@blockchyp/blockchyp-ts 2.30.4 → 2.30.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -31533,7 +31533,7 @@ exports.WhiteListedCard = WhiteListedCard;
31533
31533
  */
31534
31534
  class AuthorizationRequest {
31535
31535
  // Constructor with default values for optional fields
31536
- constructor(timeout = null, test = null, transactionRef = undefined, autogeneratedRef = null, async = null, queue = null, waitForRemovedCard = false, force = false, orderRef = undefined, destinationAccount = undefined, testCase = undefined, token = undefined, track1 = undefined, track2 = undefined, pan = undefined, routingNumber = undefined, cardholderName = undefined, expMonth = undefined, expYear = undefined, cvv = undefined, address = undefined, postalCode = undefined, country = undefined, manualEntry = false, ksn = undefined, pinBlock = undefined, cardType = undefined, paymentType = undefined, currencyCode = null, amount = null, taxExempt = null, surcharge = null, cashDiscount = null, sigFile = undefined, sigFormat = undefined, sigWidth = 0, disableSignature = false, tipAmount = undefined, taxAmount = undefined, terminalName = undefined, resetConnection = null, transactionId = undefined, onlineAuthCode = undefined, enroll = false, bypassDupeFilter = false, description = undefined, promptForTip = false, cashBackEnabled = false, cardOnFile = false, recurring = false, cit = false, mit = false, subscription = false, purchaseOrderNumber = undefined, supplierReferenceNumber = undefined, lineItems = null, altPrices = undefined, customer = undefined, roundingMode = undefined, healthcareMetadata = undefined, cryptocurrency = undefined, cryptoNetwork = undefined, cryptoReceiveAddress = undefined, paymentRequestLabel = undefined, paymentRequestMessage = undefined, simulateChipRejection = false, simulateOutOfOrderReversal = false, asyncReversals = false, passthroughSurcharge = undefined, healthcare = false, healthcareTotal = undefined, ebtTotal = undefined, cardMetadataLookup = false, totalDiscountAmount = undefined, shippingAmount = undefined, dutyAmount = undefined, processorId = undefined, externalCustomerId = undefined, destinationCountryCode = undefined, shipFromPostalCode = undefined, shipToPostalCode = undefined, orderDate = undefined, shipmentCount = null, shipmentNumber = null, externalPartnerMetadata = undefined) {
31536
+ constructor(timeout = null, test = null, transactionRef = undefined, autogeneratedRef = null, async = null, queue = null, waitForRemovedCard = false, force = false, orderRef = undefined, destinationAccount = undefined, testCase = undefined, token = undefined, track1 = undefined, track2 = undefined, pan = undefined, routingNumber = undefined, cardholderName = undefined, expMonth = undefined, expYear = undefined, cvv = undefined, address = undefined, postalCode = undefined, country = undefined, manualEntry = false, ksn = undefined, pinBlock = undefined, cardType = undefined, paymentType = undefined, currencyCode = null, amount = null, taxExempt = null, surcharge = null, cashDiscount = null, sigFile = undefined, sigFormat = undefined, sigWidth = 0, disableSignature = false, tipAmount = undefined, taxAmount = undefined, terminalName = undefined, resetConnection = null, transactionId = undefined, onlineAuthCode = undefined, enroll = false, bypassDupeFilter = false, description = undefined, promptForTip = false, cashBackEnabled = false, cardOnFile = false, recurring = false, cit = false, mit = false, subscription = false, purchaseOrderNumber = undefined, supplierReferenceNumber = undefined, lineItems = null, altPrices = undefined, customer = undefined, roundingMode = undefined, healthcareMetadata = undefined, cryptocurrency = undefined, cryptoNetwork = undefined, cryptoReceiveAddress = undefined, paymentRequestLabel = undefined, paymentRequestMessage = undefined, simulateChipRejection = false, simulateOutOfOrderReversal = false, asyncReversals = false, passthroughSurcharge = undefined, healthcare = false, healthcareTotal = undefined, ebtTotal = undefined, cardMetadataLookup = false, totalDiscountAmount = undefined, shippingAmount = undefined, dutyAmount = undefined, processorId = undefined, externalCustomerId = undefined, destinationCountryCode = undefined, shipFromPostalCode = undefined, shipToPostalCode = undefined, orderDate = undefined, shipmentCount = null, shipmentNumber = null, externalPartnerMetadata = undefined, externalCustomerEmail = undefined, externalCustomerPhone = undefined, externalCustomerCompany = undefined) {
31537
31537
  /**
31538
31538
  * The request timeout in seconds.
31539
31539
  */
@@ -31680,6 +31680,9 @@ class AuthorizationRequest {
31680
31680
  this.shipmentCount = shipmentCount;
31681
31681
  this.shipmentNumber = shipmentNumber;
31682
31682
  this.externalPartnerMetadata = externalPartnerMetadata;
31683
+ this.externalCustomerEmail = externalCustomerEmail;
31684
+ this.externalCustomerPhone = externalCustomerPhone;
31685
+ this.externalCustomerCompany = externalCustomerCompany;
31683
31686
  }
31684
31687
  }
31685
31688
  exports.AuthorizationRequest = AuthorizationRequest;
@@ -35178,7 +35181,7 @@ exports.Address = Address;
35178
35181
  */
35179
35182
  class MerchantProfile {
35180
35183
  // Constructor with default values for optional fields
35181
- constructor(timeout = null, test = null, merchantId = null, bankMid = null, companyName = null, dbaName = null, invoiceName = null, contactName = null, contactNumber = null, locationName = null, storeNumber = null, partnerRef = null, timeZone = null, batchCloseTime = null, terminalUpdateTime = null, autoBatchClose = null, disableBatchEmails = null, pinEnabled = null, cashBackEnabled = null, storeAndForwardEnabled = null, partialAuthEnabled = null, splitBankAccountsEnabled = null, storeAndForwardFloorLimit = null, publicKey = null, status = null, cashDiscountEnabled = null, surveyTimeout = null, cooldownTimeout = null, tipEnabled = null, promptForTip = null, tipDefaults = null, cashbackPresets = null, ebtEnabled = null, freeRangeRefundsEnabled = null, pinBypassEnabled = null, giftCardsDisabled = null, tcDisabled = null, digitalSignaturesEnabled = null, digitalSignatureReversal = null, billingAddress = null, shippingAddress = null, visa = null, masterCard = null, amex = null, discover = null, jcb = null, unionPay = null, contactlessEmv = null, manualEntryEnabled = null, manualEntryPromptZip = null, manualEntryPromptStreetNumber = null, gatewayOnly = null, bankAccounts = null, passthroughSurchargeEnabled = null, cvvVerificationEnabled = null, cvvVerificationNEnabled = null, cvvVerificationPEnabled = null, cvvVerificationSEnabled = null, cvvVerificationUEnabled = null, followPartnerCvvSettings = null, avsRule = null, followPartnerAvsSettings = null, accountUpdaterEnrolled = null, bypassEnrollAuthEnabled = null) {
35184
