chore(deps)(deps): bump the production-dependencies group across 1 directory with 42 updates #52

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/production-dependencies-f979135f3d

dependabot[bot] commented on behalf of github on Mar 30, 2026

Bumps the production-dependencies group with 34 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| cosmiconfig | 9.0.0 | 9.0.1 |
| handlebars | 4.7.8 | 4.7.9 |
| @anthropic-ai/claude-code | 2.1.50 | 2.1.87 |
| @babel/runtime | 7.28.6 | 7.29.2 |
| @borewit/text-codec | 0.2.1 | 0.2.2 |
| @google/genai | 1.42.0 | 1.47.0 |
| @hono/node-server | 1.19.9 | 1.19.12 |
| @modelcontextprotocol/sdk | 1.26.0 | 1.28.0 |
| @supabase/supabase-js | 2.97.0 | 2.100.1 |
| fastmcp | 3.33.0 | 3.34.0 |
| axios | 1.13.5 | 1.14.0 |
| bare-fs | 4.5.4 | 4.5.6 |
| bare-os | 3.6.2 | 3.8.4 |
| bare-stream | 2.8.0 | 2.11.0 |
| bare-url | 2.3.2 | 2.4.0 |
| express-rate-limit | 8.2.1 | 8.3.1 |
| figlet | 1.10.0 | 1.11.0 |
| file-type | 21.3.0 | 21.3.4 |
| fs-extra | 11.3.3 | 11.3.4 |
| gaxios | 7.1.3 | 7.1.4 |
| google-auth-library | 10.5.0 | 10.6.2 |
| hono | 4.12.1 | 4.12.9 |
| koa | 3.1.1 | 3.2.0 |
| mcp-proxy | 6.4.0 | 6.4.4 |
| nan | 2.25.0 | 2.26.2 |
| node-abi | 3.87.0 | 3.89.0 |
| path-to-regexp | 8.3.0 | 8.4.0 |
| pump | 3.0.3 | 3.0.4 |
| sql.js | 1.14.0 | 1.14.1 |
| strtok3 | 10.3.4 | 10.3.5 |
| undici | 7.22.0 | 7.24.6 |
| ws | 8.19.0 | 8.20.0 |
| yaml | 2.8.2 | 2.8.3 |
| zod-to-json-schema | 3.25.1 | 3.25.2 |

Updates cosmiconfig from 9.0.0 to 9.0.1

Changelog

Sourced from cosmiconfig's changelog.

9.0.1

  • Fixed a race condition where multiple instances existing simultaneously could cause cosmiconfig to fail to load TypeScript config files.
  • Fixed an issue on Windows where CWD being a short path (e.g. C:\Users\USERNA~1) would cause cosmiconfig to fail to load ESM config files.
Commits
  • 9a5cda3 9.0.1
  • 2174017 update changelog
  • 536d4a0 Prevent race conditions when running multiple instances of cosmiconfig and ...
  • 4b48611 remove debug log
  • 53d1745 remove more EOL node versions
  • 7c1a1e3 replace resolve with realpath
  • fcc9084 add additional path.resolve for windows short paths
  • 7e995c8 debug
  • 52b6b1c drop node 14 build as it seems to fail for unreachable reasons
  • db45e38 fix tests on windows (3)
  • Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

  • fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
  • fix type "RuntimeOptions" also accepting string partials - eab1d14
  • feat(types): set hash to be a Record<string, any> - de4414d
  • fix non-contiguous program indices - 4512766
  • refactor: rename i to startPartIndex - e497a35
  • security: fix security issues - 68d8df5

Commits
  • dce542c v4.7.9
  • 8a41389 Update release notes
  • 68d8df5 Fix security issues
  • b2a0831 Fix browser tests
  • 9f98c16 Fix release script
  • 45443b4 Revert "Improve partial indenting performance"
  • 8841a5f Fix CI errors with linting
  • e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
  • e914d60 Improve rendering performance
  • 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
  • Additional commits viewable in compare view

