contentful 11.12.3 → 11.12.4

package/dist/contentful.cjs

@@ -5,15 +5,17 @@ var require$$0$1 = require('stream');
 var require$$1$1 = require('path');
 var require$$3 = require('http');
 var require$$4 = require('https');
-var require$$5 = require('url');
+var require$$2 = require('url');
 var require$$6 = require('fs');
 var require$$8 = require('crypto');
-var require$$5$1 = require('http2');
-var require$$4$1 = require('assert');
+var require$$0$5 = require('net');
+var require$$1$2 = require('tls');
+var require$$3$1 = require('assert');
 var require$$0$3 = require('tty');
 var require$$0$2 = require('os');
-var require$$9 = require('zlib');
-var require$$11 = require('events');
+var require$$0$4 = require('events');
+var require$$6$1 = require('http2');
+var require$$10 = require('zlib');
 var process$1 = require('process');
 
 function _OverloadYield(e, d) {
@@ -12536,7 +12538,7 @@ var util$1 = require$$1;
 var path$1 = require$$1$1;
 var http$2 = require$$3;
 var https$2 = require$$4;
-var parseUrl$2 = require$$5.parse;
+var parseUrl$2 = require$$2.parse;
 var fs = require$$6;
 var Stream = require$$0$1.Stream;
 var crypto$1 = require$$8;
@@ -12982,9 +12984,9 @@ setToStringTag(FormData$2.prototype, 'FormData');
 // Public API
 var form_data = FormData$2;
 
-var followRedirects$1 = {exports: {}};
+var agent = {};
 
-var src = {exports: {}};
+var src$1 = {exports: {}};
 
 var browser = {exports: {}};
 
