build(deps-dev): bump @earendil-works/pi-ai from 0.75.3 to 0.75.5

[dependabot]

Bumps @earendil-works/pi-ai from 0.75.3 to 0.75.5.

Release notes

Sourced from @​earendil-works/pi-ai's releases.

v0.75.5

New Features

• Cleaner read tool output - Collapsed read tool cards now show only the read line by default, while Ctrl+O still expands the full file content.
• Faster file tools on Windows - Built-in file tools now use async filesystem operations during streaming, and image resizes run off the main TUI thread in a worker.
• More reliable package updates - pi update and git package installs now reconcile pinned git refs and keep package settings intact. See Packages.
• Custom Anthropic-compatible adaptive thinking - Custom provider model configs can opt into adaptive-thinking Claude behavior with compat.forceAdaptiveThinking. See Custom providers and Models.

Added

• Added compat.forceAdaptiveThinking support to custom Anthropic-compatible model configuration docs and validation (#4797 by @​mbazso).
• Added a standard unified patch to edit tool result details for SDK consumers (#4821).

Changed

• Changed collapsed read tool cards to show only the read line until expanded (#4916).
• Replaced the inherited optional koffi dependency for Windows VT input with a tiny vendored native helper, reducing install size while preserving Shift+Tab handling (#4480).
• Changed the root development install documentation to use npm install --ignore-scripts (#4868).

Fixed

• Fixed pi update to reconcile git-pinned packages to their configured ref (#4869).
• Fixed package/resource path handling for Windows and glob/pattern resolution (#4873 by @​mitsuhiko).
• Fixed config pattern matching to resolve patterns from the correct base directory (#4898 by @​haoqixu).
• Fixed theme pickers to list themes by their content name instead of file stem (#4830 by @​Perlence).
• Fixed OpenCode Zen/Go requests to send per-session OpenCode routing headers (#4847).
• Fixed Amazon Bedrock provider loading under strict package managers by inheriting the declared @smithy/node-http-handler dependency from @earendil-works/pi-ai (#4842).
• Fixed inherited Amazon Bedrock Claude requests to send the model output token cap by default, avoiding Bedrock's 4096-token default truncation (#4848).
• Fixed exported session HTML to escape quote characters in attribute values (#4832).
• Fixed GitHub Copilot device-code login to keep opening the verification URL in browser-capable environments while ignoring browser launch failures for headless use (#4788 by @​vegarsti).
• Fixed git package installs to reconcile existing checkouts to the requested ref and update package settings without losing filters (#4870).
• Published a 0.74.2 rescue release that tells Node 20 users to upgrade Node before updating to newer Pi versions (#4876).
• Fixed final bash tool cards to avoid rendering duplicate full-output truncation paths (#4819).
• Fixed bash tool truncation line counts to ignore the trailing newline as an extra output line (#4818).
• Fixed footer home-directory abbreviation to avoid shortening sibling paths that only share the same prefix (#4878).
• Fixed macOS Bun release binaries to resolve the native clipboard sidecar so Ctrl+V image paste can load @mariozechner/clipboard (#4307).
• Fixed coding-agent tools to avoid synchronous filesystem operations during streaming and moved image resizing off the main TUI thread (#4756 by @​mitsuhiko).

v0.75.4

New Features

• Hardened npm install and release path - Pi now ships the CLI with a generated shrinkwrap for transitive dependencies, blocks accidental lockfile changes, verifies dependency pinning and lifecycle-script allowlists in checks, disables lifecycle scripts for self-update and local release installs where supported, and smoke-tests isolated npm and Bun installs before release. See Supply-chain hardening.

Added

• Added interactive update notes after pi update runs, so users can see the installed version's changelog before continuing (#4724 by @​mitsuhiko).
• Exported image resize utilities from the package root for SDK consumers (#4775 by @​xl0).

... (truncated)

Changelog

Sourced from @​earendil-works/pi-ai's changelog.

[0.75.5] - 2026-05-23

Breaking Changes

• Changed OAuthLoginCallbacks to require onDeviceCode and onSelect, so OAuth providers can rely on pi supplying device-code and selection UI callbacks (#4788 by @​vegarsti).

Fixed

• Fixed custom Anthropic-compatible model aliases for adaptive-thinking Claude models by adding compat.forceAdaptiveThinking model metadata and moving built-in adaptive-thinking selection out of provider id substring checks (#4797 by @​mbazso).
• Fixed GitHub Copilot OAuth login to rely on the required device-code callback without a runtime callback availability guard (#4788 by @​vegarsti).
• Fixed Amazon Bedrock provider loading under strict package managers by declaring its direct @smithy/node-http-handler dependency (#4842).
• Fixed Amazon Bedrock Claude requests to send the model output token cap by default, matching Anthropic requests and avoiding Bedrock's 4096-token default truncation (#4848).

[0.75.4] - 2026-05-20

Changed

• Changed source syntax to avoid TypeScript constructs that require JavaScript emit, keeping the package compatible with Node.js strip-only TypeScript checks.
• Removed the package-level development watch scripts now that the root TypeScript check validates strip-only-compatible sources.

Added

• Added first-class OAuth device-code callback metadata, shared polling support, and GitHub Copilot OAuth integration.

Fixed

• Fixed OpenAI-compatible streamSimple() requests to stop sending model-derived default output token caps, avoiding context-window reservation failures on servers such as vLLM while preserving explicit maxTokens and required Anthropic max_tokens handling (#4675).
• Fixed OpenAI prompt cache keys to clamp session-derived values to the 64-character API limit across OpenAI Responses, Chat Completions, Codex Responses, and Azure OpenAI Responses (#4720).

Commits

• 83a227a Update release instructions and generated models
• ea2b70d Release v0.75.5
• b9566fc Audit unreleased changelog entries
• d80bcc3 test(ai): avoid hardcoded Fireworks router id
• 9b62f1f Fix Anthropic eager tool input compat test
• d801d88 Support adaptive thinking for Anthropic-compatible aliases
• 7002c68 fix(ai): declare Bedrock Smithy HTTP handler dependency
• c841a6c Clean up OAuth device-code callbacks
• 11e868b Merge pull request #4788 from earendil-works/refactor-device-code-login
• 1a2a536 chore: update PR prompt template
• Additional commits viewable in compare view

[cubic-dev-ai]

No issues found across 2 files

_{Re-trigger cubic}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​earendil-works/​pi-ai@​0.75.5

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm typebox is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/@earendil-works/pi-ai@0.75.5 → npm/typebox@1.1.38 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typebox@1.1.38. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[dependabot]

Superseded by #43.