My Release Notes

by Tiny Tools

/vercel/ai/@ai-sdk/[email protected]
@ai-sdk/[email protected]
@ai-sdk/[email protected]
ai
View on GitHubView PackagePublished: Jun 25, 2026

Release Notes

Major Changes

  • ef992f8: Remove CommonJS exports from all packages. All packages are now ESM-only ("type": "module"). Consumers using require() must switch to ESM import syntax.
  • 8359612: Start v7 pre-release

Patch Changes

  • 38fc777: Add AI Gateway hint to provider READMEs

  • 74d520f: feat: migrate providers to support new top-level reasoning parameter

  • 38010a1: Enable includeUsage for Fireworks so streaming responses report token usage

  • 7cf47d8: Add the promptCacheKey provider option for Fireworks prompt cache affinity and Kimi K2.6 model autocomplete, and remove the deprecated Kimi K2.5 serverless model from autocomplete.

  • 9f0e36c: trigger release for all packages after provenance setup

  • 8f3e1da: chore(openai-compat): update v3 specs to v4

  • aeda373: fix: only send provider credentials to same-origin response-supplied URLs

    Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

    A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

  • 7fc6bd6: Raise minimum supported Node.js version to 22. Supported versions: 22, 24, and 26.

  • 0c4c275: trigger initial canary release

  • 258c093: chore: ensure consistent import handling and avoid import duplicates or cycles

  • b8396f0: trigger initial beta release

  • 90e2d8a: chore: fix unused vars not being flagged by our lint tooling

  • b3976a2: Add workflow serialization support to all provider models.

    @ai-sdk/provider-utils: New serializeModel() helper that extracts only serializable properties from a model instance, filtering out functions and objects containing functions. Third-party provider authors can use this to add workflow support to their own models.

    All providers: headers is now optional in provider config types. This is non-breaking — existing code that passes headers continues to work. Custom provider implementations that construct model configs manually can now omit headers, which is useful when models are deserialized from a workflow step boundary where auth is provided separately.

    All provider model classes now include WORKFLOW_SERIALIZE and WORKFLOW_DESERIALIZE static methods, enabling them to cross workflow step boundaries without serialization errors.