reflex-search 1.5.1 → 1.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (58) hide show
  1. package/node_modules/.package-lock.json +15 -15
  2. package/node_modules/axios/CHANGELOG.md +126 -1
  3. package/node_modules/axios/README.md +390 -257
  4. package/node_modules/axios/dist/axios.js +511 -154
  5. package/node_modules/axios/dist/axios.min.js +3 -3
  6. package/node_modules/axios/dist/axios.min.js.map +1 -1
  7. package/node_modules/axios/dist/browser/axios.cjs +537 -124
  8. package/node_modules/axios/dist/esm/axios.js +537 -124
  9. package/node_modules/axios/dist/esm/axios.min.js +2 -2
  10. package/node_modules/axios/dist/esm/axios.min.js.map +1 -1
  11. package/node_modules/axios/dist/node/axios.cjs +753 -226
  12. package/node_modules/axios/index.d.cts +27 -4
  13. package/node_modules/axios/index.d.ts +23 -2
  14. package/node_modules/axios/lib/adapters/adapters.js +1 -1
  15. package/node_modules/axios/lib/adapters/fetch.js +217 -47
  16. package/node_modules/axios/lib/adapters/http.js +274 -169
  17. package/node_modules/axios/lib/adapters/xhr.js +1 -0
  18. package/node_modules/axios/lib/core/Axios.js +4 -2
  19. package/node_modules/axios/lib/core/AxiosError.js +13 -1
  20. package/node_modules/axios/lib/core/AxiosHeaders.js +12 -9
  21. package/node_modules/axios/lib/core/buildFullPath.js +29 -1
  22. package/node_modules/axios/lib/core/mergeConfig.js +35 -0
  23. package/node_modules/axios/lib/defaults/transitional.js +2 -0
  24. package/node_modules/axios/lib/env/data.js +1 -1
  25. package/node_modules/axios/lib/helpers/AxiosURLSearchParams.js +1 -3
  26. package/node_modules/axios/lib/helpers/Http2Sessions.js +119 -0
  27. package/node_modules/axios/lib/helpers/buildURL.js +7 -4
  28. package/node_modules/axios/lib/helpers/composeSignals.js +1 -1
  29. package/node_modules/axios/lib/helpers/cookies.js +5 -1
  30. package/node_modules/axios/lib/helpers/estimateDataURLDecodedBytes.js +16 -11
  31. package/node_modules/axios/lib/helpers/formDataToJSON.js +25 -3
  32. package/node_modules/axios/lib/helpers/formDataToStream.js +2 -2
  33. package/node_modules/axios/lib/helpers/fromDataURI.js +4 -2
  34. package/node_modules/axios/lib/helpers/resolveConfig.js +26 -13
  35. package/node_modules/axios/lib/helpers/shouldBypassProxy.js +33 -1
  36. package/node_modules/axios/lib/helpers/toFormData.js +48 -12
  37. package/node_modules/axios/lib/helpers/validator.js +1 -1
  38. package/node_modules/axios/lib/utils.js +97 -12
  39. package/node_modules/axios/package.json +29 -13
  40. package/node_modules/brace-expansion/dist/commonjs/index.js +24 -14
  41. package/node_modules/brace-expansion/dist/commonjs/index.js.map +1 -1
  42. package/node_modules/brace-expansion/dist/esm/index.js +24 -14
  43. package/node_modules/brace-expansion/dist/esm/index.js.map +1 -1
  44. package/node_modules/brace-expansion/package.json +2 -2
  45. package/node_modules/form-data/CHANGELOG.md +29 -2
  46. package/node_modules/form-data/README.md +4 -4
  47. package/node_modules/form-data/lib/form_data.js +14 -2
  48. package/node_modules/form-data/package.json +7 -7
  49. package/node_modules/hasown/CHANGELOG.md +18 -0
  50. package/node_modules/hasown/eslint.config.mjs +6 -0
  51. package/node_modules/hasown/package.json +13 -14
  52. package/npm-shrinkwrap.json +16 -16
  53. package/package.json +2 -2
  54. package/node_modules/axios/dist/axios.js.map +0 -1
  55. package/node_modules/axios/dist/browser/axios.cjs.map +0 -1
  56. package/node_modules/axios/dist/esm/axios.js.map +0 -1
  57. package/node_modules/axios/dist/node/axios.cjs.map +0 -1
  58. package/node_modules/hasown/.eslintrc +0 -5
@@ -1,4 +1,4 @@
1
- /*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */
1
+ /*! Axios v1.18.1 Copyright (c) 2026 Matt Zabriskie and contributors */
2
2
  /**
3
3
  * Create a bound version of a function with a specified `this` context
4
4
  *
@@ -18,6 +18,57 @@ const { toString } = Object.prototype;
18
18
  const { getPrototypeOf } = Object;
19
19
  const { iterator, toStringTag } = Symbol;
20
20
 
21
+ /* Creating a function that will check if an object has a property. */
22
+ const hasOwnProperty = (
23
+ ({ hasOwnProperty }) =>
24
+ (obj, prop) =>
25
+ hasOwnProperty.call(obj, prop)
26
+ )(Object.prototype);
27
+
28
+ /**
29
+ * Walk the prototype chain (excluding the shared Object.prototype) looking for
30
+ * an own `prop`. This distinguishes genuine own/inherited members — including
31
+ * class accessors and template prototypes — from members injected via
32
+ * Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
33
+ * live on Object.prototype itself and are therefore never matched.
34
+ *
35
+ * @param {*} thing The value whose chain to inspect
36
+ * @param {string|symbol} prop The property key to look for
37
+ *
38
+ * @returns {boolean} True when `prop` is owned below Object.prototype
39
+ */
40
+ const hasOwnInPrototypeChain = (thing, prop) => {
41
+ let obj = thing;
42
+ const seen = [];
43
+
44
+ while (obj != null && obj !== Object.prototype) {
45
+ if (seen.indexOf(obj) !== -1) {
46
+ return false;
47
+ }
48
+ seen.push(obj);
49
+
50
+ if (hasOwnProperty(obj, prop)) {
51
+ return true;
52
+ }
53
+ obj = getPrototypeOf(obj);
54
+ }
55
+ return false;
56
+ };
57
+
58
+ /**
59
+ * Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
60
+ * properties and members inherited from a non-Object.prototype source (a class
61
+ * instance or template object) are honored; a value reachable only through a
62
+ * polluted Object.prototype is ignored and `undefined` is returned.
63
+ *
64
+ * @param {*} obj The source object
65
+ * @param {string|symbol} prop The property key to read
66
+ *
67
+ * @returns {*} The resolved value, or undefined when unsafe/absent
68
+ */
69
+ const getSafeProp = (obj, prop) =>
70
+ obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
71
+
21
72
  const kindOf = ((cache) => (thing) => {
22
73
  const str = toString.call(thing);
23
74
  return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase());
@@ -143,7 +194,7 @@ const isBoolean = (thing) => thing === true || thing === false;
143
194
  * @returns {boolean} True if value is a plain Object, otherwise false
144
195
  */
145
196
  const isPlainObject = (val) => {
146
- if (kindOf(val) !== 'object') {
197
+ if (!isObject(val)) {
147
198
  return false;
148
199
  }
149
200
 
