chore(deps): bump the prod-deps group with 8 updates

[dependabot]

Bumps the prod-deps group with 8 updates:

Package	From	To
@ai-sdk/react	3.0.170	3.0.174
@openrouter/ai-sdk-provider	2.8.0	2.9.0
ai	6.0.168	6.0.172
fumadocs-core	16.8.0	16.8.5
fumadocs-mdx	14.3.1	14.3.2
fumadocs-ui	16.8.0	16.8.5
lucide-react	1.8.0	1.14.0
zod	4.3.6	4.4.1

Updates @ai-sdk/react from 3.0.170 to 3.0.174

Release notes

Sourced from @​ai-sdk/react's releases.

@​ai-sdk/react@​3.0.174

Patch Changes

• ai@6.0.172

@​ai-sdk/react@​3.0.173

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [48f842a]
• Updated dependencies [a727da4]
• Updated dependencies [5fee301]
  • ai@6.0.171
  • @​ai-sdk/provider-utils@​4.0.25

Changelog

Sourced from @​ai-sdk/react's changelog.

3.0.174

Patch Changes

• ai@6.0.172

3.0.173

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [48f842a]
• Updated dependencies [a727da4]
• Updated dependencies [5fee301]
  • ai@6.0.171
  • @​ai-sdk/provider-utils@​4.0.25

3.0.172

Patch Changes

• Updated dependencies [19d587a]
  • ai@6.0.170

3.0.171

Patch Changes

• a7f3c72: trigger release for all packages after provenance setup
• Updated dependencies [2662bb5]
• Updated dependencies [a7f3c72]
  • ai@6.0.169
  • @​ai-sdk/provider-utils@​4.0.24

Commits

• 29c80ec Version Packages (#14868)
• 8e650ab Version Packages (#14824)
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 7ab1e18 Version Packages (#14815)
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/react since your current version.

Updates @openrouter/ai-sdk-provider from 2.8.0 to 2.9.0

Release notes

Sourced from @​openrouter/ai-sdk-provider's releases.

2.9.0

What's Changed

• fix: allow query strings and fragments in image URL regex (#484) by @​robert-j-y in OpenRouterTeam/ai-sdk-provider#485
• fix: allow opting out of response_format strict mode (#483) by @​robert-j-y in OpenRouterTeam/ai-sdk-provider#486
• fix: stop emitting duplicate tool-call events on trailing-whitespace deltas by @​0age in OpenRouterTeam/ai-sdk-provider#489
• Version Packages by @​github-actions[bot] in OpenRouterTeam/ai-sdk-provider#490

New Contributors

• @​0age made their first contribution in OpenRouterTeam/ai-sdk-provider#489

Full Changelog: OpenRouterTeam/ai-sdk-provider@2.8.1...2.9.0

2.8.1

What's Changed

• fix: preserve empty reasoning_details arrays in multi-turn conversations by @​louisgv in OpenRouterTeam/ai-sdk-provider#487
• Version Packages by @​github-actions[bot] in OpenRouterTeam/ai-sdk-provider#488

Full Changelog: OpenRouterTeam/ai-sdk-provider@2.8.0...2.8.1

Changelog

Sourced from @​openrouter/ai-sdk-provider's changelog.

2.9.0

Minor Changes

• #486 82e8014 Thanks @​robert-j-y! - Add structuredOutputs.strict setting to opt out of response_format.json_schema.strict (issue #483).

  Previously the SDK hardcoded strict: true whenever a JSON schema response format was used, which made it impossible to route requests to providers that don't advertise support for strict json_schema. Models like moonshotai/kimi-k2.6 (routed through Parasail/Venice/Io Net) returned HTTP 404 "No endpoints available matching your guardrail restrictions and data policy" because the strict flag eliminated every eligible endpoint.

  Users can now opt out per-model:

  const model = openrouter.chat("moonshotai/kimi-k2.6", {
    structuredOutputs: { strict: false },
  });

  The default remains strict: true for backward compatibility.

