reflex-search 1.5.1 → 1.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (58) hide show
  1. package/node_modules/.package-lock.json +15 -15
  2. package/node_modules/axios/CHANGELOG.md +126 -1
  3. package/node_modules/axios/README.md +390 -257
  4. package/node_modules/axios/dist/axios.js +511 -154
  5. package/node_modules/axios/dist/axios.min.js +3 -3
  6. package/node_modules/axios/dist/axios.min.js.map +1 -1
  7. package/node_modules/axios/dist/browser/axios.cjs +537 -124
  8. package/node_modules/axios/dist/esm/axios.js +537 -124
  9. package/node_modules/axios/dist/esm/axios.min.js +2 -2
  10. package/node_modules/axios/dist/esm/axios.min.js.map +1 -1
  11. package/node_modules/axios/dist/node/axios.cjs +753 -226
  12. package/node_modules/axios/index.d.cts +27 -4
  13. package/node_modules/axios/index.d.ts +23 -2
  14. package/node_modules/axios/lib/adapters/adapters.js +1 -1
  15. package/node_modules/axios/lib/adapters/fetch.js +217 -47
  16. package/node_modules/axios/lib/adapters/http.js +274 -169
  17. package/node_modules/axios/lib/adapters/xhr.js +1 -0
  18. package/node_modules/axios/lib/core/Axios.js +4 -2
  19. package/node_modules/axios/lib/core/AxiosError.js +13 -1
  20. package/node_modules/axios/lib/core/AxiosHeaders.js +12 -9
  21. package/node_modules/axios/lib/core/buildFullPath.js +29 -1
  22. package/node_modules/axios/lib/core/mergeConfig.js +35 -0
  23. package/node_modules/axios/lib/defaults/transitional.js +2 -0
  24. package/node_modules/axios/lib/env/data.js +1 -1
  25. package/node_modules/axios/lib/helpers/AxiosURLSearchParams.js +1 -3
  26. package/node_modules/axios/lib/helpers/Http2Sessions.js +119 -0
  27. package/node_modules/axios/lib/helpers/buildURL.js +7 -4
  28. package/node_modules/axios/lib/helpers/composeSignals.js +1 -1
  29. package/node_modules/axios/lib/helpers/cookies.js +5 -1
  30. package/node_modules/axios/lib/helpers/estimateDataURLDecodedBytes.js +16 -11
  31. package/node_modules/axios/lib/helpers/formDataToJSON.js +25 -3
  32. package/node_modules/axios/lib/helpers/formDataToStream.js +2 -2
  33. package/node_modules/axios/lib/helpers/fromDataURI.js +4 -2
  34. package/node_modules/axios/lib/helpers/resolveConfig.js +26 -13
  35. package/node_modules/axios/lib/helpers/shouldBypassProxy.js +33 -1
  36. package/node_modules/axios/lib/helpers/toFormData.js +48 -12
  37. package/node_modules/axios/lib/helpers/validator.js +1 -1
  38. package/node_modules/axios/lib/utils.js +97 -12
  39. package/node_modules/axios/package.json +29 -13
  40. package/node_modules/brace-expansion/dist/commonjs/index.js +24 -14
  41. package/node_modules/brace-expansion/dist/commonjs/index.js.map +1 -1
  42. package/node_modules/brace-expansion/dist/esm/index.js +24 -14
  43. package/node_modules/brace-expansion/dist/esm/index.js.map +1 -1
  44. package/node_modules/brace-expansion/package.json +2 -2
  45. package/node_modules/form-data/CHANGELOG.md +29 -2
  46. package/node_modules/form-data/README.md +4 -4
  47. package/node_modules/form-data/lib/form_data.js +14 -2
  48. package/node_modules/form-data/package.json +7 -7
  49. package/node_modules/hasown/CHANGELOG.md +18 -0
  50. package/node_modules/hasown/eslint.config.mjs +6 -0
  51. package/node_modules/hasown/package.json +13 -14
  52. package/npm-shrinkwrap.json +16 -16
  53. package/package.json +2 -2
  54. package/node_modules/axios/dist/axios.js.map +0 -1
  55. package/node_modules/axios/dist/browser/axios.cjs.map +0 -1
  56. package/node_modules/axios/dist/esm/axios.js.map +0 -1
  57. package/node_modules/axios/dist/node/axios.cjs.map +0 -1
  58. package/node_modules/hasown/.eslintrc +0 -5
@@ -1,4 +1,4 @@
1
- /*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */
1
+ /*! Axios v1.18.1 Copyright (c) 2026 Matt Zabriskie and contributors */
2
2
  (function (global, factory) {
3
3
  typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
4
4
  typeof define === 'function' && define.amd ? define(factory) :
@@ -463,55 +463,42 @@
463
463
  };
464
464
  }
465
465
  function AsyncGenerator(e) {
466
- var r, t;
467
- function resume(r, t) {
466
+ var t, n;
467
+ function resume(t, n) {
468
468
  try {
469
- var n = e[r](t),
470
- o = n.value,
469
+ var r = e[t](n),
470
+ o = r.value,
471
471
  u = o instanceof _OverloadYield;
472
- Promise.resolve(u ? o.v : o).then(function (t) {
472
+ Promise.resolve(u ? o.v : o).then(function (n) {
473
473
  if (u) {
474
- var i = "return" === r ? "return" : "next";
475
- if (!o.k || t.done) return resume(i, t);
476
- t = e[i](t).value;
474
+ var i = "return" === t && o.k ? t : "next";
475
+ if (!o.k || n.done) return resume(i, n);
476
+ n = e[i](n).value;
477
477
  }
478
- settle(n.done ? "return" : "normal", t);
478
+ settle(!!r.done, n);
479
479
  }, function (e) {
480
480
  resume("throw", e);
481
481
  });
482
482
  } catch (e) {
483
- settle("throw", e);
483
+ settle(2, e);
484
484
  }
485
485
  }
486
- function settle(e, n) {
487
- switch (e) {
488
- case "return":
489
- r.resolve({
490
- value: n,
491
- done: true
492
- });
493
- break;
494
- case "throw":
495
- r.reject(n);
496
- break;
497
- default:
498
- r.resolve({
499
- value: n,
500
- done: false
501
- });
502
- }
503
- (r = r.next) ? resume(r.key, r.arg) : t = null;
486
+ function settle(e, r) {
487
+ 2 === e ? t.reject(r) : t.resolve({
488
+ value: r,
489
+ done: e
490
+ }), (t = t.next) ? resume(t.key, t.arg) : n = null;
504
491
  }
505
- this._invoke = function (e, n) {
492
+ this._invoke = function (e, r) {
506
493
  return new Promise(function (o, u) {
507
494
  var i = {
508
495
  key: e,
509
- arg: n,
496
+ arg: r,
510
497
  resolve: o,
511
498
  reject: u,
512
499
  next: null
513
500
  };
514
- t ? t = t.next = i : (r = t = i, resume(e, n));
501
+ n ? n = n.next = i : (t = n = i, resume(e, r));
515
502
  });
516
503
  }, "function" != typeof e.return && (this.return = void 0);
517
504
  }
@@ -566,6 +553,57 @@
566
553
  var getPrototypeOf = Object.getPrototypeOf;
567
554
  var iterator = Symbol.iterator,
568
555
  toStringTag = Symbol.toStringTag;
556
+
557
+ /* Creating a function that will check if an object has a property. */
558
+ var hasOwnProperty = function (_ref) {
559
+ var hasOwnProperty = _ref.hasOwnProperty;
560
+ return function (obj, prop) {
561
+ return hasOwnProperty.call(obj, prop);
562
+ };
563
+ }(Object.prototype);
564
+
565
+ /**
566
+ * Walk the prototype chain (excluding the shared Object.prototype) looking for
567
+ * an own `prop`. This distinguishes genuine own/inherited members — including
568
+ * class accessors and template prototypes — from members injected via
569
+ * Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
570
+ * live on Object.prototype itself and are therefore never matched.
571
+ *
572
+ * @param {*} thing The value whose chain to inspect
573
+ * @param {string|symbol} prop The property key to look for
574
+ *
575
+ * @returns {boolean} True when `prop` is owned below Object.prototype
576
+ */
577
+ var hasOwnInPrototypeChain = function hasOwnInPrototypeChain(thing, prop) {
578
+ var obj = thing;
579
+ var seen = [];
580
+ while (obj != null && obj !== Object.prototype) {
581
+ if (seen.indexOf(obj) !== -1) {
582
+ return false;
583
+ }
584
+ seen.push(obj);
585
+ if (hasOwnProperty(obj, prop)) {
586
+ return true;
587
+ }
588
+ obj = getPrototypeOf(obj);
589
+ }
590
+ return false;
591
+ };
592
+
593
+ /**
594
+ * Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
595
+ * properties and members inherited from a non-Object.prototype source (a class
596
+ * instance or template object) are honored; a value reachable only through a
597
+ * polluted Object.prototype is ignored and `undefined` is returned.
598
+ *
599
+ * @param {*} obj The source object
600
+ * @param {string|symbol} prop The property key to read
601
+ *
602
+ * @returns {*} The resolved value, or undefined when unsafe/absent
603
+ */
604
+ var getSafeProp = function getSafeProp(obj, prop) {
605
+ return obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
606
+ };
569
607
  var kindOf = function (cache) {
570
608
  return function (thing) {
571
609
  var str = toString.call(thing);
@@ -694,11 +732,15 @@
694
732
  * @returns {boolean} True if value is a plain Object, otherwise false
695
733
  */
696
734
  var isPlainObject = function isPlainObject(val) {
697
- if (kindOf(val) !== 'object') {
735
+ if (!isObject(val)) {
698
736
  return false;
699
737
  }
700
738
  var prototype = getPrototypeOf(val);
701
- return (prototype === null || prototype === Object.prototype || Object.getPrototypeOf(prototype) === null) && !(toStringTag in val) && !(iterator in val);
739
+ return (prototype === null || prototype === Object.prototype || getPrototypeOf(prototype) === null) &&
740
+ // Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
741
+ // Symbol.iterator as evidence the value is a tagged/iterable type rather
742
+ // than a plain object, while ignoring keys injected onto Object.prototype.
743
+ !hasOwnInPrototypeChain(val, toStringTag) && !hasOwnInPrototypeChain(val, iterator);
702
744
  };
703
745
 
