chore(deps)(deps): bump the production-dependencies group across 1 directory with 52 updates

[dependabot]

Bumps the production-dependencies group with 44 updates in the / directory:

Package	From	To
ajv	8.18.0	8.20.0
cosmiconfig	9.0.0	9.0.1
handlebars	4.7.8	4.7.9
@anthropic-ai/claude-code	2.1.50	2.1.119
@babel/runtime	7.28.6	7.29.2
@borewit/text-codec	0.2.1	0.2.2
@google/genai	1.42.0	1.50.1
@hono/node-server	1.19.9	1.19.14
@modelcontextprotocol/sdk	1.26.0	1.29.0
@supabase/supabase-js	2.97.0	2.104.1
fastmcp	3.33.0	3.35.0
axios	1.13.5	1.15.2
bare-fs	4.5.4	4.7.1
bare-os	3.6.2	3.9.0
bare-stream	2.8.0	2.13.0
bare-url	2.3.2	2.4.2
eventsource-parser	3.0.6	3.0.8
express-rate-limit	8.2.1	8.4.1
figlet	1.10.0	1.11.0
file-type	21.3.0	21.3.4
follow-redirects	1.15.11	1.16.0
fs-extra	11.3.3	11.3.4
fuse.js	7.1.0	7.3.0
gaxios	7.1.3	7.1.4
google-auth-library	10.5.0	10.6.2
hasown	2.0.2	2.0.3
hono	4.12.1	4.12.15
jsonfile	6.2.0	6.2.1
koa	3.1.1	3.2.0
mcp-proxy	6.4.0	6.4.6
nan	2.25.0	2.26.2
node-abi	3.87.0	3.89.0
protobufjs	6.11.4	6.11.5
path-to-regexp	8.3.0	8.4.2
pump	3.0.3	3.0.4
qs	6.15.0	6.15.1
side-channel-list	1.0.0	1.0.1
sql.js	1.14.0	1.14.1
strtok3	10.3.4	10.3.5
undici	7.22.0	7.25.0
validator	13.15.26	13.15.35
ws	8.19.0	8.20.0
yaml	2.8.2	2.8.3
zod-to-json-schema	3.25.1	3.25.2

Updates ajv from 8.18.0 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in ajv-validator/ajv#2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

• fix prototype pollution via format keyword using $data ref by @​epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

Commits

• 0fba0b8 8.20.0
• 9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
• 2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
• 154b58d 8.19.0
• e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
• See full diff in compare view

Updates cosmiconfig from 9.0.0 to 9.0.1

Changelog

Sourced from cosmiconfig's changelog.

9.0.1

• Fixed a race condition where multiple instances existing simultaneously could cause cosmiconfig to fail to load TypeScript config files.
• Fixed an issue on Windows where CWD being a short path (e.g. C:\Users\USERNA~1) would cause cosmiconfig to fail to load ESM config files.

Commits

• 9a5cda3 9.0.1
• 2174017 update changelog
• 536d4a0 Prevent race conditions when running multiple instances of cosmiconfig and ...
• 4b48611 remove debug log
• 53d1745 remove more EOL node versions
• 7c1a1e3 replace resolve with realpath
• fcc9084 add additional path.resolve for windows short paths
• 7e995c8 debug
• 52b6b1c drop node 14 build as it seems to fail for unreachable reasons
• db45e38 fix tests on windows (3)
• Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates @anthropic-ai/claude-code from 2.1.50 to 2.1.119