Patch Changes

• #485 bf664b1 Thanks @​robert-j-y! - Fix supportedUrls['image/*'] regex to accept image URLs with query strings or fragments (e.g. https://cdn.example.com/photo.png?height=200, .../photo.webp#frag). Previously the $ anchor on the extension caused such URLs to be treated as unsupported, forcing the AI SDK runtime to download and base64-inline them, which bloated conversation history and inflated token usage.

• #489 bb2d4cb Thanks @​0age! - fix: stop emitting duplicate tool-call events when a trailing-whitespace argument delta arrives after a complete tool call

  In the streaming chat handler, the merge-into-existing-tool-call path enqueues a tool-call stream event whenever the accumulated function.arguments is parsable JSON. Because JSON.parse accepts trailing whitespace, any subsequent argument delta for the same tool-call index (e.g. a stray space, newline, or closing-token chunk) leaves the arguments parsable and would re-trigger the emit, producing a second tool-call event with the same toolCallId. Downstream tool runners (e.g. Vercel AI SDK streamText) then execute the tool twice. Observed in production with moonshotai/kimi-k2.6 via OpenRouter, where the user-visible effect was every outbound message being delivered twice.

  src/chat/index.ts:

  • Merge-path tool-call emit is now gated on !toolCall.sent, mirroring the new-path behavior. The sent flag was already being set after the first emit but was never read on this path.

  src/chat/index.test.ts:

  • Adds a regression test that streams a complete tool call followed by a trailing-whitespace-only argument delta for the same index and asserts exactly one tool-call event is emitted.

2.8.1

Patch Changes

• #487 4588197 Thanks @​louisgv! - fix: preserve empty reasoning_details arrays in multi-turn conversations

  Some providers (notably DeepSeek V4 in thinking mode) return reasoning_details: [] on turns where they produced no visible reasoning tokens. They require this empty array to be sent back in subsequent requests to maintain conversation state; omitting it causes 4xx errors on follow-up turns.

  src/chat/index.ts:

  • Stream finish event now always sets openrouterMetadata.reasoning_details, even when the accumulated array is empty (previously guarded by length > 0).
  • Both reasoning-end emit sites now always include providerMetadata.openrouter.reasoning_details,

... (truncated)

Commits

• 5cef3c5 Version Packages (#490)
• bb2d4cb fix: stop emitting duplicate tool-call events on trailing-whitespace deltas (...
• 82e8014 fix: allow opting out of response_format strict mode (#483) (#486)
• bf664b1 fix: allow query strings and fragments in image URL regex (#484) (#485)
• 310ba3d Version Packages (#488)
• 4588197 fix: preserve empty reasoning_details arrays in multi-turn conversations (#487)
• See full diff in compare view

Updates ai from 6.0.168 to 6.0.172

Release notes

Sourced from ai's releases.

ai@6.0.172

Patch Changes

• Updated dependencies [982af78]
  • @​ai-sdk/gateway@​3.0.107

ai@6.0.171

Patch Changes

• 48f842a: fix(ai): enforce callOptionsSchema at runtime in ToolLoopAgent

  ToolLoopAgentSettings.callOptionsSchema was declared and documented as a runtime schema for options, but tool-loop-agent.ts never invoked it. Any invariant a developer encoded in the schema was silently bypassed at runtime, and unchecked options flowed straight into prepareCall and any instructions template that interpolated them.

  ToolLoopAgent.prepareCall now validates caller-supplied options against callOptionsSchema (when set) via safeValidateTypes, throwing InvalidArgumentError on failure before forwarding to prepareCall / generateText / streamText.

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles

• 5fee301: fix(mcp): prevent prototype pollution by using secureJsonParse

• Updated dependencies [a727da4]

  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10
  • @​ai-sdk/gateway@​3.0.106

Changelog

Sourced from ai's changelog.

