@langchain/core 1.1.20 → 1.1.22

package/dist/utils/ssrf.js

@@ -0,0 +1,260 @@
+import { __export } from "../_virtual/rolldown_runtime.js";
+
+//#region src/utils/ssrf.ts
+var ssrf_exports = {};
+__export(ssrf_exports, {
+	isCloudMetadata: () => isCloudMetadata,
+	isLocalhost: () => isLocalhost,
+	isPrivateIp: () => isPrivateIp,
+	isSafeUrl: () => isSafeUrl,
+	isSameOrigin: () => isSameOrigin,
+	validateSafeUrl: () => validateSafeUrl
+});
+const PRIVATE_IP_RANGES = [
+	"10.0.0.0/8",
+	"172.16.0.0/12",
+	"192.168.0.0/16",
+	"127.0.0.0/8",
+	"169.254.0.0/16",
+	"0.0.0.0/8",
+	"::1/128",
+	"fc00::/7",
+	"fe80::/10",
+	"ff00::/8"
+];
+const CLOUD_METADATA_IPS = [
+	"169.254.169.254",
+	"169.254.170.2",
+	"100.100.100.200"
+];
+const CLOUD_METADATA_HOSTNAMES = [
+	"metadata.google.internal",
+	"metadata",
+	"instance-data"
+];
+const LOCALHOST_NAMES = ["localhost", "localhost.localdomain"];
+/**
+* IPv4 regex: four octets 0-255
+*/
+const IPV4_REGEX = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;
+/**
+* Check if a string is a valid IPv4 address.
+*/
+function isIPv4(ip) {
+	return IPV4_REGEX.test(ip);
+}
+/**
+* Check if a string is a valid IPv6 address.
+* Uses expandIpv6 for validation.
+*/
+function isIPv6(ip) {
+	return expandIpv6(ip) !== null;
+}
+/**
+* Check if a string is a valid IP address (IPv4 or IPv6).
+*/
+function isIP(ip) {
+	return isIPv4(ip) || isIPv6(ip);
+}
+/**
+* Parse an IP address string to an array of integers (for IPv4) or an array of 16-bit values (for IPv6)
+* Returns null if the IP is invalid.
+*/
+function parseIp(ip) {
+	if (isIPv4(ip)) return ip.split(".").map((octet) => parseInt(octet, 10));
+	else if (isIPv6(ip)) {
+		const expanded = expandIpv6(ip);
+		if (!expanded) return null;
+		const parts = expanded.split(":");
+		const result = [];
+		for (const part of parts) result.push(parseInt(part, 16));
+		return result;
+	}
+	return null;
+}
+/**
+* Expand compressed IPv6 address to full form.
+*/
+function expandIpv6(ip) {
+	if (!ip || typeof ip !== "string") return null;
+	if (!ip.includes(":")) return null;
+	if (!/^[0-9a-fA-F:]+$/.test(ip)) return null;
+	let normalized = ip;
+	if (normalized.includes("::")) {
+		const parts$1 = normalized.split("::");
+		if (parts$1.length > 2) return null;
+		const [left, right] = parts$1;
+		const leftParts = left ? left.split(":") : [];
+		const rightParts = right ? right.split(":") : [];
+		const missing = 8 - (leftParts.length + rightParts.length);
+		if (missing < 0) return null;
+		const zeros = Array(missing).fill("0");
+		normalized = [
+			...leftParts,
+			...zeros,
+			...rightParts
+		].filter((p) => p !== "").join(":");
+	}
+	const parts = normalized.split(":");
+	if (parts.length !== 8) return null;
+	for (const part of parts) {
+		if (part.length === 0 || part.length > 4) return null;
+		if (!/^[0-9a-fA-F]+$/.test(part)) return null;
+	}
+	return parts.map((p) => p.padStart(4, "0").toLowerCase()).join(":");
+}
+/**
+* Parse CIDR notation (e.g., "192.168.0.0/24") into network address and prefix length.
+*/
+function parseCidr(cidr) {
+	const [addrStr, prefixStr] = cidr.split("/");
+	if (!addrStr || !prefixStr) return null;
+	const addr = parseIp(addrStr);
+	if (!addr) return null;
+	const prefixLen = parseInt(prefixStr, 10);
+	if (isNaN(prefixLen)) return null;
+	const isIpv6 = isIPv6(addrStr);
+	if (isIpv6 && prefixLen > 128) return null;
+	if (!isIpv6 && prefixLen > 32) return null;
+	return {
+		addr,
+		prefixLen,
+		isIpv6
+	};
+}
+/**
+* Check if an IP address is in a given CIDR range.
