chore(deps)(deps): bump the production-dependencies group across 1 directory with 44 updates

[dependabot]

Bumps the production-dependencies group with 36 updates in the / directory:

Package	From	To
cosmiconfig	9.0.0	9.0.1
handlebars	4.7.8	4.7.9
@anthropic-ai/claude-code	2.1.50	2.1.92
@babel/runtime	7.28.6	7.29.2
@borewit/text-codec	0.2.1	0.2.2
@google/genai	1.42.0	1.48.0
@hono/node-server	1.19.9	1.19.12
@modelcontextprotocol/sdk	1.26.0	1.29.0
@supabase/supabase-js	2.97.0	2.101.1
fastmcp	3.33.0	3.35.0
axios	1.13.5	1.14.0
bare-fs	4.5.4	4.6.0
bare-os	3.6.2	3.8.7
bare-stream	2.8.0	2.12.0
bare-url	2.3.2	2.4.0
express-rate-limit	8.2.1	8.3.2
figlet	1.10.0	1.11.0
file-type	21.3.0	21.3.4
fs-extra	11.3.3	11.3.4
fuse.js	7.1.0	7.3.0
gaxios	7.1.3	7.1.4
google-auth-library	10.5.0	10.6.2
hono	4.12.1	4.12.11
koa	3.1.1	3.2.0
mcp-proxy	6.4.0	6.4.4
nan	2.25.0	2.26.2
node-abi	3.87.0	3.89.0
path-to-regexp	8.3.0	8.4.2
pump	3.0.3	3.0.4
sql.js	1.14.0	1.14.1
strtok3	10.3.4	10.3.5
undici	7.22.0	7.24.7
validator	13.15.26	13.15.35
ws	8.19.0	8.20.0
yaml	2.8.2	2.8.3
zod-to-json-schema	3.25.1	3.25.2

Updates cosmiconfig from 9.0.0 to 9.0.1

Changelog

Sourced from cosmiconfig's changelog.

9.0.1

• Fixed a race condition where multiple instances existing simultaneously could cause cosmiconfig to fail to load TypeScript config files.
• Fixed an issue on Windows where CWD being a short path (e.g. C:\Users\USERNA~1) would cause cosmiconfig to fail to load ESM config files.

Commits

• 9a5cda3 9.0.1
• 2174017 update changelog
• 536d4a0 Prevent race conditions when running multiple instances of cosmiconfig and ...
• 4b48611 remove debug log
• 53d1745 remove more EOL node versions
• 7c1a1e3 replace resolve with realpath
• fcc9084 add additional path.resolve for windows short paths
• 7e995c8 debug
• 52b6b1c drop node 14 build as it seems to fail for unreachable reasons
• db45e38 fix tests on windows (3)
• Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates @anthropic-ai/claude-code from 2.1.50 to 2.1.92

