chore(deps)(deps): bump the production-dependencies group across 1 directory with 50 updates

[dependabot]

Bumps the production-dependencies group with 42 updates in the / directory:

Package	From	To
cosmiconfig	9.0.0	9.0.1
handlebars	4.7.8	4.7.9
@anthropic-ai/claude-code	2.1.50	2.1.114
@babel/runtime	7.28.6	7.29.2
@borewit/text-codec	0.2.1	0.2.2
@google/genai	1.42.0	1.50.1
@hono/node-server	1.19.9	1.19.14
@modelcontextprotocol/sdk	1.26.0	1.29.0
@supabase/supabase-js	2.97.0	2.103.3
fastmcp	3.33.0	3.35.0
axios	1.13.5	1.15.1
bare-fs	4.5.4	4.7.1
bare-os	3.6.2	3.8.7
bare-stream	2.8.0	2.13.0
bare-url	2.3.2	2.4.1
eventsource-parser	3.0.6	3.0.8
express-rate-limit	8.2.1	8.3.2
figlet	1.10.0	1.11.0
file-type	21.3.0	21.3.4
follow-redirects	1.15.11	1.16.0
fs-extra	11.3.3	11.3.4
fuse.js	7.1.0	7.3.0
gaxios	7.1.3	7.1.4
google-auth-library	10.5.0	10.6.2
hasown	2.0.2	2.0.3
hono	4.12.1	4.12.14
koa	3.1.1	3.2.0
mcp-proxy	6.4.0	6.4.6
nan	2.25.0	2.26.2
node-abi	3.87.0	3.89.0
protobufjs	6.11.4	6.11.5
path-to-regexp	8.3.0	8.4.2
pump	3.0.3	3.0.4
qs	6.15.0	6.15.1
side-channel-list	1.0.0	1.0.1
sql.js	1.14.0	1.14.1
strtok3	10.3.4	10.3.5
undici	7.22.0	7.25.0
validator	13.15.26	13.15.35
ws	8.19.0	8.20.0
yaml	2.8.2	2.8.3
zod-to-json-schema	3.25.1	3.25.2

Updates cosmiconfig from 9.0.0 to 9.0.1

Changelog

Sourced from cosmiconfig's changelog.

9.0.1

• Fixed a race condition where multiple instances existing simultaneously could cause cosmiconfig to fail to load TypeScript config files.
• Fixed an issue on Windows where CWD being a short path (e.g. C:\Users\USERNA~1) would cause cosmiconfig to fail to load ESM config files.

Commits

• 9a5cda3 9.0.1
• 2174017 update changelog
• 536d4a0 Prevent race conditions when running multiple instances of cosmiconfig and ...
• 4b48611 remove debug log
• 53d1745 remove more EOL node versions
• 7c1a1e3 replace resolve with realpath
• fcc9084 add additional path.resolve for windows short paths
• 7e995c8 debug
• 52b6b1c drop node 14 build as it seems to fail for unreachable reasons
• db45e38 fix tests on windows (3)
• Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates @anthropic-ai/claude-code from 2.1.50 to 2.1.114

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.114

What's changed

• Fixed a crash in the permission dialog when an agent teams teammate requested tool permission

