Skip to content

chore(deps): bump @ai-sdk/google from 2.0.75 to 3.0.82#407

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/ai-sdk/google-3.0.73
Open

chore(deps): bump @ai-sdk/google from 2.0.75 to 3.0.82#407
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/ai-sdk/google-3.0.73

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 15, 2026

Copy link
Copy Markdown
Contributor

Bumps @ai-sdk/google from 2.0.75 to 3.0.82.

Release notes

Sourced from @​ai-sdk/google's releases.

@​ai-sdk/google@​3.0.82

Patch Changes

  • 3258f22: fix(google): prevent prototype pollution when streaming tool args

  • bfa5864: fix: only send provider credentials to same-origin response-supplied URLs

    Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

    A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @​ai-sdk/provider-utils@​4.0.29
Changelog

Sourced from @​ai-sdk/google's changelog.

3.0.82

Patch Changes

  • 3258f22: fix(google): prevent prototype pollution when streaming tool args

  • bfa5864: fix: only send provider credentials to same-origin response-supplied URLs

    Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

    A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

  • Updated dependencies [bfa5864]

  • Updated dependencies [f42aa79]

    • @​ai-sdk/provider-utils@​4.0.29

3.0.81

Patch Changes

  • Updated dependencies [942f2f8]
    • @​ai-sdk/provider-utils@​4.0.28

3.0.80

Patch Changes

  • f62ffe0: fix(google): auto-inject skip_thought_signature_validator for Gemini 3 tool-call replays without a signature

    Gemini 3 models reject requests when an assistant functionCall part lacks a thoughtSignature with HTTP 400 "Function call is missing a thought_signature in functionCall parts." This is easy to hit when application code persists/serializes messages and drops providerOptions.google.thoughtSignature (custom DB schemas, useChat server routes that rebuild messages, synthetic tool-call injection).

    The provider now detects this case (Gemini 3 model + missing signature under google, googleVertex, and vertex namespaces) and injects the documented skip_thought_signature_validator sentinel into the outbound functionCall, plus surfaces a one-shot warning per request listing the affected tool names so the developer can find and fix the upstream serialization. Non-Gemini-3 models are unaffected, and real signatures take precedence when present.

3.0.79

Patch Changes

  • cfa0cb2: feat(provider/google): support Google search grounding when using generateImage with Gemini

3.0.78

Patch Changes

  • cf63828: fix(google): read serviceTier from usageMetadata.serviceTier in both generate and stream paths

    The previous implementation read serviceTier from the x-gemini-service-tier response header, which is only populated on non-streaming responses. Gemini streaming includes the value in usageMetadata.serviceTier on every chunk, so providerMetadata.google.serviceTier was always null for streams. Read from usageMetadata for both paths instead.

... (truncated)

Commits
  • bae9bab Version Packages (#16026)
  • 3258f22 Backport: fix(google): prevent prototype pollution when streaming tool args (...
  • bfa5864 Backport: fix(providers): only send credentials to same-origin response-suppl...
  • 9ef2c3c Version Packages (#15998)
  • 7aca1fc backport: chore: update TypeScript references and fix `pnpm update-references...
  • 661127c Version Packages (#15622)
  • f62ffe0 fix(google): auto-inject skip_thought_signature_validator on Gemini 3 tool-ca...
  • fc83fa3 Version Packages (#15532)
  • cfa0cb2 Backport: feat(provider/google): support Google search grounding when using `...
  • 93ad540 Version Packages (#15489)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 15, 2026
@vercel

vercel Bot commented May 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gloved.dev Error Error Jun 13, 2026 11:30pm
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
svelte.gloved.dev Ignored Ignored Jun 13, 2026 11:30pm

Bumps [@ai-sdk/google](https://github.com/vercel/ai/tree/HEAD/packages/google) from 2.0.75 to 3.0.82.
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/@ai-sdk/google@3.0.82/packages/google/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/google@3.0.82/packages/google)

---
updated-dependencies:
- dependency-name: "@ai-sdk/google"
  dependency-version: 3.0.73
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump @ai-sdk/google from 2.0.72 to 3.0.73 chore(deps): bump @ai-sdk/google from 2.0.75 to 3.0.82 Jun 13, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ai-sdk/google-3.0.73 branch from 97a8309 to aed6eea Compare June 13, 2026 23:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants