@ai-sdk/provider-utils 5.0.0-canary.47 → 5.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +218 -0
- package/dist/index.d.ts +73 -1
- package/dist/index.js +191 -83
- package/dist/index.js.map +1 -1
- package/package.json +2 -2
- package/src/cancel-response-body.ts +19 -0
- package/src/download-blob.ts +8 -9
- package/src/fetch-with-validated-redirects.ts +87 -0
- package/src/index.ts +4 -0
- package/src/is-browser-runtime.ts +13 -0
- package/src/is-same-origin.ts +19 -0
- package/src/read-response-with-size-limit.ts +4 -0
- package/src/validate-download-url.ts +113 -31
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,223 @@
|
|
|
1
1
|
# @ai-sdk/provider-utils
|
|
2
2
|
|
|
3
|
+
## 5.0.0
|
|
4
|
+
|
|
5
|
+
### Major Changes
|
|
6
|
+
|
|
7
|
+
- 986c6fd: feat(ai): change type of experimental_context from unknown to generic
|
|
8
|
+
- b0c2869: chore(ai): remove deprecated `media` type part from `ToolResultOutput`
|
|
9
|
+
- f7d4f01: feat(provider): add support for `reasoning-file` type for files that are part of reasoning
|
|
10
|
+
- 776b617: feat(provider): adding new 'custom' content type
|
|
11
|
+
- ef992f8: Remove CommonJS exports from all packages. All packages are now ESM-only (`"type": "module"`). Consumers using `require()` must switch to ESM `import` syntax.
|
|
12
|
+
- 493295c: Remove the deprecated `ToolCallOptions` export.
|
|
13
|
+
|
|
14
|
+
Use `ToolExecutionOptions` instead.
|
|
15
|
+
|
|
16
|
+
- c29a26f: feat(provider): add support for provider references and uploading files as supported per provider
|
|
17
|
+
- 3887c70: feat(provider): add new top-level reasoning parameter to spec and support it in `generateText` and `streamText`
|
|
18
|
+
- 61753c3: ### `@ai-sdk/openai`: remove redundant `name` argument from `openai.tools.customTool()`
|
|
19
|
+
|
|
20
|
+
`openai.tools.customTool()` no longer accepts a `name` field. the tool name is now derived from the sdk tool key (the object key in the `tools` object).
|
|
21
|
+
|
|
22
|
+
migration: remove the `name` property from `customTool()` calls. the object key is now used as the tool name sent to the openai api.
|
|
23
|
+
|
|
24
|
+
before:
|
|
25
|
+
|
|
26
|
+
```ts
|
|
27
|
+
tools: {
|
|
28
|
+
write_sql: openai.tools.customTool({
|
|
29
|
+
name: 'write_sql',
|
|
30
|
+
description: '...',
|
|
31
|
+
}),
|
|
32
|
+
}
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
after:
|
|
36
|
+
|
|
37
|
+
```ts
|
|
38
|
+
tools: {
|
|
39
|
+
write_sql: openai.tools.customTool({
|
|
40
|
+
description: '...',
|
|
41
|
+
}),
|
|
42
|
+
}
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
### `@ai-sdk/provider-utils`: `createToolNameMapping()` no longer accepts the `resolveProviderToolName` parameter
|
|
46
|
+
|
|
47
|
+
before: tool name can be set dynamically
|
|
48
|
+
|
|
49
|
+
```ts
|
|
50
|
+
const toolNameMapping = createToolNameMapping({
|
|
51
|
+
tools,
|
|
52
|
+
providerToolNames: {
|
|
53
|
+
"openai.code_interpreter": "code_interpreter",
|
|
54
|
+
"openai.file_search": "file_search",
|
|
55
|
+
"openai.image_generation": "image_generation",
|
|
56
|
+
"openai.local_shell": "local_shell",
|
|
57
|
+
"openai.shell": "shell",
|
|
58
|
+
"openai.web_search": "web_search",
|
|
59
|
+
"openai.web_search_preview": "web_search_preview",
|
|
60
|
+
"openai.mcp": "mcp",
|
|
61
|
+
"openai.apply_patch": "apply_patch",
|
|
62
|
+
},
|
|
63
|
+
resolveProviderToolName: (tool) =>
|
|
64
|
+
tool.id === "openai.custom"
|
|
65
|
+
? (tool.args as { name?: string }).name
|
|
66
|
+
: undefined,
|
|
67
|
+
});
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
after: tool name is static based on `tools` keys
|
