vercel/ai @ai-sdk/black-forest-labs@2.0.0

on GitHub

Major Changes

• ef992f8: Remove CommonJS exports from all packages. All packages are now ESM-only ("type": "module"). Consumers using require() must switch to ESM import syntax.

• 8359612: Start v7 pre-release

• 04e9009: chore: make provider implementations code patterns more consistent, including renaming certain exported symbols

  For all externally exported symbols that were renamed, the old names continue to work via deprecated aliases.

Patch Changes

• 53f9cbf: fix(bfl): remove duplicate parseProviderOptions call in doGenerate

• 38fc777: Add AI Gateway hint to provider READMEs

• 9f0e36c: trigger release for all packages after provenance setup

• 23b6aca: fix(bfl): use 'image' field instead of 'input_image' for fill pro model

• aeda373: fix: only send provider credentials to same-origin response-supplied URLs

  Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

  A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

• 7fc6bd6: Raise minimum supported Node.js version to 22. Supported versions: 22, 24, and 26.

• 0c4c275: trigger initial canary release

• 258c093: chore: ensure consistent import handling and avoid import duplicates or cycles

• b8396f0: trigger initial beta release

• b3976a2: Add workflow serialization support to all provider models.

  @ai-sdk/provider-utils: New serializeModel() helper that extracts only serializable properties from a model instance, filtering out functions and objects containing functions. Third-party provider authors can use this to add workflow support to their own models.

  All providers: headers is now optional in provider config types. This is non-breaking — existing code that passes headers continues to work. Custom provider implementations that construct model configs manually can now omit headers, which is useful when models are deserialized from a workflow step boundary where auth is provided separately.

  All provider model classes now include WORKFLOW_SERIALIZE and WORKFLOW_DESERIALIZE static methods, enabling them to cross workflow step boundaries without serialization errors.