chore(deps)(deps): bump the production-dependencies group across 1 directory with 38 updates

[dependabot]

Bumps the production-dependencies group with 31 updates in the / directory:

Package	From	To
cosmiconfig	9.0.0	9.0.1
@anthropic-ai/claude-code	2.1.50	2.1.81
@babel/runtime	7.28.6	7.29.2
@borewit/text-codec	0.2.1	0.2.2
@google/genai	1.42.0	1.46.0
@hono/node-server	1.19.9	1.19.11
@modelcontextprotocol/sdk	1.26.0	1.27.1
@supabase/supabase-js	2.97.0	2.99.3
fastmcp	3.33.0	3.34.0
axios	1.13.5	1.13.6
bare-fs	4.5.4	4.5.6
bare-os	3.6.2	3.8.0
bare-stream	2.8.0	2.10.0
bare-url	2.3.2	2.4.0
express-rate-limit	8.2.1	8.3.1
figlet	1.10.0	1.11.0
file-type	21.3.0	21.3.4
fs-extra	11.3.3	11.3.4
gaxios	7.1.3	7.1.4
google-auth-library	10.5.0	10.6.2
hono	4.12.1	4.12.8
koa	3.1.1	3.1.2
mcp-proxy	6.4.0	6.4.4
nan	2.25.0	2.26.2
node-abi	3.87.0	3.89.0
pump	3.0.3	3.0.4
sql.js	1.14.0	1.14.1
strtok3	10.3.4	10.3.5
undici	7.22.0	7.24.5
ws	8.19.0	8.20.0
yaml	2.8.2	2.8.3

Updates cosmiconfig from 9.0.0 to 9.0.1

Changelog

Sourced from cosmiconfig's changelog.

9.0.1

• Fixed a race condition where multiple instances existing simultaneously could cause cosmiconfig to fail to load TypeScript config files.
• Fixed an issue on Windows where CWD being a short path (e.g. C:\Users\USERNA~1) would cause cosmiconfig to fail to load ESM config files.

Commits

• 9a5cda3 9.0.1
• 2174017 update changelog
• 536d4a0 Prevent race conditions when running multiple instances of cosmiconfig and ...
• 4b48611 remove debug log
• 53d1745 remove more EOL node versions
• 7c1a1e3 replace resolve with realpath
• fcc9084 add additional path.resolve for windows short paths
• 7e995c8 debug
• 52b6b1c drop node 14 build as it seems to fail for unreachable reasons
• db45e38 fix tests on windows (3)
• Additional commits viewable in compare view

Updates @anthropic-ai/claude-code from 2.1.50 to 2.1.81

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.81

What's changed

• Added --bare flag for scripted -p calls — skips hooks, LSP, plugin sync, and skill directory walks; requires ANTHROPIC_API_KEY or an apiKeyHelper via --settings (OAuth and keychain auth disabled); auto-memory fully disabled
• Added --channels permission relay — channel servers that declare the permission capability can forward tool approval prompts to your phone
• Fixed multiple concurrent Claude Code sessions requiring repeated re-authentication when one session refreshes its OAuth token
• Fixed voice mode silently swallowing retry failures and showing a misleading "check your network" message instead of the actual error
• Fixed voice mode audio not recovering when the server silently drops the WebSocket connection
• Fixed CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS not suppressing the structured-outputs beta header, causing 400 errors on proxy gateways forwarding to Vertex/Bedrock
• Fixed --channels bypass for Team/Enterprise orgs with no other managed settings configured
• Fixed a crash on Node.js 18
• Fixed unnecessary permission prompts for Bash commands containing dashes in strings
• Fixed plugin hooks blocking prompt submission when the plugin directory is deleted mid-session
• Fixed a race condition where background agent task output could hang indefinitely when the task completed between polling intervals
• Resuming a session that was in a worktree now switches back to that worktree
• Fixed /btw not including pasted text when used during an active response
• Fixed a race where fast Cmd+Tab followed by paste could beat the clipboard copy under tmux
• Fixed terminal tab title not updating with an auto-generated session description
• Fixed invisible hook attachments inflating the message count in transcript mode
• Fixed Remote Control sessions showing a generic title instead of deriving from the first prompt
• Fixed /rename not syncing the title for Remote Control sessions
• Fixed Remote Control /exit not reliably archiving the session
• Improved MCP read/search tool calls to collapse into a single "Queried {server}" line (expand with Ctrl+O)
• Improved ! bash mode discoverability — Claude now suggests it when you need to run an interactive command
• Improved plugin freshness — ref-tracked plugins now re-clone on every load to pick up upstream changes
• Improved Remote Control session titles to refresh after your third message
• Updated MCP OAuth to support Client ID Metadata Document (CIMD / SEP-991) for servers without Dynamic Client Registration
• Changed plan mode to hide the "clear context" option by default (restore with "showClearContextOnPlanAccept": true)
• Disabled line-by-line response streaming on Windows (including WSL in Windows Terminal) due to rendering issues
• [VSCode] Fixed Windows PATH inheritance for Bash tool when using Git Bash (regression in v2.1.78)

