@zuplo/cli 6.70.71 → 6.71.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/node_modules/@fastify/reply-from/node_modules/undici/docs/docs/api/Client.md +3 -0
  2. package/node_modules/@fastify/reply-from/node_modules/undici/docs/docs/api/Cookies.md +27 -0
  3. package/node_modules/@fastify/reply-from/node_modules/undici/docs/docs/api/Socks5ProxyAgent.md +1 -0
  4. package/node_modules/@fastify/reply-from/node_modules/undici/lib/core/socks5-client.js +14 -4
  5. package/node_modules/@fastify/reply-from/node_modules/undici/lib/core/socks5-utils.js +18 -4
  6. package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/agent.js +1 -1
  7. package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/balanced-pool.js +1 -1
  8. package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/client-h1.js +69 -1
  9. package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/client.js +3 -2
  10. package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/dispatcher-base.js +19 -0
  11. package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/pool.js +1 -1
  12. package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/proxy-agent.js +2 -1
  13. package/node_modules/@fastify/reply-from/node_modules/undici/lib/dispatcher/socks5-proxy-agent.js +45 -34
  14. package/node_modules/@fastify/reply-from/node_modules/undici/lib/util/cache.js +8 -2
  15. package/node_modules/@fastify/reply-from/node_modules/undici/lib/web/cookies/parse.js +17 -25
  16. package/node_modules/@fastify/reply-from/node_modules/undici/lib/web/websocket/permessage-deflate.js +13 -31
  17. package/node_modules/@fastify/reply-from/node_modules/undici/lib/web/websocket/receiver.js +80 -23
  18. package/node_modules/@fastify/reply-from/node_modules/undici/lib/web/websocket/stream/websocketstream.js +8 -1
  19. package/node_modules/@fastify/reply-from/node_modules/undici/lib/web/websocket/websocket.js +8 -1
  20. package/node_modules/@fastify/reply-from/node_modules/undici/package.json +1 -1
  21. package/node_modules/@fastify/reply-from/node_modules/undici/types/client.d.ts +16 -0
  22. package/node_modules/@zuplo/core/package.json +1 -1
  23. package/node_modules/@zuplo/graphql/package.json +1 -1
  24. package/node_modules/@zuplo/openapi-tools/package.json +1 -1
  25. package/node_modules/@zuplo/otel/package.json +1 -1
  26. package/node_modules/@zuplo/runtime/package.json +1 -1
  27. package/node_modules/axios/CHANGELOG.md +52 -1
  28. package/node_modules/axios/README.md +30 -2
  29. package/node_modules/axios/dist/axios.js +350 -134
  30. package/node_modules/axios/dist/axios.min.js +3 -3
  31. package/node_modules/axios/dist/axios.min.js.map +1 -1
  32. package/node_modules/axios/dist/browser/axios.cjs +355 -90
  33. package/node_modules/axios/dist/esm/axios.js +355 -90
  34. package/node_modules/axios/dist/esm/axios.min.js +2 -2
  35. package/node_modules/axios/dist/esm/axios.min.js.map +1 -1
  36. package/node_modules/axios/dist/node/axios.cjs +399 -104
  37. package/node_modules/axios/index.d.cts +2 -0
  38. package/node_modules/axios/index.d.ts +2 -0
  39. package/node_modules/axios/lib/adapters/fetch.js +113 -37
  40. package/node_modules/axios/lib/adapters/http.js +132 -43
  41. package/node_modules/axios/lib/core/Axios.js +3 -2
  42. package/node_modules/axios/lib/core/AxiosHeaders.js +10 -7
  43. package/node_modules/axios/lib/core/buildFullPath.js +29 -1
  44. package/node_modules/axios/lib/core/mergeConfig.js +34 -0
  45. package/node_modules/axios/lib/defaults/transitional.js +1 -0
  46. package/node_modules/axios/lib/env/data.js +1 -1
  47. package/node_modules/axios/lib/helpers/buildURL.js +5 -3
  48. package/node_modules/axios/lib/helpers/estimateDataURLDecodedBytes.js +16 -11
  49. package/node_modules/axios/lib/helpers/formDataToJSON.js +25 -3
  50. package/node_modules/axios/lib/helpers/resolveConfig.js +5 -3
  51. package/node_modules/axios/lib/helpers/shouldBypassProxy.js +33 -1
  52. package/node_modules/axios/lib/helpers/toFormData.js +40 -10
  53. package/node_modules/axios/lib/utils.js +75 -11
  54. package/node_modules/axios/package.json +1 -1
  55. package/node_modules/body-parser/README.md +16 -1
  56. package/node_modules/body-parser/index.js +4 -20
  57. package/node_modules/body-parser/lib/read.js +17 -17
  58. package/node_modules/body-parser/lib/types/json.js +60 -32
  59. package/node_modules/body-parser/lib/types/raw.js +3 -3
  60. package/node_modules/body-parser/lib/types/text.js +3 -3
  61. package/node_modules/body-parser/lib/types/urlencoded.js +16 -20
  62. package/node_modules/body-parser/lib/utils.js +18 -16
  63. package/node_modules/body-parser/node_modules/content-type/LICENSE +22 -0
  64. package/node_modules/body-parser/node_modules/content-type/README.md +69 -0
  65. package/node_modules/body-parser/node_modules/content-type/dist/index.d.ts +26 -0
  66. package/node_modules/body-parser/node_modules/content-type/dist/index.js +170 -0
  67. package/node_modules/body-parser/node_modules/content-type/dist/index.js.map +1 -0
  68. package/node_modules/body-parser/node_modules/content-type/package.json +52 -0
  69. package/node_modules/body-parser/node_modules/http-errors/HISTORY.md +186 -0
  70. package/node_modules/body-parser/node_modules/http-errors/LICENSE +23 -0
  71. package/node_modules/body-parser/node_modules/http-errors/README.md +169 -0
  72. package/node_modules/body-parser/node_modules/http-errors/index.js +290 -0
  73. package/node_modules/body-parser/node_modules/http-errors/package.json +54 -0
  74. package/node_modules/body-parser/package.json +23 -10
  75. package/node_modules/form-data/CHANGELOG.md +29 -2
  76. package/node_modules/form-data/README.md +4 -4
  77. package/node_modules/form-data/lib/form_data.js +14 -2
  78. package/node_modules/form-data/package.json +7 -7
  79. package/package.json +6 -6
@@ -1,8 +1,34 @@
1
1
  'use strict';
2
2
 
