chore(deps): update bump-dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Update	Pending
@anthropic-ai/claude-code	2.1.121 → 2.1.126			patch	2.1.131 (+2)
@google/gemini-cli	0.39.1 → 0.40.1			minor	0.41.1 (+1)
go (source)	1.26.1 → 1.26.2			patch
opencode-ai	1.14.28 → 1.14.33			patch	1.14.39 (+5)

---

Release Notes

anthropics/claude-code (@​anthropic-ai/claude-code)

v2.1.126

• The /model picker now lists models from your gateway's /v1/models endpoint when ANTHROPIC_BASE_URL points at an Anthropic-compatible gateway
• • Added claude project purge [path] to delete all Claude Code state for a project (transcripts, tasks, file history, config entry) — supports --dry-run, -y/--yes, -i/--interactive, and --all
• --dangerously-skip-permissions now bypasses prompts for writes to .claude/, .git/, .vscode/, shell config files, and other previously-protected paths (catastrophic removal commands still prompt as a safety net)
• claude auth login now accepts the OAuth code pasted into the terminal when the browser callback can't reach localhost (WSL2, SSH, containers)
• claude_code.skill_activated OpenTelemetry event now fires for user-typed slash commands and carries a new invocation_trigger attribute ("user-slash", "claude-proactive", or "nested-skill")
• Auto mode: the spinner now turns red when a permission check stalls, instead of looking like the tool is running
• Host-managed deployments (CLAUDE_CODE_PROVIDER_MANAGED_BY_HOST) no longer auto-disable analytics on Bedrock/Vertex/Foundry
• Windows: PowerShell 7 installed via the Microsoft Store, MSI without PATH, or .NET global tool is now detected
• Windows: when the PowerShell tool is enabled, Claude now treats PowerShell as the primary shell instead of defaulting to Bash
• Read tool: removed the per-file malware-assessment reminder that could cause spurious refusals and "this is not malware" commentary on legacy models
• Security: Fixed allowManagedDomainsOnly / allowManagedReadPathsOnly being ignored when a higher-priority managed-settings source lacked a sandbox block
• Fixed pasting an image larger than 2000px breaking the session — images are now downscaled on paste, and oversized images in history are automatically removed and the request retried
• Fixed showing the login screen for "OAuth not allowed for organization" errors — now shows guidance to contact your admin
• Fixed OAuth login failing with timeout on slow or proxied connections, in IPv6-only devcontainers, and when the browser callback can't reach localhost
• Fixed a rare race where a concurrent credential write could clear a valid OAuth refresh token
• Fixed API retry countdown sticking at "0s" instead of counting down between attempts
• Fixed "Stream idle timeout" error after waking Mac from sleep mid-request
• Fixed background and remote sessions falsely aborting with "Stream idle timeout" during long model thinking pauses
• Fixed a hang where the assistant could finish thinking but show no output after a run of empty turns
• Fixed overly fast trackpad scrolling in Cursor and VS Code 1.92–1.104 integrated terminals
• Fixed claude.ai MCP connectors being suppressed by manual servers stuck in needs-auth state
• Fixed Japanese/Korean/Chinese text rendering as garbled characters on Windows in no-flicker mode
• Fixed Ctrl+L clearing the prompt input — it now only forces a screen redraw, matching readline behavior
• Fixed deferred tools (WebSearch, WebFetch, etc.) not being available to skills with context: fork and other subagents on their first turn
• Fixed plan-mode tools being unavailable in interactive sessions launched with --channels
• Fixed /plugin Uninstall reporting "Enabled" instead of "Uninstalled"
• Bounded total size of file-modified reminders when a linter touches many files at once
• Fixed /remote-control retries appearing stuck on "connecting…" — each retry now shows its result
• Fixed Remote Control failure notification not showing the error reason for initial connection failures
• Windows: clipboard writes no longer expose copied content in process command-line arguments visible to EDR/SIEM telemetry; also fixes >22KB selections not reaching the clipboard
• PowerShell tool: bare -- (e.g. git diff -- file) is no longer mis-flagged as the --% stop-parsing token
• Fixed Agent SDK hang when the model emits a malformed tool name in a parallel tool call batch

