chore(deps)(deps): bump the production-minor-and-patch group across 1 directory with 6 updates

[dependabot]

Bumps the production-minor-and-patch group with 6 updates in the / directory:

Package	From	To
@anthropic-ai/sdk	0.94.0	0.96.0
@browserbasehq/stagehand	3.3.0	3.4.0
better-sqlite3	12.9.0	12.10.0
playwright	1.59.1	1.60.0
ws	8.20.0	8.20.1
yaml	2.8.4	2.9.0

Updates @anthropic-ai/sdk from 0.94.0 to 0.96.0

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.96.0

0.96.0 (2026-05-13)

Full Changelog: sdk-v0.95.2...sdk-v0.96.0

Features

• api: Add BetaManagedAgentsSearchResultBlock types (08f02f3)
• api: Add support for cache diagnostics beta (eafbd6d)

Bug Fixes

• zod: ensure only zod/v4 types are used (#992) (9e08bcc)

Chores

• api: spec updates (27d64ef)

sdk: v0.95.2

0.95.2 (2026-05-11)

Full Changelog: sdk-v0.95.1...sdk-v0.95.2

sdk: v0.95.1

0.95.1 (2026-05-07)

Full Changelog: sdk-v0.95.0...sdk-v0.95.1

Chores

• redact api-key headers in debug logs (fad8fee)

sdk: v0.95.0

0.95.0 (2026-05-06)

Full Changelog: sdk-v0.94.0...sdk-v0.95.0

Features

• api: add support for Managed Agents multiagents and outcomes, webhooks, vault validation (e0c0e9b)

Bug Fixes

• api: Adjust webhook configuration (deed3f6)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.96.0 (2026-05-13)

Full Changelog: sdk-v0.95.2...sdk-v0.96.0

Features

• api: Add BetaManagedAgentsSearchResultBlock types (08f02f3)
• api: Add support for cache diagnostics beta (eafbd6d)

Bug Fixes

• zod: ensure only zod/v4 types are used (#992) (9e08bcc)

Chores

• api: spec updates (27d64ef)

0.95.2 (2026-05-11)

Full Changelog: sdk-v0.95.1...sdk-v0.95.2

0.95.1 (2026-05-07)

Full Changelog: sdk-v0.95.0...sdk-v0.95.1

Chores

• redact api-key headers in debug logs (fad8fee)

0.95.0 (2026-05-06)

Full Changelog: sdk-v0.94.0...sdk-v0.95.0

Features

• api: add support for Managed Agents multiagents and outcomes, webhooks, vault validation (e0c0e9b)

Bug Fixes

• api: Adjust webhook configuration (deed3f6)

Commits

• a53f60d chore: release main
• d1b8d04 feat(api): Add support for cache diagnostics beta
• 8e43bf8 chore(api): spec updates
• 697e4d5 codegen metadata
• cd5801c feat(api): Add BetaManagedAgentsSearchResultBlock types
• dce6bc7 ci: pin GitHub Actions to commit SHAs
• 4eee523 fix(zod): ensure only zod/v4 types are used (#992)
• e3bcdd4 chore: release main
• 08943f1 feat(aws): Add AWS client for Claude Platform on AWS
• 7834ceb ci(release-please): exclude subpackages from root changelog (#991)
• Additional commits viewable in compare view

Updates @browserbasehq/stagehand from 3.3.0 to 3.4.0

Release notes

Sourced from @​browserbasehq/stagehand's releases.

@​browserbasehq/stagehand@​3.4.0

Minor Changes

• #2084 0641d44 Thanks @​seanmcguire12! - add ignoreSelectors param to extract()

• #2096 a11603d Thanks @​seanmcguire12! - add ignoreSelectors to observe()

Patch Changes

• #2080 21c78b3 Thanks @​miguelg719! - Add variables support to v3 agentExecute API schema and remove experimental requirement

• #2077 f437f73 Thanks @​monadoid! - Fix frame registry handling for OOPIF pages

• #2098 a783b99 Thanks @​seanmcguire12! - bump transitive deps to patched versions

• #2089 8d2f354 Thanks @​shrey150! - Strengthen observe prompts so LLMs return complete encoded element IDs.

• #2047 a87c1fc Thanks @​tkattkat! - Set default agent mode to hybrid with auto routing to dom for non compatible models

• #2101 26e6c96 Thanks @​seanmcguire12! - move playwright-core, puppeteer-core, patchright-core from optional dependencies to peer dependencies

• #2068 1d176c4 Thanks @​filip-michalsky! - Remove the default temperature setting from v3 agent AI SDK calls so reasoning models that do not support temperature run without provider warnings.

• #2040 1fa9613 Thanks @​monadoid! - Prefer STAGEHAND_API_URL for Stagehand API overrides while retaining STAGEHAND_BASE_URL as a deprecated fallback.

