Major Changes
-
ef992f8: Remove CommonJS exports from all packages. All packages are now ESM-only (
"type": "module"). Consumers usingrequire()must switch to ESMimportsyntax. -
8359612: Start v7 pre-release
-
04e9009: chore: make provider implementations code patterns more consistent, including renaming certain exported symbols
For all externally exported symbols that were renamed, the old names continue to work via deprecated aliases.
Patch Changes
-
38fc777: Add AI Gateway hint to provider READMEs
-
9f0e36c: trigger release for all packages after provenance setup
-
aeda373: fix: only send provider credentials to same-origin response-supplied URLs
Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as
polling_url,urls.get,result_url,result.sample, orvideo.uri) and reused the authenticated headers — or appended?key=<API_KEY>— on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.A new
isSameOriginhelper is added to@ai-sdk/provider-utils, and the affected fetches in@ai-sdk/black-forest-labs,@ai-sdk/fireworks,@ai-sdk/replicate,@ai-sdk/gladia,@ai-sdk/fal, and@ai-sdk/googlenow attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential. -
7fc6bd6: Raise minimum supported Node.js version to 22. Supported versions: 22, 24, and 26.
-
0c4c275: trigger initial canary release
-
258c093: chore: ensure consistent import handling and avoid import duplicates or cycles
-
b8396f0: trigger initial beta release
-
90e2d8a: chore: fix unused vars not being flagged by our lint tooling
-
b3976a2: Add workflow serialization support to all provider models.
@ai-sdk/provider-utils: NewserializeModel()helper that extracts only serializable properties from a model instance, filtering out functions and objects containing functions. Third-party provider authors can use this to add workflow support to their own models.All providers:
headersis now optional in provider config types. This is non-breaking — existing code that passesheaderscontinues to work. Custom provider implementations that construct model configs manually can now omitheaders, which is useful when models are deserialized from a workflow step boundary where auth is provided separately.All provider model classes now include
WORKFLOW_SERIALIZEandWORKFLOW_DESERIALIZEstatic methods, enabling them to cross workflow step boundaries without serialization errors.