704
746
  /**
@@ -866,9 +908,9 @@
866
908
  * @returns {any}
867
909
  */
868
910
  function forEach(obj, fn) {
869
- var _ref = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : {},
870
- _ref$allOwnKeys = _ref.allOwnKeys,
871
- allOwnKeys = _ref$allOwnKeys === void 0 ? false : _ref$allOwnKeys;
911
+ var _ref2 = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : {},
912
+ _ref2$allOwnKeys = _ref2.allOwnKeys,
913
+ allOwnKeys = _ref2$allOwnKeys === void 0 ? false : _ref2$allOwnKeys;
872
914
  // Don't bother if no value provided
873
915
  if (obj === null || typeof obj === 'undefined') {
874
916
  return;
@@ -955,16 +997,19 @@
955
997
  * @returns {Object} Result of all merge properties
956
998
  */
957
999
  function merge() {
958
- var _ref2 = isContextDefined(this) && this || {},
959
- caseless = _ref2.caseless,
960
- skipUndefined = _ref2.skipUndefined;
1000
+ var _ref3 = isContextDefined(this) && this || {},
1001
+ caseless = _ref3.caseless,
1002
+ skipUndefined = _ref3.skipUndefined;
961
1003
  var result = {};
962
1004
  var assignValue = function assignValue(val, key) {
963
1005
  // Skip dangerous property names to prevent prototype pollution
964
1006
  if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
965
1007
  return;
966
1008
  }
967
- var targetKey = caseless && findKey(result, key) || key;
1009
+
1010
+ // findKey lowercases the key, so caseless lookup only applies to strings —
1011
+ // symbol keys are identity-matched.
1012
+ var targetKey = caseless && typeof key === 'string' && findKey(result, key) || key;
968
1013
  // Read via own-prop only — a bare `result[targetKey]` walks the prototype
969
1014
  // chain, so a polluted Object.prototype value could surface here and get
970
1015
  // copied into the merged result.
@@ -979,11 +1024,22 @@
979
1024
  result[targetKey] = val;
980
1025
  }
981
1026
  };
982
- for (var _len = arguments.length, objs = new Array(_len), _key2 = 0; _key2 < _len; _key2++) {
983
- objs[_key2] = arguments[_key2];
984
- }
985
- for (var i = 0, l = objs.length; i < l; i++) {
986
- objs[i] && forEach(objs[i], assignValue);
1027
+ for (var i = 0, l = arguments.length; i < l; i++) {
1028
+ var source = i < 0 || arguments.length <= i ? undefined : arguments[i];
1029
+ if (!source || isBuffer(source)) {
1030
+ continue;
1031
+ }
1032
+ forEach(source, assignValue);
1033
+ if (_typeof(source) !== 'object' || isArray(source)) {
1034
+ continue;
1035
+ }
1036
+ var symbols = Object.getOwnPropertySymbols(source);
1037
+ for (var j = 0; j < symbols.length; j++) {
1038
+ var symbol = symbols[j];
1039
+ if (propertyIsEnumerable.call(source, symbol)) {
1040
+ assignValue(source[symbol], symbol);
1041
+ }
1042
+ }
987
1043
  }
988
1044
  return result;
989
1045
  }
@@ -1000,8 +1056,8 @@
1000
1056
  * @returns {Object} The resulting value of object a
1001
1057
  */
1002
1058
  var extend = function extend(a, b, thisArg) {
1003
- var _ref3 = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : {},
1004
- allOwnKeys = _ref3.allOwnKeys;
1059
+ var _ref4 = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : {},
1060
+ allOwnKeys = _ref4.allOwnKeys;
1005
1061
  forEach(b, function (val, key) {
1006
1062
  if (thisArg && isFunction$1(val)) {
1007
1063
  Object.defineProperty(a, key, {
@@ -1195,14 +1251,7 @@
1195
1251
  return p1.toUpperCase() + p2;
1196
1252
  });
1197
1253
  };
1198
-
1199
- /* Creating a function that will check if an object has a property. */
1200
- var hasOwnProperty = function (_ref4) {
1201
- var hasOwnProperty = _ref4.hasOwnProperty;
1202
- return function (obj, prop) {
1203
- return hasOwnProperty.call(obj, prop);
1204
- };
1205
- }(Object.prototype);
1254
+ var propertyIsEnumerable = Object.prototype.propertyIsEnumerable;
1206
1255
 
1207
1256
  /**
1208
1257
  * Determine if a value is a RegExp object
@@ -1382,6 +1431,21 @@
1382
1431
  var isIterable = function isIterable(thing) {
1383
1432
  return thing != null && isFunction$1(thing[iterator]);
1384
1433
  };
1434
+
1435
+ /**
1436
+ * Determine if a value is iterable via an iterator that is NOT sourced solely
1437
+ * from a polluted Object.prototype. Use this instead of `isIterable` whenever
1438
+ * the iterable comes from untrusted input (e.g. user-supplied header sources),
1439
+ * so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
1440
+ * into an attacker-controlled entries iterator.
1441
+ *
1442
+ * @param {*} thing The value to test
1443
+ *
1444
+ * @returns {boolean} True if value has a non-polluted iterator
1445
+ */
1446
+ var isSafeIterable = function isSafeIterable(thing) {
1447
+ return thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
1448
+ };
1385
1449
  var utils$1 = {
1386
1450
  isArray: isArray,
1387
1451
  isArrayBuffer: isArrayBuffer,
@@ -1427,6 +1491,8 @@
1427
1491
  hasOwnProperty: hasOwnProperty,
1428
1492
  hasOwnProp: hasOwnProperty,
1429
1493
  // an alias to avoid ESLint no-prototype-builtins detection
1494
+ hasOwnInPrototypeChain: hasOwnInPrototypeChain,
1495
+ getSafeProp: getSafeProp,
1430
1496
  reduceDescriptors: reduceDescriptors,
1431
1497
  freezeMethods: freezeMethods,
1432
1498
  toObjectSet: toObjectSet,
@@ -1442,7 +1508,8 @@
1442
1508
  isThenable: isThenable,
1443
1509
  setImmediate: _setImmediate,
1444
1510
  asap: asap,
1445
- isIterable: isIterable
1511
+ isIterable: isIterable,
1512
+ isSafeIterable: isSafeIterable
1446
1513
  };
1447
1514
 
