chore(deps): bump the production-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the production-dependencies group with 7 updates in the / directory:

Package	From	To
commander	14.0.3	15.0.0
@ai-sdk/anthropic	2.0.77	3.0.81
@ai-sdk/google	2.0.70	3.0.80
@ai-sdk/openai	2.0.103	3.0.67
ai	5.0.179	6.0.193
protobufjs	8.2.1	8.5.0
yauzl	3.3.0	3.3.1

Updates commander from 14.0.3 to 15.0.0

Release notes

Sourced from commander's releases.

v15.0.0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

• show excess command-arguments in error message (#2384)

Fixed

• Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
• update example to use compatible character for MINGW64 (#2475)

Changed

• Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
• Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
• dev: switch tests from Jest to node:test test runner (#2463)

Deleted

• Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

v15.0.0-0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 in May 2026 will move Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

• show excess command-arguments in error message (#2384)

Fixed

• Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
• update example to use compatible character for MINGW64 (#2475)

... (truncated)

Changelog

Sourced from commander's changelog.

[15.0.0] (2026-05-29)

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

• show excess command-arguments in error message (#2384)

Fixed

• Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
• update example to use compatible character for MINGW64 (#2475)

Changed

• Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
• Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
• dev: switch tests from Jest to node:test test runner (#2463)

Deleted

• Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

[15.0.0-0] (2026-02-22)

(Released as 15.0.0)

Commits

• ba6d13d Fix release dates in changelog (#2523)
• a752ed9 Pin GitHub actions with hash (#2521)
• 74d5dfe Drop EOL node 20 from test matrix, and add node 26 (#2520)
• 6df9b68 Update details for 15.0.0 release (#2519)
• 01ce5d0 Remove jest esm examples (#2517)
• d785d8b Update dependencies (#2518)
• 9098b48 Update dependencies (#2506)
• 373f660 Use node:util stripVTControlCharacters instead of own code (#2486)
• 987f289 Use simple match in test (to avoid warning about expensive regex) (#2485)
• 0ea3bb3 Update dependecies and lint (#2489)
• Additional commits viewable in compare view

Updates @ai-sdk/anthropic from 2.0.77 to 3.0.81

Changelog

Sourced from @​ai-sdk/anthropic's changelog.

3.0.81

Patch Changes

• 4084fcd: feat(provider/anthropic): add support for claude-opus-4-8

3.0.80

Patch Changes

• 263d3e6: fix(provider/anthropic): fix remaining errors with Anthropic code_execution tool dynamic calls from latest web_fetch or web_search

3.0.79

Patch Changes

• d61a788: Handle errors from anthropic websearch tool

3.0.78

Patch Changes

• 6e28d25: fix(anthropic): propagate toModelOutput providerOption to anthropic tool results

3.0.77

Patch Changes

• d53314d: feat(anthropic): add the new advisor tool

3.0.76

Patch Changes

• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27

3.0.75

Patch Changes

• 3f06680: Remove stale effort-2025-11-24 beta header — the extended thinking effort parameter is GA and no longer requires the beta flag. Vertex AI's strict validator was actively rejecting requests with this header.

3.0.74

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26

... (truncated)

Commits

• 974e161 Version Packages (#15677)
• 4084fcd backport: feat(provider/anthropic): add support for claude-opus-4-8 (#15675)
• 097c1cd Version Packages (#15612)
• 263d3e6 Backport: fix(provider/anthropic): fix remaining errors with Anthropic `code_...
• 7ebba33 Version Packages (#15557)
• d61a788 Backport: Handle errors in anthropic's web search tool (#15555)
• 2e7664b Version Packages (#15315)
• 6e28d25 Backport: fix(anthropic): propagate toModelOutput providerOption to anthropic...
• d37fb1f Version Packages (#15202)
• d53314d Backport: feat(anthropic): add the new advisor tool (#15203)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/anthropic since your current version.