6.0.172

Patch Changes

• Updated dependencies [982af78]
  • @​ai-sdk/gateway@​3.0.107

6.0.171

Patch Changes

• 48f842a: fix(ai): enforce callOptionsSchema at runtime in ToolLoopAgent

  ToolLoopAgentSettings.callOptionsSchema was declared and documented as a runtime schema for options, but tool-loop-agent.ts never invoked it. Any invariant a developer encoded in the schema was silently bypassed at runtime, and unchecked options flowed straight into prepareCall and any instructions template that interpolated them.

  ToolLoopAgent.prepareCall now validates caller-supplied options against callOptionsSchema (when set) via safeValidateTypes, throwing InvalidArgumentError on failure before forwarding to prepareCall / generateText / streamText.

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles

• 5fee301: fix(mcp): prevent prototype pollution by using secureJsonParse

• Updated dependencies [a727da4]

  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10
  • @​ai-sdk/gateway@​3.0.106

6.0.170

Patch Changes

• 19d587a: fix(ai): add allowSystemInMessages option and warn by default when system messages are found in prompt or messages

6.0.169

Patch Changes

• 2662bb5: skip validation for tool parts in terminal states when tool schema is no longer registered
• a7f3c72: trigger release for all packages after provenance setup
• Updated dependencies [a7f3c72]
• Updated dependencies [4368079]
• Updated dependencies [c71ad14]
  • @​ai-sdk/gateway@​3.0.105
  • @​ai-sdk/provider@​3.0.9
  • @​ai-sdk/provider-utils@​4.0.24

Commits

• 29c80ec Version Packages (#14868)
• 8e650ab Version Packages (#14824)
• 48f842a backport v6: fix(ai): enforce callOptionsSchema at runtime in ToolLoopAgent (...
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 5fee301 backport v6: fix(mcp): prevent prototype pollution by using secureJsonParse (...
• 7ab1e18 Version Packages (#14815)
• 19d587a v6: fix(ai): warn about system messages in messages or prompt (#14810)
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• 2662bb5 Backport: fix(ai): skip tool validation for terminal states when schema is mi...
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ai since your current version.

Updates fumadocs-core from 16.8.0 to 16.8.5

Release notes

Sourced from fumadocs-core's releases.

fumadocs-core@16.8.5

Patch Changes

• 79d3209: Narrow schema type for private OpenAPI properties

fumadocs-core@16.8.4

Patch Changes

• 61b15e9: fix Shiki languages not loaded under lazy mode
• 1a5433c: Support $ in locale for page tree generation

fumadocs-core@16.8.3

No release notes provided.

fumadocs-core@16.8.2

No release notes provided.

fumadocs-core@16.8.1

No release notes provided.

Commits

• See full diff in compare view

Updates fumadocs-mdx from 14.3.1 to 14.3.2

Release notes

Sourced from fumadocs-mdx's releases.

fumadocs-mdx@14.3.2

Patch Changes

• 79d3209: Deprecate forwarded schemas at fumadocs-mdx/config, recommend fumadocs-core/source/schema instead.
• Updated dependencies [79d3209]
  • fumadocs-core@16.8.5

Commits

• d6bf3e0 Merge pull request #3235 from fuma-nama/changeset-release/dev
• af7ee2d CLI: fix layout preserve plugin
• 970b1bf OpenAPI: fix inconsistency in option names
• 2eff8e9 Chore: update showcases
• fa781f1 fix jsdoc omitted from output
• a83709f clean code
• 3e85c69 Docs: add more docs for MDX Remote
• 79d3209 Core: narrow schema types
• 387e659 UI: relocate toc width
• e1f19c7 Version Packages (#3232)
• Additional commits viewable in compare view

Updates fumadocs-ui from 16.8.0 to 16.8.5

Release notes

Sourced from fumadocs-ui's releases.

