chore(deps): bump the minor-and-patch group across 1 directory with 11 updates

[dependabot]

Bumps the minor-and-patch group with 11 updates in the / directory:

Package	From	To
@anthropic-ai/sdk	0.72.1	0.91.1
@browserbasehq/stagehand	3.2.0	3.3.0
@daytonaio/sdk	0.152.1	0.169.0
jose	6.2.2	6.2.3
openai	6.33.0	6.34.0
redis	5.11.0	5.12.1
weave	0.11.1	0.13.1
autoprefixer	10.4.27	10.5.0
jsdom	29.0.2	29.1.0
postcss	8.5.9	8.5.12
prettier	3.8.1	3.8.3

Updates @anthropic-ai/sdk from 0.72.1 to 0.91.1

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.91.1

0.91.1 (2026-04-24)

Full Changelog: sdk-v0.91.0...sdk-v0.91.1

Bug Fixes

• memory: use restrictive file mode for memory files (#901) (6db3b7e)

Chores

• formatter: run prettier and eslint separately (974d22f)

sdk: v0.91.0

0.91.0 (2026-04-23)

Full Changelog: sdk-v0.90.0...sdk-v0.91.0

Features

• api: CMA Memory public beta (ddf732f)
• bedrock: use auth header for mantle client (#866) (aec801a)

Bug Fixes

• api: fix errors in api spec (ae10768)
• api: restore missing features (1a5b47b)

Chores

• internal: more robust bootstrap script (7716e19)
• tests: bump steady to v0.22.1 (219a971)

sdk: v0.90.0

0.90.0 (2026-04-16)

Full Changelog: sdk-v0.89.0...sdk-v0.90.0

Features

• api: add claude-opus-4-7, token budgets and user_profiles (b26134b)

Chores

• actually delete release-doctor.yml (0fe984d)
• ci: remove release-doctor workflow (08e58bd)

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.91.1 (2026-04-24)

Full Changelog: sdk-v0.91.0...sdk-v0.91.1

Bug Fixes

• memory: use restrictive file mode for memory files (#901) (6db3b7e)

Chores

• formatter: run prettier and eslint separately (974d22f)

0.91.0 (2026-04-23)

Full Changelog: sdk-v0.90.0...sdk-v0.91.0

Features

• api: CMA Memory public beta (ddf732f)
• bedrock: use auth header for mantle client (#866) (aec801a)

Bug Fixes

• api: fix errors in api spec (ae10768)
• api: restore missing features (1a5b47b)

Chores

• internal: more robust bootstrap script (7716e19)
• tests: bump steady to v0.22.1 (219a971)

0.90.0 (2026-04-16)

Full Changelog: sdk-v0.89.0...sdk-v0.90.0

Features

• api: add claude-opus-4-7, token budgets and user_profiles (b26134b)

Chores

• actually delete release-doctor.yml (0fe984d)
• ci: remove release-doctor workflow (08e58bd)

0.89.0 (2026-04-14)

... (truncated)

Commits

• 74ac150 chore: release main (#1014)
• 22cb810 chore: release main (#1008)
• 93ac7c7 chore: release main (#1003)
• 39549e9 chore: release main (#993)
• 089fe05 chore: release main (#987)
• 73f128f chore: release main (#985)
• fd6cf54 chore: release main (#983)
• 79d1d73 chore: release main (#982)
• 4ade5b1 chore: release main (#979)
• 4368602 chore: release main (#978)
• Additional commits viewable in compare view

Updates @browserbasehq/stagehand from 3.2.0 to 3.3.0

Changelog

Sourced from @​browserbasehq/stagehand's changelog.

3.3.0

Minor Changes

• #1980 e471d2e Thanks @​shrey150! - Support Browserbase verified session settings and bump the Browserbase SDK.

Patch Changes

• #1954 732b384 Thanks @​github-actions! - Update Anthropic CUA to use adaptive thinking

• #2001 20b601d Thanks @​shrey150! - Include agent.execute() usage in stagehand.metrics for API-backed sessions.

