chore(deps)(deps): bump the production-minor-and-patch group across 1 directory with 7 updates

[dependabot]

Bumps the production-minor-and-patch group with 7 updates in the / directory:

Package	From	To
@anthropic-ai/sdk	0.94.0	0.100.1
@browserbasehq/stagehand	3.3.0	3.4.0
axe-core	4.11.4	4.12.0
better-sqlite3	12.9.0	12.10.0
playwright	1.59.1	1.60.0
ws	8.20.0	8.21.0
yaml	2.8.4	2.9.0

Updates @anthropic-ai/sdk from 0.94.0 to 0.100.1

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.100.1

0.100.1 (2026-05-29)

Full Changelog: sdk-v0.100.0...sdk-v0.100.1

Bug Fixes

• streaming: carry encrypted_content on beta compaction blocks (#1025) (eccddf3)

Chores

• client: update lockfiles to have proper dependencies on standardwebhooks (5e9b523)

sdk: v0.100.0

0.100.0 (2026-05-28)

Full Changelog: sdk-v0.99.0...sdk-v0.100.0

Features

• api: Add support for claude-opus-4-8, mid-conversation system blocks, and usage.output_tokens_details (bb0bf27)

Documentation

• replace literal newlines (66ba142)

sdk: v0.99.0

0.99.0 (2026-05-27)

Full Changelog: sdk-v0.98.1...sdk-v0.99.0

Features

• support custom file size caps (#1029) (814cd4c)

Bug Fixes

• streaming: carry stop_details through message_delta accumulation (#1027) (198bc27)

sdk: v0.98.1

0.98.1 (2026-05-26)

Full Changelog: sdk-v0.98.0...sdk-v0.98.1

Bug Fixes

• client: preserve directory prefix in skills.versions.create uploads (#1024) (abbcd6a)

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.100.1 (2026-05-29)

Full Changelog: sdk-v0.100.0...sdk-v0.100.1

Bug Fixes

• streaming: carry encrypted_content on beta compaction blocks (#1025) (eccddf3)

Chores

• client: update lockfiles to have proper dependencies on standardwebhooks (5e9b523)

0.100.0 (2026-05-28)

Full Changelog: sdk-v0.99.0...sdk-v0.100.0

Features

• api: Add support for claude-opus-4-8, mid-conversation system blocks, and usage.output_tokens_details (bb0bf27)

Documentation

• replace literal newlines (66ba142)

0.99.0 (2026-05-27)

Full Changelog: sdk-v0.98.1...sdk-v0.99.0

Features

• support custom file size caps (#1029) (814cd4c)

Bug Fixes

• streaming: carry stop_details through message_delta accumulation (#1027) (198bc27)

0.98.1 (2026-05-26)

Full Changelog: sdk-v0.98.0...sdk-v0.98.1

Bug Fixes

• client: preserve directory prefix in skills.versions.create uploads (#1024) (abbcd6a)

Chores

... (truncated)

Commits

• 512605f chore: release main
• d0148df codegen metadata
• 4d836b4 codegen metadata
• 323e350 codegen metadata
• ea36df7 chore(client): update lockfiles to have proper dependencies on standardwebhooks
• 0ea1922 codegen metadata
• 991d88f fix(streaming): carry encrypted_content on beta compaction blocks (#1025)
• 6f97c4d chore: release main
• 1fd7ec7 feat(api): Add support for claude-opus-4-8, mid-conversation system blocks, a...
• f5bfc10 docs: replace literal newlines
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​anthropic-ai/sdk since your current version.

Updates @browserbasehq/stagehand from 3.3.0 to 3.4.0

Release notes

Sourced from @​browserbasehq/stagehand's releases.

@​browserbasehq/stagehand@​3.4.0

Minor Changes

• #2084 0641d44 Thanks @​seanmcguire12! - add ignoreSelectors param to extract()

• #2096 a11603d Thanks @​seanmcguire12! - add ignoreSelectors to observe()

Patch Changes

• #2080 21c78b3 Thanks @​miguelg719! - Add variables support to v3 agentExecute API schema and remove experimental requirement

• #2077 f437f73 Thanks @​monadoid! - Fix frame registry handling for OOPIF pages

• #2098 a783b99 Thanks @​seanmcguire12! - bump transitive deps to patched versions

• #2089 8d2f354 Thanks @​shrey150! - Strengthen observe prompts so LLMs return complete encoded element IDs.