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.92

What's changed

• Added forceRemoteSettingsRefresh policy setting: when set, the CLI blocks startup until remote managed settings are freshly fetched, and exits if the fetch fails (fail-closed)
• Added interactive Bedrock setup wizard accessible from the login screen when selecting "3rd-party platform" — guides you through AWS authentication, region configuration, credential verification, and model pinning
• Added per-model and cache-hit breakdown to /cost for subscription users
• /release-notes is now an interactive version picker
• Remote Control session names now use your hostname as the default prefix (e.g. myhost-graceful-unicorn), overridable with --remote-control-session-name-prefix
• Pro users now see a footer hint when returning to a session after the prompt cache has expired, showing roughly how many tokens the next turn will send uncached
• Fixed subagent spawning permanently failing with "Could not determine pane count" after tmux windows are killed or renumbered during a long-running session
• Fixed prompt-type Stop hooks incorrectly failing when the small fast model returns ok:false, and restored preventContinuation:true semantics for non-Stop prompt-type hooks
• Fixed tool input validation failures when streaming emits array/object fields as JSON-encoded strings
• Fixed an API 400 error that could occur when extended thinking produced a whitespace-only text block alongside real content
• Fixed accidental feedback survey submissions from auto-pilot keypresses and consecutive-prompt digit collisions
• Fixed misleading "esc to interrupt" hint appearing alongside "esc to clear" when a text selection exists in fullscreen mode during processing
• Fixed Homebrew install update prompts to use the cask's release channel (claude-code → stable, claude-code@latest → latest)
• Fixed ctrl+e jumping to the end of the next line when already at end of line in multiline prompts
• Fixed an issue where the same message could appear at two positions when scrolling up in fullscreen mode (iTerm2, Ghostty, and other terminals with DEC 2026 support)
• Fixed idle-return "/clear to save X tokens" hint showing cumulative session tokens instead of current context size
• Fixed plugin MCP servers stuck "connecting" on session start when they duplicate a claude.ai connector that is unauthenticated
• Improved Write tool diff computation speed for large files (60% faster on files with tabs/&/$)
• Removed /tag command
• Removed /vim command (toggle vim mode via /config → Editor mode)
• Linux sandbox now ships the apply-seccomp helper in both npm and native builds, restoring unix-socket blocking for sandboxed commands

v2.1.91

What's changed

• Added MCP tool result persistence override via _meta["anthropic/maxResultSizeChars"] annotation (up to 500K), allowing larger results like DB schemas to pass through without truncation
• Added disableSkillShellExecution setting to disable inline shell execution in skills, custom slash commands, and plugin commands
• Added support for multi-line prompts in claude-cli://open?q= deep links (encoded newlines %0A no longer rejected)
• Plugins can now ship executables under bin/ and invoke them as bare commands from the Bash tool
• Fixed transcript chain breaks on --resume that could lose conversation history when async transcript writes fail silently
• Fixed cmd+delete not deleting to start of line on iTerm2, kitty, WezTerm, Ghostty, and Windows Terminal
• Fixed plan mode in remote sessions losing track of the plan file after a container restart, which caused permission prompts on plan edits and an empty plan-approval modal
• Fixed JSON schema validation for permissions.defaultMode: "auto" in settings.json
• Fixed Windows version cleanup not protecting the active version's rollback copy
• /feedback now explains why it's unavailable instead of disappearing from the slash menu
• Improved /claude-api skill guidance for agent design patterns including tool surface decisions, context management, and caching strategy
• Improved performance: faster stripAnsi on Bun by routing through Bun.stripANSI
• Edit tool now uses shorter old_string anchors, reducing output tokens

v2.1.90

What's changed

• Added /powerup — interactive lessons teaching Claude Code features with animated demos
• Added CLAUDE_CODE_PLUGIN_KEEP_MARKETPLACE_ON_FAILURE env var to keep the existing marketplace cache when git pull fails, useful in offline environments
• Added .husky to protected directories (acceptEdits mode)
• Fixed an infinite loop where the rate-limit options dialog would repeatedly auto-open after hitting your usage limit, eventually crashing the session
• Fixed --resume causing a full prompt-cache miss on the first request for users with deferred tools, MCP servers, or custom agents (regression since v2.1.69)

