chore(deps): bump the production-dependencies group with 14 updates

[dependabot]

Bumps the production-dependencies group with 14 updates:

Package	From	To
@ai-sdk/anthropic	3.0.71	3.0.74
@ai-sdk/google	3.0.64	3.0.67
@ai-sdk/openai	3.0.53	3.0.58
@aws-sdk/client-s3	3.1037.0	3.1041.0
@opentelemetry/api-logs	0.215.0	0.216.0
@opentelemetry/exporter-logs-otlp-http	0.215.0	0.216.0
@opentelemetry/resources	2.7.0	2.7.1
@opentelemetry/sdk-logs	0.215.0	0.216.0
@posthog/nuxt	1.7.13	1.7.21
ai	6.0.168	6.0.174
nodemailer	8.0.6	8.0.7
nuxt	4.4.2	4.4.4
posthog-node	5.30.4	5.33.0
zod	4.3.6	4.4.2

Updates @ai-sdk/anthropic from 3.0.71 to 3.0.74

Release notes

Sourced from @​ai-sdk/anthropic's releases.

@​ai-sdk/anthropic@​3.0.74

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26

Changelog

Sourced from @​ai-sdk/anthropic's changelog.

3.0.74

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26

3.0.73

Patch Changes

• f8c9ae4: feat(anthropic): sanitize the unsupported JSON schema validation properties
• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [a727da4]
  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10

3.0.72

Patch Changes

• a7f3c72: trigger release for all packages after provenance setup
• Updated dependencies [a7f3c72]
  • @​ai-sdk/provider@​3.0.9
  • @​ai-sdk/provider-utils@​4.0.24

Commits

• 8a46a3c Version Packages (#14875)
• 8e650ab Version Packages (#14824)
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• f8c9ae4 backport v6: feat (provider/anthropic): sanitize unsupported json schema vali...
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/anthropic since your current version.

Updates @ai-sdk/google from 3.0.64 to 3.0.67

Release notes

Sourced from @​ai-sdk/google's releases.

@​ai-sdk/google@​3.0.67

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26

Changelog

Sourced from @​ai-sdk/google's changelog.

3.0.67

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26

3.0.66

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [a727da4]
  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10

3.0.65

Patch Changes

• a7f3c72: trigger release for all packages after provenance setup
• Updated dependencies [a7f3c72]
  • @​ai-sdk/provider@​3.0.9
  • @​ai-sdk/provider-utils@​4.0.24

Commits

• 8a46a3c Version Packages (#14875)
• 8e650ab Version Packages (#14824)
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/google since your current version.

Updates @ai-sdk/openai from 3.0.53 to 3.0.58

Release notes

Sourced from @​ai-sdk/openai's releases.

@​ai-sdk/openai@​3.0.58

Patch Changes

• 2370948: feat(openai): preserve namespace on function_call output items

@​ai-sdk/openai@​3.0.57

Patch Changes

• d33e7cc: chore(provider/openai): add type for image model options for type-safe processing

Changelog

Sourced from @​ai-sdk/openai's changelog.

3.0.58

Patch Changes

• 2370948: feat(openai): preserve namespace on function_call output items

3.0.57

Patch Changes

• d33e7cc: chore(provider/openai): add type for image model options for type-safe processing

3.0.56

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26

3.0.55

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [a727da4]
  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10

3.0.54

Patch Changes

• a7f3c72: trigger release for all packages after provenance setup
• 408a2ad: patch - send content: null instead of empty string for tool-only assistant messages
• c71ad14: feat(provider/openai): add gpt-image-2 model support
• Updated dependencies [a7f3c72]
  • @​ai-sdk/provider@​3.0.9
  • @​ai-sdk/provider-utils@​4.0.24

Commits

• 0129eb6 Version Packages (#14912)
• 2370948 Backport: feat(openai): preserve namespace on function_call output items (#14...
• 91d95c9 Version Packages (#14881)
• d33e7cc Backport: chore(provider/openai): add type for image model options for type-s...
• 8a46a3c Version Packages (#14875)
• 8e650ab Version Packages (#14824)
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• c71ad14 Backport: feat(provider/openai): add gpt-image-2 model support (#14682)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/openai since your current version.

