Skip to content

chore(deps): bump the npm-minor-and-patch group across 1 directory with 9 updates#361

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-and-patch-eb64a442fc
Open

chore(deps): bump the npm-minor-and-patch group across 1 directory with 9 updates#361
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-and-patch-eb64a442fc

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-minor-and-patch group with 9 updates in the / directory:

Package From To
@copilotkit/aimock 1.35.1 1.36.0
tsx 4.23.0 4.23.1
turbo 2.10.4 2.10.5
verdaccio 6.7.4 6.8.0
@types/node 26.1.0 26.1.1
@langchain/core 1.2.1 1.2.2
@langchain/openai 1.5.3 1.5.5
@langchain/openrouter 0.4.3 0.4.5
@langchain/xai 1.4.3 1.4.5

Updates @copilotkit/aimock from 1.35.1 to 1.36.0

Release notes

Sourced from @​copilotkit/aimock's releases.

v1.36.0

What's Changed

Full Changelog: CopilotKit/aimock@v1.35.1...v1.36.0

Changelog

Sourced from @​copilotkit/aimock's changelog.

[1.36.0] - 2026-07-13

Added

  • On a fixture-miss passthrough (record/proxy mode), aimock can inject its own configured upstream provider key instead of forwarding a caller's dummy placeholder key. Every static-key provider aimock proxies is wired end-to-end, each with an independent AIMOCK_PROVIDER_<PROVIDER>_KEY env var applied with the provider-correct wire scheme: Authorization: Bearer for OpenAI (_OPENAI_KEY), OpenRouter (_OPENROUTER_KEY), Cohere (_COHERE_KEY), Grok/xAI (_GROK_KEY), and Ollama (_OLLAMA_KEY); x-api-key for Anthropic (_ANTHROPIC_KEY); x-goog-api-key for Gemini (_GEMINI_KEY, also used for Gemini Interactions) and Veo (_VEO_KEY); api-key for Azure OpenAI (_AZURE_KEY); xi-api-key for ElevenLabs (_ELEVENLABS_KEY); and Authorization: Key for fal.ai (_FAL_KEY). Injection fires only when the caller credential is absent or dummy-prefixed (sk-aimock-, overridable via AIMOCK_DUMMY_KEY_MARKER); a real caller key is always forwarded unchanged, an empty-string env var is treated as unset, and with no built-in key configured the feature is inert. Signed/exchanged credentials — AWS Bedrock (SigV4) and Vertex AI (OAuth) — are never rewritten (#293)
Commits
  • e6c3121 feat: aimock-owned upstream provider keys on fixture-miss passthrough (#293)
  • 4753feb feat: wire aimock-owned upstream keys for all static-key providers
  • 05ff862 docs: document AIMOCK_PROVIDER_*_KEY aimock-owned upstream keys
  • 5b7ce67 chore: release v1.36.0
  • b2ef945 feat: aimock-owned upstream provider keys on fixture-miss passthrough
  • 0f593a4 fix(drift): flag new voice/audio model families beyond the "realtime" substri...
  • 2e57ec6 fix(drift): normalize voice model ids to family keys to kill snapshot false p...
  • 6abd515 fix(drift): flag new voice/audio model families beyond the "realtime" substring
  • 666e0bb fix(drift): surface known-models canary drift as critical instead of crashing...
  • ec15911 test(drift): cover collector via real exports and property-based infra anchoring
  • Additional commits viewable in compare view

Updates tsx from 4.23.0 to 4.23.1

Release notes

Sourced from tsx's releases.

v4.23.1

4.23.1 (2026-07-13)

Bug Fixes

  • support tsImport after global preload (8d4ffc2)
  • watch: avoid clearing piped output (95d0672)
  • watch: treat script and dependency paths literally (79fddde)

Performance Improvements

  • index transform cache lazily (e818ad6)
  • load esbuild lazily in CLI (d067938)
  • map Node TypeScript formats directly (cdcc623)
  • use sync module hooks on Node v22.22.3+ (f8992f1)

This release is also available on:

Commits
  • 79fddde fix(watch): treat script and dependency paths literally
  • e818ad6 perf: index transform cache lazily
  • cdcc623 perf: map Node TypeScript formats directly
  • d067938 perf: load esbuild lazily in CLI
  • 95d0672 fix(watch): avoid clearing piped output
  • 6fd4607 docs: add per-page metadata
  • f4176d8 docs: generate sitemap
  • 8d4ffc2 fix: support tsImport after global preload
  • f0e89b2 docs: document Node's public type-stripping API vs internal loader path
  • f8992f1 perf: use sync module hooks on Node v22.22.3+
  • See full diff in compare view

Updates turbo from 2.10.4 to 2.10.5

Release notes

Sourced from turbo's releases.

