chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@ai-sdk/mcp (source)	^1.0.39 → ^1.0.41
@better-auth/api-key (source)	^1.6.9 → ^1.6.10
@changesets/changelog-github (source)	^0.6.0 → ^0.7.0
@iconify-json/lucide	^1.2.105 → ^1.2.106
@iconify-json/simple-icons	^1.2.80 → ^1.2.81
@vue/compiler-sfc (source)	^3.5.33 → ^3.5.34
ai (source)	^6.0.175 → ^6.0.177
better-auth (source)	^1.6.9 → ^1.6.10
docus	^5.10.0 → ^5.11.0
evlog (source)	^2.15.0 → ^2.17.0
pnpm (source)	10.33.3 → 10.33.4
pnpm (source)	10.33.3 → 10.33.4
shaders	^2.5.113 → ^2.5.117
turbo (source)	^2.9.9 → ^2.9.12
vite (source)	^8.0.10 → ^8.0.11
vue (source)	^3.5.33 → ^3.5.34

---

Release Notes

vercel/ai (@​ai-sdk/mcp)

v1.0.41

Compare Source

Patch Changes

• f591416: feat(ai): add toolMetadata for tool specific metdata
• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27

v1.0.40

Compare Source

Patch Changes

• 221a984: Add resource_link content type to CallToolResultSchema and PromptMessageSchema per MCP spec. Fixes hard rejection when MCP servers return resource_link content parts with zod ≥ 4.4.x.
• 0084974: feat(mcp): deprecate name and use clientName for MCPClient

better-auth/better-auth (@​better-auth/api-key)

v1.6.10

Compare Source

Patch Changes

• #​9393 62c4050 Thanks @​IcanDivideBy0! - api.verifyApiKey now validate the key configId is matching the one in the body

• Updated dependencies [1e0f26d, 8c1e917, b2d655c, 09f1327, 906b7b3, e9c978e, e71aad3, 80a655d, 15ff28a, 88a7c67, 9a7b51d, 1b25902, cf59136, a597ee0, fc02ced, 9f1ef1f, 36ef808, c1336c5, 3a9a2c3, fde0432, 2220a6d]:

  • better-auth@​1.6.10
  • @​better-auth/core@​1.6.10

changesets/changesets (@​changesets/changelog-github)

v0.7.0

Compare Source

Minor Changes

• #​1255 94578cf Thanks @​Kauhsa! - Added disableThanks option

vuejs/core (@​vue/compiler-sfc)

v3.5.34

Compare Source

Bug Fixes

• compiler-sfc: infer Vue ref wrapper types when source is unresolvable (#​14758) (7f46fd4), closes #​14729
• compiler-sfc: preserve hash hrefs on <image> elements (#​14756) (090b2e3)
• compiler-sfc: resolve type re-exports inside declare global (#​14766) (acfffe3)
• reactivity: prevent orphan effect when created in a stopped scope (#​14778) (c8e2d4a), closes #​14777
• runtime-core: avoid symbol coercion during props validation (#​8539) (23d4fb5), closes #​8487
• suspense: avoid DOM leak with out-in transition in v-if fragment (#​14762) (9667e0d), closes #​14761

better-auth/better-auth (better-auth)

v1.6.10

Compare Source

Patch Changes

• #​8339 1e0f26d Thanks @​ping-maxwell! - fix(captcha): breaks email-otp flow

• #​9484 8c1e917 Thanks @​ping-maxwell! - fix: warn for cookie-plugin being last in array

• #​9437 b2d655c Thanks @​cyphercodes! - Allow organization invitation role input types to accept dynamic access control roles.

• #​9497 09f1327 Thanks @​bytaesu! - Endpoints that set cookies before redirecting (such as social sign-in
  callbacks and magic-link verification) no longer emit each Set-Cookie
  entry twice on the response.