3
+ import AxiosError from './AxiosError.js';
3
4
  import isAbsoluteURL from '../helpers/isAbsoluteURL.js';
4
5
  import combineURLs from '../helpers/combineURLs.js';
5
6
 
7
+ const malformedHttpProtocol = /^https?:(?!\/\/)/i;
8
+ const httpProtocolControlCharacters = /[\t\n\r]/g;
9
+
10
+ function stripLeadingC0ControlOrSpace(url) {
11
+ let i = 0;
12
+ while (i < url.length && url.charCodeAt(i) <= 0x20) {
13
+ i++;
14
+ }
15
+ return url.slice(i);
16
+ }
17
+
18
+ function normalizeURLForProtocolCheck(url) {
19
+ return stripLeadingC0ControlOrSpace(url).replace(httpProtocolControlCharacters, '');
20
+ }
21
+
22
+ function assertValidHttpProtocolURL(url, config) {
23
+ if (typeof url === 'string' && malformedHttpProtocol.test(normalizeURLForProtocolCheck(url))) {
24
+ throw new AxiosError(
25
+ 'Invalid URL: missing "//" after protocol',
26
+ AxiosError.ERR_INVALID_URL,
27
+ config
28
+ );
29
+ }
30
+ }
31
+
6
32
  /**
7
33
  * Creates a new URL by combining the baseURL with the requestedURL,
8
34
  * only when the requestedURL is not already an absolute URL.
@@ -13,9 +39,11 @@ import combineURLs from '../helpers/combineURLs.js';
13
39
  *
14
40
  * @returns {string} The combined full path
15
41
  */
16
- export default function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
42
+ export default function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls, config) {
43
+ assertValidHttpProtocolURL(requestedURL, config);
17
44
  let isRelativeUrl = !isAbsoluteURL(requestedURL);
18
45
  if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) {
46
+ assertValidHttpProtocolURL(baseURL, config);
19
47
  return combineURLs(baseURL, requestedURL);
20
48
  }
21
49
  return requestedURL;
@@ -68,6 +68,28 @@ export default function mergeConfig(config1, config2) {
68
68
  }
69
69
  }
70
70
 
