chore(deps)(deps): bump the production-dependencies group across 1 directory with 69 updates

[dependabot]

Bumps the production-dependencies group with 42 updates in the / directory:

Package	From	To
ajv	8.18.0	8.20.0
cosmiconfig	9.0.0	9.0.1
handlebars	4.7.8	4.7.9
@anthropic-ai/claude-code	2.1.50	2.1.143
@anthropic-ai/sdk	0.60.0	0.65.0
@babel/runtime	7.28.6	7.29.2
@borewit/text-codec	0.2.1	0.2.2
@google/genai	1.42.0	1.52.0
@modelcontextprotocol/sdk	1.26.0	1.29.0
@supabase/supabase-js	2.97.0	2.106.0
fastmcp	3.33.0	3.35.0
b4a	1.8.0	1.8.1
bare-events	2.8.2	2.8.3
bare-fs	4.5.4	4.7.1
bare-os	3.6.2	3.9.1
bare-stream	2.8.0	2.13.1
bare-url	2.3.2	2.4.3
stdin-discarder	0.1.0	0.2.2
eventsource-parser	3.0.6	3.0.8
figlet	1.10.0	1.11.0
mime-db	1.52.0	1.54.0
fs-extra	11.3.3	11.3.5
fuse.js	7.1.0	7.3.0
gaxios	7.1.3	7.1.4
get-east-asian-width	1.5.0	1.6.0
google-auth-library	10.5.0	10.6.2
hasown	2.0.2	2.0.3
is-arrayish	0.2.1	0.3.4
jsonfile	6.2.0	6.2.1
mcp-proxy	6.4.0	6.5.0
nan	2.25.0	2.27.0
node-abi	3.87.0	3.92.0
pipenet	1.4.0	1.4.2
pump	3.0.3	3.0.4
qs	6.15.0	6.15.2
side-channel-list	1.0.0	1.0.1
sql.js	1.14.0	1.14.1
strtok3	10.3.4	10.3.5
type-is	2.0.1	2.1.0
validator	13.15.26	13.15.35
ws	8.19.0	8.20.1
zod-to-json-schema	3.25.1	3.25.2

Updates ajv from 8.18.0 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in ajv-validator/ajv#2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

• fix prototype pollution via format keyword using $data ref by @​epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

Commits

• 0fba0b8 8.20.0
• 9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
• 2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
• 154b58d 8.19.0
• e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
• See full diff in compare view

Updates cosmiconfig from 9.0.0 to 9.0.1

Changelog

Sourced from cosmiconfig's changelog.

9.0.1

• Fixed a race condition where multiple instances existing simultaneously could cause cosmiconfig to fail to load TypeScript config files.
• Fixed an issue on Windows where CWD being a short path (e.g. C:\Users\USERNA~1) would cause cosmiconfig to fail to load ESM config files.

Commits

• 9a5cda3 9.0.1
• 2174017 update changelog
• 536d4a0 Prevent race conditions when running multiple instances of cosmiconfig and ...
• 4b48611 remove debug log
• 53d1745 remove more EOL node versions
• 7c1a1e3 replace resolve with realpath
• fcc9084 add additional path.resolve for windows short paths
• 7e995c8 debug
• 52b6b1c drop node 14 build as it seems to fail for unreachable reasons
• db45e38 fix tests on windows (3)
• Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates @anthropic-ai/claude-code from 2.1.50 to 2.1.143