v2.1.123

Compare Source

• Fixed OAuth authentication failing with a 401 retry loop when CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS=1 is set

v2.1.122

Compare Source

• Added ANTHROPIC_BEDROCK_SERVICE_TIER environment variable to select a Bedrock service tier (default, flex, or priority), sent as the X-Amzn-Bedrock-Service-Tier header
• Pasting a PR URL into the /resume search box now finds the session that created that PR (GitHub, GitHub Enterprise, GitLab, and Bitbucket)
• /mcp now shows claude.ai connectors hidden by a manually-added server with the same URL, with a hint to remove the duplicate
• Clarified the /mcp message shown when an MCP server is still unauthorized after the browser sign-in flow
• OpenTelemetry: numeric attributes on api_request/api_error log events are now emitted as numbers, not strings
• OpenTelemetry: added claude_code.at_mention log event for @-mention resolution
• Fixed /branch producing forks that fail with "tool_use ids were found without tool_result blocks" when the source session contained entries from rewound timelines
• Fixed /model not showing the Effort option for Bedrock application inference profile ARNs, and those ARNs not receiving output_config.effort
• Fixed Vertex AI / Bedrock returning invalid_request_error: output_config: Extra inputs are not permitted on session-title generation and other structured-output queries
• Fixed Vertex AI count_tokens endpoint returning 400 errors for users behind proxy gateways
• Fixed spinnerTipsOverride.excludeDefault not suppressing the time-based spinner tips
• Fixed ToolSearch missing MCP tools that connected after session start in nonblocking mode
• Fixed !exit / !quit in bash mode terminating the CLI instead of running as a shell command
• Fixed images sent to newer models being resized to 2576px per side instead of the correct 2000px maximum
• Fixed remote control session idle status redrawing twice per second, which could flood tmux -CC control pipes and pause the terminal
• Fixed assistant messages appearing blank in some sessions due to a stale view preference
• Fixed a malformed hooks entry in settings.json no longer invalidating the entire file
• Voice mode: keybindings bound to Caps Lock now show an error since terminals don't deliver Caps Lock as a key event

google-gemini/gemini-cli (@​google/gemini-cli)

v0.40.1

Compare Source

What's Changed

• fix(patch): cherry-pick 2194da2 to release/v0.40.0-pr-26153 to patch version v0.40.0 and create version 0.40.1 by @​gemini-cli-robot in #​26268