Updates @anthropic-ai/claude-code from 2.1.50 to 2.1.87

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.87

  • Fixed messages in Cowork Dispatch not getting delivered

2.1.86

  • Added X-Claude-Code-Session-Id header to API requests so proxies can aggregate requests by session without parsing the body
  • Added .jj and .sl to VCS directory exclusion lists so Grep and file autocomplete don't descend into Jujutsu or Sapling metadata
  • Fixed --resume failing with "tool_use ids were found without tool_result blocks" on sessions created before v2.1.85
  • Fixed Write/Edit/Read failing on files outside the project root (e.g., ~/.claude/CLAUDE.md) when conditional skills or rules are configured
  • Fixed unnecessary config disk writes on every skill invocation that could cause performance issues and config corruption on Windows
  • Fixed potential out-of-memory crash when using /feedback on very long sessions with large transcript files
  • Fixed --bare mode dropping MCP tools in interactive sessions and silently discarding messages enqueued mid-turn
  • Fixed the c shortcut copying only ~20 characters of the OAuth login URL instead of the full URL
  • Fixed masked input (e.g., OAuth code paste) leaking the start of the token when wrapping across multiple lines on narrow terminals
  • Fixed official marketplace plugin scripts failing with "Permission denied" on macOS/Linux since v2.1.83
  • Fixed statusline showing another session's model when running multiple Claude Code instances and using /model in one of them
  • Fixed scroll not following new messages after wheel scroll or click-to-select at the bottom of a long conversation
  • Fixed /plugin uninstall dialog: pressing n now correctly uninstalls the plugin while preserving its data directory
  • Fixed a regression where pressing Enter after clicking could leave the transcript blank until the response arrived
  • Fixed ultrathink hint lingering after deleting the keyword
  • Fixed memory growth in long sessions from markdown/highlight render caches retaining full content strings
  • Reduced startup event-loop stalls when many claude.ai MCP connectors are configured (macOS keychain cache extended from 5s to 30s)
  • Reduced token overhead when mentioning files with @ — raw string content no longer JSON-escaped
  • Improved prompt cache hit rate for Bedrock, Vertex, and Foundry users by removing dynamic content from tool descriptions
  • Memory filenames in the "Saved N memories" notice now highlight on hover and open on click
  • Skill descriptions in the /skills listing are now capped at 250 characters to reduce context usage
  • Changed /skills menu to sort alphabetically for easier scanning
  • Auto mode now shows "unavailable for your plan" when disabled by plan restrictions (was "temporarily unavailable")
  • [VSCode] Fixed extension incorrectly showing "Not responding" during long-running operations
  • [VSCode] Fixed extension defaulting Max plan users to Sonnet after the OAuth token refreshes (8 hours after login)
  • Read tool now uses compact line-number format and deduplicates unchanged re-reads, reducing token usage

2.1.85

  • Added CLAUDE_CODE_MCP_SERVER_NAME and CLAUDE_CODE_MCP_SERVER_URL environment variables to MCP headersHelper scripts, allowing one helper to serve multiple servers
  • Added conditional if field for hooks using permission rule syntax (e.g., Bash(git *)) to filter when they run, reducing process spawning overhead
  • Added timestamp markers in transcripts when scheduled tasks (/loop, CronCreate) fire
  • Added trailing space after [Image #N] placeholder when pasting images
  • Deep link queries (claude-cli://open?q=…) now support up to 5,000 characters, with a "scroll to review" warning for long pre-filled prompts
  • MCP OAuth now follows RFC 9728 Protected Resource Metadata discovery to find the authorization server
  • Plugins blocked by organization policy (managed-settings.json) can no longer be installed or enabled, and are hidden from marketplace views
  • PreToolUse hooks can now satisfy AskUserQuestion by returning updatedInput alongside permissionDecision: "allow", enabling headless integrations that collect answers via their own UI
  • tool_parameters in OpenTelemetry tool_result events are now gated behind OTEL_LOG_TOOL_DETAILS=1
  • Fixed /compact failing with "context exceeded" when the conversation has grown too large for the compact request itself to fit
  • Fixed /plugin enable and /plugin disable failing when a plugin's install location differs from where it's declared in settings
  • Fixed --worktree exiting with an error in non-git repositories before the WorktreeCreate hook could run
  • Fixed deniedMcpServers setting not blocking claude.ai MCP servers
  • Fixed switch_display in the computer-use tool returning "not available in this session" on multi-monitor setups
  • Fixed crash when OTEL_LOGS_EXPORTER, OTEL_METRICS_EXPORTER, or OTEL_TRACES_EXPORTER is set to none