+ constructor(timeout = null, test = null, merchantId = null, bankMid = null, companyName = null, dbaName = null, invoiceName = null, contactName = null, contactNumber = null, locationName = null, storeNumber = null, partnerRef = null, timeZone = null, batchCloseTime = null, terminalUpdateTime = null, autoBatchClose = null, disableBatchEmails = null, pinEnabled = null, cashBackEnabled = null, storeAndForwardEnabled = null, partialAuthEnabled = null, splitBankAccountsEnabled = null, storeAndForwardFloorLimit = null, publicKey = null, status = null, cashDiscountEnabled = null, surveyTimeout = null, cooldownTimeout = null, tipEnabled = null, promptForTip = null, tipDefaults = null, cashbackPresets = null, ebtEnabled = null, freeRangeRefundsEnabled = null, pinBypassEnabled = null, giftCardsDisabled = null, tcDisabled = null, digitalSignaturesEnabled = null, digitalSignatureReversal = null, billingAddress = null, shippingAddress = null, visa = null, masterCard = null, amex = null, discover = null, jcb = null, unionPay = null, contactlessEmv = null, manualEntryEnabled = null, manualEntryPromptZip = null, manualEntryPromptStreetNumber = null, gatewayOnly = null, bankAccounts = null, passthroughSurchargeEnabled = null, cvvVerificationEnabled = null, cvvVerificationNEnabled = null, cvvVerificationPEnabled = null, cvvVerificationSEnabled = null, cvvVerificationUEnabled = null, followPartnerCvvSettings = null, avsRule = null, followPartnerAvsSettings = null, accountUpdaterEnrolled = null, bypassEnrollAuthEnabled = null, followPartnerServiceFeeEnabled = null, serviceFeeEnabled = null) {
35182
35185
  /**
35183
35186
  * The request timeout in seconds.
35184
35187
  */
@@ -35444,6 +35447,14 @@ class MerchantProfile {
35444
35447
  * Whether the merchant should bypass an auth with TSYS on Enrollment.
35445
35448
  */
35446
35449
  this.bypassEnrollAuthEnabled = null;
35450
+ /**
35451
+ * That the merchant follows the partner's service fee settings.
35452
+ */
35453
+ this.followPartnerServiceFeeEnabled = null;
35454
+ /**
35455
+ * That the merchant is configured to apply a service fee.
35456
+ */
35457
+ this.serviceFeeEnabled = null;
35447
35458
  this.timeout = timeout;
35448
35459
  this.test = test;
35449
35460
  this.merchantId = merchantId;
@@ -35508,6 +35519,8 @@ class MerchantProfile {
35508
35519
  this.followPartnerAvsSettings = followPartnerAvsSettings;
35509
35520
  this.accountUpdaterEnrolled = accountUpdaterEnrolled;
35510
35521
  this.bypassEnrollAuthEnabled = bypassEnrollAuthEnabled;
35522
+ this.followPartnerServiceFeeEnabled = followPartnerServiceFeeEnabled;
35523
+ this.serviceFeeEnabled = serviceFeeEnabled;
35511
35524
  }
35512
35525
  }
35513
35526
  exports.MerchantProfile = MerchantProfile;
@@ -35516,7 +35529,7 @@ exports.MerchantProfile = MerchantProfile;
35516
35529
  */
35517
35530
  class MerchantProfileResponse {
35518
35531
  // Constructor with default values for optional fields
35519
- constructor(success = null, error = null, responseDescription = null, test = null, merchantId = null, bankMid = null, companyName = null, dbaName = null, invoiceName = null, contactName = null, contactNumber = null, locationName = null, storeNumber = null, partnerRef = null, timeZone = null, batchCloseTime = null, terminalUpdateTime = null, autoBatchClose = null, disableBatchEmails = null, pinEnabled = null, cashBackEnabled = null, storeAndForwardEnabled = null, partialAuthEnabled = null, splitBankAccountsEnabled = null, storeAndForwardFloorLimit = null, publicKey = null, status = null, cashDiscountEnabled = null, surveyTimeout = null, cooldownTimeout = null, tipEnabled = null, promptForTip = null, tipDefaults = null, cashbackPresets = null, ebtEnabled = null, freeRangeRefundsEnabled = null, pinBypassEnabled = null, giftCardsDisabled = null, tcDisabled = null, digitalSignaturesEnabled = null, digitalSignatureReversal = null, billingAddress = null, shippingAddress = null, visa = null, masterCard = null, amex = null, discover = null, jcb = null, unionPay = null, contactlessEmv = null, manualEntryEnabled = null, manualEntryPromptZip = null, manualEntryPromptStreetNumber = null, gatewayOnly = null, bankAccounts = null, passthroughSurchargeEnabled = null, cvvVerificationEnabled = null, cvvVerificationNEnabled = null, cvvVerificationPEnabled = null, cvvVerificationSEnabled = null, cvvVerificationUEnabled = null, followPartnerCvvSettings = null, avsRule = null, followPartnerAvsSettings = null, accountUpdaterEnrolled = null, bypassEnrollAuthEnabled = null) {
35532
+ constructor(success = null, error = null, responseDescription = null, test = null, merchantId = null, bankMid = null, companyName = null, dbaName = null, invoiceName = null, contactName = null, contactNumber = null, locationName = null, storeNumber = null, partnerRef = null, timeZone = null, batchCloseTime = null, terminalUpdateTime = null, autoBatchClose = null, disableBatchEmails = null, pinEnabled = null, cashBackEnabled = null, storeAndForwardEnabled = null, partialAuthEnabled = null, splitBankAccountsEnabled = null, storeAndForwardFloorLimit = null, publicKey = null, status = null, cashDiscountEnabled = null, surveyTimeout = null, cooldownTimeout = null, tipEnabled = null, promptForTip = null, tipDefaults = null, cashbackPresets = null, ebtEnabled = null, freeRangeRefundsEnabled = null, pinBypassEnabled = null, giftCardsDisabled = null, tcDisabled = null, digitalSignaturesEnabled = null, digitalSignatureReversal = null, billingAddress = null, shippingAddress = null, visa = null, masterCard = null, amex = null, discover = null, jcb = null, unionPay = null, contactlessEmv = null, manualEntryEnabled = null, manualEntryPromptZip = null, manualEntryPromptStreetNumber = null, gatewayOnly = null, bankAccounts = null, passthroughSurchargeEnabled = null, cvvVerificationEnabled = null, cvvVerificationNEnabled = null, cvvVerificationPEnabled = null, cvvVerificationSEnabled = null, cvvVerificationUEnabled = null, followPartnerCvvSettings = null, avsRule = null, followPartnerAvsSettings = null, accountUpdaterEnrolled = null, bypassEnrollAuthEnabled = null, followPartnerServiceFeeEnabled = null, serviceFeeEnabled = null) {
35520
35533
  /**
35521
35534
  * Whether or not the request succeeded.
35522
35535
  */
@@ -35790,6 +35803,14 @@ class MerchantProfileResponse {
35790
35803
  * Whether the merchant should bypass an auth with TSYS on Enrollment.
35791
35804
  */
35792
35805
  this.bypassEnrollAuthEnabled = null;
35806
+ /**
35807
+ * That the merchant follows the partner's service fee settings.
35808
+ */
35809
+ this.followPartnerServiceFeeEnabled = null;
35810
+ /**
35811
+ * That the merchant is configured to apply a service fee.
35812
+ */
35813
+ this.serviceFeeEnabled = null;
35793
35814
  this.success = success;
35794
35815
  this.error = error;
35795
35816
  this.responseDescription = responseDescription;
@@ -35856,6 +35877,8 @@ class MerchantProfileResponse {
35856
35877
  this.followPartnerAvsSettings = followPartnerAvsSettings;
35857
35878
  this.accountUpdaterEnrolled = accountUpdaterEnrolled;
35858
35879
  this.bypassEnrollAuthEnabled = bypassEnrollAuthEnabled;
35880
+ this.followPartnerServiceFeeEnabled = followPartnerServiceFeeEnabled;
35881
+ this.serviceFeeEnabled = serviceFeeEnabled;
35859
35882
  }
35860
35883
  }
35861
35884
  exports.MerchantProfileResponse = MerchantProfileResponse;
@@ -41306,7 +41329,7 @@ exports.CoreResponse = CoreResponse;
41306
41329
  /***/ ((module, __unused_webpack_exports, __webpack_require__) => {
41307
41330
 