+*/
+function isIpInCidr(ip, cidr) {
+	const ipParsed = parseIp(ip);
+	if (!ipParsed) return false;
+	const cidrParsed = parseCidr(cidr);
+	if (!cidrParsed) return false;
+	const isIpv6 = isIPv6(ip);
+	if (isIpv6 !== cidrParsed.isIpv6) return false;
+	const { addr: cidrAddr, prefixLen } = cidrParsed;
+	if (isIpv6) for (let i = 0; i < Math.ceil(prefixLen / 16); i++) {
+		const bitsToCheck = Math.min(16, prefixLen - i * 16);
+		const mask = 65535 << 16 - bitsToCheck & 65535;
+		if ((ipParsed[i] & mask) !== (cidrAddr[i] & mask)) return false;
+	}
+	else for (let i = 0; i < Math.ceil(prefixLen / 8); i++) {
+		const bitsToCheck = Math.min(8, prefixLen - i * 8);
+		const mask = 255 << 8 - bitsToCheck & 255;
+		if ((ipParsed[i] & mask) !== (cidrAddr[i] & mask)) return false;
+	}
+	return true;
+}
+/**
+* Check if an IP address is private (RFC 1918, loopback, link-local, etc.)
+*/
+function isPrivateIp(ip) {
+	if (!isIP(ip)) return false;
+	for (const range of PRIVATE_IP_RANGES) if (isIpInCidr(ip, range)) return true;
+	return false;
+}
+/**
+* Check if a hostname or IP is a known cloud metadata endpoint.
+*/
+function isCloudMetadata(hostname, ip) {
+	if (CLOUD_METADATA_IPS.includes(ip || "")) return true;
+	const lowerHostname = hostname.toLowerCase();
+	if (CLOUD_METADATA_HOSTNAMES.includes(lowerHostname)) return true;
+	return false;
+}
+/**
+* Check if a hostname or IP is localhost.
+*/
+function isLocalhost(hostname, ip) {
+	if (ip) {
+		if (ip === "127.0.0.1" || ip === "::1" || ip === "0.0.0.0") return true;
+		if (ip.startsWith("127.")) return true;
+	}
+	const lowerHostname = hostname.toLowerCase();
+	if (LOCALHOST_NAMES.includes(lowerHostname)) return true;
+	return false;
+}
+/**
+* Validate that a URL is safe to connect to.
+* Performs static validation checks against hostnames and direct IP addresses.
+* Does not perform DNS resolution.
+*
+* @param url URL to validate
+* @param options.allowPrivate Allow private IPs (default: false)
+* @param options.allowHttp Allow http:// scheme (default: false)
+* @returns The validated URL
+* @throws Error if URL is not safe
+*/
+function validateSafeUrl(url, options) {
+	const allowPrivate = options?.allowPrivate ?? false;
+	const allowHttp = options?.allowHttp ?? false;
+	try {
+		let parsedUrl;
+		try {
+			parsedUrl = new URL(url);
+		} catch {
+			throw new Error(`Invalid URL: ${url}`);
+		}
+		const hostname = parsedUrl.hostname;
+		if (!hostname) throw new Error("URL missing hostname.");
+		if (isCloudMetadata(hostname)) throw new Error(`URL points to cloud metadata endpoint: ${hostname}`);
+		if (isLocalhost(hostname)) {
+			if (!allowPrivate) throw new Error(`URL points to localhost: ${hostname}`);
+			return url;
+		}
+		const scheme = parsedUrl.protocol;
+		if (scheme !== "http:" && scheme !== "https:") throw new Error(`Invalid URL scheme: ${scheme}. Only http and https are allowed.`);
+		if (scheme === "http:" && !allowHttp) throw new Error("HTTP scheme not allowed. Use HTTPS or set allowHttp: true.");
+		if (isIP(hostname)) {
+			const ip = hostname;
+			if (isLocalhost(hostname, ip)) {
+				if (!allowPrivate) throw new Error(`URL points to localhost: ${hostname}`);
+				return url;
+			}
+			if (isCloudMetadata(hostname, ip)) throw new Error(`URL resolves to cloud metadata IP: ${ip} (${hostname})`);
+			if (isPrivateIp(ip)) {
+				if (!allowPrivate) throw new Error(`URL resolves to private IP: ${ip} (${hostname}). Set allowPrivate: true to allow.`);
+			}
+			return url;
+		}
+		return url;
+	} catch (error) {
+		if (error && typeof error === "object" && "message" in error) throw error;
+		throw new Error(`URL validation failed: ${error}`);
+	}
+}
+/**
+* Check if a URL is safe to connect to (non-throwing version).
