chore(deps): bump the production-dependencies group across 1 directory with 15 updates

[dependabot]

Bumps the production-dependencies group with 12 updates in the / directory:

Package	From	To
@ai-sdk/anthropic	3.0.82	3.0.85
@ai-sdk/google	3.0.80	3.0.83
@ai-sdk/openai	3.0.69	3.0.73
@aws-sdk/client-s3	3.1066.0	3.1072.0
@better-auth/sso	1.6.16	1.6.19
@nuxtjs/mdc	0.21.1	0.22.0
@posthog/nuxt	1.7.73	1.7.77
@tailwindcss/vite	4.3.0	4.3.1
ai	6.0.201	6.0.208
better-sqlite3	12.10.0	12.11.1
resend	6.12.4	6.14.0
vue	3.5.37	3.5.38

Updates @ai-sdk/anthropic from 3.0.82 to 3.0.85

Changelog

Sourced from @​ai-sdk/anthropic's changelog.

3.0.85

Patch Changes

• Updated dependencies [779f5cd]
  • @​ai-sdk/provider-utils@​4.0.30

3.0.84

Patch Changes

• Updated dependencies [bfa5864]
• Updated dependencies [f42aa79]
  • @​ai-sdk/provider-utils@​4.0.29

3.0.83

Patch Changes

• Updated dependencies [942f2f8]
  • @​ai-sdk/provider-utils@​4.0.28

Commits

• caebb44 Version Packages (#16157)
• bae9bab Version Packages (#16026)
• 9ef2c3c Version Packages (#15998)
• See full diff in compare view

Updates @ai-sdk/google from 3.0.80 to 3.0.83

Changelog

Sourced from @​ai-sdk/google's changelog.

3.0.83

Patch Changes

• Updated dependencies [779f5cd]
  • @​ai-sdk/provider-utils@​4.0.30

3.0.82

Patch Changes

• 3258f22: fix(google): prevent prototype pollution when streaming tool args

• bfa5864: fix: only send provider credentials to same-origin response-supplied URLs

  Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

  A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

• Updated dependencies [bfa5864]

• Updated dependencies [f42aa79]

  • @​ai-sdk/provider-utils@​4.0.29

3.0.81

Patch Changes

• Updated dependencies [942f2f8]
  • @​ai-sdk/provider-utils@​4.0.28

Commits

• caebb44 Version Packages (#16157)
• bae9bab Version Packages (#16026)
• 3258f22 Backport: fix(google): prevent prototype pollution when streaming tool args (...
• bfa5864 Backport: fix(providers): only send credentials to same-origin response-suppl...
• 9ef2c3c Version Packages (#15998)
• 7aca1fc backport: chore: update TypeScript references and fix `pnpm update-references...
• See full diff in compare view

Updates @ai-sdk/openai from 3.0.69 to 3.0.73

Release notes

Sourced from @​ai-sdk/openai's releases.

@​ai-sdk/openai@​3.0.73

Patch Changes

• 1274c07: fix(provider/openai): send client-executed tool calls as full function_call items in the Responses API so they pair with their function_call_output by call_id

Changelog

Sourced from @​ai-sdk/openai's changelog.

3.0.73

Patch Changes

• 1274c07: fix(provider/openai): send client-executed tool calls as full function_call items in the Responses API so they pair with their function_call_output by call_id

3.0.72

Patch Changes

• Updated dependencies [779f5cd]
  • @​ai-sdk/provider-utils@​4.0.30

3.0.71

Patch Changes

• Updated dependencies [bfa5864]
• Updated dependencies [f42aa79]
  • @​ai-sdk/provider-utils@​4.0.29

3.0.70

Patch Changes

• Updated dependencies [942f2f8]
  • @​ai-sdk/provider-utils@​4.0.28

Commits

• cc38fce Version Packages (#16229)
• 1274c07 Backport: fix(openai): send client-executed tool calls as full function_call ...
• caebb44 Version Packages (#16157)
• bae9bab Version Packages (#16026)
• 9ef2c3c Version Packages (#15998)
• See full diff in compare view

Updates @aws-sdk/client-s3 from 3.1066.0 to 3.1072.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1072.0

3.1072.0(2026-06-18)

Documentation Changes

• client-ec2: Documentation updates clarifying CancelCapacityReservation cancellable states (e3723ba7)