|
71
|
+
|
|
72
|
+
```
|
|
73
|
+
const toolNameMapping = createToolNameMapping({
|
|
74
|
+
tools,
|
|
75
|
+
providerToolNames: {
|
|
76
|
+
'openai.code_interpreter': 'code_interpreter',
|
|
77
|
+
'openai.file_search': 'file_search',
|
|
78
|
+
'openai.image_generation': 'image_generation',
|
|
79
|
+
'openai.local_shell': 'local_shell',
|
|
80
|
+
'openai.shell': 'shell',
|
|
81
|
+
'openai.web_search': 'web_search',
|
|
82
|
+
'openai.web_search_preview': 'web_search_preview',
|
|
83
|
+
'openai.mcp': 'mcp',
|
|
84
|
+
'openai.apply_patch': 'apply_patch',
|
|
85
|
+
}
|
|
86
|
+
});
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
- 7e26e81: chore: rename experimental_context to context
|
|
90
|
+
- 8359612: Start v7 pre-release
|
|
91
|
+
- 5463d0d: feat(provider): align tool result output content file part types with top-level message file part types
|
|
92
|
+
|
|
93
|
+
### Patch Changes
|
|
94
|
+
|
|
95
|
+
- 2427d88: feat(ai): change Tool.sensitiveContext to telemetry.includeToolsContext and make it opt-in
|
|
96
|
+
- 785fe16: feat: distinguish provider-defined and provider-executed tools
|
|
97
|
+
- ee798eb: chore(provider-utils): rename `Experimental_Sandbox` to `Experimental_SandboxSession`
|
|
98
|
+
- 531251e: fix(security): validate redirect targets in download functions to prevent SSRF bypass
|
|
99
|
+
|
|
100
|
+
Both `downloadBlob` and `download` now validate the final URL after following HTTP redirects, preventing attackers from bypassing SSRF protections via open redirects to internal/private addresses.
|
|
101
|
+
|
|
102
|
+
- 67df0a0: feat: add sensitiveContext property to Tool
|
|
103
|
+
- 105f95b: Ensure the default empty tool input schema includes `type: "object"` for OpenAI-compatible providers that require object schemas.
|
|
104
|
+
- eea8d98: refactoring: rename tool execution events
|
|
105
|
+
- d848405: feat: add optional `abortSignal` parameters to sandbox command execution
|
|
106
|
+
- 46d1149: chore(provider-utils,google): fix grammar errors in error and warning messages
|
|
107
|
+
- 1f509d4: fix(ai): force template check on 'kind' param
|
|
108
|
+
- ca446f8: feat: flexible tool descriptions
|
|
109
|
+
- 3ae1786: fix: better context type inference
|
|
110
|
+
- a7de9c9: fix: make sandbox experimental
|
|
111
|
+
- 9f0e36c: trigger release for all packages after provenance setup
|
|
112
|
+
- befb78c: refactoring: remove real-time delays in unit tests
|
|
113
|
+
- f634bac: feat(mcp): add new McpProviderMetadata type
|
|
114
|
+
- 2e17091: fix(types): move shared tool set utility types into provider-utils
|
|
115
|
+
|
|
116
|
+
Moved `ToolSet`, `InferToolSetContext`, and `UnionToIntersection` into `@ai-sdk/provider-utils` and updated `ai` internals to import them directly from there. This keeps the shared tool typing utilities colocated with the core tool type definitions.
|
|
117
|
+
|
|
118
|
+
- ca39020: Add an optional `workingDirectory` parameter to sandbox command execution.
|
|
119
|
+
- 0458559: fix: deprecate needsApproval on Tool
|
|
120
|
+
- 5852c0a: refactoring(provider-utils): add controller as property to StreamingToolCallTracker
|
|
121
|
+
- 2e98477: fix: retain stack traces on async errors
|
|
122
|
+
- add1126: refactoring: executeTool uses tool as parameter
|
|
123
|
+
- aeda373: fix: only send provider credentials to same-origin response-supplied URLs
|
|
124
|
+
|
|
125
|
+
Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as `polling_url`, `urls.get`, `result_url`, `result.sample`, or `video.uri`) and reused the authenticated headers — or appended `?key=<API_KEY>` — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.
