contentful 11.12.6 → 11.12.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -11232,7 +11232,7 @@ var mimeDb = require$$0;
11232
11232
  * Copyright(c) 2015 Douglas Christopher Wilson
11233
11233
  * MIT Licensed
11234
11234
  */
11235
- (function (exports$1) {
11235
+ (function (exports) {
11236
11236
 
11237
11237
  /**
11238
11238
  * Module dependencies.
@@ -11254,18 +11254,18 @@ var mimeDb = require$$0;
11254
11254
  * @public
11255
11255
  */
11256
11256
 
11257
- exports$1.charset = charset;
11258
- exports$1.charsets = {
11257
+ exports.charset = charset;
11258
+ exports.charsets = {
11259
11259
  lookup: charset
11260
11260
  };
11261
- exports$1.contentType = contentType;
11262
- exports$1.extension = extension;
11263
- exports$1.extensions = Object.create(null);
11264
- exports$1.lookup = lookup;
11265
- exports$1.types = Object.create(null);
11261
+ exports.contentType = contentType;
11262
+ exports.extension = extension;
11263
+ exports.extensions = Object.create(null);
11264
+ exports.lookup = lookup;
11265
+ exports.types = Object.create(null);
11266
11266
 
11267
11267
  // Populate the extensions/types maps
11268
- populateMaps(exports$1.extensions, exports$1.types);
11268
+ populateMaps(exports.extensions, exports.types);
11269
11269
 
11270
11270
  /**
11271
11271
  * Get the default charset for a MIME type.
@@ -11305,14 +11305,14 @@ var mimeDb = require$$0;
11305
11305
  if (!str || typeof str !== 'string') {
11306
11306
  return false;
11307
11307
  }
11308
- var mime = str.indexOf('/') === -1 ? exports$1.lookup(str) : str;
11308
+ var mime = str.indexOf('/') === -1 ? exports.lookup(str) : str;
11309
11309
  if (!mime) {
11310
11310
  return false;
11311
11311
  }
11312
11312
 
11313
11313
  // TODO: use content-type or other module
11314
11314
  if (mime.indexOf('charset') === -1) {
11315
- var charset = exports$1.charset(mime);
11315
+ var charset = exports.charset(mime);
11316
11316
  if (charset) mime += '; charset=' + charset.toLowerCase();
11317
11317
  }
11318
11318
  return mime;
@@ -11334,7 +11334,7 @@ var mimeDb = require$$0;
11334
11334
  var match = EXTRACT_TYPE_REGEXP.exec(type);
11335
11335
 
11336
11336
  // get extensions
11337
- var exts = match && exports$1.extensions[match[1].toLowerCase()];
11337
+ var exts = match && exports.extensions[match[1].toLowerCase()];
11338
11338
  if (!exts || !exts.length) {
11339
11339
  return false;
11340
11340
  }
@@ -11358,7 +11358,7 @@ var mimeDb = require$$0;
11358
11358
  if (!extension) {
11359
11359
  return false;
11360
11360
  }
11361
- return exports$1.types[extension] || false;
11361
+ return exports.types[extension] || false;
11362
11362
  }
11363
11363
 
11364
11364
  /**
@@ -13429,17 +13429,17 @@ var hasRequiredBrowser;
13429
13429
  function requireBrowser() {
13430
13430
  if (hasRequiredBrowser) return browser.exports;
13431
13431
  hasRequiredBrowser = 1;
13432
- (function (module, exports$1) {
13432
+ (function (module, exports) {
13433
13433
  /**
13434
13434
  * This is the web browser implementation of `debug()`.
13435
13435
  */
13436
13436
 
13437
- exports$1.formatArgs = formatArgs;
13438
- exports$1.save = save;
13439
- exports$1.load = load;
13440
- exports$1.useColors = useColors;
13441
- exports$1.storage = localstorage();
13442
- exports$1.destroy = (() => {
13437
+ exports.formatArgs = formatArgs;
13438
+ exports.save = save;
13439
+ exports.load = load;
13440
+ exports.useColors = useColors;
13441
+ exports.storage = localstorage();
13442
+ exports.destroy = (() => {
13443
13443
  let warned = false;
13444
13444
  return () => {
13445
13445
  if (!warned) {
@@ -13453,7 +13453,7 @@ function requireBrowser() {
13453
13453
  * Colors.
13454
13454
  */
13455
13455
 
13456
- exports$1.colors = ['#0000CC', '#0000FF', '#0033CC', '#0033FF', '#0066CC', '#0066FF', '#0099CC', '#0099FF', '#00CC00', '#00CC33', '#00CC66', '#00CC99', '#00CCCC', '#00CCFF', '#3300CC', '#3300FF', '#3333CC', '#3333FF', '#3366CC', '#3366FF', '#3399CC', '#3399FF', '#33CC00', '#33CC33', '#33CC66', '#33CC99', '#33CCCC', '#33CCFF', '#6600CC', '#6600FF', '#6633CC', '#6633FF', '#66CC00', '#66CC33', '#9900CC', '#9900FF', '#9933CC', '#9933FF', '#99CC00', '#99CC33', '#CC0000', '#CC0033', '#CC0066', '#CC0099', '#CC00CC', '#CC00FF', '#CC3300', '#CC3333', '#CC3366', '#CC3399', '#CC33CC', '#CC33FF', '#CC6600', '#CC6633', '#CC9900', '#CC9933', '#CCCC00', '#CCCC33', '#FF0000', '#FF0033', '#FF0066', '#FF0099', '#FF00CC', '#FF00FF', '#FF3300', '#FF3333', '#FF3366', '#FF3399', '#FF33CC', '#FF33FF', '#FF6600', '#FF6633', '#FF9900', '#FF9933', '#FFCC00', '#FFCC33'];
13456
+ exports.colors = ['#0000CC', '#0000FF', '#0033CC', '#0033FF', '#0066CC', '#0066FF', '#0099CC', '#0099FF', '#00CC00', '#00CC33', '#00CC66', '#00CC99', '#00CCCC', '#00CCFF', '#3300CC', '#3300FF', '#3333CC', '#3333FF', '#3366CC', '#3366FF', '#3399CC', '#3399FF', '#33CC00', '#33CC33', '#33CC66', '#33CC99', '#33CCCC', '#33CCFF', '#6600CC', '#6600FF', '#6633CC', '#6633FF', '#66CC00', '#66CC33', '#9900CC', '#9900FF', '#9933CC', '#9933FF', '#99CC00', '#99CC33', '#CC0000', '#CC0033', '#CC0066', '#CC0099', '#CC00CC', '#CC00FF', '#CC3300', '#CC3333', '#CC3366', '#CC3399', '#CC33CC', '#CC33FF', '#CC6600', '#CC6633', '#CC9900', '#CC9933', '#CCCC00', '#CCCC33', '#FF0000', '#FF0033', '#FF0066', '#FF0099', '#FF00CC', '#FF00FF', '#FF3300', '#FF3333', '#FF3366', '#FF3399', '#FF33CC', '#FF33FF', '#FF6600', '#FF6633', '#FF9900', '#FF9933', '#FFCC00', '#FFCC33'];
13457
13457
 
13458
13458
  /**
13459
13459
  * Currently only WebKit-based Web Inspectors, Firefox >= v31,
@@ -13532,7 +13532,7 @@ function requireBrowser() {
13532
13532
  *
13533
13533
  * @api public
13534
13534
  */
13535
- exports$1.log = console.debug || console.log || (() => {});
13535
+ exports.log = console.debug || console.log || (() => {});
13536
13536
 
13537
13537
  /**
13538
13538
  * Save `namespaces`.
@@ -13543,9 +13543,9 @@ function requireBrowser() {
13543
13543
  function save(namespaces) {
13544
13544
  try {
13545
13545
  if (namespaces) {
13546
- exports$1.storage.setItem('debug', namespaces);
13546
+ exports.storage.setItem('debug', namespaces);
13547
13547
  } else {
13548
- exports$1.storage.removeItem('debug');
13548
+ exports.storage.removeItem('debug');
13549
13549
  }
13550
13550
  } catch (error) {
13551
13551
  // Swallow
@@ -13562,7 +13562,7 @@ function requireBrowser() {
13562
13562
  function load() {
13563
13563
  let r;
13564
13564
  try {
13565
- r = exports$1.storage.getItem('debug') || exports$1.storage.getItem('DEBUG');
13565
+ r = exports.storage.getItem('debug') || exports.storage.getItem('DEBUG');
13566
13566
  } catch (error) {
13567
13567
  // Swallow
13568
13568
  // XXX (@Qix-) should we be logging these?
@@ -13596,7 +13596,7 @@ function requireBrowser() {
13596
13596
  // XXX (@Qix-) should we be logging these?
13597
13597
  }
13598
13598
  }
13599
- module.exports = requireCommon()(exports$1);
13599
+ module.exports = requireCommon()(exports);
13600
13600
  const {
13601
13601
  formatters
13602
13602
  } = module.exports;
@@ -13743,7 +13743,7 @@ var hasRequiredNode;
13743
13743
  function requireNode() {
13744
13744
  if (hasRequiredNode) return node.exports;
13745
13745
  hasRequiredNode = 1;
13746
- (function (module, exports$1) {
13746
+ (function (module, exports) {
13747
13747
  const tty = require$$0$3;
13748
13748
  const util = require$$1;
13749
13749
 
@@ -13751,25 +13751,25 @@ function requireNode() {
13751
13751
  * This is the Node.js implementation of `debug()`.
13752
13752
  */
13753
13753
 
13754
- exports$1.init = init;
13755
- exports$1.log = log;
13756
- exports$1.formatArgs = formatArgs;
13757
- exports$1.save = save;
13758
- exports$1.load = load;
13759
- exports$1.useColors = useColors;
13760
- exports$1.destroy = util.deprecate(() => {}, 'Instance method `debug.destroy()` is deprecated and no longer does anything. It will be removed in the next major version of `debug`.');
13754
+ exports.init = init;
13755
+ exports.log = log;
13756
+ exports.formatArgs = formatArgs;
13757
+ exports.save = save;
13758
+ exports.load = load;
13759
+ exports.useColors = useColors;
13760
+ exports.destroy = util.deprecate(() => {}, 'Instance method `debug.destroy()` is deprecated and no longer does anything. It will be removed in the next major version of `debug`.');
13761
13761
 