• #2047 a87c1fc Thanks @​tkattkat! - Set default agent mode to hybrid with auto routing to dom for non compatible models

• #2101 26e6c96 Thanks @​seanmcguire12! - move playwright-core, puppeteer-core, patchright-core from optional dependencies to peer dependencies

• #2068 1d176c4 Thanks @​filip-michalsky! - Remove the default temperature setting from v3 agent AI SDK calls so reasoning models that do not support temperature run without provider warnings.

• #2040 1fa9613 Thanks @​monadoid! - Prefer STAGEHAND_API_URL for Stagehand API overrides while retaining STAGEHAND_BASE_URL as a deprecated fallback.

• #2065 9ff70dd Thanks @​miguelg719! - Add support for CUA models: openai/gpt-5.4-mini, openai/gpt-5.5, and anthropic/claude-haiku-4-5

• #2039 7640381 Thanks @​monadoid! - Deprecate Browserbase project ID configuration.

Changelog

Sourced from @​browserbasehq/stagehand's changelog.

3.4.0

Minor Changes

• #2084 0641d44 Thanks @​seanmcguire12! - add ignoreSelectors param to extract()

• #2096 a11603d Thanks @​seanmcguire12! - add ignoreSelectors to observe()

Patch Changes

• #2080 21c78b3 Thanks @​miguelg719! - Add variables support to v3 agentExecute API schema and remove experimental requirement

• #2077 f437f73 Thanks @​monadoid! - Fix frame registry handling for OOPIF pages

• #2098 a783b99 Thanks @​seanmcguire12! - bump transitive deps to patched versions

• #2089 8d2f354 Thanks @​shrey150! - Strengthen observe prompts so LLMs return complete encoded element IDs.

• #2047 a87c1fc Thanks @​tkattkat! - Set default agent mode to hybrid with auto routing to dom for non compatible models

• #2101 26e6c96 Thanks @​seanmcguire12! - move playwright-core, puppeteer-core, patchright-core from optional dependencies to peer dependencies

• #2068 1d176c4 Thanks @​filip-michalsky! - Remove the default temperature setting from v3 agent AI SDK calls so reasoning models that do not support temperature run without provider warnings.

• #2040 1fa9613 Thanks @​monadoid! - Prefer STAGEHAND_API_URL for Stagehand API overrides while retaining STAGEHAND_BASE_URL as a deprecated fallback.

• #2065 9ff70dd Thanks @​miguelg719! - Add support for CUA models: openai/gpt-5.4-mini, openai/gpt-5.5, and anthropic/claude-haiku-4-5

• #2039 7640381 Thanks @​monadoid! - Deprecate Browserbase project ID configuration.

Commits

• 9b07e99 Version Packages (#2067)
• 26e6c96 [chore]: move integration libs into peer deps (#2101)
• a783b99 [chore]: bump various transitive deps across monorepo (#2098)
• a11603d [feat]: add ignoreSelectors to observe() (#2096)
• 8d2f354 [STG-1935] fix: strengthen observe element ID prompting (#2089)
• c4da2e2 remove default temp (#2076)
• 21c78b3 remove experimental requirement on agent variables (#2079) (#2080)
• 7640381 [STG-1808] Deprecate Browserbase project ID (#2039)
• 0641d44 [feat]: add ignoreSelectors to extract() (#2084)
• 1d176c4 remove hardcoded agent temp (#2068)
• Additional commits viewable in compare view

Updates axe-core from 4.11.4 to 4.12.0

Release notes

Sourced from axe-core's releases.

Release 4.12.0

In this release you'll find:

1. A new aria-tab-name rule that tests role="tab" elements have an accessible name
2. The landmark-complementary-is-top-level rule is deprecated, as ARIA no longer requires this
3. Preparations for Element Internal support (behind a feature flag)
4. Various other bug fixes for target-size, scrollable-region-focusable, and more

This release can see reveal new issues, as well as close out a few existing ones that might have come from false positives or the now deprecated rule.