v2.1.80

What's changed

• Added rate_limits field to statusline scripts for displaying Claude.ai rate limit usage (5-hour and 7-day windows with used_percentage and resets_at)
• Added source: 'settings' plugin marketplace source — declare plugin entries inline in settings.json
• Added CLI tool usage detection to plugin tips, in addition to file pattern matching
• Added effort frontmatter support for skills and slash commands to override the model effort level when invoked
• Added --channels (research preview) — allow MCP servers to push messages into your session
• Fixed --resume dropping parallel tool results — sessions with parallel tool calls now restore all tool_use/tool_result pairs instead of showing [Tool result missing] placeholders
• Fixed voice mode WebSocket failures caused by Cloudflare bot detection on non-browser TLS fingerprints
• Fixed 400 errors when using fine-grained tool streaming through API proxies, Bedrock, or Vertex
• Fixed /remote-control appearing for gateway and third-party provider deployments where it cannot function
• Fixed /sandbox tab switching not responding to Tab or arrow keys
• Improved responsiveness of @ file autocomplete in large git repositories
• Improved /effort to show what auto currently resolves to, matching the status bar indicator
• Improved /permissions — Tab and arrow keys now switch tabs from within a list
• Improved background tasks panel — left arrow now closes from the list view
• Simplified plugin install tips to use a single /plugin install command instead of a two-step flow
• Reduced memory usage on startup in large repositories (~80 MB saved on 250k-file repos)

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.81

• Added --bare flag for scripted -p calls — skips hooks, LSP, plugin sync, and skill directory walks; requires ANTHROPIC_API_KEY or an apiKeyHelper via --settings (OAuth and keychain auth disabled); auto-memory fully disabled
• Added --channels permission relay — channel servers that declare the permission capability can forward tool approval prompts to your phone
• Fixed multiple concurrent Claude Code sessions requiring repeated re-authentication when one session refreshes its OAuth token
• Fixed voice mode silently swallowing retry failures and showing a misleading "check your network" message instead of the actual error
• Fixed voice mode audio not recovering when the server silently drops the WebSocket connection
• Fixed CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS not suppressing the structured-outputs beta header, causing 400 errors on proxy gateways forwarding to Vertex/Bedrock
• Fixed --channels bypass for Team/Enterprise orgs with no other managed settings configured
• Fixed a crash on Node.js 18
• Fixed unnecessary permission prompts for Bash commands containing dashes in strings
• Fixed plugin hooks blocking prompt submission when the plugin directory is deleted mid-session
• Fixed a race condition where background agent task output could hang indefinitely when the task completed between polling intervals
• Resuming a session that was in a worktree now switches back to that worktree
• Fixed /btw not including pasted text when used during an active response
• Fixed a race where fast Cmd+Tab followed by paste could beat the clipboard copy under tmux
• Fixed terminal tab title not updating with an auto-generated session description
• Fixed invisible hook attachments inflating the message count in transcript mode
• Fixed Remote Control sessions showing a generic title instead of deriving from the first prompt
• Fixed /rename not syncing the title for Remote Control sessions
• Fixed Remote Control /exit not reliably archiving the session
• Improved MCP read/search tool calls to collapse into a single "Queried {server}" line (expand with Ctrl+O)
• Improved ! bash mode discoverability — Claude now suggests it when you need to run an interactive command
• Improved plugin freshness — ref-tracked plugins now re-clone on every load to pick up upstream changes
• Improved Remote Control session titles to refresh after your third message
• Updated MCP OAuth to support Client ID Metadata Document (CIMD / SEP-991) for servers without Dynamic Client Registration
• Changed plan mode to hide the "clear context" option by default (restore with "showClearContextOnPlanAccept": true)
• Disabled line-by-line response streaming on Windows (including WSL in Windows Terminal) due to rendering issues
• [VSCode] Fixed Windows PATH inheritance for Bash tool when using Git Bash (regression in v2.1.78)

