chore(deps): bump the production-dependencies group across 1 directory with 15 updates

[dependabot]

Bumps the production-dependencies group with 12 updates in the / directory:

Package	From	To
@ai-sdk/anthropic	3.0.82	3.0.85
@ai-sdk/google	3.0.80	3.0.83
@ai-sdk/openai	3.0.69	3.0.73
@aws-sdk/client-s3	3.1066.0	3.1073.0
@better-auth/sso	1.6.16	1.6.20
@nuxtjs/mdc	0.21.1	0.22.0
@posthog/nuxt	1.7.73	1.7.77
@tailwindcss/vite	4.3.0	4.3.1
ai	6.0.201	6.0.208
better-sqlite3	12.10.0	12.11.1
resend	6.12.4	6.14.0
vue	3.5.37	3.5.38

Updates @ai-sdk/anthropic from 3.0.82 to 3.0.85

Changelog

Sourced from @​ai-sdk/anthropic's changelog.

3.0.85

Patch Changes

• Updated dependencies [779f5cd]
  • @​ai-sdk/provider-utils@​4.0.30

3.0.84

Patch Changes

• Updated dependencies [bfa5864]
• Updated dependencies [f42aa79]
  • @​ai-sdk/provider-utils@​4.0.29

3.0.83

Patch Changes

• Updated dependencies [942f2f8]
  • @​ai-sdk/provider-utils@​4.0.28

Commits

• caebb44 Version Packages (#16157)
• bae9bab Version Packages (#16026)
• 9ef2c3c Version Packages (#15998)
• See full diff in compare view

Updates @ai-sdk/google from 3.0.80 to 3.0.83

Changelog

Sourced from @​ai-sdk/google's changelog.

3.0.83

Patch Changes

• Updated dependencies [779f5cd]
  • @​ai-sdk/provider-utils@​4.0.30

3.0.82

Patch Changes

• 3258f22: fix(google): prevent prototype pollution when streaming tool args

• bfa5864: fix: only send provider credentials to same-origin response-supplied URLs

  Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

  A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

• Updated dependencies [bfa5864]

• Updated dependencies [f42aa79]

  • @​ai-sdk/provider-utils@​4.0.29

3.0.81

Patch Changes

• Updated dependencies [942f2f8]
  • @​ai-sdk/provider-utils@​4.0.28

Commits

• caebb44 Version Packages (#16157)
• bae9bab Version Packages (#16026)
• 3258f22 Backport: fix(google): prevent prototype pollution when streaming tool args (...
• bfa5864 Backport: fix(providers): only send credentials to same-origin response-suppl...
• 9ef2c3c Version Packages (#15998)
• 7aca1fc backport: chore: update TypeScript references and fix `pnpm update-references...
• See full diff in compare view

Updates @ai-sdk/openai from 3.0.69 to 3.0.73

Release notes

Sourced from @​ai-sdk/openai's releases.

@​ai-sdk/openai@​3.0.73

Patch Changes

• 1274c07: fix(provider/openai): send client-executed tool calls as full function_call items in the Responses API so they pair with their function_call_output by call_id

Changelog

Sourced from @​ai-sdk/openai's changelog.

3.0.73

Patch Changes

• 1274c07: fix(provider/openai): send client-executed tool calls as full function_call items in the Responses API so they pair with their function_call_output by call_id

3.0.72

Patch Changes

• Updated dependencies [779f5cd]
  • @​ai-sdk/provider-utils@​4.0.30

3.0.71

Patch Changes

• Updated dependencies [bfa5864]
• Updated dependencies [f42aa79]
  • @​ai-sdk/provider-utils@​4.0.29

3.0.70

Patch Changes

• Updated dependencies [942f2f8]
  • @​ai-sdk/provider-utils@​4.0.28

Commits

• cc38fce Version Packages (#16229)
• 1274c07 Backport: fix(openai): send client-executed tool calls as full function_call ...
• caebb44 Version Packages (#16157)
• bae9bab Version Packages (#16026)
• 9ef2c3c Version Packages (#15998)
• See full diff in compare view

Updates @aws-sdk/client-s3 from 3.1066.0 to 3.1073.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1073.0

3.1073.0(2026-06-19)