|
|
126
|
+
|
|
127
|
+
A new `isSameOrigin` helper is added to `@ai-sdk/provider-utils`, and the affected fetches in `@ai-sdk/black-forest-labs`, `@ai-sdk/fireworks`, `@ai-sdk/replicate`, `@ai-sdk/gladia`, `@ai-sdk/fal`, and `@ai-sdk/google` now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.
|
|
128
|
+
|
|
129
|
+
- 350ea38: refactoring: introduce Arrayable type
|
|
130
|
+
- 7fc6bd6: Raise minimum supported Node.js version to 22. Supported versions: 22, 24, and 26.
|
|
131
|
+
- f807e45: Extract shared `StreamingToolCallTracker` class into `@ai-sdk/provider-utils` to deduplicate streaming tool call handling across OpenAI-compatible providers. Also adds missing `generateId()` fallback for `toolCallId` in Alibaba's `doGenerate` path and ensures all providers finalize unfinished tool calls during stream flush.
|
|
132
|
+
- 08d2129: feat(mcp): propagate the server name through dynamic tool parts
|
|
133
|
+
- 0c4c275: trigger initial canary release
|
|
134
|
+
- 6fd51c0: fix(provider): preserve error type prefix in getErrorMessage
|
|
135
|
+
- 69254e0: feat(ai): add toolMetadata for tool specific metdata
|
|
136
|
+
- 6c93e36: feat(provider-utils): add `spawnCommand` method to `Experimental_Sandbox` to allow for detached command execution
|
|
137
|
+
- 9bd6512: feat(provider): change file part data property to be tagged with a type and remove the image part type
|
|
138
|
+
- 258c093: chore: ensure consistent import handling and avoid import duplicates or cycles
|
|
139
|
+
- 375fdd7: fix: harden download URL SSRF guard against hostname and redirect bypasses
|
|
140
|
+
|
|
141
|
+
`validateDownloadUrl` and the file download helpers (`downloadBlob`, `download`) could be bypassed in several ways when handling untrusted URLs:
|
|
142
|
+
|
|
143
|
+
- A fully-qualified hostname with a trailing dot (e.g. `localhost.`, `myhost.local.`) skipped the localhost/`.local` blocklist.
|
|
144
|
+
- IPv6 addresses that embed an IPv4 address in their last 32 bits — IPv4-compatible (`::127.0.0.1`), IPv4-translated (`::ffff:0:127.0.0.1`), and NAT64 (`64:ff9b::127.0.0.1`, including the `64:ff9b:1::/48` local-use prefix) — were not decoded and checked against the private IPv4 ranges.
|
|
145
|
+
- Redirects were validated only _after_ `fetch` had already followed them, so the request to a redirect target (e.g. an internal/metadata address) had already been issued before the check ran.
|
|
146
|
+
- Several reserved/internal address ranges were not blocked: CGNAT (`100.64.0.0/10`, used by some cloud providers for internal traffic), benchmarking (`198.18.0.0/15`), IETF protocol assignments (`192.0.0.0/24`), the reserved `240.0.0.0/4` block (including the `255.255.255.255` broadcast address), and IPv6 site-local (`fec0::/10`) and multicast (`ff00::/8`).
|
|
147
|
+
|
|
148
|
+
The validator now strips trailing dots before the hostname checks and fully expands IPv6 addresses to detect embedded private IPv4 targets. The download helpers now follow redirects manually (`redirect: 'manual'`), re-validating each hop before requesting it, so an unsafe redirect target is never fetched. When a redirect cannot be inspected because the runtime returns an opaque response, the helpers fail closed (reject the redirect) on the server; only in a real browser — where SSRF is not reachable (fetch is constrained by CORS and cannot reach a server's internal network or cloud-metadata endpoints) — is the redirect followed natively so legitimate redirected downloads keep working.