1448
1515
  // RawAxiosHeaders whose duplicates are ignored by node
@@ -1603,7 +1670,7 @@
1603
1670
  function setHeader(_value, _header, _rewrite) {
1604
1671
  var lHeader = normalizeHeader(_header);
1605
1672
  if (!lHeader) {
1606
- throw new Error('header name must be a non-empty string');
1673
+ return;
1607
1674
  }
1608
1675
  var key = utils$1.findKey(self, lHeader);
1609
1676
  if (!key || self[key] === undefined || _rewrite === true || _rewrite === undefined && self[key] !== false) {
@@ -1619,8 +1686,8 @@
1619
1686
  setHeaders(header, valueOrRewrite);
1620
1687
  } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) {
1621
1688
  setHeaders(parseHeaders(header), valueOrRewrite);
1622
- } else if (utils$1.isObject(header) && utils$1.isIterable(header)) {
1623
- var obj = {},
1689
+ } else if (utils$1.isObject(header) && utils$1.isSafeIterable(header)) {
1690
+ var obj = Object.create(null),
1624
1691
  dest,
1625
1692
  key;
1626
1693
  var _iterator = _createForOfIteratorHelper(header),
@@ -1629,9 +1696,15 @@
1629
1696
  for (_iterator.s(); !(_step = _iterator.n()).done;) {
1630
1697
  var entry = _step.value;
1631
1698
  if (!utils$1.isArray(entry)) {
1632
- throw TypeError('Object iterator must return a key-value pair');
1699
+ throw new TypeError('Object iterator must return a key-value pair');
1700
+ }
1701
+ key = entry[0];
1702
+ if (utils$1.hasOwnProp(obj, key)) {
1703
+ dest = obj[key];
1704
+ obj[key] = utils$1.isArray(dest) ? [].concat(_toConsumableArray(dest), [entry[1]]) : [dest, entry[1]];
1705
+ } else {
1706
+ obj[key] = entry[1];
1633
1707
  }
1634
- obj[key = entry[0]] = (dest = obj[key]) ? utils$1.isArray(dest) ? [].concat(_toConsumableArray(dest), [entry[1]]) : [dest, entry[1]] : entry[1];
1635
1708
  }
1636
1709
  } catch (err) {
1637
1710
  _iterator.e(err);
@@ -1967,7 +2040,19 @@
1967
2040
  key: "from",
1968
2041
  value: function from(error, code, config, request, response, customProps) {
1969
2042
  var axiosError = new AxiosError(error.message, code || error.code, config, request, response);
1970
- axiosError.cause = error;
2043
+ // Match native `Error` `cause` semantics: non-enumerable. The wrapped
2044
+ // error often carries circular internals (sockets, requests, agents), so
2045
+ // an enumerable `cause` makes structured loggers (pino/winston) and any
2046
+ // own-property walk throw "Converting circular structure to JSON".
2047
+ // Regression from #6982; see #7205. `__proto__: null` mirrors the
2048
+ // `message` descriptor below (prototype-pollution-safe descriptor).
2049
+ Object.defineProperty(axiosError, 'cause', {
2050
+ __proto__: null,
2051
+ value: error,
2052
+ writable: true,
2053
+ enumerable: false,
2054
+ configurable: true
2055
+ });
1971
2056
  axiosError.name = error.name;
1972
2057
 
1973
2058
  // Preserve status from the original error if not already set from response
@@ -1997,6 +2082,10 @@
1997
2082
  // eslint-disable-next-line strict
1998
2083
  var httpAdapter = null;
1999
2084
 
2085
+ // Default nesting limit shared with the inverse transform (formDataToJSON) so
2086
+ // the FormData <-> JSON round-trip stays symmetric.
2087
+ var DEFAULT_FORM_DATA_MAX_DEPTH = 100;
2088
+
2000
2089
  /**
2001
2090
  * Determines if the given thing is a array or js object.
2002
2091
  *
@@ -2097,8 +2186,9 @@
2097
2186
  var dots = options.dots;
2098
2187
  var indexes = options.indexes;
2099
2188
  var _Blob = options.Blob || typeof Blob !== 'undefined' && Blob;
2100
- var maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
2189
+ var maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
2101
2190
  var useBlob = _Blob && utils$1.isSpecCompliantForm(formData);
2191
+ var stack = [];
2102
2192
  if (!utils$1.isFunction(visitor)) {
2103
2193
  throw new TypeError('visitor must be a function');
2104
2194
  }
@@ -2114,10 +2204,38 @@
2114
2204
  throw new AxiosError('Blob is not supported. Use a Buffer instead.');
2115
2205
  }
2116
2206
  if (utils$1.isArrayBuffer(value) || utils$1.isTypedArray(value)) {
2117
- return useBlob && typeof Blob === 'function' ? new Blob([value]) : Buffer.from(value);
2207
+ if (useBlob && typeof _Blob === 'function') {
2208
+ return new _Blob([value]);
2209
+ }
2210
+ if (typeof Buffer !== 'undefined') {
2211
+ return Buffer.from(value);
2212
+ }
2213
+ throw new AxiosError('Blob is not supported. Use a Buffer instead.', AxiosError.ERR_NOT_SUPPORT);
2118
2214
  }
2119
2215
  return value;
2120
2216
  }
2217
+ function throwIfMaxDepthExceeded(depth) {
2218
+ if (depth > maxDepth) {
2219
+ throw new AxiosError('Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
2220
+ }
2221
+ }
2222
+ function stringifyWithDepthLimit(value, depth) {
2223
+ if (maxDepth === Infinity) {
2224
+ return JSON.stringify(value);
2225
+ }
2226
+ var ancestors = [];
2227
+ return JSON.stringify(value, function limitDepth(_key, currentValue) {
2228
+ if (!utils$1.isObject(currentValue)) {
2229
+ return currentValue;
2230
+ }
2231
+ while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
2232
+ ancestors.pop();
2233
+ }
2234
+ ancestors.push(currentValue);
2235
+ throwIfMaxDepthExceeded(depth + ancestors.length - 1);
2236
+ return currentValue;
2237
+ });
2238
+ }
2121
2239
 