@@ -151,9 +202,12 @@ const isPlainObject = (val) => {
151
202
  return (
152
203
  (prototype === null ||
153
204
  prototype === Object.prototype ||
154
- Object.getPrototypeOf(prototype) === null) &&
155
- !(toStringTag in val) &&
156
- !(iterator in val)
205
+ getPrototypeOf(prototype) === null) &&
206
+ // Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
207
+ // Symbol.iterator as evidence the value is a tagged/iterable type rather
208
+ // than a plain object, while ignoring keys injected onto Object.prototype.
209
+ !hasOwnInPrototypeChain(val, toStringTag) &&
210
+ !hasOwnInPrototypeChain(val, iterator)
157
211
  );
158
212
  };
159
213
 
@@ -422,7 +476,9 @@ function merge(...objs) {
422
476
  return;
423
477
  }
424
478
 
425
- const targetKey = (caseless && findKey(result, key)) || key;
479
+ // findKey lowercases the key, so caseless lookup only applies to strings —
480
+ // symbol keys are identity-matched.
481
+ const targetKey = (caseless && typeof key === 'string' && findKey(result, key)) || key;
426
482
  // Read via own-prop only — a bare `result[targetKey]` walks the prototype
427
483
  // chain, so a polluted Object.prototype value could surface here and get
428
484
  // copied into the merged result.
@@ -439,7 +495,24 @@ function merge(...objs) {
439
495
  };
440
496
 
441
497
  for (let i = 0, l = objs.length; i < l; i++) {
442
- objs[i] && forEach(objs[i], assignValue);
498
+ const source = objs[i];
499
+ if (!source || isBuffer(source)) {
500
+ continue;
501
+ }
502
+
503
+ forEach(source, assignValue);
504
+
505
+ if (typeof source !== 'object' || isArray(source)) {
506
+ continue;
507
+ }
508
+
509
+ const symbols = Object.getOwnPropertySymbols(source);
510
+ for (let j = 0; j < symbols.length; j++) {
511
+ const symbol = symbols[j];
512
+ if (propertyIsEnumerable.call(source, symbol)) {
513
+ assignValue(source[symbol], symbol);
514
+ }
515
+ }
443
516
  }
444
517
  return result;
445
518
  }
@@ -661,12 +734,7 @@ const toCamelCase = (str) => {
661
734
  });
662
735
  };
663
736
 
664
- /* Creating a function that will check if an object has a property. */
665
- const hasOwnProperty = (
666
- ({ hasOwnProperty }) =>
667
- (obj, prop) =>
668
- hasOwnProperty.call(obj, prop)
669
- )(Object.prototype);
737
+ const { propertyIsEnumerable } = Object.prototype;
670
738
 
671
739
  /**
672
740
  * Determine if a value is a RegExp object
@@ -879,6 +947,20 @@ const asap =
879
947
 
880
948
  const isIterable = (thing) => thing != null && isFunction$1(thing[iterator]);
881
949
 
950
+ /**
951
+ * Determine if a value is iterable via an iterator that is NOT sourced solely
952
+ * from a polluted Object.prototype. Use this instead of `isIterable` whenever
953
+ * the iterable comes from untrusted input (e.g. user-supplied header sources),
954
+ * so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
955
+ * into an attacker-controlled entries iterator.
956
+ *
957
+ * @param {*} thing The value to test
958
+ *
959
+ * @returns {boolean} True if value has a non-polluted iterator
960
+ */
961
+ const isSafeIterable = (thing) =>
962
+ thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
963
+
882
964
  var utils$1 = {
883
965
  isArray,
884
966
  isArrayBuffer,
@@ -923,6 +1005,8 @@ var utils$1 = {
923
1005
  isHTMLForm,
924
1006
  hasOwnProperty,
925
1007
  hasOwnProp: hasOwnProperty, // an alias to avoid ESLint no-prototype-builtins detection
1008
+ hasOwnInPrototypeChain,
1009
+ getSafeProp,
926
1010
  reduceDescriptors,
927
1011
  freezeMethods,
928
1012
  toObjectSet,
@@ -939,6 +1023,7 @@ var utils$1 = {
939
1023
  setImmediate: _setImmediate,
940
1024
  asap,
941
1025
  isIterable,
1026
+ isSafeIterable,
942
1027
  };
943
1028
 
944
1029
  // RawAxiosHeaders whose duplicates are ignored by node
@@ -1149,7 +1234,7 @@ let AxiosHeaders$1 = class AxiosHeaders {
1149
1234
  const lHeader = normalizeHeader(_header);
1150
1235
 
1151
1236
  if (!lHeader) {
1152
- throw new Error('header name must be a non-empty string');
1237
+ return;
1153
1238
  }
1154
1239
 
1155
1240
  const key = utils$1.findKey(self, lHeader);
@@ -1171,20 +1256,23 @@ let AxiosHeaders$1 = class AxiosHeaders {
1171
1256
  setHeaders(header, valueOrRewrite);
1172
1257
  } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) {
1173
1258
  setHeaders(parseHeaders(header), valueOrRewrite);
1174
- } else if (utils$1.isObject(header) && utils$1.isIterable(header)) {
1175
- let obj = {},
1259
+ } else if (utils$1.isObject(header) && utils$1.isSafeIterable(header)) {
1260
+ let obj = Object.create(null),
1176
1261
  dest,
1177
1262
  key;
1178
1263
  for (const entry of header) {
1179
1264
  if (!utils$1.isArray(entry)) {
1180
- throw TypeError('Object iterator must return a key-value pair');
1265
+ throw new TypeError('Object iterator must return a key-value pair');
1181
1266
  }
1182
1267
 
1183
- obj[(key = entry[0])] = (dest = obj[key])
1184
- ? utils$1.isArray(dest)
1185
- ? [...dest, entry[1]]
1186
- : [dest, entry[1]]
1187
- : entry[1];
1268
+ key = entry[0];
1269
+
1270
+ if (utils$1.hasOwnProp(obj, key)) {
1271
+ dest = obj[key];
1272
+ obj[key] = utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]];
1273
+ } else {
1274
+ obj[key] = entry[1];
1275
+ }
1188
1276
  }
1189
1277
 