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.92

• Added forceRemoteSettingsRefresh policy setting: when set, the CLI blocks startup until remote managed settings are freshly fetched, and exits if the fetch fails (fail-closed)
• Added interactive Bedrock setup wizard accessible from the login screen when selecting "3rd-party platform" — guides you through AWS authentication, region configuration, credential verification, and model pinning
• Added per-model and cache-hit breakdown to /cost for subscription users
• /release-notes is now an interactive version picker
• Remote Control session names now use your hostname as the default prefix (e.g. myhost-graceful-unicorn), overridable with --remote-control-session-name-prefix
• Pro users now see a footer hint when returning to a session after the prompt cache has expired, showing roughly how many tokens the next turn will send uncached
• Fixed subagent spawning permanently failing with "Could not determine pane count" after tmux windows are killed or renumbered during a long-running session
• Fixed prompt-type Stop hooks incorrectly failing when the small fast model returns ok:false, and restored preventContinuation:true semantics for non-Stop prompt-type hooks
• Fixed tool input validation failures when streaming emits array/object fields as JSON-encoded strings
• Fixed an API 400 error that could occur when extended thinking produced a whitespace-only text block alongside real content
• Fixed accidental feedback survey submissions from auto-pilot keypresses and consecutive-prompt digit collisions
• Fixed misleading "esc to interrupt" hint appearing alongside "esc to clear" when a text selection exists in fullscreen mode during processing
• Fixed Homebrew install update prompts to use the cask's release channel (claude-code → stable, claude-code@latest → latest)
• Fixed ctrl+e jumping to the end of the next line when already at end of line in multiline prompts
• Fixed an issue where the same message could appear at two positions when scrolling up in fullscreen mode (iTerm2, Ghostty, and other terminals with DEC 2026 support)
• Fixed idle-return "/clear to save X tokens" hint showing cumulative session tokens instead of current context size
• Fixed plugin MCP servers stuck "connecting" on session start when they duplicate a claude.ai connector that is unauthenticated
• Improved Write tool diff computation speed for large files (60% faster on files with tabs/&/$)
• Removed /tag command
• Removed /vim command (toggle vim mode via /config → Editor mode)
• Linux sandbox now ships the apply-seccomp helper in both npm and native builds, restoring unix-socket blocking for sandboxed commands

2.1.91

• Added MCP tool result persistence override via _meta["anthropic/maxResultSizeChars"] annotation (up to 500K), allowing larger results like DB schemas to pass through without truncation
• Added disableSkillShellExecution setting to disable inline shell execution in skills, custom slash commands, and plugin commands
• Added support for multi-line prompts in claude-cli://open?q= deep links (encoded newlines %0A no longer rejected)
• Plugins can now ship executables under bin/ and invoke them as bare commands from the Bash tool
• Fixed transcript chain breaks on --resume that could lose conversation history when async transcript writes fail silently
• Fixed cmd+delete not deleting to start of line on iTerm2, kitty, WezTerm, Ghostty, and Windows Terminal
• Fixed plan mode in remote sessions losing track of the plan file after a container restart, which caused permission prompts on plan edits and an empty plan-approval modal
• Fixed JSON schema validation for permissions.defaultMode: "auto" in settings.json
• Fixed Windows version cleanup not protecting the active version's rollback copy
• /feedback now explains why it's unavailable instead of disappearing from the slash menu
• Improved /claude-api skill guidance for agent design patterns including tool surface decisions, context management, and caching strategy
• Improved performance: faster stripAnsi on Bun by routing through Bun.stripANSI
• Edit tool now uses shorter old_string anchors, reducing output tokens

2.1.90

• Added /powerup — interactive lessons teaching Claude Code features with animated demos
• Added CLAUDE_CODE_PLUGIN_KEEP_MARKETPLACE_ON_FAILURE env var to keep the existing marketplace cache when git pull fails, useful in offline environments
• Added .husky to protected directories (acceptEdits mode)
• Fixed an infinite loop where the rate-limit options dialog would repeatedly auto-open after hitting your usage limit, eventually crashing the session
• Fixed --resume causing a full prompt-cache miss on the first request for users with deferred tools, MCP servers, or custom agents (regression since v2.1.69)
• Fixed Edit/Write failing with "File content has changed" when a PostToolUse format-on-save hook rewrites the file between consecutive edits
• Fixed PreToolUse hooks that emit JSON to stdout and exit with code 2 not correctly blocking the tool call
• Fixed collapsed search/read summary badge appearing multiple times in fullscreen scrollback when a CLAUDE.md file auto-loads during a tool call

... (truncated)

