chore(deps): update bump-dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@anthropic-ai/claude-code	2.1.161 → 2.1.168
@earendil-works/pi-coding-agent (source)	0.78.0 → 0.78.1
@google/gemini-cli	0.45.0 → 0.45.2
opencode-ai	1.15.13 → 1.16.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

anthropics/claude-code (@​anthropic-ai/claude-code)

v2.1.168

Compare Source

• Bug fixes and reliability improvements

v2.1.167

Compare Source

• Bug fixes and reliability improvements

v2.1.166

Compare Source

• Added fallbackModel setting to configure up to three fallback models tried in order when the primary model is overloaded or unavailable; --fallback-model now also applies to interactive sessions
• Added glob pattern support in deny rule tool-name position ("*" denies all tools); allow rules reject non-MCP globs, and unknown tool names in deny rules warn at startup
• Hardened cross-session messaging: messages relayed via SendMessage from other Claude sessions no longer carry user authority — receivers refuse relayed permission requests, and auto mode blocks them
• MAX_THINKING_TOKENS=0, --thinking disabled, and the per-model thinking toggle now disable thinking on models that think by default via the Claude API (3P providers unchanged)
• Claude Code now retries a turn once on the fallback model when the API rejects an unexpected non-retryable error; auth, rate-limit, request-size, and transport errors still surface immediately
• claude update now announces the target version before downloading instead of going silent
• claude agents: typing a URL into the list now filters to the session whose first prompt contained it
• Fixed a recurring "image could not be processed" error and extra token usage when an unprocessable image was sent in a session
• Fixed remote sessions becoming permanently stuck when a brief backend disruption occurred during worker registration at startup
• Fixed flickering in JetBrains IDE terminals (IntelliJ, PyCharm, WebStorm, etc.) on 2026.1+ by enabling synchronized output
• Fixed Shift+non-ASCII characters (e.g. Shift+ä → Ä) being dropped in terminals using the Kitty keyboard protocol (WezTerm, Ghostty, kitty)
• Fixed PowerShell command validation occasionally hanging far past its time budget on Windows when a killed process's children held its output pipes
• Fixed orphaned claude --bg-pty-host processes spinning at 100% CPU after the daemon dies while connected on macOS
• Fixed voice mode requiring /login to clear a stale auth check after toggling /voice
• Fixed managed settings with an invalid entry silently disabling enforcement of their remaining valid policies
• Fixed managed-settings allowedMcpServers/deniedMcpServers predicates not matching when they use ${VAR} references
• Fixed background agent sessions that entered a git worktree crash-looping with "No conversation found" when reopened from claude agents
• Fixed duplicated thinking text in the Ctrl+O transcript view while streaming
• Fixed /doctor showing a contradictory failed "Not inside a remote session" check when run inside a remote session
• Fixed the cursor sticking at the end of the first line when typing a multiline prompt in the claude agents dispatch and reply inputs
• Fixed blank lines appearing between background agent rows in the task list on terminals without Unicode support

v2.1.165

Compare Source

• Bug fixes and reliability improvements

v2.1.163

Compare Source

• Added requiredMinimumVersion and requiredMaximumVersion managed settings — Claude Code refuses to start if its version is outside the allowed range and directs the user to an approved version
• Added /plugin list command to list installed plugins, with --enabled/--disabled filters
• Added a "c to copy" shortcut to /btw that copies the raw markdown answer to the clipboard, preserving formatting when pasted elsewhere
• Hooks: Stop and SubagentStop hooks can now return hookSpecificOutput.additionalContext to give Claude feedback and keep the turn going without being labeled a hook error
• Skills: added \$ escape syntax to include a literal $ before a digit in command bodies
• stdio MCP servers now receive the same CLAUDE_CODE_SESSION_ID as hooks/Bash on --resume
• Fixed claude -p hanging forever after its final result when a backgrounded command never exits — background shells are now stopped ~5s after the result once stdin closes
• Fixed claude -p failing with "ANTHROPIC_API_KEY required" on Bedrock/Vertex/Foundry when CI=true and no Anthropic API key is set
• Fixed bash commands failing under bazel and EDR-protected Go workflows: $TMPDIR was overridden to /tmp/claude-{uid} for all commands instead of only sandboxed ones (regression in 2.1.154)
• Fixed Bash commands failing on Windows with "EEXIST: file already exists" on the session-env directory when it has the read-only attribute or is inside OneDrive
• Fixed org-managed permission rules not applying for the entire session when the managed settings fetch completed during startup on a fresh config directory
• Fixed background sessions in claude agents losing their running background tasks when reattached after a Claude Code update
• Fixed terminal misalignment and a multi-second hang when exiting the agent view by pressing Esc
• Fixed clicking Stop on a background-task chip in the desktop app not clearing the chip when the underlying process was already gone
• Fixed keyboard input becoming permanently unresponsive after a paste operation whose end marker is dropped by the terminal
• Fixed hook if: "Bash(...)" conditions firing on every Bash command containing $() or $VAR; the pattern now matches against commands inside subshells and backticks too
• Fixed deny rules on home-directory paths (e.g. Read(~/Desktop/**)) not blocking Bash commands that reference the path via $HOME
• Fixed a stray "(no content)" line left in the transcript after closing panel dialogs like /mcp and /plugins
• Background agent sessions now update to a new Claude Code version in the background, so opening a session after an update no longer waits on a cold restart
• Clearer descriptions for built-in commands and skills in the / menu
• The subscription-switch suggestion now shows in the startup announcement slot instead of a toast
• claude agents dispatching from the state-grouped view now starts the session in the directory the agent view was opened from