New Features

• client-glue: Adds the SearchAssets operation for discovering assets in the AWS Glue Data Catalog using full-text search and filters. Minor naming refinements across the Glossary Terms and Attachment APIs for consistency. (ef204650)
• client-connect: This is the release for point based scoring system and the evaluation form validation project (b19c162a)
• client-bedrock-agent: Add support for metadata-only retrieval on GetFlow, GetFlowVersion, and GetPrompt APIs. (c9d5fb33)
• client-appstream: Amazon WorkSpaces Agent Access now supports domain-joined fleets for enterprise identity integration, real-time agent observation with instant stop controls, and MCP tool forwarding for lower-latency, cost-effective desktop tool access. (d9c25f0b)
• client-opensearch: This release introduces data source attachment APIs, enabling users to attach and detach Amazon OpenSearch Service domains and Amazon OpenSearch Serverless collections to an OpenSearch application. (6cce3d69)

---

For list of updated packages, view updated-packages.md in assets-3.1073.0.zip

v3.1072.0

3.1072.0(2026-06-18)

Documentation Changes

• client-ec2: Documentation updates clarifying CancelCapacityReservation cancellable states (e3723ba7)

New Features

• client-compute-optimizer: This release surfaces two new metrics Volume IOPS Exceeded and Volume Throughput Exceeded into EBS volume rightsizing recommendations. (ded6618d)
• client-application-auto-scaling: Adds support for ECS high-resolution predefined scaling metrics (ECSServiceAverageCPUUtilizationHighResolution, ECSServiceAverageMemoryUtilizationHighResolution) enabling 20-second metric periods for faster scaling (95b3513a)
• client-cognito-identity-provider: In order to support the new TLS Self-Service feature, this change adds SecurityPolicyType to CustomDomainConfigType. During CreateUserPoolDomain and UpdateUserPoolDomain this is used to select a custom domain's TLS enforcement, and for DescribeUserPoolDomain it informs users about the current TLS. (e8937787)
• client-sagemaker: Adds support for automatic AMI patching on HyperPod clusters. Customers can configure patching strategies to automatically apply security patch with zero job termination. Customers can also specify an AMI version at instance group level and update cluster software to a certain AMI version. (fd33a5e4)
• client-ecs: Amazon ECS services now support high resolution (20 second) CloudWatch metrics for CPUUtilization and MemoryUtilization. Use these metrics for faster service auto scaling. (93055ac9)
• client-healthlake: Adding New Configurations to the FHIR Create Datastore. The new configurations include NLP Configuration, AnalyticsConfiguration, ProfileConfiguration (494fa59f)
• client-gamelift: Amazon GameLift Servers has launched support for customizing Linux capabilities in container fleets. You can now specify additional Linux capabilities for containers in a container group definition, giving you finer control over the default Docker capabilities available to your containers. (93cefd90)
• client-eks: Adds support for configurable control plane egress routing in Amazon EKS, allowing you to route control plane egress traffic through your VPC and control how the control plane reaches resources in your network such as webhook servers and OIDC providers. (693db629)
• client-lambda: Converging and fixing existing documentation gaps in Lambda SDK (6555a565)
• client-synthetics: CloudWatch Synthetics adds support for multi-location canaries. Customers can now monitor their endpoints from multiple locations with centralized management from a primary location. The SDK includes new parameters for configuring multiple locations and tracking their state. (f2c8b480)
• client-cloudwatch-logs: Added optional startFromHead parameter to FilterLogEvents enabling descending timestamp order (newest first) when set to false. Default true preserves existing ascending order. Reverse sorting requires a startTime on or after Jan 1, 2024. (1be63ed9)
• client-batch: Adds Support for ordered allocation strategies- BEST-FIT-PROGRESSIVE-ORDERED or SPOT-CAPACITY-OPTIMIZED-PRIORITIZED (0e57e53b)

---

For list of updated packages, view updated-packages.md in assets-3.1072.0.zip

v3.1071.0

3.1071.0(2026-06-17)

New Features

• client-partnercentral-selling: Cosell Resonate AND Prospecing API Launch with ARN correction (7e8c98ab)
• client-compute-optimizer-automation: This launch adds IfExists comparison operators to Compute Optimizer Automation rule criteria, so a rule can include recommended actions whose specified attribute isn't present. (ab2c616d)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1073.0 (2026-06-19)

Note: Version bump only for package @​aws-sdk/client-s3

3.1072.0 (2026-06-18)

Note: Version bump only for package @​aws-sdk/client-s3

3.1071.0 (2026-06-17)

Note: Version bump only for package @​aws-sdk/client-s3

3.1070.0 (2026-06-16)