2.1.80

• Added rate_limits field to statusline scripts for displaying Claude.ai rate limit usage (5-hour and 7-day windows with used_percentage and resets_at)
• Added source: 'settings' plugin marketplace source — declare plugin entries inline in settings.json
• Added CLI tool usage detection to plugin tips, in addition to file pattern matching
• Added effort frontmatter support for skills and slash commands to override the model effort level when invoked
• Added --channels (research preview) — allow MCP servers to push messages into your session
• Fixed --resume dropping parallel tool results — sessions with parallel tool calls now restore all tool_use/tool_result pairs instead of showing [Tool result missing] placeholders
• Fixed voice mode WebSocket failures caused by Cloudflare bot detection on non-browser TLS fingerprints
• Fixed 400 errors when using fine-grained tool streaming through API proxies, Bedrock, or Vertex
• Fixed /remote-control appearing for gateway and third-party provider deployments where it cannot function
• Fixed /sandbox tab switching not responding to Tab or arrow keys
• Improved responsiveness of @ file autocomplete in large git repositories
• Improved /effort to show what auto currently resolves to, matching the status bar indicator
• Improved /permissions — Tab and arrow keys now switch tabs from within a list
• Improved background tasks panel — left arrow now closes from the list view
• Simplified plugin install tips to use a single /plugin install command instead of a two-step flow
• Reduced memory usage on startup in large repositories (~80 MB saved on 250k-file repos)
• Fixed managed settings (enabledPlugins, permissions.defaultMode, policy-set env vars) not being applied at startup when remote-settings.json was cached from a prior session

... (truncated)

Commits

• 6aadfbd chore: Update CHANGELOG.md
• 1653669 chore: Update CHANGELOG.md
• 5e34f19 chore: Update CHANGELOG.md
• a3d9426 chore: Update CHANGELOG.md
• 079dc85 chore: Update CHANGELOG.md
• 420a188 chore: Update CHANGELOG.md
• 48b1c6c chore: Update CHANGELOG.md
• 2dc1e69 Merge pull request #33472 from anthropics/kashyap/code-review-batch-output
• db8834b feat(code-review): pass confirmed=true when posting inline comments
• 6f049b6 chore: Update CHANGELOG.md
• Additional commits viewable in compare view

Updates @babel/runtime from 7.28.6 to 7.29.2

Release notes

Sourced from @​babel/runtime's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

... (truncated)

Commits

• 37d5595 v7.29.2
• See full diff in compare view

Updates @borewit/text-codec from 0.2.1 to 0.2.2

Release notes

Sourced from @​borewit/text-codec's releases.

v0.2.2

Changes

🐛 Bug Fixes

• fix: improve encoding correctness and update README @​Borewit (#36)

NPM release

NPM release: @​borewit/text-codec@​0.2.2

Commits

• c2ce9c5 0.2.2
• e2f0705 Merge pull request #23 from Borewit/dependabot/npm_and_yarn/master/chai-6.2.2
• 5e58cb8 Bump chai from 5.2.1 to 6.2.2
• bc315b8 Merge pull request #37 from Borewit/update-biome
• f32adfc Update biome to 2.4.6
• 7776373 Merge pull request #36 from Borewit/fix-most-issue-exodus
• 068d7d4 fix: improve encoding correctness and update README
• See full diff in compare view

Updates @google/genai from 1.42.0 to 1.46.0

Release notes

Sourced from @​google/genai's releases.

v1.46.0

1.46.0 (2026-03-17)

Breaking changes

• [Interactions] Breaking change to Interactions API to refactor TextContent annotations to use specific citation types (9fa8b1d)
• [Interactions] Breaking change for Interactions, rename ContentDelta unions. (917f24f)
• [Interactions] Breaking change to Interactions API to rename rendered_content to search_suggestions (cc6bd38)

