From ec55890da03e79a1cd9b7f0785892fa9489ba470 Mon Sep 17 00:00:00 2001
From: Tanker187
Date: Wed, 18 Feb 2026 13:39:21 -0500
Subject: [PATCH 01/22] Create devcontainer.json
---
 .devcontainer/devcontainer.json | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 .devcontainer/devcontainer.json
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 000000000..39bbd2681
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,4 @@
+{
+ "image": "mcr.microsoft.com/devcontainers/universal:2",
+ "features": {}
+}
From c50d5302b06788a359bef3804d42ef3884528f95 Mon Sep 17 00:00:00 2001
From: Tanker187
Date: Wed, 18 Feb 2026 13:39:50 -0500
Subject: [PATCH 02/22] Create datadog-synthetics.yml
---
 .github/workflows/datadog-synthetics.yml | 38 ++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/datadog-synthetics.yml
diff --git a/.github/workflows/datadog-synthetics.yml b/.github/workflows/datadog-synthetics.yml
new file mode 100644
index 000000000..66c70f8ea
--- /dev/null
+++ b/.github/workflows/datadog-synthetics.yml
@@ -0,0 +1,38 @@
+# This workflow will trigger Datadog Synthetic tests within your Datadog organisation
+# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# To get started:
+
+# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/.
+# 2. Start using the action within your workflow
+
+name: Run Datadog Synthetic tests
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ # Run Synthetic tests within your GitHub workflow.
+ # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
+ - name: Run Datadog Synthetic tests
+ uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0
+ with:
+ api_key: ${{secrets.DD_API_KEY}}
+ app_key: ${{secrets.DD_APP_KEY}}
+ test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy
+
+
From 9288924248d6bdeda0ebde16a9eff408d63472ff Mon Sep 17 00:00:00 2001
From: Tanker187
Date: Wed, 18 Feb 2026 13:40:05 -0500
Subject: [PATCH 03/22] Create generator-generic-ossf-slsa3-publish.yml
---
 .../generator-generic-ossf-slsa3-publish.yml | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 .github/workflows/generator-generic-ossf-slsa3-publish.yml
diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
new file mode 100644
index 000000000..35c829b13
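Review bot: The datadog-synthetics.yml workflow sets no `permissions:` key, so the `build` job runs with the repository's default GITHUB_TOKEN scope while it also handles `DD_API_KEY` and `DD_APP_KEY`; a top-level `permissions:` with `contents: read` would cap the token at what checkout needs. `actions/checkout@v4` is a mutable tag in the same job where the Datadog action is pinned to a commit SHA, so pinning it the same way, `uses: actions/checkout@<full-commit-sha> # v4`, keeps the two consistent. The `pull_request` trigger also starts this job for pull requests from forks, where GitHub does not pass repository secrets, so the Synthetics step will presumably fail there unless it is skipped for fork pull requests.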
--- /dev/null
+++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ outputs:
+ digests: ${{ steps.hash.outputs.digests }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ # ========================================================
+ #
+ # Step 1: Build your artifacts.
+ #
+ # ========================================================
+ - name: Build artifacts
+ run: |
+ # These are some amazing artifacts.
+ echo "artifact1" > artifact1
+ echo "artifact2" > artifact2
+
+ # ========================================================
+ #
+ # Step 2: Add a step to generate the provenance subjects
+ # as shown below. Update the sha256 sum arguments
+ # to include all binaries that you generate
+ # provenance for.
+ #
+ # ========================================================
+ - name: Generate subject for provenance
+ id: hash
+ run: |
+ set -euo pipefail
+
+ # List the artifacts the provenance will refer to.
+ files=$(ls artifact*)
+ # Generate the subjects (base64 encoded).
+ echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+ with:
+ base64-subjects: "${{ needs.build.outputs.digests }}"
+ upload-assets: true # Optional: Upload to a new release
From 15db3505a6692689e014545e94b9c7472947b09a Mon Sep 17 00:00:00 2001
From: Tanker187
Date: Wed, 18 Feb 2026 13:41:07 -0500
Subject: [PATCH 04/22] Create SECURITY.md
---
 SECURITY.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..034e84803
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 5.1.x | :white_check_mark: |
+| 5.0.x | :x: |
+| 4.0.x | :white_check_mark: |
+| < 4.0 | :x: |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
From e2035713c10f989cfe9809b06d69b8232938ac06 Mon Sep 17 00:00:00 2001
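Review bot: In generator-generic-ossf-slsa3-publish.yml the `build` job exports `digests: ${{ steps.hash.outputs.digests }}`, but the `hash` step writes its result under the key `hashes`, so `needs.build.outputs.digests` expands to an empty string and the `provenance` job is handed no subjects to attest. Writing the key that the job output reads fixes it: `echo "digests=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"`. In the same step `$files` is expanded unquoted after `ls artifact*`, so an artifact name containing whitespace would be split into separate arguments; `sha256sum artifact*` avoids the intermediate variable. The `build` job also has no `permissions:` key of its own, and a `permissions:` with `contents: read` there would keep the write scopes confined to the `provenance` job.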
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 18 Feb 2026 18:41:43 +0000 Subject: [PATCH 05/22] Version Packages --- .changeset/big-beers-cheer.md | 5 --- .changeset/bitter-years-fly.md | 5 --- .changeset/busy-pugs-stare.md | 5 --- .changeset/clean-birds-fetch.md | 5 --- .changeset/cold-onions-refuse.md | 5 --- .changeset/curvy-suns-invite.md | 5 --- .changeset/fair-cups-protect.md | 12 ------ .changeset/fifty-gifts-win.md | 5 --- .changeset/five-frogs-cry.md | 5 --- .changeset/five-stars-study.md | 5 --- .changeset/floppy-zebras-lie.md | 5 --- .changeset/free-spies-cover.md | 5 --- .changeset/hungry-areas-remain.md | 5 --- .changeset/late-parks-taste.md | 5 --- .changeset/odd-snakes-film.md | 5 --- .changeset/plain-brooms-make.md | 5 --- .changeset/shy-clouds-type.md | 6 --- .changeset/small-jobs-drum.md | 5 --- .changeset/thin-ants-clean.md | 6 --- .changeset/thin-things-wear.md | 5 --- .changeset/tidy-ghosts-wear.md | 5 --- .changeset/tricky-mangos-prove.md | 5 --- .changeset/upset-colts-enter.md | 5 --- .changeset/wild-beds-retire.md | 5 --- .changeset/yellow-mails-deny.md | 5 --- .changeset/yummy-games-act.md | 5 --- packages/core/CHANGELOG.md | 61 +++++++++++++++++++++++++++++++ packages/core/package.json | 2 +- packages/evals/CHANGELOG.md | 7 ++++ packages/evals/package.json | 2 +- packages/server/CHANGELOG.md | 17 +++++++++ packages/server/package.json | 2 +- 32 files changed, 88 insertions(+), 142 deletions(-) delete mode 100644 .changeset/big-beers-cheer.md delete mode 100644 .changeset/bitter-years-fly.md delete mode 100644 .changeset/busy-pugs-stare.md delete mode 100644 .changeset/clean-birds-fetch.md delete mode 100644 .changeset/cold-onions-refuse.md delete mode 100644 .changeset/curvy-suns-invite.md delete mode 100644 .changeset/fair-cups-protect.md delete mode 100644 .changeset/fifty-gifts-win.md delete mode 100644 .changeset/five-frogs-cry.md delete mode 100644 .changeset/five-stars-study.md delete 
mode 100644 .changeset/floppy-zebras-lie.md delete mode 100644 .changeset/free-spies-cover.md delete mode 100644 .changeset/hungry-areas-remain.md delete mode 100644 .changeset/late-parks-taste.md delete mode 100644 .changeset/odd-snakes-film.md delete mode 100644 .changeset/plain-brooms-make.md delete mode 100644 .changeset/shy-clouds-type.md delete mode 100644 .changeset/small-jobs-drum.md delete mode 100644 .changeset/thin-ants-clean.md delete mode 100644 .changeset/thin-things-wear.md delete mode 100644 .changeset/tidy-ghosts-wear.md delete mode 100644 .changeset/tricky-mangos-prove.md delete mode 100644 .changeset/upset-colts-enter.md delete mode 100644 .changeset/wild-beds-retire.md delete mode 100644 .changeset/yellow-mails-deny.md delete mode 100644 .changeset/yummy-games-act.md diff --git a/.changeset/big-beers-cheer.md b/.changeset/big-beers-cheer.md deleted file mode 100644 index 02b81b811..000000000 --- a/.changeset/big-beers-cheer.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -fix: include shadow DOM in .count() & .nth() & support xpath predicates diff --git a/.changeset/bitter-years-fly.md b/.changeset/bitter-years-fly.md deleted file mode 100644 index 5ce53f76a..000000000 --- a/.changeset/bitter-years-fly.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Fix unhandled CDP detaches by returning the original sendCDP promise diff --git a/.changeset/busy-pugs-stare.md b/.changeset/busy-pugs-stare.md deleted file mode 100644 index e14236a0c..000000000 --- a/.changeset/busy-pugs-stare.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Fix [Agent] - Address bug causing issues with continuing a conversation from past messages in dom mode diff --git a/.changeset/clean-birds-fetch.md b/.changeset/clean-birds-fetch.md deleted file mode 100644 index c54b0da2f..000000000 --- a/.changeset/clean-birds-fetch.md +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Enforce - regex validation on act/observe for elementId diff --git a/.changeset/cold-onions-refuse.md b/.changeset/cold-onions-refuse.md deleted file mode 100644 index 10c2805cd..000000000 --- a/.changeset/cold-onions-refuse.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -add support for codex models diff --git a/.changeset/curvy-suns-invite.md b/.changeset/curvy-suns-invite.md deleted file mode 100644 index a626ca62a..000000000 --- a/.changeset/curvy-suns-invite.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -fixes issue with context.addInitScript() where scripts were not being applied to out of process iframes (OOPIFs), and popup pages with same process iframes (SPIFs) diff --git a/.changeset/fair-cups-protect.md b/.changeset/fair-cups-protect.md deleted file mode 100644 index 158fbb0bf..000000000 --- a/.changeset/fair-cups-protect.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Remove automatic `.env` loading via `dotenv`. - -If your app relies on `.env` files, install `dotenv` and load it explicitly in your code: - -```ts -import dotenv from "dotenv"; -dotenv.config({ path: ".env" }); -``` diff --git a/.changeset/fifty-gifts-win.md b/.changeset/fifty-gifts-win.md deleted file mode 100644 index f8846dc51..000000000 --- a/.changeset/fifty-gifts-win.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -fix issue where screenshot masks were not being applied to dialog elements diff --git a/.changeset/five-frogs-cry.md b/.changeset/five-frogs-cry.md deleted file mode 100644 index 419493e7c..000000000 --- a/.changeset/five-frogs-cry.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Update usage/metrics handling in agent diff --git a/.changeset/five-stars-study.md b/.changeset/five-stars-study.md deleted file mode 100644 index 593e4d86d..000000000 
--- a/.changeset/five-stars-study.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Add right and middle click support to act and observe diff --git a/.changeset/floppy-zebras-lie.md b/.changeset/floppy-zebras-lie.md deleted file mode 100644 index 6d0e2efe8..000000000 --- a/.changeset/floppy-zebras-lie.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -SupportedUnderstudyAction Enum validation for 'method' on act/observe inference diff --git a/.changeset/free-spies-cover.md b/.changeset/free-spies-cover.md deleted file mode 100644 index b715d28dc..000000000 --- a/.changeset/free-spies-cover.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Add support for gemini 3 flash and pro in hybrid/cua agent diff --git a/.changeset/hungry-areas-remain.md b/.changeset/hungry-areas-remain.md deleted file mode 100644 index e14bb678e..000000000 --- a/.changeset/hungry-areas-remain.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": minor ---- - -add boolean keepAlive parameter to allow for configuring whether the browser should be closed when stagehand.close() is called. diff --git a/.changeset/late-parks-taste.md b/.changeset/late-parks-taste.md deleted file mode 100644 index a0741eb54..000000000 --- a/.changeset/late-parks-taste.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Add warning when incorrect models are used with agents hybrid mode diff --git a/.changeset/odd-snakes-film.md b/.changeset/odd-snakes-film.md deleted file mode 100644 index 8fb327f7e..000000000 --- a/.changeset/odd-snakes-film.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Add SupportedUnderstudyActions to observe system prompt diff --git a/.changeset/plain-brooms-make.md b/.changeset/plain-brooms-make.md deleted file mode 100644 index abebbc762..000000000 --- a/.changeset/plain-brooms-make.md +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand-server": patch ---- - -Enable bedrock diff --git a/.changeset/shy-clouds-type.md b/.changeset/shy-clouds-type.md deleted file mode 100644 index 9f70f9516..000000000 --- a/.changeset/shy-clouds-type.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -"@browserbasehq/stagehand-server": minor -"@browserbasehq/stagehand": minor ---- - -Using `mode` enum instead of old `cua` boolean in openapi spec diff --git a/.changeset/small-jobs-drum.md b/.changeset/small-jobs-drum.md deleted file mode 100644 index a16645b38..000000000 --- a/.changeset/small-jobs-drum.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -fix issue where scripts added via context.addInitScripts() were not being injected into new pages that were opened via popups (eg, clicking a link that opens a new page) and/or calling context.newPage(url) diff --git a/.changeset/thin-ants-clean.md b/.changeset/thin-ants-clean.md deleted file mode 100644 index 4c1f55e06..000000000 --- a/.changeset/thin-ants-clean.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -"@browserbasehq/stagehand-server": patch -"@browserbasehq/stagehand": patch ---- - -Include executionModel on the AgentConfigSchema diff --git a/.changeset/thin-things-wear.md b/.changeset/thin-things-wear.md deleted file mode 100644 index 3b3565bc9..000000000 --- a/.changeset/thin-things-wear.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand-server": patch ---- - -Include vertex as a supported provider diff --git a/.changeset/tidy-ghosts-wear.md b/.changeset/tidy-ghosts-wear.md deleted file mode 100644 index 9741ad312..000000000 --- a/.changeset/tidy-ghosts-wear.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -fix issue where locator.count() was not working with xpaths that have attribute predicates diff --git a/.changeset/tricky-mangos-prove.md b/.changeset/tricky-mangos-prove.md deleted file mode 100644 index 43274066b..000000000 
--- a/.changeset/tricky-mangos-prove.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Add user-agent to CDP connections diff --git a/.changeset/upset-colts-enter.md b/.changeset/upset-colts-enter.md deleted file mode 100644 index 182ad84c6..000000000 --- a/.changeset/upset-colts-enter.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Improve error and warning message for legacy model format diff --git a/.changeset/wild-beds-retire.md b/.changeset/wild-beds-retire.md deleted file mode 100644 index 63989d385..000000000 --- a/.changeset/wild-beds-retire.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -Bump ai sdk & google provider version diff --git a/.changeset/yellow-mails-deny.md b/.changeset/yellow-mails-deny.md deleted file mode 100644 index 66b03d1c5..000000000 --- a/.changeset/yellow-mails-deny.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -fix issue where locator.fill() was not working on elements that require direct value setting diff --git a/.changeset/yummy-games-act.md b/.changeset/yummy-games-act.md deleted file mode 100644 index 31e965fc5..000000000 --- a/.changeset/yummy-games-act.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@browserbasehq/stagehand": patch ---- - -fix issue where screenshot mask was only being applied to the first element that the locator resolved to. masks now apply to all matching elements. diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md index af06144b3..c5c425cfb 100644 --- a/packages/core/CHANGELOG.md +++ b/packages/core/CHANGELOG.md 
@@ -1,5 +1,66 @@ # @browserbasehq/stagehand +## 3.1.0 + +### Minor Changes + +- [#1672](https://github.com/browserbase/stagehand/pull/1672) [`b65756e`](https://github.com/browserbase/stagehand/commit/b65756e9e85643055446aa4a51956f7d6627c89f) Thanks [@seanmcguire12](https://github.com/seanmcguire12)! - add boolean keepAlive parameter to allow for configuring whether the browser should be closed when stagehand.close() is called. + +- [#1611](https://github.com/browserbase/stagehand/pull/1611) [`8a3c066`](https://github.com/browserbase/stagehand/commit/8a3c06600a9ba98485db7e9ed5c3cc43ea180334) Thanks [@monadoid](https://github.com/monadoid)! - Using `mode` enum instead of old `cua` boolean in openapi spec + +### Patch Changes + +- [#1683](https://github.com/browserbase/stagehand/pull/1683) [`7584f3e`](https://github.com/browserbase/stagehand/commit/7584f3e92e60a557d2b3e0e0d2a2af04c3527523) Thanks [@seanmcguire12](https://github.com/seanmcguire12)! - fix: include shadow DOM in .count() & .nth() & support xpath predicates + +- [#1644](https://github.com/browserbase/stagehand/pull/1644) [`1e1c9c1`](https://github.com/browserbase/stagehand/commit/1e1c9c15773e49d5c3cd36021dbc1d23495c1bce) Thanks [@monadoid](https://github.com/monadoid)! - Fix unhandled CDP detaches by returning the original sendCDP promise + +- [#1647](https://github.com/browserbase/stagehand/pull/1647) [`ffd4b33`](https://github.com/browserbase/stagehand/commit/ffd4b335a873d0f4dcd76ea22d44f47919bf8e49) Thanks [@tkattkat](https://github.com/tkattkat)! - Fix [Agent] - Address bug causing issues with continuing a conversation from past messages in dom mode + +- [#1614](https://github.com/browserbase/stagehand/pull/1614) [`677bff5`](https://github.com/browserbase/stagehand/commit/677bff5834c879a2d95f7dbff918b8e1510516b3) Thanks [@miguelg719](https://github.com/miguelg719)! 
- Enforce - regex validation on act/observe for elementId + +- [#1666](https://github.com/browserbase/stagehand/pull/1666) [`101bcf2`](https://github.com/browserbase/stagehand/commit/101bcf2da8b527fd6ace6aa291ada5d0f2d90344) Thanks [@Kylejeong2](https://github.com/Kylejeong2)! - add support for codex models + +- [#1664](https://github.com/browserbase/stagehand/pull/1664) [`b27c04d`](https://github.com/browserbase/stagehand/commit/b27c04d278c290364347acd0c354a878ea9b7c2d) Thanks [@seanmcguire12](https://github.com/seanmcguire12)! - fixes issue with context.addInitScript() where scripts were not being applied to out of process iframes (OOPIFs), and popup pages with same process iframes (SPIFs) + +- [#1632](https://github.com/browserbase/stagehand/pull/1632) [`afbd08b`](https://github.com/browserbase/stagehand/commit/afbd08bb6367a9c9f65f67e453667987e4659918) Thanks [@pirate](https://github.com/pirate)! - Remove automatic `.env` loading via `dotenv`. + + If your app relies on `.env` files, install `dotenv` and load it explicitly in your code: + + ```ts + import dotenv from "dotenv"; + dotenv.config({ path: ".env" }); + ``` + +- [#1624](https://github.com/browserbase/stagehand/pull/1624) [`0e8d569`](https://github.com/browserbase/stagehand/commit/0e8d5695f662040f7384e64f46301152802e3c62) Thanks [@seanmcguire12](https://github.com/seanmcguire12)! - fix issue where screenshot masks were not being applied to dialog elements + +- [#1596](https://github.com/browserbase/stagehand/pull/1596) [`ff0f979`](https://github.com/browserbase/stagehand/commit/ff0f9795f3b2c1cf4f2610a80ebcb3341a24f987) Thanks [@tkattkat](https://github.com/tkattkat)! - Update usage/metrics handling in agent + +- [#1631](https://github.com/browserbase/stagehand/pull/1631) [`2d89d2b`](https://github.com/browserbase/stagehand/commit/2d89d2b35ce812431956b28e0c8b52d32ddc7a27) Thanks [@miguelg719](https://github.com/miguelg719)! 
- Add right and middle click support to act and observe + +- [#1613](https://github.com/browserbase/stagehand/pull/1613) [`aa4d981`](https://github.com/browserbase/stagehand/commit/aa4d981e440bdd0e3d3f42ccc310d5958aa25cc6) Thanks [@miguelg719](https://github.com/miguelg719)! - SupportedUnderstudyAction Enum validation for 'method' on act/observe inference + +- [#1652](https://github.com/browserbase/stagehand/pull/1652) [`18b1e3b`](https://github.com/browserbase/stagehand/commit/18b1e3bd2b16b721845d52fcf1a45c6158e2403f) Thanks [@miguelg719](https://github.com/miguelg719)! - Add support for gemini 3 flash and pro in hybrid/cua agent + +- [#1633](https://github.com/browserbase/stagehand/pull/1633) [`22e371a`](https://github.com/browserbase/stagehand/commit/22e371ae4c25deb6350328fe02832bf2b2197b94) Thanks [@tkattkat](https://github.com/tkattkat)! - Add warning when incorrect models are used with agents hybrid mode + +- [#1609](https://github.com/browserbase/stagehand/pull/1609) [`3f9ca4d`](https://github.com/browserbase/stagehand/commit/3f9ca4d9acc109101357378d29cf969168991608) Thanks [@miguelg719](https://github.com/miguelg719)! - Add SupportedUnderstudyActions to observe system prompt + +- [#1642](https://github.com/browserbase/stagehand/pull/1642) [`3673369`](https://github.com/browserbase/stagehand/commit/36733691f90c15386cf2a7b47d04ef429b7195ae) Thanks [@seanmcguire12](https://github.com/seanmcguire12)! - fix issue where scripts added via context.addInitScripts() were not being injected into new pages that were opened via popups (eg, clicking a link that opens a new page) and/or calling context.newPage(url) + +- [#1636](https://github.com/browserbase/stagehand/pull/1636) [`ea33052`](https://github.com/browserbase/stagehand/commit/ea330520a325583b71b87d85beb740df4bdb9b2d) Thanks [@miguelg719](https://github.com/miguelg719)! 
- Include executionModel on the AgentConfigSchema + +- [#1679](https://github.com/browserbase/stagehand/pull/1679) [`5764ede`](https://github.com/browserbase/stagehand/commit/5764edee7aab00ef1aafafb68fc56eb26c0a70b2) Thanks [@shrey150](https://github.com/shrey150)! - fix issue where locator.count() was not working with xpaths that have attribute predicates + +- [#1646](https://github.com/browserbase/stagehand/pull/1646) [`f09b184`](https://github.com/browserbase/stagehand/commit/f09b184cc5e774736280ae8c94ba3f4f13adda80) Thanks [@miguelg719](https://github.com/miguelg719)! - Add user-agent to CDP connections + +- [#1637](https://github.com/browserbase/stagehand/pull/1637) [`a7d29de`](https://github.com/browserbase/stagehand/commit/a7d29decee0f7d12e2437267b9eef1795d3b4e3a) Thanks [@miguelg719](https://github.com/miguelg719)! - Improve error and warning message for legacy model format + +- [#1685](https://github.com/browserbase/stagehand/pull/1685) [`d334399`](https://github.com/browserbase/stagehand/commit/d3343990041bf9cd5613569840afb0c17131e33c) Thanks [@tkattkat](https://github.com/tkattkat)! - Bump ai sdk & google provider version + +- [#1662](https://github.com/browserbase/stagehand/pull/1662) [`44416da`](https://github.com/browserbase/stagehand/commit/44416da7ff33301bb32d3811e6c3be8782a7d168) Thanks [@seanmcguire12](https://github.com/seanmcguire12)! - fix issue where locator.fill() was not working on elements that require direct value setting + +- [#1612](https://github.com/browserbase/stagehand/pull/1612) [`bdd8b4e`](https://github.com/browserbase/stagehand/commit/bdd8b4ee3c697a02728375510ab7fae764990576) Thanks [@seanmcguire12](https://github.com/seanmcguire12)! - fix issue where screenshot mask was only being applied to the first element that the locator resolved to. masks now apply to all matching elements. + ## 3.0.8 ### Patch Changes diff --git a/packages/core/package.json b/packages/core/package.json index fb23f5e64..c40e6c846 100644 
--- a/packages/core/package.json +++ b/packages/core/package.json @@ -1,6 +1,6 @@ { "name": "@browserbasehq/stagehand", - "version": "3.0.8", + "version": "3.1.0", "description": "An AI web browsing framework focused on simplicity and extensibility.", "type": "module", "main": "./dist/cjs/index.js", diff --git a/packages/evals/CHANGELOG.md b/packages/evals/CHANGELOG.md index 2bc3c959f..6e169cc63 100644 --- a/packages/evals/CHANGELOG.md +++ b/packages/evals/CHANGELOG.md 
@@ -1,5 +1,12 @@ # @browserbasehq/stagehand-evals +## 1.1.8 + +### Patch Changes + +- Updated dependencies [[`7584f3e`](https://github.com/browserbase/stagehand/commit/7584f3e92e60a557d2b3e0e0d2a2af04c3527523), [`1e1c9c1`](https://github.com/browserbase/stagehand/commit/1e1c9c15773e49d5c3cd36021dbc1d23495c1bce), [`ffd4b33`](https://github.com/browserbase/stagehand/commit/ffd4b335a873d0f4dcd76ea22d44f47919bf8e49), [`677bff5`](https://github.com/browserbase/stagehand/commit/677bff5834c879a2d95f7dbff918b8e1510516b3), [`101bcf2`](https://github.com/browserbase/stagehand/commit/101bcf2da8b527fd6ace6aa291ada5d0f2d90344), [`b27c04d`](https://github.com/browserbase/stagehand/commit/b27c04d278c290364347acd0c354a878ea9b7c2d), [`afbd08b`](https://github.com/browserbase/stagehand/commit/afbd08bb6367a9c9f65f67e453667987e4659918), [`0e8d569`](https://github.com/browserbase/stagehand/commit/0e8d5695f662040f7384e64f46301152802e3c62), [`ff0f979`](https://github.com/browserbase/stagehand/commit/ff0f9795f3b2c1cf4f2610a80ebcb3341a24f987), [`2d89d2b`](https://github.com/browserbase/stagehand/commit/2d89d2b35ce812431956b28e0c8b52d32ddc7a27), [`aa4d981`](https://github.com/browserbase/stagehand/commit/aa4d981e440bdd0e3d3f42ccc310d5958aa25cc6), [`18b1e3b`](https://github.com/browserbase/stagehand/commit/18b1e3bd2b16b721845d52fcf1a45c6158e2403f), [`b65756e`](https://github.com/browserbase/stagehand/commit/b65756e9e85643055446aa4a51956f7d6627c89f), [`22e371a`](https://github.com/browserbase/stagehand/commit/22e371ae4c25deb6350328fe02832bf2b2197b94), [`3f9ca4d`](https://github.com/browserbase/stagehand/commit/3f9ca4d9acc109101357378d29cf969168991608), [`8a3c066`](https://github.com/browserbase/stagehand/commit/8a3c06600a9ba98485db7e9ed5c3cc43ea180334), [`3673369`](https://github.com/browserbase/stagehand/commit/36733691f90c15386cf2a7b47d04ef429b7195ae), [`ea33052`](https://github.com/browserbase/stagehand/commit/ea330520a325583b71b87d85beb740df4bdb9b2d), 
[`5764ede`](https://github.com/browserbase/stagehand/commit/5764edee7aab00ef1aafafb68fc56eb26c0a70b2), [`f09b184`](https://github.com/browserbase/stagehand/commit/f09b184cc5e774736280ae8c94ba3f4f13adda80), [`a7d29de`](https://github.com/browserbase/stagehand/commit/a7d29decee0f7d12e2437267b9eef1795d3b4e3a), [`d334399`](https://github.com/browserbase/stagehand/commit/d3343990041bf9cd5613569840afb0c17131e33c), [`44416da`](https://github.com/browserbase/stagehand/commit/44416da7ff33301bb32d3811e6c3be8782a7d168), [`bdd8b4e`](https://github.com/browserbase/stagehand/commit/bdd8b4ee3c697a02728375510ab7fae764990576)]: + - @browserbasehq/stagehand@3.1.0 + ## 1.1.7 ### Patch Changes diff --git a/packages/evals/package.json b/packages/evals/package.json index 29eb35d75..bafa5263c 100644 --- a/packages/evals/package.json +++ b/packages/evals/package.json @@ -1,6 +1,6 @@ { "name": "@browserbasehq/stagehand-evals", - "version": "1.1.7", + "version": "1.1.8", "private": true, "description": "Evaluation suite for Stagehand", "type": "module", diff --git a/packages/server/CHANGELOG.md b/packages/server/CHANGELOG.md index 15d7d3bf2..86a9330f7 100644 --- a/packages/server/CHANGELOG.md +++ b/packages/server/CHANGELOG.md 
@@ -1,5 +1,22 @@ # @browserbasehq/stagehand-server +## 3.6.0 + +### Minor Changes + +- [#1611](https://github.com/browserbase/stagehand/pull/1611) [`8a3c066`](https://github.com/browserbase/stagehand/commit/8a3c06600a9ba98485db7e9ed5c3cc43ea180334) Thanks [@monadoid](https://github.com/monadoid)! - Using `mode` enum instead of old `cua` boolean in openapi spec + +### Patch Changes + +- [#1604](https://github.com/browserbase/stagehand/pull/1604) [`4753078`](https://github.com/browserbase/stagehand/commit/4753078cc9d37cbdb8d1a63dfdb53ccc4b4c2bd2) Thanks [@miguelg719](https://github.com/miguelg719)! - Enable bedrock + +- [#1636](https://github.com/browserbase/stagehand/pull/1636) [`ea33052`](https://github.com/browserbase/stagehand/commit/ea330520a325583b71b87d85beb740df4bdb9b2d) Thanks [@miguelg719](https://github.com/miguelg719)! - Include executionModel on the AgentConfigSchema + +- [#1602](https://github.com/browserbase/stagehand/pull/1602) [`22a0502`](https://github.com/browserbase/stagehand/commit/22a0502e8b042bef0cfafa32901984a8be9529d8) Thanks [@miguelg719](https://github.com/miguelg719)! 
- Include vertex as a supported provider + +- Updated dependencies [[`7584f3e`](https://github.com/browserbase/stagehand/commit/7584f3e92e60a557d2b3e0e0d2a2af04c3527523), [`1e1c9c1`](https://github.com/browserbase/stagehand/commit/1e1c9c15773e49d5c3cd36021dbc1d23495c1bce), [`ffd4b33`](https://github.com/browserbase/stagehand/commit/ffd4b335a873d0f4dcd76ea22d44f47919bf8e49), [`677bff5`](https://github.com/browserbase/stagehand/commit/677bff5834c879a2d95f7dbff918b8e1510516b3), [`101bcf2`](https://github.com/browserbase/stagehand/commit/101bcf2da8b527fd6ace6aa291ada5d0f2d90344), [`b27c04d`](https://github.com/browserbase/stagehand/commit/b27c04d278c290364347acd0c354a878ea9b7c2d), [`afbd08b`](https://github.com/browserbase/stagehand/commit/afbd08bb6367a9c9f65f67e453667987e4659918), [`0e8d569`](https://github.com/browserbase/stagehand/commit/0e8d5695f662040f7384e64f46301152802e3c62), [`ff0f979`](https://github.com/browserbase/stagehand/commit/ff0f9795f3b2c1cf4f2610a80ebcb3341a24f987), [`2d89d2b`](https://github.com/browserbase/stagehand/commit/2d89d2b35ce812431956b28e0c8b52d32ddc7a27), [`aa4d981`](https://github.com/browserbase/stagehand/commit/aa4d981e440bdd0e3d3f42ccc310d5958aa25cc6), [`18b1e3b`](https://github.com/browserbase/stagehand/commit/18b1e3bd2b16b721845d52fcf1a45c6158e2403f), [`b65756e`](https://github.com/browserbase/stagehand/commit/b65756e9e85643055446aa4a51956f7d6627c89f), [`22e371a`](https://github.com/browserbase/stagehand/commit/22e371ae4c25deb6350328fe02832bf2b2197b94), [`3f9ca4d`](https://github.com/browserbase/stagehand/commit/3f9ca4d9acc109101357378d29cf969168991608), [`8a3c066`](https://github.com/browserbase/stagehand/commit/8a3c06600a9ba98485db7e9ed5c3cc43ea180334), [`3673369`](https://github.com/browserbase/stagehand/commit/36733691f90c15386cf2a7b47d04ef429b7195ae), [`ea33052`](https://github.com/browserbase/stagehand/commit/ea330520a325583b71b87d85beb740df4bdb9b2d), 
[`5764ede`](https://github.com/browserbase/stagehand/commit/5764edee7aab00ef1aafafb68fc56eb26c0a70b2), [`f09b184`](https://github.com/browserbase/stagehand/commit/f09b184cc5e774736280ae8c94ba3f4f13adda80), [`a7d29de`](https://github.com/browserbase/stagehand/commit/a7d29decee0f7d12e2437267b9eef1795d3b4e3a), [`d334399`](https://github.com/browserbase/stagehand/commit/d3343990041bf9cd5613569840afb0c17131e33c), [`44416da`](https://github.com/browserbase/stagehand/commit/44416da7ff33301bb32d3811e6c3be8782a7d168), [`bdd8b4e`](https://github.com/browserbase/stagehand/commit/bdd8b4ee3c697a02728375510ab7fae764990576)]: + - @browserbasehq/stagehand@3.1.0 + ## 3.5.0 ### Minor Changes diff --git a/packages/server/package.json b/packages/server/package.json index 8bc537a72..6775263fc 100644 --- a/packages/server/package.json +++ b/packages/server/package.json @@ -1,6 +1,6 @@ { "name": "@browserbasehq/stagehand-server", - "version": "3.5.0", + "version": "3.6.0", "description": "Stagehand API server", "type": "module", "private": true, From 6e2291caa3f638b7a3e132c85475cbef88798b74 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 18 Feb 2026 13:41:55 -0500 Subject: [PATCH 06/22] Create webpack.yml --- .github/workflows/webpack.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/webpack.yml diff --git a/.github/workflows/webpack.yml b/.github/workflows/webpack.yml new file mode 100644 index 000000000..9626ff6d3 --- /dev/null +++ b/.github/workflows/webpack.yml @@ -0,0 +1,28 @@ +name: NodeJS with Webpack + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build: + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [18.x, 20.x, 22.x] + + steps: + - uses: actions/checkout@v4 + + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + node-version: ${{ matrix.node-version }} + + - name: Build + run: | + npm install + npx webpack 
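Review bot: The `build` job in .github/workflows/webpack.yml has no `permissions:` block, so on `push` and `pull_request` the GITHUB_TOKEN carries whatever the repository default grants while `npm install` and `npx webpack` run project and dependency code. A top-level `permissions:` with `contents: read`, as deno.yml in this series already sets, keeps the token read-only; node.js.yml later in the series is missing the same block. The build step also uses `npm install`, which can re-resolve versions rather than install from a lockfile. Since this series touches `pnpm-lock.yaml`, the repository appears to be pnpm-managed, so a frozen install with the project's own package manager (for pnpm, `pnpm install --frozen-lockfile`) would make the build reproducible.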
From f813410401f0e5eb2d36e1f6ba5b4e51e4986aba Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 18 Feb 2026 13:42:16 -0500 Subject: [PATCH 07/22] Create deno.yml --- .github/workflows/deno.yml | 42 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/deno.yml diff --git a/.github/workflows/deno.yml b/.github/workflows/deno.yml new file mode 100644 index 000000000..782af35b4 --- /dev/null +++ b/.github/workflows/deno.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will install Deno then run `deno lint` and `deno test`. +# For more information see: https://github.com/denoland/setup-deno + +name: Deno + +on: + push: + branches: ["main"] + pull_request: + branches: ["main"] + +permissions: + contents: read + +jobs: + test: + runs-on: ubuntu-latest + + steps: + - name: Setup repo + uses: actions/checkout@v4 + + - name: Setup Deno + # uses: denoland/setup-deno@v1 + uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 # v1.1.2 + with: + deno-version: v1.x + + # Uncomment this step to verify the use of 'deno fmt' on each commit. + # - name: Verify formatting + # run: deno fmt --check + + - name: Run linter + run: deno lint + + - name: Run tests + run: deno test -A From 946a6916b7465607f25ee9b073f8e7acabd6088d Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 18 Feb 2026 13:42:39 -0500 Subject: [PATCH 08/22] Create nextjs.yml --- .github/workflows/nextjs.yml | 93 ++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 .github/workflows/nextjs.yml diff --git a/.github/workflows/nextjs.yml b/.github/workflows/nextjs.yml new file mode 100644 index 000000000..ed7473670 --- /dev/null +++ b/.github/workflows/nextjs.yml 
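Review bot: The last step of .github/workflows/deno.yml runs `deno test -A`, which switches off Deno's permission sandbox for code that also runs on `pull_request`. Listing only what the tests need, for example `deno test --allow-read --allow-env`, keeps network and subprocess access denied by default; the exact flags depend on the test suite, which is not visible here. `actions/checkout@v4` is pinned by tag while `denoland/setup-deno` in the same job is pinned by commit SHA, and pinning both the same way would be consistent.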
@@ -0,0 +1,93 @@ +# Sample workflow for building and deploying a Next.js site to GitHub Pages +# +# To get started with Next.js see: https://nextjs.org/docs/getting-started +# +name: Deploy Next.js site to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: ["main"] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: "pages" + cancel-in-progress: false + +jobs: + # Build job + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Detect package manager + id: detect-package-manager + run: | + if [ -f "${{ github.workspace }}/yarn.lock" ]; then + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT + echo "runner=yarn" >> $GITHUB_OUTPUT + exit 0 + elif [ -f "${{ github.workspace }}/package.json" ]; then + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT + echo "runner=npx --no-install" >> $GITHUB_OUTPUT + exit 0 + else + echo "Unable to determine package manager" + exit 1 + fi + - name: Setup Node + uses: actions/setup-node@v4 + with: + node-version: "20" + cache: ${{ steps.detect-package-manager.outputs.manager }} + - name: Setup Pages + uses: actions/configure-pages@v5 + with: + # Automatically inject basePath in your Next.js configuration file and disable + # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized). + # + # You may remove this line if you want to manage the configuration yourself. 
+ static_site_generator: next + - name: Restore cache + uses: actions/cache@v4 + with: + path: | + .next/cache + # Generate a new cache whenever packages or source files change. + key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }} + # If source files changed but packages didn't, rebuild from a prior cache. + restore-keys: | + ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}- + - name: Install dependencies + run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} + - name: Build with Next.js + run: ${{ steps.detect-package-manager.outputs.runner }} next build + - name: Upload artifact + uses: actions/upload-pages-artifact@v3 + with: + path: ./out + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v4 From 4b6cb3d18ec72ac25ad793e5999500bfed010759 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 18 Feb 2026 13:52:05 -0500 Subject: [PATCH 09/22] Potential fix for code scanning alert no. 19: Incomplete URL substring sanitization Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- packages/core/examples/actionable_observe_example.ts | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/packages/core/examples/actionable_observe_example.ts b/packages/core/examples/actionable_observe_example.ts index 2c2ce8d7f..4bda3692e 100644 --- a/packages/core/examples/actionable_observe_example.ts +++ b/packages/core/examples/actionable_observe_example.ts 
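Review bot: In .github/workflows/nextjs.yml `pages: write` and `id-token: write` are granted at workflow level, so the `build` job, which runs the package manager install and `next build` (and with them dependency scripts), holds the deployment and OIDC permissions it never uses. Keeping only `contents: read` in the top-level `permissions:` and adding a `permissions:` block with `pages: write` and `id-token: write` to the `deploy` job limits those scopes to the one step that calls `actions/deploy-pages@v4`. A short comment on the `deploy` job saying why `id-token: write` is needed would help the next reader.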
@@ -60,10 +60,15 @@ async function example() { const currentUrl = page.url(); await stagehand.close(); + + const expectedUrl = new URL( + "https://www.apartments.com/apartments/san-francisco-ca/min-1-bedrooms-pet-friendly-dog/", + ); + const actualUrl = new URL(currentUrl); + if ( - currentUrl.includes( - "https://www.apartments.com/apartments/san-francisco-ca/min-1-bedrooms-pet-friendly-dog/", - ) + actualUrl.origin === expectedUrl.origin && + actualUrl.pathname === expectedUrl.pathname ) { console.log("✅ Success! we made it to the correct page"); } else { From 65b9e76d15824aa0ba75ecca1faa67200e573aa4 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 18 Feb 2026 13:54:36 -0500 Subject: [PATCH 10/22] Potential fix for code scanning alert no. 20: Incomplete URL substring sanitization Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- packages/evals/tasks/agent/steam_games.ts | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/packages/evals/tasks/agent/steam_games.ts b/packages/evals/tasks/agent/steam_games.ts index 12a859812..6b515a6b3 100644 --- a/packages/evals/tasks/agent/steam_games.ts +++ b/packages/evals/tasks/agent/steam_games.ts @@ -18,7 +18,14 @@ export const steam_games: EvalFunction = async ({ }); //strictly used url check and no extract as the top games / players can vary - const success = page.url().includes("https://store.steampowered.com/"); + const currentUrl = page.url(); + let success = false; + try { + const parsed = new URL(currentUrl); + success = parsed.hostname === "store.steampowered.com"; + } catch { + success = false; + } if (!success) { return { From c3d33b3f3b4543347b8a8e8d79c281173b3fbb1c Mon Sep 17 00:00:00 2001 
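Review bot: In packages/core/examples/actionable_observe_example.ts `new URL(currentUrl)` is called outside any `try`, so an unparsable value throws a TypeError instead of reaching the failure branch. The steam_games.ts and ubereats.ts fixes in this series wrap the parse in `try`/`catch`, and trivago.ts has the same unguarded call. The check also moved from a substring match to `actualUrl.pathname === expectedUrl.pathname`, so a URL with an extra segment after the expected path, which the old `includes` accepted, now takes the `else` branch. If that tolerance is wanted, `actualUrl.pathname.startsWith(expectedUrl.pathname)` keeps it while the origin is still compared exactly. The body of `example()` starts and ends outside the hunk.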
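Review bot: The new check in packages/evals/tasks/agent/steam_games.ts compares only `parsed.hostname`, so the `https://` requirement carried by the old prefix string is dropped and an `http://store.steampowered.com/` URL now counts as success. Comparing the origin, as the ubereats.ts fix in this series does, keeps the scheme in the check: `success = parsed.origin === "https://store.steampowered.com";`. The `success = false;` inside the `catch` repeats the initializer and can be replaced by a comment saying that an unparsable URL is treated as failure. The eval function starts and ends outside the hunk.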
From: Tanker187 Date: Wed, 18 Feb 2026 13:56:06 -0500 Subject: [PATCH 11/22] Potential fix for code scanning alert no. 21: Incomplete URL substring sanitization Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- packages/evals/tasks/agent/trivago.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/evals/tasks/agent/trivago.ts b/packages/evals/tasks/agent/trivago.ts index 7248a4081..b3adbbbbd 100644 --- a/packages/evals/tasks/agent/trivago.ts +++ b/packages/evals/tasks/agent/trivago.ts @@ -19,10 +19,11 @@ export const trivago: EvalFunction = async ({ logger.log(agentResult); const url = page.url(); + const parsedUrl = new URL(url); if ( - url.includes("hotel-h10-tribeca-madrid") && - url.includes("trivago.com") + parsedUrl.hostname === "www.trivago.com" && + url.includes("hotel-h10-tribeca-madrid") ) { return { _success: true, From 274551f8f45b810b0a696590ef9e3113da6d76a3 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 18 Feb 2026 13:57:01 -0500 Subject: [PATCH 12/22] Potential fix for code scanning alert no. 22: Incomplete URL substring sanitization Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- packages/evals/tasks/agent/ubereats.ts | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/packages/evals/tasks/agent/ubereats.ts b/packages/evals/tasks/agent/ubereats.ts index 8876d5987..5038990b3 100644 --- a/packages/evals/tasks/agent/ubereats.ts +++ b/packages/evals/tasks/agent/ubereats.ts 
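Review bot: The host test in packages/evals/tasks/agent/trivago.ts went from `url.includes("trivago.com")` to `parsedUrl.hostname === "www.trivago.com"`, which now rejects the bare `trivago.com` host and every other subdomain the old check accepted. If those are valid landing hosts, `parsedUrl.hostname === "trivago.com" || parsedUrl.hostname.endsWith(".trivago.com")` keeps the match anchored to the domain without reverting to a substring test. The slug test still runs against the whole URL string, so `hotel-h10-tribeca-madrid` appearing only in a query parameter satisfies it; `parsedUrl.pathname.includes("hotel-h10-tribeca-madrid")` ties it to the path. The function's return paths are only partly visible in the hunk.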
@@ -23,8 +23,16 @@ export const ubereats: EvalFunction = async ({ question: "Did the agent make it to the login page?", }); - const success = - evaluation === "YES" && page.url().includes("https://auth.uber.com/"); + const currentUrl = page.url(); + let isAuthDomain = false; + try { + const parsedUrl = new URL(currentUrl); + isAuthDomain = parsedUrl.origin === "https://auth.uber.com"; + } catch { + isAuthDomain = false; + } + + const success = evaluation === "YES" && isAuthDomain; if (!success) { return { _success: false, From 69c366fadaa5be4d039ddd47b22922903bd1800b Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 18 Feb 2026 13:58:17 -0500 Subject: [PATCH 13/22] Potential fix for code scanning alert no. 23: Incomplete URL substring sanitization Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- packages/server/test/integration/v3/navigate.test.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/server/test/integration/v3/navigate.test.ts b/packages/server/test/integration/v3/navigate.test.ts index 0e4c74339..e393ac0b1 100644 --- a/packages/server/test/integration/v3/navigate.test.ts +++ b/packages/server/test/integration/v3/navigate.test.ts @@ -71,9 +71,10 @@ describe("POST /v1/sessions/:id/navigate (V3)", () => { .waitForURL("**example.com**", { timeout: 15_000 }) .catch(() => {}); const pageUrl = page.url(); + const parsedUrl = new URL(pageUrl); assert.ok( - pageUrl.includes("example.com"), - `Page URL should be example.com, got: ${pageUrl}`, + parsedUrl.hostname === "example.com", + `Page hostname should be example.com, got: ${parsedUrl.hostname} (full URL: ${pageUrl})`, ); await browser.close(); }); From f3bb06484c842754d36927a67fa80bf5afe6493f Mon Sep 17 00:00:00 2001 
From: Tanker187 Date: Wed, 18 Feb 2026 13:59:44 -0500 Subject: [PATCH 14/22] Potential fix for code scanning alert no. 24: Incomplete multi-character sanitization Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- packages/docs/scripts/sync-sdk-docs.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/packages/docs/scripts/sync-sdk-docs.js b/packages/docs/scripts/sync-sdk-docs.js index 8fb56fe2d..0931dd8bc 100644 --- a/packages/docs/scripts/sync-sdk-docs.js +++ b/packages/docs/scripts/sync-sdk-docs.js @@ -80,7 +80,13 @@ function processReadmeContent(content, config) { let processed = content; // Remove HTML comments - processed = processed.replace(//g, ''); + { + let previous; + do { + previous = processed; + processed = processed.replace(//g, ''); + } while (processed !== previous); + } // Remove entire HTML blocks with picture/source tags (badge sections) processed = processed.replace(/]*>[\s\S]*?<\/div>/gi, ''); From 61cd94b2e076e96f70e4c64979df371d02d43366 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 18 Feb 2026 14:11:35 -0500 Subject: [PATCH 15/22] Create index.ts --- index.ts | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 index.ts diff --git a/index.ts b/index.ts new file mode 100644 index 000000000..1de1884a3 --- /dev/null +++ b/index.ts @@ -0,0 +1,7 @@ +import { generateText } from 'ai'; + +const { text } = await generateText({ + model: 'anthropic/claude-sonnet-4.5', + prompt: 'What is the capital of France?', +}); + From d02d7ef2ec805c7856792b991321fd6cab2bbcbf Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 18 Feb 2026 14:17:19 -0500 Subject: [PATCH 16/22] Create node.js.yml --- .github/workflows/node.js.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/node.js.yml 
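Review bot: In packages/docs/scripts/sync-sdk-docs.js the repeat-until-stable loop is applied only to the comment-stripping `replace`, while the `<div>` block removal on the line right after it is still a single pass and can leave a tag that reassembles from the text around a removed match. `processReadmeContent` continues outside the hunk, so later `replace` calls may have the same shape. If the processed README is rendered as HTML or MDX, a new small helper that runs a pattern to a fixed point, called as `processed = replaceUntilStable(processed, pattern, '')`, would cover all of them. A one-line comment on the loop, `// repeat: removing one match can expose a new one`, would explain the bare block. The regex literals are garbled in this rendering of the patch, so the exact patterns should be checked against the file.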
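Review bot: The new root-level index.ts destructures `text` from `generateText` and never reads it, and the top-level `await` issues a model call as soon as the module is loaded. If this is meant as a sample, it would presumably fit better next to the other example files, with a header comment stating which credentials or environment variables it expects and a `console.log(text);` so the result is visible. If it is scaffolding left over from setup, it can be dropped from the series.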
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml new file mode 100644 index 000000000..2284b9357 --- /dev/null +++ b/.github/workflows/node.js.yml @@ -0,0 +1,31 @@ +# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs + +name: Node.js CI + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build: + + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [18.x, 20.x, 22.x] + # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ + + steps: + - uses: actions/checkout@v4 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + node-version: ${{ matrix.node-version }} + cache: 'npm' + - run: npm ci + - run: npm run build --if-present + - run: npm test From 753e3ae180c817acd284f3b2f3cc4e6fcaf8557c Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 18 Feb 2026 14:19:13 -0500 Subject: [PATCH 17/22] Create npm-publish.yml --- .github/workflows/npm-publish.yml | 33 +++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/npm-publish.yml diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml new file mode 100644 index 000000000..2a4766d38 --- /dev/null +++ b/.github/workflows/npm-publish.yml 
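Review bot: In .github/workflows/node.js.yml `cache: 'npm'` and `npm ci` both depend on an npm lockfile, but the only lockfile this series touches is `pnpm-lock.yaml`. If the repository has no `package-lock.json`, the `setup-node` cache lookup and `npm ci` will fail on every matrix entry. Installing with the project's package manager (for pnpm, `cache: 'pnpm'` and `pnpm install --frozen-lockfile`, after a step that makes pnpm available on the runner) would install exactly the locked versions.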
@@ -0,0 +1,33 @@ +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + - run: npm ci + - run: npm test + + publish-npm: + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + registry-url: https://registry.npmjs.org/ + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.npm_token}} From 16246f3e902b838513c3f4b3100dbd2e8e2ab005 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Feb 2026 19:34:20 +0000 Subject: [PATCH 18/22] Bump @modelcontextprotocol/sdk from 1.17.2 to 1.26.0 Bumps [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) from 1.17.2 to 1.26.0. - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](https://github.com/modelcontextprotocol/typescript-sdk/compare/1.17.2...v1.26.0) --- updated-dependencies: - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.26.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- packages/core/package.json | 2 +- pnpm-lock.yaml | 511 ++++++++++++++++++++++++++----------- 2 files changed, 370 insertions(+), 143 deletions(-) diff --git a/packages/core/package.json b/packages/core/package.json index c40e6c846..7bdfd2d2c 100644 --- a/packages/core/package.json +++ b/packages/core/package.json 
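Review bot: The `publish-npm` job in .github/workflows/npm-publish.yml publishes with a long-lived `NODE_AUTH_TOKEN` and declares no `permissions:`, so the published tarball carries no provenance attestation tying it to this workflow run and the job's GITHUB_TOKEN keeps the repository default scope. Giving the job `contents: read` plus `id-token: write` and publishing with `npm publish --provenance` lets consumers verify where the package was built. The header comment says the package goes to GitHub Packages while `registry-url` points at `https://registry.npmjs.org/`; one of the two should be corrected. The trigger uses `types: [created]`, and whether `published` is the intended release event should be confirmed.

```yaml
  publish-npm:
    # … unchanged: needs, runs-on …
    permissions:
      contents: read
      # required so npm can request the OIDC token used for provenance
      id-token: write
    steps:
      # … unchanged: checkout, setup-node, npm ci …
      - run: npm publish --provenance
        # … unchanged: env with NODE_AUTH_TOKEN …
```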
@@ -61,7 +61,7 @@ "@browserbasehq/sdk": "^2.4.0", "@google/genai": "^1.22.0", "@langchain/openai": "^0.4.4", - "@modelcontextprotocol/sdk": "^1.17.2", + "@modelcontextprotocol/sdk": "^1.26.0", "ai": "^5.0.133", "devtools-protocol": "^0.0.1464554", "fetch-cookie": "^3.1.0", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index ea8f2ff9b..7652f04b1 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -70,13 +70,13 @@ importers: version: 2.5.0 '@google/genai': specifier: ^1.22.0 - version: 1.24.0(@modelcontextprotocol/sdk@1.17.2)(bufferutil@4.0.9) + version: 1.24.0(@modelcontextprotocol/sdk@1.26.0(@cfworker/json-schema@4.1.1)(zod@4.2.1))(bufferutil@4.0.9) '@langchain/openai': specifier: ^0.4.4 version: 0.4.9(@langchain/core@0.3.50(openai@4.96.2(ws@8.18.3(bufferutil@4.0.9))(zod@4.2.1)))(ws@8.18.3(bufferutil@4.0.9)) '@modelcontextprotocol/sdk': - specifier: ^1.17.2 - version: 1.17.2 + specifier: ^1.26.0 + version: 1.26.0(@cfworker/json-schema@4.1.1)(zod@4.2.1) ai: specifier: ^5.0.133 version: 5.0.133(zod@4.2.1) @@ -1043,6 +1043,12 @@ packages: '@modelcontextprotocol/sdk': optional: true + '@hono/node-server@1.19.9': + resolution: {integrity: sha512-vHL6w3ecZsky+8P5MD+eFfaGTyCeOHUIFYMGpQGbrBTSmNNoxv0if69rEZ5giu36weC5saFuznL411gRX7bJDw==} + engines: {node: '>=18.14.1'} + peerDependencies: + hono: ^4 + '@humanfs/core@0.19.1': resolution: {integrity: sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==} engines: {node: '>=18.18.0'} 
@@ -1561,9 +1567,15 @@ packages: '@mintlify/validation@0.1.442': resolution: {integrity: sha512-s99u9Kv92nGjUvkdMpi7Mks+B8sG3t30p/8NppS04GngqlE16VDXp8z3qHhWUTJnjJFJZCyraz8zzWaonhWykA==} - '@modelcontextprotocol/sdk@1.17.2': - resolution: {integrity: sha512-EFLRNXR/ixpXQWu6/3Cu30ndDFIFNaqUXcTqsGebujeMan9FzhAaFFswLRiFj61rgygDRr8WO1N+UijjgRxX9g==} + '@modelcontextprotocol/sdk@1.26.0': + resolution: {integrity: sha512-Y5RmPncpiDtTXDbLKswIJzTqu2hyBKxTNsgKqKclDbhIgg1wgtf1fRuvxgTnRfcnxtvvgbIEcqUOzZrJ6iSReg==} engines: {node: '>=18'} + peerDependencies: + '@cfworker/json-schema': ^4.1.1 + zod: ^3.25 || ^4.0 + peerDependenciesMeta: + '@cfworker/json-schema': + optional: true '@next/env@14.2.28': resolution: {integrity: sha512-PAmWhJfJQlP+kxZwCjrVd9QnR5x0R3u0mTXTiZDgSd4h5LdXmjxCCWbN9kq6hkZBOax8Rm3xDW5HagWyJuT37g==} @@ -2176,8 +2188,8 @@ packages: ajv@6.12.6: resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==} - ajv@8.17.1: - resolution: {integrity: sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==} + ajv@8.18.0: + resolution: {integrity: sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==} ansi-colors@4.1.3: resolution: {integrity: sha512-/6w/C21Pm1A7aZitlI5Ni/2J6FFQN8i1Cvz3kHABAAbw93v/NlvKdVOqz7CCWz/3iv/JplRSEEZ83XION15ovw==} 
@@ -2367,8 +2379,12 @@ packages: resolution: {integrity: sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==} engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16} - body-parser@2.2.0: - resolution: {integrity: sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg==} + body-parser@1.20.4: + resolution: {integrity: sha512-ZTgYYLMOXY9qKU/57FAo8F+HA2dGX7bqGc71txDRC1rS4frdFI5R7NhluHxH6M0YItAP0sHB4uqAOcYKxO6uGA==} + engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16} + + body-parser@2.2.2: + resolution: {integrity: sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==} engines: {node: '>=18'} brace-expansion@1.1.11: @@ -2590,9 +2606,9 @@ packages: resolution: {integrity: sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==} engines: {node: '>= 0.6'} - content-disposition@1.0.0: - resolution: {integrity: sha512-Au9nRL8VNUut/XSzbQA38+M78dzP4D+eqg3gfJHMIHHYa3bg067xj1KxMUWj+VULbiZMowKngFFbKczUrNJ1mg==} - engines: {node: '>= 0.6'} + content-disposition@1.0.1: + resolution: {integrity: sha512-oIXISMynqSqm241k6kcQ5UwttDILMK4BiurCfGEREw6+X9jkkpEe5T9FZaApyLGGOnFuyMWZpdolTXMtvEJ08Q==} + engines: {node: '>=18'} content-type@1.0.5: resolution: {integrity: sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==} @@ -2608,6 +2624,9 @@ packages: cookie-signature@1.0.6: resolution: {integrity: sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==} + cookie-signature@1.0.7: + resolution: {integrity: sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==} + cookie-signature@1.2.2: resolution: {integrity: sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==} engines: {node: '>=6.6.0'} 
@@ -2628,6 +2647,10 @@ packages: resolution: {integrity: sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==} engines: {node: '>= 0.10'} + cors@2.8.6: + resolution: {integrity: sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==} + engines: {node: '>= 0.10'} + cosmiconfig@9.0.0: resolution: {integrity: sha512-itvL5h8RETACmOTFc4UfIyB2RfEHi71Ax6E/PivVxq9NseKbOWpeyHEOIbmAw1rs8Ak0VursQNww7lf7YtUwzg==} engines: {node: '>=14'} @@ -3066,10 +3089,6 @@ packages: resolution: {integrity: sha512-v0eOBUbiaFojBu2s2NPBfYUoRR9GjcDNvCXVaqEf5vVfpIAh9f8RCo4vXTP8c63QRKCFwoLpMpTdPwwhEKVgzA==} engines: {node: '>=14.18'} - eventsource-parser@3.0.3: - resolution: {integrity: sha512-nVpZkTMM9rF6AQ9gPJpFsNAMt48wIzB5TQgiTLdHiuO8XEDhUgZEhqKlZWXbIzo9VmJ/HvysHqEaVeD5v9TPvA==} - engines: {node: '>=20.0.0'} - eventsource-parser@3.0.6: resolution: {integrity: sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg==} engines: {node: '>=18.0.0'} @@ -3082,8 +3101,8 @@ packages: resolution: {integrity: sha512-JhFGDVJ7tmDJItKhYgJCGLOWjuK9vPxiXoUFLwLDc99NlmklilbiQJwoctZtt13+xMw91MCk/REan6MWHqDjyA==} engines: {node: '>=12.0.0'} - express-rate-limit@7.5.1: - resolution: {integrity: sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==} + express-rate-limit@8.2.1: + resolution: {integrity: sha512-PCZEIEIxqwhzw4KF0n7QF4QqruVTcF73O5kFKUnGOyjbCCgizBBiFaYpd/fnBLUMPw/BWw9OsiN7GgrNYr7j6g==} engines: {node: '>= 16'} peerDependencies: express: '>= 4.11' 
@@ -3092,8 +3111,12 @@ packages: resolution: {integrity: sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==} engines: {node: '>= 0.10.0'} - express@5.1.0: - resolution: {integrity: sha512-DT9ck5YIRU+8GYzzU5kT3eHGA5iL+1Zd0EutOmTE9Dtk+Tvuzd23VBU+ec7HPNSTxXYO55gPV/hq4pSBJDjFpA==} + express@4.22.1: + resolution: {integrity: sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==} + engines: {node: '>= 0.10.0'} + + express@5.2.1: + resolution: {integrity: sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==} engines: {node: '>= 18'} extend-shallow@2.0.1: @@ -3156,6 +3179,9 @@ packages: fast-uri@3.0.6: resolution: {integrity: sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw==} + fast-uri@3.1.0: + resolution: {integrity: sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==} + fastify-metrics@12.1.0: resolution: {integrity: sha512-EpbT+W1jm8kMbkCPvfW4j23y3BZlXGOcO6+75EFTKDxbJIyXbldrFIoVoP0oD4CsqrKeIARvrOjbZNqK5MdRwQ==} peerDependencies: @@ -3225,10 +3251,14 @@ packages: resolution: {integrity: sha512-6BN9trH7bp3qvnrRyzsBz+g3lZxTNZTbVO2EV1CS0WIcDbawYVdYvGflME/9QP0h0pYlCDBCTjYa9nZzMDpyxQ==} engines: {node: '>= 0.8'} - finalhandler@2.1.0: - resolution: {integrity: sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q==} + finalhandler@1.3.2: + resolution: {integrity: sha512-aA4RyPcd3badbdABGDuTXCMTtOneUCAYH/gxoYRTZlIJdF0YPWuGqiAsIrhNnnqdXGswYk6dGujem4w80UJFhg==} engines: {node: '>= 0.8'} + finalhandler@2.1.1: + resolution: {integrity: sha512-S8KoZgRZN+a5rNwqTxlZZePjT/4cnm0ROV70LedRHZ0p8u9fRID0hJUZQpkKLzro8LfmC8sx23bY6tVNxv8pQA==} + engines: {node: '>= 18.0.0'} + find-my-way@9.3.0: resolution: {integrity: sha512-eRoFWQw+Yv2tuYlK2pjFS2jGXSxSppAs3hSQjfxVKxM5amECzIgYYc1FEI8ZmhSh/Ig+FrKEz43NLRKJjYCZVg==} engines: {node: '>=20'} 
@@ -3558,6 +3588,10 @@ packages: help-me@5.0.0: resolution: {integrity: sha512-7xgomUX6ADmcYzFik0HzAxh/73YlKR9bmFzf51CZwR+b6YtzU2m0u49hQCqV6SvlqIqsaxovfwdvbnsw3b/zpg==} + hono@4.11.10: + resolution: {integrity: sha512-kyWP5PAiMooEvGrA9jcD3IXF7ATu8+o7B3KCbPXid5se52NPqnOpM/r9qeW2heMnOekF4kqR1fXJqCYeCLKrZg==} + engines: {node: '>=16.9.0'} + html-encoding-sniffer@4.0.0: resolution: {integrity: sha512-Y22oTqIU4uuPgEemfz7NDJz6OeKf12Lsu+QC+s3BVpda64lTiMYCyGwg5ki4vFxkMwQdeZDl2adZoqUgdFuTgQ==} engines: {node: '>=18'} @@ -3575,6 +3609,10 @@ packages: resolution: {integrity: sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==} engines: {node: '>= 0.8'} + http-errors@2.0.1: + resolution: {integrity: sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==} + engines: {node: '>= 0.8'} + http-proxy-agent@7.0.2: resolution: {integrity: sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==} engines: {node: '>= 14'} @@ -3605,6 +3643,10 @@ packages: resolution: {integrity: sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==} engines: {node: '>=0.10.0'} + iconv-lite@0.7.2: + resolution: {integrity: sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==} + engines: {node: '>=0.10.0'} + ieee754@1.2.1: resolution: {integrity: sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==} 
@@ -3666,6 +3708,10 @@ packages: resolution: {integrity: sha512-4gd7VpWNQNB4UKKCFFVcp1AVv+FMOgs9NKzjHKusc8jTMhd5eL1NqQqOpE0KzMds804/yHlglp3uxgluOqAPLw==} engines: {node: '>= 0.4'} + ip-address@10.0.1: + resolution: {integrity: sha512-NWv9YLW4PoW2B7xtzaS3NCot75m6nK7Icdv0o3lfMceJVRfSoQwqD4wEH5rLwoKJwUiZ/rfpiVBhnaF0FK4HoA==} + engines: {node: '>= 12'} + ip-address@9.0.5: resolution: {integrity: sha512-zHtQzGojZXTwZTHQqra+ETKd4Sn3vgi7uBmlPoXVWZqYvuKmtI0l/VZTjqGmJY9x88GGOaZ9+G9ES8hC4T4X8g==} engines: {node: '>= 12'} @@ -3889,6 +3935,9 @@ packages: resolution: {integrity: sha512-/imKNG4EbWNrVjoNC/1H5/9GFy+tqjGBHCaSsN+P2RnPqjsLmv6UD3Ej+Kj8nBWaRAwyk7kK5ZUc+OEatnTR3A==} hasBin: true + jose@6.1.3: + resolution: {integrity: sha512-0TpaTfihd4QMNwrz/ob2Bp7X04yuxJkjRGi4aKmOqwhov54i6u79oCv7T+C7lo70MKH6BesI3vscD1yb/yzKXQ==} + joycon@3.1.1: resolution: {integrity: sha512-34wB/Y7MW7bzjKRjUKTa46I2Z7eV62Rkhva+KkopW7Qvv/OSWBqvkSY7vusOPrNuZcUG3tApvdVgNB8POj3SPw==} engines: {node: '>=10'} @@ -3948,6 +3997,9 @@ packages: json-schema-traverse@1.0.0: resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==} + json-schema-typed@8.0.2: + resolution: {integrity: sha512-fQhoXdcvc3V28x7C7BMs4P5+kNlgUURe2jmUT1T//oBRMDrqy1QPelJimwZGo7Hg9VPV3EQV5Bnq4hbFy2vetA==} + json-schema@0.4.0: resolution: {integrity: sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==} 
@@ -4304,9 +4356,9 @@ packages: resolution: {integrity: sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==} engines: {node: '>= 0.6'} - mime-types@3.0.1: - resolution: {integrity: sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==} - engines: {node: '>= 0.6'} + mime-types@3.0.2: + resolution: {integrity: sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==} + engines: {node: '>=18'} mime@1.6.0: resolution: {integrity: sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==} @@ -4701,9 +4753,8 @@ packages: path-to-regexp@0.1.12: resolution: {integrity: sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==} - path-to-regexp@8.2.0: - resolution: {integrity: sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ==} - engines: {node: '>=16'} + path-to-regexp@8.3.0: + resolution: {integrity: sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==} path-type@4.0.0: resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==} @@ -4764,8 +4815,8 @@ packages: resolution: {integrity: sha512-TfySrs/5nm8fQJDcBDuUng3VOUKsd7S+zqvbOTiGXHfxX4wK31ard+hoNuvkicM/2YFzlpDgABOevKSsB4G/FA==} engines: {node: '>= 6'} - pkce-challenge@5.0.0: - resolution: {integrity: sha512-ueGLflrrnvwB3xuo/uGob5pd5FN7l0MsLf0Z87o/UQmRtwjvfylfc9MurIxRAWywCYTgrvpXBcqjV4OfCYGCIQ==} + pkce-challenge@5.0.1: + resolution: {integrity: sha512-wQ0b/W4Fr01qtpHlqSqspcj3EhBvimsdh0KlHhH8HRZnMsEa0ea2fTULOXOS9ccQr3om+GcGRk4e+isrZWV8qQ==} engines: {node: '>=16.20.0'} playwright-core@1.52.0: 
@@ -4924,8 +4975,12 @@ packages: resolution: {integrity: sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==} engines: {node: '>=0.6'} - qs@6.14.0: - resolution: {integrity: sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==} + qs@6.14.2: + resolution: {integrity: sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==} + engines: {node: '>=0.6'} + + qs@6.15.0: + resolution: {integrity: sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ==} engines: {node: '>=0.6'} quansync@0.2.10: @@ -4956,10 +5011,14 @@ packages: resolution: {integrity: sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==} engines: {node: '>= 0.8'} - raw-body@3.0.0: - resolution: {integrity: sha512-RmkhL8CAyCRPXCE28MMH0z2PNWQBNk2Q09ZdxM9IOOXwxwZbN+qbWaatPkdkWIKL2ZVDImrN/pK5HTRz2PcS4g==} + raw-body@2.5.3: + resolution: {integrity: sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==} engines: {node: '>= 0.8'} + raw-body@3.0.2: + resolution: {integrity: sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==} + engines: {node: '>= 0.10'} + react-dom@18.3.1: resolution: {integrity: sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==} peerDependencies: 
@@ -5234,8 +5293,12 @@ packages: resolution: {integrity: sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==} engines: {node: '>= 0.8.0'} - send@1.2.0: - resolution: {integrity: sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==} + send@0.19.2: + resolution: {integrity: sha512-VMbMxbDeehAxpOtWJXlcUS5E8iXh6QmN+BkRX1GARS3wRaXEEgzCcB10gTQazO42tpNIya8xIyNx8fll1OFPrg==} + engines: {node: '>= 0.8.0'} + + send@1.2.1: + resolution: {integrity: sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==} engines: {node: '>= 18'} serialize-error@12.0.0: @@ -5246,8 +5309,12 @@ packages: resolution: {integrity: sha512-VqpjJZKadQB/PEbEwvFdO43Ax5dFBZ2UECszz8bQ7pi7wt//PWe1P6MN7eCnjsatYtBT6EuiClbjSWP2WrIoTw==} engines: {node: '>= 0.8.0'} - serve-static@2.2.0: - resolution: {integrity: sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ==} + serve-static@1.16.3: + resolution: {integrity: sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==} + engines: {node: '>= 0.8.0'} + + serve-static@2.2.1: + resolution: {integrity: sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==} engines: {node: '>= 18'} set-cookie-parser@2.7.1: @@ -5407,6 +5474,10 @@ packages: resolution: {integrity: sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==} engines: {node: '>= 0.8'} + statuses@2.0.2: + resolution: {integrity: sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==} + engines: {node: '>= 0.8'} + std-env@3.10.0: resolution: {integrity: sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==} 
@@ -5503,7 +5574,7 @@ packages: tar@6.2.1: resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==} engines: {node: '>=10'} - deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exhorbitant rates) by contacting i@izs.me + deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me tdigest@0.1.2: resolution: {integrity: sha512-+G0LLgjjo9BZX2MfdvPfH+MKLCrxlXSYec5DaPYP1fe6Iyhf0/fSmJ0bFiZ1F8BT6cGXl2LpltQptzjXKWEkKA==} @@ -6105,6 +6176,11 @@ packages: peerDependencies: zod: ^3.25 || ^4 + zod-to-json-schema@3.25.1: + resolution: {integrity: sha512-pM/SU9d3YAggzi6MtR4h7ruuQlqKtad8e9S0fmxcMi+ueAK5Korys/aWcV9LIIHTVbj01NdzxcnXSN+O74ZIVA==} + peerDependencies: + zod: ^3.25 || ^4 + zod@3.23.8: resolution: {integrity: sha512-XBx9AXhXktjUqnepgTiE5flcKIYWi/rme0Eaj+5Y0lftuGBq+jyRu/md4WnuxqgP1ubdpNCsYEYPxrzVHD8d6g==} @@ -6342,9 +6418,9 @@ snapshots: '@stoplight/types': 13.20.0 '@types/json-schema': 7.0.15 '@types/urijs': 1.19.25 - ajv: 8.17.1 - ajv-errors: 3.0.0(ajv@8.17.1) - ajv-formats: 2.1.1(ajv@8.17.1) + ajv: 8.18.0 + ajv-errors: 3.0.0(ajv@8.18.0) + ajv-formats: 2.1.1(ajv@8.18.0) avsc: 5.7.7 js-yaml: 4.1.0 jsonpath-plus: 10.3.0 @@ -6801,8 +6877,8 @@ snapshots: '@fastify/ajv-compiler@4.0.5': dependencies: - ajv: 8.17.1 - ajv-formats: 3.0.1(ajv@8.17.1) + ajv: 8.18.0 + ajv-formats: 3.0.1(ajv@8.18.0) fast-uri: 3.0.6 '@fastify/cors@11.1.0': @@ -6832,7 +6908,7 @@ snapshots: '@lukeed/ms': 2.0.2 escape-html: 1.0.3 fast-decode-uri-component: 1.0.1 - http-errors: 2.0.0 + http-errors: 2.0.1 mime: 3.0.0 '@fastify/static@8.3.0': 
@@ -6862,18 +6938,22 @@ snapshots: transitivePeerDependencies: - supports-color - '@google/genai@1.24.0(@modelcontextprotocol/sdk@1.17.2)(bufferutil@4.0.9)': + '@google/genai@1.24.0(@modelcontextprotocol/sdk@1.26.0(@cfworker/json-schema@4.1.1)(zod@4.2.1))(bufferutil@4.0.9)': dependencies: google-auth-library: 9.15.1 ws: 8.18.3(bufferutil@4.0.9) optionalDependencies: - '@modelcontextprotocol/sdk': 1.17.2 + '@modelcontextprotocol/sdk': 1.26.0(@cfworker/json-schema@4.1.1)(zod@4.2.1) transitivePeerDependencies: - bufferutil - encoding - supports-color - utf-8-validate + '@hono/node-server@1.19.9(hono@4.11.10)': + dependencies: + hono: 4.11.10 + '@humanfs/core@0.19.1': {} '@humanfs/node@0.16.6': @@ -7452,9 +7532,9 @@ snapshots: '@mintlify/openapi-parser@0.0.7': dependencies: - ajv: 8.17.1 - ajv-draft-04: 1.0.0(ajv@8.17.1) - ajv-formats: 3.0.1(ajv@8.17.1) + ajv: 8.18.0 + ajv-draft-04: 1.0.0(ajv@8.18.0) + ajv-formats: 3.0.1(ajv@8.18.0) jsonpointer: 5.0.1 leven: 4.0.0 yaml: 2.7.1 @@ -7494,7 +7574,7 @@ snapshots: better-opn: 3.0.2 chalk: 5.4.1 chokidar: 3.6.0 - express: 4.21.2 + express: 4.22.1 fs-extra: 11.3.0 got: 13.0.0 gray-matter: 4.0.3 
@@ -7562,24 +7642,31 @@ snapshots: lodash: 4.17.21 openapi-types: 12.1.3 zod: 3.25.76 - zod-to-json-schema: 3.25.0(zod@3.25.76) + zod-to-json-schema: 3.25.1(zod@3.25.76) transitivePeerDependencies: - debug - '@modelcontextprotocol/sdk@1.17.2': + '@modelcontextprotocol/sdk@1.26.0(@cfworker/json-schema@4.1.1)(zod@4.2.1)': dependencies: - ajv: 6.12.6 + '@hono/node-server': 1.19.9(hono@4.11.10) + ajv: 8.18.0 + ajv-formats: 3.0.1(ajv@8.18.0) content-type: 1.0.5 - cors: 2.8.5 + cors: 2.8.6 cross-spawn: 7.0.6 eventsource: 3.0.7 - eventsource-parser: 3.0.3 - express: 5.1.0 - express-rate-limit: 7.5.1(express@5.1.0) - pkce-challenge: 5.0.0 - raw-body: 3.0.0 - zod: 3.25.76 - zod-to-json-schema: 3.25.0(zod@3.25.76) + eventsource-parser: 3.0.6 + express: 5.2.1 + express-rate-limit: 8.2.1(express@5.2.1) + hono: 4.11.10 + jose: 6.1.3 + json-schema-typed: 8.0.2 + pkce-challenge: 5.0.1 + raw-body: 3.0.2 + zod: 4.2.1 + zod-to-json-schema: 3.25.1(zod@4.2.1) + optionalDependencies: + '@cfworker/json-schema': 4.1.1 transitivePeerDependencies: - supports-color @@ -7799,9 +7886,9 @@ snapshots: '@standard-schema/spec@1.1.0': {} - '@stoplight/better-ajv-errors@1.0.3(ajv@8.17.1)': + '@stoplight/better-ajv-errors@1.0.3(ajv@8.18.0)': dependencies: - ajv: 8.17.1 + ajv: 8.18.0 jsonpointer: 5.0.1 leven: 3.1.0 @@ -7840,7 +7927,7 @@ snapshots: '@stoplight/spectral-core@1.20.0': dependencies: - '@stoplight/better-ajv-errors': 1.0.3(ajv@8.17.1) + '@stoplight/better-ajv-errors': 1.0.3(ajv@8.18.0) '@stoplight/json': 3.21.0 '@stoplight/path': 1.3.2 '@stoplight/spectral-parsers': 1.0.5 @@ -7849,9 +7936,9 @@ snapshots: '@stoplight/types': 13.6.0 '@types/es-aggregate-error': 1.0.6 '@types/json-schema': 7.0.15 - ajv: 8.17.1 - ajv-errors: 3.0.0(ajv@8.17.1) - ajv-formats: 2.1.1(ajv@8.17.1) + ajv: 8.18.0 + ajv-errors: 3.0.0(ajv@8.18.0) + ajv-formats: 2.1.1(ajv@8.18.0) es-aggregate-error: 1.0.13 jsonpath-plus: 10.3.0 lodash: 4.17.21 
@@ -7875,15 +7962,15 @@ snapshots: '@stoplight/spectral-functions@1.10.1': dependencies: - '@stoplight/better-ajv-errors': 1.0.3(ajv@8.17.1) + '@stoplight/better-ajv-errors': 1.0.3(ajv@8.18.0) '@stoplight/json': 3.21.0 '@stoplight/spectral-core': 1.20.0 '@stoplight/spectral-formats': 1.8.2 '@stoplight/spectral-runtime': 1.1.4 - ajv: 8.17.1 - ajv-draft-04: 1.0.0(ajv@8.17.1) - ajv-errors: 3.0.0(ajv@8.17.1) - ajv-formats: 2.1.1(ajv@8.17.1) + ajv: 8.18.0 + ajv-draft-04: 1.0.0(ajv@8.18.0) + ajv-errors: 3.0.0(ajv@8.18.0) + ajv-formats: 2.1.1(ajv@8.18.0) lodash: 4.17.21 tslib: 2.8.1 transitivePeerDependencies: @@ -8089,7 +8176,7 @@ snapshots: dependencies: '@typescript-eslint/typescript-estree': 8.31.1(typescript@5.8.3) '@typescript-eslint/utils': 8.31.1(eslint@9.25.1(jiti@1.21.7))(typescript@5.8.3) - debug: 4.4.1 + debug: 4.4.3 eslint: 9.25.1(jiti@1.21.7) ts-api-utils: 2.1.0(typescript@5.8.3) typescript: 5.8.3 @@ -8102,7 +8189,7 @@ snapshots: dependencies: '@typescript-eslint/types': 8.31.1 '@typescript-eslint/visitor-keys': 8.31.1 - debug: 4.4.1 + debug: 4.4.3 fast-glob: 3.3.3 is-glob: 4.0.3 minimatch: 9.0.5 @@ -8217,7 +8304,7 @@ snapshots: accepts@2.0.0: dependencies: - mime-types: 3.0.1 + mime-types: 3.0.2 negotiator: 1.0.0 acorn-jsx@5.3.2(acorn@8.14.1): @@ -8255,21 +8342,21 @@ snapshots: '@opentelemetry/api': 1.9.0 zod: 4.2.1 - ajv-draft-04@1.0.0(ajv@8.17.1): + ajv-draft-04@1.0.0(ajv@8.18.0): optionalDependencies: - ajv: 8.17.1 + ajv: 8.18.0 - ajv-errors@3.0.0(ajv@8.17.1): + ajv-errors@3.0.0(ajv@8.18.0): dependencies: - ajv: 8.17.1 + ajv: 8.18.0 - ajv-formats@2.1.1(ajv@8.17.1): + ajv-formats@2.1.1(ajv@8.18.0): optionalDependencies: - ajv: 8.17.1 + ajv: 8.18.0 - ajv-formats@3.0.1(ajv@8.17.1): + ajv-formats@3.0.1(ajv@8.18.0): optionalDependencies: - ajv: 8.17.1 + ajv: 8.18.0 ajv@6.12.6: dependencies: 
@@ -8278,10 +8365,10 @@ snapshots: json-schema-traverse: 0.4.1 uri-js: 4.4.1 - ajv@8.17.1: + ajv@8.18.0: dependencies: fast-deep-equal: 3.1.3 - fast-uri: 3.0.6 + fast-uri: 3.1.0 json-schema-traverse: 1.0.0 require-from-string: 2.0.2 @@ -8460,16 +8547,33 @@ snapshots: transitivePeerDependencies: - supports-color - body-parser@2.2.0: + body-parser@1.20.4: dependencies: bytes: 3.1.2 content-type: 1.0.5 - debug: 4.4.0 - http-errors: 2.0.0 - iconv-lite: 0.6.3 + debug: 2.6.9 + depd: 2.0.0 + destroy: 1.2.0 + http-errors: 2.0.1 + iconv-lite: 0.4.24 on-finished: 2.4.1 - qs: 6.14.0 - raw-body: 3.0.0 + qs: 6.14.2 + raw-body: 2.5.3 + type-is: 1.6.18 + unpipe: 1.0.0 + transitivePeerDependencies: + - supports-color + + body-parser@2.2.2: + dependencies: + bytes: 3.1.2 + content-type: 1.0.5 + debug: 4.4.3 + http-errors: 2.0.1 + iconv-lite: 0.7.2 + on-finished: 2.4.1 + qs: 6.15.0 + raw-body: 3.0.2 type-is: 2.0.1 transitivePeerDependencies: - supports-color @@ -8720,9 +8824,7 @@ snapshots: dependencies: safe-buffer: 5.2.1 - content-disposition@1.0.0: - dependencies: - safe-buffer: 5.2.1 + content-disposition@1.0.1: {} content-type@1.0.5: {} @@ -8732,6 +8834,8 @@ snapshots: cookie-signature@1.0.6: {} + cookie-signature@1.0.7: {} + cookie-signature@1.2.2: {} cookie@0.7.1: {} @@ -8745,6 +8849,11 @@ snapshots: object-assign: 4.1.1 vary: 1.1.2 + cors@2.8.6: + dependencies: + object-assign: 4.1.1 + vary: 1.1.2 + cosmiconfig@9.0.0(typescript@5.9.3): dependencies: env-paths: 2.2.1 @@ -8771,8 +8880,8 @@ snapshots: ctrf@0.0.17: dependencies: - ajv: 8.17.1 - ajv-formats: 3.0.1(ajv@8.17.1) + ajv: 8.18.0 + ajv-formats: 3.0.1(ajv@8.18.0) glob: 11.1.0 typescript: 5.8.3 yargs: 18.0.0 @@ -8884,7 +8993,7 @@ snapshots: detect-port@1.6.1: dependencies: address: 1.2.2 - debug: 4.4.1 + debug: 4.4.3 transitivePeerDependencies: - supports-color 
@@ -8953,7 +9062,7 @@ snapshots: accepts: 1.3.8 base64id: 2.0.0 cookie: 0.7.2 - cors: 2.8.5 + cors: 2.8.6 debug: 4.3.7 engine.io-parser: 5.2.3 ws: 8.17.1(bufferutil@4.0.9) @@ -9275,19 +9384,18 @@ snapshots: eventsource-parser@1.1.2: {} - eventsource-parser@3.0.3: {} - eventsource-parser@3.0.6: {} eventsource@3.0.7: dependencies: - eventsource-parser: 3.0.3 + eventsource-parser: 3.0.6 expect-type@1.2.2: {} - express-rate-limit@7.5.1(express@5.1.0): + express-rate-limit@8.2.1(express@5.2.1): dependencies: - express: 5.1.0 + express: 5.2.1 + ip-address: 10.0.1 express@4.21.2: dependencies: 
@@ -9325,33 +9433,70 @@ snapshots: transitivePeerDependencies: - supports-color - express@5.1.0: + express@4.22.1: + dependencies: + accepts: 1.3.8 + array-flatten: 1.1.1 + body-parser: 1.20.4 + content-disposition: 0.5.4 + content-type: 1.0.5 + cookie: 0.7.2 + cookie-signature: 1.0.7 + debug: 2.6.9 + depd: 2.0.0 + encodeurl: 2.0.0 + escape-html: 1.0.3 + etag: 1.8.1 + finalhandler: 1.3.2 + fresh: 0.5.2 + http-errors: 2.0.1 + merge-descriptors: 1.0.3 + methods: 1.1.2 + on-finished: 2.4.1 + parseurl: 1.3.3 + path-to-regexp: 0.1.12 + proxy-addr: 2.0.7 + qs: 6.14.2 + range-parser: 1.2.1 + safe-buffer: 5.2.1 + send: 0.19.2 + serve-static: 1.16.3 + setprototypeof: 1.2.0 + statuses: 2.0.2 + type-is: 1.6.18 + utils-merge: 1.0.1 + vary: 1.1.2 + transitivePeerDependencies: + - supports-color + + express@5.2.1: dependencies: accepts: 2.0.0 - body-parser: 2.2.0 - content-disposition: 1.0.0 + body-parser: 2.2.2 + content-disposition: 1.0.1 content-type: 1.0.5 cookie: 0.7.2 cookie-signature: 1.2.2 - debug: 4.4.0 + debug: 4.4.3 + depd: 2.0.0 encodeurl: 2.0.0 escape-html: 1.0.3 etag: 1.8.1 - finalhandler: 2.1.0 + finalhandler: 2.1.1 fresh: 2.0.0 - http-errors: 2.0.0 + http-errors: 2.0.1 merge-descriptors: 2.0.0 - mime-types: 3.0.1 + mime-types: 3.0.2 on-finished: 2.4.1 once: 1.4.0 parseurl: 1.3.3 proxy-addr: 2.0.7 - qs: 6.14.0 + qs: 6.15.0 range-parser: 1.2.1 router: 2.2.0 - send: 1.2.0 - serve-static: 2.2.0 - statuses: 2.0.1 + send: 1.2.1 + serve-static: 2.2.1 + statuses: 2.0.2 type-is: 2.0.1 vary: 1.1.2 transitivePeerDependencies: @@ -9373,7 +9518,7 @@ snapshots: extract-zip@2.0.1: dependencies: - debug: 4.4.1 + debug: 4.4.3 get-stream: 5.2.0 yauzl: 2.10.0 optionalDependencies: @@ -9402,8 +9547,8 @@ snapshots: fast-json-stringify@6.1.1: dependencies: '@fastify/merge-json-schemas': 0.2.1 - ajv: 8.17.1 - ajv-formats: 3.0.1(ajv@8.17.1) + ajv: 8.18.0 + ajv-formats: 3.0.1(ajv@8.18.0) fast-uri: 3.0.6 json-schema-ref-resolver: 3.0.0 rfdc: 1.4.1 
@@ -9422,6 +9567,8 @@ snapshots: fast-uri@3.0.6: {} + fast-uri@3.1.0: {} + fastify-metrics@12.1.0(fastify@5.6.2): dependencies: fastify: 5.6.2 @@ -9515,14 +9662,26 @@ snapshots: transitivePeerDependencies: - supports-color - finalhandler@2.1.0: + finalhandler@1.3.2: dependencies: - debug: 4.4.0 + debug: 2.6.9 encodeurl: 2.0.0 escape-html: 1.0.3 on-finished: 2.4.1 parseurl: 1.3.3 - statuses: 2.0.1 + statuses: 2.0.2 + unpipe: 1.0.0 + transitivePeerDependencies: + - supports-color + + finalhandler@2.1.1: + dependencies: + debug: 4.4.3 + encodeurl: 2.0.0 + escape-html: 1.0.3 + on-finished: 2.4.1 + parseurl: 1.3.3 + statuses: 2.0.2 transitivePeerDependencies: - supports-color @@ -10037,6 +10196,8 @@ snapshots: help-me@5.0.0: {} + hono@4.11.10: {} + html-encoding-sniffer@4.0.0: dependencies: whatwg-encoding: 3.1.1 @@ -10055,6 +10216,14 @@ snapshots: statuses: 2.0.1 toidentifier: 1.0.1 + http-errors@2.0.1: + dependencies: + depd: 2.0.0 + inherits: 2.0.4 + setprototypeof: 1.2.0 + statuses: 2.0.2 + toidentifier: 1.0.1 + http-proxy-agent@7.0.2: dependencies: agent-base: 7.1.3 @@ -10090,6 +10259,10 @@ snapshots: dependencies: safer-buffer: 2.1.2 + iconv-lite@0.7.2: + dependencies: + safer-buffer: 2.1.2 + ieee754@1.2.1: {} ignore@5.3.2: {} @@ -10166,6 +10339,8 @@ snapshots: hasown: 2.0.2 side-channel: 1.1.0 + ip-address@10.0.1: {} + ip-address@9.0.5: dependencies: jsbn: 1.1.0 @@ -10373,6 +10548,8 @@ snapshots: jiti@1.21.7: {} + jose@6.1.3: {} + joycon@3.1.1: {} js-tiktoken@1.0.20: @@ -10448,6 +10625,8 @@ snapshots: json-schema-traverse@1.0.0: {} + json-schema-typed@8.0.2: {} + json-schema@0.4.0: {} json-stable-stringify-without-jsonify@1.0.1: {} @@ -11092,7 +11271,7 @@ snapshots: dependencies: mime-db: 1.52.0 - mime-types@3.0.1: + mime-types@3.0.2: dependencies: mime-db: 1.54.0 @@ -11418,7 +11597,7 @@ snapshots: dependencies: '@tootallnate/quickjs-emscripten': 0.23.0 agent-base: 7.1.3 - debug: 4.4.1 + debug: 4.4.3 get-uri: 6.0.4 http-proxy-agent: 7.0.2 https-proxy-agent: 7.0.6 
@@ -11497,7 +11676,7 @@ snapshots: path-to-regexp@0.1.12: {} - path-to-regexp@8.2.0: {} + path-to-regexp@8.3.0: {} path-type@4.0.0: {} @@ -11598,7 +11777,7 @@ snapshots: pirates@4.0.7: {} - pkce-challenge@5.0.0: {} + pkce-challenge@5.0.1: {} playwright-core@1.52.0: {} @@ -11696,7 +11875,7 @@ snapshots: proxy-agent@6.5.0: dependencies: agent-base: 7.1.3 - debug: 4.4.1 + debug: 4.4.3 http-proxy-agent: 7.0.2 https-proxy-agent: 7.0.6 lru-cache: 7.18.3 @@ -11755,7 +11934,11 @@ snapshots: dependencies: side-channel: 1.1.0 - qs@6.14.0: + qs@6.14.2: + dependencies: + side-channel: 1.1.0 + + qs@6.15.0: dependencies: side-channel: 1.1.0 @@ -11780,11 +11963,18 @@ snapshots: iconv-lite: 0.4.24 unpipe: 1.0.0 - raw-body@3.0.0: + raw-body@2.5.3: dependencies: bytes: 3.1.2 - http-errors: 2.0.0 - iconv-lite: 0.6.3 + http-errors: 2.0.1 + iconv-lite: 0.4.24 + unpipe: 1.0.0 + + raw-body@3.0.2: + dependencies: + bytes: 3.1.2 + http-errors: 2.0.1 + iconv-lite: 0.7.2 unpipe: 1.0.0 react-dom@18.3.1(react@18.3.1): @@ -12099,11 +12289,11 @@ snapshots: router@2.2.0: dependencies: - debug: 4.4.0 + debug: 4.4.3 depd: 2.0.0 is-promise: 4.0.0 parseurl: 1.3.3 - path-to-regexp: 8.2.0 + path-to-regexp: 8.3.0 transitivePeerDependencies: - supports-color @@ -12199,19 +12389,37 @@ snapshots: transitivePeerDependencies: - supports-color - send@1.2.0: + send@0.19.2: dependencies: - debug: 4.4.0 + debug: 2.6.9 + depd: 2.0.0 + destroy: 1.2.0 + encodeurl: 2.0.0 + escape-html: 1.0.3 + etag: 1.8.1 + fresh: 0.5.2 + http-errors: 2.0.1 + mime: 1.6.0 + ms: 2.1.3 + on-finished: 2.4.1 + range-parser: 1.2.1 + statuses: 2.0.2 + transitivePeerDependencies: + - supports-color + + send@1.2.1: + dependencies: + debug: 4.4.3 encodeurl: 2.0.0 escape-html: 1.0.3 etag: 1.8.1 fresh: 2.0.0 - http-errors: 2.0.0 - mime-types: 3.0.1 + http-errors: 2.0.1 + mime-types: 3.0.2 ms: 2.1.3 on-finished: 2.4.1 range-parser: 1.2.1 - statuses: 2.0.1 + statuses: 2.0.2 transitivePeerDependencies: - supports-color 
@@ -12228,12 +12436,21 @@ snapshots: transitivePeerDependencies: - supports-color - serve-static@2.2.0: + serve-static@1.16.3: dependencies: encodeurl: 2.0.0 escape-html: 1.0.3 parseurl: 1.3.3 - send: 1.2.0 + send: 0.19.2 + transitivePeerDependencies: + - supports-color + + serve-static@2.2.1: + dependencies: + encodeurl: 2.0.0 + escape-html: 1.0.3 + parseurl: 1.3.3 + send: 1.2.1 transitivePeerDependencies: - supports-color @@ -12425,7 +12642,7 @@ snapshots: dependencies: accepts: 1.3.8 base64id: 2.0.0 - cors: 2.8.5 + cors: 2.8.6 debug: 4.3.7 engine.io: 6.6.4(bufferutil@4.0.9) socket.io-adapter: 2.5.5(bufferutil@4.0.9) @@ -12438,7 +12655,7 @@ snapshots: socks-proxy-agent@8.0.5: dependencies: agent-base: 7.1.3 - debug: 4.4.1 + debug: 4.4.3 socks: 2.8.4 transitivePeerDependencies: - supports-color @@ -12480,6 +12697,8 @@ snapshots: statuses@2.0.1: {} + statuses@2.0.2: {} + std-env@3.10.0: {} streamx@2.22.0: @@ -12786,7 +13005,7 @@ snapshots: dependencies: content-type: 1.0.5 media-typer: 1.1.0 - mime-types: 3.0.1 + mime-types: 3.0.2 typed-array-buffer@1.0.3: dependencies: @@ -13298,6 +13517,14 @@ snapshots: dependencies: zod: 4.2.1 + zod-to-json-schema@3.25.1(zod@3.25.76): + dependencies: + zod: 3.25.76 + + zod-to-json-schema@3.25.1(zod@4.2.1): + dependencies: + zod: 4.2.1 + zod@3.23.8: {} zod@3.25.76: {} From 9ac48cf02f081ab777c830176ad4b766462fec42 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Mon, 2 Mar 2026 18:51:55 -0500 Subject: [PATCH 19/22] Potential fix for code scanning alert no. 28: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/npm-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 2a4766d38..f476ed2cb 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml 
@@ -3,6 +3,9 @@ name: Node.js Package +permissions: + contents: read + on: release: types: [created] From 82ca3ad95bae42ad44b6cb5f29f317d3bb537d1a Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Mar 2026 22:08:28 -0400 Subject: [PATCH 20/22] Create npm-publish-github-packages.yml --- .../workflows/npm-publish-github-packages.yml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/npm-publish-github-packages.yml diff --git a/.github/workflows/npm-publish-github-packages.yml b/.github/workflows/npm-publish-github-packages.yml new file mode 100644 index 000000000..ea2d329fa --- /dev/null +++ b/.github/workflows/npm-publish-github-packages.yml @@ -0,0 +1,36 @@ +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + - run: npm ci + - run: npm test + + publish-gpr: + needs: build + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + registry-url: https://npm.pkg.github.com/ + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} From 6980a33db22457b1c86ff50a460feb4b1f5efb0a Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Mar 2026 22:12:16 -0400 Subject: [PATCH 21/22] Potential fix for code scanning alert no. 30: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/npm-publish-github-packages.yml | 2 ++ 1 file changed, 2 insertions(+) 
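Review bot: In the `publish-gpr` job, `actions/checkout@v4` keeps the job token in the workspace's git configuration by default, and the `npm ci` that follows runs dependency install scripts in a job whose token carries `packages: write`. Adding `with:` and `persist-credentials: false` to that checkout step keeps the token out of reach of those scripts; it is then exposed only to the `npm publish` step through `NODE_AUTH_TOKEN`, as already written. Both `actions/checkout@v4` and `actions/setup-node@v4` are referenced by mutable tag, whereas ruby.yml later in this series pins `ruby/setup-ruby` to a commit SHA; pinning these two the same way would be consistent and stop the publish job from silently picking up a retagged action.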
diff --git a/.github/workflows/npm-publish-github-packages.yml b/.github/workflows/npm-publish-github-packages.yml index ea2d329fa..65fc0060c 100644 --- a/.github/workflows/npm-publish-github-packages.yml +++ b/.github/workflows/npm-publish-github-packages.yml @@ -10,6 +10,8 @@ on: jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 From fcbeeee1a3acbdb84097248607fba487ec577e4e Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Mar 2026 22:16:44 -0400 Subject: [PATCH 22/22] Create ruby.yml --- .github/workflows/ruby.yml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/ruby.yml diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml new file mode 100644 index 000000000..5d80832d3 --- /dev/null +++ b/.github/workflows/ruby.yml 
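Review bot: The `contents: read` restriction is added only to the `build` job, so any job added to this workflow later falls back to the repository's default token permissions. Declaring it once at workflow level, `permissions:` with `contents: read` above `jobs:`, gives every job a read-only default, while `publish-gpr` keeps its own job-level block with `packages: write`. That is also the form used by the npm-publish.yml change and by ruby.yml in this series. The rest of the `build` job lies outside this hunk.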
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: Ruby
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ test:
+
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ ruby-version: ['2.6', '2.7', '3.0']
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Ruby
+ # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
+ # change this to (see https://github.com/ruby/setup-ruby#versioning):
+ # uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
+ with:
+ ruby-version: ${{ matrix.ruby-version }}
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ - name: Run tests
+ run: bundle exec rake
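Review bot: The matrix `ruby-version: ['2.6', '2.7', '3.0']` lists only Ruby series that have reached end of life and no longer receive security fixes, so a green run says little about the interpreters the code should actually be run on. I would replace it with maintained series, for example `ruby-version: ['3.3', '3.4']`; the pinned `ruby/setup-ruby` commit (v1.146.0) may predate those releases, so its SHA would probably need bumping in the same change. `actions/checkout@v4` is referenced by tag while `ruby/setup-ruby` is pinned by SHA, and pinning both would be consistent. The lockfile changes earlier in this series are pnpm-based, so it is worth confirming that the repository has a Gemfile and Rakefile for `bundle exec rake` to run against.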