+*
+* @param url URL to check
+* @param options.allowPrivate Allow private IPs (default: false)
+* @param options.allowHttp Allow http:// scheme (default: false)
+* @returns true if URL is safe, false otherwise
+*/
+function isSafeUrl(url, options) {
+	try {
+		validateSafeUrl(url, options);
+		return true;
+	} catch {
+		return false;
+	}
+}
+/**
+* Check if two URLs have the same origin (scheme, host, port).
+* Uses semantic URL parsing to prevent SSRF bypasses via URL variations.
+*
+* @param url1 First URL
+* @param url2 Second URL
+* @returns true if both URLs have the same origin, false otherwise
+*/
+function isSameOrigin(url1, url2) {
+	try {
+		return new URL(url1).origin === new URL(url2).origin;
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+export { isCloudMetadata, isLocalhost, isPrivateIp, isSafeUrl, isSameOrigin, ssrf_exports, validateSafeUrl };
+//# sourceMappingURL=ssrf.js.map

package/dist/utils/ssrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf.js","names":["ip: string","result: number[]","parts","cidr: string","hostname: string","ip?: string","url: string","options?: { allowPrivate?: boolean; allowHttp?: boolean }","parsedUrl: URL","url1: string","url2: string"],"sources":["../../src/utils/ssrf.ts"],"sourcesContent":["// Private IP ranges (RFC 1918, loopback, link-local, etc.)\nconst PRIVATE_IP_RANGES = [\n  \"10.0.0.0/8\",\n  \"172.16.0.0/12\",\n  \"192.168.0.0/16\",\n  \"127.0.0.0/8\",\n  \"169.254.0.0/16\",\n  \"0.0.0.0/8\",\n  \"::1/128\",\n  \"fc00::/7\",\n  \"fe80::/10\",\n  \"ff00::/8\",\n];\n\n// Cloud metadata IPs\nconst CLOUD_METADATA_IPS = [\n  \"169.254.169.254\",\n  \"169.254.170.2\",\n  \"100.100.100.200\",\n];\n\n// Cloud metadata hostnames (case-insensitive)\nconst CLOUD_METADATA_HOSTNAMES = [\n  \"metadata.google.internal\",\n  \"metadata\",\n  \"instance-data\",\n];\n\n// Localhost variations\nconst LOCALHOST_NAMES = [\"localhost\", \"localhost.localdomain\"];\n\n/**\n * IPv4 regex: four octets 0-255\n */\nconst IPV4_REGEX =\n  /^(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$/;\n\n/**\n * Check if a string is a valid IPv4 address.\n */\nfunction isIPv4(ip: string): boolean {\n  return IPV4_REGEX.test(ip);\n}\n\n/**\n * Check if a string is a valid IPv6 address.\n * Uses expandIpv6 for validation.\n */\nfunction isIPv6(ip: string): boolean {\n  return expandIpv6(ip) !== null;\n}\n\n/**\n * Check if a string is a valid IP address (IPv4 or IPv6).\n */\nfunction isIP(ip: string): boolean {\n  return isIPv4(ip) || isIPv6(ip);\n}\n\n/**\n * Parse an IP address string to an array of integers (for IPv4) or an array of 16-bit values (for IPv6)\n * Returns null if the IP is invalid.\n */\nfunction parseIp(ip: string): number[] | null {\n  if (isIPv4(ip)) {\n    return ip.split(\".