@@ -13920,15 +13922,529 @@ function requireNode() {
  */
 var hasRequiredSrc;
 function requireSrc() {
-  if (hasRequiredSrc) return src.exports;
+  if (hasRequiredSrc) return src$1.exports;
   hasRequiredSrc = 1;
   if (typeof process === 'undefined' || process.type === 'renderer' || process.browser === true || process.__nwjs) {
-    src.exports = requireBrowser();
+    src$1.exports = requireBrowser();
   } else {
-    src.exports = requireNode();
+    src$1.exports = requireNode();
   }
-  return src.exports;
+  return src$1.exports;
+}
+
+var promisify$1 = {};
+
+Object.defineProperty(promisify$1, "__esModule", {
+  value: true
+});
+function promisify(fn) {
+  return function (req, opts) {
+    return new Promise((resolve, reject) => {
+      fn.call(this, req, opts, (err, rtn) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve(rtn);
+        }
+      });
+    });
+  };
 }
+promisify$1.default = promisify;
+
+var __importDefault$3 = undefined && undefined.__importDefault || function (mod) {
+  return mod && mod.__esModule ? mod : {
+    "default": mod
+  };
+};
+const events_1 = require$$0$4;
+const debug_1$3 = __importDefault$3(requireSrc());
+const promisify_1 = __importDefault$3(promisify$1);
+const debug$4 = debug_1$3.default('agent-base');
+function isAgent(v) {
+  return Boolean(v) && typeof v.addRequest === 'function';
+}
+function isSecureEndpoint() {
+  const {
+    stack
+  } = new Error();
+  if (typeof stack !== 'string') return false;
+  return stack.split('\n').some(l => l.indexOf('(https.js:') !== -1 || l.indexOf('node:https:') !== -1);
+}
+function createAgent(callback, opts) {
+  return new createAgent.Agent(callback, opts);
+}
+(function (createAgent) {
+  /**
+   * Base `http.Agent` implementation.
+   * No pooling/keep-alive is implemented by default.
+   *
+   * @param {Function} callback
+   * @api public
+   */
+  class Agent extends events_1.EventEmitter {
+    constructor(callback, _opts) {
+      super();
+      let opts = _opts;
+      if (typeof callback === 'function') {
+        this.callback = callback;
+      } else if (callback) {
+        opts = callback;
+      }
+      // Timeout for the socket to be returned from the callback
+      this.timeout = null;
+      if (opts && typeof opts.timeout === 'number') {
+        this.timeout = opts.timeout;
+      }
+      // These aren't actually used by `agent-base`, but are required
+      // for the TypeScript definition files in `@types/node` :/
+      this.maxFreeSockets = 1;
+      this.maxSockets = 1;
+      this.maxTotalSockets = Infinity;
+      this.sockets = {};
+      this.freeSockets = {};
+      this.requests = {};
+      this.options = {};
+    }
+    get defaultPort() {
+      if (typeof this.explicitDefaultPort === 'number') {
+        return this.explicitDefaultPort;
+      }
+      return isSecureEndpoint() ? 443 : 80;
+    }
+    set defaultPort(v) {
+      this.explicitDefaultPort = v;
+    }
+    get protocol() {
+      if (typeof this.explicitProtocol === 'string') {
+        return this.explicitProtocol;
+      }
+      return isSecureEndpoint() ? 'https:' : 'http:';
+    }
+    set protocol(v) {
+      this.explicitProtocol = v;
+    }
+    callback(req, opts, fn) {
+      throw new Error('"agent-base" has no default implementation, you must subclass and override `callback()`');
+    }
+    /**
+     * Called by node-core's "_http_client.js" module when creating
+     * a new HTTP request with this Agent instance.
+     *
+     * @api public
+     */
+    addRequest(req, _opts) {
+      const opts = Object.assign({}, _opts);
+      if (typeof opts.secureEndpoint !== 'boolean') {
+        opts.secureEndpoint = isSecureEndpoint();
+      }
+      if (opts.host == null) {
+        opts.host = 'localhost';
+      }
+      if (opts.port == null) {
+        opts.port = opts.secureEndpoint ? 443 : 80;
+      }
+      if (opts.protocol == null) {
+        opts.protocol = opts.secureEndpoint ? 'https:' : 'http:';
+      }
+      if (opts.host && opts.path) {
+        // If both a `host` and `path` are specified then it's most
+        // likely the result of a `url.parse()` call... we need to
+        // remove the `path` portion so that `net.connect()` doesn't
+        // attempt to open that as a unix socket file.
+        delete opts.path;
+      }
+      delete opts.agent;
+      delete opts.hostname;
+      delete opts._defaultAgent;
+      delete opts.defaultPort;
+      delete opts.createConnection;
+      // Hint to use "Connection: close"
+      // XXX: non-documented `http` module API :(
+      req._last = true;
+      req.shouldKeepAlive = false;
+      let timedOut = false;
+      let timeoutId = null;
+      const timeoutMs = opts.timeout || this.timeout;
+      const onerror = err => {
+        if (req._hadError) return;
+        req.emit('error', err);
+        // For Safety. Some additional errors might fire later on
+        // and we need to make sure we don't double-fire the error event.
+        req._hadError = true;
+      };
+      const ontimeout = () => {
+        timeoutId = null;
+        timedOut = true;
+        const err = new Error(`A "socket" was not created for HTTP request before ${timeoutMs}ms`);
+        err.code = 'ETIMEOUT';
+        onerror(err);
+      };
+      const callbackError = err => {
+        if (timedOut) return;
+        if (timeoutId !== null) {
+          clearTimeout(timeoutId);
+          timeoutId = null;
+        }
+        onerror(err);
+      };
+      const onsocket = socket => {
+        if (timedOut) return;
+        if (timeoutId != null) {
+          clearTimeout(timeoutId);
+          timeoutId = null;
+        }
+        if (isAgent(socket)) {
+          // `socket` is actually an `http.Agent` instance, so
+          // relinquish responsibility for this `req` to the Agent
+          // from here on
+          debug$4('Callback returned another Agent instance %o', socket.constructor.name);
+          socket.addRequest(req, opts);
+          return;