71
+ function getMergedTransitionalOption(prop) {
72
+ const transitional2 = utils.hasOwnProp(config2, 'transitional') ? config2.transitional : undefined;
73
+
74
+ if (!utils.isUndefined(transitional2)) {
75
+ if (utils.isPlainObject(transitional2)) {
76
+ if (utils.hasOwnProp(transitional2, prop)) {
77
+ return transitional2[prop];
78
+ }
79
+ } else {
80
+ return undefined;
81
+ }
82
+ }
83
+
84
+ const transitional1 = utils.hasOwnProp(config1, 'transitional') ? config1.transitional : undefined;
85
+
86
+ if (utils.isPlainObject(transitional1) && utils.hasOwnProp(transitional1, prop)) {
87
+ return transitional1[prop];
88
+ }
89
+
90
+ return undefined;
91
+ }
92
+
71
93
  // eslint-disable-next-line consistent-return
72
94
  function mergeDirectKeys(a, b, prop) {
73
95
  if (utils.hasOwnProp(config2, prop)) {
@@ -120,5 +142,17 @@ export default function mergeConfig(config1, config2) {
120
142
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
121
143
  });
122
144
 
145
+ if (
146
+ utils.hasOwnProp(config2, 'validateStatus') &&
147
+ utils.isUndefined(config2.validateStatus) &&
148
+ getMergedTransitionalOption('validateStatusUndefinedResolves') === false
149
+ ) {
150
+ if (utils.hasOwnProp(config1, 'validateStatus')) {
151
+ config.validateStatus = getMergedValue(undefined, config1.validateStatus);
152
+ } else {
153
+ delete config.validateStatus;
154
+ }
155
+ }
156
+
123
157
  return config;
124
158
  }
@@ -6,4 +6,5 @@ export default {
6
6
  clarifyTimeoutError: false,
7
7
  legacyInterceptorReqResOrdering: true,
8
8
  advertiseZstdAcceptEncoding: false,
9
+ validateStatusUndefinedResolves: true,
9
10
  };
@@ -1 +1 @@
1
- export const VERSION = "1.17.0";
1
+ export const VERSION = "1.18.0";
@@ -33,15 +33,17 @@ export default function buildURL(url, params, options) {
33
33
  return url;
34
34
  }
35
35
 
36
- const _encode = (options && options.encode) || encode;
37
-
38
36
  const _options = utils.isFunction(options)
39
37
  ? {
40
38
  serialize: options,
41
39
  }
42
40
  : options;
43
41
 
44
- const serializeFn = _options && _options.serialize;
42
+ // Read serializer options pollution-safely: own properties and methods on a
43
+ // class/template prototype are honored, but values injected onto a polluted
44
+ // Object.prototype are ignored.
45
+ const _encode = utils.getSafeProp(_options, 'encode') || encode;
46
+ const serializeFn = utils.getSafeProp(_options, 'serialize');
45
47
 