|
|
149
|
+
|
|
150
|
+
- b6783da: refactoring: restructure Tool types
|
|
151
|
+
- 3015fc3: feat: sandbox shell execution abstraction
|
|
152
|
+
- b8396f0: trigger initial beta release
|
|
153
|
+
- daf6637: feat(provider-utils): add `env` option to `spawn` and `run` methods of `Experimental_SandboxSession`
|
|
154
|
+
- a6617c5: feat(provider-utils): add `readFile` and `writeFile` plus convenience wrappers to `Experimental_Sandbox` abstraction
|
|
155
|
+
- 28dfa06: fix: support tools with optional context
|
|
156
|
+
- 083947b: feat(ai): separate toolsContext from context
|
|
157
|
+
- bae5e2b: fix(security): re-validate tool approvals from client message history before execution
|
|
158
|
+
|
|
159
|
+
The approval-replay path in `generateText`/`streamText` (and `WorkflowAgent.stream`) reconstructed approved tool calls from the client-supplied messages array and executed them without re-validating input against the tool's schema or re-applying the approval policy. A client could forge an assistant message with a pre-approved tool-call part and have the server execute a tool with attacker-chosen arguments.
|
|
160
|
+
|
|
161
|
+
The replay path now validates HMAC signature (when `experimental_toolApprovalSecret` is configured), re-validates tool-call input against the tool's input schema, and re-resolves the approval policy before execution.
|
|
162
|
+
|
|
163
|
+
- f617ac2: feat(provider-utils): narrow `tool()` return type to `ExecutableTool<...>` when `execute` is provided
|
|
164
|
+
- 90e2d8a: chore: fix unused vars not being flagged by our lint tooling
|
|
165
|
+
- b4507d5: fix(provider-utils): cancel response body on download rejection to prevent socket leak
|
|
166
|
+
|
|
167
|
+
When a download was rejected early — because the `Content-Length` header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in `readResponseWithSizeLimit`, `download`, and `downloadBlob`, and `fetchWithValidatedRedirects` cancels each redirect hop's body before following or rejecting the next hop.
|
|
168
|
+
|
|
169
|
+
- e93fa91: rename Sandbox.executeCommand to Sandbox.runCommand
|
|
170
|
+
- fc92055: feat(ai): automatic tool approval
|
|
171
|
+
- b3976a2: Add workflow serialization support to all provider models.
|
|
172
|
+
|
|
173
|
+
**`@ai-sdk/provider-utils`:** New `serializeModel()` helper that extracts only serializable properties from a model instance, filtering out functions and objects containing functions. Third-party provider authors can use this to add workflow support to their own models.
|
|
174
|
+
|
|
175
|
+
**All providers:** `headers` is now optional in provider config types. This is non-breaking — existing code that passes `headers` continues to work. Custom provider implementations that construct model configs manually can now omit `headers`, which is useful when models are deserialized from a workflow step boundary where auth is provided separately.
|
|
176
|
+
|
|
177
|
+
All provider model classes now include `WORKFLOW_SERIALIZE` and `WORKFLOW_DESERIALIZE` static methods, enabling them to cross workflow step boundaries without serialization errors.
|
|
178
|
+
|
|
179
|
+
- ff5eba1: feat: roll `image-*` tool output types into their equivalent `file-*` types
|
|
180
|
+
|
|
181
|
+
## 5.0.0-beta.50
|
|
182
|
+
|
|
183
|
+
### Patch Changes
|
|
184
|
+
|
|
185
|
+
- Updated dependencies [0416e3e]
|
|
186
|
+
- @ai-sdk/provider@4.0.0-beta.20
|
|
187
|
+
|
|
188
|
+
## 5.0.0-beta.49
|
|
189
|
+
|
|
190
|
+
### Patch Changes
|
|
191
|
+
|
|
192
|
+
- b8396f0: trigger initial beta release
|
|
193
|
+
- Updated dependencies [b8396f0]
|
|
194
|
+
- @ai-sdk/provider@4.0.0-beta.19
|
|
195
|
+
|
|
196
|
+
## 5.0.0-canary.48
|
|
197
|
+
|
|
198
|
+
### Patch Changes
|
|
199
|
+
|
|
200
|
+
- aeda373: fix: only send provider credentials to same-origin response-supplied URLs
|
|
201
|
+
|
|
202
|
+
Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as `polling_url`, `urls.get`, `result_url`, `result.sample`, or `video.uri`) and reused the authenticated headers — or appended `?key=<API_KEY>` — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.
