8d18c3)
• Tabs: render active indicator during SSR (#​6570) (9e5b8a6)
• templates: resolve vite root to an absolute path for #build aliases (#​6586) (238e291)

v1.61.1

Compare Source

v1.61.0

Compare Source

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();

// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
  id: credentialId,
  userHandle,
  privateKey,
  publicKey,
});
await context.credentials.install();

const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

• apiResponse.securityDetails() and apiResponse.serverAddr() mirror the browser-side response.securityDetails() and response.serverAddr().

Browser and Screencast

• New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
• New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
• The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.

Test runner

• The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
• Supported expect.soft.poll(...).
• New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
• New fullConfig.failOnFlakyTests mirrors the config option, so reporters can explain why a flaky run failed.
• testInfo.errors now lists each sub-error of an AggregateError as a separate entry.
• New -G command line shorthand for --grep-invert.

🛠️ Other improvements

• Playwright now supports Ubuntu 26.04.
• HAR and trace recordings now include WebSocket requests.

Browser Versions

• Chromium 149.0.7827.55
• Mozilla Firefox 151.0
• WebKit 26.5

This version was also tested against the following stable channels:

• Google Chrome 149
• Microsoft Edge 149

v1.8.7

Compare Source

Patch Changes

• 81c3678: Removed the seperate .d.ts file and updated tsdown to v0.22.3
• 9604fd7: Split package export types per import/require condition so CJS consumers resolve .d.cts
• Updated dependencies [9604fd7]
  • @​takumi-rs/helpers@​1.8.7

v1.8.6

Compare Source

Patch Changes

• @​takumi-rs/helpers@​1.8.6

v3.7.3

Compare Source

Patch Changes

• Updated dependencies [415fde0]
  • @​vercel/oidc@​3.7.0

v3.7.2

Compare Source

Patch Changes

• 071569d: Add a maxPayload option to experimental_upgradeWebSocket(), defaulting to 256 KiB.
  • @​vercel/oidc@​3.6.2

v3.5.39

Compare Source

Bug Fixes

• compiler-core: correct filter rewrite recursion (#​14959) (be7ce31)
• hydration: force patch dynamic props when hydrating (#​9083) (024cf06), closes #​9033
• hydration: respect data-allow-mismatch on conditional branches (#​12801) (164af63), closes #​12782
• reactivity: avoid triggering effects when set fails (#​14964) (e450973)
• runtime-core: handle non-isomorphic block element update (#​15002) (932ddd0), closes #​6385
• runtime-core: normalize function children for elements and Teleport (#​9108) (2f374cd), closes #​9107
• runtime-core: pause tracking when invoking function refs (#​14985) (3ac052b)
• runtime-core: preserve once event listener name (#​8341) (87b73b6), closes #​8342
• runtime-dom: preserve option modifier event names (#​8338) (4b659e6), closes #​8334
• ssr: dedupe inherited scope ids during vnode rendering (#​15005) (027da6b), closes #​12159 #​12175
• ssr: resolve nested async teleport content (#​9431) (31d0f23), closes #​6207
• teleport: handle teleport unmount edge case (#​12705) (671997a), closes #​12702
• types: support named tuple emits (#​12676) (232f402), closes #​12673
• types: validate defineModel defaults (#​14968) (747f57e), closes #​14966

v1.15.0

Compare Source

Full Changelog: MatteoGabriele/agentscan-action@v1.14.0...v1.15.0

v6.0.209

Compare Source

v6.0.208

Compare Source

v6.0.207

Compare Source

Patch Changes

• 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

  When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

• Updated dependencies [5bfde36]

• Updated dependencies [779f5cd]

  • @​ai-sdk/gateway@​3.0.133
  • @​ai-sdk/provider-utils@​4.0.30

v6.0.206

Compare Source

Patch Changes

• Updated dependencies [e962dda]
  • @​ai-sdk/gateway@​3.0.132

v12.11.1

Compare Source

What's Changed

• Fix Electron v42 build errors on Windows by @​m4heshd in #​1488

Full Changelog: WiseLibs/better-sqlite3@v12.11.0...v12.11.1

v2.19.2

Compare Source

What's Changed

Bug Fixes 🐞

• fix(nitro): stop the v3 path importing the optional h3 peer by @​jmcgoldrick in #​373
• fix: show canonical env var names in adapter messages by @​HugoRCD in #​379
• fix(next): split instrumentation gate and quiet edge dev warnings by @​HugoRCD in #​380
• fix(nitro): flush v2 error responses by @​HugoRCD in #​375
• fix: dedupe Next captureOutput logs and map dev stacks to source by @​HugoRCD in #​381
• fix(hono): resolve "ReadableStream is locked" error in AI SDK by @​nadaniels in #​384
• fix: type framework loggers as AuditableLogger with required audit by @​HugoRCD in #​393
• fix(nuxt): restore error.vue rendering for SSR page errors by @​HugoRCD in #​391
• fix: keep Node built-ins out of the main entrypoint bundle by @​HugoRCD in #​392