Commits

• b543a25 chore: Update CHANGELOG.md
• 1e03cc7 chore: Update CHANGELOG.md
• a50a919 chore: Update CHANGELOG.md
• b4fa5f8 chore: Update CHANGELOG.md
• 66ab4ae chore: Update CHANGELOG.md
• 4411cba Read issue number from workflow event in helper scripts (#40969)
• 2d5c1ba chore: Update CHANGELOG.md
• 78a44f1 chore: Update CHANGELOG.md
• 2923bc8 chore: Update CHANGELOG.md
• f75b613 chore: Update CHANGELOG.md
• Additional commits viewable in compare view

Updates @babel/runtime from 7.28.6 to 7.29.2

Release notes

Sourced from @​babel/runtime's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

... (truncated)

Commits

• 37d5595 v7.29.2
• See full diff in compare view

Updates @borewit/text-codec from 0.2.1 to 0.2.2

Release notes

Sourced from @​borewit/text-codec's releases.

v0.2.2

Changes

🐛 Bug Fixes

• fix: improve encoding correctness and update README @​Borewit (#36)

NPM release

NPM release: @​borewit/text-codec@​0.2.2

Commits

• c2ce9c5 0.2.2
• e2f0705 Merge pull request #23 from Borewit/dependabot/npm_and_yarn/master/chai-6.2.2
• 5e58cb8 Bump chai from 5.2.1 to 6.2.2
• bc315b8 Merge pull request #37 from Borewit/update-biome
• f32adfc Update biome to 2.4.6
• 7776373 Merge pull request #36 from Borewit/fix-most-issue-exodus
• 068d7d4 fix: improve encoding correctness and update README
• See full diff in compare view

Updates @google/genai from 1.42.0 to 1.48.0

Release notes

Sourced from @​google/genai's releases.

v1.48.0

1.48.0 (2026-03-31)

Features

• Support dedicated TextAnnotationDelta for streaming tool responses (89552ba)

Bug Fixes

• Fix service_tier enums. (9bdc2ae)

v1.47.0

1.47.0 (2026-03-27)

Features

• Add custom_metadata to FileSearchResult. (083a1e3)
• Add labels field to Veo configs (930c9c3)
• Add mime type for Audio content (1ad80c6)
• Add model_status to GenerateContentResponse (Gemini API only) (5e1110d)
• Add part_metadata in Part (Gemini API only) (5e1110d)
• Add service tier for interactions. (406de38)
• Add service tier to GenerateContent. (0bfe800)
• Add support for more image and audio MIME types in Interactions content (baadbfd)
• Add supported models to the ModelOptions (94642b6)
• genai: add TURN_INCLUDES_AUDIO_ACTIVITY_AND_ALL_VIDEO to TurnCoverage (fdacac2)
• support hyperparameters in distillation tuning (716e021)
• Support rendered_parts in GroundingSupport (5e1110d)

Bug Fixes

• support us region routing (d391cff)

v1.46.0

1.46.0 (2026-03-17)

Breaking changes

• [Interactions] Breaking change to Interactions API to refactor TextContent annotations to use specific citation types (9fa8b1d)
• [Interactions] Breaking change for Interactions, rename ContentDelta unions. (917f24f)
• [Interactions] Breaking change to Interactions API to rename rendered_content to search_suggestions (cc6bd38)

Features

• [Interactions] Add and update 'signature' fields for tool call/result content types. (e73ca5b)

... (truncated)

Changelog

Sourced from @​google/genai's changelog.

