reflex-search 1.5.2 → 1.5.3

Files changed (58)
  1. package/node_modules/.package-lock.json +15 -15
  2. package/node_modules/axios/CHANGELOG.md +126 -1
  3. package/node_modules/axios/README.md +390 -257
  4. package/node_modules/axios/dist/axios.js +511 -154
  5. package/node_modules/axios/dist/axios.min.js +3 -3
  6. package/node_modules/axios/dist/axios.min.js.map +1 -1
  7. package/node_modules/axios/dist/browser/axios.cjs +537 -124
  8. package/node_modules/axios/dist/esm/axios.js +537 -124
  9. package/node_modules/axios/dist/esm/axios.min.js +2 -2
  10. package/node_modules/axios/dist/esm/axios.min.js.map +1 -1
  11. package/node_modules/axios/dist/node/axios.cjs +753 -226
  12. package/node_modules/axios/index.d.cts +27 -4
  13. package/node_modules/axios/index.d.ts +23 -2
  14. package/node_modules/axios/lib/adapters/adapters.js +1 -1
  15. package/node_modules/axios/lib/adapters/fetch.js +217 -47
  16. package/node_modules/axios/lib/adapters/http.js +274 -169
  17. package/node_modules/axios/lib/adapters/xhr.js +1 -0
  18. package/node_modules/axios/lib/core/Axios.js +4 -2
  19. package/node_modules/axios/lib/core/AxiosError.js +13 -1
  20. package/node_modules/axios/lib/core/AxiosHeaders.js +12 -9
  21. package/node_modules/axios/lib/core/buildFullPath.js +29 -1
  22. package/node_modules/axios/lib/core/mergeConfig.js +35 -0
  23. package/node_modules/axios/lib/defaults/transitional.js +2 -0
  24. package/node_modules/axios/lib/env/data.js +1 -1
  25. package/node_modules/axios/lib/helpers/AxiosURLSearchParams.js +1 -3
  26. package/node_modules/axios/lib/helpers/Http2Sessions.js +119 -0
  27. package/node_modules/axios/lib/helpers/buildURL.js +7 -4
  28. package/node_modules/axios/lib/helpers/composeSignals.js +1 -1
  29. package/node_modules/axios/lib/helpers/cookies.js +5 -1
  30. package/node_modules/axios/lib/helpers/estimateDataURLDecodedBytes.js +16 -11
  31. package/node_modules/axios/lib/helpers/formDataToJSON.js +25 -3
  32. package/node_modules/axios/lib/helpers/formDataToStream.js +2 -2
  33. package/node_modules/axios/lib/helpers/fromDataURI.js +4 -2
  34. package/node_modules/axios/lib/helpers/resolveConfig.js +26 -13
  35. package/node_modules/axios/lib/helpers/shouldBypassProxy.js +33 -1
  36. package/node_modules/axios/lib/helpers/toFormData.js +48 -12
  37. package/node_modules/axios/lib/helpers/validator.js +1 -1
  38. package/node_modules/axios/lib/utils.js +97 -12
  39. package/node_modules/axios/package.json +29 -13
  40. package/node_modules/brace-expansion/dist/commonjs/index.js +24 -14
  41. package/node_modules/brace-expansion/dist/commonjs/index.js.map +1 -1
  42. package/node_modules/brace-expansion/dist/esm/index.js +24 -14
  43. package/node_modules/brace-expansion/dist/esm/index.js.map +1 -1
  44. package/node_modules/brace-expansion/package.json +2 -2
  45. package/node_modules/form-data/CHANGELOG.md +29 -2
  46. package/node_modules/form-data/README.md +4 -4
  47. package/node_modules/form-data/lib/form_data.js +14 -2
  48. package/node_modules/form-data/package.json +7 -7
  49. package/node_modules/hasown/CHANGELOG.md +18 -0
  50. package/node_modules/hasown/eslint.config.mjs +6 -0
  51. package/node_modules/hasown/package.json +13 -14
  52. package/npm-shrinkwrap.json +16 -16
  53. package/package.json +2 -2
  54. package/node_modules/axios/dist/axios.js.map +0 -1
  55. package/node_modules/axios/dist/browser/axios.cjs.map +0 -1
  56. package/node_modules/axios/dist/esm/axios.js.map +0 -1
  57. package/node_modules/axios/dist/node/axios.cjs.map +0 -1
  58. package/node_modules/hasown/.eslintrc +0 -5
@@ -1,4 +1,4 @@
1
- /*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */
1
+ /*! Axios v1.18.1 Copyright (c) 2026 Matt Zabriskie and contributors */
2
2
  'use strict';
3
3
 
4
4
  var FormData$1 = require('form-data');
@@ -40,6 +40,52 @@ const {
40
40
  iterator,
41
41
  toStringTag
42
42
  } = Symbol;
43
+
44
+ /* Creating a function that will check if an object has a property. */
45
+ const hasOwnProperty = (({
46
+ hasOwnProperty
47
+ }) => (obj, prop) => hasOwnProperty.call(obj, prop))(Object.prototype);
48
+
49
+ /**
50
+ * Walk the prototype chain (excluding the shared Object.prototype) looking for
51
+ * an own `prop`. This distinguishes genuine own/inherited members — including
52
+ * class accessors and template prototypes — from members injected via
53
+ * Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
54
+ * live on Object.prototype itself and are therefore never matched.
55
+ *
56
+ * @param {*} thing The value whose chain to inspect
57
+ * @param {string|symbol} prop The property key to look for
58
+ *
59
+ * @returns {boolean} True when `prop` is owned below Object.prototype
60
+ */
61
+ const hasOwnInPrototypeChain = (thing, prop) => {
62
+ let obj = thing;
63
+ const seen = [];
64
+ while (obj != null && obj !== Object.prototype) {
65
+ if (seen.indexOf(obj) !== -1) {
66
+ return false;
67
+ }
68
+ seen.push(obj);
69
+ if (hasOwnProperty(obj, prop)) {
70
+ return true;
71
+ }
72
+ obj = getPrototypeOf(obj);
73
+ }
74
+ return false;
75
+ };
76
+
77
+ /**
78
+ * Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
79
+ * properties and members inherited from a non-Object.prototype source (a class
80
+ * instance or template object) are honored; a value reachable only through a
81
+ * polluted Object.prototype is ignored and `undefined` is returned.
82
+ *
83
+ * @param {*} obj The source object
84
+ * @param {string|symbol} prop The property key to read
85
+ *
86
+ * @returns {*} The resolved value, or undefined when unsafe/absent
87
+ */
88
+ const getSafeProp = (obj, prop) => obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
43
89
  const kindOf = (cache => thing => {
44
90
  const str = toString.call(thing);
45
91
  return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase());
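Review bot: The JSDoc on `hasOwnInPrototypeChain` says members living on Object.prototype are "never matched", but the loop on new line 64 stops only at the `Object.prototype` of the realm this module was loaded in (`obj !== Object.prototype`). An object created in another realm (a `vm` context, an iframe) ends its chain at a different Object.prototype, which the walk would treat as an ordinary ancestor, so the guarantee presumably holds for same-realm objects only. I would state that in the doc comment, for example `* Only the current realm's Object.prototype is excluded; objects from other realms are walked to the end of their chain.`, and repeat it on `getSafeProp`, which inherits the same limit. `getPrototypeOf` is defined outside this hunk.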
@@ -158,11 +204,15 @@ const isBoolean = thing => thing === true || thing === false;
158
204
  * @returns {boolean} True if value is a plain Object, otherwise false
159
205
  */
160
206
  const isPlainObject = val => {
161
- if (kindOf(val) !== 'object') {
207
+ if (!isObject(val)) {
162
208
  return false;
163
209
  }
164
210
  const prototype = getPrototypeOf(val);
165
- return (prototype === null || prototype === Object.prototype || Object.getPrototypeOf(prototype) === null) && !(toStringTag in val) && !(iterator in val);
211
+ return (prototype === null || prototype === Object.prototype || getPrototypeOf(prototype) === null) &&
212
+ // Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
213
+ // Symbol.iterator as evidence the value is a tagged/iterable type rather
214
+ // than a plain object, while ignoring keys injected onto Object.prototype.
215
+ !hasOwnInPrototypeChain(val, toStringTag) && !hasOwnInPrototypeChain(val, iterator);
166
216
  };
167
217
 
168
218
  /**
@@ -417,7 +467,10 @@ function merge(...objs) {
417
467
  if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
418
468
  return;
419
469
  }
420
- const targetKey = caseless && findKey(result, key) || key;
470
+
471
+ // findKey lowercases the key, so caseless lookup only applies to strings —
472
+ // symbol keys are identity-matched.
473
+ const targetKey = caseless && typeof key === 'string' && findKey(result, key) || key;
421
474
  // Read via own-prop only — a bare `result[targetKey]` walks the prototype
422
475
  // chain, so a polluted Object.prototype value could surface here and get
423
476
  // copied into the merged result.
@@ -433,7 +486,21 @@ function merge(...objs) {
433
486
  }
434
487
  };
435
488
  for (let i = 0, l = objs.length; i < l; i++) {
436
- objs[i] && forEach(objs[i], assignValue);
489
+ const source = objs[i];
490
+ if (!source || isBuffer(source)) {
491
+ continue;
492
+ }
493
+ forEach(source, assignValue);
494
+ if (typeof source !== 'object' || isArray(source)) {
495
+ continue;
496
+ }
497
+ const symbols = Object.getOwnPropertySymbols(source);
498
+ for (let j = 0; j < symbols.length; j++) {
499
+ const symbol = symbols[j];
500
+ if (propertyIsEnumerable.call(source, symbol)) {
501
+ assignValue(source[symbol], symbol);
502
+ }
503
+ }
437
504
  }
438
505
  return result;
439
506
  }
@@ -645,11 +712,9 @@ const toCamelCase = str => {
645
712
  return p1.toUpperCase() + p2;
646
713
  });
647
714
  };
648
-
649
- /* Creating a function that will check if an object has a property. */
650
- const hasOwnProperty = (({
651
- hasOwnProperty
652
- }) => (obj, prop) => hasOwnProperty.call(obj, prop))(Object.prototype);
715
+ const {
716
+ propertyIsEnumerable
717
+ } = Object.prototype;
653
718
 
654
719
  /**
655
720
  * Determine if a value is a RegExp object
@@ -824,6 +889,19 @@ const asap = typeof queueMicrotask !== 'undefined' ? queueMicrotask.bind(_global
824
889
  // *********************
825
890
 
826
891
  const isIterable = thing => thing != null && isFunction$1(thing[iterator]);
892
+
893
+ /**
894
+ * Determine if a value is iterable via an iterator that is NOT sourced solely
895
+ * from a polluted Object.prototype. Use this instead of `isIterable` whenever
896
+ * the iterable comes from untrusted input (e.g. user-supplied header sources),
897
+ * so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
898
+ * into an attacker-controlled entries iterator.
899
+ *
900
+ * @param {*} thing The value to test
901
+ *
902
+ * @returns {boolean} True if value has a non-polluted iterator
903
+ */
904
+ const isSafeIterable = thing => thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
827
905
  var utils$1 = {
828
906
  isArray,
829
907
  isArrayBuffer,
@@ -869,6 +947,8 @@ var utils$1 = {
869
947
  hasOwnProperty,
870
948
  hasOwnProp: hasOwnProperty,
871
949
  // an alias to avoid ESLint no-prototype-builtins detection
950
+ hasOwnInPrototypeChain,
951
+ getSafeProp,
872
952
  reduceDescriptors,
873
953
  freezeMethods,
874
954
  toObjectSet,
@@ -884,7 +964,8 @@ var utils$1 = {
884
964
  isThenable,
885
965
  setImmediate: _setImmediate,
886
966
  asap,
887
- isIterable
967
+ isIterable,
968
+ isSafeIterable
888
969
  };
889
970
 
890
971
  // RawAxiosHeaders whose duplicates are ignored by node
@@ -1034,7 +1115,7 @@ class AxiosHeaders {
1034
1115
  function setHeader(_value, _header, _rewrite) {
1035
1116
  const lHeader = normalizeHeader(_header);
1036
1117
  if (!lHeader) {
1037
- throw new Error('header name must be a non-empty string');
1118
+ return;
1038
1119
  }
1039
1120
  const key = utils$1.findKey(self, lHeader);
1040
1121
  if (!key || self[key] === undefined || _rewrite === true || _rewrite === undefined && self[key] !== false) {
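Review bot: Replacing `throw new Error('header name must be a non-empty string')` with a bare `return;` on new line 1118 means a header whose name fails `normalizeHeader` is now dropped without any signal. If the dropped header is one the request depends on (an authorization or content-type header built from a bad key), the request goes out without it and nothing tells the caller. The change should at least carry a why-comment, for example `// Skip unusable header names instead of throwing; the value is intentionally discarded.`. I would also confirm that every caller that used to rely on the exception has been reviewed. The enclosing `set` method starts and ends outside this hunk.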
@@ -1046,15 +1127,21 @@ class AxiosHeaders {
1046
1127
  setHeaders(header, valueOrRewrite);
1047
1128
  } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) {
1048
1129
  setHeaders(parseHeaders(header), valueOrRewrite);
1049
- } else if (utils$1.isObject(header) && utils$1.isIterable(header)) {
1050
- let obj = {},
1130
+ } else if (utils$1.isObject(header) && utils$1.isSafeIterable(header)) {
1131
+ let obj = Object.create(null),
1051
1132
  dest,
1052
1133
  key;
1053
1134
  for (const entry of header) {
1054
1135
  if (!utils$1.isArray(entry)) {
1055
- throw TypeError('Object iterator must return a key-value pair');
1136
+ throw new TypeError('Object iterator must return a key-value pair');
1137
+ }
1138
+ key = entry[0];
1139
+ if (utils$1.hasOwnProp(obj, key)) {
1140
+ dest = obj[key];
1141
+ obj[key] = utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]];
1142
+ } else {
1143
+ obj[key] = entry[1];
1056
1144
  }
1057
- obj[key = entry[0]] = (dest = obj[key]) ? utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]] : entry[1];
1058
1145
  }
1059
1146
  setHeaders(obj, valueOrRewrite);
1060
1147
  } else {
@@ -1266,7 +1353,19 @@ function redactConfig(config, redactKeys) {
1266
1353
  class AxiosError extends Error {
1267
1354
  static from(error, code, config, request, response, customProps) {
1268
1355
  const axiosError = new AxiosError(error.message, code || error.code, config, request, response);
1269
- axiosError.cause = error;
1356
+ // Match native `Error` `cause` semantics: non-enumerable. The wrapped
1357
+ // error often carries circular internals (sockets, requests, agents), so
1358
+ // an enumerable `cause` makes structured loggers (pino/winston) and any
1359
+ // own-property walk throw "Converting circular structure to JSON".
1360
+ // Regression from #6982; see #7205. `__proto__: null` mirrors the
1361
+ // `message` descriptor below (prototype-pollution-safe descriptor).
1362
+ Object.defineProperty(axiosError, 'cause', {
1363
+ __proto__: null,
1364
+ value: error,
1365
+ writable: true,
1366
+ enumerable: false,
1367
+ configurable: true
1368
+ });
1270
1369
  axiosError.name = error.name;
1271
1370
 
1272
1371
  // Preserve status from the original error if not already set from response
@@ -1357,6 +1456,10 @@ AxiosError.ERR_NOT_SUPPORT = 'ERR_NOT_SUPPORT';
1357
1456
  AxiosError.ERR_INVALID_URL = 'ERR_INVALID_URL';
1358
1457
  AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED';
1359
1458
 
1459
+ // Default nesting limit shared with the inverse transform (formDataToJSON) so
1460
+ // the FormData <-> JSON round-trip stays symmetric.
1461
+ const DEFAULT_FORM_DATA_MAX_DEPTH = 100;
1462
+
1360
1463
  /**
1361
1464
  * Determines if the given thing is a array or js object.
1362
1465
  *
@@ -1457,8 +1560,9 @@ function toFormData(obj, formData, options) {
1457
1560
  const dots = options.dots;
1458
1561
  const indexes = options.indexes;
1459
1562
  const _Blob = options.Blob || typeof Blob !== 'undefined' && Blob;
1460
- const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
1563
+ const maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
1461
1564
  const useBlob = _Blob && utils$1.isSpecCompliantForm(formData);
1565
+ const stack = [];
1462
1566
  if (!utils$1.isFunction(visitor)) {
1463
1567
  throw new TypeError('visitor must be a function');
1464
1568
  }
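Review bot: `maxDepth` is taken from `options.maxDepth` on new line 1563 without any type check, and the guard added in the next hunk (`throwIfMaxDepthExceeded`, `depth > maxDepth`) is always false when that value is `NaN` or another non-numeric value. The nesting limit then switches off silently, and the new `stringifyWithDepthLimit` path inherits the same gap. Validating once where the option is read would close it, for example `if (typeof maxDepth !== 'number' || Number.isNaN(maxDepth)) throw new TypeError('maxDepth must be a number');`. `Infinity` would still pass as the explicit way to disable the limit, which the new code already special-cases. `toFormData` starts and ends outside this hunk.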
@@ -1474,10 +1578,38 @@ function toFormData(obj, formData, options) {
1474
1578
  throw new AxiosError('Blob is not supported. Use a Buffer instead.');
1475
1579
  }
1476
1580
  if (utils$1.isArrayBuffer(value) || utils$1.isTypedArray(value)) {
1477
- return useBlob && typeof Blob === 'function' ? new Blob([value]) : Buffer.from(value);
1581
+ if (useBlob && typeof _Blob === 'function') {
1582
+ return new _Blob([value]);
1583
+ }
1584
+ if (typeof Buffer !== 'undefined') {
1585
+ return Buffer.from(value);
1586
+ }
1587
+ throw new AxiosError('Blob is not supported. Use a Buffer instead.', AxiosError.ERR_NOT_SUPPORT);
1478
1588
  }
1479
1589
  return value;
1480
1590
  }
1591
+ function throwIfMaxDepthExceeded(depth) {
1592
+ if (depth > maxDepth) {
1593
+ throw new AxiosError('Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
1594
+ }
1595
+ }
1596
+ function stringifyWithDepthLimit(value, depth) {
1597
+ if (maxDepth === Infinity) {
1598
+ return JSON.stringify(value);
1599
+ }
1600
+ const ancestors = [];
1601
+ return JSON.stringify(value, function limitDepth(_key, currentValue) {
1602
+ if (!utils$1.isObject(currentValue)) {
1603
+ return currentValue;
1604
+ }
1605
+ while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
1606
+ ancestors.pop();
1607
+ }
1608
+ ancestors.push(currentValue);
1609
+ throwIfMaxDepthExceeded(depth + ancestors.length - 1);
1610
+ return currentValue;
1611
+ });
1612
+ }
1481
1613
 
1482
1614
  /**
1483
1615
  * Default visitor.
@@ -1500,7 +1632,7 @@ function toFormData(obj, formData, options) {
1500
1632
  // eslint-disable-next-line no-param-reassign
1501
1633
  key = metaTokens ? key : key.slice(0, -2);
1502
1634
  // eslint-disable-next-line no-param-reassign
1503
- value = JSON.stringify(value);
1635
+ value = stringifyWithDepthLimit(value, 1);
1504
1636
  } else if (utils$1.isArray(value) && isFlatArray(value) || (utils$1.isFileList(value) || utils$1.endsWith(key, '[]')) && (arr = utils$1.toArray(value))) {
1505
1637
  // eslint-disable-next-line no-param-reassign
1506
1638
  key = removeBrackets(key);
@@ -1518,7 +1650,6 @@ function toFormData(obj, formData, options) {
1518
1650
  formData.append(renderKey(path, key, dots), convertValue(value));
1519
1651
  return false;
1520
1652
  }
1521
- const stack = [];
1522
1653
  const exposedHelpers = Object.assign(predicates, {
1523
1654
  defaultVisitor,
1524
1655
  convertValue,
@@ -1526,11 +1657,9 @@ function toFormData(obj, formData, options) {
1526
1657
  });
1527
1658
  function build(value, path, depth = 0) {
1528
1659
  if (utils$1.isUndefined(value)) return;
1529
- if (depth > maxDepth) {
1530
- throw new AxiosError('Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
1531
- }
1660
+ throwIfMaxDepthExceeded(depth);
1532
1661
  if (stack.indexOf(value) !== -1) {
1533
- throw Error('Circular reference detected in ' + path.join('.'));
1662
+ throw new Error('Circular reference detected in ' + path.join('.'));
1534
1663
  }
1535
1664
  stack.push(value);
1536
1665
  utils$1.forEach(value, function each(el, key) {
@@ -1587,9 +1716,7 @@ prototype.append = function append(name, value) {
1587
1716
  this._pairs.push([name, value]);
1588
1717
  };
1589
1718
  prototype.toString = function toString(encoder) {
1590
- const _encode = encoder ? function (value) {
1591
- return encoder.call(this, value, encode$1);
1592
- } : encode$1;
1719
+ const _encode = encoder ? value => encoder.call(this, value, encode$1) : encode$1;
1593
1720
  return this._pairs.map(function each(pair) {
1594
1721
  return _encode(pair[0]) + '=' + _encode(pair[1]);
1595
1722
  }, '').join('&');
@@ -1620,11 +1747,16 @@ function buildURL(url, params, options) {
1620
1747
  if (!params) {
1621
1748
  return url;
1622
1749
  }
1623
- const _encode = options && options.encode || encode;
1750
+ url = url || '';
1624
1751
  const _options = utils$1.isFunction(options) ? {
1625
1752
  serialize: options
1626
1753
  } : options;
1627
- const serializeFn = _options && _options.serialize;
1754
+
1755
+ // Read serializer options pollution-safely: own properties and methods on a
1756
+ // class/template prototype are honored, but values injected onto a polluted
1757
+ // Object.prototype are ignored.
1758
+ const _encode = utils$1.getSafeProp(_options, 'encode') || encode;
1759
+ const serializeFn = utils$1.getSafeProp(_options, 'serialize');
1628
1760
  let serializedParams;
1629
1761
  if (serializeFn) {
1630
1762
  serializedParams = serializeFn(params, _options);
@@ -1712,7 +1844,9 @@ var transitionalDefaults = {
1712
1844
  silentJSONParsing: true,
1713
1845
  forcedJSONParsing: true,
1714
1846
  clarifyTimeoutError: false,
1715
- legacyInterceptorReqResOrdering: true
1847
+ legacyInterceptorReqResOrdering: true,
1848
+ advertiseZstdAcceptEncoding: false,
1849
+ validateStatusUndefinedResolves: true
1716
1850
  };
1717
1851
 
1718
1852
  var URLSearchParams = url.URLSearchParams;
@@ -1813,6 +1947,13 @@ function toURLEncodedForm(data, options) {
1813
1947
  });
1814
1948
  }
1815
1949
 
1950
+ const MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
1951
+ function throwIfDepthExceeded(index) {
1952
+ if (index > MAX_DEPTH) {
1953
+ throw new AxiosError('FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
1954
+ }
1955
+ }
1956
+
1816
1957
  /**
1817
1958
  * It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
1818
1959
  *
@@ -1825,9 +1966,14 @@ function parsePropPath(name) {
1825
1966
  // foo.x.y.z
1826
1967
  // foo-x-y-z
1827
1968
  // foo x y z
1828
- return utils$1.matchAll(/\w+|\[(\w*)]/g, name).map(match => {
1829
- return match[0] === '[]' ? '' : match[1] || match[0];
1830
- });
1969
+ const path = [];
1970
+ const pattern = /\w+|\[(\w*)]/g;
1971
+ let match;
1972
+ while ((match = pattern.exec(name)) !== null) {
1973
+ throwIfDepthExceeded(path.length);
1974
+ path.push(match[0] === '[]' ? '' : match[1] || match[0]);
1975
+ }
1976
+ return path;
1831
1977
  }
1832
1978
 
1833
1979
  /**
@@ -1859,6 +2005,7 @@ function arrayToObject(arr) {
1859
2005
  */
1860
2006
  function formDataToJSON(formData) {
1861
2007
  function buildPath(path, value, target, index) {
2008
+ throwIfDepthExceeded(index);
1862
2009
  let name = path[index++];
1863
2010
  if (name === '__proto__') return true;
1864
2011
  const isNumericKey = Number.isFinite(+name);
@@ -2099,6 +2246,24 @@ function combineURLs(baseURL, relativeURL) {
2099
2246
  return relativeURL ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '') : baseURL;
2100
2247
  }
2101
2248
 
2249
+ const malformedHttpProtocol = /^https?:(?!\/\/)/i;
2250
+ const httpProtocolControlCharacters = /[\t\n\r]/g;
2251
+ function stripLeadingC0ControlOrSpace(url) {
2252
+ let i = 0;
2253
+ while (i < url.length && url.charCodeAt(i) <= 0x20) {
2254
+ i++;
2255
+ }
2256
+ return url.slice(i);
2257
+ }
2258
+ function normalizeURLForProtocolCheck(url) {
2259
+ return stripLeadingC0ControlOrSpace(url).replace(httpProtocolControlCharacters, '');
2260
+ }
2261
+ function assertValidHttpProtocolURL(url, config) {
2262
+ if (typeof url === 'string' && malformedHttpProtocol.test(normalizeURLForProtocolCheck(url))) {
2263
+ throw new AxiosError('Invalid URL: missing "//" after protocol', AxiosError.ERR_INVALID_URL, config);
2264
+ }
2265
+ }
2266
+
2102
2267
  /**
2103
2268
  * Creates a new URL by combining the baseURL with the requestedURL,
2104
2269
  * only when the requestedURL is not already an absolute URL.
@@ -2109,9 +2274,11 @@ function combineURLs(baseURL, relativeURL) {
2109
2274
  *
2110
2275
  * @returns {string} The combined full path
2111
2276
  */
2112
- function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
2277
+ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls, config) {
2278
+ assertValidHttpProtocolURL(requestedURL, config);
2113
2279
  let isRelativeUrl = !isAbsoluteURL(requestedURL);
2114
2280
  if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) {
2281
+ assertValidHttpProtocolURL(baseURL, config);
2115
2282
  return combineURLs(baseURL, requestedURL);
2116
2283
  }
2117
2284
  return requestedURL;
@@ -2213,7 +2380,7 @@ function getEnv(key) {
2213
2380
  return process.env[key.toLowerCase()] || process.env[key.toUpperCase()] || '';
2214
2381
  }
2215
2382
 
2216
- const VERSION = "1.16.1";
2383
+ const VERSION = "1.18.1";
2217
2384
 
2218
2385
  function parseProtocol(url) {
2219
2386
  const match = /^([-+\w]{1,25}):(?:\/\/)?/.exec(url);
@@ -2253,13 +2420,13 @@ function fromDataURI(uri, asBlob, options) {
2253
2420
 
2254
2421
  // RFC 2397 section 3: default mediatype is text/plain;charset=US-ASCII
2255
2422
  // Bare `data:,` leaves mime undefined; Blob normalises that to "" per spec.
2256
- let mime;
2423
+ let mime = '';
2257
2424
  if (type) {
2258
2425
  mime = params ? type + params : type;
2259
2426
  } else if (params) {
2260
2427
  mime = 'text/plain' + params;
2261
2428
  }
2262
- const buffer = Buffer.from(decodeURIComponent(body), encoding);
2429
+ const buffer = encoding === 'base64' ? Buffer.from(body, 'base64') : Buffer.from(decodeURIComponent(body), encoding);
2263
2430
  if (asBlob) {
2264
2431
  if (!_Blob) {
2265
2432
  throw new AxiosError('Blob is not supported', AxiosError.ERR_NOT_SUPPORT);
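Review bot: The base64 branch on new line 2429 no longer percent-decodes `body` before `Buffer.from(body, 'base64')`, yet the base64 path of `estimateDataURLDecodedBytes` later in this file still counts each `%XX` as a single character. A data URI whose base64 payload carries escapes such as `%2B` or `%3D` now reaches the decoder with the `%` intact. If the decoder skips the `%` and reads the two hex digits as payload, the result differs from the previous release and can be longer than the estimate the comments describe as a DoS guard. Decoding escapes only when present (`body.includes('%') ? decodeURIComponent(body) : body`) would keep the estimator and the decoder in step. Separately, the comment above `let mime = ''` still says a bare `data:,` leaves mime undefined, which the new initialiser makes untrue. `fromDataURI` starts and ends outside this hunk.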
@@ -2452,10 +2619,10 @@ const formDataToStream = (form, headersHandler, options) => {
2452
2619
  boundary = tag + '-' + platform.generateString(size, BOUNDARY_ALPHABET)
2453
2620
  } = options || {};
2454
2621
  if (!utils$1.isFormData(form)) {
2455
- throw TypeError('FormData instance required');
2622
+ throw new TypeError('FormData instance required');
2456
2623
  }
2457
2624
  if (boundary.length < 1 || boundary.length > 70) {
2458
- throw Error('boundary must be 1-70 characters long');
2625
+ throw new Error('boundary must be 1-70 characters long');
2459
2626
  }
2460
2627
  const boundaryBytes = textEncoder.encode('--' + boundary + CRLF);
2461
2628
  const footerBytes = textEncoder.encode('--' + boundary + '--' + CRLF);
@@ -2505,6 +2672,84 @@ class ZlibHeaderTransformStream extends stream.Transform {
2505
2672
  }
2506
2673
  }
2507
2674
 
2675
+ class Http2Sessions {
2676
+ constructor() {
2677
+ this.sessions = Object.create(null);
2678
+ }
2679
+ getSession(authority, options) {
2680
+ options = Object.assign({
2681
+ sessionTimeout: 1000
2682
+ }, options);
2683
+ let authoritySessions = this.sessions[authority];
2684
+ if (authoritySessions) {
2685
+ let len = authoritySessions.length;
2686
+ for (let i = 0; i < len; i++) {
2687
+ const [sessionHandle, sessionOptions] = authoritySessions[i];
2688
+ if (!sessionHandle.destroyed && !sessionHandle.closed && util.isDeepStrictEqual(sessionOptions, options)) {
2689
+ return sessionHandle;
2690
+ }
2691
+ }
2692
+ }
2693
+ const session = http2.connect(authority, options);
2694
+ let removed;
2695
+ let timer;
2696
+ const removeSession = () => {
2697
+ if (removed) {
2698
+ return;
2699
+ }
2700
+ removed = true;
2701
+ if (timer) {
2702
+ clearTimeout(timer);
2703
+ timer = null;
2704
+ }
2705
+ let entries = authoritySessions,
2706
+ len = entries.length,
2707
+ i = len;
2708
+ while (i--) {
2709
+ if (entries[i][0] === session) {
2710
+ if (len === 1) {
2711
+ delete this.sessions[authority];
2712
+ } else {
2713
+ entries.splice(i, 1);
2714
+ }
2715
+ if (!session.closed) {
2716
+ session.close();
2717
+ }
2718
+ return;
2719
+ }
2720
+ }
2721
+ };
2722
+ const originalRequestFn = session.request;
2723
+ const {
2724
+ sessionTimeout
2725
+ } = options;
2726
+ if (sessionTimeout != null) {
2727
+ let streamsCount = 0;
2728
+ session.request = function () {
2729
+ const stream = originalRequestFn.apply(this, arguments);
2730
+ streamsCount++;
2731
+ if (timer) {
2732
+ clearTimeout(timer);
2733
+ timer = null;
2734
+ }
2735
+ stream.once('close', () => {
2736
+ if (! --streamsCount) {
2737
+ timer = setTimeout(() => {
2738
+ timer = null;
2739
+ removeSession();
2740
+ }, sessionTimeout);
2741
+ }
2742
+ });
2743
+ return stream;
2744
+ };
2745
+ }
2746
+ session.once('close', removeSession);
2747
+ let entry = [session, options];
2748
+ authoritySessions ? authoritySessions.push(entry) : authoritySessions = this.sessions[authority] = [entry];
2749
+ return session;
2750
+ }
2751
+ }
2752
+
2508
2753
  const callbackify = (fn, reducer) => {
2509
2754
  return utils$1.isAsyncFn(fn) ? function (...args) {
2510
2755
  const cb = args.pop();
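Review bot: `getSession` registers only `session.once('close', removeSession)` on the object returned by `http2.connect`, and nothing in this hunk listens for the session's `'error'` event. Unless the caller attaches a listener outside this hunk, a connection-level failure on a cached session would surface as an unhandled `'error'` on an EventEmitter. Because the session is shared across requests to the same authority, one failure would affect all of them. I would attach a handler where the session is created, for example `session.once('error', removeSession);`, and document on the class that sessions are keyed by authority plus a deep comparison of `options`. The default `sessionTimeout: 1000` also deserves a comment giving its unit and saying that the timer only starts once the last open stream has closed.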
@@ -2518,13 +2763,34 @@ const callbackify = (fn, reducer) => {
2518
2763
  } : fn;
2519
2764
  };
2520
2765
 
2521
- const LOOPBACK_HOSTNAMES = new Set(['localhost']);
2766
+ const LOOPBACK_HOSTNAMES = new Set(['localhost', '0.0.0.0']);
2522
2767
  const isIPv4Loopback = host => {
2523
2768
  const parts = host.split('.');
2524
2769
  if (parts.length !== 4) return false;
2525
2770
  if (parts[0] !== '127') return false;
2526
2771
  return parts.every(p => /^\d+$/.test(p) && Number(p) >= 0 && Number(p) <= 255);
2527
2772
  };
2773
+ const isIPv6ZeroGroup = group => /^0{1,4}$/.test(group);
2774
+
2775
+ // The unspecified address (IPv4 0.0.0.0 / IPv6 ::) resolves to the local host
2776
+ // for outbound connections, so treat it as loopback-equivalent for NO_PROXY
2777
+ // matching. 0.0.0.0 is covered by LOOPBACK_HOSTNAMES; this handles compressed
2778
+ // and full IPv6 all-zero forms so both families bypass symmetrically.
2779
+ const isIPv6Unspecified = host => {
2780
+ if (host === '::') return true;
2781
+ const compressionIndex = host.indexOf('::');
2782
+ if (compressionIndex !== -1) {
2783
+ if (compressionIndex !== host.lastIndexOf('::')) return false;
2784
+ const left = host.slice(0, compressionIndex);
2785
+ const right = host.slice(compressionIndex + 2);
2786
+ const leftGroups = left ? left.split(':') : [];
2787
+ const rightGroups = right ? right.split(':') : [];
2788
+ const explicitGroups = leftGroups.length + rightGroups.length;
2789
+ return explicitGroups < 8 && leftGroups.every(isIPv6ZeroGroup) && rightGroups.every(isIPv6ZeroGroup);
2790
+ }
2791
+ const groups = host.split(':');
2792
+ return groups.length === 8 && groups.every(isIPv6ZeroGroup);
2793
+ };
2528
2794
  const isIPv6Loopback = host => {
2529
2795
  // Collapse all-zero groups: any form of ::1 / 0:0:...:0:1
2530
2796
  // First, strip any leading "::" by normalising with Set lookup of common forms,
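Review bot: `LOOPBACK_HOSTNAMES` now contains `'0.0.0.0'`, which is the unspecified address rather than a loopback hostname, and the only explanation sits in the comment above `isIPv6Unspecified`. The set is an exact string match, so only that literal spelling is covered, whereas `isIPv4Loopback` next to it parses the octets. I would put a comment on the set itself, for example `// '0.0.0.0' (unspecified) is treated as loopback-equivalent for NO_PROXY matching; exact spelling only.`. Since the comment says these hosts now bypass the proxy, the change widens what skips the proxy and should be called out for deployments that use the proxy as an egress control. `isIPv6Loopback` continues outside this hunk.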
@@ -2557,6 +2823,7 @@ const isLoopback = host => {
2557
2823
  if (!host) return false;
2558
2824
  if (LOOPBACK_HOSTNAMES.has(host)) return true;
2559
2825
  if (isIPv4Loopback(host)) return true;
2826
+ if (isIPv6Unspecified(host)) return true;
2560
2827
  return isIPv6Loopback(host);
2561
2828
  };
2562
2829
  const DEFAULT_PORTS = {
@@ -2776,11 +3043,13 @@ const asyncDecorator = fn => (...args) => utils$1.asap(() => fn(...args));
2776
3043
  * Estimate decoded byte length of a data:// URL *without* allocating large buffers.
2777
3044
  * - For base64: compute exact decoded size using length and padding;
2778
3045
  * handle %XX at the character-count level (no string allocation).
2779
- * - For non-base64: use UTF-8 byteLength of the encoded body as a safe upper bound.
3046
+ * - For non-base64: compute the exact percent-decoded UTF-8 byte length.
2780
3047
  *
2781
3048
  * @param {string} url
2782
3049
  * @returns {number}
2783
3050
  */
3051
+ const isHexDigit = charCode => charCode >= 48 && charCode <= 57 || charCode >= 65 && charCode <= 70 || charCode >= 97 && charCode <= 102;
3052
+ const isPercentEncodedByte = (str, i, len) => i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
2784
3053
  function estimateDataURLDecodedBytes(url) {
2785
3054
  if (!url || typeof url !== 'string') return 0;
2786
3055
  if (!url.startsWith('data:')) return 0;
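Review bot: The two helpers added on new lines 3051-3052 sit between the JSDoc block and `function estimateDataURLDecodedBytes`, so the block ending on line 3050 now attaches to `isHexDigit` instead of the function it describes. Moving `isHexDigit` and `isPercentEncodedByte` above the `/**` line restores the association. Each helper would benefit from a one-line comment, for example `// True when the code unit is 0-9, A-F or a-f.` and `// True when str[i] is '%' followed by two hex digits inside the first len characters.`. The body of `estimateDataURLDecodedBytes` continues outside this hunk.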
@@ -2797,7 +3066,7 @@ function estimateDataURLDecodedBytes(url) {
2797
3066
  if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
2798
3067
  const a = body.charCodeAt(i + 1);
2799
3068
  const b = body.charCodeAt(i + 2);
2800
- const isHex = (a >= 48 && a <= 57 || a >= 65 && a <= 70 || a >= 97 && a <= 102) && (b >= 48 && b <= 57 || b >= 65 && b <= 70 || b >= 97 && b <= 102);
3069
+ const isHex = isHexDigit(a) && isHexDigit(b);
2801
3070
  if (isHex) {
2802
3071
  effectiveLen -= 2;
2803
3072
  i += 2;
@@ -2832,18 +3101,18 @@ function estimateDataURLDecodedBytes(url) {
2832
3101
  const bytes = groups * 3 - (pad || 0);
2833
3102
  return bytes > 0 ? bytes : 0;
2834
3103
  }
2835
- if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
2836
- return Buffer.byteLength(body, 'utf8');
2837
- }
2838
3104
 
2839
3105
  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
2840
3106
  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
2841
- // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
2842
- // but 3 UTF-8 bytes).
3107
+ // Valid %XX triplets count as one decoded byte; this matches the bytes that
3108
+ // decodeURIComponent(body) would produce before Buffer re-encodes the string.
2843
3109
  let bytes = 0;
2844
3110
  for (let i = 0, len = body.length; i < len; i++) {
2845
3111
  const c = body.charCodeAt(i);
2846
- if (c < 0x80) {
3112
+ if (c === 37 /* '%' */ && isPercentEncodedByte(body, i, len)) {
3113
+ bytes += 1;
3114
+ i += 2;
3115
+ } else if (c < 0x80) {
2847
3116
  bytes += 1;
2848
3117
  } else if (c < 0x800) {
2849
3118
  bytes += 2;
@@ -2870,7 +3139,14 @@ const brotliOptions = {
2870
3139
  flush: zlib.constants.BROTLI_OPERATION_FLUSH,
2871
3140
  finishFlush: zlib.constants.BROTLI_OPERATION_FLUSH
2872
3141
  };
3142
+ const zstdOptions = {
3143
+ flush: zlib.constants.ZSTD_e_flush,
3144
+ finishFlush: zlib.constants.ZSTD_e_flush
3145
+ };
2873
3146
  const isBrotliSupported = utils$1.isFunction(zlib.createBrotliDecompress);
3147
+ const isZstdSupported = utils$1.isFunction(zlib.createZstdDecompress);
3148
+ const ACCEPT_ENCODING = 'gzip, compress, deflate' + (isBrotliSupported ? ', br' : '');
3149
+ const ACCEPT_ENCODING_WITH_ZSTD = ACCEPT_ENCODING + (isZstdSupported ? ', zstd' : '');
2874
3150
  const {
2875
3151
  http: httpFollow,
2876
3152
  https: httpsFollow
@@ -2905,6 +3181,36 @@ const kAxiosInstalledTunnel = Symbol('axios.http.installedTunnel');
2905
3181
  // so unbounded growth is not a concern in practice.
2906
3182
  const tunnelingAgentCache = new Map();
2907
3183
  const tunnelingAgentCacheUser = new WeakMap();
3184
+ // Minimum minor versions where Node's HTTP Agent supports native proxyEnv
3185
+ // handling. Checking the selected agent below also covers startup modes such
3186
+ // as NODE_OPTIONS=--use-env-proxy and --no-use-env-proxy precedence.
3187
+ const NODE_NATIVE_ENV_PROXY_SUPPORT = {
3188
+ 22: 21,
3189
+ 24: 5
3190
+ };
3191
+ function isNodeNativeEnvProxySupported(nodeVersion = process.versions && process.versions.node) {
3192
+ if (!nodeVersion) {
3193
+ return false;
3194
+ }
3195
+ const [major, minor] = nodeVersion.split('.').map(part => Number(part));
3196
+ if (!Number.isInteger(major) || !Number.isInteger(minor)) {
3197
+ return false;
3198
+ }
3199
+ if (major > 24) {
3200
+ return true;
3201
+ }
3202
+ return NODE_NATIVE_ENV_PROXY_SUPPORT[major] != null && minor >= NODE_NATIVE_ENV_PROXY_SUPPORT[major];
3203
+ }
3204
+ function isNodeEnvProxyEnabled(agent, nodeVersion = process.versions && process.versions.node) {
3205
+ if (!isNodeNativeEnvProxySupported(nodeVersion)) {
3206
+ return false;
3207
+ }
3208
+ const agentOptions = agent && agent.options;
3209
+ return Boolean(agentOptions && utils$1.hasOwnProp(agentOptions, 'proxyEnv') && agentOptions.proxyEnv != null);
3210
+ }
3211
+ function getProxyEnvAgent(options, configHttpAgent, configHttpsAgent) {
3212
+ return isHttps.test(options.protocol) ? configHttpsAgent || https.globalAgent : configHttpAgent || http.globalAgent;
3213
+ }
2908
3214
  function getTunnelingAgent(agentOptions, userHttpsAgent) {
2909
3215
  const key = agentOptions.protocol + '//' + agentOptions.hostname + ':' + (agentOptions.port || '') + '#' + (agentOptions.auth || '');
2910
3216
  const cache = userHttpsAgent ? tunnelingAgentCacheUser.get(userHttpsAgent) || tunnelingAgentCacheUser.set(userHttpsAgent, new Map()).get(userHttpsAgent) : tunnelingAgentCache;
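Review bot: `isNodeNativeEnvProxySupported` returns false for every major below 25 that is not a key of `NODE_NATIVE_ENV_PROXY_SUPPORT`, so for example Node 23 is treated as lacking native support, and the comment above the table does not say so. Since `isNodeEnvProxyEnabled` decides whether `setProxy` skips axios's own environment-proxy lookup (hunk `+3318`), that default should be explicit, for example `// Majors not listed here (and below 25) are treated as lacking native proxyEnv support.` above the table. The three new helpers also have no JSDoc; a short block on each giving the parameters and the boolean or agent it returns would match the documented functions further down.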
@@ -2918,6 +3224,19 @@ function getTunnelingAgent(agentOptions, userHttpsAgent) {
2918
3224
  ...agentOptions
2919
3225
  } : agentOptions;
2920
3226
  agent = new HttpsProxyAgent(merged);
3227
+ if (userHttpsAgent && userHttpsAgent.options) {
3228
+ const originTLSOptions = {
3229
+ ...userHttpsAgent.options
3230
+ };
3231
+ const callback = agent.callback;
3232
+ agent.callback = function axiosTunnelingAgentCallback(req, opts) {
3233
+ // HttpsProxyAgent v5 reads callback opts for the post-CONNECT origin TLS upgrade.
3234
+ return callback.call(this, req, {
3235
+ ...originTLSOptions,
3236
+ ...opts
3237
+ });
3238
+ };
3239
+ }
2921
3240
  agent[kAxiosInstalledTunnel] = true;
2922
3241
  cache.set(key, agent);
2923
3242
  return agent;
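Review bot: `originTLSOptions` is built by spreading every own option of the user's https agent, so settings unrelated to TLS are also passed to the tunnel's post-CONNECT callback whenever `opts` does not override them. Copying only the TLS-related keys the origin handshake needs would keep the wrapper narrow; which keys HttpsProxyAgent reads is not visible here, so the list needs confirming against that library. The wrapper also assumes `agent.callback` exists, so a guard such as `if (typeof callback === 'function')` around the reassignment would avoid a failure at request time on an agent version that lacks it. `getTunnelingAgent` starts and ends outside this hunk.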
@@ -2930,7 +3249,7 @@ const supportedProtocols = platform.protocols.map(protocol => {
2930
3249
  // Decode before composing the `auth` option so credentials such as
2931
3250
  // `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the
2932
3251
  // original value for malformed input so a bad encoding never throws.
2933
- const decodeURIComponentSafe = value => {
3252
+ const decodeURIComponentSafe$1 = value => {
2934
3253
  if (!utils$1.isString(value)) {
2935
3254
  return value;
2936
3255
  }
@@ -2944,84 +3263,11 @@ const flushOnFinish = (stream, [throttled, flush]) => {
2944
3263
  stream.on('end', flush).on('error', flush);
2945
3264
  return throttled;
2946
3265
  };
2947
- class Http2Sessions {
2948
- constructor() {
2949
- this.sessions = Object.create(null);
2950
- }
2951
- getSession(authority, options) {
2952
- options = Object.assign({
2953
- sessionTimeout: 1000
2954
- }, options);
2955
- let authoritySessions = this.sessions[authority];
2956
- if (authoritySessions) {
2957
- let len = authoritySessions.length;
2958
- for (let i = 0; i < len; i++) {
2959
- const [sessionHandle, sessionOptions] = authoritySessions[i];
2960
- if (!sessionHandle.destroyed && !sessionHandle.closed && util.isDeepStrictEqual(sessionOptions, options)) {
2961
- return sessionHandle;
2962
- }
2963
- }
2964
- }
2965
- const session = http2.connect(authority, options);
2966
- let removed;
2967
- const removeSession = () => {
2968
- if (removed) {
2969
- return;
2970
- }
2971
- removed = true;
2972
- let entries = authoritySessions,
2973
- len = entries.length,
2974
- i = len;
2975
- while (i--) {
2976
- if (entries[i][0] === session) {
2977
- if (len === 1) {
2978
- delete this.sessions[authority];
2979
- } else {
2980
- entries.splice(i, 1);
2981
- }
2982
- if (!session.closed) {
2983
- session.close();
2984
- }
2985
- return;
2986
- }
2987
- }
2988
- };
2989
- const originalRequestFn = session.request;
2990
- const {
2991
- sessionTimeout
2992
- } = options;
2993
- if (sessionTimeout != null) {
2994
- let timer;
2995
- let streamsCount = 0;
2996
- session.request = function () {
2997
- const stream = originalRequestFn.apply(this, arguments);
2998
- streamsCount++;
2999
- if (timer) {
3000
- clearTimeout(timer);
3001
- timer = null;
3002
- }
3003
- stream.once('close', () => {
3004
- if (! --streamsCount) {
3005
- timer = setTimeout(() => {
3006
- timer = null;
3007
- removeSession();
3008
- }, sessionTimeout);
3009
- }
3010
- });
3011
- return stream;
3012
- };
3013
- }
3014
- session.once('close', removeSession);
3015
- let entry = [session, options];
3016
- authoritySessions ? authoritySessions.push(entry) : authoritySessions = this.sessions[authority] = [entry];
3017
- return session;
3018
- }
3019
- }
3020
3266
  const http2Sessions = new Http2Sessions();
3021
3267
 
3022
3268
  /**
3023
- * If the proxy or config beforeRedirects functions are defined, call them with the options
3024
- * object.
3269
+ * If the proxy, auth, sensitive header, or config beforeRedirects functions are defined,
3270
+ * call them with the options object.
3025
3271
  *
3026
3272
  * @param {Object<string, any>} options - The options object that was passed to the request.
3027
3273
  *
@@ -3031,10 +3277,37 @@ function dispatchBeforeRedirect(options, responseDetails, requestDetails) {
3031
3277
  if (options.beforeRedirects.proxy) {
3032
3278
  options.beforeRedirects.proxy(options);
3033
3279
  }
3280
+ if (options.beforeRedirects.auth) {
3281
+ options.beforeRedirects.auth(options);
3282
+ }
3283
+ if (options.beforeRedirects.sensitiveHeaders) {
3284
+ options.beforeRedirects.sensitiveHeaders(options, requestDetails);
3285
+ }
3034
3286
  if (options.beforeRedirects.config) {
3035
3287
  options.beforeRedirects.config(options, responseDetails, requestDetails);
3036
3288
  }
3037
3289
  }
3290
+ function stripMatchingHeaders(headers, sensitiveSet) {
3291
+ if (!headers) {
3292
+ return;
3293
+ }
3294
+ Object.keys(headers).forEach(header => {
3295
+ if (sensitiveSet.has(header.toLowerCase())) {
3296
+ delete headers[header];
3297
+ }
3298
+ });
3299
+ }
3300
+ function isSameOriginRedirect(redirectOptions, requestDetails) {
3301
+ if (!requestDetails) {
3302
+ return false;
3303
+ }
3304
+ try {
3305
+ return new URL(requestDetails.url).origin === new URL(redirectOptions.href).origin;
3306
+ } catch (e) {
3307
+ // If origin comparison fails, treat the redirect as unsafe.
3308
+ return false;
3309
+ }
3310
+ }
3038
3311
 
3039
3312
  /**
3040
3313
  * If the proxy or config afterRedirects functions are defined, call them with the options
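Review bot: `isSameOriginRedirect` compares the two `origin` strings directly, and the URL API serialises every opaque origin as the string `'null'`, so two URLs with non-http(s) schemes would compare as same-origin and keep the sensitive headers. Redirect targets here are presumably always http or https, so this is hardening rather than a reachable bug, but rejecting the opaque case makes the helper fail closed for any input: `const from = new URL(requestDetails.url).origin;` then `return from !== 'null' && from === new URL(redirectOptions.href).origin;`. The inline comparison in `beforeRedirectAuth` (hunk `+3858`) has the same caveat. `stripMatchingHeaders` and `isSameOriginRedirect` also have no JSDoc, unlike the neighbouring functions.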
@@ -3045,9 +3318,10 @@ function dispatchBeforeRedirect(options, responseDetails, requestDetails) {
3045
3318
  *
3046
3319
  * @returns {http.ClientRequestArgs}
3047
3320
  */
3048
- function setProxy(options, configProxy, location, isRedirect, configHttpsAgent) {
3321
+ function setProxy(options, configProxy, location, isRedirect, configHttpsAgent, configHttpAgent) {
3049
3322
  let proxy = configProxy;
3050
- if (!proxy && proxy !== false) {
3323
+ const proxyEnvAgent = getProxyEnvAgent(options, configHttpAgent, configHttpsAgent);
3324
+ if (!proxy && proxy !== false && !isNodeEnvProxyEnabled(proxyEnvAgent)) {
3051
3325
  const proxyUrl = getProxyForUrl(location);
3052
3326
  if (proxyUrl) {
3053
3327
  if (!shouldBypassProxy(location)) {
@@ -3138,7 +3412,7 @@ function setProxy(options, configProxy, location, isRedirect, configHttpsAgent)
3138
3412
  }
3139
3413
  const tunnelingAgent = getTunnelingAgent(agentOptions, configHttpsAgent);
3140
3414
  // Set both: `options.agent` is consumed by the native https.request path
3141
- // (config.maxRedirects === 0); `options.agents.https` is consumed by
3415
+ // (maxRedirects === 0); `options.agents.https` is consumed by
3142
3416
  // follow-redirects, which ignores `options.agent` when `options.agents`
3143
3417
  // is present.
3144
3418
  options.agent = tunnelingAgent;
@@ -3182,7 +3456,7 @@ function setProxy(options, configProxy, location, isRedirect, configHttpsAgent)
3182
3456
  options.beforeRedirects.proxy = function beforeRedirect(redirectOptions) {
3183
3457
  // Configure proxy for redirected request, passing the original config proxy to apply
3184
3458
  // the exact same logic as if the redirected request was performed by axios directly.
3185
- setProxy(redirectOptions, configProxy, redirectOptions.href, true, configHttpsAgent);
3459
+ setProxy(redirectOptions, configProxy, redirectOptions.href, true, configHttpsAgent, configHttpAgent);
3186
3460
  };
3187
3461
  }
3188
3462
  const isHttpAdapterSupported = typeof process !== 'undefined' && utils$1.kindOf(process) === 'process';
@@ -3265,16 +3539,30 @@ const http2Transport = {
3265
3539
  /*eslint consistent-return:0*/
3266
3540
  var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3267
3541
  return wrapAsync(async function dispatchHttpRequest(resolve, reject, onDone) {
3268
- const own = key => utils$1.hasOwnProp(config, key) ? config[key] : undefined;
3542
+ // Read config pollution-safely: own properties and members inherited from
3543
+ // a non-Object.prototype source (e.g. an Object.create(defaults) template)
3544
+ // are honored, but values injected onto a polluted Object.prototype are
3545
+ // ignored. All behavior-affecting reads in this adapter go through own()
3546
+ // so the protection boundary stays consistent.
3547
+ const own = key => utils$1.getSafeProp(config, key);
3548
+ const transitional = own('transitional') || transitionalDefaults;
3269
3549
  let data = own('data');
3270
3550
  let lookup = own('lookup');
3271
3551
  let family = own('family');
3272
3552
  let httpVersion = own('httpVersion');
3273
3553
  if (httpVersion === undefined) httpVersion = 1;
3274
3554
  let http2Options = own('http2Options');
3555
+ const httpAgent = own('httpAgent');
3556
+ const httpsAgent = own('httpsAgent');
3557
+ const configProxy = own('proxy');
3275
3558
  const responseType = own('responseType');
3276
3559
  const responseEncoding = own('responseEncoding');
3277
- const method = config.method.toUpperCase();
3560
+ const socketPath = own('socketPath');
3561
+ const method = own('method').toUpperCase();
3562
+ const maxRedirects = own('maxRedirects');
3563
+ const maxBodyLength = own('maxBodyLength');
3564
+ const maxContentLength = own('maxContentLength');
3565
+ const decompress = own('decompress');
3278
3566
  let isDone;
3279
3567
  let rejected = false;
3280
3568
  let req;
@@ -3305,7 +3593,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3305
3593
  try {
3306
3594
  abortEmitter.emit('abort', !reason || reason.type ? new CanceledError(null, config, req) : reason);
3307
3595
  } catch (err) {
3308
- console.warn('emit error', err);
3596
+ // ignore emit errors
3309
3597
  }
3310
3598
  }
3311
3599
  function clearConnectPhaseTimer() {
@@ -3315,10 +3603,11 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3315
3603
  }
3316
3604
  }
3317
3605
  function createTimeoutError() {
3318
- let timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded';
3319
- const transitional = config.transitional || transitionalDefaults;
3320
- if (config.timeoutErrorMessage) {
3321
- timeoutErrorMessage = config.timeoutErrorMessage;
3606
+ const configTimeout = own('timeout');
3607
+ let timeoutErrorMessage = configTimeout ? 'timeout of ' + configTimeout + 'ms exceeded' : 'timeout exceeded';
3608
+ const configTimeoutErrorMessage = own('timeoutErrorMessage');
3609
+ if (configTimeoutErrorMessage) {
3610
+ timeoutErrorMessage = configTimeoutErrorMessage;
3322
3611
  }
3323
3612
  return new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, req);
3324
3613
  }
@@ -3361,17 +3650,22 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3361
3650
  });
3362
3651
 
3363
3652
  // Parse url
3364
- const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
3365
- const parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined);
3653
+ const fullPath = buildFullPath(own('baseURL'), own('url'), own('allowAbsoluteUrls'), config);
3654
+ // Unix-socket requests (own socketPath) commonly pass a path-only url
3655
+ // like '/foo'; supply a synthetic base so new URL() can still parse it.
3656
+ // Use the own-property value (not config.socketPath) so a polluted
3657
+ // prototype cannot influence URL base selection.
3658
+ const urlBase = socketPath ? 'http://localhost' : platform.hasBrowserEnv ? platform.origin : undefined;
3659
+ const parsed = new URL(fullPath, urlBase);
3366
3660
  const protocol = parsed.protocol || supportedProtocols[0];
3367
3661
  if (protocol === 'data:') {
3368
3662
  // Apply the same semantics as HTTP: only enforce if a finite, non-negative cap is set.
3369
- if (config.maxContentLength > -1) {
3370
- // Use the exact string passed to fromDataURI (config.url); fall back to fullPath if needed.
3371
- const dataUrl = String(config.url || fullPath || '');
3663
+ if (maxContentLength > -1) {
3664
+ // Use the exact string passed to fromDataURI (the configured url); fall back to fullPath if needed.
3665
+ const dataUrl = String(own('url') || fullPath || '');
3372
3666
  const estimated = estimateDataURLDecodedBytes(dataUrl);
3373
- if (estimated > config.maxContentLength) {
3374
- return reject(new AxiosError('maxContentLength size of ' + config.maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config));
3667
+ if (estimated > maxContentLength) {
3668
+ return reject(new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config));
3375
3669
  }
3376
3670
  }
3377
3671
  let convertedData;
@@ -3384,7 +3678,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3384
3678
  });
3385
3679
  }
3386
3680
  try {
3387
- convertedData = fromDataURI(config.url, responseType === 'blob', {
3681
+ convertedData = fromDataURI(own('url'), responseType === 'blob', {
3388
3682
  Blob: config.env && config.env.Blob
3389
3683
  });
3390
3684
  } catch (err) {
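Review bot: `config.env` is still read directly on the line after the changed `fromDataURI` call, although the comment added at the top of `dispatchHttpRequest` (hunk `+3539`) states that all behavior-affecting reads in the adapter go through `own()`. If `config` is always the null-prototype object that `mergeConfig` builds, the direct read is harmless, but that is not guaranteed from what is visible here. Reading it the same way keeps the stated boundary true: `const env = own('env');` and `Blob: env && env.Blob`. The enclosing function starts and ends outside this hunk.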
@@ -3458,7 +3752,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3458
3752
 
3459
3753
  // Add Content-Length header if data exists
3460
3754
  headers.setContentLength(data.length, false);
3461
- if (config.maxBodyLength > -1 && data.length > config.maxBodyLength) {
3755
+ if (maxBodyLength > -1 && data.length > maxBodyLength) {
3462
3756
  return reject(new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config));
3463
3757
  }
3464
3758
  }
@@ -3485,27 +3779,26 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3485
3779
  let auth = undefined;
3486
3780
  const configAuth = own('auth');
3487
3781
  if (configAuth) {
3488
- const username = configAuth.username || '';
3489
- const password = configAuth.password || '';
3782
+ const username = utils$1.getSafeProp(configAuth, 'username') || '';
3783
+ const password = utils$1.getSafeProp(configAuth, 'password') || '';
3490
3784
  auth = username + ':' + password;
3491
3785
  }
3492
- if (!auth && parsed.username) {
3493
- const urlUsername = decodeURIComponentSafe(parsed.username);
3494
- const urlPassword = decodeURIComponentSafe(parsed.password);
3786
+ if (!auth && (parsed.username || parsed.password)) {
3787
+ const urlUsername = decodeURIComponentSafe$1(parsed.username);
3788
+ const urlPassword = decodeURIComponentSafe$1(parsed.password);
3495
3789
  auth = urlUsername + ':' + urlPassword;
3496
3790
  }
3497
3791
  auth && headers.delete('authorization');
3498
3792
  let path$1;
3499
3793
  try {
3500
- path$1 = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, '');
3794
+ path$1 = buildURL(parsed.pathname + parsed.search, own('params'), own('paramsSerializer')).replace(/^\?/, '');
3501
3795
  } catch (err) {
3502
- const customErr = new Error(err.message);
3503
- customErr.config = config;
3504
- customErr.url = config.url;
3505
- customErr.exists = true;
3506
- return reject(customErr);
3796
+ return reject(AxiosError.from(err, AxiosError.ERR_BAD_REQUEST, config, null, null, {
3797
+ url: own('url'),
3798
+ exists: true
3799
+ }));
3507
3800
  }
3508
- headers.set('Accept-Encoding', 'gzip, compress, deflate' + (isBrotliSupported ? ', br' : ''), false);
3801
+ headers.set('Accept-Encoding', utils$1.hasOwnProp(transitional, 'advertiseZstdAcceptEncoding') && transitional.advertiseZstdAcceptEncoding === true ? ACCEPT_ENCODING_WITH_ZSTD : ACCEPT_ENCODING, false);
3509
3802
 
3510
3803
  // Null-prototype to block prototype pollution gadgets on properties read
3511
3804
  // directly by Node's http.request (e.g. insecureHTTPParser, lookup).
@@ -3514,8 +3807,8 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3514
3807
  method: method,
3515
3808
  headers: toByteStringHeaderObject(headers),
3516
3809
  agents: {
3517
- http: config.httpAgent,
3518
- https: config.httpsAgent
3810
+ http: httpAgent,
3811
+ https: httpsAgent
3519
3812
  },
3520
3813
  auth,
3521
3814
  protocol,
@@ -3527,31 +3820,37 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3527
3820
 
3528
3821
  // cacheable-lookup integration hotfix
3529
3822
  !utils$1.isUndefined(lookup) && (options.lookup = lookup);
3530
- if (config.socketPath) {
3531
- if (typeof config.socketPath !== 'string') {
3823
+ if (socketPath) {
3824
+ if (typeof socketPath !== 'string') {
3532
3825
  return reject(new AxiosError('socketPath must be a string', AxiosError.ERR_BAD_OPTION_VALUE, config));
3533
3826
  }
3534
- if (config.allowedSocketPaths != null) {
3535
- const allowed = Array.isArray(config.allowedSocketPaths) ? config.allowedSocketPaths : [config.allowedSocketPaths];
3536
- const resolvedSocket = path.resolve(config.socketPath);
3827
+ const allowedSocketPaths = own('allowedSocketPaths');
3828
+ if (allowedSocketPaths != null) {
3829
+ const allowed = Array.isArray(allowedSocketPaths) ? allowedSocketPaths : [allowedSocketPaths];
3830
+ const resolvedSocket = path.resolve(socketPath);
3537
3831
  const isAllowed = allowed.some(entry => typeof entry === 'string' && path.resolve(entry) === resolvedSocket);
3538
3832
  if (!isAllowed) {
3539
- return reject(new AxiosError(`socketPath "${config.socketPath}" is not permitted by allowedSocketPaths`, AxiosError.ERR_BAD_OPTION_VALUE, config));
3833
+ return reject(new AxiosError(`socketPath "${socketPath}" is not permitted by allowedSocketPaths`, AxiosError.ERR_BAD_OPTION_VALUE, config));
3540
3834
  }
3541
3835
  }
3542
- options.socketPath = config.socketPath;
3836
+ options.socketPath = socketPath;
3543
3837
  } else {
3544
3838
  options.hostname = parsed.hostname.startsWith('[') ? parsed.hostname.slice(1, -1) : parsed.hostname;
3545
3839
  options.port = parsed.port;
3546
- setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path, false, config.httpsAgent);
3840
+ setProxy(options, configProxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path, false, httpsAgent, httpAgent);
3547
3841
  }
3548
3842
  let transport;
3549
3843
  let isNativeTransport = false;
3844
+ // True only for the follow-redirects transport, which applies
3845
+ // options.maxBodyLength itself. Every other transport (http2, native
3846
+ // http/https, a user-supplied custom transport) needs the explicit
3847
+ // byte-counting pipeline below to enforce maxBodyLength on streamed uploads.
3848
+ let transportEnforcesMaxBodyLength = false;
3550
3849
  const isHttpsRequest = isHttps.test(options.protocol);
3551
3850
  // Don't clobber a CONNECT-tunneling agent installed by setProxy() for an
3552
3851
  // HTTPS target.
3553
3852
  if (options.agent == null) {
3554
- options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent;
3853
+ options.agent = isHttpsRequest ? httpsAgent : httpAgent;
3555
3854
  }
3556
3855
  if (isHttp2) {
3557
3856
  transport = http2Transport;
@@ -3559,24 +3858,67 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3559
3858
  const configTransport = own('transport');
3560
3859
  if (configTransport) {
3561
3860
  transport = configTransport;
3562
- } else if (config.maxRedirects === 0) {
3861
+ } else if (maxRedirects === 0) {
3563
3862
  transport = isHttpsRequest ? https : http;
3564
3863
  isNativeTransport = true;
3565
3864
  } else {
3566
- if (config.maxRedirects) {
3567
- options.maxRedirects = config.maxRedirects;
3865
+ transportEnforcesMaxBodyLength = true;
3866
+ options.sensitiveHeaders = [];
3867
+ if (maxRedirects) {
3868
+ options.maxRedirects = maxRedirects;
3568
3869
  }
3569
3870
  const configBeforeRedirect = own('beforeRedirect');
3570
3871
  if (configBeforeRedirect) {
3571
3872
  options.beforeRedirects.config = configBeforeRedirect;
3572
3873
  }
3874
+ if (auth) {
3875
+ // Restore HTTP Basic credentials on same-origin redirects only.
3876
+ // follow-redirects >= 1.15.8 strips Authorization on every redirect (see #6929);
3877
+ // cross-origin stripping is the documented mitigation for T-R2 in THREATMODEL.md
3878
+ // and is preserved by deliberately not restoring on origin change.
3879
+ const requestOrigin = parsed.origin;
3880
+ const authToRestore = auth;
3881
+ options.beforeRedirects.auth = function beforeRedirectAuth(redirectOptions) {
3882
+ try {
3883
+ if (new URL(redirectOptions.href).origin === requestOrigin) {
3884
+ redirectOptions.auth = authToRestore;
3885
+ }
3886
+ } catch (e) {
3887
+ // ignore malformed URL: leaving auth stripped is fail-safe
3888
+ }
3889
+ };
3890
+ }
3891
+ const sensitiveHeaders = own('sensitiveHeaders');
3892
+ if (sensitiveHeaders != null) {
3893
+ if (!utils$1.isArray(sensitiveHeaders)) {
3894
+ return reject(new AxiosError('sensitiveHeaders must be an array of strings', AxiosError.ERR_BAD_OPTION_VALUE, config));
3895
+ }
3896
+ const sensitiveSet = new Set();
3897
+ for (const header of sensitiveHeaders) {
3898
+ if (!utils$1.isString(header)) {
3899
+ return reject(new AxiosError('sensitiveHeaders must be an array of strings', AxiosError.ERR_BAD_OPTION_VALUE, config));
3900
+ }
3901
+ sensitiveSet.add(header.toLowerCase());
3902
+ }
3903
+ if (sensitiveSet.size) {
3904
+ options.sensitiveHeaders = Array.from(sensitiveSet);
3905
+ options.beforeRedirects.sensitiveHeaders = function beforeRedirectSensitiveHeaders(redirectOptions, requestDetails) {
3906
+ if (!isSameOriginRedirect(redirectOptions, requestDetails)) {
3907
+ stripMatchingHeaders(redirectOptions.headers, sensitiveSet);
3908
+ }
3909
+ };
3910
+ }
3911
+ }
3573
3912
  transport = isHttpsRequest ? httpsFollow : httpFollow;
3574
3913
  }
3575
3914
  }
3576
- if (config.maxBodyLength > -1) {
3577
- options.maxBodyLength = config.maxBodyLength;
3915
+
3916
+ // Set an explicit maxBodyLength option for transports that inspect it.
3917
+ // When maxBodyLength is -1 (default/unlimited), use Infinity so
3918
+ // follow-redirects does not fall back to its own 10MB default.
3919
+ if (maxBodyLength > -1) {
3920
+ options.maxBodyLength = maxBodyLength;
3578
3921
  } else {
3579
- // follow-redirects does not skip comparison, so it should always succeed for axios -1 unlimited
3580
3922
  options.maxBodyLength = Infinity;
3581
3923
  }
3582
3924
 
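Review bot: `beforeRedirectAuth` decides whether to restore credentials by comparing the redirect target with `requestOrigin`, the origin of the initial request, while `beforeRedirectSensitiveHeaders` compares against `requestDetails`, which presumably describes the hop being redirected. On a chain that leaves the original origin and later returns to it, the Basic credentials would be restored but the custom sensitive headers would stay stripped. If that asymmetry is intended, it should be stated next to the code so it is not mistaken for an oversight, for example `// Compared with the initial request origin, not the previous hop.` above `const requestOrigin = parsed.origin;`. The enclosing function extends beyond this hunk.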
@@ -3606,7 +3948,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3606
3948
  const lastRequest = res.req || req;
3607
3949
 
3608
3950
  // if decompress disabled we should not decompress
3609
- if (config.decompress !== false && res.headers['content-encoding']) {
3951
+ if (decompress !== false && res.headers['content-encoding']) {
3610
3952
  // if no content, but headers still say that it is encoded,
3611
3953
  // remove the header not confuse downstream operations
3612
3954
  if (method === 'HEAD' || res.statusCode === 204) {
@@ -3638,6 +3980,13 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3638
3980
  streams.push(zlib.createBrotliDecompress(brotliOptions));
3639
3981
  delete res.headers['content-encoding'];
3640
3982
  }
3983
+ break;
3984
+ case 'zstd':
3985
+ if (isZstdSupported) {
3986
+ streams.push(zlib.createZstdDecompress(zstdOptions));
3987
+ delete res.headers['content-encoding'];
3988
+ }
3989
+ break;
3641
3990
  }
3642
3991
  }
3643
3992
  responseStream = streams.length > 1 ? stream.pipeline(streams, utils$1.noop) : streams[0];
@@ -3651,8 +4000,8 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3651
4000
  if (responseType === 'stream') {
3652
4001
  // Enforce maxContentLength on streamed responses; previously this
3653
4002
  // was applied only to buffered responses.
3654
- if (config.maxContentLength > -1) {
3655
- const limit = config.maxContentLength;
4003
+ if (maxContentLength > -1) {
4004
+ const limit = maxContentLength;
3656
4005
  const source = responseStream;
3657
4006
  async function* enforceMaxContentLength() {
3658
4007
  let totalResponseBytes = 0;
@@ -3678,11 +4027,11 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3678
4027
  totalResponseBytes += chunk.length;
3679
4028
 
3680
4029
  // make sure the content length is not over the maxContentLength if specified
3681
- if (config.maxContentLength > -1 && totalResponseBytes > config.maxContentLength) {
4030
+ if (maxContentLength > -1 && totalResponseBytes > maxContentLength) {
3682
4031
  // stream.destroy() emit aborted event before calling reject() on Node.js v16
3683
4032
  rejected = true;
3684
4033
  responseStream.destroy();
3685
- abort(new AxiosError('maxContentLength size of ' + config.maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, lastRequest));
4034
+ abort(new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, lastRequest));
3686
4035
  }
3687
4036
  });
3688
4037
  responseStream.on('aborted', function handlerStreamAborted() {
@@ -3745,7 +4094,11 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3745
4094
  const boundSockets = new Set();
3746
4095
  req.on('socket', function handleRequestSocket(socket) {
3747
4096
  // default interval of sending ack packet is 1 minute
3748
- socket.setKeepAlive(true, 1000 * 60);
4097
+ // proxy agents (e.g. agent-base) may return a generic Duplex stream
4098
+ // that doesn't have setKeepAlive, so guard before calling
4099
+ if (typeof socket.setKeepAlive === 'function') {
4100
+ socket.setKeepAlive(true, 1000 * 60);
4101
+ }
3749
4102
 
3750
4103
  // Install a single 'error' listener per socket (not per request) to avoid
3751
4104
  // accumulating listeners on pooled keep-alive sockets that get reassigned
@@ -3775,9 +4128,9 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3775
4128
  });
3776
4129
 
3777
4130
  // Handle request timeout
3778
- if (config.timeout) {
4131
+ if (own('timeout')) {
3779
4132
  // This is forcing a int timeout to avoid problems if the `req` interface doesn't handle other types.
3780
- const timeout = parseInt(config.timeout, 10);
4133
+ const timeout = parseInt(own('timeout'), 10);
3781
4134
  if (Number.isNaN(timeout)) {
3782
4135
  abort(new AxiosError('error trying to parse `config.timeout` to int', AxiosError.ERR_BAD_OPTION_VALUE, config, req));
3783
4136
  return;
@@ -3821,12 +4174,13 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) {
3821
4174
  }
3822
4175
  });
3823
4176
 
3824
- // Enforce maxBodyLength for streamed uploads on the native http/https
3825
- // transport (maxRedirects === 0); follow-redirects enforces it on the
3826
- // other path.
4177
+ // Enforce maxBodyLength for streamed uploads on every transport that
4178
+ // does not apply options.maxBodyLength itself (native http/https, http2,
4179
+ // and user-supplied custom transports). The follow-redirects transport
4180
+ // enforces it on the redirected HTTP/1 path.
3827
4181
  let uploadStream = data;
3828
- if (config.maxBodyLength > -1 && config.maxRedirects === 0) {
3829
- const limit = config.maxBodyLength;
4182
+ if (maxBodyLength > -1 && !transportEnforcesMaxBodyLength) {
4183
+ const limit = maxBodyLength;
3830
4184
  let bytesSent = 0;
3831
4185
  uploadStream = stream.pipeline([data, new stream.Transform({
3832
4186
  transform(chunk, _enc, cb) {
@@ -3889,7 +4243,11 @@ var cookies = platform.hasStandardBrowserEnv ?
3889
4243
  const cookie = cookies[i].replace(/^\s+/, '');
3890
4244
  const eq = cookie.indexOf('=');
3891
4245
  if (eq !== -1 && cookie.slice(0, eq) === name) {
3892
- return decodeURIComponent(cookie.slice(eq + 1));
4246
+ try {
4247
+ return decodeURIComponent(cookie.slice(eq + 1));
4248
+ } catch (e) {
4249
+ return cookie.slice(eq + 1);
4250
+ }
3893
4251
  }
3894
4252
  }
3895
4253
  return null;
@@ -3922,6 +4280,7 @@ const headersToObject = thing => thing instanceof AxiosHeaders ? {
3922
4280
  */
3923
4281
  function mergeConfig(config1, config2) {
3924
4282
  // eslint-disable-next-line no-param-reassign
4283
+ config1 = config1 || {};
3925
4284
  config2 = config2 || {};
3926
4285
 
3927
4286
  // Use a null-prototype object so that downstream reads such as `config.auth`
@@ -3973,6 +4332,23 @@ function mergeConfig(config1, config2) {
3973
4332
  return getMergedValue(undefined, a);
3974
4333
  }
3975
4334
  }
4335
+ function getMergedTransitionalOption(prop) {
4336
+ const transitional2 = utils$1.hasOwnProp(config2, 'transitional') ? config2.transitional : undefined;
4337
+ if (!utils$1.isUndefined(transitional2)) {
4338
+ if (utils$1.isPlainObject(transitional2)) {
4339
+ if (utils$1.hasOwnProp(transitional2, prop)) {
4340
+ return transitional2[prop];
4341
+ }
4342
+ } else {
4343
+ return undefined;
4344
+ }
4345
+ }
4346
+ const transitional1 = utils$1.hasOwnProp(config1, 'transitional') ? config1.transitional : undefined;
4347
+ if (utils$1.isPlainObject(transitional1) && utils$1.hasOwnProp(transitional1, prop)) {
4348
+ return transitional1[prop];
4349
+ }
4350
+ return undefined;
4351
+ }
3976
4352
 
3977
4353
  // eslint-disable-next-line consistent-return
3978
4354
  function mergeDirectKeys(a, b, prop) {
@@ -4025,6 +4401,13 @@ function mergeConfig(config1, config2) {
4025
4401
  const configValue = merge(a, b, prop);
4026
4402
  utils$1.isUndefined(configValue) && merge !== mergeDirectKeys || (config[prop] = configValue);
4027
4403
  });
4404
+ if (utils$1.hasOwnProp(config2, 'validateStatus') && utils$1.isUndefined(config2.validateStatus) && getMergedTransitionalOption('validateStatusUndefinedResolves') === false) {
4405
+ if (utils$1.hasOwnProp(config1, 'validateStatus')) {
4406
+ config.validateStatus = getMergedValue(undefined, config1.validateStatus);
4407
+ } else {
4408
+ delete config.validateStatus;
4409
+ }
4410
+ }
4028
4411
  return config;
4029
4412
  }
4030
4413
 
@@ -4034,7 +4417,7 @@ function setFormDataHeaders(headers, formHeaders, policy) {
4034
4417
  headers.set(formHeaders);
4035
4418
  return;
4036
4419
  }
4037
- Object.entries(formHeaders).forEach(([key, val]) => {
4420
+ Object.entries(formHeaders || {}).forEach(([key, val]) => {
4038
4421
  if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) {
4039
4422
  headers.set(key, val);
4040
4423
  }
@@ -4049,8 +4432,8 @@ function setFormDataHeaders(headers, formHeaders, policy) {
4049
4432
  *
4050
4433
  * @returns {string} UTF-8 bytes as a Latin-1 string
4051
4434
  */
4052
- const encodeUTF8 = str => encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
4053
- var resolveConfig = config => {
4435
+ const encodeUTF8$1 = str => encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
4436
+ function resolveConfig(config) {
4054
4437
  const newConfig = mergeConfig({}, config);
4055
4438
 
4056
4439
  // Read only own properties to prevent prototype pollution gadgets
@@ -4066,15 +4449,21 @@ var resolveConfig = config => {
4066
4449
  const allowAbsoluteUrls = own('allowAbsoluteUrls');
4067
4450
  const url = own('url');
4068
4451
  newConfig.headers = headers = AxiosHeaders.from(headers);
4069
- newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), config.params, config.paramsSerializer);
4452
+ newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig), own('params'), own('paramsSerializer'));
4070
4453
 
4071
4454
  // HTTP basic authentication
4072
4455
  if (auth) {
4073
- headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : '')));
4456
+ const username = utils$1.getSafeProp(auth, 'username') || '';
4457
+ const password = utils$1.getSafeProp(auth, 'password') || '';
4458
+ try {
4459
+ headers.set('Authorization', 'Basic ' + btoa(username + ':' + (password ? encodeUTF8$1(password) : '')));
4460
+ } catch (e) {
4461
+ throw AxiosError.from(e, AxiosError.ERR_BAD_OPTION_VALUE, config);
4462
+ }
4074
4463
  }
4075
4464
  if (utils$1.isFormData(data)) {
4076
- if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) {
4077
- headers.setContentType(undefined); // browser handles it
4465
+ if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv || utils$1.isReactNative(data)) {
4466
+ headers.setContentType(undefined); // browser/web worker/RN handles it
4078
4467
  } else if (utils$1.isFunction(data.getHeaders)) {
4079
4468
  // Node.js FormData (like form-data package)
4080
4469
  setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy'));
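Review bot: In the Basic-auth block only the password is passed through `encodeUTF8$1`; the username is concatenated raw, so a username with characters above U+00FF still makes `btoa` throw, and the new `try`/`catch` only converts that into `ERR_BAD_OPTION_VALUE`. The fetch-adapter hunk later in this diff (`@@ -4521,7 +4947,46 @@`) encodes the whole `user:pass` string instead, so the two paths can produce different header bytes for the same `auth` object. Encoding the joined string here would align them: `headers.set('Authorization', 'Basic ' + btoa(encodeUTF8$1(username + ':' + password)));`. That also drops the `password ? … : ''` guard, which is redundant because `password` already defaults to `''`. Note that this changes the bytes sent for usernames in the U+0080–U+00FF range, so it should be confirmed against existing callers; resolveConfig starts and ends outside this hunk.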
@@ -4102,7 +4491,7 @@ var resolveConfig = config => {
4102
4491
  }
4103
4492
  }
4104
4493
  return newConfig;
4105
- };
4494
+ }
4106
4495
 
4107
4496
  const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined';
4108
4497
  var xhrAdapter = isXHRAdapterSupported && function (config) {
@@ -4271,6 +4660,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) {
4271
4660
  const protocol = parseProtocol(_config.url);
4272
4661
  if (protocol && !platform.protocols.includes(protocol)) {
4273
4662
  reject(new AxiosError('Unsupported protocol ' + protocol + ':', AxiosError.ERR_BAD_REQUEST, config));
4663
+ done();
4274
4664
  return;
4275
4665
  }
4276
4666
 
@@ -4309,7 +4699,9 @@ const composeSignals = (signals, timeout) => {
4309
4699
  });
4310
4700
  signals = null;
4311
4701
  };
4312
- signals.forEach(signal => signal.addEventListener('abort', onabort));
4702
+ signals.forEach(signal => signal.addEventListener('abort', onabort, {
4703
+ once: true
4704
+ }));
4313
4705
  const {
4314
4706
  signal
4315
4707
  } = controller;
@@ -4403,6 +4795,31 @@ const DEFAULT_CHUNK_SIZE = 64 * 1024;
4403
4795
  const {
4404
4796
  isFunction
4405
4797
  } = utils$1;
4798
+
4799
+ /**
4800
+ * Encode a UTF-8 string to a Latin-1 byte string for use with btoa().
4801
+ * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern.
4802
+ *
4803
+ * @param {string} str The string to encode
4804
+ *
4805
+ * @returns {string} UTF-8 bytes as a Latin-1 string
4806
+ */
4807
+ const encodeUTF8 = str => encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
4808
+
4809
+ // Node's WHATWG URL parser returns `username` and `password` percent-encoded.
4810
+ // Decode before composing the `auth` option so credentials such as
4811
+ // `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the
4812
+ // original value for malformed input so a bad encoding never throws.
4813
+ const decodeURIComponentSafe = value => {
4814
+ if (!utils$1.isString(value)) {
4815
+ return value;
4816
+ }
4817
+ try {
4818
+ return decodeURIComponent(value);
4819
+ } catch (error) {
4820
+ return value;
4821
+ }
4822
+ };
4406
4823
  const test = (fn, ...args) => {
4407
4824
  try {
4408
4825
  return !!fn(...args);
@@ -4410,6 +4827,14 @@ const test = (fn, ...args) => {
4410
4827
  return false;
4411
4828
  }
4412
4829
  };
4830
+ const maybeWithAuthCredentials = url => {
4831
+ const protocolIndex = url.indexOf('://');
4832
+ let urlToCheck = url;
4833
+ if (protocolIndex !== -1) {
4834
+ urlToCheck = urlToCheck.slice(protocolIndex + 3);
4835
+ }
4836
+ return urlToCheck.includes('@') || urlToCheck.includes(':');
4837
+ };
4413
4838
  const factory = env => {
4414
4839
  const globalObject = utils$1.global !== undefined && utils$1.global !== null ? utils$1.global : globalThis;
4415
4840
  const {
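Review bot: `maybeWithAuthCredentials` has no comment, and its name and return value read as if a `true` result means credentials are present. It returns `true` for any `@` or `:` after the scheme, which includes a port number or either character in the path or query. The fetch-adapter hunk uses it only to decide whether to run `new URL(url, platform.origin)`, and that parse is what actually determines `username` and `password`. A comment such as `// Cheap pre-filter: may be true for ports, paths or queries; the URL parse at the call site is authoritative.` would stop a later caller from treating the result as a credential check.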
@@ -4513,6 +4938,7 @@ const factory = env => {
4513
4938
  } = resolveConfig(config);
4514
4939
  const hasMaxContentLength = utils$1.isNumber(maxContentLength) && maxContentLength > -1;
4515
4940
  const hasMaxBodyLength = utils$1.isNumber(maxBodyLength) && maxBodyLength > -1;
4941
+ const own = key => utils$1.hasOwnProp(config, key) ? config[key] : undefined;
4516
4942
  let _fetch = envFetch || fetch;
4517
4943
  responseType = responseType ? (responseType + '').toLowerCase() : 'text';
4518
4944
  let composedSignal = composeSignals([signal, cancelToken && cancelToken.toAbortSignal()], timeout);
@@ -4521,7 +4947,46 @@ const factory = env => {
4521
4947
  composedSignal.unsubscribe();
4522
4948
  });
4523
4949
  let requestContentLength;
4950
+
4951
+ // AxiosError we raise while the request body is being streamed. Captured
4952
+ // by identity so the catch block can surface it directly, regardless of
4953
+ // how the runtime wraps the resulting fetch rejection (undici exposes it
4954
+ // as `err.cause`; some browsers drop the original error entirely).
4955
+ let pendingBodyError = null;
4956
+ const maxBodyLengthError = () => new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, request);
4524
4957
  try {
4958
+ // HTTP basic authentication
4959
+ let auth = undefined;
4960
+ const configAuth = own('auth');
4961
+ if (configAuth) {
4962
+ const username = utils$1.getSafeProp(configAuth, 'username') || '';
4963
+ const password = utils$1.getSafeProp(configAuth, 'password') || '';
4964
+ auth = {
4965
+ username,
4966
+ password
4967
+ };
4968
+ }
4969
+ if (maybeWithAuthCredentials(url)) {
4970
+ const parsedURL = new URL(url, platform.origin);
4971
+ if (!auth && (parsedURL.username || parsedURL.password)) {
4972
+ const urlUsername = decodeURIComponentSafe(parsedURL.username);
4973
+ const urlPassword = decodeURIComponentSafe(parsedURL.password);
4974
+ auth = {
4975
+ username: urlUsername,
4976
+ password: urlPassword
4977
+ };
4978
+ }
4979
+ if (parsedURL.username || parsedURL.password) {
4980
+ parsedURL.username = '';
4981
+ parsedURL.password = '';
4982
+ url = parsedURL.href;
4983
+ }
4984
+ }
4985
+ if (auth) {
4986
+ headers.delete('authorization');
4987
+ headers.set('Authorization', 'Basic ' + btoa(encodeUTF8((auth.username || '') + ':' + (auth.password || ''))));
4988
+ }
4989
+
4525
4990
  // Enforce maxContentLength for data: URLs up-front so we never materialize
4526
4991
  // an oversized payload. The HTTP adapter applies the same check (see http.js
4527
4992
  // "if (protocol === 'data:')" branch).
@@ -4532,30 +4997,54 @@ const factory = env => {
4532
4997
  }
4533
4998
  }
4534
4999
 
4535
- // Enforce maxBodyLength against the outbound request body before dispatch.
4536
- // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than
4537
- // maxBodyLength limit'). Skip when the body length cannot be determined
4538
- // (e.g. a live ReadableStream supplied by the caller).
5000
+ // Enforce maxBodyLength against known-size bodies before dispatch using
5001
+ // the body's *actual* size never a caller-declared Content-Length,
5002
+ // which could under-report to slip an oversized body past the check.
5003
+ // Unknown-size streams return undefined here and are counted per-chunk
5004
+ // below as fetch consumes them.
4539
5005
  if (hasMaxBodyLength && method !== 'get' && method !== 'head') {
4540
- const outboundLength = await resolveBodyLength(headers, data);
4541
- if (typeof outboundLength === 'number' && isFinite(outboundLength) && outboundLength > maxBodyLength) {
4542
- throw new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, request);
5006
+ const outboundLength = await getBodyLength(data);
5007
+ if (typeof outboundLength === 'number' && isFinite(outboundLength)) {
5008
+ requestContentLength = outboundLength;
5009
+ if (outboundLength > maxBodyLength) {
5010
+ throw maxBodyLengthError();
5011
+ }
4543
5012
  }
4544
5013
  }
4545
- if (onUploadProgress && supportsRequestStream && method !== 'get' && method !== 'head' && (requestContentLength = await resolveBodyLength(headers, data)) !== 0) {
4546
- let _request = new Request(url, {
4547
- method: 'POST',
4548
- body: data,
4549
- duplex: 'half'
4550
- });
4551
- let contentTypeHeader;
4552
- if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
4553
- headers.setContentType(contentTypeHeader);
5014
+
5015
+ // A streamed body under maxBodyLength must be counted as fetch consumes
5016
+ // it; its size is never trusted from a caller-declared Content-Length.
5017
+ const mustEnforceStreamBody = hasMaxBodyLength && (utils$1.isReadableStream(data) || utils$1.isStream(data));
5018
+ const trackRequestStream = (stream, onProgress, flush) => trackStream(stream, DEFAULT_CHUNK_SIZE, loadedBytes => {
5019
+ if (hasMaxBodyLength && loadedBytes > maxBodyLength) {
5020
+ throw pendingBodyError = maxBodyLengthError();
4554
5021
  }
4555
- if (_request.body) {
4556
- const [onProgress, flush] = progressEventDecorator(requestContentLength, progressEventReducer(asyncDecorator(onUploadProgress)));
4557
- data = trackStream(_request.body, DEFAULT_CHUNK_SIZE, onProgress, flush);
5022
+ onProgress && onProgress(loadedBytes);
5023
+ }, flush);
5024
+ if (supportsRequestStream && method !== 'get' && method !== 'head' && (onUploadProgress || mustEnforceStreamBody)) {
5025
+ requestContentLength = requestContentLength == null ? await resolveBodyLength(headers, data) : requestContentLength;
5026
+
5027
+ // A declared length of 0 is only trusted to skip the wrap when we are
5028
+ // not enforcing a stream limit (which must not rely on that header).
5029
+ if (requestContentLength !== 0 || mustEnforceStreamBody) {
5030
+ let _request = new Request(url, {
5031
+ method: 'POST',
5032
+ body: data,
5033
+ duplex: 'half'
5034
+ });
5035
+ let contentTypeHeader;
5036
+ if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
5037
+ headers.setContentType(contentTypeHeader);
5038
+ }
5039
+ if (_request.body) {
5040
+ const [onProgress, flush] = onUploadProgress && progressEventDecorator(requestContentLength, progressEventReducer(asyncDecorator(onUploadProgress))) || [];
5041
+ data = trackRequestStream(_request.body, onProgress, flush);
5042
+ }
4558
5043
  }
5044
+ } else if (mustEnforceStreamBody && !isRequestSupported && isReadableStreamSupported && method !== 'get' && method !== 'head') {
5045
+ data = trackRequestStream(data);
5046
+ } else if (mustEnforceStreamBody && isRequestSupported && !supportsRequestStream && method !== 'get' && method !== 'head') {
5047
+ throw new AxiosError('Stream request bodies are not supported by the current fetch implementation', AxiosError.ERR_NOT_SUPPORT, config, request);
4559
5048
  }
4560
5049
  if (!utils$1.isString(withCredentials)) {
4561
5050
  withCredentials = withCredentials ? 'include' : 'omit';
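Review bot: The `if` / `else if` chain that wraps or rejects streamed bodies leaves one case where `mustEnforceStreamBody` is true but nothing happens: `supportsRequestStream`, `isRequestSupported` and `isReadableStreamSupported` all false. In that case the body is neither counted by `trackRequestStream` nor rejected, so `maxBodyLength` is silently not applied. Those flags are defined outside this hunk, so whether that combination is reachable with a stream body needs confirming. Making the last branch a catch-all would fail closed: `} else if (mustEnforceStreamBody && method !== 'get' && method !== 'head') {`. The second branch also passes `data` straight to `trackRequestStream` when `utils$1.isStream(data)` may have been the match; it is worth checking that `trackStream` accepts that kind of stream.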
@@ -4587,11 +5076,12 @@ const factory = env => {
4587
5076
  };
4588
5077
  request = isRequestSupported && new Request(url, resolvedOptions);
4589
5078
  let response = await (isRequestSupported ? _fetch(request, fetchOptions) : _fetch(url, resolvedOptions));
5079
+ const responseHeaders = AxiosHeaders.from(response.headers);
4590
5080
 
4591
5081
  // Cheap pre-check: if the server honestly declares a content-length that
4592
5082
  // already exceeds the cap, reject before we start streaming.
4593
5083
  if (hasMaxContentLength) {
4594
- const declaredLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
5084
+ const declaredLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
4595
5085
  if (declaredLength != null && declaredLength > maxContentLength) {
4596
5086
  throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request);
4597
5087
  }
@@ -4602,7 +5092,7 @@ const factory = env => {
4602
5092
  ['status', 'statusText', 'headers'].forEach(prop => {
4603
5093
  options[prop] = response[prop];
4604
5094
  });
4605
- const responseContentLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
5095
+ const responseContentLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
4606
5096
  const [onProgress, flush] = onDownloadProgress && progressEventDecorator(responseContentLength, progressEventReducer(asyncDecorator(onDownloadProgress), true)) || [];
4607
5097
  let bytesRead = 0;
4608
5098
  const onChunkProgress = loadedBytes => {
@@ -4661,13 +5151,48 @@ const factory = env => {
4661
5151
  const canceledError = composedSignal.reason;
4662
5152
  canceledError.config = config;
4663
5153
  request && (canceledError.request = request);
4664
- err !== canceledError && (canceledError.cause = err);
5154
+ if (err !== canceledError) {
5155
+ // Non-enumerable to match native Error `cause` semantics so loggers
5156
+ // don't recurse into circular fetch internals (see #7205).
5157
+ Object.defineProperty(canceledError, 'cause', {
5158
+ __proto__: null,
5159
+ value: err,
5160
+ writable: true,
5161
+ enumerable: false,
5162
+ configurable: true
5163
+ });
5164
+ }
4665
5165
  throw canceledError;
4666
5166
  }
5167
+
5168
+ // Surface a maxBodyLength violation we raised while the request body was
5169
+ // being streamed. Matching by identity (rather than reading
5170
+ // `err.cause.isAxiosError`) keeps the error deterministic across runtimes
5171
+ // and avoids both prototype-pollution reads and mis-attributing a foreign
5172
+ // AxiosError that merely happened to land in `err.cause`.
5173
+ if (pendingBodyError) {
5174
+ request && !pendingBodyError.request && (pendingBodyError.request = request);
5175
+ throw pendingBodyError;
5176
+ }
5177
+
5178
+ // Re-throw AxiosErrors we raised synchronously (data: URL / content-length
5179
+ // pre-checks, response size enforcement) without re-wrapping them.
5180
+ if (err instanceof AxiosError) {
5181
+ request && !err.request && (err.request = request);
5182
+ throw err;
5183
+ }
4667
5184
  if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) {
4668
- throw Object.assign(new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, err && err.response), {
4669
- cause: err.cause || err
5185
+ const networkError = new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, err && err.response);
5186
+ // Non-enumerable to match native Error `cause` semantics so loggers
5187
+ // don't recurse into circular fetch internals (see #7205).
5188
+ Object.defineProperty(networkError, 'cause', {
5189
+ __proto__: null,
5190
+ value: err.cause || err,
5191
+ writable: true,
5192
+ enumerable: false,
5193
+ configurable: true
4670
5194
  });
5195
+ throw networkError;
4671
5196
  }
4672
5197
  throw AxiosError.from(err, err && err.code, config, request, err && err.response);
4673
5198
  }
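Review bot: The non-enumerable `cause` descriptor is written out twice in this catch block, once for `canceledError` and once for `networkError`, each with its own copy of the explanatory comment. A small local helper (called `setErrorCause` below) would keep the two sites identical if the descriptor changes, and leaves one place to document why `cause` is non-enumerable. The catch block begins before this hunk, so the helper would sit with the other module-level helpers such as `decodeURIComponentSafe`.

```javascript
// Attach `cause` as a non-enumerable property to match native Error semantics,
// so loggers don't recurse into circular fetch internals (see #7205).
const setErrorCause = (error, cause) => Object.defineProperty(error, 'cause', {
  __proto__: null,
  value: cause,
  writable: true,
  enumerable: false,
  configurable: true
});

// … unchanged: canceledError.config / canceledError.request assignment …
if (err !== canceledError) {
  setErrorCause(canceledError, err);
}
// … unchanged: pendingBodyError and AxiosError re-throws, TypeError test …
const networkError = new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, err && err.response);
setErrorCause(networkError, err.cause || err);
throw networkError;
```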
@@ -4786,7 +5311,7 @@ function getAdapter(adapters, config) {
4786
5311
  if (!adapter) {
4787
5312
  const reasons = Object.entries(rejectedReasons).map(([id, state]) => `adapter ${id} ` + (state === false ? 'is not supported by the environment' : 'is not available in the build'));
4788
5313
  let s = length ? reasons.length > 1 ? 'since :\n' + reasons.map(renderReason).join('\n') : ' ' + renderReason(reasons[0]) : 'as no adapter specified';
4789
- throw new AxiosError(`There is no suitable adapter to dispatch the request ` + s, 'ERR_NOT_SUPPORT');
5314
+ throw new AxiosError(`There is no suitable adapter to dispatch the request ` + s, AxiosError.ERR_NOT_SUPPORT);
4790
5315
  }
4791
5316
  return adapter;
4792
5317
  }
@@ -4929,7 +5454,7 @@ validators$1.spelling = function spelling(correctSpelling) {
4929
5454
  */
4930
5455
 
4931
5456
  function assertOptions(options, schema, allowUnknown) {
4932
- if (typeof options !== 'object') {
5457
+ if (typeof options !== 'object' || options === null) {
4933
5458
  throw new AxiosError('options must be an object', AxiosError.ERR_BAD_OPTION_VALUE);
4934
5459
  }
4935
5460
  const keys = Object.keys(options);
@@ -5038,7 +5563,9 @@ class Axios {
5038
5563
  silentJSONParsing: validators.transitional(validators.boolean),
5039
5564
  forcedJSONParsing: validators.transitional(validators.boolean),
5040
5565
  clarifyTimeoutError: validators.transitional(validators.boolean),
5041
- legacyInterceptorReqResOrdering: validators.transitional(validators.boolean)
5566
+ legacyInterceptorReqResOrdering: validators.transitional(validators.boolean),
5567
+ advertiseZstdAcceptEncoding: validators.transitional(validators.boolean),
5568
+ validateStatusUndefinedResolves: validators.transitional(validators.boolean)
5042
5569
  }, false);
5043
5570
  }
5044
5571
  if (paramsSerializer != null) {
@@ -5135,7 +5662,7 @@ class Axios {
5135
5662
  }
5136
5663
  getUri(config) {
5137
5664
  config = mergeConfig(this.defaults, config);
5138
- const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
5665
+ const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls, config);
5139
5666
  return buildURL(fullPath, config.params, config.paramsSerializer);
5140
5667
  }
5141
5668
  }
@@ -5147,7 +5674,7 @@ utils$1.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNoDa
5147
5674
  return this.request(mergeConfig(config || {}, {
5148
5675
  method,
5149
5676
  url,
5150
- data: (config || {}).data
5677
+ data: config && utils$1.hasOwnProp(config, 'data') ? config.data : undefined
5151
5678
  }));
5152
5679
  };
5153
5680
  });