• #​9387 906b7b3 Thanks @​bytaesu! - The bearer plugin now produces a single entry per cookie name when merging
  its session token into the request Cookie header. Previously the merged
  header could carry two entries for the same name if the request already
  had a stale session cookie, which would surface to downstream code that
  picks the first occurrence.

• #​9475 e9c978e Thanks @​jaydeep-pipaliya! - fix(username): respect callbackURL on /sign-in/username

  The endpoint accepted a callbackURL body field but ignored it, so
  authClient.signIn.username({ ..., callbackURL }) silently did nothing
  while authClient.signIn.email redirected as expected. The handler now
  sets a Location header when callbackURL is provided and returns
  { redirect, url } alongside token/user, matching the email flow.

• #​9440 e71aad3 Thanks @​cyphercodes! - Clear organization active hook state after sign-out so useActiveMemberRole does not retain a previous user's role in SPA sign-out/sign-in flows.

• #​9402 80a655d Thanks @​onmax! - Revalidate the client session after admin impersonation starts or stops.

• #​9503 15ff28a Thanks @​bytaesu! - internalAdapter.deleteAccount parameter renamed from accountId to id to reflect that it queries by primary key, not the accountId column. No runtime behavior change.

• #​9268 88a7c67 Thanks @​ping-maxwell! - fix: openAPI schema for POST /sign-in/social mis-declares required fields

• #​8839 9a7b51d Thanks @​dipan-ck! - Apply email enumeration protection when emailAndPassword.autoSignIn is false. Duplicate sign-ups now return a synthetic user (token: null) and trigger onExistingUserSignUp, and new sign-ups skip auto sign-in (token: null)—even without requireEmailVerification, aligning with the docs.

• #​9065 1b25902 Thanks @​ping-maxwell! - non-ASCII error_description in generic-oauth callback routes causes TypeError on redirect

• #​9349 cf59136 Thanks @​ping-maxwell! - fix(organization): re-export field types to prevent TS2742 with additionalFields

• #​9453 a597ee0 Thanks @​mausic! - The organization plugin's cancelPendingInvitationsOnReInvite option now actually cancels the prior pending invitation when re-inviting the same email. Previously the option had no effect — re-inviting always failed with USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION

• #​9456 fc02ced Thanks @​cyphercodes! - Reject OAuth callbacks when provider user info omits the account id to avoid linking accounts under the literal undefined id.

• #​9461 9f1ef1f Thanks @​cyphercodes! - Expose authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint.

• #​9369 36ef808 Thanks @​ping-maxwell! - fix: incorrect email casing across one-tap, email-otp & email-verification

• #​9239 c1336c5 Thanks @​GautamBytes! - Fix organization.setActiveTeam so it only accepts teams from the current active organization.

• #​7764 3a9a2c3 Thanks @​programming-with-ia! - chore: expose refreshUserSessions on internal adapter

• #​9521 fde0432 Thanks @​ping-maxwell! - fix: improve link accessibility issues

• Updated dependencies [2220a6d]:

  • @​better-auth/core@​1.6.10
  • @​better-auth/drizzle-adapter@​1.6.10
  • @​better-auth/kysely-adapter@​1.6.10
  • @​better-auth/memory-adapter@​1.6.10
  • @​better-auth/mongo-adapter@​1.6.10
  • @​better-auth/prisma-adapter@​1.6.10
  • @​better-auth/telemetry@​1.6.10

nuxt-content/docus (docus)

v5.11.0

Compare Source

Features

• css: add support for app/app.css to avoid duplicate tailwind (#​1364) (98f68d5)
• layer: set ContentTOC default variant to circuit (#​1360) (7d90d20)
• toc: improve main grid to make it wider (#​1363) (45c65cc)

Bug Fixes

• css: don't use @​layer base for prod hydration (73606b7)
• layer: incorrect MCP tools when app.baseURL is set (#​1361) (f7e42eb)
• mcp: respect mcp.route in page header dropdown (#​1362) (5c36cd4)

v5.10.1

Compare Source

Bug Fixes

• ai: make sure to set markdown headers as response (#​1348) (cc0fc5b)
• assistant: use internal fetch for MCP on workers (#​1309) (596d027)

