From 4d0f15a90dbcf344495cb30ac4707a3ca75cfdde Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 29 Jun 2026 04:44:38 +0000 Subject: [PATCH] chore(deps): update dependency node to v24.18.0 --- .github/workflows/dist.yml | 2 +- .github/workflows/test.yml | 2 +- dist/index.js | 2588 +++++++++++++++++++++++++++--------- package-lock.json | 34 +- package.json | 2 +- 5 files changed, 1987 insertions(+), 641 deletions(-) diff --git a/.github/workflows/dist.yml b/.github/workflows/dist.yml index 0db251ba..b9e2fd2b 100644 --- a/.github/workflows/dist.yml +++ b/.github/workflows/dist.yml @@ -14,7 +14,7 @@ jobs: - name: Setup node 24 uses: actions/setup-node@v6 with: - node-version: 24.11.1 + node-version: 24.18.0 - name: install run: npm ci diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 63c1c660..7fe3f36e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -57,7 +57,7 @@ jobs: - name: Setup node 24 uses: actions/setup-node@v6 with: - node-version: 24.11.1 + node-version: 24.18.0 - name: Install package dependencies run: npm install diff --git a/dist/index.js b/dist/index.js index 01147da3..3a949af2 100644 --- a/dist/index.js +++ b/dist/index.js @@ -12505,6 +12505,241 @@ module.exports = function (/*Buffer|null*/ inBuffer, /** object */ options) { }; +/***/ }), + +/***/ 8207: +/***/ (function(module, __unused_webpack_exports, __nccwpck_require__) { + +"use strict"; + +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +const events_1 = __nccwpck_require__(4434); +const debug_1 = __importDefault(__nccwpck_require__(2830)); +const promisify_1 = __importDefault(__nccwpck_require__(8067)); +const debug = debug_1.default('agent-base'); +function isAgent(v) { + return Boolean(v) && typeof v.addRequest === 'function'; +} +function isSecureEndpoint() { + const { stack } = new Error(); + if (typeof stack !== 'string') + return false; + return stack.split('\n').some(l => l.indexOf('(https.js:') !== -1 || l.indexOf('node:https:') !== -1); +} +function createAgent(callback, opts) { + return new createAgent.Agent(callback, opts); +} +(function (createAgent) { + /** + * Base `http.Agent` implementation. + * No pooling/keep-alive is implemented by default. + * + * @param {Function} callback + * @api public + */ + class Agent extends events_1.EventEmitter { + constructor(callback, _opts) { + super(); + let opts = _opts; + if (typeof callback === 'function') { + this.callback = callback; + } + else if (callback) { + opts = callback; + } + // Timeout for the socket to be returned from the callback + this.timeout = null; + if (opts && typeof opts.timeout === 'number') { + this.timeout = opts.timeout; + } + // These aren't actually used by `agent-base`, but are required + // for the TypeScript definition files in `@types/node` :/ + this.maxFreeSockets = 1; + this.maxSockets = 1; + this.maxTotalSockets = Infinity; + this.sockets = {}; + this.freeSockets = {}; + this.requests = {}; + this.options = {}; + } + get defaultPort() { + if (typeof this.explicitDefaultPort === 'number') { + return this.explicitDefaultPort; + } + return isSecureEndpoint() ? 443 : 80; + } + set defaultPort(v) { + this.explicitDefaultPort = v; + } + get protocol() { + if (typeof this.explicitProtocol === 'string') { + return this.explicitProtocol; + } + return isSecureEndpoint() ? 'https:' : 'http:'; + } + set protocol(v) { + this.explicitProtocol = v; + } + callback(req, opts, fn) { + throw new Error('"agent-base" has no default implementation, you must subclass and override `callback()`'); + } + /** + * Called by node-core's "_http_client.js" module when creating + * a new HTTP request with this Agent instance. + * + * @api public + */ + addRequest(req, _opts) { + const opts = Object.assign({}, _opts); + if (typeof opts.secureEndpoint !== 'boolean') { + opts.secureEndpoint = isSecureEndpoint(); + } + if (opts.host == null) { + opts.host = 'localhost'; + } + if (opts.port == null) { + opts.port = opts.secureEndpoint ? 443 : 80; + } + if (opts.protocol == null) { + opts.protocol = opts.secureEndpoint ? 'https:' : 'http:'; + } + if (opts.host && opts.path) { + // If both a `host` and `path` are specified then it's most + // likely the result of a `url.parse()` call... we need to + // remove the `path` portion so that `net.connect()` doesn't + // attempt to open that as a unix socket file. + delete opts.path; + } + delete opts.agent; + delete opts.hostname; + delete opts._defaultAgent; + delete opts.defaultPort; + delete opts.createConnection; + // Hint to use "Connection: close" + // XXX: non-documented `http` module API :( + req._last = true; + req.shouldKeepAlive = false; + let timedOut = false; + let timeoutId = null; + const timeoutMs = opts.timeout || this.timeout; + const onerror = (err) => { + if (req._hadError) + return; + req.emit('error', err); + // For Safety. Some additional errors might fire later on + // and we need to make sure we don't double-fire the error event. + req._hadError = true; + }; + const ontimeout = () => { + timeoutId = null; + timedOut = true; + const err = new Error(`A "socket" was not created for HTTP request before ${timeoutMs}ms`); + err.code = 'ETIMEOUT'; + onerror(err); + }; + const callbackError = (err) => { + if (timedOut) + return; + if (timeoutId !== null) { + clearTimeout(timeoutId); + timeoutId = null; + } + onerror(err); + }; + const onsocket = (socket) => { + if (timedOut) + return; + if (timeoutId != null) { + clearTimeout(timeoutId); + timeoutId = null; + } + if (isAgent(socket)) { + // `socket` is actually an `http.Agent` instance, so + // relinquish responsibility for this `req` to the Agent + // from here on + debug('Callback returned another Agent instance %o', socket.constructor.name); + socket.addRequest(req, opts); + return; + } + if (socket) { + socket.once('free', () => { + this.freeSocket(socket, opts); + }); + req.onSocket(socket); + return; + } + const err = new Error(`no Duplex stream was returned to agent-base for \`${req.method} ${req.path}\``); + onerror(err); + }; + if (typeof this.callback !== 'function') { + onerror(new Error('`callback` is not defined')); + return; + } + if (!this.promisifiedCallback) { + if (this.callback.length >= 3) { + debug('Converting legacy callback function to promise'); + this.promisifiedCallback = promisify_1.default(this.callback); + } + else { + this.promisifiedCallback = this.callback; + } + } + if (typeof timeoutMs === 'number' && timeoutMs > 0) { + timeoutId = setTimeout(ontimeout, timeoutMs); + } + if ('port' in opts && typeof opts.port !== 'number') { + opts.port = Number(opts.port); + } + try { + debug('Resolving socket for %o request: %o', opts.protocol, `${req.method} ${req.path}`); + Promise.resolve(this.promisifiedCallback(req, opts)).then(onsocket, callbackError); + } + catch (err) { + Promise.reject(err).catch(callbackError); + } + } + freeSocket(socket, opts) { + debug('Freeing socket %o %o', socket.constructor.name, opts); + socket.destroy(); + } + destroy() { + debug('Destroying agent %o', this.constructor.name); + } + } + createAgent.Agent = Agent; + // So that `instanceof` works correctly + createAgent.prototype = createAgent.Agent.prototype; +})(createAgent || (createAgent = {})); +module.exports = createAgent; +//# sourceMappingURL=index.js.map + +/***/ }), + +/***/ 8067: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +function promisify(fn) { + return function (req, opts) { + return new Promise((resolve, reject) => { + fn.call(this, req, opts, (err, rtn) => { + if (err) { + reject(err); + } + else { + resolve(rtn); + } + }); + }); + }; +} +exports["default"] = promisify; +//# sourceMappingURL=promisify.js.map + /***/ }), /***/ 1324: @@ -14541,6 +14776,13 @@ catch (error) { useNativeURL = error.code === "ERR_INVALID_URL"; } +// HTTP headers to drop across HTTP/HTTPS and domain boundaries +var sensitiveHeaders = [ + "Authorization", + "Proxy-Authorization", + "Cookie", +]; + // URL fields to preserve in copy operations var preservedUrlFields = [ "auth", @@ -14622,6 +14864,11 @@ function RedirectableRequest(options, responseCallback) { } }; + // Create filter for sensitive HTTP headers + this._headerFilter = new RegExp("^(?:" + + sensitiveHeaders.concat(options.sensitiveHeaders).map(escapeRegex).join("|") + + ")$", "i"); + // Perform the first request this._performRequest(); } @@ -14805,6 +15052,9 @@ RedirectableRequest.prototype._sanitizeOptions = function (options) { if (!options.headers) { options.headers = {}; } + if (!isArray(options.sensitiveHeaders)) { + options.sensitiveHeaders = []; + } // Since http.request treats host as an alias of hostname, // but the url module interprets host as hostname plus port, @@ -14987,7 +15237,7 @@ RedirectableRequest.prototype._processResponse = function (response) { redirectUrl.protocol !== "https:" || redirectUrl.host !== currentHost && !isSubdomain(redirectUrl.host, currentHost)) { - removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers); + removeMatchingHeaders(this._headerFilter, this._options.headers); } // Evaluate the beforeRedirect callback @@ -15180,6 +15430,10 @@ function isSubdomain(subdomain, domain) { return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain); } +function isArray(value) { + return value instanceof Array; +} + function isString(value) { return typeof value === "string" || value instanceof String; } @@ -15196,6 +15450,10 @@ function isURL(value) { return URL && value instanceof URL; } +function escapeRegex(regex) { + return regex.replace(/[\]\\/()*+?.$]/g, "\\$&"); +} + // Exports module.exports = wrap({ http: http, https: https }); module.exports.wrap = wrap; @@ -15224,6 +15482,18 @@ var setToStringTag = __nccwpck_require__(8700); var hasOwn = __nccwpck_require__(4076); var populate = __nccwpck_require__(1835); +/** + * Escape CR, LF, and `"` in a multipart `name`/`filename` parameter, so a field + * name or filename can not break out of its header line to inject headers or + * smuggle additional parts. Matches the WHATWG HTML multipart/form-data encoding. + * + * @param {string} str - the parameter value to escape + * @returns {string} the escaped value + */ +function escapeHeaderParam(str) { + return String(str).replace(/\r/g, '%0D').replace(/\n/g, '%0A').replace(/"/g, '%22'); +} + /** * Create readable "multipart/form-data" streams. * Can be used to submit forms @@ -15389,7 +15659,7 @@ FormData.prototype._multiPartHeader = function (field, value, options) { var contents = ''; var headers = { // add custom disposition as third element or keep it two elements if not - 'Content-Disposition': ['form-data', 'name="' + field + '"'].concat(contentDisposition || []), + 'Content-Disposition': ['form-data', 'name="' + escapeHeaderParam(field) + '"'].concat(contentDisposition || []), // if no content type. allow it to be empty array 'Content-Type': [].concat(contentType || []) }; @@ -15443,7 +15713,7 @@ FormData.prototype._getContentDisposition = function (value, options) { // eslin } if (filename) { - return 'filename="' + filename + '"'; + return 'filename="' + escapeHeaderParam(filename) + '"'; } }; @@ -19578,6 +19848,284 @@ var bind = __nccwpck_require__(7564); module.exports = bind.call(call, $hasOwn); +/***/ }), + +/***/ 6904: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +const net_1 = __importDefault(__nccwpck_require__(9278)); +const tls_1 = __importDefault(__nccwpck_require__(4756)); +const url_1 = __importDefault(__nccwpck_require__(7016)); +const assert_1 = __importDefault(__nccwpck_require__(2613)); +const debug_1 = __importDefault(__nccwpck_require__(2830)); +const agent_base_1 = __nccwpck_require__(8207); +const parse_proxy_response_1 = __importDefault(__nccwpck_require__(7943)); +const debug = debug_1.default('https-proxy-agent:agent'); +/** + * The `HttpsProxyAgent` implements an HTTP Agent subclass that connects to + * the specified "HTTP(s) proxy server" in order to proxy HTTPS requests. + * + * Outgoing HTTP requests are first tunneled through the proxy server using the + * `CONNECT` HTTP request method to establish a connection to the proxy server, + * and then the proxy server connects to the destination target and issues the + * HTTP request from the proxy server. + * + * `https:` requests have their socket connection upgraded to TLS once + * the connection to the proxy server has been established. + * + * @api public + */ +class HttpsProxyAgent extends agent_base_1.Agent { + constructor(_opts) { + let opts; + if (typeof _opts === 'string') { + opts = url_1.default.parse(_opts); + } + else { + opts = _opts; + } + if (!opts) { + throw new Error('an HTTP(S) proxy server `host` and `port` must be specified!'); + } + debug('creating new HttpsProxyAgent instance: %o', opts); + super(opts); + const proxy = Object.assign({}, opts); + // If `true`, then connect to the proxy server over TLS. + // Defaults to `false`. + this.secureProxy = opts.secureProxy || isHTTPS(proxy.protocol); + // Prefer `hostname` over `host`, and set the `port` if needed. + proxy.host = proxy.hostname || proxy.host; + if (typeof proxy.port === 'string') { + proxy.port = parseInt(proxy.port, 10); + } + if (!proxy.port && proxy.host) { + proxy.port = this.secureProxy ? 443 : 80; + } + // ALPN is supported by Node.js >= v5. + // attempt to negotiate http/1.1 for proxy servers that support http/2 + if (this.secureProxy && !