Features

• client-s3: Added support for annotations. You can now attach up to 1000 annotations (up to 1 MB each) directly to objects and create, retrieve, list, and delete them using new annotation APIs. Also added support for configuring an annotation table in S3 Metadata. (c555874)

3.1069.0 (2026-06-15)

Note: Version bump only for package @​aws-sdk/client-s3

3.1068.0 (2026-06-12)

Note: Version bump only for package @​aws-sdk/client-s3

... (truncated)

Commits

• ee71adc Publish v3.1073.0
• 501cd33 Publish v3.1072.0
• 3ce820a Publish v3.1071.0
• 4f2cfe1 Publish v3.1070.0
• c555874 feat(client-s3): Added support for annotations. You can now attach up to 1000...
• 7058d13 Publish v3.1069.0
• 67981c5 chore(scripts): tuning the build graph (#8095)
• 0632f6d Publish v3.1068.0
• 0a3246f Publish v3.1067.0
• See full diff in compare view

Updates @better-auth/sso from 1.6.16 to 1.6.20

Release notes

Sourced from @​better-auth/sso's releases.

v1.6.20

better-auth

Bug Fixes

• Fixed account-linking logs to route through the configured logger (#10121)
• Fixed TypeScript inference errors by declaring inherited APIError properties (#8734)
• Fixed refresh cookie Max-Age to be capped at expiresIn (#9621)

For detailed changes, see CHANGELOG

@better-auth/i18n

Bug Fixes

• Fixed English language fallback behavior and improved i18n documentation (#9872)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​adityachaudhary99, @​dipan-ck, @​sleepe229, @​WilsonnnTan

Full changelog: v1.6.19...v1.6.20

v1.6.19

better-auth

Features

• Added support for pre-binding device codes to a specific user in the device authorization plugin (#9995)

Bug Fixes

• Fixed headerless session checks (#10053)
• Fixed cookie cache fallback lookup (#9348)
• Fixed sendVerificationEmail errors not being surfaced to the client (#8863)
• Fixed auth client return types not being emitted correctly in TypeScript declaration builds (#10071)
• Fixed session and account cache cookies being silently dropped when near the browser's per-cookie size limit by splitting them into chunks (#10088)
• Fixed single-use verification flows (such as magic-link) hanging on connection-limited database adapters by reusing active transactions (#10070)
• Fixed the domain not being included when clearing cross-subdomain cookies in the last-login-method plugin (#9319)
• Fixed the oauth-popup plugin leaking internal OAuth state keys into additionalData (#10067)
• Reverted the headerless session check fix (#10074)

For detailed changes, see CHANGELOG

auth

... (truncated)

Changelog

Sourced from @​better-auth/sso's changelog.

1.6.20

Patch Changes

• Updated dependencies [21448b1, 8ecf238, 930f534]:
  • better-auth@1.6.20
  • @​better-auth/core@​1.6.20

1.6.19

Patch Changes

• Updated dependencies [de4aa52, b4b0266, 5bd5e1c, 581f827, 8407885, c1a8a64, 635f190, a787e0b, c2f718f, 7d18175]:
  • better-auth@1.6.19
  • @​better-auth/core@​1.6.19

1.6.18

Patch Changes

• Updated dependencies [9ef7240, b21a5f7]:
  • better-auth@1.6.18
  • @​better-auth/core@​1.6.18

1.6.17

Patch Changes

• #9993 baeaa00 Thanks @​gustavovalverde! - A SAML assertion submitted twice at the same time can no longer be accepted more than once; replay protection now holds under concurrent requests.

• #10003 fdef997 Thanks @​gustavovalverde! - With trustEmailVerified enabled, an OIDC email_verified claim or mapped SAML attribute whose value is the string "false" is no longer treated as a verified email. Only a boolean true or the string "true" counts as verified.

• #10002 ed7b6c9 Thanks @​gustavovalverde! - Organization admins and owners can now request and verify domain ownership for an SSO provider their organization owns, even if another member registered it. Previously only the member who created the provider could verify its domain.