46
48
  let serializedParams;
47
49
 
@@ -2,11 +2,19 @@
2
2
  * Estimate decoded byte length of a data:// URL *without* allocating large buffers.
3
3
  * - For base64: compute exact decoded size using length and padding;
4
4
  * handle %XX at the character-count level (no string allocation).
5
- * - For non-base64: use UTF-8 byteLength of the encoded body as a safe upper bound.
5
+ * - For non-base64: compute the exact percent-decoded UTF-8 byte length.
6
6
  *
7
7
  * @param {string} url
8
8
  * @returns {number}
9
9
  */
10
+ const isHexDigit = (charCode) =>
11
+ (charCode >= 48 && charCode <= 57) ||
12
+ (charCode >= 65 && charCode <= 70) ||
13
+ (charCode >= 97 && charCode <= 102);
14
+
15
+ const isPercentEncodedByte = (str, i, len) =>
16
+ i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
17
+
10
18
  export default function estimateDataURLDecodedBytes(url) {
11
19
  if (!url || typeof url !== 'string') return 0;
12
20
  if (!url.startsWith('data:')) return 0;
@@ -26,9 +34,7 @@ export default function estimateDataURLDecodedBytes(url) {
26
34
  if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
27
35
  const a = body.charCodeAt(i + 1);
28
36
  const b = body.charCodeAt(i + 2);
29
- const isHex =
30
- ((a >= 48 && a <= 57) || (a >= 65 && a <= 70) || (a >= 97 && a <= 102)) &&
31
- ((b >= 48 && b <= 57) || (b >= 65 && b <= 70) || (b >= 97 && b <= 102));
37
+ const isHex = isHexDigit(a) && isHexDigit(b);
32
38
 
33
39
  if (isHex) {
34
40
  effectiveLen -= 2;
@@ -69,18 +75,17 @@ export default function estimateDataURLDecodedBytes(url) {
69
75
  return bytes > 0 ? bytes : 0;
70
76
  }
71
77
 
72
- if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
73
- return Buffer.byteLength(body, 'utf8');
74
- }
75
-
76
78
  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
77
79
  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
78
- // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
79
- // but 3 UTF-8 bytes).
80
+ // Valid %XX triplets count as one decoded byte; this matches the bytes that
81
+ // decodeURIComponent(body) would produce before Buffer re-encodes the string.
80
82
  let bytes = 0;
81
83
  for (let i = 0, len = body.length; i < len; i++) {
82
84
  const c = body.charCodeAt(i);
83
- if (c < 0x80) {
85
+ if (c === 37 /* '%' */ && isPercentEncodedByte(body, i, len)) {
86
+ bytes += 1;
87
+ i += 2;
88
+ } else if (c < 0x80) {
84
89
  bytes += 1;
85
90
  } else if (c < 0x800) {
86
91
  bytes += 2;
@@ -1,6 +1,19 @@
1
1
  'use strict';
2
2
 
3
3
  import utils from '../utils.js';
4
+ import AxiosError from '../core/AxiosError.js';
5
+ import { DEFAULT_FORM_DATA_MAX_DEPTH } from './toFormData.js';
6
+
7
+ const MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
8
+
9
+ function throwIfDepthExceeded(index) {
10
+ if (index > MAX_DEPTH) {
11
+ throw new AxiosError(
12
+ 'FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH,
13
+ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
14
+ );
15
+ }
16
+ }
4
17
 
5
18
  /**
6
19
  * It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
@@ -14,9 +27,16 @@ function parsePropPath(name) {
14
27
  // foo.x.y.z
15
28
  // foo-x-y-z
16
29
  // foo x y z
17
- return utils.matchAll(/\w+|\[(\w*)]/g, name).map((match) => {
18
- return match[0] === '[]' ? '' : match[1] || match[0];
19
- });
30
+ const path = [];
31
+ const pattern = /\w+|\[(\w*)]/g;
32
+ let match;
33
+
34
+ while ((match = pattern.exec(name)) !== null) {
35
+ throwIfDepthExceeded(path.length);
36
+ path.push(match[0] === '[]' ? '' : match[1] || match[0]);
37
+ }
38
+
39
+ return path;
20
40
  }
21
41
 
22
42
  /**
@@ -48,6 +68,8 @@ function arrayToObject(arr) {
48
68
  */
49
69
  function formDataToJSON(formData) {
50
70
  function buildPath(path, value, target, index) {
71
+ throwIfDepthExceeded(index);
72
+
51
73
  let name = path[index++];
52
74
 
53
75
  if (name === '__proto__') return true;
@@ -55,17 +55,19 @@ function resolveConfig(config) {
55
55
  newConfig.headers = headers = AxiosHeaders.from(headers);
56
56
 
57
57
  newConfig.url = buildURL(
58
- buildFullPath(baseURL, url, allowAbsoluteUrls),
58
+ buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig),
59
59
  own('params'),
60
60
  own('paramsSerializer')
61
61
  );
62
62
 