('ALPNProtocols' in proxy)) { + proxy.ALPNProtocols = ['http 1.1']; + } + if (proxy.host && proxy.path) { + // If both a `host` and `path` are specified then it's most likely + // the result of a `url.parse()` call... we need to remove the + // `path` portion so that `net.connect()` doesn't attempt to open + // that as a Unix socket file. + delete proxy.path; + delete proxy.pathname; + } + this.proxy = proxy; + } + /** + * Called when the node-core HTTP client library is creating a + * new HTTP request. + * + * @api protected + */ + callback(req, opts) { + return __awaiter(this, void 0, void 0, function* () { + const { proxy, secureProxy } = this; + // Create a socket connection to the proxy server. + let socket; + if (secureProxy) { + debug('Creating `tls.Socket`: %o', proxy); + socket = tls_1.default.connect(proxy); + } + else { + debug('Creating `net.Socket`: %o', proxy); + socket = net_1.default.connect(proxy); + } + const headers = Object.assign({}, proxy.headers); + const hostname = `${opts.host}:${opts.port}`; + let payload = `CONNECT ${hostname} HTTP/1.1\r\n`; + // Inject the `Proxy-Authorization` header if necessary. + if (proxy.auth) { + headers['Proxy-Authorization'] = `Basic ${Buffer.from(proxy.auth).toString('base64')}`; + } + // The `Host` header should only include the port + // number when it is not the default port. + let { host, port, secureEndpoint } = opts; + if (!isDefaultPort(port, secureEndpoint)) { + host += `:${port}`; + } + headers.Host = host; + headers.Connection = 'close'; + for (const name of Object.keys(headers)) { + payload += `${name}: ${headers[name]}\r\n`; + } + const proxyResponsePromise = parse_proxy_response_1.default(socket); + socket.write(`${payload}\r\n`); + const { statusCode, buffered } = yield proxyResponsePromise; + if (statusCode === 200) { + req.once('socket', resume); + if (opts.secureEndpoint) { + // The proxy is connecting to a TLS server, so upgrade + // this socket connection to a TLS connection. + debug('Upgrading socket connection to TLS'); + const servername = opts.servername || opts.host; + return tls_1.default.connect(Object.assign(Object.assign({}, omit(opts, 'host', 'hostname', 'path', 'port')), { socket, + servername })); + } + return socket; + } + // Some other status code that's not 200... need to re-play the HTTP + // header "data" events onto the socket once the HTTP machinery is + // attached so that the node core `http` can parse and handle the + // error status code. + // Close the original socket, and a new "fake" socket is returned + // instead, so that the proxy doesn't get the HTTP request + // written to it (which may contain `Authorization` headers or other + // sensitive data). + // + // See: https://hackerone.com/reports/541502 + socket.destroy(); + const fakeSocket = new net_1.default.Socket({ writable: false }); + fakeSocket.readable = true; + // Need to wait for the "socket" event to re-play the "data" events. + req.once('socket', (s) => { + debug('replaying proxy buffer for failed request'); + assert_1.default(s.listenerCount('data') > 0); + // Replay the "buffered" Buffer onto the fake `socket`, since at + // this point the HTTP module machinery has been hooked up for + // the user. + s.push(buffered); + s.push(null); + }); + return fakeSocket; + }); + } +} +exports["default"] = HttpsProxyAgent; +function resume(socket) { + socket.resume(); +} +function isDefaultPort(port, secure) { + return Boolean((!secure && port === 80) || (secure && port === 443)); +} +function isHTTPS(protocol) { + return typeof protocol === 'string' ? /^https:?$/i.test(protocol) : false; +} +function omit(obj, ...keys) { + const ret = {}; + let key; + for (key in obj) { + if (!keys.includes(key)) { + ret[key] = obj[key]; + } + } + return ret; +} +//# sourceMappingURL=agent.js.map + +/***/ }), + +/***/ 3669: +/***/ (function(module, __unused_webpack_exports, __nccwpck_require__) { + +"use strict"; + +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +const agent_1 = __importDefault(__nccwpck_require__(6904)); +function createHttpsProxyAgent(opts) { + return new agent_1.default(opts); +} +(function (createHttpsProxyAgent) { + createHttpsProxyAgent.HttpsProxyAgent = agent_1.default; + createHttpsProxyAgent.prototype = agent_1.default.prototype; +})(createHttpsProxyAgent || (createHttpsProxyAgent = {})); +module.exports = createHttpsProxyAgent; +//# sourceMappingURL=index.js.map + +/***/ }), + +/***/ 7943: +/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { + +"use strict"; + +var __importDefault = (this && this.__importDefault) || function (mod) { + return (mod && mod.__esModule) ? mod : { "default": mod }; +}; +Object.defineProperty(exports, "__esModule", ({ value: true })); +const debug_1 = __importDefault(__nccwpck_require__(2830)); +const debug = debug_1.default('https-proxy-agent:parse-proxy-response'); +function parseProxyResponse(socket) { + return new Promise((resolve, reject) => { + // we need to buffer any HTTP traffic that happens with the proxy before we get + // the CONNECT response, so that if the response is anything other than an "200" + // response code, then we can re-play the "data" events on the socket once the + // HTTP parser is hooked up... + let buffersLength = 0; + const buffers = []; + function read() { + const b = socket.read(); + if (b) + ondata(b); + else + socket.once('readable', read); + } + function cleanup() { + socket.removeListener('end', onend); + socket.removeListener('error', onerror); + socket.removeListener('close', onclose); + socket.removeListener('readable', read); + } + function onclose(err) { + debug('onclose had error %o', err); + } + function onend() { + debug('onend'); + } + function onerror(err) { + cleanup(); + debug('onerror %o', err); + reject(err); + } + function ondata(b) { + buffers.push(b); + buffersLength += b.length; + const buffered = Buffer.concat(buffers, buffersLength); + const endOfHeaders = buffered.indexOf('\r\n\r\n'); + if (endOfHeaders === -1) { + // keep buffering + debug('have not received end of HTTP headers yet...'); + read(); + return; + } + const firstLine = buffered.toString('ascii', 0, buffered.indexOf('\r\n')); + const statusCode = +firstLine.split(' ')[1]; + debug('got proxy server response: %o', firstLine); + resolve({ + statusCode, + buffered + }); + } + socket.on('error', onerror); + socket.on('close', onclose); + socket.on('end', onend); + read(); + }); +} +exports["default"] = parseProxyResponse; +//# sourceMappingURL=parse-proxy-response.js.map + /***/ }), /***/ 3176: @@ -38805,7 +39353,7 @@ const diff = (version1, version2) => { return prefix + 'patch' } - // high and low are preleases + // high and low are prereleases return 'prerelease' } @@ -39436,8 +39984,8 @@ createToken('MAINVERSIONLOOSE', `(${src[t.NUMERICIDENTIFIERLOOSE]})\\.` + // ## Pre-release Version Identifier // A numeric identifier, or a non-numeric identifier. -// Non-numberic identifiers include numberic identifiers but can be longer. -// Therefore non-numberic identifiers must go first. +// Non-numeric identifiers include numeric identifiers but can be longer. +// Therefore non-numeric identifiers must go first. createToken('PRERELEASEIDENTIFIER', `(?:${src[t.NONNUMERICIDENTIFIER] }|${src[t.NUMERICIDENTIFIER]})`) @@ -39959,7 +40507,7 @@ const compare = __nccwpck_require__(8469) // - If LT // - If LT.semver is greater than any < or <= comp in C, return false // - If LT is <=, and LT.semver does not satisfy every C, return false -// - If GT.semver has a prerelease, and not in prerelease mode +// - If LT.semver has a prerelease, and not in prerelease mode // - If no C has a prerelease and the LT.semver tuple, return false // - Else return true @@ -44885,16 +45433,18 @@ module.exports = require("zlib"); /***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { "use strict"; -/*! Axios v1.15.0 Copyright (c) 2026 Matt Zabriskie and contributors */ +/*! Axios v1.17.0 Copyright (c) 2026 Matt Zabriskie and contributors */ var FormData$1 = __nccwpck_require__(6454); var crypto = __nccwpck_require__(6982); var url = __nccwpck_require__(7016); +var HttpsProxyAgent = __nccwpck_require__(3669); var http = __nccwpck_require__(8611); var https = __nccwpck_require__(5692); var http2 = __nccwpck_require__(5675); var util = __nccwpck_require__(9023); +var path = __nccwpck_require__(6928); var followRedirects = __nccwpck_require__(1573); var zlib = __nccwpck_require__(3106); var stream = __nccwpck_require__(2203); @@ -45094,9 +45644,9 @@ const isFile = kindOfTest('File'); * also have a `name` and `type` attribute to specify filename and content type * * @see https://github.com/facebook/react-native/blob/26684cf3adf4094eb6c405d345a75bf8c7c0bf88/Libraries/Network/FormData.js#L68-L71 - * + * * @param {*} value The value to test - * + * * @returns {boolean} True if value is a React Native Blob, otherwise false */ const isReactNativeBlob = value => { @@ -45106,9 +45656,9 @@ const isReactNativeBlob = value => { /** * Determine if environment is React Native * ReactNative `FormData` has a non-standard `getParts()` method - * + * * @param {*} formData The formData to test - * + * * @returns {boolean} True if environment is React Native, otherwise false */ const isReactNative = formData => formData && typeof formData.getParts !== 'undefined'; @@ -45127,7 +45677,7 @@ const isBlob = kindOfTest('Blob'); * * @param {*} val The value to test * - * @returns {boolean} True if value is a File, otherwise false + * @returns {boolean} True if value is a FileList, otherwise false */ const isFileList = kindOfTest('FileList'); @@ -45157,10 +45707,16 @@ function getGlobal() { const G = getGlobal(); const FormDataCtor = typeof G.FormData !== 'undefined' ? G.FormData : undefined; const isFormData = thing => { - let kind; - return thing && (FormDataCtor && thing instanceof FormDataCtor || isFunction$1(thing.append) && ((kind = kindOf(thing)) === 'formdata' || + if (!thing) return false; + if (FormDataCtor && thing instanceof FormDataCtor) return true; + // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData. + const proto = getPrototypeOf(thing); + if (!proto || proto === Object.prototype) return false; + if (!isFunction$1(thing.append)) return false; + const kind = kindOf(thing); + return kind === 'formdata' || // detect form-data instance - kind === 'object' && isFunction$1(thing.toString) && thing.toString() === '[object FormData]')); + kind === 'object' && isFunction$1(thing.toString) && thing.toString() === '[object FormData]'; }; /** @@ -45285,8 +45841,7 @@ const isContextDefined = context => !isUndefined(context) && context !== _global * * @returns {Object} Result of all merge properties */ -function merge(/* obj1, obj2, obj3, ... */ -) { +function merge(...objs) { const { caseless, skipUndefined @@ -45297,9 +45852,16 @@ function merge(/* obj1, obj2, obj3, ... */ if (key === '__proto__' || key === 'constructor' || key === 'prototype') { return; } - const targetKey = caseless && findKey(result, key) || key; - if (isPlainObject(result[targetKey]) && isPlainObject(val)) { - result[targetKey] = merge(result[targetKey], val); + + // findKey lowercases the key, so caseless lookup only applies to strings — + // symbol keys are identity-matched. + const targetKey = caseless && typeof key === 'string' && findKey(result, key) || key; + // Read via own-prop only — a bare `result[targetKey]` walks the prototype + // chain, so a polluted Object.prototype value could surface here and get + // copied into the merged result. + const existing = hasOwnProperty(result, targetKey) ? result[targetKey] : undefined; + if (isPlainObject(existing) && isPlainObject(val)) { + result[targetKey] = merge(existing, val); } else if (isPlainObject(val)) { result[targetKey] = merge({}, val); } else if (isArray(val)) { @@ -45308,8 +45870,22 @@ function merge(/* obj1, obj2, obj3, ... */ result[targetKey] = val; } }; - for (let i = 0, l = arguments.length; i < l; i++) { - arguments[i] && forEach(arguments[i], assignValue); + for (let i = 0, l = objs.length; i < l; i++) { + const source = objs[i]; + if (!source || isBuffer(source)) { + continue; + } + forEach(source, assignValue); + if (typeof source !== 'object' || isArray(source)) { + continue; + } + const symbols = Object.getOwnPropertySymbols(source); + for (let j = 0; j < symbols.length; j++) { + const symbol = symbols[j]; + if (propertyIsEnumerable.call(source, symbol)) { + assignValue(source[symbol], symbol); + } + } } return result; } @@ -45331,6 +45907,9 @@ const extend = (a, b, thisArg, { forEach(b, (val, key) => { if (thisArg && isFunction$1(val)) { Object.defineProperty(a, key, { + // Null-proto descriptor so a polluted Object.prototype.get cannot + // hijack defineProperty's accessor-vs-data resolution. + __proto__: null, value: bind(val, thisArg), writable: true, enumerable: true, @@ -45338,6 +45917,7 @@ const extend = (a, b, thisArg, { }); } else { Object.defineProperty(a, key, { + __proto__: null, value: val, writable: true, enumerable: true, @@ -45376,12 +45956,14 @@ const stripBOM = content => { const inherits = (constructor, superConstructor, props, descriptors) => { constructor.prototype = Object.create(superConstructor.prototype, descriptors); Object.defineProperty(constructor.prototype, 'constructor', { + __proto__: null, value: constructor, writable: true, enumerable: false, configurable: true }); Object.defineProperty(constructor, 'super', { + __proto__: null, value: superConstructor.prototype }); props && Object.assign(constructor.prototype, props); @@ -45520,6 +46102,9 @@ const toCamelCase = str => { const hasOwnProperty = (({ hasOwnProperty }) => (obj, prop) => hasOwnProperty.call(obj, prop))(Object.prototype); +const { + propertyIsEnumerable +} = Object.prototype; /** * Determine if a value is a RegExp object @@ -45549,7 +46134,7 @@ const reduceDescriptors = (obj, reducer) => { const freezeMethods = obj => { reduceDescriptors(obj, (descriptor, name) => { // skip restricted props in strict mode - if (isFunction$1(obj) && ['arguments', 'caller', 'callee'].indexOf(name) !== -1) { + if (isFunction$1(obj) && ['arguments', 'caller', 'callee'].includes(name)) { return false; } const value = obj[name]; @@ -45608,10 +46193,10 @@ function isSpecCompliantForm(thing) { * @returns {Object} The JSON-compatible object. */ const toJSONObject = obj => { - const stack = new Array(10); - const visit = (source, i) => { + const visited = new WeakSet(); + const visit = source => { if (isObject(source)) { - if (stack.indexOf(source) >= 0) { + if (visited.has(source)) { return; } @@ -45620,19 +46205,20 @@ const toJSONObject = obj => { return source; } if (!