Updates @aws-sdk/client-s3 from 3.1037.0 to 3.1041.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1041.0

3.1041.0(2026-05-01)

Chores

• core/client: emit warning for Node.js 20.x end-of-support (#7973) (00383767)
• workflows: migrate git-sync SSH key from GitHub secret to Secrets Manager via OIDC (#7978) (c056a2e3)
• codegen: smithy-aws-typescript-codegen 0.49.1 (#7980) (7bb42b39)

Documentation Changes

• client-iam: Added guidance for CreateOpenIDConnectProvider to include multiple thumbprints when OIDC discovery and JWKS endpoints use different hosts or certificates (b4bb6928)

New Features

• clients: update client endpoints as of 2026-05-01 (d48b40d5)
• client-iot: AWS IoT HTTP rule actions now support cross-topic batching, combining messages from different MQTT topics into single HTTP requests. (82edd29f)
• client-appstream: Amazon WorkSpaces Applications now enables AI agents to securely operate desktop applications. Administrators configure stacks to provide agents access to WorkSpaces. Agents can click, type, and take screenshots. Agents authenticate with AWS IAM credentials with activity logged in AWS CloudTrail. (5ca40b43)
• client-quicksight: Add IdentityProviderCACertificatesBundleS3Uri for private CA certs with OAuth datasources. 256-char limit for FontFamily in themes. ControlTitleFormatText on all 13 filters. ControlTitleFontConfiguration. ContextRegion for cross-region identity context. Story,scenario in CreateCustomCapability API. (a625879c)
• client-cloudwatch: This release adds tag support for CloudWatch Dashboards. The PutDashboard API now accepts a Tags parameter, allowing you to tag dashboards at creation time. Additionally, the TagResource, UntagResource, and ListTagsForResource APIs now support dashboard ARNs as resources. (e87c1479)
• client-entityresolution: Add support for transitive matching in AWS Entity Resolution rule-based matching workflows. When enabled, records that match through different rules are grouped together into the same match group, allowing related records to be connected across rule levels. (20487961)
• client-cloudwatch-logs: Adds support for filtering log groups by tags in the ListLogGroups API via the new logGroupTags parameter. (25dc6d23)
• client-qconnect: Added reasoning details, statusDescription, and timeToFirstTokenMs fields to the ListSpans response in Amazon Q in Connect to provide visibility into model thinking, error diagnostics, and inference latency metrics. (2c668c9d)

Bug Fixes

• lib-storage: use Math.ceil in default partSize calculation to prevent exceeding 10,000 parts (#7982) (8a58046b)

---

For list of updated packages, view updated-packages.md in assets-3.1041.0.zip

v3.1040.0

3.1040.0(2026-04-30)

New Features

• clients: update client endpoints as of 2026-04-30 (2620ccbd)
• client-bedrock-agentcore-control: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (6b9d13e3)
• client-route53globalresolver: Adds support for regions in the UpdateGlobalResolver input. (84b15b2e)
• client-sagemaker: Add InstancePools support to Endpoint for flexible provisioning across a prioritized list of instance types. Add Specifications support to InferenceComponent for per-instance-type model configurations. (05c49aa9)
• client-sso-admin: Add InstanceArn and IdentityStoreArn in the response of CreateApplication API and IdentityStoreArn in the response of DescribeApplication API (d46aaf53)
• client-payment-cryptography: Adds support for resource-based policies on AWS Payment Cryptography keys, enabling cross-account key sharing. Also adds Multi-Party Approval (MPA) team association APIs for protecting sensitive import root public key operations. (4d7fdfa8)
• client-datazone: Adds support for asynchronous notebook runs (e562cc0f)
• client-kafka: Adds support for ZookeeperAccess field to control the Client-Zookeeper connectivity. (34de26bd)
• client-observabilityadmin: Observability Admin enablement launch for AWS Kafka, Bedrock Agent Core Workload Identity and OTel metric enablement. (8cea5eb6)
• client-eks: Vended logs update param for capability vended logs feature (7741c8f5)
• client-bedrock-agentcore: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (948fd098)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1041.0 (2026-05-01)