63
63
  // HTTP basic authentication
64
64
  if (auth) {
65
+ const username = utils.getSafeProp(auth, 'username') || '';
66
+ const password = utils.getSafeProp(auth, 'password') || '';
67
+
65
68
  headers.set(
66
69
  'Authorization',
67
- 'Basic ' +
68
- btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : ''))
70
+ 'Basic ' + btoa(username + ':' + (password ? encodeUTF8(password) : ''))
69
71
  );
70
72
  }
71
73
 
@@ -1,4 +1,4 @@
1
- const LOOPBACK_HOSTNAMES = new Set(['localhost']);
1
+ const LOOPBACK_HOSTNAMES = new Set(['localhost', '0.0.0.0']);
2
2
 
3
3
  const isIPv4Loopback = (host) => {
4
4
  const parts = host.split('.');
@@ -7,6 +7,37 @@ const isIPv4Loopback = (host) => {
7
7
  return parts.every((p) => /^\d+$/.test(p) && Number(p) >= 0 && Number(p) <= 255);
8
8
  };
9
9
 
10
+ const isIPv6ZeroGroup = (group) => /^0{1,4}$/.test(group);
11
+
12
+ // The unspecified address (IPv4 0.0.0.0 / IPv6 ::) resolves to the local host
13
+ // for outbound connections, so treat it as loopback-equivalent for NO_PROXY
14
+ // matching. 0.0.0.0 is covered by LOOPBACK_HOSTNAMES; this handles compressed
15
+ // and full IPv6 all-zero forms so both families bypass symmetrically.
16
+ const isIPv6Unspecified = (host) => {
17
+ if (host === '::') return true;
18
+
19
+ const compressionIndex = host.indexOf('::');
20
+
21
+ if (compressionIndex !== -1) {
22
+ if (compressionIndex !== host.lastIndexOf('::')) return false;
23
+
24
+ const left = host.slice(0, compressionIndex);
25
+ const right = host.slice(compressionIndex + 2);
26
+ const leftGroups = left ? left.split(':') : [];
27
+ const rightGroups = right ? right.split(':') : [];
28
+ const explicitGroups = leftGroups.length + rightGroups.length;
29
+
30
+ return (
31
+ explicitGroups < 8 &&
32
+ leftGroups.every(isIPv6ZeroGroup) &&
33
+ rightGroups.every(isIPv6ZeroGroup)
34
+ );
35
+ }
36
+
37
+ const groups = host.split(':');
38
+ return groups.length === 8 && groups.every(isIPv6ZeroGroup);
39
+ };
40
+
10
41
  const isIPv6Loopback = (host) => {
11
42
  // Collapse all-zero groups: any form of ::1 / 0:0:...:0:1
12
43
  // First, strip any leading "::" by normalising with Set lookup of common forms,
@@ -42,6 +73,7 @@ const isLoopback = (host) => {
42
73
  if (!host) return false;
43
74
  if (LOOPBACK_HOSTNAMES.has(host)) return true;
44
75
  if (isIPv4Loopback(host)) return true;
76
+ if (isIPv6Unspecified(host)) return true;
45
77
  return isIPv6Loopback(host);
46
78
  };
47
79
 
@@ -5,6 +5,10 @@ import AxiosError from '../core/AxiosError.js';
5
5
  // temporary hotfix to avoid circular references until AxiosURLSearchParams is refactored
6
6
  import PlatformFormData from '../platform/node/classes/FormData.js';
7
7
 
8
+ // Default nesting limit shared with the inverse transform (formDataToJSON) so
9
+ // the FormData <-> JSON round-trip stays symmetric.
10
+ export const DEFAULT_FORM_DATA_MAX_DEPTH = 100;
11
+
8
12
  /**
9
13
  * Determines if the given thing is a array or js object.
10
14
  *
@@ -115,8 +119,9 @@ function toFormData(obj, formData, options) {
115
119
  const dots = options.dots;
116
120
  const indexes = options.indexes;
117
121
  const _Blob = options.Blob || (typeof Blob !== 'undefined' && Blob);
118
- const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
122
+ const maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
119
123
  const useBlob = _Blob && utils.isSpecCompliantForm(formData);
124
+ const stack = [];
120
125
 