Features

• add gather-internals.js external script (#5099) (c61d58b), closes #5080
• aria-allowed/prohibited-attr, aria-required-parent/children: partially support element internals role (#5080) (417b48a), closes #5039 #4259
• axe.externalAPIs: add public api for setting elementInternal data (#5105) (63bab8f)
• core: expose normalizeRunOptions (#4998) (b8e6a59)
• expose axe.resetLocale() to restore the default locale (#5108) (c2b5292), closes #5107
• getRules: include rule enabled state in returned objects (#5118) (75bf772), closes #5116
• list,listitem: support element internals role (#5119) (7d9d696)
• new-rule: check that aria-tab have an accessible name (#5001) (0d4e4e7), closes #4842
• rules: deprecate landmark-complementary-is-top-level rules (#4992) (9e09139), closes #4950
• utils: add getElementInternals function (#5077) (1c15f82)

Bug Fixes

• aria-allowed-attr: restrict br and wbr elements to aria-hidden only (#4974) (c6245e7)
• aria-conditional-attr: add support for radio (#5100) (8223c98)
• aria-valid-attr-value: handle multiple aria-errormessage IDs (#4973) (0489e30)
• aria: prevent getOwnedVirtual from returning duplicate nodes (#4987) (48ca955), closes #4840
• commons/text: exclude natively hidden elements from aria-labelledby accessible name (#5076) (ea7202c), closes #4704
• DqElement: avoid calling constructors with cloneNode (#5013) (0281fa1)
• existing-rule: aria-busy now shows an error message for a use with unallowed children (#5017) (2067b87)
• helpUrl: ensure axe.configure always updates the help URLs (#5114) (c4f60ff)
• label-content-name-mismatch: match visible text with aria-label and exclude invisible text (#5096) (3a012a1)
• locale: ensure all subtags are correctly set (#5112) (13005ed)
• scrollable-region-focusable: clarify the issue is in safari (#4995) (4ec5211), closes WebKit#190870 WebKit#277290
• scrollable-region-focusable: do not fail scroll areas when all content is visible without scrolling (#4993) (838707a)
• target-size: determine offset using clientRects if target is display:inline (#5012) (a4b8091)
• target-size: ignore position: fixed elements that are offscreen when page is scrolled (#5066) (1229a6e), closes #5065
• target-size: ignore widgets that are inline with other inline elements (#5000) (a8dd81b)
• utils/getAncestry: escape node name (#5079) (d1fabaa), closes #5078
• utils: Add null check to parseCrossOriginStylesheet, closes #5074 (#5075) (f12ef32)
• utils: update isShadowRoot to use spec-compliant custom element regex (#5059) (edc6ce2), closes #5030

Changelog

Sourced from axe-core's changelog.

4.12.0 (2026-06-01)

Features

• add gather-internals.js external script (#5099) (c61d58b), closes #5080
• aria-allowed/prohibited-attr, aria-required-parent/children: partially support element internals role (#5080) (417b48a), closes #5039 #4259
• axe.externalAPIs: add public api for setting elementInternal data (#5105) (63bab8f)
• core: expose normalizeRunOptions (#4998) (b8e6a59)
• expose axe.resetLocale() to restore the default locale (#5108) (c2b5292), closes #5107
• getRules: include rule enabled state in returned objects (#5118) (75bf772), closes #5116
• list,listitem: support element internals role (#5119) (7d9d696)
• new-rule: check that aria-tab have an accessible name (#5001) (0d4e4e7), closes #4842
• rules: deprecate landmark-complementary-is-top-level rules (#4992) (9e09139), closes #4950
• utils: add getElementInternals function (#5077) (1c15f82)