Updates @ai-sdk/google from 2.0.70 to 3.0.80

Changelog

Sourced from @​ai-sdk/google's changelog.

3.0.80

Patch Changes

• f62ffe0: fix(google): auto-inject skip_thought_signature_validator for Gemini 3 tool-call replays without a signature

  Gemini 3 models reject requests when an assistant functionCall part lacks a thoughtSignature with HTTP 400 "Function call is missing a thought_signature in functionCall parts." This is easy to hit when application code persists/serializes messages and drops providerOptions.google.thoughtSignature (custom DB schemas, useChat server routes that rebuild messages, synthetic tool-call injection).

  The provider now detects this case (Gemini 3 model + missing signature under google, googleVertex, and vertex namespaces) and injects the documented skip_thought_signature_validator sentinel into the outbound functionCall, plus surfaces a one-shot warning per request listing the affected tool names so the developer can find and fix the upstream serialization. Non-Gemini-3 models are unaffected, and real signatures take precedence when present.

3.0.79

Patch Changes

• cfa0cb2: feat(provider/google): support Google search grounding when using generateImage with Gemini

3.0.78

Patch Changes

• cf63828: fix(google): read serviceTier from usageMetadata.serviceTier in both generate and stream paths

  The previous implementation read serviceTier from the x-gemini-service-tier response header, which is only populated on non-streaming responses. Gemini streaming includes the value in usageMetadata.serviceTier on every chunk, so providerMetadata.google.serviceTier was always null for streams. Read from usageMetadata for both paths instead.

3.0.77

Patch Changes

• 0f9f9bf: feat(google): read serviceTier from x-gemini-service-tier response header in Gemini API and use PayGo for Vertex

3.0.76

Patch Changes

• f259bd1: fix(google): fix streaming tool call args
• 756fec1: feat(provider/google): add gemini-3.5-flash

3.0.75

Patch Changes

• ab15576: feat(google): update Interactions API implementation to cater for upstream breaking changes coming May 26

3.0.74

Patch Changes

... (truncated)

Commits

• 661127c Version Packages (#15622)
• f62ffe0 fix(google): auto-inject skip_thought_signature_validator on Gemini 3 tool-ca...
• fc83fa3 Version Packages (#15532)
• cfa0cb2 Backport: feat(provider/google): support Google search grounding when using `...
• 93ad540 Version Packages (#15489)
• cf63828 Backport: fix(google): read serviceTier from usageMetadata in stream + genera...
• a15eda9 Version Packages (#15473)
• 0f9f9bf Backport: fix(google): read serviceTier from x-gemini-service-tier response h...
• b9241af Backport: feat(provider/google): add support for managed agents in the Intera...
• e33b836 Version Packages (#15440)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/google since your current version.

Updates @ai-sdk/openai from 2.0.103 to 3.0.67

Release notes

Sourced from @​ai-sdk/openai's releases.

@​ai-sdk/openai-compatible@​3.0.0-canary.54

Patch Changes

• Updated dependencies [ce769dd]
  • @​ai-sdk/provider@​4.0.0-canary.18
  • @​ai-sdk/provider-utils@​5.0.0-canary.46

Changelog

Sourced from @​ai-sdk/openai's changelog.

3.0.67

Patch Changes

• c679fec: feat(provider/azure):web search tool in the Azure OpenAI Responses API.