\").map((octet) => parseInt(octet, 10));\n  } else if (isIPv6(ip)) {\n    // Normalize IPv6\n    const expanded = expandIpv6(ip);\n    if (!expanded) return null;\n    const parts = expanded.split(\":\");\n    const result: number[] = [];\n    for (const part of parts) {\n      result.push(parseInt(part, 16));\n    }\n    return result;\n  }\n  return null;\n}\n\n/**\n * Expand compressed IPv6 address to full form.\n */\nfunction expandIpv6(ip: string): string | null {\n  // Basic structural validation\n  if (!ip || typeof ip !== \"string\") return null;\n\n  // Must contain at least one colon\n  if (!ip.includes(\":\")) return null;\n\n  // Check for invalid characters\n  if (!/^[0-9a-fA-F:]+$/.test(ip)) return null;\n\n  let normalized = ip;\n\n  // Handle :: compression\n  if (normalized.includes(\"::\")) {\n    const parts = normalized.split(\"::\");\n    if (parts.length > 2) return null; // Multiple :: is invalid\n\n    const [left, right] = parts;\n    const leftParts = left ? left.split(\":\") : [];\n    const rightParts = right ? right.split(\":\") : [];\n    const missing = 8 - (leftParts.length + rightParts.length);\n\n    if (missing < 0) return null;\n\n    const zeros = Array(missing).fill(\"0\");\n    normalized = [...leftParts, ...zeros, ...rightParts]\n      .filter((p) => p !== \"\")\n      .join(\":\");\n  }\n\n  const parts = normalized.split(\":\");\n  if (parts.length !== 8) return null;\n\n  // Validate each part is a valid hex group (1-4 chars)\n  for (const part of parts) {\n    if (part.length === 0 || part.length > 4) return null;\n    if (!/^[0-9a-fA-F]+$/.test(part)) return null;\n  }\n\n  return parts.map((p) => p.padStart(4, \"0\").toLowerCase()).join(\":\");\n}\n\n/**\n * Parse CIDR notation (e.g., \"192.168.0.0/24\") into network address and prefix length.\n */\nfunction parseCidr(\n  cidr: string\n): { addr: number[]; prefixLen: number; isIpv6: boolean } | null {\n  const [addrStr, prefixStr] = cidr.split(\"/\");\n  if (!addrStr || !prefixStr) {\n    return null;\n  }\n\n  const addr = parseIp(addrStr);\n  if (!addr) {\n    return null;\n  }\n\n  const prefixLen = parseInt(prefixStr, 10);\n  if (isNaN(prefixLen)) {\n    return null;\n  }\n\n  const isIpv6 = isIPv6(addrStr);\n\n  if (isIpv6 && prefixLen > 128) {\n    return null;\n  }\n  if (!isIpv6 && prefixLen > 32) {\n    return null;\n  }\n\n  return { addr, prefixLen, isIpv6 };\n}\n\n/**\n * Check if an IP address is in a given CIDR range.\n */\nfunction isIpInCidr(ip: string, cidr: string): boolean {\n  const ipParsed = parseIp(ip);\n  if (!ipParsed) {\n    return false;\n  }\n\n  const cidrParsed = parseCidr(cidr);\n  if (!cidrParsed) {\n    return false;\n  }\n\n  // Check IPv4 vs IPv6 mismatch\n  const isIpv6 = isIPv6(ip);\n  if (isIpv6 !== cidrParsed.isIpv6) {\n    return false;\n  }\n\n  const { addr: cidrAddr, prefixLen } = cidrParsed;\n\n  // Convert to bits and compare\n  if (isIpv6) {\n    // IPv6: each element is 16 bits\n    for (let i = 0; i < Math.ceil(prefixLen / 16); i++) {\n      const bitsToCheck = Math.min(16, prefixLen - i * 16);\n      const mask = (0xffff << (16 - bitsToCheck)) & 0xffff;\n      if ((ipParsed[i] & mask) !