13762
13762
  /**
13763
13763
  * Colors.
13764
13764
  */
13765
13765
 
13766
- exports$1.colors = [6, 2, 3, 4, 5, 1];
13766
+ exports.colors = [6, 2, 3, 4, 5, 1];
13767
13767
  try {
13768
13768
  // Optional dependency (as in, doesn't need to be installed, NOT like optionalDependencies in package.json)
13769
13769
  // eslint-disable-next-line import/no-extraneous-dependencies
13770
13770
  const supportsColor = requireSupportsColor();
13771
13771
  if (supportsColor && (supportsColor.stderr || supportsColor).level >= 2) {
13772
- exports$1.colors = [20, 21, 26, 27, 32, 33, 38, 39, 40, 41, 42, 43, 44, 45, 56, 57, 62, 63, 68, 69, 74, 75, 76, 77, 78, 79, 80, 81, 92, 93, 98, 99, 112, 113, 128, 129, 134, 135, 148, 149, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 178, 179, 184, 185, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 214, 215, 220, 221];
13772
+ exports.colors = [20, 21, 26, 27, 32, 33, 38, 39, 40, 41, 42, 43, 44, 45, 56, 57, 62, 63, 68, 69, 74, 75, 76, 77, 78, 79, 80, 81, 92, 93, 98, 99, 112, 113, 128, 129, 134, 135, 148, 149, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 178, 179, 184, 185, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 214, 215, 220, 221];
13773
13773
  }
13774
13774
  } catch (error) {
13775
13775
  // Swallow - we only care if `supports-color` is available; it doesn't have to be.
@@ -13781,7 +13781,7 @@ function requireNode() {
13781
13781
  * $ DEBUG_COLORS=no DEBUG_DEPTH=10 DEBUG_SHOW_HIDDEN=enabled node script.js
13782
13782
  */
13783
13783
 
13784
- exports$1.inspectOpts = Object.keys(process.env).filter(key => {
13784
+ exports.inspectOpts = Object.keys(process.env).filter(key => {
13785
13785
  return /^debug_/i.test(key);
13786
13786
  }).reduce((obj, key) => {
13787
13787
  // Camel-case
@@ -13809,7 +13809,7 @@ function requireNode() {
13809
13809
  */
13810
13810
 
13811
13811
  function useColors() {
13812
- return 'colors' in exports$1.inspectOpts ? Boolean(exports$1.inspectOpts.colors) : tty.isatty(process.stderr.fd);
13812
+ return 'colors' in exports.inspectOpts ? Boolean(exports.inspectOpts.colors) : tty.isatty(process.stderr.fd);
13813
13813
  }
13814
13814
 
13815
13815
  /**
@@ -13834,7 +13834,7 @@ function requireNode() {
13834
13834
  }
13835
13835
  }
13836
13836
  function getDate() {
13837
- if (exports$1.inspectOpts.hideDate) {
13837
+ if (exports.inspectOpts.hideDate) {
13838
13838
  return '';
13839
13839
  }
13840
13840
  return new Date().toISOString() + ' ';
@@ -13845,7 +13845,7 @@ function requireNode() {
13845
13845
  */
13846
13846
 
13847
13847
  function log(...args) {
13848
- return process.stderr.write(util.formatWithOptions(exports$1.inspectOpts, ...args) + '\n');
13848
+ return process.stderr.write(util.formatWithOptions(exports.inspectOpts, ...args) + '\n');
13849
13849
  }
13850
13850
 
13851
13851
  /**
@@ -13884,12 +13884,12 @@ function requireNode() {
13884
13884
 
13885
13885
  function init(debug) {
13886
13886
  debug.inspectOpts = {};
13887
- const keys = Object.keys(exports$1.inspectOpts);
13887
+ const keys = Object.keys(exports.inspectOpts);
13888
13888
  for (let i = 0; i < keys.length; i++) {
13889
- debug.inspectOpts[keys[i]] = exports$1.inspectOpts[keys[i]];
13889
+ debug.inspectOpts[keys[i]] = exports.inspectOpts[keys[i]];
13890
13890
  }
13891
13891
  }
13892
- module.exports = requireCommon()(exports$1);
13892
+ module.exports = requireCommon()(exports);
13893
13893
  const {
13894
13894
  formatters
13895
13895
  } = module.exports;
@@ -14925,7 +14925,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
14925
14925
  // Wraps the key/value object of protocols with redirect functionality
14926
14926
  function wrap(protocols) {
14927
14927
  // Default settings
14928
- var exports$1 = {
14928
+ var exports = {
14929
14929
  maxRedirects: 21,
14930
14930
  maxBodyLength: 10 * 1024 * 1024
14931
14931
  };
@@ -14935,7 +14935,7 @@ function wrap(protocols) {
14935
14935
  Object.keys(protocols).forEach(function (scheme) {
14936
14936
  var protocol = scheme + ":";
14937
14937
  var nativeProtocol = nativeProtocols[protocol] = protocols[scheme];
14938
- var wrappedProtocol = exports$1[scheme] = Object.create(nativeProtocol);
14938
+ var wrappedProtocol = exports[scheme] = Object.create(nativeProtocol);
14939
14939
 
14940
14940
  // Executes a request, following redirects
14941
14941
  function request(input, options, callback) {
@@ -14958,8 +14958,8 @@ function wrap(protocols) {
14958
14958
 
14959
14959
  // Set defaults
14960
14960
  options = Object.assign({
14961
- maxRedirects: exports$1.maxRedirects,
14962
- maxBodyLength: exports$1.maxBodyLength
14961
+ maxRedirects: exports.maxRedirects,
14962
+ maxBodyLength: exports.maxBodyLength
14963
14963
  }, input, options);
14964
14964
  options.nativeProtocols = nativeProtocols;
14965
14965
  if (!isString$4(options.host) && !isString$4(options.hostname)) {
@@ -14993,7 +14993,7 @@ function wrap(protocols) {
14993
14993
  }
14994
14994
  });
14995
14995
  });
14996
- return exports$1;
14996
+ return exports;
14997
14997
  }
14998
14998
  function noop$2() {/* empty */}
14999
14999
  function parseUrl$1(input) {
@@ -15161,6 +15161,52 @@ const {
15161
15161
  iterator,
15162
15162
  toStringTag: toStringTag$1
15163
15163
  } = Symbol;
15164
+
15165
+ /* Creating a function that will check if an object has a property. */
15166
+ const hasOwnProperty$3 = (({
15167
+ hasOwnProperty
15168
+ }) => (obj, prop) => hasOwnProperty.call(obj, prop))(Object.prototype);
15169
+
15170
+ /**
15171
+ * Walk the prototype chain (excluding the shared Object.prototype) looking for
15172
+ * an own `prop`. This distinguishes genuine own/inherited members — including
15173
+ * class accessors and template prototypes — from members injected via
15174
+ * Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
15175
+ * live on Object.prototype itself and are therefore never matched.
15176
+ *
15177
+ * @param {*} thing The value whose chain to inspect
15178
+ * @param {string|symbol} prop The property key to look for
15179
+ *
15180
+ * @returns {boolean} True when `prop` is owned below Object.prototype
15181
+ */
15182
+ const hasOwnInPrototypeChain = (thing, prop) => {
15183
+ let obj = thing;
15184
+ const seen = [];
15185
+ while (obj != null && obj !== Object.prototype) {
15186
+ if (seen.indexOf(obj) !== -1) {
15187
+ return false;
15188
+ }
15189
+ seen.push(obj);
15190
+ if (hasOwnProperty$3(obj, prop)) {
15191
+ return true;
15192
+ }
15193
+ obj = getPrototypeOf$1(obj);
15194
+ }
15195
+ return false;
15196
+ };
15197
+
15198
+ /**
15199
+ * Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
15200
+ * properties and members inherited from a non-Object.prototype source (a class
15201
+ * instance or template object) are honored; a value reachable only through a
15202
+ * polluted Object.prototype is ignored and `undefined` is returned.
15203
+ *
15204
+ * @param {*} obj The source object
15205
+ * @param {string|symbol} prop The property key to read
15206
+ *
15207
+ * @returns {*} The resolved value, or undefined when unsafe/absent
15208
+ */
15209
+ const getSafeProp = (obj, prop) => obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
15164
15210
  const kindOf = (cache => thing => {
15165
15211
  const str = toString.call(thing);
15166
15212
  return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase());
@@ -15279,11 +15325,15 @@ const isBoolean$1 = thing => thing === true || thing === false;
15279
15325
  * @returns {boolean} True if value is a plain Object, otherwise false
15280
15326
  */
15281
15327
  const isPlainObject$2 = val => {
15282
- if (kindOf(val) !== 'object') {
15328
+ if (!isObject(val)) {
15283
15329
  return false;
15284
15330
  }
15285
15331
  const prototype = getPrototypeOf$1(val);
15286
- return (prototype === null || prototype === Object.prototype || Object.getPrototypeOf(prototype) === null) && !(toStringTag$1 in val) && !(iterator in val);
15332
+ return (prototype === null || prototype === Object.prototype || getPrototypeOf$1(prototype) === null) &&
15333
+ // Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
15334
+ // Symbol.iterator as evidence the value is a tagged/iterable type rather
15335
+ // than a plain object, while ignoring keys injected onto Object.prototype.
15336
+ !hasOwnInPrototypeChain(val, toStringTag$1) && !hasOwnInPrototypeChain(val, iterator);
15287
15337
  };
15288
15338
 
15289
15339
  /**
@@ -15783,11 +15833,6 @@ const toCamelCase = str => {
15783
15833
  return p1.toUpperCase() + p2;
15784
15834
  });
15785
15835
  };
15786
-
15787
- /* Creating a function that will check if an object has a property. */
15788
- const hasOwnProperty$3 = (({
15789
- hasOwnProperty
15790
- }) => (obj, prop) => hasOwnProperty.call(obj, prop))(Object.prototype);
15791
15836
  const {
15792
15837
  propertyIsEnumerable: propertyIsEnumerable$1
15793
15838
  } = Object.prototype;
@@ -15965,6 +16010,19 @@ const asap = typeof queueMicrotask !== 'undefined' ? queueMicrotask.bind(_global
15965
16010
  // *********************
15966
16011
 
