@ai-sdk/provider-utils 5.0.0-canary.48 → 5.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,204 @@
1
1
  # @ai-sdk/provider-utils
2
2
 
3
+ ## 5.0.1
4
+
5
+ ### Patch Changes
6
+
7
+ - 6a436e3: Limit JSON response body reads in response handlers to prevent unbounded memory use.
8
+
9
+ ## 5.0.0
10
+
11
+ ### Major Changes
12
+
13
+ - 986c6fd: feat(ai): change type of experimental_context from unknown to generic
14
+ - b0c2869: chore(ai): remove deprecated `media` type part from `ToolResultOutput`
15
+ - f7d4f01: feat(provider): add support for `reasoning-file` type for files that are part of reasoning
16
+ - 776b617: feat(provider): adding new 'custom' content type
17
+ - ef992f8: Remove CommonJS exports from all packages. All packages are now ESM-only (`"type": "module"`). Consumers using `require()` must switch to ESM `import` syntax.
18
+ - 493295c: Remove the deprecated `ToolCallOptions` export.
19
+
20
+ Use `ToolExecutionOptions` instead.
21
+
22
+ - c29a26f: feat(provider): add support for provider references and uploading files as supported per provider
23
+ - 3887c70: feat(provider): add new top-level reasoning parameter to spec and support it in `generateText` and `streamText`
24
+ - 61753c3: ### `@ai-sdk/openai`: remove redundant `name` argument from `openai.tools.customTool()`
25
+
26
+ `openai.tools.customTool()` no longer accepts a `name` field. the tool name is now derived from the sdk tool key (the object key in the `tools` object).
27
+
28
+ migration: remove the `name` property from `customTool()` calls. the object key is now used as the tool name sent to the openai api.
29
+
30
+ before:
31
+
32
+ ```ts
33
+ tools: {
34
+ write_sql: openai.tools.customTool({
35
+ name: 'write_sql',
36
+ description: '...',
37
+ }),
38
+ }
39
+ ```
40
+
41
+ after:
42
+
43
+ ```ts
44
+ tools: {
45
+ write_sql: openai.tools.customTool({
46
+ description: '...',
47
+ }),
48
+ }
49
+ ```
50
+
51
+ ### `@ai-sdk/provider-utils`: `createToolNameMapping()` no longer accepts the `resolveProviderToolName` parameter
52
+
53
+ before: tool name can be set dynamically
54
+
55
+ ```ts
56
+ const toolNameMapping = createToolNameMapping({
57
+ tools,
58
+ providerToolNames: {
59
+ "openai.code_interpreter": "code_interpreter",
60
+ "openai.file_search": "file_search",
61
+ "openai.image_generation": "image_generation",
62
+ "openai.local_shell": "local_shell",
63
+ "openai.shell": "shell",
64
+ "openai.web_search": "web_search",
65
+ "openai.web_search_preview": "web_search_preview",
66
+ "openai.mcp": "mcp",
67
+ "openai.apply_patch": "apply_patch",
68
+ },
69
+ resolveProviderToolName: (tool) =>
70
+ tool.id === "openai.custom"
71
+ ? (tool.args as { name?: string }).name
72
+ : undefined,
73
+ });
74
+ ```
75
+
76
+ after: tool name is static based on `tools` keys
77
+
78
+ ```
79
+ const toolNameMapping = createToolNameMapping({
80
+ tools,
81
+ providerToolNames: {
82
+ 'openai.code_interpreter': 'code_interpreter',
83
+ 'openai.file_search': 'file_search',
84
+ 'openai.image_generation': 'image_generation',
85
+ 'openai.local_shell': 'local_shell',
86
+ 'openai.shell': 'shell',
87
+ 'openai.web_search': 'web_search',
88
+ 'openai.web_search_preview': 'web_search_preview',
89
+ 'openai.mcp': 'mcp',
90
+ 'openai.apply_patch': 'apply_patch',
91
+ }
92
+ });
93
+ ```
94
+
95
+ - 7e26e81: chore: rename experimental_context to context
96
+ - 8359612: Start v7 pre-release
97
+ - 5463d0d: feat(provider): align tool result output content file part types with top-level message file part types
98
+
99
+ ### Patch Changes
100
+
101
+ - 2427d88: feat(ai): change Tool.sensitiveContext to telemetry.includeToolsContext and make it opt-in
102
+ - 785fe16: feat: distinguish provider-defined and provider-executed tools
103
+ - ee798eb: chore(provider-utils): rename `Experimental_Sandbox` to `Experimental_SandboxSession`
104
+ - 531251e: fix(security): validate redirect targets in download functions to prevent SSRF bypass
105
+
106
+ Both `downloadBlob` and `download` now validate the final URL after following HTTP redirects, preventing attackers from bypassing SSRF protections via open redirects to internal/private addresses.