v2.1.162

Compare Source

• claude agents --json now includes waitingFor showing what a waiting session is blocked on (e.g. permission prompt)
• --tools: explicitly listing Grep/Glob now provides the dedicated search tools on native builds with embedded search (previously these names were silently ignored)
• /effort now confirms when your chosen level will persist as the default for new sessions
• Clicking a slash command in the autocomplete menu now fills it into your prompt instead of running it immediately; press Enter to run
• Remote Control now shows as a persistent footer pill (with a link to the session) instead of a startup message
• Renamed Windsurf to Devin Desktop in the /ide menu, /terminal-setup, and /scroll-speed, following the editor's rebrand
• Fixed a silent startup hang when the config directory is read-only or unwritable — Claude Code now starts with in-memory config and surfaces startup errors instead of showing a blank screen
• Fixed WebFetch permission rules not being applied to built-in preapproved domains; explicit WebFetch(domain:...) deny/ask/allow rules now take precedence over the preapproved-host auto-allow
• Fixed Windows permission rules never matching when spelled with backslashes (~\, \\server\share) or case-variant paths, and Read deny rules not hiding files from Glob/Grep results
• Fixed an interrupt (Esc) sent at the very start of a turn being silently dropped in stream-json/SDK sessions, leaving the turn running with no "Interrupted" feedback
• Fixed API 400 no low surrogate in string errors for classifier side-queries and MCP server descriptions containing emoji near a truncation boundary
• Fixed MCP per-server timeout config values below 1000 ms being floored to a 1-second watchdog that aborted every tool call; sub-1000 ms values are now ignored (falling back to MCP_TOOL_TIMEOUT or default), and claude mcp get annotates them accordingly
• Fixed the LSP tool's workspaceSymbol operation returning no results; it now accepts a query parameter and passes it to the language server
• Fixed claude agents cutting live status text (tool args, replies, prompts, exec output) at 60–120 columns on wide terminals; the status detail now uses the full terminal width
• Fixed claude agents truncating long session names at 40 columns; the name column now grows with terminal width
• Fixed claude agents attach occasionally bouncing straight back to the session list on the first try after a background-service restart
• Fixed claude agents Ctrl+V image paste doing nothing in the dispatch input and the session reply box; pasting with no image now shows a hint
• Fixed backgrounding a session with ← silently losing the conversation when the background service cannot start; the session stays in the list as a failed row you can wake with Enter
• Fixed replies from the agents view that fail to send being lost; they are now queued for delivery on the next session start
• Fixed cross-session messaging (SendMessage) silently breaking when CLAUDE_CODE_TMPDIR or $TMPDIR points at a deep directory
• Fixed opening a running background session from claude agents stalling for 5 seconds before attaching
• Quieter startup: notices group by severity, and session info and announcements share a single line per launch
• Startup warnings rewritten to be shorter and clearer, each with a concrete fix
• Launch-prompt warnings (deep link/pre-filled prompt) now stay pinned below the input until you act instead of scrolling away
• Failed turns now show a compact warning line instead of a multi-line red error block
• Improved background service startup and claude update verification to wait out endpoint-security scanning of new binaries instead of failing after 5 seconds
• Background dispatch spawn failures now report the error class name when no errno is available
• Removed the "Claude in Chrome enabled" and "marketplace installed" startup messages; model auto-updates and the team-onboarding tip now show as quiet notices under the logo

earendil-works/pi (@​earendil-works/pi-coding-agent)

v0.78.1

Compare Source

New Features

• More built-in provider coverage - Added Ant Ling and NVIDIA NIM provider setup, plus MiniMax-M3 support for the direct MiniMax providers. See Providers.
• Richer extension context - Extensions can use ctx.mode and ctx.getSystemPromptOptions() to adapt behavior across TUI, RPC, JSON, and print modes and inspect base system prompt inputs. See Extensions.