1190
1278
  setHeaders(obj, valueOrRewrite);
@@ -1477,7 +1565,19 @@ function redactConfig(config, redactKeys) {
1477
1565
  let AxiosError$1 = class AxiosError extends Error {
1478
1566
  static from(error, code, config, request, response, customProps) {
1479
1567
  const axiosError = new AxiosError(error.message, code || error.code, config, request, response);
1480
- axiosError.cause = error;
1568
+ // Match native `Error` `cause` semantics: non-enumerable. The wrapped
1569
+ // error often carries circular internals (sockets, requests, agents), so
1570
+ // an enumerable `cause` makes structured loggers (pino/winston) and any
1571
+ // own-property walk throw "Converting circular structure to JSON".
1572
+ // Regression from #6982; see #7205. `__proto__: null` mirrors the
1573
+ // `message` descriptor below (prototype-pollution-safe descriptor).
1574
+ Object.defineProperty(axiosError, 'cause', {
1575
+ __proto__: null,
1576
+ value: error,
1577
+ writable: true,
1578
+ enumerable: false,
1579
+ configurable: true,
1580
+ });
1481
1581
  axiosError.name = error.name;
1482
1582
 
1483
1583
  // Preserve status from the original error if not already set from response
@@ -1578,6 +1678,10 @@ AxiosError$1.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED';
1578
1678
  // eslint-disable-next-line strict
1579
1679
  var httpAdapter = null;
1580
1680
 
1681
+ // Default nesting limit shared with the inverse transform (formDataToJSON) so
1682
+ // the FormData <-> JSON round-trip stays symmetric.
1683
+ const DEFAULT_FORM_DATA_MAX_DEPTH = 100;
1684
+
1581
1685
  /**
1582
1686
  * Determines if the given thing is a array or js object.
1583
1687
  *
@@ -1688,8 +1792,9 @@ function toFormData$1(obj, formData, options) {
1688
1792
  const dots = options.dots;
1689
1793
  const indexes = options.indexes;
1690
1794
  const _Blob = options.Blob || (typeof Blob !== 'undefined' && Blob);
1691
- const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
1795
+ const maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
1692
1796
  const useBlob = _Blob && utils$1.isSpecCompliantForm(formData);
1797
+ const stack = [];
1693
1798
 
1694
1799
  if (!utils$1.isFunction(visitor)) {
1695
1800
  throw new TypeError('visitor must be a function');
@@ -1711,12 +1816,50 @@ function toFormData$1(obj, formData, options) {
1711
1816
  }
1712
1817
 
1713
1818
  if (utils$1.isArrayBuffer(value) || utils$1.isTypedArray(value)) {
1714
- return useBlob && typeof Blob === 'function' ? new Blob([value]) : Buffer.from(value);
1819
+ if (useBlob && typeof _Blob === 'function') {
1820
+ return new _Blob([value]);
1821
+ }
1822
+ if (typeof Buffer !== 'undefined') {
1823
+ return Buffer.from(value);
1824
+ }
1825
+ throw new AxiosError$1('Blob is not supported. Use a Buffer instead.', AxiosError$1.ERR_NOT_SUPPORT);
1715
1826
  }
1716
1827
 
1717
1828
  return value;
1718
1829
  }
1719
1830
 
1831
+ function throwIfMaxDepthExceeded(depth) {
1832
+ if (depth > maxDepth) {
1833
+ throw new AxiosError$1(
1834
+ 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
1835
+ AxiosError$1.ERR_FORM_DATA_DEPTH_EXCEEDED
1836
+ );
1837
+ }
1838
+ }
1839
+
1840
+ function stringifyWithDepthLimit(value, depth) {
1841
+ if (maxDepth === Infinity) {
1842
+ return JSON.stringify(value);
1843
+ }
1844
+
1845
+ const ancestors = [];
1846
+
1847
+ return JSON.stringify(value, function limitDepth(_key, currentValue) {
1848
+ if (!utils$1.isObject(currentValue)) {
1849
+ return currentValue;
1850
+ }
1851
+
1852
+ while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
1853
+ ancestors.pop();
1854
+ }
1855
+
1856
+ ancestors.push(currentValue);
1857
+ throwIfMaxDepthExceeded(depth + ancestors.length - 1);
1858
+
1859
+ return currentValue;
1860
+ });
1861
+ }
1862
+
1720
1863
  /**
1721
1864
  * Default visitor.
1722
1865
  *
@@ -1740,7 +1883,7 @@ function toFormData$1(obj, formData, options) {
1740
1883
  // eslint-disable-next-line no-param-reassign
1741
1884
  key = metaTokens ? key : key.slice(0, -2);
1742
1885
  // eslint-disable-next-line no-param-reassign
1743
- value = JSON.stringify(value);
1886
+ value = stringifyWithDepthLimit(value, 1);
1744
1887
  } else if (
1745
1888
  (utils$1.isArray(value) && isFlatArray(value)) ||
1746
1889
  ((utils$1.isFileList(value) || utils$1.endsWith(key, '[]')) && (arr = utils$1.toArray(value)))
@@ -1773,8 +1916,6 @@ function toFormData$1(obj, formData, options) {
1773
1916
  return false;
1774
1917
  }
1775
1918
 
1776
- const stack = [];
1777
-
1778
1919
  const exposedHelpers = Object.assign(predicates, {
1779
1920
  defaultVisitor,
1780
1921
  convertValue,
@@ -1784,15 +1925,10 @@ function toFormData$1(obj, formData, options) {
1784
1925
  function build(value, path, depth = 0) {
1785
1926
  if (utils$1.isUndefined(value)) return;
1786
1927
 
1787
- if (depth > maxDepth) {
1788
- throw new AxiosError$1(
1789
- 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
1790
- AxiosError$1.ERR_FORM_DATA_DEPTH_EXCEEDED
1791
- );
1792
- }
1928
+ throwIfMaxDepthExceeded(depth);
1793
1929
 
1794
1930
  if (stack.indexOf(value) !== -1) {
1795
- throw Error('Circular reference detected in ' + path.join('.'));
1931
+ throw new Error('Circular reference detected in ' + path.join('.'));
1796
1932
  }
1797
1933
 
1798
1934
  stack.push(value);
@@ -1863,9 +1999,7 @@ prototype.append = function append(name, value) {
1863
1999
 