107
+
108
+ - 67df0a0: feat: add sensitiveContext property to Tool
109
+ - 105f95b: Ensure the default empty tool input schema includes `type: "object"` for OpenAI-compatible providers that require object schemas.
110
+ - eea8d98: refactoring: rename tool execution events
111
+ - d848405: feat: add optional `abortSignal` parameters to sandbox command execution
112
+ - 46d1149: chore(provider-utils,google): fix grammar errors in error and warning messages
113
+ - 1f509d4: fix(ai): force template check on 'kind' param
114
+ - ca446f8: feat: flexible tool descriptions
115
+ - 3ae1786: fix: better context type inference
116
+ - a7de9c9: fix: make sandbox experimental
117
+ - 9f0e36c: trigger release for all packages after provenance setup
118
+ - befb78c: refactoring: remove real-time delays in unit tests
119
+ - f634bac: feat(mcp): add new McpProviderMetadata type
120
+ - 2e17091: fix(types): move shared tool set utility types into provider-utils
121
+
122
+ Moved `ToolSet`, `InferToolSetContext`, and `UnionToIntersection` into `@ai-sdk/provider-utils` and updated `ai` internals to import them directly from there. This keeps the shared tool typing utilities colocated with the core tool type definitions.
123
+
124
+ - ca39020: Add an optional `workingDirectory` parameter to sandbox command execution.
125
+ - 0458559: fix: deprecate needsApproval on Tool
126
+ - 5852c0a: refactoring(provider-utils): add controller as property to StreamingToolCallTracker
127
+ - 2e98477: fix: retain stack traces on async errors
128
+ - add1126: refactoring: executeTool uses tool as parameter
129
+ - aeda373: fix: only send provider credentials to same-origin response-supplied URLs
130
+
131
+ Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as `polling_url`, `urls.get`, `result_url`, `result.sample`, or `video.uri`) and reused the authenticated headers — or appended `?key=<API_KEY>` — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.
132
+
133
+ A new `isSameOrigin` helper is added to `@ai-sdk/provider-utils`, and the affected fetches in `@ai-sdk/black-forest-labs`, `@ai-sdk/fireworks`, `@ai-sdk/replicate`, `@ai-sdk/gladia`, `@ai-sdk/fal`, and `@ai-sdk/google` now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.
134
+
135
+ - 350ea38: refactoring: introduce Arrayable type
136
+ - 7fc6bd6: Raise minimum supported Node.js version to 22. Supported versions: 22, 24, and 26.
137
+ - f807e45: Extract shared `StreamingToolCallTracker` class into `@ai-sdk/provider-utils` to deduplicate streaming tool call handling across OpenAI-compatible providers. Also adds missing `generateId()` fallback for `toolCallId` in Alibaba's `doGenerate` path and ensures all providers finalize unfinished tool calls during stream flush.
138
+ - 08d2129: feat(mcp): propagate the server name through dynamic tool parts
139
+ - 0c4c275: trigger initial canary release
140
+ - 6fd51c0: fix(provider): preserve error type prefix in getErrorMessage
141
+ - 69254e0: feat(ai): add toolMetadata for tool specific metdata
142
+ - 6c93e36: feat(provider-utils): add `spawnCommand` method to `Experimental_Sandbox` to allow for detached command execution
143
+ - 9bd6512: feat(provider): change file part data property to be tagged with a type and remove the image part type
144
+ - 258c093: chore: ensure consistent import handling and avoid import duplicates or cycles
145
+ - 375fdd7: fix: harden download URL SSRF guard against hostname and redirect bypasses
146
+
147
+ `validateDownloadUrl` and the file download helpers (`downloadBlob`, `download`) could be bypassed in several ways when handling untrusted URLs:
148
+
149
+ - A fully-qualified hostname with a trailing dot (e.g. `localhost.`, `myhost.local.`) skipped the localhost/`.local` blocklist.