Added

• Added containerization documentation and a Gondolin extension example for routing built-in tools into a local micro-VM.
• Added Ant Ling provider selection and setup documentation.
• Added MiniMax-M3 model support inherited from @earendil-works/pi-ai for the minimax and minimax-cn direct providers (#​5313).
• Added NVIDIA NIM provider selection, setup documentation, and direct NIM request attribution headers.
• Added ctx.mode to extension contexts so extensions can distinguish TUI, RPC, JSON, and print mode.
• Added ctx.getSystemPromptOptions() for extension commands to inspect the current base system prompt inputs (#​5306 by @​xl0).

Fixed

• Fixed temporary extension package installs to use a private ~/.pi/agent/tmp/extensions directory with 0700 permissions instead of os.tmpdir()/pi-extensions.
• Fixed git package source handling to reject unsafe host/path components and keep managed clone paths inside install roots.
• Fixed stored XSS in HTML session exports by sanitizing Markdown link and image URLs with a scheme allow-list after stripping control characters.
• Fixed SDK embedding in bundled Node apps failing with ENOENT when package.json is not present next to the bundle entrypoint. The package metadata reader now gracefully handles missing package.json by using defaults, enabling createAgentSession() without requiring package-adjacent files at runtime (#​5226).
• Fixed HTTP timeout setting not being respected for non-Codex providers (e.g., llama.cpp via OpenAI-compatible API). The httpIdleTimeoutMs setting (set via /settings HTTP timeout) now applies as the default SDK request timeout for all providers that support it, not just OpenAI Codex Responses. Disabling the timeout (HTTP timeout = false) now correctly disables SDK timeouts for all supported providers by sending a maximum int32 value (effectively infinite) instead of 0, since SDKs treat timeout=0 as an immediate timeout (#​5294).
• Fixed inherited Amazon Bedrock requests to replace blank required user/tool-result text with a placeholder and skip blank replay text blocks (#​4975).
• Fixed inherited Anthropic Claude Opus 4.7+ requests to suppress deprecated temperature parameters (#​5251 by @​yzhg1983).
• Fixed inherited OpenAI GPT-5.5 generated metadata to omit unsupported minimal thinking (#​5243).
• Fixed inherited OpenRouter Kimi K2.6 thinking replay and developer-role instruction handling (#​5309).
• Fixed inherited OpenRouter reasoning instruction requests to preserve the system role when required (#​5221 by @​PriNova).
• Fixed inherited overlay focus restoration so non-capturing overlays remain interactive after UI rerenders and explicit focus release (#​5235 by @​nicobailon).
• Fixed inherited tab width accounting in column slicing and overlay compositing so tab-containing output cannot exceed the terminal width (#​5218).
• Fixed opening and listing very large JSONL session files by reading session entries line-by-line instead of materializing the full file as one string (#​5231).
• Fixed the footer branch display in WSL /mnt/... repositories to refresh after branch changes (#​5264 by @​psoukie).
• Fixed renderShell: "self" tool renderers that emit no component lines leaving a blank chat row (#​5299).
• Restored inherited NVIDIA Qwen 3.5 122B NIM model support.

google-gemini/gemini-cli (@​google/gemini-cli)

v0.45.2

Compare Source

What's Changed

• fix(patch): cherry-pick f40498d to release/v0.45.1-pr-27676 to patch version v0.45.1 and create version 0.45.2 by @​gemini-cli-robot in #​27700

Full Changelog: google-gemini/gemini-cli@v0.45.1...v0.45.2

v0.45.1

Compare Source

What's Changed

• fix(patch): cherry-pick 665228e to release/v0.45.0-pr-27570 to patch version v0.45.0 and create version 0.45.1 by @​gemini-cli-robot in #​27667

Full Changelog: google-gemini/gemini-cli@v0.45.0...v0.45.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Only on Wednesday (* * * * 3)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.