Full Changelog: google-gemini/gemini-cli@v0.40.0...v0.40.1

v0.40.0

Compare Source

What's Changed

• chore(release): bump version to 0.40.0-nightly.20260414.g5b1f7375a by @​gemini-cli-robot in #​25420
• Fix(core): retry additional OpenSSL 3.x SSL errors during streaming (#​16075) by @​rcleveng in #​25187
• fix(core): prevent YOLO mode from being downgraded by @​galz10 in #​25341
• feat: bundle ripgrep binaries into SEA for offline support by @​scidomino in #​25342
• Changelog for v0.39.0-preview.0 by @​gemini-cli-robot in #​25417
• feat(test): add large conversation scenario for performance test by @​cynthialong0-0 in #​25331
• improve(core): require recurrence evidence before extracting skills by @​SandyTao520 in #​25147
• test(evals): add subagent delegation evaluation tests by @​anj-s in #​24619
• feat: add github colorblind themes by @​Z1xus in #​15504
• fix(core): honor GOOGLE_GEMINI_BASE_URL and GOOGLE_VERTEX_BASE_URL by @​chrisjcthomas in #​25357
• fix(cli): clean up slash command IDE listeners by @​jasonmatthewsuhari in #​24397
• Changelog for v0.38.0 by @​gemini-cli-robot in #​25470
• fix(evals): update eval tests for invoke_agent telemetry and project-scoped memory by @​SandyTao520 in #​25502
• Changelog for v0.38.1 by @​gemini-cli-robot in #​25476
• feat(core): integrate skill-creator into skill extraction agent by @​SandyTao520 in #​25421
• feat(cli): provide default post-submit prompt for skill command by @​ruomengz in #​25327
• feat(core): add tools to list and read MCP resources by @​ruomengz in #​25395
• fix(evals): add typecheck coverage for evals, integration-tests, and memory-tests by @​SandyTao520 in #​25480
• Use OSC 777 for terminal notifications by @​jackyliuxx in #​25300
• fix(extensions): fix bundling for examples by @​abhipatel12 in #​25542
• fix(cli): reset plan session state on /clear by @​jasonmatthewsuhari in #​25515
• feat(core): add .mdx support to get-internal-docs tool by @​g-samroberts in #​25090
• docs(policy): mention that workspace policies are broken by @​6112 in #​24367
• fix(core): allow explicit write permissions to override governance file protections in sandboxes by @​galz10 in #​25338
• feat(sandbox): resolve custom seatbelt profiles from $HOME/.gemini first by @​mvanhorn in #​25427
• Reduce blank lines. by @​gundermanc in #​25563
• fix(ui): revert preview theme on dialog unmount by @​JayadityaGit in #​22542
• fix(core): fix ShellExecutionConfig spread and add ProjectRegistry save backoff by @​mahimashanware in #​25382
• feat(core): Disable topic updates for subagents by @​gundermanc in #​25567
• feat(core): enable topic update narration by default and promote to general by @​gundermanc in #​25586
• docs: migrate installation and authentication to mdx with tabbed layouts by @​g-samroberts in #​25155
• feat(config): split memoryManager flag into autoMemory by @​SandyTao520 in #​25601
• fix(core): allow Cloud Shell users to use PRO_MODEL_NO_ACCESS experiment by @​sehoon38 in #​25702
• fix(cli): round slow render latency to avoid opentelemetry float warning by @​scidomino in #​25709
• docs(tracker): introduce experimental task tracker feature by @​anj-s in #​24556
• docs(cli): fix inconsistent system.md casing in system prompt docs by @​Bodlux in #​25414
• feat(cli): add streamlined gemini gemma local model setup by @​Samee24 in #​25498
• Changelog for v0.38.2 by @​gemini-cli-robot in #​25593
• Fix: Disallow overriding IDE stdio via workspace .env (RCE) by @​M0nd0R in #​25022
• feat(test): refactor the memory usage test to use metrics from CLI process instead of test runner by @​cynthialong0-0 in #​25708
• feat(vertex): add settings for Vertex AI request routing by @​gordonhwc in #​25513
• Fix/allow for session persistence by @​ahsanfarooq210 in #​25176
• Allow dots on GEMINI_API_KEY by @​DKbyo in #​25497
• feat(telemetry): add flag for enabling traces specifically by @​spencer426 in #​25343
• fix(core): resolve nested plan directory duplication and relative path policies by @​mahimashanware in #​25138
• feat: detect new files in @​ recommendations with watcher based updates by @​prassamin in #​25256
• fix(cli): use newline in shell command wrapping to avoid breaking heredocs by @​cocosheng-g in #​25537
• fix(cli): ensure theme dialog labels are rendered for all themes by @​JayadityaGit in #​24599
• fix(core): disable detached mode in Bun to prevent immediate SIGHUP of child processes by @​euxaristia in #​22620
• feat: add /new as alias for /clear and refine command description by @​ved015 in #​17865
• fix(cli): start auto memory in ACP sessions by @​jasonmatthewsuhari in #​25626
• fix(core): remove duplicate initialize call on agents refreshed by @​adamfweidman in #​25670
• test(e2e): default integration tests to Flash Preview by @​SandyTao520 in #​25753
• refactor(memory): replace MemoryManagerAgent with prompt-driven memory editing across four tiers by @​SandyTao520 in #​25716
• fix(cli): fix "/clear (new)" command by @​mini2s in #​25801
• fix(core): use dynamic CLI version for IDE client instead of hardcoded '1.0.0' by @​thekishandev in #​24414
• fix(core): handle line endings in ignore file parsing by @​xoma-zver in #​23895
• Fix/command injection shell by @​Famous077 in #​24170
• fix(ui): removed background color for input by @​devr0306 in #​25339
• fix(devtools): reduce memory usage and defer connection by @​SandyTao520 in #​24496
• fix(core): support jsonl session logs in memory and summary services by @​SandyTao520 in #​25816
• fix(release): exclude ripgrep binaries from npm tarballs by @​SandyTao520 in #​25841
• fix(patch): cherry-pick 048bf6e to release/v0.40.0-preview.3-pr-25941 to patch version v0.40.0-preview.3 and create version 0.40.0-preview.4 by @​gemini-cli-robot in #​25942
• fix(patch): cherry-pick 54b7586 to release/v0.40.0-preview.4-pr-26066 [CONFLICTS] by @​gemini-cli-robot in #​26124