Dependency Updates 📦

• chore: repo-wide hardening and performance improvements by @​HugoRCD in #​376

New Contributors

• @​jmcgoldrick made their first contribution in #​373
• @​nadaniels made their first contribution in #​384

Full Changelog: https://github.com/HugoRCD/evlog/compare/evlog@2.19.0...evlog@2.19.2

v20.10.6

Compare Source

👷‍♂️ Patch fixes

• Await NodeJS internal ReadableStream promise during teardown - By @​capricorn86 in task #​2217

v20.10.5

Compare Source

👷‍♂️ Patch fixes

• Adds cache to query selector parser - By @​capricorn86 in task #​2142
  • The selector parser degraded in performance in v20.6.3 to solve more complex selectors
  • Parsing is still a bit slower, but the cache will hopefully mitigate most of the problem

v20.10.4

Compare Source

👷‍♂️ Patch fixes

• Coerce null qualifiedName to empty string in createDocument - By @​Firer in task #​2206

v6.7.0

Compare Source

   🚀 Features

• Support Takumi v2 compatibility  -  by @​harlan-zw in #​635 (065ac)
• Sign og image urls by default  -  by @​harlan-zw in #​638 (e6c5b)

   🐞 Bug Fixes

• Point Takumi installs at v2 beta  -  by @​harlan-zw in #​636 (5aa6d)
• Prevent unauthenticated SSRF via font URL parameter  -  by @​harlan-zw in #​637 (243ca)

    View changes on GitHub

v6.2.2

Compare Source

   🐞 Bug Fixes

• Export schema-org v2 vue helpers  -  by @​harlan-zw in #​130 (9cab5)

   🏎 Performance

• devtools: Move nuxtseo-layer-devtools to dev dep  -  by @​harlan-zw in #​128 (19808)

    View changes on GitHub

v11.9.0

Compare Source

v11.8.0

Compare Source

Minor Changes

• c112b61: Added a --dry-run option to pnpm install. It runs a full dependency resolution and reports what an install would change, but writes nothing to disk (no lockfile, no node_modules) and always exits with code 0. This mirrors the preview semantics of npm install --dry-run #​7340.

• 179ebc4: pnpm run --no-bail now exits with a non-zero exit code when any of the executed scripts fail, while still running every matched script to completion. This makes the exit-code behavior of --no-bail consistent between recursive and non-recursive runs (recursive runs already failed at the end). Previously, a non-recursive pnpm run --no-bail always exited with code 0, even when a script failed #​8013.

• 0474a9c: Added support for generating Node.js package maps at node_modules/.package-map.json during isolated and hoisted installs. Added the node-experimental-package-map setting to inject the generated map into pnpm-managed Node.js script environments, and the node-package-map-type setting to choose between standard and loose package maps.

• dcededc: pnpm sbom now marks components reachable only through devDependencies with CycloneDX scope: "excluded" and the cdx:npm:package:development property. The excluded scope documents "component usage for test and other non-runtime purposes", which matches the semantics of a devDependency; the property is the CycloneDX npm-taxonomy marker emitted by @cyclonedx/cyclonedx-npm, so both modern (scope) and existing (property) consumers are covered. Components reachable at runtime (including installed optionalDependencies) omit scope and default to required.

• 1495cb0: Added per-package SBOM generation with --out and --split flags. Use --out out/%s.cdx.json to write one SBOM per workspace package to individual files, or --split for NDJSON output to stdout. When --filter selects a single package, the SBOM root component now uses that package's metadata. Workspace inter-dependencies (workspace: protocol) and their transitive dependencies are included. Author, repository, and license fall back to the root manifest when the package doesn't define them.

• 293921a: feat(view): support searching project manifest upward when package name is omitted

  When running pnpm view without a package name, the command now searches
  upward for the nearest project manifest (package.json, package.yaml, or package.json5) and uses its name field.
  If the manifest exists but lacks a name field, an error is thrown.

  This change also replaces the find-up dependency with empathic for
  improved performance and consistency across workspace tools.

Patch Changes

• 29ab905: Fixed pnpm update overriding the version range policy of a named catalog whose name parses as a version (e.g. catalog:express4-21). The catalog: reference carries no pinning of its own, so the prefix from the catalog entry (such as ~) is now preserved instead of being widened to ^ #​10321.