121
126
  if (!utils.isFunction(visitor)) {
122
127
  throw new TypeError('visitor must be a function');
@@ -144,6 +149,38 @@ function toFormData(obj, formData, options) {
144
149
  return value;
145
150
  }
146
151
 
152
+ function throwIfMaxDepthExceeded(depth) {
153
+ if (depth > maxDepth) {
154
+ throw new AxiosError(
155
+ 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
156
+ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
157
+ );
158
+ }
159
+ }
160
+
161
+ function stringifyWithDepthLimit(value, depth) {
162
+ if (maxDepth === Infinity) {
163
+ return JSON.stringify(value);
164
+ }
165
+
166
+ const ancestors = [];
167
+
168
+ return JSON.stringify(value, function limitDepth(_key, currentValue) {
169
+ if (!utils.isObject(currentValue)) {
170
+ return currentValue;
171
+ }
172
+
173
+ while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
174
+ ancestors.pop();
175
+ }
176
+
177
+ ancestors.push(currentValue);
178
+ throwIfMaxDepthExceeded(depth + ancestors.length - 1);
179
+
180
+ return currentValue;
181
+ });
182
+ }
183
+
147
184
  /**
148
185
  * Default visitor.
149
186
  *
@@ -167,7 +204,7 @@ function toFormData(obj, formData, options) {
167
204
  // eslint-disable-next-line no-param-reassign
168
205
  key = metaTokens ? key : key.slice(0, -2);
169
206
  // eslint-disable-next-line no-param-reassign
170
- value = JSON.stringify(value);
207
+ value = stringifyWithDepthLimit(value, 1);
171
208
  } else if (
172
209
  (utils.isArray(value) && isFlatArray(value)) ||
173
210
  ((utils.isFileList(value) || utils.endsWith(key, '[]')) && (arr = utils.toArray(value)))
@@ -200,8 +237,6 @@ function toFormData(obj, formData, options) {
200
237
  return false;
201
238
  }
202
239
 
203
- const stack = [];
204
-
205
240
  const exposedHelpers = Object.assign(predicates, {
206
241
  defaultVisitor,
207
242
  convertValue,
@@ -211,12 +246,7 @@ function toFormData(obj, formData, options) {
211
246
  function build(value, path, depth = 0) {
212
247
  if (utils.isUndefined(value)) return;
213
248
 
214
- if (depth > maxDepth) {
215
- throw new AxiosError(
216
- 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
217
- AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
218
- );
219
- }
249
+ throwIfMaxDepthExceeded(depth);
220
250
 
221
251
  if (stack.indexOf(value) !== -1) {
222
252
  throw new Error('Circular reference detected in ' + path.join('.'));
@@ -8,6 +8,57 @@ const { toString } = Object.prototype;
8
8
  const { getPrototypeOf } = Object;
9
9
  const { iterator, toStringTag } = Symbol;
10
10
 