('toJSON' in source)) { - stack[i] = source; + // add-on descent / delete-on-ascent: preserves path semantics, so DAG nodes serialise at every occurrence (see #7230). + visited.add(source); const target = isArray(source) ? [] : {}; forEach(source, (value, key) => { - const reducedValue = visit(value, i + 1); + const reducedValue = visit(value); !isUndefined(reducedValue) && (target[key] = reducedValue); }); - stack[i] = undefined; + visited.delete(source); return target; } } return source; }; - return visit(obj, 0); + return visit(obj); }; /** @@ -45756,6 +46342,382 @@ var utils$1 = { isIterable }; +// RawAxiosHeaders whose duplicates are ignored by node +// c.f. https://nodejs.org/api/http.html#http_message_headers +const ignoreDuplicateOf = utils$1.toObjectSet(['age', 'authorization', 'content-length', 'content-type', 'etag', 'expires', 'from', 'host', 'if-modified-since', 'if-unmodified-since', 'last-modified', 'location', 'max-forwards', 'proxy-authorization', 'referer', 'retry-after', 'user-agent']); + +/** + * Parse headers into an object + * + * ``` + * Date: Wed, 27 Aug 2014 08:58:49 GMT + * Content-Type: application/json + * Connection: keep-alive + * Transfer-Encoding: chunked + * ``` + * + * @param {String} rawHeaders Headers needing to be parsed + * + * @returns {Object} Headers parsed into an object + */ +var parseHeaders = rawHeaders => { + const parsed = {}; + let key; + let val; + let i; + rawHeaders && rawHeaders.split('\n').forEach(function parser(line) { + i = line.indexOf(':'); + key = line.substring(0, i).trim().toLowerCase(); + val = line.substring(i + 1).trim(); + if (!key || parsed[key] && ignoreDuplicateOf[key]) { + return; + } + if (key === 'set-cookie') { + if (parsed[key]) { + parsed[key].push(val); + } else { + parsed[key] = [val]; + } + } else { + parsed[key] = parsed[key] ? parsed[key] + ', ' + val : val; + } + }); + return parsed; +}; + +function trimSPorHTAB(str) { + let start = 0; + let end = str.length; + while (start < end) { + const code = str.charCodeAt(start); + if (code !== 0x09 && code !== 0x20) { + break; + } + start += 1; + } + while (end > start) { + const code = str.charCodeAt(end - 1); + if (code !== 0x09 && code !== 0x20) { + break; + } + end -= 1; + } + return start === 0 && end === str.length ? str : str.slice(start, end); +} + +// The control-code ranges are intentional: header sanitization strips C0/DEL bytes. +// eslint-disable-next-line no-control-regex +const INVALID_UNICODE_HEADER_VALUE_CHARS = new RegExp('[\\u0000-\\u0008\\u000a-\\u001f\\u007f]+', 'g'); +// eslint-disable-next-line no-control-regex +const INVALID_BYTE_STRING_HEADER_VALUE_CHARS = new RegExp('[^\\u0009\\u0020-\\u007e\\u0080-\\u00ff]+', 'g'); +function sanitizeValue(value, invalidChars) { + if (utils$1.isArray(value)) { + return value.map(item => sanitizeValue(item, invalidChars)); + } + return trimSPorHTAB(String(value).replace(invalidChars, '')); +} +const sanitizeHeaderValue = value => sanitizeValue(value, INVALID_UNICODE_HEADER_VALUE_CHARS); +const sanitizeByteStringHeaderValue = value => sanitizeValue(value, INVALID_BYTE_STRING_HEADER_VALUE_CHARS); +function toByteStringHeaderObject(headers) { + const byteStringHeaders = Object.create(null); + utils$1.forEach(headers.toJSON(), (value, header) => { + byteStringHeaders[header] = sanitizeByteStringHeaderValue(value); + }); + return byteStringHeaders; +} + +const $internals = Symbol('internals'); +function normalizeHeader(header) { + return header && String(header).trim().toLowerCase(); +} +function normalizeValue(value) { + if (value === false || value == null) { + return value; + } + return utils$1.isArray(value) ? value.map(normalizeValue) : sanitizeHeaderValue(String(value)); +} +function parseTokens(str) { + const tokens = Object.create(null); + const tokensRE = /([^\s,;=]+)\s*(?:=\s*([^,;]+))?/g; + let match; + while (match = tokensRE.exec(str)) { + tokens[match[1]] = match[2]; + } + return tokens; +} +const isValidHeaderName = str => /^[-_a-zA-Z0-9^`|~,!#$%&'*+.]+$/.test(str.trim()); +function matchHeaderValue(context, value, header, filter, isHeaderNameFilter) { + if (utils$1.isFunction(filter)) { + return filter.call(this, value, header); + } + if (isHeaderNameFilter) { + value = header; + } + if (!utils$1.isString(value)) return; + if (utils$1.isString(filter)) { + return value.indexOf(filter) !== -1; + } + if (utils$1.isRegExp(filter)) { + return filter.test(value); + } +} +function formatHeader(header) { + return header.trim().toLowerCase().replace(/([a-z\d])(\w*)/g, (w, char, str) => { + return char.toUpperCase() + str; + }); +} +function buildAccessors(obj, header) { + const accessorName = utils$1.toCamelCase(' ' + header); + ['get', 'set', 'has'].forEach(methodName => { + Object.defineProperty(obj, methodName + accessorName, { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, + value: function (arg1, arg2, arg3) { + return this[methodName].call(this, header, arg1, arg2, arg3); + }, + configurable: true + }); + }); +} +class AxiosHeaders { + constructor(headers) { + headers && this.set(headers); + } + set(header, valueOrRewrite, rewrite) { + const self = this; + function setHeader(_value, _header, _rewrite) { + const lHeader = normalizeHeader(_header); + if (!lHeader) { + return; + } + const key = utils$1.findKey(self, lHeader); + if (!key || self[key] === undefined || _rewrite === true || _rewrite === undefined && self[key] !== false) { + self[key || _header] = normalizeValue(_value); + } + } + const setHeaders = (headers, _rewrite) => utils$1.forEach(headers, (_value, _header) => setHeader(_value, _header, _rewrite)); + if (utils$1.isPlainObject(header) || header instanceof this.constructor) { + setHeaders(header, valueOrRewrite); + } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) { + setHeaders(parseHeaders(header), valueOrRewrite); + } else if (utils$1.isObject(header) && utils$1.isIterable(header)) { + let obj = {}, + dest, + key; + for (const entry of header) { + if (!utils$1.isArray(entry)) { + throw new TypeError('Object iterator must return a key-value pair'); + } + obj[key = entry[0]] = (dest = obj[key]) ? utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]] : entry[1]; + } + setHeaders(obj, valueOrRewrite); + } else { + header != null && setHeader(valueOrRewrite, header, rewrite); + } + return this; + } + get(header, parser) { + header = normalizeHeader(header); + if (header) { + const key = utils$1.findKey(this, header); + if (key) { + const value = this[key]; + if (!parser) { + return value; + } + if (parser === true) { + return parseTokens(value); + } + if (utils$1.isFunction(parser)) { + return parser.call(this, value, key); + } + if (utils$1.isRegExp(parser)) { + return parser.exec(value); + } + throw new TypeError('parser must be boolean|regexp|function'); + } + } + } + has(header, matcher) { + header = normalizeHeader(header); + if (header) { + const key = utils$1.findKey(this, header); + return !!(key && this[key] !== undefined && (!matcher || matchHeaderValue(this, this[key], key, matcher))); + } + return false; + } + delete(header, matcher) { + const self = this; + let deleted = false; + function deleteHeader(_header) { + _header = normalizeHeader(_header); + if (_header) { + const key = utils$1.findKey(self, _header); + if (key && (!matcher || matchHeaderValue(self, self[key], key, matcher))) { + delete self[key]; + deleted = true; + } + } + } + if (utils$1.isArray(header)) { + header.forEach(deleteHeader); + } else { + deleteHeader(header); + } + return deleted; + } + clear(matcher) { + const keys = Object.keys(this); + let i = keys.length; + let deleted = false; + while (i--) { + const key = keys[i]; + if (!matcher || matchHeaderValue(this, this[key], key, matcher, true)) { + delete this[key]; + deleted = true; + } + } + return deleted; + } + normalize(format) { + const self = this; + const headers = {}; + utils$1.forEach(this, (value, header) => { + const key = utils$1.findKey(headers, header); + if (key) { + self[key] = normalizeValue(value); + delete self[header]; + return; + } + const normalized = format ? formatHeader(header) : String(header).trim(); + if (normalized !== header) { + delete self[header]; + } + self[normalized] = normalizeValue(value); + headers[normalized] = true; + }); + return this; + } + concat(...targets) { + return this.constructor.concat(this, ...targets); + } + toJSON(asStrings) { + const obj = Object.create(null); + utils$1.forEach(this, (value, header) => { + value != null && value !== false && (obj[header] = asStrings && utils$1.isArray(value) ? value.join(', ') : value); + }); + return obj; + } + [Symbol.iterator]() { + return Object.entries(this.toJSON())[Symbol.iterator](); + } + toString() { + return Object.entries(this.toJSON()).map(([header, value]) => header + ': ' + value).join('\n'); + } + getSetCookie() { + return this.get('set-cookie') || []; + } + get [Symbol.toStringTag]() { + return 'AxiosHeaders'; + } + static from(thing) { + return thing instanceof this ? thing : new this(thing); + } + static concat(first, ...targets) { + const computed = new this(first); + targets.forEach(target => computed.set(target)); + return computed; + } + static accessor(header) { + const internals = this[$internals] = this[$internals] = { + accessors: {} + }; + const accessors = internals.accessors; + const prototype = this.prototype; + function defineAccessor(_header) { + const lHeader = normalizeHeader(_header); + if (!accessors[lHeader]) { + buildAccessors(prototype, _header); + accessors[lHeader] = true; + } + } + utils$1.isArray(header) ? header.forEach(defineAccessor) : defineAccessor(header); + return this; + } +} +AxiosHeaders.accessor(['Content-Type', 'Content-Length', 'Accept', 'Accept-Encoding', 'User-Agent', 'Authorization']); + +// reserved names hotfix +utils$1.reduceDescriptors(AxiosHeaders.prototype, ({ + value +}, key) => { + let mapped = key[0].toUpperCase() + key.slice(1); // map `set` => `Set` + return { + get: () => value, + set(headerValue) { + this[mapped] = headerValue; + } + }; +}); +utils$1.freezeMethods(AxiosHeaders); + +const REDACTED = '[REDACTED ****]'; +function hasOwnOrPrototypeToJSON(source) { + if (utils$1.hasOwnProp(source, 'toJSON')) { + return true; + } + let prototype = Object.getPrototypeOf(source); + while (prototype && prototype !== Object.prototype) { + if (utils$1.hasOwnProp(prototype, 'toJSON')) { + return true; + } + prototype = Object.getPrototypeOf(prototype); + } + return false; +} + +// Build a plain-object snapshot of `config` and replace the value of any key +// (case-insensitive) listed in `redactKeys` with REDACTED. Walks through arrays +// and AxiosHeaders, and short-circuits on circular references. +function redactConfig(config, redactKeys) { + const lowerKeys = new Set(redactKeys.map(k => String(k).toLowerCase())); + const seen = []; + const visit = source => { + if (source === null || typeof source !== 'object') return source; + if (utils$1.isBuffer(source)) return source; + if (seen.indexOf(source) !== -1) return undefined; + if (source instanceof AxiosHeaders) { + source = source.toJSON(); + } + seen.push(source); + let result; + if (utils$1.isArray(source)) { + result = []; + source.forEach((v, i) => { + const reducedValue = visit(v); + if (!utils$1.isUndefined(reducedValue)) { + result[i] = reducedValue; + } + }); + } else { + if (!utils$1.isPlainObject(source) && hasOwnOrPrototypeToJSON(source)) { + seen.pop(); + return source; + } + result = Object.create(null); + for (const [key, value] of Object.entries(source)) { + const reducedValue = lowerKeys.has(key.toLowerCase()) ? REDACTED : visit(value); + if (!utils$1.isUndefined(reducedValue)) { + result[key] = reducedValue; + } + } + } + seen.pop(); + return result; + }; + return visit(config); +} class AxiosError extends Error { static from(error, code, config, request, response, customProps) { const axiosError = new AxiosError(error.message, code || error.code, config, request, response); @@ -45788,6 +46750,9 @@ class AxiosError extends Error { // The native Error constructor sets message as non-enumerable, // but axios < v1.13.3 had it as enumerable Object.defineProperty(this, 'message', { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, value: message, enumerable: true, writable: true, @@ -45804,6 +46769,13 @@ class AxiosError extends Error { } } toJSON() { + // Opt-in redaction: when the request config carries a `redact` array, the + // value of any matching key (case-insensitive, at any depth) is replaced + // with REDACTED in the serialized snapshot. Undefined or empty leaves the + // existing serialization behavior unchanged. + const config = this.config; + const redactKeys = config && utils$1.hasOwnProp(config, 'redact') ? config.redact : undefined; + const serializedConfig = utils$1.isArray(redactKeys) && redactKeys.length > 0 ? redactConfig(config, redactKeys) : utils$1.toJSONObject(config); return { // Standard message: this.message, @@ -45817,7 +46789,7 @@ class AxiosError extends Error { columnNumber: this.columnNumber, stack: this.stack, // Axios - config: utils$1.toJSONObject(this.config), + config: serializedConfig, code: this.code, status: this.status }; @@ -45829,6 +46801,7 @@ AxiosError.ERR_BAD_OPTION_VALUE = 'ERR_BAD_OPTION_VALUE'; AxiosError.ERR_BAD_OPTION = 'ERR_BAD_OPTION'; AxiosError.ECONNABORTED = 'ECONNABORTED'; AxiosError.ETIMEDOUT = 'ETIMEDOUT'; +AxiosError.ECONNREFUSED = 'ECONNREFUSED'; AxiosError.ERR_NETWORK = 'ERR_NETWORK'; AxiosError.ERR_FR_TOO_MANY_REDIRECTS = 'ERR_FR_TOO_MANY_REDIRECTS'; AxiosError.ERR_DEPRECATED = 'ERR_DEPRECATED'; @@ -45837,6 +46810,7 @@ AxiosError.ERR_BAD_REQUEST = 'ERR_BAD_REQUEST'; AxiosError.ERR_CANCELED = 'ERR_CANCELED'; AxiosError.ERR_NOT_SUPPORT = 'ERR_NOT_SUPPORT'; AxiosError.ERR_INVALID_URL = 'ERR_INVALID_URL'; +AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED'; /** * Determines if the given thing is a array or js object. @@ -45938,6 +46912,7 @@ function toFormData(obj, formData, options) { const dots = options.dots; const indexes = options.indexes; const _Blob = options.Blob || typeof Blob !