ai 5.0.147 → 5.0.149
- package/CHANGELOG.md +16 -1
- package/dist/index.js +4 -1
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +4 -1
- package/dist/index.mjs.map +1 -1
- package/dist/internal/index.js +4 -1
- package/dist/internal/index.js.map +1 -1
- package/dist/internal/index.mjs +4 -1
- package/dist/internal/index.mjs.map +1 -1
- package/package.json +2 -2
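--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,20 @@
 # ai
 
+## 5.0.149
+
+### Patch Changes
+
+- c66afc5: fix(security): validate redirect targets in download functions to prevent SSRF bypass
+
+`download` now validates the final URL after following HTTP redirects, preventing attackers from bypassing SSRF protections via open redirects to internal/private addresses.
+
+## 5.0.148
+
+### Patch Changes
+
+- Updated dependencies [392dc94]
+- @ai-sdk/gateway@2.0.54
+
 ## 5.0.147
 
 ### Patch Changes
@@ -129,7 +144,7 @@
 
 - 20565b8: security: prevent unbounded memory growth in download functions
 
-The `download()`
+The `download()` function now enforces a default 2 GiB size limit when downloading from user-provided URLs. Downloads that exceed this limit are aborted with a `DownloadError` instead of consuming unbounded memory and crashing the process. The `abortSignal` parameter is now passed through to `fetch()` in all download call sites.
 
 Added `download` option to `transcribe()` and `experimental_generateVideo()` for providing a custom download function. Use the new `createDownload({ maxBytes })` factory to configure download size limits.
 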
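--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -779,7 +779,7 @@ var import_provider_utils2 = require("@ai-sdk/provider-utils");
 var import_provider_utils3 = require("@ai-sdk/provider-utils");
 
 // src/version.ts
-var VERSION = true ? "5.0.
+var VERSION = true ? "5.0.149" : "0.0.0-test";
 
 // src/util/download/download.ts
 var download = async ({
@@ -799,6 +799,9 @@ var download = async ({
 ),
 signal: abortSignal
 });
+if (response.redirected) {
+(0, import_provider_utils2.validateDownloadUrl)(response.url);
+}
 if (!response.ok) {
 throw new DownloadError({
 url: urlText,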
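Review bot: The check on new lines 802–804 runs after `fetch()` has already followed the whole redirect chain, so the request to a disallowed target has been sent by the time `validateDownloadUrl(response.url)` throws, and intermediate hops are never inspected; it keeps the response body from reaching the caller but does not stop the outbound request itself. Where the runtime supports it, passing `redirect: "manual"` in the fetch options and validating each `Location` value before re-issuing the request, with a small hop limit, would close that gap. `validateDownloadUrl` is not visible here, but if it inspects only the URL string, a hostname that resolves to a private address would still pass, so a comment above the check such as `// post-hoc check: withholds the response, does not prevent the request or cover DNS resolution` would keep the guarantee from being overstated. The body of `download` starts before and continues after this hunk.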