11
+ /* Creating a function that will check if an object has a property. */
12
+ const hasOwnProperty = (
13
+ ({ hasOwnProperty }) =>
14
+ (obj, prop) =>
15
+ hasOwnProperty.call(obj, prop)
16
+ )(Object.prototype);
17
+
18
+ /**
19
+ * Walk the prototype chain (excluding the shared Object.prototype) looking for
20
+ * an own `prop`. This distinguishes genuine own/inherited members — including
21
+ * class accessors and template prototypes — from members injected via
22
+ * Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
23
+ * live on Object.prototype itself and are therefore never matched.
24
+ *
25
+ * @param {*} thing The value whose chain to inspect
26
+ * @param {string|symbol} prop The property key to look for
27
+ *
28
+ * @returns {boolean} True when `prop` is owned below Object.prototype
29
+ */
30
+ const hasOwnInPrototypeChain = (thing, prop) => {
31
+ let obj = thing;
32
+ const seen = [];
33
+
34
+ while (obj != null && obj !== Object.prototype) {
35
+ if (seen.indexOf(obj) !== -1) {
36
+ return false;
37
+ }
38
+ seen.push(obj);
39
+
40
+ if (hasOwnProperty(obj, prop)) {
41
+ return true;
42
+ }
43
+ obj = getPrototypeOf(obj);
44
+ }
45
+ return false;
46
+ };
47
+
48
+ /**
49
+ * Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
50
+ * properties and members inherited from a non-Object.prototype source (a class
51
+ * instance or template object) are honored; a value reachable only through a
52
+ * polluted Object.prototype is ignored and `undefined` is returned.
53
+ *
54
+ * @param {*} obj The source object
55
+ * @param {string|symbol} prop The property key to read
56
+ *
57
+ * @returns {*} The resolved value, or undefined when unsafe/absent
58
+ */
59
+ const getSafeProp = (obj, prop) =>
60
+ obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
61
+
11
62
  const kindOf = ((cache) => (thing) => {
12
63
  const str = toString.call(thing);
13
64
  return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase());
@@ -133,7 +184,7 @@ const isBoolean = (thing) => thing === true || thing === false;
133
184
  * @returns {boolean} True if value is a plain Object, otherwise false
134
185
  */
135
186
  const isPlainObject = (val) => {
136
- if (kindOf(val) !== 'object') {
187
+ if (!isObject(val)) {
137
188
  return false;
138
189
  }
139
190
 
@@ -141,9 +192,12 @@ const isPlainObject = (val) => {
141
192
  return (
142
193
  (prototype === null ||
143
194
  prototype === Object.prototype ||
144
- Object.getPrototypeOf(prototype) === null) &&
145
- !(toStringTag in val) &&
146
- !(iterator in val)
195
+ getPrototypeOf(prototype) === null) &&
196
+ // Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
197
+ // Symbol.iterator as evidence the value is a tagged/iterable type rather
198
+ // than a plain object, while ignoring keys injected onto Object.prototype.
199
+ !hasOwnInPrototypeChain(val, toStringTag) &&
200
+ !hasOwnInPrototypeChain(val, iterator)
147
201
  );
148
202
  };
149
203
 
@@ -670,13 +724,6 @@ const toCamelCase = (str) => {
670
724
  });
671
725
  };
672
726
 
673
- /* Creating a function that will check if an object has a property. */
674
- const hasOwnProperty = (
675
- ({ hasOwnProperty }) =>
676
- (obj, prop) =>
677
- hasOwnProperty.call(obj, prop)
678
- )(Object.prototype);
679
-
680
727
  const { propertyIsEnumerable } = Object.prototype;
681
728
 
682
729
  /**
@@ -890,6 +937,20 @@ const asap =
890
937
 
891
938
  const isIterable = (thing) => thing != null && isFunction(thing[iterator]);
892
939
 
940
+ /**
941
+ * Determine if a value is iterable via an iterator that is NOT sourced solely
942
+ * from a polluted Object.prototype. Use this instead of `isIterable` whenever
943
+ * the iterable comes from untrusted input (e.g. user-supplied header sources),
944
+ * so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
945
+ * into an attacker-controlled entries iterator.
946
+ *
947
+ * @param {*} thing The value to test
948
+ *
949
+ * @returns {boolean} True if value has a non-polluted iterator
950
+ */
951
+ const isSafeIterable = (thing) =>
952
+ thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
953
+
893
954
  export default {
894
955
  isArray,
895
956
  isArrayBuffer,
@@ -934,6 +995,8 @@ export default {
934
995
  isHTMLForm,
935
996
  hasOwnProperty,
936
997
  hasOwnProp: hasOwnProperty, // an alias to avoid ESLint no-prototype-builtins detection
998
+ hasOwnInPrototypeChain,
999
+ getSafeProp,
937
1000
  reduceDescriptors,
938
1001
  freezeMethods,
939
1002
  toObjectSet,
@@ -950,4 +1013,5 @@ export default {
950
1013
  setImmediate: _setImmediate,
951
1014
  asap,
952
1015
  isIterable,
1016
+ isSafeIterable,
953
1017
  };
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "axios",
3
- "version": "1.17.0",
3
+ "version": "1.18.0",
4
4
  "description": "Promise based HTTP client for the browser and node.js",
5
5
  "main": "./dist/node/axios.cjs",
6
6
  "module": "./index.js",
@@ -51,7 +51,14 @@ $ npm install body-parser
51
51
  ## API
52
52
 