Note: Version bump only for package @​aws-sdk/client-s3

3.1040.0 (2026-04-30)

Note: Version bump only for package @​aws-sdk/client-s3

3.1039.0 (2026-04-29)

Note: Version bump only for package @​aws-sdk/client-s3

3.1038.0 (2026-04-27)

Bug Fixes

• xml-builder: use xml 1.1 parsing behavior for entities (#7964) (7a30bce)

Commits

• 5df4c01 Publish v3.1041.0
• 7736067 Publish v3.1040.0
• 51c8215 Publish v3.1039.0
• 3dfb72b chore(codegen): sync for adaptive retry fixes (#7970)
• 3fbf6c5 Publish v3.1038.0
• e9f8d8a chore(codegen): sync for typed waiter-result values (#7965)
• 7a30bce fix(xml-builder): use xml 1.1 parsing behavior for entities (#7964)
• See full diff in compare view

Updates @opentelemetry/api-logs from 0.215.0 to 0.216.0

Release notes

Sourced from @​opentelemetry/api-logs's releases.

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira
• fix(instrumentation-xhr): resolve relative URLs before matching ignoreUrls #6551 @​Maximiliano-Zeballos
• fix(sdk-node): fix setting of ViewOption#name from ConfigurationModel #6620 @​trentm
• fix(web-common): add limit for timeout #6601 @​maryliag
• fix(otlp-transformer): pin protobufjs@8.0.1 as protobufjs@8.0.3 is broken for browser use #6646

🏠 Internal

• test(otlp-transformer): add metrics transform benchmark #6628 @​pichlermarc
• refactor(opentelemetry-exporter-prometheus): do not call enforcePrometheusNamingConvention() multiple times per metric #6636 @​cjihrig

Commits

• 2400d83 chore: prepare next release (#6647)
• f7a9b7c fix(otlp-transformer): pin protobufjs to 8.0.1 (#6646)
• cb38d7f test(otlp-transformer): add metrics transfrom benchmark (#6628)
• a28f12f fix(opentelemetry-core): defer tracestate vaidation (#6459)
• b27c514 refactor(opentelemetry-exporter-prometheus): do not call `enforcePrometheusNa...
• a2a8186 perf(sdk-trace-base): optimize TraceIdRatioBasedSampler hex parsing (#6284)
• 4c0f3f1 feat(sdk-node): set TracerProvider in startNodeSDK() (#6607)
• 417f2f1 fix(instr-xhr): do not unpatch XHR methods (#6611)
• 47ac523 Revert "chore: allow browser maintainers to approve changelog edits" (#6627)
• 86c621d fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix pr...
• Additional commits viewable in compare view

Updates @opentelemetry/exporter-logs-otlp-http from 0.215.0 to 0.216.0

Release notes

Sourced from @​opentelemetry/exporter-logs-otlp-http's releases.

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira
• fix(instrumentation-xhr): resolve relative URLs before matching ignoreUrls #6551 @​Maximiliano-Zeballos
• fix(sdk-node): fix setting of ViewOption#name from ConfigurationModel #6620 @​trentm
• fix(web-common): add limit for timeout #6601 @​maryliag
• fix(otlp-transformer): pin protobufjs@8.0.1 as protobufjs@8.0.3 is broken for browser use #6646

🏠 Internal

• test(otlp-transformer): add metrics transform benchmark #6628 @​pichlermarc
• refactor(opentelemetry-exporter-prometheus): do not call enforcePrometheusNamingConvention() multiple times per metric #6636 @​cjihrig

