@ai-sdk/provider-utils 4.0.19 → 4.0.21
- package/CHANGELOG.md +14 -0
- package/dist/index.js +9 -6
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +6 -3
- package/dist/index.mjs.map +1 -1
- package/dist/test/index.js +3 -3
- package/package.json +1 -1
- package/src/download-blob.ts +5 -0
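--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @ai-sdk/provider-utils
 
+## 4.0.21
+
+### Patch Changes
+
+- 055cd68: fix: publish v6 to latest npm dist tag
+
+## 4.0.20
+
+### Patch Changes
+
+- 64ac0fd: fix(security): validate redirect targets in download functions to prevent SSRF bypass
+
+Both `downloadBlob` and `download` now validate the final URL after following HTTP redirects, preventing attackers from bypassing SSRF protections via open redirects to internal/private addresses.
+
 ## 4.0.19
 
 ### Patch Changes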
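--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -28,8 +28,8 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
-var
-__export(
+var index_exports = {};
+__export(index_exports, {
 DEFAULT_MAX_DOWNLOAD_SIZE: () => DEFAULT_MAX_DOWNLOAD_SIZE,
 DelayedPromise: () => DelayedPromise,
 DownloadError: () => DownloadError,
@@ -92,7 +92,7 @@ __export(src_exports, {
 withoutTrailingSlash: () => withoutTrailingSlash,
 zodSchema: () => zodSchema
 });
-module.exports = __toCommonJS(
+module.exports = __toCommonJS(index_exports);
 
 // src/combine-headers.ts
 function combineHeaders(...headers) {
@@ -488,6 +488,9 @@ async function downloadBlob(url, options) {
 const response = await fetch(url, {
 signal: options == null ? void 0 : options.abortSignal
 });
+if (response.redirected) {
+validateDownloadUrl(response.url);
+}
 if (!response.ok) {
 throw new DownloadError({
 url,
@@ -672,7 +675,7 @@ function withUserAgentSuffix(headers, ...userAgentSuffixParts) {
 }
 
 // src/version.ts
-var VERSION = true ? "4.0.
+var VERSION = true ? "4.0.21" : "0.0.0-test";
 
 // src/get-from-api.ts
 var getOriginalFetch = () => globalThis.fetch;
@@ -999,7 +1002,7 @@ function visit(def) {
 }
 
 // src/to-json-schema/zod3-to-json-schema/options.ts
-var ignoreOverride = Symbol(
+var ignoreOverride = /* @__PURE__ */ Symbol(
 "Let zodToJsonSchema decide on which parser to use"
 );
 var defaultOptions = {
@@ -2177,7 +2180,7 @@ var zod3ToJsonSchema = (schema, options) => {
 };
 
 // src/schema.ts
-var schemaSymbol = Symbol.for("vercel.ai.schema");
+var schemaSymbol = /* @__PURE__ */ Symbol.for("vercel.ai.schema");
 function lazySchema(createSchema) {
 let schema;
 return () => {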
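Review bot: In the `downloadBlob` hunk the added `validateDownloadUrl(response.url)` runs only after `fetch` has already followed the whole redirect chain, so a request to an internal or private address has been sent by the time the check rejects it, and intermediate hops are never checked at all. The check keeps the redirected response body from being returned to the caller, but it does not stop the outbound request itself. Validating each target before it is requested closes that gap: pass `redirect: "manual"` and resolve, validate and re-request the `Location` target in a bounded loop, as sketched below; a runtime that hides the redirect response from the caller would presumably fail closed through the existing `!response.ok` branch. This file is build output, so the change belongs in `package/src/download-blob.ts`, and the start and end of `downloadBlob` are outside the hunk.

```javascript
// … unchanged: code in downloadBlob before the request …
let currentUrl = url;
let response;
// Follow redirects by hand so every target is validated before it is requested.
for (let hop = 0; ; hop++) {
  response = await fetch(currentUrl, {
    signal: options == null ? void 0 : options.abortSignal,
    redirect: "manual"
  });
  const location = response.headers.get("location");
  if (response.status < 300 || response.status >= 400 || location == null) {
    break;
  }
  if (hop >= 5) {
    // constructed limit; pick the bound the project prefers
    throw new DownloadError({ url, cause: new Error("too many redirects") });
  }
  currentUrl = new URL(location, currentUrl).toString();
  validateDownloadUrl(currentUrl);
}
// … unchanged: response.ok check and body handling …
```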