chore(deps): update dependency ai to v5.0.52 [security]#42
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency ai to v5.0.52 [security]#42renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-ai-vulnerability
branch
from
8f291cf to
459db8b
Compare
renovate
Bot
force-pushed
the
renovate/npm-ai-vulnerability
branch
2 times, most recently
from
48dd6ba to
a1cbda4
Compare
renovate
Bot
force-pushed
the
renovate/npm-ai-vulnerability
branch
from
a1cbda4 to
5374a03
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/npm-ai-vulnerability
branch
2 times, most recently
from
5374a03 to
3df1d06
Compare
renovate
Bot
force-pushed
the
renovate/npm-ai-vulnerability
branch
from
3df1d06 to
83bc34f
Compare
renovate
Bot
force-pushed
the
renovate/npm-ai-vulnerability
branch
from
83bc34f to
ae7b110
Compare
renovate
Bot
force-pushed
the
renovate/npm-ai-vulnerability
branch
from
ae7b110 to
68b9429
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.0.16→5.0.52Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files
CVE-2025-48985 / GHSA-rwvc-j5jr-mgvh
More information
Details
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vercel/ai (ai)
v5.0.45Patch Changes
76024fc: fix(ai): fix static tool call and result detection when dynamic is undefined93d8b60: fix(ai): do not filter zero-length text parts that have provider optionsd8eb31f: fix(ai): fix webp image detection from base64v5.0.44Patch Changes
f49f924]v5.0.43Patch Changes
0294b58: feat(ai): setai,@ai-sdk/provider-utils, and runtime inuser-agentheader0294b58]v5.0.42Patch Changes
de5c066: fix(ai): forwarded providerExecuted flag in validateUIMessagesv5.0.41Patch Changes
cd91e4b: fix(ai): use correct type for reasoning outputsv5.0.40Patch Changes
4ee3719]v5.0.39Patch Changes
a0a725f: feat (ai): export createGatewayv5.0.38Patch Changes
350a328]v5.0.37Patch Changes
d6785d7: feat (ai): add tool and agent helpersv5.0.36Patch Changes
ccc2ded: feat (ai): export gateway providerv5.0.35Patch Changes
99c946a: export missing typev5.0.34Patch Changes
v5.0.33Patch Changes
5d59a8c]v5.0.32Patch Changes
b6005cd]v5.0.31Patch Changes
99964ed]v5.0.30Patch Changes
7fcc6be: feat(ai): throw InvalidArgumentError when messages is not providedv5.0.29Patch Changes
e0e9449: feat(ui): sent isAbort, isDisconnect, isError in useChat onFinish callbackv5.0.28Patch Changes
4b81e7d: fix(ai): remove vitest dependency from test exportsd68a4f2: feat(ai): log warningsv5.0.27Patch Changes
ca40fac: feat(ai): support custom download functions (experimental)v5.0.26Patch Changes
33cf848: feat(ai): pass messages touseChat({ onFinish })v5.0.25Patch Changes
ca65923: fix(ai): remove use ofexpect()from production code886e7cd]v5.0.24Patch Changes
f8f3682: fix: call onFinish when stream is cancelled in toUIMessageStreamPreviously, onFinish was only called on normal stream completion. Now it's also called when the reader is cancelled (e.g., browser close, navigation), ensuring partial messages are persisted.
Updated dependencies
v5.0.23Patch Changes
5099b3d: fix(ai): makechat.addToolResult()compatible with dynamic tool calls7a2bf8d: fix(ai): support loop breaking behavior in async iterable streamv5.0.22Patch Changes
v5.0.21Patch Changes
581abea: fix(ai): call abort callback when stream is aborted during tool execution3c178ec: feat(ai): improved type checking for prompt/messages input0857788]v5.0.20Patch Changes
8a87693: fix(ai) Make sure warnings promise in streamObject is resolved and properly collects and passes warningsv5.0.19Patch Changes
8da6e9c: fix(ai): use parsed tool input if possible when validation failsv5.0.18Patch Changes
8b96f99]v5.0.17Patch Changes
4176ecb: feat(ai): add reasoning text to generateObject result20f23f9: feat(ai): export LanguageModelMiddleware typeConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.