+        }
+        if (socket) {
+          socket.once('free', () => {
+            this.freeSocket(socket, opts);
+          });
+          req.onSocket(socket);
+          return;
+        }
+        const err = new Error(`no Duplex stream was returned to agent-base for \`${req.method} ${req.path}\``);
+        onerror(err);
+      };
+      if (typeof this.callback !== 'function') {
+        onerror(new Error('`callback` is not defined'));
+        return;
+      }
+      if (!this.promisifiedCallback) {
+        if (this.callback.length >= 3) {
+          debug$4('Converting legacy callback function to promise');
+          this.promisifiedCallback = promisify_1.default(this.callback);
+        } else {
+          this.promisifiedCallback = this.callback;
+        }
+      }
+      if (typeof timeoutMs === 'number' && timeoutMs > 0) {
+        timeoutId = setTimeout(ontimeout, timeoutMs);
+      }
+      if ('port' in opts && typeof opts.port !== 'number') {
+        opts.port = Number(opts.port);
+      }
+      try {
+        debug$4('Resolving socket for %o request: %o', opts.protocol, `${req.method} ${req.path}`);
+        Promise.resolve(this.promisifiedCallback(req, opts)).then(onsocket, callbackError);
+      } catch (err) {
+        Promise.reject(err).catch(callbackError);
+      }
+    }
+    freeSocket(socket, opts) {
+      debug$4('Freeing socket %o %o', socket.constructor.name, opts);
+      socket.destroy();
+    }
+    destroy() {
+      debug$4('Destroying agent %o', this.constructor.name);
+    }
+  }
+  createAgent.Agent = Agent;
+  // So that `instanceof` works correctly
+  createAgent.prototype = createAgent.Agent.prototype;
+})(createAgent || (createAgent = {}));
+var src = createAgent;
+
+var parseProxyResponse$1 = {};
+
+var __importDefault$2 = undefined && undefined.__importDefault || function (mod) {
+  return mod && mod.__esModule ? mod : {
+    "default": mod
+  };
+};
+Object.defineProperty(parseProxyResponse$1, "__esModule", {
+  value: true
+});
+const debug_1$2 = __importDefault$2(requireSrc());
+const debug$3 = debug_1$2.default('https-proxy-agent:parse-proxy-response');
+function parseProxyResponse(socket) {
+  return new Promise((resolve, reject) => {
+    // we need to buffer any HTTP traffic that happens with the proxy before we get
+    // the CONNECT response, so that if the response is anything other than an "200"
+    // response code, then we can re-play the "data" events on the socket once the
+    // HTTP parser is hooked up...
+    let buffersLength = 0;
+    const buffers = [];
+    function read() {
+      const b = socket.read();
+      if (b) ondata(b);else socket.once('readable', read);
+    }
+    function cleanup() {
+      socket.removeListener('end', onend);
+      socket.removeListener('error', onerror);
+      socket.removeListener('close', onclose);
+      socket.removeListener('readable', read);
+    }
+    function onclose(err) {
+      debug$3('onclose had error %o', err);
+    }
+    function onend() {
+      debug$3('onend');
+    }
+    function onerror(err) {
+      cleanup();
+      debug$3('onerror %o', err);
+      reject(err);
+    }
+    function ondata(b) {
+      buffers.push(b);
+      buffersLength += b.length;
+      const buffered = Buffer.concat(buffers, buffersLength);
+      const endOfHeaders = buffered.indexOf('\r\n\r\n');
+      if (endOfHeaders === -1) {
+        // keep buffering
+        debug$3('have not received end of HTTP headers yet...');
+        read();
+        return;
+      }
+      const firstLine = buffered.toString('ascii', 0, buffered.indexOf('\r\n'));
+      const statusCode = +firstLine.split(' ')[1];
+      debug$3('got proxy server response: %o', firstLine);
+      resolve({
+        statusCode,
+        buffered
+      });
+    }
+    socket.on('error', onerror);
+    socket.on('close', onclose);
+    socket.on('end', onend);
+    read();
+  });
+}
+parseProxyResponse$1.default = parseProxyResponse;
+
+var __awaiter = undefined && undefined.__awaiter || function (thisArg, _arguments, P, generator) {
+  function adopt(value) {
+    return value instanceof P ? value : new P(function (resolve) {
+      resolve(value);
+    });
+  }
+  return new (P || (P = Promise))(function (resolve, reject) {
+    function fulfilled(value) {
+      try {
+        step(generator.next(value));
+      } catch (e) {
+        reject(e);
+      }
+    }
+    function rejected(value) {
+      try {
+        step(generator["throw"](value));
+      } catch (e) {
+        reject(e);
+      }
+    }
+    function step(result) {
+      result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected);
+    }
+    step((generator = generator.apply(thisArg, _arguments || [])).next());
+  });
+};
+var __importDefault$1 = undefined && undefined.__importDefault || function (mod) {
+  return mod && mod.__esModule ? mod : {
+    "default": mod
+  };
+};
+Object.defineProperty(agent, "__esModule", {
+  value: true
+});
+const net_1 = __importDefault$1(require$$0$5);
+const tls_1 = __importDefault$1(require$$1$2);
+const url_1 = __importDefault$1(require$$2);
+const assert_1 = __importDefault$1(require$$3$1);
+const debug_1$1 = __importDefault$1(requireSrc());
+const agent_base_1 = src;
+const parse_proxy_response_1 = __importDefault$1(parseProxyResponse$1);
+const debug$2 = debug_1$1.default('https-proxy-agent:agent');
+/**
+ * The `HttpsProxyAgent` implements an HTTP Agent subclass that connects to
+ * the specified "HTTP(s) proxy server" in order to proxy HTTPS requests.
+ *
+ * Outgoing HTTP requests are first tunneled through the proxy server using the
+ * `CONNECT` HTTP request method to establish a connection to the proxy server,
+ * and then the proxy server connects to the destination target and issues the
+ * HTTP request from the proxy server.
+ *
+ * `https:` requests have their socket connection upgraded to TLS once
+ * the connection to the proxy server has been established.
+ *
+ * @api public
+ */