150
+ - IPv6 addresses that embed an IPv4 address in their last 32 bits — IPv4-compatible (`::127.0.0.1`), IPv4-translated (`::ffff:0:127.0.0.1`), and NAT64 (`64:ff9b::127.0.0.1`, including the `64:ff9b:1::/48` local-use prefix) — were not decoded and checked against the private IPv4 ranges.
151
+ - Redirects were validated only _after_ `fetch` had already followed them, so the request to a redirect target (e.g. an internal/metadata address) had already been issued before the check ran.
152
+ - Several reserved/internal address ranges were not blocked: CGNAT (`100.64.0.0/10`, used by some cloud providers for internal traffic), benchmarking (`198.18.0.0/15`), IETF protocol assignments (`192.0.0.0/24`), the reserved `240.0.0.0/4` block (including the `255.255.255.255` broadcast address), and IPv6 site-local (`fec0::/10`) and multicast (`ff00::/8`).
153
+
154
+ The validator now strips trailing dots before the hostname checks and fully expands IPv6 addresses to detect embedded private IPv4 targets. The download helpers now follow redirects manually (`redirect: 'manual'`), re-validating each hop before requesting it, so an unsafe redirect target is never fetched. When a redirect cannot be inspected because the runtime returns an opaque response, the helpers fail closed (reject the redirect) on the server; only in a real browser — where SSRF is not reachable (fetch is constrained by CORS and cannot reach a server's internal network or cloud-metadata endpoints) — is the redirect followed natively so legitimate redirected downloads keep working.
155
+
156
+ - b6783da: refactoring: restructure Tool types
157
+ - 3015fc3: feat: sandbox shell execution abstraction
158
+ - b8396f0: trigger initial beta release
159
+ - daf6637: feat(provider-utils): add `env` option to `spawn` and `run` methods of `Experimental_SandboxSession`
160
+ - a6617c5: feat(provider-utils): add `readFile` and `writeFile` plus convenience wrappers to `Experimental_Sandbox` abstraction
161
+ - 28dfa06: fix: support tools with optional context
162
+ - 083947b: feat(ai): separate toolsContext from context
163
+ - bae5e2b: fix(security): re-validate tool approvals from client message history before execution
164
+
165
+ The approval-replay path in `generateText`/`streamText` (and `WorkflowAgent.stream`) reconstructed approved tool calls from the client-supplied messages array and executed them without re-validating input against the tool's schema or re-applying the approval policy. A client could forge an assistant message with a pre-approved tool-call part and have the server execute a tool with attacker-chosen arguments.
166
+
167
+ The replay path now validates HMAC signature (when `experimental_toolApprovalSecret` is configured), re-validates tool-call input against the tool's input schema, and re-resolves the approval policy before execution.
168
+
169
+ - f617ac2: feat(provider-utils): narrow `tool()` return type to `ExecutableTool<...>` when `execute` is provided
170
+ - 90e2d8a: chore: fix unused vars not being flagged by our lint tooling
171
+ - b4507d5: fix(provider-utils): cancel response body on download rejection to prevent socket leak
172
+
173
+ When a download was rejected early — because the `Content-Length` header exceeded the size limit, the response status was not ok, or a redirect resolved to a blocked URL — the fetch response body was left unconsumed and uncancelled. With WHATWG Fetch/undici this leaves the underlying TCP socket open instead of returning it to the connection pool, allowing an attacker-controlled origin to exhaust file descriptors and cause a denial of service. The body is now cancelled on all early-rejection paths in `readResponseWithSizeLimit`, `download`, and `downloadBlob`, and `fetchWithValidatedRedirects` cancels each redirect hop's body before following or rejecting the next hop.
174
+
175
+ - e93fa91: rename Sandbox.executeCommand to Sandbox.runCommand
176
+ - fc92055: feat(ai): automatic tool approval
177
+ - b3976a2: Add workflow serialization support to all provider models.