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.143

What's changed

• Added plugin dependency enforcement: claude plugin disable now refuses when another enabled plugin depends on the target (with a copy-pasteable disable-chain hint), and claude plugin enable force-enables transitive dependencies
• Added projected context cost (per-turn and per-invocation token estimates) to the /plugin marketplace browse pane
• Added worktree.bgIsolation: "none" setting to let background sessions edit the working copy directly without EnterWorktree, for repos where worktrees are impractical
• PowerShell tool now passes -ExecutionPolicy Bypass. Opt out with CLAUDE_CODE_POWERSHELL_RESPECT_EXECUTION_POLICY=1
• Background sessions now preserve the model and effort level you set after waking from idle
• Shift+Tab in attached agent sessions now includes auto mode in the cycle
• Fixed a corrupt .credentials.json with a non-array scopes value hanging the CLI on startup or silently aborting OAuth token refresh
• Fixed right-click paste in claude agents on Windows Terminal and WSL
• Fixed stop hooks that block repeatedly looping forever — the turn now ends with a warning after 8 consecutive blocks (override via CLAUDE_CODE_STOP_HOOK_BLOCK_CAP)
• Fixed Esc/Ctrl+C not cancelling a pending /loop wakeup while Claude is idle between iterations
• Fixed /goal evaluator firing while background shells or delegated subagents are still running
• Fixed NO_COLOR/FORCE_COLOR in settings.json env stripping Claude Code's own UI colors — they now apply to subprocesses only
• Fixed agent view spawning repeated PowerShell processes on Windows when listing sessions
• Fixed /bg without a prompt sending "continue" to the forked session — the fork now waits for input
• Fixed --agent <name> not finding plugin-contributed agents without the plugin: prefix
• Fixed deleting a session from agent view not removing its transcript file
• Fixed stale-fragment rendering when scrolling in attached background sessions on Windows Terminal
• Fixed background agents false-positive worker-stall detection storm after host sleep or macOS App Nap
• Fixed 5xx error messages pointing at status.claude.com instead of naming the configured gateway or cloud provider
• The PowerShell tool is now enabled by default on Windows for Bedrock, Vertex, and Foundry users. Opt out with CLAUDE_CODE_USE_POWERSHELL_TOOL=0.
• claude agents now accepts --add-dir, --settings, --mcp-config, and --plugin-dir and applies them to the dashboard and to background sessions dispatched from it
• claude agents accepts --permission-mode, --model, --effort, and --dangerously-skip-permissions to set defaults for sessions dispatched from the view
• claude --bg --dangerously-skip-permissions now persists across retire→wake
• Fixed background sessions silently capturing IDE file references into the warm spare's input, which caused the reference to be prepended to the next prompt dispatched from claude agents
• Worktree cleanup no longer falls back to rm -rf when git worktree remove fails, preventing loss of gitignored or in-progress files
• Fixed background-job sessions on macOS getting "Operation not permitted" errors when reading files under ~/Documents, ~/Desktop, or ~/Downloads, even with Full Disk Access granted.
• /bg now preserves --mcp-config, --settings, --add-dir, --plugin-dir, and --strict-mcp-config, so backgrounded sessions keep their MCP servers and settings across respawn.
• Background sessions launched from claude agents now honor permissions.defaultMode from settings.json (was previously overridden to auto mode)
• Fixed: on Windows, pressing ← in claude agents while a response was streaming could leave the agents list unresponsive to all input
• /bg and ←-detach now preserve --fallback-model, so backgrounded workers degrade to the fallback model on overload instead of hard-failing.
• /bg and ←-detach now preserve --allow-dangerously-skip-permissions, so the forked worker keeps bypass-permissions available in its Shift+Tab cycle.
• Fixed: background daemon spawn now falls back to the running binary when the ~/.local/bin/claude launcher is missing or non-executable
• Fixed claude agents --allow-dangerously-skip-permissions defaulting dispatched sessions to bypass mode instead of making it available in the permission cycle

v2.1.142

What's changed

• Added new claude agents flags: --add-dir, --settings, --mcp-config, --plugin-dir, --permission-mode, --model, --effort, and --dangerously-skip-permissions to configure dispatched background sessions
• Fast mode now uses Opus 4.7 by default (previously Opus 4.6). Set CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE=1 to pin fast mode to Opus 4.6
• Plugins with a root-level SKILL.md and no skills/ subdirectory are now surfaced as a skill
• The /plugin details pane and claude plugin details now show LSP servers a plugin provides
• /web-setup warns before replacing an existing GitHub App connection
• Fixed MCP_TOOL_TIMEOUT not raising the per-request fetch timeout for remote HTTP and SSE MCP servers, which capped tool calls at 60 seconds regardless of the configured value
• Fixed background sessions not recognizing pre-existing git worktrees, blocking Edit while EnterWorktree refused to create a duplicate
• Fixed background sessions disappearing and daemon reconnect failing after macOS sleep/wake — the daemon now detects clock jumps instead of treating them as elapsed idle time
• Fixed daemon not exiting cleanly after the binary is upgraded (e.g. brew upgrade), causing dispatched agents to crash-loop on the deleted path
• Fixed background agents crash-looping when the Claude-in-Chrome extension is connected without a shared tab