+let HttpsProxyAgent$1 = class HttpsProxyAgent extends agent_base_1.Agent {
+  constructor(_opts) {
+    let opts;
+    if (typeof _opts === 'string') {
+      opts = url_1.default.parse(_opts);
+    } else {
+      opts = _opts;
+    }
+    if (!opts) {
+      throw new Error('an HTTP(S) proxy server `host` and `port` must be specified!');
+    }
+    debug$2('creating new HttpsProxyAgent instance: %o', opts);
+    super(opts);
+    const proxy = Object.assign({}, opts);
+    // If `true`, then connect to the proxy server over TLS.
+    // Defaults to `false`.
+    this.secureProxy = opts.secureProxy || isHTTPS(proxy.protocol);
+    // Prefer `hostname` over `host`, and set the `port` if needed.
+    proxy.host = proxy.hostname || proxy.host;
+    if (typeof proxy.port === 'string') {
+      proxy.port = parseInt(proxy.port, 10);
+    }
+    if (!proxy.port && proxy.host) {
+      proxy.port = this.secureProxy ? 443 : 80;
+    }
+    // ALPN is supported by Node.js >= v5.
+    // attempt to negotiate http/1.1 for proxy servers that support http/2
+    if (this.secureProxy && !('ALPNProtocols' in proxy)) {
+      proxy.ALPNProtocols = ['http 1.1'];
+    }
+    if (proxy.host && proxy.path) {
+      // If both a `host` and `path` are specified then it's most likely
+      // the result of a `url.parse()` call... we need to remove the
+      // `path` portion so that `net.connect()` doesn't attempt to open
+      // that as a Unix socket file.
+      delete proxy.path;
+      delete proxy.pathname;
+    }
+    this.proxy = proxy;
+  }
+  /**
+   * Called when the node-core HTTP client library is creating a
+   * new HTTP request.
+   *
+   * @api protected
+   */
+  callback(req, opts) {
+    return __awaiter(this, void 0, void 0, function* () {
+      const {
+        proxy,
+        secureProxy
+      } = this;
+      // Create a socket connection to the proxy server.
+      let socket;
+      if (secureProxy) {
+        debug$2('Creating `tls.Socket`: %o', proxy);
+        socket = tls_1.default.connect(proxy);
+      } else {
+        debug$2('Creating `net.Socket`: %o', proxy);
+        socket = net_1.default.connect(proxy);
+      }
+      const headers = Object.assign({}, proxy.headers);
+      const hostname = `${opts.host}:${opts.port}`;
+      let payload = `CONNECT ${hostname} HTTP/1.1\r\n`;
+      // Inject the `Proxy-Authorization` header if necessary.
+      if (proxy.auth) {
+        headers['Proxy-Authorization'] = `Basic ${Buffer.from(proxy.auth).toString('base64')}`;
+      }
+      // The `Host` header should only include the port
+      // number when it is not the default port.
+      let {
+        host,
+        port,
+        secureEndpoint
+      } = opts;
+      if (!isDefaultPort(port, secureEndpoint)) {
+        host += `:${port}`;
+      }
+      headers.Host = host;
+      headers.Connection = 'close';
+      for (const name of Object.keys(headers)) {
+        payload += `${name}: ${headers[name]}\r\n`;
+      }
+      const proxyResponsePromise = parse_proxy_response_1.default(socket);
+      socket.write(`${payload}\r\n`);
+      const {
+        statusCode,
+        buffered
+      } = yield proxyResponsePromise;
+      if (statusCode === 200) {
+        req.once('socket', resume);
+        if (opts.secureEndpoint) {
+          // The proxy is connecting to a TLS server, so upgrade
+          // this socket connection to a TLS connection.
+          debug$2('Upgrading socket connection to TLS');
+          const servername = opts.servername || opts.host;
+          return tls_1.default.connect(Object.assign(Object.assign({}, omit(opts, 'host', 'hostname', 'path', 'port')), {
+            socket,
+            servername
+          }));
+        }
+        return socket;
+      }
+      // Some other status code that's not 200... need to re-play the HTTP
+      // header "data" events onto the socket once the HTTP machinery is
+      // attached so that the node core `http` can parse and handle the
+      // error status code.
+      // Close the original socket, and a new "fake" socket is returned
+      // instead, so that the proxy doesn't get the HTTP request
+      // written to it (which may contain `Authorization` headers or other
+      // sensitive data).
+      //
+      // See: https://hackerone.com/reports/541502
+      socket.destroy();
+      const fakeSocket = new net_1.default.Socket({
+        writable: false
+      });
+      fakeSocket.readable = true;
+      // Need to wait for the "socket" event to re-play the "data" events.
+      req.once('socket', s => {
+        debug$2('replaying proxy buffer for failed request');
+        assert_1.default(s.listenerCount('data') > 0);
+        // Replay the "buffered" Buffer onto the fake `socket`, since at
+        // this point the HTTP module machinery has been hooked up for
+        // the user.
+        s.push(buffered);
+        s.push(null);
+      });
+      return fakeSocket;
+    });
+  }
+};
+agent.default = HttpsProxyAgent$1;
+function resume(socket) {
+  socket.resume();
+}
+function isDefaultPort(port, secure) {
+  return Boolean(!secure && port === 80 || secure && port === 443);
+}
+function isHTTPS(protocol) {
+  return typeof protocol === 'string' ? /^https:?$/i.test(protocol) : false;
+}
+function omit(obj, ...keys) {
+  const ret = {};
+  let key;
+  for (key in obj) {
+    if (!keys.includes(key)) {
+      ret[key] = obj[key];
+    }
+  }
+  return ret;
+}
+
+var __importDefault = undefined && undefined.__importDefault || function (mod) {
+  return mod && mod.__esModule ? mod : {
+    "default": mod
+  };
+};
+const agent_1 = __importDefault(agent);
+function createHttpsProxyAgent(opts) {
+  return new agent_1.default(opts);
+}
+(function (createHttpsProxyAgent) {
+  createHttpsProxyAgent.HttpsProxyAgent = agent_1.default;
+  createHttpsProxyAgent.prototype = agent_1.default.prototype;
+})(createHttpsProxyAgent || (createHttpsProxyAgent = {}));
+var dist = createHttpsProxyAgent;
+
+var followRedirects$1 = {exports: {}};
 
 var debug$1;
 var debug_1 = function () {
@@ -13944,12 +14460,12 @@ var debug_1 = function () {
   debug$1.apply(null, arguments);
 };
 
-var url$1 = require$$5;
+var url$1 = require$$2;
 var URL$1 = url$1.URL;
 var http$1 = require$$3;
 var https$1 = require$$4;
 var Writable = require$$0$1.Writable;
-var assert = require$$4$1;
+var assert = require$$3$1;
 var debug = debug_1;
 
 // Preventive platform detection
@@ -14609,16 +15125,17 @@ var followRedirectsExports = followRedirects$1.exports;
 
 var FormData$1 = form_data;
 var crypto = require$$8;
-var url = require$$5;
+var url = require$$2;
+var HttpsProxyAgent = dist;
 var http = require$$3;
 var https = require$$4;
-var http2 = require$$5$1;
+var http2 = require$$6$1;
 var util = require$$1;
 var path = require$$1$1;
 var followRedirects = followRedirectsExports;
-var zlib = require$$9;
+var zlib = require$$10;
 var stream = require$$0$1;
-var events = require$$11;
+var events = require$$0$4;
 
 /**
  * Create a bound version of a function with a specified `this` context
@@ -15343,10 +15860,10 @@ function isSpecCompliantForm(thing) {
  * @returns {Object} The JSON-compatible object.
  */
 const toJSONObject = obj => {
-  const stack = new Array(10);
-  const visit = (source, i) => {
+  const visited = new WeakSet();
+  const visit = source => {
     if (isObject(source)) {
-      if (stack.indexOf(source) >= 0) {
+      if (visited.has(source)) {
         return;
       }
 
@@ -15355,19 +15872,20 @@ const toJSONObject = obj => {
         return source;
       }
       if (!('toJSON' in source)) {
-        stack[i] = source;
+        // add-on descent / delete-on-ascent: preserves path semantics, so DAG nodes serialise at every occurrence (see #7230).
+        visited.add(source);
         const target = isArray$7(source) ? [] : {};
         forEach(source, (value, key) => {
-          const reducedValue = visit(value, i + 1);
+          const reducedValue = visit(value);
           !isUndefined(reducedValue) && (target[key] = reducedValue);
         });
-        stack[i] = undefined;
+        visited.delete(source);
         return target;
       }
     }
     return source;
   };
-  return visit(obj, 0);
+  return visit(obj);
 };
 
 /**
@@ -15533,8 +16051,6 @@ var parseHeaders = rawHeaders => {
   });
   return parsed;
 };
-const $internals = Symbol('internals');
-const INVALID_HEADER_VALUE_CHARS_RE = /[^\x09\x20-\x7E\x80-\xFF]/g;
 function trimSPorHTAB(str) {
   let start = 0;
   let end = str.length;
@@ -15554,12 +16070,31 @@ function trimSPorHTAB(str) {
   }
   return start === 0 && end === str.length ? str : str.slice(start, end);
 }
+
+// The control-code ranges are intentional: header sanitization strips C0/DEL bytes.
+// eslint-disable-next-line no-control-regex
+const INVALID_UNICODE_HEADER_VALUE_CHARS = new RegExp('[\\u0000-\\u0008\\u000a-\\u001f\\u007f]+', 'g');
+// eslint-disable-next-line no-control-regex
+const INVALID_BYTE_STRING_HEADER_VALUE_CHARS = new RegExp('[^\\u0009\\u0020-\\u007e\\u0080-\\u00ff]+', 'g');
+function sanitizeValue(value, invalidChars) {
+  if (utils$1$1.isArray(value)) {
+    return value.map(item => sanitizeValue(item, invalidChars));
+  }
+  return trimSPorHTAB(String(value).replace(invalidChars, ''));
+}
+const sanitizeHeaderValue = value => sanitizeValue(value, INVALID_UNICODE_HEADER_VALUE_CHARS);
+const sanitizeByteStringHeaderValue = value => sanitizeValue(value, INVALID_BYTE_STRING_HEADER_VALUE_CHARS);
+function toByteStringHeaderObject(headers) {
+  const byteStringHeaders = Object.create(null);
+  utils$1$1.forEach(headers.toJSON(), (value, header) => {
+    byteStringHeaders[header] = sanitizeByteStringHeaderValue(value);
+  });
+  return byteStringHeaders;
+}
+const $internals = Symbol('internals');
 function normalizeHeader(header) {
   return header && String(header).trim().toLowerCase();
 }
-function sanitizeHeaderValue(str) {
-  return trimSPorHTAB(str.replace(INVALID_HEADER_VALUE_CHARS_RE, ''));
-}
 function normalizeValue(value) {
   if (value === false || value == null) {
     return value;
@@ -16444,7 +16979,7 @@ function formDataToJSON(formData) {
       }
       return !isNumericKey;
     }
-    if (!target[name] || !utils$1$1.isObject(target[name])) {
+    if (!utils$1$1.hasOwnProp(target, name) || !utils$1$1.isObject(target[name])) {
       target[name] = [];
     }
     const result = buildPath(path, value, target[name], index);
@@ -16780,12 +17315,15 @@ function shouldProxy(hostname, port) {
 function getEnv(key) {
   return process.env[key.toLowerCase()] || process.env[key.toUpperCase()] || '';
 }
-const VERSION = "1.16.0";
+const VERSION = "1.16.1";
 function parseProtocol(url) {
   const match = /^([-+\w]{1,25}):(?:\/\/)?/.exec(url);
   return match && match[1] || '';
 }
-const DATA_URL_PATTERN = /^(?:([^;]+);)?(?:[^;]+;)?(base64|),([\s\S]*)$/;
+
+// RFC 2397: data:[<mediatype>][;base64],<data>
+// mediatype = type/subtype followed by optional ;name=value parameters
+const DATA_URL_PATTERN = /^([^,;]+\/[^,;]+)?((?:;[^,;=]+=[^,;]+)*)(;base64)?,([\s\S]*)$/;
 
 /**
  * Parse data uri to a Buffer or Blob
@@ -16809,10 +17347,20 @@ function fromDataURI(uri, asBlob, options) {
     if (!match) {
       throw new AxiosError('Invalid URL', AxiosError.ERR_INVALID_URL);
     }
-    const mime = match[1];
-    const isBase64 = match[2];
-    const body = match[3];
-    const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8');
+    const type = match[1];
+    const params = match[2];
+    const encoding = match[3] ? 'base64' : 'utf8';
+    const body = match[4];
+
+    // RFC 2397 section 3: default mediatype is text/plain;charset=US-ASCII
+    // Bare `data:,` leaves mime undefined; Blob normalises that to "" per spec.
+    let mime;
+    if (type) {
+      mime = params ? type + params : type;
+    } else if (params) {
+      mime = 'text/plain' + params;
+    }
+    const buffer = Buffer.from(decodeURIComponent(body), encoding);
     if (asBlob) {
       if (!_Blob) {
         throw new AxiosError('Blob is not supported', AxiosError.ERR_NOT_SUPPORT);
@@ -17293,6 +17841,9 @@ const progressEventReducer = (listener, isDownloadStream, freq = 3) => {
   let bytesNotified = 0;
   const _speedometer = speedometer(50, 250);
   return throttle(e => {
+    if (!e || typeof e.loaded !== 'number') {
+      return;
+    }
     const rawLoaded = e.loaded;
     const total = e.lengthComputable ? e.total : undefined;
     const loaded = total != null ? Math.min(rawLoaded, total) : rawLoaded;
@@ -17443,6 +17994,32 @@ function setFormDataHeaders$1(headers, formHeaders, policy) {
 // the request currently owning that socket across keep-alive reuse (issue #10780).
 const kAxiosSocketListener = Symbol('axios.http.socketListener');
 const kAxiosCurrentReq = Symbol('axios.http.currentReq');
+
+// Tags HttpsProxyAgent instances installed by setProxy() so the redirect path
+// can strip them without clobbering a user-supplied agent that happens to be
+// an HttpsProxyAgent.
+const kAxiosInstalledTunnel = Symbol('axios.http.installedTunnel');
+
+// Cache of CONNECT-tunneling agents keyed by proxy config so repeat requests
+// through the same proxy reuse a single agent (and its socket pool). The
+// keyspace is bounded by the set of distinct proxy configs the process uses,
+// so unbounded growth is not a concern in practice.
+const tunnelingAgentCache = new Map();
+const tunnelingAgentCacheUser = new WeakMap();
+function getTunnelingAgent(agentOptions, userHttpsAgent) {
+  const key = agentOptions.protocol + '//' + agentOptions.hostname + ':' + (agentOptions.port || '') + '#' + (agentOptions.auth || '');
+  const cache = userHttpsAgent ? tunnelingAgentCacheUser.get(userHttpsAgent) || tunnelingAgentCacheUser.set(userHttpsAgent, new Map()).get(userHttpsAgent) : tunnelingAgentCache;
+  let agent = cache.get(key);
+  if (agent) return agent;
+  // Forward the user's TLS options (custom CA, rejectUnauthorized, client cert,
+  // etc.) into the tunneling agent so they apply to the origin TLS upgrade
+  // performed after CONNECT. Our proxy fields take precedence on conflict.
+  const merged = userHttpsAgent && userHttpsAgent.options ? _objectSpread2(_objectSpread2({}, userHttpsAgent.options), agentOptions) : agentOptions;
+  agent = new HttpsProxyAgent(merged);
+  agent[kAxiosInstalledTunnel] = true;
+  cache.set(key, agent);
+  return agent;
+}
 const supportedProtocols = platform.protocols.map(protocol => {
   return protocol + ':';
 });
@@ -17566,7 +18143,7 @@ function dispatchBeforeRedirect(options, responseDetails, requestDetails) {
  *
  * @returns {http.ClientRequestArgs}
  */
-function setProxy(options, configProxy, location, isRedirect) {
+function setProxy(options, configProxy, location, isRedirect, configHttpsAgent) {
   let proxy = configProxy;
   if (!proxy && proxy !== false) {
     const proxyUrl = getProxyForUrl(location);
@@ -17587,6 +18164,13 @@ function setProxy(options, configProxy, location, isRedirect) {
       }
     }
   }
+  // Strip any tunneling agent we installed for the previous hop so a redirect
+  // that drops the proxy or crosses an HTTPS↔HTTP boundary doesn't reuse a
+  // stale one. Match on our Symbol marker so a user-supplied HttpsProxyAgent
+  // (which won't carry the marker) is left alone.
+  if (isRedirect && options.agent && options.agent[kAxiosInstalledTunnel]) {
+    options.agent = undefined;
+  }
   if (proxy) {
     // Read proxy fields without traversing the prototype chain. URL instances expose
     // username/password/hostname/host/port/protocol via getters on URL.prototype (so
@@ -17619,37 +18203,84 @@ function setProxy(options, configProxy, location, isRedirect) {
           proxy
         });
       }
-      const base64 = Buffer.from(proxyAuth, 'utf8').toString('base64');
-      options.headers['Proxy-Authorization'] = 'Basic ' + base64;
     }
+    const targetIsHttps = isHttps.test(options.protocol);
+    if (targetIsHttps) {
+      // CONNECT-tunneling path for HTTPS targets. Preserves end-to-end TLS to
+      // the origin so the proxy cannot inspect the URL, headers, or body — the
+      // behavior already promised by THREATMODEL.md (T-R9). HttpsProxyAgent
+      // sends Proxy-Authorization on the CONNECT request only, never on the
+      // wrapped TLS request, which is why we don't stamp it onto
+      // options.headers here. If the user already supplied an HttpsProxyAgent,
+      // they own tunneling end-to-end and we leave them alone; otherwise we
+      // install our own tunneling agent and forward their TLS options (if any)
+      // so a custom httpsAgent for cert pinning / rejectUnauthorized still
+      // applies to the origin TLS upgrade.
+      if (!(configHttpsAgent instanceof HttpsProxyAgent)) {
+        const proxyHost = readProxyField('hostname') || readProxyField('host');
+        const proxyPort = readProxyField('port');
+        const rawProxyProtocol = readProxyField('protocol');
+        const normalizedProtocol = rawProxyProtocol ? rawProxyProtocol.includes(':') ? rawProxyProtocol : `${rawProxyProtocol}:` : 'http:';
+        // Bracket IPv6 literals for URL parsing; URL.hostname strips the
+        // brackets again on read so the agent receives the raw form.
+        const proxyHostForURL = proxyHost && proxyHost.includes(':') && !proxyHost.startsWith('[') ? `[${proxyHost}]` : proxyHost;
+        const proxyURL = new URL(`${normalizedProtocol}//${proxyHostForURL}${proxyPort ? ':' + proxyPort : ''}`);
+        const agentOptions = {
+          protocol: proxyURL.protocol,
+          hostname: proxyURL.hostname.replace(/^\[|\]$/g, ''),
+          port: proxyURL.port,
+          auth: proxyAuth && typeof proxyAuth === 'string' ? proxyAuth : undefined
+        };
+        if (proxyURL.protocol === 'https:') {
+          agentOptions.ALPNProtocols = ['http/1.1'];
+        }
+        const tunnelingAgent = getTunnelingAgent(agentOptions, configHttpsAgent);
+        // Set both: `options.agent` is consumed by the native https.request path
+        // (config.maxRedirects === 0); `options.agents.https` is consumed by
+        // follow-redirects, which ignores `options.agent` when `options.agents`
+        // is present.
+        options.agent = tunnelingAgent;
+        if (options.agents) {
+          options.agents.https = tunnelingAgent;
+        }
+      }
+    } else {
+      // Forward-proxy mode for plaintext HTTP targets. The request line carries
+      // the absolute URL and the proxy sees everything — acceptable for plain
+      // HTTP since the wire was already plaintext.
+      if (proxyAuth) {
+        const base64 = Buffer.from(proxyAuth, 'utf8').toString('base64');
+        options.headers['Proxy-Authorization'] = 'Basic ' + base64;
+      }
 