15967
16012
  const isIterable = thing => thing != null && isFunction$1(thing[iterator]);
16013
+
16014
+ /**
16015
+ * Determine if a value is iterable via an iterator that is NOT sourced solely
16016
+ * from a polluted Object.prototype. Use this instead of `isIterable` whenever
16017
+ * the iterable comes from untrusted input (e.g. user-supplied header sources),
16018
+ * so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
16019
+ * into an attacker-controlled entries iterator.
16020
+ *
16021
+ * @param {*} thing The value to test
16022
+ *
16023
+ * @returns {boolean} True if value has a non-polluted iterator
16024
+ */
16025
+ const isSafeIterable = thing => thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
15968
16026
  var utils$1$1 = {
15969
16027
  isArray: isArray$7,
15970
16028
  isArrayBuffer,
@@ -16010,6 +16068,8 @@ var utils$1$1 = {
16010
16068
  hasOwnProperty: hasOwnProperty$3,
16011
16069
  hasOwnProp: hasOwnProperty$3,
16012
16070
  // an alias to avoid ESLint no-prototype-builtins detection
16071
+ hasOwnInPrototypeChain,
16072
+ getSafeProp,
16013
16073
  reduceDescriptors,
16014
16074
  freezeMethods,
16015
16075
  toObjectSet,
@@ -16025,7 +16085,8 @@ var utils$1$1 = {
16025
16085
  isThenable,
16026
16086
  setImmediate: _setImmediate,
16027
16087
  asap,
16028
- isIterable
16088
+ isIterable,
16089
+ isSafeIterable
16029
16090
  };
16030
16091
 
16031
16092
  // RawAxiosHeaders whose duplicates are ignored by node
@@ -16185,15 +16246,21 @@ class AxiosHeaders {
16185
16246
  setHeaders(header, valueOrRewrite);
16186
16247
  } else if (utils$1$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) {
16187
16248
  setHeaders(parseHeaders(header), valueOrRewrite);
16188
- } else if (utils$1$1.isObject(header) && utils$1$1.isIterable(header)) {
16189
- let obj = {},
16249
+ } else if (utils$1$1.isObject(header) && utils$1$1.isSafeIterable(header)) {
16250
+ let obj = Object.create(null),
16190
16251
  dest,
16191
16252
  key;
16192
16253
  for (const entry of header) {
16193
16254
  if (!utils$1$1.isArray(entry)) {
16194
16255
  throw new TypeError('Object iterator must return a key-value pair');
16195
16256
  }
16196
- obj[key = entry[0]] = (dest = obj[key]) ? utils$1$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]] : entry[1];
16257
+ key = entry[0];
16258
+ if (utils$1$1.hasOwnProp(obj, key)) {
16259
+ dest = obj[key];
16260
+ obj[key] = utils$1$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]];
16261
+ } else {
16262
+ obj[key] = entry[1];
16263
+ }
16197
16264
  }
16198
16265
  setHeaders(obj, valueOrRewrite);
16199
16266
  } else {
@@ -16404,7 +16471,19 @@ function redactConfig(config, redactKeys) {
16404
16471
  class AxiosError extends Error {
16405
16472
  static from(error, code, config, request, response, customProps) {
16406
16473
  const axiosError = new AxiosError(error.message, code || error.code, config, request, response);
16407
- axiosError.cause = error;
16474
+ // Match native `Error` `cause` semantics: non-enumerable. The wrapped
16475
+ // error often carries circular internals (sockets, requests, agents), so
16476
+ // an enumerable `cause` makes structured loggers (pino/winston) and any
16477
+ // own-property walk throw "Converting circular structure to JSON".
16478
+ // Regression from #6982; see #7205. `__proto__: null` mirrors the
16479
+ // `message` descriptor below (prototype-pollution-safe descriptor).
16480
+ Object.defineProperty(axiosError, 'cause', {
16481
+ __proto__: null,
16482
+ value: error,
16483
+ writable: true,
16484
+ enumerable: false,
16485
+ configurable: true
16486
+ });
16408
16487
  axiosError.name = error.name;
16409
16488
 
16410
16489
  // Preserve status from the original error if not already set from response
@@ -16495,6 +16574,10 @@ AxiosError.ERR_NOT_SUPPORT = 'ERR_NOT_SUPPORT';
16495
16574
  AxiosError.ERR_INVALID_URL = 'ERR_INVALID_URL';
16496
16575
  AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED';
16497
16576
 
16577
+ // Default nesting limit shared with the inverse transform (formDataToJSON) so
16578
+ // the FormData <-> JSON round-trip stays symmetric.
16579
+ const DEFAULT_FORM_DATA_MAX_DEPTH = 100;
16580
+
16498
16581
  /**
16499
16582
  * Determines if the given thing is a array or js object.
16500
16583
  *
@@ -16595,8 +16678,9 @@ function toFormData(obj, formData, options) {
16595
16678
  const dots = options.dots;
16596
16679
  const indexes = options.indexes;
16597
16680
  const _Blob = options.Blob || typeof Blob !== 'undefined' && Blob;
16598
- const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
16681
+ const maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
16599
16682
  const useBlob = _Blob && utils$1$1.isSpecCompliantForm(formData);
16683
+ const stack = [];
16600
16684
  if (!utils$1$1.isFunction(visitor)) {
16601
16685
  throw new TypeError('visitor must be a function');
16602
16686
  }
@@ -16612,10 +16696,38 @@ function toFormData(obj, formData, options) {
16612
16696
  throw new AxiosError('Blob is not supported. Use a Buffer instead.');
16613
16697
  }
16614
16698
  if (utils$1$1.isArrayBuffer(value) || utils$1$1.isTypedArray(value)) {
16615
- return useBlob && typeof Blob === 'function' ? new Blob([value]) : Buffer.from(value);
16699
+ if (useBlob && typeof _Blob === 'function') {
16700
+ return new _Blob([value]);
16701
+ }
16702
+ if (typeof Buffer !== 'undefined') {
16703
+ return Buffer.from(value);
16704
+ }
16705
+ throw new AxiosError('Blob is not supported. Use a Buffer instead.', AxiosError.ERR_NOT_SUPPORT);
16616
16706
  }
16617
16707
  return value;
16618
16708
  }
16709
+ function throwIfMaxDepthExceeded(depth) {
16710
+ if (depth > maxDepth) {
16711
+ throw new AxiosError('Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
16712
+ }
16713
+ }
16714
+ function stringifyWithDepthLimit(value, depth) {
16715
+ if (maxDepth === Infinity) {
16716
+ return JSON.stringify(value);
16717
+ }
16718
+ const ancestors = [];
16719
+ return JSON.stringify(value, function limitDepth(_key, currentValue) {
16720
+ if (!utils$1$1.isObject(currentValue)) {
16721
+ return currentValue;
16722
+ }
16723
+ while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
16724
+ ancestors.pop();
16725
+ }
16726
+ ancestors.push(currentValue);
16727
+ throwIfMaxDepthExceeded(depth + ancestors.length - 1);
16728
+ return currentValue;
16729
+ });
16730
+ }
16619
16731
 
16620
16732
  /**
16621
16733
  * Default visitor.
@@ -16638,7 +16750,7 @@ function toFormData(obj, formData, options) {
16638
16750
  // eslint-disable-next-line no-param-reassign
16639
16751
  key = metaTokens ? key : key.slice(0, -2);
16640
16752
  // eslint-disable-next-line no-param-reassign
16641
- value = JSON.stringify(value);
16753
+ value = stringifyWithDepthLimit(value, 1);
16642
16754
  } else if (utils$1$1.isArray(value) && isFlatArray(value) || (utils$1$1.isFileList(value) || utils$1$1.endsWith(key, '[]')) && (arr = utils$1$1.toArray(value))) {
16643
16755
  // eslint-disable-next-line no-param-reassign
16644
16756
  key = removeBrackets(key);
@@ -16656,7 +16768,6 @@ function toFormData(obj, formData, options) {
16656
16768
  formData.append(renderKey(path, key, dots), convertValue(value));
16657
16769
  return false;
16658
16770
  }
16659
- const stack = [];
16660
16771
  const exposedHelpers = Object.assign(predicates, {
16661
16772
  defaultVisitor,
16662
16773
  convertValue,
@@ -16664,9 +16775,7 @@ function toFormData(obj, formData, options) {
16664
16775
  });
16665
16776
  function build(value, path, depth = 0) {
16666
16777
  if (utils$1$1.isUndefined(value)) return;
16667
- if (depth > maxDepth) {
16668
- throw new AxiosError('Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
16669
- }
16778
+ throwIfMaxDepthExceeded(depth);
16670
16779
  if (stack.indexOf(value) !== -1) {
16671
16780
  throw new Error('Circular reference detected in ' + path.join('.'));
16672
16781
  }
@@ -16725,9 +16834,7 @@ prototype.append = function append(name, value) {
16725
16834
  this._pairs.push([name, value]);
16726
16835
  };
16727
16836
  prototype.toString = function toString(encoder) {
16728
- const _encode = encoder ? function (value) {
16729
- return encoder.call(this, value, encode$1);
16730
- } : encode$1;
16837
+ const _encode = encoder ? value => encoder.call(this, value, encode$1) : encode$1;
16731
16838
  return this._pairs.map(function each(pair) {
16732
16839
  return _encode(pair[0]) + '=' + _encode(pair[1]);
16733
16840
  }, '').join('&');
@@ -16758,11 +16865,16 @@ function buildURL(url, params, options) {
16758
16865
  if (!params) {
16759
16866
  return url;
16760
16867
  }
16761
- const _encode = options && options.encode || encode$2;
16868
+ url = url || '';
16762
16869
  const _options = utils$1$1.isFunction(options) ? {
16763
16870
  serialize: options
16764
16871
  } : options;
16765
- const serializeFn = _options && _options.serialize;
16872
+
16873
+ // Read serializer options pollution-safely: own properties and methods on a
16874
+ // class/template prototype are honored, but values injected onto a polluted
16875
+ // Object.prototype are ignored.
16876
+ const _encode = utils$1$1.getSafeProp(_options, 'encode') || encode$2;
16877
+ const serializeFn = utils$1$1.getSafeProp(_options, 'serialize');
16766
16878
  let serializedParams;
16767
16879
  if (serializeFn) {
16768
16880
  serializedParams = serializeFn(params, _options);
@@ -16849,7 +16961,8 @@ var transitionalDefaults = {
16849
16961
  forcedJSONParsing: true,
16850
16962
  clarifyTimeoutError: false,
16851
16963
  legacyInterceptorReqResOrdering: true,
16852
- advertiseZstdAcceptEncoding: false
16964
+ advertiseZstdAcceptEncoding: false,
16965
+ validateStatusUndefinedResolves: true
16853
16966
  };
16854
16967
  var URLSearchParams$1 = url.URLSearchParams;
16855
16968
  const ALPHA = 'abcdefghijklmnopqrstuvwxyz';
@@ -16939,6 +17052,12 @@ function toURLEncodedForm(data, options) {
16939
17052
  }
16940
17053
  }, options));
16941
17054
  }
17055
+ const MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
17056
+ function throwIfDepthExceeded(index) {
17057
+ if (index > MAX_DEPTH) {
17058
+ throw new AxiosError('FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
17059
+ }
17060
+ }
16942
17061
 
