517 changes shipped across 30 tracked developer tools this week. 3 were critical. Here is what actually needs your attention.
Fixed a security vulnerability where streaming tool calls could finalize prematurely on partial JSON, causing tool execution with incomplete arguments. This affects any application using streaming tool calls with the OpenAI-compatible SDK.
Do this: Update @ai-sdk/openai-compatible to 2.0.58 immediately if using streaming tool calls in production.
Streaming tool calls were being finalized prematurely when partial JSON happened to be valid, causing tool execution with incomplete arguments. This fix ensures tool calls only finalize after the stream is fully consumed, preventing incomplete argument execution.
Do this: Upgrade @ai-sdk/openai to 3.0.82 to prevent tool calls from executing with incomplete arguments.
A security fix in @clerk/backend now enforces the azp authorized party claim when authorizedParties is configured. Previously, session tokens missing the azp claim were accepted even with authorizedParties set, allowing a bypass of authorization checks.
Do this: Review your Clerk backend configuration: if you use authorizedParties, verify that your token generation includes the azp claim, or your requests will be rejected after this update.
This is the critical tier of StackTrace Weekly issue 2, a free weekly email that classifies every changelog entry by severity against a public rubric. Subscribe here.