3.0.66

Patch Changes

• c82ab42: feat(openai): forward web_search_call.action.queries from Responses API

3.0.65

Patch Changes

• eb52378: fix(openai): skip passing reasoning items when using previous response id

3.0.64

Patch Changes

• b7ed8bd: feat(openai): add opt-in pass-through for unsupported file media types

3.0.63

Patch Changes

• Updated dependencies [f591416]
  • @​ai-sdk/provider-utils@​4.0.27

3.0.62

Patch Changes

• 65edcca: feat: add allowedTools provider option for OpenAI Responses

3.0.61

Patch Changes

• b93f9b4: feat(provider/openai): forward imageDetail providerOptions on tool-result image content

3.0.60

Patch Changes

• 6dcd8e6: feat(openai): add GPT-5.5 chat model IDs

3.0.59

... (truncated)

Commits

• d4893c4 Version Packages (#15700)
• c679fec Backport: feat(provider/azure): web search tool in the Azure OpenAI Responses...
• 52332bf Version Packages (#15637)
• c82ab42 Backport: feat(openai): forward web_search_call.action.queries from Responses...
• 1a3ec6d Version Packages (#15513)
• eb52378 Backport: fix(openai): skip passing reasoning items when using previous respo...
• 2e7664b Version Packages (#15315)
• b7ed8bd Backport: feat(openai): add opt-in pass-through for unsupported file media ty...
• e3ccdb5 Version Packages (#15094)
• bf9de31 Version Packages (#15046)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/openai since your current version.

Updates ai from 5.0.179 to 6.0.193

Release notes

Sourced from ai's releases.

ai@5.0.196

Patch Changes

• Updated dependencies [d4617bf]
  • @​ai-sdk/gateway@​2.0.97

Changelog

Sourced from ai's changelog.

6.0.193

Patch Changes

• af580ea: fix(ai): do not re-validate tool input for output-error parts in validateUIMessages

6.0.192

Patch Changes

• Updated dependencies [4084fcd]
  • @​ai-sdk/gateway@​3.0.121

6.0.191

Patch Changes

• Updated dependencies [27a1b22]
  • @​ai-sdk/gateway@​3.0.120

6.0.190

Patch Changes

• Updated dependencies [33b10a2]
• Updated dependencies [f6e4146]
  • @​ai-sdk/gateway@​3.0.119

6.0.189

Patch Changes

• 356c3cf: fix(ai): make input optional on input-streaming UIMessagePart variants

6.0.188

Patch Changes

• c98715a: Add allowSystemInMessages option to ToolLoopAgent.

  This exposes the same option that exists on streamText and generateText, whether role: "system" messages are allowed in the prompt or messages fields. When unset, system messages are rejected because they can create a prompt injection attack risk. Ideally, use the instructions option instead. Set to true to allow system messages, or false to explicitly reject them.

  const agent = new ToolLoopAgent({
    model,
    allowSystemInMessages: true,
  });
  await agent.generate({
  messages: [

... (truncated)

Commits

• 2412dfc Version Packages (#15697)
• af580ea Backport: fix(ai): do not re-validate tool input for output-error parts in va...
• 974e161 Version Packages (#15677)
• 0838d52 Version Packages (#15565)
• 1a3ec6d Version Packages (#15513)
• bde7d0f Version Packages (#15494)
• 356c3cf Backport: fix(ai): make input optional on input-streaming UIMessagePart varia...
• 93ad540 Version Packages (#15489)
• c98715a Backport: [tool-loop-agent] adding support for messages with system role with...
• a15eda9 Version Packages (#15473)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ai since your current version.

Updates protobufjs from 8.2.1 to 8.5.0

Release notes

Sourced from protobufjs's releases.

protobufjs: v8.5.0

8.5.0 (2026-05-29)

Features

• Add option to discard unknown fields (#2289) (f8c489b)
• Expose RPC metadata on service methods (#2286) (711a279)

Bug Fixes

• cli: Consistently handle derived names (#2293) (9e80030)
• Consistently reject null message argument in fromObject (#2287) (0f6178d)
• Prefer nested type resolution over global fallback (#2288) (4b4c703)

protobufjs: v8.4.2

8.4.2 (2026-05-22)

Bug Fixes

• Align reserved range semantics (#2277) (48aa10f)
• Coerce int32 values before writer sizing (#2281) (53c2e54)

protobufjs: v8.4.1

8.4.1 (2026-05-21)