New Features

• client-compute-optimizer: This release surfaces two new metrics Volume IOPS Exceeded and Volume Throughput Exceeded into EBS volume rightsizing recommendations. (ded6618d)
• client-application-auto-scaling: Adds support for ECS high-resolution predefined scaling metrics (ECSServiceAverageCPUUtilizationHighResolution, ECSServiceAverageMemoryUtilizationHighResolution) enabling 20-second metric periods for faster scaling (95b3513a)
• client-cognito-identity-provider: In order to support the new TLS Self-Service feature, this change adds SecurityPolicyType to CustomDomainConfigType. During CreateUserPoolDomain and UpdateUserPoolDomain this is used to select a custom domain's TLS enforcement, and for DescribeUserPoolDomain it informs users about the current TLS. (e8937787)
• client-sagemaker: Adds support for automatic AMI patching on HyperPod clusters. Customers can configure patching strategies to automatically apply security patch with zero job termination. Customers can also specify an AMI version at instance group level and update cluster software to a certain AMI version. (fd33a5e4)
• client-ecs: Amazon ECS services now support high resolution (20 second) CloudWatch metrics for CPUUtilization and MemoryUtilization. Use these metrics for faster service auto scaling. (93055ac9)
• client-healthlake: Adding New Configurations to the FHIR Create Datastore. The new configurations include NLP Configuration, AnalyticsConfiguration, ProfileConfiguration (494fa59f)
• client-gamelift: Amazon GameLift Servers has launched support for customizing Linux capabilities in container fleets. You can now specify additional Linux capabilities for containers in a container group definition, giving you finer control over the default Docker capabilities available to your containers. (93cefd90)
• client-eks: Adds support for configurable control plane egress routing in Amazon EKS, allowing you to route control plane egress traffic through your VPC and control how the control plane reaches resources in your network such as webhook servers and OIDC providers. (693db629)
• client-lambda: Converging and fixing existing documentation gaps in Lambda SDK (6555a565)
• client-synthetics: CloudWatch Synthetics adds support for multi-location canaries. Customers can now monitor their endpoints from multiple locations with centralized management from a primary location. The SDK includes new parameters for configuring multiple locations and tracking their state. (f2c8b480)
• client-cloudwatch-logs: Added optional startFromHead parameter to FilterLogEvents enabling descending timestamp order (newest first) when set to false. Default true preserves existing ascending order. Reverse sorting requires a startTime on or after Jan 1, 2024. (1be63ed9)
• client-batch: Adds Support for ordered allocation strategies- BEST-FIT-PROGRESSIVE-ORDERED or SPOT-CAPACITY-OPTIMIZED-PRIORITIZED (0e57e53b)

---

For list of updated packages, view updated-packages.md in assets-3.1072.0.zip

v3.1071.0

3.1071.0(2026-06-17)

New Features

• client-partnercentral-selling: Cosell Resonate AND Prospecing API Launch with ARN correction (7e8c98ab)
• client-compute-optimizer-automation: This launch adds IfExists comparison operators to Compute Optimizer Automation rule criteria, so a rule can include recommended actions whose specified attribute isn't present. (ab2c616d)
• client-bedrock-agent: Launching Bedrock Managed Knowledge Bases. Added support for resource-based policies on Knowledge Base resources, enabling cross-account access for Managed Knowledge Bases. (de0affe4)
• client-securityagent: Updated AWS Security Agent SDK model with new APIs for threat modeling, code review, security requirements, and additional integration providers. (9c3d3351)
• client-opensearch: Adds support for configuring IAM Identity Center options on existing OpenSearch applications via the UpdateApplication API. (94f06a20)
• client-glue: This release adds support for Search and Discovery in AWS Glue, letting you and your applications search Data Catalog assets such as table and enrich them with business context and glossary terms. (b394fc0b)
• client-bedrock-agentcore-control: AgentCore Gateway now supports inference targets to LLM providers (direct config or built-in connectors), HTTP passthrough targets with session stickiness, runtime target API schemas, AWS WAF web ACL association with configurable fail-open or fail-close modes, and interceptor payload filtering. (75f1d588)
• client-devops-agent: Adds support for Remote A2A (Agent-to-Agent) agent registration and management. Adds new Release Readiness Review and Release Testing capabilities. Adds support for Git managed skills in AWS DevOps Agent. (ebc040e1)
• client-bedrock-agentcore: AgentCore Harness service will be Generally Available at NYS 2026 with this Treb release. Harness will support invoking specific endpoints via the qualifier parameter, AWS Skills for pre-built agent capabilities, and improved validation for skill git source URLs. (5bf9fccc)
• client-ecs: Releasing the ability to bring-your-own task-definition for CreateExpressGatewayService and UpdateGatewayExpressService (b7b9cb4f)
• client-mq: This release adds private networking support for Amazon MQ for RabbitMQ. You can now associate AWS RAM resource shares with your broker and retrieve shared resource details using the new DescribeSharedResources API. (e96af450)
• client-bedrock-agent-runtime: Adds new AgenticRetrieveStream API for managed knowledge bases to use conversation history and autonomously plan for multi-hop multi-KB reasoning with built-in evaluation and access-control. Updates Retrieve API for access-control-based filtering for managed knowledge bases. (557f7b32)