-    // Preserve a user-supplied Host header (case-insensitive) so callers can override
-    // the value forwarded to the proxy; otherwise default to the request URL's host.
-    let hasUserHostHeader = false;
-    for (const name of Object.keys(options.headers)) {
-      if (name.toLowerCase() === 'host') {
-        hasUserHostHeader = true;
-        break;
+      // Preserve a user-supplied Host header (case-insensitive) so callers can override
+      // the value forwarded to the proxy; otherwise default to the request URL's host.
+      let hasUserHostHeader = false;
+      for (const name of Object.keys(options.headers)) {
+        if (name.toLowerCase() === 'host') {
+          hasUserHostHeader = true;
+          break;
+        }
+      }
+      if (!hasUserHostHeader) {
+        options.headers.host = options.hostname + (options.port ? ':' + options.port : '');
+      }
+      const proxyHost = readProxyField('hostname') || readProxyField('host');
+      options.hostname = proxyHost;
+      // Replace 'host' since options is not a URL object
+      options.host = proxyHost;
+      options.port = readProxyField('port');
+      options.path = location;
+      const proxyProtocol = readProxyField('protocol');
+      if (proxyProtocol) {
+        options.protocol = proxyProtocol.includes(':') ? proxyProtocol : `${proxyProtocol}:`;
       }
-    }
-    if (!hasUserHostHeader) {
-      options.headers.host = options.hostname + (options.port ? ':' + options.port : '');
-    }
-    const proxyHost = readProxyField('hostname') || readProxyField('host');
-    options.hostname = proxyHost;
-    // Replace 'host' since options is not a URL object
-    options.host = proxyHost;
-    options.port = readProxyField('port');
-    options.path = location;
-    const proxyProtocol = readProxyField('protocol');
-    if (proxyProtocol) {
-      options.protocol = proxyProtocol.includes(':') ? proxyProtocol : `${proxyProtocol}:`;
     }
   }
   options.beforeRedirects.proxy = function beforeRedirect(redirectOptions) {
     // Configure proxy for redirected request, passing the original config proxy to apply
     // the exact same logic as if the redirected request was performed by axios directly.
-    setProxy(redirectOptions, configProxy, redirectOptions.href, true);
+    setProxy(redirectOptions, configProxy, redirectOptions.href, true, configHttpsAgent);
   };
 }
 const isHttpAdapterSupported = typeof process !== 'undefined' && utils$1$1.kindOf(process) === 'process';
@@ -17979,7 +18610,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
     const options = Object.assign(Object.create(null), {
       path: path$1,
       method: method,
-      headers: headers.toJSON(),
+      headers: toByteStringHeaderObject(headers),
       agents: {
         http: config.httpAgent,
         https: config.httpsAgent
@@ -18010,12 +18641,16 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
     } else {
       options.hostname = parsed.hostname.startsWith('[') ? parsed.hostname.slice(1, -1) : parsed.hostname;
       options.port = parsed.port;
-      setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path);
+      setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path, false, config.httpsAgent);
     }
     let transport;
     let isNativeTransport = false;
     const isHttpsRequest = isHttps.test(options.protocol);
-    options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent;
+    // Don't clobber a CONNECT-tunneling agent installed by setProxy() for an
+    // HTTPS target.
+    if (options.agent == null) {
+      options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent;
+    }
     if (isHttp2) {
       transport = http2Transport;
     } else {
@@ -18704,7 +19339,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) {
 