1864
2000
  prototype.toString = function toString(encoder) {
1865
2001
  const _encode = encoder
1866
- ? function (value) {
1867
- return encoder.call(this, value, encode$1);
1868
- }
2002
+ ? (value) => encoder.call(this, value, encode$1)
1869
2003
  : encode$1;
1870
2004
 
1871
2005
  return this._pairs
@@ -1904,8 +2038,7 @@ function buildURL(url, params, options) {
1904
2038
  if (!params) {
1905
2039
  return url;
1906
2040
  }
1907
-
1908
- const _encode = (options && options.encode) || encode;
2041
+ url = url || '';
1909
2042
 
1910
2043
  const _options = utils$1.isFunction(options)
1911
2044
  ? {
@@ -1913,7 +2046,11 @@ function buildURL(url, params, options) {
1913
2046
  }
1914
2047
  : options;
1915
2048
 
1916
- const serializeFn = _options && _options.serialize;
2049
+ // Read serializer options pollution-safely: own properties and methods on a
2050
+ // class/template prototype are honored, but values injected onto a polluted
2051
+ // Object.prototype are ignored.
2052
+ const _encode = utils$1.getSafeProp(_options, 'encode') || encode;
2053
+ const serializeFn = utils$1.getSafeProp(_options, 'serialize');
1917
2054
 
1918
2055
  let serializedParams;
1919
2056
 
@@ -2009,6 +2146,8 @@ var transitionalDefaults = {
2009
2146
  forcedJSONParsing: true,
2010
2147
  clarifyTimeoutError: false,
2011
2148
  legacyInterceptorReqResOrdering: true,
2149
+ advertiseZstdAcceptEncoding: false,
2150
+ validateStatusUndefinedResolves: true,
2012
2151
  };
2013
2152
 
2014
2153
  var URLSearchParams$1 = typeof URLSearchParams !== 'undefined' ? URLSearchParams : AxiosURLSearchParams;
@@ -2100,6 +2239,17 @@ function toURLEncodedForm(data, options) {
2100
2239
  });
2101
2240
  }
2102
2241
 
2242
+ const MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
2243
+
2244
+ function throwIfDepthExceeded(index) {
2245
+ if (index > MAX_DEPTH) {
2246
+ throw new AxiosError$1(
2247
+ 'FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH,
2248
+ AxiosError$1.ERR_FORM_DATA_DEPTH_EXCEEDED
2249
+ );
2250
+ }
2251
+ }
2252
+
2103
2253
  /**
2104
2254
  * It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
2105
2255
  *
@@ -2112,9 +2262,16 @@ function parsePropPath(name) {
2112
2262
  // foo.x.y.z
2113
2263
  // foo-x-y-z
2114
2264
  // foo x y z
2115
- return utils$1.matchAll(/\w+|\[(\w*)]/g, name).map((match) => {
2116
- return match[0] === '[]' ? '' : match[1] || match[0];
2117
- });
2265
+ const path = [];
2266
+ const pattern = /\w+|\[(\w*)]/g;
2267
+ let match;
2268
+
2269
+ while ((match = pattern.exec(name)) !== null) {
2270
+ throwIfDepthExceeded(path.length);
2271
+ path.push(match[0] === '[]' ? '' : match[1] || match[0]);
2272
+ }
2273
+
2274
+ return path;
2118
2275
  }
2119
2276
 
2120
2277
  /**
@@ -2146,6 +2303,8 @@ function arrayToObject(arr) {
2146
2303
  */
2147
2304
  function formDataToJSON(formData) {
2148
2305
  function buildPath(path, value, target, index) {
2306
+ throwIfDepthExceeded(index);
2307
+
2149
2308
  let name = path[index++];
2150
2309
 
2151
2310
  if (name === '__proto__') return true;
@@ -2631,7 +2790,11 @@ var cookies = platform.hasStandardBrowserEnv
2631
2790
  const cookie = cookies[i].replace(/^\s+/, '');
2632
2791
  const eq = cookie.indexOf('=');
2633
2792
  if (eq !== -1 && cookie.slice(0, eq) === name) {
2634
- return decodeURIComponent(cookie.slice(eq + 1));
2793
+ try {
2794
+ return decodeURIComponent(cookie.slice(eq + 1));
2795
+ } catch (e) {
2796
+ return cookie.slice(eq + 1);
2797
+ }
2635
2798
  }
2636
2799
  }
2637
2800
  return null;
@@ -2682,6 +2845,31 @@ function combineURLs(baseURL, relativeURL) {
2682
2845
  : baseURL;
2683
2846
  }
2684
2847
 
2848
+ const malformedHttpProtocol = /^https?:(?!\/\/)/i;
2849
+ const httpProtocolControlCharacters = /[\t\n\r]/g;
2850
+
2851
+ function stripLeadingC0ControlOrSpace(url) {
2852
+ let i = 0;
2853
+ while (i < url.length && url.charCodeAt(i) <= 0x20) {
2854
+ i++;
2855
+ }
2856
+ return url.slice(i);
2857
+ }
2858
+
2859
+ function normalizeURLForProtocolCheck(url) {
2860
+ return stripLeadingC0ControlOrSpace(url).replace(httpProtocolControlCharacters, '');
2861
+ }
2862
+
2863
+ function assertValidHttpProtocolURL(url, config) {
2864
+ if (typeof url === 'string' && malformedHttpProtocol.test(normalizeURLForProtocolCheck(url))) {
2865
+ throw new AxiosError$1(
2866
+ 'Invalid URL: missing "//" after protocol',
2867
+ AxiosError$1.ERR_INVALID_URL,
2868
+ config
2869
+ );
2870
+ }
2871
+ }
2872
+
2685
2873
  /**
2686
2874
  * Creates a new URL by combining the baseURL with the requestedURL,
2687
2875
  * only when the requestedURL is not already an absolute URL.
@@ -2692,9 +2880,11 @@ function combineURLs(baseURL, relativeURL) {
2692
2880
  *
2693
2881
  * @returns {string} The combined full path
2694
2882
  */
2695
- function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
2883
+ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls, config) {
2884
+ assertValidHttpProtocolURL(requestedURL, config);
2696
2885
  let isRelativeUrl = !isAbsoluteURL(requestedURL);
2697
2886
  if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) {
2887
+ assertValidHttpProtocolURL(baseURL, config);
2698
2888
  return combineURLs(baseURL, requestedURL);
2699
2889
  }
2700
2890
  return requestedURL;
@@ -2713,6 +2903,7 @@ const headersToObject = (thing) => (thing instanceof AxiosHeaders$1 ? { ...thing
2713
2903
  */
2714
2904
  function mergeConfig$1(config1, config2) {
2715
2905
  // eslint-disable-next-line no-param-reassign
2906
+ config1 = config1 || {};
2716
2907
  config2 = config2 || {};
2717
2908
 
