ai 5.0.145 → 5.0.146

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/CHANGELOG.md +10 -0
  2. package/dist/index.js +2 -1
  3. package/dist/index.js.map +1 -1
  4. package/dist/index.mjs +4 -2
  5. package/dist/index.mjs.map +1 -1
  6. package/dist/internal/index.js +2 -1
  7. package/dist/internal/index.js.map +1 -1
  8. package/dist/internal/index.mjs +4 -2
  9. package/dist/internal/index.mjs.map +1 -1
  10. package/package.json +3 -3
package/CHANGELOG.md CHANGED
@@ -1,5 +1,15 @@
1
1
  # ai
2
2
 
3
+ ## 5.0.146
4
+
5
+ ### Patch Changes
6
+
7
+ - 6a2f01b: Add URL validation to `download` to prevent blind SSRF attacks. Private/internal IP addresses, localhost, and non-HTTP protocols are now rejected before fetching.
8
+ - Updated dependencies [6a2f01b]
9
+ - Updated dependencies [17d64e3]
10
+ - @ai-sdk/provider-utils@3.0.22
11
+ - @ai-sdk/gateway@2.0.52
12
+
3
13
  ## 5.0.145
4
14
 
5
15
  ### Patch Changes
package/dist/index.js CHANGED
@@ -779,7 +779,7 @@ var import_provider_utils2 = require("@ai-sdk/provider-utils");
779
779
  var import_provider_utils3 = require("@ai-sdk/provider-utils");
780
780
 
781
781
  // src/version.ts
782
- var VERSION = true ? "5.0.145" : "0.0.0-test";
782
+ var VERSION = true ? "5.0.146" : "0.0.0-test";
783
783
 
784
784
  // src/util/download/download.ts
785
785
  var download = async ({
@@ -789,6 +789,7 @@ var download = async ({
789
789
  }) => {
790
790
  var _a16;
791
791
  const urlText = url.toString();
792
+ (0, import_provider_utils2.validateDownloadUrl)(urlText);
792
793
  try {
793
794
  const response = await fetch(urlText, {
794
795
  headers: (0, import_provider_utils3.withUserAgentSuffix)(