• bee4bf4: Security: validate config dependency names and versions from the env lockfile (pnpm-lock.yaml) before using them to build filesystem paths. A committed lockfile with a traversal-shaped configDependencies name (such as ../../PWNED) or version (such as ../../../PWNED) could previously cause pnpm install to create symlinks or write package files outside node_modules/.pnpm-config and the store. Names must now be valid npm package names and versions must be exact semver versions; the same validation is applied to optional subdependencies of config dependencies, and to the legacy workspace-manifest format before any lockfile is written. See GHSA-qrv3-253h-g69c.

• 96bdd57: Fix link: workspace protocol switching to file: after pnpm rm is run from inside a workspace package whose target workspace dependency has its own dependencies, when injectWorkspacePackages: true is set. Follow-up to #​10575, which fixed the same symptom for workspace packages without dependencies.

• 302a2f7: No longer warn about using both packageManager and devEngines.packageManager when the two fields pin the same package manager at the same version with the same integrity hash (e.g. both pnpm@11.5.1+sha512.…). Previously the hash was stripped from the legacy packageManager field but not from devEngines.packageManager, so even identical specifications looked like a mismatch #​12028.

  The warning still fires on any genuine divergence, and several cases now state the specific reason instead of a single generic message: a different package manager, a different version, or contradictory integrity hashes for the same version.

• 3f0fb21: Fixed the progress line showing leftover characters from external processes that write to the terminal between progress updates (e.g. an SSH passphrase prompt would leave a fragment like added 0sa':). The interactive reporter now redraws each frame in place, erasing to the end of the display before reprinting, so any such remnants are cleared #​12350.

• 564619f: Fixed pnpm approve-builds reporting "no packages awaiting approval" when a build-script dependency whose approval was revoked (e.g. after git stash drops the allowBuilds from pnpm-workspace.yaml) is re-added. The revoked packages are now correctly recorded in .modules.yaml so approve-builds can find them. #​12221

• 3d1fd20: Skip the redundant "target bin directory already contains an exe called node" warning on Windows when the existing node.exe already matches the target (same hard link or identical content) pnpm/pnpm#12203.

• 1b02b47: Fix macOS Gatekeeper blocking native binaries (.node, .dylib, .so) by removing the com.apple.quarantine extended attribute after importing them from the store.

  When pnpm imports files from its content-addressable store into node_modules, macOS preserves extended attributes, including com.apple.quarantine. If this xattr is present on a store blob (e.g. it was first written under a Gatekeeper-enabled app such as a Git client), it propagates to node_modules, and Gatekeeper blocks the native binary from loading even though pnpm already verified the file's integrity against the lockfile.

  After importing a package, pnpm now strips com.apple.quarantine from its native binaries, matching Homebrew's behaviour of dropping quarantine from verified downloads. The cleanup is macOS-only, runs in a single batched xattr call per package, is restricted to native binaries (other files are untouched), and is non-fatal (it logs a warning on unexpected errors).

  Fixes #​11056

• 61969fb: Fix pnpm install with optimisticRepeatInstall incorrectly reporting Already up to date when pnpm-lock.yaml changed but project manifests did not. This affected workflows such as checking out or restoring only the lockfile #​12100.

  Also fixes checkDepsStatus to use the correct lockfile path when useGitBranchLockfile is enabled, so the optimistic fast-path and lockfile modification detection work with pnpm-lock.<branch>.yaml files instead of always stat'ing pnpm-lock.yaml. Merge-conflict detection now reads the resolved lockfile name as well, and with mergeGitBranchLockfiles enabled every pnpm-lock.*.yaml is scanned for modifications and conflicts. The git branch is now resolved by reading .git/HEAD directly (no process spawn) and uses the workspace directory rather than process.cwd().

• 5c12968: Fix recursive updates of transitive dependencies when the update command mixes transitive dependency patterns with direct dependency selectors. For example, pnpm up -r "@​babel/core" uuid now updates matching transitive @babel/core dependencies even when uuid is a direct dependency selector #​12103.

• 9d79ba1: Register the pnpm update --no-save flag in the CLI help and option parser.

• 0474a9c: Fixed pnpm import for Yarn v2 lockfiles when js-yaml v4 is installed.

• 9e0c375: Fixed pnpm install repeatedly prompting to remove and reinstall node_modules in a workspace package when enableGlobalVirtualStore is enabled. The post-install build step recorded a per-project node_modules/.pnpm virtual store directory in node_modules/.modules.yaml, overwriting the global <storeDir>/links value the install step had written. The next install then detected a virtual-store mismatch (ERR_PNPM_UNEXPECTED_VIRTUAL_STORE). The build step now derives the same global virtual store directory as the install step #​12307.