|
|
203
|
+
|
|
204
|
+
A new `isSameOrigin` helper is added to `@ai-sdk/provider-utils`, and the affected fetches in `@ai-sdk/black-forest-labs`, `@ai-sdk/fireworks`, `@ai-sdk/replicate`, `@ai-sdk/gladia`, `@ai-sdk/fal`, and `@ai-sdk/google` now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.
|
|
205
|
+
|
|
206
|
+
- 375fdd7: fix: harden download URL SSRF guard against hostname and redirect bypasses
|
|
207
|
+
|
|
208
|
+
`validateDownloadUrl` and the file download helpers (`downloadBlob`, `download`) could be bypassed in several ways when handling untrusted URLs:
|
|
209
|
+
|
|
210
|
+
- A fully-qualified hostname with a trailing dot (e.g. `localhost.`, `myhost.local.`) skipped the localhost/`.local` blocklist.
|
|
211
|
+
- IPv6 addresses that embed an IPv4 address in their last 32 bits — IPv4-compatible (`::127.0.0.1`), IPv4-translated (`::ffff:0:127.0.0.1`), and NAT64 (`64:ff9b::127.0.0.1`, including the `64:ff9b:1::/48` local-use prefix) — were not decoded and checked against the private IPv4 ranges.
|
|
212
|
+
- Redirects were validated only _after_ `fetch` had already followed them, so the request to a redirect target (e.g. an internal/metadata address) had already been issued before the check ran.
|
|
213
|
+
- Several reserved/internal address ranges were not blocked: CGNAT (`100.64.0.0/10`, used by some cloud providers for internal traffic), benchmarking (`198.18.0.0/15`), IETF protocol assignments (`192.0.0.0/24`), the reserved `240.0.0.0/4` block (including the `255.255.255.255` broadcast address), and IPv6 site-local (`fec0::/10`) and multicast (`ff00::/8`).
|
|
214
|
+
|
|
215
|
+
The validator now strips trailing dots before the hostname checks and fully expands IPv6 addresses to detect embedded private IPv4 targets. The download helpers now follow redirects manually (`redirect: 'manual'`), re-validating each hop before requesting it, so an unsafe redirect target is never fetched. When a redirect cannot be inspected because the runtime returns an opaque response, the helpers fail closed (reject the redirect) on the server; only in a real browser — where SSRF is not reachable (fetch is constrained by CORS and cannot reach a server's internal network or cloud-metadata endpoints) — is the redirect followed natively so legitimate redirected downloads keep working.
|
|
216
|
+
|
|
217
|
+
- b4507d5: fix(provider-utils): cancel response body on download rejection to prevent socket leak
|
|
218
|
+
|
|
219
|
+
When a download was rejected early — because the `Content-Length` header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in `readResponseWithSizeLimit`, `download`, and `downloadBlob`, and `fetchWithValidatedRedirects` cancels each redirect hop's body before following or rejecting the next hop.
|
|
220
|
+
|
|
3
221
|
## 5.0.0-canary.47
|
|
4
222
|
|
|
5
223
|
### Patch Changes
|
package/dist/index.d.ts
CHANGED
|
@@ -738,6 +738,36 @@ declare class DownloadError extends AISDKError {
|
|
|
738
738
|
static isInstance(error: unknown): error is DownloadError;
|
|
739
739
|
}
|
|
740
740
|
|
|
741
|
+
/**
|
|
742
|
+
* Fetches a URL while enforcing the SSRF download guard on every hop.
|
|
743
|
+
*
|
|
744
|
+
* Redirects are followed manually (`redirect: 'manual'`) so each hop is
|
|
745
|
+
* validated with {@link validateDownloadUrl} *before* it is requested. Relying
|
|
746
|
+
* on the default `redirect: 'follow'` would issue the request to a redirect
|
|
747
|
+
* target (e.g. an internal address) before we ever see its URL, defeating the
|
|
748
|
+
* SSRF guard.
