vercel/ai @ai-sdk/fireworks@3.0.0

on GitHub

Major Changes

• ef992f8: Remove CommonJS exports from all packages. All packages are now ESM-only ("type": "module"). Consumers using require() must switch to ESM import syntax.
• 8359612: Start v7 pre-release

Patch Changes

• 38fc777: Add AI Gateway hint to provider READMEs

• 74d520f: feat: migrate providers to support new top-level reasoning parameter

• 38010a1: Enable includeUsage for Fireworks so streaming responses report token usage

• 7cf47d8: Add the promptCacheKey provider option for Fireworks prompt cache affinity
  and Kimi K2.6 model autocomplete, and remove the deprecated Kimi K2.5
  serverless model from autocomplete.

• 9f0e36c: trigger release for all packages after provenance setup

• 8f3e1da: chore(openai-compat): update v3 specs to v4

• aeda373: fix: only send provider credentials to same-origin response-supplied URLs

  Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as polling_url, urls.get, result_url, result.sample, or video.uri) and reused the authenticated headers — or appended ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.

  A new isSameOrigin helper is added to @ai-sdk/provider-utils, and the affected fetches in @ai-sdk/black-forest-labs, @ai-sdk/fireworks, @ai-sdk/replicate, @ai-sdk/gladia, @ai-sdk/fal, and @ai-sdk/google now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.

• 7fc6bd6: Raise minimum supported Node.js version to 22. Supported versions: 22, 24, and 26.

• 0c4c275: trigger initial canary release

• 258c093: chore: ensure consistent import handling and avoid import duplicates or cycles

• b8396f0: trigger initial beta release

• 90e2d8a: chore: fix unused vars not being flagged by our lint tooling

• b3976a2: Add workflow serialization support to all provider models.

  @ai-sdk/provider-utils: New serializeModel() helper that extracts only serializable properties from a model instance, filtering out functions and objects containing functions. Third-party provider authors can use this to add workflow support to their own models.

  All providers: headers is now optional in provider config types. This is non-breaking — existing code that passes headers continues to work. Custom provider implementations that construct model configs manually can now omit headers, which is useful when models are deserialized from a workflow step boundary where auth is provided separately.

  All provider model classes now include WORKFLOW_SERIALIZE and WORKFLOW_DESERIALIZE static methods, enabling them to cross workflow step boundaries without serialization errors.