New Contributors

• @​rcleveng made their first contribution in #​25187
• @​Z1xus made their first contribution in #​15504
• @​jackyliuxx made their first contribution in #​25300
• @​6112 made their first contribution in #​24367
• @​mvanhorn made their first contribution in #​25427
• @​Bodlux made their first contribution in #​25414
• @​M0nd0R made their first contribution in #​25022
• @​gordonhwc made their first contribution in #​25513
• @​ahsanfarooq210 made their first contribution in #​25176
• @​DKbyo made their first contribution in #​25497
• @​prassamin made their first contribution in #​25256
• @​mini2s made their first contribution in #​25801
• @​thekishandev made their first contribution in #​24414
• @​xoma-zver made their first contribution in #​23895

Full Changelog: google-gemini/gemini-cli@v0.39.1...v0.40.0

v0.40.0-preview.5

Compare Source

What's Changed

• fix(patch): cherry-pick 54b7586 to release/v0.40.0-preview.4-pr-26066 [CONFLICTS] by @​gemini-cli-robot in #​26124

Full Changelog: google-gemini/gemini-cli@v0.40.0-preview.4...v0.40.0-preview.5

v0.40.0-preview.4

Compare Source

What's Changed

• fix(patch): cherry-pick 048bf6e to release/v0.40.0-preview.3-pr-25941 to patch version v0.40.0-preview.3 and create version 0.40.0-preview.4 by @​gemini-cli-robot in #​25942