16943
17062
  /**
16944
17063
  * It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
@@ -16952,9 +17071,14 @@ function parsePropPath(name) {
16952
17071
  // foo.x.y.z
16953
17072
  // foo-x-y-z
16954
17073
  // foo x y z
16955
- return utils$1$1.matchAll(/\w+|\[(\w*)]/g, name).map(match => {
16956
- return match[0] === '[]' ? '' : match[1] || match[0];
16957
- });
17074
+ const path = [];
17075
+ const pattern = /\w+|\[(\w*)]/g;
17076
+ let match;
17077
+ while ((match = pattern.exec(name)) !== null) {
17078
+ throwIfDepthExceeded(path.length);
17079
+ path.push(match[0] === '[]' ? '' : match[1] || match[0]);
17080
+ }
17081
+ return path;
16958
17082
  }
16959
17083
 
16960
17084
  /**
@@ -16986,6 +17110,7 @@ function arrayToObject$1(arr) {
16986
17110
  */
16987
17111
  function formDataToJSON(formData) {
16988
17112
  function buildPath(path, value, target, index) {
17113
+ throwIfDepthExceeded(index);
16989
17114
  let name = path[index++];
16990
17115
  if (name === '__proto__') return true;
16991
17116
  const isNumericKey = Number.isFinite(+name);
@@ -17222,6 +17347,23 @@ function isAbsoluteURL(url) {
17222
17347
  function combineURLs(baseURL, relativeURL) {
17223
17348
  return relativeURL ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '') : baseURL;
17224
17349
  }
17350
+ const malformedHttpProtocol = /^https?:(?!\/\/)/i;
17351
+ const httpProtocolControlCharacters = /[\t\n\r]/g;
17352
+ function stripLeadingC0ControlOrSpace(url) {
17353
+ let i = 0;
17354
+ while (i < url.length && url.charCodeAt(i) <= 0x20) {
17355
+ i++;
17356
+ }
17357
+ return url.slice(i);
17358
+ }
17359
+ function normalizeURLForProtocolCheck(url) {
17360
+ return stripLeadingC0ControlOrSpace(url).replace(httpProtocolControlCharacters, '');
17361
+ }
17362
+ function assertValidHttpProtocolURL(url, config) {
17363
+ if (typeof url === 'string' && malformedHttpProtocol.test(normalizeURLForProtocolCheck(url))) {
17364
+ throw new AxiosError('Invalid URL: missing "//" after protocol', AxiosError.ERR_INVALID_URL, config);
17365
+ }
17366
+ }
17225
17367
 
17226
17368
  /**
17227
17369
  * Creates a new URL by combining the baseURL with the requestedURL,
@@ -17233,9 +17375,11 @@ function combineURLs(baseURL, relativeURL) {
17233
17375
  *
17234
17376
  * @returns {string} The combined full path
17235
17377
  */
17236
- function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
17378
+ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls, config) {
17379
+ assertValidHttpProtocolURL(requestedURL, config);
17237
17380
  let isRelativeUrl = !isAbsoluteURL(requestedURL);
17238
17381
  if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) {
17382
+ assertValidHttpProtocolURL(baseURL, config);
17239
17383
  return combineURLs(baseURL, requestedURL);
17240
17384
  }
17241
17385
  return requestedURL;
@@ -17335,7 +17479,7 @@ function shouldProxy(hostname, port) {
17335
17479
  function getEnv(key) {
17336
17480
  return process.env[key.toLowerCase()] || process.env[key.toUpperCase()] || '';
17337
17481
  }
17338
- const VERSION = "1.17.0";
17482
+ const VERSION = "1.18.1";
17339
17483
  function parseProtocol(url) {
17340
17484
  const match = /^([-+\w]{1,25}):(?:\/\/)?/.exec(url);
17341
17485
  return match && match[1] || '';
@@ -17374,13 +17518,13 @@ function fromDataURI(uri, asBlob, options) {
17374
17518
 
17375
17519
  // RFC 2397 section 3: default mediatype is text/plain;charset=US-ASCII
17376
17520
  // Bare `data:,` leaves mime undefined; Blob normalises that to "" per spec.
17377
- let mime;
17521
+ let mime = '';
17378
17522
  if (type) {
17379
17523
  mime = params ? type + params : type;
17380
17524
  } else if (params) {
17381
17525
  mime = 'text/plain' + params;
17382
17526
  }
17383
- const buffer = Buffer.from(decodeURIComponent(body), encoding);
17527
+ const buffer = encoding === 'base64' ? Buffer.from(body, 'base64') : Buffer.from(decodeURIComponent(body), encoding);
17384
17528
  if (asBlob) {
17385
17529
  if (!_Blob) {
17386
17530
  throw new AxiosError('Blob is not supported', AxiosError.ERR_NOT_SUPPORT);
@@ -17718,13 +17862,34 @@ const callbackify = (fn, reducer) => {
17718
17862
  }, cb);
17719
17863
  } : fn;
17720
17864
  };
17721
- const LOOPBACK_HOSTNAMES = new Set(['localhost']);
17865
+ const LOOPBACK_HOSTNAMES = new Set(['localhost', '0.0.0.0']);
17722
17866
  const isIPv4Loopback = host => {
17723
17867
  const parts = host.split('.');
17724
17868
  if (parts.length !== 4) return false;
17725
17869
  if (parts[0] !== '127') return false;
17726
17870
  return parts.every(p => /^\d+$/.test(p) && Number(p) >= 0 && Number(p) <= 255);
17727
17871
  };
17872
+ const isIPv6ZeroGroup = group => /^0{1,4}$/.test(group);
17873
+
17874
+ // The unspecified address (IPv4 0.0.0.0 / IPv6 ::) resolves to the local host
17875
+ // for outbound connections, so treat it as loopback-equivalent for NO_PROXY
17876
+ // matching. 0.0.0.0 is covered by LOOPBACK_HOSTNAMES; this handles compressed
17877
+ // and full IPv6 all-zero forms so both families bypass symmetrically.
17878
+ const isIPv6Unspecified = host => {
17879
+ if (host === '::') return true;
17880
+ const compressionIndex = host.indexOf('::');
17881
+ if (compressionIndex !== -1) {
17882
+ if (compressionIndex !== host.lastIndexOf('::')) return false;
17883
+ const left = host.slice(0, compressionIndex);
17884
+ const right = host.slice(compressionIndex + 2);
17885
+ const leftGroups = left ? left.split(':') : [];
17886
+ const rightGroups = right ? right.split(':') : [];
17887
+ const explicitGroups = leftGroups.length + rightGroups.length;
17888
+ return explicitGroups < 8 && leftGroups.every(isIPv6ZeroGroup) && rightGroups.every(isIPv6ZeroGroup);
17889
+ }
17890
+ const groups = host.split(':');
17891
+ return groups.length === 8 && groups.every(isIPv6ZeroGroup);
17892
+ };
17728
17893
  const isIPv6Loopback = host => {
17729
17894
  // Collapse all-zero groups: any form of ::1 / 0:0:...:0:1
17730
17895
  // First, strip any leading "::" by normalising with Set lookup of common forms,
@@ -17757,6 +17922,7 @@ const isLoopback = host => {
17757
17922
  if (!host) return false;
17758
17923
  if (LOOPBACK_HOSTNAMES.has(host)) return true;
17759
17924
  if (isIPv4Loopback(host)) return true;
17925
+ if (isIPv6Unspecified(host)) return true;
17760
17926
  return isIPv6Loopback(host);
17761
17927
  };
17762
17928
  const DEFAULT_PORTS = {
@@ -17975,11 +18141,13 @@ const asyncDecorator = fn => (...args) => utils$1$1.asap(() => fn(...args));
17975
18141
  * Estimate decoded byte length of a data:// URL *without* allocating large buffers.
17976
18142
  * - For base64: compute exact decoded size using length and padding;
17977
18143
  * handle %XX at the character-count level (no string allocation).
17978
- * - For non-base64: use UTF-8 byteLength of the encoded body as a safe upper bound.
18144
+ * - For non-base64: compute the exact percent-decoded UTF-8 byte length.
17979
18145
  *
17980
18146
  * @param {string} url
17981
18147
  * @returns {number}
17982
18148
  */
18149
+ const isHexDigit = charCode => charCode >= 48 && charCode <= 57 || charCode >= 65 && charCode <= 70 || charCode >= 97 && charCode <= 102;
18150
+ const isPercentEncodedByte = (str, i, len) => i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
17983
18151
  function estimateDataURLDecodedBytes(url) {
17984
18152
  if (!url || typeof url !== 'string') return 0;
17985
18153
  if (!url.startsWith('data:')) return 0;
@@ -17996,7 +18164,7 @@ function estimateDataURLDecodedBytes(url) {
17996
18164
  if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
17997
18165
  const a = body.charCodeAt(i + 1);
17998
18166
  const b = body.charCodeAt(i + 2);
17999
- const isHex = (a >= 48 && a <= 57 || a >= 65 && a <= 70 || a >= 97 && a <= 102) && (b >= 48 && b <= 57 || b >= 65 && b <= 70 || b >= 97 && b <= 102);
18167
+ const isHex = isHexDigit(a) && isHexDigit(b);
18000
18168
  if (isHex) {
18001
18169
  effectiveLen -= 2;
18002
18170
  i += 2;
@@ -18031,18 +18199,18 @@ function estimateDataURLDecodedBytes(url) {
18031
18199
  const bytes = groups * 3 - (pad || 0);
18032
18200
  return bytes > 0 ? bytes : 0;
18033
18201
  }
18034
- if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
18035
- return Buffer.byteLength(body, 'utf8');
18036
- }
18037
18202
 