v2.1.113

What's changed

• Changed the CLI to spawn a native Claude Code binary (via a per-platform optional dependency) instead of bundled JavaScript
• Added sandbox.network.deniedDomains setting to block specific domains even when a broader allowedDomains wildcard would otherwise permit them
• Fullscreen mode: Shift+↑/↓ now scrolls the viewport when extending a selection past the visible edge
• Ctrl+A and Ctrl+E now move to the start/end of the current logical line in multiline input, matching readline behavior
• Windows: Ctrl+Backspace now deletes the previous word
• Long URLs in responses and bash output stay clickable when they wrap across lines (in terminals with OSC 8 hyperlinks)
• Improved /loop: pressing Esc now cancels pending wakeups, and wakeups display as "Claude resuming /loop wakeup" for clarity
• /extra-usage now works from Remote Control (mobile/web) clients
• Remote Control clients can now query @-file autocomplete suggestions
• Improved /ultrareview: faster launch with parallelized checks, diffstat in the launch dialog, and animated launching state
• Subagents that stall mid-stream now fail with a clear error after 10 minutes instead of hanging silently
• Bash tool: multi-line commands whose first line is a comment now show the full command in the transcript, closing a UI-spoofing vector
• Running cd <current-directory> && git … no longer triggers a permission prompt when the cd is a no-op
• Security: on macOS, /private/{etc,var,tmp,home} paths are now treated as dangerous removal targets under Bash(rm:*) allow rules
• Security: Bash deny rules now match commands wrapped in env/sudo/watch/ionice/setsid and similar exec wrappers
• Security: Bash(find:*) allow rules no longer auto-approve find -exec/-delete
• Fixed MCP concurrent-call timeout handling where a message for one tool call could silently disarm another call's watchdog
• Fixed Cmd-backspace / Ctrl+U to once again delete from the cursor to the start of the line
• Fixed markdown tables breaking when a cell contains an inline code span with a pipe character
• Fixed session recap auto-firing while composing unsent text in the prompt
• Fixed /copy "Full response" not aligning markdown table columns for pasting into GitHub, Notion, or Slack
• Fixed messages typed while viewing a running subagent being hidden from its transcript and misattributed to the parent AI
• Fixed Bash dangerouslyDisableSandbox running commands outside the sandbox without a permission prompt
• Fixed /effort auto confirmation — now says "Effort level set to max" to match the status bar label
• Fixed the "copied N chars" toast overcounting emoji and other multi-code-unit characters
• Fixed /insights crashing with EBUSY on Windows
• Fixed exit confirmation dialog mislabeling one-shot scheduled tasks as recurring — now shows a countdown
• Fixed slash/@ completion menu not sitting flush against the prompt border in fullscreen mode
• Fixed CLAUDE_CODE_EXTRA_BODY output_config.effort causing 400 errors on subagent calls to models that don't support effort and on Vertex AI
• Fixed prompt cursor disappearing when NO_COLOR is set
• Fixed ToolSearch ranking so pasted MCP tool names surface the actual tool instead of description-matching siblings
• Fixed compacting a resumed long-context session failing with "Extra usage is required for long context requests"
• Fixed plugin install succeeding when a dependency version conflicts with an already-installed plugin — now reports range-conflict
• Fixed "Refine with Ultraplan" not showing the remote session URL in the transcript
• Fixed SDK image content blocks that fail to process crashing the session — now degrade to a text placeholder
• Fixed Remote Control sessions not streaming subagent transcripts
• Fixed Remote Control sessions not being archived when Claude Code exits
• Fixed thinking.type.enabled is not supported 400 error when using Opus 4.7 via a Bedrock Application Inference Profile ARN

v2.1.112

What's changed

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.114

• Fixed a crash in the permission dialog when an agent teams teammate requested tool permission

2.1.113

• Changed the CLI to spawn a native Claude Code binary (via a per-platform optional dependency) instead of bundled JavaScript
• Added sandbox.network.deniedDomains setting to block specific domains even when a broader allowedDomains wildcard would otherwise permit them
• Fullscreen mode: Shift+↑/↓ now scrolls the viewport when extending a selection past the visible edge
• Ctrl+A and Ctrl+E now move to the start/end of the current logical line in multiline input, matching readline behavior
• Windows: Ctrl+Backspace now deletes the previous word
• Long URLs in responses and bash output stay clickable when they wrap across lines (in terminals with OSC 8 hyperlinks)
• Improved /loop: pressing Esc now cancels pending wakeups, and wakeups display as "Claude resuming /loop wakeup" for clarity
• /extra-usage now works from Remote Control (mobile/web) clients
• Remote Control clients can now query @-file autocomplete suggestions
• Improved /ultrareview: faster launch with parallelized checks, diffstat in the launch dialog, and animated launching state
• Subagents that stall mid-stream now fail with a clear error after 10 minutes instead of hanging silently
• Bash tool: multi-line commands whose first line is a comment now show the full command in the transcript, closing a UI-spoofing vector
• Running cd <current-directory> && git … no longer triggers a permission prompt when the cd is a no-op
• Security: on macOS, /private/{etc,var,tmp,home} paths are now treated as dangerous removal targets under Bash(rm:*) allow rules
• Security: Bash deny rules now match commands wrapped in env/sudo/watch/ionice/setsid and similar exec wrappers
• Security: Bash(find:*) allow rules no longer auto-approve find -exec/-delete
• Fixed MCP concurrent-call timeout handling where a message for one tool call could silently disarm another call's watchdog
• Fixed Cmd-backspace / Ctrl+U to once again delete from the cursor to the start of the line
• Fixed markdown tables breaking when a cell contains an inline code span with a pipe character
• Fixed session recap auto-firing while composing unsent text in the prompt
• Fixed /copy "Full response" not aligning markdown table columns for pasting into GitHub, Notion, or Slack
• Fixed messages typed while viewing a running subagent being hidden from its transcript and misattributed to the parent AI
• Fixed Bash dangerouslyDisableSandbox running commands outside the sandbox without a permission prompt
• Fixed /effort auto confirmation — now says "Effort level set to max" to match the status bar label
• Fixed the "copied N chars" toast overcounting emoji and other multi-code-unit characters
• Fixed /insights crashing with EBUSY on Windows
• Fixed exit confirmation dialog mislabeling one-shot scheduled tasks as recurring — now shows a countdown
• Fixed slash/@ completion menu not sitting flush against the prompt border in fullscreen mode
• Fixed CLAUDE_CODE_EXTRA_BODY output_config.effort causing 400 errors on subagent calls to models that don't support effort and on Vertex AI
• Fixed prompt cursor disappearing when NO_COLOR is set
• Fixed ToolSearch ranking so pasted MCP tool names surface the actual tool instead of description-matching siblings
• Fixed compacting a resumed long-context session failing with "Extra usage is required for long context requests"
• Fixed plugin install succeeding when a dependency version conflicts with an already-installed plugin — now reports range-conflict
• Fixed "Refine with Ultraplan" not showing the remote session URL in the transcript
• Fixed SDK image content blocks that fail to process crashing the session — now degrade to a text placeholder
• Fixed Remote Control sessions not streaming subagent transcripts
• Fixed Remote Control sessions not being archived when Claude Code exits
• Fixed thinking.type.enabled is not supported 400 error when using Opus 4.7 via a Bedrock Application Inference Profile ARN