Commits

• 2400d83 chore: prepare next release (#6647)
• f7a9b7c fix(otlp-transformer): pin protobufjs to 8.0.1 (#6646)
• cb38d7f test(otlp-transformer): add metrics transfrom benchmark (#6628)
• a28f12f fix(opentelemetry-core): defer tracestate vaidation (#6459)
• b27c514 refactor(opentelemetry-exporter-prometheus): do not call `enforcePrometheusNa...
• a2a8186 perf(sdk-trace-base): optimize TraceIdRatioBasedSampler hex parsing (#6284)
• 4c0f3f1 feat(sdk-node): set TracerProvider in startNodeSDK() (#6607)
• 417f2f1 fix(instr-xhr): do not unpatch XHR methods (#6611)
• 47ac523 Revert "chore: allow browser maintainers to approve changelog edits" (#6627)
• 86c621d fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix pr...
• Additional commits viewable in compare view

Updates @opentelemetry/resources from 2.7.0 to 2.7.1

Release notes

Sourced from @​opentelemetry/resources's releases.

v2.7.1

2.7.1

🐛 Bug Fixes

• fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
  • important: this bug fix may be breaking for certain uses of TraceState
    • set now returns the same TraceState instance if key/value are invalid or makes the while trace state invalid.
    • unset now returns the same TraceState instance if key is not present.
    • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

• perf(sdk-trace-base): optimize TraceIdRatioBasedSampler performance #6284 @​AbhiPrasad
• perf(sdk-metrics): reduce loop overhead in sdk hot paths #6593 @​mcollina

Changelog

Sourced from @​opentelemetry/resources's changelog.

2.7.1

🐛 Bug Fixes

• fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
  • important: this bug fix may be breaking for certain uses of TraceState
    • set now returns the same TraceState instance if key/value are invalid or makes the while trace state invalid.
    • unset now returns the same TraceState instance if key is not present.
    • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

🏠 Internal

• perf(sdk-trace-base): optimize TraceIdRatioBasedSampler performance #6284 @​AbhiPrasad

Commits

• 2400d83 chore: prepare next release (#6647)
• f7a9b7c fix(otlp-transformer): pin protobufjs to 8.0.1 (#6646)
• cb38d7f test(otlp-transformer): add metrics transfrom benchmark (#6628)
• a28f12f fix(opentelemetry-core): defer tracestate vaidation (#6459)
• b27c514 refactor(opentelemetry-exporter-prometheus): do not call `enforcePrometheusNa...
• a2a8186 perf(sdk-trace-base): optimize TraceIdRatioBasedSampler hex parsing (#6284)
• 4c0f3f1 feat(sdk-node): set TracerProvider in startNodeSDK() (#6607)
• 417f2f1 fix(instr-xhr): do not unpatch XHR methods (#6611)
• 47ac523 Revert "chore: allow browser maintainers to approve changelog edits" (#6627)
• 86c621d fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix pr...
• Additional commits viewable in compare view

Updates @opentelemetry/sdk-logs from 0.215.0 to 0.216.0

Release notes

Sourced from @​opentelemetry/sdk-logs's releases.

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira
• fix(instrumentation-xhr): resolve relative URLs before matching ignoreUrls #6551 @​Maximiliano-Zeballos
• fix(sdk-node): fix setting of ViewOption#name from ConfigurationModel #6620 @​trentm
• fix(web-common): add limit for timeout #6601 @​maryliag
• fix(otlp-transformer): pin protobufjs@8.0.1 as protobufjs@8.0.3 is broken for browser use #6646

🏠 Internal

• test(otlp-transformer): add metrics transform benchmark #6628 @​pichlermarc
• refactor(opentelemetry-exporter-prometheus): do not call enforcePrometheusNamingConvention() multiple times per metric #6636 @​cjihrig