• 223d060: Document the --cpu, --os and --libc flags in the output of pnpm install --help. These flags were already supported but were only documented on the website #​12359.

• e85aea2: Avoid reading README.md from disk when publishing if the publish manifest already provides a readme field. The README is now only read lazily, inside createExportableManifest, when it is actually needed.

• 3188ae7: Fixed pnpm peers check to accept loose peer dependency ranges such as >=3.16.0 || >=4.0.0- when the installed peer version satisfies the range #​12149.

• 531f2a3: Fixed pnpm update rewriting a workspace: dependency that points at a local path (e.g. workspace:../packages/foo/dist) into a normalized link: or version-range specifier. Such specifiers are now preserved verbatim when the workspace protocol is preserved #​3902.

• fe66535: Fixed a lockfile non-convergence bug where an incremental install kept a duplicate transitive dependency that a fresh install would not produce. When a package is reused from the lockfile, its child edges are taken verbatim and bypass the preferred-versions walk, so a transitive dependency could stay pinned to an older version even after a direct dependency resolved to a higher version that satisfies the same range. The resolver now refreshes such a stale pin to the higher direct-dependency version during resolution — so the older version is never resolved or fetched, and the incremental result converges to the fresh one.

• 6d35338: pnpm install detects changes inside local file dependencies again. The optimistic repeat-install fast path only tracks manifest and lockfile modification times, so edits inside a local dependency's directory (or a repacked local tarball) were reported as "Already up to date". Projects with local file dependencies (file: and bare local path or tarball specifiers, declared directly or through pnpm.overrides) now always run a full install, which refetches those dependencies, matching pnpm v10 behavior #​11795.

• 4ca9247: Preserve the existing Node.js runtime version prefix when resolving node@runtime:<range> to a concrete version.

• 30c7590: Create shorter CAFS temporary package directories to leave room for lifecycle scripts that create IPC socket paths under TMPDIR.

• 13815ad: Reporter output (warnings, progress) for pnpm store and pnpm config subcommands now goes to stderr instead of stdout. This fixes scripts that capture their stdout (e.g. PNPM_STORE=$(pnpm store path), pnpm config list --json | jq) from getting warnings mixed into the result.

• 1c05876: Avoid relinking unchanged child dependencies and remove stale child links during warm installs.

• 817f99d: Fixed lockfile churn where a package's transitivePeerDependencies could be dropped (and shift between packages) when the package participates in a dependency cycle. A cycle re-entry resolves against truncated children, so it must not be cached as "pure"; otherwise sibling occurrences of the same package short-circuit and lose transitive peers depending on traversal order #​5108.

• eba03e0: Fix pnpm install reporting "Already up to date" after a catalog entry in pnpm-workspace.yaml was reverted to a previous version. After an update modified a catalog, the workspace state cache stored the pre-update catalog versions, so reverting the entry back to its original version was not detected as an outdated state #​12418.

• 3b54d79: pnpm update now keeps lockfile overrides that resolve through a catalog in sync with the catalog. Previously, when an override referenced a catalog (e.g. overrides: { foo: 'catalog:' }) and pnpm update bumped that catalog entry, the lockfile's catalogs advanced while the resolved overrides kept the old version. The resulting lockfile was internally inconsistent, so a later pnpm install --frozen-lockfile failed with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH.

• 9d0a300: Fixed pnpm version --recursive so it honors the workspace selection. In recursive mode the version bump now applies to the packages resolved from the workspace filter (selectedProjectsGraph), matching the behavior of pnpm publish --recursive, instead of always bumping every workspace package #​11348.

v11.7.0

Compare Source

Minor Changes

• Added a new setting frozenStore (--frozen-store) that lets pnpm install run against a package store on a read-only filesystem (e.g. a Nix store, a read-only bind mount, an OCI layer). When enabled, pnpm opens the store's SQLite index.db through the immutable=1 URI — bypassing the WAL/-shm sidecar creation that otherwise fails on a read-only directory — and suppresses every store-write path (the index.db writer and the project-registry write). Pair it with --offline --frozen-lockfile against a fully-populated store. Under the global virtual store, package directories live inside the store, so if the store is missing the build output of a package whose lifecycle scripts are approved (or that has a patch), pnpm fails up front with ERR_PNPM_FROZEN_STORE_NEEDS_BUILD rather than crashing mid-build on a read-

✂ Note

PR body was truncated to here.