• #1983 8543c11 Thanks @​github-actions! - Add variable substitution to the keys tool in both live execution and cache replay paths. When keys steps with method="type" contain %variableName% tokens, they are now resolved against the provided variables. This brings the keys tool to parity with the type tool's variable handling.

• #1973 14b64ec Thanks @​monadoid! - Enable strict structured outputs for supported model paths.

• #2028 a500de1 Thanks @​tkattkat! - Remove deprecated provider option

• #1975 8f7192c Thanks @​seanmcguire12! - make file upload elements more explicit in page snapshot

3.2.1

Patch Changes

• #1843 144e18e Thanks @​seanmcguire12! - apply user defined toolTimeout to all agent tools (other than wait & think tools)

• #1872 d3c3736 Thanks @​tkattkat! - Add support for LLM provider middleware

• #1953 5c889df Thanks @​github-actions! - (NEW) Model Gateway: make model api key optional on API

• #1924 a1ab39e Thanks @​seanmcguire12! - fix issue where stagehand could not attach to new tabs that were created manually.

• #1874 f3fe7ce Thanks @​miguelg719! - Add headers (LLM) to ModelConfig

• #1964 5fb9785 Thanks @​github-actions! - chore: update examples

• #1901 f5d1f1f Thanks @​seanmcguire12! - pass timeout as timeoutMs in goto()

• #1858 8bf5db8 Thanks @​monadoid! - Add explicit SSE event names for local v3 streaming and update the generated SDK contract to match.

• #1899 6dc2276 Thanks @​tkattkat! - fix: include screenshot in openai cua agents first message

Commits

• 5dad639 [feat]: add page.snapshot() (#1518)
• e56c6eb [feat]: add support for page.waitForSelector() (#1509)
• 6fbf5fc Update close tool + add output to agent result (#1505)
• 704cf18 Fix ControlOrMeta key normalization in keyPress (#1511)
• f2537a2 Fix ollama support with AI SDK (#1504)
• 62f2869 Added optional param to force empty object (#1506)
• 723a7fd /end endpoint returns empty object (#1500)
• 72ac775 export tool function & type (#1495)
• 088c4cc [fix]: use correct model on cache replay failure (#1498)
• 808f75f Replace Slack references with Discord (#1492)
• Additional commits viewable in compare view

Updates @daytonaio/sdk from 0.152.1 to 0.169.0

Release notes

Sourced from @​daytonaio/sdk's releases.

v0.169.0

0.169.0 (2026-04-23)

🚀 Features

• api: runtime sandbox network updates (#4538)
• api: cap declarative build sandboxes per runner (#4548)
• docs: add java sdk / refactor references and code snippets (#4389)
• sdk-python: add optional WebSocket handshake concurrency limit (#4527)

🩹 Fixes

• api: add sandbox service jobs locks (#4543)
• docs: update guides list container hover (#4518)
• docs: modify locale handling routes (#4537)

Chores

• sync go.sum for v0.168.0 (#4524)
• sdk-go: bump to v0.169.0 (#4550)
• security: expand CODEOWNERS coverage for CI/CD and supply chain (#4535)
• security: close P0 url parser bypass and P1 content gutting (#4534)

❤️ Thank You

• Ante Projić @​aprojic
• Ivan Dagelic @​idagelic
• Juraj Štefanić @​stefanicjuraj
• Mirko Džaja @​MDzaja
• Toma Puljak @​Tpuljak

v0.168.0

0.168.0 (2026-04-21)

🚀 Features

• api,cli,dashboard,sdk,sdk: expose sandbox last activity timestamp (#4492)
• api,dashboard: surface per-sandbox resource limits in region usage overview (#4514)
• docs: add robots.txt (#4517)
• runner: build resource limits (22187e79f)

🩹 Fixes

• cli: surface actionable hint on 403 Forbidden for all API calls (#4506)
• proxy: preserve raw encoded preview path across proxy hops (#4449, #4448)
• sdk-python: fix unreachable error check in wait_for_resize/snapshot_complete() (#4473)

Refactor

• dashboard: remove suspend-react (#4314)

... (truncated)

Commits

• 7649a70 chore(sdk-go): bump to v0.169.0 (#4550)
• beced19 feat(api): cap declarative build sandboxes per runner (#4548)
• 18f9f6f fix(api): add sandbox service jobs locks (#4543)
• 729e133 fix(docs): modify locale handling routes (#4537)
• 9f40c3c feat(api): runtime sandbox network updates (#4538)
• 1ebd009 feat(sdk-python): add optional WebSocket handshake concurrency limit (#4527)
• c760d87 chore(security): close P0 url parser bypass and P1 content gutting (#4534)
• 6d5fd5e chore(security): expand CODEOWNERS coverage for CI/CD and supply chain (#4535)
• 3a4cab0 feat(docs): add java sdk / refactor references and code snippets (#4389)
• 784ecae fix(docs): update guides list container hover (#4518)
• Additional commits viewable in compare view

Updates jose from 6.2.2 to 6.2.3

Release notes

Sourced from jose's releases.

v6.2.3

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

Changelog

Sourced from jose's changelog.

6.2.3 (2026-04-27)

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

Commits

• 41ad7e9 chore(release): 6.2.3
• 988e90f chore: account for commit-and-tag-version instead of standard-version
• 4b24656 chore: update CHANGELOG.md header
• 0cdb851 refactor: cleanly reject invalid PBES2 p2c
• a0b261e test: update Bun expectations
• b39dc1a chore: use fs.globSync
• 0675be1 build: replace rollup umd build with a custom esbuild iife wrap
• 9b03323 chore: bump packages
• 914b73d chore(deps-dev): bump lodash
• 9dce817 chore: bump packages
• Additional commits viewable in compare view

Updates openai from 6.33.0 to 6.34.0

Release notes

Sourced from openai's releases.

v6.34.0

6.34.0 (2026-04-08)

Full Changelog: v6.33.0...v6.34.0

Features

• api: add phase field to Message in conversations (eb7cbc1)
• client: add support for short-lived tokens (#839) (a72ebcf)

Bug Fixes

• api: remove web_search_call.results from ResponseIncludable in responses (1f6968e)

Chores

• internal: codegen related update (1081460)
• internal: update multipart form array serialization (3faee8d)
• tests: bump steady to v0.20.1 (b73cc6b)

Documentation

• api: add multi-file ingestion recommendations to vector-stores files/file-batches (1bc32a3)

Changelog

Sourced from openai's changelog.

6.34.0 (2026-04-08)

Full Changelog: v6.33.0...v6.34.0

Features

• api: add phase field to Message in conversations (eb7cbc1)
• client: add support for short-lived tokens (#839) (a72ebcf)

Bug Fixes

• api: remove web_search_call.results from ResponseIncludable in responses (1f6968e)

Chores

• internal: codegen related update (1081460)
• internal: update multipart form array serialization (3faee8d)
• tests: bump steady to v0.20.1 (b73cc6b)

Documentation

• api: add multi-file ingestion recommendations to vector-stores files/file-batches (1bc32a3)

Commits

• 35feb53 Merge pull request #1797 from openai/release-please--branches--master--change...
• 398e589 release: 6.34.0
• a72ebcf feat(client): add support for short-lived tokens (#839)
• b73cc6b chore(tests): bump steady to v0.20.1
• eb7cbc1 feat(api): add phase field to Message in conversations
• 1f6968e fix(api): remove web_search_call.results from ResponseIncludable in responses
• 1081460 chore(internal): codegen related update
• 1bc32a3 docs(api): add multi-file ingestion recommendations to vector-stores files/fi...
• 3faee8d chore(internal): update multipart form array serialization
• be64904 Merge pull request #1798 from openai/codex/pin-github-workflow-refs-20260326-...
• Additional commits viewable in compare view