2122
2240
  /**
2123
2241
  * Default visitor.
@@ -2140,7 +2258,7 @@
2140
2258
  // eslint-disable-next-line no-param-reassign
2141
2259
  key = metaTokens ? key : key.slice(0, -2);
2142
2260
  // eslint-disable-next-line no-param-reassign
2143
- value = JSON.stringify(value);
2261
+ value = stringifyWithDepthLimit(value, 1);
2144
2262
  } else if (utils$1.isArray(value) && isFlatArray(value) || (utils$1.isFileList(value) || utils$1.endsWith(key, '[]')) && (arr = utils$1.toArray(value))) {
2145
2263
  // eslint-disable-next-line no-param-reassign
2146
2264
  key = removeBrackets(key);
@@ -2158,7 +2276,6 @@
2158
2276
  formData.append(renderKey(path, key, dots), convertValue(value));
2159
2277
  return false;
2160
2278
  }
2161
- var stack = [];
2162
2279
  var exposedHelpers = Object.assign(predicates, {
2163
2280
  defaultVisitor: defaultVisitor,
2164
2281
  convertValue: convertValue,
@@ -2167,11 +2284,9 @@
2167
2284
  function build(value, path) {
2168
2285
  var depth = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : 0;
2169
2286
  if (utils$1.isUndefined(value)) return;
2170
- if (depth > maxDepth) {
2171
- throw new AxiosError('Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
2172
- }
2287
+ throwIfMaxDepthExceeded(depth);
2173
2288
  if (stack.indexOf(value) !== -1) {
2174
- throw Error('Circular reference detected in ' + path.join('.'));
2289
+ throw new Error('Circular reference detected in ' + path.join('.'));
2175
2290
  }
2176
2291
  stack.push(value);
2177
2292
  utils$1.forEach(value, function each(el, key) {
@@ -2228,8 +2343,9 @@
2228
2343
  this._pairs.push([name, value]);
2229
2344
  };
2230
2345
  prototype.toString = function toString(encoder) {
2346
+ var _this = this;
2231
2347
  var _encode = encoder ? function (value) {
2232
- return encoder.call(this, value, encode$1);
2348
+ return encoder.call(_this, value, encode$1);
2233
2349
  } : encode$1;
2234
2350
  return this._pairs.map(function each(pair) {
2235
2351
  return _encode(pair[0]) + '=' + _encode(pair[1]);
@@ -2261,11 +2377,16 @@
2261
2377
  if (!params) {
2262
2378
  return url;
2263
2379
  }
2264
- var _encode = options && options.encode || encode;
2380
+ url = url || '';
2265
2381
  var _options = utils$1.isFunction(options) ? {
2266
2382
  serialize: options
2267
2383
  } : options;
2268
- var serializeFn = _options && _options.serialize;
2384
+
2385
+ // Read serializer options pollution-safely: own properties and methods on a
2386
+ // class/template prototype are honored, but values injected onto a polluted
2387
+ // Object.prototype are ignored.
2388
+ var _encode = utils$1.getSafeProp(_options, 'encode') || encode;
2389
+ var serializeFn = utils$1.getSafeProp(_options, 'serialize');
2269
2390
  var serializedParams;
2270
2391
  if (serializeFn) {
2271
2392
  serializedParams = serializeFn(params, _options);
@@ -2363,7 +2484,9 @@
2363
2484
  silentJSONParsing: true,
2364
2485
  forcedJSONParsing: true,
2365
2486
  clarifyTimeoutError: false,
2366
- legacyInterceptorReqResOrdering: true
2487
+ legacyInterceptorReqResOrdering: true,
2488
+ advertiseZstdAcceptEncoding: false,
2489
+ validateStatusUndefinedResolves: true
2367
2490
  };
2368
2491
 
2369
2492
  var URLSearchParams$1 = typeof URLSearchParams !== 'undefined' ? URLSearchParams : AxiosURLSearchParams;
@@ -2443,6 +2566,13 @@
2443
2566
  }, options));
2444
2567
  }
2445
2568
 
2569
+ var MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
2570
+ function throwIfDepthExceeded(index) {
2571
+ if (index > MAX_DEPTH) {
2572
+ throw new AxiosError('FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
2573
+ }
2574
+ }
2575
+
2446
2576
  /**
2447
2577
  * It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
2448
2578
  *
@@ -2455,9 +2585,14 @@
2455
2585
  // foo.x.y.z
2456
2586
  // foo-x-y-z
2457
2587
  // foo x y z
2458
- return utils$1.matchAll(/\w+|\[(\w*)]/g, name).map(function (match) {
2459
- return match[0] === '[]' ? '' : match[1] || match[0];
2460
- });
2588
+ var path = [];
2589
+ var pattern = /\w+|\[(\w*)]/g;
2590
+ var match;
2591
+ while ((match = pattern.exec(name)) !== null) {
2592
+ throwIfDepthExceeded(path.length);
2593
+ path.push(match[0] === '[]' ? '' : match[1] || match[0]);
2594
+ }
2595
+ return path;
2461
2596
  }
2462
2597
 
2463
2598
  /**
@@ -2489,6 +2624,7 @@
2489
2624
  */
2490
2625
  function formDataToJSON(formData) {
2491
2626
  function buildPath(path, value, target, index) {
2627
+ throwIfDepthExceeded(index);
2492
2628
  var name = path[index++];
2493
2629
  if (name === '__proto__') return true;
2494
2630
  var isNumericKey = Number.isFinite(+name);
@@ -2889,7 +3025,11 @@
2889
3025
  var cookie = cookies[i].replace(/^\s+/, '');
2890
3026
  var eq = cookie.indexOf('=');
2891
3027
  if (eq !== -1 && cookie.slice(0, eq) === name) {
2892
- return decodeURIComponent(cookie.slice(eq + 1));
3028
+ try {
3029
+ return decodeURIComponent(cookie.slice(eq + 1));
3030
+ } catch (e) {
3031
+ return cookie.slice(eq + 1);
3032
+ }
2893
3033
  }
2894
3034
  }
2895
3035
  return null;
@@ -2936,6 +3076,24 @@
2936
3076
  return relativeURL ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '') : baseURL;
2937
3077
  }
2938
3078
 
3079
+ var malformedHttpProtocol = /^https?:(?!\/\/)/i;
3080
+ var httpProtocolControlCharacters = /[\t\n\r]/g;
3081
+ function stripLeadingC0ControlOrSpace(url) {
3082
+ var i = 0;
3083
+ while (i < url.length && url.charCodeAt(i) <= 0x20) {
3084
+ i++;
3085
+ }
3086
+ return url.slice(i);
3087
+ }
3088
+ function normalizeURLForProtocolCheck(url) {
3089
+ return stripLeadingC0ControlOrSpace(url).replace(httpProtocolControlCharacters, '');
3090
+ }
3091
+ function assertValidHttpProtocolURL(url, config) {
3092
+ if (typeof url === 'string' && malformedHttpProtocol.test(normalizeURLForProtocolCheck(url))) {
3093
+ throw new AxiosError('Invalid URL: missing "//" after protocol', AxiosError.ERR_INVALID_URL, config);
3094
+ }
3095
+ }
3096
+
2939
3097
  /**
2940
3098
  * Creates a new URL by combining the baseURL with the requestedURL,
2941
3099
  * only when the requestedURL is not already an absolute URL.
@@ -2946,9 +3104,11 @@
2946
3104
  *
2947
3105
  * @returns {string} The combined full path
2948
3106
  */
2949
- function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
3107
+ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls, config) {
3108
+ assertValidHttpProtocolURL(requestedURL, config);
2950
3109
  var isRelativeUrl = !isAbsoluteURL(requestedURL);
2951
3110
  if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) {
3111
+ assertValidHttpProtocolURL(baseURL, config);
2952
3112
  return combineURLs(baseURL, requestedURL);
2953
3113
  }
2954
3114
  return requestedURL;
@@ -2969,6 +3129,7 @@
2969
3129
  */
2970
3130
  function mergeConfig(config1, config2) {
2971
3131
  // eslint-disable-next-line no-param-reassign
3132
+ config1 = config1 || {};
2972
3133
  config2 = config2 || {};
2973
3134
 
2974
3135
  // Use a null-prototype object so that downstream reads such as `config.auth`
@@ -3020,6 +3181,23 @@
3020
3181
  return getMergedValue(undefined, a);
3021
3182
  }
3022
3183
  }
3184
+ function getMergedTransitionalOption(prop) {
3185
+ var transitional2 = utils$1.hasOwnProp(config2, 'transitional') ? config2.transitional : undefined;
3186
+ if (!utils$1.isUndefined(transitional2)) {
3187
+ if (utils$1.isPlainObject(transitional2)) {
3188
+ if (utils$1.hasOwnProp(transitional2, prop)) {
3189
+ return transitional2[prop];
3190
+ }
3191
+ } else {
3192
+ return undefined;
3193
+ }
3194
+ }
3195
+ var transitional1 = utils$1.hasOwnProp(config1, 'transitional') ? config1.transitional : undefined;
3196
+ if (utils$1.isPlainObject(transitional1) && utils$1.hasOwnProp(transitional1, prop)) {
3197
+ return transitional1[prop];
3198
+ }
3199
+ return undefined;
3200
+ }
3023
3201
 
