🚀 Socket Launch Week Day 4:Socket MCP Adds Org Alerts, Threat Feed Review, and Package Inspection.Learn more
Sign In

@ai-sdk/provider-utils

Package Overview
Dependencies
Maintainers
3
Versions
297
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@ai-sdk/provider-utils - npm Package Compare versions

Comparing version
4.0.27
 to
4.0.28
+10
-0
CHANGELOG.md
# @ai-sdk/provider-utils
## 4.0.28
### Patch Changes
- 942f2f8: fix(security): re-validate tool approvals from client message history before execution
The approval-replay path in `generateText`/`streamText` reconstructed approved tool calls from the client-supplied messages array and executed them without re-validating input against the tool's schema or re-checking that the tool actually requires approval. A client could forge an assistant message with a pre-approved tool-call part and have the server execute a tool with attacker-chosen arguments.
The replay path now verifies the HMAC signature (when `experimental_toolApprovalSecret` is configured), re-validates tool-call input against the tool's input schema, and re-resolves whether the tool requires approval before execution.
## 4.0.27

@@ -4,0 +14,0 @@ 

+5
-0
dist/index.d.mts

@@ -877,2 +877,7 @@ import { LanguageModelV3FunctionTool, LanguageModelV3ProviderTool, ImageModelV3File, AISDKError, JSONSchema7, JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV3Prompt, SharedV3ProviderOptions, JSONObject, TypeValidationContext } from '@ai-sdk/provider';

toolCallId: string;
/**
* HMAC-SHA256 signature binding this approval to its tool call.
* Present only when `experimental_toolApprovalSecret` is configured.
*/
signature?: string;
};

@@ -879,0 +884,0 @@ 

+5
-0
dist/index.d.ts

@@ -877,2 +877,7 @@ import { LanguageModelV3FunctionTool, LanguageModelV3ProviderTool, ImageModelV3File, AISDKError, JSONSchema7, JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV3Prompt, SharedV3ProviderOptions, JSONObject, TypeValidationContext } from '@ai-sdk/provider';

toolCallId: string;
/**
* HMAC-SHA256 signature binding this approval to its tool call.
* Present only when `experimental_toolApprovalSecret` is configured.
*/
signature?: string;
};

@@ -879,0 +884,0 @@ 

+1
-1
package.json
{
"name": "@ai-sdk/provider-utils",
"version": "4.0.27",
"version": "4.0.28",
"license": "Apache-2.0",

@@ -5,0 +5,0 @@ "sideEffects": false,

+6
-0
src/types/tool-approval-request.ts

@@ -16,2 +16,8 @@ /**

toolCallId: string;
/**
* HMAC-SHA256 signature binding this approval to its tool call.
* Present only when `experimental_toolApprovalSecret` is configured.
*/
signature?: string;
};
dist/index.js

Sorry, the diff of this file is too big to display

dist/index.mjs

Sorry, the diff of this file is too big to display