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.119

What's changed

• /config settings (theme, editor mode, verbose, etc.) now persist to ~/.claude/settings.json and participate in project/local/policy override precedence
• Added prUrlTemplate setting to point the footer PR badge at a custom code-review URL instead of github.com
• Added CLAUDE_CODE_HIDE_CWD environment variable to hide the working directory in the startup logo
• --from-pr now accepts GitLab merge-request, Bitbucket pull-request, and GitHub Enterprise PR URLs
• --print mode now honors the agent's tools: and disallowedTools: frontmatter, matching interactive-mode behavior
• --agent <name> now honors the agent definition's permissionMode for built-in agents
• PowerShell tool commands can now be auto-approved in permission mode, matching Bash behavior
• Hooks: PostToolUse and PostToolUseFailure hook inputs now include duration_ms (tool execution time, excluding permission prompts and PreToolUse hooks)
• Subagent and SDK MCP server reconfiguration now connects servers in parallel instead of serially
• Plugins pinned by another plugin's version constraint now auto-update to the highest satisfying git tag
• Vim mode: Esc in INSERT no longer pulls a queued message back into the input; press Esc again to interrupt
• Slash command suggestions now highlight the characters that matched your query
• Slash command picker now wraps long descriptions onto a second line instead of truncating
• owner/repo#N shorthand links in output now use your git remote's host instead of always pointing at github.com
• Security: blockedMarketplaces now correctly enforces hostPattern and pathPattern entries
• OpenTelemetry: tool_result and tool_decision events now include tool_use_id; tool_result also includes tool_input_size_bytes
• Status line: stdin JSON now includes effort.level and thinking.enabled
• Fixed pasting CRLF content (Windows clipboards, Xcode console) inserting an extra blank line between every line
• Fixed multi-line paste losing newlines in terminals using kitty keyboard protocol sequences inside bracketed paste
• Fixed Glob and Grep tools disappearing on native macOS/Linux builds when the Bash tool is denied via permissions
• Fixed scrolling up in fullscreen mode snapping back to the bottom every time a tool finishes
• Fixed MCP HTTP connections failing with "Invalid OAuth error response" when servers returned non-JSON bodies for OAuth discovery requests
• Fixed Rewind overlay showing "(no prompt)" for messages with image attachments
• Fixed auto mode overriding plan mode with conflicting "Execute immediately" instructions
• Fixed async PostToolUse hooks that emit no response payload writing empty entries to the session transcript
• Fixed spinner staying on when a subagent task notification is orphaned in the queue
• Tool search is now disabled by default on Vertex AI to avoid an unsupported beta header error (opt in with ENABLE_TOOL_SEARCH)
• Fixed @-file Tab completion replacing the entire prompt when used inside a slash command with an absolute path
• Fixed a stray p character appearing at the prompt on startup in macOS Terminal.app via Docker or SSH
• Fixed ${ENV_VAR} placeholders in headers for HTTP/SSE/WebSocket MCP servers not being substituted before requests
• Fixed MCP OAuth client secret stored via --client-secret not being sent during token exchange for servers requiring client_secret_post
• Fixed /skills Enter key closing the dialog instead of pre-filling /<skill-name> in the prompt
• Fixed /agents detail view mislabeling built-in tools unavailable to subagents as "Unrecognized"
• Fixed MCP servers from plugins not spawning on Windows when the plugin cache was incomplete
• Fixed /export showing the current default model instead of the model the conversation actually used
• Fixed verbose output setting not persisting after restart
• Fixed /usage progress bars overlapping with their "Resets …" labels
• Fixed plugin MCP servers failing when ${user_config.*} references an optional field left blank
• Fixed list items containing a sentence-final number wrapping the number onto its own line
• Fixed /plan and /plan open not acting on the existing plan when entering plan mode
• Fixed skills invoked before auto-compaction being re-executed against the next user message
• Fixed /reload-plugins and /doctor reporting load errors for disabled plugins
• Fixed Agent tool with isolation: "worktree" reusing stale worktrees from prior sessions
• Fixed disabled MCP servers appearing as "failed" in /status
• Fixed TaskList returning tasks in arbitrary filesystem order instead of sorted by ID
• Fixed spurious "GitHub API rate limit exceeded" hints when gh output contained PR titles mentioning "rate limit"
• Fixed SDK/bridge read_file not correctly enforcing size cap on growing files