Features

• [Interactions] Add and update 'signature' fields for tool call/result content types. (e73ca5b)
• [Interactions] Support Google Maps in Interactions (d0593e3)
• Support include_server_side_tool_invocations for genai. (c627d6f)

Bug Fixes

• Quote functionResponses key in LiveClientMessage (9740426)

v1.45.0

1.45.0 (2026-03-12)

Features

• Add inference_generation_config to EvaluationConfig for Tuning (b4ac722)
• enable language code for audio transcription config in Live API for Vertex AI (67f39ec)

v1.44.0

1.44.0 (2026-03-04)

Features

• Add gemini-3.1-flash-image-preview model (175603b)
• Support signature for all Interaction tool types (b79108f)
• Update data types from discovery doc. (249b15a)

v1.43.0

1.43.0 (2026-02-26)

Features

• Add gemini-3.1-pro-preview to list of models in Interactions (14775fe)
• Add Image Grounding support to GoogleSearch tool (9187ca7)
• enable server side MCP and disable all other AFC when server side MCP is configured. (c7888c4)
• Support more image sizes and resolutions (54f4145)

... (truncated)

Changelog

Sourced from @​google/genai's changelog.

1.46.0 (2026-03-17)

Breaking changes

• [Interactions] Breaking change to Interactions API to refactor TextContent annotations to use specific citation types (9fa8b1d)
• [Interactions] Breaking change for Interactions, rename ContentDelta unions. (917f24f)
• [Interactions] Breaking change to Interactions API to rename rendered_content to search_suggestions (cc6bd38)

Features

• [Interactions] Add and update 'signature' fields for tool call/result content types. (e73ca5b)
• [Interactions] Support Google Maps in Interactions (d0593e3)
• Support include_server_side_tool_invocations for genai. (c627d6f)

Bug Fixes

• Quote functionResponses key in LiveClientMessage (9740426)

1.45.0 (2026-03-12)

Features

• Add inference_generation_config to EvaluationConfig for Tuning (b4ac722)
• enable language code for audio transcription config in Live API for Vertex AI (67f39ec)

1.44.0 (2026-03-04)

Features

• Add gemini-3.1-flash-image-preview model (175603b)
• Support signature for all Interaction tool types (b79108f)
• Update data types from discovery doc. (249b15a)

1.43.0 (2026-02-26)

Features

• Add gemini-3.1-pro-preview to list of models in Interactions (14775fe)
• Add Image Grounding support to GoogleSearch tool (9187ca7)
• enable server side MCP and disable all other AFC when server side MCP is configured. (c7888c4)
• Support more image sizes and resolutions (54f4145)

Bug Fixes

... (truncated)

Commits

• b9d4b88 chore(main): release 1.46.0 (#1408)
• c627d6f feat: Support include_server_side_tool_invocations for genai.
• 9740426 fix: Quote functionResponses key in LiveClientMessage
• 9fa8b1d feat: Breaking change to Interactions API to refactor TextContent annotations...
• e73ca5b feat: Add and update 'signature' fields for tool call/result content types.
• d0593e3 feat: Support Google Maps in Interactions
• cc6bd38 fix: Breaking change to Interactions API to rename rendered_content to search...
• 917f24f fix: Breaking change for Interactions, rename ContentDelta unions.
• 211cd6b chore: process proxy and base url settings for file uploads
• 2d82de4 chore(main): release 1.45.0 (#1384)
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.11

Release notes

Sourced from @​hono/node-server's releases.

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• 58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
• b1daa4c docs(readme): add @​usualoma as an author (#300)
• See full diff in compare view

Updates @modelcontextprotocol/sdk from 1.26.0 to 1.27.1

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.27.1

What's Changed

• feat: implement auth/pre-registration conformance scenario by @​felixweinberger in modelcontextprotocol/typescript-sdk#1545
• docs: add governance documentation for SEP-1730 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1547
• docs: comprehensive feature documentation for SEP-1730 Tier 1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1548
• fix: prevent command injection in example URL opening (v1.x backport) by @​maxisbey in modelcontextprotocol/typescript-sdk#1579
• fix: call onerror for silently swallowed transport errors by @​qing-ant in modelcontextprotocol/typescript-sdk#1580
• chore: bump version to 1.27.1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1581

New Contributors

• @​qing-ant made their first contribution in modelcontextprotocol/typescript-sdk#1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

• feat: add conformance test infrastructure for v1.x by @​felixweinberger in modelcontextprotocol/typescript-sdk#1518
• feat: backport discoverOAuthServerInfo() and discovery caching to v1.x by @​felixweinberger in modelcontextprotocol/typescript-sdk#1533
• feat: add url property to RequestInfo interface by @​valentinbeggi in modelcontextprotocol/typescript-sdk#1353
• [v1.x] feat(tasks): add streaming methods for elicitation and sampling by @​LucaButBoring in modelcontextprotocol/typescript-sdk#1528
• chore: bump version for v1.27.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1541

New Contributors

• @​valentinbeggi made their first contribution in modelcontextprotocol/typescript-sdk#1353

Full Changelog: modelcontextprotocol/typescript-sdk@v1.26.0...v1.27.0

Commits

• 4faa8c8 chore: bump version to 1.27.1 (#1581)
• 09a85a8 fix: call onerror for silently swallowed transport errors (#1580)
• e79d14a fix: prevent command injection in example URL opening (v1.x backport) (#1579)
• 342ea39 docs: comprehensive feature documentation for SEP-1730 Tier 1 (#1548)
• 2084a22 docs: add governance documentation for SEP-1730 (#1547)
• f2d2145 feat: implement auth/pre-registration conformance scenario (#1545)
• 8cbc658 chore: bump version for v1.27.0 (#1541)
• 5c16ae3 [v1.x] feat(tasks): add streaming methods for elicitation and sampling (#1528)
• 97ab379 feat: add url property to RequestInfo interface (#1353)
• 825e9ab feat: backport discoverOAuthServerInfo() and discovery caching to v1.x (#1533)
• Additional commits viewable in compare view

Updates @supabase/supabase-js from 2.97.0 to 2.99.3

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.99.3

2.99.3 (2026-03-19)

🩹 Fixes

• auth: guard navigator lock steal against cascade when lock is stolen by another request (#2178)
• storage: structural detection on json() to detect Response-like errors (#2179)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.99.3-canary.0

2.99.3-canary.0 (2026-03-16)

🚀 Features

• realtime: use phoenix's js lib inside realtime-js (#2119)

❤️ Thank You

• Alan Guzek

v2.99.2

2.99.2 (2026-03-16)

🩹 Fixes

• storage: do not rewrite signed URL to render endpoint for empty transform object (#2162)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.99.2-canary.0

2.99.2-canary.0 (2026-03-13)

🩹 Fixes

• storage: do not rewrite signed URL to render endpoint for empty transform object (#2162)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.99.1

2.99.1 (2026-03-11)

🩹 Fixes

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.99.2 (2026-03-16)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.1 (2026-03-11)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.0 (2026-03-09)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.98.0 (2026-02-26)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

Commits

• bc435b3 chore(release): version 2.99.2 changelogs (#2168)
• b85174f chore(release): version 2.99.1 changelogs (#2161)
• 280e453 docs(repo): enrich tsdoc with examples and notes (#2152)
• 749aaa9 chore(release): version 2.99.0 changelogs (#2156)
• fab1655 chore(deps): update supabase ssr (#2147)
• e6bdfe2 test(ci): add e2e tests for example apps (#2138)
• 8451cc0 chore(release): version 2.98.0 changelogs (#2141)
• c56d249 chore(release): version 2.97.0 changelogs (#2124)
• See full diff in compare view

Updates fastmcp from 3.33.0 to 3.34.0

Release notes

Sourced from fastmcp's releases.

v3.34.0

3.34.0 (2026-03-06)

Features

• add outputSchema support for structured tool responses — closes #207 (#247) (334a8fc)

Commits

• 2cca0e4 chore: update xsschema (#250)
• 334a8fc feat: add outputSchema support for structured tool responses — closes #207 (#...
• See full diff in compare view

Updates xsschema from 0.4.0-beta.5 to 0.4.4

Release notes

Sourced from xsschema's releases.

v0.4.4

   🐞 Bug Fixes

• shared-chat:
  • Handle empty tool call arguments in executeTool  -  by @​lietblue in moeru-ai/xsai#266 (e23b9)
  • Clean execute only  -  by @​Wyatex in moeru-ai/xsai#270 (02092)