== 'undefined' && Blob; + const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth; const useBlob = _Blob && utils$1.isSpecCompliantForm(formData); if (!utils$1.isFunction(visitor)) { throw new TypeError('visitor must be a function'); @@ -46004,16 +46979,19 @@ function toFormData(obj, formData, options) { convertValue, isVisitable }); - function build(value, path) { + function build(value, path, depth = 0) { if (utils$1.isUndefined(value)) return; + if (depth > maxDepth) { + throw new AxiosError('Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED); + } if (stack.indexOf(value) !== -1) { - throw Error('Circular reference detected in ' + path.join('.')); + throw new Error('Circular reference detected in ' + path.join('.')); } stack.push(value); utils$1.forEach(value, function each(el, key) { const result = !(utils$1.isUndefined(el) || el === null) && visitor.call(formData, el, utils$1.isString(key) ? key.trim() : key, path, exposedHelpers); if (result === true) { - build(el, path ? path.concat(key) : [key]); + build(el, path ? path.concat(key) : [key], depth + 1); } }); stack.pop(); @@ -46040,10 +47018,9 @@ function encode$1(str) { '(': '%28', ')': '%29', '~': '%7E', - '%20': '+', - '%00': '\x00' + '%20': '+' }; - return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, function replacer(match) { + return encodeURIComponent(str).replace(/[!'()~]|%20/g, function replacer(match) { return charMap[match]; }); } @@ -46190,7 +47167,8 @@ var transitionalDefaults = { silentJSONParsing: true, forcedJSONParsing: true, clarifyTimeoutError: false, - legacyInterceptorReqResOrdering: true + legacyInterceptorReqResOrdering: true, + advertiseZstdAcceptEncoding: false }; var URLSearchParams = url.URLSearchParams; @@ -46344,13 +47322,13 @@ function formDataToJSON(formData) { name = !name && utils$1.isArray(target) ? target.length : name; if (isLast) { if (utils$1.hasOwnProp(target, name)) { - target[name] = [target[name], value]; + target[name] = utils$1.isArray(target[name]) ? target[name].concat(value) : [target[name], value]; } else { target[name] = value; } return !isNumericKey; } - if (!target[name] || !utils$1.isObject(target[name])) { + if (!utils$1.hasOwnProp(target, name) || !utils$1.isObject(target[name])) { target[name] = []; } const result = buildPath(path, value, target[name], index); @@ -46369,6 +47347,8 @@ function formDataToJSON(formData) { return null; } +const own = (obj, key) => obj != null && utils$1.hasOwnProp(obj, key) ? obj[key] : undefined; + /** * It takes a string, tries to parse it, and if it fails, it returns the stringified version * of the input @@ -46418,14 +47398,16 @@ const defaults = { } let isFileList; if (isObjectPayload) { + const formSerializer = own(this, 'formSerializer'); if (contentType.indexOf('application/x-www-form-urlencoded') > -1) { - return toURLEncodedForm(data, this.formSerializer).toString(); + return toURLEncodedForm(data, formSerializer).toString(); } if ((isFileList = utils$1.isFileList(data)) || contentType.indexOf('multipart/form-data') > -1) { - const _FormData = this.env && this.env.FormData; + const env = own(this, 'env'); + const _FormData = env && env.FormData; return toFormData(isFileList ? { 'files[]': data - } : data, _FormData && new _FormData(), this.formSerializer); + } : data, _FormData && new _FormData(), formSerializer); } } if (isObjectPayload || hasJSONContentType) { @@ -46435,21 +47417,22 @@ const defaults = { return data; }], transformResponse: [function transformResponse(data) { - const transitional = this.transitional || defaults.transitional; + const transitional = own(this, 'transitional') || defaults.transitional; const forcedJSONParsing = transitional && transitional.forcedJSONParsing; - const JSONRequested = this.responseType === 'json'; + const responseType = own(this, 'responseType'); + const JSONRequested = responseType === 'json'; if (utils$1.isResponse(data) || utils$1.isReadableStream(data)) { return data; } - if (data && utils$1.isString(data) && (forcedJSONParsing && !this.responseType || JSONRequested)) { + if (data && utils$1.isString(data) && (forcedJSONParsing && !responseType || JSONRequested)) { const silentJSONParsing = transitional && transitional.silentJSONParsing; const strictJSONParsing = !silentJSONParsing && JSONRequested; try { - return JSON.parse(data, this.parseReviver); + return JSON.parse(data, own(this, 'parseReviver')); } catch (e) { if (strictJSONParsing) { if (e.name === 'SyntaxError') { - throw AxiosError.from(e, AxiosError.ERR_BAD_RESPONSE, this, null, this.response); + throw AxiosError.from(e, AxiosError.ERR_BAD_RESPONSE, this, null, own(this, 'response')); } throw e; } @@ -46480,311 +47463,10 @@ const defaults = { } } }; -utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch'], method => { +utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'query'], method => { defaults.headers[method] = {}; }); -// RawAxiosHeaders whose duplicates are ignored by node -// c.f. https://nodejs.org/api/http.html#http_message_headers -const ignoreDuplicateOf = utils$1.toObjectSet(['age', 'authorization', 'content-length', 'content-type', 'etag', 'expires', 'from', 'host', 'if-modified-since', 'if-unmodified-since', 'last-modified', 'location', 'max-forwards', 'proxy-authorization', 'referer', 'retry-after', 'user-agent']); - -/** - * Parse headers into an object - * - * ``` - * Date: Wed, 27 Aug 2014 08:58:49 GMT - * Content-Type: application/json - * Connection: keep-alive - * Transfer-Encoding: chunked - * ``` - * - * @param {String} rawHeaders Headers needing to be parsed - * - * @returns {Object} Headers parsed into an object - */ -var parseHeaders = rawHeaders => { - const parsed = {}; - let key; - let val; - let i; - rawHeaders && rawHeaders.split('\n').forEach(function parser(line) { - i = line.indexOf(':'); - key = line.substring(0, i).trim().toLowerCase(); - val = line.substring(i + 1).trim(); - if (!key || parsed[key] && ignoreDuplicateOf[key]) { - return; - } - if (key === 'set-cookie') { - if (parsed[key]) { - parsed[key].push(val); - } else { - parsed[key] = [val]; - } - } else { - parsed[key] = parsed[key] ? parsed[key] + ', ' + val : val; - } - }); - return parsed; -}; - -const $internals = Symbol('internals'); -const isValidHeaderValue = value => !/[\r\n]/.test(value); -function assertValidHeaderValue(value, header) { - if (value === false || value == null) { - return; - } - if (utils$1.isArray(value)) { - value.forEach(v => assertValidHeaderValue(v, header)); - return; - } - if (!isValidHeaderValue(String(value))) { - throw new Error(`Invalid character in header content ["${header}"]`); - } -} -function normalizeHeader(header) { - return header && String(header).trim().toLowerCase(); -} -function stripTrailingCRLF(str) { - let end = str.length; - while (end > 0) { - const charCode = str.charCodeAt(end - 1); - if (charCode !== 10 && charCode !== 13) { - break; - } - end -= 1; - } - return end === str.length ? str : str.slice(0, end); -} -function normalizeValue(value) { - if (value === false || value == null) { - return value; - } - return utils$1.isArray(value) ? value.map(normalizeValue) : stripTrailingCRLF(String(value)); -} -function parseTokens(str) { - const tokens = Object.create(null); - const tokensRE = /([^\s,;=]+)\s*(?:=\s*([^,;]+))?/g; - let match; - while (match = tokensRE.exec(str)) { - tokens[match[1]] = match[2]; - } - return tokens; -} -const isValidHeaderName = str => /^[-_a-zA-Z0-9^`|~,!#$%&'*+.]+$/.test(str.trim()); -function matchHeaderValue(context, value, header, filter, isHeaderNameFilter) { - if (utils$1.isFunction(filter)) { - return filter.call(this, value, header); - } - if (isHeaderNameFilter) { - value = header; - } - if (!utils$1.isString(value)) return; - if (utils$1.isString(filter)) { - return value.indexOf(filter) !== -1; - } - if (utils$1.isRegExp(filter)) { - return filter.test(value); - } -} -function formatHeader(header) { - return header.trim().toLowerCase().replace(/([a-z\d])(\w*)/g, (w, char, str) => { - return char.toUpperCase() + str; - }); -} -function buildAccessors(obj, header) { - const accessorName = utils$1.toCamelCase(' ' + header); - ['get', 'set', 'has'].forEach(methodName => { - Object.defineProperty(obj, methodName + accessorName, { - value: function (arg1, arg2, arg3) { - return this[methodName].call(this, header, arg1, arg2, arg3); - }, - configurable: true - }); - }); -} -class AxiosHeaders { - constructor(headers) { - headers && this.set(headers); - } - set(header, valueOrRewrite, rewrite) { - const self = this; - function setHeader(_value, _header, _rewrite) { - const lHeader = normalizeHeader(_header); - if (!lHeader) { - throw new Error('header name must be a non-empty string'); - } - const key = utils$1.findKey(self, lHeader); - if (!key || self[key] === undefined || _rewrite === true || _rewrite === undefined && self[key] !== false) { - assertValidHeaderValue(_value, _header); - self[key || _header] = normalizeValue(_value); - } - } - const setHeaders = (headers, _rewrite) => utils$1.forEach(headers, (_value, _header) => setHeader(_value, _header, _rewrite)); - if (utils$1.isPlainObject(header) || header instanceof this.constructor) { - setHeaders(header, valueOrRewrite); - } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) { - setHeaders(parseHeaders(header), valueOrRewrite); - } else if (utils$1.isObject(header) && utils$1.isIterable(header)) { - let obj = {}, - dest, - key; - for (const entry of header) { - if (!utils$1.isArray(entry)) { - throw TypeError('Object iterator must return a key-value pair'); - } - obj[key = entry[0]] = (dest = obj[key]) ? utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]] : entry[1]; - } - setHeaders(obj, valueOrRewrite); - } else { - header != null && setHeader(valueOrRewrite, header, rewrite); - } - return this; - } - get(header, parser) { - header = normalizeHeader(header); - if (header) { - const key = utils$1.findKey(this, header); - if (key) { - const value = this[key]; - if (!parser) { - return value; - } - if (parser === true) { - return parseTokens(value); - } - if (utils$1.isFunction(parser)) { - return parser.call(this, value, key); - } - if (utils$1.isRegExp(parser)) { - return parser.exec(value); - } - throw new TypeError('parser must be boolean|regexp|function'); - } - } - } - has(header, matcher) { - header = normalizeHeader(header); - if (header) { - const key = utils$1.findKey(this, header); - return !!(key && this[key] !== undefined && (!matcher || matchHeaderValue(this, this[key], key, matcher))); - } - return false; - } - delete(header, matcher) { - const self = this; - let deleted = false; - function deleteHeader(_header) { - _header = normalizeHeader(_header); - if (_header) { - const key = utils$1.findKey(self, _header); - if (key && (!matcher || matchHeaderValue(self, self[key], key, matcher))) { - delete self[key]; - deleted = true; - } - } - } - if (utils$1.isArray(header)) { - header.forEach(deleteHeader); - } else { - deleteHeader(header); - } - return deleted; - } - clear(matcher) { - const keys = Object.keys(this); - let i = keys.length; - let deleted = false; - while (i--) { - const key = keys[i]; - if (!matcher || matchHeaderValue(this, this[key], key, matcher, true)) { - delete this[key]; - deleted = true; - } - } - return deleted; - } - normalize(format) { - const self = this; - const headers = {}; - utils$1.forEach(this, (value, header) => { - const key = utils$1.findKey(headers, header); - if (key) { - self[key] = normalizeValue(value); - delete self[header]; - return; - } - const normalized = format ? formatHeader(header) : String(header).trim(); - if (normalized !== header) { - delete self[header]; - } - self[normalized] = normalizeValue(value); - headers[normalized] = true; - }); - return this; - } - concat(...targets) { - return this.constructor.concat(this, ...targets); - } - toJSON(asStrings) { - const obj = Object.create(null); - utils$1.forEach(this, (value, header) => { - value != null && value !== false && (obj[header] = asStrings && utils$1.isArray(value) ? value.join(', ') : value); - }); - return obj; - } - [Symbol.iterator]() { - return Object.entries(this.toJSON())[Symbol.iterator](); - } - toString() { - return Object.entries(this.toJSON()).map(([header, value]) => header + ': ' + value).join('\n'); - } - getSetCookie() { - return this.get('set-cookie') || []; - } - get [Symbol.toStringTag]() { - return 'AxiosHeaders'; - } - static from(thing) { - return thing instanceof this ? thing : new this(thing); - } - static concat(first, ...targets) { - const computed = new this(first); - targets.forEach(target => computed.set(target)); - return computed; - } - static accessor(header) { - const internals = this[$internals] = this[$internals] = { - accessors: {} - }; - const accessors = internals.accessors; - const prototype = this.prototype; - function defineAccessor(_header) { - const lHeader = normalizeHeader(_header); - if (!accessors[lHeader]) { - buildAccessors(prototype, _header); - accessors[lHeader] = true; - } - } - utils$1.isArray(header) ? header.forEach(defineAccessor) : defineAccessor(header); - return this; - } -} -AxiosHeaders.accessor(['Content-Type', 'Content-Length', 'Accept', 'Accept-Encoding', 'User-Agent', 'Authorization']); - -// reserved names hotfix -utils$1.reduceDescriptors(AxiosHeaders.prototype, ({ - value -}, key) => { - let mapped = key[0].toUpperCase() + key.slice(1); // map `set` => `Set` - return { - get: () => value, - set(headerValue) { - this[mapped] = headerValue; - } - }; -}); -utils$1.freezeMethods(AxiosHeaders); - /** * Transform the data for a request or a response * @@ -46840,7 +47522,7 @@ function settle(resolve, reject, response) { if (!response.status || !validateStatus || validateStatus(response.status)) { resolve(response); } else { - reject(new AxiosError('Request failed with status code ' + response.status, [AxiosError.ERR_BAD_REQUEST, AxiosError.ERR_BAD_RESPONSE][Math.floor(response.status / 100) - 4], response.config, response.request, response)); + reject(new AxiosError('Request failed with status code ' + response.status, response.status >= 400 && response.status < 500 ? AxiosError.ERR_BAD_REQUEST : AxiosError.ERR_BAD_RESPONSE, response.config, response.request, response)); } } @@ -46885,7 +47567,7 @@ function combineURLs(baseURL, relativeURL) { */ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) { let isRelativeUrl = !isAbsoluteURL(requestedURL); - if (baseURL && (isRelativeUrl || allowAbsoluteUrls == false)) { + if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) { return combineURLs(baseURL, requestedURL); } return requestedURL; @@ -46987,14 +47669,16 @@ function getEnv(key) { return process.env[key.toLowerCase()] || process.env[key.toUpperCase()] || ''; } -const VERSION = "1.15.0"; +const VERSION = "1.17.0"; function parseProtocol(url) { - const match = /^([-+\w]{1,25})(:?