reflex-search 1.5.2 → 1.6.0

Files changed (58) hide show
  1. package/node_modules/.package-lock.json +15 -15
  2. package/node_modules/axios/CHANGELOG.md +126 -1
  3. package/node_modules/axios/README.md +390 -257
  4. package/node_modules/axios/dist/axios.js +511 -154
  5. package/node_modules/axios/dist/axios.min.js +3 -3
  6. package/node_modules/axios/dist/axios.min.js.map +1 -1
  7. package/node_modules/axios/dist/browser/axios.cjs +537 -124
  8. package/node_modules/axios/dist/esm/axios.js +537 -124
  9. package/node_modules/axios/dist/esm/axios.min.js +2 -2
  10. package/node_modules/axios/dist/esm/axios.min.js.map +1 -1
  11. package/node_modules/axios/dist/node/axios.cjs +753 -226
  12. package/node_modules/axios/index.d.cts +27 -4
  13. package/node_modules/axios/index.d.ts +23 -2
  14. package/node_modules/axios/lib/adapters/adapters.js +1 -1
  15. package/node_modules/axios/lib/adapters/fetch.js +217 -47
  16. package/node_modules/axios/lib/adapters/http.js +274 -169
  17. package/node_modules/axios/lib/adapters/xhr.js +1 -0
  18. package/node_modules/axios/lib/core/Axios.js +4 -2
  19. package/node_modules/axios/lib/core/AxiosError.js +13 -1
  20. package/node_modules/axios/lib/core/AxiosHeaders.js +12 -9
  21. package/node_modules/axios/lib/core/buildFullPath.js +29 -1
  22. package/node_modules/axios/lib/core/mergeConfig.js +35 -0
  23. package/node_modules/axios/lib/defaults/transitional.js +2 -0
  24. package/node_modules/axios/lib/env/data.js +1 -1
  25. package/node_modules/axios/lib/helpers/AxiosURLSearchParams.js +1 -3
  26. package/node_modules/axios/lib/helpers/Http2Sessions.js +119 -0
  27. package/node_modules/axios/lib/helpers/buildURL.js +7 -4
  28. package/node_modules/axios/lib/helpers/composeSignals.js +1 -1
  29. package/node_modules/axios/lib/helpers/cookies.js +5 -1
  30. package/node_modules/axios/lib/helpers/estimateDataURLDecodedBytes.js +16 -11
  31. package/node_modules/axios/lib/helpers/formDataToJSON.js +25 -3
  32. package/node_modules/axios/lib/helpers/formDataToStream.js +2 -2
  33. package/node_modules/axios/lib/helpers/fromDataURI.js +4 -2
  34. package/node_modules/axios/lib/helpers/resolveConfig.js +26 -13
  35. package/node_modules/axios/lib/helpers/shouldBypassProxy.js +33 -1
  36. package/node_modules/axios/lib/helpers/toFormData.js +48 -12
  37. package/node_modules/axios/lib/helpers/validator.js +1 -1
  38. package/node_modules/axios/lib/utils.js +97 -12
  39. package/node_modules/axios/package.json +29 -13
  40. package/node_modules/brace-expansion/dist/commonjs/index.js +24 -14
  41. package/node_modules/brace-expansion/dist/commonjs/index.js.map +1 -1
  42. package/node_modules/brace-expansion/dist/esm/index.js +24 -14
  43. package/node_modules/brace-expansion/dist/esm/index.js.map +1 -1
  44. package/node_modules/brace-expansion/package.json +2 -2
  45. package/node_modules/form-data/CHANGELOG.md +29 -2
  46. package/node_modules/form-data/README.md +4 -4
  47. package/node_modules/form-data/lib/form_data.js +14 -2
  48. package/node_modules/form-data/package.json +7 -7
  49. package/node_modules/hasown/CHANGELOG.md +18 -0
  50. package/node_modules/hasown/eslint.config.mjs +6 -0
  51. package/node_modules/hasown/package.json +13 -14
  52. package/npm-shrinkwrap.json +16 -16
  53. package/package.json +2 -2
  54. package/node_modules/axios/dist/axios.js.map +0 -1
  55. package/node_modules/axios/dist/browser/axios.cjs.map +0 -1
  56. package/node_modules/axios/dist/esm/axios.js.map +0 -1
  57. package/node_modules/axios/dist/node/axios.cjs.map +0 -1
  58. package/node_modules/hasown/.eslintrc +0 -5
@@ -24,6 +24,7 @@ import { EventEmitter } from 'events';
24
24
  import formDataToStream from '../helpers/formDataToStream.js';
25
25
  import readBlob from '../helpers/readBlob.js';
26
26
  import ZlibHeaderTransformStream from '../helpers/ZlibHeaderTransformStream.js';
27
+ import Http2Sessions from '../helpers/Http2Sessions.js';
27
28
  import callbackify from '../helpers/callbackify.js';
28
29
  import shouldBypassProxy from '../helpers/shouldBypassProxy.js';
29
30
  import { toByteStringHeaderObject } from '../helpers/sanitizeHeaderValue.js';
@@ -44,7 +45,15 @@ const brotliOptions = {
44
45
  finishFlush: zlib.constants.BROTLI_OPERATION_FLUSH,
45
46
  };
46
47
 
48
+ const zstdOptions = {
49
+ flush: zlib.constants.ZSTD_e_flush,
50
+ finishFlush: zlib.constants.ZSTD_e_flush,
51
+ };
52
+
47
53
  const isBrotliSupported = utils.isFunction(zlib.createBrotliDecompress);
54
+ const isZstdSupported = utils.isFunction(zlib.createZstdDecompress);
55
+ const ACCEPT_ENCODING = 'gzip, compress, deflate' + (isBrotliSupported ? ', br' : '');
56
+ const ACCEPT_ENCODING_WITH_ZSTD = ACCEPT_ENCODING + (isZstdSupported ? ', zstd' : '');
48
57
 
49
58
  const { http: httpFollow, https: httpsFollow } = followRedirects;
50
59
 
@@ -80,6 +89,53 @@ const kAxiosInstalledTunnel = Symbol('axios.http.installedTunnel');
80
89
  // so unbounded growth is not a concern in practice.
81
90
  const tunnelingAgentCache = new Map();
82
91
  const tunnelingAgentCacheUser = new WeakMap();
92
+ // Minimum minor versions where Node's HTTP Agent supports native proxyEnv
93
+ // handling. Checking the selected agent below also covers startup modes such
94
+ // as NODE_OPTIONS=--use-env-proxy and --no-use-env-proxy precedence.
95
+ const NODE_NATIVE_ENV_PROXY_SUPPORT = {
96
+ 22: 21,
97
+ 24: 5,
98
+ };
99
+
100
+ function isNodeNativeEnvProxySupported(nodeVersion = process.versions && process.versions.node) {
101
+ if (!nodeVersion) {
102
+ return false;
103
+ }
104
+
105
+ const [major, minor] = nodeVersion.split('.').map((part) => Number(part));
106
+
107
+ if (!Number.isInteger(major) || !Number.isInteger(minor)) {
108
+ return false;
109
+ }
110
+
111
+ if (major > 24) {
112
+ return true;
113
+ }
114
+
115
+ return (
116
+ NODE_NATIVE_ENV_PROXY_SUPPORT[major] != null && minor >= NODE_NATIVE_ENV_PROXY_SUPPORT[major]
117
+ );
118
+ }
119
+
120
+ function isNodeEnvProxyEnabled(agent, nodeVersion = process.versions && process.versions.node) {
121
+ if (!isNodeNativeEnvProxySupported(nodeVersion)) {
122
+ return false;
123
+ }
124
+
125
+ const agentOptions = agent && agent.options;
126
+
127
+ return Boolean(
128
+ agentOptions &&
129
+ utils.hasOwnProp(agentOptions, 'proxyEnv') &&
130
+ agentOptions.proxyEnv != null
131
+ );
132
+ }
133
+
134
+ function getProxyEnvAgent(options, configHttpAgent, configHttpsAgent) {
135
+ return isHttps.test(options.protocol)
136
+ ? (configHttpsAgent || https.globalAgent)
137
+ : (configHttpAgent || http.globalAgent);
138
+ }
83
139
 
84
140
  function getTunnelingAgent(agentOptions, userHttpsAgent) {
85
141
  const key =
@@ -103,6 +159,14 @@ function getTunnelingAgent(agentOptions, userHttpsAgent) {
103
159
  ? { ...userHttpsAgent.options, ...agentOptions }
104
160
  : agentOptions;
105
161
  agent = new HttpsProxyAgent(merged);
162
+ if (userHttpsAgent && userHttpsAgent.options) {
163
+ const originTLSOptions = { ...userHttpsAgent.options };
164
+ const callback = agent.callback;
165
+ agent.callback = function axiosTunnelingAgentCallback(req, opts) {
166
+ // HttpsProxyAgent v5 reads callback opts for the post-CONNECT origin TLS upgrade.
167
+ return callback.call(this, req, { ...originTLSOptions, ...opts });
168
+ };
169
+ }
106
170
  agent[kAxiosInstalledTunnel] = true;
107
171
  cache.set(key, agent);
108
172
  return agent;
@@ -134,114 +198,11 @@ const flushOnFinish = (stream, [throttled, flush]) => {
134
198
  return throttled;
135
199
  };
136
200
 
137
- class Http2Sessions {
138
- constructor() {
139
- this.sessions = Object.create(null);
140
- }
141
-
142
- getSession(authority, options) {
143
- options = Object.assign(
144
- {
145
- sessionTimeout: 1000,
146
- },
147
- options
148
- );
149
-
150
- let authoritySessions = this.sessions[authority];
151
-
152
- if (authoritySessions) {
153
- let len = authoritySessions.length;
154
-
155
- for (let i = 0; i < len; i++) {
156
- const [sessionHandle, sessionOptions] = authoritySessions[i];
157
- if (
158
- !sessionHandle.destroyed &&
159
- !sessionHandle.closed &&
160
- util.isDeepStrictEqual(sessionOptions, options)
161
- ) {
162
- return sessionHandle;
163
- }
164
- }
165
- }
166
-
167
- const session = http2.connect(authority, options);
168
-
169
- let removed;
170
-
171
- const removeSession = () => {
172
- if (removed) {
173
- return;
174
- }
175
-
176
- removed = true;
177
-
178
- let entries = authoritySessions,
179
- len = entries.length,
180
- i = len;
181
-
182
- while (i--) {
183
- if (entries[i][0] === session) {
184
- if (len === 1) {
185
- delete this.sessions[authority];
186
- } else {
187
- entries.splice(i, 1);
188
- }
189
- if (!session.closed) {
190
- session.close();
191
- }
192
- return;
193
- }
194
- }
195
- };
196
-
197
- const originalRequestFn = session.request;
198
-
199
- const { sessionTimeout } = options;
200
-
201
- if (sessionTimeout != null) {
202
- let timer;
203
- let streamsCount = 0;
204
-
205
- session.request = function () {
206
- const stream = originalRequestFn.apply(this, arguments);
207
-
208
- streamsCount++;
209
-
210
- if (timer) {
211
- clearTimeout(timer);
212
- timer = null;
213
- }
214
-
215
- stream.once('close', () => {
216
- if (!--streamsCount) {
217
- timer = setTimeout(() => {
218
- timer = null;
219
- removeSession();
220
- }, sessionTimeout);
221
- }
222
- });
223
-
224
- return stream;
225
- };
226
- }
227
-
228
- session.once('close', removeSession);
229
-
230
- let entry = [session, options];
231
-
232
- authoritySessions
233
- ? authoritySessions.push(entry)
234
- : (authoritySessions = this.sessions[authority] = [entry]);
235
-
236
- return session;
237
- }
238
- }
239
-
240
201
  const http2Sessions = new Http2Sessions();
241
202
 
242
203
  /**
243
- * If the proxy or config beforeRedirects functions are defined, call them with the options
244
- * object.
204
+ * If the proxy, auth, sensitive header, or config beforeRedirects functions are defined,
205
+ * call them with the options object.
245
206
  *
246
207
  * @param {Object<string, any>} options - The options object that was passed to the request.
247
208
  *
@@ -251,11 +212,42 @@ function dispatchBeforeRedirect(options, responseDetails, requestDetails) {
251
212
  if (options.beforeRedirects.proxy) {
252
213
  options.beforeRedirects.proxy(options);
253
214
  }
215
+ if (options.beforeRedirects.auth) {
216
+ options.beforeRedirects.auth(options);
217
+ }
218
+ if (options.beforeRedirects.sensitiveHeaders) {
219
+ options.beforeRedirects.sensitiveHeaders(options, requestDetails);
220
+ }
254
221
  if (options.beforeRedirects.config) {
255
222
  options.beforeRedirects.config(options, responseDetails, requestDetails);
256
223
  }
257
224
  }
258
225
 
226
+ function stripMatchingHeaders(headers, sensitiveSet) {
227
+ if (!headers) {
228
+ return;
229
+ }
230
+
231
+ Object.keys(headers).forEach((header) => {
232
+ if (sensitiveSet.has(header.toLowerCase())) {
233
+ delete headers[header];
234
+ }
235
+ });
236
+ }
237
+
238
+ function isSameOriginRedirect(redirectOptions, requestDetails) {
239
+ if (!requestDetails) {
240
+ return false;
241
+ }
242
+
243
+ try {
244
+ return new URL(requestDetails.url).origin === new URL(redirectOptions.href).origin;
245
+ } catch (e) {
246
+ // If origin comparison fails, treat the redirect as unsafe.
247
+ return false;
248
+ }
249
+ }
250
+
259
251
  /**
260
252
  * If the proxy or config afterRedirects functions are defined, call them with the options
261
253
  *
@@ -265,9 +257,10 @@ function dispatchBeforeRedirect(options, responseDetails, requestDetails) {
265
257
  *
266
258
  * @returns {http.ClientRequestArgs}
267
259
  */
268
- function setProxy(options, configProxy, location, isRedirect, configHttpsAgent) {
260
+ function setProxy(options, configProxy, location, isRedirect, configHttpsAgent, configHttpAgent) {
269
261
  let proxy = configProxy;
270
- if (!proxy && proxy !== false) {
262
+ const proxyEnvAgent = getProxyEnvAgent(options, configHttpAgent, configHttpsAgent);
263
+ if (!proxy && proxy !== false && !isNodeEnvProxyEnabled(proxyEnvAgent)) {
271
264
  const proxyUrl = getProxyForUrl(location);
272
265
  if (proxyUrl) {
273
266
  if (!shouldBypassProxy(location)) {
@@ -373,7 +366,7 @@ function setProxy(options, configProxy, location, isRedirect, configHttpsAgent)
373
366
  }
374
367
  const tunnelingAgent = getTunnelingAgent(agentOptions, configHttpsAgent);
375
368
  // Set both: `options.agent` is consumed by the native https.request path
376
- // (config.maxRedirects === 0); `options.agents.https` is consumed by
369
+ // (maxRedirects === 0); `options.agents.https` is consumed by
377
370
  // follow-redirects, which ignores `options.agent` when `options.agents`
378
371
  // is present.
379
372
  options.agent = tunnelingAgent;
@@ -418,7 +411,14 @@ function setProxy(options, configProxy, location, isRedirect, configHttpsAgent)
418
411
  options.beforeRedirects.proxy = function beforeRedirect(redirectOptions) {
419
412
  // Configure proxy for redirected request, passing the original config proxy to apply
420
413
  // the exact same logic as if the redirected request was performed by axios directly.
421
- setProxy(redirectOptions, configProxy, redirectOptions.href, true, configHttpsAgent);
414
+ setProxy(
415
+ redirectOptions,
416
+ configProxy,
417
+ redirectOptions.href,
418
+ true,
419
+ configHttpsAgent,
420
+ configHttpAgent
421
+ );
422
422
  };
423
423
  }
424
424
 
@@ -517,16 +517,30 @@ const http2Transport = {
517
517
  export default isHttpAdapterSupported &&
518
518
  function httpAdapter(config) {
519
519
  return wrapAsync(async function dispatchHttpRequest(resolve, reject, onDone) {
520
- const own = (key) => (utils.hasOwnProp(config, key) ? config[key] : undefined);
520
+ // Read config pollution-safely: own properties and members inherited from
521
+ // a non-Object.prototype source (e.g. an Object.create(defaults) template)
522
+ // are honored, but values injected onto a polluted Object.prototype are
523
+ // ignored. All behavior-affecting reads in this adapter go through own()
524
+ // so the protection boundary stays consistent.
525
+ const own = (key) => utils.getSafeProp(config, key);
526
+ const transitional = own('transitional') || transitionalDefaults;
521
527
  let data = own('data');
522
528
  let lookup = own('lookup');
523
529
  let family = own('family');
524
530
  let httpVersion = own('httpVersion');
525
531
  if (httpVersion === undefined) httpVersion = 1;
526
532
  let http2Options = own('http2Options');
533
+ const httpAgent = own('httpAgent');
534
+ const httpsAgent = own('httpsAgent');
535
+ const configProxy = own('proxy');
527
536
  const responseType = own('responseType');
528
537
  const responseEncoding = own('responseEncoding');
529
- const method = config.method.toUpperCase();
538
+ const socketPath = own('socketPath');
539
+ const method = own('method').toUpperCase();
540
+ const maxRedirects = own('maxRedirects');
541
+ const maxBodyLength = own('maxBodyLength');
542
+ const maxContentLength = own('maxContentLength');
543
+ const decompress = own('decompress');
530
544
  let isDone;
531
545
  let rejected = false;
532
546
  let req;
@@ -571,7 +585,7 @@ export default isHttpAdapterSupported &&
571
585
  !reason || reason.type ? new CanceledError(null, config, req) : reason
572
586
  );
573
587
  } catch (err) {
574
- console.warn('emit error', err);
588
+ // ignore emit errors
575
589
  }
576
590
  }
577
591
 
@@ -583,12 +597,13 @@ export default isHttpAdapterSupported &&
583
597
  }
584
598
 
585
599
  function createTimeoutError() {
586
- let timeoutErrorMessage = config.timeout
587
- ? 'timeout of ' + config.timeout + 'ms exceeded'
600
+ const configTimeout = own('timeout');
601
+ let timeoutErrorMessage = configTimeout
602
+ ? 'timeout of ' + configTimeout + 'ms exceeded'
588
603
  : 'timeout exceeded';
589
- const transitional = config.transitional || transitionalDefaults;
590
- if (config.timeoutErrorMessage) {
591
- timeoutErrorMessage = config.timeoutErrorMessage;
604
+ const configTimeoutErrorMessage = own('timeoutErrorMessage');
605
+ if (configTimeoutErrorMessage) {
606
+ timeoutErrorMessage = configTimeoutErrorMessage;
592
607
  }
593
608
  return new AxiosError(
594
609
  timeoutErrorMessage,
@@ -644,21 +659,28 @@ export default isHttpAdapterSupported &&
644
659
  });
645
660
 
646
661
  // Parse url
647
- const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
648
- const parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined);
662
+ const fullPath = buildFullPath(own('baseURL'), own('url'), own('allowAbsoluteUrls'), config);
663
+ // Unix-socket requests (own socketPath) commonly pass a path-only url
664
+ // like '/foo'; supply a synthetic base so new URL() can still parse it.
665
+ // Use the own-property value (not config.socketPath) so a polluted
666
+ // prototype cannot influence URL base selection.
667
+ const urlBase = socketPath
668
+ ? 'http://localhost'
669
+ : (platform.hasBrowserEnv ? platform.origin : undefined);
670
+ const parsed = new URL(fullPath, urlBase);
649
671
  const protocol = parsed.protocol || supportedProtocols[0];
650
672
 
651
673
  if (protocol === 'data:') {
652
674
  // Apply the same semantics as HTTP: only enforce if a finite, non-negative cap is set.
653
- if (config.maxContentLength > -1) {
654
- // Use the exact string passed to fromDataURI (config.url); fall back to fullPath if needed.
655
- const dataUrl = String(config.url || fullPath || '');
675
+ if (maxContentLength > -1) {
676
+ // Use the exact string passed to fromDataURI (the configured url); fall back to fullPath if needed.
677
+ const dataUrl = String(own('url') || fullPath || '');
656
678
  const estimated = estimateDataURLDecodedBytes(dataUrl);
657
679
 
658
- if (estimated > config.maxContentLength) {
680
+ if (estimated > maxContentLength) {
659
681
  return reject(
660
682
  new AxiosError(
661
- 'maxContentLength size of ' + config.maxContentLength + ' exceeded',
683
+ 'maxContentLength size of ' + maxContentLength + ' exceeded',
662
684
  AxiosError.ERR_BAD_RESPONSE,
663
685
  config
664
686
  )
@@ -678,7 +700,7 @@ export default isHttpAdapterSupported &&
678
700
  }
679
701
 
680
702
  try {
681
- convertedData = fromDataURI(config.url, responseType === 'blob', {
703
+ convertedData = fromDataURI(own('url'), responseType === 'blob', {
682
704
  Blob: config.env && config.env.Blob,
683
705
  });
684
706
  } catch (err) {
@@ -778,7 +800,7 @@ export default isHttpAdapterSupported &&
778
800
  // Add Content-Length header if data exists
779
801
  headers.setContentLength(data.length, false);
780
802
 
781
- if (config.maxBodyLength > -1 && data.length > config.maxBodyLength) {
803
+ if (maxBodyLength > -1 && data.length > maxBodyLength) {
782
804
  return reject(
783
805
  new AxiosError(
784
806
  'Request body larger than maxBodyLength limit',
@@ -830,12 +852,12 @@ export default isHttpAdapterSupported &&
830
852
  let auth = undefined;
831
853
  const configAuth = own('auth');
832
854
  if (configAuth) {
833
- const username = configAuth.username || '';
834
- const password = configAuth.password || '';
855
+ const username = utils.getSafeProp(configAuth, 'username') || '';
856
+ const password = utils.getSafeProp(configAuth, 'password') || '';
835
857
  auth = username + ':' + password;
836
858
  }
837
859
 
838
- if (!auth && parsed.username) {
860
+ if (!auth && (parsed.username || parsed.password)) {
839
861
  const urlUsername = decodeURIComponentSafe(parsed.username);
840
862
  const urlPassword = decodeURIComponentSafe(parsed.password);
841
863
  auth = urlUsername + ':' + urlPassword;
@@ -848,20 +870,22 @@ export default isHttpAdapterSupported &&
848
870
  try {
849
871
  path = buildURL(
850
872
  parsed.pathname + parsed.search,
851
- config.params,
852
- config.paramsSerializer
873
+ own('params'),
874
+ own('paramsSerializer')
853
875
  ).replace(/^\?/, '');
854
876
  } catch (err) {
855
- const customErr = new Error(err.message);
856
- customErr.config = config;
857
- customErr.url = config.url;
858
- customErr.exists = true;
859
- return reject(customErr);
877
+ return reject(
878
+ AxiosError.from(err, AxiosError.ERR_BAD_REQUEST, config, null, null, {
879
+ url: own('url'),
880
+ exists: true
881
+ })
882
+ );
860
883
  }
861
884
 
862
885
  headers.set(
863
886
  'Accept-Encoding',
864
- 'gzip, compress, deflate' + (isBrotliSupported ? ', br' : ''),
887
+ utils.hasOwnProp(transitional, 'advertiseZstdAcceptEncoding') &&
888
+ transitional.advertiseZstdAcceptEncoding === true ? ACCEPT_ENCODING_WITH_ZSTD : ACCEPT_ENCODING,
865
889
  false
866
890
  );
867
891
 
@@ -871,7 +895,7 @@ export default isHttpAdapterSupported &&
871
895
  path,
872
896
  method: method,
873
897
  headers: toByteStringHeaderObject(headers),
874
- agents: { http: config.httpAgent, https: config.httpsAgent },
898
+ agents: { http: httpAgent, https: httpsAgent },
875
899
  auth,
876
900
  protocol,
877
901
  family,
@@ -883,19 +907,20 @@ export default isHttpAdapterSupported &&
883
907
  // cacheable-lookup integration hotfix
884
908
  !utils.isUndefined(lookup) && (options.lookup = lookup);
885
909
 
886
- if (config.socketPath) {
887
- if (typeof config.socketPath !== 'string') {
910
+ if (socketPath) {
911
+ if (typeof socketPath !== 'string') {
888
912
  return reject(
889
913
  new AxiosError('socketPath must be a string', AxiosError.ERR_BAD_OPTION_VALUE, config)
890
914
  );
891
915
  }
892
916
 
893
- if (config.allowedSocketPaths != null) {
894
- const allowed = Array.isArray(config.allowedSocketPaths)
895
- ? config.allowedSocketPaths
896
- : [config.allowedSocketPaths];
917
+ const allowedSocketPaths = own('allowedSocketPaths');
918
+ if (allowedSocketPaths != null) {
919
+ const allowed = Array.isArray(allowedSocketPaths)
920
+ ? allowedSocketPaths
921
+ : [allowedSocketPaths];
897
922
 
898
- const resolvedSocket = resolvePath(config.socketPath);
923
+ const resolvedSocket = resolvePath(socketPath);
899
924
  const isAllowed = allowed.some(
900
925
  (entry) => typeof entry === 'string' && resolvePath(entry) === resolvedSocket
901
926
  );
@@ -903,7 +928,7 @@ export default isHttpAdapterSupported &&
903
928
  if (!isAllowed) {
904
929
  return reject(
905
930
  new AxiosError(
906
- `socketPath "${config.socketPath}" is not permitted by allowedSocketPaths`,
931
+ `socketPath "${socketPath}" is not permitted by allowedSocketPaths`,
907
932
  AxiosError.ERR_BAD_OPTION_VALUE,
908
933
  config
909
934
  )
@@ -911,7 +936,7 @@ export default isHttpAdapterSupported &&
911
936
  }
912
937
  }
913
938
 
914
- options.socketPath = config.socketPath;
939
+ options.socketPath = socketPath;
915
940
  } else {
916
941
  options.hostname = parsed.hostname.startsWith('[')
917
942
  ? parsed.hostname.slice(1, -1)
@@ -919,19 +944,25 @@ export default isHttpAdapterSupported &&
919
944
  options.port = parsed.port;
920
945
  setProxy(
921
946
  options,
922
- config.proxy,
947
+ configProxy,
923
948
  protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path,
924
949
  false,
925
- config.httpsAgent
950
+ httpsAgent,
951
+ httpAgent
926
952
  );
927
953
  }
928
954
  let transport;
929
955
  let isNativeTransport = false;
956
+ // True only for the follow-redirects transport, which applies
957
+ // options.maxBodyLength itself. Every other transport (http2, native
958
+ // http/https, a user-supplied custom transport) needs the explicit
959
+ // byte-counting pipeline below to enforce maxBodyLength on streamed uploads.
960
+ let transportEnforcesMaxBodyLength = false;
930
961
  const isHttpsRequest = isHttps.test(options.protocol);
931
962
  // Don't clobber a CONNECT-tunneling agent installed by setProxy() for an
932
963
  // HTTPS target.
933
964
  if (options.agent == null) {
934
- options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent;
965
+ options.agent = isHttpsRequest ? httpsAgent : httpAgent;
935
966
  }
936
967
 
937
968
  if (isHttp2) {
@@ -940,25 +971,85 @@ export default isHttpAdapterSupported &&
940
971
  const configTransport = own('transport');
941
972
  if (configTransport) {
942
973
  transport = configTransport;
943
- } else if (config.maxRedirects === 0) {
974
+ } else if (maxRedirects === 0) {
944
975
  transport = isHttpsRequest ? https : http;
945
976
  isNativeTransport = true;
946
977
  } else {
947
- if (config.maxRedirects) {
948
- options.maxRedirects = config.maxRedirects;
978
+ transportEnforcesMaxBodyLength = true;
979
+ options.sensitiveHeaders = [];
980
+ if (maxRedirects) {
981
+ options.maxRedirects = maxRedirects;
949
982
  }
950
983
  const configBeforeRedirect = own('beforeRedirect');
951
984
  if (configBeforeRedirect) {
952
985
  options.beforeRedirects.config = configBeforeRedirect;
953
986
  }
987
+ if (auth) {
988
+ // Restore HTTP Basic credentials on same-origin redirects only.
989
+ // follow-redirects >= 1.15.8 strips Authorization on every redirect (see #6929);
990
+ // cross-origin stripping is the documented mitigation for T-R2 in THREATMODEL.md
991
+ // and is preserved by deliberately not restoring on origin change.
992
+ const requestOrigin = parsed.origin;
993
+ const authToRestore = auth;
994
+ options.beforeRedirects.auth = function beforeRedirectAuth(redirectOptions) {
995
+ try {
996
+ if (new URL(redirectOptions.href).origin === requestOrigin) {
997
+ redirectOptions.auth = authToRestore;
998
+ }
999
+ } catch (e) {
1000
+ // ignore malformed URL: leaving auth stripped is fail-safe
1001
+ }
1002
+ };
1003
+ }
1004
+ const sensitiveHeaders = own('sensitiveHeaders');
1005
+ if (sensitiveHeaders != null) {
1006
+ if (!utils.isArray(sensitiveHeaders)) {
1007
+ return reject(
1008
+ new AxiosError(
1009
+ 'sensitiveHeaders must be an array of strings',
1010
+ AxiosError.ERR_BAD_OPTION_VALUE,
1011
+ config
1012
+ )
1013
+ );
1014
+ }
1015
+
1016
+ const sensitiveSet = new Set();
1017
+ for (const header of sensitiveHeaders) {
1018
+ if (!utils.isString(header)) {
1019
+ return reject(
1020
+ new AxiosError(
1021
+ 'sensitiveHeaders must be an array of strings',
1022
+ AxiosError.ERR_BAD_OPTION_VALUE,
1023
+ config
1024
+ )
1025
+ );
1026
+ }
1027
+
1028
+ sensitiveSet.add(header.toLowerCase());
1029
+ }
1030
+
1031
+ if (sensitiveSet.size) {
1032
+ options.sensitiveHeaders = Array.from(sensitiveSet);
1033
+ options.beforeRedirects.sensitiveHeaders = function beforeRedirectSensitiveHeaders(
1034
+ redirectOptions,
1035
+ requestDetails
1036
+ ) {
1037
+ if (!isSameOriginRedirect(redirectOptions, requestDetails)) {
1038
+ stripMatchingHeaders(redirectOptions.headers, sensitiveSet);
1039
+ }
1040
+ };
1041
+ }
1042
+ }
954
1043
  transport = isHttpsRequest ? httpsFollow : httpFollow;
955
1044
  }
956
1045
  }
957
1046
 
958
- if (config.maxBodyLength > -1) {
959
- options.maxBodyLength = config.maxBodyLength;
1047
+ // Set an explicit maxBodyLength option for transports that inspect it.
1048
+ // When maxBodyLength is -1 (default/unlimited), use Infinity so
1049
+ // follow-redirects does not fall back to its own 10MB default.
1050
+ if (maxBodyLength > -1) {
1051
+ options.maxBodyLength = maxBodyLength;
960
1052
  } else {
961
- // follow-redirects does not skip comparison, so it should always succeed for axios -1 unlimited
962
1053
  options.maxBodyLength = Infinity;
963
1054
  }
964
1055
 
@@ -1004,7 +1095,7 @@ export default isHttpAdapterSupported &&
1004
1095
  const lastRequest = res.req || req;
1005
1096
 
1006
1097
  // if decompress disabled we should not decompress
1007
- if (config.decompress !== false && res.headers['content-encoding']) {
1098
+ if (decompress !== false && res.headers['content-encoding']) {
1008
1099
  // if no content, but headers still say that it is encoded,
1009
1100
  // remove the header not confuse downstream operations
1010
1101
  if (method === 'HEAD' || res.statusCode === 204) {
@@ -1037,6 +1128,13 @@ export default isHttpAdapterSupported &&
1037
1128
  streams.push(zlib.createBrotliDecompress(brotliOptions));
1038
1129
  delete res.headers['content-encoding'];
1039
1130
  }
1131
+ break;
1132
+ case 'zstd':
1133
+ if (isZstdSupported) {
1134
+ streams.push(zlib.createZstdDecompress(zstdOptions));
1135
+ delete res.headers['content-encoding'];
1136
+ }
1137
+ break;
1040
1138
  }
1041
1139
  }
1042
1140
 
@@ -1053,8 +1151,8 @@ export default isHttpAdapterSupported &&
1053
1151
  if (responseType === 'stream') {
1054
1152
  // Enforce maxContentLength on streamed responses; previously this
1055
1153
  // was applied only to buffered responses.
1056
- if (config.maxContentLength > -1) {
1057
- const limit = config.maxContentLength;
1154
+ if (maxContentLength > -1) {
1155
+ const limit = maxContentLength;
1058
1156
  const source = responseStream;
1059
1157
  async function* enforceMaxContentLength() {
1060
1158
  let totalResponseBytes = 0;
@@ -1086,13 +1184,13 @@ export default isHttpAdapterSupported &&
1086
1184
  totalResponseBytes += chunk.length;
1087
1185
 
1088
1186
  // make sure the content length is not over the maxContentLength if specified
1089
- if (config.maxContentLength > -1 && totalResponseBytes > config.maxContentLength) {
1187
+ if (maxContentLength > -1 && totalResponseBytes > maxContentLength) {
1090
1188
  // stream.destroy() emit aborted event before calling reject() on Node.js v16
1091
1189
  rejected = true;
1092
1190
  responseStream.destroy();
1093
1191
  abort(
1094
1192
  new AxiosError(
1095
- 'maxContentLength size of ' + config.maxContentLength + ' exceeded',
1193
+ 'maxContentLength size of ' + maxContentLength + ' exceeded',
1096
1194
  AxiosError.ERR_BAD_RESPONSE,
1097
1195
  config,
1098
1196
  lastRequest
@@ -1174,7 +1272,11 @@ export default isHttpAdapterSupported &&
1174
1272
 
1175
1273
  req.on('socket', function handleRequestSocket(socket) {
1176
1274
  // default interval of sending ack packet is 1 minute
1177
- socket.setKeepAlive(true, 1000 * 60);
1275
+ // proxy agents (e.g. agent-base) may return a generic Duplex stream
1276
+ // that doesn't have setKeepAlive, so guard before calling
1277
+ if (typeof socket.setKeepAlive === 'function') {
1278
+ socket.setKeepAlive(true, 1000 * 60);
1279
+ }
1178
1280
 
1179
1281
  // Install a single 'error' listener per socket (not per request) to avoid
1180
1282
  // accumulating listeners on pooled keep-alive sockets that get reassigned
@@ -1207,9 +1309,9 @@ export default isHttpAdapterSupported &&
1207
1309
  });
1208
1310
 
1209
1311
  // Handle request timeout
1210
- if (config.timeout) {
1312
+ if (own('timeout')) {
1211
1313
  // This is forcing a int timeout to avoid problems if the `req` interface doesn't handle other types.
1212
- const timeout = parseInt(config.timeout, 10);
1314
+ const timeout = parseInt(own('timeout'), 10);
1213
1315
 
1214
1316
  if (Number.isNaN(timeout)) {
1215
1317
  abort(
@@ -1267,12 +1369,13 @@ export default isHttpAdapterSupported &&
1267
1369
  }
1268
1370
  });
1269
1371
 
1270
- // Enforce maxBodyLength for streamed uploads on the native http/https
1271
- // transport (maxRedirects === 0); follow-redirects enforces it on the
1272
- // other path.
1372
+ // Enforce maxBodyLength for streamed uploads on every transport that
1373
+ // does not apply options.maxBodyLength itself (native http/https, http2,
1374
+ // and user-supplied custom transports). The follow-redirects transport
1375
+ // enforces it on the redirected HTTP/1 path.
1273
1376
  let uploadStream = data;
1274
- if (config.maxBodyLength > -1 && config.maxRedirects === 0) {
1275
- const limit = config.maxBodyLength;
1377
+ if (maxBodyLength > -1 && !transportEnforcesMaxBodyLength) {
1378
+ const limit = maxBodyLength;
1276
1379
  let bytesSent = 0;
1277
1380
  uploadStream = stream.pipeline(
1278
1381
  [
@@ -1310,3 +1413,5 @@ export default isHttpAdapterSupported &&
1310
1413
  };
1311
1414
 
1312
1415
  export const __setProxy = setProxy;
1416
+ export const __isNodeEnvProxyEnabled = isNodeEnvProxyEnabled;
1417
+ export const __isSameOriginRedirect = isSameOriginRedirect;
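Review bot: In the `data:` branch (new line 705, hunk `@@ -678,7 +700,7 @@`) the unchanged line `Blob: config.env && config.env.Blob,` still reads `config.env` directly, which contradicts the new comment at the top of `dispatchHttpRequest` saying that all behavior-affecting reads go through `own()`. If `Object.prototype` has been polluted elsewhere in the process, an inherited `env` would still select the Blob constructor handed to `fromDataURI`, even though the neighbouring `url` read on the same call was moved to `own('url')`. Assuming `utils.getSafeProp` behaves as that comment describes, I would add `const env = own('env');` next to the other `own()` reads and change the line to `Blob: env && utils.getSafeProp(env, 'Blob'),`. The `buildFullPath(own('baseURL'), own('url'), own('allowAbsoluteUrls'), config)` call in hunk `@@ -644,21 +659,28 @@` also receives the whole `config` object and its handling is not visible here, so it deserves the same check. The adapter body continues outside the visible hunks, so other direct `config.*` reads may remain.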