== (cidrAddr[i] & mask)) {\n        return false;\n      }\n    }\n  } else {\n    // IPv4: each element is 8 bits\n    for (let i = 0; i < Math.ceil(prefixLen / 8); i++) {\n      const bitsToCheck = Math.min(8, prefixLen - i * 8);\n      const mask = (0xff << (8 - bitsToCheck)) & 0xff;\n      if ((ipParsed[i] & mask) !== (cidrAddr[i] & mask)) {\n        return false;\n      }\n    }\n  }\n\n  return true;\n}\n\n/**\n * Check if an IP address is private (RFC 1918, loopback, link-local, etc.)\n */\nexport function isPrivateIp(ip: string): boolean {\n  // Validate it's a proper IP\n  if (!isIP(ip)) {\n    return false;\n  }\n\n  for (const range of PRIVATE_IP_RANGES) {\n    if (isIpInCidr(ip, range)) {\n      return true;\n    }\n  }\n\n  return false;\n}\n\n/**\n * Check if a hostname or IP is a known cloud metadata endpoint.\n */\nexport function isCloudMetadata(hostname: string, ip?: string): boolean {\n  // Check if it's a known metadata IP\n  if (CLOUD_METADATA_IPS.includes(ip || \"\")) {\n    return true;\n  }\n\n  // Check if hostname matches (case-insensitive)\n  const lowerHostname = hostname.toLowerCase();\n  if (CLOUD_METADATA_HOSTNAMES.includes(lowerHostname)) {\n    return true;\n  }\n\n  return false;\n}\n\n/**\n * Check if a hostname or IP is localhost.\n */\nexport function isLocalhost(hostname: string, ip?: string): boolean {\n  // Check if it's a localhost IP\n  if (ip) {\n    // Check for typical localhost IPs (loopback range)\n    if (ip === \"127.0.0.1\" || ip === \"::1\" || ip === \"0.0.0.0\") {\n      return true;\n    }\n    // Check if IP starts with 127. (entire loopback range)\n    if (ip.startsWith(\"127.\")) {\n      return true;\n    }\n  }\n\n  // Check if hostname is localhost\n  const lowerHostname = hostname.toLowerCase();\n  if (LOCALHOST_NAMES.includes(lowerHostname)) {\n    return true;\n  }\n\n  return false;\n}\n\n/**\n * Validate that a URL is safe to connect to.\n * Performs static validation checks against hostnames and direct IP addresses.\n * Does not perform DNS resolution.\n *\n * @param url URL to validate\n * @param options.allowPrivate Allow private IPs (default: false)\n * @param options.allowHttp Allow http:// scheme (default: false)\n * @returns The validated URL\n * @throws Error if URL is not safe\n */\nexport function validateSafeUrl(\n  url: string,\n  options?: { allowPrivate?: boolean; allowHttp?: boolean }\n): string {\n  const allowPrivate = options?.allowPrivate ?? false;\n  const allowHttp = options?.allowHttp ?? false;\n\n  try {\n    let parsedUrl: URL;\n    try {\n      parsedUrl = new URL(url);\n    } catch {\n      throw new Error(`Invalid URL: ${url}`);\n    }\n\n    const hostname = parsedUrl.hostname;\n    if (!hostname) {\n      throw new Error(\"URL missing hostname.