\/\/|:)/.exec(url); + const match = /^([-+\w]{1,25}):(?:\/\/)?/.exec(url); return match && match[1] || ''; } -const DATA_URL_PATTERN = /^(?:([^;]+);)?(?:[^;]+;)?(base64|),([\s\S]*)$/; +// RFC 2397: data:[][;base64], +// mediatype = type/subtype followed by optional ;name=value parameters +const DATA_URL_PATTERN = /^([^,;]+\/[^,;]+)?((?:;[^,;=]+=[^,;]+)*)(;base64)?,([\s\S]*)$/; /** * Parse data uri to a Buffer or Blob @@ -47018,10 +47702,20 @@ function fromDataURI(uri, asBlob, options) { if (!match) { throw new AxiosError('Invalid URL', AxiosError.ERR_INVALID_URL); } - const mime = match[1]; - const isBase64 = match[2]; - const body = match[3]; - const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8'); + const type = match[1]; + const params = match[2]; + const encoding = match[3] ? 'base64' : 'utf8'; + const body = match[4]; + + // RFC 2397 section 3: default mediatype is text/plain;charset=US-ASCII + // Bare `data:,` leaves mime undefined; Blob normalises that to "" per spec. + let mime; + if (type) { + mime = params ? type + params : type; + } else if (params) { + mime = 'text/plain' + params; + } + const buffer = Buffer.from(decodeURIComponent(body), encoding); if (asBlob) { if (!_Blob) { throw new AxiosError('Blob is not supported', AxiosError.ERR_NOT_SUPPORT); @@ -47178,7 +47872,8 @@ class FormDataPart { if (isStringValue) { value = textEncoder.encode(String(value).replace(/\r?\n|\r\n?/g, CRLF)); } else { - headers += `Content-Type: ${value.type || 'application/octet-stream'}${CRLF}`; + const safeType = String(value.type || 'application/octet-stream').replace(/[\r\n]/g, ''); + headers += `Content-Type: ${safeType}${CRLF}`; } this.headers = textEncoder.encode(headers + CRLF); this.contentLength = isStringValue ? value.byteLength : value.size; @@ -47213,10 +47908,10 @@ const formDataToStream = (form, headersHandler, options) => { boundary = tag + '-' + platform.generateString(size, BOUNDARY_ALPHABET) } = options || {}; if (!utils$1.isFormData(form)) { - throw TypeError('FormData instance required'); + throw new TypeError('FormData instance required'); } if (boundary.length < 1 || boundary.length > 70) { - throw Error('boundary must be 10-70 characters long'); + throw new Error('boundary must be 1-70 characters long'); } const boundaryBytes = textEncoder.encode('--' + boundary + CRLF); const footerBytes = textEncoder.encode('--' + boundary + '--' + CRLF); @@ -47266,6 +47961,84 @@ class ZlibHeaderTransformStream extends stream.Transform { } } +class Http2Sessions { + constructor() { + this.sessions = Object.create(null); + } + getSession(authority, options) { + options = Object.assign({ + sessionTimeout: 1000 + }, options); + let authoritySessions = this.sessions[authority]; + if (authoritySessions) { + let len = authoritySessions.length; + for (let i = 0; i < len; i++) { + const [sessionHandle, sessionOptions] = authoritySessions[i]; + if (!sessionHandle.destroyed && !sessionHandle.closed && util.isDeepStrictEqual(sessionOptions, options)) { + return sessionHandle; + } + } + } + const session = http2.connect(authority, options); + let removed; + let timer; + const removeSession = () => { + if (removed) { + return; + } + removed = true; + if (timer) { + clearTimeout(timer); + timer = null; + } + let entries = authoritySessions, + len = entries.length, + i = len; + while (i--) { + if (entries[i][0] === session) { + if (len === 1) { + delete this.sessions[authority]; + } else { + entries.splice(i, 1); + } + if (!session.closed) { + session.close(); + } + return; + } + } + }; + const originalRequestFn = session.request; + const { + sessionTimeout + } = options; + if (sessionTimeout != null) { + let streamsCount = 0; + session.request = function () { + const stream = originalRequestFn.apply(this, arguments); + streamsCount++; + if (timer) { + clearTimeout(timer); + timer = null; + } + stream.once('close', () => { + if (! --streamsCount) { + timer = setTimeout(() => { + timer = null; + removeSession(); + }, sessionTimeout); + } + }); + return stream; + }; + } + session.once('close', removeSession); + let entry = [session, options]; + authoritySessions ? authoritySessions.push(entry) : authoritySessions = this.sessions[authority] = [entry]; + return session; + } +} + const callbackify = (fn, reducer) => { return utils$1.isAsyncFn(fn) ? function (...args) { const cb = args.pop(); @@ -47279,6 +48052,47 @@ const callbackify = (fn, reducer) => { } : fn; }; +const LOOPBACK_HOSTNAMES = new Set(['localhost']); +const isIPv4Loopback = host => { + const parts = host.split('.'); + if (parts.length !== 4) return false; + if (parts[0] !== '127') return false; + return parts.every(p => /^\d+$/.test(p) && Number(p) >= 0 && Number(p) <= 255); +}; +const isIPv6Loopback = host => { + // Collapse all-zero groups: any form of ::1 / 0:0:...:0:1 + // First, strip any leading "::" by normalising with Set lookup of common forms, + // then fall back to structural check. + if (host === '::1') return true; + + // Check IPv4-mapped IPv6 loopback: ::ffff: or ::ffff: + // Node's URL parser normalises ::ffff:127.0.0.1 → ::ffff:7f00:1 + const v4MappedDotted = host.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i); + if (v4MappedDotted) return isIPv4Loopback(v4MappedDotted[1]); + const v4MappedHex = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i); + if (v4MappedHex) { + const high = parseInt(v4MappedHex[1], 16); + // High 16 bits must start with 127 (0x7f) — i.e. 0x7f00..0x7fff + return high >= 0x7f00 && high <= 0x7fff; + } + + // Full-form ::1 variants: any number of zero groups followed by trailing 1 + // e.g. 0:0:0:0:0:0:0:1, 0000:...:0001 + const groups = host.split(':'); + if (groups.length === 8) { + for (let i = 0; i < 7; i++) { + if (!/^0+$/.test(groups[i])) return false; + } + return /^0*1$/.test(groups[7]); + } + return false; +}; +const isLoopback = host => { + if (!host) return false; + if (LOOPBACK_HOSTNAMES.has(host)) return true; + if (isIPv4Loopback(host)) return true; + return isIPv6Loopback(host); +}; const DEFAULT_PORTS = { http: 80, https: 443, @@ -47308,6 +48122,27 @@ const parseNoProxyEntry = entry => { } return [entryHost, entryPort]; }; + +// Convert IPv4-mapped IPv6 (::ffff:0:0/96 prefix) to IPv4 dotted form so both +// sides of a NO_PROXY comparison see the same canonical address. Without this, +// `NO_PROXY=192.168.1.5` would not match a request to `http://[::ffff:192.168.1.5]/` +// (Node's URL parser normalises that to `[::ffff:c0a8:105]`), and vice-versa, +// allowing the proxy-bypass policy to be circumvented by using the alternate +// representation. Returns the input unchanged when not IPv4-mapped. +const IPV4_MAPPED_DOTTED_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:(\d+\.\d+\.\d+\.\d+)$/i; +const IPV4_MAPPED_HEX_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i; +const unmapIPv4MappedIPv6 = host => { + if (typeof host !== 'string' || host.indexOf(':') === -1) return host; + const dotted = host.match(IPV4_MAPPED_DOTTED_RE); + if (dotted) return dotted[1]; + const hex = host.match(IPV4_MAPPED_HEX_RE); + if (hex) { + const high = parseInt(hex[1], 16); + const low = parseInt(hex[2], 16); + return `${high >> 8}.${high & 0xff}.${low >> 8}.${low & 0xff}`; + } + return host; +}; const normalizeNoProxyHost = hostname => { if (!hostname) { return hostname; @@ -47315,7 +48150,7 @@ const normalizeNoProxyHost = hostname => { if (hostname.charAt(0) === '[' && hostname.charAt(hostname.length - 1) === ']') { hostname = hostname.slice(1, -1); } - return hostname.replace(/\.+$/, ''); + return unmapIPv4MappedIPv6(hostname.replace(/\.+$/, '')); }; function shouldBypassProxy(location) { let parsed; @@ -47351,7 +48186,7 @@ function shouldBypassProxy(location) { if (entryHost.charAt(0) === '.') { return hostname.endsWith(entryHost); } - return hostname === entryHost; + return hostname === entryHost || isLoopback(hostname) && isLoopback(entryHost); }); } @@ -47438,19 +48273,22 @@ const progressEventReducer = (listener, isDownloadStream, freq = 3) => { let bytesNotified = 0; const _speedometer = speedometer(50, 250); return throttle(e => { - const loaded = e.loaded; + if (!e || typeof e.loaded !== 'number') { + return; + } + const rawLoaded = e.loaded; const total = e.lengthComputable ? e.total : undefined; - const progressBytes = loaded - bytesNotified; + const loaded = total != null ? Math.min(rawLoaded, total) : rawLoaded; + const progressBytes = Math.max(0, loaded - bytesNotified); const rate = _speedometer(progressBytes); - const inRange = loaded <= total; - bytesNotified = loaded; + bytesNotified = Math.max(bytesNotified, loaded); const data = { loaded, total, progress: total ? loaded / total : undefined, bytes: progressBytes, rate: rate ? rate : undefined, - estimated: rate && total && inRange ? (total - loaded) / rate : undefined, + estimated: rate && total ? (total - loaded) / rate : undefined, event: e, lengthComputable: total != null, [isDownloadStream ? 'download' : 'upload']: true @@ -47528,7 +48366,34 @@ function estimateDataURLDecodedBytes(url) { const bytes = groups * 3 - (pad || 0); return bytes > 0 ? bytes : 0; } - return Buffer.byteLength(body, 'utf8'); + if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') { + return Buffer.byteLength(body, 'utf8'); + } + + // Compute UTF-8 byte length directly from UTF-16 code units without allocating + // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies). + // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit + // but 3 UTF-8 bytes). + let bytes = 0; + for (let i = 0, len = body.length; i < len; i++) { + const c = body.charCodeAt(i); + if (c < 0x80) { + bytes += 1; + } else if (c < 0x800) { + bytes += 2; + } else if (c >= 0xd800 && c <= 0xdbff && i + 1 < len) { + const next = body.charCodeAt(i + 1); + if (next >= 0xdc00 && next <= 0xdfff) { + bytes += 4; + i++; + } else { + bytes += 3; + } + } else { + bytes += 3; + } + } + return bytes; } const zlibOptions = { @@ -47539,108 +48404,119 @@ const brotliOptions = { flush: zlib.constants.BROTLI_OPERATION_FLUSH, finishFlush: zlib.constants.BROTLI_OPERATION_FLUSH }; +const zstdOptions = { + flush: zlib.constants.ZSTD_e_flush, + finishFlush: zlib.constants.ZSTD_e_flush +}; const isBrotliSupported = utils$1.isFunction(zlib.createBrotliDecompress); +const isZstdSupported = utils$1.isFunction(zlib.createZstdDecompress); +const ACCEPT_ENCODING = 'gzip, compress, deflate' + (isBrotliSupported ? ', br' : ''); +const ACCEPT_ENCODING_WITH_ZSTD = ACCEPT_ENCODING + (isZstdSupported ? ', zstd' : ''); const { http: httpFollow, https: httpsFollow } = followRedirects; const isHttps = /https:?/; +const FORM_DATA_CONTENT_HEADERS$1 = ['content-type', 'content-length']; +function setFormDataHeaders$1(headers, formHeaders, policy) { + if (policy !== 'content-only') { + headers.set(formHeaders); + return; + } + Object.entries(formHeaders).forEach(([key, val]) => { + if (FORM_DATA_CONTENT_HEADERS$1.includes(key.toLowerCase())) { + headers.set(key, val); + } + }); +} + +// Symbols used to bind a single 'error' listener to a pooled socket and track +// the request currently owning that socket across keep-alive reuse (issue #10780). +const kAxiosSocketListener = Symbol('axios.http.socketListener'); +const kAxiosCurrentReq = Symbol('axios.http.currentReq'); + +// Tags HttpsProxyAgent instances installed by setProxy() so the redirect path +// can strip them without clobbering a user-supplied agent that happens to be +// an HttpsProxyAgent. +const kAxiosInstalledTunnel = Symbol('axios.http.installedTunnel'); + +// Cache of CONNECT-tunneling agents keyed by proxy config so repeat requests +// through the same proxy reuse a single agent (and its socket pool). The +// keyspace is bounded by the set of distinct proxy configs the process uses, +// so unbounded growth is not a concern in practice. +const tunnelingAgentCache = new Map(); +const tunnelingAgentCacheUser = new WeakMap(); +function getTunnelingAgent(agentOptions, userHttpsAgent) { + const key = agentOptions.protocol + '//' + agentOptions.hostname + ':' + (agentOptions.port || '') + '#' + (agentOptions.auth || ''); + const cache = userHttpsAgent ? tunnelingAgentCacheUser.get(userHttpsAgent) || tunnelingAgentCacheUser.set(userHttpsAgent, new Map()).get(userHttpsAgent) : tunnelingAgentCache; + let agent = cache.get(key); + if (agent) return agent; + // Forward the user's TLS options (custom CA, rejectUnauthorized, client cert, + // etc.) into the tunneling agent so they apply to the origin TLS upgrade + // performed after CONNECT. Our proxy fields take precedence on conflict. + const merged = userHttpsAgent && userHttpsAgent.options ? { + ...userHttpsAgent.options, + ...agentOptions + } : agentOptions; + agent = new HttpsProxyAgent(merged); + if (userHttpsAgent && userHttpsAgent.options) { + const originTLSOptions = { + ...userHttpsAgent.options + }; + const callback = agent.callback; + agent.callback = function axiosTunnelingAgentCallback(req, opts) { + // HttpsProxyAgent v5 reads callback opts for the post-CONNECT origin TLS upgrade. + return callback.call(this, req, { + ...originTLSOptions, + ...opts + }); + }; + } + agent[kAxiosInstalledTunnel] = true; + cache.set(key, agent); + return agent; +} const supportedProtocols = platform.protocols.map(protocol => { return protocol + ':'; }); + +// Node's WHATWG URL parser returns `username` and `password` percent-encoded. +// Decode before composing the `auth` option so credentials such as +// `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the +// original