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.143

• Added plugin dependency enforcement: claude plugin disable now refuses when another enabled plugin depends on the target (with a copy-pasteable disable-chain hint), and claude plugin enable force-enables transitive dependencies
• Added projected context cost (per-turn and per-invocation token estimates) to the /plugin marketplace browse pane
• Added worktree.bgIsolation: "none" setting to let background sessions edit the working copy directly without EnterWorktree, for repos where worktrees are impractical
• PowerShell tool now passes -ExecutionPolicy Bypass. Opt out with CLAUDE_CODE_POWERSHELL_RESPECT_EXECUTION_POLICY=1
• Background sessions now preserve the model and effort level you set after waking from idle
• Shift+Tab in attached agent sessions now includes auto mode in the cycle
• Fixed a corrupt .credentials.json with a non-array scopes value hanging the CLI on startup or silently aborting OAuth token refresh
• Fixed right-click paste in claude agents on Windows Terminal and WSL
• Fixed stop hooks that block repeatedly looping forever — the turn now ends with a warning after 8 consecutive blocks (override via CLAUDE_CODE_STOP_HOOK_BLOCK_CAP)
• Fixed Esc/Ctrl+C not cancelling a pending /loop wakeup while Claude is idle between iterations
• Fixed /goal evaluator firing while background shells or delegated subagents are still running
• Fixed NO_COLOR/FORCE_COLOR in settings.json env stripping Claude Code's own UI colors — they now apply to subprocesses only
• Fixed agent view spawning repeated PowerShell processes on Windows when listing sessions
• Fixed /bg without a prompt sending "continue" to the forked session — the fork now waits for input
• Fixed --agent <name> not finding plugin-contributed agents without the plugin: prefix
• Fixed deleting a session from agent view not removing its transcript file
• Fixed stale-fragment rendering when scrolling in attached background sessions on Windows Terminal
• Fixed background agents false-positive worker-stall detection storm after host sleep or macOS App Nap
• Fixed 5xx error messages pointing at status.claude.com instead of naming the configured gateway or cloud provider
• The PowerShell tool is now enabled by default on Windows for Bedrock, Vertex, and Foundry users. Opt out with CLAUDE_CODE_USE_POWERSHELL_TOOL=0.
• claude agents now accepts --add-dir, --settings, --mcp-config, and --plugin-dir and applies them to the dashboard and to background sessions dispatched from it
• claude agents accepts --permission-mode, --model, --effort, and --dangerously-skip-permissions to set defaults for sessions dispatched from the view
• claude --bg --dangerously-skip-permissions now persists across retire→wake
• Fixed background sessions silently capturing IDE file references into the warm spare's input, which caused the reference to be prepended to the next prompt dispatched from claude agents
• Worktree cleanup no longer falls back to rm -rf when git worktree remove fails, preventing loss of gitignored or in-progress files
• Fixed background-job sessions on macOS getting "Operation not permitted" errors when reading files under ~/Documents, ~/Desktop, or ~/Downloads, even with Full Disk Access granted.
• /bg now preserves --mcp-config, --settings, --add-dir, --plugin-dir, and --strict-mcp-config, so backgrounded sessions keep their MCP servers and settings across respawn.
• Background sessions launched from claude agents now honor permissions.defaultMode from settings.json (was previously overridden to auto mode)
• Fixed: on Windows, pressing ← in claude agents while a response was streaming could leave the agents list unresponsive to all input
• /bg and ←-detach now preserve --fallback-model, so backgrounded workers degrade to the fallback model on overload instead of hard-failing.
• /bg and ←-detach now preserve --allow-dangerously-skip-permissions, so the forked worker keeps bypass-permissions available in its Shift+Tab cycle.
• Fixed: background daemon spawn now falls back to the running binary when the ~/.local/bin/claude launcher is missing or non-executable
• Fixed claude agents --allow-dangerously-skip-permissions defaulting dispatched sessions to bypass mode instead of making it available in the permission cycle