Full Changelog: google-gemini/gemini-cli@v0.40.0-preview.3...v0.40.0-preview.4

v0.40.0-preview.3

Compare Source

Full Changelog: google-gemini/gemini-cli@v0.40.0-preview.2...v0.40.0-preview.3

v0.40.0-preview.2

Compare Source

What's Changed

• chore(release): bump version to 0.40.0-nightly.20260414.g5b1f7375a by @​gemini-cli-robot in #​25420
• Fix(core): retry additional OpenSSL 3.x SSL errors during streaming (#​16075) by @​rcleveng in #​25187
• fix(core): prevent YOLO mode from being downgraded by @​galz10 in #​25341
• feat: bundle ripgrep binaries into SEA for offline support by @​scidomino in #​25342
• Changelog for v0.39.0-preview.0 by @​gemini-cli-robot in #​25417
• feat(test): add large conversation scenario for performance test by @​cynthialong0-0 in #​25331
• improve(core): require recurrence evidence before extracting skills by @​SandyTao520 in #​25147
• test(evals): add subagent delegation evaluation tests by @​anj-s in #​24619
• feat: add github colorblind themes by @​Z1xus in #​15504
• fix(core): honor GOOGLE_GEMINI_BASE_URL and GOOGLE_VERTEX_BASE_URL by @​chrisjcthomas in #​25357
• fix(cli): clean up slash command IDE listeners by @​jasonmatthewsuhari in #​24397
• Changelog for v0.38.0 by @​gemini-cli-robot in #​25470
• fix(evals): update eval tests for invoke_agent telemetry and project-scoped memory by @​SandyTao520 in #​25502
• Changelog for v0.38.1 by @​gemini-cli-robot in #​25476
• feat(core): integrate skill-creator into skill extraction agent by @​SandyTao520 in #​25421
• feat(cli): provide default post-submit prompt for skill command by @​ruomengz in #​25327
• feat(core): add tools to list and read MCP resources by @​ruomengz in #​25395
• fix(evals): add typecheck coverage for evals, integration-tests, and memory-tests by @​SandyTao520 in #​25480
• Use OSC 777 for terminal notifications by @​jackyliuxx in #​25300
• fix(extensions): fix bundling for examples by @​abhipatel12 in #​25542
• fix(cli): reset plan session state on /clear by @​jasonmatthewsuhari in #​25515
• feat(core): add .mdx support to get-internal-docs tool by @​g-samroberts in #​25090
• docs(policy): mention that workspace policies are broken by @​6112 in #​24367
• fix(core): allow explicit write permissions to override governance file protections in sandboxes by @​galz10 in #​25338
• feat(sandbox): resolve custom seatbelt profiles from $HOME/.gemini first by @​mvanhorn in #​25427
• Reduce blank lines. by @​gundermanc in #​25563
• fix(ui): revert preview theme on dialog unmount by @​JayadityaGit in #​22542
• fix(core): fix ShellExecutionConfig spread and add ProjectRegistry save backoff by @​mahimashanware in #​25382
• feat(core): Disable topic updates for subagents by @​gundermanc in #​25567
• feat(core): enable topic update narration by default and promote to general by @​gundermanc in #​25586
• docs: migrate installation and authentication to mdx with tabbed layouts by @​g-samroberts in #​25155
• feat(config): split memoryManager flag into autoMemory by @​SandyTao520 in #​25601
• fix(core): allow Cloud Shell users to use PRO_MODEL_NO_ACCESS experiment by @​sehoon38 in #​25702
• fix(cli): round slow render latency to avoid opentelemetry float warning by @​scidomino in #​25709
• docs(tracker): introduce experimental task tracker feature by @​anj-s in #​24556
• docs(cli): fix inconsistent system.md casing in system prompt docs by @​Bodlux in #​25414
• feat(cli): add streamlined gemini gemma local model setup by @​Samee24 in #​25498
• Changelog for v0.38.2 by @​gemini-cli-robot in #​25593
• Fix: Disallow overriding IDE stdio via workspace .env (RCE) by @​M0nd0R in #​25022
• feat(test): refactor the memory usage test to use metrics from CLI process instead of test runner by @​cynthialong0-0 in #​25708
• feat(vertex): add settings for Vertex AI request routing by @​gordonhwc in #​25513
• Fix/allow for session persistence by @​ahsanfarooq210 in #​25176
• Allow dots on GEMINI_API_KEY by @​DKbyo in #​25497
• feat(telemetry): add flag for enabling traces specifically by @​spencer426 in #​25343
• fix(core): resolve nested plan directory duplication and relative path policies by @​mahimashanware in #​25138
• feat: detect new files in @​ recommendations with watcher based updates by @​prassamin in #​25256
• fix(cli): use newline in shell command wrapping to avoid breaking heredocs by @​cocosheng-g in #​25537
• fix(cli): ensure theme dialog labels are rendered for all themes by @​JayadityaGit in #​24599
• fix(core): disable detached mode in Bun to prevent immediate SIGHUP of child processes by @​euxaristia in #​22620
• feat: add /new as alias for /clear and refine command description by @​ved015 in #​17865
• fix(cli): start auto memory in ACP sessions by @​jasonmatthewsuhari in #​25626
• fix(core): remove duplicate initialize call on agents refreshed by @​adamfweidman in #​25670
• test(e2e): default integration tests to Flash Preview by @​SandyTao520 in #​25753
• refactor(memory): replace MemoryManagerAgent with prompt-driven memory editing across four tiers by @​SandyTao520 in #​25716
• fix(cli): fix "/clear (new)" command by @​mini2s in #​25801
• fix(core): use dynamic CLI version for IDE client instead of hardcoded '1.0.0' by @​thekishandev in #​24414
• fix(core): handle line endings in ignore file parsing by @​xoma-zver in #​23895
• Fix/command injection shell by @​Famous077 in #​24170
• fix(ui): removed background color for input by @​devr0306 in #​25339
• fix(devtools): reduce memory usage and defer connection by @​SandyTao520 in #​24496
• fix(core): support jsonl session logs in memory and summary services by @​SandyTao520 in #​25816
• fix(release): exclude ripgrep binaries from npm tarballs by @​SandyTao520 in #​25841