... (truncated)

Updates @babel/runtime from 7.28.6 to 7.29.2

Release notes

Sourced from @​babel/runtime's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

  • babel-parser

🐛 Bug Fix

  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • babel-preset-env
    • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

Committers: 2

v7.29.1 (2026-02-04)

🐛 Bug Fix

Committers: 2

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

  • babel-types
  • babel-standalone

🐛 Bug Fix

  • babel-parser
  • babel-traverse
    • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
  • babel-plugin-transform-block-scoping, babel-traverse
    • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

... (truncated)

Updates @borewit/text-codec from 0.2.1 to 0.2.2

Release notes

Sourced from @​borewit/text-codec's releases.

v0.2.2

Changes

🐛 Bug Fixes

  • fix: improve encoding correctness and update README @​Borewit (#36)

NPM release

NPM release: @​borewit/text-codec@​0.2.2

Commits
  • c2ce9c5 0.2.2
  • e2f0705 Merge pull request #23 from Borewit/dependabot/npm_and_yarn/master/chai-6.2.2
  • 5e58cb8 Bump chai from 5.2.1 to 6.2.2
  • bc315b8 Merge pull request #37 from Borewit/update-biome
  • f32adfc Update biome to 2.4.6
  • 7776373 Merge pull request #36 from Borewit/fix-most-issue-exodus
  • 068d7d4 fix: improve encoding correctness and update README
  • See full diff in compare view

Updates @google/genai from 1.42.0 to 1.47.0

Changelog

Sourced from @​google/genai's changelog.

1.47.0 (2026-03-27)

Features

  • Add custom_metadata to FileSearchResult. (083a1e3)
  • Add labels field to Veo configs (930c9c3)
  • Add mime type for Audio content (1ad80c6)
  • Add model_status to GenerateContentResponse (Gemini API only) (5e1110d)
  • Add part_metadata in Part (Gemini API only) (5e1110d)
  • Add service tier for interactions. (406de38)
  • Add service tier to GenerateContent. (0bfe800)
  • Add support for more image and audio MIME types in Interactions content (baadbfd)
  • Add supported models to the ModelOptions (94642b6)
  • genai: add TURN_INCLUDES_AUDIO_ACTIVITY_AND_ALL_VIDEO to TurnCoverage (fdacac2)
  • support hyperparameters in distillation tuning (716e021)
  • Support rendered_parts in GroundingSupport (5e1110d)

Bug Fixes

  • support us region routing (d391cff)

1.46.0 (2026-03-17)

Breaking changes

  • [Interactions] Breaking change to Interactions API to refactor TextContent annotations to use specific citation types (9fa8b1d)
  • [Interactions] Breaking change for Interactions, rename ContentDelta unions. (917f24f)
  • [Interactions] Breaking change to Interactions API to rename rendered_content to search_suggestions (cc6bd38)

Features

  • [Interactions] Add and update 'signature' fields for tool call/result content types. (e73ca5b)
  • [Interactions] Support Google Maps in Interactions (d0593e3)
  • Support include_server_side_tool_invocations for genai. (c627d6f)