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.119

• /config settings (theme, editor mode, verbose, etc.) now persist to ~/.claude/settings.json and participate in project/local/policy override precedence
• Added prUrlTemplate setting to point the footer PR badge at a custom code-review URL instead of github.com
• Added CLAUDE_CODE_HIDE_CWD environment variable to hide the working directory in the startup logo
• --from-pr now accepts GitLab merge-request, Bitbucket pull-request, and GitHub Enterprise PR URLs
• --print mode now honors the agent's tools: and disallowedTools: frontmatter, matching interactive-mode behavior
• --agent <name> now honors the agent definition's permissionMode for built-in agents
• PowerShell tool commands can now be auto-approved in permission mode, matching Bash behavior
• Hooks: PostToolUse and PostToolUseFailure hook inputs now include duration_ms (tool execution time, excluding permission prompts and PreToolUse hooks)
• Subagent and SDK MCP server reconfiguration now connects servers in parallel instead of serially
• Plugins pinned by another plugin's version constraint now auto-update to the highest satisfying git tag
• Vim mode: Esc in INSERT no longer pulls a queued message back into the input; press Esc again to interrupt
• Slash command suggestions now highlight the characters that matched your query
• Slash command picker now wraps long descriptions onto a second line instead of truncating
• owner/repo#N shorthand links in output now use your git remote's host instead of always pointing at github.com
• Security: blockedMarketplaces now correctly enforces hostPattern and pathPattern entries
• OpenTelemetry: tool_result and tool_decision events now include tool_use_id; tool_result also includes tool_input_size_bytes
• Status line: stdin JSON now includes effort.level and thinking.enabled
• Fixed pasting CRLF content (Windows clipboards, Xcode console) inserting an extra blank line between every line
• Fixed multi-line paste losing newlines in terminals using kitty keyboard protocol sequences inside bracketed paste
• Fixed Glob and Grep tools disappearing on native macOS/Linux builds when the Bash tool is denied via permissions
• Fixed scrolling up in fullscreen mode snapping back to the bottom every time a tool finishes
• Fixed MCP HTTP connections failing with "Invalid OAuth error response" when servers returned non-JSON bodies for OAuth discovery requests
• Fixed Rewind overlay showing "(no prompt)" for messages with image attachments
• Fixed auto mode overriding plan mode with conflicting "Execute immediately" instructions
• Fixed async PostToolUse hooks that emit no response payload writing empty entries to the session transcript
• Fixed spinner staying on when a subagent task notification is orphaned in the queue
• Tool search is now disabled by default on Vertex AI to avoid an unsupported beta header error (opt in with ENABLE_TOOL_SEARCH)
• Fixed @-file Tab completion replacing the entire prompt when used inside a slash command with an absolute path
• Fixed a stray p character appearing at the prompt on startup in macOS Terminal.app via Docker or SSH
• Fixed ${ENV_VAR} placeholders in headers for HTTP/SSE/WebSocket MCP servers not being substituted before requests
• Fixed MCP OAuth client secret stored via --client-secret not being sent during token exchange for servers requiring client_secret_post
• Fixed /skills Enter key closing the dialog instead of pre-filling /<skill-name> in the prompt
• Fixed /agents detail view mislabeling built-in tools unavailable to subagents as "Unrecognized"
• Fixed MCP servers from plugins not spawning on Windows when the plugin cache was incomplete
• Fixed /export showing the current default model instead of the model the conversation actually used
• Fixed verbose output setting not persisting after restart
• Fixed /usage progress bars overlapping with their "Resets …" labels
• Fixed plugin MCP servers failing when ${user_config.*} references an optional field left blank
• Fixed list items containing a sentence-final number wrapping the number onto its own line
• Fixed /plan and /plan open not acting on the existing plan when entering plan mode
• Fixed skills invoked before auto-compaction being re-executed against the next user message
• Fixed /reload-plugins and /doctor reporting load errors for disabled plugins
• Fixed Agent tool with isolation: "worktree" reusing stale worktrees from prior sessions
• Fixed disabled MCP servers appearing as "failed" in /status
• Fixed TaskList returning tasks in arbitrary filesystem order instead of sorted by ID
• Fixed spurious "GitHub API rate limit exceeded" hints when gh output contained PR titles mentioning "rate limit"
• Fixed SDK/bridge read_file not correctly enforcing size cap on growing files
• Fixed PR not linked to session when working in a git worktree

... (truncated)

Commits

• ab3ce06 chore: Update CHANGELOG.md
• a5fa36c fix: point $schema at schemastore.org (URL was 404) (#52239)
• 925200d chore: Update CHANGELOG.md
• 9afdfd7 chore: Update CHANGELOG.md
• 2fa6771 chore: Update CHANGELOG.md
• fe53778 chore: Update CHANGELOG.md
• 0385848 chore: Update CHANGELOG.md
• 71366ec chore: Update CHANGELOG.md
• 2b53fac chore: Update CHANGELOG.md
• bf77ee6 chore: Update CHANGELOG.md
• Additional commits viewable in compare view

Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.

