@ai-sdk/fireworks 1.0.40 → 1.0.41
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +15 -0
- package/dist/index.js +1 -1
- package/dist/index.mjs +1 -1
- package/package.json +4 -4
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,20 @@
|
|
|
1
1
|
# @ai-sdk/fireworks
|
|
2
2
|
|
|
3
|
+
## 1.0.41
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- 9f67efe: fix: only send provider credentials to same-origin response-supplied URLs
|
|
8
|
+
|
|
9
|
+
Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as `polling_url`, `urls.get`, `result_url`, `result.sample`, or `video.uri`) and reused the authenticated headers — or appended `?key=<API_KEY>` — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.
|
|
10
|
+
|
|
11
|
+
A new `isSameOrigin` helper is added to `@ai-sdk/provider-utils`, and the affected fetches in `@ai-sdk/black-forest-labs`, `@ai-sdk/fireworks`, `@ai-sdk/replicate`, `@ai-sdk/gladia`, `@ai-sdk/fal`, and `@ai-sdk/google` now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.
|
|
12
|
+
|
|
13
|
+
- Updated dependencies [9f67efe]
|
|
14
|
+
- Updated dependencies [eea9166]
|
|
15
|
+
- @ai-sdk/provider-utils@3.0.26
|
|
16
|
+
- @ai-sdk/openai-compatible@1.0.40
|
|
17
|
+
|
|
3
18
|
## 1.0.40
|
|
4
19
|
|
|
5
20
|
### Patch Changes
|
package/dist/index.js
CHANGED
|
@@ -140,7 +140,7 @@ var import_provider_utils2 = require("@ai-sdk/provider-utils");
|
|
|
140
140
|
var import_v4 = require("zod/v4");
|
|
141
141
|
|
|
142
142
|
// src/version.ts
|
|
143
|
-
var VERSION = true ? "1.0.
|
|
143
|
+
var VERSION = true ? "1.0.41" : "0.0.0-test";
|
|
144
144
|
|
|
145
145
|
// src/fireworks-provider.ts
|
|
146
146
|
var fireworksErrorSchema = import_v4.z.object({
|
package/dist/index.mjs
CHANGED
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@ai-sdk/fireworks",
|
|
3
|
-
"version": "1.0.
|
|
3
|
+
"version": "1.0.41",
|
|
4
4
|
"license": "Apache-2.0",
|
|
5
5
|
"sideEffects": false,
|
|
6
6
|
"main": "./dist/index.js",
|
|
@@ -19,9 +19,9 @@
|
|
|
19
19
|
}
|
|
20
20
|
},
|
|
21
21
|
"dependencies": {
|
|
22
|
-
"@ai-sdk/openai-compatible": "1.0.
|
|
23
|
-
"@ai-sdk/provider": "
|
|
24
|
-
"@ai-sdk/provider
|
|
22
|
+
"@ai-sdk/openai-compatible": "1.0.40",
|
|
23
|
+
"@ai-sdk/provider-utils": "3.0.26",
|
|
24
|
+
"@ai-sdk/provider": "2.0.3"
|
|
25
25
|
},
|
|
26
26
|
"devDependencies": {
|
|
27
27
|
"@types/node": "20.17.24",
|