2718
2909
  // Use a null-prototype object so that downstream reads such as `config.auth`
@@ -2765,6 +2956,28 @@ function mergeConfig$1(config1, config2) {
2765
2956
  }
2766
2957
  }
2767
2958
 
2959
+ function getMergedTransitionalOption(prop) {
2960
+ const transitional2 = utils$1.hasOwnProp(config2, 'transitional') ? config2.transitional : undefined;
2961
+
2962
+ if (!utils$1.isUndefined(transitional2)) {
2963
+ if (utils$1.isPlainObject(transitional2)) {
2964
+ if (utils$1.hasOwnProp(transitional2, prop)) {
2965
+ return transitional2[prop];
2966
+ }
2967
+ } else {
2968
+ return undefined;
2969
+ }
2970
+ }
2971
+
2972
+ const transitional1 = utils$1.hasOwnProp(config1, 'transitional') ? config1.transitional : undefined;
2973
+
2974
+ if (utils$1.isPlainObject(transitional1) && utils$1.hasOwnProp(transitional1, prop)) {
2975
+ return transitional1[prop];
2976
+ }
2977
+
2978
+ return undefined;
2979
+ }
2980
+
2768
2981
  // eslint-disable-next-line consistent-return
2769
2982
  function mergeDirectKeys(a, b, prop) {
2770
2983
  if (utils$1.hasOwnProp(config2, prop)) {
@@ -2817,6 +3030,18 @@ function mergeConfig$1(config1, config2) {
2817
3030
  (utils$1.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
2818
3031
  });
2819
3032
 
3033
+ if (
3034
+ utils$1.hasOwnProp(config2, 'validateStatus') &&
3035
+ utils$1.isUndefined(config2.validateStatus) &&
3036
+ getMergedTransitionalOption('validateStatusUndefinedResolves') === false
3037
+ ) {
3038
+ if (utils$1.hasOwnProp(config1, 'validateStatus')) {
3039
+ config.validateStatus = getMergedValue(undefined, config1.validateStatus);
3040
+ } else {
3041
+ delete config.validateStatus;
3042
+ }
3043
+ }
3044
+
2820
3045
  return config;
2821
3046
  }
2822
3047
 
@@ -2828,7 +3053,7 @@ function setFormDataHeaders(headers, formHeaders, policy) {
2828
3053
  return;
2829
3054
  }
2830
3055
 
2831
- Object.entries(formHeaders).forEach(([key, val]) => {
3056
+ Object.entries(formHeaders || {}).forEach(([key, val]) => {
2832
3057
  if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) {
2833
3058
  headers.set(key, val);
2834
3059
  }
@@ -2843,12 +3068,12 @@ function setFormDataHeaders(headers, formHeaders, policy) {
2843
3068
  *
2844
3069
  * @returns {string} UTF-8 bytes as a Latin-1 string
2845
3070
  */
2846
- const encodeUTF8 = (str) =>
3071
+ const encodeUTF8$1 = (str) =>
2847
3072
  encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) =>
2848
3073
  String.fromCharCode(parseInt(hex, 16))
2849
3074
  );
2850
3075
 
2851
- var resolveConfig = (config) => {
3076
+ function resolveConfig(config) {
2852
3077
  const newConfig = mergeConfig$1({}, config);
2853
3078
 
2854
3079
  // Read only own properties to prevent prototype pollution gadgets
@@ -2868,23 +3093,33 @@ var resolveConfig = (config) => {
2868
3093
  newConfig.headers = headers = AxiosHeaders$1.from(headers);
2869
3094
 
2870
3095
  newConfig.url = buildURL(
2871
- buildFullPath(baseURL, url, allowAbsoluteUrls),
2872
- config.params,
2873
- config.paramsSerializer
3096
+ buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig),
3097
+ own('params'),
3098
+ own('paramsSerializer')
2874
3099
  );
2875
3100
 
2876
3101
  // HTTP basic authentication
2877
3102
  if (auth) {
2878
- headers.set(
2879
- 'Authorization',
2880
- 'Basic ' +
2881
- btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : ''))
2882
- );
3103
+ const username = utils$1.getSafeProp(auth, 'username') || '';
3104
+ const password = utils$1.getSafeProp(auth, 'password') || '';
3105
+
3106
+ try {
3107
+ headers.set(
3108
+ 'Authorization',
3109
+ 'Basic ' + btoa(username + ':' + (password ? encodeUTF8$1(password) : ''))
3110
+ );
3111
+ } catch (e) {
3112
+ throw AxiosError$1.from(e, AxiosError$1.ERR_BAD_OPTION_VALUE, config);
3113
+ }
2883
3114
  }
2884
3115
 
2885
3116
  if (utils$1.isFormData(data)) {
2886
- if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) {
2887
- headers.setContentType(undefined); // browser handles it
3117
+ if (
3118
+ platform.hasStandardBrowserEnv ||
3119
+ platform.hasStandardBrowserWebWorkerEnv ||
3120
+ utils$1.isReactNative(data)
3121
+ ) {
3122
+ headers.setContentType(undefined); // browser/web worker/RN handles it
2888
3123
  } else if (utils$1.isFunction(data.getHeaders)) {
2889
3124
  // Node.js FormData (like form-data package)
2890
3125
  setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy'));
@@ -2916,7 +3151,7 @@ var resolveConfig = (config) => {
2916
3151
  }
2917
3152
 
2918
3153
  return newConfig;
2919
- };
3154
+ }
2920
3155
 
2921
3156
  const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined';
2922
3157
 
@@ -3126,6 +3361,7 @@ var xhrAdapter = isXHRAdapterSupported &&
3126
3361
  config
3127
3362
  )
3128
3363
  );
3364
+ done();
3129
3365
  return;
3130
3366
  }
3131
3367
 
@@ -3177,7 +3413,7 @@ const composeSignals = (signals, timeout) => {
3177
3413
  signals = null;
3178
3414
  };
3179
3415
 
3180
- signals.forEach((signal) => signal.addEventListener('abort', onabort));
3416
+ signals.forEach((signal) => signal.addEventListener('abort', onabort, { once: true }));
3181
3417
 
