build(deps): bump ai from 3.4.33 to 6.0.116 in the npm_and_yarn group across 1 directory

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: ai.

Updates ai from 3.4.33 to 6.0.116

Release notes

Sourced from ai's releases.

ai@6.0.116

Patch Changes

• ad4cfc2: Add URL validation to downloadBlob and download to prevent blind SSRF attacks. Private/internal IP addresses, localhost, and non-HTTP protocols are now rejected before fetching.
• Updated dependencies [ad4cfc2]
  • @​ai-sdk/provider-utils@​4.0.19
  • @​ai-sdk/gateway@​3.0.66

ai@6.0.115

Patch Changes

• Updated dependencies [824b295]
  • @​ai-sdk/provider-utils@​4.0.18
  • @​ai-sdk/gateway@​3.0.65

ai@5.0.150

Patch Changes

• Updated dependencies [ee7582f]
  • @​ai-sdk/gateway@​2.0.55

ai@5.0.149

Patch Changes

• c66afc5: fix(security): validate redirect targets in download functions to prevent SSRF bypass

  download now validates the final URL after following HTTP redirects, preventing attackers from bypassing SSRF protections via open redirects to internal/private addresses.

ai@5.0.148

Patch Changes

• Updated dependencies [392dc94]
  • @​ai-sdk/gateway@​2.0.54

ai@5.0.147

Patch Changes

• Updated dependencies [7a57a71]
  • @​ai-sdk/gateway@​2.0.53

ai@5.0.146

Patch Changes

• 6a2f01b: Add URL validation to download to prevent blind SSRF attacks. Private/internal IP addresses, localhost, and non-HTTP protocols are now rejected before fetching.
• Updated dependencies [6a2f01b]
• Updated dependencies [17d64e3]
  • @​ai-sdk/provider-utils@​3.0.22
  • @​ai-sdk/gateway@​2.0.52

Commits

• 035d5ad Version Packages (#13087)
• 3fb4e70 feat(provider/anthropic): support fine-grained tool streaming with eagerInput...
• ad4cfc2 fix(security): add URL validation to prevent SSRF in download functions (#13085)
• 4f7ec7f Version Packages (#13084)
• 824b295 fix(provider-utils): prevent unicode escape bypass in secureJsonParse (#13079)
• 7579667 Version Packages (#13074)
• d5801fe fix(xai): ensure strict mode for tools (#12996)
• e70bec4 Version Packages (#13073)
• 89d8b45 fix(google): make urlMetadata optional in urlContextMetadata schema (#12701)
• 39d0544 Version Packages (#13072)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.