value for malformed input so a bad encoding never throws. +const decodeURIComponentSafe$1 = value => { + if (!utils$1.isString(value)) { + return value; + } + try { + return decodeURIComponent(value); + } catch (error) { + return value; + } +}; const flushOnFinish = (stream, [throttled, flush]) => { stream.on('end', flush).on('error', flush); return throttled; }; -class Http2Sessions { - constructor() { - this.sessions = Object.create(null); - } - getSession(authority, options) { - options = Object.assign({ - sessionTimeout: 1000 - }, options); - let authoritySessions = this.sessions[authority]; - if (authoritySessions) { - let len = authoritySessions.length; - for (let i = 0; i < len; i++) { - const [sessionHandle, sessionOptions] = authoritySessions[i]; - if (!sessionHandle.destroyed && !sessionHandle.closed && util.isDeepStrictEqual(sessionOptions, options)) { - return sessionHandle; - } - } - } - const session = http2.connect(authority, options); - let removed; - const removeSession = () => { - if (removed) { - return; - } - removed = true; - let entries = authoritySessions, - len = entries.length, - i = len; - while (i--) { - if (entries[i][0] === session) { - if (len === 1) { - delete this.sessions[authority]; - } else { - entries.splice(i, 1); - } - if (!session.closed) { - session.close(); - } - return; - } - } - }; - const originalRequestFn = session.request; - const { - sessionTimeout - } = options; - if (sessionTimeout != null) { - let timer; - let streamsCount = 0; - session.request = function () { - const stream = originalRequestFn.apply(this, arguments); - streamsCount++; - if (timer) { - clearTimeout(timer); - timer = null; - } - stream.once('close', () => { - if (! --streamsCount) { - timer = setTimeout(() => { - timer = null; - removeSession(); - }, sessionTimeout); - } - }); - return stream; - }; - } - session.once('close', removeSession); - let entry = [session, options]; - authoritySessions ? authoritySessions.push(entry) : authoritySessions = this.sessions[authority] = [entry]; - return session; - } -} const http2Sessions = new Http2Sessions(); /** - * If the proxy or config beforeRedirects functions are defined, call them with the options - * object. + * If the proxy, auth, or config beforeRedirects functions are defined, call them + * with the options object. * * @param {Object} options - The options object that was passed to the request. * * @returns {Object} */ -function dispatchBeforeRedirect(options, responseDetails) { +function dispatchBeforeRedirect(options, responseDetails, requestDetails) { if (options.beforeRedirects.proxy) { options.beforeRedirects.proxy(options); } + if (options.beforeRedirects.auth) { + options.beforeRedirects.auth(options); + } if (options.beforeRedirects.config) { - options.beforeRedirects.config(options, responseDetails); + options.beforeRedirects.config(options, responseDetails, requestDetails); } } @@ -47653,7 +48529,7 @@ function dispatchBeforeRedirect(options, responseDetails) { * * @returns {http.ClientRequestArgs} */ -function setProxy(options, configProxy, location) { +function setProxy(options, configProxy, location, isRedirect, configHttpsAgent) { let proxy = configProxy; if (!proxy && proxy !== false) { const proxyUrl = getProxyForUrl(location); @@ -47663,39 +48539,134 @@ function setProxy(options, configProxy, location) { } } } + // On redirect re-invocation, strip any stale Proxy-Authorization header carried + // over from the prior request (e.g. new target no longer uses a proxy, or uses + // a different proxy). Skip on the initial request so user-supplied headers are + // preserved. Header names are case-insensitive, so remove every case variant. + if (isRedirect && options.headers) { + for (const name of Object.keys(options.headers)) { + if (name.toLowerCase() === 'proxy-authorization') { + delete options.headers[name]; + } + } + } + // Strip any tunneling agent we installed for the previous hop so a redirect + // that drops the proxy or crosses an HTTPS↔HTTP boundary doesn't reuse a + // stale one. Match on our Symbol marker so a user-supplied HttpsProxyAgent + // (which won't carry the marker) is left alone. + if (isRedirect && options.agent && options.agent[kAxiosInstalledTunnel]) { + options.agent = undefined; + } if (proxy) { + // Read proxy fields without traversing the prototype chain. URL instances expose + // username/password/hostname/host/port/protocol via getters on URL.prototype (so + // direct reads are shielded), but plain object proxies — and the `auth` field + // (which URL does not expose) — must be guarded so a polluted Object.prototype + // (e.g. Object.prototype.auth = { username, password }) cannot inject + // attacker-controlled credentials into the Proxy-Authorization header or + // redirect proxying to an attacker-controlled host. + const isProxyURL = proxy instanceof URL; + const readProxyField = key => isProxyURL || utils$1.hasOwnProp(proxy, key) ? proxy[key] : undefined; + const proxyUsername = readProxyField('username'); + const proxyPassword = readProxyField('password'); + let proxyAuth = utils$1.hasOwnProp(proxy, 'auth') ? proxy.auth : undefined; + // Basic proxy authorization - if (proxy.username) { - proxy.auth = (proxy.username || '') + ':' + (proxy.password || ''); - } - if (proxy.auth) { - // Support proxy auth object form - const validProxyAuth = Boolean(proxy.auth.username || proxy.auth.password); + if (proxyUsername) { + proxyAuth = (proxyUsername || '') + ':' + (proxyPassword || ''); + } + if (proxyAuth) { + // Support proxy auth object form. Read sub-fields via own-prop checks so a + // plain object inheriting from polluted Object.prototype cannot leak creds. + const authIsObject = typeof proxyAuth === 'object'; + const authUsername = authIsObject && utils$1.hasOwnProp(proxyAuth, 'username') ? proxyAuth.username : undefined; + const authPassword = authIsObject && utils$1.hasOwnProp(proxyAuth, 'password') ? proxyAuth.password : undefined; + const validProxyAuth = Boolean(authUsername || authPassword); if (validProxyAuth) { - proxy.auth = (proxy.auth.username || '') + ':' + (proxy.auth.password || ''); - } else if (typeof proxy.auth === 'object') { + proxyAuth = (authUsername || '') + ':' + (authPassword || ''); + } else if (authIsObject) { throw new AxiosError('Invalid proxy authorization', AxiosError.ERR_BAD_OPTION, { proxy }); } - const base64 = Buffer.from(proxy.auth, 'utf8').toString('base64'); - options.headers['Proxy-Authorization'] = 'Basic ' + base64; } - options.headers.host = options.hostname + (options.port ? ':' + options.port : ''); - const proxyHost = proxy.hostname || proxy.host; - options.hostname = proxyHost; - // Replace 'host' since options is not a URL object - options.host = proxyHost; - options.port = proxy.port; - options.path = location; - if (proxy.protocol) { - options.protocol = proxy.protocol.includes(':') ? proxy.protocol : `${proxy.protocol}:`; + const targetIsHttps = isHttps.test(options.protocol); + if (targetIsHttps) { + // CONNECT-tunneling path for HTTPS targets. Preserves end-to-end TLS to + // the origin so the proxy cannot inspect the URL, headers, or body — the + // behavior already promised by THREATMODEL.md (T-R9). HttpsProxyAgent + // sends Proxy-Authorization on the CONNECT request only, never on the + // wrapped TLS request, which is why we don't stamp it onto + // options.headers here. If the user already supplied an HttpsProxyAgent, + // they own tunneling end-to-end and we leave them alone; otherwise we + // install our own tunneling agent and forward their TLS options (if any) + // so a custom httpsAgent for cert pinning / rejectUnauthorized still + // applies to the origin TLS upgrade. + if (!(configHttpsAgent instanceof HttpsProxyAgent)) { + const proxyHost = readProxyField('hostname') || readProxyField('host'); + const proxyPort = readProxyField('port'); + const rawProxyProtocol = readProxyField('protocol'); + const normalizedProtocol = rawProxyProtocol ? rawProxyProtocol.includes(':') ? rawProxyProtocol : `${rawProxyProtocol}:` : 'http:'; + // Bracket IPv6 literals for URL parsing; URL.hostname strips the + // brackets again on read so the agent receives the raw form. + const proxyHostForURL = proxyHost && proxyHost.includes(':') && !proxyHost.startsWith('[') ? `[${proxyHost}]` : proxyHost; + const proxyURL = new URL(`${normalizedProtocol}//${proxyHostForURL}${proxyPort ? ':' + proxyPort : ''}`); + const agentOptions = { + protocol: proxyURL.protocol, + hostname: proxyURL.hostname.replace(/^\[|\]$/g, ''), + port: proxyURL.port, + auth: proxyAuth && typeof proxyAuth === 'string' ? proxyAuth : undefined + }; + if (proxyURL.protocol === 'https:') { + agentOptions.ALPNProtocols = ['http/1.1']; + } + const tunnelingAgent = getTunnelingAgent(agentOptions, configHttpsAgent); + // Set both: `options.agent` is consumed by the native https.request path + // (config.maxRedirects === 0); `options.agents.https` is consumed by + // follow-redirects, which ignores `options.agent` when `options.agents` + // is present. + options.agent = tunnelingAgent; + if (options.agents) { + options.agents.https = tunnelingAgent; + } + } + } else { + // Forward-proxy mode for plaintext HTTP targets. The request line carries + // the absolute URL and the proxy sees everything — acceptable for plain + // HTTP since the wire was already plaintext. + if (proxyAuth) { + const base64 = Buffer.from(proxyAuth, 'utf8').toString('base64'); + options.headers['Proxy-Authorization'] = 'Basic ' + base64; + } + + // Preserve a user-supplied Host header (case-insensitive) so callers can override + // the value forwarded to the proxy; otherwise default to the request URL's host. + let hasUserHostHeader = false; + for (const name of Object.keys(options.headers)) { + if (name.toLowerCase() === 'host') { + hasUserHostHeader = true; + break; + } + } + if (!hasUserHostHeader) { + options.headers.host = options.hostname + (options.port ? ':' + options.port : ''); + } + const proxyHost = readProxyField('hostname') || readProxyField('host'); + options.hostname = proxyHost; + // Replace 'host' since options is not a URL object + options.host = proxyHost; + options.port = readProxyField('port'); + options.path = location; + const proxyProtocol = readProxyField('protocol'); + if (proxyProtocol) { + options.protocol = proxyProtocol.includes(':') ? proxyProtocol : `${proxyProtocol}:`; + } } } options.beforeRedirects.proxy = function beforeRedirect(redirectOptions) { // Configure proxy for redirected request, passing the original config proxy to apply // the exact same logic as if the redirected request was performed by axios directly. - setProxy(redirectOptions, configProxy, redirectOptions.href); + setProxy(redirectOptions, configProxy, redirectOptions.href, true, configHttpsAgent); }; } const isHttpAdapterSupported = typeof process !== 'undefined' && utils$1.kindOf(process) === 'process'; @@ -47778,21 +48749,21 @@ const http2Transport = { /*eslint consistent-return:0*/ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { return wrapAsync(async function dispatchHttpRequest(resolve, reject, onDone) { - let { - data, - lookup, - family, - httpVersion = 1, - http2Options - } = config; - const { - responseType, - responseEncoding - } = config; + const own = key => utils$1.hasOwnProp(config, key) ? config[key] : undefined; + const transitional = own('transitional') || transitionalDefaults; + let data = own('data'); + let lookup = own('lookup'); + let family = own('family'); + let httpVersion = own('httpVersion'); + if (httpVersion === undefined) httpVersion = 1; + let http2Options = own('http2Options'); + const responseType = own('responseType'); + const responseEncoding = own('responseEncoding'); const method = config.method.toUpperCase(); let isDone; let rejected = false; let req; + let connectPhaseTimer; httpVersion = +httpVersion; if (Number.isNaN(httpVersion)) { throw TypeError(`Invalid protocol version: '${config.httpVersion}' is not a number`); @@ -47819,11 +48790,25 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { try { abortEmitter.emit('abort', !reason || reason.type ? new CanceledError(null, config, req) : reason); } catch (err) { - console.warn('emit error', err); + // ignore emit errors + } + } + function clearConnectPhaseTimer() { + if (connectPhaseTimer) { + clearTimeout(connectPhaseTimer); + connectPhaseTimer = null; } } + function createTimeoutError() { + let timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded'; + if (config.timeoutErrorMessage) { + timeoutErrorMessage = config.timeoutErrorMessage; + } + return new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, req); + } abortEmitter.once('abort', reject); const onFinished = () => { + clearConnectPhaseTimer(); if (config.cancelToken) { config.cancelToken.unsubscribe(abort); } @@ -47840,6 +48825,7 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { } onDone((response, isRejected) => { isDone = true; + clearConnectPhaseTimer(); if (isRejected) { rejected = true; onFinished(); @@ -47932,8 +48918,8 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { boundary: userBoundary && userBoundary[1] || undefined }); // support for https://www.npmjs.com/package/form-data api - } else if (utils$1.isFormData(data) && utils$1.isFunction(data.getHeaders)) { - headers.set(data.getHeaders()); + } else if (utils$1.isFormData(data) && utils$1.isFunction(data.getHeaders) && data.getHeaders !== Object.prototype.getHeaders) { + setFormDataHeaders$1(headers, data.getHeaders(), own('formDataHeaderPolicy')); if (!headers.hasContentLength()) { try { const knownLength = await util.promisify(data.getLength).call(data); @@ -47981,20 +48967,21 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { // HTTP basic authentication let auth = undefined; - if (config.auth) { - const username = config.auth.username || ''; - const password = config.auth.password || ''; + const configAuth = own('auth'); + if (configAuth) { + const username = configAuth.username || ''; + const password = configAuth.password || ''; auth = username + ':' + password; } - if (!auth && parsed.username) { - const urlUsername = parsed.username; - const urlPassword = parsed.password; + if (!auth && (parsed.username || parsed.password)) { + const urlUsername = decodeURIComponentSafe$1(parsed.username); + const urlPassword = decodeURIComponentSafe$1(parsed.password); auth = urlUsername + ':' + urlPassword; } auth && headers.delete('authorization'); - let path; + let path$1; try { - path = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, ''); + path$1 = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, ''); } catch (err) { const customErr = new Error(err.message); customErr.config = config; @@ -48002,11 +48989,14 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { customErr.exists = true; return reject(customErr); } - headers.set('Accept-Encoding', 'gzip, compress, deflate' + (isBrotliSupported ? ', br' : ''), false); - const options = { - path, + headers.set('Accept-Encoding', utils$1.hasOwnProp(transitional, 'advertiseZstdAcceptEncoding') && transitional.advertiseZstdAcceptEncoding === true ? ACCEPT_ENCODING_WITH_ZSTD : ACCEPT_ENCODING, false); + + // Null-prototype to block prototype pollution gadgets on properties read + // directly by Node's http.request (e.g. insecureHTTPParser, lookup). + const options = Object.assign(Object.create(null), { + path: path$1, method: method, - headers: headers.toJSON(), + headers: toByteStringHeaderObject(headers), agents: { http: config.httpAgent, https: config.httpsAgent @@ -48015,35 +49005,73 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { protocol, family, beforeRedirect: dispatchBeforeRedirect, - beforeRedirects: {}, + beforeRedirects: Object.create(null), http2Options - }; + }); // cacheable-lookup integration hotfix !utils$1.isUndefined(lookup) && (options.lookup = lookup); - if (config.socketPath) { - options.socketPath = config.socketPath; + const socketPath = own('socketPath'); + if (socketPath) { + if (typeof socketPath !== 'string') { + return reject(new AxiosError('socketPath must be a string', AxiosError.ERR_BAD_OPTION_VALUE, config)); + } + const allowedSocketPaths = own('allowedSocketPaths'); + if (allowedSocketPaths != null) { + const allowed = Array.isArray(allowedSocketPaths) ? allowedSocketPaths : [allowedSocketPaths]; + const resolvedSocket = path.resolve(socketPath); + const isAllowed = allowed.some(entry => typeof entry === 'string' && path.resolve(entry) === resolvedSocket); + if (!isAllowed) { + return reject(new AxiosError(`socketPath "${socketPath}" is not permitted by allowedSocketPaths`, AxiosError.ERR_BAD_OPTION_VALUE, config)); + } + } + options.socketPath = socketPath; } else { options.hostname = parsed.hostname.startsWith('[') ? parsed.hostname.slice(1, -1) : parsed.hostname; options.port = parsed.port; - setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path); + setProxy(options, config.proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path, false, config.httpsAgent); } let transport; + let isNativeTransport = false; const isHttpsRequest = isHttps.test(options.protocol); - options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent; + // Don't clobber a CONNECT-tunneling agent installed by setProxy() for an + // HTTPS target. + if (options.agent == null) { + options.agent = isHttpsRequest ? config.httpsAgent : config.httpAgent; + } if (isHttp2) { transport = http2Transport; } else { - if (config.transport) { - transport = config.transport; + const configTransport = own('transport'); + if (configTransport) { + transport = configTransport; } else if (config.maxRedirects === 0) { transport = isHttpsRequest ? https : http; + isNativeTransport = true; } else { if (config.maxRedirects) { options.maxRedirects = config.maxRedirects; } - if (config.beforeRedirect) { - options.beforeRedirects.config = config.beforeRedirect; + const configBeforeRedirect = own('beforeRedirect'); + if (configBeforeRedirect) { + options.beforeRedirects.config = configBeforeRedirect; + } + if (auth) { + // Restore HTTP Basic credentials on same-origin redirects only. + // follow-redirects >= 1.15.8 strips Authorization on every redirect (see #6929); + // cross-origin stripping is the documented mitigation for T-R2 in THREATMODEL.md + // and is preserved by deliberately not restoring on origin change. + const requestOrigin = parsed.origin; + const authToRestore = auth; + options.beforeRedirects.auth = function beforeRedirectAuth(redirectOptions) { + try { + if (new URL(redirectOptions.href).origin === requestOrigin) { + redirectOptions.auth = authToRestore; + } + } catch (e) { + // ignore malformed URL: leaving auth stripped is fail-safe + } + }; } transport = isHttpsRequest ? httpsFollow : httpFollow; } @@ -48054,12 +49082,15 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { // follow-redirects does not skip comparison, so it should always succeed for axios -1 unlimited options.maxBodyLength = Infinity; } - if (config.insecureHTTPParser) { - options.insecureHTTPParser = config.insecureHTTPParser; - } + + // Always set an explicit own value so a polluted + // Object.prototype.insecureHTTPParser cannot enable the lenient parser + // through Node's internal options copy + options.insecureHTTPParser = Boolean(own('insecureHTTPParser')); // Create the request req = transport.request(options, function handleResponse(res) { + clearConnectPhaseTimer(); if (req.destroyed) return; const streams = [res]; const responseLength = utils$1.toFiniteNumber(res.headers['content-length']); @@ -48110,6 +49141,13 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { streams.push(zlib.createBrotliDecompress(brotliOptions)); delete res.headers['content-encoding']; } + break; + case 'zstd': + if (isZstdSupported) { + streams.push(zlib.createZstdDecompress(zstdOptions)); + delete res.headers['content-encoding']; + } + break; } } responseStream = streams.length > 1 ? stream.pipeline(streams, utils$1.noop) : streams[0]; @@ -48121,6 +49159,25 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { request: lastRequest }; if (responseType === 'stream') { + // Enforce maxContentLength on streamed responses; previously this + // was applied only to buffered responses. + if (config.maxContentLength > -1) { + const limit = config.maxContentLength; + const source = responseStream; + async function* enforceMaxContentLength() { + let totalResponseBytes = 0; + for await (const chunk of source) { + totalResponseBytes += chunk.length; + if (totalResponseBytes > limit) { + throw new AxiosError('maxContentLength size of ' + limit + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, lastRequest); + } + yield chunk; + } + } + responseStream = stream.Readable.from(enforceMaxContentLength(), { + objectMode: false + }); + } response.data = responseStream; settle(resolve, reject, response); } else { @@ -48142,13 +49199,13 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { if (rejected) { return; } - const err = new AxiosError('stream has been aborted', AxiosError.ERR_BAD_RESPONSE, config, lastRequest); + const err = new AxiosError('stream has been aborted', AxiosError.ERR_BAD_RESPONSE, config, lastRequest, response); responseStream.destroy(err); reject(err); }); responseStream.on('error', function handleStreamError(err) { - if (req.destroyed) return; - reject(AxiosError.from(err, null, config, lastRequest)); + if (rejected) return; + reject(AxiosError.from(err, null, config, lastRequest, response)); }); responseStream.on('end', function handleStreamEnd() { try { @@ -48187,9 +49244,44 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { }); // set tcp keep alive to prevent drop connection by peer + // Track every socket bound to this outer RedirectableRequest so a single + // 'close' listener can release ownership on all of them. follow-redirects + // re-emits the 'socket' event for each hop's native request onto the same + // outer request, so attaching per-request listeners inside this handler + // would accumulate across hops and trigger MaxListenersExceededWarning at + // >= 11 redirects. Clearing only the last-bound socket would leave stale + // kAxiosCurrentReq refs on earlier hop sockets returned to the keep-alive + // pool, causing an idle-pool 'error' to be attributed to a closed req. + const boundSockets = new Set(); req.on('socket', function handleRequestSocket(socket) { // default interval of sending ack packet is 1 minute socket.setKeepAlive(true, 1000 * 60); + + // Install a single 'error' listener per socket (not per request) to avoid + // accumulating listeners on pooled keep-alive sockets that get reassigned + // to new requests before the previous request's 'close' fires (issue #10780). + // The listener is bound to the socket's currently-active request via a + // symbol, which is swapped as the socket is reassigned. + if (!socket[kAxiosSocketListener]) { + socket.on('error', function handleSocketError(err) { + const current = socket[kAxiosCurrentReq]; + if (current && !current.destroyed) { + current.destroy(err); + } + }); + socket[kAxiosSocketListener] = true; + } + socket[kAxiosCurrentReq] = req; + boundSockets.add(socket); + }); + req.once('close', function clearCurrentReq() { + clearConnectPhaseTimer(); + for (const socket of boundSockets) { + if (socket[kAxiosCurrentReq] === req) { + socket[kAxiosCurrentReq] = null; + } + } + boundSockets.clear(); }); // Handle request timeout @@ -48200,21 +49292,23 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { abort(new AxiosError('error trying to parse `config.timeout` to int', AxiosError.ERR_BAD_OPTION_VALUE, config, req)); return; } + const handleTimeout = function handleTimeout() { + if (isDone) return; + abort(createTimeoutError()); + }; + if (isNativeTransport && timeout > 0) { + // Native ClientRequest#setTimeout starts from the socket lifecycle and + // may not fire while TCP connect is still pending. Mirror the + // follow-redirects wall-clock timer for the maxRedirects === 0 path. + connectPhaseTimer = setTimeout(handleTimeout, timeout); + } // Sometime, the response will be very slow, and does not respond, the connect event will be block by event loop system. // And timer callback will be fired, and abort() will be invoked before connection, then get "socket hang up" and code ECONNRESET. // At this time, if we have a large number of request, nodejs will hang up some socket on background. and the number will up and up. // And then these socket which be hang up will devouring CPU little by little. // ClientRequest.setTimeout will be fired on the specify milliseconds, and can make sure that abort() will be fired after connect. - req.setTimeout(timeout, function handleRequestTimeout() { - if (isDone) return; - let timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded'; - const transitional = config.transitional || transitionalDefaults; - if (config.timeoutErrorMessage) { - timeoutErrorMessage = config.timeoutErrorMessage; - } - abort(new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, req)); - }); + req.setTimeout(timeout, handleTimeout); } else { // explicitly reset the socket timeout value for a possible `keep-alive` request req.setTimeout(0); @@ -48236,7 +49330,28 @@ var httpAdapter = isHttpAdapterSupported && function httpAdapter(config) { abort(new CanceledError('Request stream has been aborted', config, req)); } }); - data.pipe(req); + + // Enforce maxBodyLength for streamed uploads on the native http/https + // transport (maxRedirects === 0); follow-redirects enforces it on the + // other path. + let uploadStream = data; + if (config.maxBodyLength > -1 && config.maxRedirects === 0) { + const limit = config.maxBodyLength; + let bytesSent = 0; + uploadStream = stream.pipeline([data, new stream.Transform({ + transform(chunk, _enc, cb) { + bytesSent += chunk.length; + if (bytesSent > limit) { + return cb(new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, req)); + } + cb(null, chunk); + } + })], utils$1.noop); + uploadStream.on('error', err => { + if (!req.destroyed) req.destroy(err); + }); + } + uploadStream.pipe(req); } else { data && req.write(data); req.end(); @@ -48274,8 +49389,20 @@ var cookies = platform.hasStandardBrowserEnv ? }, read(name) { if (typeof document === 'undefined') return null; - const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)')); - return match ? decodeURIComponent(match[1]) : null; + // Match name=value by splitting on the semicolon separator instead of building a + // RegExp from `name` — interpolating an unescaped string into a RegExp would let + // metacharacters (e.g. `.+?` in an attacker-influenced cookie name) cause ReDoS or + // match the wrong cookie. Browsers may serialize cookie pairs as either ";" or + // "; ", so ignore optional whitespace before each cookie name. + const cookies = document.cookie.split(';'); + for (let i = 0; i < cookies.length; i++) { + const cookie = cookies[i].replace(/^\s+/, ''); + const eq = cookie.indexOf('='); + if (eq !