3182
3418
  const { signal } = controller;
3183
3419
 
@@ -3280,11 +3516,19 @@ const trackStream = (stream, chunkSize, onProgress, onFinish) => {
3280
3516
  * Estimate decoded byte length of a data:// URL *without* allocating large buffers.
3281
3517
  * - For base64: compute exact decoded size using length and padding;
3282
3518
  * handle %XX at the character-count level (no string allocation).
3283
- * - For non-base64: use UTF-8 byteLength of the encoded body as a safe upper bound.
3519
+ * - For non-base64: compute the exact percent-decoded UTF-8 byte length.
3284
3520
  *
3285
3521
  * @param {string} url
3286
3522
  * @returns {number}
3287
3523
  */
3524
+ const isHexDigit = (charCode) =>
3525
+ (charCode >= 48 && charCode <= 57) ||
3526
+ (charCode >= 65 && charCode <= 70) ||
3527
+ (charCode >= 97 && charCode <= 102);
3528
+
3529
+ const isPercentEncodedByte = (str, i, len) =>
3530
+ i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
3531
+
3288
3532
  function estimateDataURLDecodedBytes(url) {
3289
3533
  if (!url || typeof url !== 'string') return 0;
3290
3534
  if (!url.startsWith('data:')) return 0;
@@ -3304,9 +3548,7 @@ function estimateDataURLDecodedBytes(url) {
3304
3548
  if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
3305
3549
  const a = body.charCodeAt(i + 1);
3306
3550
  const b = body.charCodeAt(i + 2);
3307
- const isHex =
3308
- ((a >= 48 && a <= 57) || (a >= 65 && a <= 70) || (a >= 97 && a <= 102)) &&
3309
- ((b >= 48 && b <= 57) || (b >= 65 && b <= 70) || (b >= 97 && b <= 102));
3551
+ const isHex = isHexDigit(a) && isHexDigit(b);
3310
3552
 
3311
3553
  if (isHex) {
3312
3554
  effectiveLen -= 2;
@@ -3347,18 +3589,17 @@ function estimateDataURLDecodedBytes(url) {
3347
3589
  return bytes > 0 ? bytes : 0;
3348
3590
  }
3349
3591
 
3350
- if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
3351
- return Buffer.byteLength(body, 'utf8');
3352
- }
3353
-
3354
3592
  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
3355
3593
  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
3356
- // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
3357
- // but 3 UTF-8 bytes).
3594
+ // Valid %XX triplets count as one decoded byte; this matches the bytes that
3595
+ // decodeURIComponent(body) would produce before Buffer re-encodes the string.
3358
3596
  let bytes = 0;
3359
3597
  for (let i = 0, len = body.length; i < len; i++) {
3360
3598
  const c = body.charCodeAt(i);
3361
- if (c < 0x80) {
3599
+ if (c === 37 /* '%' */ && isPercentEncodedByte(body, i, len)) {
3600
+ bytes += 1;
3601
+ i += 2;
3602
+ } else if (c < 0x80) {
3362
3603
  bytes += 1;
3363
3604
  } else if (c < 0x800) {
3364
3605
  bytes += 2;
@@ -3377,12 +3618,41 @@ function estimateDataURLDecodedBytes(url) {
3377
3618
  return bytes;
3378
3619
  }
3379
3620
 
3380
- const VERSION$1 = "1.16.1";
3621
+ const VERSION$1 = "1.18.1";
3381
3622
 
3382
3623
  const DEFAULT_CHUNK_SIZE = 64 * 1024;
3383
3624
 
3384
3625
  const { isFunction } = utils$1;
3385
3626
 
3627
+ /**
3628
+ * Encode a UTF-8 string to a Latin-1 byte string for use with btoa().
3629
+ * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern.
3630
+ *
3631
+ * @param {string} str The string to encode
3632
+ *
3633
+ * @returns {string} UTF-8 bytes as a Latin-1 string
3634
+ */
3635
+ const encodeUTF8 = (str) =>
3636
+ encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) =>
3637
+ String.fromCharCode(parseInt(hex, 16))
3638
+ );
3639
+
3640
+ // Node's WHATWG URL parser returns `username` and `password` percent-encoded.
3641
+ // Decode before composing the `auth` option so credentials such as
3642
+ // `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the
3643
+ // original value for malformed input so a bad encoding never throws.
3644
+ const decodeURIComponentSafe = (value) => {
3645
+ if (!utils$1.isString(value)) {
3646
+ return value;
3647
+ }
3648
+
3649
+ try {
3650
+ return decodeURIComponent(value);
3651
+ } catch (error) {
3652
+ return value;
3653
+ }
3654
+ };
3655
+
3386
3656
  const test = (fn, ...args) => {
3387
3657
  try {
3388
3658
  return !!fn(...args);
@@ -3391,6 +3661,15 @@ const test = (fn, ...args) => {
3391
3661
  }
3392
3662
  };
3393
3663
 
3664
+ const maybeWithAuthCredentials = (url) => {
3665
+ const protocolIndex = url.indexOf('://');
3666
+ let urlToCheck = url;
3667
+ if (protocolIndex !== -1) {
3668
+ urlToCheck = urlToCheck.slice(protocolIndex + 3);
3669
+ }
3670
+ return urlToCheck.includes('@') || urlToCheck.includes(':');
3671
+ };
3672
+
3394
3673
  const factory = (env) => {
3395
3674
  const globalObject =
3396
3675
  utils$1.global !== undefined && utils$1.global !== null
@@ -3538,6 +3817,7 @@ const factory = (env) => {
3538
3817
 
3539
3818
  const hasMaxContentLength = utils$1.isNumber(maxContentLength) && maxContentLength > -1;
3540
3819
  const hasMaxBodyLength = utils$1.isNumber(maxBodyLength) && maxBodyLength > -1;
3820
+ const own = (key) => (utils$1.hasOwnProp(config, key) ? config[key] : undefined);
3541
3821
 