Bug Fixes

  • Quote functionResponses key in LiveClientMessage (9740426)

1.45.0 (2026-03-12)

Features

  • Add inference_generation_config to EvaluationConfig for Tuning (b4ac722)

... (truncated)

Commits
  • 585c177 chore(main): release 1.47.0 (#1423)
  • 0bfe800 feat: Add service tier to GenerateContent.
  • 406de38 feat: Add service tier for interactions.
  • 716e021 feat: support hyperparameters in distillation tuning
  • 8f3373e chore: Remove TYPE_JPG from ImageContent.MimeType enums
  • 94642b6 feat: Add supported models to the ModelOptions
  • fbe5ad2 chore: update comments
  • fdacac2 feat(genai): add TURN_INCLUDES_AUDIO_ACTIVITY_AND_ALL_VIDEO to TurnCoverage
  • d391cff fix: support us region routing
  • 930c9c3 feat: Add labels field to Veo configs
  • Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.12

Release notes

Sourced from @​hono/node-server's releases.

v1.19.12

What's Changed

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Updates @modelcontextprotocol/sdk from 1.26.0 to 1.28.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.28.0

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.26.0...v1.27.0

Commits
  • a056569 chore: bump version to 1.28.0 (#1746)
  • 897bc25 fix(server/auth): RFC 8252 loopback port relaxation (#1738)
  • 398dc70 fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller c...
  • 93640d3 fix: reject plain JSON Schema objects passed as inputSchema (#1596)
  • 4cbcec0 [v1.x backport] Default to client_secret_basic when server omits token_endpoi...
  • c9b58d1 feat: use scopes_supported from resource metadata by default (fixes #580) (#757)
  • 351e124 docs: add links to hosted V1 and V2 API reference docs
  • 4faa8c8 chore: bump version to 1.27.1 (#1581)
  • 09a85a8 fix: call onerror for silently swallowed transport errors (#1580)
  • e79d14a fix: prevent command injection in example URL opening (v1.x backport) (#1579)
  • Additional commits viewable in compare view

Updates @supabase/supabase-js from 2.97.0 to 2.100.1

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.100.1

2.100.1 (2026-03-26)

🩹 Fixes

  • postgrest: add type safety for eq() and neq() column names (#2175)
  • postgrest: fix maybeSingle for all request methods by removing Accept header override (#2182)
  • postgrest: narrow tstyche testFileMatch to only type test files (#2193)
  • postgrest: prevent Args: never functions from being classified as computed fields (#2195)
  • storage: spread all DEFAULT_FILE_OPTIONS in uploadToSignedUrl (#2194)

❤️ Thank You

v2.100.0

2.100.0 (2026-03-23)

🚀 Features

  • realtime: use phoenix's js lib inside realtime-js (#2119)

🩹 Fixes

  • auth: guard navigator lock steal against cascade when lock is stolen by another request (#2178)
  • realtime: revert vsn type to string (#2170)
  • storage: structural detection on json() to detect Response-like errors (#2179)

❤️ Thank You

v2.100.0-rc.0

2.100.0-rc.0 (2026-03-16)

This was a version bump only, there were no code changes.

v2.100.0-canary.7

2.100.0-canary.7 (2026-03-26)

🩹 Fixes

  • storage: spread all DEFAULT_FILE_OPTIONS in uploadToSignedUrl (#2194)

❤️ Thank You

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.100.1 (2026-03-26)

🩹 Fixes

  • postgrest: narrow tstyche testFileMatch to only type test files (#2193)

❤️ Thank You

2.100.0 (2026-03-23)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.2 (2026-03-16)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.1 (2026-03-11)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.0 (2026-03-09)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.98.0 (2026-02-26)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