41308
41331
  "use strict";
41309
- /*! Axios v1.16.0 Copyright (c) 2026 Matt Zabriskie and contributors */
41332
+ /*! Axios v1.18.0 Copyright (c) 2026 Matt Zabriskie and contributors */
41310
41333
 
41311
41334
 
41312
41335
  /**
@@ -41328,6 +41351,57 @@ const { toString } = Object.prototype;
41328
41351
  const { getPrototypeOf } = Object;
41329
41352
  const { iterator, toStringTag } = Symbol;
41330
41353
 
41354
+ /* Creating a function that will check if an object has a property. */
41355
+ const hasOwnProperty = (
41356
+ ({ hasOwnProperty }) =>
41357
+ (obj, prop) =>
41358
+ hasOwnProperty.call(obj, prop)
41359
+ )(Object.prototype);
41360
+
41361
+ /**
41362
+ * Walk the prototype chain (excluding the shared Object.prototype) looking for
41363
+ * an own `prop`. This distinguishes genuine own/inherited members — including
41364
+ * class accessors and template prototypes — from members injected via
41365
+ * Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
41366
+ * live on Object.prototype itself and are therefore never matched.
41367
+ *
41368
+ * @param {*} thing The value whose chain to inspect
41369
+ * @param {string|symbol} prop The property key to look for
41370
+ *
41371
+ * @returns {boolean} True when `prop` is owned below Object.prototype
41372
+ */
41373
+ const hasOwnInPrototypeChain = (thing, prop) => {
41374
+ let obj = thing;
41375
+ const seen = [];
41376
+
41377
+ while (obj != null && obj !== Object.prototype) {
41378
+ if (seen.indexOf(obj) !== -1) {
41379
+ return false;
41380
+ }
41381
+ seen.push(obj);
41382
+
41383
+ if (hasOwnProperty(obj, prop)) {
41384
+ return true;
41385
+ }
41386
+ obj = getPrototypeOf(obj);
41387
+ }
41388
+ return false;
41389
+ };
41390
+
41391
+ /**
41392
+ * Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
41393
+ * properties and members inherited from a non-Object.prototype source (a class
41394
+ * instance or template object) are honored; a value reachable only through a
41395
+ * polluted Object.prototype is ignored and `undefined` is returned.
41396
+ *
41397
+ * @param {*} obj The source object
41398
+ * @param {string|symbol} prop The property key to read
41399
+ *
41400
+ * @returns {*} The resolved value, or undefined when unsafe/absent
41401
+ */
41402
+ const getSafeProp = (obj, prop) =>
41403
+ obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
41404
+
41331
41405
  const kindOf = ((cache) => (thing) => {
41332
41406
  const str = toString.call(thing);
41333
41407
  return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase());
@@ -41453,7 +41527,7 @@ const isBoolean = (thing) => thing === true || thing === false;
41453
41527
  * @returns {boolean} True if value is a plain Object, otherwise false
41454
41528
  */
41455
41529
  const isPlainObject = (val) => {
41456
- if (kindOf(val) !== 'object') {
41530
+ if (!isObject(val)) {
41457
41531
  return false;
41458
41532
  }
41459
41533
 
@@ -41461,9 +41535,12 @@ const isPlainObject = (val) => {
41461
41535
  return (
41462
41536
  (prototype === null ||
41463
41537
  prototype === Object.prototype ||
41464
- Object.getPrototypeOf(prototype) === null) &&
41465
- !(toStringTag in val) &&
41466
- !(iterator in val)
41538
+ getPrototypeOf(prototype) === null) &&
41539
+ // Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
41540
+ // Symbol.iterator as evidence the value is a tagged/iterable type rather
41541
+ // than a plain object, while ignoring keys injected onto Object.prototype.
41542
+ !hasOwnInPrototypeChain(val, toStringTag) &&
41543
+ !hasOwnInPrototypeChain(val, iterator)
41467
41544
  );
41468
41545
  };
41469
41546
 
@@ -41732,7 +41809,9 @@ function merge(...objs) {
41732
41809
  return;
41733
41810
  }
41734
41811
 
41735
- const targetKey = (caseless && findKey(result, key)) || key;
41812
+ // findKey lowercases the key, so caseless lookup only applies to strings —
41813
+ // symbol keys are identity-matched.
41814
+ const targetKey = (caseless && typeof key === 'string' && findKey(result, key)) || key;
41736
41815
  // Read via own-prop only — a bare `result[targetKey]` walks the prototype
41737
41816
  // chain, so a polluted Object.prototype value could surface here and get
41738
41817
  // copied into the merged result.
@@ -41749,7 +41828,24 @@ function merge(...objs) {
41749
41828
  };
41750
41829
 
41751
41830
  for (let i = 0, l = objs.length; i < l; i++) {
41752
- objs[i] && forEach(objs[i], assignValue);
41831
+ const source = objs[i];
41832
+ if (!source || isBuffer(source)) {
41833
+ continue;
41834
+ }
41835
+
41836
+ forEach(source, assignValue);
41837
+
41838
+ if (typeof source !== 'object' || isArray(source)) {
41839
+ continue;
41840
+ }
41841
+
41842
+ const symbols = Object.getOwnPropertySymbols(source);
41843
+ for (let j = 0; j < symbols.length; j++) {
41844
+ const symbol = symbols[j];
41845
+ if (propertyIsEnumerable.call(source, symbol)) {
41846
+ assignValue(source[symbol], symbol);
41847
+ }
41848
+ }
41753
41849
  }
41754
41850
  return result;
41755
41851
  }
@@ -41971,12 +42067,7 @@ const toCamelCase = (str) => {
41971
42067
  });
41972
42068
  };
41973
42069
 
41974
- /* Creating a function that will check if an object has a property. */
41975
- const hasOwnProperty = (
41976
- ({ hasOwnProperty }) =>
41977
- (obj, prop) =>
41978
- hasOwnProperty.call(obj, prop)
41979
- )(Object.prototype);
42070
+ const { propertyIsEnumerable } = Object.prototype;
41980
42071
 
41981
42072
  /**
41982
42073
  * Determine if a value is a RegExp object
@@ -42083,11 +42174,11 @@ function isSpecCompliantForm(thing) {
42083
42174
  * @returns {Object} The JSON-compatible object.
42084
42175
  */
42085
42176
  const toJSONObject = (obj) => {
42086
- const stack = new Array(10);
42177
+ const visited = new WeakSet();
42087
42178
 
42088
- const visit = (source, i) => {
42179
+ const visit = (source) => {
42089
42180
  if (isObject(source)) {
42090
- if (stack.indexOf(source) >= 0) {
42181
+ if (visited.has(source)) {
42091
42182
  return;
42092
42183
  }
42093
42184
 
@@ -42097,15 +42188,16 @@ const toJSONObject = (obj) => {
42097
42188
  }
42098
42189
 
42099
42190
  if (!('toJSON' in source)) {
42100
- stack[i] = source;
42191
+ // add-on descent / delete-on-ascent: preserves path semantics, so DAG nodes serialise at every occurrence (see #7230).
42192
+ visited.add(source);
42101
42193
  const target = isArray(source) ? [] : {};
42102
42194
 
42103
42195
  forEach(source, (value, key) => {
42104
- const reducedValue = visit(value, i + 1);
42196
+ const reducedValue = visit(value);
42105
42197
  !isUndefined(reducedValue) && (target[key] = reducedValue);
42106
42198
  });
42107
42199
 
42108
- stack[i] = undefined;
42200
+ visited.delete(source);
42109
42201
 
42110
42202
  return target;
42111
42203
  }
@@ -42114,7 +42206,7 @@ const toJSONObject = (obj) => {
42114
42206
  return source;
42115
42207
  };
42116
42208
 
42117
- return visit(obj, 0);
42209
+ return visit(obj);
42118
42210
  };
42119
42211
 
42120
42212
  /**
@@ -42188,6 +42280,20 @@ const asap =
42188
42280
 
42189
42281
  const isIterable = (thing) => thing != null && isFunction$1(thing[iterator]);
42190
42282
 
42283
+ /**
42284
+ * Determine if a value is iterable via an iterator that is NOT sourced solely
42285
+ * from a polluted Object.prototype. Use this instead of `isIterable` whenever
42286
+ * the iterable comes from untrusted input (e.g. user-supplied header sources),
42287
+ * so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
42288
+ * into an attacker-controlled entries iterator.
42289
+ *
42290
+ * @param {*} thing The value to test
42291
+ *
42292
+ * @returns {boolean} True if value has a non-polluted iterator
42293
+ */
42294
+ const isSafeIterable = (thing) =>
42295
+ thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
42296
+
42191
42297
  var utils$1 = {
42192
42298
  isArray,
42193
42299
  isArrayBuffer,
@@ -42232,6 +42338,8 @@ var utils$1 = {
42232
42338
  isHTMLForm,
42233
42339
  hasOwnProperty,
42234
42340
  hasOwnProp: hasOwnProperty, // an alias to avoid ESLint no-prototype-builtins detection
42341
+ hasOwnInPrototypeChain,
42342
+ getSafeProp,
42235
42343
  reduceDescriptors,
42236
42344
  freezeMethods,
42237
42345
  toObjectSet,
@@ -42248,6 +42356,7 @@ var utils$1 = {
42248
42356
  setImmediate: _setImmediate,
42249
42357
  asap,
42250
42358
  isIterable,
42359
+ isSafeIterable,
42251
42360
  };
42252
42361
 
42253
42362
  // RawAxiosHeaders whose duplicates are ignored by node
@@ -42316,10 +42425,6 @@ var parseHeaders = (rawHeaders) => {
42316
42425
  return parsed;
42317
42426
  };
42318
42427
 
42319
- const $internals = Symbol('internals');
42320
-
42321
- const INVALID_HEADER_VALUE_CHARS_RE = /[^\x09\x20-\x7E\x80-\xFF]/g;
42322
-
42323
42428
  function trimSPorHTAB(str) {
42324
42429
  let start = 0;
42325
42430
  let end = str.length;
@@ -42347,12 +42452,40 @@ function trimSPorHTAB(str) {
42347
42452
  return start === 0 && end === str.length ? str : str.slice(start, end);
42348
42453
  }
42349
42454
 
42350
- function normalizeHeader(header) {
42351
- return header && String(header).trim().toLowerCase();
42455
+ // The control-code ranges are intentional: header sanitization strips C0/DEL bytes.
42456
+ // eslint-disable-next-line no-control-regex
42457
+ const INVALID_UNICODE_HEADER_VALUE_CHARS = new RegExp('[\\u0000-\\u0008\\u000a-\\u001f\\u007f]+', 'g');
42458
+ // eslint-disable-next-line no-control-regex
42459
+ const INVALID_BYTE_STRING_HEADER_VALUE_CHARS = new RegExp('[^\\u0009\\u0020-\\u007e\\u0080-\\u00ff]+', 'g');
42460
+
42461
+ function sanitizeValue(value, invalidChars) {
42462
+ if (utils$1.isArray(value)) {
42463
+ return value.map((item) => sanitizeValue(item, invalidChars));
42464
+ }
42465
+
42466
+ return trimSPorHTAB(String(value).replace(invalidChars, ''));
42467
+ }
42468
+
42469
+ const sanitizeHeaderValue = (value) =>
42470
+ sanitizeValue(value, INVALID_UNICODE_HEADER_VALUE_CHARS);
42471
+
42472
+ const sanitizeByteStringHeaderValue = (value) =>
42473
+ sanitizeValue(value, INVALID_BYTE_STRING_HEADER_VALUE_CHARS);
42474
+
42475
+ function toByteStringHeaderObject(headers) {
42476
+ const byteStringHeaders = Object.create(null);
42477
+
42478
+ utils$1.forEach(headers.toJSON(), (value, header) => {
42479
+ byteStringHeaders[header] = sanitizeByteStringHeaderValue(value);
42480
+ });
42481
+
42482
+ return byteStringHeaders;
42352
42483
  }
42353
42484
 
42354
- function sanitizeHeaderValue(str) {
42355
- return trimSPorHTAB(str.replace(INVALID_HEADER_VALUE_CHARS_RE, ''));
42485
+ const $internals = Symbol('internals');
42486
+
42487
+ function normalizeHeader(header) {
42488
+ return header && String(header).trim().toLowerCase();
42356
42489
  }
42357
42490
 
42358
42491
  function normalizeValue(value) {
@@ -42434,7 +42567,7 @@ class AxiosHeaders {
42434
42567
  const lHeader = normalizeHeader(_header);
42435
42568
 
42436
42569
  if (!lHeader) {
42437
- throw new Error('header name must be a non-empty string');
42570
+ return;
42438
42571
  }
42439
42572
 
42440
42573
  const key = utils$1.findKey(self, lHeader);
@@ -42456,20 +42589,23 @@ class AxiosHeaders {
42456
42589
  setHeaders(header, valueOrRewrite);
42457
42590
  } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) {
42458
42591
  setHeaders(parseHeaders(header), valueOrRewrite);
42459
- } else if (utils$1.isObject(header) && utils$1.isIterable(header)) {
42460
- let obj = {},
42592
+ } else if (utils$1.isObject(header) && utils$1.isSafeIterable(header)) {
42593
+ let obj = Object.create(null),
42461
42594
  dest,
42462
42595
  key;
42463
42596
  for (const entry of header) {
42464
42597
  if (!utils$1.isArray(entry)) {
42465
- throw TypeError('Object iterator must return a key-value pair');
42598
+ throw new TypeError('Object iterator must return a key-value pair');
42466
42599
  }
42467
42600
 
42468
- obj[(key = entry[0])] = (dest = obj[key])
42469
- ? utils$1.isArray(dest)
42470
- ? [...dest, entry[1]]
42471
- : [dest, entry[1]]
42472
- : entry[1];
42601
+ key = entry[0];
42602
+
42603
+ if (utils$1.hasOwnProp(obj, key)) {
42604
+ dest = obj[key];
42605
+ obj[key] = utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]];
42606
+ } else {
42607
+ obj[key] = entry[1];
42608
+ }
42473
42609
  }
42474
42610
 
42475
42611
  setHeaders(obj, valueOrRewrite);
@@ -42863,6 +42999,10 @@ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED';
42863
42999
  // eslint-disable-next-line strict
42864
43000
  var httpAdapter = null;
42865
43001
 
43002
+ // Default nesting limit shared with the inverse transform (formDataToJSON) so
43003
+ // the FormData <-> JSON round-trip stays symmetric.
43004
+ const DEFAULT_FORM_DATA_MAX_DEPTH = 100;
43005
+
42866
43006
  /**
42867
43007
  * Determines if the given thing is a array or js object.
42868
43008
  *
@@ -42973,8 +43113,9 @@ function toFormData(obj, formData, options) {
42973
43113
  const dots = options.dots;
42974
43114
  const indexes = options.indexes;
42975
43115
  const _Blob = options.Blob || (typeof Blob !== 'undefined' && Blob);
42976
- const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
43116
+ const maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
42977
43117
  const useBlob = _Blob && utils$1.isSpecCompliantForm(formData);
43118
+ const stack = [];
42978
43119
 
42979
43120
  if (!utils$1.isFunction(visitor)) {
42980
43121
  throw new TypeError('visitor must be a function');
@@ -43002,6 +43143,38 @@ function toFormData(obj, formData, options) {
43002
43143
  return value;
43003
43144
  }
43004
43145
 
43146
+ function throwIfMaxDepthExceeded(depth) {
43147
+ if (depth > maxDepth) {
43148
+ throw new AxiosError(
43149
+ 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
43150
+ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
43151
+ );
43152
+ }
43153
+ }
43154
+
43155
+ function stringifyWithDepthLimit(value, depth) {
43156
+ if (maxDepth === Infinity) {
43157
+ return JSON.stringify(value);
43158
+ }
43159
+
43160
+ const ancestors = [];
43161
+
43162
+ return JSON.stringify(value, function limitDepth(_key, currentValue) {
43163
+ if (!utils$1.isObject(currentValue)) {
43164
+ return currentValue;
43165
+ }
43166
+
43167
+ while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
43168
+ ancestors.pop();
43169
+ }
43170
+
43171
+ ancestors.push(currentValue);
43172
+ throwIfMaxDepthExceeded(depth + ancestors.length - 1);
43173
+
43174
+ return currentValue;
43175
+ });
43176
+ }
43177
+
43005
43178
  /**
43006
43179
  * Default visitor.
43007
43180
  *
@@ -43025,7 +43198,7 @@ function toFormData(obj, formData, options) {
43025
43198
  // eslint-disable-next-line no-param-reassign
43026
43199
  key = metaTokens ? key : key.slice(0, -2);
43027
43200
  // eslint-disable-next-line no-param-reassign
43028
- value = JSON.stringify(value);
43201
+ value = stringifyWithDepthLimit(value, 1);
43029
43202
  } else if (
43030
43203
  (utils$1.isArray(value) && isFlatArray(value)) ||
43031
43204
  ((utils$1.isFileList(value) || utils$1.endsWith(key, '[]')) && (arr = utils$1.toArray(value)))
@@ -43058,8 +43231,6 @@ function toFormData(obj, formData, options) {
43058
43231
  return false;
43059
43232
  }
43060
43233
 
43061
- const stack = [];
43062
-
43063
43234
  const exposedHelpers = Object.assign(predicates, {
43064
43235
  defaultVisitor,
43065
43236
  convertValue,
@@ -43069,15 +43240,10 @@ function toFormData(obj, formData, options) {
43069
43240
  function build(value, path, depth = 0) {
43070
43241
  if (utils$1.isUndefined(value)) return;
43071
43242
 
43072
- if (depth > maxDepth) {
43073
- throw new AxiosError(
43074
- 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
43075
- AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
43076
- );
43077
- }
43243
+ throwIfMaxDepthExceeded(depth);
43078
43244
 
43079
43245
  if (stack.indexOf(value) !== -1) {
43080
- throw Error('Circular reference detected in ' + path.join('.'));
43246
+ throw new Error('Circular reference detected in ' + path.join('.'));
43081
43247
  }
43082
43248
 
43083
43249
  stack.push(value);
@@ -43190,15 +43356,17 @@ function buildURL(url, params, options) {
43190
43356
  return url;
43191
43357
  }
43192
43358
 
43193
- const _encode = (options && options.encode) || encode;
43194
-
43195
43359
  const _options = utils$1.isFunction(options)
43196
43360
  ? {
43197
43361
  serialize: options,
43198
43362
  }
43199
43363
  : options;
43200
43364
 
43201
- const serializeFn = _options && _options.serialize;
43365
+ // Read serializer options pollution-safely: own properties and methods on a
43366
+ // class/template prototype are honored, but values injected onto a polluted
43367
+ // Object.prototype are ignored.
43368
+ const _encode = utils$1.getSafeProp(_options, 'encode') || encode;
43369
+ const serializeFn = utils$1.getSafeProp(_options, 'serialize');
43202
43370
 
43203
43371
  let serializedParams;
43204
43372
 
@@ -43294,6 +43462,8 @@ var transitionalDefaults = {
43294
43462
  forcedJSONParsing: true,
43295
43463
  clarifyTimeoutError: false,
43296
43464
  legacyInterceptorReqResOrdering: true,
43465
+ advertiseZstdAcceptEncoding: false,
43466
+ validateStatusUndefinedResolves: true,
43297
43467
  };
43298
43468
 
43299
43469
  var URLSearchParams$1 = typeof URLSearchParams !== 'undefined' ? URLSearchParams : AxiosURLSearchParams;
@@ -43385,6 +43555,17 @@ function toURLEncodedForm(data, options) {
43385
43555
  });
43386
43556
  }
43387
43557
 
43558
+ const MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
43559
+
43560
+ function throwIfDepthExceeded(index) {
43561
+ if (index > MAX_DEPTH) {
43562
+ throw new AxiosError(
43563
+ 'FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH,
43564
+ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
43565
+ );
43566
+ }
43567
+ }
43568
+
43388
43569
  /**
43389
43570
  * It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
43390
43571
  *
@@ -43397,9 +43578,16 @@ function parsePropPath(name) {
43397
43578
  // foo.x.y.z
43398
43579
  // foo-x-y-z
43399
43580
  // foo x y z
43400
- return utils$1.matchAll(/\w+|\[(\w*)]/g, name).map((match) => {
43401
- return match[0] === '[]' ? '' : match[1] || match[0];
43402
- });
43581
+ const path = [];
43582
+ const pattern = /\w+|\[(\w*)]/g;
43583
+ let match;
43584
+
43585
+ while ((match = pattern.exec(name)) !== null) {
43586
+ throwIfDepthExceeded(path.length);
43587
+ path.push(match[0] === '[]' ? '' : match[1] || match[0]);
43588
+ }
43589
+
43590
+ return path;
43403
43591
  }
43404
43592
 
43405
43593
  /**
@@ -43431,6 +43619,8 @@ function arrayToObject(arr) {
43431
43619
  */
43432
43620
  function formDataToJSON(formData) {
43433
43621
  function buildPath(path, value, target, index) {
43622
+ throwIfDepthExceeded(index);
43623
+
43434
43624
  let name = path[index++];
43435
43625
 
43436
43626
  if (name === '__proto__') return true;
@@ -43451,7 +43641,7 @@ function formDataToJSON(formData) {
43451
43641
  return !isNumericKey;
43452
43642
  }
43453
43643
 
43454
- if (!target[name] || !utils$1.isObject(target[name])) {
43644
+ if (!utils$1.hasOwnProp(target, name) || !utils$1.isObject(target[name])) {
43455
43645
  target[name] = [];
43456
43646
  }
43457
43647
 
@@ -43816,6 +44006,9 @@ const progressEventReducer = (listener, isDownloadStream, freq = 3) => {
43816
44006
  const _speedometer = speedometer(50, 250);
43817
44007
 
43818
44008
  return throttle((e) => {
44009
+ if (!e || typeof e.loaded !== 'number') {
44010
+ return;
44011
+ }
43819
44012
  const rawLoaded = e.loaded;
43820
44013
  const total = e.lengthComputable ? e.total : undefined;
43821
44014
  const loaded = total != null ? Math.min(rawLoaded, total) : rawLoaded;
@@ -43964,6 +44157,31 @@ function combineURLs(baseURL, relativeURL) {
43964
44157
  : baseURL;
43965
44158
  }
43966
44159
 
44160
+ const malformedHttpProtocol = /^https?:(?!\/\/)/i;
44161
+ const httpProtocolControlCharacters = /[\t\n\r]/g;
44162
+
44163
+ function stripLeadingC0ControlOrSpace(url) {
44164
+ let i = 0;
44165
+ while (i < url.length && url.charCodeAt(i) <= 0x20) {
44166
+ i++;
44167
+ }
44168
+ return url.slice(i);
44169
+ }
44170
+
44171
+ function normalizeURLForProtocolCheck(url) {
44172
+ return stripLeadingC0ControlOrSpace(url).replace(httpProtocolControlCharacters, '');
44173
+ }
44174
+
44175
+ function assertValidHttpProtocolURL(url, config) {
44176
+ if (typeof url === 'string' && malformedHttpProtocol.test(normalizeURLForProtocolCheck(url))) {
44177
+ throw new AxiosError(
44178
+ 'Invalid URL: missing "//" after protocol',
44179
+ AxiosError.ERR_INVALID_URL,
44180
+ config
44181
+ );
44182
+ }
44183
+ }
44184
+
43967
44185
  /**
43968
44186
  * Creates a new URL by combining the baseURL with the requestedURL,
43969
44187
  * only when the requestedURL is not already an absolute URL.
@@ -43974,9 +44192,11 @@ function combineURLs(baseURL, relativeURL) {
43974
44192
  *
43975
44193
  * @returns {string} The combined full path
43976
44194
  */
43977
- function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
44195
+ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls, config) {
44196
+ assertValidHttpProtocolURL(requestedURL, config);
43978
44197
  let isRelativeUrl = !isAbsoluteURL(requestedURL);
43979
44198
  if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) {
44199
+ assertValidHttpProtocolURL(baseURL, config);
43980
44200
  return combineURLs(baseURL, requestedURL);
43981
44201
  }
43982
44202
  return requestedURL;
@@ -44047,6 +44267,28 @@ function mergeConfig(config1, config2) {
44047
44267
  }
44048
44268
  }
44049
44269
 
44270
+ function getMergedTransitionalOption(prop) {
44271
+ const transitional2 = utils$1.hasOwnProp(config2, 'transitional') ? config2.transitional : undefined;
44272
+
44273
+ if (!utils$1.isUndefined(transitional2)) {
44274
+ if (utils$1.isPlainObject(transitional2)) {
44275
+ if (utils$1.hasOwnProp(transitional2, prop)) {
44276
+ return transitional2[prop];
44277
+ }
44278
+ } else {
44279
+ return undefined;
44280
+ }
44281
+ }
44282
+
44283
+ const transitional1 = utils$1.hasOwnProp(config1, 'transitional') ? config1.transitional : undefined;
44284
+
44285
+ if (utils$1.isPlainObject(transitional1) && utils$1.hasOwnProp(transitional1, prop)) {
44286
+ return transitional1[prop];
44287
+ }
44288
+
44289
+ return undefined;
44290
+ }
44291
+
44050
44292
  // eslint-disable-next-line consistent-return
44051
44293
  function mergeDirectKeys(a, b, prop) {
44052
44294
  if (utils$1.hasOwnProp(config2, prop)) {
@@ -44099,6 +44341,18 @@ function mergeConfig(config1, config2) {
44099
44341
  (utils$1.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
44100
44342
  });
44101
44343
 
44344
+ if (
44345
+ utils$1.hasOwnProp(config2, 'validateStatus') &&
44346
+ utils$1.isUndefined(config2.validateStatus) &&
44347
+ getMergedTransitionalOption('validateStatusUndefinedResolves') === false
44348
+ ) {
44349
+ if (utils$1.hasOwnProp(config1, 'validateStatus')) {
44350
+ config.validateStatus = getMergedValue(undefined, config1.validateStatus);
44351
+ } else {
44352
+ delete config.validateStatus;
44353
+ }
44354
+ }
44355
+
44102
44356
  return config;
44103
44357
  }
44104
44358
 