3024
3202
  // eslint-disable-next-line consistent-return
3025
3203
  function mergeDirectKeys(a, b, prop) {
@@ -3071,6 +3249,13 @@
3071
3249
  var configValue = merge(a, b, prop);
3072
3250
  utils$1.isUndefined(configValue) && merge !== mergeDirectKeys || (config[prop] = configValue);
3073
3251
  });
3252
+ if (utils$1.hasOwnProp(config2, 'validateStatus') && utils$1.isUndefined(config2.validateStatus) && getMergedTransitionalOption('validateStatusUndefinedResolves') === false) {
3253
+ if (utils$1.hasOwnProp(config1, 'validateStatus')) {
3254
+ config.validateStatus = getMergedValue(undefined, config1.validateStatus);
3255
+ } else {
3256
+ delete config.validateStatus;
3257
+ }
3258
+ }
3074
3259
  return config;
3075
3260
  }
3076
3261
 
@@ -3080,7 +3265,7 @@
3080
3265
  headers.set(formHeaders);
3081
3266
  return;
3082
3267
  }
3083
- Object.entries(formHeaders).forEach(function (_ref) {
3268
+ Object.entries(formHeaders || {}).forEach(function (_ref) {
3084
3269
  var _ref2 = _slicedToArray(_ref, 2),
3085
3270
  key = _ref2[0],
3086
3271
  val = _ref2[1];
@@ -3098,12 +3283,12 @@
3098
3283
  *
3099
3284
  * @returns {string} UTF-8 bytes as a Latin-1 string
3100
3285
  */
3101
- var encodeUTF8 = function encodeUTF8(str) {
3286
+ var encodeUTF8$1 = function encodeUTF8(str) {
3102
3287
  return encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, function (_, hex) {
3103
3288
  return String.fromCharCode(parseInt(hex, 16));
3104
3289
  });
3105
3290
  };
3106
- var resolveConfig = (function (config) {
3291
+ function resolveConfig(config) {
3107
3292
  var newConfig = mergeConfig({}, config);
3108
3293
 
3109
3294
  // Read only own properties to prevent prototype pollution gadgets
@@ -3121,15 +3306,21 @@
3121
3306
  var allowAbsoluteUrls = own('allowAbsoluteUrls');
3122
3307
  var url = own('url');
3123
3308
  newConfig.headers = headers = AxiosHeaders.from(headers);
3124
- newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), config.params, config.paramsSerializer);
3309
+ newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig), own('params'), own('paramsSerializer'));
3125
3310
 
3126
3311
  // HTTP basic authentication
3127
3312
  if (auth) {
3128
- headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : '')));
3313
+ var username = utils$1.getSafeProp(auth, 'username') || '';
3314
+ var password = utils$1.getSafeProp(auth, 'password') || '';
3315
+ try {
3316
+ headers.set('Authorization', 'Basic ' + btoa(username + ':' + (password ? encodeUTF8$1(password) : '')));
3317
+ } catch (e) {
3318
+ throw AxiosError.from(e, AxiosError.ERR_BAD_OPTION_VALUE, config);
3319
+ }
3129
3320
  }
3130
3321
  if (utils$1.isFormData(data)) {
3131
- if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) {
3132
- headers.setContentType(undefined); // browser handles it
3322
+ if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv || utils$1.isReactNative(data)) {
3323
+ headers.setContentType(undefined); // browser/web worker/RN handles it
3133
3324
  } else if (utils$1.isFunction(data.getHeaders)) {
3134
3325
  // Node.js FormData (like form-data package)
3135
3326
  setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy'));
@@ -3157,7 +3348,7 @@
3157
3348
  }
3158
3349
  }
3159
3350
  return newConfig;
3160
- });
3351
+ }
3161
3352
 
3162
3353
  var isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined';
3163
3354
  var xhrAdapter = isXHRAdapterSupported && function (config) {
@@ -3330,6 +3521,7 @@
3330
3521
  var protocol = parseProtocol(_config.url);
3331
3522
  if (protocol && !platform.protocols.includes(protocol)) {
3332
3523
  reject(new AxiosError('Unsupported protocol ' + protocol + ':', AxiosError.ERR_BAD_REQUEST, config));
3524
+ done();
3333
3525
  return;
3334
3526
  }
3335
3527
 
@@ -3369,7 +3561,9 @@
3369
3561
  signals = null;
3370
3562
  };
3371
3563
  signals.forEach(function (signal) {
3372
- return signal.addEventListener('abort', onabort);
3564
+ return signal.addEventListener('abort', onabort, {
3565
+ once: true
3566
+ });
3373
3567
  });
3374
3568
  var signal = controller.signal;
3375
3569
  signal.unsubscribe = function () {
@@ -3585,11 +3779,17 @@
3585
3779
  * Estimate decoded byte length of a data:// URL *without* allocating large buffers.
3586
3780
  * - For base64: compute exact decoded size using length and padding;
3587
3781
  * handle %XX at the character-count level (no string allocation).
3588
- * - For non-base64: use UTF-8 byteLength of the encoded body as a safe upper bound.
3782
+ * - For non-base64: compute the exact percent-decoded UTF-8 byte length.
3589
3783
  *
3590
3784
  * @param {string} url
3591
3785
  * @returns {number}
3592
3786
  */
3787
+ var isHexDigit = function isHexDigit(charCode) {
3788
+ return charCode >= 48 && charCode <= 57 || charCode >= 65 && charCode <= 70 || charCode >= 97 && charCode <= 102;
3789
+ };
3790
+ var isPercentEncodedByte = function isPercentEncodedByte(str, i, len) {
3791
+ return i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
3792
+ };
3593
3793
  function estimateDataURLDecodedBytes(url) {
3594
3794
  if (!url || typeof url !== 'string') return 0;
3595
3795
  if (!url.startsWith('data:')) return 0;
@@ -3606,7 +3806,7 @@
3606
3806
  if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
3607
3807
  var a = body.charCodeAt(i + 1);
3608
3808
  var b = body.charCodeAt(i + 2);
3609
- var isHex = (a >= 48 && a <= 57 || a >= 65 && a <= 70 || a >= 97 && a <= 102) && (b >= 48 && b <= 57 || b >= 65 && b <= 70 || b >= 97 && b <= 102);
3809
+ var isHex = isHexDigit(a) && isHexDigit(b);
3610
3810
  if (isHex) {
3611
3811
  effectiveLen -= 2;
3612
3812
  i += 2;
@@ -3643,18 +3843,18 @@
3643
3843
  var _bytes = groups * 3 - (pad || 0);
3644
3844
  return _bytes > 0 ? _bytes : 0;
3645
3845
  }
3646
- if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
3647
- return Buffer.byteLength(body, 'utf8');
3648
- }
3649
3846
 
3650
3847
  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
3651
3848
  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
3652
- // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
3653
- // but 3 UTF-8 bytes).
3849
+ // Valid %XX triplets count as one decoded byte; this matches the bytes that
3850
+ // decodeURIComponent(body) would produce before Buffer re-encodes the string.
3654
3851
  var bytes = 0;
3655
3852
  for (var _i = 0, _len = body.length; _i < _len; _i++) {
3656
3853
  var c = body.charCodeAt(_i);
3657
- if (c < 0x80) {
3854
+ if (c === 37 /* '%' */ && isPercentEncodedByte(body, _i, _len)) {
3855
+ bytes += 1;
3856
+ _i += 2;
3857
+ } else if (c < 0x80) {
3658
3858
  bytes += 1;
3659
3859
  } else if (c < 0x800) {
3660
3860
  bytes += 2;
@@ -3673,10 +3873,39 @@
3673
3873
  return bytes;
3674
3874
  }
3675
3875
 