Commits
  • cd6335e docs(repo): enrich docs comment for remaining packages (#2165)
  • 9f487bd fix(postgrest): narrow tstyche testFileMatch to only type test files (#2193)
  • 379ce05 chore(release): version 2.100.0 changelogs (#2185)
  • bc435b3 chore(release): version 2.99.2 changelogs (#2168)
  • b85174f chore(release): version 2.99.1 changelogs (#2161)
  • 280e453 docs(repo): enrich tsdoc with examples and notes (#2152)
  • 749aaa9 chore(release): version 2.99.0 changelogs (#2156)
  • fab1655 chore(deps): update supabase ssr (#2147)
  • e6bdfe2 test(ci): add e2e tests for example apps (#2138)
  • 8451cc0 chore(release): version 2.98.0 changelogs (#2141)
  • Additional commits viewable in compare view

Updates fastmcp from 3.33.0 to 3.34.0

Updates xsschema from 0.4.0-beta.5 to 0.4.4

Release notes

Sourced from xsschema's releases.

v0.4.4

   🐞 Bug Fixes

…rectory with 42 updates

Bumps the production-dependencies group with 34 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [cosmiconfig](https://github.com/cosmiconfig/cosmiconfig) | `9.0.0` | `9.0.1` |
| [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.7.8` | `4.7.9` |
| [@anthropic-ai/claude-code](https://github.com/anthropics/claude-code) | `2.1.50` | `2.1.87` |
| [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime) | `7.28.6` | `7.29.2` |
| [@borewit/text-codec](https://github.com/Borewit/text-codec) | `0.2.1` | `0.2.2` |
| [@google/genai](https://github.com/googleapis/js-genai) | `1.42.0` | `1.47.0` |
| [@hono/node-server](https://github.com/honojs/node-server) | `1.19.9` | `1.19.12` |
| [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.26.0` | `1.28.0` |
| [@supabase/supabase-js](https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js) | `2.97.0` | `2.100.1` |
| [fastmcp](https://github.com/punkpeye/fastmcp) | `3.33.0` | `3.34.0` |
| [axios](https://github.com/axios/axios) | `1.13.5` | `1.14.0` |
| [bare-fs](https://github.com/holepunchto/bare-fs) | `4.5.4` | `4.5.6` |
| [bare-os](https://github.com/holepunchto/bare-os) | `3.6.2` | `3.8.4` |
| [bare-stream](https://github.com/holepunchto/bare-stream) | `2.8.0` | `2.11.0` |
| [bare-url](https://github.com/holepunchto/bare-url) | `2.3.2` | `2.4.0` |
| [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `8.2.1` | `8.3.1` |
| [figlet](https://github.com/patorjk/figlet.js) | `1.10.0` | `1.11.0` |
| [file-type](https://github.com/sindresorhus/file-type) | `21.3.0` | `21.3.4` |
| [fs-extra](https://github.com/jprichardson/node-fs-extra) | `11.3.3` | `11.3.4` |
| [gaxios](https://github.com/googleapis/google-cloud-node-core/tree/HEAD/packages/gaxios) | `7.1.3` | `7.1.4` |
| [google-auth-library](https://github.com/googleapis/google-cloud-node-core/tree/HEAD/packages/google-auth-library-nodejs) | `10.5.0` | `10.6.2` |
| [hono](https://github.com/honojs/hono) | `4.12.1` | `4.12.9` |
| [koa](https://github.com/koajs/koa) | `3.1.1` | `3.2.0` |
| [mcp-proxy](https://github.com/punkpeye/mcp-proxy) | `6.4.0` | `6.4.4` |
| [nan](https://github.com/nodejs/nan) | `2.25.0` | `2.26.2` |
| [node-abi](https://github.com/electron/node-abi) | `3.87.0` | `3.89.0` |
| [path-to-regexp](https://github.com/pillarjs/path-to-regexp) | `8.3.0` | `8.4.0` |
| [pump](https://github.com/mafintosh/pump) | `3.0.3` | `3.0.4` |
| [sql.js](https://github.com/sql-js/sql.js) | `1.14.0` | `1.14.1` |
| [strtok3](https://github.com/Borewit/strtok3) | `10.3.4` | `10.3.5` |
| [undici](https://github.com/nodejs/undici) | `7.22.0` | `7.24.6` |
| [ws](https://github.com/websockets/ws) | `8.19.0` | `8.20.0` |
| [yaml](https://github.com/eemeli/yaml) | `2.8.2` | `2.8.3` |
| [zod-to-json-schema](https://github.com/StefanTerdell/zod-to-json-schema) | `3.25.1` | `3.25.2` |