\");\n    }\n\n    // Check if it's a cloud metadata endpoint (always blocked)\n    if (isCloudMetadata(hostname)) {\n      throw new Error(`URL points to cloud metadata endpoint: ${hostname}`);\n    }\n\n    // Check if it's localhost (blocked unless allowPrivate is true)\n    if (isLocalhost(hostname)) {\n      if (!allowPrivate) {\n        throw new Error(`URL points to localhost: ${hostname}`);\n      }\n      return url;\n    }\n\n    // Check scheme (after localhost checks to give better error messages)\n    const scheme = parsedUrl.protocol;\n    if (scheme !== \"http:\" && scheme !== \"https:\") {\n      throw new Error(\n        `Invalid URL scheme: ${scheme}. Only http and https are allowed.`\n      );\n    }\n\n    if (scheme === \"http:\" && !allowHttp) {\n      throw new Error(\n        \"HTTP scheme not allowed. Use HTTPS or set allowHttp: true.\"\n      );\n    }\n\n    // If hostname is already an IP, validate it directly\n    if (isIP(hostname)) {\n      const ip = hostname;\n\n      // Check if it's localhost first (before private IP check)\n      if (isLocalhost(hostname, ip)) {\n        if (!allowPrivate) {\n          throw new Error(`URL points to localhost: ${hostname}`);\n        }\n        return url;\n      }\n\n      // Cloud metadata is always blocked\n      if (isCloudMetadata(hostname, ip)) {\n        throw new Error(\n          `URL resolves to cloud metadata IP: ${ip} (${hostname})`\n        );\n      }\n\n      // Check private IPs\n      if (isPrivateIp(ip)) {\n        if (!allowPrivate) {\n          throw new Error(\n            `URL resolves to private IP: ${ip} (${hostname}). Set allowPrivate: true to allow.`\n          );\n        }\n      }\n\n      return url;\n    }\n\n    // For regular hostnames, we've already done all hostname-based checks above\n    // (cloud metadata, localhost). If those passed, the URL is safe.\n    // We don't perform DNS resolution in this environment-agnostic function.\n    return url;\n  } catch (error) {\n    if (error && typeof error === \"object\" && \"message\" in error) {\n      throw error;\n    }\n    throw new Error(`URL validation failed: ${error}`);\n  }\n}\n\n/**\n * Check if a URL is safe to connect to (non-throwing version).\n *\n * @param url URL to check\n * @param options.allowPrivate Allow private IPs (default: false)\n * @param options.allowHttp Allow http:// scheme (default: false)\n * @returns true if URL is safe, false otherwise\n */\nexport function isSafeUrl(\n  url: string,\n  options?: { allowPrivate?: boolean; allowHttp?: boolean }\n): boolean {\n  try {\n    validateSafeUrl(url, options);\n    return true;\n  } catch {\n    return false;\n  }\n}\n\n/**\n * Check if two URLs have the same origin (scheme, host, port).\n * Uses semantic URL parsing to prevent SSRF bypasses via URL variations.