Turborepo v2.10.5

What's Changed

Changelog

... (truncated)

Commits

Updates verdaccio from 6.7.4 to 6.8.0

Release notes

Sourced from verdaccio's releases.

v6.8.0

Minor Changes

  • 962fba8: feat: add unpublish notification hooks

    Port of #5920 (ref #5328). The notify webhook now also fires when a package is unpublished entirely and when a single version (tarball) is removed, not only on publish. Notification templates can distinguish the event through the new {{ publishType }} (publish | unpublish) and {{ publishedPackage }} variables, and the {{ publisher }} object exposes only name, groups and real_groups, so the remote user auth token can never leak to the notification endpoint (via @verdaccio/hooks 8.0.4).

Patch Changes

  • f0684dc: fix: return 403 to client when uplink responds with 403 for tarball requests

    Previously, any non-200/404 response from an uplink (e.g. a security proxy blocking a package download) would result in a generic 500 error being returned to the client. This change propagates 403 responses from the uplink through to the client, including any error detail from the response body, so callers can distinguish authorization failures from other upstream errors.

  • 3a84578: chore: refactor eslint

  • b7a5db1: fix: rate limit and bound the npm search v1 endpoint

    The /-/v1/search endpoint now applies the userRateLimit rate limiting middleware (matching the login, token and profile endpoints), clamps the size (max 250, like the public npm registry) and from (max 10000) pagination parameters, and stops evaluating package access as soon as the requested page is filled instead of running an auth check over the entire result set. The clamped values are also what gets forwarded to uplink registries (the raw request URL is no longer passed through), so the bounds hold end-to-end. This prevents cheap anonymous requests from triggering unbounded full-catalog scans. As part of this, pagination is fixed: results were sliced with slice(from, size) instead of slice(from, from + size), so pages beyond the first were wrong.

    Search results for local packages also emit npm-search-compatible maintainers ({ username, email }) — npm 11 on Node 24 crashes rendering entries without username (The "str" argument must be of type string. Received undefined) — and the publisher field is now populated from _npmUser when the publishing client provided it, falling back to the first maintainer, so the npm CLI shows the publishing user instead of by ???.

  • 808d916: fix: pick the right uplink for tarballs and heal missing distfile records

    Uplink selection. With several uplinks configured for a package, tarball downloads used the last uplink whose package pattern matched, even when the tarball url belongs to a different one, which could make downloads fail against registries that require authentication. The uplink is now selected by matching the tarball url: the registry recorded on the distfile wins, then the uplink whose url serves the file; when none matches, an autogenerated uplink with default settings is used. Single-uplink setups keep the previous behavior for tarballs hosted on another host (a CDN).

    Missing distfile records. Storages written by other verdaccio versions can carry cached versions without their _distfiles records, which made those tarballs permanently return 404 no such file available. The tarball location is now resolved from the version's dist.tarball metadata when the record is missing, and the record is restored when the tarball is cached.

  • a2de1d5: Update verdaccio dependencies to the latest npm dist-tag (@verdaccio/ui-theme tracks next-9):

    • @verdaccio/ui-theme: 9.0.0-next-9.209.0.0-next-9.21
Changelog

Sourced from verdaccio's changelog.

6.8.0

Minor Changes

  • 962fba8: feat: add unpublish notification hooks

    Port of #5920 (ref #5328). The notify webhook now also fires when a package is unpublished entirely and when a single version (tarball) is removed, not only on publish. Notification templates can distinguish the event through the new {{ publishType }} (publish | unpublish) and {{ publishedPackage }} variables, and the {{ publisher }} object exposes only name, groups and real_groups, so the remote user auth token can never leak to the notification endpoint (via @verdaccio/hooks 8.0.4).

Patch Changes

  • f0684dc: fix: return 403 to client when uplink responds with 403 for tarball requests

    Previously, any non-200/404 response from an uplink (e.g. a security proxy blocking a package download) would result in a generic 500 error being returned to the client. This change propagates 403 responses from the uplink through to the client, including any error detail from the response body, so callers can distinguish authorization failures from other upstream errors.

  • 3a84578: chore: refactor eslint

  • b7a5db1: fix: rate limit and bound the npm search v1 endpoint

    The /-/v1/search endpoint now applies the userRateLimit rate limiting middleware (matching the login, token and profile endpoints), clamps the size (max 250, like the public npm registry) and from (max 10000) pagination parameters, and stops evaluating package access as soon as the requested page is filled instead of running an auth check over the entire result set. The clamped values are also what gets forwarded to uplink registries (the raw request URL is no longer passed through), so the bounds hold end-to-end. This prevents cheap anonymous requests from triggering unbounded full-catalog scans. As part of this, pagination is fixed: results were sliced with slice(from, size) instead of slice(from, from + size), so pages beyond the first were wrong.