178
+
179
+ **`@ai-sdk/provider-utils`:** New `serializeModel()` helper that extracts only serializable properties from a model instance, filtering out functions and objects containing functions. Third-party provider authors can use this to add workflow support to their own models.
180
+
181
+ **All providers:** `headers` is now optional in provider config types. This is non-breaking — existing code that passes `headers` continues to work. Custom provider implementations that construct model configs manually can now omit `headers`, which is useful when models are deserialized from a workflow step boundary where auth is provided separately.
182
+
183
+ All provider model classes now include `WORKFLOW_SERIALIZE` and `WORKFLOW_DESERIALIZE` static methods, enabling them to cross workflow step boundaries without serialization errors.
184
+
185
+ - ff5eba1: feat: roll `image-*` tool output types into their equivalent `file-*` types
186
+
187
+ ## 5.0.0-beta.50
188
+
189
+ ### Patch Changes
190
+
191
+ - Updated dependencies [0416e3e]
192
+ - @ai-sdk/provider@4.0.0-beta.20
193
+
194
+ ## 5.0.0-beta.49
195
+
196
+ ### Patch Changes
197
+
198
+ - b8396f0: trigger initial beta release
199
+ - Updated dependencies [b8396f0]
200
+ - @ai-sdk/provider@4.0.0-beta.19
201
+
3
202
  ## 5.0.0-canary.48
4
203
 
5
204
  ### Patch Changes
package/dist/index.js CHANGED
@@ -971,7 +971,7 @@ function withUserAgentSuffix(headers, ...userAgentSuffixParts) {
971
971
  }
972
972
 
973
973
  // src/version.ts
974
- var VERSION = true ? "5.0.0-canary.48" : "0.0.0-test";
974
+ var VERSION = true ? "5.0.1" : "0.0.0-test";
975
975
 
976
976
  // src/get-from-api.ts
977
977
  var getOriginalFetch = () => globalThis.fetch;
@@ -3074,12 +3074,24 @@ function resolveProviderReference({
3074
3074
 
3075
3075
  // src/response-handler.ts
3076
3076
  import { APICallError as APICallError4, EmptyResponseBodyError } from "@ai-sdk/provider";
3077
+ var textDecoder = new TextDecoder();
3078
+ async function readResponseBodyAsText({
3079
+ response,
3080
+ url
3081
+ }) {
3082
+ return textDecoder.decode(
3083
+ await readResponseWithSizeLimit({
3084
+ response,
3085
+ url
3086
+ })
3087
+ );
3088
+ }
3077
3089
  var createJsonErrorResponseHandler = ({
3078
3090
  errorSchema,
3079
3091
  errorToMessage,
3080
3092
  isRetryable
3081
3093
  }) => async ({ response, url, requestBodyValues }) => {
3082
- const responseBody = await response.text();
3094
+ const responseBody = await readResponseBodyAsText({ response, url });
3083
3095
  const responseHeaders = extractResponseHeaders(response);
3084
3096
  if (responseBody.trim() === "") {
3085
3097
  return {
@@ -3142,7 +3154,7 @@ var createEventSourceResponseHandler = (chunkSchema) => async ({ response }) =>
3142
3154
  };
3143
3155
  };
3144
3156
  var createJsonResponseHandler = (responseSchema) => async ({ response, url, requestBodyValues }) => {
3145
- const responseBody = await response.text();
3157
+ const responseBody = await readResponseBodyAsText({ response, url });
3146
3158
  const parsedResult = await safeParseJSON({
3147
3159
  text: responseBody,
3148
3160
  schema: responseSchema
@@ -3197,7 +3209,7 @@ var createBinaryResponseHandler = () => async ({ response, url, requestBodyValue
3197
3209
  };
3198
3210
  var createStatusCodeErrorResponseHandler = () => async ({ response, url, requestBodyValues }) => {
3199
3211
  const responseHeaders = extractResponseHeaders(response);
3200
- const responseBody = await response.text();
3212
+ const responseBody = await readResponseBodyAsText({ response, url });
3201
3213
  return {
3202
3214
  responseHeaders,
3203
3215
  value: new APICallError4({