Updates @babel/runtime from 7.28.6 to 7.29.2

Release notes

Sourced from @​babel/runtime's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

... (truncated)

Commits

• 37d5595 v7.29.2
• See full diff in compare view

Updates @borewit/text-codec from 0.2.1 to 0.2.2

Release notes

Sourced from @​borewit/text-codec's releases.

v0.2.2

Changes

🐛 Bug Fixes

• fix: improve encoding correctness and update README @​Borewit (#36)

NPM release

NPM release: @​borewit/text-codec@​0.2.2

Commits

• c2ce9c5 0.2.2
• e2f0705 Merge pull request #23 from Borewit/dependabot/npm_and_yarn/master/chai-6.2.2
• 5e58cb8 Bump chai from 5.2.1 to 6.2.2
• bc315b8 Merge pull request #37 from Borewit/update-biome
• f32adfc Update biome to 2.4.6
• 7776373 Merge pull request #36 from Borewit/fix-most-issue-exodus
• 068d7d4 fix: improve encoding correctness and update README
• See full diff in compare view

Updates @google/genai from 1.42.0 to 1.50.1

Release notes

Sourced from @​google/genai's releases.

v1.50.1

1.50.1 (2026-04-14)

Bug Fixes

• Refactor Webhook types in GenAI SDKs for easier useage (5100abc)
• Rename webhooks.retrieve to webhooks.get. (db6e771)

v1.50.0

1.50.0 (2026-04-13)

[!CAUTION] CRITICAL WARNING: Do not use this version if you are implementing or relying on webhooks. This release contains known issues regarding webhook sdk. Please use v1.50.1 or later.

Features

• Add "eu" as a supported service location for Vertex AI platform. (2493f9c)
• Add DeepResearchAgentConfig fields (3615ca2)
• Add Live Avatar new fields (6a0ff96)
• Add support for new audio MIME types: opus, alaw, and mulaw (7137f13)
• add webhook and webhookConfig for js and python sdk (0f89605)
• Add webhook_config to batches.create() and models.generate_videos() (894bc93)
• Wire the webhook into python and js client. (b6c5d18)

v1.49.0

1.49.0 (2026-04-08)

Features

• Introduce TYPE_L16 audio content and optional fields. (c62cb9a)

v1.48.0

1.48.0 (2026-03-31)

Features

• Support dedicated TextAnnotationDelta for streaming tool responses (89552ba)

Bug Fixes

• Fix service_tier enums. (9bdc2ae)

v1.47.0

1.47.0 (2026-03-27)

... (truncated)

Changelog

Sourced from @​google/genai's changelog.

1.50.1 (2026-04-14)

Bug Fixes

• Refactor Webhook types in GenAI SDKs for easier useage (5100abc)
• Rename webhooks.retrieve to webhooks.get. (db6e771)

1.50.0 (2026-04-13)

Features

• Add "eu" as a supported service location for Vertex AI platform. (2493f9c)
• Add DeepResearchAgentConfig fields (3615ca2)
• Add Live Avatar new fields (6a0ff96)
• Add support for new audio MIME types: opus, alaw, and mulaw (7137f13)
• add webhook and webhookConfig for js and python sdk (0f89605)
• Add webhook_config to batches.create() and models.generate_videos() (894bc93)
• Wire the webhook into python and js client. (b6c5d18)

1.49.0 (2026-04-08)

Features

• Introduce TYPE_L16 audio content and optional fields. (c62cb9a)

1.48.0 (2026-03-31)

Features

• Support dedicated TextAnnotationDelta for streaming tool responses (89552ba)

Bug Fixes

• Fix service_tier enums. (9bdc2ae)

1.47.0 (2026-03-27)

Features

• Add custom_metadata to FileSearchResult. (083a1e3)
• Add labels field to Veo configs (930c9c3)
• Add mime type for Audio content (1ad80c6)
• Add model_status to GenerateContentResponse (Gemini API only) (5e1110d)
• Add part_metadata in Part (Gemini API only) (5e1110d)

... (truncated)

Commits

• aeb5cd3 chore(main): release 1.50.1 (#1497)
• db6e771 fix: Rename webhooks.retrieve to webhooks.get.
• 5100abc fix: Refactor Webhook types in GenAI SDKs for easier useage
• 53829c4 chore(main): release 1.50.0 (#1481)
• 4d5e949 chore: internal change
• 894bc93 feat: Add webhook_config to batches.create() and models.generate_videos()
• b6c5d18 feat: Wire the webhook into python and js client.
• 0f89605 feat: add webhook and webhookConfig for js and python sdk
• 70d8f53 chore: support new config mappings and fields for gemini-embedding-2 on GenAI...
• 3615ca2 feat: Add DeepResearchAgentConfig fields
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.26.0 to 1.29.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @​felixweinberger in modelcontextprotocol/typescript-sdk#1749
• [v1.x] fix: disallow null (infinite) requested TTL by @​LucaButBoring in modelcontextprotocol/typescript-sdk#1339
• [v1.x] fix: add missing size field to ResourceSchema by @​olaservo in modelcontextprotocol/typescript-sdk#1575
• Add typings exports by @​tdraier in modelcontextprotocol/typescript-sdk#1623
• v1.x npm audit fix by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1780
• v1.x #1623 follow up -add missing types to package.json by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @​localden in modelcontextprotocol/typescript-sdk#1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @​jnMetaCode in modelcontextprotocol/typescript-sdk#1640
• chore: bump version to 1.29.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1820