Updates redis from 5.11.0 to 5.12.1

Release notes

Sourced from redis's releases.

redis@5.12.0

✨ What's Changed

🚀 Features

• feat: expose sendCommand on multi for all clients by @​nkaradzhov in redis/node-redis#3181
• feat(sentinel): add sSubscribe/sUnsubscribe methods to Sentinel client by @​nkaradzhov in redis/node-redis#3178

🐛 Fixes

• fix(search): correct INDEXMISSING placement by @​nkaradzhov in redis/node-redis#3179
• Pool fixes by @​nkaradzhov in redis/node-redis#3182
• fix(search): use @redis/client dist imports in CREATE command by @​PavelPashov in redis/node-redis#3187
• fix(sentinel): preserve root seeds for outage recovery by @​nkaradzhov in redis/node-redis#3188
• fix: fallthrough bug in transformDoubleReply by @​rhymincymon in redis/node-redis#3213

🔭 Observability (OTEL + Diagnostics)

Node Redis now ships with first-class observability via OpenTelemetry metrics and Node.js diagnostics_channel. Initialize OpenTelemetry before creating clients (OpenTelemetry.init({ metrics: { enabled: true } })) and you can plug Redis client telemetry into your existing OTel SDK/exporter pipeline.

This enables visibility into command latency, connection lifecycle, resiliency/errors, Pub/Sub traffic, streaming behavior, and client-side caching activity. On top of metrics, diagnostics channels provide a more abstract, higher-level way to track runtime behavior through low-overhead event streams (commands, batches, connection events, maintenance notifications, pub/sub, cache, and pool wait timing), so APM tools or custom subscribers can observe the system without changing application code.

• add OpenTelemetry metrics instrumentation by @​PavelPashov in redis/node-redis#3110
• feat: implement diagnostic channels for observability by @​logaretm in redis/node-redis#3195

🧪 Tests & CI

• test(scho oss): add smigrating checks for new connections by @​nkaradzhov in redis/node-redis#3186
• Add self-report metrics step to CI workflow by @​bobymicroby in redis/node-redis#3199
• Add run tests action by @​dariaguy in redis/node-redis#3221

📚 Docs

• improve sentinel docs by @​cutiepoka in redis/node-redis#3189
• docs: clarify DUMP/RESTORE binary payload usage by @​nkaradzhov in redis/node-redis#3201
• fix(docs): configure typedoc entry points for monorepo by @​nkaradzhov in redis/node-redis#3220

🙌 New Contributors

• @​cutiepoka made their first contribution in redis/node-redis#3189
• @​rhymincymon made their first contribution in redis/node-redis#3213
• @​logaretm made their first contribution in redis/node-redis#3195
• @​dariaguy made their first contribution in redis/node-redis#3221

Full Changelog: https://github.com/redis/node-redis/compare/redis@5.11.0...redis@5.12.0

Commits

• 5cdad1b Release redis@5.12.1
• 6a44726 Release entraid@5.12.1
• 9f930f9 Release time-series@5.12.1
• de70920 Release search@5.12.1
• 9e7767c Release json@5.12.1
• 02cfd5a Release bloom@5.12.1
• 838c28d Release client@5.12.1
• 789d6d5 fix: decouple OTel public types from @​opentelemetry/api (#3228)
• 07aff33 Release redis@5.12.0
• b91d88f Release entraid@5.12.0
• Additional commits viewable in compare view

Updates weave from 0.11.1 to 0.13.1

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for weave since your current version.