    Search results for local packages also emit npm-search-compatible maintainers ({ username, email }) — npm 11 on Node 24 crashes rendering entries without username (The "str" argument must be of type string. Received undefined) — and the publisher field is now populated from _npmUser when the publishing client provided it, falling back to the first maintainer, so the npm CLI shows the publishing user instead of by ???.

  • 808d916: fix: pick the right uplink for tarballs and heal missing distfile records

    Uplink selection. With several uplinks configured for a package, tarball downloads used the last uplink whose package pattern matched, even when the tarball url belongs to a different one, which could make downloads fail against registries that require authentication. The uplink is now selected by matching the tarball url: the registry recorded on the distfile wins, then the uplink whose url serves the file; when none matches, an autogenerated uplink with default settings is used. Single-uplink setups keep the previous behavior for tarballs hosted on another host (a CDN).

    Missing distfile records. Storages written by other verdaccio versions can carry cached versions without their _distfiles records, which made those tarballs permanently return 404 no such file available. The tarball location is now resolved from the version's dist.tarball metadata when the record is missing, and the record is restored when the tarball is cached.

  • a2de1d5: Update verdaccio dependencies to the latest npm dist-tag (@verdaccio/ui-theme tracks next-9):

    • @verdaccio/ui-theme: 9.0.0-next-9.209.0.0-next-9.21
Commits

Updates @types/node from 26.1.0 to 26.1.1

Commits

Updates @langchain/core from 1.2.1 to 1.2.2

Release notes

Sourced from @​langchain/core's releases.

@​langchain/core@​1.2.2

Patch Changes

  • #11171 82bef01 Thanks @​christian-bromann! - fix(core): coerce string v1 AIMessage content to text blocks

    Prevent contentBlocks.push is not a function when constructing an AIMessage with response_metadata.output_version === "v1" and string content (common in serialized LangGraph stream payloads).

Commits
  • cc39f56 chore: version packages (#11172)
  • 82bef01 fix(core): coerce string v1 AIMessage content to text blocks (#11171)
  • 8a7c5f8 chore: version packages (#11170)
  • 988ca7d fix(openai): emit output_text for assistant content in responses input (#11...
  • e233f41 chore: version packages (#11168)
  • 4c7a06e fix(langchain): malformed tool input schemas are unrecoverable (#11167)
  • 1a1fe3c chore(deps): bump the aws group across 1 directory with 7 updates (#11134)
  • 553155b chore(deps): bump js-yaml from 5.0.0 to 5.1.0 (#11142)
  • 24bde73 chore(deps): bump prettier from 3.8.3 to 3.9.4 in the typescript-eslint group...
  • 8db7263 fix: remove duplicate pnpm lockfile entries (#11141)
  • Additional commits viewable in compare view

Updates @langchain/openai from 1.5.3 to 1.5.5

Release notes

Sourced from @​langchain/openai's releases.

@​langchain/openai@​1.5.5

Patch Changes

@​langchain/openai@​1.5.4

Patch Changes

Commits
  • f51f338 chore: version packages (#11176)
  • 09e7f6d fix(openai): drop tool_call content blocks from chat completions input (#11...
  • a9f123a fix(openai): filter out content blocks the chat completions api rejects as in...
  • cc39f56 chore: version packages (#11172)
  • 82bef01 fix(core): coerce string v1 AIMessage content to text blocks (#11171)
  • 8a7c5f8 chore: version packages (#11170)
  • 988ca7d fix(openai): emit output_text for assistant content in responses input (#11...
  • e233f41 chore: version packages (#11168)
  • 4c7a06e fix(langchain): malformed tool input schemas are unrecoverable (#11167)
  • 1a1fe3c chore(deps): bump the aws group across 1 directory with 7 updates (#11134)
  • Additional commits viewable in compare view

Updates @langchain/openrouter from 0.4.3 to 0.4.5

Release notes

Sourced from @​langchain/openrouter's releases.

@​langchain/openrouter@​0.4.5

Patch Changes

@​langchain/openrouter@​0.4.4

Patch Changes

  • Updated dependencies [988ca7d]:
    • @​langchain/openai@​1.5.4
Changelog

Sourced from @​langchain/openrouter's changelog.

0.4.5

Patch Changes

0.4.4

Patch Changes

  • Updated dependencies [988ca7d]:
    • @​langchain/openai@​1.5.4
Commits

Updates @langchain/xai from 1.4.3 to 1.4.5

Release notes

Sourced from @​langchain/xai's releases.