3676
- var VERSION = "1.16.1";
3876
+ var VERSION = "1.18.1";
3677
3877
 
3678
3878
  var DEFAULT_CHUNK_SIZE = 64 * 1024;
3679
3879
  var isFunction = utils$1.isFunction;
3880
+
3881
+ /**
3882
+ * Encode a UTF-8 string to a Latin-1 byte string for use with btoa().
3883
+ * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern.
3884
+ *
3885
+ * @param {string} str The string to encode
3886
+ *
3887
+ * @returns {string} UTF-8 bytes as a Latin-1 string
3888
+ */
3889
+ var encodeUTF8 = function encodeUTF8(str) {
3890
+ return encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, function (_, hex) {
3891
+ return String.fromCharCode(parseInt(hex, 16));
3892
+ });
3893
+ };
3894
+
3895
+ // Node's WHATWG URL parser returns `username` and `password` percent-encoded.
3896
+ // Decode before composing the `auth` option so credentials such as
3897
+ // `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the
3898
+ // original value for malformed input so a bad encoding never throws.
3899
+ var decodeURIComponentSafe = function decodeURIComponentSafe(value) {
3900
+ if (!utils$1.isString(value)) {
3901
+ return value;
3902
+ }
3903
+ try {
3904
+ return decodeURIComponent(value);
3905
+ } catch (error) {
3906
+ return value;
3907
+ }
3908
+ };
3680
3909
  var test = function test(fn) {
3681
3910
  try {
3682
3911
  for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
@@ -3687,6 +3916,14 @@
3687
3916
  return false;
3688
3917
  }
3689
3918
  };
3919
+ var maybeWithAuthCredentials = function maybeWithAuthCredentials(url) {
3920
+ var protocolIndex = url.indexOf('://');
3921
+ var urlToCheck = url;
3922
+ if (protocolIndex !== -1) {
3923
+ urlToCheck = urlToCheck.slice(protocolIndex + 3);
3924
+ }
3925
+ return urlToCheck.includes('@') || urlToCheck.includes(':');
3926
+ };
3690
3927
  var factory = function factory(env) {
3691
3928
  var globalObject = utils$1.global !== undefined && utils$1.global !== null ? utils$1.global : globalThis;
3692
3929
  var ReadableStream = globalObject.ReadableStream,
@@ -3840,13 +4077,16 @@
3840
4077
  }();
3841
4078
  return /*#__PURE__*/function () {
3842
4079
  var _ref4 = _asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee4(config) {
3843
- var _resolveConfig, url, method, data, signal, cancelToken, timeout, onDownloadProgress, onUploadProgress, responseType, headers, _resolveConfig$withCr, withCredentials, fetchOptions, maxContentLength, maxBodyLength, hasMaxContentLength, hasMaxBodyLength, _fetch, composedSignal, request, unsubscribe, requestContentLength, estimated, outboundLength, _request, contentTypeHeader, _progressEventDecorat, _progressEventDecorat2, onProgress, flush, isCredentialsSupported, contentType, resolvedOptions, response, declaredLength, isStreamResponse, options, responseContentLength, _ref5, _ref6, _onProgress, _flush, bytesRead, onChunkProgress, responseData, materializedSize, canceledError, _t3, _t4, _t5;
4080
+ var _resolveConfig, url, method, data, signal, cancelToken, timeout, onDownloadProgress, onUploadProgress, responseType, headers, _resolveConfig$withCr, withCredentials, fetchOptions, maxContentLength, maxBodyLength, hasMaxContentLength, hasMaxBodyLength, own, _fetch, composedSignal, request, unsubscribe, requestContentLength, pendingBodyError, maxBodyLengthError, auth, configAuth, username, password, parsedURL, urlUsername, urlPassword, estimated, outboundLength, mustEnforceStreamBody, trackRequestStream, _request, contentTypeHeader, _ref5, _ref6, onProgress, flush, isCredentialsSupported, contentType, resolvedOptions, response, responseHeaders, declaredLength, isStreamResponse, options, responseContentLength, _ref7, _ref8, _onProgress, _flush, bytesRead, onChunkProgress, responseData, materializedSize, canceledError, networkError, _t3, _t4;
3844
4081
  return _regenerator().w(function (_context4) {
3845
4082
  while (1) switch (_context4.p = _context4.n) {
3846
4083
  case 0:
3847
4084
  _resolveConfig = resolveConfig(config), url = _resolveConfig.url, method = _resolveConfig.method, data = _resolveConfig.data, signal = _resolveConfig.signal, cancelToken = _resolveConfig.cancelToken, timeout = _resolveConfig.timeout, onDownloadProgress = _resolveConfig.onDownloadProgress, onUploadProgress = _resolveConfig.onUploadProgress, responseType = _resolveConfig.responseType, headers = _resolveConfig.headers, _resolveConfig$withCr = _resolveConfig.withCredentials, withCredentials = _resolveConfig$withCr === void 0 ? 'same-origin' : _resolveConfig$withCr, fetchOptions = _resolveConfig.fetchOptions, maxContentLength = _resolveConfig.maxContentLength, maxBodyLength = _resolveConfig.maxBodyLength;
3848
4085
  hasMaxContentLength = utils$1.isNumber(maxContentLength) && maxContentLength > -1;
3849
4086
  hasMaxBodyLength = utils$1.isNumber(maxBodyLength) && maxBodyLength > -1;
4087
+ own = function own(key) {
4088
+ return utils$1.hasOwnProp(config, key) ? config[key] : undefined;
4089
+ };
3850
4090
  _fetch = envFetch || fetch;
3851
4091
  responseType = responseType ? (responseType + '').toLowerCase() : 'text';
3852
4092
  composedSignal = composeSignals([signal, cancelToken && cancelToken.toAbortSignal()], timeout);
@@ -3854,7 +4094,50 @@
3854
4094
  unsubscribe = composedSignal && composedSignal.unsubscribe && function () {
3855
4095
  composedSignal.unsubscribe();
3856
4096
  };
4097
+ // AxiosError we raise while the request body is being streamed. Captured
4098
+ // by identity so the catch block can surface it directly, regardless of
4099
+ // how the runtime wraps the resulting fetch rejection (undici exposes it
4100
+ // as `err.cause`; some browsers drop the original error entirely).
4101
+ pendingBodyError = null;
4102
+ maxBodyLengthError = function maxBodyLengthError() {
4103
+ return new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, request);
4104
+ };
3857
4105
  _context4.p = 1;
4106
+ // HTTP basic authentication
4107
+ auth = undefined;
4108
+ configAuth = own('auth');
4109
+ if (configAuth) {
4110
+ username = utils$1.getSafeProp(configAuth, 'username') || '';
4111
+ password = utils$1.getSafeProp(configAuth, 'password') || '';
4112
+ auth = {
4113
+ username: username,
4114
+ password: password
4115
+ };
4116
+ }
4117
+ if (maybeWithAuthCredentials(url)) {
4118
+ parsedURL = new URL(url, platform.origin);
4119
+ if (!auth && (parsedURL.username || parsedURL.password)) {
4120
+ urlUsername = decodeURIComponentSafe(parsedURL.username);
4121
+ urlPassword = decodeURIComponentSafe(parsedURL.password);
4122
+ auth = {
4123
+ username: urlUsername,
4124
+ password: urlPassword
4125
+ };
4126
+ }
4127
+ if (parsedURL.username || parsedURL.password) {
4128
+ parsedURL.username = '';
4129
+ parsedURL.password = '';
4130
+ url = parsedURL.href;
4131
+ }
4132
+ }
4133
+ if (auth) {
4134
+ headers["delete"]('authorization');
4135
+ headers.set('Authorization', 'Basic ' + btoa(encodeUTF8((auth.username || '') + ':' + (auth.password || ''))));
4136
+ }
4137
+
4138
+ // Enforce maxContentLength for data: URLs up-front so we never materialize
4139
+ // an oversized payload. The HTTP adapter applies the same check (see http.js
4140
+ // "if (protocol === 'data:')" branch).
3858
4141
  if (!(hasMaxContentLength && typeof url === 'string' && url.startsWith('data:'))) {
3859
4142
  _context4.n = 2;
3860
4143
  break;
@@ -3871,43 +4154,82 @@
3871
4154
  break;
3872
4155
  }
3873
4156
  _context4.n = 3;
3874
- return resolveBodyLength(headers, data);
4157
+ return getBodyLength(data);
3875
4158
  case 3:
3876
4159
  outboundLength = _context4.v;
3877
- if (!(typeof outboundLength === 'number' && isFinite(outboundLength) && outboundLength > maxBodyLength)) {
4160
+ if (!(typeof outboundLength === 'number' && isFinite(outboundLength))) {
4161
+ _context4.n = 4;
4162
+ break;