• #2065 9ff70dd Thanks @​miguelg719! - Add support for CUA models: openai/gpt-5.4-mini, openai/gpt-5.5, and anthropic/claude-haiku-4-5

• #2039 7640381 Thanks @​monadoid! - Deprecate Browserbase project ID configuration.

Changelog

Sourced from @​browserbasehq/stagehand's changelog.

3.4.0

Minor Changes

• #2084 0641d44 Thanks @​seanmcguire12! - add ignoreSelectors param to extract()

• #2096 a11603d Thanks @​seanmcguire12! - add ignoreSelectors to observe()

Patch Changes

• #2080 21c78b3 Thanks @​miguelg719! - Add variables support to v3 agentExecute API schema and remove experimental requirement

• #2077 f437f73 Thanks @​monadoid! - Fix frame registry handling for OOPIF pages

• #2098 a783b99 Thanks @​seanmcguire12! - bump transitive deps to patched versions

• #2089 8d2f354 Thanks @​shrey150! - Strengthen observe prompts so LLMs return complete encoded element IDs.

• #2047 a87c1fc Thanks @​tkattkat! - Set default agent mode to hybrid with auto routing to dom for non compatible models

• #2101 26e6c96 Thanks @​seanmcguire12! - move playwright-core, puppeteer-core, patchright-core from optional dependencies to peer dependencies

• #2068 1d176c4 Thanks @​filip-michalsky! - Remove the default temperature setting from v3 agent AI SDK calls so reasoning models that do not support temperature run without provider warnings.

• #2040 1fa9613 Thanks @​monadoid! - Prefer STAGEHAND_API_URL for Stagehand API overrides while retaining STAGEHAND_BASE_URL as a deprecated fallback.

• #2065 9ff70dd Thanks @​miguelg719! - Add support for CUA models: openai/gpt-5.4-mini, openai/gpt-5.5, and anthropic/claude-haiku-4-5

• #2039 7640381 Thanks @​monadoid! - Deprecate Browserbase project ID configuration.

Commits

• 9b07e99 Version Packages (#2067)
• 26e6c96 [chore]: move integration libs into peer deps (#2101)
• a783b99 [chore]: bump various transitive deps across monorepo (#2098)
• a11603d [feat]: add ignoreSelectors to observe() (#2096)
• 8d2f354 [STG-1935] fix: strengthen observe element ID prompting (#2089)
• c4da2e2 remove default temp (#2076)
• 21c78b3 remove experimental requirement on agent variables (#2079) (#2080)
• 7640381 [STG-1808] Deprecate Browserbase project ID (#2039)
• 0641d44 [feat]: add ignoreSelectors to extract() (#2084)
• 1d176c4 remove hardcoded agent temp (#2068)
• Additional commits viewable in compare view

Updates better-sqlite3 from 12.9.0 to 12.10.0

Release notes

Sourced from better-sqlite3's releases.

v12.10.0

What's Changed

• Update SQLite to version 3.53.1 by @​JoshuaWise in WiseLibs/better-sqlite3#1467
• Add support for Node.js v26 prebuilds and remove EOL builds (Node.js v20, v23) by @​m4heshd in WiseLibs/better-sqlite3#1468
• Temporarily rollback support for Electron v42 prebuilds by @​m4heshd in WiseLibs/better-sqlite3#1470
• Enable percentile functions by @​Maxime-J in WiseLibs/better-sqlite3#1447

Full Changelog: WiseLibs/better-sqlite3@v12.9.1...v12.10.0

v12.9.1

⚠️CAUTION: NOT A VIABLE RELEASE

Electron v39+ prebuilds are not building successfully at the moment. Stick to v12.9.0 for now.

What's Changed

• Enable percentile functions by @​Maxime-J in WiseLibs/better-sqlite3#1447
• Add support for electron v42 prebuilds by @​m4heshd in WiseLibs/better-sqlite3#1466

New Contributors

• @​Maxime-J made their first contribution in WiseLibs/better-sqlite3#1447

Full Changelog: WiseLibs/better-sqlite3@v12.9.0...v12.9.1

Commits

• d8885f9 12.10.0
• 3f89324 Temporarily rollback support for Electron v42 prebuilds (#1470)
• a640028 Add support for Node.js v26 prebuilds and remove EOL builds (#1468)
• a69f03c Update SQLite to version 3.53.1 (#1467)
• d116f32 12.9.1
• 04d9b65 Add support for electron v42 prebuilds (#1466)
• ef7d940 Enable percentile functions (#1447)
• See full diff in compare view

Updates playwright from 1.59.1 to 1.60.0

Release notes

Sourced from playwright's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates ws from 8.20.0 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• See full diff in compare view

Updates yaml from 2.8.4 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.