Bump @ai-sdk/google from 3.0.80 to 3.0.83 #42

Merged
will-lamerton merged 1 commit into main from dependabot/npm_and_yarn/ai-sdk/google-3.0.83 on Jun 22, 2026

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026

Bumps @ai-sdk/google from 3.0.80 to 3.0.83.

Changelog

Sourced from @​ai-sdk/google's changelog.

3.0.83

Patch Changes

  • Updated dependencies [779f5cd]
    • @​ai-sdk/provider-utils@​4.0.30

3.0.82

Patch Changes

  • 3258f22: fix(google): prevent prototype pollution when streaming tool args

  • bfa5864: fix: only send provider credentials to same-origin response-supplied URLs

    Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

    A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @​ai-sdk/provider-utils@​4.0.29

3.0.81

Patch Changes

  • Updated dependencies [942f2f8]
    • @​ai-sdk/provider-utils@​4.0.28
Commits
  • caebb44 Version Packages (#16157)
  • bae9bab Version Packages (#16026)
  • 3258f22 Backport: fix(google): prevent prototype pollution when streaming tool args (...
  • bfa5864 Backport: fix(providers): only send credentials to same-origin response-suppl...
  • 9ef2c3c Version Packages (#15998)
  • 7aca1fc backport: chore: update TypeScript references and fix `pnpm update-references...
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@ai-sdk/google](https://github.com/vercel/ai/tree/HEAD/packages/google) from 3.0.80 to 3.0.83.
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/google@3.0.83/packages/google/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/google@3.0.83/packages/google)

---
updated-dependencies:
- dependency-name: "@ai-sdk/google"
  dependency-version: 3.0.83
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and javascript labels Jun 21, 2026
@will-lamerton will-lamerton merged commit fc35fcb into main Jun 22, 2026
6 of 9 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/ai-sdk/google-3.0.83 branch June 22, 2026 19:37
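
The same-origin credential rule described in the 3.0.82 changelog entry above, as an added example that is not part of this PR or of the @ai-sdk source. `originsMatch`, `requestForFollowedUrl`, the hosts and the key are hypothetical; the signature of the real `isSameOrigin` helper is not shown on this page.

```javascript
// Added example. Names, hosts and the key are hypothetical, not @ai-sdk code.

// True only when both URLs are absolute and share scheme, host and port.
function originsMatch(candidateUrl, configuredBaseUrl) {
  try {
    const candidate = new URL(candidateUrl);
    const base = new URL(configuredBaseUrl);
    // Opaque origins serialize to "null" and must never count as a match.
    return candidate.origin !== 'null' && candidate.origin === base.origin;
  } catch {
    return false; // relative or malformed URL: fail closed, send no credential
  }
}

// Decide how to request a URL that came out of a provider response body.
// keyInQuery models clients that append ?key=<API_KEY> instead of a header.
function requestForFollowedUrl(followedUrl, { baseUrl, apiKey, keyInQuery = false }) {
  const credentialed = originsMatch(followedUrl, baseUrl);
  const headers = {};
  let url = followedUrl;
  if (credentialed && keyInQuery) {
    const withKey = new URL(followedUrl);
    withKey.searchParams.set('key', apiKey);
    url = withKey.toString();
  } else if (credentialed) {
    headers.authorization = `Bearer ${apiKey}`;
  }
  return { url, headers, credentialed };
}

// Constructed sample inputs (reserved .example/.test names).
const config = { baseUrl: 'https://api.provider.example/v1', apiKey: 'constructed-sample-key' };
const sampleUrls = [
  'https://api.provider.example/v1/predictions/abc', // same origin
  'https://api.provider.example:443/v1/status/1',     // default port normalizes
  'https://cdn.provider.example/out/video.mp4',       // sibling host (CDN)
  'http://api.provider.example/v1/status/1',          // scheme differs
  'https://api.provider.example:8443/v1/status/1',    // port differs
  'https://api.provider.example.collector.test/x',    // configured host is only a prefix
  'https://api.provider.example@collector.test/x',    // configured host sits in userinfo
  '/v1/status/1',                                     // relative, cannot be compared
];

function credentialDecisions(urls = sampleUrls, cfg = config) {
  return urls.map((u) => requestForFollowedUrl(u, cfg).credentialed);
}

console.log(credentialDecisions());
```

Foreign-origin URLs are still returned for fetching, only without the key, which matches the behaviour the changelog describes.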