2.1.112

• Fixed "claude-opus-4-7 is temporarily unavailable" for auto mode

2.1.111

... (truncated)

Commits

• 0385848 chore: Update CHANGELOG.md
• 71366ec chore: Update CHANGELOG.md
• 2b53fac chore: Update CHANGELOG.md
• bf77ee6 chore: Update CHANGELOG.md
• 5a7bf28 chore: Update CHANGELOG.md
• 4fb8aa4 chore: Update CHANGELOG.md
• 45ae2f5 chore: Update CHANGELOG.md
• f348a16 chore: Update CHANGELOG.md
• 5c18c78 chore: Update CHANGELOG.md
• 194736a chore: Update CHANGELOG.md
• Additional commits viewable in compare view

Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.

Updates @babel/runtime from 7.28.6 to 7.29.2

Release notes

Sourced from @​babel/runtime's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

... (truncated)

Commits

• 37d5595 v7.29.2
• See full diff in compare view

Updates @borewit/text-codec from 0.2.1 to 0.2.2

Release notes

Sourced from @​borewit/text-codec's releases.

v0.2.2

Changes

🐛 Bug Fixes

• fix: improve encoding correctness and update README @​Borewit (#36)

NPM release

NPM release: @​borewit/text-codec@​0.2.2

Commits

• c2ce9c5 0.2.2
• e2f0705 Merge pull request #23 from Borewit/dependabot/npm_and_yarn/master/chai-6.2.2
• 5e58cb8 Bump chai from 5.2.1 to 6.2.2
• bc315b8 Merge pull request #37 from Borewit/update-biome
• f32adfc Update biome to 2.4.6
• 7776373 Merge pull request #36 from Borewit/fix-most-issue-exodus
• 068d7d4 fix: improve encoding correctness and update README
• See full diff in compare view

Updates @google/genai from 1.42.0 to 1.50.1

Release notes

Sourced from @​google/genai's releases.

v1.50.1

1.50.1 (2026-04-14)

Bug Fixes

• Refactor Webhook types in GenAI SDKs for easier useage (5100abc)
• Rename webhooks.retrieve to webhooks.get. (db6e771)

v1.50.0

1.50.0 (2026-04-13)

[!CAUTION] CRITICAL WARNING: Do not use this version if you are implementing or relying on webhooks. This release contains known issues regarding webhook sdk. Please use v1.50.1 or later.

Features

• Add "eu" as a supported service location for Vertex AI platform. (2493f9c)
• Add DeepResearchAgentConfig fields (3615ca2)
• Add Live Avatar new fields (6a0ff96)
• Add support for new audio MIME types: opus, alaw, and mulaw (7137f13)
• add webhook and webhookConfig for js and python sdk (0f89605)
• Add webhook_config to batches.create() and models.generate_videos() (894bc93)
• Wire the webhook into python and js client. (b6c5d18)

v1.49.0

1.49.0 (2026-04-08)

Features

• Introduce TYPE_L16 audio content and optional fields. (c62cb9a)

v1.48.0

1.48.0 (2026-03-31)

Features

• Support dedicated TextAnnotationDelta for streaming tool responses (89552ba)

Bug Fixes

• Fix service_tier enums. (9bdc2ae)

v1.47.0

1.47.0 (2026-03-27)

... (truncated)

Changelog

Sourced from @​google/genai's changelog.

1.50.1 (2026-04-14)

Bug Fixes

• Refactor Webhook types in GenAI SDKs for easier useage (5100abc)
• Rename webhooks.retrieve to webhooks.get. (db6e771)

1.50.0 (2026-04-13)

Features

• Add "eu" as a supported service location for Vertex AI platform. (2493f9c)
• Add DeepResearchAgentConfig fields (3615ca2)
• Add Live Avatar new fields (6a0ff96)
• Add support for new audio MIME types: opus, alaw, and mulaw (7137f13)
• add webhook and webhookConfig for js and python sdk (0f89605)
• Add webhook_config to batches.create() and models.generate_videos() (894bc93)
• Wire the webhook into python and js client. (b6c5d18)

1.49.0 (2026-04-08)

Features

• Introduce TYPE_L16 audio content and optional fields. (c62cb9a)

1.48.0 (2026-03-31)

Features

• Support dedicated TextAnnotationDelta for streaming tool responses (89552ba)

Bug Fixes

• Fix service_tier enums. (9bdc2ae)

1.47.0 (2026-03-27)

Features

• Add custom_metadata to FileSearchResult. (083a1e3)
• Add labels field to Veo configs (930c9c3)
• Add mime type for Audio content (1ad80c6)
• Add model_status to GenerateContentResponse (Gemini API only) (5e1110d)
• Add part_metadata in Part (Gemini API only) (5e1110d)

... (truncated)

Commits

• aeb5cd3 chore(main): release 1.50.1 (#1497)
• db6e771 fix: Rename webhooks.retrieve to webhooks.get.
• 5100abc fix: Refactor Webhook types in GenAI SDKs for easier useage
• 53829c4 chore(main): release 1.50.0 (#1481)
• 4d5e949 chore: internal change
• 894bc93 feat: Add webhook_config to batches.create() and models.generate_videos()
• b6c5d18 feat: Wire the webhook into python and js client.
• 0f89605 feat: add webhook and webhookConfig for js and python sdk
• 70d8f53 chore: support new config mappings and fields for gemini-embedding-2 on GenAI...
• 3615ca2 feat: Add DeepResearchAgentConfig fields
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.26.0 to 1.29.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @​felixweinberger in modelcontextprotocol/typescript-sdk#1749
• [v1.x] fix: disallow null (infinite) requested TTL by @​LucaButBoring in modelcontextprotocol/typescript-sdk#1339
• [v1.x] fix: add missing size field to ResourceSchema by @​olaservo in modelcontextprotocol/typescript-sdk#1575
• Add typings exports by @​tdraier in modelcontextprotocol/typescript-sdk#1623
• v1.x npm audit fix by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1780
• v1.x #1623 follow up -add missing types to package.json by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @​localden in modelcontextprotocol/typescript-sdk#1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @​jnMetaCode in modelcontextprotocol/typescript-sdk#1640
• chore: bump version to 1.29.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1820

New Contributors

• @​tdraier made their first contribution in modelcontextprotocol/typescript-sdk#1623
• @​jnMetaCode made their first contribution in modelcontextprotocol/typescript-sdk#1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #580) by @​antogyn in modelcontextprotocol/typescript-sdk#757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in modelcontextprotocol/typescript-sdk#1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in modelcontextprotocol/typescript-sdk#1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in modelcontextprotocol/typescript-sdk#1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in modelcontextprotocol/typescript-sdk#1738
• chore: bump version to 1.28.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1746

New Contributors

• @​antogyn made their first contribution in modelcontextprotocol/typescript-sdk#757
• @​tiluckdave made their first contribution in modelcontextprotocol/typescript-sdk#1596
• @​poteat made their first contribution in modelcontextprotocol/typescript-sdk#1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

What's Changed

• feat: implement auth/pre-registration conformance scenario by @​felixweinberger in modelcontextprotocol/typescript-sdk#1545
• docs: add governance documentation for SEP-1730 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1547
• docs: comprehensive feature documentation for SEP-1730 Tier 1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1548
• fix: prevent command injection in example URL opening (v1.x backport) by @​maxisbey in modelcontextprotocol/typescript-sdk#1579
• fix: call onerror for silently swallowed transport errors by @​qing-ant in modelcontextprotocol/typescript-sdk#1580
• chore: bump version to 1.27.1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1581