1.48.0 (2026-03-31)

Features

• Support dedicated TextAnnotationDelta for streaming tool responses (89552ba)

Bug Fixes

• Fix service_tier enums. (9bdc2ae)

1.47.0 (2026-03-27)

Features

• Add custom_metadata to FileSearchResult. (083a1e3)
• Add labels field to Veo configs (930c9c3)
• Add mime type for Audio content (1ad80c6)
• Add model_status to GenerateContentResponse (Gemini API only) (5e1110d)
• Add part_metadata in Part (Gemini API only) (5e1110d)
• Add service tier for interactions. (406de38)
• Add service tier to GenerateContent. (0bfe800)
• Add support for more image and audio MIME types in Interactions content (baadbfd)
• Add supported models to the ModelOptions (94642b6)
• genai: add TURN_INCLUDES_AUDIO_ACTIVITY_AND_ALL_VIDEO to TurnCoverage (fdacac2)
• support hyperparameters in distillation tuning (716e021)
• Support rendered_parts in GroundingSupport (5e1110d)

Bug Fixes

• support us region routing (d391cff)

1.46.0 (2026-03-17)

Breaking changes

• [Interactions] Breaking change to Interactions API to refactor TextContent annotations to use specific citation types (9fa8b1d)
• [Interactions] Breaking change for Interactions, rename ContentDelta unions. (917f24f)
• [Interactions] Breaking change to Interactions API to rename rendered_content to search_suggestions (cc6bd38)

Features

• [Interactions] Add and update 'signature' fields for tool call/result content types. (e73ca5b)
• [Interactions] Support Google Maps in Interactions (d0593e3)
• Support include_server_side_tool_invocations for genai. (c627d6f)

... (truncated)

Commits

• ef91dab chore(main): release 1.48.0 (#1454)
• 9bdc2ae fix: Fix service_tier enums.
• 89552ba feat: Support dedicated TextAnnotationDelta for streaming tool responses
• 585c177 chore(main): release 1.47.0 (#1423)
• 0bfe800 feat: Add service tier to GenerateContent.
• 406de38 feat: Add service tier for interactions.
• 716e021 feat: support hyperparameters in distillation tuning
• 8f3373e chore: Remove TYPE_JPG from ImageContent.MimeType enums
• 94642b6 feat: Add supported models to the ModelOptions
• fbe5ad2 chore: update comments
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.12

Release notes

Sourced from @​hono/node-server's releases.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• 58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
• b1daa4c docs(readme): add @​usualoma as an author (#300)
• See full diff in compare view

Updates @modelcontextprotocol/sdk from 1.26.0 to 1.29.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @​felixweinberger in modelcontextprotocol/typescript-sdk#1749
• [v1.x] fix: disallow null (infinite) requested TTL by @​LucaButBoring in modelcontextprotocol/typescript-sdk#1339
• [v1.x] fix: add missing size field to ResourceSchema by @​olaservo in modelcontextprotocol/typescript-sdk#1575
• Add typings exports by @​tdraier in modelcontextprotocol/typescript-sdk#1623
• v1.x npm audit fix by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1780
• v1.x #1623 follow up -add missing types to package.json by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @​localden in modelcontextprotocol/typescript-sdk#1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @​jnMetaCode in modelcontextprotocol/typescript-sdk#1640
• chore: bump version to 1.29.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1820

New Contributors

• @​tdraier made their first contribution in modelcontextprotocol/typescript-sdk#1623
• @​jnMetaCode made their first contribution in modelcontextprotocol/typescript-sdk#1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #580) by @​antogyn in modelcontextprotocol/typescript-sdk#757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in modelcontextprotocol/typescript-sdk#1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in modelcontextprotocol/typescript-sdk#1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in modelcontextprotocol/typescript-sdk#1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in modelcontextprotocol/typescript-sdk#1738
• chore: bump version to 1.28.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1746

New Contributors

• @​antogyn made their first contribution in modelcontextprotocol/typescript-sdk#757
• @​tiluckdave made their first contribution in modelcontextprotocol/typescript-sdk#1596
• @​poteat made their first contribution in modelcontextprotocol/typescript-sdk#1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

What's Changed

• feat: implement auth/pre-registration conformance scenario by @​felixweinberger in modelcontextprotocol/typescript-sdk#1545
• docs: add governance documentation for SEP-1730 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1547
• docs: comprehensive feature documentation for SEP-1730 Tier 1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1548
• fix: prevent command injection in example URL opening (v1.x backport) by @​maxisbey in modelcontextprotocol/typescript-sdk#1579
• fix: call onerror for silently swallowed transport errors by @​qing-ant in modelcontextprotocol/typescript-sdk#1580
• chore: bump version to 1.27.1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1581