|
|
749
|
+
*
|
|
750
|
+
* A `redirect: 'manual'` request yields an unreadable opaque response in the
|
|
751
|
+
* browser (and in other spec-compliant fetch implementations), so the redirect
|
|
752
|
+
* target cannot be validated here. In a real browser this is safe to follow
|
|
753
|
+
* natively because SSRF is not reachable (fetch is constrained by CORS and
|
|
754
|
+
* cannot reach a server's internal network or cloud-metadata). On any other
|
|
755
|
+
* runtime we cannot validate the hop, so we fail closed rather than follow it
|
|
756
|
+
* blindly and bypass the SSRF guard.
|
|
757
|
+
*
|
|
758
|
+
* The returned response is the final (non-redirect) response. The caller is
|
|
759
|
+
* responsible for checking `response.ok` and reading the body.
|
|
760
|
+
*
|
|
761
|
+
* @throws DownloadError if a hop is unsafe, the redirect limit is exceeded, or
|
|
762
|
+
* a redirect cannot be validated on a non-browser runtime.
|
|
763
|
+
*/
|
|
764
|
+
declare function fetchWithValidatedRedirects({ url, headers, abortSignal, maxRedirects, }: {
|
|
765
|
+
url: string;
|
|
766
|
+
headers?: HeadersInit;
|
|
767
|
+
abortSignal?: AbortSignal;
|
|
768
|
+
maxRedirects?: number;
|
|
769
|
+
}): Promise<Response>;
|
|
770
|
+
|
|
741
771
|
/**
|
|
742
772
|
* Extracts a 1-based inclusive line range from `text`, auto-detecting the
|
|
743
773
|
* file's line ending (`\r\n`, `\n`, or `\r`, in that priority).
|
|
@@ -971,6 +1001,16 @@ declare function injectJsonInstructionIntoMessages({ messages, schema, schemaPre
|
|
|
971
1001
|
|
|
972
1002
|
declare function isAbortError(error: unknown): error is Error;
|
|
973
1003
|
|
|
1004
|
+
/**
|
|
1005
|
+
* Returns `true` when running in a browser.
|
|
1006
|
+
*
|
|
1007
|
+
* Detection keys on the presence of a global `window`, matching the browser
|
|
1008
|
+
* check used elsewhere in this package (see `getRuntimeEnvironmentUserAgent`)
|
|
1009
|
+
* so the SDK has a single, consistent definition of "browser". Server runtimes
|
|
1010
|
+
* (Node.js, Deno, Bun, edge/workers) do not define `window`.
|
|
1011
|
+
*/
|
|
1012
|
+
declare function isBrowserRuntime(globalThisAny?: any): boolean;
|
|
1013
|
+
|
|
974
1014
|
/**
|
|
975
1015
|
* Type-guard for Node.js `Buffer` instances.
|
|
976
1016
|
*
|
|
@@ -979,6 +1019,20 @@ declare function isAbortError(error: unknown): error is Error;
|
|
|
979
1019
|
*/
|
|
980
1020
|
declare function isBuffer(value: unknown): value is Buffer;
|
|
981
1021
|
|
|
1022
|
+
/**
|
|
1023
|
+
* Returns true when `url` has the same origin (scheme + host + port) as
|
|
1024
|
+
* `baseUrl`.
|
|
1025
|
+
*
|
|
1026
|
+
* Used to decide whether provider credentials may be attached to a request to a
|
|
1027
|
+
* URL taken from a provider response (e.g. a polling or media-download URL).
|
|
1028
|
+
* Credentials must only be sent to the provider's own origin; a response that
|
|
1029
|
+
* names a foreign host (a CDN, or an attacker-controlled host if the response
|
|
1030
|
+
* is tampered with) must not receive the API key.
|
|
1031
|
+
*
|
|
1032
|
+
* Returns false if either value is not a valid absolute URL (fail-closed).
|
|
1033
|
+
*/
|
|
1034
|
+
declare function isSameOrigin(url: string, baseUrl: string): boolean;
|
|
1035
|
+
|
|
982
1036
|
/**
|
|
983
1037
|
* Type guard that checks whether a value is not `null` or `undefined`.