New Contributors

• @​qing-ant made their first contribution in modelcontextprotocol/typescript-sdk#1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

... (truncated)

Commits

• e12cbd7 chore: bump version to 1.29.0 (#1820)
• 3913fd4 fix(stdio): always set windowsHide on Windows, not just in Electron (#1640)
• 5608e78 [v1.x backport] Allow servers / clients to advertise extensions in the capabi...
• 7213816 v1.x #1623 follow up -add missing types to package.json (#1773)
• 364f38c v1.x npm audit fix (#1780)
• c95cc09 Add typings exports (#1623)
• ddadaa6 [v1.x] fix: add missing size field to ResourceSchema (#1575)
• 2a15851 [v1.x] fix: disallow null (infinite) requested TTL (#1339)
• 13e30f1 fix: treat v1.x as primary branch for npm latest tag (backport #1577) (#1749)
• a056569 chore: bump version to 1.28.0 (#1746)
• Additional commits viewable in compare view

Updates @supabase/supabase-js from 2.97.0 to 2.103.3

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.103.3

2.103.3 (2026-04-16)

🩹 Fixes

• realtime: throw Error objects instead of bare strings (#2256)
• storage: correct signedUrl type to allow null in createSignedUrls (#2254)

❤️ Thank You

• Katerina Skroumpelou @​mandarini
• oniani1

v2.103.3-canary.1

2.103.3-canary.1 (2026-04-16)

🚀 Features

• postgrest: add stripNulls method for null value stripping (#2189)
• storage: add cacheNonce parameter for download (#2234)
• supabase: export PostgrestFilterBuilder and StorageApiError from supabase-js (#2222)

🩹 Fixes

• auth: downgrade console.error to console.warn for missing session (#2214)
• auth: add toJSON to AuthError for correct JSON serialization (#2238)
• auth: include Cloudflare error codes in NETWORK_ERROR_CODES (#2239)
• auth: remove Prettify wrapper from exported types for TypeDoc expansion (#2250)
• functions: add toJSON to FunctionsError for correct JSON serialization (#2226)
• misc: add explicit return types to toJSON methods for JSR compat (#2252)
• postgrest: fix scalar computed column type inference for isNotNullable and SETOF scalar (#2224)
• postgrest: handle bigint rpc (#2245)
• realtime: throw Error objects instead of bare strings (#2256)
• storage: set correct content-type for uploads (#2211)
• storage: avoid duplicate content-type headers in vector requests (#2220)
• storage: add toJSON to StorageError for correct JSON serialization (#2246)
• storage: apply empty transform check to download and getPublicUrl (#2219)
• storage: remove client-side signed URL render endpoint normalization (#2249)
• storage: correct signedUrl type to allow null in createSignedUrls (#2254)

❤️ Thank You

• Katerina Skroumpelou @​mandarini
• oniani1
• Seydi Charyyev @​TheSeydiCharyyev
• Vaibhav @​7ttp
• Vansh Sharma @​Vansh1811

v2.103.3-canary.0

2.103.3-canary.0 (2026-04-15)

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.103.3 (2026-04-16)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.2 (2026-04-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.1 (2026-04-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.0 (2026-04-09)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.102.1 (2026-04-07)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.102.0 (2026-04-07)

🚀 Features

• supabase: export PostgrestFilterBuilder and StorageApiError from supabase-js (#2222)
• postgrest: add automatic retries for transient errors (#2072)

❤️ Thank You

• Guilherme Souza
• Katerina Skroumpelou @​mandarini

2.101.1 (2026-03-31)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.101.0 (2026-03-30)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.100.1 (2026-03-26)

🩹 Fixes

• postgrest: narrow tstyche testFileMatch to only type test files (#2193)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

... (truncated)

Commits

• a2f9414 chore(release): version 2.103.2 changelogs (#2253)
• f9da9ee chore(release): version 2.103.1 changelogs (#2248)
• d38c180 chore(release): version 2.103.0 changelogs (#2237)
• 16dd265 chore(release): version 2.102.1 changelogs (#2233)
• 0c1e6db chore(release): version 2.102.0 changelogs (#2232)

[dependabot]

Assignees

The following users could not be added as assignees: llm-dev-ops/maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔒 Security Scan Results

Scan Type	Status
Dependency Scan	⚠️ failure
CodeQL Analysis	✅ success
Secret Scan	✅ success
License Check	⚠️ failure
SAST	⚠️ failure

⚠️ Some security scans have warnings or failed. Please review the details.

---

Automated security scanning by GitHub Actions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.