New Contributors

• @​rcleveng made their first contribution in #​25187
• @​Z1xus made their first contribution in #​15504
• @​jackyliuxx made their first contribution in #​25300
• @​6112 made their first contribution in #​24367
• @​mvanhorn made their first contribution in #​25427
• @​Bodlux made their first contribution in #​25414
• @​M0nd0R made their first contribution in #​25022
• @​gordonhwc made their first contribution in #​25513
• @​ahsanfarooq210 made their first contribution in #​25176
• @​DKbyo made their first contribution in #​25497
• @​prassamin made their first contribution in #​25256
• @​mini2s made their first contribution in #​25801
• @​thekishandev made their first contribution in #​24414
• @​xoma-zver made their first contribution in #​23895

Full Changelog: google-gemini/gemini-cli@v0.39.0-preview.2...v0.40.0-preview.2

v0.40.0-nightly.20260415.g06e7621b2

Compare Source

What's Changed

• docs(core): update generalist agent documentation by @​abhipatel12 in #​25325
• chore(mcp): check MCP error code over brittle string match by @​jackwotherspoon in #​25381
• feat(plan): update plan mode prompt to allow showing plan content by @​ruomengz in #​25058
• test(core): improve sandbox integration test coverage and fix OS-specific failures by @​ehedlund in #​25307
• fix(core): use debug level for keychain fallback logging by @​ehedlund in #​25398
• feat(test): add a performance test in asian language by @​cynthialong0-0 in #​25392
• feat(cli): enable mouse clicking for cursor positioning in AskUser multi-line answers by @​Adib234 in #​24630
• fix(core): detect kmscon terminal as supporting true color by @​claygeo in #​25282
• ci: add agent session drift check workflow by @​adamfweidman in #​25389
• use macos-latest-large runner where applicable. by @​scidomino in #​25413
• Changelog for v0.37.2 by @​gemini-cli-robot in #​25336
• chore(release): bump version to 0.40.0-nightly.20260414.g5b1f7375a by @​gemini-cli-robot in #​25420
• Fix(core): retry additional OpenSSL 3.x SSL errors during streaming (#​16075) by @​rcleveng in #​25187

New Contributors

• @​claygeo made their first contribution in #​25282
• @​rcleveng made their first contribution in #​25187

Full Changelog: google-gemini/gemini-cli@v0.39.0-nightly.20260414.gdaf500623...v0.40.0-nightly.20260415.g06e7621b2

golang/go (go)

v1.26.2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Only on Wednesday (* * * * 3)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Dockerfile

Post-upgrade command './scripts/update-go-shas.sh' has not been added to the allowed list in allowedCommands