Bug Fixes

• Correct util helper typing (#2279) (664a3d1)
• Decode omitted long map values as Long (#2264) (a71254b)
• Expose Field rule declaration (#2261) (1664cbf)
• Improve message return typings (#2274) (0f54489)
• Misc utility hardening (#2272) (3de631b)
• Omit proto3 synthetic oneofs in toObject (#2273) (9a78a4a)
• Preserve writer state in static encodeDelimited (#2275) (d28ec57)
• Register empty common in light build (#2262) (6cc4bc2)
• Treat fixed64 as unsigned in converters (#2265) (d8a6983)

protobufjs: v8.4.0

8.4.0 (2026-05-18)

Features

• Support BigInt conversions (#2257) (36873e6)

protobufjs: v8.3.0

... (truncated)

Changelog

Sourced from protobufjs's changelog.

8.5.0 (2026-05-29)

Features

• Add option to discard unknown fields (#2289) (f8c489b)
• Expose RPC metadata on service methods (#2286) (711a279)

Bug Fixes

• cli: Consistently handle derived names (#2293) (9e80030)
• Consistently reject null message argument in fromObject (#2287) (0f6178d)
• Prefer nested type resolution over global fallback (#2288) (4b4c703)

8.4.2 (2026-05-22)

Bug Fixes

• Align reserved range semantics (#2277) (48aa10f)
• Coerce int32 values before writer sizing (#2281) (53c2e54)

8.4.1 (2026-05-21)

Bug Fixes

• Correct util helper typing (#2279) (664a3d1)
• Decode omitted long map values as Long (#2264) (a71254b)
• Expose Field rule declaration (#2261) (1664cbf)
• Improve message return typings (#2274) (0f54489)
• Misc utility hardening (#2272) (3de631b)
• Omit proto3 synthetic oneofs in toObject (#2273) (9a78a4a)
• Preserve writer state in static encodeDelimited (#2275) (d28ec57)
• Register empty common in light build (#2262) (6cc4bc2)
• Treat fixed64 as unsigned in converters (#2265) (d8a6983)

8.4.0 (2026-05-18)

Features

• Support BigInt conversions (#2257) (36873e6)

8.3.0 (2026-05-13)

Features

... (truncated)

Commits

• 4655f8d chore: release master (#2292)
• 9e80030 fix(cli): Consistently handle derived names (#2293)
• f8c489b feat: Add option to discard unknown fields (#2289)
• 4b4c703 fix: Prefer nested type resolution over global fallback (#2288)
• 0f6178d fix: Consistently reject null message argument in fromObject (#2287)
• 711a279 feat: Expose RPC metadata on service methods (#2286)
• 6a594f1 chore: Add minimal contribution guidelines (#2284)
• 07b2fc1 chore: release master (#2282)
• 48aa10f fix: Align reserved range semantics (#2277)
• 53c2e54 fix: Coerce int32 values before writer sizing (#2281)
• Additional commits viewable in compare view

Updates yauzl from 3.3.0 to 3.3.1

Commits

• 84df2f2 version 3.3.1
• cd9bd23 Fix destroy() usage in fd-slicer (#170)
• bac0725 add tests for unusual compression method
• See full diff in compare view

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​ai-sdk/​google@​3.0.80
	@​ai-sdk/​openai@​3.0.67
	@​ai-sdk/​anthropic@​3.0.81
	commander@​15.0.0
	yauzl@​3.3.1
	ai@​6.0.193
	protobufjs@​8.5.0

View full report

[github-actions]

Bundle Size Report

Package	dist size
@gpc-cli/cli	3.6M
@gpc-cli/core	1.1M
@gpc-cli/api	376K
@gpc-cli/auth	44K
@gpc-cli/config	44K

Largest CLI ESM chunk: 40K

Sizes are uncompressed. Published npm tarballs are ~30-40% smaller.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.