Commits

• 2400d83 chore: prepare next release (#6647)
• f7a9b7c fix(otlp-transformer): pin protobufjs to 8.0.1 (#6646)
• cb38d7f test(otlp-transformer): add metrics transfrom benchmark (#6628)
• a28f12f fix(opentelemetry-core): defer tracestate vaidation (#6459)
• b27c514 refactor(opentelemetry-exporter-prometheus): do not call `enforcePrometheusNa...
• a2a8186 perf(sdk-trace-base): optimize TraceIdRatioBasedSampler hex parsing (#6284)
• 4c0f3f1 feat(sdk-node): set TracerProvider in startNodeSDK() (#6607)
• 417f2f1 fix(instr-xhr): do not unpatch XHR methods (#6611)
• 47ac523 Revert "chore: allow browser maintainers to approve changelog edits" (#6627)
• 86c621d fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix pr...
• Additional commits viewable in compare view

Updates @posthog/nuxt from 1.7.13 to 1.7.21

Release notes

Sourced from @​posthog/nuxt's releases.

@​posthog/nuxt@​1.7.21

1.7.21

Patch Changes

• Updated dependencies [f8bc02f]:
  • posthog-node@5.33.0

@​posthog/nuxt@​1.7.20

1.7.20

Patch Changes

• Updated dependencies [cf56753, 04db756]:
  • posthog-js@1.372.6
  • @​posthog/core@​1.28.0
  • posthog-node@5.32.1

@​posthog/nuxt@​1.7.19

1.7.19

Patch Changes

• Updated dependencies [70ba8f8]:
  • posthog-node@5.32.0

@​posthog/nuxt@​1.7.18

1.7.18

Patch Changes

• Updated dependencies [974e4b2]:
  • posthog-node@5.31.0

@​posthog/nuxt@​1.7.17

1.7.17

Patch Changes

• Updated dependencies [c726aae]:
  • posthog-js@1.372.5
  • @​posthog/core@​1.27.9
  • posthog-node@5.30.8

@​posthog/nuxt@​1.7.16

1.7.16

Patch Changes

• Updated dependencies [5a6b2a5]:

... (truncated)

Changelog

Sourced from @​posthog/nuxt's changelog.

1.7.21

Patch Changes

• Updated dependencies [f8bc02f]:
  • posthog-node@5.33.0

1.7.20

Patch Changes

• Updated dependencies [cf56753, 04db756]:
  • posthog-js@1.372.6
  • @​posthog/core@​1.28.0
  • posthog-node@5.32.1

1.7.19

Patch Changes

• Updated dependencies [70ba8f8]:
  • posthog-node@5.32.0

1.7.18

Patch Changes

• Updated dependencies [974e4b2]:
  • posthog-node@5.31.0

1.7.17

Patch Changes

• Updated dependencies [c726aae]:
  • posthog-js@1.372.5
  • @​posthog/core@​1.27.9
  • posthog-node@5.30.8

1.7.16

Patch Changes

• Updated dependencies [5a6b2a5]:
  • posthog-js@1.372.4
  • @​posthog/core@​1.27.8
  • posthog-node@5.30.7

1.7.15

... (truncated)

Commits

• 2a1c739 chore: update versions and lockfile [version bump]
• c1ac939 chore: update versions and lockfile [version bump]
• b02194b chore: update versions and lockfile [version bump]
• eb5fc8e chore: update versions and lockfile [version bump]
• d0db43d chore: update versions and lockfile [version bump]
• 983118f chore: update versions and lockfile [version bump]
• 1816007 chore: update versions and lockfile [version bump]
• 1f68496 chore: update versions and lockfile [version bump]
• See full diff in compare view

Updates ai from 6.0.168 to 6.0.174

Release notes

Sourced from ai's releases.

ai@6.0.174

Patch Changes

• Updated dependencies [49f6d44]
  • @​ai-sdk/gateway@​3.0.109

ai@6.0.173

Patch Changes

• 7beadf0: feat(mcp): propagate the server name through dynamic tool parts
• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26
  • @​ai-sdk/gateway@​3.0.108

Changelog

Sourced from ai's changelog.