Updates `cosmiconfig` from 9.0.0 to 9.0.1
- [Release notes](https://github.com/cosmiconfig/cosmiconfig/releases)
- [Changelog](https://github.com/cosmiconfig/cosmiconfig/blob/main/CHANGELOG.md)
- [Commits](cosmiconfig/cosmiconfig@v9.0.0...v9.0.1)

Updates `handlebars` from 4.7.8 to 4.7.9
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9)

Updates `@anthropic-ai/claude-code` from 2.1.50 to 2.1.87
- [Release notes](https://github.com/anthropics/claude-code/releases)
- [Changelog](https://github.com/anthropics/claude-code/blob/main/CHANGELOG.md)
- [Commits](anthropics/claude-code@v2.1.50...v2.1.87)

Updates `@babel/runtime` from 7.28.6 to 7.29.2
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.2/packages/babel-runtime)

Updates `@borewit/text-codec` from 0.2.1 to 0.2.2
- [Release notes](https://github.com/Borewit/text-codec/releases)
- [Commits](Borewit/text-codec@v0.2.1...v0.2.2)

Updates `@google/genai` from 1.42.0 to 1.47.0
- [Release notes](https://github.com/googleapis/js-genai/releases)
- [Changelog](https://github.com/googleapis/js-genai/blob/main/CHANGELOG.md)
- [Commits](googleapis/js-genai@v1.42.0...v1.47.0)

Updates `@hono/node-server` from 1.19.9 to 1.19.12
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v1.19.9...v1.19.12)

Updates `@modelcontextprotocol/sdk` from 1.26.0 to 1.28.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@v1.26.0...v1.28.0)

Updates `@supabase/supabase-js` from 2.97.0 to 2.100.1
- [Release notes](https://github.com/supabase/supabase-js/releases)
- [Changelog](https://github.com/supabase/supabase-js/blob/master/packages/core/supabase-js/CHANGELOG.md)
- [Commits](https://github.com/supabase/supabase-js/commits/v2.100.1/packages/core/supabase-js)

Updates `fastmcp` from 3.33.0 to 3.34.0
- [Commits](https://github.com/punkpeye/fastmcp/commits)

Updates `xsschema` from 0.4.0-beta.5 to 0.4.4
- [Release notes](https://github.com/moeru-ai/xsai/releases)
- [Commits](https://github.com/moeru-ai/xsai/commits/v0.4.4/packages-top/xsschema)

Updates `jose` from 5.10.0 to 6.1.3
- [Release notes](https://github.com/panva/jose/releases)
- [Changelog](https://github.com/panva/jose/blob/main/CHANGELOG.md)
- [Commits](panva/jose@v5.10.0...v6.1.3)

Updates `axios` from 1.13.5 to 1.14.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.5...v1.14.0)

Updates `bare-fs` from 4.5.4 to 4.5.6
- [Commits](holepunchto/bare-fs@v4.5.4...v4.5.6)

Updates `bare-os` from 3.6.2 to 3.8.4
- [Commits](holepunchto/bare-os@v3.6.2...v3.8.4)

Updates `bare-stream` from 2.8.0 to 2.11.0
- [Commits](holepunchto/bare-stream@v2.8.0...v2.11.0)

Updates `bare-url` from 2.3.2 to 2.4.0
- [Commits](holepunchto/bare-url@v2.3.2...v2.4.0)

