fix(deps): update dependency openai to v4.40.2 #123

Merged
merged 1 commit into from
May 8, 2024

renovate[bot]
Contributor

@renovate renovate bot commented May 8, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
openai 4.38.5 -> 4.40.2 age adoption passing confidence

Release Notes

openai/openai-node (openai)

v4.40.2

Compare Source

Full Changelog: v4.40.1...v4.40.2

Bug Fixes

v4.40.1

Compare Source

Full Changelog: v4.40.0...v4.40.1

Chores

v4.40.0

Compare Source

Full Changelog: v4.39.1...v4.40.0

Features

v4.39.1

Compare Source

Full Changelog: v4.39.0...v4.39.1

Chores

v4.39.0

Compare Source

Full Changelog: v4.38.5...v4.39.0

Features
Chores

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

github-actions bot commented May 8, 2024

anthropic debug - [puLL-Merge] - openai/[email protected]

Description

This PR makes several changes to the OpenAI Node.js library, including:

  • Adding tests and building the library when running CI
  • Bumping the version to 4.40.2
  • Adding support for deleting messages in threads
  • Updating the OpenAPI spec and auto-generated code
  • Refactoring build scripts to be more modular
  • Adding a Node.js JavaScript ecosystem test

Changes

  • .github/workflows/ci.yml: Adds a new test job to the CI workflow that runs the tests
  • package.json, CHANGELOG.md, README.md, api.md, .release-please-manifest.json: Version bump to 4.40.2
  • src/resources/beta/threads/messages.ts: Adds a new del method to delete messages
  • tests/api-resources/beta/threads/messages.test.ts: Adds tests for the new del method
  • scripts/*: Refactors the build scripts into a scripts directory with more modular scripts
  • ecosystem-tests/node-js/*: Adds a Node.js JavaScript project to the ecosystem tests

Security Hotspots

  • scripts/mock: The --daemon flag runs the mock server in the background which could potentially be left running. Make sure the process is properly cleaned up.
  • scripts/test: Killing the mock server process based on port number could potentially kill unintended processes using that port.
  • scripts/utils/postprocess-files.cjs: Reading and writing to the filesystem based on environment variables could lead to unexpected file access if the env vars are not properly validated.

Overall the changes look good with no major security concerns. The build script refactoring makes the code cleaner and more maintainable. Adding tests to the CI workflow improves quality. I would recommend merging this PR after confirming the minor security points noted above are handled properly.

github-actions bot commented May 8, 2024

bedrock debug - [puLL-Merge] - openai/[email protected]

Description

This PR makes several changes to the OpenAI Node.js library, including:

  • Adds tests for the library
  • Updates the build process to use scripts in a scripts/ directory
  • Bumps the version to 4.40.2
  • Updates the changelog, readme, and API docs for the new version
  • Adds support for a few new API endpoints and parameters

The motivation seems to be continuing to expand and improve the OpenAI Node.js library, making it easier to use and test.

Changes

  • .github/workflows/ci.yml: Adds a new test job to the CI workflow to run tests
  • .gitignore: Ignores Brewfile.lock.json
  • .release-please-manifest.json: Bumps version to 4.40.2
  • .stats.yml: Increases configured_endpoints count and adds openapi_spec_url
  • Brewfile: New file that specifies node as a Homebrew dependency
  • CHANGELOG.md: Updates changelog for versions 4.39.0 to 4.40.2
  • README.md: Updates import example to use version 4.40.2
  • api.md: Adds new deleteMessages endpoint
  • ecosystem-tests/: Adds a node-js test
  • jest.config.ts: Ignores scripts directory in tests
  • package.json: Bumps version, updates build/test/lint scripts
  • scripts/: New directory with build, test, lint, mock server scripts
  • src/resources/: Updates API resource type definitions
  • src/version.ts: Bumps version
  • tests/api-resources/beta/threads/messages.test.ts: Adds tests for new del endpoint

Security Hotspots

  1. scripts/mock: The mock server downloads and executes an arbitrary OpenAPI spec from a URL. Could potentially execute untrusted code if the URL is compromised. Should validate the URL/spec if from an external source.
  2. Bumping the version to 4.40.2 implies this update has been tested, but it's a good idea to thoroughly regression test the changes, especially the API resource updates, before releasing.
  3. The new del messages endpoint could be abused to delete data if not properly authenticated/authorized. The implementation and tests should verify this.

Overall the changes look reasonable, with the mock script being the main potential security hotspot to review carefully. The API updates and new scripts will be valuable improvements for library users.

github-actions bot commented May 8, 2024

openai debug - [puLL-Merge] - openai/[email protected]

Description

The pull request introduces a series of updates primarily focused on enhancing the CI/CD workflow, adjusting project structure, updating versioning and dependencies, refactoring code, and expanding the API functionalities. These changes appear to be part of an ongoing effort to improve software quality, streamline processes, and expand the scope of the repository's functionalities.

Changes

.github/workflows/ci.yml

  • Added a new test job setup for testing on Ubuntu latest with Node version 18, which includes steps for repository checkout, node setup, and running tests.

.gitignore

  • Added Brewfile.lock.json to the list of ignored files.

.release-please-manifest.json & CHANGELOG.md

  • Updated the project version from 4.38.5 to 4.40.2 and documented changes in CHANGELOG.md, including fixes and new API features.

.stats.yml

  • Included an OpenAPI spec URL and incremented the configured endpoints from 63 to 64.

Brewfile

  • Introduced a Brewfile for managing OSX dependencies, notably Node.

README.md & api.md

  • Updated the import version for Deno to 4.40.2 in README.md.
  • Added new API method documentation for deletion of thread messages.

ecosystem-tests Directory

  • Added a new JavaScript environment setup in ecosystem-tests, with associated package.json adjustments for node testing.

jest.config.ts

  • Inserted a pattern to ignore the scripts directory during test runs.

package.json

  • Updated package version to 4.40.2 and made modifications to scripts pointing to the new directory structure for build and linting scripts.

release-please-config.json

  • Updated script paths under extra-files.

Scripts Directory

  • Comprehensive reorganization and script refactoring; scripts for building, linting, and testing are now structured under the scripts directory for better maintenance.

src (Source)

  • Implemented new functionality across several modules within the src directory, including endpoints for message deletion and fine-tuning job details.

Tests

  • Added testing for the new functionality of message deletion.

Security Hotspots

  1. Public Repository & Script Execution: Any script alterations and CI/CD config changes in a public repository should be thoroughly reviewed to prevent potential misuse. For example, the use of scripts like ./scripts/test and ./scripts/build could be exploited if not properly secured or if malicious changes were subtly introduced.
  2. External Dependency Changes: Introduction of the new Brewfile and changes to how dependencies are managed (scripts/bootstrap) can introduce risks if external packages are compromised or not properly validated.
  3. API Key Exposure in Tests: The mock setup in ecosystem-tests (node-js/test.js) uses a placeholder for an OpenAI key which could potentially be mistakenly replaced with a real key and exposed if proper care is not taken.
  4. Data Handling in API Expansion: With new API endpoints and changes to the backend logic, ensure that data handling remains secure, particularly with user data manipulation and deletion capabilities (e.g., the new delete message endpoint). Data validation and sanitization need to be rigorously maintained to prevent injection attacks or unauthorized actions.

github-actions bot commented May 8, 2024

[puLL-Merge] - openai/[email protected]

Description

This PR adds various changes and improvements to the openai-node library, including:

  • Adding support for testing the library in plain Node.js (without TypeScript)
  • Adding scripts for building, testing, linting, mocking the API, and bootstrapping the dev environment
  • Updating the OpenAPI spec and regenerating the API client code
  • Fixing a few bugs in the vectorStores and client modules
  • Updating the changelog and documentation

The motivation appears to be to enhance the developer experience, fix some bugs, and keep the library up-to-date with the latest OpenAPI spec.

Changes

  • .github/workflows/ci.yml: Adds a new test job to the CI workflow to run the test suite
  • .gitignore: Ignores the Brewfile.lock.json file
  • .release-please-manifest.json: Updates the library version to 4.40.2
  • .stats.yml: Increments the configured_endpoints count and adds a link to the OpenAPI spec
  • Brewfile: New file that specifies Homebrew dependencies (Node.js)
  • CHANGELOG.md: Updates the changelog with changes from version 4.38.5 to 4.40.2
  • README.md: Updates the example Deno import to use version 4.40.2
  • api.md: Adds the del method to the threads messages API docs
  • ecosystem-tests/: Adds tests for using the library in a plain Node.js project
  • jest.config.ts: Ignores the scripts directory in tests
  • package.json: Updates the version, scripts, and dependencies
  • release-please-config.json: Updates the path to the build-deno script
  • scripts/:
    • Moves utility scripts to scripts/utils/
    • Adds scripts for bootstrapping, building, testing, linting, and mocking
  • src/: Regenerates API client code from OpenAPI spec and fixes a few bugs

Security Hotspots

  1. Moderate risk: The scripts/mock script runs an external prism command with unsanitized input from a file. This could allow arbitrary command injection if the .stats.yml file is compromised. Recommend validating/escaping the URL variable.

  2. Low risk: The uploadAndPoll method fix in src/resources/beta/vector-stores/files.ts could potentially change behavior if other code was relying on the broken behavior. Recommend verifying dependent code.

  3. Low risk: The client module restructuring in src/ could potentially cause regressions. Recommend thorough testing, especially of the streaming endpoints.

In summary, this is a substantial PR that touches many parts of the codebase. The changes look reasonable, but there are a few areas that warrant extra scrutiny and testing before merging. The expanded test coverage is a positive change to help catch any regressions. Nice work!

@thypon thypon merged commit ab4660b into main May 8, 2024
9 checks passed
@thypon thypon deleted the renovate/openai-4.x-lockfile branch May 8, 2024 09:46
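
The `scripts/mock` hotspot raised in the review comments above (a spec URL read from `.stats.yml` and handed to an external `prism` command) comes down to validating that value before it reaches a command line. A sketch of that check, added here as an example and not taken from the PR or from openai-node; the allow-listed origin, the function names and the file layout are assumptions:

```shell
#!/bin/sh
# Added example, not code from the PR. ALLOWED_PREFIX is a hypothetical pinned
# origin; only the key name openapi_spec_url is taken from the page.
ALLOWED_PREFIX="https://spec.example.invalid/"

# Print the openapi_spec_url value from the stats file given as $1.
read_spec_url() {
  sed -n 's/^openapi_spec_url:[[:space:]]*//p' "$1" | head -n 1 |
    sed 's/[[:space:]]*$//'
}

# Succeed only for <ALLOWED_PREFIX><path>.{yml,yaml,json} built from a
# conservative character set, so no whitespace or shell metacharacters pass.
is_safe_spec_url() {
  url=$1
  case "$url" in
    "$ALLOWED_PREFIX"*) ;;                 # pinned scheme and host
    *) return 1 ;;
  esac
  rest=${url#"$ALLOWED_PREFIX"}
  case "$rest" in
    '' | *[!A-Za-z0-9._/-]* | *..*) return 1 ;;   # empty, odd chars, traversal
  esac
  case "$rest" in
    *.yml | *.yaml | *.json) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the validated URL, or fail without printing it.
resolve_spec_url() {
  url=$(read_spec_url "$1")
  if ! is_safe_spec_url "$url"; then
    echo "refusing openapi_spec_url from $1" >&2
    return 1
  fi
  printf '%s\n' "$url"
}

# Intended call site (assumed): pass the value as one quoted argument, never
# through eval or an unquoted expansion:
#   url=$(resolve_spec_url .stats.yml) && prism mock "$url"
```

Pinning the origin and rejecting everything outside a small character set means a tampered `.stats.yml` fails closed instead of reaching the mock server's command line.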