6.0.174

Patch Changes

• Updated dependencies [49f6d44]
  • @​ai-sdk/gateway@​3.0.109

6.0.173

Patch Changes

• 7beadf0: feat(mcp): propagate the server name through dynamic tool parts
• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26
  • @​ai-sdk/gateway@​3.0.108

6.0.172

Patch Changes

• Updated dependencies [982af78]
  • @​ai-sdk/gateway@​3.0.107

6.0.171

Patch Changes

• 48f842a: fix(ai): enforce callOptionsSchema at runtime in ToolLoopAgent

  ToolLoopAgentSettings.callOptionsSchema was declared and documented as a runtime schema for options, but tool-loop-agent.ts never invoked it. Any invariant a developer encoded in the schema was silently bypassed at runtime, and unchecked options flowed straight into prepareCall and any instructions template that interpolated them.

  ToolLoopAgent.prepareCall now validates caller-supplied options against callOptionsSchema (when set) via safeValidateTypes, throwing InvalidArgumentError on failure before forwarding to prepareCall / generateText / streamText.

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles

• 5fee301: fix(mcp): prevent prototype pollution by using secureJsonParse

• Updated dependencies [a727da4]

  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10
  • @​ai-sdk/gateway@​3.0.106

6.0.170

Patch Changes

• 19d587a: fix(ai): add allowSystemInMessages option and warn by default when system messages are found in prompt or messages

6.0.169

Patch Changes

... (truncated)

Commits

• 0129eb6 Version Packages (#14912)
• 8a46a3c Version Packages (#14875)
• 7beadf0 Backport: feat(mcp): propagate the server name through dynamic tool parts (#1...
• 29c80ec Version Packages (#14868)
• 8e650ab Version Packages (#14824)
• 48f842a backport v6: fix(ai): enforce callOptionsSchema at runtime in ToolLoopAgent (...
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 5fee301 backport v6: fix(mcp): prevent prototype pollution by using secureJsonParse (...
• 7ab1e18 Version Packages (#14815)
• 19d587a v6: fix(ai): warn about system messages in messages or prompt (#14810)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ai since your current version.

Updates nodemailer from 8.0.6 to 8.0.7

Release notes

Sourced from nodemailer's releases.

v8.0.7

8.0.7 (2026-04-27)

Bug Fixes

• keep domain as UTF-8 when local part is non-ASCII (#1814) (66d4ecb)

Changelog

Sourced from nodemailer's changelog.

8.0.7 (2026-04-27)

Bug Fixes

• keep domain as UTF-8 when local part is non-ASCII (#1814) (66d4ecb)

Commits

• 1997040 chore(master): release 8.0.7 (#1815)
• 9b9c545 chore: drop nodemailer-ntlm-auth devDependency (#1816)
• 22bf90c Bumped dev deps
• 66d4ecb fix: keep domain as UTF-8 when local part is non-ASCII (#1814)
• 6a4a01e Fix/base64 wrap trailing crlf (#1813)
• See full diff in compare view

Updates nuxt from 4.4.2 to 4.4.4

Commits

• 7f8443d v4.4.4
• e177b61 v4.4.3
• b03db36 fix(nuxt): invoke user-supplied error handler when suppressing render errors ...
• 6bdb1de fix(nuxt): resolve layer aliases in css files (#34940)
• d3600bf fix(nuxt): avoid transforming NuxtTeleportIslandComponent with nuxt-client ...
• 507d279 fix(nuxt): correct async data type inference when using transform with `get...
• e8c82ab fix(nuxt): flatten buffer before filtering promises and fix rendering of cont...
• b5d344b chore(deps): update all non-major dependencies (4.x) (#34952)
• 5acd56e chore(deps): update all non-major dependencies (4.x) (#34901)
Description has been truncated

[railway-app]

🚅 Deployed to the reqcore-pr-173 environment in applirank

Service	Status	Web	Updated (UTC)
applirank	✅ Success (View Logs)		May 4, 2026 at 4:50 am