reflex-search 1.5.2 → 1.6.0

Files changed (58)
  1. package/node_modules/.package-lock.json +15 -15
  2. package/node_modules/axios/CHANGELOG.md +126 -1
  3. package/node_modules/axios/README.md +390 -257
  4. package/node_modules/axios/dist/axios.js +511 -154
  5. package/node_modules/axios/dist/axios.min.js +3 -3
  6. package/node_modules/axios/dist/axios.min.js.map +1 -1
  7. package/node_modules/axios/dist/browser/axios.cjs +537 -124
  8. package/node_modules/axios/dist/esm/axios.js +537 -124
  9. package/node_modules/axios/dist/esm/axios.min.js +2 -2
  10. package/node_modules/axios/dist/esm/axios.min.js.map +1 -1
  11. package/node_modules/axios/dist/node/axios.cjs +753 -226
  12. package/node_modules/axios/index.d.cts +27 -4
  13. package/node_modules/axios/index.d.ts +23 -2
  14. package/node_modules/axios/lib/adapters/adapters.js +1 -1
  15. package/node_modules/axios/lib/adapters/fetch.js +217 -47
  16. package/node_modules/axios/lib/adapters/http.js +274 -169
  17. package/node_modules/axios/lib/adapters/xhr.js +1 -0
  18. package/node_modules/axios/lib/core/Axios.js +4 -2
  19. package/node_modules/axios/lib/core/AxiosError.js +13 -1
  20. package/node_modules/axios/lib/core/AxiosHeaders.js +12 -9
  21. package/node_modules/axios/lib/core/buildFullPath.js +29 -1
  22. package/node_modules/axios/lib/core/mergeConfig.js +35 -0
  23. package/node_modules/axios/lib/defaults/transitional.js +2 -0
  24. package/node_modules/axios/lib/env/data.js +1 -1
  25. package/node_modules/axios/lib/helpers/AxiosURLSearchParams.js +1 -3
  26. package/node_modules/axios/lib/helpers/Http2Sessions.js +119 -0
  27. package/node_modules/axios/lib/helpers/buildURL.js +7 -4
  28. package/node_modules/axios/lib/helpers/composeSignals.js +1 -1
  29. package/node_modules/axios/lib/helpers/cookies.js +5 -1
  30. package/node_modules/axios/lib/helpers/estimateDataURLDecodedBytes.js +16 -11
  31. package/node_modules/axios/lib/helpers/formDataToJSON.js +25 -3
  32. package/node_modules/axios/lib/helpers/formDataToStream.js +2 -2
  33. package/node_modules/axios/lib/helpers/fromDataURI.js +4 -2
  34. package/node_modules/axios/lib/helpers/resolveConfig.js +26 -13
  35. package/node_modules/axios/lib/helpers/shouldBypassProxy.js +33 -1
  36. package/node_modules/axios/lib/helpers/toFormData.js +48 -12
  37. package/node_modules/axios/lib/helpers/validator.js +1 -1
  38. package/node_modules/axios/lib/utils.js +97 -12
  39. package/node_modules/axios/package.json +29 -13
  40. package/node_modules/brace-expansion/dist/commonjs/index.js +24 -14
  41. package/node_modules/brace-expansion/dist/commonjs/index.js.map +1 -1
  42. package/node_modules/brace-expansion/dist/esm/index.js +24 -14
  43. package/node_modules/brace-expansion/dist/esm/index.js.map +1 -1
  44. package/node_modules/brace-expansion/package.json +2 -2
  45. package/node_modules/form-data/CHANGELOG.md +29 -2
  46. package/node_modules/form-data/README.md +4 -4
  47. package/node_modules/form-data/lib/form_data.js +14 -2
  48. package/node_modules/form-data/package.json +7 -7
  49. package/node_modules/hasown/CHANGELOG.md +18 -0
  50. package/node_modules/hasown/eslint.config.mjs +6 -0
  51. package/node_modules/hasown/package.json +13 -14
  52. package/npm-shrinkwrap.json +16 -16
  53. package/package.json +2 -2
  54. package/node_modules/axios/dist/axios.js.map +0 -1
  55. package/node_modules/axios/dist/browser/axios.cjs.map +0 -1
  56. package/node_modules/axios/dist/esm/axios.js.map +0 -1
  57. package/node_modules/axios/dist/node/axios.cjs.map +0 -1
  58. package/node_modules/hasown/.eslintrc +0 -5
@@ -1,4 +1,4 @@
1
- /*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */
1
+ /*! Axios v1.18.1 Copyright (c) 2026 Matt Zabriskie and contributors */
2
2
  'use strict';
3
3
 
4
4
  /**
@@ -20,6 +20,57 @@ const { toString } = Object.prototype;
20
20
  const { getPrototypeOf } = Object;
21
21
  const { iterator, toStringTag } = Symbol;
22
22
 
23
+ /* Creating a function that will check if an object has a property. */
24
+ const hasOwnProperty = (
25
+ ({ hasOwnProperty }) =>
26
+ (obj, prop) =>
27
+ hasOwnProperty.call(obj, prop)
28
+ )(Object.prototype);
29
+
30
+ /**
31
+ * Walk the prototype chain (excluding the shared Object.prototype) looking for
32
+ * an own `prop`. This distinguishes genuine own/inherited members — including
33
+ * class accessors and template prototypes — from members injected via
34
+ * Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
35
+ * live on Object.prototype itself and are therefore never matched.
36
+ *
37
+ * @param {*} thing The value whose chain to inspect
38
+ * @param {string|symbol} prop The property key to look for
39
+ *
40
+ * @returns {boolean} True when `prop` is owned below Object.prototype
41
+ */
42
+ const hasOwnInPrototypeChain = (thing, prop) => {
43
+ let obj = thing;
44
+ const seen = [];
45
+
46
+ while (obj != null && obj !== Object.prototype) {
47
+ if (seen.indexOf(obj) !== -1) {
48
+ return false;
49
+ }
50
+ seen.push(obj);
51
+
52
+ if (hasOwnProperty(obj, prop)) {
53
+ return true;
54
+ }
55
+ obj = getPrototypeOf(obj);
56
+ }
57
+ return false;
58
+ };
59
+
60
+ /**
61
+ * Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
62
+ * properties and members inherited from a non-Object.prototype source (a class
63
+ * instance or template object) are honored; a value reachable only through a
64
+ * polluted Object.prototype is ignored and `undefined` is returned.
65
+ *
66
+ * @param {*} obj The source object
67
+ * @param {string|symbol} prop The property key to read
68
+ *
69
+ * @returns {*} The resolved value, or undefined when unsafe/absent
70
+ */
71
+ const getSafeProp = (obj, prop) =>
72
+ obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
73
+
23
74
  const kindOf = ((cache) => (thing) => {
24
75
  const str = toString.call(thing);
25
76
  return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase());
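Review bot: `hasOwnInPrototypeChain` stops only at the current realm's `Object.prototype`, because `obj !== Object.prototype` is an identity check. For an object created in another realm (an iframe or a `vm` context) the walk continues onto that realm's `Object.prototype` and reports a key polluted there as genuine. The JSDoc's "never matched" therefore holds for same-realm objects only, and keys injected on other shared prototypes such as `Array.prototype` are still honored by design. I would state that limit in the doc comment, e.g. `* NOTE: only the current realm's Object.prototype is excluded; cross-realm objects and other built-in prototypes are not covered.`, so callers of `getSafeProp` and `isSafeIterable` do not over-trust it.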
@@ -145,7 +196,7 @@ const isBoolean = (thing) => thing === true || thing === false;
145
196
  * @returns {boolean} True if value is a plain Object, otherwise false
146
197
  */
147
198
  const isPlainObject = (val) => {
148
- if (kindOf(val) !== 'object') {
199
+ if (!isObject(val)) {
149
200
  return false;
150
201
  }
151
202
 
@@ -153,9 +204,12 @@ const isPlainObject = (val) => {
153
204
  return (
154
205
  (prototype === null ||
155
206
  prototype === Object.prototype ||
156
- Object.getPrototypeOf(prototype) === null) &&
157
- !(toStringTag in val) &&
158
- !(iterator in val)
207
+ getPrototypeOf(prototype) === null) &&
208
+ // Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
209
+ // Symbol.iterator as evidence the value is a tagged/iterable type rather
210
+ // than a plain object, while ignoring keys injected onto Object.prototype.
211
+ !hasOwnInPrototypeChain(val, toStringTag) &&
212
+ !hasOwnInPrototypeChain(val, iterator)
159
213
  );
160
214
  };
161
215
 
@@ -424,7 +478,9 @@ function merge(...objs) {
424
478
  return;
425
479
  }
426
480
 
427
- const targetKey = (caseless && findKey(result, key)) || key;
481
+ // findKey lowercases the key, so caseless lookup only applies to strings —
482
+ // symbol keys are identity-matched.
483
+ const targetKey = (caseless && typeof key === 'string' && findKey(result, key)) || key;
428
484
  // Read via own-prop only — a bare `result[targetKey]` walks the prototype
429
485
  // chain, so a polluted Object.prototype value could surface here and get
430
486
  // copied into the merged result.
@@ -441,7 +497,24 @@ function merge(...objs) {
441
497
  };
442
498
 
443
499
  for (let i = 0, l = objs.length; i < l; i++) {
444
- objs[i] && forEach(objs[i], assignValue);
500
+ const source = objs[i];
501
+ if (!source || isBuffer(source)) {
502
+ continue;
503
+ }
504
+
505
+ forEach(source, assignValue);
506
+
507
+ if (typeof source !== 'object' || isArray(source)) {
508
+ continue;
509
+ }
510
+
511
+ const symbols = Object.getOwnPropertySymbols(source);
512
+ for (let j = 0; j < symbols.length; j++) {
513
+ const symbol = symbols[j];
514
+ if (propertyIsEnumerable.call(source, symbol)) {
515
+ assignValue(source[symbol], symbol);
516
+ }
517
+ }
445
518
  }
446
519
  return result;
447
520
  }
@@ -663,12 +736,7 @@ const toCamelCase = (str) => {
663
736
  });
664
737
  };
665
738
 
666
- /* Creating a function that will check if an object has a property. */
667
- const hasOwnProperty = (
668
- ({ hasOwnProperty }) =>
669
- (obj, prop) =>
670
- hasOwnProperty.call(obj, prop)
671
- )(Object.prototype);
739
+ const { propertyIsEnumerable } = Object.prototype;
672
740
 
673
741
  /**
674
742
  * Determine if a value is a RegExp object
@@ -881,6 +949,20 @@ const asap =
881
949
 
882
950
  const isIterable = (thing) => thing != null && isFunction$1(thing[iterator]);
883
951
 
952
+ /**
953
+ * Determine if a value is iterable via an iterator that is NOT sourced solely
954
+ * from a polluted Object.prototype. Use this instead of `isIterable` whenever
955
+ * the iterable comes from untrusted input (e.g. user-supplied header sources),
956
+ * so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
957
+ * into an attacker-controlled entries iterator.
958
+ *
959
+ * @param {*} thing The value to test
960
+ *
961
+ * @returns {boolean} True if value has a non-polluted iterator
962
+ */
963
+ const isSafeIterable = (thing) =>
964
+ thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
965
+
884
966
  var utils$1 = {
885
967
  isArray,
886
968
  isArrayBuffer,
@@ -925,6 +1007,8 @@ var utils$1 = {
925
1007
  isHTMLForm,
926
1008
  hasOwnProperty,
927
1009
  hasOwnProp: hasOwnProperty, // an alias to avoid ESLint no-prototype-builtins detection
1010
+ hasOwnInPrototypeChain,
1011
+ getSafeProp,
928
1012
  reduceDescriptors,
929
1013
  freezeMethods,
930
1014
  toObjectSet,
@@ -941,6 +1025,7 @@ var utils$1 = {
941
1025
  setImmediate: _setImmediate,
942
1026
  asap,
943
1027
  isIterable,
1028
+ isSafeIterable,
944
1029
  };
945
1030
 
946
1031
  // RawAxiosHeaders whose duplicates are ignored by node
@@ -1151,7 +1236,7 @@ class AxiosHeaders {
1151
1236
  const lHeader = normalizeHeader(_header);
1152
1237
 
1153
1238
  if (!lHeader) {
1154
- throw new Error('header name must be a non-empty string');
1239
+ return;
1155
1240
  }
1156
1241
 
1157
1242
  const key = utils$1.findKey(self, lHeader);
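Review bot: Replacing the `throw` with a bare `return;` when `normalizeHeader(_header)` yields an empty name means the caller gets no signal that the header was dropped. A mis-built name for an authorization or CSRF header would then simply be absent from the request instead of failing loudly. If the lenient behaviour is intended, say so at the branch, e.g. `// Intentionally ignore empty header names instead of throwing; callers must validate names.`, and mention the change in the method's docs. The enclosing function starts and ends outside this hunk.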
@@ -1173,20 +1258,23 @@ class AxiosHeaders {
1173
1258
  setHeaders(header, valueOrRewrite);
1174
1259
  } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) {
1175
1260
  setHeaders(parseHeaders(header), valueOrRewrite);
1176
- } else if (utils$1.isObject(header) && utils$1.isIterable(header)) {
1177
- let obj = {},
1261
+ } else if (utils$1.isObject(header) && utils$1.isSafeIterable(header)) {
1262
+ let obj = Object.create(null),
1178
1263
  dest,
1179
1264
  key;
1180
1265
  for (const entry of header) {
1181
1266
  if (!utils$1.isArray(entry)) {
1182
- throw TypeError('Object iterator must return a key-value pair');
1267
+ throw new TypeError('Object iterator must return a key-value pair');
1183
1268
  }
1184
1269
 
1185
- obj[(key = entry[0])] = (dest = obj[key])
1186
- ? utils$1.isArray(dest)
1187
- ? [...dest, entry[1]]
1188
- : [dest, entry[1]]
1189
- : entry[1];
1270
+ key = entry[0];
1271
+
1272
+ if (utils$1.hasOwnProp(obj, key)) {
1273
+ dest = obj[key];
1274
+ obj[key] = utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]];
1275
+ } else {
1276
+ obj[key] = entry[1];
1277
+ }
1190
1278
  }
1191
1279
 
1192
1280
  setHeaders(obj, valueOrRewrite);
@@ -1479,7 +1567,19 @@ function redactConfig(config, redactKeys) {
1479
1567
  class AxiosError extends Error {
1480
1568
  static from(error, code, config, request, response, customProps) {
1481
1569
  const axiosError = new AxiosError(error.message, code || error.code, config, request, response);
1482
- axiosError.cause = error;
1570
+ // Match native `Error` `cause` semantics: non-enumerable. The wrapped
1571
+ // error often carries circular internals (sockets, requests, agents), so
1572
+ // an enumerable `cause` makes structured loggers (pino/winston) and any
1573
+ // own-property walk throw "Converting circular structure to JSON".
1574
+ // Regression from #6982; see #7205. `__proto__: null` mirrors the
1575
+ // `message` descriptor below (prototype-pollution-safe descriptor).
1576
+ Object.defineProperty(axiosError, 'cause', {
1577
+ __proto__: null,
1578
+ value: error,
1579
+ writable: true,
1580
+ enumerable: false,
1581
+ configurable: true,
1582
+ });
1483
1583
  axiosError.name = error.name;
1484
1584
 
1485
1585
  // Preserve status from the original error if not already set from response
@@ -1580,6 +1680,10 @@ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED';
1580
1680
  // eslint-disable-next-line strict
1581
1681
  var httpAdapter = null;
1582
1682
 
1683
+ // Default nesting limit shared with the inverse transform (formDataToJSON) so
1684
+ // the FormData <-> JSON round-trip stays symmetric.
1685
+ const DEFAULT_FORM_DATA_MAX_DEPTH = 100;
1686
+
1583
1687
  /**
1584
1688
  * Determines if the given thing is a array or js object.
1585
1689
  *
@@ -1690,8 +1794,9 @@ function toFormData(obj, formData, options) {
1690
1794
  const dots = options.dots;
1691
1795
  const indexes = options.indexes;
1692
1796
  const _Blob = options.Blob || (typeof Blob !== 'undefined' && Blob);
1693
- const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
1797
+ const maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
1694
1798
  const useBlob = _Blob && utils$1.isSpecCompliantForm(formData);
1799
+ const stack = [];
1695
1800
 
1696
1801
  if (!utils$1.isFunction(visitor)) {
1697
1802
  throw new TypeError('visitor must be a function');
@@ -1713,12 +1818,50 @@ function toFormData(obj, formData, options) {
1713
1818
  }
1714
1819
 
1715
1820
  if (utils$1.isArrayBuffer(value) || utils$1.isTypedArray(value)) {
1716
- return useBlob && typeof Blob === 'function' ? new Blob([value]) : Buffer.from(value);
1821
+ if (useBlob && typeof _Blob === 'function') {
1822
+ return new _Blob([value]);
1823
+ }
1824
+ if (typeof Buffer !== 'undefined') {
1825
+ return Buffer.from(value);
1826
+ }
1827
+ throw new AxiosError('Blob is not supported. Use a Buffer instead.', AxiosError.ERR_NOT_SUPPORT);
1717
1828
  }
1718
1829
 
1719
1830
  return value;
1720
1831
  }
1721
1832
 
1833
+ function throwIfMaxDepthExceeded(depth) {
1834
+ if (depth > maxDepth) {
1835
+ throw new AxiosError(
1836
+ 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
1837
+ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
1838
+ );
1839
+ }
1840
+ }
1841
+
1842
+ function stringifyWithDepthLimit(value, depth) {
1843
+ if (maxDepth === Infinity) {
1844
+ return JSON.stringify(value);
1845
+ }
1846
+
1847
+ const ancestors = [];
1848
+
1849
+ return JSON.stringify(value, function limitDepth(_key, currentValue) {
1850
+ if (!utils$1.isObject(currentValue)) {
1851
+ return currentValue;
1852
+ }
1853
+
1854
+ while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
1855
+ ancestors.pop();
1856
+ }
1857
+
1858
+ ancestors.push(currentValue);
1859
+ throwIfMaxDepthExceeded(depth + ancestors.length - 1);
1860
+
1861
+ return currentValue;
1862
+ });
1863
+ }
1864
+
1722
1865
  /**
1723
1866
  * Default visitor.
1724
1867
  *
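Review bot: `throwIfMaxDepthExceeded` relies on the single comparison `depth > maxDepth`, and `maxDepth` is taken from `options.maxDepth` (previous hunk) with no type check visible here. A `NaN` or non-numeric string makes that comparison always false, which silently disables the nesting limit in `build` and in the new `stringifyWithDepthLimit`. Unless the option is validated outside the visible hunks, I would reject bad values where `maxDepth` is assigned: `if (typeof maxDepth !== 'number' || Number.isNaN(maxDepth)) throw new TypeError('maxDepth must be a number');`. Both helpers are nested in `toFormData`, whose body starts and ends outside this hunk.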
@@ -1742,7 +1885,7 @@ function toFormData(obj, formData, options) {
1742
1885
  // eslint-disable-next-line no-param-reassign
1743
1886
  key = metaTokens ? key : key.slice(0, -2);
1744
1887
  // eslint-disable-next-line no-param-reassign
1745
- value = JSON.stringify(value);
1888
+ value = stringifyWithDepthLimit(value, 1);
1746
1889
  } else if (
1747
1890
  (utils$1.isArray(value) && isFlatArray(value)) ||
1748
1891
  ((utils$1.isFileList(value) || utils$1.endsWith(key, '[]')) && (arr = utils$1.toArray(value)))
@@ -1775,8 +1918,6 @@ function toFormData(obj, formData, options) {
1775
1918
  return false;
1776
1919
  }
1777
1920
 
1778
- const stack = [];
1779
-
1780
1921
  const exposedHelpers = Object.assign(predicates, {
1781
1922
  defaultVisitor,
1782
1923
  convertValue,
@@ -1786,15 +1927,10 @@ function toFormData(obj, formData, options) {
1786
1927
  function build(value, path, depth = 0) {
1787
1928
  if (utils$1.isUndefined(value)) return;
1788
1929
 
1789
- if (depth > maxDepth) {
1790
- throw new AxiosError(
1791
- 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
1792
- AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
1793
- );
1794
- }
1930
+ throwIfMaxDepthExceeded(depth);
1795
1931
 
1796
1932
  if (stack.indexOf(value) !== -1) {
1797
- throw Error('Circular reference detected in ' + path.join('.'));
1933
+ throw new Error('Circular reference detected in ' + path.join('.'));
1798
1934
  }
1799
1935
 
1800
1936
  stack.push(value);
@@ -1865,9 +2001,7 @@ prototype.append = function append(name, value) {
1865
2001
 
1866
2002
  prototype.toString = function toString(encoder) {
1867
2003
  const _encode = encoder
1868
- ? function (value) {
1869
- return encoder.call(this, value, encode$1);
1870
- }
2004
+ ? (value) => encoder.call(this, value, encode$1)
1871
2005
  : encode$1;
1872
2006
 
1873
2007
  return this._pairs
@@ -1906,8 +2040,7 @@ function buildURL(url, params, options) {
1906
2040
  if (!params) {
1907
2041
  return url;
1908
2042
  }
1909
-
1910
- const _encode = (options && options.encode) || encode;
2043
+ url = url || '';
1911
2044
 
1912
2045
  const _options = utils$1.isFunction(options)
1913
2046
  ? {
@@ -1915,7 +2048,11 @@ function buildURL(url, params, options) {
1915
2048
  }
1916
2049
  : options;
1917
2050
 
1918
- const serializeFn = _options && _options.serialize;
2051
+ // Read serializer options pollution-safely: own properties and methods on a
2052
+ // class/template prototype are honored, but values injected onto a polluted
2053
+ // Object.prototype are ignored.
2054
+ const _encode = utils$1.getSafeProp(_options, 'encode') || encode;
2055
+ const serializeFn = utils$1.getSafeProp(_options, 'serialize');
1919
2056
 
1920
2057
  let serializedParams;
1921
2058
 
@@ -2011,6 +2148,8 @@ var transitionalDefaults = {
2011
2148
  forcedJSONParsing: true,
2012
2149
  clarifyTimeoutError: false,
2013
2150
  legacyInterceptorReqResOrdering: true,
2151
+ advertiseZstdAcceptEncoding: false,
2152
+ validateStatusUndefinedResolves: true,
2014
2153
  };
2015
2154
 
2016
2155
  var URLSearchParams$1 = typeof URLSearchParams !== 'undefined' ? URLSearchParams : AxiosURLSearchParams;
@@ -2102,6 +2241,17 @@ function toURLEncodedForm(data, options) {
2102
2241
  });
2103
2242
  }
2104
2243
 
2244
+ const MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
2245
+
2246
+ function throwIfDepthExceeded(index) {
2247
+ if (index > MAX_DEPTH) {
2248
+ throw new AxiosError(
2249
+ 'FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH,
2250
+ AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
2251
+ );
2252
+ }
2253
+ }
2254
+
2105
2255
  /**
2106
2256
  * It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
2107
2257
  *
@@ -2114,9 +2264,16 @@ function parsePropPath(name) {
2114
2264
  // foo.x.y.z
2115
2265
  // foo-x-y-z
2116
2266
  // foo x y z
2117
- return utils$1.matchAll(/\w+|\[(\w*)]/g, name).map((match) => {
2118
- return match[0] === '[]' ? '' : match[1] || match[0];
2119
- });
2267
+ const path = [];
2268
+ const pattern = /\w+|\[(\w*)]/g;
2269
+ let match;
2270
+
2271
+ while ((match = pattern.exec(name)) !== null) {
2272
+ throwIfDepthExceeded(path.length);
2273
+ path.push(match[0] === '[]' ? '' : match[1] || match[0]);
2274
+ }
2275
+
2276
+ return path;
2120
2277
  }
2121
2278
 
2122
2279
  /**
@@ -2148,6 +2305,8 @@ function arrayToObject(arr) {
2148
2305
  */
2149
2306
  function formDataToJSON(formData) {
2150
2307
  function buildPath(path, value, target, index) {
2308
+ throwIfDepthExceeded(index);
2309
+
2151
2310
  let name = path[index++];
2152
2311
 
2153
2312
  if (name === '__proto__') return true;
@@ -2633,7 +2792,11 @@ var cookies = platform.hasStandardBrowserEnv
2633
2792
  const cookie = cookies[i].replace(/^\s+/, '');
2634
2793
  const eq = cookie.indexOf('=');
2635
2794
  if (eq !== -1 && cookie.slice(0, eq) === name) {
2636
- return decodeURIComponent(cookie.slice(eq + 1));
2795
+ try {
2796
+ return decodeURIComponent(cookie.slice(eq + 1));
2797
+ } catch (e) {
2798
+ return cookie.slice(eq + 1);
2799
+ }
2637
2800
  }
2638
2801
  }
2639
2802
  return null;
@@ -2684,6 +2847,31 @@ function combineURLs(baseURL, relativeURL) {
2684
2847
  : baseURL;
2685
2848
  }
2686
2849
 
2850
+ const malformedHttpProtocol = /^https?:(?!\/\/)/i;
2851
+ const httpProtocolControlCharacters = /[\t\n\r]/g;
2852
+
2853
+ function stripLeadingC0ControlOrSpace(url) {
2854
+ let i = 0;
2855
+ while (i < url.length && url.charCodeAt(i) <= 0x20) {
2856
+ i++;
2857
+ }
2858
+ return url.slice(i);
2859
+ }
2860
+
2861
+ function normalizeURLForProtocolCheck(url) {
2862
+ return stripLeadingC0ControlOrSpace(url).replace(httpProtocolControlCharacters, '');
2863
+ }
2864
+
2865
+ function assertValidHttpProtocolURL(url, config) {
2866
+ if (typeof url === 'string' && malformedHttpProtocol.test(normalizeURLForProtocolCheck(url))) {
2867
+ throw new AxiosError(
2868
+ 'Invalid URL: missing "//" after protocol',
2869
+ AxiosError.ERR_INVALID_URL,
2870
+ config
2871
+ );
2872
+ }
2873
+ }
2874
+
2687
2875
  /**
2688
2876
  * Creates a new URL by combining the baseURL with the requestedURL,
2689
2877
  * only when the requestedURL is not already an absolute URL.
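Review bot: The new helpers `stripLeadingC0ControlOrSpace`, `normalizeURLForProtocolCheck` and `assertValidHttpProtocolURL` have no comment saying what they guard against, unlike the JSDoc'd functions around them. The normalisation strips leading characters up to U+0020 and removes tab/CR/LF, which appears to mirror the preprocessing a WHATWG URL parser applies before reading the scheme. A comment should record that, so a later refactor does not drop a step and let such characters hide a scheme from the `^https?:(?!\/\/)` test. For example: `// Mirror WHATWG URL preprocessing (strip leading C0/space, drop tab/CR/LF) before rejecting "http(s):" that is not followed by "//".` It is also worth noting there that only `http:` and `https:` are checked.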
@@ -2694,9 +2882,11 @@ function combineURLs(baseURL, relativeURL) {
2694
2882
  *
2695
2883
  * @returns {string} The combined full path
2696
2884
  */
2697
- function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
2885
+ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls, config) {
2886
+ assertValidHttpProtocolURL(requestedURL, config);
2698
2887
  let isRelativeUrl = !isAbsoluteURL(requestedURL);
2699
2888
  if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) {
2889
+ assertValidHttpProtocolURL(baseURL, config);
2700
2890
  return combineURLs(baseURL, requestedURL);
2701
2891
  }
2702
2892
  return requestedURL;
@@ -2715,6 +2905,7 @@ const headersToObject = (thing) => (thing instanceof AxiosHeaders ? { ...thing }
2715
2905
  */
2716
2906
  function mergeConfig(config1, config2) {
2717
2907
  // eslint-disable-next-line no-param-reassign
2908
+ config1 = config1 || {};
2718
2909
  config2 = config2 || {};
2719
2910
 
2720
2911
  // Use a null-prototype object so that downstream reads such as `config.auth`
@@ -2767,6 +2958,28 @@ function mergeConfig(config1, config2) {
2767
2958
  }
2768
2959
  }
2769
2960
 
2961
+ function getMergedTransitionalOption(prop) {
2962
+ const transitional2 = utils$1.hasOwnProp(config2, 'transitional') ? config2.transitional : undefined;
2963
+
2964
+ if (!utils$1.isUndefined(transitional2)) {
2965
+ if (utils$1.isPlainObject(transitional2)) {
2966
+ if (utils$1.hasOwnProp(transitional2, prop)) {
2967
+ return transitional2[prop];
2968
+ }
2969
+ } else {
2970
+ return undefined;
2971
+ }
2972
+ }
2973
+
2974
+ const transitional1 = utils$1.hasOwnProp(config1, 'transitional') ? config1.transitional : undefined;
2975
+
2976
+ if (utils$1.isPlainObject(transitional1) && utils$1.hasOwnProp(transitional1, prop)) {
2977
+ return transitional1[prop];
2978
+ }
2979
+
2980
+ return undefined;
2981
+ }
2982
+
2770
2983
  // eslint-disable-next-line consistent-return
2771
2984
  function mergeDirectKeys(a, b, prop) {
2772
2985
  if (utils$1.hasOwnProp(config2, prop)) {
@@ -2819,6 +3032,18 @@ function mergeConfig(config1, config2) {
2819
3032
  (utils$1.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
2820
3033
  });
2821
3034
 
3035
+ if (
3036
+ utils$1.hasOwnProp(config2, 'validateStatus') &&
3037
+ utils$1.isUndefined(config2.validateStatus) &&
3038
+ getMergedTransitionalOption('validateStatusUndefinedResolves') === false
3039
+ ) {
3040
+ if (utils$1.hasOwnProp(config1, 'validateStatus')) {
3041
+ config.validateStatus = getMergedValue(undefined, config1.validateStatus);
3042
+ } else {
3043
+ delete config.validateStatus;
3044
+ }
3045
+ }
3046
+
2822
3047
  return config;
2823
3048
  }
2824
3049
 
@@ -2830,7 +3055,7 @@ function setFormDataHeaders(headers, formHeaders, policy) {
2830
3055
  return;
2831
3056
  }
2832
3057
 
2833
- Object.entries(formHeaders).forEach(([key, val]) => {
3058
+ Object.entries(formHeaders || {}).forEach(([key, val]) => {
2834
3059
  if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) {
2835
3060
  headers.set(key, val);
2836
3061
  }
@@ -2845,12 +3070,12 @@ function setFormDataHeaders(headers, formHeaders, policy) {
2845
3070
  *
2846
3071
  * @returns {string} UTF-8 bytes as a Latin-1 string
2847
3072
  */
2848
- const encodeUTF8 = (str) =>
3073
+ const encodeUTF8$1 = (str) =>
2849
3074
  encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) =>
2850
3075
  String.fromCharCode(parseInt(hex, 16))
2851
3076
  );
2852
3077
 
2853
- var resolveConfig = (config) => {
3078
+ function resolveConfig(config) {
2854
3079
  const newConfig = mergeConfig({}, config);
2855
3080
 
2856
3081
  // Read only own properties to prevent prototype pollution gadgets
@@ -2870,23 +3095,33 @@ var resolveConfig = (config) => {
2870
3095
  newConfig.headers = headers = AxiosHeaders.from(headers);
2871
3096
 
2872
3097
  newConfig.url = buildURL(
2873
- buildFullPath(baseURL, url, allowAbsoluteUrls),
2874
- config.params,
2875
- config.paramsSerializer
3098
+ buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig),
3099
+ own('params'),
3100
+ own('paramsSerializer')
2876
3101
  );
2877
3102
 
2878
3103
  // HTTP basic authentication
2879
3104
  if (auth) {
2880
- headers.set(
2881
- 'Authorization',
2882
- 'Basic ' +
2883
- btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : ''))
2884
- );
3105
+ const username = utils$1.getSafeProp(auth, 'username') || '';
3106
+ const password = utils$1.getSafeProp(auth, 'password') || '';
3107
+
3108
+ try {
3109
+ headers.set(
3110
+ 'Authorization',
3111
+ 'Basic ' + btoa(username + ':' + (password ? encodeUTF8$1(password) : ''))
3112
+ );
3113
+ } catch (e) {
3114
+ throw AxiosError.from(e, AxiosError.ERR_BAD_OPTION_VALUE, config);
3115
+ }
2885
3116
  }
2886
3117
 
2887
3118
  if (utils$1.isFormData(data)) {
2888
- if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) {
2889
- headers.setContentType(undefined); // browser handles it
3119
+ if (
3120
+ platform.hasStandardBrowserEnv ||
3121
+ platform.hasStandardBrowserWebWorkerEnv ||
3122
+ utils$1.isReactNative(data)
3123
+ ) {
3124
+ headers.setContentType(undefined); // browser/web worker/RN handles it
2890
3125
  } else if (utils$1.isFunction(data.getHeaders)) {
2891
3126
  // Node.js FormData (like form-data package)
2892
3127
  setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy'));
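Review bot: Only the password goes through `encodeUTF8$1` before `btoa`; the username is concatenated raw, so a username with characters outside Latin-1 still makes `btoa` throw. The new `try/catch` turns that into `ERR_BAD_OPTION_VALUE` rather than removing the cause. Encoding both halves the same way would fix the asymmetry: `'Basic ' + btoa(encodeUTF8$1(username) + ':' + (password ? encodeUTF8$1(password) : ''))`. That changes the bytes sent for Latin-1 usernames, so it needs to be a deliberate decision. Separately, the error is created with `config`, which carries `auth`, so anything that logs it should rely on the file's redaction path (presumably `redactConfig`) rather than dumping the object. `resolveConfig` continues outside this hunk.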
@@ -2918,7 +3153,7 @@ var resolveConfig = (config) => {
2918
3153
  }
2919
3154
 
2920
3155
  return newConfig;
2921
- };
3156
+ }
2922
3157
 
2923
3158
  const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined';
2924
3159
 
@@ -3128,6 +3363,7 @@ var xhrAdapter = isXHRAdapterSupported &&
3128
3363
  config
3129
3364
  )
3130
3365
  );
3366
+ done();
3131
3367
  return;
3132
3368
  }
3133
3369
 
@@ -3179,7 +3415,7 @@ const composeSignals = (signals, timeout) => {
3179
3415
  signals = null;
3180
3416
  };
3181
3417
 
3182
- signals.forEach((signal) => signal.addEventListener('abort', onabort));
3418
+ signals.forEach((signal) => signal.addEventListener('abort', onabort, { once: true }));
3183
3419
 
3184
3420
  const { signal } = controller;
3185
3421
 
@@ -3282,11 +3518,19 @@ const trackStream = (stream, chunkSize, onProgress, onFinish) => {
3282
3518
  * Estimate decoded byte length of a data:// URL *without* allocating large buffers.
3283
3519
  * - For base64: compute exact decoded size using length and padding;
3284
3520
  * handle %XX at the character-count level (no string allocation).
3285
- * - For non-base64: use UTF-8 byteLength of the encoded body as a safe upper bound.
3521
+ * - For non-base64: compute the exact percent-decoded UTF-8 byte length.
3286
3522
  *
3287
3523
  * @param {string} url
3288
3524
  * @returns {number}
3289
3525
  */
3526
+ const isHexDigit = (charCode) =>
3527
+ (charCode >= 48 && charCode <= 57) ||
3528
+ (charCode >= 65 && charCode <= 70) ||
3529
+ (charCode >= 97 && charCode <= 102);
3530
+
3531
+ const isPercentEncodedByte = (str, i, len) =>
3532
+ i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
3533
+
3290
3534
  function estimateDataURLDecodedBytes(url) {
3291
3535
  if (!url || typeof url !== 'string') return 0;
3292
3536
  if (!url.startsWith('data:')) return 0;
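Review bot: `isHexDigit` and `isPercentEncodedByte` were inserted between the JSDoc block and `function estimateDataURLDecodedBytes(url)`, so the block describing the estimator, with its `@param {string} url`, now sits on `isHexDigit` and the function itself is left undocumented. Move the two helpers above the `/**` line, or give them their own one-line comments and keep the JSDoc directly over the function. Since the non-base64 branch now claims an exact length instead of an upper bound, the JSDoc should also say that this size guard assumes the decoder percent-decodes the body the same way. The function body continues outside this hunk.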
@@ -3306,9 +3550,7 @@ function estimateDataURLDecodedBytes(url) {
3306
3550
  if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
3307
3551
  const a = body.charCodeAt(i + 1);
3308
3552
  const b = body.charCodeAt(i + 2);
3309
- const isHex =
3310
- ((a >= 48 && a <= 57) || (a >= 65 && a <= 70) || (a >= 97 && a <= 102)) &&
3311
- ((b >= 48 && b <= 57) || (b >= 65 && b <= 70) || (b >= 97 && b <= 102));
3553
+ const isHex = isHexDigit(a) && isHexDigit(b);
3312
3554
 
3313
3555
  if (isHex) {
3314
3556
  effectiveLen -= 2;
@@ -3349,18 +3591,17 @@ function estimateDataURLDecodedBytes(url) {
3349
3591
  return bytes > 0 ? bytes : 0;
3350
3592
  }
3351
3593
 
3352
- if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
3353
- return Buffer.byteLength(body, 'utf8');
3354
- }
3355
-
3356
3594
  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
3357
3595
  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
3358
- // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
3359
- // but 3 UTF-8 bytes).
3596
+ // Valid %XX triplets count as one decoded byte; this matches the bytes that
3597
+ // decodeURIComponent(body) would produce before Buffer re-encodes the string.
3360
3598
  let bytes = 0;
3361
3599
  for (let i = 0, len = body.length; i < len; i++) {
3362
3600
  const c = body.charCodeAt(i);
3363
- if (c < 0x80) {
3601
+ if (c === 37 /* '%' */ && isPercentEncodedByte(body, i, len)) {
3602
+ bytes += 1;
3603
+ i += 2;
3604
+ } else if (c < 0x80) {
3364
3605
  bytes += 1;
3365
3606
  } else if (c < 0x800) {
3366
3607
  bytes += 2;
@@ -3379,12 +3620,41 @@ function estimateDataURLDecodedBytes(url) {
3379
3620
  return bytes;
3380
3621
  }
3381
3622
 
3382
- const VERSION = "1.16.1";
3623
+ const VERSION = "1.18.1";
3383
3624
 
3384
3625
  const DEFAULT_CHUNK_SIZE = 64 * 1024;
3385
3626
 
3386
3627
  const { isFunction } = utils$1;
3387
3628
 
3629
+ /**
3630
+ * Encode a UTF-8 string to a Latin-1 byte string for use with btoa().
3631
+ * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern.
3632
+ *
3633
+ * @param {string} str The string to encode
3634
+ *
3635
+ * @returns {string} UTF-8 bytes as a Latin-1 string
3636
+ */
3637
+ const encodeUTF8 = (str) =>
3638
+ encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) =>
3639
+ String.fromCharCode(parseInt(hex, 16))
3640
+ );
3641
+
3642
+ // Node's WHATWG URL parser returns `username` and `password` percent-encoded.
3643
+ // Decode before composing the `auth` option so credentials such as
3644
+ // `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the
3645
+ // original value for malformed input so a bad encoding never throws.
3646
+ const decodeURIComponentSafe = (value) => {
3647
+ if (!utils$1.isString(value)) {
3648
+ return value;
3649
+ }
3650
+
3651
+ try {
3652
+ return decodeURIComponent(value);
3653
+ } catch (error) {
3654
+ return value;
3655
+ }
3656
+ };
3657
+
3388
3658
  const test = (fn, ...args) => {
3389
3659
  try {
3390
3660
  return !!fn(...args);
@@ -3393,6 +3663,15 @@ const test = (fn, ...args) => {
3393
3663
  }
3394
3664
  };
3395
3665
 
3666
+ const maybeWithAuthCredentials = (url) => {
3667
+ const protocolIndex = url.indexOf('://');
3668
+ let urlToCheck = url;
3669
+ if (protocolIndex !== -1) {
3670
+ urlToCheck = urlToCheck.slice(protocolIndex + 3);
3671
+ }
3672
+ return urlToCheck.includes('@') || urlToCheck.includes(':');
3673
+ };
3674
+
3396
3675
  const factory = (env) => {
3397
3676
  const globalObject =
3398
3677
  utils$1.global !== undefined && utils$1.global !== null
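Review bot: `maybeWithAuthCredentials` carries no comment saying it is only a cheap pre-filter, while its name reads as if it detects credentials. It returns true for any `:` or `@` after the scheme, so host:port URLs and colons in a path or query also pass; that is harmless only because the call site in a later hunk of this file parses with `new URL()` and checks `username`/`password`. I would add above it: `// Cheap pre-filter: true for any '@' or ':' after the scheme (ports and query values too); the caller's new URL() parse decides whether credentials are really present.` It also calls `url.indexOf` unguarded, so it presumably relies on the caller always passing a string.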
@@ -3540,6 +3819,7 @@ const factory = (env) => {
3540
3819
 
3541
3820
  const hasMaxContentLength = utils$1.isNumber(maxContentLength) && maxContentLength > -1;
3542
3821
  const hasMaxBodyLength = utils$1.isNumber(maxBodyLength) && maxBodyLength > -1;
3822
+ const own = (key) => (utils$1.hasOwnProp(config, key) ? config[key] : undefined);
3543
3823
 
3544
3824
  let _fetch = envFetch || fetch;
3545
3825
 
@@ -3561,7 +3841,61 @@ const factory = (env) => {
3561
3841
 
3562
3842
  let requestContentLength;
3563
3843
 
3844
+ // AxiosError we raise while the request body is being streamed. Captured
3845
+ // by identity so the catch block can surface it directly, regardless of
3846
+ // how the runtime wraps the resulting fetch rejection (undici exposes it
3847
+ // as `err.cause`; some browsers drop the original error entirely).
3848
+ let pendingBodyError = null;
3849
+
3850
+ const maxBodyLengthError = () =>
3851
+ new AxiosError(
3852
+ 'Request body larger than maxBodyLength limit',
3853
+ AxiosError.ERR_BAD_REQUEST,
3854
+ config,
3855
+ request
3856
+ );
3857
+
3564
3858
  try {
3859
+ // HTTP basic authentication
3860
+ let auth = undefined;
3861
+ const configAuth = own('auth');
3862
+
3863
+ if (configAuth) {
3864
+ const username = utils$1.getSafeProp(configAuth, 'username') || '';
3865
+ const password = utils$1.getSafeProp(configAuth, 'password') || '';
3866
+ auth = {
3867
+ username,
3868
+ password
3869
+ };
3870
+ }
3871
+
3872
+ if (maybeWithAuthCredentials(url)) {
3873
+ const parsedURL = new URL(url, platform.origin);
3874
+
3875
+ if (!auth && (parsedURL.username || parsedURL.password)) {
3876
+ const urlUsername = decodeURIComponentSafe(parsedURL.username);
3877
+ const urlPassword = decodeURIComponentSafe(parsedURL.password);
3878
+ auth = {
3879
+ username: urlUsername,
3880
+ password: urlPassword
3881
+ };
3882
+ }
3883
+
3884
+ if (parsedURL.username || parsedURL.password) {
3885
+ parsedURL.username = '';
3886
+ parsedURL.password = '';
3887
+ url = parsedURL.href;
3888
+ }
3889
+ }
3890
+
3891
+ if (auth) {
3892
+ headers.delete('authorization');
3893
+ headers.set(
3894
+ 'Authorization',
3895
+ 'Basic ' + btoa(encodeUTF8((auth.username || '') + ':' + (auth.password || '')))
3896
+ );
3897
+ }
3898
+
3565
3899
  // Enforce maxContentLength for data: URLs up-front so we never materialize
3566
3900
  // an oversized payload. The HTTP adapter applies the same check (see http.js
3567
3901
  // "if (protocol === 'data:')" branch).
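Review bot: The decoded URL username is joined into `username:password` without rejecting a `:` inside it. A user part such as `a%3Ab` decodes to `a:b`, and a Basic-auth receiver splits at the first colon, so the server would see a different user/password boundary than the URL expressed (RFC 7617 disallows a colon in the user-id). Consider a guard before the header is built, e.g. `if (String(auth.username).includes(':')) throw new AxiosError('Basic auth username must not contain a colon', AxiosError.ERR_BAD_OPTION_VALUE, config, request);`, which would also cover a `config.auth.username` supplied by the caller. The enclosing `try` block continues beyond this hunk.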
@@ -3577,53 +3911,96 @@ const factory = (env) => {
3577
3911
  }
3578
3912
  }
3579
3913
 
3580
- // Enforce maxBodyLength against the outbound request body before dispatch.
3581
- // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than
3582
- // maxBodyLength limit'). Skip when the body length cannot be determined
3583
- // (e.g. a live ReadableStream supplied by the caller).
3914
+ // Enforce maxBodyLength against known-size bodies before dispatch using
3915
+ // the body's *actual* size never a caller-declared Content-Length,
3916
+ // which could under-report to slip an oversized body past the check.
3917
+ // Unknown-size streams return undefined here and are counted per-chunk
3918
+ // below as fetch consumes them.
3584
3919
  if (hasMaxBodyLength && method !== 'get' && method !== 'head') {
3585
- const outboundLength = await resolveBodyLength(headers, data);
3586
- if (
3587
- typeof outboundLength === 'number' &&
3588
- isFinite(outboundLength) &&
3589
- outboundLength > maxBodyLength
3590
- ) {
3591
- throw new AxiosError(
3592
- 'Request body larger than maxBodyLength limit',
3593
- AxiosError.ERR_BAD_REQUEST,
3594
- config,
3595
- request
3596
- );
3920
+ const outboundLength = await getBodyLength(data);
3921
+ if (typeof outboundLength === 'number' && isFinite(outboundLength)) {
3922
+ requestContentLength = outboundLength;
3923
+ if (outboundLength > maxBodyLength) {
3924
+ throw maxBodyLengthError();
3925
+ }
3597
3926
  }
3598
3927
  }
3599
3928
 
3929
+ // A streamed body under maxBodyLength must be counted as fetch consumes
3930
+ // it; its size is never trusted from a caller-declared Content-Length.
3931
+ const mustEnforceStreamBody =
3932
+ hasMaxBodyLength && (utils$1.isReadableStream(data) || utils$1.isStream(data));
3933
+
3934
+ const trackRequestStream = (stream, onProgress, flush) =>
3935
+ trackStream(
3936
+ stream,
3937
+ DEFAULT_CHUNK_SIZE,
3938
+ (loadedBytes) => {
3939
+ if (hasMaxBodyLength && loadedBytes > maxBodyLength) {
3940
+ throw (pendingBodyError = maxBodyLengthError());
3941
+ }
3942
+ onProgress && onProgress(loadedBytes);
3943
+ },
3944
+ flush
3945
+ );
3946
+
3600
3947
  if (
3601
- onUploadProgress &&
3602
3948
  supportsRequestStream &&
3603
3949
  method !== 'get' &&
3604
3950
  method !== 'head' &&
3605
- (requestContentLength = await resolveBodyLength(headers, data)) !== 0
3951
+ (onUploadProgress || mustEnforceStreamBody)
3606
3952
  ) {
3607
- let _request = new Request(url, {
3608
- method: 'POST',
3609
- body: data,
3610
- duplex: 'half',
3611
- });
3953
+ requestContentLength =
3954
+ requestContentLength == null ? await resolveBodyLength(headers, data) : requestContentLength;
3955
+
3956
+ // A declared length of 0 is only trusted to skip the wrap when we are
3957
+ // not enforcing a stream limit (which must not rely on that header).
3958
+ if (requestContentLength !== 0 || mustEnforceStreamBody) {
3959
+ let _request = new Request(url, {
3960
+ method: 'POST',
3961
+ body: data,
3962
+ duplex: 'half',
3963
+ });
3612
3964
 
3613
- let contentTypeHeader;
3965
+ let contentTypeHeader;
3614
3966
 
3615
- if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
3616
- headers.setContentType(contentTypeHeader);
3617
- }
3967
+ if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
3968
+ headers.setContentType(contentTypeHeader);
3969
+ }
3618
3970
 
3619
- if (_request.body) {
3620
- const [onProgress, flush] = progressEventDecorator(
3621
- requestContentLength,
3622
- progressEventReducer(asyncDecorator(onUploadProgress))
3623
- );
3971
+ if (_request.body) {
3972
+ const [onProgress, flush] =
3973
+ (onUploadProgress &&
3974
+ progressEventDecorator(
3975
+ requestContentLength,
3976
+ progressEventReducer(asyncDecorator(onUploadProgress))
3977
+ )) ||
3978
+ [];
3624
3979
 
3625
- data = trackStream(_request.body, DEFAULT_CHUNK_SIZE, onProgress, flush);
3980
+ data = trackRequestStream(_request.body, onProgress, flush);
3981
+ }
3626
3982
  }
3983
+ } else if (
3984
+ mustEnforceStreamBody &&
3985
+ !isRequestSupported &&
3986
+ isReadableStreamSupported &&
3987
+ method !== 'get' &&
3988
+ method !== 'head'
3989
+ ) {
3990
+ data = trackRequestStream(data);
3991
+ } else if (
3992
+ mustEnforceStreamBody &&
3993
+ isRequestSupported &&
3994
+ !supportsRequestStream &&
3995
+ method !== 'get' &&
3996
+ method !== 'head'
3997
+ ) {
3998
+ throw new AxiosError(
3999
+ 'Stream request bodies are not supported by the current fetch implementation',
4000
+ AxiosError.ERR_NOT_SUPPORT,
4001
+ config,
4002
+ request
4003
+ );
3627
4004
  }
3628
4005
 
3629
4006
  if (!utils$1.isString(withCredentials)) {
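Review bot: The three-way branch leaves one combination unenforced: a stream body with `maxBodyLength` set, when neither `isRequestSupported` nor `isReadableStreamSupported` is true, matches none of the arms and is dispatched without being counted (assuming `supportsRequestStream` implies `isRequestSupported`). That case may be unreachable in practice, but the limit is a safety control, so the last arm could fail closed for everything the first two did not wrap: `} else if (mustEnforceStreamBody && method !== 'get' && method !== 'head') {`. Separately, `throw (pendingBodyError = maxBodyLengthError());` hides a state change inside the throw expression; assigning first and then throwing reads more clearly. The surrounding `try` starts and ends outside this hunk.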
@@ -3666,10 +4043,12 @@ const factory = (env) => {
3666
4043
  ? _fetch(request, fetchOptions)
3667
4044
  : _fetch(url, resolvedOptions));
3668
4045
 
4046
+ const responseHeaders = AxiosHeaders.from(response.headers);
4047
+
3669
4048
  // Cheap pre-check: if the server honestly declares a content-length that
3670
4049
  // already exceeds the cap, reject before we start streaming.
3671
4050
  if (hasMaxContentLength) {
3672
- const declaredLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
4051
+ const declaredLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
3673
4052
  if (declaredLength != null && declaredLength > maxContentLength) {
3674
4053
  throw new AxiosError(
3675
4054
  'maxContentLength size of ' + maxContentLength + ' exceeded',
@@ -3694,7 +4073,7 @@ const factory = (env) => {
3694
4073
  options[prop] = response[prop];
3695
4074
  });
3696
4075
 
3697
- const responseContentLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
4076
+ const responseContentLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
3698
4077
 
3699
4078
  const [onProgress, flush] =
3700
4079
  (onDownloadProgress &&
@@ -3785,23 +4164,55 @@ const factory = (env) => {
3785
4164
  const canceledError = composedSignal.reason;
3786
4165
  canceledError.config = config;
3787
4166
  request && (canceledError.request = request);
3788
- err !== canceledError && (canceledError.cause = err);
4167
+ if (err !== canceledError) {
4168
+ // Non-enumerable to match native Error `cause` semantics so loggers
4169
+ // don't recurse into circular fetch internals (see #7205).
4170
+ Object.defineProperty(canceledError, 'cause', {
4171
+ __proto__: null,
4172
+ value: err,
4173
+ writable: true,
4174
+ enumerable: false,
4175
+ configurable: true,
4176
+ });
4177
+ }
3789
4178
  throw canceledError;
3790
4179
  }
3791
4180
 
4181
+ // Surface a maxBodyLength violation we raised while the request body was
4182
+ // being streamed. Matching by identity (rather than reading
4183
+ // `err.cause.isAxiosError`) keeps the error deterministic across runtimes
4184
+ // and avoids both prototype-pollution reads and mis-attributing a foreign
4185
+ // AxiosError that merely happened to land in `err.cause`.
4186
+ if (pendingBodyError) {
4187
+ request && !pendingBodyError.request && (pendingBodyError.request = request);
4188
+ throw pendingBodyError;
4189
+ }
4190
+
4191
+ // Re-throw AxiosErrors we raised synchronously (data: URL / content-length
4192
+ // pre-checks, response size enforcement) without re-wrapping them.
4193
+ if (err instanceof AxiosError) {
4194
+ request && !err.request && (err.request = request);
4195
+ throw err;
4196
+ }
4197
+
3792
4198
  if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) {
3793
- throw Object.assign(
3794
- new AxiosError(
3795
- 'Network Error',
3796
- AxiosError.ERR_NETWORK,
3797
- config,
3798
- request,
3799
- err && err.response
3800
- ),
3801
- {
3802
- cause: err.cause || err,
3803
- }
4199
+ const networkError = new AxiosError(
4200
+ 'Network Error',
4201
+ AxiosError.ERR_NETWORK,
4202
+ config,
4203
+ request,
4204
+ err && err.response
3804
4205
  );
4206
+ // Non-enumerable to match native Error `cause` semantics so loggers
4207
+ // don't recurse into circular fetch internals (see #7205).
4208
+ Object.defineProperty(networkError, 'cause', {
4209
+ __proto__: null,
4210
+ value: err.cause || err,
4211
+ writable: true,
4212
+ enumerable: false,
4213
+ configurable: true,
4214
+ });
4215
+ throw networkError;
3805
4216
  }
3806
4217
 
3807
4218
  throw AxiosError.from(err, err && err.code, config, request, err && err.response);
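Review bot: The comment above `if (pendingBodyError)` says the error is matched by identity, but the branch never inspects `err`: once the body-limit callback has fired, any rejection reaching this catch is replaced by the stored error. That behaviour looks intended, so the comment should say so, e.g. `// If the body-limit callback fired, surface that AxiosError whatever the runtime did with the fetch rejection; err itself is deliberately not inspected.` The two `Object.defineProperty(..., 'cause', { __proto__: null, ... })` blocks are also identical apart from target and value, and a small local helper would keep the null-prototype descriptor in one place. The catch block begins outside this hunk.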
@@ -3939,7 +4350,7 @@ function getAdapter(adapters, config) {
3939
4350
 
3940
4351
  throw new AxiosError(
3941
4352
  `There is no suitable adapter to dispatch the request ` + s,
3942
- 'ERR_NOT_SUPPORT'
4353
+ AxiosError.ERR_NOT_SUPPORT
3943
4354
  );
3944
4355
  }
3945
4356
 
@@ -4120,7 +4531,7 @@ validators$1.spelling = function spelling(correctSpelling) {
4120
4531
  */
4121
4532
 
4122
4533
  function assertOptions(options, schema, allowUnknown) {
4123
- if (typeof options !== 'object') {
4534
+ if (typeof options !== 'object' || options === null) {
4124
4535
  throw new AxiosError('options must be an object', AxiosError.ERR_BAD_OPTION_VALUE);
4125
4536
  }
4126
4537
  const keys = Object.keys(options);
@@ -4243,6 +4654,8 @@ class Axios {
4243
4654
  forcedJSONParsing: validators.transitional(validators.boolean),
4244
4655
  clarifyTimeoutError: validators.transitional(validators.boolean),
4245
4656
  legacyInterceptorReqResOrdering: validators.transitional(validators.boolean),
4657
+ advertiseZstdAcceptEncoding: validators.transitional(validators.boolean),
4658
+ validateStatusUndefinedResolves: validators.transitional(validators.boolean),
4246
4659
  },
4247
4660
  false
4248
4661
  );
@@ -4372,7 +4785,7 @@ class Axios {
4372
4785
 
4373
4786
  getUri(config) {
4374
4787
  config = mergeConfig(this.defaults, config);
4375
- const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
4788
+ const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls, config);
4376
4789
  return buildURL(fullPath, config.params, config.paramsSerializer);
4377
4790
  }
4378
4791
  }
@@ -4385,7 +4798,7 @@ utils$1.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNoDa
4385
4798
  mergeConfig(config || {}, {
4386
4799
  method,
4387
4800
  url,
4388
- data: (config || {}).data,
4801
+ data: config && utils$1.hasOwnProp(config, 'data') ? config.data : undefined,
4389
4802
  })
4390
4803
  );
4391
4804
  };