@ai-sdk/fal 1.0.32 → 1.0.33
- package/CHANGELOG.md +14 -0
- package/dist/index.js +1 -1
- package/dist/index.mjs +1 -1
- package/package.json +2 -2
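--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @ai-sdk/fal
 
+## 1.0.33
+
+### Patch Changes
+
+- 9f67efe: fix: only send provider credentials to same-origin response-supplied URLs
+
+Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as `polling_url`, `urls.get`, `result_url`, `result.sample`, or `video.uri`) and reused the authenticated headers — or appended `?key=<API_KEY>` — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.
+
+A new `isSameOrigin` helper is added to `@ai-sdk/provider-utils`, and the affected fetches in `@ai-sdk/black-forest-labs`, `@ai-sdk/fireworks`, `@ai-sdk/replicate`, `@ai-sdk/gladia`, `@ai-sdk/fal`, and `@ai-sdk/google` now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.
+
+- Updated dependencies [9f67efe]
+- Updated dependencies [eea9166]
+- @ai-sdk/provider-utils@3.0.26
+
 ## 1.0.32
 
 ### Patch Changes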
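--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -724,7 +724,7 @@ var falSpeechResponseSchema = import_v45.z.object({
 });
 
 // src/version.ts
-var VERSION = true ? "1.0.
+var VERSION = true ? "1.0.33" : "0.0.0-test";
 
 // src/fal-provider.ts
 var defaultBaseURL = "https://fal.run";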
package/dist/index.mjs
CHANGED
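--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@ai-sdk/fal",
-"version": "1.0.
+"version": "1.0.33",
 "license": "Apache-2.0",
 "sideEffects": false,
 "main": "./dist/index.js",
@@ -20,7 +20,7 @@
 },
 "dependencies": {
 "@ai-sdk/provider": "2.0.3",
-"@ai-sdk/provider-utils": "3.0.
+"@ai-sdk/provider-utils": "3.0.26"
 },
 "devDependencies": {
 "@types/node": "20.17.24",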