@ai-sdk/[email protected]
@ai-sdk/[email protected]
ai
Release Notes
Patch Changes
48e7e78: Harden MCP Apps handling of server-supplied resource metadata and the host/iframe bridge:
- Runtime-validate
_meta.uiand drop malformed or non-string fields. - Gate iframe permissions deny-by-default via a new
sandbox.allowedPermissionsallowlist. - Derive a concrete
postMessagetarget origin and validate inbound message origins. - Validate inbound bridge params: limit
resources/readtoui://resources and allow onlyhttps/http/mailtoinui/open-link. - Add
fingerprintMCPAppResource/detectMCPAppResourceDriftfor pinning and comparing app resources.
- Runtime-validate
Updated dependencies [48e7e78]
- @ai-sdk/[email protected]