Updates `express-rate-limit` from 8.2.1 to 8.3.1
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v8.2.1...v8.3.1)

Updates `figlet` from 1.10.0 to 1.11.0
- [Release notes](https://github.com/patorjk/figlet.js/releases)
- [Commits](patorjk/figlet.js@v1.10.0...v1.11.0)

Updates `file-type` from 21.3.0 to 21.3.4
- [Release notes](https://github.com/sindresorhus/file-type/releases)
- [Commits](sindresorhus/file-type@v21.3.0...v21.3.4)

Updates `fs-extra` from 11.3.3 to 11.3.4
- [Changelog](https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md)
- [Commits](jprichardson/node-fs-extra@11.3.3...11.3.4)

Updates `gaxios` from 7.1.3 to 7.1.4
- [Release notes](https://github.com/googleapis/google-cloud-node-core/releases)
- [Changelog](https://github.com/googleapis/google-cloud-node-core/blob/main/packages/gaxios/CHANGELOG.md)
- [Commits](https://github.com/googleapis/google-cloud-node-core/commits/gaxios-v7.1.4/packages/gaxios)

Updates `jackspeak` from 3.4.3 to 4.2.3
- [Changelog](https://github.com/isaacs/jackspeak/blob/main/changelog.md)
- [Commits](isaacs/jackspeak@v3.4.3...v4.2.3)

Updates `lru-cache` from 10.4.3 to 11.2.6
- [Changelog](https://github.com/isaacs/node-lru-cache/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-lru-cache@v10.4.3...v11.2.6)

Updates `path-scurry` from 1.11.1 to 2.0.2
- [Changelog](https://github.com/isaacs/path-scurry/blob/main/CHANGELOG.md)
- [Commits](isaacs/path-scurry@v1.11.1...v2.0.2)

Updates `google-auth-library` from 10.5.0 to 10.6.2
- [Release notes](https://github.com/googleapis/google-cloud-node-core/releases)
- [Changelog](https://github.com/googleapis/google-cloud-node-core/blob/main/packages/google-auth-library-nodejs/CHANGELOG.md)
- [Commits](https://github.com/googleapis/google-cloud-node-core/commits/google-auth-library-v10.6.2/packages/google-auth-library-nodejs)

Updates `hono` from 4.12.1 to 4.12.9
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.1...v4.12.9)

Updates `ip-address` from 10.0.1 to 10.1.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

Updates `koa` from 3.1.1 to 3.2.0
- [Release notes](https://github.com/koajs/koa/releases)
- [Changelog](https://github.com/koajs/koa/blob/master/History.md)
- [Commits](koajs/koa@v3.1.1...v3.2.0)

Updates `mcp-proxy` from 6.4.0 to 6.4.4
- [Commits](https://github.com/punkpeye/mcp-proxy/commits)

Updates `nan` from 2.25.0 to 2.26.2
- [Changelog](https://github.com/nodejs/nan/blob/main/CHANGELOG.md)
- [Commits](nodejs/nan@v2.25.0...v2.26.2)

Updates `node-abi` from 3.87.0 to 3.89.0
- [Release notes](https://github.com/electron/node-abi/releases)
- [Commits](electron/node-abi@v3.87.0...v3.89.0)

Updates `path-to-regexp` from 8.3.0 to 8.4.0
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v8.3.0...v8.4.0)

Updates `proxy-from-env` from 1.1.0 to 2.1.0
- [Release notes](https://github.com/Rob--W/proxy-from-env/releases)
- [Commits](Rob--W/proxy-from-env@v1.1.0...v2.1.0)

Updates `pump` from 3.0.3 to 3.0.4
- [Commits](mafintosh/pump@v3.0.3...v3.0.4)

Updates `sql.js` from 1.14.0 to 1.14.1
- [Release notes](https://github.com/sql-js/sql.js/releases)
- [Commits](sql-js/sql.js@v1.14.0...v1.14.1)