fumadocs-ui@16.8.5

Patch Changes

• Updated dependencies [79d3209]
  • fumadocs-core@16.8.5

fumadocs-ui@16.8.4

Patch Changes

• b5ff03b: Support new OG image design for Takumi
• Updated dependencies [61b15e9]
• Updated dependencies [1a5433c]
  • fumadocs-core@16.8.4

fumadocs-ui@16.8.3

Patch Changes

• 8082ef6: Add legacy/layout for versions prior to 16.2
• 8082ef6: Add css/preset-legacy.css for versions prior to 16.2
• 8082ef6: Add legacy/sidebar for versions prior to 16.2
  • fumadocs-core@16.8.3

fumadocs-ui@16.8.2

Patch Changes

• 0e8405a: Update default OG image
  • fumadocs-core@16.8.2

fumadocs-ui@16.8.1

Patch Changes

• 3ae8809: Improve TOC sizing
  • fumadocs-core@16.8.1

Commits

• See full diff in compare view

Updates lucide-react from 1.8.0 to 1.14.0

Release notes

Sourced from lucide-react's releases.

Version 1.14.0

What's Changed

• feat(icons): added repeat-off icon by @​jguddas in lucide-icons/lucide#3102

Full Changelog: lucide-icons/lucide@1.13.0...1.14.0

Version 1.13.0

What's Changed

• fix(docs): sync URL params with UI state on categories page by @​taimar in lucide-icons/lucide#4111
• feat(icons): add waves-vertical icon by @​jamiemlaw in lucide-icons/lucide#3867

Full Changelog: lucide-icons/lucide@1.12.0...1.13.0

Version 1.12.0

What's Changed

• feat(icon): add folder-bookmark icon by @​swastik7805 in lucide-icons/lucide#4262
• docs(readme): Update readme files by @​ericfennis in lucide-icons/lucide#4320
• feat(icons): added astroid icon by @​whoisBugsbunny in lucide-icons/lucide#4217

Full Changelog: lucide-icons/lucide@1.10.0...1.12.0

Version 1.11.0

What's Changed

• docs: add missing period to TypeScript Support description by @​jglu in lucide-icons/lucide#4309
• fix(@​lucide/svelte): proper doc comments for svelte components by @​blt-r in lucide-icons/lucide#4267
• chore(deps): bump svgo from 3.3.2 to 3.3.3 by @​dependabot[bot] in lucide-icons/lucide#4119
• chore(deps-dev): bump astro from 6.0.8 to 6.1.6 by @​dependabot[bot] in lucide-icons/lucide#4310
• feat(icons): add power and quick tags to zap and zap-off by @​swastik7805 in lucide-icons/lucide#4268
• test(build-font): added comprehensive unit tests on build-font tool by @​karsa-mistmere in lucide-icons/lucide#4315
• feat(docs): blur background of framework-select by @​Spleefies in lucide-icons/lucide#4238
• feat(icon): add heart-x icon by @​swastik7805 in lucide-icons/lucide#4264
• fix(icons): optimised rotate-3d icon by @​jamiemlaw in lucide-icons/lucide#4299
• feat(icons): added layers-minus icon by @​Spleefies in lucide-icons/lucide#4005
• feat(icons): added bell-check icon by @​pettelau in lucide-icons/lucide#4152

New Contributors

• @​jglu made their first contribution in lucide-icons/lucide#4309
• @​pettelau made their first contribution in lucide-icons/lucide#4152

Full Changelog: lucide-icons/lucide@1.9.0...1.11.0

Version 1.10.0

What's Changed

• docs: add missing period to TypeScript Support description by @​jglu in lucide-icons/lucide#4309
• fix(@​lucide/svelte): proper doc comments for svelte components by @​blt-r in lucide-icons/lucide#4267
• chore(deps): bump svgo from 3.3.2 to 3.3.3 by @​dependabot[bot] in lucide-icons/lucide#4119
• chore(deps-dev): bump astro from 6.0.8 to 6.1.6 by @​dependabot[bot] in lucide-icons/lucide#4310

... (truncated)

Commits

• 50d8af5 docs(readme): Update readme files (#4320)
• 653e44b feat(packages): use .mjs for ESM bundles (#4285)
• See full diff in compare view

Updates zod from 4.3.6 to 4.4.1

Release notes

Sourced from zod's releases.

v4.4.1

Commits:

