chore(deps): bump the npm-minor-patch group across 1 directory with 3 updates

[dependabot]

Bumps the npm-minor-patch group with 3 updates in the / directory: @anthropic-ai/claude-agent-sdk, yaml and tsx.

Updates @anthropic-ai/claude-agent-sdk from 0.1.77 to 0.3.143

Release notes

Sourced from @​anthropic-ai/claude-agent-sdk's releases.

v0.3.143

What's changed

• @anthropic-ai/sdk and @modelcontextprotocol/sdk are now peerDependencies instead of dependencies. Runtime is unaffected (both are bundled); npm/bun/pnpm auto-install them. yarn classic users should add them explicitly for full TypeScript type resolution

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.143
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.143
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.143
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.143

v0.3.142

What's changed

• Breaking: Removed the v2 session API (unstable_v2_createSession, unstable_v2_resumeSession, unstable_v2_prompt, SDKSession, SDKSessionOptions), deprecated since 0.2.133. Use query() — pass an AsyncIterable<SDKUserMessage> for multi-turn, or options.resume to continue a session.
• Breaking: MCP servers now connect in the background by default; sessions start immediately and slow servers report status: "pending" in init until ready. Set MCP_CONNECTION_NONBLOCKING=0 to restore the old behavior of waiting up to 5s before the first query, or mark a server alwaysLoad: true to require it in turn 1.
• Breaking: Headless and SDK sessions now use Task tools (TaskCreate / TaskUpdate / TaskGet / TaskList) instead of TodoWrite, deprecated since 0.2.136. Tool consumers should accumulate by task ID instead of replacing a snapshot list.
• Surfaced request_id, subagent_type, and task_description on SDK message types and task system events
• Headless --sdk-url sessions now exit non-zero with a stderr diagnostic when the remote transport closes permanently (401/403/404 or WS permanent close), instead of silently exiting 0

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.142
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.142
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.142
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.142

v0.2.141

What's changed

• TaskCreateInput, TaskCreateOutput, TaskGetInput, TaskGetOutput, TaskUpdateInput, TaskUpdateOutput, TaskListInput, and TaskListOutput types are now exported from @anthropic-ai/claude-agent-sdk/sdk-tools and included in the ToolInputSchemas/ToolOutputSchemas unions
• Aligned @anthropic-ai/sdk dependency to ^0.93.0

Update

npm install @anthropic-ai/claude-agent-sdk@0.2.141
# or
yarn add @anthropic-ai/claude-agent-sdk@0.2.141
</tr></table> 

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-agent-sdk's changelog.

0.3.143

• @anthropic-ai/sdk and @modelcontextprotocol/sdk are now peerDependencies instead of dependencies. Runtime is unaffected (both are bundled); npm/bun/pnpm auto-install them. yarn classic users should add them explicitly for full TypeScript type resolution

0.3.142

• Breaking: Removed the v2 session API (unstable_v2_createSession, unstable_v2_resumeSession, unstable_v2_prompt, SDKSession, SDKSessionOptions), deprecated since 0.2.133. Use query() — pass an AsyncIterable<SDKUserMessage> for multi-turn, or options.resume to continue a session.
• Breaking: MCP servers now connect in the background by default; sessions start immediately and slow servers report status: "pending" in init until ready. Set MCP_CONNECTION_NONBLOCKING=0 to restore the old behavior of waiting up to 5s before the first query, or mark a server alwaysLoad: true to require it in turn 1.
• Breaking: Headless and SDK sessions now use Task tools (TaskCreate / TaskUpdate / TaskGet / TaskList) instead of TodoWrite, deprecated since 0.2.136. Tool consumers should accumulate by task ID instead of replacing a snapshot list.
• Surfaced request_id, subagent_type, and task_description on SDK message types and task system events
• Headless --sdk-url sessions now exit non-zero with a stderr diagnostic when the remote transport closes permanently (401/403/404 or WS permanent close), instead of silently exiting 0

0.2.141

• TaskCreateInput, TaskCreateOutput, TaskGetInput, TaskGetOutput, TaskUpdateInput, TaskUpdateOutput, TaskListInput, and TaskListOutput types are now exported from @anthropic-ai/claude-agent-sdk/sdk-tools and included in the ToolInputSchemas/ToolOutputSchemas unions
• Aligned @anthropic-ai/sdk dependency to ^0.93.0

0.2.140

• Updated to parity with Claude Code v2.1.140

0.2.139

• Updated to parity with Claude Code v2.1.139

0.2.138

• Updated to parity with Claude Code v2.1.138

0.2.137

• Updated to parity with Claude Code v2.1.137

0.2.136

• Added resolveSettings() (alpha) to inspect effective merged settings without spawning the Claude CLI; reads MDM (plist/HKLM/HKCU) for parity with CLI startup
• Deprecated TodoWrite tool — future versions will switch to Task tools (TaskCreate, TaskGet, TaskUpdate, TaskList)

0.2.135

• Updated to parity with Claude Code v2.1.135

0.2.134

• Updated to parity with Claude Code v2.1.134

0.2.133

• Deprecated the unstable V2 session API (unstable_v2_createSession / unstable_v2_resumeSession / unstable_v2_prompt) — use query() instead
• Deprecated passing 'Skill' in allowedTools — use the skills option instead

... (truncated)

Commits

• See full diff in compare view

Updates yaml from 2.8.3 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

• Disable alias resolution with maxAliasCount:0 (#677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#676)

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• ccdf743 2.8.4
• f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
• e1a1a77 fix: Handle invalid unicode escapes
• a163ea0 style: Satify Prettier
• b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
• 93c951b chore: Bump JSR version to v2.8.3 (#673)
• Additional commits viewable in compare view

Updates tsx from 4.21.0 to 4.22.1

Release notes

Sourced from tsx's releases.

v4.22.1

4.22.1 (2026-05-17)

Bug Fixes

• resolve tsconfig path aliases containing a colon (#780) (6979f28)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.0

4.22.0 (2026-05-14)

Features

• upgrade esbuild to 0.28 (#789) (b29f6ee)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.21.1

4.21.1 (2026-05-14)

Bug Fixes

• support Node 20.11/21.2 import.meta paths (acf3d8f)
• support Node.js 24.15.0 (c1d2d45)
• support Node.js 26.1.0 and 25.9.0 (1d7e528)

---

This release is also available on:

• npm package (@​latest dist-tag)

Commits

• 6979f28 fix: resolve tsconfig path aliases containing a colon (#780)
• b29f6ee feat: upgrade esbuild to 0.28 (#789)
• 0dd17e9 test: cover registerHooks loader composition
• acf3d8f fix: support Node 20.11/21.2 import.meta paths
• 4bbef80 test: cover configDir paths without baseUrl
• dddc5ce test: cover sync-hook watch reruns and cleanup retries
• 09e8f8c test: assert CLI runs without warnings
• 1d7e528 fix: support Node.js 26.1.0 and 25.9.0
• c1d2d45 fix: support Node.js 24.15.0
• d04672d test: update node version feature gates
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for tsx since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions