@blockchyp/blockchyp-ts 2.30.5 → 2.30.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -35181,7 +35181,7 @@ exports.Address = Address;
35181
35181
  */
35182
35182
  class MerchantProfile {
35183
35183
  // Constructor with default values for optional fields
35184
- constructor(timeout = null, test = null, merchantId = null, bankMid = null, companyName = null, dbaName = null, invoiceName = null, contactName = null, contactNumber = null, locationName = null, storeNumber = null, partnerRef = null, timeZone = null, batchCloseTime = null, terminalUpdateTime = null, autoBatchClose = null, disableBatchEmails = null, pinEnabled = null, cashBackEnabled = null, storeAndForwardEnabled = null, partialAuthEnabled = null, splitBankAccountsEnabled = null, storeAndForwardFloorLimit = null, publicKey = null, status = null, cashDiscountEnabled = null, surveyTimeout = null, cooldownTimeout = null, tipEnabled = null, promptForTip = null, tipDefaults = null, cashbackPresets = null, ebtEnabled = null, freeRangeRefundsEnabled = null, pinBypassEnabled = null, giftCardsDisabled = null, tcDisabled = null, digitalSignaturesEnabled = null, digitalSignatureReversal = null, billingAddress = null, shippingAddress = null, visa = null, masterCard = null, amex = null, discover = null, jcb = null, unionPay = null, contactlessEmv = null, manualEntryEnabled = null, manualEntryPromptZip = null, manualEntryPromptStreetNumber = null, gatewayOnly = null, bankAccounts = null, passthroughSurchargeEnabled = null, cvvVerificationEnabled = null, cvvVerificationNEnabled = null, cvvVerificationPEnabled = null, cvvVerificationSEnabled = null, cvvVerificationUEnabled = null, followPartnerCvvSettings = null, avsRule = null, followPartnerAvsSettings = null, accountUpdaterEnrolled = null, bypassEnrollAuthEnabled = null) {
35184
+ constructor(timeout = null, test = null, merchantId = null, bankMid = null, companyName = null, dbaName = null, invoiceName = null, contactName = null, contactNumber = null, locationName = null, storeNumber = null, partnerRef = null, timeZone = null, batchCloseTime = null, terminalUpdateTime = null, autoBatchClose = null, disableBatchEmails = null, pinEnabled = null, cashBackEnabled = null, storeAndForwardEnabled = null, partialAuthEnabled = null, splitBankAccountsEnabled = null, storeAndForwardFloorLimit = null, publicKey = null, status = null, cashDiscountEnabled = null, surveyTimeout = null, cooldownTimeout = null, tipEnabled = null, promptForTip = null, tipDefaults = null, cashbackPresets = null, ebtEnabled = null, freeRangeRefundsEnabled = null, pinBypassEnabled = null, giftCardsDisabled = null, tcDisabled = null, digitalSignaturesEnabled = null, digitalSignatureReversal = null, billingAddress = null, shippingAddress = null, visa = null, masterCard = null, amex = null, discover = null, jcb = null, unionPay = null, contactlessEmv = null, manualEntryEnabled = null, manualEntryPromptZip = null, manualEntryPromptStreetNumber = null, gatewayOnly = null, bankAccounts = null, passthroughSurchargeEnabled = null, cvvVerificationEnabled = null, cvvVerificationNEnabled = null, cvvVerificationPEnabled = null, cvvVerificationSEnabled = null, cvvVerificationUEnabled = null, followPartnerCvvSettings = null, avsRule = null, followPartnerAvsSettings = null, accountUpdaterEnrolled = null, bypassEnrollAuthEnabled = null, followPartnerServiceFeeEnabled = null, serviceFeeEnabled = null, followPartnerCvvCacheEnabled = null, cvvCacheEnabled = null) {
35185
35185
  /**
35186
35186
  * The request timeout in seconds.
35187
35187
  */
@@ -35447,6 +35447,22 @@ class MerchantProfile {
35447
35447
  * Whether the merchant should bypass an auth with TSYS on Enrollment.
35448
35448
  */
35449
35449
  this.bypassEnrollAuthEnabled = null;
35450
+ /**
35451
+ * That the merchant follows the partner's service fee settings.
35452
+ */
35453
+ this.followPartnerServiceFeeEnabled = null;
35454
+ /**
35455
+ * That the merchant is configured to apply a service fee.
35456
+ */
35457
+ this.serviceFeeEnabled = null;
35458
+ /**
35459
+ * That the merchant follows the partner's CVV cache settings.
35460
+ */
35461
+ this.followPartnerCvvCacheEnabled = null;
35462
+ /**
35463
+ * That the merchant is configured to apply a CVV cache.
35464
+ */
35465
+ this.cvvCacheEnabled = null;
35450
35466
  this.timeout = timeout;
35451
35467
  this.test = test;
35452
35468
  this.merchantId = merchantId;
@@ -35511,6 +35527,10 @@ class MerchantProfile {
35511
35527
  this.followPartnerAvsSettings = followPartnerAvsSettings;
35512
35528
  this.accountUpdaterEnrolled = accountUpdaterEnrolled;
35513
35529
  this.bypassEnrollAuthEnabled = bypassEnrollAuthEnabled;
35530
+ this.followPartnerServiceFeeEnabled = followPartnerServiceFeeEnabled;
35531
+ this.serviceFeeEnabled = serviceFeeEnabled;
35532
+ this.followPartnerCvvCacheEnabled = followPartnerCvvCacheEnabled;
35533
+ this.cvvCacheEnabled = cvvCacheEnabled;
35514
35534
  }
35515
35535
  }
35516
35536
  exports.MerchantProfile = MerchantProfile;
@@ -35519,7 +35539,7 @@ exports.MerchantProfile = MerchantProfile;
35519
35539
  */
35520
35540
  class MerchantProfileResponse {
35521
35541
  // Constructor with default values for optional fields
35522
- constructor(success = null, error = null, responseDescription = null, test = null, merchantId = null, bankMid = null, companyName = null, dbaName = null, invoiceName = null, contactName = null, contactNumber = null, locationName = null, storeNumber = null, partnerRef = null, timeZone = null, batchCloseTime = null, terminalUpdateTime = null, autoBatchClose = null, disableBatchEmails = null, pinEnabled = null, cashBackEnabled = null, storeAndForwardEnabled = null, partialAuthEnabled = null, splitBankAccountsEnabled = null, storeAndForwardFloorLimit = null, publicKey = null, status = null, cashDiscountEnabled = null, surveyTimeout = null, cooldownTimeout = null, tipEnabled = null, promptForTip = null, tipDefaults = null, cashbackPresets = null, ebtEnabled = null, freeRangeRefundsEnabled = null, pinBypassEnabled = null, giftCardsDisabled = null, tcDisabled = null, digitalSignaturesEnabled = null, digitalSignatureReversal = null, billingAddress = null, shippingAddress = null, visa = null, masterCard = null, amex = null, discover = null, jcb = null, unionPay = null, contactlessEmv = null, manualEntryEnabled = null, manualEntryPromptZip = null, manualEntryPromptStreetNumber = null, gatewayOnly = null, bankAccounts = null, passthroughSurchargeEnabled = null, cvvVerificationEnabled = null, cvvVerificationNEnabled = null, cvvVerificationPEnabled = null, cvvVerificationSEnabled = null, cvvVerificationUEnabled = null, followPartnerCvvSettings = null, avsRule = null, followPartnerAvsSettings = null, accountUpdaterEnrolled = null, bypassEnrollAuthEnabled = null) {
35542
+ constructor(success = null, error = null, responseDescription = null, test = null, merchantId = null, bankMid = null, companyName = null, dbaName = null, invoiceName = null, contactName = null, contactNumber = null, locationName = null, storeNumber = null, partnerRef = null, timeZone = null, batchCloseTime = null, terminalUpdateTime = null, autoBatchClose = null, disableBatchEmails = null, pinEnabled = null, cashBackEnabled = null, storeAndForwardEnabled = null, partialAuthEnabled = null, splitBankAccountsEnabled = null, storeAndForwardFloorLimit = null, publicKey = null, status = null, cashDiscountEnabled = null, surveyTimeout = null, cooldownTimeout = null, tipEnabled = null, promptForTip = null, tipDefaults = null, cashbackPresets = null, ebtEnabled = null, freeRangeRefundsEnabled = null, pinBypassEnabled = null, giftCardsDisabled = null, tcDisabled = null, digitalSignaturesEnabled = null, digitalSignatureReversal = null, billingAddress = null, shippingAddress = null, visa = null, masterCard = null, amex = null, discover = null, jcb = null, unionPay = null, contactlessEmv = null, manualEntryEnabled = null, manualEntryPromptZip = null, manualEntryPromptStreetNumber = null, gatewayOnly = null, bankAccounts = null, passthroughSurchargeEnabled = null, cvvVerificationEnabled = null, cvvVerificationNEnabled = null, cvvVerificationPEnabled = null, cvvVerificationSEnabled = null, cvvVerificationUEnabled = null, followPartnerCvvSettings = null, avsRule = null, followPartnerAvsSettings = null, accountUpdaterEnrolled = null, bypassEnrollAuthEnabled = null, followPartnerServiceFeeEnabled = null, serviceFeeEnabled = null, followPartnerCvvCacheEnabled = null, cvvCacheEnabled = null) {
35523
35543
  /**
35524
35544
  * Whether or not the request succeeded.
35525
35545
  */
@@ -35793,6 +35813,22 @@ class MerchantProfileResponse {
35793
35813
  * Whether the merchant should bypass an auth with TSYS on Enrollment.
35794
35814
  */
35795
35815
  this.bypassEnrollAuthEnabled = null;
35816
+ /**
35817
+ * That the merchant follows the partner's service fee settings.
35818
+ */
35819
+ this.followPartnerServiceFeeEnabled = null;
35820
+ /**
35821
+ * That the merchant is configured to apply a service fee.
35822
+ */
35823
+ this.serviceFeeEnabled = null;
35824
+ /**
35825
+ * That the merchant follows the partner's CVV cache settings.
35826
+ */
35827
+ this.followPartnerCvvCacheEnabled = null;
35828
+ /**
35829
+ * That the merchant is configured to apply a CVV cache.
35830
+ */
35831
+ this.cvvCacheEnabled = null;
35796
35832
  this.success = success;
35797
35833
  this.error = error;
35798
35834
  this.responseDescription = responseDescription;
@@ -35859,6 +35895,10 @@ class MerchantProfileResponse {
35859
35895
  this.followPartnerAvsSettings = followPartnerAvsSettings;
35860
35896
  this.accountUpdaterEnrolled = accountUpdaterEnrolled;
35861
35897
  this.bypassEnrollAuthEnabled = bypassEnrollAuthEnabled;
35898
+ this.followPartnerServiceFeeEnabled = followPartnerServiceFeeEnabled;
35899
+ this.serviceFeeEnabled = serviceFeeEnabled;
35900
+ this.followPartnerCvvCacheEnabled = followPartnerCvvCacheEnabled;
35901
+ this.cvvCacheEnabled = cvvCacheEnabled;
35862
35902
  }
35863
35903
  }
35864
35904
  exports.MerchantProfileResponse = MerchantProfileResponse;
@@ -41309,7 +41349,7 @@ exports.CoreResponse = CoreResponse;
41309
41349
  /***/ ((module, __unused_webpack_exports, __webpack_require__) => {
41310
41350
 
41311
41351
  "use strict";
41312
- /*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */
41352
+ /*! Axios v1.18.1 Copyright (c) 2026 Matt Zabriskie and contributors */
41313
41353
 
41314
41354
 
41315
41355
  /**
@@ -41331,6 +41371,57 @@ const { toString } = Object.prototype;
41331
41371
  const { getPrototypeOf } = Object;
41332
41372
  const { iterator, toStringTag } = Symbol;
41333
41373
 
41374
+ /* Creating a function that will check if an object has a property. */
41375
+ const hasOwnProperty = (
41376
+ ({ hasOwnProperty }) =>
41377
+ (obj, prop) =>
41378
+ hasOwnProperty.call(obj, prop)
41379
+ )(Object.prototype);
41380
+
41381
+ /**
41382
+ * Walk the prototype chain (excluding the shared Object.prototype) looking for
41383
+ * an own `prop`. This distinguishes genuine own/inherited members — including
41384
+ * class accessors and template prototypes — from members injected via
41385
+ * Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
41386
+ * live on Object.prototype itself and are therefore never matched.
41387
+ *
41388
+ * @param {*} thing The value whose chain to inspect
41389
+ * @param {string|symbol} prop The property key to look for
41390
+ *
41391
+ * @returns {boolean} True when `prop` is owned below Object.prototype
41392
+ */
41393
+ const hasOwnInPrototypeChain = (thing, prop) => {
41394
+ let obj = thing;
41395
+ const seen = [];
41396
+
41397
+ while (obj != null && obj !== Object.prototype) {
41398
+ if (seen.indexOf(obj) !== -1) {
41399
+ return false;
41400
+ }
41401
+ seen.push(obj);
41402
+
41403
+ if (hasOwnProperty(obj, prop)) {
41404
+ return true;
41405
+ }
41406
+ obj = getPrototypeOf(obj);
41407
+ }
41408
+ return false;
41409
+ };
41410
+
41411
+ /**
41412
+ * Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
41413
+ * properties and members inherited from a non-Object.prototype source (a class
41414
+ * instance or template object) are honored; a value reachable only through a
41415
+ * polluted Object.prototype is ignored and `undefined` is returned.
41416
+ *
41417
+ * @param {*} obj The source object
41418
+ * @param {string|symbol} prop The property key to read
41419
+ *
41420
+ * @returns {*} The resolved value, or undefined when unsafe/absent
41421
+ */
41422
+ const getSafeProp = (obj, prop) =>
41423
+ obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
41424
+
41334
41425
  const kindOf = ((cache) => (thing) => {
41335
41426
  const str = toString.call(thing);
41336
41427
  return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase());
@@ -41456,7 +41547,7 @@ const isBoolean = (thing) => thing === true || thing === false;
41456
41547
  * @returns {boolean} True if value is a plain Object, otherwise false
41457
41548
  */
41458
41549
  const isPlainObject = (val) => {
41459
- if (kindOf(val) !== 'object') {
41550
+ if (!isObject(val)) {
41460
41551
  return false;
41461
41552
  }
41462
41553
 
@@ -41464,9 +41555,12 @@ const isPlainObject = (val) => {
41464
41555
  return (
41465
41556
  (prototype === null ||
41466
41557
  prototype === Object.prototype ||
41467
- Object.getPrototypeOf(prototype) === null) &&
41468
- !(toStringTag in val) &&
41469
- !(iterator in val)
41558
+ getPrototypeOf(prototype) === null) &&
41559
+ // Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
41560
+ // Symbol.iterator as evidence the value is a tagged/iterable type rather
41561
+ // than a plain object, while ignoring keys injected onto Object.prototype.
41562
+ !hasOwnInPrototypeChain(val, toStringTag) &&
41563
+ !hasOwnInPrototypeChain(val, iterator)
41470
41564
  );
41471
41565
  };
41472
41566
 
@@ -41735,7 +41829,9 @@ function merge(...objs) {
41735
41829
  return;
41736
41830
  }
41737
41831
 
41738
- const targetKey = (caseless && findKey(result, key)) || key;
41832
+ // findKey lowercases the key, so caseless lookup only applies to strings —
41833
+ // symbol keys are identity-matched.
41834
+ const targetKey = (caseless && typeof key === 'string' && findKey(result, key)) || key;
41739
41835
  // Read via own-prop only — a bare `result[targetKey]` walks the prototype
41740
41836
  // chain, so a polluted Object.prototype value could surface here and get
41741
41837
  // copied into the merged result.
@@ -41752,7 +41848,24 @@ function merge(...objs) {
41752
41848
  };
41753
41849
 
41754
41850
  for (let i = 0, l = objs.length; i < l; i++) {
41755
- objs[i] && forEach(objs[i], assignValue);
41851
+ const source = objs[i];
41852
+ if (!source || isBuffer(source)) {
41853
+ continue;
41854
+ }
41855
+
41856
+ forEach(source, assignValue);
41857
+
41858
+ if (typeof source !== 'object' || isArray(source)) {
41859
+ continue;
41860
+ }
41861
+
41862
+ const symbols = Object.getOwnPropertySymbols(source);
41863
+ for (let j = 0; j < symbols.length; j++) {
41864
+ const symbol = symbols[j];
41865
+ if (propertyIsEnumerable.call(source, symbol)) {
41866
+ assignValue(source[symbol], symbol);
41867
+ }
41868
+ }
41756
41869
  }
41757
41870
  return result;
41758
41871
  }
@@ -41974,12 +42087,7 @@ const toCamelCase = (str) => {
41974
42087
  });
41975
42088
  };
41976
42089
 
41977
- /* Creating a function that will check if an object has a property. */
41978
- const hasOwnProperty = (
41979
- ({ hasOwnProperty }) =>
41980
- (obj, prop) =>
41981
- hasOwnProperty.call(obj, prop)
41982
- )(Object.prototype);
42090
+ const { propertyIsEnumerable } = Object.prototype;
41983
42091
 
41984
42092
  /**
41985
42093
  * Determine if a value is a RegExp object
@@ -42192,6 +42300,20 @@ const asap =
42192
42300
 
42193
42301
  const isIterable = (thing) => thing != null && isFunction$1(thing[iterator]);
42194
42302
 
42303
+ /**
42304
+ * Determine if a value is iterable via an iterator that is NOT sourced solely
42305
+ * from a polluted Object.prototype. Use this instead of `isIterable` whenever
42306
+ * the iterable comes from untrusted input (e.g. user-supplied header sources),
42307
+ * so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
42308
+ * into an attacker-controlled entries iterator.
42309
+ *
42310
+ * @param {*} thing The value to test
42311
+ *
42312
+ * @returns {boolean} True if value has a non-polluted iterator
42313
+ */
42314
+ const isSafeIterable = (thing) =>
42315
+ thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
42316
+
42195
42317
  var utils$1 = {
42196
42318
  isArray,
42197
42319
  isArrayBuffer,
@@ -42236,6 +42358,8 @@ var utils$1 = {
42236
42358
  isHTMLForm,
42237
42359
  hasOwnProperty,
42238
42360
  hasOwnProp: hasOwnProperty, // an alias to avoid ESLint no-prototype-builtins detection
42361
+ hasOwnInPrototypeChain,
42362
+ getSafeProp,
42239
42363
  reduceDescriptors,
42240
42364
  freezeMethods,
42241
42365
  toObjectSet,
@@ -42252,6 +42376,7 @@ var utils$1 = {
42252
42376
  setImmediate: _setImmediate,
42253
42377
  asap,
42254
42378
  isIterable,
42379
+ isSafeIterable,
42255
42380
  };
42256
42381
 
42257
42382
  // RawAxiosHeaders whose duplicates are ignored by node
@@ -42462,7 +42587,7 @@ class AxiosHeaders {
42462
42587
  const lHeader = normalizeHeader(_header);
42463
42588
 
42464
42589
  if (!lHeader) {
42465
- throw new Error('header name must be a non-empty string');
42590
+ return;
42466
42591
  }
42467
42592
 
42468
42593
  const key = utils$1.findKey(self, lHeader);
@@ -42484,20 +42609,23 @@ class AxiosHeaders {
42484
42609
  setHeaders(header, valueOrRewrite);
42485
42610
  } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) {
42486
42611
  setHeaders(parseHeaders(header), valueOrRewrite);
42487
- } else if (utils$1.isObject(header) && utils$1.isIterable(header)) {
42488
- let obj = {},
42612
+ } else if (utils$1.isObject(header) && utils$1.isSafeIterable(header)) {
42613
+ let obj = Object.create(null),
42489
42614
  dest,
42490
42615
  key;
42491
42616
  for (const entry of header) {
42492
42617
  if (!utils$1.isArray(entry)) {
42493
- throw TypeError('Object iterator must return a key-value pair');
42618
+ throw new TypeError('Object iterator must return a key-value pair');
42494
42619
  }
42495
42620
 
42496
- obj[(key = entry[0])] = (dest = obj[key])
42497
- ? utils$1.isArray(dest)
42498
- ? [...dest, entry[1]]
42499
- : [dest, entry[1]]
42500
- : entry[1];
42621
+ key = entry[0];
42622
+
42623
+ if (utils$1.hasOwnProp(obj, key)) {
42624
+ dest = obj[key];
42625
+ obj[key] = utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]];
42626
+ } else {
42627
+ obj[key] = entry[1];
42628
+ }
42501
42629
  }
42502
42630
 
42503
42631
  setHeaders(obj, valueOrRewrite);
@@ -42790,7 +42918,19 @@ function redactConfig(config, redactKeys) {
42790
42918
  class AxiosError extends Error {
42791
42919
  static from(error, code, config, request, response, customProps) {
42792
42920
  const axiosError = new AxiosError(error.message, code || error.code, config, request, response);
42793
- axiosError.cause = error;
42921
+ // Match native `Error` `cause` semantics: non-enumerable. The wrapped
42922
+ // error often carries circular internals (sockets, requests, agents), so
42923
+ // an enumerable `cause` makes structured loggers (pino/winston) and any
42924
+ // own-property walk throw "Converting circular structure to JSON".
42925
+ // Regression from #6982; see #7205. `__proto__: null` mirrors the
42926
+ // `message` descriptor below (prototype-pollution-safe descriptor).
42927
+ Object.defineProperty(axiosError, 'cause', {
42928
+ __proto__: null,
42929
+ value: error,
42930
+ writable: true,
42931
+ enumerable: false,
42932
+ configurable: true,
42933
+ });
42794
42934
  axiosError.name = error.name;
42795
42935
 
42796
42936
  // Preserve status from the original error if not already set from response
@@ -42891,6 +43031,10 @@ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED';
42891
43031
  // eslint-disable-next-line strict
42892
43032
  var httpAdapter = null;
42893
43033
 
43034
+ // Default nesting limit shared with the inverse transform (formDataToJSON) so
43035
+ // the FormData <-> JSON round-trip stays symmetric.
43036
+ const DEFAULT_FORM_DATA_MAX_DEPTH = 100;
43037
+
42894
43038
  /**
42895
43039
  * Determines if the given thing is a array or js object.
42896
43040
  *
@@ -43001,8 +43145,9 @@ function toFormData(obj, formData, options) {
43001
43145
  const dots = options.dots;
43002
43146
  const indexes = options.indexes;
43003
43147
  const _Blob = options.Blob || (typeof Blob !== 'undefined' && Blob);
43004
- const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
43148
+ const maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
43005
43149
  const useBlob = _Blob && utils$1.isSpecCompliantForm(formData);
43150
+ const stack = [];
43006
43151
 
43007
43152
  if (!utils$1.isFunction(visitor)) {
43008
43153
  throw new TypeError('visitor must be a function');
@@ -43024,12 +43169,50 @@ function toFormData(obj, formData, options) {
43024
43169
  }
43025
43170
 
43026
43171
  if (utils$1.isArrayBuffer(value) || utils$1.isTypedArray(value)) {
43027
- return useBlob && typeof Blob === 'function' ? new Blob([value]) : Buffer.from(value);
43172
+ if (useBlob && typeof _Blob === 'function') {
43173
+ return new _Blob([value]);
43174
+ }
43175
+ if (typeof Buffer !== 'undefined') {
43176
+ return Buffer.from(value);
43177
+ }
43178
+ throw new AxiosError('Blob is not supported. Use a Buffer instead.', AxiosError.ERR_NOT_SUPPORT);
43028
43179
  }
43029
43180
 
43030
43181
  return value;
43031
43182
  }
43032
43183
 
43184
+ function throwIfMaxDepthExceeded(depth) {
43185
+ if (depth > maxDepth) {
43186
+ throw new AxiosError(
43187
+ 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
43188
+ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
43189
+ );
43190
+ }
43191
+ }
43192
+
43193
+ function stringifyWithDepthLimit(value, depth) {
43194
+ if (maxDepth === Infinity) {
43195
+ return JSON.stringify(value);
43196
+ }
43197
+
43198
+ const ancestors = [];
43199
+
43200
+ return JSON.stringify(value, function limitDepth(_key, currentValue) {
43201
+ if (!utils$1.isObject(currentValue)) {
43202
+ return currentValue;
43203
+ }
43204
+
43205
+ while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
43206
+ ancestors.pop();
43207
+ }
43208
+
43209
+ ancestors.push(currentValue);
43210
+ throwIfMaxDepthExceeded(depth + ancestors.length - 1);
43211
+
43212
+ return currentValue;
43213
+ });
43214
+ }
43215
+
43033
43216
  /**
43034
43217
  * Default visitor.
43035
43218
  *
@@ -43053,7 +43236,7 @@ function toFormData(obj, formData, options) {
43053
43236
  // eslint-disable-next-line no-param-reassign
43054
43237
  key = metaTokens ? key : key.slice(0, -2);
43055
43238
  // eslint-disable-next-line no-param-reassign
43056
- value = JSON.stringify(value);
43239
+ value = stringifyWithDepthLimit(value, 1);
43057
43240
  } else if (
43058
43241
  (utils$1.isArray(value) && isFlatArray(value)) ||
43059
43242
  ((utils$1.isFileList(value) || utils$1.endsWith(key, '[]')) && (arr = utils$1.toArray(value)))
@@ -43086,8 +43269,6 @@ function toFormData(obj, formData, options) {
43086
43269
  return false;
43087
43270
  }
43088
43271
 
43089
- const stack = [];
43090
-
43091
43272
  const exposedHelpers = Object.assign(predicates, {
43092
43273
  defaultVisitor,
43093
43274
  convertValue,
@@ -43097,15 +43278,10 @@ function toFormData(obj, formData, options) {
43097
43278
  function build(value, path, depth = 0) {
43098
43279
  if (utils$1.isUndefined(value)) return;
43099
43280
 
43100
- if (depth > maxDepth) {
43101
- throw new AxiosError(
43102
- 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
43103
- AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
43104
- );
43105
- }
43281
+ throwIfMaxDepthExceeded(depth);
43106
43282
 
43107
43283
  if (stack.indexOf(value) !== -1) {
43108
- throw Error('Circular reference detected in ' + path.join('.'));
43284
+ throw new Error('Circular reference detected in ' + path.join('.'));
43109
43285
  }
43110
43286
 
43111
43287
  stack.push(value);
@@ -43176,9 +43352,7 @@ prototype.append = function append(name, value) {
43176
43352
 
43177
43353
  prototype.toString = function toString(encoder) {
43178
43354
  const _encode = encoder
43179
- ? function (value) {
43180
- return encoder.call(this, value, encode$1);
43181
- }
43355
+ ? (value) => encoder.call(this, value, encode$1)
43182
43356
  : encode$1;
43183
43357
 
43184
43358
  return this._pairs
@@ -43217,8 +43391,7 @@ function buildURL(url, params, options) {
43217
43391
  if (!params) {
43218
43392
  return url;
43219
43393
  }
43220
-
43221
- const _encode = (options && options.encode) || encode;
43394
+ url = url || '';
43222
43395
 
43223
43396
  const _options = utils$1.isFunction(options)
43224
43397
  ? {
@@ -43226,7 +43399,11 @@ function buildURL(url, params, options) {
43226
43399
  }
43227
43400
  : options;
43228
43401
 
43229
- const serializeFn = _options && _options.serialize;
43402
+ // Read serializer options pollution-safely: own properties and methods on a
43403
+ // class/template prototype are honored, but values injected onto a polluted
43404
+ // Object.prototype are ignored.
43405
+ const _encode = utils$1.getSafeProp(_options, 'encode') || encode;
43406
+ const serializeFn = utils$1.getSafeProp(_options, 'serialize');
43230
43407
 
43231
43408
  let serializedParams;
43232
43409
 
@@ -43322,6 +43499,8 @@ var transitionalDefaults = {
43322
43499
  forcedJSONParsing: true,
43323
43500
  clarifyTimeoutError: false,
43324
43501
  legacyInterceptorReqResOrdering: true,
43502
+ advertiseZstdAcceptEncoding: false,
43503
+ validateStatusUndefinedResolves: true,
43325
43504
  };
43326
43505
 
43327
43506
  var URLSearchParams$1 = typeof URLSearchParams !== 'undefined' ? URLSearchParams : AxiosURLSearchParams;
@@ -43413,6 +43592,17 @@ function toURLEncodedForm(data, options) {
43413
43592
  });
43414
43593
  }
43415
43594
 
43595
+ const MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
43596
+
43597
+ function throwIfDepthExceeded(index) {
43598
+ if (index > MAX_DEPTH) {
43599
+ throw new AxiosError(
43600
+ 'FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH,
43601
+ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
43602
+ );
43603
+ }
43604
+ }
43605
+
43416
43606
  /**
43417
43607
  * It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
43418
43608
  *
@@ -43425,9 +43615,16 @@ function parsePropPath(name) {
43425
43615
  // foo.x.y.z
43426
43616
  // foo-x-y-z
43427
43617
  // foo x y z
43428
- return utils$1.matchAll(/\w+|\[(\w*)]/g, name).map((match) => {
43429
- return match[0] === '[]' ? '' : match[1] || match[0];
43430
- });
43618
+ const path = [];
43619
+ const pattern = /\w+|\[(\w*)]/g;
43620
+ let match;
43621
+
43622
+ while ((match = pattern.exec(name)) !== null) {
43623
+ throwIfDepthExceeded(path.length);
43624
+ path.push(match[0] === '[]' ? '' : match[1] || match[0]);
43625
+ }
43626
+
43627
+ return path;
43431
43628
  }
43432
43629
 
43433
43630
  /**
@@ -43459,6 +43656,8 @@ function arrayToObject(arr) {
43459
43656
  */
43460
43657
  function formDataToJSON(formData) {
43461
43658
  function buildPath(path, value, target, index) {
43659
+ throwIfDepthExceeded(index);
43660
+
43462
43661
  let name = path[index++];
43463
43662
 
43464
43663
  if (name === '__proto__') return true;
@@ -43944,7 +44143,11 @@ var cookies = platform.hasStandardBrowserEnv
43944
44143
  const cookie = cookies[i].replace(/^\s+/, '');
43945
44144
  const eq = cookie.indexOf('=');
43946
44145
  if (eq !== -1 && cookie.slice(0, eq) === name) {
43947
- return decodeURIComponent(cookie.slice(eq + 1));
44146
+ try {
44147
+ return decodeURIComponent(cookie.slice(eq + 1));
44148
+ } catch (e) {
44149
+ return cookie.slice(eq + 1);
44150
+ }
43948
44151
  }
43949
44152
  }
43950
44153
  return null;
@@ -43995,6 +44198,31 @@ function combineURLs(baseURL, relativeURL) {
43995
44198
  : baseURL;
43996
44199
  }
43997
44200
 
44201
+ const malformedHttpProtocol = /^https?:(?!\/\/)/i;
44202
+ const httpProtocolControlCharacters = /[\t\n\r]/g;
44203
+
44204
+ function stripLeadingC0ControlOrSpace(url) {
44205
+ let i = 0;
44206
+ while (i < url.length && url.charCodeAt(i) <= 0x20) {
44207
+ i++;
44208
+ }
44209
+ return url.slice(i);
44210
+ }
44211
+
44212
+ function normalizeURLForProtocolCheck(url) {
44213
+ return stripLeadingC0ControlOrSpace(url).replace(httpProtocolControlCharacters, '');
44214
+ }
44215
+
44216
+ function assertValidHttpProtocolURL(url, config) {
44217
+ if (typeof url === 'string' && malformedHttpProtocol.test(normalizeURLForProtocolCheck(url))) {
44218
+ throw new AxiosError(
44219
+ 'Invalid URL: missing "//" after protocol',
44220
+ AxiosError.ERR_INVALID_URL,
44221
+ config
44222
+ );
44223
+ }
44224
+ }
44225
+
43998
44226
  /**
43999
44227
  * Creates a new URL by combining the baseURL with the requestedURL,
44000
44228
  * only when the requestedURL is not already an absolute URL.
@@ -44005,9 +44233,11 @@ function combineURLs(baseURL, relativeURL) {
44005
44233
  *
44006
44234
  * @returns {string} The combined full path
44007
44235
  */
44008
- function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
44236
+ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls, config) {
44237
+ assertValidHttpProtocolURL(requestedURL, config);
44009
44238
  let isRelativeUrl = !isAbsoluteURL(requestedURL);
44010
44239
  if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) {
44240
+ assertValidHttpProtocolURL(baseURL, config);
44011
44241
  return combineURLs(baseURL, requestedURL);
44012
44242
  }
44013
44243
  return requestedURL;
@@ -44026,6 +44256,7 @@ const headersToObject = (thing) => (thing instanceof AxiosHeaders ? { ...thing }
44026
44256
  */
44027
44257
  function mergeConfig(config1, config2) {
44028
44258
  // eslint-disable-next-line no-param-reassign
44259
+ config1 = config1 || {};
44029
44260
  config2 = config2 || {};
44030
44261
 
44031
44262
  // Use a null-prototype object so that downstream reads such as `config.auth`
@@ -44078,6 +44309,28 @@ function mergeConfig(config1, config2) {
44078
44309
  }
44079
44310
  }
44080
44311
 
44312
+ function getMergedTransitionalOption(prop) {
44313
+ const transitional2 = utils$1.hasOwnProp(config2, 'transitional') ? config2.transitional : undefined;
44314
+
44315
+ if (!utils$1.isUndefined(transitional2)) {
44316
+ if (utils$1.isPlainObject(transitional2)) {
44317
+ if (utils$1.hasOwnProp(transitional2, prop)) {
44318
+ return transitional2[prop];
44319
+ }
44320
+ } else {
44321
+ return undefined;
44322
+ }
44323
+ }
44324
+
44325
+ const transitional1 = utils$1.hasOwnProp(config1, 'transitional') ? config1.transitional : undefined;
44326
+
44327
+ if (utils$1.isPlainObject(transitional1) && utils$1.hasOwnProp(transitional1, prop)) {
44328
+ return transitional1[prop];
44329
+ }
44330
+
44331
+ return undefined;
44332
+ }
44333
+
44081
44334
  // eslint-disable-next-line consistent-return
44082
44335
  function mergeDirectKeys(a, b, prop) {
44083
44336
  if (utils$1.hasOwnProp(config2, prop)) {
@@ -44130,6 +44383,18 @@ function mergeConfig(config1, config2) {
44130
44383
  (utils$1.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
44131
44384
  });
44132
44385
 
44386
+ if (
44387
+ utils$1.hasOwnProp(config2, 'validateStatus') &&
44388
+ utils$1.isUndefined(config2.validateStatus) &&
44389
+ getMergedTransitionalOption('validateStatusUndefinedResolves') === false
44390
+ ) {
44391
+ if (utils$1.hasOwnProp(config1, 'validateStatus')) {
44392
+ config.validateStatus = getMergedValue(undefined, config1.validateStatus);
44393
+ } else {
44394
+ delete config.validateStatus;
44395
+ }
44396
+ }
44397
+
44133
44398
  return config;
44134
44399
  }
44135
44400
 
@@ -44141,7 +44406,7 @@ function setFormDataHeaders(headers, formHeaders, policy) {
44141
44406
  return;
44142
44407
  }
44143
44408
 
44144
- Object.entries(formHeaders).forEach(([key, val]) => {
44409
+ Object.entries(formHeaders || {}).forEach(([key, val]) => {
44145
44410
  if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) {
44146
44411
  headers.set(key, val);
44147
44412
  }
@@ -44156,12 +44421,12 @@ function setFormDataHeaders(headers, formHeaders, policy) {
44156
44421
  *
44157
44422
  * @returns {string} UTF-8 bytes as a Latin-1 string
44158
44423
  */
44159
- const encodeUTF8 = (str) =>
44424
+ const encodeUTF8$1 = (str) =>
44160
44425
  encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) =>
44161
44426
  String.fromCharCode(parseInt(hex, 16))
44162
44427
  );
44163
44428
 
44164
- var resolveConfig = (config) => {
44429
+ function resolveConfig(config) {
44165
44430
  const newConfig = mergeConfig({}, config);
44166
44431
 
44167
44432
  // Read only own properties to prevent prototype pollution gadgets
@@ -44181,23 +44446,33 @@ var resolveConfig = (config) => {
44181
44446
  newConfig.headers = headers = AxiosHeaders.from(headers);
44182
44447
 
44183
44448
  newConfig.url = buildURL(
44184
- buildFullPath(baseURL, url, allowAbsoluteUrls),
44185
- config.params,
44186
- config.paramsSerializer
44449
+ buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig),
44450
+ own('params'),
44451
+ own('paramsSerializer')
44187
44452
  );
44188
44453
 
44189
44454
  // HTTP basic authentication
44190
44455
  if (auth) {
44191
- headers.set(
44192
- 'Authorization',
44193
- 'Basic ' +
44194
- btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : ''))
44195
- );
44456
+ const username = utils$1.getSafeProp(auth, 'username') || '';
44457
+ const password = utils$1.getSafeProp(auth, 'password') || '';
44458
+
44459
+ try {
44460
+ headers.set(
44461
+ 'Authorization',
44462
+ 'Basic ' + btoa(username + ':' + (password ? encodeUTF8$1(password) : ''))
44463
+ );
44464
+ } catch (e) {
44465
+ throw AxiosError.from(e, AxiosError.ERR_BAD_OPTION_VALUE, config);
44466
+ }
44196
44467
  }
44197
44468
 
44198
44469
  if (utils$1.isFormData(data)) {
44199
- if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) {
44200
- headers.setContentType(undefined); // browser handles it
44470
+ if (
44471
+ platform.hasStandardBrowserEnv ||
44472
+ platform.hasStandardBrowserWebWorkerEnv ||
44473
+ utils$1.isReactNative(data)
44474
+ ) {
44475
+ headers.setContentType(undefined); // browser/web worker/RN handles it
44201
44476
  } else if (utils$1.isFunction(data.getHeaders)) {
44202
44477
  // Node.js FormData (like form-data package)
44203
44478
  setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy'));
@@ -44229,7 +44504,7 @@ var resolveConfig = (config) => {
44229
44504
  }
44230
44505
 
44231
44506
  return newConfig;
44232
- };
44507
+ }
44233
44508
 
44234
44509
  const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined';
44235
44510
 
@@ -44439,6 +44714,7 @@ var xhrAdapter = isXHRAdapterSupported &&
44439
44714
  config
44440
44715
  )
44441
44716
  );
44717
+ done();
44442
44718
  return;
44443
44719
  }
44444
44720
 
@@ -44490,7 +44766,7 @@ const composeSignals = (signals, timeout) => {
44490
44766
  signals = null;
44491
44767
  };
44492
44768
 
44493
- signals.forEach((signal) => signal.addEventListener('abort', onabort));
44769
+ signals.forEach((signal) => signal.addEventListener('abort', onabort, { once: true }));
44494
44770
 
44495
44771
  const { signal } = controller;
44496
44772
 
@@ -44593,11 +44869,19 @@ const trackStream = (stream, chunkSize, onProgress, onFinish) => {
44593
44869
  * Estimate decoded byte length of a data:// URL *without* allocating large buffers.
44594
44870
  * - For base64: compute exact decoded size using length and padding;
44595
44871
  * handle %XX at the character-count level (no string allocation).
44596
- * - For non-base64: use UTF-8 byteLength of the encoded body as a safe upper bound.
44872
+ * - For non-base64: compute the exact percent-decoded UTF-8 byte length.
44597
44873
  *
44598
44874
  * @param {string} url
44599
44875
  * @returns {number}
44600
44876
  */
44877
+ const isHexDigit = (charCode) =>
44878
+ (charCode >= 48 && charCode <= 57) ||
44879
+ (charCode >= 65 && charCode <= 70) ||
44880
+ (charCode >= 97 && charCode <= 102);
44881
+
44882
+ const isPercentEncodedByte = (str, i, len) =>
44883
+ i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
44884
+
44601
44885
  function estimateDataURLDecodedBytes(url) {
44602
44886
  if (!url || typeof url !== 'string') return 0;
44603
44887
  if (!url.startsWith('data:')) return 0;
@@ -44617,9 +44901,7 @@ function estimateDataURLDecodedBytes(url) {
44617
44901
  if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
44618
44902
  const a = body.charCodeAt(i + 1);
44619
44903
  const b = body.charCodeAt(i + 2);
44620
- const isHex =
44621
- ((a >= 48 && a <= 57) || (a >= 65 && a <= 70) || (a >= 97 && a <= 102)) &&
44622
- ((b >= 48 && b <= 57) || (b >= 65 && b <= 70) || (b >= 97 && b <= 102));
44904
+ const isHex = isHexDigit(a) && isHexDigit(b);
44623
44905
 
44624
44906
  if (isHex) {
44625
44907
  effectiveLen -= 2;
@@ -44660,18 +44942,17 @@ function estimateDataURLDecodedBytes(url) {
44660
44942
  return bytes > 0 ? bytes : 0;
44661
44943
  }
44662
44944
 
44663
- if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
44664
- return Buffer.byteLength(body, 'utf8');
44665
- }
44666
-
44667
44945
  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
44668
44946
  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
44669
- // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
44670
- // but 3 UTF-8 bytes).
44947
+ // Valid %XX triplets count as one decoded byte; this matches the bytes that
44948
+ // decodeURIComponent(body) would produce before Buffer re-encodes the string.
44671
44949
  let bytes = 0;
44672
44950
  for (let i = 0, len = body.length; i < len; i++) {
44673
44951
  const c = body.charCodeAt(i);
44674
- if (c < 0x80) {
44952
+ if (c === 37 /* '%' */ && isPercentEncodedByte(body, i, len)) {
44953
+ bytes += 1;
44954
+ i += 2;
44955
+ } else if (c < 0x80) {
44675
44956
  bytes += 1;
44676
44957
  } else if (c < 0x800) {
44677
44958
  bytes += 2;
@@ -44690,12 +44971,41 @@ function estimateDataURLDecodedBytes(url) {
44690
44971
  return bytes;
44691
44972
  }
44692
44973
 
44693
- const VERSION = "1.16.1";
44974
+ const VERSION = "1.18.1";
44694
44975
 
44695
44976
  const DEFAULT_CHUNK_SIZE = 64 * 1024;
44696
44977
 
44697
44978
  const { isFunction } = utils$1;
44698
44979
 
44980
+ /**
44981
+ * Encode a UTF-8 string to a Latin-1 byte string for use with btoa().
44982
+ * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern.
44983
+ *
44984
+ * @param {string} str The string to encode
44985
+ *
44986
+ * @returns {string} UTF-8 bytes as a Latin-1 string
44987
+ */
44988
+ const encodeUTF8 = (str) =>
44989
+ encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) =>
44990
+ String.fromCharCode(parseInt(hex, 16))
44991
+ );
44992
+
44993
+ // Node's WHATWG URL parser returns `username` and `password` percent-encoded.
44994
+ // Decode before composing the `auth` option so credentials such as
44995
+ // `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the
44996
+ // original value for malformed input so a bad encoding never throws.
44997
+ const decodeURIComponentSafe = (value) => {
44998
+ if (!utils$1.isString(value)) {
44999
+ return value;
45000
+ }
45001
+
45002
+ try {
45003
+ return decodeURIComponent(value);
45004
+ } catch (error) {
45005
+ return value;
45006
+ }
45007
+ };
45008
+
44699
45009
  const test = (fn, ...args) => {
44700
45010
  try {
44701
45011
  return !!fn(...args);
@@ -44704,6 +45014,15 @@ const test = (fn, ...args) => {
44704
45014
  }
44705
45015
  };
44706
45016
 
45017
+ const maybeWithAuthCredentials = (url) => {
45018
+ const protocolIndex = url.indexOf('://');
45019
+ let urlToCheck = url;
45020
+ if (protocolIndex !== -1) {
45021
+ urlToCheck = urlToCheck.slice(protocolIndex + 3);
45022
+ }
45023
+ return urlToCheck.includes('@') || urlToCheck.includes(':');
45024
+ };
45025
+
44707
45026
  const factory = (env) => {
44708
45027
  const globalObject =
44709
45028
  utils$1.global !== undefined && utils$1.global !== null
@@ -44851,6 +45170,7 @@ const factory = (env) => {
44851
45170
 
44852
45171
  const hasMaxContentLength = utils$1.isNumber(maxContentLength) && maxContentLength > -1;
44853
45172
  const hasMaxBodyLength = utils$1.isNumber(maxBodyLength) && maxBodyLength > -1;
45173
+ const own = (key) => (utils$1.hasOwnProp(config, key) ? config[key] : undefined);
44854
45174
 
44855
45175
  let _fetch = envFetch || fetch;
44856
45176
 
@@ -44872,7 +45192,61 @@ const factory = (env) => {
44872
45192
 
44873
45193
  let requestContentLength;
44874
45194
 
45195
+ // AxiosError we raise while the request body is being streamed. Captured
45196
+ // by identity so the catch block can surface it directly, regardless of
45197
+ // how the runtime wraps the resulting fetch rejection (undici exposes it
45198
+ // as `err.cause`; some browsers drop the original error entirely).
45199
+ let pendingBodyError = null;
45200
+
45201
+ const maxBodyLengthError = () =>
45202
+ new AxiosError(
45203
+ 'Request body larger than maxBodyLength limit',
45204
+ AxiosError.ERR_BAD_REQUEST,
45205
+ config,
45206
+ request
45207
+ );
45208
+
44875
45209
  try {
45210
+ // HTTP basic authentication
45211
+ let auth = undefined;
45212
+ const configAuth = own('auth');
45213
+
45214
+ if (configAuth) {
45215
+ const username = utils$1.getSafeProp(configAuth, 'username') || '';
45216
+ const password = utils$1.getSafeProp(configAuth, 'password') || '';
45217
+ auth = {
45218
+ username,
45219
+ password
45220
+ };
45221
+ }
45222
+
45223
+ if (maybeWithAuthCredentials(url)) {
45224
+ const parsedURL = new URL(url, platform.origin);
45225
+
45226
+ if (!auth && (parsedURL.username || parsedURL.password)) {
45227
+ const urlUsername = decodeURIComponentSafe(parsedURL.username);
45228
+ const urlPassword = decodeURIComponentSafe(parsedURL.password);
45229
+ auth = {
45230
+ username: urlUsername,
45231
+ password: urlPassword
45232
+ };
45233
+ }
45234
+
45235
+ if (parsedURL.username || parsedURL.password) {
45236
+ parsedURL.username = '';
45237
+ parsedURL.password = '';
45238
+ url = parsedURL.href;
45239
+ }
45240
+ }
45241
+
45242
+ if (auth) {
45243
+ headers.delete('authorization');
45244
+ headers.set(
45245
+ 'Authorization',
45246
+ 'Basic ' + btoa(encodeUTF8((auth.username || '') + ':' + (auth.password || '')))
45247
+ );
45248
+ }
45249
+
44876
45250
  // Enforce maxContentLength for data: URLs up-front so we never materialize
44877
45251
  // an oversized payload. The HTTP adapter applies the same check (see http.js
44878
45252
  // "if (protocol === 'data:')" branch).
@@ -44888,53 +45262,96 @@ const factory = (env) => {
44888
45262
  }
44889
45263
  }
44890
45264
 
44891
- // Enforce maxBodyLength against the outbound request body before dispatch.
44892
- // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than
44893
- // maxBodyLength limit'). Skip when the body length cannot be determined
44894
- // (e.g. a live ReadableStream supplied by the caller).
45265
+ // Enforce maxBodyLength against known-size bodies before dispatch using
45266
+ // the body's *actual* size never a caller-declared Content-Length,
45267
+ // which could under-report to slip an oversized body past the check.
45268
+ // Unknown-size streams return undefined here and are counted per-chunk
45269
+ // below as fetch consumes them.
44895
45270
  if (hasMaxBodyLength && method !== 'get' && method !== 'head') {
44896
- const outboundLength = await resolveBodyLength(headers, data);
44897
- if (
44898
- typeof outboundLength === 'number' &&
44899
- isFinite(outboundLength) &&
44900
- outboundLength > maxBodyLength
44901
- ) {
44902
- throw new AxiosError(
44903
- 'Request body larger than maxBodyLength limit',
44904
- AxiosError.ERR_BAD_REQUEST,
44905
- config,
44906
- request
44907
- );
45271
+ const outboundLength = await getBodyLength(data);
45272
+ if (typeof outboundLength === 'number' && isFinite(outboundLength)) {
45273
+ requestContentLength = outboundLength;
45274
+ if (outboundLength > maxBodyLength) {
45275
+ throw maxBodyLengthError();
45276
+ }
44908
45277
  }
44909
45278
  }
44910
45279
 
45280
+ // A streamed body under maxBodyLength must be counted as fetch consumes
45281
+ // it; its size is never trusted from a caller-declared Content-Length.
45282
+ const mustEnforceStreamBody =
45283
+ hasMaxBodyLength && (utils$1.isReadableStream(data) || utils$1.isStream(data));
45284
+
45285
+ const trackRequestStream = (stream, onProgress, flush) =>
45286
+ trackStream(
45287
+ stream,
45288
+ DEFAULT_CHUNK_SIZE,
45289
+ (loadedBytes) => {
45290
+ if (hasMaxBodyLength && loadedBytes > maxBodyLength) {
45291
+ throw (pendingBodyError = maxBodyLengthError());
45292
+ }
45293
+ onProgress && onProgress(loadedBytes);
45294
+ },
45295
+ flush
45296
+ );
45297
+
44911
45298
  if (
44912
- onUploadProgress &&
44913
45299
  supportsRequestStream &&
44914
45300
  method !== 'get' &&
44915
45301
  method !== 'head' &&
44916
- (requestContentLength = await resolveBodyLength(headers, data)) !== 0
45302
+ (onUploadProgress || mustEnforceStreamBody)
44917
45303
  ) {
44918
- let _request = new Request(url, {
44919
- method: 'POST',
44920
- body: data,
44921
- duplex: 'half',
44922
- });
45304
+ requestContentLength =
45305
+ requestContentLength == null ? await resolveBodyLength(headers, data) : requestContentLength;
45306
+
45307
+ // A declared length of 0 is only trusted to skip the wrap when we are
45308
+ // not enforcing a stream limit (which must not rely on that header).
45309
+ if (requestContentLength !== 0 || mustEnforceStreamBody) {
45310
+ let _request = new Request(url, {
45311
+ method: 'POST',
45312
+ body: data,
45313
+ duplex: 'half',
45314
+ });
44923
45315
 
44924
- let contentTypeHeader;
45316
+ let contentTypeHeader;
44925
45317
 
44926
- if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
44927
- headers.setContentType(contentTypeHeader);
44928
- }
45318
+ if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
45319
+ headers.setContentType(contentTypeHeader);
45320
+ }
44929
45321
 
