npm - ai - Versions diffs - 6.0.117 → 6.0.118 - Mend

ai 6.0.117 → 6.0.118

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CHANGELOG.md +12 -0
package/dist/index.js +4 -1
package/dist/index.js.map +1 -1
package/dist/index.mjs +4 -1
package/dist/index.mjs.map +1 -1
package/dist/internal/index.js +4 -1
package/dist/internal/index.js.map +1 -1
package/dist/internal/index.mjs +4 -1
package/dist/internal/index.mjs.map +1 -1
package/package.json +3 -3
package/src/util/download/download.ts +5 -0

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,17 @@
 # ai
+## 6.0.118
+### Patch Changes
+- 64ac0fd: fix(security): validate redirect targets in download functions to prevent SSRF bypass
+  Both `downloadBlob` and `download` now validate the final URL after following HTTP redirects, preventing attackers from bypassing SSRF protections via open redirects to internal/private addresses.
+- Updated dependencies [64ac0fd]
+  - @ai-sdk/provider-utils@4.0.20
+  - @ai-sdk/gateway@3.0.68
 ## 6.0.117
 ### Patch Changes

package/dist/index.js CHANGED Viewed

@@ -1230,7 +1230,7 @@ var import_provider_utils3 = require("@ai-sdk/provider-utils");
 var import_provider_utils4 = require("@ai-sdk/provider-utils");
 // src/version.ts
-var VERSION = true ? "6.0.117" : "0.0.0-test";
+var VERSION = true ? "6.0.118" : "0.0.0-test";
 // src/util/download/download.ts
 var download = async ({
@@ -1250,6 +1250,9 @@ var download = async ({
       ),
       signal: abortSignal
     });
+    if (response.redirected) {
+      (0, import_provider_utils3.validateDownloadUrl)(response.url);
+    }
     if (!response.ok) {
       throw new import_provider_utils3.DownloadError({
         url: urlText,