New Contributors

• @​qing-ant made their first contribution in modelcontextprotocol/typescript-sdk#1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

... (truncated)

Commits

• e12cbd7 chore: bump version to 1.29.0 (#1820)
• 3913fd4 fix(stdio): always set windowsHide on Windows, not just in Electron (#1640)
• 5608e78 [v1.x backport] Allow servers / clients to advertise extensions in the capabi...
• 7213816 v1.x #1623 follow up -add missing types to package.json (#1773)
• 364f38c v1.x npm audit fix (#1780)
• c95cc09 Add typings exports (#1623)
• ddadaa6 [v1.x] fix: add missing size field to ResourceSchema (#1575)
• 2a15851 [v1.x] fix: disallow null (infinite) requested TTL (#1339)
• 13e30f1 fix: treat v1.x as primary branch for npm latest tag (backport #1577) (#1749)
• a056569 chore: bump version to 1.28.0 (#1746)
• Additional commits viewable in compare view

Updates @supabase/supabase-js from 2.97.0 to 2.101.1

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.101.1

2.101.1 (2026-03-31)

🩹 Fixes

• storage: support exactOptionalPropertyTypes (#2200)

❤️ Thank You

• Vaibhav @​7ttp

v2.101.1-canary.0

2.101.1-canary.0 (2026-03-31)

🩹 Fixes

• storage: support exactOptionalPropertyTypes (#2200)

❤️ Thank You

• Vaibhav @​7ttp

v2.101.0

2.101.0 (2026-03-30)

🚀 Features

• realtime: add copyBindings functionality (#2197)
• realtime: block setting postgres_changes event listener after joining (#2201)

❤️ Thank You

• Dominik Pilipczuk @​snickerdoodle2

v2.101.0-canary.0

2.101.0-canary.0 (2026-03-30)

This was a version bump only, there were no code changes.

v2.100.1

2.100.1 (2026-03-26)

🩹 Fixes

• postgrest: add type safety for eq() and neq() column names (#2175)
• postgrest: fix maybeSingle for all request methods by removing Accept header override (#2182)
• postgrest: narrow tstyche testFileMatch to only type test files (#2193)
• postgrest: prevent Args: never functions from being classified as computed fields (#2195)
• storage: spread all DEFAULT_FILE_OPTIONS in uploadToSignedUrl (#2194)

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.101.1 (2026-03-31)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.101.0 (2026-03-30)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.100.1 (2026-03-26)

🩹 Fixes

• postgrest: narrow tstyche testFileMatch to only type test files (#2193)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.100.0 (2026-03-23)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.2 (2026-03-16)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.1 (2026-03-11)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.0 (2026-03-09)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.98.0 (2026-02-26)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

Commits

• 79d1a08 chore(release): version 2.101.0 changelogs (#2203)
• 5053334 chore(release): version 2.100.1 changelogs (#2196)
• cd6335e docs(repo): enrich docs comment for remaining packages (#2165)
• 9f487bd fix(postgrest): narrow tstyche testFileMatch to only type test files (#2193)
• 379ce05 chore(release): version 2.100.0 changelogs (#2185)
• bc435b3 chore(release): version 2.99.2 changelogs (#2168)
• b85174f chore(release): version 2.99.1 changelogs (Description has been truncated

[dependabot]

Assignees

The following users could not be added as assignees: llm-dev-ops/maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔒 Security Scan Results

Scan Type	Status
Dependency Scan	⚠️ failure
CodeQL Analysis	✅ success
Secret Scan	✅ success
License Check	⚠️ failure
SAST	⚠️ failure

⚠️ Some security scans have warnings or failed. Please review the details.

---

Automated security scanning by GitHub Actions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.