|
|
984
1038
|
*
|
|
@@ -1870,6 +1924,20 @@ declare function createProviderExecutedToolFactory<INPUT, OUTPUT, ARGS extends o
|
|
|
1870
1924
|
supportsDeferredResults?: boolean;
|
|
1871
1925
|
}): ProviderExecutedToolFactory<INPUT, OUTPUT, ARGS, CONTEXT>;
|
|
1872
1926
|
|
|
1927
|
+
/**
|
|
1928
|
+
* Cancels a response body to release the underlying connection.
|
|
1929
|
+
*
|
|
1930
|
+
* When a fetch Response is rejected without consuming its body (e.g. a failed
|
|
1931
|
+
* status code, an open-redirect rejection, or a Content-Length that exceeds the
|
|
1932
|
+
* size limit), the underlying TCP socket is not returned to the connection pool
|
|
1933
|
+
* and may stay open until the process runs out of file descriptors. Cancelling
|
|
1934
|
+
* the body avoids this leak.
|
|
1935
|
+
*
|
|
1936
|
+
* Errors thrown while cancelling are ignored: the body may already be locked,
|
|
1937
|
+
* disturbed, or absent, none of which should mask the original rejection.
|
|
1938
|
+
*/
|
|
1939
|
+
declare function cancelResponseBody(response: Response): Promise<void>;
|
|
1940
|
+
|
|
1873
1941
|
/**
|
|
1874
1942
|
* Default maximum download size: 2 GiB.
|
|
1875
1943
|
*
|
|
@@ -2076,6 +2144,10 @@ declare function convertToBase64(value: string | Uint8Array): string;
|
|
|
2076
2144
|
* Validates that a URL is safe to download from, blocking private/internal addresses
|
|
2077
2145
|
* to prevent SSRF attacks.
|
|
2078
2146
|
*
|
|
2147
|
+
* Note: this performs string/literal-IP checks only. It does not resolve DNS, so a
|
|
2148
|
+
* hostname that resolves to a private address is not blocked here (see callers, which
|
|
2149
|
+
* should additionally constrain egress at the network layer when handling untrusted URLs).
|
|
2150
|
+
*
|
|
2079
2151
|
* @param url - The URL string to validate.
|
|
2080
2152
|
* @throws DownloadError if the URL is unsafe.
|
|
2081
2153
|
*/
|
|
@@ -2287,4 +2359,4 @@ interface ToolResult<NAME extends string, INPUT, OUTPUT> {
|
|
|
2287
2359
|
dynamic?: boolean;
|
|
2288
2360
|
}
|
|
2289
2361
|
|
|
2290
|
-
export { type Arrayable, type AssistantContent, type AssistantModelMessage, type Context, type CustomPart, DEFAULT_MAX_DOWNLOAD_SIZE, type DataContent, DelayedPromise, DownloadError, type DynamicTool, type ExecutableTool, type SandboxProcess as Experimental_SandboxProcess, type SandboxSession as Experimental_SandboxSession, type FetchFunction, type FileData, type FileDataData, type FileDataReference, type FileDataText, type FileDataUrl, type FilePart, type FlexibleSchema, type FunctionTool, type HasRequiredKey, type IdGenerator, type ImagePart, type InferSchema, type InferToolContext, type InferToolInput, type InferToolOutput, type InferToolSetContext, type LazySchema, type MaybePromiseLike, type ModelMessage, type ParseResult, type ProviderDefinedTool, type ProviderDefinedToolFactory, type ProviderDefinedToolFactoryWithOutputSchema, type ProviderExecutedTool, type ProviderExecutedToolFactory, type ProviderOptions, type ProviderReference, type ReasoningFilePart, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type StreamingToolCallDelta, StreamingToolCallTracker, type StreamingToolCallTrackerOptions, type SystemModelMessage, type TextPart, type Tool, type ToolApprovalRequest, type ToolApprovalResponse, type ToolCall, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolExecutionOptions, type ToolModelMessage, type ToolNameMapping, type ToolNeedsApprovalFunction, type ToolResult, type ToolResultOutput, type ToolResultPart, type ToolSet, type UserContent, type UserModelMessage, VERSION, type