2.1.142

• Added new claude agents flags: --add-dir, --settings, --mcp-config, --plugin-dir, --permission-mode, --model, --effort, and --dangerously-skip-permissions to configure dispatched background sessions
• Fast mode now uses Opus 4.7 by default (previously Opus 4.6). Set CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE=1 to pin fast mode to Opus 4.6
• Plugins with a root-level SKILL.md and no skills/ subdirectory are now surfaced as a skill
• The /plugin details pane and claude plugin details now show LSP servers a plugin provides
• /web-setup warns before replacing an existing GitHub App connection
• Fixed MCP_TOOL_TIMEOUT not raising the per-request fetch timeout for remote HTTP and SSE MCP servers, which capped tool calls at 60 seconds regardless of the configured value
• Fixed background sessions not recognizing pre-existing git worktrees, blocking Edit while EnterWorktree refused to create a duplicate
• Fixed background sessions disappearing and daemon reconnect failing after macOS sleep/wake — the daemon now detects clock jumps instead of treating them as elapsed idle time
• Fixed daemon not exiting cleanly after the binary is upgraded (e.g. brew upgrade), causing dispatched agents to crash-loop on the deleted path
• Fixed background agents crash-looping when the Claude-in-Chrome extension is connected without a shared tab
• Fixed clicking links in an attached claude agents session — the background worker's headless browser shim no longer applies while attached
• Fixed claude agents "v to open in editor" using the daemon's default editor instead of your shell's $EDITOR/$VISUAL

... (truncated)

Commits

• 8bdbb72 chore: Update CHANGELOG.md
• d61bfb5 chore: Update CHANGELOG.md
• c571267 chore: Update CHANGELOG.md
• 6b070c3 chore: Update CHANGELOG.md
• fdfbc06 chore: Update CHANGELOG.md
• 831608a chore: Update CHANGELOG.md
• 33a87ad chore: Update CHANGELOG.md
• f7ef09f Merge pull request #56784 from anthropics/devsec/pin-actions
• 2bd8547 chore: Update CHANGELOG.md
• 6cd790c chore: Update CHANGELOG.md
• Additional commits viewable in compare view

Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.

Updates @anthropic-ai/sdk from 0.60.0 to 0.65.0

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.65.0

0.65.0 (2025-09-29)

Full Changelog: sdk-v0.64.0...sdk-v0.65.0

Features

• api: adds support for Claude Sonnet 4.5 and context management features (3f0b0fb)

Chores

• internal: codegen related update (724a2b1)
• internal: ignore .eslintcache (56a5f30)

sdk: v0.64.0

0.64.0 (2025-09-26)

Full Changelog: sdk-v0.63.1...sdk-v0.64.0

Features

• toolRunner: support custom headers (ac6a7a3)

Performance Improvements

• faster formatting (32d6185)

Chores

• internal: fix incremental formatting in some cases (2bdf8ee)
• internal: remove deprecated compilerOptions.baseUrl from tsconfig.json (2817c45)

sdk: v0.63.1

0.63.1 (2025-09-23)

Full Changelog: sdk-v0.63.0...sdk-v0.63.1

Bug Fixes

• helpers/zod: fix compat with zod 3 (a2952e1)

Chores

• do not install brew dependencies in ./scripts/bootstrap by default (115d81a)
• internal: update CI (dfa991a)
• package: lower zod peer dependency constraints (b40cfec)

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.65.0 (2025-09-29)

Full Changelog: sdk-v0.64.0...sdk-v0.65.0

Features

• api: adds support for Claude Sonnet 4.5 and context management features (3f0b0fb)

Chores

• internal: codegen related update (724a2b1)
• internal: ignore .eslintcache (56a5f30)

0.64.0 (2025-09-26)