@@ -44125,12 +44379,12 @@ function setFormDataHeaders(headers, formHeaders, policy) {
44125
44379
  *
44126
44380
  * @returns {string} UTF-8 bytes as a Latin-1 string
44127
44381
  */
44128
- const encodeUTF8 = (str) =>
44382
+ const encodeUTF8$1 = (str) =>
44129
44383
  encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) =>
44130
44384
  String.fromCharCode(parseInt(hex, 16))
44131
44385
  );
44132
44386
 
44133
- var resolveConfig = (config) => {
44387
+ function resolveConfig(config) {
44134
44388
  const newConfig = mergeConfig({}, config);
44135
44389
 
44136
44390
  // Read only own properties to prevent prototype pollution gadgets
@@ -44150,23 +44404,29 @@ var resolveConfig = (config) => {
44150
44404
  newConfig.headers = headers = AxiosHeaders.from(headers);
44151
44405
 
44152
44406
  newConfig.url = buildURL(
44153
- buildFullPath(baseURL, url, allowAbsoluteUrls),
44154
- config.params,
44155
- config.paramsSerializer
44407
+ buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig),
44408
+ own('params'),
44409
+ own('paramsSerializer')
44156
44410
  );
44157
44411
 
44158
44412
  // HTTP basic authentication
44159
44413
  if (auth) {
44414
+ const username = utils$1.getSafeProp(auth, 'username') || '';
44415
+ const password = utils$1.getSafeProp(auth, 'password') || '';
44416
+
44160
44417
  headers.set(
44161
44418
  'Authorization',
44162
- 'Basic ' +
44163
- btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : ''))
44419
+ 'Basic ' + btoa(username + ':' + (password ? encodeUTF8$1(password) : ''))
44164
44420
  );
44165
44421
  }
44166
44422
 
44167
44423
  if (utils$1.isFormData(data)) {
44168
- if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) {
44169
- headers.setContentType(undefined); // browser handles it
44424
+ if (
44425
+ platform.hasStandardBrowserEnv ||
44426
+ platform.hasStandardBrowserWebWorkerEnv ||
44427
+ utils$1.isReactNative(data)
44428
+ ) {
44429
+ headers.setContentType(undefined); // browser/web worker/RN handles it
44170
44430
  } else if (utils$1.isFunction(data.getHeaders)) {
44171
44431
  // Node.js FormData (like form-data package)
44172
44432
  setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy'));
@@ -44198,7 +44458,7 @@ var resolveConfig = (config) => {
44198
44458
  }
44199
44459
 
44200
44460
  return newConfig;
44201
- };
44461
+ }
44202
44462
 
44203
44463
  const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined';
44204
44464
 
@@ -44347,7 +44607,7 @@ var xhrAdapter = isXHRAdapterSupported &&
44347
44607
 
44348
44608
  // Add headers to the request
44349
44609
  if ('setRequestHeader' in request) {
44350
- utils$1.forEach(requestHeaders.toJSON(), function setRequestHeader(val, key) {
44610
+ utils$1.forEach(toByteStringHeaderObject(requestHeaders), function setRequestHeader(val, key) {
44351
44611
  request.setRequestHeader(key, val);
44352
44612
  });
44353
44613
  }
@@ -44417,54 +44677,55 @@ var xhrAdapter = isXHRAdapterSupported &&
44417
44677
  };
44418
44678
 
44419
44679
  const composeSignals = (signals, timeout) => {
44420
- const { length } = (signals = signals ? signals.filter(Boolean) : []);
44421
-
44422
- if (timeout || length) {
44423
- let controller = new AbortController();
44424
-
44425
- let aborted;
44426
-
44427
- const onabort = function (reason) {
44428
- if (!aborted) {
44429
- aborted = true;
44430
- unsubscribe();
44431
- const err = reason instanceof Error ? reason : this.reason;
44432
- controller.abort(
44433
- err instanceof AxiosError
44434
- ? err
44435
- : new CanceledError(err instanceof Error ? err.message : err)
44436
- );
44437
- }
44438
- };
44680
+ signals = signals ? signals.filter(Boolean) : [];
44439
44681
 
44440
- let timer =
44441
- timeout &&
44442
- setTimeout(() => {
44443
- timer = null;
44444
- onabort(new AxiosError(`timeout of ${timeout}ms exceeded`, AxiosError.ETIMEDOUT));
44445
- }, timeout);
44446
-
44447
- const unsubscribe = () => {
44448
- if (signals) {
44449
- timer && clearTimeout(timer);
44450
- timer = null;
44451
- signals.forEach((signal) => {
44452
- signal.unsubscribe
44453
- ? signal.unsubscribe(onabort)
44454
- : signal.removeEventListener('abort', onabort);
44455
- });
44456
- signals = null;
44457
- }
44458
- };
44682
+ if (!timeout && !signals.length) {
44683
+ return;
44684
+ }
44685
+
44686
+ const controller = new AbortController();
44687
+
44688
+ let aborted = false;
44459
44689
 
44460
- signals.forEach((signal) => signal.addEventListener('abort', onabort));
44690
+ const onabort = function (reason) {
44691
+ if (!aborted) {
44692
+ aborted = true;
44693
+ unsubscribe();
44694
+ const err = reason instanceof Error ? reason : this.reason;
44695
+ controller.abort(
44696
+ err instanceof AxiosError
44697
+ ? err
44698
+ : new CanceledError(err instanceof Error ? err.message : err)
44699
+ );
44700
+ }
44701
+ };
44702
+
44703
+ let timer =
44704
+ timeout &&
44705
+ setTimeout(() => {
44706
+ timer = null;
44707
+ onabort(new AxiosError(`timeout of ${timeout}ms exceeded`, AxiosError.ETIMEDOUT));
44708
+ }, timeout);
44709
+
44710
+ const unsubscribe = () => {
44711
+ if (!signals) { return; }
44712
+ timer && clearTimeout(timer);
44713
+ timer = null;
44714
+ signals.forEach((signal) => {
44715
+ signal.unsubscribe
44716
+ ? signal.unsubscribe(onabort)
44717
+ : signal.removeEventListener('abort', onabort);
44718
+ });
44719
+ signals = null;
44720
+ };
44461
44721
 
44462
- const { signal } = controller;
44722
+ signals.forEach((signal) => signal.addEventListener('abort', onabort));
44463
44723
 
44464
- signal.unsubscribe = () => utils$1.asap(unsubscribe);
44724
+ const { signal } = controller;
44465
44725
 
44466
- return signal;
44467
- }
44726
+ signal.unsubscribe = () => utils$1.asap(unsubscribe);
44727
+
44728
+ return signal;
44468
44729
  };
44469
44730
 
44470
44731
  const streamChunk = function* (chunk, chunkSize) {
@@ -44561,11 +44822,19 @@ const trackStream = (stream, chunkSize, onProgress, onFinish) => {
44561
44822
  * Estimate decoded byte length of a data:// URL *without* allocating large buffers.
44562
44823
  * - For base64: compute exact decoded size using length and padding;
44563
44824
  * handle %XX at the character-count level (no string allocation).
44564
- * - For non-base64: use UTF-8 byteLength of the encoded body as a safe upper bound.
44825
+ * - For non-base64: compute the exact percent-decoded UTF-8 byte length.
44565
44826
  *
44566
44827
  * @param {string} url
44567
44828
  * @returns {number}
44568
44829
  */
44830
+ const isHexDigit = (charCode) =>
44831
+ (charCode >= 48 && charCode <= 57) ||
44832
+ (charCode >= 65 && charCode <= 70) ||
44833
+ (charCode >= 97 && charCode <= 102);
44834
+
44835
+ const isPercentEncodedByte = (str, i, len) =>
44836
+ i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
44837
+
44569
44838
  function estimateDataURLDecodedBytes(url) {
44570
44839
  if (!url || typeof url !== 'string') return 0;
44571
44840
  if (!url.startsWith('data:')) return 0;
@@ -44585,9 +44854,7 @@ function estimateDataURLDecodedBytes(url) {
44585
44854
  if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
44586
44855
  const a = body.charCodeAt(i + 1);
44587
44856
  const b = body.charCodeAt(i + 2);
44588
- const isHex =
44589
- ((a >= 48 && a <= 57) || (a >= 65 && a <= 70) || (a >= 97 && a <= 102)) &&
44590
- ((b >= 48 && b <= 57) || (b >= 65 && b <= 70) || (b >= 97 && b <= 102));
44857
+ const isHex = isHexDigit(a) && isHexDigit(b);
44591
44858
 
44592
44859
  if (isHex) {
44593
44860
  effectiveLen -= 2;
@@ -44628,18 +44895,17 @@ function estimateDataURLDecodedBytes(url) {
44628
44895
  return bytes > 0 ? bytes : 0;
44629
44896
  }
44630
44897
 
44631
- if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
44632
- return Buffer.byteLength(body, 'utf8');
44633
- }
44634
-
44635
44898
  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
44636
44899
  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
44637
- // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
44638
- // but 3 UTF-8 bytes).
44900
+ // Valid %XX triplets count as one decoded byte; this matches the bytes that
44901
+ // decodeURIComponent(body) would produce before Buffer re-encodes the string.
44639
44902
  let bytes = 0;
44640
44903
  for (let i = 0, len = body.length; i < len; i++) {
44641
44904
  const c = body.charCodeAt(i);
44642
- if (c < 0x80) {
44905
+ if (c === 37 /* '%' */ && isPercentEncodedByte(body, i, len)) {
44906
+ bytes += 1;
44907
+ i += 2;
44908
+ } else if (c < 0x80) {
44643
44909
  bytes += 1;
44644
44910
  } else if (c < 0x800) {
44645
44911
  bytes += 2;
@@ -44658,12 +44924,41 @@ function estimateDataURLDecodedBytes(url) {
44658
44924
  return bytes;
44659
44925
  }
44660
44926
 
44661
- const VERSION = "1.16.0";
44927
+ const VERSION = "1.18.0";
44662
44928
 
44663
44929
  const DEFAULT_CHUNK_SIZE = 64 * 1024;
44664
44930
 
44665
44931
  const { isFunction } = utils$1;
44666
44932
 
44933
+ /**
44934
+ * Encode a UTF-8 string to a Latin-1 byte string for use with btoa().
44935
+ * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern.
44936
+ *
44937
+ * @param {string} str The string to encode
44938
+ *
44939
+ * @returns {string} UTF-8 bytes as a Latin-1 string
44940
+ */
44941
+ const encodeUTF8 = (str) =>
44942
+ encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) =>
44943
+ String.fromCharCode(parseInt(hex, 16))
44944
+ );
44945
+
44946
+ // Node's WHATWG URL parser returns `username` and `password` percent-encoded.
44947
+ // Decode before composing the `auth` option so credentials such as
44948
+ // `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the
44949
+ // original value for malformed input so a bad encoding never throws.
44950
+ const decodeURIComponentSafe = (value) => {
44951
+ if (!utils$1.isString(value)) {
44952
+ return value;
44953
+ }
44954
+
44955
+ try {
44956
+ return decodeURIComponent(value);
44957
+ } catch (error) {
44958
+ return value;
44959
+ }
44960
+ };
44961
+
44667
44962
  const test = (fn, ...args) => {
44668
44963
  try {
44669
44964
  return !!fn(...args);
@@ -44672,8 +44967,20 @@ const test = (fn, ...args) => {
44672
44967
  }
44673
44968
  };
44674
44969
 
44970
+ const maybeWithAuthCredentials = (url) => {
44971
+ const protocolIndex = url.indexOf('://');
44972
+ let urlToCheck = url;
44973
+ if (protocolIndex !== -1) {
44974
+ urlToCheck = urlToCheck.slice(protocolIndex + 3);
44975
+ }
44976
+ return urlToCheck.includes('@') || urlToCheck.includes(':');
44977
+ };
44978
+
44675
44979
  const factory = (env) => {
44676
- const globalObject = utils$1.global ?? globalThis;
44980
+ const globalObject =
44981
+ utils$1.global !== undefined && utils$1.global !== null
44982
+ ? utils$1.global
44983
+ : globalThis;
44677
44984
  const { ReadableStream, TextEncoder } = globalObject;
44678
44985
 
44679
44986
  env = utils$1.merge.call(
@@ -44816,6 +45123,7 @@ const factory = (env) => {
44816
45123
 
44817
45124
  const hasMaxContentLength = utils$1.isNumber(maxContentLength) && maxContentLength > -1;
44818
45125
  const hasMaxBodyLength = utils$1.isNumber(maxBodyLength) && maxBodyLength > -1;
45126
+ const own = (key) => (utils$1.hasOwnProp(config, key) ? config[key] : undefined);
44819
45127
 
44820
45128
  let _fetch = envFetch || fetch;
44821
45129
 
@@ -44837,7 +45145,61 @@ const factory = (env) => {
44837
45145
 
44838
45146
  let requestContentLength;
44839
45147
 
45148
+ // AxiosError we raise while the request body is being streamed. Captured
45149
+ // by identity so the catch block can surface it directly, regardless of
45150
+ // how the runtime wraps the resulting fetch rejection (undici exposes it
45151
+ // as `err.cause`; some browsers drop the original error entirely).
45152
+ let pendingBodyError = null;
45153
+
45154
+ const maxBodyLengthError = () =>
45155
+ new AxiosError(
45156
+ 'Request body larger than maxBodyLength limit',
45157
+ AxiosError.ERR_BAD_REQUEST,
45158
+ config,
45159
+ request
45160
+ );
45161
+
44840
45162
  try {
45163
+ // HTTP basic authentication
45164
+ let auth = undefined;
45165
+ const configAuth = own('auth');
45166
+
45167
+ if (configAuth) {
45168
+ const username = utils$1.getSafeProp(configAuth, 'username') || '';
45169
+ const password = utils$1.getSafeProp(configAuth, 'password') || '';
45170
+ auth = {
45171
+ username,
45172
+ password
45173
+ };
45174
+ }
45175
+
45176
+ if (maybeWithAuthCredentials(url)) {
45177
+ const parsedURL = new URL(url, platform.origin);
45178
+
45179
+ if (!auth && (parsedURL.username || parsedURL.password)) {
45180
+ const urlUsername = decodeURIComponentSafe(parsedURL.username);
45181
+ const urlPassword = decodeURIComponentSafe(parsedURL.password);
45182
+ auth = {
45183
+ username: urlUsername,
45184
+ password: urlPassword
45185
+ };
45186
+ }
45187
+
45188
+ if (parsedURL.username || parsedURL.password) {
45189
+ parsedURL.username = '';
45190
+ parsedURL.password = '';
45191
+ url = parsedURL.href;
45192
+ }
45193
+ }
45194
+
45195
+ if (auth) {
45196
+ headers.delete('authorization');
45197
+ headers.set(
45198
+ 'Authorization',
45199
+ 'Basic ' + btoa(encodeUTF8((auth.username || '') + ':' + (auth.password || '')))
45200
+ );
45201
+ }
45202
+
44841
45203
  // Enforce maxContentLength for data: URLs up-front so we never materialize
44842
45204
  // an oversized payload. The HTTP adapter applies the same check (see http.js
44843
45205
  // "if (protocol === 'data:')" branch).
@@ -44853,53 +45215,96 @@ const factory = (env) => {
44853
45215
  }
44854
45216
  }
44855
45217
 
44856
- // Enforce maxBodyLength against the outbound request body before dispatch.
44857
- // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than
44858
- // maxBodyLength limit'). Skip when the body length cannot be determined
44859
- // (e.g. a live ReadableStream supplied by the caller).
45218
+ // Enforce maxBodyLength against known-size bodies before dispatch using
45219
+ // the body's *actual* size never a caller-declared Content-Length,
45220
+ // which could under-report to slip an oversized body past the check.
45221
+ // Unknown-size streams return undefined here and are counted per-chunk
45222
+ // below as fetch consumes them.
44860
45223
  if (hasMaxBodyLength && method !== 'get' && method !== 'head') {
44861
- const outboundLength = await resolveBodyLength(headers, data);
44862
- if (
44863
- typeof outboundLength === 'number' &&
44864
- isFinite(outboundLength) &&
44865
- outboundLength > maxBodyLength
44866
- ) {
44867
- throw new AxiosError(
44868
- 'Request body larger than maxBodyLength limit',
44869
- AxiosError.ERR_BAD_REQUEST,
44870
- config,
44871
- request
44872
- );
45224
+ const outboundLength = await getBodyLength(data);
45225
+ if (typeof outboundLength === 'number' && isFinite(outboundLength)) {
45226
+ requestContentLength = outboundLength;
45227
+ if (outboundLength > maxBodyLength) {
45228
+ throw maxBodyLengthError();
45229
+ }
44873
45230
  }
44874
45231
  }
44875
45232
 