44930
- if (_request.body) {
44931
- const [onProgress, flush] = progressEventDecorator(
44932
- requestContentLength,
44933
- progressEventReducer(asyncDecorator(onUploadProgress))
44934
- );
45322
+ if (_request.body) {
45323
+ const [onProgress, flush] =
45324
+ (onUploadProgress &&
45325
+ progressEventDecorator(
45326
+ requestContentLength,
45327
+ progressEventReducer(asyncDecorator(onUploadProgress))
45328
+ )) ||
45329
+ [];
44935
45330
 
44936
- data = trackStream(_request.body, DEFAULT_CHUNK_SIZE, onProgress, flush);
45331
+ data = trackRequestStream(_request.body, onProgress, flush);
45332
+ }
44937
45333
  }
45334
+ } else if (
45335
+ mustEnforceStreamBody &&
45336
+ !isRequestSupported &&
45337
+ isReadableStreamSupported &&
45338
+ method !== 'get' &&
45339
+ method !== 'head'
45340
+ ) {
45341
+ data = trackRequestStream(data);
45342
+ } else if (
45343
+ mustEnforceStreamBody &&
45344
+ isRequestSupported &&
45345
+ !supportsRequestStream &&
45346
+ method !== 'get' &&
45347
+ method !== 'head'
45348
+ ) {
45349
+ throw new AxiosError(
45350
+ 'Stream request bodies are not supported by the current fetch implementation',
45351
+ AxiosError.ERR_NOT_SUPPORT,
45352
+ config,
45353
+ request
45354
+ );
44938
45355
  }
44939
45356
 
44940
45357
  if (!utils$1.isString(withCredentials)) {
@@ -44977,10 +45394,12 @@ const factory = (env) => {
44977
45394
  ? _fetch(request, fetchOptions)
44978
45395
  : _fetch(url, resolvedOptions));
44979
45396
 
45397
+ const responseHeaders = AxiosHeaders.from(response.headers);
45398
+
44980
45399
  // Cheap pre-check: if the server honestly declares a content-length that
44981
45400
  // already exceeds the cap, reject before we start streaming.
44982
45401
  if (hasMaxContentLength) {
44983
- const declaredLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
45402
+ const declaredLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
44984
45403
  if (declaredLength != null && declaredLength > maxContentLength) {
44985
45404
  throw new AxiosError(
44986
45405
  'maxContentLength size of ' + maxContentLength + ' exceeded',
@@ -45005,7 +45424,7 @@ const factory = (env) => {
45005
45424
  options[prop] = response[prop];
45006
45425
  });
45007
45426
 
45008
- const responseContentLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
45427
+ const responseContentLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
45009
45428
 
45010
45429
  const [onProgress, flush] =
45011
45430
  (onDownloadProgress &&
@@ -45096,23 +45515,55 @@ const factory = (env) => {
45096
45515
  const canceledError = composedSignal.reason;
45097
45516
  canceledError.config = config;
45098
45517
  request && (canceledError.request = request);
45099
- err !== canceledError && (canceledError.cause = err);
45518
+ if (err !== canceledError) {
45519
+ // Non-enumerable to match native Error `cause` semantics so loggers
45520
+ // don't recurse into circular fetch internals (see #7205).
45521
+ Object.defineProperty(canceledError, 'cause', {
45522
+ __proto__: null,
45523
+ value: err,
45524
+ writable: true,
45525
+ enumerable: false,
45526
+ configurable: true,
45527
+ });
45528
+ }
45100
45529
  throw canceledError;
45101
45530
  }
45102
45531
 
45532
+ // Surface a maxBodyLength violation we raised while the request body was
45533
+ // being streamed. Matching by identity (rather than reading
45534
+ // `err.cause.isAxiosError`) keeps the error deterministic across runtimes
45535
+ // and avoids both prototype-pollution reads and mis-attributing a foreign
45536
+ // AxiosError that merely happened to land in `err.cause`.
45537
+ if (pendingBodyError) {
45538
+ request && !pendingBodyError.request && (pendingBodyError.request = request);
45539
+ throw pendingBodyError;
45540
+ }
45541
+
45542
+ // Re-throw AxiosErrors we raised synchronously (data: URL / content-length
45543
+ // pre-checks, response size enforcement) without re-wrapping them.
45544
+ if (err instanceof AxiosError) {
45545
+ request && !err.request && (err.request = request);
45546
+ throw err;
45547
+ }
45548
+
45103
45549
  if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) {
45104
- throw Object.assign(
45105
- new AxiosError(
45106
- 'Network Error',
45107
- AxiosError.ERR_NETWORK,
45108
- config,
45109
- request,
45110
- err && err.response
45111
- ),
45112
- {
45113
- cause: err.cause || err,
45114
- }
45550
+ const networkError = new AxiosError(
45551
+ 'Network Error',
45552
+ AxiosError.ERR_NETWORK,
45553
+ config,
45554
+ request,
45555
+ err && err.response
45115
45556
  );
45557
+ // Non-enumerable to match native Error `cause` semantics so loggers
45558
+ // don't recurse into circular fetch internals (see #7205).
45559
+ Object.defineProperty(networkError, 'cause', {
45560
+ __proto__: null,
45561
+ value: err.cause || err,
45562
+ writable: true,
45563
+ enumerable: false,
45564
+ configurable: true,
45565
+ });
45566
+ throw networkError;
45116
45567
  }
45117
45568
 
45118
45569
  throw AxiosError.from(err, err && err.code, config, request, err && err.response);
@@ -45250,7 +45701,7 @@ function getAdapter(adapters, config) {
45250
45701
 
45251
45702
  throw new AxiosError(
45252
45703
  `There is no suitable adapter to dispatch the request ` + s,
45253
- 'ERR_NOT_SUPPORT'
45704
+ AxiosError.ERR_NOT_SUPPORT
45254
45705
  );
45255
45706
  }
45256
45707
 
@@ -45431,7 +45882,7 @@ validators$1.spelling = function spelling(correctSpelling) {
45431
45882
  */
45432
45883
 
45433
45884
  function assertOptions(options, schema, allowUnknown) {
45434
- if (typeof options !== 'object') {
45885
+ if (typeof options !== 'object' || options === null) {
45435
45886
  throw new AxiosError('options must be an object', AxiosError.ERR_BAD_OPTION_VALUE);
45436
45887
  }
45437
45888
  const keys = Object.keys(options);
@@ -45554,6 +46005,8 @@ class Axios {
45554
46005
  forcedJSONParsing: validators.transitional(validators.boolean),
45555
46006
  clarifyTimeoutError: validators.transitional(validators.boolean),
45556
46007
  legacyInterceptorReqResOrdering: validators.transitional(validators.boolean),
46008
+ advertiseZstdAcceptEncoding: validators.transitional(validators.boolean),
46009
+ validateStatusUndefinedResolves: validators.transitional(validators.boolean),
45557
46010
  },
45558
46011
  false
45559
46012
  );
@@ -45683,7 +46136,7 @@ class Axios {
45683
46136
 
45684
46137
  getUri(config) {
45685
46138
  config = mergeConfig(this.defaults, config);
45686
- const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
46139
+ const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls, config);
45687
46140
  return buildURL(fullPath, config.params, config.paramsSerializer);
45688
46141
  }
45689
46142
  }
@@ -45696,7 +46149,7 @@ utils$1.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNoDa
45696
46149
  mergeConfig(config || {}, {
45697
46150
  method,
45698
46151
  url,
45699
- data: (config || {}).data,
46152
+ data: config && utils$1.hasOwnProp(config, 'data') ? config.data : undefined,
45700
46153
  })
45701
46154
  );
45702
46155
  };