18038
18203
  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
18039
18204
  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
18040
- // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
18041
- // but 3 UTF-8 bytes).
18205
+ // Valid %XX triplets count as one decoded byte; this matches the bytes that
18206
+ // decodeURIComponent(body) would produce before Buffer re-encodes the string.
18042
18207
  let bytes = 0;
18043
18208
  for (let i = 0, len = body.length; i < len; i++) {
18044
18209
  const c = body.charCodeAt(i);
18045
- if (c < 0x80) {
18210
+ if (c === 37 /* '%' */ && isPercentEncodedByte(body, i, len)) {
18211
+ bytes += 1;
18212
+ i += 2;
18213
+ } else if (c < 0x80) {
18046
18214
  bytes += 1;
18047
18215
  } else if (c < 0x800) {
18048
18216
  bytes += 2;
@@ -18110,6 +18278,36 @@ const kAxiosInstalledTunnel = Symbol('axios.http.installedTunnel');
18110
18278
  // so unbounded growth is not a concern in practice.
18111
18279
  const tunnelingAgentCache = new Map();
18112
18280
  const tunnelingAgentCacheUser = new WeakMap();
18281
+ // Minimum minor versions where Node's HTTP Agent supports native proxyEnv
18282
+ // handling. Checking the selected agent below also covers startup modes such
18283
+ // as NODE_OPTIONS=--use-env-proxy and --no-use-env-proxy precedence.
18284
+ const NODE_NATIVE_ENV_PROXY_SUPPORT = {
18285
+ 22: 21,
18286
+ 24: 5
18287
+ };
18288
+ function isNodeNativeEnvProxySupported(nodeVersion = process.versions && process.versions.node) {
18289
+ if (!nodeVersion) {
18290
+ return false;
18291
+ }
18292
+ const [major, minor] = nodeVersion.split('.').map(part => Number(part));
18293
+ if (!Number.isInteger(major) || !Number.isInteger(minor)) {
18294
+ return false;
18295
+ }
18296
+ if (major > 24) {
18297
+ return true;
18298
+ }
18299
+ return NODE_NATIVE_ENV_PROXY_SUPPORT[major] != null && minor >= NODE_NATIVE_ENV_PROXY_SUPPORT[major];
18300
+ }
18301
+ function isNodeEnvProxyEnabled(agent, nodeVersion = process.versions && process.versions.node) {
18302
+ if (!isNodeNativeEnvProxySupported(nodeVersion)) {
18303
+ return false;
18304
+ }
18305
+ const agentOptions = agent && agent.options;
18306
+ return Boolean(agentOptions && utils$1$1.hasOwnProp(agentOptions, 'proxyEnv') && agentOptions.proxyEnv != null);
18307
+ }
18308
+ function getProxyEnvAgent(options, configHttpAgent, configHttpsAgent) {
18309
+ return isHttps.test(options.protocol) ? configHttpsAgent || https.globalAgent : configHttpAgent || http.globalAgent;
18310
+ }
18113
18311
  function getTunnelingAgent(agentOptions, userHttpsAgent) {
18114
18312
  const key = agentOptions.protocol + '//' + agentOptions.hostname + ':' + (agentOptions.port || '') + '#' + (agentOptions.auth || '');
18115
18313
  const cache = userHttpsAgent ? tunnelingAgentCacheUser.get(userHttpsAgent) || tunnelingAgentCacheUser.set(userHttpsAgent, new Map()).get(userHttpsAgent) : tunnelingAgentCache;
@@ -18157,8 +18355,8 @@ const flushOnFinish = (stream, [throttled, flush]) => {
18157
18355
  const http2Sessions = new Http2Sessions();
18158
18356
 
18159
18357
  /**
18160
- * If the proxy, auth, or config beforeRedirects functions are defined, call them
18161
- * with the options object.
18358
+ * If the proxy, auth, sensitive header, or config beforeRedirects functions are defined,
18359
+ * call them with the options object.
18162
18360
  *
18163
18361
  * @param {Object<string, any>} options - The options object that was passed to the request.
18164
18362
  *
@@ -18171,10 +18369,34 @@ function dispatchBeforeRedirect(options, responseDetails, requestDetails) {
18171
18369
  if (options.beforeRedirects.auth) {
18172
18370
  options.beforeRedirects.auth(options);
18173
18371
  }
18372
+ if (options.beforeRedirects.sensitiveHeaders) {
18373
+ options.beforeRedirects.sensitiveHeaders(options, requestDetails);
18374
+ }
18174
18375
  if (options.beforeRedirects.config) {
18175
18376
  options.beforeRedirects.config(options, responseDetails, requestDetails);
18176
18377
  }
18177
18378
  }
18379
+ function stripMatchingHeaders(headers, sensitiveSet) {
18380
+ if (!headers) {
18381
+ return;
18382
+ }
18383
+ Object.keys(headers).forEach(header => {
18384
+ if (sensitiveSet.has(header.toLowerCase())) {
18385
+ delete headers[header];
18386
+ }
18387
+ });
18388
+ }
18389
+ function isSameOriginRedirect(redirectOptions, requestDetails) {
18390
+ if (!requestDetails) {
18391
+ return false;
18392
+ }
18393
+ try {
18394
+ return new URL(requestDetails.url).origin === new URL(redirectOptions.href).origin;
18395
+ } catch (e) {
18396
+ // If origin comparison fails, treat the redirect as unsafe.
18397
+ return false;
18398
+ }
18399
+ }
18178
18400
 
18179
18401
  /**
18180
18402
  * If the proxy or config afterRedirects functions are defined, call them with the options
@@ -18185,9 +18407,10 @@ function dispatchBeforeRedirect(options, responseDetails, requestDetails) {
18185
18407
  *
18186
18408
  * @returns {http.ClientRequestArgs}
18187
18409
  */
18188
- function setProxy(options, configProxy, location, isRedirect, configHttpsAgent) {
18410
+ function setProxy(options, configProxy, location, isRedirect, configHttpsAgent, configHttpAgent) {
18189
18411
  let proxy = configProxy;
18190
- if (!proxy && proxy !== false) {
18412
+ const proxyEnvAgent = getProxyEnvAgent(options, configHttpAgent, configHttpsAgent);
18413
+ if (!proxy && proxy !== false && !isNodeEnvProxyEnabled(proxyEnvAgent)) {
18191
18414
  const proxyUrl = getProxyForUrl(location);
18192
18415
  if (proxyUrl) {
18193
18416
  if (!shouldBypassProxy(location)) {
@@ -18278,7 +18501,7 @@ function setProxy(options, configProxy, location, isRedirect, configHttpsAgent)
18278
18501
  }
18279
18502
  const tunnelingAgent = getTunnelingAgent(agentOptions, configHttpsAgent);
18280
18503
  // Set both: `options.agent` is consumed by the native https.request path
18281
- // (config.maxRedirects === 0); `options.agents.https` is consumed by
18504
+ // (maxRedirects === 0); `options.agents.https` is consumed by
18282
18505
  // follow-redirects, which ignores `options.agent` when `options.agents`
18283
18506
  // is present.
18284
18507
  options.agent = tunnelingAgent;
@@ -18322,7 +18545,7 @@ function setProxy(options, configProxy, location, isRedirect, configHttpsAgent)
18322
18545
  options.beforeRedirects.proxy = function beforeRedirect(redirectOptions) {
18323
18546
  // Configure proxy for redirected request, passing the original config proxy to apply
18324
18547
  // the exact same logic as if the redirected request was performed by axios directly.
18325
- setProxy(redirectOptions, configProxy, redirectOptions.href, true, configHttpsAgent);
18548
+ setProxy(redirectOptions, configProxy, redirectOptions.href, true, configHttpsAgent, configHttpAgent);
18326
18549
  };
18327
18550
  }
18328
18551
  const isHttpAdapterSupported = typeof process !== 'undefined' && utils$1$1.kindOf(process) === 'process';
@@ -18405,7 +18628,12 @@ const http2Transport = {
18405
18628
  /*eslint consistent-return:0*/
18406
18629
  var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18407
18630
  return wrapAsync(async function dispatchHttpRequest(resolve, reject, onDone) {
18408
- const own = key => utils$1$1.hasOwnProp(config, key) ? config[key] : undefined;
18631
+ // Read config pollution-safely: own properties and members inherited from
18632
+ // a non-Object.prototype source (e.g. an Object.create(defaults) template)
18633
+ // are honored, but values injected onto a polluted Object.prototype are
18634
+ // ignored. All behavior-affecting reads in this adapter go through own()
18635
+ // so the protection boundary stays consistent.
18636
+ const own = key => utils$1$1.getSafeProp(config, key);
18409
18637
  const transitional = own('transitional') || transitionalDefaults;
18410
18638
  let data = own('data');
18411
18639
  let lookup = own('lookup');
@@ -18413,9 +18641,17 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18413
18641
  let httpVersion = own('httpVersion');
18414
18642
  if (httpVersion === undefined) httpVersion = 1;
18415
18643
  let http2Options = own('http2Options');
18644
+ const httpAgent = own('httpAgent');
18645
+ const httpsAgent = own('httpsAgent');
18646
+ const configProxy = own('proxy');
18416
18647
  const responseType = own('responseType');
18417
18648
  const responseEncoding = own('responseEncoding');
18418
- const method = config.method.toUpperCase();
18649
+ const socketPath = own('socketPath');
18650
+ const method = own('method').toUpperCase();
18651
+ const maxRedirects = own('maxRedirects');
18652
+ const maxBodyLength = own('maxBodyLength');
18653
+ const maxContentLength = own('maxContentLength');
18654
+ const decompress = own('decompress');
18419
18655
  let isDone;
18420
18656
  let rejected = false;
18421
18657
  let req;
@@ -18456,9 +18692,11 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18456
18692
  }
18457
18693
  }
18458
18694
  function createTimeoutError() {
18459
- let timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded';
18460
- if (config.timeoutErrorMessage) {
18461
- timeoutErrorMessage = config.timeoutErrorMessage;
18695
+ const configTimeout = own('timeout');
18696
+ let timeoutErrorMessage = configTimeout ? 'timeout of ' + configTimeout + 'ms exceeded' : 'timeout exceeded';
18697
+ const configTimeoutErrorMessage = own('timeoutErrorMessage');
18698
+ if (configTimeoutErrorMessage) {
18699
+ timeoutErrorMessage = configTimeoutErrorMessage;
18462
18700
  }
18463
18701
  return new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, req);
18464
18702
  }
@@ -18501,17 +18739,22 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18501
18739
  });
18502
18740
 