@​langchain/xai@​1.4.5

Patch Changes

@​langchain/xai@​1.4.4

Patch Changes

  • Updated dependencies [988ca7d]:
    • @​langchain/openai@​1.5.4
Commits
  • f51f338 chore: version packages (#11176)
  • 09e7f6d fix(openai): drop tool_call content blocks from chat completions input (#11...
  • a9f123a fix(openai): filter out content blocks the chat completions api rejects as in...
  • cc39f56 chore: version packages (#11172)
  • 82bef01 fix(core): coerce string v1 AIMessage content to text blocks (#11171)
  • 8a7c5f8 chore: version packages (#11170)
  • 988ca7d fix(openai): emit output_text for assistant content in responses input (#11...
  • e233f41 chore: version packages (#11168)
  • 4c7a06e fix(langchain): malformed tool input schemas are unrecoverable (#11167)
  • 1a1fe3c chore(deps): bump the aws group across 1 directory with 7 updates (#11134)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…th 9 updates

Bumps the npm-minor-and-patch group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@copilotkit/aimock](https://github.com/CopilotKit/aimock) | `1.35.1` | `1.36.0` |
| [tsx](https://github.com/privatenumber/tsx) | `4.23.0` | `4.23.1` |
| [turbo](https://github.com/vercel/turborepo) | `2.10.4` | `2.10.5` |
| [verdaccio](https://github.com/verdaccio/verdaccio) | `6.7.4` | `6.8.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `26.1.0` | `26.1.1` |
| [@langchain/core](https://github.com/langchain-ai/langchainjs) | `1.2.1` | `1.2.2` |
| [@langchain/openai](https://github.com/langchain-ai/langchainjs) | `1.5.3` | `1.5.5` |
| [@langchain/openrouter](https://github.com/langchain-ai/langchainjs/tree/HEAD/libs/providers/langchain-openrouter) | `0.4.3` | `0.4.5` |
| [@langchain/xai](https://github.com/langchain-ai/langchainjs) | `1.4.3` | `1.4.5` |



Updates `@copilotkit/aimock` from 1.35.1 to 1.36.0
- [Release notes](https://github.com/CopilotKit/aimock/releases)
- [Changelog](https://github.com/CopilotKit/aimock/blob/main/CHANGELOG.md)
- [Commits](CopilotKit/aimock@v1.35.1...v1.36.0)

Updates `tsx` from 4.23.0 to 4.23.1
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.23.0...v4.23.1)

Updates `turbo` from 2.10.4 to 2.10.5
- [Release notes](https://github.com/vercel/turborepo/releases)
- [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md)
- [Commits](vercel/turborepo@v2.10.4...v2.10.5)

Updates `verdaccio` from 6.7.4 to 6.8.0
- [Release notes](https://github.com/verdaccio/verdaccio/releases)
- [Changelog](https://github.com/verdaccio/verdaccio/blob/v6.8.0/CHANGELOG.md)
- [Commits](verdaccio/verdaccio@v6.7.4...v6.8.0)

Updates `@types/node` from 26.1.0 to 26.1.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@langchain/core` from 1.2.1 to 1.2.2
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/core@1.2.1...@langchain/core@1.2.2)

Updates `@langchain/openai` from 1.5.3 to 1.5.5
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/openai@1.5.3...@langchain/openai@1.5.5)

Updates `@langchain/openrouter` from 0.4.3 to 0.4.5
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Changelog](https://github.com/langchain-ai/langchainjs/blob/main/libs/providers/langchain-openrouter/CHANGELOG.md)
- [Commits](https://github.com/langchain-ai/langchainjs/commits/@langchain/openrouter@0.4.5/libs/providers/langchain-openrouter)

Updates `@langchain/xai` from 1.4.3 to 1.4.5
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/xai@1.4.3...@langchain/xai@1.4.5)

---
updated-dependencies:
- dependency-name: "@copilotkit/aimock"
  dependency-version: 1.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
- dependency-name: tsx
  dependency-version: 4.23.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: turbo
  dependency-version: 2.10.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: verdaccio
  dependency-version: 6.8.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
- dependency-name: "@types/node"
  dependency-version: 26.1.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: "@langchain/core"
  dependency-version: 1.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: "@langchain/openai"
  dependency-version: 1.5.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: "@langchain/openrouter"
  dependency-version: 0.4.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: "@langchain/xai"
  dependency-version: 1.4.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 14, 2026
@dependabot
dependabot Bot requested a review from blove as a code owner July 14, 2026 17:36
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 14, 2026
@vercel

vercel Bot commented Jul 14, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
dawnai Ready Ready Preview, Comment Jul 14, 2026 5:37pm

Request Review

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated approval: this PR received an intelligent (AI) code review. See the review comments on this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants