Weekly updates

Google deprecated Vertex AI Extensions and said the service will shut down after 2026-11-26, directing teams to migrate agent integrations to Agent Platform to avoid disruption.

LangFlow 1.9.3 shipped as a critical security release with SSRF protection, DNS rebinding prevention, dependency CVE fixes, and an explicit immediate-upgrade recommendation.

Microsoft Agent Framework 1.4.0 introduced experimental skills API breaking changes, migrated its A2A layer to a2a-sdk v1.0, and tightened default DevUI access controls and CORS posture.

Dify 1.14.1 hardened self-hosted SECRET_KEY handling, protected internal metrics endpoints, fixed tenant-isolation issues, and refreshed dependencies for CVE-2026-42208 and related risks.

OpenAI Agents SDK 0.16.0 changed the default model to gpt-5.4-mini for runs without an explicit model, altering baseline behavior, reasoning defaults, and potential cost/perf expectations.

Mastra 1.32.0 introduced fine-grained authorization checks across agent runs, tool and workflow execution, memory thread access, server adapters, and MCP paths.

Google made 50+ fully managed MCP servers available for Google Cloud services, expanding protocol-aligned tool integration options for Vertex AI and Gemini Enterprise agent builds.

OpenAI Agents SDK 0.15.0 changed refusal handling to raise ModelRefusalError explicitly instead of surfacing empty outputs, a behavior change that can affect run-loop integrations.

LangFlow 1.9.1 shipped security fixes for MCP path traversal, cross-user disclosure, upload auth, IDOR, XSS handling, and webhook auth defaults, alongside Gemini 3 tool-calling updates.

Microsoft Agent Framework Python 1.2.0 added a functional workflow API, OpenTelemetry support for GitHubCopilotAgent, and an A2A bridge, extending interoperability and observability for production agent deployments.

Google launched Gemini Enterprise Agent Platform, folding Vertex AI and Agent Builder capabilities under a renamed platform with Agent Runtime, Agent Registry, Agent Identity, and related governance surfaces.

Microsoft announced hosted agents preview, Toolbox preview, memory preview, and Foundry Toolkit for VS Code GA as part of the developer path from local builds to production deployment.

Haystack 2.28.0 introduced breaking API changes around request exception handling, LLM initialization, and agent invocation signatures, with new runtime State injection for tools.

Flowise's April 14 release focused on security hardening, including a fix for a hardcoded CORS wildcard on the TTS endpoint and additional MCP server configuration protections.

GitHub announced that, from April 24, interaction data from Copilot Free, Pro, and Pro+ users will be used for model improvement unless users opt out, making data-governance review more important for enterprises.

Check Point announced an agreement to acquire Lakera, positioning the startup's AI-native protection stack inside a broader end-to-end enterprise AI security portfolio.

IBM said it would acquire DataStax, explicitly naming Langflow as part of the transaction and tying the low-code AI builder into IBM's watsonx roadmap.