18503
18741
  // Parse url
18504
- const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
18505
- const parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined);
18742
+ const fullPath = buildFullPath(own('baseURL'), own('url'), own('allowAbsoluteUrls'), config);
18743
+ // Unix-socket requests (own socketPath) commonly pass a path-only url
18744
+ // like '/foo'; supply a synthetic base so new URL() can still parse it.
18745
+ // Use the own-property value (not config.socketPath) so a polluted
18746
+ // prototype cannot influence URL base selection.
18747
+ const urlBase = socketPath ? 'http://localhost' : platform.hasBrowserEnv ? platform.origin : undefined;
18748
+ const parsed = new URL(fullPath, urlBase);
18506
18749
  const protocol = parsed.protocol || supportedProtocols[0];
18507
18750
  if (protocol === 'data:') {
18508
18751
  // Apply the same semantics as HTTP: only enforce if a finite, non-negative cap is set.
18509
- if (config.maxContentLength > -1) {
18510
- // Use the exact string passed to fromDataURI (config.url); fall back to fullPath if needed.
18511
- const dataUrl = String(config.url || fullPath || '');
18752
+ if (maxContentLength > -1) {
18753
+ // Use the exact string passed to fromDataURI (the configured url); fall back to fullPath if needed.
18754
+ const dataUrl = String(own('url') || fullPath || '');
18512
18755
  const estimated = estimateDataURLDecodedBytes(dataUrl);
18513
- if (estimated > config.maxContentLength) {
18514
- return reject(new AxiosError('maxContentLength size of ' + config.maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config));
18756
+ if (estimated > maxContentLength) {
18757
+ return reject(new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config));
18515
18758
  }
18516
18759
  }
18517
18760
  let convertedData;
@@ -18524,7 +18767,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18524
18767
  });
18525
18768
  }
18526
18769
  try {
18527
- convertedData = fromDataURI(config.url, responseType === 'blob', {
18770
+ convertedData = fromDataURI(own('url'), responseType === 'blob', {
18528
18771
  Blob: config.env && config.env.Blob
18529
18772
  });
18530
18773
  } catch (err) {
@@ -18598,7 +18841,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18598
18841
 
18599
18842
  // Add Content-Length header if data exists
18600
18843
  headers.setContentLength(data.length, false);
18601
- if (config.maxBodyLength > -1 && data.length > config.maxBodyLength) {
18844
+ if (maxBodyLength > -1 && data.length > maxBodyLength) {
18602
18845
  return reject(new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config));
18603
18846
  }
18604
18847
  }
@@ -18625,8 +18868,8 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18625
18868
  let auth = undefined;
18626
18869
  const configAuth = own('auth');
18627
18870
  if (configAuth) {
18628
- const username = configAuth.username || '';
18629
- const password = configAuth.password || '';
18871
+ const username = utils$1$1.getSafeProp(configAuth, 'username') || '';
18872
+ const password = utils$1$1.getSafeProp(configAuth, 'password') || '';
18630
18873
  auth = username + ':' + password;
18631
18874
  }
18632
18875
  if (!auth && (parsed.username || parsed.password)) {
@@ -18637,13 +18880,12 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18637
18880
  auth && headers.delete('authorization');
18638
18881
  let path$1;
18639
18882
  try {
18640
- path$1 = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, '');
18883
+ path$1 = buildURL(parsed.pathname + parsed.search, own('params'), own('paramsSerializer')).replace(/^\?/, '');
18641
18884
  } catch (err) {
18642
- const customErr = new Error(err.message);
18643
- customErr.config = config;
18644
- customErr.url = config.url;
18645
- customErr.exists = true;
18646
- return reject(customErr);
18885
+ return reject(AxiosError.from(err, AxiosError.ERR_BAD_REQUEST, config, null, null, {
18886
+ url: own('url'),
18887
+ exists: true
18888
+ }));
18647
18889
  }
18648
18890
  headers.set('Accept-Encoding', utils$1$1.hasOwnProp(transitional, 'advertiseZstdAcceptEncoding') && transitional.advertiseZstdAcceptEncoding === true ? ACCEPT_ENCODING_WITH_ZSTD : ACCEPT_ENCODING, false);
18649
18891
 
@@ -18654,8 +18896,8 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18654
18896
  method: method,
18655
18897
  headers: toByteStringHeaderObject(headers),
18656
18898
  agents: {
18657
- http: config.httpAgent,
18658
- https: config.httpsAgent
18899
+ http: httpAgent,
18900
+ https: httpsAgent
18659
18901
  },
18660
18902
  auth,
18661
18903
  protocol,
@@ -18667,7 +18909,6 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18667
18909
 
18668
18910
  // cacheable-lookup integration hotfix
18669
18911
  !utils$1$1.isUndefined(lookup) && (options.lookup = lookup);
18670
- const socketPath = own('socketPath');
18671
18912
  if (socketPath) {
18672
18913
  if (typeof socketPath !== 'string') {
18673
18914
  return reject(new AxiosError('socketPath must be a string', AxiosError.ERR_BAD_OPTION_VALUE, config));
@@ -18685,15 +18926,20 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18685
18926
  } else {
18686
18927
  options.hostname = parsed.hostname.startsWith('[') ? parsed.hostname.slice(1, -1) : parsed.hostname;
18687
18928
  options.port = parsed.port;
18688
- setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path, false, config.httpsAgent);
18929
+ setProxy(options, configProxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path, false, httpsAgent, httpAgent);
18689
18930
  }
18690
18931
  let transport;
18691
18932
  let isNativeTransport = false;
18933
+ // True only for the follow-redirects transport, which applies
18934
+ // options.maxBodyLength itself. Every other transport (http2, native
18935
+ // http/https, a user-supplied custom transport) needs the explicit
18936
+ // byte-counting pipeline below to enforce maxBodyLength on streamed uploads.
18937
+ let transportEnforcesMaxBodyLength = false;
18692
18938
  const isHttpsRequest = isHttps.test(options.protocol);
18693
18939
  // Don't clobber a CONNECT-tunneling agent installed by setProxy() for an
18694
18940
  // HTTPS target.
18695
18941
  if (options.agent == null) {
18696
- options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent;
18942
+ options.agent = isHttpsRequest ? httpsAgent : httpAgent;
18697
18943
  }
18698
18944
  if (isHttp2) {
18699
18945
  transport = http2Transport;
@@ -18701,12 +18947,14 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18701
18947
  const configTransport = own('transport');
18702
18948
  if (configTransport) {
18703
18949
  transport = configTransport;
18704
- } else if (config.maxRedirects === 0) {
18950
+ } else if (maxRedirects === 0) {
18705
18951
  transport = isHttpsRequest ? https : http;
18706
18952
  isNativeTransport = true;
18707
18953
  } else {
18708
- if (config.maxRedirects) {
18709
- options.maxRedirects = config.maxRedirects;
18954
+ transportEnforcesMaxBodyLength = true;
18955
+ options.sensitiveHeaders = [];
18956
+ if (maxRedirects) {
18957
+ options.maxRedirects = maxRedirects;
18710
18958
  }
18711
18959
  const configBeforeRedirect = own('beforeRedirect');
18712
18960
  if (configBeforeRedirect) {
@@ -18729,13 +18977,37 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18729
18977
  }
18730
18978
  };
18731
18979
  }
18980
+ const sensitiveHeaders = own('sensitiveHeaders');
18981
+ if (sensitiveHeaders != null) {
18982
+ if (!utils$1$1.isArray(sensitiveHeaders)) {
18983
+ return reject(new AxiosError('sensitiveHeaders must be an array of strings', AxiosError.ERR_BAD_OPTION_VALUE, config));
18984
+ }
18985
+ const sensitiveSet = new Set();
18986
+ for (const header of sensitiveHeaders) {
18987
+ if (!utils$1$1.isString(header)) {
18988
+ return reject(new AxiosError('sensitiveHeaders must be an array of strings', AxiosError.ERR_BAD_OPTION_VALUE, config));
18989
+ }
18990
+ sensitiveSet.add(header.toLowerCase());
18991
+ }
18992
+ if (sensitiveSet.size) {
18993
+ options.sensitiveHeaders = Array.from(sensitiveSet);
18994
+ options.beforeRedirects.sensitiveHeaders = function beforeRedirectSensitiveHeaders(redirectOptions, requestDetails) {
18995
+ if (!isSameOriginRedirect(redirectOptions, requestDetails)) {
18996
+ stripMatchingHeaders(redirectOptions.headers, sensitiveSet);
18997
+ }
18998
+ };
18999
+ }
19000
+ }
18732
19001
  transport = isHttpsRequest ? httpsFollow : httpFollow;
18733
19002
  }
18734
19003
  }
18735
- if (config.maxBodyLength > -1) {
18736
- options.maxBodyLength = config.maxBodyLength;
19004
+
19005
+ // Set an explicit maxBodyLength option for transports that inspect it.
19006
+ // When maxBodyLength is -1 (default/unlimited), use Infinity so
19007
+ // follow-redirects does not fall back to its own 10MB default.
19008
+ if (maxBodyLength > -1) {
19009
+ options.maxBodyLength = maxBodyLength;
18737
19010
  } else {
18738
- // follow-redirects does not skip comparison, so it should always succeed for axios -1 unlimited
18739
19011
  options.maxBodyLength = Infinity;
18740
19012
  }
18741
19013
 
@@ -18765,7 +19037,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18765
19037
  const lastRequest = res.req || req;
18766
19038
 
18767
19039
  // if decompress disabled we should not decompress
18768
- if (config.decompress !== false && res.headers['content-encoding']) {
19040
+ if (decompress !== false && res.headers['content-encoding']) {
18769
19041
  // if no content, but headers still say that it is encoded,
18770
19042
  // remove the header not confuse downstream operations
18771
19043
  if (method === 'HEAD' || res.statusCode === 204) {
@@ -18817,8 +19089,8 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18817
19089
  if (responseType === 'stream') {
18818
19090
  // Enforce maxContentLength on streamed responses; previously this
18819
19091
  // was applied only to buffered responses.
18820
- if (config.maxContentLength > -1) {
18821
- const limit = config.maxContentLength;
19092
+ if (maxContentLength > -1) {
19093
+ const limit = maxContentLength;
18822
19094
  const source = responseStream;
18823
19095
  function enforceMaxContentLength() {
18824
19096
  return _enforceMaxContentLength.apply(this, arguments);
@@ -18871,11 +19143,11 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18871
19143
  totalResponseBytes += chunk.length;
18872
19144
 
18873
19145
  // make sure the content length is not over the maxContentLength if specified
18874
- if (config.maxContentLength > -1 && totalResponseBytes > config.maxContentLength) {
19146
+ if (maxContentLength > -1 && totalResponseBytes > maxContentLength) {
18875
19147
  // stream.destroy() emit aborted event before calling reject() on Node.js v16
18876
19148
  rejected = true;
18877
19149
  responseStream.destroy();
18878
- abort(new AxiosError('maxContentLength size of ' + config.maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, lastRequest));
19150
+ abort(new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, lastRequest));
18879
19151
  }
18880
19152
  });
18881
19153
  responseStream.on('aborted', function handlerStreamAborted() {
@@ -18938,7 +19210,11 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18938
19210
  const boundSockets = new Set();
18939
19211
  req.on('socket', function handleRequestSocket(socket) {
18940
19212
  // default interval of sending ack packet is 1 minute
18941
- socket.setKeepAlive(true, 1000 * 60);
19213
+ // proxy agents (e.g. agent-base) may return a generic Duplex stream
19214
+ // that doesn't have setKeepAlive, so guard before calling
19215
+ if (typeof socket.setKeepAlive === 'function') {
19216
+ socket.setKeepAlive(true, 1000 * 60);
19217
+ }
18942
19218
 