4163
+ }
4164
+ requestContentLength = outboundLength;
4165
+ if (!(outboundLength > maxBodyLength)) {
3878
4166
  _context4.n = 4;
3879
4167
  break;
3880
4168
  }
3881
- throw new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, request);
4169
+ throw maxBodyLengthError();
3882
4170
  case 4:
3883
- _t3 = onUploadProgress && supportsRequestStream && method !== 'get' && method !== 'head';
3884
- if (!_t3) {
4171
+ // A streamed body under maxBodyLength must be counted as fetch consumes
4172
+ // it; its size is never trusted from a caller-declared Content-Length.
4173
+ mustEnforceStreamBody = hasMaxBodyLength && (utils$1.isReadableStream(data) || utils$1.isStream(data));
4174
+ trackRequestStream = function trackRequestStream(stream, onProgress, flush) {
4175
+ return trackStream(stream, DEFAULT_CHUNK_SIZE, function (loadedBytes) {
4176
+ if (hasMaxBodyLength && loadedBytes > maxBodyLength) {
4177
+ throw pendingBodyError = maxBodyLengthError();
4178
+ }
4179
+ onProgress && onProgress(loadedBytes);
4180
+ }, flush);
4181
+ };
4182
+ if (!(supportsRequestStream && method !== 'get' && method !== 'head' && (onUploadProgress || mustEnforceStreamBody))) {
4183
+ _context4.n = 8;
4184
+ break;
4185
+ }
4186
+ if (!(requestContentLength == null)) {
3885
4187
  _context4.n = 6;
3886
4188
  break;
3887
4189
  }
3888
4190
  _context4.n = 5;
3889
4191
  return resolveBodyLength(headers, data);
3890
4192
  case 5:
3891
- _t4 = requestContentLength = _context4.v;
3892
- _t3 = _t4 !== 0;
4193
+ _t3 = _context4.v;
4194
+ _context4.n = 7;
4195
+ break;
3893
4196
  case 6:
3894
- if (!_t3) {
3895
- _context4.n = 7;
3896
- break;
4197
+ _t3 = requestContentLength;
4198
+ case 7:
4199
+ requestContentLength = _t3;
4200
+ // A declared length of 0 is only trusted to skip the wrap when we are
4201
+ // not enforcing a stream limit (which must not rely on that header).
4202
+ if (requestContentLength !== 0 || mustEnforceStreamBody) {
4203
+ _request = new Request(url, {
4204
+ method: 'POST',
4205
+ body: data,
4206
+ duplex: 'half'
4207
+ });
4208
+ if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
4209
+ headers.setContentType(contentTypeHeader);
4210
+ }
4211
+ if (_request.body) {
4212
+ _ref5 = onUploadProgress && progressEventDecorator(requestContentLength, progressEventReducer(asyncDecorator(onUploadProgress))) || [], _ref6 = _slicedToArray(_ref5, 2), onProgress = _ref6[0], flush = _ref6[1];
4213
+ data = trackRequestStream(_request.body, onProgress, flush);
4214
+ }
3897
4215
  }
3898
- _request = new Request(url, {
3899
- method: 'POST',
3900
- body: data,
3901
- duplex: 'half'
3902
- });
3903
- if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
3904
- headers.setContentType(contentTypeHeader);
4216
+ _context4.n = 10;
4217
+ break;
4218
+ case 8:
4219
+ if (!(mustEnforceStreamBody && !isRequestSupported && isReadableStreamSupported && method !== 'get' && method !== 'head')) {
4220
+ _context4.n = 9;
4221
+ break;
3905
4222
  }
3906
- if (_request.body) {
3907
- _progressEventDecorat = progressEventDecorator(requestContentLength, progressEventReducer(asyncDecorator(onUploadProgress))), _progressEventDecorat2 = _slicedToArray(_progressEventDecorat, 2), onProgress = _progressEventDecorat2[0], flush = _progressEventDecorat2[1];
3908
- data = trackStream(_request.body, DEFAULT_CHUNK_SIZE, onProgress, flush);
4223
+ data = trackRequestStream(data);
4224
+ _context4.n = 10;
4225
+ break;
4226
+ case 9:
4227
+ if (!(mustEnforceStreamBody && isRequestSupported && !supportsRequestStream && method !== 'get' && method !== 'head')) {
4228
+ _context4.n = 10;
4229
+ break;
3909
4230
  }
3910
- case 7:
4231
+ throw new AxiosError('Stream request bodies are not supported by the current fetch implementation', AxiosError.ERR_NOT_SUPPORT, config, request);
4232
+ case 10:
3911
4233
  if (!utils$1.isString(withCredentials)) {
3912
4234
  withCredentials = withCredentials ? 'include' : 'omit';
3913
4235
  }
@@ -3934,29 +4256,31 @@
3934
4256
  credentials: isCredentialsSupported ? withCredentials : undefined
3935
4257
  });
3936
4258
  request = isRequestSupported && new Request(url, resolvedOptions);
3937
- _context4.n = 8;
4259
+ _context4.n = 11;
3938
4260
  return isRequestSupported ? _fetch(request, fetchOptions) : _fetch(url, resolvedOptions);
3939
- case 8:
4261
+ case 11:
3940
4262
  response = _context4.v;
4263
+ responseHeaders = AxiosHeaders.from(response.headers); // Cheap pre-check: if the server honestly declares a content-length that
4264
+ // already exceeds the cap, reject before we start streaming.
3941
4265
  if (!hasMaxContentLength) {
3942
- _context4.n = 9;
4266
+ _context4.n = 12;
3943
4267
  break;
3944
4268
  }
3945
- declaredLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
4269
+ declaredLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
3946
4270
  if (!(declaredLength != null && declaredLength > maxContentLength)) {
3947
- _context4.n = 9;
4271
+ _context4.n = 12;
3948
4272
  break;
3949
4273
  }
3950
4274
  throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request);
3951
- case 9:
4275
+ case 12:
3952
4276
  isStreamResponse = supportsResponseStream && (responseType === 'stream' || responseType === 'response');
3953
4277
  if (supportsResponseStream && response.body && (onDownloadProgress || hasMaxContentLength || isStreamResponse && unsubscribe)) {
3954
4278
  options = {};
3955
4279
  ['status', 'statusText', 'headers'].forEach(function (prop) {
3956
4280
  options[prop] = response[prop];
3957
4281
  });
3958
- responseContentLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
3959
- _ref5 = onDownloadProgress && progressEventDecorator(responseContentLength, progressEventReducer(asyncDecorator(onDownloadProgress), true)) || [], _ref6 = _slicedToArray(_ref5, 2), _onProgress = _ref6[0], _flush = _ref6[1];
4282
+ responseContentLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
4283
+ _ref7 = onDownloadProgress && progressEventDecorator(responseContentLength, progressEventReducer(asyncDecorator(onDownloadProgress), true)) || [], _ref8 = _slicedToArray(_ref7, 2), _onProgress = _ref8[0], _flush = _ref8[1];
3960
4284
  bytesRead = 0;
3961
4285
  onChunkProgress = function onChunkProgress(loadedBytes) {
3962
4286
  if (hasMaxContentLength) {
@@ -3973,12 +4297,12 @@
3973
4297
  }), options);
3974
4298
  }
3975
4299
  responseType = responseType || 'text';
3976
- _context4.n = 10;
4300
+ _context4.n = 13;
3977
4301
  return resolvers[utils$1.findKey(resolvers, responseType) || 'text'](response, config);
3978
- case 10:
4302
+ case 13:
3979
4303
  responseData = _context4.v;
3980
4304
  if (!(hasMaxContentLength && !supportsResponseStream && !isStreamResponse)) {
3981
- _context4.n = 11;
4305
+ _context4.n = 14;
3982
4306
  break;
3983
4307
  }
3984
4308
  if (responseData != null) {
@@ -3991,13 +4315,13 @@
3991
4315
  }
3992
4316
  }
3993
4317
  if (!(typeof materializedSize === 'number' && materializedSize > maxContentLength)) {
3994
- _context4.n = 11;
4318
+ _context4.n = 14;
3995
4319
  break;
3996
4320
  }
3997
4321
  throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request);
3998
- case 11:
4322
+ case 14:
3999
4323
  !isStreamResponse && unsubscribe && unsubscribe();
4000
- _context4.n = 12;
4324
+ _context4.n = 15;
4001
4325
  return new Promise(function (resolve, reject) {
4002
4326
  settle(resolve, reject, {
4003
4327
  data: responseData,
@@ -4008,39 +4332,70 @@
4008
4332
  request: request
4009
4333
  });
4010
4334
  });
4011
- case 12:
4335
+ case 15:
4012
4336
  return _context4.a(2, _context4.v);
4013
- case 13:
4014
- _context4.p = 13;
4015
- _t5 = _context4.v;
4337
+ case 16:
4338
+ _context4.p = 16;
4339
+ _t4 = _context4.v;
4016
4340
  unsubscribe && unsubscribe();
4017
4341
 