Full Changelog: sdk-v0.63.1...sdk-v0.64.0

Features

• toolRunner: support custom headers (ac6a7a3)

Performance Improvements

• faster formatting (32d6185)

Chores

• internal: fix incremental formatting in some cases (2bdf8ee)
• internal: remove deprecated compilerOptions.baseUrl from tsconfig.json (2817c45)

0.63.1 (2025-09-23)

Full Changelog: sdk-v0.63.0...sdk-v0.63.1

Bug Fixes

• helpers/zod: fix compat with zod 3 (a2952e1)

Chores

• do not install brew dependencies in ./scripts/bootstrap by default (115d81a)
• internal: update CI (dfa991a)
• package: lower zod peer dependency constraints (b40cfec)

0.63.0 (2025-09-17)

... (truncated)

Commits

• 293c5db chore: release main
• b0b7200 feat(api): adds support for Claude Sonnet 4.5 and context management features
• f994798 chore(internal): ignore .eslintcache
• a8c35bc chore(internal): codegen related update
• 1bb06f7 chore: release main
• d823e52 chore(internal): fix incremental formatting in some cases
• 8ee0c3a feat(toolRunner): support custom headers
• ba3eadd chore(internal): remove deprecated compilerOptions.baseUrl from tsconfig.json
• 5be54cb perf: faster formatting
• d3be31f chore: release main
• Additional commits viewable in compare view

Updates @babel/runtime from 7.28.6 to 7.29.2

Release notes

Sourced from @​babel/runtime's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

... (truncated)

Commits

• 37d5595 v7.29.2
• See full diff in compare view

Updates @borewit/text-codec from 0.2.1 to 0.2.2

Release notes

Sourced from @​borewit/text-codec's releases.

v0.2.2

Changes

🐛 Bug Fixes

• fix: improve encoding correctness and update README @​Borewit (#36)

NPM release

NPM release: @​borewit/text-codec@0.2.2

Commits

• c2ce9c5 0.2.2
• e2f0705 Merge pull request #23 from Borewit/dependabot/npm_and_yarn/master/chai-6.2.2
• 5e58cb8 Bump chai from 5.2.1 to 6.2.2
• bc315b8 Merge pull request #37 from Borewit/update-biome
• f32adfc Update biome to 2.4.6
• 7776373 Merge pull request #36 from Borewit/fix-most-issue-exodus
• 068d7d4 fix: improve encoding correctness and update README
• See full diff in compare view

Updates @google/genai from 1.42.0 to 1.52.0

Release notes

Sourced from @​google/genai's releases.

v1.52.0

1.52.0 (2026-05-04)

Features

• [Python] Multimodal file search (e626bef)
• Multimodal file search (54caf6b)

v1.51.0

1.51.0 (2026-04-29)

Features

• [Interactions] Add FileCitation.{custom_metadata,media_id,page_number} (9e08ba9)
• Add output_info to BatchJob (5327c60)
• Add gemini-3.1-flash-tts-preview model to options (35c941b)
• Add ImageResizeMode for GenerateVideos (faa1088)
• Add new Gemini Deep Research agent models (6f83a05)
• Add Vertex Dataset input and output options for batch jobs (6aa848e)
• interaction-api: Add grounding tool usage breakdown to Interaction Usage. (e1c31ad)
• introduce enterprise flag and GOOGLE_GENAI_USE_ENTERPRISE env var (cf7ad52)
• Replace the more ambiguous rate field with sample_rate. (6c80464)

v1.50.1

1.50.1 (2026-04-14)

Bug Fixes

• Refactor Webhook types in GenAI SDKs for easier useage (5100abc)
• Rename webhooks.retrieve to webhooks.get. (db6e771)

v1.50.0

1.50.0 (2026-04-13)

[!CAUTION] CRITICAL WARNING: Do not use this version if you are implementing or relying on webhooks. This release contains known issues regarding webhook sdk. Please use v1.51.0 or later.