Updates `streamx` from 2.23.0 to 2.25.0
- [Commits](mafintosh/streamx@v2.23.0...v2.25.0)

Updates `strtok3` from 10.3.4 to 10.3.5
- [Release notes](https://github.com/Borewit/strtok3/releases)
- [Commits](Borewit/strtok3@v10.3.4...v10.3.5)

Updates `undici` from 7.22.0 to 7.24.6
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.22.0...v7.24.6)

Updates `ws` from 8.19.0 to 8.20.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.20.0)

Updates `yaml` from 2.8.2 to 2.8.3
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.2...v2.8.3)

Updates `zod-to-json-schema` from 3.25.1 to 3.25.2
- [Release notes](https://github.com/StefanTerdell/zod-to-json-schema/releases)
- [Changelog](https://github.com/StefanTerdell/zod-to-json-schema/blob/master/changelog.md)
- [Commits](https://github.com/StefanTerdell/zod-to-json-schema/commits)

---
updated-dependencies:
- dependency-name: cosmiconfig
  dependency-version: 9.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: handlebars
  dependency-version: 4.7.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@anthropic-ai/claude-code"
  dependency-version: 2.1.87
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@babel/runtime"
  dependency-version: 7.29.2
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@borewit/text-codec"
  dependency-version: 0.2.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@google/genai"
  dependency-version: 1.47.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.12
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.28.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@supabase/supabase-js"
  dependency-version: 2.100.1
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: fastmcp
  dependency-version: 3.34.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: xsschema
  dependency-version: 0.4.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: jose
  dependency-version: 6.1.3
  dependency-type: indirect
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: axios
  dependency-version: 1.14.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: bare-fs
  dependency-version: 4.5.6
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: bare-os
  dependency-version: 3.8.4
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: bare-stream
  dependency-version: 2.11.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: bare-url
  dependency-version: 2.4.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: express-rate-limit
  dependency-version: 8.3.1
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: figlet
  dependency-version: 1.11.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: file-type
  dependency-version: 21.3.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: fs-extra
  dependency-version: 11.3.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: gaxios
  dependency-version: 7.1.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: jackspeak
  dependency-version: 4.2.3
  dependency-type: indirect
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: lru-cache
  dependency-version: 11.2.6
  dependency-type: indirect
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: path-scurry
  dependency-version: 2.0.2
  dependency-type: indirect
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: google-auth-library
  dependency-version: 10.6.2
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: hono
  dependency-version: 4.12.9
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: ip-address
  dependency-version: 10.1.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: koa
  dependency-version: 3.2.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: mcp-proxy
  dependency-version: 6.4.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: nan
  dependency-version: 2.26.2
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: node-abi
  dependency-version: 3.89.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: path-to-regexp
  dependency-version: 8.4.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: proxy-from-env
  dependency-version: 2.1.0
  dependency-type: indirect
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: pump
  dependency-version: 3.0.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: sql.js
  dependency-version: 1.14.1
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: streamx
  dependency-version: 2.25.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: strtok3
  dependency-version: 10.3.5
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: undici
  dependency-version: 7.24.6
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: ws
  dependency-version: 8.20.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: yaml
  dependency-version: 2.8.3
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: zod-to-json-schema
  dependency-version: 3.25.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Mar 30, 2026

Assignees

The following users could not be added as assignees: llm-dev-ops/maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions

🔒 Security Scan Results

| Scan Type | Status |
|---|---|
| Dependency Scan | ⚠️ failure |
| CodeQL Analysis | ✅ success |
| Secret Scan | ✅ success |
| License Check | ⚠️ failure |
| SAST | ⚠️ failure |

⚠️ Some security scans have warnings or failed. Please review the details.


Automated security scanning by GitHub Actions


dependabot Bot commented on behalf of github Apr 6, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 6, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/production-dependencies-f979135f3d branch April 6, 2026 09:25