Tests

• core:
  • prebuild before integration and e2e (#8111) (363f3fb7)
  • prebuild core before unit tests (#8108) (5f789e7f)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1072.0 (2026-06-18)

Note: Version bump only for package @​aws-sdk/client-s3

3.1071.0 (2026-06-17)

Note: Version bump only for package @​aws-sdk/client-s3

3.1070.0 (2026-06-16)

Features

• client-s3: Added support for annotations. You can now attach up to 1000 annotations (up to 1 MB each) directly to objects and create, retrieve, list, and delete them using new annotation APIs. Also added support for configuring an annotation table in S3 Metadata. (c555874)

3.1069.0 (2026-06-15)

Note: Version bump only for package @​aws-sdk/client-s3

3.1068.0 (2026-06-12)

Note: Version bump only for package @​aws-sdk/client-s3

3.1067.0 (2026-06-11)

Note: Version bump only for package @​aws-sdk/client-s3

Commits

• 501cd33 Publish v3.1072.0
• 3ce820a Publish v3.1071.0
• 4f2cfe1 Publish v3.1070.0
• c555874 feat(client-s3): Added support for annotations. You can now attach up to 1000...
• 7058d13 Publish v3.1069.0
• 67981c5 chore(scripts): tuning the build graph (#8095)
• 0632f6d Publish v3.1068.0
• 0a3246f Publish v3.1067.0
• See full diff in compare view

Updates @better-auth/sso from 1.6.16 to 1.6.19

Release notes

Sourced from @​better-auth/sso's releases.

v1.6.19

better-auth

Features

• Added support for pre-binding device codes to a specific user in the device authorization plugin (#9995)

Bug Fixes

• Fixed headerless session checks (#10053)
• Fixed cookie cache fallback lookup (#9348)
• Fixed sendVerificationEmail errors not being surfaced to the client (#8863)
• Fixed auth client return types not being emitted correctly in TypeScript declaration builds (#10071)
• Fixed session and account cache cookies being silently dropped when near the browser's per-cookie size limit by splitting them into chunks (#10088)
• Fixed single-use verification flows (such as magic-link) hanging on connection-limited database adapters by reusing active transactions (#10070)
• Fixed the domain not being included when clearing cross-subdomain cookies in the last-login-method plugin (#9319)
• Fixed the oauth-popup plugin leaking internal OAuth state keys into additionalData (#10067)
• Reverted the headerless session check fix (#10074)

For detailed changes, see CHANGELOG

auth

Bug Fixes

• Fixed the generate command not handling a directory path passed to --output (#9564)
• Fixed array additionalField default values not being serialized correctly in the Drizzle schema generator (#10048)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

• Fixed password reset tokens not working with the Drizzle MySQL adapter after being consumed (#10081)

For detailed changes, see CHANGELOG

@better-auth/mongo-adapter

Bug Fixes

• Fixed guarded state transitions (token rotation, revocation, two-factor backup-code regeneration, device-code claiming, and organization invitation acceptance) failing on Prisma and on MongoDB servers older than 5.0 (#10086)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

... (truncated)

Changelog

Sourced from @​better-auth/sso's changelog.

1.6.19

Patch Changes

• Updated dependencies [de4aa52, b4b0266, 5bd5e1c, 581f827, 8407885, c1a8a64, 635f190, a787e0b, c2f718f, 7d18175]:
  • better-auth@1.6.19
  • @​better-auth/core@​1.6.19

1.6.18

Patch Changes

• Updated dependencies [9ef7240, b21a5f7]:
  • better-auth@1.6.18
  • @​better-auth/core@​1.6.18

1.6.17

Patch Changes

• #9993 baeaa00 Thanks @​gustavovalverde! - A SAML assertion submitted twice at the same time can no longer be accepted more than once; replay protection now holds under concurrent requests.