53
53
  ```js
54
+ // Import all parsers
54
55
  const bodyParser = require('body-parser')
56
+
57
+ // Or import individual parsers directly
58
+ const json = require('body-parser/json')
59
+ const urlencoded = require('body-parser/urlencoded')
60
+ const raw = require('body-parser/raw')
61
+ const text = require('body-parser/text')
55
62
  ```
56
63
 
57
64
  The `bodyParser` object exposes various factories to create middlewares. All
@@ -93,11 +100,13 @@ specifies the number of bytes; if it is a string, the value is passed to the
93
100
  [bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults
94
101
  to `'100kb'`.
95
102
 
103
+ > It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
104
+
96
105
  ##### reviver
97
106
 
98
107
  The `reviver` option is passed directly to `JSON.parse` as the second
99
108
  argument. You can find more information on this argument
100
- [in the MDN documentation about JSON.parse](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse#Example.3A_Using_the_reviver_parameter).
109
+ [in the MDN documentation about JSON.parse](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse#the_reviver_parameter).
101
110
 
102
111
  ##### strict
103
112
 
@@ -149,6 +158,8 @@ specifies the number of bytes; if it is a string, the value is passed to the
149
158
  [bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults
150
159
  to `'100kb'`.
151
160
 
161
+ > It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
162
+
152
163
  ##### type
153
164
 
154
165
  The `type` option is used to determine what media type the middleware will
@@ -200,6 +211,8 @@ specifies the number of bytes; if it is a string, the value is passed to the
200
211
  [bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults
201
212
  to `'100kb'`.
202
213
 
214
+ > It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
215
+
203
216
  ##### type
204
217
 
205
218
  The `type` option is used to determine what media type the middleware will
@@ -255,6 +268,8 @@ specifies the number of bytes; if it is a string, the value is passed to the
255
268
  [bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults
256
269
  to `'100kb'`.
257
270
 
271
+ > It’s recommended not to configure a very high limit and to use the default value whenever possible. Allowing larger payloads increases memory usage because of the resources required for decoding and transformations, and it can also lead to longer response times as more data is processed. By ‘very high’, we mean values above the default, for example payloads of 5 MB or more can already start to introduce these risks. With the default limits, these issues do not occur.
272
+
258
273
  ##### parameterLimit
259
274
 
260
275
  The `parameterLimit` option controls the maximum number of parameters that
@@ -24,41 +24,25 @@ exports = module.exports = bodyParser
24
24
  * JSON parser.
25
25
  * @public
26
26
  */
27
- Object.defineProperty(exports, 'json', {
28
- configurable: true,
29
- enumerable: true,
30
- get: () => require('./lib/types/json')
31
- })
27
+ exports.json = require('./lib/types/json')
32
28
 
33
29
  /**
34
30
  * Raw parser.
35
31
  * @public
36
32
  */
37
- Object.defineProperty(exports, 'raw', {
38
- configurable: true,
39
- enumerable: true,
40
- get: () => require('./lib/types/raw')
41
- })
33
+ exports.raw = require('./lib/types/raw')
42
34
 
43
35
  /**
44
36
  * Text parser.
45
37
  * @public
46
38
  */
47
- Object.defineProperty(exports, 'text', {
48
- configurable: true,
49
- enumerable: true,
50
- get: () => require('./lib/types/text')
51
- })
39
+ exports.text = require('./lib/types/text')
52
40
 
53
41
  /**
54
42
  * URL-encoded parser.
55
43
  * @public
56
44
  */
57
- Object.defineProperty(exports, 'urlencoded', {
58
- configurable: true,
59
- enumerable: true,
60
- get: () => require('./lib/types/urlencoded')
61
- })
45
+ exports.urlencoded = require('./lib/types/urlencoded')
62
46
 
63
47
  /**
64
48
  * Create a middleware to parse json and urlencoded bodies.