• Updated dependencies [baeaa00, 3e99e6c, 96c78c3, baeaa00, baeaa00, 0c3856f, baeaa00, baeaa00, ed7b6c9, e0a768c, 7343284, 0c3856f, baeaa00, baeaa00, 7343284, 7343284, 0c3856f, fdef997, 0c3856f, d9c526b, 0c3856f, fdef997, baeaa00, baeaa00, baeaa00, baeaa00, fdef997, 7343284, baeaa00, 8960f5f, baeaa00, 5c289b5, 1dbf5bb, baeaa00, baeaa00, 59e0ccb, b803c61, fdef997]:

  • better-auth@1.6.17
  • @​better-auth/core@​1.6.17

Commits

• c342f42 chore: release v1.6.20 (#10108)
• ac4d81d chore: release v1.6.19 (#10034)
• 04debbf chore: release v1.6.18 (#10026)
• 0d8b238 chore: release v1.6.17 (#9984)
• ed7b6c9 fix: enforce team capacity, constant-time SCIM tokens, and org-admin SSO doma...
• fdef997 fix: harden provider identity validation (One Tap, Microsoft, SSO, WeChat, Re...
• baeaa00 fix: make single-use credentials, counters, and replay markers atomic (#9993)
• See full diff in compare view

Updates @nuxtjs/mdc from 0.21.1 to 0.22.0

Release notes

Sourced from @​nuxtjs/mdc's releases.

v0.22.0

• chore: upgrade deps (b3de9fc)
• docs: add Comark migration guide in README (595fe77)

Changelog

Sourced from @​nuxtjs/mdc's changelog.

v0.22.0

compare changes

📖 Documentation

• Add Comark migration guide in README (595fe77)

🏡 Chore

• Upgrade deps (b3de9fc)

❤️ Contributors

• Farnabaz farnabaz@gmail.com

Commits

• 88b95a9 chore(release): release v0.22.0
• b3de9fc chore: upgrade deps
• 595fe77 docs: add Comark migration guide in README
• See full diff in compare view

Updates @posthog/nuxt from 1.7.73 to 1.7.77

Release notes

Sourced from @​posthog/nuxt's releases.

@​posthog/nuxt@​1.7.77

1.7.77

Patch Changes

• #3886 e6d7fe2 Thanks @​marandaneto! - Stop sending deprecated no-op top-level type, library, and library_version fields in event batch payloads. Use properties.$lib and properties.$lib_version for SDK metadata; legacy queued library and library_version values are used as fallbacks when the official $ properties are missing. (2026-06-18)
• Updated dependencies [e6d7fe2]:
  • @​posthog/core@​1.35.2
  • posthog-node@5.38.1

@​posthog/nuxt@​1.7.76

1.7.76

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)
• Updated dependencies [29bf8e3, d3a9462]:
  • posthog-js@1.386.7
  • @​posthog/core@​1.32.4
  • posthog-node@5.37.1
  • @​posthog/plugin-utils@​1.1.2

@​posthog/nuxt@​1.7.75

1.7.75

Patch Changes

• Updated dependencies [5ddfd44, dbf2377, 21441a8]:
  • posthog-js@1.386.3
  • @​posthog/core@​1.32.3
  • posthog-node@5.36.17

@​posthog/nuxt@​1.7.74

1.7.74

Patch Changes

• Updated dependencies [25822ac]:
  • @​posthog/core@​1.32.2
  • posthog-js@1.386.2
  • posthog-node@5.36.16

Changelog

Sourced from @​posthog/nuxt's changelog.

1.7.77

Patch Changes

• #3886 e6d7fe2 Thanks @​marandaneto! - Stop sending deprecated no-op top-level type, library, and library_version fields in event batch payloads. Use properties.$lib and properties.$lib_version for SDK metadata; legacy queued library and library_version values are used as fallbacks when the official $ properties are missing. (2026-06-18)
• Updated dependencies [e6d7fe2]:
  • @​posthog/core@​1.35.2
  • posthog-node@5.38.1

1.7.76

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)
• Updated dependencies [29bf8e3, d3a9462]:
  • posthog-js@1.386.7
  • @​posthog/core@​1.32.4
  • posthog-node@5.37.1
  • @​posthog/plugin-utils@​1.1.2

1.7.75

Patch Changes

• Updated dependencies [5ddfd44, dbf2377, 21441a8]:
  • posthog-js@1.386.3
  • @​posthog/core@​1.32.3
  • posthog-node@5.36.17

1.7.74

Patch Changes

• Updated dependencies [25822ac]:
  • @​posthog/core@​1.32.2
  • posthog-js@1.386.2
  • posthog-node@5.36.16