• 481f7be4238c83ed58183f921b2646f340a91c6a ci: gate release publishing on full test workflow
• 95ccab423aec720b2523c3a64cdc7e3204537cc7 test(v3): restore optional undefined expectations
• cede2c63739a5823d6aa5093d291e9a111da943d fix(v4): reject tuple holes before required defaults (#5900)
• edd0bf0f5ada4a8dc581c259407d7bbad0a71ea7 release: 4.4.1
• 180d83d1dbe6a59260710cc8637a3dea2281ee56 docs: remove Jazz featured sponsor

v4.4.0

4.4.0

This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.

Potentially breaking bug fixes

Tuple defaults now materialize output values correctly

Fixed in #5661. Tuple parsing now more accurately reflects defaults, optional tails, explicit undefined, and under-filled inputs. The headline behavior is that defaults in tuple positions now properly appear in parsed output.

const schema = z.tuple([
  z.string(),
  z.string().default("fallback"),
]);
schema.parse(["a"]);
// ["a", "fallback"]

Trailing optional elements that are absent still stay absent; they are not filled with undefined.

const schema = z.tuple([
  z.string(),
  z.string().optional(),
]);
schema.parse(["a"]);
// ["a"]

But explicit undefined values supplied by the caller are preserved.

schema.parse(["a", undefined]);
// ["a", undefined]

When optional elements appear before later defaults, the parsed tuple is now dense so array operations behave predictably.

... (truncated)

Commits

• 180d83d docs: remove Jazz featured sponsor
• edd0bf0 release: 4.4.1
• cede2c6 fix(v4): reject tuple holes before required defaults (#5900)
• 95ccab4 test(v3): restore optional undefined expectations
• 481f7be ci: gate release publishing on full test workflow
• d05f026 release: 4.4.0
• f778e02 build: bump zshy for JSR wildcard exports
• 6db607b fix(release): keep JSR manifest publishable
• ad0b827 ci: update release workflow for trusted publishing
• b6066b3 fix(v4): align object and tuple optionality handling (#5661)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mogplex-docs	Ready	Preview, Comment	May 1, 2026 6:11am

[mogplex]

Mogplex PR Review

Status: No material issues found

Summary

This is a Dependabot batch update of 8 production dependencies. The diff covers only package.json and pnpm-lock.yaml version range changes — no application code modified.

Critical Issues

None. All updated packages are well-maintained with no known CVEs or security regressions in the target versions.

Notable Changes Worth Knowing

1. ai 6.0.168 → 6.0.172 includes fix(mcp): prevent prototype pollution — a security improvement.
2. @openrouter/ai-sdk-provider 2.8.0 → 2.9.0 fixes duplicate tool-call streaming events on trailing-whitespace deltas.
3. zod 4.3.6 → 4.4.1 includes "potentially breaking bug fixes" for tuple defaults and optionality alignment. This is a minor version bump and typically safe, but run your test suite to confirm no schema-parse regressions.
4. lucide-react 1.8.0 → 1.14.0 spans ~6 minor versions; new icons added only, no API breaking changes expected for existing icon usage.

Recommendations

• Run the test suite after applying this PR to catch any Zod tuple schema regressions.
• Consider tightening the zod range to ~4.4.1 if you want to avoid future minor bumps with behavioral changes, since Zod 4.x has been making correctness fixes that can change parse output.
• All other dependency updates are routine and safe to merge.

Verdict: ✅ APPROVE — No blockers. Verify tests pass, particularly any schemas that use Zod tuples with defaults.

Affected files:

• package.json
• pnpm-lock.yaml

Warnings

• Zod 4.4.x tuple default behavioral change (package.json:L44)
  The zod 4.4.0 release includes 'potentially breaking bug fixes' for tuple defaults and object/tuple optionality alignment. While this is a minor version bump, the changelog explicitly warns that code depending on previously accepted invalid or ambiguous inputs may need updates. The risk is low for most schemas, but the test suite should be run to confirm no parse output regressions.

View check run