Updates autoprefixer from 10.4.27 to 10.5.0

Release notes

Sourced from autoprefixer's releases.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

Changelog

Sourced from autoprefixer's changelog.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

Commits

• faf456a Release 10.5 version
• b841fc5 Update dependencies
• 47d6e68 Update email
• 45cfc08 Replace ESLint and Prettier to oxlint and oxfmt
• 7e3ec7d Add prefixing support for mask-position-x and mask-position-y (#1548)
• See full diff in compare view

Updates jsdom from 29.0.2 to 29.1.0

Release notes

Sourced from jsdom's releases.

v29.1.0

• Added basic support for the ratio CSS type. (@​asamuzaK)
• Fixed getComputedStyle() sometimes returning outdated results after CSS was modified. (@​asamuzaK)

Commits

• 5a3e88e 29.1.0
• 73db204 Update dependencies and dev dependencies
• a7168a5 Support ratio CSS unit type
• 15346e0 Fix style cache invalidation
• See full diff in compare view

Updates postcss from 8.5.9 to 8.5.12

Release notes

Sourced from postcss's releases.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

Changelog

Sourced from postcss's changelog.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

Commits

• 9bc81c4 Release 8.5.12 version
• 85c4d7d Another try to fix coverage
• 94484ca Try to fix coverage
• c64b748 Load only .map source maps
• aaec7b7 Avoid throwing JSON parsing errors for non-JSON source maps
• 233fb26 Mention original author of the solution
• 2502f75 Release 8.5.11 version
• 5ca1901 Speed up parsing many nested brackets
• 42b5337 Update dependencies
• 7e36e15 Cache node.raws locally in Stringifier hot methods
• Additional commits viewable in compare view

Updates prettier from 3.8.1 to 3.8.3

Release notes

Sourced from prettier's releases.

3.8.3

• SCSS: Prevent trailing comma in if() function (prettier/prettier#18471 by @​kovsu)

🔗 Changelog

3.8.2

• Support Angular v21.2

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.3

diff

SCSS: Prevent trailing comma in if() function (#18471 by @​kovsu)

// Input
$value: if(sass(false): 1; else: -1);
// Prettier 3.8.2
$value: if(
sass(false): 1; else: -1,
);
// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);

3.8.2

diff

Angular: Support Angular v21.2 (#18722, #19034 by @​fisker)

Exhaustive typechecking with @default never;

<!-- Input -->
@switch (foo) {
  @case (1) {}
  @default never;
}
<!-- Prettier 3.8.1 -->
SyntaxError: Incomplete block "default never". If you meant to write the @ character, you should use the "&#64;" HTML entity instead. (3:3)
<!-- Prettier 3.8.2 -->
@​switch (foo) {
@​case (1) {}
@​default never;
}

arrow function and instanceof expressions.

</tr></table> 

... (truncated)

Commits

• d7108a7 Release 3.8.3
• 177f908 Prevent trailing comma in SCSS if() function (#18471)
• 1cd4066 Release @​prettier/plugin-oxc@​0.1.4
• a8700e2 Update oxc-parser to v0.125.0
• 752157c Fix tests
• 053fd41 Bump Prettier dependency to 3.8.2
• 904c636 Clean changelog_unreleased
• dc1f7fc Update dependents count
• b31557c Release 3.8.2
• 96bbaed Support Angular v21.2 (#18722)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

---

Summary by cubic

Update 11 dependencies to the latest minor/patch versions to pick up security fixes and SDK improvements. Notable: postcss security fixes, redis OpenTelemetry/diagnostics, and new features in @anthropic-ai/sdk and openai.

• Dependencies

  • LLM SDKs: @anthropic-ai/sdk → 0.91.1 (Memory beta, spec fixes); openai → 6.34.0 (short‑lived tokens).
  • Infra: redis → 5.12.1 (OpenTelemetry metrics, diagnostics channels).
  • CSS/tooling: postcss → 8.5.12 (security fixes); autoprefixer → 10.5.0; jsdom → 29.1.0; prettier → 3.8.3.
  • Other SDKs: @browserbasehq/stagehand → 3.3.0; @daytonaio/sdk → 0.169.0; jose → 6.2.3; weave → 0.13.1.

• Migration

  • Reinstall and run tests; no code changes expected. Redis OTel/diagnostics are opt‑in and inactive unless initialized.

^{Written for commit 71db2d8. Summary will update on new commits. Review in cubic}

[cubic-dev-ai]

No issues found across 2 files