\n *\n * @param url1 First URL\n * @param url2 Second URL\n * @returns true if both URLs have the same origin, false otherwise\n */\nexport function isSameOrigin(url1: string, url2: string): boolean {\n  try {\n    return new URL(url1).origin === new URL(url2).origin;\n  } catch {\n    return false;\n  }\n}\n"],"mappings":";;;;;;;;;;;;AACA,MAAM,oBAAoB;CACxB;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AACD;AAGD,MAAM,qBAAqB;CACzB;CACA;CACA;AACD;AAGD,MAAM,2BAA2B;CAC/B;CACA;CACA;AACD;AAGD,MAAM,kBAAkB,CAAC,aAAa,uBAAwB;;;;AAK9D,MAAM,aACJ;;;;AAKF,SAAS,OAAOA,IAAqB;AACnC,QAAO,WAAW,KAAK,GAAG;AAC3B;;;;;AAMD,SAAS,OAAOA,IAAqB;AACnC,QAAO,WAAW,GAAG,KAAK;AAC3B;;;;AAKD,SAAS,KAAKA,IAAqB;AACjC,QAAO,OAAO,GAAG,IAAI,OAAO,GAAG;AAChC;;;;;AAMD,SAAS,QAAQA,IAA6B;AAC5C,KAAI,OAAO,GAAG,CACZ,QAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,UAAU,SAAS,OAAO,GAAG,CAAC;UAC/C,OAAO,GAAG,EAAE;EAErB,MAAM,WAAW,WAAW,GAAG;AAC/B,MAAI,CAAC,SAAU,QAAO;EACtB,MAAM,QAAQ,SAAS,MAAM,IAAI;EACjC,MAAMC,SAAmB,CAAE;AAC3B,OAAK,MAAM,QAAQ,OACjB,OAAO,KAAK,SAAS,MAAM,GAAG,CAAC;AAEjC,SAAO;CACR;AACD,QAAO;AACR;;;;AAKD,SAAS,WAAWD,IAA2B;AAE7C,KAAI,CAAC,MAAM,OAAO,OAAO,SAAU,QAAO;AAG1C,KAAI,CAAC,GAAG,SAAS,IAAI,CAAE,QAAO;AAG9B,KAAI,CAAC,kBAAkB,KAAK,GAAG,CAAE,QAAO;CAExC,IAAI,aAAa;AAGjB,KAAI,WAAW,SAAS,KAAK,EAAE;EAC7B,MAAME,UAAQ,WAAW,MAAM,KAAK;AACpC,MAAIA,QAAM,SAAS,EAAG,QAAO;EAE7B,MAAM,CAAC,MAAM,MAAM,GAAGA;EACtB,MAAM,YAAY,OAAO,KAAK,MAAM,IAAI,GAAG,CAAE;EAC7C,MAAM,aAAa,QAAQ,MAAM,MAAM,IAAI,GAAG,CAAE;EAChD,MAAM,UAAU,KAAK,UAAU,SAAS,WAAW;AAEnD,MAAI,UAAU,EAAG,QAAO;EAExB,MAAM,QAAQ,MAAM,QAAQ,CAAC,KAAK,IAAI;EACtC,aAAa;GAAC,GAAG;GAAW,GAAG;GAAO,GAAG;EAAW,EACjD,OAAO,CAAC,MAAM,MAAM,GAAG,CACvB,KAAK,IAAI;CACb;CAED,MAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,KAAI,MAAM,WAAW,EAAG,QAAO;AAG/B,MAAK,MAAM,QAAQ,OAAO;AACxB,MAAI,KAAK,WAAW,KAAK,KAAK,SAAS,EAAG,QAAO;AACjD,MAAI,CAAC,iBAAiB,KAAK,KAAK,CAAE,QAAO;CAC1C;AAED,QAAO,MAAM,IAAI,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,KAAK,IAAI;AACpE;;;;AAKD,SAAS,UACPC,MAC+D;CAC/D,MAAM,CAAC,SAAS,UAAU,GAAG,KAAK,MAAM,IAAI;AAC5C,KAAI,CAAC,WAAW,CAAC,UACf,QAAO;CAGT,MAAM,OAAO,QAAQ,QAAQ;AAC7B,KAAI,CAAC,KACH,QAAO;CAGT,MAAM,YAAY,SAAS,WAAW,GAAG;AACzC,KAAI,MAAM,UAAU,CAClB,QAAO;CAGT,MAAM,SAAS,OAAO,QAAQ;AAE9B,KAAI,UAAU,YAAY,IACxB,QAAO;AAET,KAAI,CAAC,UAAU,YAAY,GACzB,QAAO;AAGT,QAAO;EAAE;EAAM;EAAW;CAAQ;AACnC;;;;AAKD,SAAS,WAAWH,IAAYG,MAAuB;CACrD,MAAM,WAAW,QAAQ,GAAG;AAC5B,KAAI,CAAC,SACH,QAAO;CAGT,MAAM,aAAa,UAAU,KAAK;AAClC,KAAI,CAAC,WACH,QAAO;CAIT,MAAM,SAAS,OAAO,GAAG;AACzB,KAAI,WAAW,WAAW,OACxB,QAAO;CAGT,MAAM,EAAE,MAAM,UAAU,WAAW,GAAG;AAGtC,KAAI,OAEF,MAAK,IAAI,IAAI,GAAG,IAAI,KAAK,KAAK,YAAY,GAAG,EAAE,KAAK;EAClD,MAAM,cAAc,KAAK,IAAI,IAAI,YAAY,IAAI,GAAG;EACpD,MAAM,OAAQ,SAAW,KAAK,cAAgB;AAC9C,OAAK,SAAS,KAAK,WAAW,SAAS,KAAK,MAC1C,QAAO;CAEV;KAGD,MAAK,IAAI,IAAI,GAAG,IAAI,KAAK,KAAK,YAAY,EAAE,EAAE,KAAK;EACjD,MAAM,cAAc,KAAK,IAAI,GAAG,YAAY,IAAI,EAAE;EAClD,MAAM,OAAQ,OAAS,IAAI,cAAgB;AAC3C,OAAK,SAAS,KAAK,WAAW,SAAS,KAAK,MAC1C,QAAO;CAEV;AAGH,QAAO;AACR;;;;AAKD,SAAgB,YAAYH,IAAqB;AAE/C,KAAI,CAAC,KAAK,GAAG,CACX,QAAO;AAGT,MAAK,MAAM,SAAS,kBAClB,KAAI,WAAW,IAAI,MAAM,CACvB,QAAO;AAIX,QAAO;AACR;;;;AAKD,SAAgB,gBAAgBI,UAAkBC,IAAsB;AAEtE,KAAI,mBAAmB,SAAS,MAAM,GAAG,CACvC,QAAO;CAIT,MAAM,gBAAgB,SAAS,aAAa;AAC5C,KAAI,yBAAyB,SAAS,cAAc,CAClD,QAAO;AAGT,QAAO;AACR;;;;AAKD,SAAgB,YAAYD,UAAkBC,IAAsB;AAElE,KAAI,IAAI;AAEN,MAAI,OAAO,eAAe,OAAO,SAAS,OAAO,UAC/C,QAAO;AAGT,MAAI,GAAG,WAAW,OAAO,CACvB,QAAO;CAEV;CAGD,MAAM,gBAAgB,SAAS,aAAa;AAC5C,KAAI,gBAAgB,SAAS,cAAc,CACzC,QAAO;AAGT,QAAO;AACR;;;;;;;;;;;;AAaD,SAAgB,gBACdC,KACAC,SACQ;CACR,MAAM,eAAe,SAAS,gBAAgB;CAC9C,MAAM,YAAY,SAAS,aAAa;AAExC,KAAI;EACF,IAAIC;AACJ,MAAI;GACF,YAAY,IAAI,IAAI;EACrB,QAAO;AACN,SAAM,IAAI,MAAM,CAAC,aAAa,EAAE,KAAK;EACtC;EAED,MAAM,WAAW,UAAU;AAC3B,MAAI,CAAC,SACH,OAAM,IAAI,MAAM;AAIlB,MAAI,gBAAgB,SAAS,CAC3B,OAAM,IAAI,MAAM,CAAC,uCAAuC,EAAE,UAAU;AAItE,MAAI,YAAY,SAAS,EAAE;AACzB,OAAI,CAAC,aACH,OAAM,IAAI,MAAM,CAAC,yBAAyB,EAAE,UAAU;AAExD,UAAO;EACR;EAGD,MAAM,SAAS,UAAU;AACzB,MAAI,WAAW,WAAW,WAAW,SACnC,OAAM,IAAI,MACR,CAAC,oBAAoB,EAAE,OAAO,kCAAkC,CAAC;AAIrE,MAAI,WAAW,WAAW,CAAC,UACzB,OAAM,IAAI,MACR;AAKJ,MAAI,KAAK,SAAS,EAAE;GAClB,MAAM,KAAK;AAGX,OAAI,YAAY,UAAU,GAAG,EAAE;AAC7B,QAAI,CAAC,aACH,OAAM,IAAI,MAAM,CAAC,yBAAyB,EAAE,UAAU;AAExD,WAAO;GACR;AAGD,OAAI,gBAAgB,UAAU,GAAG,CAC/B,OAAM,IAAI,MACR,CAAC,mCAAmC,EAAE,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;AAK5D,OAAI,YAAY,GAAG,EACjB;QAAI,CAAC,aACH,OAAM,IAAI,MACR,CAAC,4BAA4B,EAAE,GAAG,EAAE,EAAE,SAAS,mCAAmC,CAAC;GAEtF;AAGH,UAAO;EACR;AAKD,SAAO;CACR,SAAQ,OAAO;AACd,MAAI,SAAS,OAAO,UAAU,YAAY,aAAa,MACrD,OAAM;AAER,QAAM,IAAI,MAAM,CAAC,uBAAuB,EAAE,OAAO;CAClD;AACF;;;;;;;;;AAUD,SAAgB,UACdF,KACAC,SACS;AACT,KAAI;EACF,gBAAgB,KAAK,QAAQ;AAC7B,SAAO;CACR,QAAO;AACN,SAAO;CACR;AACF;;;;;;;;;AAUD,SAAgB,aAAaE,MAAcC,MAAuB;AAChE,KAAI;AACF,SAAO,IAAI,IAAI,MAAM,WAAW,IAAI,IAAI,MAAM;CAC/C,QAAO;AACN,SAAO;CACR;AACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@langchain/core",
-  "version": "1.1.20",
+  "version": "1.1.22",
   "description": "Core LangChain.js abstractions and schemas",
   "type": "module",
   "engines": {
@@ -688,6 +688,17 @@
         "default": "./dist/utils/math.js"
       }
     },
+    "./utils/ssrf": {
+      "input": "./src/utils/ssrf.ts",
+      "require": {
+        "types": "./dist/utils/ssrf.d.cts",
+        "default": "./dist/utils/ssrf.cjs"
+      },
+      "import": {
+        "types": "./dist/utils/ssrf.d.ts",
+        "default": "./dist/utils/ssrf.js"
+      }
+    },
     "./utils/stream": {
       "input": "./src/utils/stream.ts",
       "require": {

package/utils/ssrf.cjs

@@ -0,0 +1 @@
+module.exports = require("../dist/utils/ssrf.cjs");

package/utils/ssrf.d.cts

@@ -0,0 +1 @@
+export * from "../dist/utils/ssrf.js";

package/utils/ssrf.d.ts

@@ -0,0 +1 @@
+export * from "../dist/utils/ssrf.js";

package/utils/ssrf.js

@@ -0,0 +1 @@
+export * from "../dist/utils/ssrf.js";