3542
3822
  let _fetch = envFetch || fetch;
3543
3823
 
@@ -3559,7 +3839,61 @@ const factory = (env) => {
3559
3839
 
3560
3840
  let requestContentLength;
3561
3841
 
3842
+ // AxiosError we raise while the request body is being streamed. Captured
3843
+ // by identity so the catch block can surface it directly, regardless of
3844
+ // how the runtime wraps the resulting fetch rejection (undici exposes it
3845
+ // as `err.cause`; some browsers drop the original error entirely).
3846
+ let pendingBodyError = null;
3847
+
3848
+ const maxBodyLengthError = () =>
3849
+ new AxiosError$1(
3850
+ 'Request body larger than maxBodyLength limit',
3851
+ AxiosError$1.ERR_BAD_REQUEST,
3852
+ config,
3853
+ request
3854
+ );
3855
+
3562
3856
  try {
3857
+ // HTTP basic authentication
3858
+ let auth = undefined;
3859
+ const configAuth = own('auth');
3860
+
3861
+ if (configAuth) {
3862
+ const username = utils$1.getSafeProp(configAuth, 'username') || '';
3863
+ const password = utils$1.getSafeProp(configAuth, 'password') || '';
3864
+ auth = {
3865
+ username,
3866
+ password
3867
+ };
3868
+ }
3869
+
3870
+ if (maybeWithAuthCredentials(url)) {
3871
+ const parsedURL = new URL(url, platform.origin);
3872
+
3873
+ if (!auth && (parsedURL.username || parsedURL.password)) {
3874
+ const urlUsername = decodeURIComponentSafe(parsedURL.username);
3875
+ const urlPassword = decodeURIComponentSafe(parsedURL.password);
3876
+ auth = {
3877
+ username: urlUsername,
3878
+ password: urlPassword
3879
+ };
3880
+ }
3881
+
3882
+ if (parsedURL.username || parsedURL.password) {
3883
+ parsedURL.username = '';
3884
+ parsedURL.password = '';
3885
+ url = parsedURL.href;
3886
+ }
3887
+ }
3888
+
3889
+ if (auth) {
3890
+ headers.delete('authorization');
3891
+ headers.set(
3892
+ 'Authorization',
3893
+ 'Basic ' + btoa(encodeUTF8((auth.username || '') + ':' + (auth.password || '')))
3894
+ );
3895
+ }
3896
+
3563
3897
  // Enforce maxContentLength for data: URLs up-front so we never materialize
3564
3898
  // an oversized payload. The HTTP adapter applies the same check (see http.js
3565
3899
  // "if (protocol === 'data:')" branch).
@@ -3575,53 +3909,96 @@ const factory = (env) => {
3575
3909
  }
3576
3910
  }
3577
3911
 
3578
- // Enforce maxBodyLength against the outbound request body before dispatch.
3579
- // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than
3580
- // maxBodyLength limit'). Skip when the body length cannot be determined
3581
- // (e.g. a live ReadableStream supplied by the caller).
3912
+ // Enforce maxBodyLength against known-size bodies before dispatch using
3913
+ // the body's *actual* size never a caller-declared Content-Length,
3914
+ // which could under-report to slip an oversized body past the check.
3915
+ // Unknown-size streams return undefined here and are counted per-chunk
3916
+ // below as fetch consumes them.
3582
3917
  if (hasMaxBodyLength && method !== 'get' && method !== 'head') {
3583
- const outboundLength = await resolveBodyLength(headers, data);
3584
- if (
3585
- typeof outboundLength === 'number' &&
3586
- isFinite(outboundLength) &&
3587
- outboundLength > maxBodyLength
3588
- ) {
3589
- throw new AxiosError$1(
3590
- 'Request body larger than maxBodyLength limit',
3591
- AxiosError$1.ERR_BAD_REQUEST,
3592
- config,
3593
- request
3594
- );
3918
+ const outboundLength = await getBodyLength(data);
3919
+ if (typeof outboundLength === 'number' && isFinite(outboundLength)) {
3920
+ requestContentLength = outboundLength;
3921
+ if (outboundLength > maxBodyLength) {
3922
+ throw maxBodyLengthError();
3923
+ }
3595
3924
  }
3596
3925
  }
3597
3926
 
3927
+ // A streamed body under maxBodyLength must be counted as fetch consumes
3928
+ // it; its size is never trusted from a caller-declared Content-Length.
3929
+ const mustEnforceStreamBody =
3930
+ hasMaxBodyLength && (utils$1.isReadableStream(data) || utils$1.isStream(data));
3931
+
3932
+ const trackRequestStream = (stream, onProgress, flush) =>
3933
+ trackStream(
3934
+ stream,
3935
+ DEFAULT_CHUNK_SIZE,
3936
+ (loadedBytes) => {
3937
+ if (hasMaxBodyLength && loadedBytes > maxBodyLength) {
3938
+ throw (pendingBodyError = maxBodyLengthError());
3939
+ }
3940
+ onProgress && onProgress(loadedBytes);
3941
+ },
3942
+ flush
3943
+ );
3944
+
3598
3945
  if (
3599
- onUploadProgress &&
3600
3946
  supportsRequestStream &&
3601
3947
  method !== 'get' &&
3602
3948
  method !== 'head' &&
3603
- (requestContentLength = await resolveBodyLength(headers, data)) !== 0
3949
+ (onUploadProgress || mustEnforceStreamBody)
3604
3950
  ) {
3605
- let _request = new Request(url, {
3606
- method: 'POST',
3607
- body: data,
3608
- duplex: 'half',
3609
- });
3951
+ requestContentLength =
3952
+ requestContentLength == null ? await resolveBodyLength(headers, data) : requestContentLength;
3953
+
3954
+ // A declared length of 0 is only trusted to skip the wrap when we are
3955
+ // not enforcing a stream limit (which must not rely on that header).
3956
+ if (requestContentLength !== 0 || mustEnforceStreamBody) {
3957
+ let _request = new Request(url, {
3958
+ method: 'POST',
3959
+ body: data,
3960
+ duplex: 'half',
3961
+ });
3610
3962
 
3611
- let contentTypeHeader;
3963
+ let contentTypeHeader;
3612
3964
 
3613
- if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
3614
- headers.setContentType(contentTypeHeader);
3615
- }
3965
+ if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
3966
+ headers.setContentType(contentTypeHeader);
3967
+ }
3616
3968
 
3617
- if (_request.body) {
3618
- const [onProgress, flush] = progressEventDecorator(
3619
- requestContentLength,
3620
- progressEventReducer(asyncDecorator(onUploadProgress))
3621
- );
3969
+ if (_request.body) {
3970
+ const [onProgress, flush] =
3971
+ (onUploadProgress &&
3972
+ progressEventDecorator(
3973
+ requestContentLength,
3974
+ progressEventReducer(asyncDecorator(onUploadProgress))
3975
+ )) ||
3976
+ [];
3622
3977
 
3623
- data = trackStream(_request.body, DEFAULT_CHUNK_SIZE, onProgress, flush);
3978
+ data = trackRequestStream(_request.body, onProgress, flush);
3979
+ }
3624
3980
  }
3981
+ } else if (
3982
+ mustEnforceStreamBody &&
3983
+ !isRequestSupported &&
3984
+ isReadableStreamSupported &&
3985
+ method !== 'get' &&
3986
+ method !== 'head'
3987
+ ) {
3988
+ data = trackRequestStream(data);
3989
+ } else if (
3990
+ mustEnforceStreamBody &&
3991
+ isRequestSupported &&
3992
+ !supportsRequestStream &&
3993
+ method !== 'get' &&
3994
+ method !== 'head'
3995
+ ) {
3996
+ throw new AxiosError$1(
3997
+ 'Stream request bodies are not supported by the current fetch implementation',
3998
+ AxiosError$1.ERR_NOT_SUPPORT,
3999
+ config,
4000
+ request
4001
+ );
3625
4002
  }
3626
4003
 
