chore(deps): update dependency ai to v5.0.206 #25

Open
renovate[bot] wants to merge 1 commit into main from renovate/ai-5.x-lockfile

renovate Bot commented Sep 26, 2025

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| ai (source) | 5.0.117 -> 5.0.206 | age | confidence |

Release Notes

vercel/ai (ai)

v5.0.206

Compare Source

Patch Changes

v5.0.205

Compare Source

Patch Changes

v5.0.204

Compare Source

Patch Changes
  • 9169261: fix(provider-utils): cancel response body on download rejection to prevent socket leak

    When a download was rejected early — because the Content-Length header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in readResponseWithSizeLimit and download, and fetchWithValidatedRedirects cancels each redirect hop's body before following or rejecting the next hop.

  • Updated dependencies [dd9349d]

  • Updated dependencies [9169261]

v5.0.203

Compare Source

Patch Changes

v5.0.202

Patch Changes

v5.0.200

Compare Source

Patch Changes
  • eea9166: fix: harden download URL SSRF guard against hostname and redirect bypasses

    validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:

    • A fully-qualified hostname with a trailing dot (e.g. localhost., myhost.local.) skipped the localhost/.local blocklist.
    • IPv6 addresses that embed an IPv4 address in their last 32 bits — IPv4-compatible (::127.0.0.1), IPv4-translated (::ffff:0:127.0.0.1), and NAT64 (64:ff9b::127.0.0.1, including the 64:ff9b:1::/48 local-use prefix) — were not decoded and checked against the private IPv4 ranges.
    • Redirects were validated only after fetch had already followed them, so the request to a redirect target (e.g. an internal/metadata address) had already been issued before the check ran.
    • Several reserved/internal address ranges were not blocked: CGNAT (100.64.0.0/10, used by some cloud providers for internal traffic), benchmarking (198.18.0.0/15), IETF protocol assignments (192.0.0.0/24), the reserved 240.0.0.0/4 block (including the 255.255.255.255 broadcast address), and IPv6 site-local (fec0::/10) and multicast (ff00::/8).

    The validator now strips trailing dots before the hostname checks and fully expands IPv6 addresses to detect embedded private IPv4 targets. The download helpers now follow redirects manually (redirect: 'manual'), re-validating each hop before requesting it, so an unsafe redirect target is never fetched. When a redirect cannot be inspected because the runtime returns an opaque response, the helpers fail closed (reject the redirect) on the server; only in a real browser — where SSRF is not reachable (fetch is constrained by CORS and cannot reach a server's internal network or cloud-metadata endpoints) — is the redirect followed natively so legitimate redirected downloads keep working.

  • 15cf74f: Harden stream text processing and middleware against prototype pollution from stream part IDs.

  • 8ad6f80: fix: redact server error details from UI message streams by default

    streamText(...).toUIMessageStream() and createUIMessageStream defaulted their onError callback to getErrorMessage, which serializes the raw error (error.toString() / JSON.stringify(error)) into the client-facing { type: 'error', errorText } chunk — and also into tool-output-error parts. The documented default was () => 'An error occurred.', so applications relying on the documented behavior were unknowingly streaming server exception details (internal hostnames, paths, provider request data, validation inputs) to end users.

    The default onError now returns the documented generic 'An error occurred.'. Raw error details are only emitted when the developer explicitly supplies an onError handler. This also redacts tool-output-error and invalid-tool-input error text by default; pass an onError to surface richer messages.

  • Updated dependencies [9f67efe]

  • Updated dependencies [eea9166]

v5.0.199

Compare Source

Patch Changes
  • 040dc83: fix(ai): return schema-transformed elements in array output mode

    Previously final array output validation checked each element against the schema but returned the raw model output. Array output now returns the validated values so Zod transforms, coercions, defaults, and pipes are applied consistently with object output.

v5.0.198

Compare Source

Patch Changes
  • b02267c: Harden UI message stream processing against prototype pollution from chunk IDs.

v5.0.197

Compare Source

Patch Changes

v5.0.196

Patch Changes

v5.0.194

Compare Source

Patch Changes

v5.0.193

Patch Changes

v5.0.192

Patch Changes

v5.0.190

Patch Changes

v5.0.188

Compare Source

Patch Changes
  • 1760d76: fix URL of hero animation in README

v5.0.187

Compare Source

Patch Changes

v5.0.186

Compare Source

Patch Changes

v5.0.185

Compare Source

Patch Changes

v5.0.184

Compare Source

Patch Changes
  • cb911d2: fix(ai): add allowSystemInMessages option and warn by default when system messages are found in prompt or messages

v5.0.183

Compare Source

Patch Changes

v5.0.182

Compare Source

Patch Changes

v5.0.181

Compare Source

Patch Changes

v5.0.180

Compare Source

Patch Changes

v5.0.179

Compare Source

Patch Changes
  • 5543cd1: Add AI Gateway hint to provider READMEs

v5.0.178

Compare Source

Patch Changes

v5.0.176

Compare Source

Patch Changes

v5.0.175

Compare Source

Patch Changes

v5.0.174

Compare Source

Patch Changes

v5.0.173

Compare Source

Patch Changes

v5.0.172

Compare Source

Patch Changes

v5.0.171

Compare Source

Patch Changes

v5.0.170

Compare Source

Patch Changes

v5.0.169

Compare Source

Patch Changes

v5.0.168

Compare Source

Patch Changes

v5.0.167

Compare Source

Patch Changes

v5.0.166

Compare Source

Patch Changes

v5.0.165

Compare Source

Patch Changes

v5.0.164

Compare Source

Patch Changes

v5.0.163

Compare Source

Patch Changes

v5.0.162

Compare Source

Patch Changes

v5.0.161

Compare Source

Patch Changes

v5.0.160

Compare Source

Patch Changes

v5.0.159

Compare Source

Patch Changes

v5.0.158

Compare Source

Patch Changes

v5.0.157

Compare Source

Patch Changes

v5.0.156

Compare Source

Patch Changes

v5.0.155

Compare Source

Patch Changes

v5.0.154

Compare Source

Patch Changes

v5.0.153

Compare Source

Patch Changes
  • c59a31c: Remove custom User-Agent header from HttpChatTransport to fix CORS preflight failures in Safari and Firefox

v5.0.152

Compare Source

Patch Changes

v5.0.151

Compare Source

Patch Changes

v5.0.150

Compare Source

Patch Changes

v5.0.149

Compare Source

Patch Changes
  • c66afc5: fix(security): validate redirect targets in download functions to prevent SSRF bypass

    download now validates the final URL after following HTTP redirects, preventing attackers from bypassing SSRF protections via open redirects to internal/private addresses.

v5.0.148

Compare Source

Patch Changes

v5.0.147

Compare Source

Patch Changes

v5.0.146

Compare Source

Patch Changes

v5.0.145

Compare Source

Patch Changes

v5.0.144

Compare Source

Patch Changes

v5.0.143

Compare Source

Patch Changes

v5.0.142

Compare Source

Patch Changes

v5.0.141

Compare Source

Patch Changes

v5.0.140

Compare Source

Patch Changes

v5.0.139

Compare Source

Patch Changes

v5.0.138

Compare Source

Patch Changes

v5.0.137

Compare Source

Patch Changes

v5.0.136

Compare Source

Patch Changes

v5.0.135

Compare Source

Patch Changes

v5.0.134

Compare Source

Patch Changes

v5.0.133

Compare Source

Patch Changes

v5.0.132

Compare Source

Patch Changes

v5.0.131

Compare Source

Patch Changes

v5.0.130

Compare Source

Patch Changes
  • 20565b8: security: prevent unbounded memory growth in download functions

    The download() and downloadBlob() functions now enforce a default 2 GiB size limit when downloading from user-provided URLs. Downloads that exceed this limit are aborted with a DownloadError instead of consuming unbounded memory and crashing the process. The abortSignal parameter is now passed through to fetch() in all download call sites.

    Added download option to transcribe() and experimental_generateVideo() for providing a custom download function. Use the new createDownload({ maxBytes }) factory to configure download size limits.

  • Updated dependencies [20565b8]

v5.0.129

Compare Source

Patch Changes

v5.0.128

Compare Source

Patch Changes

v5.0.127

Compare Source

Patch Changes

v5.0.126

Compare Source

Patch Changes

v5.0.125

Compare Source

Patch Changes

v5.0.124

Compare Source

Patch Changes

v5.0.123

Compare Source

Patch Changes

v5.0.122

Compare Source

Patch Changes

v5.0.121

Compare Source

Patch Changes

v5.0.120

Compare Source

Patch Changes

v5.0.119

Compare Source

Patch Changes

v5.0.118

Compare Source

Patch Changes
  • 42bad72: https://ai-sdk.dev -> https://v5.ai-sdk.dev

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
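
The hostname checks described in the v5.0.200 release note above (trailing-dot stripping, IPv6 expansion, embedded-IPv4 decoding, the added reserved ranges), sketched as an added example; this is not the AI SDK's `validateDownloadUrl` code, and `isBlockedHost`, `expandV6` and `isBlockedV4` are hypothetical names. It assumes, as the note states, that the embedded IPv4 address sits in the last 32 bits, and it does not resolve DNS names.

```javascript
// Added illustration with hypothetical names. Blocked IPv4 ranges as [base, prefix length].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.0.0.0', 24],
  ['192.168.0.0', 16], ['198.18.0.0', 15], ['240.0.0.0', 4],
];
const V4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isBlockedV4(ip) {
  const n = v4ToInt(ip); // division instead of shifts avoids 32-bit signed overflow
  return BLOCKED_V4.some(([base, len]) => Math.floor(n / 2 ** (32 - len)) === Math.floor(v4ToInt(base) / 2 ** (32 - len)));
}

// Expand an IPv6 literal to eight 16-bit groups; returns null if it is malformed.
function expandV6(ip) {
  let s = ip;
  const tail = s.match(/(\d+)\.(\d+)\.(\d+)\.(\d+)$/); // dotted-quad suffix, e.g. ::ffff:10.0.0.1
  if (tail) {
    const [a, b, c, d] = tail.slice(1).map(Number);
    if (Math.max(a, b, c, d) > 255) return null;
    s = s.slice(0, tail.index) + (a * 256 + b).toString(16) + ':' + (c * 256 + d).toString(16);
  }
  const parts = s.split('::');
  if (parts.length > 2) return null;
  const h = parts[0] ? parts[0].split(':') : [];
  const r = parts[1] ? parts[1].split(':') : [];
  const gap = parts.length === 2 ? Array(Math.max(0, 8 - h.length - r.length)).fill('0') : [];
  const g = [...h, ...gap, ...r].map((x) => (/^[0-9a-f]{1,4}$/.test(x) ? parseInt(x, 16) : NaN));
  return g.length === 8 && !g.some(Number.isNaN) ? g : null;
}

function isBlockedHost(hostname) {
  // URL.hostname brackets IPv6 literals; a trailing dot marks a fully-qualified name.
  const host = hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.+$/, '');
  if (host === 'localhost' || host.endsWith('.local')) return true;
  const m = V4.exec(host);
  if (m) return m.slice(1).some((o) => Number(o) > 255) || isBlockedV4(host);
  if (!host.includes(':')) return false; // DNS name; resolution-time checks are out of scope
  const g = expandV6(host);
  if (!g) return true; // fail closed on anything that does not parse
  const pre = g.slice(0, 6).join(',');
  if (pre === '0,0,0,0,0,0' && g[6] === 0 && g[7] <= 1) return true; // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00 || g[0] >= 0xfe80) return true; // fc00::/7, fe80::/10, fec0::/10, ff00::/8
  // Compatible, mapped, translated and NAT64 (64:ff9b::/96) prefixes, plus 64:ff9b:1::/48.
  const v4Prefixes = ['0,0,0,0,0,0', '0,0,0,0,0,65535', '0,0,0,0,65535,0', '100,65435,0,0,0,0'];
  const carriesV4 = v4Prefixes.includes(pre) || (g[0] === 0x64 && g[1] === 0xff9b && g[2] === 1);
  return carriesV4 && isBlockedV4(`${g[6] >> 8}.${g[6] & 255}.${g[7] >> 8}.${g[7] & 255}`);
}
```

Pass it `new URL(input).hostname`; Node normalizes a dotted-quad IPv6 tail to hex groups, and both spellings decode to the same embedded address here.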
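
The redirect handling described in the v5.0.200 and v5.0.204 notes above (manual redirects, re-validating each hop before requesting it, cancelling each hop's body, failing closed on an opaque redirect), as an added example rather than the SDK's `fetchWithValidatedRedirects`; `fetchWithRevalidation`, `isAllowed`, `fetchImpl` and `maxHops` are hypothetical names.

```javascript
// Added illustration; isAllowed is a caller-supplied URL check, fetchImpl an injectable fetch.
async function fetchWithRevalidation(url, { isAllowed, fetchImpl = fetch, maxHops = 5 } = {}) {
  let current = new URL(url);
  for (let hop = 0; hop <= maxHops; hop++) {
    // Validate before the request is issued, so an unsafe target is never contacted.
    if (!isAllowed(current)) throw new Error(`blocked URL: ${current.href}`);
    const res = await fetchImpl(current.href, { redirect: 'manual' });
    if (res.type === 'opaqueredirect') {
      // The redirect target cannot be inspected: fail closed.
      await res.body?.cancel();
      throw new Error('uninspectable redirect');
    }
    if (res.status < 300 || res.status >= 400) {
      if (!res.ok) {
        await res.body?.cancel(); // early rejection: release the socket to the pool
        throw new Error(`download failed: ${res.status}`);
      }
      return res; // caller reads the body, applying its own size limit
    }
    const location = res.headers.get('location');
    await res.body?.cancel(); // cancel this hop's body before following or rejecting
    if (!location) throw new Error('redirect without Location');
    current = new URL(location, current); // resolve relative redirects against this hop
  }
  throw new Error('too many redirects');
}
```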

vercel Bot commented Sep 26, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| code-copilot | Ready | Preview, Comment | Jun 25, 2026 1:14am |

coderabbitai Bot commented Sep 26, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from 35589ee to db95477 Compare September 26, 2025 21:34
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.55 chore(deps): update dependency ai to v5.0.56 Sep 26, 2025
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.56 chore(deps): update dependency ai to v5.0.57 Sep 29, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from db95477 to 6019c26 Compare September 29, 2025 12:29
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from 6019c26 to 1a0cc10 Compare September 30, 2025 00:51
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.57 chore(deps): update dependency ai to v5.0.59 Sep 30, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from 1a0cc10 to e422d79 Compare October 3, 2025 02:15
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.59 chore(deps): update dependency ai to v5.0.60 Oct 3, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from e422d79 to 4eaa301 Compare October 8, 2025 20:25
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.60 chore(deps): update dependency ai to v5.0.61 Oct 8, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from 4eaa301 to f18d4fd Compare October 9, 2025 09:46
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.61 chore(deps): update dependency ai to v5.0.62 Oct 9, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from f18d4fd to 6084f3b Compare October 9, 2025 13:15
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.62 chore(deps): update dependency ai to v5.0.63 Oct 9, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from 6084f3b to cd650e6 Compare October 9, 2025 16:55
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.63 chore(deps): update dependency ai to v5.0.64 Oct 9, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from cd650e6 to f4a861b Compare October 9, 2025 21:30
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.64 chore(deps): update dependency ai to v5.0.65 Oct 9, 2025
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.72 chore(deps): update dependency ai to v5.0.75 Oct 16, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from aa2dc7d to d88ffdc Compare October 17, 2025 10:39
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.75 chore(deps): update dependency ai to v5.0.76 Oct 17, 2025
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.76 chore(deps): update dependency ai to v5.0.77 Oct 23, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from d88ffdc to dfd1f3a Compare October 23, 2025 17:12
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from dfd1f3a to 08b0749 Compare October 24, 2025 02:14
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.77 chore(deps): update dependency ai to v5.0.78 Oct 24, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from 08b0749 to a6ff690 Compare October 25, 2025 20:41
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.78 chore(deps): update dependency ai to v5.0.79 Oct 25, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from a6ff690 to dc71375 Compare October 26, 2025 14:48
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.79 chore(deps): update dependency ai to v5.0.80 Oct 26, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from dc71375 to dce512d Compare November 2, 2025 07:36
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.80 chore(deps): update dependency ai to v5.0.86 Nov 2, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from dce512d to 61db56a Compare November 4, 2025 01:52
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.86 chore(deps): update dependency ai to v5.0.87 Nov 4, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from 61db56a to 2c04527 Compare November 6, 2025 07:16
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.87 chore(deps): update dependency ai to v5.0.88 Nov 6, 2025
@renovate renovate Bot force-pushed the renovate/ai-5.x-lockfile branch from 2c04527 to cd796e6 Compare November 6, 2025 23:38
@renovate renovate Bot changed the title chore(deps): update dependency ai to v5.0.88 chore(deps): update dependency ai to v5.0.89 Nov 6, 2025