Commits

• 229efff chore: update versions and lockfile [version bump]
• 47aea13 chore: update versions and lockfile [version bump]
• 29bf8e3 fix: add missing bugs metadata (#3837)
• be08a64 docs: centralize SDK examples in official docs (#3825)
• 1f2c06b chore: make workspace releases explicit (#3803)
• c7abf85 chore: update versions and lockfile [version bump]
• 5fe3bd4 chore: update versions and lockfile [version bump]
• See full diff in compare view

Updates @tailwindcss/vite from 4.3.0 to 4.3.1

Release notes

Sourced from @​tailwindcss/vite's releases.

v4.3.1

Added

• Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

• Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
• Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
• Allow @apply to be used with CSS mixins (#19427)
• Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
• Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
• Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
• Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
• Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)] → px-[calc(1rem+0)]) (#20127)
• Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px] → left-[99999px], not left-24999.75) (#20130)
• Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
• Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
• Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
• Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
• Allow @variant to be used inside addBase (#19480)
• Ensure @source globs with symlinks are preserved (#20203)
• Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
• Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
• Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
• Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
• Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
• Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)] → w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
• Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

• Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
• Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)

Changelog

Sourced from @​tailwindcss/vite's changelog.

[4.3.1] - 2026-06-12

Added

• Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

• Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
• Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
• Allow @apply to be used with CSS mixins (#19427)
• Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
• Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
• Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
• Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
• Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)] → px-[calc(1rem+0)]) (#20127)
• Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px] → left-[99999px], not left-24999.75) (#20130)
• Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
• Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
• Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
• Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
• Allow @variant to be used inside addBase (#19480)
• Ensure @source globs with symlinks are preserved (#20203)
• Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
• Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
• Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
• Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
• Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
• Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)] → w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
• Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

• Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
• Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)

Commits

• 8a14a71 4.3.1 (#20226)
• 73983e1 Fix 'Sourcemap is likely to be incorrect' warnings when using `@tailwindcss/v...
• See full diff in compare view

Updates ai from 6.0.201 to 6.0.208

Release notes

Sourced from ai's releases.

ai@6.0.208

Patch Changes

• 8261640: fix(ai): handle partial unicode escapes in fixJson
• f994df3: Serialize undefined tool output to null in UI message chunks

ai@6.0.207

Patch Changes

• 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

  When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

• Updated dependencies [5bfde36]

• Updated dependencies [779f5cd]

  • @​ai-sdk/gateway@​3.0.133
  • @​ai-sdk/provider-utils@​4.0.30

Changelog

Sourced from ai's changelog.

6.0.208

Patch Changes

• 8261640: fix(ai): handle partial unicode escapes in fixJson
• f994df3: Serialize undefined tool output to null in UI message chunks

6.0.207

Patch Changes

• 779f5cd: fix(provider-utils): cancel response body on download rejection to prevent socket leak

  When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit, download, and downloadBlob, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

• Updated dependencies [5bfde36]

• Updated dependencies [779f5cd]

  • @​ai-sdk/gateway@​3.0.133
  • @​ai-sdk/provider-utils@​4.0.30

6.0.206

Patch Changes

• Updated dependencies [e962dda]
  • @​ai-sdk/gateway@​3.0.132

6.0.205

Patch Changes

• Updated dependencies [6160ced]
• Updated dependencies [c9b8abd]
  • @​ai-sdk/gateway@​3.0.131

6.0.204

Patch Changes

• Updated dependencies [c5d4716]
  • @​ai-sdk/gateway@​3.0.130

6.0.203

Patch Changes

• f42aa79: fix: harden download URL SSRF guard against hostname and redirect bypasses

  validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:

... (truncated)

Commits

• 3270146 Version Packages (#16243)
• f994df3 Backport: Serialize undefined tool output to null in UI message chunks (#16240)
• 8261640 Backport: fix(ai): handle partial unicode escapes in fixJson (#16233)
• caebb44 Version Packages (#16157)
• 779f5cd Backport: fix(provider-utils): cancel response body on download rejection to ...
• 5623117 Version Packages (#16134)
• 5548672 Version Packages (#16097)
• 63b3f60 Version Packages (#16086)
• bae9bab Version Packages (#16026)
• b4b575a Backport: fix(ai): redact server error details from UI message streams by def...
• Additional commits viewable in compare view

Updates better-auth ...

Description has been truncated

[railway-app]

🚅 Deployed to the reqcore-pr-210 environment in applirank

Service	Status	Web	Updated (UTC)
applirank	✅ Success (View Logs)		Jun 22, 2026 at 4:24 am