ValidationResult, asArray, asSchema, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertImageModelFileToDataUri, convertInlineFileDataToUint8Array, convertToBase64, convertToFormData, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createProviderDefinedToolFactory, createProviderDefinedToolFactoryWithOutputSchema, createProviderExecutedToolFactory, createStatusCodeErrorResponseHandler, createToolNameMapping, delay, detectMediaType, downloadBlob, dynamicTool, executeTool, extractLines, extractResponseHeaders, filterNullable, generateId, getFromApi, getRuntimeEnvironmentUserAgent, getTopLevelMediaType, injectJsonInstructionIntoMessages, isAbortError, isBuffer, isCustomReasoning, isExecutableTool, isFullMediaType, isNonNullable, isParsableJson, isProviderReference, isUrlSupported, jsonSchema, lazySchema, loadApiKey, loadOptionalSetting, loadSetting, mapReasoningToProviderBudget, mapReasoningToProviderEffort, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, readResponseWithSizeLimit, removeUndefinedEntries, resolve, resolveFullMediaType, resolveProviderReference, safeParseJSON, safeValidateTypes, serializeModelOptions, stripFileExtension, tool, validateDownloadUrl, validateTypes, withUserAgentSuffix, withoutTrailingSlash, zodSchema };
|
|
2362
|
+
export { type Arrayable, type AssistantContent, type AssistantModelMessage, type Context, type CustomPart, DEFAULT_MAX_DOWNLOAD_SIZE, type DataContent, DelayedPromise, DownloadError, type DynamicTool, type ExecutableTool, type SandboxProcess as Experimental_SandboxProcess, type SandboxSession as Experimental_SandboxSession, type FetchFunction, type FileData, type FileDataData, type FileDataReference, type FileDataText, type FileDataUrl, type FilePart, type FlexibleSchema, type FunctionTool, type HasRequiredKey, type IdGenerator, type ImagePart, type InferSchema, type InferToolContext, type InferToolInput, type InferToolOutput, type InferToolSetContext, type LazySchema, type MaybePromiseLike, type ModelMessage, type ParseResult, type ProviderDefinedTool, type ProviderDefinedToolFactory, type ProviderDefinedToolFactoryWithOutputSchema, type ProviderExecutedTool, type ProviderExecutedToolFactory, type ProviderOptions, type ProviderReference, type ReasoningFilePart, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type StreamingToolCallDelta, StreamingToolCallTracker, type StreamingToolCallTrackerOptions, type SystemModelMessage, type TextPart, type Tool, type ToolApprovalRequest, type ToolApprovalResponse, type ToolCall, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolExecutionOptions, type ToolModelMessage, type ToolNameMapping, type ToolNeedsApprovalFunction, type ToolResult, type ToolResultOutput, type ToolResultPart, type ToolSet, type UserContent, type UserModelMessage, VERSION, type ValidationResult, asArray, asSchema, cancelResponseBody, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertImageModelFileToDataUri, convertInlineFileDataToUint8Array, convertToBase64, convertToFormData, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createProviderDefinedToolFactory, createProviderDefinedToolFactoryWithOutputSchema, createProviderExecutedToolFactory, createStatusCodeErrorResponseHandler, createToolNameMapping, delay, detectMediaType, downloadBlob, dynamicTool, executeTool, extractLines, extractResponseHeaders, fetchWithValidatedRedirects, filterNullable, generateId, getFromApi, getRuntimeEnvironmentUserAgent, getTopLevelMediaType, injectJsonInstructionIntoMessages, isAbortError, isBrowserRuntime, isBuffer, isCustomReasoning, isExecutableTool, isFullMediaType, isNonNullable, isParsableJson, isProviderReference, isSameOrigin, isUrlSupported, jsonSchema, lazySchema, loadApiKey, loadOptionalSetting, loadSetting, mapReasoningToProviderBudget, mapReasoningToProviderEffort, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, readResponseWithSizeLimit, removeUndefinedEntries, resolve, resolveFullMediaType, resolveProviderReference, safeParseJSON, safeValidateTypes, serializeModelOptions, stripFileExtension, tool, validateDownloadUrl, validateTypes, withUserAgentSuffix, withoutTrailingSlash, zodSchema };
|