    View changes on GitHub

v0.4.3

   🏎 Performance

• Use Promise.all for tool calling  -  by @​dsh0416 in moeru-ai/xsai#264 (9241e)

    View changes on GitHub

v0.4.2

   🚨 Breaking Changes

• providers: Sync upstream, rename novita  -  by @​kwaa (72f1b)

   🚀 Features

• providers: Cohere  -  by @​kwaa (6fa8d)

    View changes on GitHub

v0.4.1

   🚀 Features

• Reasoning effort  -  by @​kwaa in moeru-ai/xsai#257 (c97c2)
• Support reasoning field  -  by @​kwaa in moeru-ai/xsai#259 (66b89)
• telemetry: Embed, embedMany  -  by @​kwaa in moeru-ai/xsai#260 (93c40)

   🏎 Performance

• Use oxlint  -  by @​kwaa (a7170)

    View changes on GitHub

v0.4.0 "AIAIAI"

   🚨 Breaking Changes

• Remove old providers package  -  by @​kwaa in moeru-ai/xsai#252 (98060)
• providers:
  • Correct naming  -  by @​kwaa (ca8a5)
  • Special providers, move azure, workers-ai  -  by @​kwaa in moeru-ai/xsai#251 (a7f90)
  • Remove deprecated providers  -  by @​kwaa in moeru-ai/xsai#253 (4128b)
• shared-chat:
  • Rewrite types to align with openai  -  by @​kwaa in moeru-ai/xsai#207 (abcfb)

... (truncated)

Commits

• a87ee15 chore: release v0.4.4
• d9c6f75 chore: release v0.4.3
• 96292a3 chore: release v0.4.2
• fb3714b chore: release v0.4.1
• 519322e chore: release v0.4.0
• af41c03 refactor(xsschema)!: remove sync method (#254)
• 494e381 chore: release v0.4.0-beta.13
• d9a8b7b chore(deps): bump version, follow upstream changes (#247)
• a925b23 chore: release v0.4.0-beta.12
• bf2ea4d chore: release v0.4.0-beta.11
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for xsschema since your current version.

Updates jose from 5.10.0 to 6.1.3

Release notes

Sourced from jose's releases.

v6.1.3

Refactor

• avoid export * as for google closure's compiler sake (6303d98), closes #832

v6.1.2

Refactor

• fallback to checking instanceof for CryptoKey (901cd90), closes #765 #803 #821 #827 #828

v6.1.1

Documentation

• add link to RFC9864 (767edde)
• link to ML-DSA for JOSE (ed4252c)
• remove mention of Edge Runtime from the readme (94fdde7)
• update README.md (25098ef)

Refactor

• eliminate named exports in the source code (f6ae30d)
• expose setKeyManagementParameters also on a GeneralEncrypt Recipient (16e6b23)
• faster path for symmetric key checks (a44c2ec)
• improve en/decoding overheads (daee426)

v6.1.0

Features

• support AKP JWKs in calculateJwkThumbprint and calculateJwkThumbprintUri (cf2092a)
• support for the ML-DSA PQC Algorithm Identifiers (25ddce4)

v6.0.13

Refactor

• more readability in ecdhes.ts (84da9de)
• update asn1.ts helpers (b4f8fb3)

v6.0.12

Documentation

• add known caveats to customFetch (02e1f1e)
• mention the apu/apv parameter names in setKeyManagementParameters (6274d5a)
• update compact setKeyManagementParameters (2f44381)
• use GitHub Flavored Markdown for notes and warnings (f6b4ffc)

Refactor

• createPublicKey is not a constructor (61ded78)

... (truncated)

Changelog

Sourced from jose's changelog.

6.1.3 (2025-12-02)

Refactor

• avoid export * as for google closure's compiler sake (6303d98), closes #832

6.1.2 (2025-11-15)

Refactor

• fallback to checking instanceof for CryptoKey (901cd90), closes #765 #803 #821 Description has been truncated

[dependabot]

Assignees

The following users could not be added as assignees: llm-dev-ops/maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔒 Security Scan Results

Scan Type	Status
Dependency Scan	⚠️ failure
CodeQL Analysis	✅ success
Secret Scan	✅ success
License Check	⚠️ failure
SAST	⚠️ failure

⚠️ Some security scans have warnings or failed. Please review the details.

---

Automated security scanning by GitHub Actions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.