
chore(deps): bump the production-minor-patch group across 1 directory with 7 updates#224

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/production-minor-patch-7119af847e

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 22, 2026


Bumps the production-minor-patch group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @ai-sdk/google | 3.0.75 | 3.0.83 |
| ai | 6.0.184 | 6.0.208 |
| framer-motion | 12.38.0 | 12.40.0 |
| lucide-react | 1.16.0 | 1.21.0 |
| nanoid | 5.1.11 | 5.1.15 |
| smol-toml | 1.6.1 | 1.7.0 |
| axios | 1.16.1 | 1.18.0 |

Updates @ai-sdk/google from 3.0.75 to 3.0.83

Changelog

Sourced from @ai-sdk/google's changelog.

3.0.83

Patch Changes

  • Updated dependencies [779f5cd]
    • @ai-sdk/provider-utils@4.0.30

3.0.82

Patch Changes

  • 3258f22: fix(google): prevent prototype pollution when streaming tool args

  • bfa5864: fix: only send provider credentials to same-origin response-supplied URLs

    Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

    A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @ai-sdk/provider-utils@4.0.29

3.0.81

Patch Changes

  • Updated dependencies [942f2f8]
    • @ai-sdk/provider-utils@4.0.28

3.0.80

Patch Changes

  • f62ffe0: fix(google): auto-inject skip_thought_signature_validator for Gemini 3 tool-call replays without a signature

    Gemini 3 models reject requests when an assistant functionCall part lacks a thoughtSignature with HTTP 400 "Function call is missing a thought_signature in functionCall parts." This is easy to hit when application code persists/serializes messages and drops providerOptions.google.thoughtSignature (custom DB schemas, useChat server routes that rebuild messages, synthetic tool-call injection).

    The provider now detects this case (Gemini 3 model + missing signature under google, googleVertex, and vertex namespaces) and injects the documented skip_thought_signature_validator sentinel into the outbound functionCall, plus surfaces a one-shot warning per request listing the affected tool names so the developer can find and fix the upstream serialization. Non-Gemini-3 models are unaffected, and real signatures take precedence when present.

3.0.79

Patch Changes

  • cfa0cb2: feat(provider/google): support Google search grounding when using generateImage with Gemini

3.0.78

Patch Changes

  • cf63828: fix(google): read serviceTier from usageMetadata.serviceTier in both generate and stream paths

... (truncated)

Commits
  • caebb44 Version Packages (#16157)
  • bae9bab Version Packages (#16026)
  • 3258f22 Backport: fix(google): prevent prototype pollution when streaming tool args (...
  • bfa5864 Backport: fix(providers): only send credentials to same-origin response-suppl...
  • 9ef2c3c Version Packages (#15998)
  • 7aca1fc backport: chore: update TypeScript references and fix `pnpm update-references...
  • 661127c Version Packages (#15622)
  • f62ffe0 fix(google): auto-inject skip_thought_signature_validator on Gemini 3 tool-ca...
  • fc83fa3 Version Packages (#15532)
  • cfa0cb2 Backport: feat(provider/google): support Google search grounding when using `...
  • Additional commits viewable in compare view

Updates ai from 6.0.184 to 6.0.208

Release notes

Sourced from ai's releases.

ai@6.0.208

Patch Changes

  • 8261640: fix(ai): handle partial unicode escapes in fixJson
  • f994df3: Serialize undefined tool output to null in UI message chunks

Changelog

Sourced from ai's changelog.

6.0.208

Patch Changes

  • 8261640: fix(ai): handle partial unicode escapes in fixJson
  • f994df3: Serialize undefined tool output to null in UI message chunks

6.0.207

Patch Changes

  • 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

    When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

  • Updated dependencies [5bfde36]

  • Updated dependencies [779f5cd]

    • @ai-sdk/gateway@3.0.133
    • @ai-sdk/provider-utils@4.0.30

6.0.206

Patch Changes

  • Updated dependencies [e962dda]
    • @ai-sdk/gateway@3.0.132

6.0.205

Patch Changes

  • Updated dependencies [6160ced]
  • Updated dependencies [c9b8abd]
    • @ai-sdk/gateway@3.0.131

6.0.204

Patch Changes

  • Updated dependencies [c5d4716]
    • @ai-sdk/gateway@3.0.130

6.0.203

Patch Changes

  • f42aa79: fix: harden download URL SSRF guard against hostname and redirect bypasses

    validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:

... (truncated)

Commits

Updates framer-motion from 12.38.0 to 12.40.0

Changelog

Sourced from framer-motion's changelog.

[12.40.0] 2026-05-21

Added

  • path option to transition.
  • arc() for motion along an arc.

[12.39.0] 2026-05-18

Added

  • Support for repeatType and repeatDelay in animation sequences.

Fixed

  • Variants: Re-run keyframe animations when switching between variant labels even when they share identical keyframe arrays.
  • Drag: Preserve in-flight motion value animations across React 19 reorder unmount/remount so dragSnapToOrigin no longer leaves the drag transform stranded after a layout swap.
  • LazyMotion: Share React contexts between the framer-motion and framer-motion/m (and therefore motion/react and motion/react-m) CJS bundles so that <m.div> from the /m subpath picks up features loaded by <LazyMotion> from the main entry point.
  • useScroll: Support hydrating target and container refs from anywhere in the tree.
  • Drag: Gesture no longer starts from incorrect start point when rendered inside <AnimatePresence initial={false} />.
  • Drag: dragConstraints, when set as viewport-relative ref, no longer break on scroll.
  • Updated visualElement hydration order.
  • useAnimate: Now respects skipAnimations.
  • AnimatePresence: Fix object-form initial values not applied on re-entry after exit completes.
  • scroll: Fixed callback progress when tracking an element.
  • useScroll: Fix hardware acceleration when tracking an element.

Commits
  • 38ebb94 v12.40.0
  • b1f766c Latest
  • bca5544 Merge pull request #3699 from motiondivision/lochie/arcs-injectable
  • f1a96cf arc(): rename amp/rotate, expose MotionPath, fix explicit cw/ccw
  • b4aaba0 pathRotation: non-destructive orientToPath rotation channel
  • 8604ef3 Make arcs injectable via transition.path = arc()
  • f90fe29 add orientToPath
  • 9ebe999 fix: test
  • bc2107e Revert "no should"
  • 6eeb92d no should
  • Additional commits viewable in compare view

Updates lucide-react from 1.16.0 to 1.21.0

Release notes

Sourced from lucide-react's releases.

Version 1.21.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.20.0...1.21.0

Version 1.20.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.19.0...1.20.0

Version 1.19.0

What's Changed

... (truncated)

Commits
  • 5ff536e ci(release.yml): Fix workflow and remove version scripts in package scripts...
  • See full diff in compare view

Updates nanoid from 5.1.11 to 5.1.15

Release notes

Sourced from nanoid's releases.

5.1.15

  • Fixed random pool corruption on big ID sizes.

5.1.14

  • Fixed npm package size regression.

5.1.13

  • Fixed npm package size regression.

5.1.12

  • Moved to npm Provenance and Staged Publishing.

Changelog

Sourced from nanoid's changelog.

5.1.15

  • Fixed random pool corruption on big ID sizes.

5.1.14

  • Fixed npm package size regression.

5.1.13

  • Fixed npm package size regression.

5.1.12

  • Moved to npm Provenance and Staged Publishing.

Commits

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for nanoid since your current version.


Updates smol-toml from 1.6.1 to 1.7.0

Release notes

Sourced from smol-toml's releases.

v1.7.0

This version slightly changes the behaviour of stringify: integers beyond the safe range are always emitted as float numbers.

String decode logic has been rewritten, it is a bit faster now and uses a single-pass approach instead of a dual-pass approach as it did previously. The code should be a bit smaller too, though I didn't actually measure that.

The package is now published with source-maps, declaration-maps, and a copy of the original TypeScript source files. This will improve your DX if you're like me and like Ctrl+Click'ing things a lot. ;)

What's Changed

New Contributors

Full Changelog: squirrelchat/smol-toml@v1.6.1...v1.7.0

Commits
  • a62f06f revert: keep using vite 7
  • 89aa9a3 chore: remove prepare script
  • 17c7974 chore: make devEngine more lax w/ node version
  • e5280a3 ci: checkout repo first
  • 241c256 chore: version bump
  • 0bfe7f4 chore: build cjs with rolldown instead of esbuild
  • e0620ab chore: fmt
  • 96114cb test: add tests for large integers
  • f4537b6 fix: handle missed edge-cases in string parse
  • 7b39aed chore: include source files in published package
  • Additional commits viewable in compare view

Updates axios from 1.16.1 to 1.18.0

Release notes

Sourced from axios's releases.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Commits
  • 2d06f96 chore(release): prepare release 1.18.0 (#11003)
  • 32fc489 fix: malformed http urls (#11000)
  • b40ce49 chore(deps-dev): bump the development_dependencies group with 10 updates (#10...
  • fe964f9 docs: mark proxy config as Node.js only (#10995)
  • 5f229d2 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions ...
  • fae9d4e docs: clarify package update PR policy (#10992)
  • 28ab2ce chore(deps-dev): bump the development_dependencies group with 2 updates (#10989)
  • a8e4f13 fix(core): keep default validateStatus when request passes undefined (#10899)
  • 614f455 docs: publish v1.17.0 release notes (#10988)
  • 6bb12c1 fix: custom auth headers not stripped on cross-origin redirects (#10892)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
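Three of the hardening entries quoted above share one defensive pattern: the @ai-sdk/google fix that attaches provider credentials only to response-supplied URLs that are same-origin with the configured API origin, the provider-utils fix that cancels the body of every early-rejected or intermediate response so its socket is released, and the axios change that strips caller-specified sensitive headers on cross-origin redirects. The following is an added example written to show that pattern in Node.js; it is not code from the ai-sdk or axios projects. The function names (`isSameOrigin`, `headersForTarget`, `fetchScoped`, and so on), the provider and CDN hostnames, and the fake `fetch` are all constructed for the demonstration; the real `isSameOrigin` helper in @ai-sdk/provider-utils is not reproduced here.

```javascript
// Added example, not code from the ai-sdk or axios projects. Scope a provider
// credential to the configured API origin, re-check the origin on every redirect
// hop, strip caller-supplied sensitive headers cross-origin, and cancel the body
// of every intermediate response. All names, hosts and values are constructed.

const SENSITIVE_HEADERS = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'x-api-key', 'x-goog-api-key',
]);

// Same origin means identical scheme, host and port. An unparseable URL never
// qualifies, so a malformed response-supplied URL gets no credential.
function isSameOrigin(baseUrl, candidateUrl) {
  try {
    return new URL(baseUrl).origin === new URL(candidateUrl).origin;
  } catch {
    return false;
  }
}

function stripSensitiveHeaders(headers) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Headers for one request: the provider credential rides along only when the
// target shares the configured API origin; otherwise even caller-supplied
// auth-like headers are dropped, mirroring the cross-origin redirect rule.
function headersForTarget(apiOrigin, targetUrl, credentialHeaders, callerHeaders = {}) {
  if (isSameOrigin(apiOrigin, targetUrl)) return { ...callerHeaders, ...credentialHeaders };
  return stripSensitiveHeaders(callerHeaders);
}

// Query-string variant of the same rule: ?key=<API_KEY> is appended only for a
// same-origin target; a foreign URL is returned untouched.
function withApiKeyParam(apiOrigin, targetUrl, apiKey) {
  if (!isSameOrigin(apiOrigin, targetUrl)) return targetUrl;
  const u = new URL(targetUrl);
  u.searchParams.set('key', apiKey);
  return u.toString();
}

// Release the socket of a response that is not handed back to the caller.
async function discardBody(res) {
  if (res.body && typeof res.body.cancel === 'function') await res.body.cancel();
}

// Follow redirects manually so each hop is re-evaluated against apiOrigin.
async function fetchScoped(apiOrigin, targetUrl, credentialHeaders, fetchImpl, opts = {}) {
  const { callerHeaders = {}, maxHops = 5 } = opts;
  let url = targetUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    const headers = headersForTarget(apiOrigin, url, credentialHeaders, callerHeaders);
    const res = await fetchImpl(url, { headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status >= 300 && res.status < 400 && location) {
      await discardBody(res); // do not leave the hop's socket dangling
      url = new URL(location, url).toString();
      continue;
    }
    return res;
  }
  throw new Error(`exceeded ${maxHops} redirects from ${targetUrl}`);
}

// Constructed stand-in for fetch: the provider's job endpoint redirects the poll
// to a foreign CDN host. Returns the headers each hop actually received.
async function demo() {
  const apiOrigin = 'https://api.provider.test';
  const seen = [];
  const fakeFetch = async (url, init) => {
    seen.push({ url, headers: init.headers });
    if (url === `${apiOrigin}/v1/jobs/42`) {
      return new Response(null, { status: 302, headers: { location: 'https://cdn.elsewhere.test/out.bin' } });
    }
    return new Response('media bytes', { status: 200 });
  };
  await fetchScoped(apiOrigin, `${apiOrigin}/v1/jobs/42`, { Authorization: 'Bearer <API_KEY>' }, fakeFetch, {
    callerHeaders: { 'X-Api-Key': '<API_KEY>', Accept: '*/*' },
  });
  return seen;
}

demo().then((seen) => console.log(JSON.stringify(seen, null, 2)));
```

Run with Node 18 or later, which provides the global `URL` and `Response` used here; to issue real requests, pass `globalThis.fetch` as `fetchImpl`. The printed `seen` array shows the first hop carrying `Authorization` and `X-Api-Key` and the cross-origin CDN hop carrying only `Accept`, which is the behaviour the quoted changelog entries describe.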

… with 7 updates

Bumps the production-minor-patch group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@ai-sdk/google](https://github.com/vercel/ai/tree/HEAD/packages/google) | `3.0.75` | `3.0.83` |
| [ai](https://github.com/vercel/ai/tree/HEAD/packages/ai) | `6.0.184` | `6.0.208` |
| [framer-motion](https://github.com/motiondivision/motion) | `12.38.0` | `12.40.0` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.16.0` | `1.21.0` |
| [nanoid](https://github.com/ai/nanoid) | `5.1.11` | `5.1.15` |
| [smol-toml](https://github.com/squirrelchat/smol-toml) | `1.6.1` | `1.7.0` |
| [axios](https://github.com/axios/axios) | `1.16.1` | `1.18.0` |



Updates `@ai-sdk/google` from 3.0.75 to 3.0.83
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/google@3.0.83/packages/google/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/google@3.0.83/packages/google)

Updates `ai` from 6.0.184 to 6.0.208
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/ai@6.0.208/packages/ai/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/ai@6.0.208/packages/ai)

Updates `framer-motion` from 12.38.0 to 12.40.0
- [Changelog](https://github.com/motiondivision/motion/blob/main/CHANGELOG.md)
- [Commits](motiondivision/motion@v12.38.0...v12.40.0)

Updates `lucide-react` from 1.16.0 to 1.21.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.21.0/packages/lucide-react)

Updates `nanoid` from 5.1.11 to 5.1.15
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@5.1.11...5.1.15)

Updates `smol-toml` from 1.6.1 to 1.7.0
- [Release notes](https://github.com/squirrelchat/smol-toml/releases)
- [Commits](squirrelchat/smol-toml@v1.6.1...v1.7.0)

Updates `axios` from 1.16.1 to 1.18.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.16.1...v1.18.0)

---
updated-dependencies:
- dependency-name: "@ai-sdk/google"
  dependency-version: 3.0.83
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: ai
  dependency-version: 6.0.208
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: framer-motion
  dependency-version: 12.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
- dependency-name: lucide-react
  dependency-version: 1.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
- dependency-name: nanoid
  dependency-version: 5.1.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: smol-toml
  dependency-version: 1.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
- dependency-name: axios
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Jun 22, 2026


Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


dependabot Bot commented on behalf of github Jun 29, 2026


Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 29, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/production-minor-patch-7119af847e branch June 29, 2026 06:15
