npm - @zuplo/cli - Versions diffs - 6.70.61 → 6.70.63 - Mend

@zuplo/cli 6.70.61 → 6.70.63

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/node_modules/@zuplo/runtime/out/types/index.d.ts CHANGED Viewed

@@ -176,6 +176,22 @@ export declare class AIGatewayMeteringInboundPolicy extends InboundPolicy<AIGate
     increments: AIGatewayMeterIncrements
   ): void;
   static getIncrements(context: ZuploContext): AIGatewayMeterIncrements;
+  /**
+   * Record the global quota fallback models for the current request. Set by the
+   * metering policy when a quota is exceeded and a fallback is configured; read
+   * by the LLM translation handler, which routes to the capability-appropriate
+   * model instead of the (over-budget) primary.
+   *
+   * @param context - The ZuploContext
+   * @param quotaFallback - The validated quota fallback models.
+   */
+  static setQuotaFallback(
+    context: ZuploContext,
+    quotaFallback: QuotaFallbackModels
+  ): void;
+  static getQuotaFallback(
+    context: ZuploContext
+  ): QuotaFallbackModels | undefined;
   constructor(
     options: AIGatewayMeteringInboundPolicyOptions,
     policyName: string
@@ -185,6 +201,23 @@ export declare class AIGatewayMeteringInboundPolicy extends InboundPolicy<AIGate
     context: ZuploContext
   ): Promise<Response | ZuploRequest<RequestGeneric_2>>;
   private fetchCurrentMeters;
+  /**
+   * The capability a request targets, derived from its path, or `undefined` for
+   * paths that do not support quota fallback (e.g. `/v1/responses`, which the LLM
+   * handler serves without the fallback chain). Used to decide whether a quota
+   * fallback actually applies to *this* request.
+   */
+  private requestCapability;
+  /**
+   * Validate and return the configured quota fallback when it applies to *this*
+   * request's capability, or `undefined` otherwise (no config, malformed config,
+   * an unsupported path, or no model configured for the request's capability).
+   * Returning `undefined` blocks the request with a 429 — so a fallback is only
+   * counted and applied when the handler can actually serve the request with it.
+   * The config is customer-authored and reaches us through an `unknown` cast, so
+   * we validate it through Zod before acting on it.
+   */
+  private resolveQuotaFallback;
   private checkHierarchicalQuotaLimits;
   /**
    * Increment meters via API. Can be used by providers for streaming responses.
@@ -2969,6 +3002,7 @@ declare const EventType: {
   readonly AI_GATEWAY_LATENCY_HISTOGRAM: "ai_gateway_latency_histogram";
   readonly AI_GATEWAY_WARNING_COUNT: "ai_gateway_warning_count";
   readonly AI_GATEWAY_BLOCKED_COUNT: "ai_gateway_blocked_count";
+  readonly AI_GATEWAY_FALLBACK_COUNT: "ai_gateway_fallback_count";
   readonly MCP_REQUEST_RECEIVED: "mcp_request_received";
   readonly MCP_REQUEST_COMPLETED: "mcp_request_completed";
   readonly MCP_REQUEST_REJECTED: "mcp_request_rejected";
@@ -2995,6 +3029,7 @@ declare const EventType: {
   readonly MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED: "mcp_auth_upstream_credential_resolved";
   readonly MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING: "mcp_auth_upstream_credential_missing";
   readonly MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED: "mcp_auth_upstream_reconsent_required";
+  readonly GRAPHQL_OPERATION: "graphql_operation";
 };
 declare type EventType = (typeof EventType)[keyof typeof EventType];
@@ -6843,6 +6878,12 @@ export declare interface MockApiInboundOptions {
  */
 export declare const MockApiInboundPolicy: InboundPolicyHandler<MockApiInboundOptions>;
+declare interface ModelConfiguration {
+  environmentVariable: string;
+  model: string;
+  provider: string;
+}
 declare type Modify<T, R> = Omit<T, keyof R> & R;
 declare interface MoesifContext {
@@ -8666,6 +8707,15 @@ export declare interface QuotaDetail {
   };
 }
+/**
+ * Global quota fallback models, keyed by capability. Applied whenever any
+ * configured quota limit (any meter/period) is exceeded.
+ */
+declare interface QuotaFallbackModels {
+  completions?: ModelConfiguration;
+  embeddings?: ModelConfiguration;
+}
 /**
  * The Quota policy enables you to set monthly, weekly, daily or hourly quotas on your API.
  *
@@ -11211,7 +11261,8 @@ declare interface ZuploAnalyticsContext {
     value: number,
     eventType: EventType,
     metadata: JsonObject,
-    unit?: string
+    unit?: string,
+    eventId?: string
   ): void;
   flushAnalyticsEvents(): ZuploAnalyticsEvent[];
   getAnalyticsEvents(): ZuploAnalyticsEvent[];

package/node_modules/@zuplo/runtime/out/types/mcp-gateway/index.d.ts CHANGED Viewed