45233
+ // A streamed body under maxBodyLength must be counted as fetch consumes
45234
+ // it; its size is never trusted from a caller-declared Content-Length.
45235
+ const mustEnforceStreamBody =
45236
+ hasMaxBodyLength && (utils$1.isReadableStream(data) || utils$1.isStream(data));
45237
+
45238
+ const trackRequestStream = (stream, onProgress, flush) =>
45239
+ trackStream(
45240
+ stream,
45241
+ DEFAULT_CHUNK_SIZE,
45242
+ (loadedBytes) => {
45243
+ if (hasMaxBodyLength && loadedBytes > maxBodyLength) {
45244
+ throw (pendingBodyError = maxBodyLengthError());
45245
+ }
45246
+ onProgress && onProgress(loadedBytes);
45247
+ },
45248
+ flush
45249
+ );
45250
+
44876
45251
  if (
44877
- onUploadProgress &&
44878
45252
  supportsRequestStream &&
44879
45253
  method !== 'get' &&
44880
45254
  method !== 'head' &&
44881
- (requestContentLength = await resolveBodyLength(headers, data)) !== 0
45255
+ (onUploadProgress || mustEnforceStreamBody)
44882
45256
  ) {
44883
- let _request = new Request(url, {
44884
- method: 'POST',
44885
- body: data,
44886
- duplex: 'half',
44887
- });
45257
+ requestContentLength =
45258
+ requestContentLength == null ? await resolveBodyLength(headers, data) : requestContentLength;
45259
+
45260
+ // A declared length of 0 is only trusted to skip the wrap when we are
45261
+ // not enforcing a stream limit (which must not rely on that header).
45262
+ if (requestContentLength !== 0 || mustEnforceStreamBody) {
45263
+ let _request = new Request(url, {
45264
+ method: 'POST',
45265
+ body: data,
45266
+ duplex: 'half',
45267
+ });
44888
45268
 
44889
- let contentTypeHeader;
45269
+ let contentTypeHeader;
44890
45270
 
44891
- if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
44892
- headers.setContentType(contentTypeHeader);
44893
- }
45271
+ if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
45272
+ headers.setContentType(contentTypeHeader);
45273
+ }
44894
45274
 
44895
- if (_request.body) {
44896
- const [onProgress, flush] = progressEventDecorator(
44897
- requestContentLength,
44898
- progressEventReducer(asyncDecorator(onUploadProgress))
44899
- );
45275
+ if (_request.body) {
45276
+ const [onProgress, flush] =
45277
+ (onUploadProgress &&
45278
+ progressEventDecorator(
45279
+ requestContentLength,
45280
+ progressEventReducer(asyncDecorator(onUploadProgress))
45281
+ )) ||
45282
+ [];
44900
45283
 
44901
- data = trackStream(_request.body, DEFAULT_CHUNK_SIZE, onProgress, flush);
45284
+ data = trackRequestStream(_request.body, onProgress, flush);
45285
+ }
44902
45286
  }
45287
+ } else if (
45288
+ mustEnforceStreamBody &&
45289
+ !isRequestSupported &&
45290
+ isReadableStreamSupported &&
45291
+ method !== 'get' &&
45292
+ method !== 'head'
45293
+ ) {
45294
+ data = trackRequestStream(data);
45295
+ } else if (
45296
+ mustEnforceStreamBody &&
45297
+ isRequestSupported &&
45298
+ !supportsRequestStream &&
45299
+ method !== 'get' &&
45300
+ method !== 'head'
45301
+ ) {
45302
+ throw new AxiosError(
45303
+ 'Stream request bodies are not supported by the current fetch implementation',
45304
+ AxiosError.ERR_NOT_SUPPORT,
45305
+ config,
45306
+ request
45307
+ );
44903
45308
  }
44904
45309
 
44905
45310
  if (!utils$1.isString(withCredentials)) {
@@ -44930,7 +45335,7 @@ const factory = (env) => {
44930
45335
  ...fetchOptions,
44931
45336
  signal: composedSignal,
44932
45337
  method: method.toUpperCase(),
44933
- headers: headers.normalize().toJSON(),
45338
+ headers: toByteStringHeaderObject(headers.normalize()),
44934
45339
  body: data,
44935
45340
  duplex: 'half',
44936
45341
  credentials: isCredentialsSupported ? withCredentials : undefined,
@@ -44942,10 +45347,12 @@ const factory = (env) => {
44942
45347
  ? _fetch(request, fetchOptions)
44943
45348
  : _fetch(url, resolvedOptions));
44944
45349
 
45350
+ const responseHeaders = AxiosHeaders.from(response.headers);
45351
+
44945
45352
  // Cheap pre-check: if the server honestly declares a content-length that
44946
45353
  // already exceeds the cap, reject before we start streaming.
44947
45354
  if (hasMaxContentLength) {
44948
- const declaredLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
45355
+ const declaredLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
44949
45356
  if (declaredLength != null && declaredLength > maxContentLength) {
44950
45357
  throw new AxiosError(
44951
45358
  'maxContentLength size of ' + maxContentLength + ' exceeded',
@@ -44970,7 +45377,7 @@ const factory = (env) => {
44970
45377
  options[prop] = response[prop];
44971
45378
  });
44972
45379
 
44973
- const responseContentLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
45380
+ const responseContentLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
44974
45381
 
44975
45382
  const [onProgress, flush] =
44976
45383
  (onDownloadProgress &&
@@ -45065,6 +45472,23 @@ const factory = (env) => {
45065
45472
  throw canceledError;
45066
45473
  }
45067
45474
 
45475
+ // Surface a maxBodyLength violation we raised while the request body was
45476
+ // being streamed. Matching by identity (rather than reading
45477
+ // `err.cause.isAxiosError`) keeps the error deterministic across runtimes
45478
+ // and avoids both prototype-pollution reads and mis-attributing a foreign
45479
+ // AxiosError that merely happened to land in `err.cause`.
45480
+ if (pendingBodyError) {
45481
+ request && !pendingBodyError.request && (pendingBodyError.request = request);
45482
+ throw pendingBodyError;
45483
+ }
45484
+
45485
+ // Re-throw AxiosErrors we raised synchronously (data: URL / content-length
45486
+ // pre-checks, response size enforcement) without re-wrapping them.
45487
+ if (err instanceof AxiosError) {
45488
+ request && !err.request && (err.request = request);
45489
+ throw err;
45490
+ }
45491
+
45068
45492
  if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) {
45069
45493
  throw Object.assign(
45070
45494
  new AxiosError(
@@ -45519,6 +45943,8 @@ class Axios {
45519
45943
  forcedJSONParsing: validators.transitional(validators.boolean),
45520
45944
  clarifyTimeoutError: validators.transitional(validators.boolean),
45521
45945
  legacyInterceptorReqResOrdering: validators.transitional(validators.boolean),
45946
+ advertiseZstdAcceptEncoding: validators.transitional(validators.boolean),
45947
+ validateStatusUndefinedResolves: validators.transitional(validators.boolean),
45522
45948
  },
45523
45949
  false
45524
45950
  );
@@ -45648,7 +46074,7 @@ class Axios {
45648
46074
 
45649
46075
  getUri(config) {
45650
46076
  config = mergeConfig(this.defaults, config);
45651
- const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
46077
+ const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls, config);
45652
46078
  return buildURL(fullPath, config.params, config.paramsSerializer);
45653
46079
  }
45654
46080
  }
@@ -45661,7 +46087,7 @@ utils$1.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNoDa
45661
46087
  mergeConfig(config || {}, {
45662
46088
  method,
45663
46089
  url,
45664
- data: (config || {}).data,
46090
+ data: config && utils$1.hasOwnProp(config, 'data') ? config.data : undefined,
45665
46091
  })
45666
46092
  );
45667
46093
  };