3627
4004
  if (!utils$1.isString(withCredentials)) {
@@ -3664,10 +4041,12 @@ const factory = (env) => {
3664
4041
  ? _fetch(request, fetchOptions)
3665
4042
  : _fetch(url, resolvedOptions));
3666
4043
 
4044
+ const responseHeaders = AxiosHeaders$1.from(response.headers);
4045
+
3667
4046
  // Cheap pre-check: if the server honestly declares a content-length that
3668
4047
  // already exceeds the cap, reject before we start streaming.
3669
4048
  if (hasMaxContentLength) {
3670
- const declaredLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
4049
+ const declaredLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
3671
4050
  if (declaredLength != null && declaredLength > maxContentLength) {
3672
4051
  throw new AxiosError$1(
3673
4052
  'maxContentLength size of ' + maxContentLength + ' exceeded',
@@ -3692,7 +4071,7 @@ const factory = (env) => {
3692
4071
  options[prop] = response[prop];
3693
4072
  });
3694
4073
 
3695
- const responseContentLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
4074
+ const responseContentLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
3696
4075
 
3697
4076
  const [onProgress, flush] =
3698
4077
  (onDownloadProgress &&
@@ -3783,23 +4162,55 @@ const factory = (env) => {
3783
4162
  const canceledError = composedSignal.reason;
3784
4163
  canceledError.config = config;
3785
4164
  request && (canceledError.request = request);
3786
- err !== canceledError && (canceledError.cause = err);
4165
+ if (err !== canceledError) {
4166
+ // Non-enumerable to match native Error `cause` semantics so loggers
4167
+ // don't recurse into circular fetch internals (see #7205).
4168
+ Object.defineProperty(canceledError, 'cause', {
4169
+ __proto__: null,
4170
+ value: err,
4171
+ writable: true,
4172
+ enumerable: false,
4173
+ configurable: true,
4174
+ });
4175
+ }
3787
4176
  throw canceledError;
3788
4177
  }
3789
4178
 
4179
+ // Surface a maxBodyLength violation we raised while the request body was
4180
+ // being streamed. Matching by identity (rather than reading
4181
+ // `err.cause.isAxiosError`) keeps the error deterministic across runtimes
4182
+ // and avoids both prototype-pollution reads and mis-attributing a foreign
4183
+ // AxiosError that merely happened to land in `err.cause`.
4184
+ if (pendingBodyError) {
4185
+ request && !pendingBodyError.request && (pendingBodyError.request = request);
4186
+ throw pendingBodyError;
4187
+ }
4188
+
4189
+ // Re-throw AxiosErrors we raised synchronously (data: URL / content-length
4190
+ // pre-checks, response size enforcement) without re-wrapping them.
4191
+ if (err instanceof AxiosError$1) {
4192
+ request && !err.request && (err.request = request);
4193
+ throw err;
4194
+ }
4195
+
3790
4196
  if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) {
3791
- throw Object.assign(
3792
- new AxiosError$1(
3793
- 'Network Error',
3794
- AxiosError$1.ERR_NETWORK,
3795
- config,
3796
- request,
3797
- err && err.response
3798
- ),
3799
- {
3800
- cause: err.cause || err,
3801
- }
4197
+ const networkError = new AxiosError$1(
4198
+ 'Network Error',
4199
+ AxiosError$1.ERR_NETWORK,
4200
+ config,
4201
+ request,
4202
+ err && err.response
3802
4203
  );
4204
+ // Non-enumerable to match native Error `cause` semantics so loggers
4205
+ // don't recurse into circular fetch internals (see #7205).
4206
+ Object.defineProperty(networkError, 'cause', {
4207
+ __proto__: null,
4208
+ value: err.cause || err,
4209
+ writable: true,
4210
+ enumerable: false,
4211
+ configurable: true,
4212
+ });
4213
+ throw networkError;
3803
4214
  }
3804
4215
 
3805
4216
  throw AxiosError$1.from(err, err && err.code, config, request, err && err.response);
@@ -3937,7 +4348,7 @@ function getAdapter$1(adapters, config) {
3937
4348
 
3938
4349
  throw new AxiosError$1(
3939
4350
  `There is no suitable adapter to dispatch the request ` + s,
3940
- 'ERR_NOT_SUPPORT'
4351
+ AxiosError$1.ERR_NOT_SUPPORT
3941
4352
  );
3942
4353
  }
3943
4354
 
@@ -4118,7 +4529,7 @@ validators$1.spelling = function spelling(correctSpelling) {
4118
4529
  */
4119
4530
 
4120
4531
  function assertOptions(options, schema, allowUnknown) {
4121
- if (typeof options !== 'object') {
4532
+ if (typeof options !== 'object' || options === null) {
4122
4533
  throw new AxiosError$1('options must be an object', AxiosError$1.ERR_BAD_OPTION_VALUE);
4123
4534
  }
4124
4535
  const keys = Object.keys(options);
@@ -4241,6 +4652,8 @@ let Axios$1 = class Axios {
4241
4652
  forcedJSONParsing: validators.transitional(validators.boolean),
4242
4653
  clarifyTimeoutError: validators.transitional(validators.boolean),
4243
4654
  legacyInterceptorReqResOrdering: validators.transitional(validators.boolean),
4655
+ advertiseZstdAcceptEncoding: validators.transitional(validators.boolean),
4656
+ validateStatusUndefinedResolves: validators.transitional(validators.boolean),
4244
4657
  },
4245
4658
  false
4246
4659
  );
@@ -4370,7 +4783,7 @@ let Axios$1 = class Axios {
4370
4783
 
4371
4784
  getUri(config) {
4372
4785
  config = mergeConfig$1(this.defaults, config);
4373
- const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
4786
+ const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls, config);
4374
4787
  return buildURL(fullPath, config.params, config.paramsSerializer);
4375
4788
  }
4376
4789
  };
@@ -4383,7 +4796,7 @@ utils$1.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNoDa
4383
4796
  mergeConfig$1(config || {}, {
4384
4797
  method,
4385
4798
  url,
4386
- data: (config || {}).data,
4799
+ data: config && utils$1.hasOwnProp(config, 'data') ? config.data : undefined,
4387
4800
  })
4388
4801
  );
4389
4802
  };