(fix): Retain a reference to the upstream Response on streaming and SSE response
bodies so that undici’s FinalizationRegistry does not garbage-collect the
Response and cancel the body stream on Node 18+.
(chore): Bump Node.js base image from 24.15 to 24.16.
(fix): Bump @fern-api/generator-cli to 0.9.35, which disables minimatch negation
on .fernignore patterns so a stray !pattern no longer silently inverts
the match and discards generator output.
(fix): Fix request URLs containing duplicate slashes (e.g. /{id}//{nestedId}) when a
base-path, service base-path, and endpoint path are joined together. Consecutive
slashes in the generated URL are now collapsed into a single slash, matching the
URL used in generated wire tests.
(feat): Apply client-default to root path parameters at runtime. When omitted
at client construction, the configured default now lands in the URL
instead of undefined.
(fix): Use hasWebSocketInTree IR field to wire WebSocket sub-clients into the
root client, even when the WebSocket channel lives on a nested sub-resource
rather than the top-level namespace package.
(chore): Update OS packages in the TypeScript SDK generator container from Debian sid to fix
krb5 (CVE-2026-40355, CVE-2026-40356), curl (CVE-2026-1965, CVE-2026-4873,
CVE-2026-5545, CVE-2026-6253, CVE-2026-6429), gnutls28 (CVE-2026-3832),
and expat (CVE-2026-45186).
(fix): Dynamic snippets now render path-parameter arguments in IR (URL / SDK signature) order
rather than in the order they happen to appear in the input request, so generated
examples line up with the actual SDK method signature even when the spec lists path
parameters in a different order.
(chore): Patch TypeScript SDK generator container CVEs flagged in the AWS ECR /
grype scan. Rebuild the embedded oxlint-tsgolint@0.22.1 Go binary from
source under GOTOOLCHAIN=go1.26.3 so the published image no longer
ships the upstream go1.26.2 binary that grype flags for CVE-2026-33811,
CVE-2026-33814, CVE-2026-39820, CVE-2026-39836, and CVE-2026-42499.
(chore): Bump the TypeScript SDK validator container’s Node base image to
node:24.15-trixie-slim. Aligns the validator with the rest of the
Fern generator containers on a single Node major version (Node 24) on
top of the trixie-slim base introduced for typescript-sdk-cli and
typescript-sdk-validator by PR #15779.
(chore): Bump the typescript-sdk-cli and typescript-sdk-validator container base
images from node:*-bookworm-slim to node:*-trixie-slim. Trixie ships
patched versions of glibc, dpkg, nghttp2, libcap2, systemd, libgcrypt20,
krb5, curl, and expat that are not available on bookworm, so dist-upgrade
alone is a no-op for those AWS Inspector findings — the base-image bump
is what actually clears them.
(fix): Honor the auth scheme prefix for HeaderAuthScheme when generating HeaderAuthProvider.
Previously, the generator emitted the raw header value into the configured header (e.g.
Authorization) and dropped any prefix declared in the API definition (e.g. Bearer).
The provider now emits a HEADER_PREFIX constant and prepends it to the header value,
matching the behavior of the Java, Python, Go, C#, PHP, Rust, and Ruby v2 generators.
(chore): Bump the typescript-sdk-validator container’s node:20-slim base image
to node:22.22-bookworm-slim. Node 20 went EOL March 24, 2026, and the
container was carrying the Node 20 EOL alert plus CVE-2025-55130
(Node 20 permission-model symlink bypass).