HugoRCD/evlog (evlog)

v2.17.0

Compare Source

What's Changed

Features 🚀

• feat(evlog): add error and audit catalog primitives by @​HugoRCD in #​325
• feat(evlog): tag drain requests with User-Agent + X-Evlog-Source by @​HugoRCD in #​328
• feat(fs): add readFsLogs and tailFsLogs readers by @​HugoRCD in #​329
• feat(stream): local SSE stream server by @​HugoRCD in #​332

Bug Fixes 🐞

• fix(better-auth): narrow getSession headers type to Headers by @​HugoRCD in #​333
• fix: emit wide event on client disconnect in express and nestjs by @​HugoRCD in #​336

Documentation 📚

• docs: add changeset requirement to agent guidelines by @​HugoRCD in #​334
• docs: restructure into 6 audience-driven categories by @​HugoRCD in #​335

Performance Improvements ⚡️

• chore(bench): update size baseline by @​github-actions[bot] in #​313
• chore(bench): update size baseline by @​github-actions[bot] in #​326

Full Changelog: https://github.com/HugoRCD/evlog/compare/evlog@2.16.0...evlog@2.17.0

v2.16.0

Compare Source

What's Changed

Features 🚀

• feat(evlog): expose error code in createError, parseError, wide events by @​HugoRCD in #​318

Bug Fixes 🐞

• fix(ai): emit per-flush deltas to keep ai.toolCalls linear step count by @​HugoRCD in #​322
• fix(evlog): support primitive values in defineEnricher by @​payton-burr in #​320

New Contributors

• @​payton-burr made their first contribution in #​320

Full Changelog: https://github.com/HugoRCD/evlog/compare/evlog@2.15.0...evlog@2.16.0

pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

vercel/turborepo (turbo)

v2.9.12: Turborepo v2.9.12

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.11 by @​github-actions[bot] in #​12771
• fix: Allow transit nodes in LSP diagnostics by @​anthonyshew in #​12773

Full Changelog: vercel/turborepo@v2.9.11...v2.9.12

v2.9.11: Turborepo v2.9.11

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.10 by @​github-actions[bot] in #​12745
• ci: Publish VS Code extension on release by @​anthonyshew in #​12747
• fix: Start daemon for VSCode Extension from the extension itself by @​anthonyshew in #​12749
• release(turborepo): 2.9.11-canary.1 by @​github-actions[bot] in #​12748
• fix: Include file URIs in LSP lifecycle logs by @​anthonyshew in #​12751
• fix: Handle JSON decoration visitor depth by @​anthonyshew in #​12752
• fix: Resolve relative turbo path in VS Code extension by @​anthonyshew in #​12753
• fix: Preserve Bun nested dependencies during prune by @​anthonyshew in #​12754
• fix: Prefer installed Turbo for LSP by @​anthonyshew in #​12755
• release(turborepo): 2.9.11-canary.2 by @​github-actions[bot] in #​12750
• ci: Parallelize LSP release publishing by @​anthonyshew in #​12758
• fix: Reduce VS Code extension startup popups by @​anthonyshew in #​12759
• fix: Support turbo.jsonc in VS Code extension by @​anthonyshew in #​12760
• fix: Remove VS Code task key gradient by @​anthonyshew in #​12761
• release(turborepo): 2.9.11-canary.3 by @​github-actions[bot] in #​12756
• chore: Release v2.9.11-canary.4 by @​anthonyshew in #​12762
• ci: Stop VS Code publish from blocking release PR by @​anthonyshew in #​12763
• release(turborepo): 2.9.11-canary.5 by @​github-actions[bot] in #​12764
• fix: Publish VS Code extension from release tag by @​anthonyshew in #​12765
• fix: Support shimmed VS Code LSP probes by @​anthonyshew in #​12767
• release(turborepo): 2.9.11-canary.6 by @​github-actions[bot] in #​12766
• release(turborepo): 2.9.11-canary.7 by @​github-actions[bot] in #​12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @​anthonyshew in #​12770