Features

• Add "eu" as a supported service location for Vertex AI platform. (2493f9c)
• Add DeepResearchAgentConfig fields (3615ca2)
• Add Live Avatar new fields (6a0ff96)
• Add support for new audio MIME types: opus, alaw, and mulaw (7137f13)
• add webhook and webhookConfig for js and python sdk (0f89605)
• Add webhook_config to batches.create() and models.generate_videos() (894bc93)
• Wire the webhook into python and js client. (b6c5d18)

... (truncated)

Changelog

Sourced from @​google/genai's changelog.

1.52.0 (2026-05-04)

Features

• [Python] Multimodal file search (e626bef)
• Multimodal file search (54caf6b)

1.51.0 (2026-04-29)

Features

• [Interactions] Add FileCitation.{custom_metadata,media_id,page_number} (9e08ba9)
• Add output_info to BatchJob (5327c60)
• Add gemini-3.1-flash-tts-preview model to options (35c941b)
• Add ImageResizeMode for GenerateVideos (faa1088)
• Add new Gemini Deep Research agent models (6f83a05)
• Add Vertex Dataset input and output options for batch jobs (6aa848e)
• interaction-api: Add grounding tool usage breakdown to Interaction Usage. (e1c31ad)
• introduce enterprise flag and GOOGLE_GENAI_USE_ENTERPRISE env var (cf7ad52)
• Replace the more ambiguous rate field with sample_rate. (6c80464)

1.50.1 (2026-04-14)

Bug Fixes

• Refactor Webhook types in GenAI SDKs for easier useage (5100abc)
• Rename webhooks.retrieve to webhooks.get. (db6e771)

1.50.0 (2026-04-13)

Features

• Add "eu" as a supported service location for Vertex AI platform. (2493f9c)
• Add DeepResearchAgentConfig fields (3615ca2)
• Add Live Avatar new fields (6a0ff96)
• Add support for new audio MIME types: opus, alaw, and mulaw (7137f13)
• add webhook and webhookConfig for js and python sdk (0f89605)
• Add webhook_config to batches.create() and models.generate_videos() (894bc93)
• Wire the webhook into python and js client. (b6c5d18)

1.49.0 (2026-04-08)

Features

• Introduce TYPE_L16 audio content and optional fields. (c62cb9a)

... (truncated)

Commits

• e8c8c44 chore(main): release 1.52.0 (#1546)
• 50d81ca chore: [Multimodal FileSearch] Move embedding_model to body
• 54caf6b feat: Multimodal file search
• e626bef feat: [Python] Multimodal file search
• 61013d6 chore(main): release 1.51.0 (#1503)
• 8137d23 chore: add the deprecation marker back
• 734dab0 chore: no-op
• 006286b chore: Add page number
• 986bbed chore: Adjust Webhook update to better reflect modifiable fields
• e1c31ad feat(interaction-api): Add grounding tool usage breakdown to Interaction Usage.
• Additional commits viewable in compare view

Install script changes

This version adds preinstall script that runs during installation. Review the package contents before updating.

Updates @hono/node-server from 1.19.9 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.26.0 to 1.29.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @​felixweinberger in modelcontextprotocol/typescript-sdk#1749
• [v1.x] fix: disallow null (infinite) requested TTL by @​LucaButBoring in modelcontextprotocol/typescript-sdk#1339
• [v1.x] fix: add missing size field to ResourceSchema by @​olaservo in modelcontextprotocol/typescript-sdk#1575
• Add typings exports by @​tdraier in modelcontextprotocol/typescript-sdk#1623
• v1.x npm audit fix by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1780
• v1.x #1623 follow up -add missing types to package.json by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @​localden in modelcontextprotocol/typescript-sdk#1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @​jnMetaCode in modelcontextprotocol/typescript-sdk#1640
• chore: bump version to 1.29.0 by @​felixweinberger in

[dependabot]

Assignees

The following users could not be added as assignees: llm-dev-ops/maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔒 Security Scan Results

Scan Type	Status
Dependency Scan	⚠️ failure
CodeQL Analysis	✅ success
Secret Scan	✅ success
License Check	⚠️ failure
SAST	⚠️ failure

⚠️ Some security scans have warnings or failed. Please review the details.

---

Automated security scanning by GitHub Actions