build(deps): Bump the npm_and_yarn group across 1 directory with 5 updates #8785

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-ae0bc84ed2

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Bumps the npm_and_yarn group with 4 updates in the / directory: turbo, @ai-sdk/provider-utils, vitest and next.

Updates turbo from 2.5.4 to 2.9.14

Release notes

Sourced from turbo's releases.

Turborepo v2.9.14

[!NOTE] This release contains important security fixes.

High:

Low:

What's Changed

Changelog

New Contributors

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

Turborepo v2.9.13-canary.1

What's Changed

Changelog

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for turbo since your current version.


Updates @ai-sdk/provider-utils from 3.0.7 to 4.0.0

Release notes

Sourced from @​ai-sdk/provider-utils's releases.

@​ai-sdk/react@​4.0.0-canary.163

Patch Changes

  • ai@7.0.0-canary.160

@​ai-sdk/react@​4.0.0-canary.162

Patch Changes

  • Updated dependencies [dcefad3]
    • @​ai-sdk/mcp@​2.0.0-canary.56

@​ai-sdk/react@​4.0.0-canary.161

Patch Changes

  • Updated dependencies [b5092f5]
    • ai@7.0.0-canary.159

@​ai-sdk/react@​4.0.0-canary.160

Patch Changes

  • Updated dependencies [bcce2dd]
    • ai@7.0.0-canary.158

@​ai-sdk/vue@​4.0.0-canary.160

Patch Changes

  • ai@7.0.0-canary.160

@​ai-sdk/react@​4.0.0-canary.159

Patch Changes

  • ai@7.0.0-canary.157

@​ai-sdk/vue@​4.0.0-canary.159

Patch Changes

  • Updated dependencies [b5092f5]
    • ai@7.0.0-canary.159

@​ai-sdk/vue@​4.0.0-canary.158

Patch Changes

  • Updated dependencies [bcce2dd]
    • ai@7.0.0-canary.158

@​ai-sdk/vue@​4.0.0-canary.157

Patch Changes

  • ai@7.0.0-canary.157

... (truncated)

Changelog

Sourced from @​ai-sdk/provider-utils's changelog.

4.0.0

Major Changes

  • dee8b05: ai SDK 6 beta

Minor Changes

  • 78928cb: release: start 5.1 beta

Patch Changes

  • 0adc679: feat(provider): shared spec v3
  • 50b70d6: feat(anthropic): add programmatic tool calling
  • dce03c4: feat: tool input examples
  • 3b1d015: feat(ai): Effect schema support
  • 95f65c2: chore: use import * from zod/v4
  • 016b111: fix(provider-utils): make ReadableStream.cancel() properly finalize async iterators
  • 58920e0: refactor: consolidate header normalization across packages, remove duplicates, preserve custom headers
  • 954c356: feat(openai): allow custom names for provider-defined tools
  • 544d4e8: chore(specification): rename v3 provider defined tool to provider tool
  • 521c537: feat(ai): Tool.needsApproval can be a function
  • e8109d3: feat: tool execution approval
  • 03849b0: move DelayedPromise into provider utils
  • e06565c: feat(provider-utils): add needsApproval support to provider-defined tools
  • 32d8dbb: fix(provider-utils): compatibility with V8 readonly execution environment
  • d116b4b: feat(ai): arktype support
  • 293a6b7: Added a title to the tools
  • 703459a: feat: tool execution approval for dynamic tools
  • 83e5744: feat: support async Tool.toModelOutput
  • 7e32fea: feat(ai): valibot support
  • 3ed5519: chore: rename ToolCallOptions to ToolExecutionOptions
  • 8dac895: feat: LanguageModelV3
  • cbb1d35: Update for provider-util changeset after change in PR #8588
  • 9061dc0: feat: image editing
  • 32223c8: feat: add toolCallId arg to toModelOutput
  • c1efac4: feat: add input arg to toModelOutput
  • 4616b86: chore: update zod peer dependency version
  • 4f16c37: chore(provider-utils): upgrade eventsource-parser to 3.0.6
  • 81e29ab: chore: update docs
  • 6306603: chore: replace Validator with Schema
  • fca786b: feat(provider-utils): add MaybePromiseLike type
  • 763d04a: feat: Standard JSON Schema support
  • 3794514: feat: flexible tool output content support
  • e9e157f: fix: generate zod4 json schema from input schema
  • 960ec8f: chore: change argument of toModelOutput to parameter object
  • 1bd7d32: feat: tool-specific strict mode
  • f0b2157: fix: revert zod import change
  • 95f65c2: chore: load zod schemas lazily
  • Updated dependencies

... (truncated)

Commits

Updates vitest from 3.2.4 to 4.1.0

Release notes

Sourced from vitest's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

... (truncated)

Commits
  • 4150b91 chore: release v4.1.0
  • 1de0aa2 fix: correctly identify concurrent test during static analysis (#9846)
  • c3cac1c fix: use isAgent check, not just TTY, for watch mode (#9841)
  • eab68ba chore(deps): update all non-major dependencies (#9824)
  • 031f02a fix: allow catch/finally for async assertion (#9827)
  • 3e9e096 feat(reporters): add agent reporter to reduce ai agent token usage (#9779)
  • 0c2c013 chore: release v4.1.0-beta.6
  • 8181e06 fix: hideSkippedTests should not hide test.todo (fix #9562) (#9781)
  • a8216b0 fix: manual and redirect mock shouldn't load or transform original module...
  • 689a22a fix(browser): types of getCDPSession and cdp() (#9716)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.


Updates next from 15.3.8 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v15.5.16

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v15.5.15

Please refer to the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE]

... (truncated)

Commits
  • 9ff92ce v15.5.18
  • 00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
  • 62c97ab v15.5.17
  • 423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
  • fa78739 Turbopack: Fix middleware matcher suffix (#93590)
  • 36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
  • 36589b5 [backport][test] Pin package manager to patch versions (#93596)
  • ad6fd4e v15.5.16
  • 79d7dff Ignore malformed CSP nonce headers (#103)
  • c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Updates js-cookie from 3.0.5 to 3.0.8

Release notes

Sourced from js-cookie's releases.

v3.0.8

  • Restore ES5 compatibility, inadvertently broken in 3.0.7 - #959
  • Lift Node version restriction, inadvertently restricted to >= 20 in 3.0.7 - #956

v3.0.7

  • Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)
  • Add Partitioned attribute to readme (b994768)
  • Publish to npm registry via trusted publisher exclusively (4dc71be)
  • Ensure consistent behaviour for get('name') + get() (1953d30)
Commits
  • d7a1096 Craft v3.0.8 release
  • 248e685 Use existing Chrome with puppeteer
  • fc04269 Remove QUnit related workaround in Grunt config
  • 265a685 Tidy up package lock file
  • 478e591 Disable Node deprecation DEP0044 for release workflow
  • 331d524 Fix node version config for E2E test job
  • 11d773d Ensure ECMAScript compatibility
  • d788646 Remove engines property from package
  • e7d9a4d Fix typo in test assertion message
  • b5fca24 Make credentials use explicit in release workflow
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for js-cookie since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates

Bumps the npm_and_yarn group with 4 updates in the / directory: [turbo](https://github.com/vercel/turborepo), [@ai-sdk/provider-utils](https://github.com/vercel/ai/tree/HEAD/packages/provider-utils), [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) and [next](https://github.com/vercel/next.js).


Updates `turbo` from 2.5.4 to 2.9.14
- [Release notes](https://github.com/vercel/turborepo/releases)
- [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md)
- [Commits](vercel/turborepo@v2.5.4...v2.9.14)

Updates `@ai-sdk/provider-utils` from 3.0.7 to 4.0.0
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/main/packages/provider-utils/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/provider-utils@4.0.0/packages/provider-utils)

Updates `vitest` from 3.2.4 to 4.1.0
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest)

Updates `next` from 15.3.8 to 15.5.18
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.3.8...v15.5.18)

Updates `js-cookie` from 3.0.5 to 3.0.8
- [Release notes](https://github.com/js-cookie/js-cookie/releases)
- [Commits](js-cookie/js-cookie@v3.0.5...v3.0.8)

---
updated-dependencies:
- dependency-name: turbo
  dependency-version: 2.9.14
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@ai-sdk/provider-utils"
  dependency-version: 4.0.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 4.1.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.18
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-cookie
  dependency-version: 3.0.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels Dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) Jun 1, 2026
@dependabot dependabot Bot requested review from a team as code owners June 1, 2026 21:52

changeset-bot Bot commented Jun 1, 2026

⚠️ No Changeset found

Latest commit: cbeeb16

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


vercel Bot commented Jun 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs-v2 | Error | | Jun 1, 2026 9:58pm |
| nebula | Ready | Preview, Comment | Jun 1, 2026 9:58pm |
| thirdweb_playground | Error | | Jun 1, 2026 9:58pm |
| thirdweb-www | Error | | Jun 1, 2026 9:58pm |
| wallet-ui | Ready | Preview, Comment | Jun 1, 2026 9:58pm |

@github-actions github-actions Bot added the labels Dashboard (Involves changes to the Dashboard.), Playground (Changes involving the Playground codebase.), Portal (Involves changes to the Portal (docs) codebase.), packages, Ecosystem Portal (Involves changes to the Ecosystem Portal) and SDK (Involves changes to the thirdweb SDK) Jun 1, 2026
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

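| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | next@15.5.18 | 63 | 100 | 91 | 99 | 70 |
| Added | @ai-sdk/provider-utils@4.0.0 | 92 | 100 | 75 | 98 | 100 |
| Added | @wagmi/cli@2.10.0 | 77 | 100 | 77 | 89 | 100 |
| Updated | vitest@3.2.4 ⏵ 4.1.0 | 96 (+1) | 100 (+75) | 79 (+1) | 99 (+2) | 100 |
| Added | turbo@2.9.14 | 100 | 100 | 85 | 97 | 100 |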

View full report

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm js-yaml is 85.0% likely obfuscated

Confidence: 0.85

Location: Package overview

From: pnpm-lock.yaml npm/@coinbase/wallet-mobile-sdk@1.1.2 npm/expo-application@6.0.1 npm/@mobile-wallet-protocol/client@1.0.0 npm/expo-linking@8.0.8 npm/@abstract-foundation/agw-react@1.10.0 npm/expo-web-browser@15.0.9 npm/wagmi@2.19.4 npm/js-yaml@4.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