4018
4342
  // Safari can surface fetch aborts as a DOMException-like object whose
4019
4343
  // branded getters throw. Prefer our composed signal reason before reading
4020
4344
  // the caught error, preserving timeout vs cancellation semantics.
4021
4345
  if (!(composedSignal && composedSignal.aborted && composedSignal.reason instanceof AxiosError)) {
4022
- _context4.n = 14;
4346
+ _context4.n = 17;
4023
4347
  break;
4024
4348
  }
4025
4349
  canceledError = composedSignal.reason;
4026
4350
  canceledError.config = config;
4027
4351
  request && (canceledError.request = request);
4028
- _t5 !== canceledError && (canceledError.cause = _t5);
4352
+ if (_t4 !== canceledError) {
4353
+ // Non-enumerable to match native Error `cause` semantics so loggers
4354
+ // don't recurse into circular fetch internals (see #7205).
4355
+ Object.defineProperty(canceledError, 'cause', {
4356
+ __proto__: null,
4357
+ value: _t4,
4358
+ writable: true,
4359
+ enumerable: false,
4360
+ configurable: true
4361
+ });
4362
+ }
4029
4363
  throw canceledError;
4030
- case 14:
4031
- if (!(_t5 && _t5.name === 'TypeError' && /Load failed|fetch/i.test(_t5.message))) {
4032
- _context4.n = 15;
4364
+ case 17:
4365
+ if (!pendingBodyError) {
4366
+ _context4.n = 18;
4033
4367
  break;
4034
4368
  }
4035
- throw Object.assign(new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, _t5 && _t5.response), {
4036
- cause: _t5.cause || _t5
4369
+ request && !pendingBodyError.request && (pendingBodyError.request = request);
4370
+ throw pendingBodyError;
4371
+ case 18:
4372
+ if (!(_t4 instanceof AxiosError)) {
4373
+ _context4.n = 19;
4374
+ break;
4375
+ }
4376
+ request && !_t4.request && (_t4.request = request);
4377
+ throw _t4;
4378
+ case 19:
4379
+ if (!(_t4 && _t4.name === 'TypeError' && /Load failed|fetch/i.test(_t4.message))) {
4380
+ _context4.n = 20;
4381
+ break;
4382
+ }
4383
+ networkError = new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, _t4 && _t4.response); // Non-enumerable to match native Error `cause` semantics so loggers
4384
+ // don't recurse into circular fetch internals (see #7205).
4385
+ Object.defineProperty(networkError, 'cause', {
4386
+ __proto__: null,
4387
+ value: _t4.cause || _t4,
4388
+ writable: true,
4389
+ enumerable: false,
4390
+ configurable: true
4037
4391
  });
4038
- case 15:
4039
- throw AxiosError.from(_t5, _t5 && _t5.code, config, request, _t5 && _t5.response);
4040
- case 16:
4392
+ throw networkError;
4393
+ case 20:
4394
+ throw AxiosError.from(_t4, _t4 && _t4.code, config, request, _t4 && _t4.response);
4395
+ case 21:
4041
4396
  return _context4.a(2);
4042
4397
  }
4043
- }, _callee4, null, [[1, 13]]);
4398
+ }, _callee4, null, [[1, 16]]);
4044
4399
  }));
4045
4400
  return function (_x5) {
4046
4401
  return _ref4.apply(this, arguments);
@@ -4166,7 +4521,7 @@
4166
4521
  return "adapter ".concat(id, " ") + (state === false ? 'is not supported by the environment' : 'is not available in the build');
4167
4522
  });
4168
4523
  var s = length ? reasons.length > 1 ? 'since :\n' + reasons.map(renderReason).join('\n') : ' ' + renderReason(reasons[0]) : 'as no adapter specified';
4169
- throw new AxiosError("There is no suitable adapter to dispatch the request " + s, 'ERR_NOT_SUPPORT');
4524
+ throw new AxiosError("There is no suitable adapter to dispatch the request " + s, AxiosError.ERR_NOT_SUPPORT);
4170
4525
  }
4171
4526
  return adapter;
4172
4527
  }
@@ -4309,7 +4664,7 @@
4309
4664
  */
4310
4665
 
4311
4666
  function assertOptions(options, schema, allowUnknown) {
4312
- if (_typeof(options) !== 'object') {
4667
+ if (_typeof(options) !== 'object' || options === null) {
4313
4668
  throw new AxiosError('options must be an object', AxiosError.ERR_BAD_OPTION_VALUE);
4314
4669
  }
4315
4670
  var keys = Object.keys(options);
@@ -4440,7 +4795,9 @@
4440
4795
  silentJSONParsing: validators.transitional(validators["boolean"]),
4441
4796
  forcedJSONParsing: validators.transitional(validators["boolean"]),
4442
4797
  clarifyTimeoutError: validators.transitional(validators["boolean"]),
4443
- legacyInterceptorReqResOrdering: validators.transitional(validators["boolean"])
4798
+ legacyInterceptorReqResOrdering: validators.transitional(validators["boolean"]),
4799
+ advertiseZstdAcceptEncoding: validators.transitional(validators["boolean"]),
4800
+ validateStatusUndefinedResolves: validators.transitional(validators["boolean"])
4444
4801
  }, false);
4445
4802
  }
4446
4803
  if (paramsSerializer != null) {
@@ -4539,7 +4896,7 @@
4539
4896
  key: "getUri",
4540
4897
  value: function getUri(config) {
4541
4898
  config = mergeConfig(this.defaults, config);
4542
- var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
4899
+ var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls, config);
4543
4900
  return buildURL(fullPath, config.params, config.paramsSerializer);
4544
4901
  }
4545
4902
  }]);
@@ -4550,7 +4907,7 @@
4550
4907
  return this.request(mergeConfig(config || {}, {
4551
4908
  method: method,
4552
4909
  url: url,
4553
- data: (config || {}).data
4910
+ data: config && utils$1.hasOwnProp(config, 'data') ? config.data : undefined
4554
4911
  }));
4555
4912
  };
4556
4913
  });