@@ -103,6 +103,7 @@ declare const EventType: {
   readonly AI_GATEWAY_LATENCY_HISTOGRAM: "ai_gateway_latency_histogram";
   readonly AI_GATEWAY_WARNING_COUNT: "ai_gateway_warning_count";
   readonly AI_GATEWAY_BLOCKED_COUNT: "ai_gateway_blocked_count";
+  readonly AI_GATEWAY_FALLBACK_COUNT: "ai_gateway_fallback_count";
   readonly MCP_REQUEST_RECEIVED: "mcp_request_received";
   readonly MCP_REQUEST_COMPLETED: "mcp_request_completed";
   readonly MCP_REQUEST_REJECTED: "mcp_request_rejected";
@@ -129,6 +130,7 @@ declare const EventType: {
   readonly MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED: "mcp_auth_upstream_credential_resolved";
   readonly MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING: "mcp_auth_upstream_credential_missing";
   readonly MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED: "mcp_auth_upstream_reconsent_required";
+  readonly GRAPHQL_OPERATION: "graphql_operation";
 };
 declare type EventType = (typeof EventType)[keyof typeof EventType];
@@ -3277,7 +3279,8 @@ declare interface ZuploAnalyticsContext {
     value: number,
     eventType: EventType,
     metadata: JsonObject,
-    unit?: string
+    unit?: string,
+    eventId?: string
   ): void;
   flushAnalyticsEvents(): ZuploAnalyticsEvent[];
   getAnalyticsEvents(): ZuploAnalyticsEvent[];

package/node_modules/@zuplo/runtime/out/types/mocks/index.d.ts CHANGED Viewed

@@ -84,6 +84,7 @@ declare const EventType: {
   readonly AI_GATEWAY_LATENCY_HISTOGRAM: "ai_gateway_latency_histogram";
   readonly AI_GATEWAY_WARNING_COUNT: "ai_gateway_warning_count";
   readonly AI_GATEWAY_BLOCKED_COUNT: "ai_gateway_blocked_count";
+  readonly AI_GATEWAY_FALLBACK_COUNT: "ai_gateway_fallback_count";
   readonly MCP_REQUEST_RECEIVED: "mcp_request_received";
   readonly MCP_REQUEST_COMPLETED: "mcp_request_completed";
   readonly MCP_REQUEST_REJECTED: "mcp_request_rejected";
@@ -110,6 +111,7 @@ declare const EventType: {
   readonly MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED: "mcp_auth_upstream_credential_resolved";
   readonly MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING: "mcp_auth_upstream_credential_missing";
   readonly MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED: "mcp_auth_upstream_reconsent_required";
+  readonly GRAPHQL_OPERATION: "graphql_operation";
 };
 declare type EventType = (typeof EventType)[keyof typeof EventType];
@@ -1621,7 +1623,8 @@ declare interface ZuploAnalyticsContext {
     value: number,
     eventType: EventType,
     metadata: JsonObject,
-    unit?: string
+    unit?: string,
+    eventId?: string
   ): void;
   flushAnalyticsEvents(): ZuploAnalyticsEvent[];
   getAnalyticsEvents(): ZuploAnalyticsEvent[];

package/node_modules/@zuplo/runtime/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@zuplo/runtime",
   "type": "module",
-  "version": "6.70.61",
+  "version": "6.70.63",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "exports": {

package/node_modules/axios/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,47 @@
 # Changelog
+## v1.16.1 — May 13, 2026
+This release ships a defence-in-depth fix for prototype pollution in `formDataToJSON`, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.
+## 🔒 Security Fixes
+* **Prototype Pollution Defence-in-Depth:** Hardened `formDataToJSON` against already-polluted `Object.prototype` by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (__#7413__)
+* **Proxy Cleartext Leak:** Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (__#10858__)
+* **CI Cache Removal:** Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (__#10882__)
+## 🐛 Bug Fixes
+* **Data URI Parsing:** Updated the `fromDataURI` regex to match RFC 2397 more strictly, fixing edge cases in `data:` URL handling. (__#10829__)
+* **Unicode Headers:** Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (__#10850__)
+* **XHR Upload Progress:** Guarded against malformed `ProgressEvent` payloads emitted by some environments during XHR upload, preventing crashes when `loaded` / `total` are missing or invalid. (__#10868__)
+* **Webpack 4 Fetch Adapter:** Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (__#10864__)
+* **Type Definitions:** Made `parseReviver` `context.source` optional in the type definitions to align with the ES2023 specification. (__#10837__)
+* **URL Object Support Reverted:** Reverted the change that allowed passing a `URL` object as `config.url` (originally __#10866__) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (__#10874__)
+## 🔧 Maintenance & Chores
+* **Cycle Detection Refactor:** Replaced the array-based cycle tracker in `toJSONObject` with a `WeakSet`, improving performance and memory behaviour on large nested structures. (__#10832__)
+* **composeSignals Cleanup:** Refactored `composeSignals` to use a clearer early-return structure, simplifying the cancellation/abort composition path. (__#10844__)
+* **AI Readiness & Repo Docs:** Added `AGENTS.md` and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (__#10835__, __#10841__)
+* **Docs Improvements:** Clarified the GET request example, fixed the interceptor `eject` example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (__#10836__, __#10853__, __#10856__)
+* **Sponsorship Tooling:** Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (__#10843__, __#10859__, __#10869__)
+* **Dependencies:** Bumped `@commitlint/cli` from 20.5.0 to 20.5.2. (__#10846__)
+## 🌟 New Contributors
+We are thrilled to welcome our new contributors. Thank you for helping improve axios:
+* __@hpinmetaverse__ (__#10836__)
+* __@tommyhgunz14__ (__#7413__)
+* __@abhu85__ (__#10829__)
+* __@divyanshuraj1095__ (__#10853__)
+* __@sagodi97__ (__#10856__)
+* __@rkdfx__ (__#10868__)
+* __@Liuwei1125__ (__#10866__)
+[Full Changelog](https://github.com/axios/axios/compare/v1.16.0...v1.16.1)
 ## v1.16.0 — May 2, 2026
 This release adds support for the QUERY HTTP method and a new `ECONNREFUSED` error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.