Full Changelog: vercel/turborepo@v2.9.10...v2.9.11

v2.9.10: Turborepo v2.9.10

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.9-canary.4 by @​github-actions[bot] in #​12716
• release(turborepo): 2.9.9 by @​github-actions[bot] in #​12719
• fix: Respect SCM env vars in turbo query affected by @​anthonyshew in #​12722
• ci: Package VSCode extension in release workflow by @​anthonyshew in #​12723
• fix: Avoid some raw create-turbo example telemetry by @​anthonyshew in #​12725
• fix: Escape graph HTML payloads by @​anthonyshew in #​12726
• fix: Prevent OTEL token injection to spoofed origins by @​anthonyshew in #​12727
• fix: Retry HTTP status failures by @​anthonyshew in #​12728
• fix: Validate microfrontend proxy Host header by @​anthonyshew in #​12730
• fix: Redact task hash env debug logs by @​anthonyshew in #​12733
• fix: Filter microfrontend proxy environments by @​anthonyshew in #​12732
• fix: Preserve FSEvents mount points for device-relative paths by @​anthonyshew in #​12729
• fix: Validate proxy Host headers by @​anthonyshew in #​12731
• fix: Resolve TypeScript .js extension imports to .ts files in boundaries by @​maschwenk in #​12644
• fix: Use random temp path for repo downloads by @​anthonyshew in #​12736
• release(turborepo): 2.9.10-canary.1 by @​github-actions[bot] in #​12734
• fix: Reject OTel endpoints with userinfo by @​anthonyshew in #​12737
• fix: Authenticate local devtools WebSocket by @​anthonyshew in #​12738
• fix: Handle clipboard exec errors by @​anthonyshew in #​12739
• fix: Restrict Vercel token reuse to trusted API origins by @​anthonyshew in #​12740
• fix: Keep workspace config discovery inside root by @​anthonyshew in #​12741
• fix: Hardening for daemon IPC endpoints by @​anthonyshew in #​12742
• fix: Enforce cache filesystem boundaries by @​anthonyshew in #​12743

Full Changelog: vercel/turborepo@v2.9.9...v2.9.10

vitejs/vite (vite)

v8.0.11

Compare Source

Features

• update rolldown to 1.0.0-rc.18 (#​22360) (3f80524)

Bug Fixes

• deps: update all non-major dependencies (#​22334) (672c962)
• deps: update all non-major dependencies (#​22382) (5c0cfcb)
• glob: align hmr matcher options with glob enumeration (#​22306) (30028f9)
• make separate object instance for each environment (#​22276) (7c2aa3b)

Documentation

• create-vite: list react-compiler templates in README (#​22347) (7c3a61f)
• explain mergeConfig skips null/undefined (#​22325) (2151f70)
• mention native config loader in CLI options (#​22348) (0420c5d)
• update evan's x handle (640202a)

Miscellaneous Chores

• deps: update dependency tsdown to ^0.21.10 (#​22333) (3b51e05)
• deps: update rolldown-related dependencies (#​22383) (555ff36)
• deps: update transitive packages to fix npm audit alerts (#​22316) (86aee62)

Code Refactoring

• devtools integration (#​22312) (3c8bf06)
• remove unnecessary async (#​22296) (b31fd35)
• show direct path type in bad character warning (#​22339) (0c162e9)

Tests

• create-vite: use short help alias (#​22389) (994ab66)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nuxt-mcp-toolkit-docs	Ready	Preview, Comment	May 11, 2026 2:41am

[pkg-pr-new]

npm i https://pkg.pr.new/@nuxtjs/mcp-toolkit@251

commit: 8ee13b7