18943
19219
  // Install a single 'error' listener per socket (not per request) to avoid
18944
19220
  // accumulating listeners on pooled keep-alive sockets that get reassigned
@@ -18968,9 +19244,9 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
18968
19244
  });
18969
19245
 
18970
19246
  // Handle request timeout
18971
- if (config.timeout) {
19247
+ if (own('timeout')) {
18972
19248
  // This is forcing a int timeout to avoid problems if the `req` interface doesn't handle other types.
18973
- const timeout = parseInt(config.timeout, 10);
19249
+ const timeout = parseInt(own('timeout'), 10);
18974
19250
  if (Number.isNaN(timeout)) {
18975
19251
  abort(new AxiosError('error trying to parse `config.timeout` to int', AxiosError.ERR_BAD_OPTION_VALUE, config, req));
18976
19252
  return;
@@ -19014,12 +19290,13 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
19014
19290
  }
19015
19291
  });
19016
19292
 
19017
- // Enforce maxBodyLength for streamed uploads on the native http/https
19018
- // transport (maxRedirects === 0); follow-redirects enforces it on the
19019
- // other path.
19293
+ // Enforce maxBodyLength for streamed uploads on every transport that
19294
+ // does not apply options.maxBodyLength itself (native http/https, http2,
19295
+ // and user-supplied custom transports). The follow-redirects transport
19296
+ // enforces it on the redirected HTTP/1 path.
19020
19297
  let uploadStream = data;
19021
- if (config.maxBodyLength > -1 && config.maxRedirects === 0) {
19022
- const limit = config.maxBodyLength;
19298
+ if (maxBodyLength > -1 && !transportEnforcesMaxBodyLength) {
19299
+ const limit = maxBodyLength;
19023
19300
  let bytesSent = 0;
19024
19301
  uploadStream = stream.pipeline([data, new stream.Transform({
19025
19302
  transform(chunk, _enc, cb) {
@@ -19080,7 +19357,11 @@ var cookies = platform.hasStandardBrowserEnv ?
19080
19357
  const cookie = cookies[i].replace(/^\s+/, '');
19081
19358
  const eq = cookie.indexOf('=');
19082
19359
  if (eq !== -1 && cookie.slice(0, eq) === name) {
19083
- return decodeURIComponent(cookie.slice(eq + 1));
19360
+ try {
19361
+ return decodeURIComponent(cookie.slice(eq + 1));
19362
+ } catch (e) {
19363
+ return cookie.slice(eq + 1);
19364
+ }
19084
19365
  }
19085
19366
  }
19086
19367
  return null;
@@ -19110,6 +19391,7 @@ const headersToObject = thing => thing instanceof AxiosHeaders ? _objectSpread2(
19110
19391
  */
19111
19392
  function mergeConfig(config1, config2) {
19112
19393
  // eslint-disable-next-line no-param-reassign
19394
+ config1 = config1 || {};
19113
19395
  config2 = config2 || {};
19114
19396
 
19115
19397
  // Use a null-prototype object so that downstream reads such as `config.auth`
@@ -19161,6 +19443,23 @@ function mergeConfig(config1, config2) {
19161
19443
  return getMergedValue(undefined, a);
19162
19444
  }
19163
19445
  }
19446
+ function getMergedTransitionalOption(prop) {
19447
+ const transitional2 = utils$1$1.hasOwnProp(config2, 'transitional') ? config2.transitional : undefined;
19448
+ if (!utils$1$1.isUndefined(transitional2)) {
19449
+ if (utils$1$1.isPlainObject(transitional2)) {
19450
+ if (utils$1$1.hasOwnProp(transitional2, prop)) {
19451
+ return transitional2[prop];
19452
+ }
19453
+ } else {
19454
+ return undefined;
19455
+ }
19456
+ }
19457
+ const transitional1 = utils$1$1.hasOwnProp(config1, 'transitional') ? config1.transitional : undefined;
19458
+ if (utils$1$1.isPlainObject(transitional1) && utils$1$1.hasOwnProp(transitional1, prop)) {
19459
+ return transitional1[prop];
19460
+ }
19461
+ return undefined;
19462
+ }
19164
19463
 
19165
19464
  // eslint-disable-next-line consistent-return
19166
19465
  function mergeDirectKeys(a, b, prop) {
@@ -19210,6 +19509,13 @@ function mergeConfig(config1, config2) {
19210
19509
  const configValue = merge(a, b, prop);
19211
19510
  utils$1$1.isUndefined(configValue) && merge !== mergeDirectKeys || (config[prop] = configValue);
19212
19511
  });
19512
+ if (utils$1$1.hasOwnProp(config2, 'validateStatus') && utils$1$1.isUndefined(config2.validateStatus) && getMergedTransitionalOption('validateStatusUndefinedResolves') === false) {
19513
+ if (utils$1$1.hasOwnProp(config1, 'validateStatus')) {
19514
+ config.validateStatus = getMergedValue(undefined, config1.validateStatus);
19515
+ } else {
19516
+ delete config.validateStatus;
19517
+ }
19518
+ }
19213
19519
  return config;
19214
19520
  }
19215
19521
  const FORM_DATA_CONTENT_HEADERS = ['content-type', 'content-length'];
@@ -19218,7 +19524,7 @@ function setFormDataHeaders(headers, formHeaders, policy) {
19218
19524
  headers.set(formHeaders);
19219
19525
  return;
19220
19526
  }
19221
- Object.entries(formHeaders).forEach(([key, val]) => {
19527
+ Object.entries(formHeaders || {}).forEach(([key, val]) => {
19222
19528
  if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) {
19223
19529
  headers.set(key, val);
19224
19530
  }
@@ -19250,11 +19556,17 @@ function resolveConfig(config) {
19250
19556
  const allowAbsoluteUrls = own('allowAbsoluteUrls');
19251
19557
  const url = own('url');
19252
19558
  newConfig.headers = headers = AxiosHeaders.from(headers);
19253
- newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), own('params'), own('paramsSerializer'));
19559
+ newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig), own('params'), own('paramsSerializer'));
19254
19560
 
19255
19561
  // HTTP basic authentication
19256
19562
  if (auth) {
19257
- headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8$1(auth.password) : '')));
19563
+ const username = utils$1$1.getSafeProp(auth, 'username') || '';
19564
+ const password = utils$1$1.getSafeProp(auth, 'password') || '';
19565
+ try {
19566
+ headers.set('Authorization', 'Basic ' + btoa(username + ':' + (password ? encodeUTF8$1(password) : '')));
19567
+ } catch (e) {
19568
+ throw AxiosError.from(e, AxiosError.ERR_BAD_OPTION_VALUE, config);
19569
+ }
19258
19570
  }
19259
19571
  if (utils$1$1.isFormData(data)) {
19260
19572
  if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv || utils$1$1.isReactNative(data)) {
@@ -19454,6 +19766,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) {
19454
19766
  const protocol = parseProtocol(_config.url);
19455
19767
  if (protocol && !platform.protocols.includes(protocol)) {
19456
19768
  reject(new AxiosError('Unsupported protocol ' + protocol + ':', AxiosError.ERR_BAD_REQUEST, config));
19769
+ done();
19457
19770
  return;
19458
19771
  }
19459
19772
 
@@ -19491,7 +19804,9 @@ const composeSignals = (signals, timeout) => {
19491
19804
  });
19492
19805
  signals = null;
19493
19806
  };
19494
- signals.forEach(signal => signal.addEventListener('abort', onabort));
19807
+ signals.forEach(signal => signal.addEventListener('abort', onabort, {
19808
+ once: true
19809
+ }));
19495
19810
  const {
19496
19811
  signal
19497
19812
  } = controller;
@@ -19766,13 +20081,20 @@ const factory = env => {
19766
20081
  composedSignal.unsubscribe();
19767
20082
  });
19768
20083
  let requestContentLength;
20084
+
20085
+ // AxiosError we raise while the request body is being streamed. Captured
20086
+ // by identity so the catch block can surface it directly, regardless of
20087
+ // how the runtime wraps the resulting fetch rejection (undici exposes it
20088
+ // as `err.cause`; some browsers drop the original error entirely).
20089
+ let pendingBodyError = null;
20090
+ const maxBodyLengthError = () => new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, request);
19769
20091
  try {
19770
20092
  // HTTP basic authentication
19771
20093
  let auth = undefined;
19772
20094
  const configAuth = own('auth');
19773
20095
  if (configAuth) {
19774
- const username = configAuth.username || '';
19775
- const password = configAuth.password || '';
20096
+ const username = utils$1$1.getSafeProp(configAuth, 'username') || '';
20097
+ const password = utils$1$1.getSafeProp(configAuth, 'password') || '';
19776
20098
  auth = {
19777
20099
  username,
19778
20100
  password
@@ -19809,30 +20131,54 @@ const factory = env => {
19809
20131
  }
19810
20132
  }
19811
20133
 