New Contributors

• @​tdraier made their first contribution in modelcontextprotocol/typescript-sdk#1623
• @​jnMetaCode made their first contribution in modelcontextprotocol/typescript-sdk#1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #580) by @​antogyn in modelcontextprotocol/typescript-sdk#757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in modelcontextprotocol/typescript-sdk#1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in modelcontextprotocol/typescript-sdk#1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in modelcontextprotocol/typescript-sdk#1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in modelcontextprotocol/typescript-sdk#1738
• chore: bump version to 1.28.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1746

New Contributors

• @​antogyn made their first contribution in modelcontextprotocol/typescript-sdk#757
• @​tiluckdave made their first contribution in modelcontextprotocol/typescript-sdk#1596
• @​poteat made their first contribution in modelcontextprotocol/typescript-sdk#1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

What's Changed

• feat: implement auth/pre-registration conformance scenario by @​felixweinberger in modelcontextprotocol/typescript-sdk#1545
• docs: add governance documentation for SEP-1730 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1547
• docs: comprehensive feature documentation for SEP-1730 Tier 1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1548
• fix: prevent command injection in example URL opening (v1.x backport) by @​maxisbey in modelcontextprotocol/typescript-sdk#1579
• fix: call onerror for silently swallowed transport errors by @​qing-ant in modelcontextprotocol/typescript-sdk#1580
• chore: bump version to 1.27.1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1581

New Contributors

• @​qing-ant made their first contribution in modelcontextprotocol/typescript-sdk#1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

... (truncated)

Commits

• e12cbd7 chore: bump version to 1.29.0 (#1820)
• 3913fd4 fix(stdio): always set windowsHide on Windows, not just in Electron (#1640)
• 5608e78 [v1.x backport] Allow servers / clients to advertise extensions in the capabi...
• 7213816 v1.x #1623 follow up -add missing types to package.json (#1773)
• 364f38c v1.x npm audit fix (#1780)
• c95cc09 Add typings exports (#1623)
• ddadaa6 [v1.x] fix: add missing size field to ResourceSchema (#1575)
• 2a15851 [v1.x] fix: disallow null (infinite) requested TTL (#1339)
• 13e30f1 fix: treat v1.x as primary branch for npm latest tag (backport #1577) (#1749)
• a056569 chore: bump version to 1.28.0 (#1746)
• Additional commits viewable in compare view

Updates @supabase/supabase-js from 2.97.0 to 2.104.1

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.104.1

2.104.1 (2026-04-23)

🩹 Fixes

• auth: emit PASSWORD_RECOVERY event for PKCE recovery flows (#2272)
• postgrest: restore runtime test files to tstyche scope (#2266)
• supabase: propagate custom fetch to realtime client (#2267)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.104.1-canary.3

2.104.1-canary.3 (2026-04-23)

🩹 Fixes

• auth: emit PASSWORD_RECOVERY event for PKCE recovery flows (#2272)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.104.1-canary.2

2.104.1-canary.2 (2026-04-23)

This was a version bump only, there were no code changes.

v2.104.1-canary.1

2.104.1-canary.1 (2026-04-22)

🩹 Fixes

• supabase: propagate custom fetch to realtime client (#2267)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.104.1-canary.0

2.104.1-canary.0 (2026-04-22)

🩹 Fixes

• postgrest: restore runtime test files to tstyche scope (#2266)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.104.1 (2026-04-23)

🩹 Fixes

• supabase: propagate custom fetch to realtime client (#2267)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.104.0 (2026-04-20)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.3 (2026-04-16)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.2 (2026-04-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.1 (2026-04-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.103.0 (2026-04-09)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.102....

Description has been truncated

[dependabot]

Assignees

The following users could not be added as assignees: llm-dev-ops/maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔒 Security Scan Results

Scan Type	Status
Dependency Scan	⚠️ failure
CodeQL Analysis	✅ success
Secret Scan	✅ success
License Check	⚠️ failure
SAST	⚠️ failure

⚠️ Some security scans have warnings or failed. Please review the details.

---

Automated security scanning by GitHub Actions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.