• #10003 fdef997 Thanks @​gustavovalverde! - With trustEmailVerified enabled, an OIDC email_verified claim or mapped SAML attribute whose value is the string "false" is no longer treated as a verified email. Only a boolean true or the string "true" counts as verified.

• #10002 ed7b6c9 Thanks @​gustavovalverde! - Organization admins and owners can now request and verify domain ownership for an SSO provider their organization owns, even if another member registered it. Previously only the member who created the provider could verify its domain.

• Updated dependencies [baeaa00, 3e99e6c, 96c78c3, baeaa00, baeaa00, 0c3856f, baeaa00, baeaa00, ed7b6c9, e0a768c, 7343284, 0c3856f, baeaa00, baeaa00, 7343284, 7343284, 0c3856f, fdef997, 0c3856f, d9c526b, 0c3856f, fdef997, baeaa00, baeaa00, baeaa00, baeaa00, fdef997, 7343284, baeaa00, 8960f5f, baeaa00, 5c289b5, 1dbf5bb, baeaa00, baeaa00, 59e0ccb, b803c61, fdef997]:

  • better-auth@1.6.17
  • @​better-auth/core@​1.6.17

Commits

• ac4d81d chore: release v1.6.19 (#10034)
• 04debbf chore: release v1.6.18 (#10026)
• 0d8b238 chore: release v1.6.17 (#9984)
• ed7b6c9 fix: enforce team capacity, constant-time SCIM tokens, and org-admin SSO doma...
• fdef997 fix: harden provider identity validation (One Tap, Microsoft, SSO, WeChat, Re...
• baeaa00 fix: make single-use credentials, counters, and replay markers atomic (#9993)
• See full diff in compare view

Updates @nuxtjs/mdc from 0.21.1 to 0.22.0

Release notes

Sourced from @​nuxtjs/mdc's releases.

v0.22.0

• chore: upgrade deps (b3de9fc)
• docs: add Comark migration guide in README (595fe77)

Changelog

Sourced from @​nuxtjs/mdc's changelog.

v0.22.0

compare changes

📖 Documentation

• Add Comark migration guide in README (595fe77)

🏡 Chore

• Upgrade deps (b3de9fc)

❤️ Contributors

• Farnabaz farnabaz@gmail.com

Commits

• 88b95a9 chore(release): release v0.22.0
• b3de9fc chore: upgrade deps
• 595fe77 docs: add Comark migration guide in README
• See full diff in compare view

Updates @posthog/nuxt from 1.7.73 to 1.7.77

Release notes

Sourced from @​posthog/nuxt's releases.

@​posthog/nuxt@​1.7.77

1.7.77

Patch Changes

• #3886 e6d7fe2 Thanks @​marandaneto! - Stop sending deprecated no-op top-level type, library, and library_version fields in event batch payloads. Use properties.$lib and properties.$lib_version for SDK metadata; legacy queued library and library_version values are used as fallbacks when the official $ properties are missing. (2026-06-18)
• Updated dependencies [e6d7fe2]:
  • @​posthog/core@​1.35.2
  • posthog-node@5.38.1

@​posthog/nuxt@​1.7.76

1.7.76

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)
• Updated dependencies [29bf8e3, d3a9462]:
  • posthog-js@1.386.7
  • @​posthog/core@​1.32.4
  • posthog-node@5.37.1
  • @​posthog/plugin-utils@​1.1.2

@​posthog/nuxt@​1.7.75

1.7.75

Patch Changes

• Updated dependencies [5ddfd44, dbf2377, 21441a8]:
  • posthog-js@1.386.3
  • @​posthog/core@​1.32.3
  • posthog-node@5.36.17

@​posthog/nuxt@​1.7.74

1.7.74

Patch Changes

• Updated dependencies [25822ac]:
  • @​posthog/core@​1.32.2
  • posthog-js@1.386.2
  • posthog-node@5.36.16

Changelog

Sourced from @​posthog/nuxt's changelog.