Bug Fixes

• aria-allowed-attr: restrict br and wbr elements to aria-hidden only (#4974) (c6245e7)
• aria-conditional-attr: add support for radio (#5100) (8223c98)
• aria-valid-attr-value: handle multiple aria-errormessage IDs (#4973) (0489e30)
• aria: prevent getOwnedVirtual from returning duplicate nodes (#4987) (48ca955), closes #4840
• commons/text: exclude natively hidden elements from aria-labelledby accessible name (#5076) (ea7202c), closes #4704
• DqElement: avoid calling constructors with cloneNode (#5013) (0281fa1)
• existing-rule: aria-busy now shows an error message for a use with unallowed children (#5017) (2067b87)
• helpUrl: ensure axe.configure always updates the help URLs (#5114) (c4f60ff)
• label-content-name-mismatch: match visible text with aria-label and exclude invisible text (#5096) (3a012a1)
• locale: ensure all subtags are correctly set (#5112) (13005ed)
• scrollable-region-focusable: clarify the issue is in safari (#4995) (4ec5211), closes WebKit#190870 WebKit#277290
• scrollable-region-focusable: do not fail scroll areas when all content is visible without scrolling (#4993) (838707a)
• target-size: determine offset using clientRects if target is display:inline (#5012) (a4b8091)
• target-size: ignore position: fixed elements that are offscreen when page is scrolled (#5066) (1229a6e), closes #5065
• target-size: ignore widgets that are inline with other inline elements (#5000) (a8dd81b)
• utils/getAncestry: escape node name (#5079) (d1fabaa), closes #5078
• utils: Add null check to parseCrossOriginStylesheet, closes #5074 (#5075) (f12ef32)
• utils: update isShadowRoot to use spec-compliant custom element regex (#5059) (edc6ce2), closes #5030

Commits

• e260c7e ci: continue-on-error for text_examples (#5124)
• 90e6c45 ci: continue-on-error for text_examples
• 0016ef9 chore(release): v4.12.0 (#5122)
• 1e9df5a chore(release): 4.12.0
• 75bf772 feat(getRules): include rule enabled state in returned objects (#5118)
• c621011 docs(check-options): fix duplicate "the" (passLength/failLength rows) (#5113)
• f12ef32 fix(utils): Add null check to parseCrossOriginStylesheet, closes #5074 (#5075)
• 7d9d696 feat(list,listitem): support element internals role (#5119)
• c01a37d ci: ignore gather-internals.js from import deploy validation (#5110)
• edc6ce2 fix(utils): update isShadowRoot to use spec-compliant custom element regex (#...
• Additional commits viewable in compare view

Updates better-sqlite3 from 12.9.0 to 12.10.0

Release notes

Sourced from better-sqlite3's releases.

v12.10.0

What's Changed

• Update SQLite to version 3.53.1 by @​JoshuaWise in WiseLibs/better-sqlite3#1467
• Add support for Node.js v26 prebuilds and remove EOL builds (Node.js v20, v23) by @​m4heshd in WiseLibs/better-sqlite3#1468
• Temporarily rollback support for Electron v42 prebuilds by @​m4heshd in WiseLibs/better-sqlite3#1470
• Enable percentile functions by @​Maxime-J in WiseLibs/better-sqlite3#1447

Full Changelog: WiseLibs/better-sqlite3@v12.9.1...v12.10.0

v12.9.1

⚠️CAUTION: NOT A VIABLE RELEASE

Electron v39+ prebuilds are not building successfully at the moment. Stick to v12.9.0 for now.

What's Changed

• Enable percentile functions by @​Maxime-J in WiseLibs/better-sqlite3#1447
• Add support for electron v42 prebuilds by @​m4heshd in WiseLibs/better-sqlite3#1466

New Contributors

• @​Maxime-J made their first contribution in WiseLibs/better-sqlite3#1447

Full Changelog: WiseLibs/better-sqlite3@v12.9.0...v12.9.1

Commits

• d8885f9 12.10.0
• 3f89324 Temporarily rollback support for Electron v42 prebuilds (#1470)
• a640028 Add support for Node.js v26 prebuilds and remove EOL builds (#1468)
• a69f03c Update SQLite to version 3.53.1 (#1467)
• d116f32 12.9.1
• 04d9b65 Add support for electron v42 prebuilds (#1466)
• ef7d940 Enable percentile functions (#1447)
• See full diff in compare view

Updates playwright from 1.59.1 to 1.60.0

Release notes

Sourced from playwright's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates ws from 8.20.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• See full diff in compare view

Updates yaml from 2.8.4 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.