ai 6.0.115 → 6.0.116

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/CHANGELOG.md +9 -0
  2. package/dist/index.js +2 -1
  3. package/dist/index.js.map +1 -1
  4. package/dist/index.mjs +4 -2
  5. package/dist/index.mjs.map +1 -1
  6. package/dist/internal/index.js +2 -1
  7. package/dist/internal/index.js.map +1 -1
  8. package/dist/internal/index.mjs +4 -2
  9. package/dist/internal/index.mjs.map +1 -1
  10. package/package.json +3 -3
  11. package/src/util/download/download.ts +2 -0
package/CHANGELOG.md CHANGED
@@ -1,5 +1,14 @@
1
1
  # ai
2
2
 
3
+ ## 6.0.116
4
+
5
+ ### Patch Changes
6
+
7
+ - ad4cfc2: Add URL validation to `downloadBlob` and `download` to prevent blind SSRF attacks. Private/internal IP addresses, localhost, and non-HTTP protocols are now rejected before fetching.
8
+ - Updated dependencies [ad4cfc2]
9
+ - @ai-sdk/provider-utils@4.0.19
10
+ - @ai-sdk/gateway@3.0.66
11
+
3
12
  ## 6.0.115
4
13
 
5
14
  ### Patch Changes
package/dist/index.js CHANGED
@@ -1230,7 +1230,7 @@ var import_provider_utils3 = require("@ai-sdk/provider-utils");
1230
1230
  var import_provider_utils4 = require("@ai-sdk/provider-utils");
1231
1231
 
1232
1232
  // src/version.ts
1233
- var VERSION = true ? "6.0.115" : "0.0.0-test";
1233
+ var VERSION = true ? "6.0.116" : "0.0.0-test";
1234
1234
 
1235
1235
  // src/util/download/download.ts
1236
1236
  var download = async ({
@@ -1240,6 +1240,7 @@ var download = async ({
1240
1240
  }) => {
1241
1241
  var _a21;
1242
1242
  const urlText = url.toString();
1243
+ (0, import_provider_utils3.validateDownloadUrl)(urlText);
1243
1244
  try {
1244
1245
  const response = await fetch(urlText, {
1245
1246
  headers: (0, import_provider_utils4.withUserAgentSuffix)(