19812
- // Enforce maxBodyLength against the outbound request body before dispatch.
19813
- // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than
19814
- // maxBodyLength limit'). Skip when the body length cannot be determined
19815
- // (e.g. a live ReadableStream supplied by the caller).
20134
+ // Enforce maxBodyLength against known-size bodies before dispatch using
20135
+ // the body's *actual* size never a caller-declared Content-Length,
20136
+ // which could under-report to slip an oversized body past the check.
20137
+ // Unknown-size streams return undefined here and are counted per-chunk
20138
+ // below as fetch consumes them.
19816
20139
  if (hasMaxBodyLength && method !== 'get' && method !== 'head') {
19817
- const outboundLength = await resolveBodyLength(headers, data);
19818
- if (typeof outboundLength === 'number' && isFinite(outboundLength) && outboundLength > maxBodyLength) {
19819
- throw new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, request);
20140
+ const outboundLength = await getBodyLength(data);
20141
+ if (typeof outboundLength === 'number' && isFinite(outboundLength)) {
20142
+ requestContentLength = outboundLength;
20143
+ if (outboundLength > maxBodyLength) {
20144
+ throw maxBodyLengthError();
20145
+ }
19820
20146
  }
19821
20147
  }
19822
- if (onUploadProgress && supportsRequestStream && method !== 'get' && method !== 'head' && (requestContentLength = await resolveBodyLength(headers, data)) !== 0) {
19823
- let _request = new Request(url, {
19824
- method: 'POST',
19825
- body: data,
19826
- duplex: 'half'
19827
- });
19828
- let contentTypeHeader;
19829
- if (utils$1$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
19830
- headers.setContentType(contentTypeHeader);
20148
+
20149
+ // A streamed body under maxBodyLength must be counted as fetch consumes
20150
+ // it; its size is never trusted from a caller-declared Content-Length.
20151
+ const mustEnforceStreamBody = hasMaxBodyLength && (utils$1$1.isReadableStream(data) || utils$1$1.isStream(data));
20152
+ const trackRequestStream = (stream, onProgress, flush) => trackStream(stream, DEFAULT_CHUNK_SIZE, loadedBytes => {
20153
+ if (hasMaxBodyLength && loadedBytes > maxBodyLength) {
20154
+ throw pendingBodyError = maxBodyLengthError();
19831
20155
  }
19832
- if (_request.body) {
19833
- const [onProgress, flush] = progressEventDecorator(requestContentLength, progressEventReducer(asyncDecorator(onUploadProgress)));
19834
- data = trackStream(_request.body, DEFAULT_CHUNK_SIZE, onProgress, flush);
20156
+ onProgress && onProgress(loadedBytes);
20157
+ }, flush);
20158
+ if (supportsRequestStream && method !== 'get' && method !== 'head' && (onUploadProgress || mustEnforceStreamBody)) {
20159
+ requestContentLength = requestContentLength == null ? await resolveBodyLength(headers, data) : requestContentLength;
20160
+
20161
+ // A declared length of 0 is only trusted to skip the wrap when we are
20162
+ // not enforcing a stream limit (which must not rely on that header).
20163
+ if (requestContentLength !== 0 || mustEnforceStreamBody) {
20164
+ let _request = new Request(url, {
20165
+ method: 'POST',
20166
+ body: data,
20167
+ duplex: 'half'
20168
+ });
20169
+ let contentTypeHeader;
20170
+ if (utils$1$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
20171
+ headers.setContentType(contentTypeHeader);
20172
+ }
20173
+ if (_request.body) {
20174
+ const [onProgress, flush] = onUploadProgress && progressEventDecorator(requestContentLength, progressEventReducer(asyncDecorator(onUploadProgress))) || [];
20175
+ data = trackRequestStream(_request.body, onProgress, flush);
20176
+ }
19835
20177
  }
20178
+ } else if (mustEnforceStreamBody && !isRequestSupported && isReadableStreamSupported && method !== 'get' && method !== 'head') {
20179
+ data = trackRequestStream(data);
20180
+ } else if (mustEnforceStreamBody && isRequestSupported && !supportsRequestStream && method !== 'get' && method !== 'head') {
20181
+ throw new AxiosError('Stream request bodies are not supported by the current fetch implementation', AxiosError.ERR_NOT_SUPPORT, config, request);
19836
20182
  }
19837
20183
  if (!utils$1$1.isString(withCredentials)) {
19838
20184
  withCredentials = withCredentials ? 'include' : 'omit';
@@ -19863,11 +20209,12 @@ const factory = env => {
19863
20209
  });
19864
20210
  request = isRequestSupported && new Request(url, resolvedOptions);
19865
20211
  let response = await (isRequestSupported ? _fetch(request, fetchOptions) : _fetch(url, resolvedOptions));
20212
+ const responseHeaders = AxiosHeaders.from(response.headers);
19866
20213
 
19867
20214
  // Cheap pre-check: if the server honestly declares a content-length that
19868
20215
  // already exceeds the cap, reject before we start streaming.
19869
20216
  if (hasMaxContentLength) {
19870
- const declaredLength = utils$1$1.toFiniteNumber(response.headers.get('content-length'));
20217
+ const declaredLength = utils$1$1.toFiniteNumber(responseHeaders.getContentLength());
19871
20218
  if (declaredLength != null && declaredLength > maxContentLength) {
19872
20219
  throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request);
19873
20220
  }
@@ -19878,7 +20225,7 @@ const factory = env => {
19878
20225
  ['status', 'statusText', 'headers'].forEach(prop => {
19879
20226
  options[prop] = response[prop];
19880
20227
  });
19881
- const responseContentLength = utils$1$1.toFiniteNumber(response.headers.get('content-length'));
20228
+ const responseContentLength = utils$1$1.toFiniteNumber(responseHeaders.getContentLength());
19882
20229
  const [onProgress, flush] = onDownloadProgress && progressEventDecorator(responseContentLength, progressEventReducer(asyncDecorator(onDownloadProgress), true)) || [];
19883
20230
  let bytesRead = 0;
19884
20231
  const onChunkProgress = loadedBytes => {
@@ -19937,13 +20284,48 @@ const factory = env => {
19937
20284
  const canceledError = composedSignal.reason;
19938
20285
  canceledError.config = config;
19939
20286
  request && (canceledError.request = request);
19940
- err !== canceledError && (canceledError.cause = err);
20287
+ if (err !== canceledError) {
20288
+ // Non-enumerable to match native Error `cause` semantics so loggers
20289
+ // don't recurse into circular fetch internals (see #7205).
20290
+ Object.defineProperty(canceledError, 'cause', {
20291
+ __proto__: null,
20292
+ value: err,
20293
+ writable: true,
20294
+ enumerable: false,
20295
+ configurable: true
20296
+ });
20297
+ }
19941
20298
  throw canceledError;
19942
20299
  }
20300
+
20301
+ // Surface a maxBodyLength violation we raised while the request body was
20302
+ // being streamed. Matching by identity (rather than reading
20303
+ // `err.cause.isAxiosError`) keeps the error deterministic across runtimes
20304
+ // and avoids both prototype-pollution reads and mis-attributing a foreign
20305
+ // AxiosError that merely happened to land in `err.cause`.
20306
+ if (pendingBodyError) {
20307
+ request && !pendingBodyError.request && (pendingBodyError.request = request);
20308
+ throw pendingBodyError;
20309
+ }
20310
+
20311
+ // Re-throw AxiosErrors we raised synchronously (data: URL / content-length
20312
+ // pre-checks, response size enforcement) without re-wrapping them.
20313
+ if (err instanceof AxiosError) {
20314
+ request && !err.request && (err.request = request);
20315
+ throw err;
20316
+ }
19943
20317
  if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) {
19944
- throw Object.assign(new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, err && err.response), {
19945
- cause: err.cause || err
20318
+ const networkError = new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, err && err.response);
20319
+ // Non-enumerable to match native Error `cause` semantics so loggers
20320
+ // don't recurse into circular fetch internals (see #7205).
20321
+ Object.defineProperty(networkError, 'cause', {
20322
+ __proto__: null,
20323
+ value: err.cause || err,
20324
+ writable: true,
20325
+ enumerable: false,
20326
+ configurable: true
19946
20327
  });
20328
+ throw networkError;
19947
20329
  }
19948
20330
  throw AxiosError.from(err, err && err.code, config, request, err && err.response);
19949
20331
  }
@@ -20062,7 +20444,7 @@ function getAdapter(adapters, config) {
20062
20444
  if (!adapter) {
20063
20445
  const reasons = Object.entries(rejectedReasons).map(([id, state]) => `adapter ${id} ` + (state === false ? 'is not supported by the environment' : 'is not available in the build'));
20064
20446
  let s = length ? reasons.length > 1 ? 'since :\n' + reasons.map(renderReason).join('\n') : ' ' + renderReason(reasons[0]) : 'as no adapter specified';
20065
- throw new AxiosError(`There is no suitable adapter to dispatch the request ` + s, 'ERR_NOT_SUPPORT');
20447
+ throw new AxiosError(`There is no suitable adapter to dispatch the request ` + s, AxiosError.ERR_NOT_SUPPORT);
20066
20448
  }
20067
20449
  return adapter;
20068
20450
  }
@@ -20204,7 +20586,7 @@ validators$1.spelling = function spelling(correctSpelling) {
20204
20586
  */
20205
20587
 
20206
20588
  function assertOptions(options, schema, allowUnknown) {
20207
- if (typeof options !== 'object') {
20589
+ if (typeof options !== 'object' || options === null) {
20208
20590
  throw new AxiosError('options must be an object', AxiosError.ERR_BAD_OPTION_VALUE);
20209
20591
  }
20210
20592
  const keys = Object.keys(options);
@@ -20313,7 +20695,8 @@ class Axios {
20313
20695
  forcedJSONParsing: validators.transitional(validators.boolean),
20314
20696
  clarifyTimeoutError: validators.transitional(validators.boolean),
20315
20697
  legacyInterceptorReqResOrdering: validators.transitional(validators.boolean),
20316
- advertiseZstdAcceptEncoding: validators.transitional(validators.boolean)
20698
+ advertiseZstdAcceptEncoding: validators.transitional(validators.boolean),
20699
+ validateStatusUndefinedResolves: validators.transitional(validators.boolean)
20317
20700
  }, false);
20318
20701
  }
20319
20702
  if (paramsSerializer != null) {
@@ -20410,7 +20793,7 @@ class Axios {
20410
20793
  }
20411
20794
  getUri(config) {
20412
20795
  config = mergeConfig(this.defaults, config);
20413
- const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
20796
+ const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls, config);
20414
20797
  return buildURL(fullPath, config.params, config.paramsSerializer);
20415
20798
  }
20416
20799
  }
@@ -20422,7 +20805,7 @@ utils$1$1.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNo
20422
20805
  return this.request(mergeConfig(config || {}, {
20423
20806
  method,
20424
20807
  url,
20425
- data: (config || {}).data
20808
+ data: config && utils$1$1.hasOwnProp(config, 'data') ? config.data : undefined
20426
20809
  }));
20427
20810
  };
20428
20811
  });
@@ -24420,9 +24803,9 @@ var resolveResponse = function resolveResponse(response, options) {
24420
24803
 
24421
24804
  var stringify = {exports: {}};
24422
24805
 
24423
- (function (module, exports$1) {
24424
- exports$1 = module.exports = stringify;
24425
- exports$1.getSerialize = serializer;
24806
+ (function (module, exports) {
24807
+ exports = module.exports = stringify;
24808
+ exports.getSerialize = serializer;
24426
24809
  function stringify(obj, replacer, spaces, cycleReplacer) {
24427
24810
  return JSON.stringify(obj, serializer(replacer, cycleReplacer), spaces);
24428
24811
  }