1.7.77

Patch Changes

• #3886 e6d7fe2 Thanks @​marandaneto! - Stop sending deprecated no-op top-level type, library, and library_version fields in event batch payloads. Use properties.$lib and properties.$lib_version for SDK metadata; legacy queued library and library_version values are used as fallbacks when the official $ properties are missing. (2026-06-18)
• Updated dependencies [e6d7fe2]:
  • @​posthog/core@​1.35.2
  • posthog-node@5.38.1

1.7.76

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)
• Updated dependencies [29bf8e3, d3a9462]:
  • posthog-js@1.386.7
  • @​posthog/core@​1.32.4
  • posthog-node@5.37.1
  • @​posthog/plugin-utils@​1.1.2

1.7.75

Patch Changes

• Updated dependencies [5ddfd44, dbf2377, 21441a8]:
  • posthog-js@1.386.3
  • @​posthog/core@​1.32.3
  • posthog-node@5.36.17

1.7.74

Patch Changes

• Updated dependencies [25822ac]:
  • @​posthog/core@​1.32.2
  • posthog-js@1.386.2
  • posthog-node@5.36.16

Commits

• 229efff chore: update versions and lockfile [version bump]
• 47aea13 chore: update versions and lockfile [version bump]
• 29bf8e3 fix: add missing bugs metadata (#3837)
• be08a64 docs: centralize SDK examples in official docs (#3825)
• 1f2c06b chore: make workspace releases explicit (#3803)
• c7abf85 chore: update versions and lockfile [version bump]
• 5fe3bd4 chore: update versions and lockfile [version bump]
• See full diff in compare view

Updates @tailwindcss/vite from 4.3.0 to 4.3.1

Release notes

Sourced from @​tailwindcss/vite's releases.

v4.3.1

Added

• Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

• Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
• Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
• Allow @apply to be used with CSS mixins (#19427)
• Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
• Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
• Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
• Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
• Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)] → px-[calc(1rem+0)]) (#20127)
• Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px] → left-[99999px], not left-24999.75) (#20130)
• Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
• Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
• Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
• Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
• Allow @variant to be used inside addBase (#19480)
• Ensure @source globs with symlinks are preserved (#20203)
• Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
• Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
• Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
• Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
• Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
• Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)] → w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
• Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

• Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
• Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)

Changelog

Sourced from @​tailwindcss/vite's changelog.

[4.3.1] - 2026-06-12

Added

• Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

• Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
• Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
• Allow @apply to be used with CSS mixins (#19427)
• Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
• Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
• Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
• Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
• Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)] → px-[calc(1rem+0)]) (#20127)
• Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px] → left-[99999px], not left-24999.75) (#20130)
• Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
• Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
• Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
• Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
• Allow @variant to be used inside addBase (#19480)
• Ensure @source globs with symlinks are preserved (#20203)
• Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
• Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
• Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
• Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
• Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
• Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)] → w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
• Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

• Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
• Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)

Commits

• 8a14a71 4.3.1 (#20226)
• 73983e1 Fix 'Sourcemap is likely to be incorrect' warnings when using `@tailwindcss/v...
• See full diff in compare view

Updates ai from 6.0.201 to 6.0.208

Release notes

Sourced from ai's releases.

ai@6.0.208

Patch Changes

• 8261640: fix(ai): handle partial unicode escapes in fixJson
• f994df3: Serialize undefined tool output to null in UI message chunks

ai@6.0.207

Patch Changes

• 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

  When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

• Updated dependencies [5bfde36]

• Updated dependencies [779f5cd]

  • @​ai-sdk/gateway@​3.0.133
  • @​ai-sdk/provider-utils@​4.0.30

Changelog

Sourced from ai's changelog.

6.0.208

Patch Changes

• 8261640: fix(ai): handle partial unicode escapes in fixJson
• f994df3: Serialize undefined tool output to null in UI message chunks

6.0.207

Patch Changes

• 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

  When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

• Updated dependencies [5bfde36]

• Updated dependencies [779f5cd]

  • @​ai-sdk/gateway@​3.0.133
  • @​ai-sdk/provider-utils@​4.0.30

6.0.206

Patch Changes

• Updated dependencies [e962dda]
  • @​ai-sdk/gateway@​3.0.132

6.0.205

Patch Changes

• Updated dependencies [6160ced]
• Updated dependencies [c9b8abd]
  • @​ai-sdk/gateway@​3.0.131

6.0.204

Patch Changes

• Updated dependencies [c5d4716]
  • @​ai-sdk/gateway@​3.0.130

6.0.203

Patch Changes

• f42aa79: fix: harden download URL SSRF guard against hostname and redirect bypasses

  validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:

... (truncated)

Commits

• 3270146 Version Packages (#16243)
• f994df3 Backport: Serialize undefined tool output to null in UI message chunks (#16240)
• 8261640 Backport: fix(ai): handle partial unicode escapes in fixJson (#16233)
• caebb44 Version Packages (#16157)
• 779f5cd Backport: fix(provider-utils): cancel response body on download rejection to ...

[railway-app]

🚅 Deployed to the reqcore-pr-210 environment in applirank

Service	Status	Web	Updated (UTC)
applirank	✅ Success (View Logs)		Jun 19, 2026 at 12:18 pm