     // Add headers to the request
     if ('setRequestHeader' in request) {
-      utils$1$1.forEach(requestHeaders.toJSON(), function setRequestHeader(val, key) {
+      utils$1$1.forEach(toByteStringHeaderObject(requestHeaders), function setRequestHeader(val, key) {
         request.setRequestHeader(key, val);
       });
     }
@@ -18759,41 +19394,41 @@ var xhrAdapter = isXHRAdapterSupported && function (config) {
   });
 };
 const composeSignals = (signals, timeout) => {
-  const {
-    length
-  } = signals = signals ? signals.filter(Boolean) : [];
-  if (timeout || length) {
-    let controller = new AbortController();
-    let aborted;
-    const onabort = function (reason) {
-      if (!aborted) {
-        aborted = true;
-        unsubscribe();
-        const err = reason instanceof Error ? reason : this.reason;
-        controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err));
-      }
-    };
-    let timer = timeout && setTimeout(() => {
-      timer = null;
-      onabort(new AxiosError(`timeout of ${timeout}ms exceeded`, AxiosError.ETIMEDOUT));
-    }, timeout);
-    const unsubscribe = () => {
-      if (signals) {
-        timer && clearTimeout(timer);
-        timer = null;
-        signals.forEach(signal => {
-          signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort);
-        });
-        signals = null;
-      }
-    };
-    signals.forEach(signal => signal.addEventListener('abort', onabort));
-    const {
-      signal
-    } = controller;
-    signal.unsubscribe = () => utils$1$1.asap(unsubscribe);
-    return signal;
+  signals = signals ? signals.filter(Boolean) : [];
+  if (!timeout && !signals.length) {
+    return;
   }
+  const controller = new AbortController();
+  let aborted = false;
+  const onabort = function (reason) {
+    if (!aborted) {
+      aborted = true;
+      unsubscribe();
+      const err = reason instanceof Error ? reason : this.reason;
+      controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err));
+    }
+  };
+  let timer = timeout && setTimeout(() => {
+    timer = null;
+    onabort(new AxiosError(`timeout of ${timeout}ms exceeded`, AxiosError.ETIMEDOUT));
+  }, timeout);
+  const unsubscribe = () => {
+    if (!signals) {
+      return;
+    }
+    timer && clearTimeout(timer);
+    timer = null;
+    signals.forEach(signal => {
+      signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort);
+    });
+    signals = null;
+  };
+  signals.forEach(signal => signal.addEventListener('abort', onabort));
+  const {
+    signal
+  } = controller;
+  signal.unsubscribe = () => utils$1$1.asap(unsubscribe);
+  return signal;
 };
 const streamChunk = function* (chunk, chunkSize) {
   let len = chunk.byteLength;
@@ -18919,8 +19554,7 @@ const test = (fn, ...args) => {
   }
 };
 const factory = env => {
-  var _utils$global;
-  const globalObject = (_utils$global = utils$1$1.global) !== null && _utils$global !== void 0 ? _utils$global : globalThis;
+  const globalObject = utils$1$1.global !== undefined && utils$1$1.global !== null ? utils$1$1.global : globalThis;
   const {
     ReadableStream,
     TextEncoder
@@ -19088,7 +19722,7 @@ const factory = env => {
       const resolvedOptions = _objectSpread2(_objectSpread2({}, fetchOptions), {}, {
         signal: composedSignal,
         method: method.toUpperCase(),
-        headers: headers.normalize().toJSON(),
+        headers: toByteStringHeaderObject(headers.normalize()),
         body: data,
         duplex: 'half',
         credentials: isCredentialsSupported ? withCredentials : undefined
@@ -23978,8 +24612,13 @@ function checkEnableTimelinePreviewIsAllowed(host, timelinePreview) {
   }
   const isValidConfig = isValidTimelinePreviewConfig(timelinePreview);
   // Show error if used outside of CPA.
-  // Opt-out of the error if a custom domain is used and CPA could not be idenfified
-  const isValidHost = typeof host === 'string' && (!host.includes('contentful') || host.startsWith('preview'));
+  // Opt-out of the error if a custom domain is used and CPA could not be identified.
+  // Use an exact domain match to avoid false-positives on proxy hostnames that contain
+  // "contentful" as a substring (e.g. api-contentful-proxy.example.com).
+  const PREVIEW_HOST_REGEX = /^preview(\.eu)?\.contentful\.com$/;
+  const isContentfulHost = typeof host === 'string' && PREVIEW_HOST_REGEX.test(host);
+  const isCustomHost = typeof host !== 'string' || !host.endsWith('.contentful.com');
+  const isValidHost = isContentfulHost || isCustomHost;
   if (isValidConfig && !isValidHost) {
     throw new ValidationError('timelinePreview', `The 'timelinePreview' parameter can only be used with the CPA. Please set host to 'preview.contentful.com' or 'preview.eu.contentful.com' to enable Timeline Preview.
       `);