agent-relay 4.0.35 → 4.0.36

Files changed (199)
  1. package/README.md +3 -6
  2. package/dist/index.cjs +775 -40
  3. package/dist/src/cli/bootstrap.js.map +1 -1
  4. package/dist/src/cli/commands/cloud.js.map +1 -1
  5. package/dist/src/cli/commands/core.d.ts.map +1 -1
  6. package/dist/src/cli/commands/core.js.map +1 -1
  7. package/dist/src/cli/commands/messaging.d.ts.map +1 -1
  8. package/dist/src/cli/commands/messaging.js.map +1 -1
  9. package/dist/src/cli/commands/monitoring.d.ts.map +1 -1
  10. package/dist/src/cli/commands/monitoring.js.map +1 -1
  11. package/node_modules/@agent-relay/cloud/package.json +2 -2
  12. package/node_modules/@agent-relay/config/package.json +2 -2
  13. package/node_modules/@agent-relay/hooks/package.json +4 -4
  14. package/node_modules/@agent-relay/sdk/dist/relay.d.ts.map +1 -1
  15. package/node_modules/@agent-relay/sdk/dist/relay.js.map +1 -1
  16. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/budget-enforcement.test.d.ts +2 -0
  17. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/budget-enforcement.test.d.ts.map +1 -0
  18. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/budget-enforcement.test.js +437 -0
  19. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/budget-enforcement.test.js.map +1 -0
  20. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/budget-tracker.test.d.ts +2 -0
  21. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/budget-tracker.test.d.ts.map +1 -0
  22. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/budget-tracker.test.js +99 -0
  23. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/budget-tracker.test.js.map +1 -0
  24. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/proxy-env.test.d.ts +2 -0
  25. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/proxy-env.test.d.ts.map +1 -0
  26. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/proxy-env.test.js +135 -0
  27. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/proxy-env.test.js.map +1 -0
  28. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/verification-custom.test.d.ts +2 -0
  29. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/verification-custom.test.d.ts.map +1 -0
  30. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/verification-custom.test.js +236 -0
  31. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/verification-custom.test.js.map +1 -0
  32. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/verification-traceback.test.d.ts +2 -0
  33. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/verification-traceback.test.d.ts.map +1 -0
  34. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/verification-traceback.test.js +448 -0
  35. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/verification-traceback.test.js.map +1 -0
  36. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/verification.test.js +71 -4
  37. package/node_modules/@agent-relay/sdk/dist/workflows/__tests__/verification.test.js.map +1 -1
  38. package/node_modules/@agent-relay/sdk/dist/workflows/budget-tracker.d.ts +75 -0
  39. package/node_modules/@agent-relay/sdk/dist/workflows/budget-tracker.d.ts.map +1 -0
  40. package/node_modules/@agent-relay/sdk/dist/workflows/budget-tracker.js +180 -0
  41. package/node_modules/@agent-relay/sdk/dist/workflows/budget-tracker.js.map +1 -0
  42. package/node_modules/@agent-relay/sdk/dist/workflows/builder.d.ts +1 -0
  43. package/node_modules/@agent-relay/sdk/dist/workflows/builder.d.ts.map +1 -1
  44. package/node_modules/@agent-relay/sdk/dist/workflows/builder.js +17 -2
  45. package/node_modules/@agent-relay/sdk/dist/workflows/builder.js.map +1 -1
  46. package/node_modules/@agent-relay/sdk/dist/workflows/index.d.ts +2 -0
  47. package/node_modules/@agent-relay/sdk/dist/workflows/index.d.ts.map +1 -1
  48. package/node_modules/@agent-relay/sdk/dist/workflows/index.js +2 -0
  49. package/node_modules/@agent-relay/sdk/dist/workflows/index.js.map +1 -1
  50. package/node_modules/@agent-relay/sdk/dist/workflows/proxy-env.d.ts +52 -0
  51. package/node_modules/@agent-relay/sdk/dist/workflows/proxy-env.d.ts.map +1 -0
  52. package/node_modules/@agent-relay/sdk/dist/workflows/proxy-env.js +92 -0
  53. package/node_modules/@agent-relay/sdk/dist/workflows/proxy-env.js.map +1 -0
  54. package/node_modules/@agent-relay/sdk/dist/workflows/run-summary-table.d.ts +2 -1
  55. package/node_modules/@agent-relay/sdk/dist/workflows/run-summary-table.d.ts.map +1 -1
  56. package/node_modules/@agent-relay/sdk/dist/workflows/run-summary-table.js +41 -9
  57. package/node_modules/@agent-relay/sdk/dist/workflows/run-summary-table.js.map +1 -1
  58. package/node_modules/@agent-relay/sdk/dist/workflows/runner.d.ts +17 -0
  59. package/node_modules/@agent-relay/sdk/dist/workflows/runner.d.ts.map +1 -1
  60. package/node_modules/@agent-relay/sdk/dist/workflows/runner.js +390 -16
  61. package/node_modules/@agent-relay/sdk/dist/workflows/runner.js.map +1 -1
  62. package/node_modules/@agent-relay/sdk/dist/workflows/types.d.ts +47 -1
  63. package/node_modules/@agent-relay/sdk/dist/workflows/types.d.ts.map +1 -1
  64. package/node_modules/@agent-relay/sdk/dist/workflows/types.js.map +1 -1
  65. package/node_modules/@agent-relay/sdk/dist/workflows/verification.d.ts +9 -0
  66. package/node_modules/@agent-relay/sdk/dist/workflows/verification.d.ts.map +1 -1
  67. package/node_modules/@agent-relay/sdk/dist/workflows/verification.js +78 -2
  68. package/node_modules/@agent-relay/sdk/dist/workflows/verification.js.map +1 -1
  69. package/node_modules/@agent-relay/sdk/package.json +7 -3
  70. package/node_modules/@agent-relay/telemetry/dist/config.d.ts.map +1 -1
  71. package/node_modules/@agent-relay/telemetry/dist/config.js +2 -4
  72. package/node_modules/@agent-relay/telemetry/dist/config.js.map +1 -1
  73. package/node_modules/@agent-relay/telemetry/dist/events.d.ts +1 -2
  74. package/node_modules/@agent-relay/telemetry/dist/events.d.ts.map +1 -1
  75. package/node_modules/@agent-relay/telemetry/dist/index.d.ts +1 -1
  76. package/node_modules/@agent-relay/telemetry/dist/index.d.ts.map +1 -1
  77. package/node_modules/@agent-relay/telemetry/dist/index.js +1 -1
  78. package/node_modules/@agent-relay/telemetry/dist/index.js.map +1 -1
  79. package/node_modules/@agent-relay/telemetry/package.json +1 -1
  80. package/node_modules/@agent-relay/trajectory/package.json +2 -2
  81. package/node_modules/@agent-relay/user-directory/package.json +2 -2
  82. package/node_modules/@agent-relay/utils/package.json +2 -2
  83. package/node_modules/@aws-sdk/core/dist-cjs/index.js +2 -0
  84. package/node_modules/@aws-sdk/core/dist-cjs/submodules/client/index.js +3 -0
  85. package/node_modules/@aws-sdk/core/dist-es/submodules/client/setFeature.js +2 -0
  86. package/node_modules/@aws-sdk/core/dist-types/submodules/client/setFeature.d.ts +1 -1
  87. package/node_modules/@aws-sdk/core/package.json +6 -4
  88. package/node_modules/@aws-sdk/credential-provider-env/package.json +2 -2
  89. package/node_modules/@aws-sdk/credential-provider-http/package.json +5 -5
  90. package/node_modules/@aws-sdk/credential-provider-ini/package.json +9 -9
  91. package/node_modules/@aws-sdk/credential-provider-login/package.json +3 -3
  92. package/node_modules/@aws-sdk/credential-provider-node/package.json +7 -7
  93. package/node_modules/@aws-sdk/credential-provider-process/package.json +2 -2
  94. package/node_modules/@aws-sdk/credential-provider-sso/package.json +4 -4
  95. package/node_modules/@aws-sdk/credential-provider-web-identity/package.json +3 -3
  96. package/node_modules/@aws-sdk/middleware-flexible-checksums/package.json +4 -4
  97. package/node_modules/@aws-sdk/middleware-sdk-s3/package.json +5 -5
  98. package/node_modules/@aws-sdk/middleware-user-agent/package.json +5 -5
  99. package/node_modules/@aws-sdk/nested-clients/package.json +18 -18
  100. package/node_modules/@aws-sdk/region-config-resolver/package.json +2 -2
  101. package/node_modules/@aws-sdk/signature-v4-multi-region/package.json +2 -2
  102. package/node_modules/@aws-sdk/token-providers/package.json +3 -3
  103. package/node_modules/@aws-sdk/util-endpoints/package.json +2 -2
  104. package/node_modules/@aws-sdk/util-user-agent-node/package.json +2 -2
  105. package/node_modules/axios/CHANGELOG.md +112 -44
  106. package/node_modules/axios/README.md +30 -0
  107. package/node_modules/axios/dist/axios.js +34 -11
  108. package/node_modules/axios/dist/axios.js.map +1 -1
  109. package/node_modules/axios/dist/axios.min.js +2 -2
  110. package/node_modules/axios/dist/axios.min.js.map +1 -1
  111. package/node_modules/axios/dist/browser/axios.cjs +32 -6
  112. package/node_modules/axios/dist/browser/axios.cjs.map +1 -1
  113. package/node_modules/axios/dist/esm/axios.js +32 -6
  114. package/node_modules/axios/dist/esm/axios.js.map +1 -1
  115. package/node_modules/axios/dist/esm/axios.min.js +2 -2
  116. package/node_modules/axios/dist/esm/axios.min.js.map +1 -1
  117. package/node_modules/axios/dist/node/axios.cjs +91 -37
  118. package/node_modules/axios/dist/node/axios.cjs.map +1 -1
  119. package/node_modules/axios/index.d.cts +1 -0
  120. package/node_modules/axios/index.d.ts +1 -0
  121. package/node_modules/axios/lib/adapters/http.js +69 -22
  122. package/node_modules/axios/lib/core/mergeConfig.js +13 -1
  123. package/node_modules/axios/lib/env/data.js +1 -1
  124. package/node_modules/axios/lib/helpers/resolveConfig.js +14 -2
  125. package/node_modules/axios/lib/helpers/validator.js +3 -1
  126. package/node_modules/axios/package.json +1 -1
  127. package/package.json +9 -9
  128. package/packages/cloud/package.json +2 -2
  129. package/packages/config/package.json +2 -2
  130. package/packages/hooks/package.json +4 -4
  131. package/packages/sdk/dist/relay.d.ts.map +1 -1
  132. package/packages/sdk/dist/relay.js.map +1 -1
  133. package/packages/sdk/dist/workflows/__tests__/budget-enforcement.test.d.ts +2 -0
  134. package/packages/sdk/dist/workflows/__tests__/budget-enforcement.test.d.ts.map +1 -0
  135. package/packages/sdk/dist/workflows/__tests__/budget-enforcement.test.js +437 -0
  136. package/packages/sdk/dist/workflows/__tests__/budget-enforcement.test.js.map +1 -0
  137. package/packages/sdk/dist/workflows/__tests__/budget-tracker.test.d.ts +2 -0
  138. package/packages/sdk/dist/workflows/__tests__/budget-tracker.test.d.ts.map +1 -0
  139. package/packages/sdk/dist/workflows/__tests__/budget-tracker.test.js +99 -0
  140. package/packages/sdk/dist/workflows/__tests__/budget-tracker.test.js.map +1 -0
  141. package/packages/sdk/dist/workflows/__tests__/proxy-env.test.d.ts +2 -0
  142. package/packages/sdk/dist/workflows/__tests__/proxy-env.test.d.ts.map +1 -0
  143. package/packages/sdk/dist/workflows/__tests__/proxy-env.test.js +135 -0
  144. package/packages/sdk/dist/workflows/__tests__/proxy-env.test.js.map +1 -0
  145. package/packages/sdk/dist/workflows/__tests__/verification-custom.test.d.ts +2 -0
  146. package/packages/sdk/dist/workflows/__tests__/verification-custom.test.d.ts.map +1 -0
  147. package/packages/sdk/dist/workflows/__tests__/verification-custom.test.js +236 -0
  148. package/packages/sdk/dist/workflows/__tests__/verification-custom.test.js.map +1 -0
  149. package/packages/sdk/dist/workflows/__tests__/verification-traceback.test.d.ts +2 -0
  150. package/packages/sdk/dist/workflows/__tests__/verification-traceback.test.d.ts.map +1 -0
  151. package/packages/sdk/dist/workflows/__tests__/verification-traceback.test.js +448 -0
  152. package/packages/sdk/dist/workflows/__tests__/verification-traceback.test.js.map +1 -0
  153. package/packages/sdk/dist/workflows/__tests__/verification.test.js +71 -4
  154. package/packages/sdk/dist/workflows/__tests__/verification.test.js.map +1 -1
  155. package/packages/sdk/dist/workflows/budget-tracker.d.ts +75 -0
  156. package/packages/sdk/dist/workflows/budget-tracker.d.ts.map +1 -0
  157. package/packages/sdk/dist/workflows/budget-tracker.js +180 -0
  158. package/packages/sdk/dist/workflows/budget-tracker.js.map +1 -0
  159. package/packages/sdk/dist/workflows/builder.d.ts +1 -0
  160. package/packages/sdk/dist/workflows/builder.d.ts.map +1 -1
  161. package/packages/sdk/dist/workflows/builder.js +17 -2
  162. package/packages/sdk/dist/workflows/builder.js.map +1 -1
  163. package/packages/sdk/dist/workflows/index.d.ts +2 -0
  164. package/packages/sdk/dist/workflows/index.d.ts.map +1 -1
  165. package/packages/sdk/dist/workflows/index.js +2 -0
  166. package/packages/sdk/dist/workflows/index.js.map +1 -1
  167. package/packages/sdk/dist/workflows/proxy-env.d.ts +52 -0
  168. package/packages/sdk/dist/workflows/proxy-env.d.ts.map +1 -0
  169. package/packages/sdk/dist/workflows/proxy-env.js +92 -0
  170. package/packages/sdk/dist/workflows/proxy-env.js.map +1 -0
  171. package/packages/sdk/dist/workflows/run-summary-table.d.ts +2 -1
  172. package/packages/sdk/dist/workflows/run-summary-table.d.ts.map +1 -1
  173. package/packages/sdk/dist/workflows/run-summary-table.js +41 -9
  174. package/packages/sdk/dist/workflows/run-summary-table.js.map +1 -1
  175. package/packages/sdk/dist/workflows/runner.d.ts +17 -0
  176. package/packages/sdk/dist/workflows/runner.d.ts.map +1 -1
  177. package/packages/sdk/dist/workflows/runner.js +390 -16
  178. package/packages/sdk/dist/workflows/runner.js.map +1 -1
  179. package/packages/sdk/dist/workflows/types.d.ts +47 -1
  180. package/packages/sdk/dist/workflows/types.d.ts.map +1 -1
  181. package/packages/sdk/dist/workflows/types.js.map +1 -1
  182. package/packages/sdk/dist/workflows/verification.d.ts +9 -0
  183. package/packages/sdk/dist/workflows/verification.d.ts.map +1 -1
  184. package/packages/sdk/dist/workflows/verification.js +78 -2
  185. package/packages/sdk/dist/workflows/verification.js.map +1 -1
  186. package/packages/sdk/package.json +7 -3
  187. package/packages/telemetry/dist/config.d.ts.map +1 -1
  188. package/packages/telemetry/dist/config.js +2 -4
  189. package/packages/telemetry/dist/config.js.map +1 -1
  190. package/packages/telemetry/dist/events.d.ts +1 -2
  191. package/packages/telemetry/dist/events.d.ts.map +1 -1
  192. package/packages/telemetry/dist/index.d.ts +1 -1
  193. package/packages/telemetry/dist/index.d.ts.map +1 -1
  194. package/packages/telemetry/dist/index.js +1 -1
  195. package/packages/telemetry/dist/index.js.map +1 -1
  196. package/packages/telemetry/package.json +1 -1
  197. package/packages/trajectory/package.json +2 -2
  198. package/packages/user-directory/package.json +2 -2
  199. package/packages/utils/package.json +2 -2
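--- a/package/node_modules/axios/dist/node/axios.cjs
+++ b/package/node_modules/axios/dist/node/axios.cjs
@@ -1,4 +1,4 @@
- /*! Axios v1.15.1 Copyright (c) 2026 Matt Zabriskie and contributors */
+ /*! Axios v1.15.2 Copyright (c) 2026 Matt Zabriskie and contributors */
  'use strict';
 
  var FormData$1 = require('form-data');
@@ -8,6 +8,7 @@ var http = require('http');
  var https = require('https');
  var http2 = require('http2');
  var util = require('util');
+ var path = require('path');
  var followRedirects = require('follow-redirects');
  var zlib = require('zlib');
  var stream = require('stream');
@@ -2113,7 +2114,7 @@ function getEnv(key) {
  return process.env[key.toLowerCase()] || process.env[key.toUpperCase()] || '';
  }
 
- const VERSION = "1.15.1";
+ const VERSION = "1.15.2";
 
  function parseProtocol(url) {
  const match = /^([-+\w]{1,25})(:?\/\/|:)/.exec(url);
@@ -2713,6 +2714,11 @@ const {
  https: httpsFollow
  } = followRedirects;
  const isHttps = /https:?/;
+
+ // Symbols used to bind a single 'error' listener to a pooled socket and track
+ // the request currently owning that socket across keep-alive reuse (issue #10780).
+ const kAxiosSocketListener = Symbol('axios.http.socketListener');
+ const kAxiosCurrentReq = Symbol('axios.http.currentReq');
  const supportedProtocols = platform.protocols.map(protocol => {
  return protocol + ':';
  });
@@ -3147,9 +3153,10 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
 
  // HTTP basic authentication
  let auth = undefined;
- if (config.auth) {
- const username = config.auth.username || '';
- const password = config.auth.password || '';
+ const configAuth = own('auth');
+ if (configAuth) {
+ const username = configAuth.username || '';
+ const password = configAuth.password || '';
  auth = username + ':' + password;
  }
  if (!auth && parsed.username) {
@@ -3158,9 +3165,9 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
  auth = urlUsername + ':' + urlPassword;
  }
  auth && headers.delete('authorization');
- let path;
+ let path$1;
  try {
- path = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, '');
+ path$1 = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, '');
  } catch (err) {
  const customErr = new Error(err.message);
  customErr.config = config;
@@ -3169,8 +3176,12 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
  return reject(customErr);
  }
  headers.set('Accept-Encoding', 'gzip, compress, deflate' + (isBrotliSupported ? ', br' : ''), false);
- const options = {
- path,
+
+ // Null-prototype to block prototype pollution gadgets on properties read
+ // directly by Node's http.request (e.g. insecureHTTPParser, lookup).
+ // See GHSA-q8qp-cvcw-x6jj.
+ const options = Object.assign(Object.create(null), {
+ path: path$1,
  method: method,
  headers: headers.toJSON(),
  agents: {
@@ -3181,13 +3192,24 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
  protocol,
  family,
  beforeRedirect: dispatchBeforeRedirect,
- beforeRedirects: {},
+ beforeRedirects: Object.create(null),
  http2Options
- };
+ });
 
  // cacheable-lookup integration hotfix
  !utils$1.isUndefined(lookup) && (options.lookup = lookup);
  if (config.socketPath) {
+ if (typeof config.socketPath !== 'string') {
+ return reject(new AxiosError('socketPath must be a string', AxiosError.ERR_BAD_OPTION_VALUE, config));
+ }
+ if (config.allowedSocketPaths != null) {
+ const allowed = Array.isArray(config.allowedSocketPaths) ? config.allowedSocketPaths : [config.allowedSocketPaths];
+ const resolvedSocket = path.resolve(config.socketPath);
+ const isAllowed = allowed.some(entry => typeof entry === 'string' && path.resolve(entry) === resolvedSocket);
+ if (!isAllowed) {
+ return reject(new AxiosError(`socketPath "${config.socketPath}" is not permitted by allowedSocketPaths`, AxiosError.ERR_BAD_OPTION_VALUE, config));
+ }
+ }
  options.socketPath = config.socketPath;
  } else {
  options.hostname = parsed.hostname.startsWith('[') ? parsed.hostname.slice(1, -1) : parsed.hostname;
@@ -3209,8 +3231,9 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
  if (config.maxRedirects) {
  options.maxRedirects = config.maxRedirects;
  }
- if (config.beforeRedirect) {
- options.beforeRedirects.config = config.beforeRedirect;
+ const configBeforeRedirect = own('beforeRedirect');
+ if (configBeforeRedirect) {
+ options.beforeRedirects.config = configBeforeRedirect;
  }
  transport = isHttpsRequest ? httpsFollow : httpFollow;
  }
@@ -3221,9 +3244,11 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
  // follow-redirects does not skip comparison, so it should always succeed for axios -1 unlimited
  options.maxBodyLength = Infinity;
  }
- if (config.insecureHTTPParser) {
- options.insecureHTTPParser = config.insecureHTTPParser;
- }
+
+ // Always set an explicit own value so a polluted
+ // Object.prototype.insecureHTTPParser cannot enable the lenient parser
+ // through Node's internal options copy (GHSA-q8qp-cvcw-x6jj).
+ options.insecureHTTPParser = Boolean(own('insecureHTTPParser'));
 
  // Create the request
  req = transport.request(options, function handleResponse(res) {
@@ -3376,17 +3401,27 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
  req.on('socket', function handleRequestSocket(socket) {
  // default interval of sending ack packet is 1 minute
  socket.setKeepAlive(true, 1000 * 60);
- const removeSocketErrorListener = () => {
- socket.removeListener('error', handleRequestSocketError);
- };
- function handleRequestSocketError(err) {
- removeSocketErrorListener();
- if (!req.destroyed) {
- req.destroy(err);
- }
+
+ // Install a single 'error' listener per socket (not per request) to avoid
+ // accumulating listeners on pooled keep-alive sockets that get reassigned
+ // to new requests before the previous request's 'close' fires (issue #10780).
+ // The listener is bound to the socket's currently-active request via a
+ // symbol, which is swapped as the socket is reassigned.
+ if (!socket[kAxiosSocketListener]) {
+ socket.on('error', function handleSocketError(err) {
+ const current = socket[kAxiosCurrentReq];
+ if (current && !current.destroyed) {
+ current.destroy(err);
+ }
+ });
+ socket[kAxiosSocketListener] = true;
  }
- socket.on('error', handleRequestSocketError);
- req.once('close', removeSocketErrorListener);
+ socket[kAxiosCurrentReq] = req;
+ req.once('close', function clearCurrentReq() {
+ if (socket[kAxiosCurrentReq] === req) {
+ socket[kAxiosCurrentReq] = null;
+ }
+ });
  });
 
  // Handle request timeout
@@ -3524,7 +3559,18 @@ const headersToObject = thing => thing instanceof AxiosHeaders ? {
  function mergeConfig(config1, config2) {
  // eslint-disable-next-line no-param-reassign
  config2 = config2 || {};
- const config = {};
+
+ // Use a null-prototype object so that downstream reads such as `config.auth`
+ // or `config.baseURL` cannot inherit polluted values from Object.prototype
+ // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable
+ // own slot to preserve ergonomics for user code that relies on it.
+ const config = Object.create(null);
+ Object.defineProperty(config, 'hasOwnProperty', {
+ value: Object.prototype.hasOwnProperty,
+ enumerable: false,
+ writable: true,
+ configurable: true
+ });
  function getMergedValue(target, source, prop, caseless) {
  if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) {
  return utils$1.merge.call({
@@ -3596,6 +3642,7 @@ function mergeConfig(config1, config2) {
  httpsAgent: defaultToConfig2,
  cancelToken: defaultToConfig2,
  socketPath: defaultToConfig2,
+ allowedSocketPaths: defaultToConfig2,
  responseEncoding: defaultToConfig2,
  validateStatus: mergeDirectKeys,
  headers: (a, b, prop) => mergeDeepProperties(headersToObject(a), headersToObject(b), prop, true)
@@ -3616,16 +3663,21 @@ function mergeConfig(config1, config2) {
 
  var resolveConfig = config => {
  const newConfig = mergeConfig({}, config);
- let {
- data,
- withXSRFToken,
- xsrfHeaderName,
- xsrfCookieName,
- headers,
- auth
- } = newConfig;
+
+ // Read only own properties to prevent prototype pollution gadgets
+ // (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj.
+ const own = key => utils$1.hasOwnProp(newConfig, key) ? newConfig[key] : undefined;
+ const data = own('data');
+ let withXSRFToken = own('withXSRFToken');
+ const xsrfHeaderName = own('xsrfHeaderName');
+ const xsrfCookieName = own('xsrfCookieName');
+ let headers = own('headers');
+ const auth = own('auth');
+ const baseURL = own('baseURL');
+ const allowAbsoluteUrls = own('allowAbsoluteUrls');
+ const url = own('url');
  newConfig.headers = headers = AxiosHeaders.from(headers);
- newConfig.url = buildURL(buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), config.params, config.paramsSerializer);
+ newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), config.params, config.paramsSerializer);
 
  // HTTP basic authentication
  if (auth) {
@@ -4409,7 +4461,9 @@ function assertOptions(options, schema, allowUnknown) {
  let i = keys.length;
  while (i-- > 0) {
  const opt = keys[i];
- const validator = schema[opt];
+ // Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply
+ // a non-function validator and cause a TypeError. See GHSA-q8qp-cvcw-x6jj.
+ const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined;
  if (validator) {
  const value = options[opt];
  const result = value === undefined || validator(value, opt, options);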
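Review bot: In the `@@ -3181,13 +3192,24 @@` hunk of `httpAdapter`, `config.socketPath` and `config.allowedSocketPaths` are still read with plain property access, while the same change moves `auth`, `beforeRedirect` and `insecureHTTPParser` behind `own(...)`. If a config object with an ordinary prototype can reach the adapter (not decidable from the visible lines), an inherited `socketPath` would still be copied into `options.socketPath` and the request would go to a local socket instead of the URL's host. Reading both through the helper keeps the hardening uniform: `const socketPath = own('socketPath');` and `const allowedSocketPaths = own('allowedSocketPaths');`, then use those locals in the checks and the assignment. The allowlist is enforced only when `allowedSocketPaths` is set and `path.resolve` normalises lexically without following symlinks, so a comment such as `// allowedSocketPaths is opt-in; matching is lexical (path.resolve), symlinks are not resolved` would prevent wrong assumptions by callers. `own` is defined outside the visible hunks of this function, whose body starts and ends outside them.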