== -1 && cookie.slice(0, eq) === name) { + return decodeURIComponent(cookie.slice(eq + 1)); + } + } + return null; }, remove(name) { this.write(name, '', Date.now() - 86400000, '/'); @@ -48306,7 +49433,21 @@ const headersToObject = thing => thing instanceof AxiosHeaders ? { function mergeConfig(config1, config2) { // eslint-disable-next-line no-param-reassign config2 = config2 || {}; - const config = {}; + + // Use a null-prototype object so that downstream reads such as `config.auth` + // or `config.baseURL` cannot inherit polluted values from Object.prototype. + // `hasOwnProperty` is restored as a non-enumerable own slot to preserve + // ergonomics for user code that relies on it. + const config = Object.create(null); + Object.defineProperty(config, 'hasOwnProperty', { + // Null-proto descriptor so a polluted Object.prototype.get cannot turn + // this data descriptor into an accessor descriptor on the way in. + __proto__: null, + value: Object.prototype.hasOwnProperty, + enumerable: false, + writable: true, + configurable: true + }); function getMergedValue(target, source, prop, caseless) { if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) { return utils$1.merge.call({ @@ -48345,9 +49486,9 @@ function mergeConfig(config1, config2) { // eslint-disable-next-line consistent-return function mergeDirectKeys(a, b, prop) { - if (prop in config2) { + if (utils$1.hasOwnProp(config2, prop)) { return getMergedValue(a, b); - } else if (prop in config1) { + } else if (utils$1.hasOwnProp(config1, prop)) { return getMergedValue(undefined, a); } } @@ -48378,6 +49519,7 @@ function mergeConfig(config1, config2) { httpsAgent: defaultToConfig2, cancelToken: defaultToConfig2, socketPath: defaultToConfig2, + allowedSocketPaths: defaultToConfig2, responseEncoding: defaultToConfig2, validateStatus: mergeDirectKeys, headers: (a, b, prop) => mergeDeepProperties(headersToObject(a), headersToObject(b), prop, true) @@ -48388,42 +49530,64 @@ function mergeConfig(config1, config2) { }), function computeConfigValue(prop) { if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') return; const merge = utils$1.hasOwnProp(mergeMap, prop) ? mergeMap[prop] : mergeDeepProperties; - const configValue = merge(config1[prop], config2[prop], prop); + const a = utils$1.hasOwnProp(config1, prop) ? config1[prop] : undefined; + const b = utils$1.hasOwnProp(config2, prop) ? config2[prop] : undefined; + const configValue = merge(a, b, prop); utils$1.isUndefined(configValue) && merge !== mergeDirectKeys || (config[prop] = configValue); }); return config; } -var resolveConfig = config => { +const FORM_DATA_CONTENT_HEADERS = ['content-type', 'content-length']; +function setFormDataHeaders(headers, formHeaders, policy) { + if (policy !== 'content-only') { + headers.set(formHeaders); + return; + } + Object.entries(formHeaders).forEach(([key, val]) => { + if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) { + headers.set(key, val); + } + }); +} + +/** + * Encode a UTF-8 string to a Latin-1 byte string for use with btoa(). + * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern. + * + * @param {string} str The string to encode + * + * @returns {string} UTF-8 bytes as a Latin-1 string + */ +const encodeUTF8$1 = str => encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))); +function resolveConfig(config) { const newConfig = mergeConfig({}, config); - let { - data, - withXSRFToken, - xsrfHeaderName, - xsrfCookieName, - headers, - auth - } = newConfig; + + // Read only own properties to prevent prototype pollution gadgets + // (e.g. Object.prototype.baseURL = 'https://evil.com'). + const own = key => utils$1.hasOwnProp(newConfig, key) ? newConfig[key] : undefined; + const data = own('data'); + let withXSRFToken = own('withXSRFToken'); + const xsrfHeaderName = own('xsrfHeaderName'); + const xsrfCookieName = own('xsrfCookieName'); + let headers = own('headers'); + const auth = own('auth'); + const baseURL = own('baseURL'); + const allowAbsoluteUrls = own('allowAbsoluteUrls'); + const url = own('url'); newConfig.headers = headers = AxiosHeaders.from(headers); - newConfig.url = buildURL(buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), config.params, config.paramsSerializer); + newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), own('params'), own('paramsSerializer')); // HTTP basic authentication if (auth) { - headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? unescape(encodeURIComponent(auth.password)) : ''))); + headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8$1(auth.password) : ''))); } if (utils$1.isFormData(data)) { - if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) { - headers.setContentType(undefined); // browser handles it + if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv || utils$1.isReactNative(data)) { + headers.setContentType(undefined); // browser/web worker/RN handles it } else if (utils$1.isFunction(data.getHeaders)) { // Node.js FormData (like form-data package) - const formHeaders = data.getHeaders(); - // Only set safe headers to avoid overwriting security headers - const allowedHeaders = ['content-type', 'content-length']; - Object.entries(formHeaders).forEach(([key, val]) => { - if (allowedHeaders.includes(key.toLowerCase())) { - headers.set(key, val); - } - }); + setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy')); } } @@ -48432,9 +49596,15 @@ var resolveConfig = config => { // Specifically not if we're in a web worker, or react-native. if (platform.hasStandardBrowserEnv) { - withXSRFToken && utils$1.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(newConfig)); - if (withXSRFToken || withXSRFToken !== false && isURLSameOrigin(newConfig.url)) { - // Add xsrf header + if (utils$1.isFunction(withXSRFToken)) { + withXSRFToken = withXSRFToken(newConfig); + } + + // Strict boolean check — prevents proto-pollution gadgets (e.g. Object.prototype.withXSRFToken = 1) + // and misconfigurations (e.g. "false") from short-circuiting the same-origin check and leaking + // the XSRF token cross-origin. + const shouldSendXSRF = withXSRFToken === true || withXSRFToken == null && isURLSameOrigin(newConfig.url); + if (shouldSendXSRF) { const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName); if (xsrfValue) { headers.set(xsrfHeaderName, xsrfValue); @@ -48442,7 +49612,7 @@ var resolveConfig = config => { } } return newConfig; -}; +} const isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined'; var xhrAdapter = isXHRAdapterSupported && function (config) { @@ -48510,7 +49680,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { // handled by onerror instead // With one exception: request that using file: protocol, most browsers // will return status as 0 even though it's a successful request - if (request.status === 0 && !(request.responseURL && request.responseURL.indexOf('file:') === 0)) { + if (request.status === 0 && !(request.responseURL && request.responseURL.startsWith('file:'))) { return; } // readystate handler is calling before onerror or ontimeout handlers, @@ -48525,6 +49695,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { return; } reject(new AxiosError('Request aborted', AxiosError.ECONNABORTED, config, request)); + done(); // Clean up request request = null; @@ -48540,6 +49711,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { // attach the underlying event for consumers who want details err.event = event || null; reject(err); + done(); request = null; }; @@ -48551,6 +49723,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { timeoutErrorMessage = _config.timeoutErrorMessage; } reject(new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, request)); + done(); // Clean up request request = null; @@ -48561,7 +49734,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { // Add headers to the request if ('setRequestHeader' in request) { - utils$1.forEach(requestHeaders.toJSON(), function setRequestHeader(val, key) { + utils$1.forEach(toByteStringHeaderObject(requestHeaders), function setRequestHeader(val, key) { request.setRequestHeader(key, val); }); } @@ -48597,6 +49770,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { } reject(!cancel || cancel.type ? new CanceledError(null, config, request) : cancel); request.abort(); + done(); request = null; }; _config.cancelToken && _config.cancelToken.subscribe(onCanceled); @@ -48605,7 +49779,7 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { } } const protocol = parseProtocol(_config.url); - if (protocol && platform.protocols.indexOf(protocol) === -1) { + if (protocol && !platform.protocols.includes(protocol)) { reject(new AxiosError('Unsupported protocol ' + protocol + ':', AxiosError.ERR_BAD_REQUEST, config)); return; } @@ -48616,41 +49790,41 @@ var xhrAdapter = isXHRAdapterSupported && function (config) { }; const composeSignals = (signals, timeout) => { - const { - length - } = signals = signals ? signals.filter(Boolean) : []; - if (timeout || length) { - let controller = new AbortController(); - let aborted; - const onabort = function (reason) { - if (!aborted) { - aborted = true; - unsubscribe(); - const err = reason instanceof Error ? reason : this.reason; - controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err)); - } - }; - let timer = timeout && setTimeout(() => { - timer = null; - onabort(new AxiosError(`timeout of ${timeout}ms exceeded`, AxiosError.ETIMEDOUT)); - }, timeout); - const unsubscribe = () => { - if (signals) { - timer && clearTimeout(timer); - timer = null; - signals.forEach(signal => { - signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort); - }); - signals = null; - } - }; - signals.forEach(signal => signal.addEventListener('abort', onabort)); - const { - signal - } = controller; - signal.unsubscribe = () => utils$1.asap(unsubscribe); - return signal; + signals = signals ? signals.filter(Boolean) : []; + if (!timeout && !signals.length) { + return; } + const controller = new AbortController(); + let aborted = false; + const onabort = function (reason) { + if (!aborted) { + aborted = true; + unsubscribe(); + const err = reason instanceof Error ? reason : this.reason; + controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err)); + } + }; + let timer = timeout && setTimeout(() => { + timer = null; + onabort(new AxiosError(`timeout of ${timeout}ms exceeded`, AxiosError.ETIMEDOUT)); + }, timeout); + const unsubscribe = () => { + if (!signals) { + return; + } + timer && clearTimeout(timer); + timer = null; + signals.forEach(signal => { + signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort); + }); + signals = null; + }; + signals.forEach(signal => signal.addEventListener('abort', onabort)); + const { + signal + } = controller; + signal.unsubscribe = () => utils$1.asap(unsubscribe); + return signal; }; const streamChunk = function* (chunk, chunkSize) { @@ -48739,17 +49913,31 @@ const DEFAULT_CHUNK_SIZE = 64 * 1024; const { isFunction } = utils$1; -const globalFetchAPI = (({ - Request, - Response -}) => ({ - Request, - Response -}))(utils$1.global); -const { - ReadableStream: ReadableStream$1, - TextEncoder: TextEncoder$1 -} = utils$1.global; + +/** + * Encode a UTF-8 string to a Latin-1 byte string for use with btoa(). + * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern. + * + * @param {string} str The string to encode + * + * @returns {string} UTF-8 bytes as a Latin-1 string + */ +const encodeUTF8 = str => encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))); + +// Node's WHATWG URL parser returns `username` and `password` percent-encoded. +// Decode before composing the `auth` option so credentials such as +// `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the +// original value for malformed input so a bad encoding never throws. +const decodeURIComponentSafe = value => { + if (!utils$1.isString(value)) { + return value; + } + try { + return decodeURIComponent(value); + } catch (error) { + return value; + } +}; const test = (fn, ...args) => { try { return !!fn(...args); @@ -48757,10 +49945,26 @@ const test = (fn, ...args) => { return false; } }; +const maybeWithAuthCredentials = url => { + const protocolIndex = url.indexOf('://'); + let urlToCheck = url; + if (protocolIndex !== -1) { + urlToCheck = urlToCheck.slice(protocolIndex + 3); + } + return urlToCheck.includes('@') || urlToCheck.includes(':'); +}; const factory = env => { + const globalObject = utils$1.global !== undefined && utils$1.global !== null ? utils$1.global : globalThis; + const { + ReadableStream, + TextEncoder + } = globalObject; env = utils$1.merge.call({ skipUndefined: true - }, globalFetchAPI, env); + }, { + Request: globalObject.Request, + Response: globalObject.Response + }, env); const { fetch: envFetch, Request, @@ -48772,20 +49976,22 @@ const factory = env => { if (!isFetchSupported) { return false; } - const isReadableStreamSupported = isFetchSupported && isFunction(ReadableStream$1); - const encodeText = isFetchSupported && (typeof TextEncoder$1 === 'function' ? (encoder => str => encoder.encode(str))(new TextEncoder$1()) : async str => new Uint8Array(await new Request(str).arrayBuffer())); + const isReadableStreamSupported = isFetchSupported && isFunction(ReadableStream); + const encodeText = isFetchSupported && (typeof TextEncoder === 'function' ? (encoder => str => encoder.encode(str))(new TextEncoder()) : async str => new Uint8Array(await new Request(str).arrayBuffer())); const supportsRequestStream = isRequestSupported && isReadableStreamSupported && test(() => { let duplexAccessed = false; - const body = new ReadableStream$1(); - const hasContentType = new Request(platform.origin, { - body, + const request = new Request(platform.origin, { + body: new ReadableStream(), method: 'POST', get duplex() { duplexAccessed = true; return 'half'; } - }).headers.has('Content-Type'); - body.cancel(); + }); + const hasContentType = request.headers.has('Content-Type'); + if (request.body != null) { + request.body.cancel(); + } return duplexAccessed && !hasContentType; }); const supportsResponseStream = isResponseSupported && isReadableStreamSupported && test(() => utils$1.isReadableStream(new Response('').body)); @@ -48844,8 +50050,13 @@ const factory = env => { responseType, headers, withCredentials = 'same-origin', - fetchOptions + fetchOptions, + maxContentLength, + maxBodyLength } = resolveConfig(config); + const hasMaxContentLength = utils$1.isNumber(maxContentLength) && maxContentLength > -1; + const hasMaxBodyLength = utils$1.isNumber(maxBodyLength) && maxBodyLength > -1; + const own = key => utils$1.hasOwnProp(config, key) ? config[key] : undefined; let _fetch = envFetch || fetch; responseType = responseType ? (responseType + '').toLowerCase() : 'text'; let composedSignal = composeSignals([signal, cancelToken && cancelToken.toAbortSignal()], timeout); @@ -48855,6 +50066,58 @@ const factory = env => { }); let requestContentLength; try { + // HTTP basic authentication + let auth = undefined; + const configAuth = own('auth'); + if (configAuth) { + const username = configAuth.username || ''; + const password = configAuth.password || ''; + auth = { + username, + password + }; + } + if (maybeWithAuthCredentials(url)) { + const parsedURL = new URL(url, platform.origin); + if (!auth && (parsedURL.username || parsedURL.password)) { + const urlUsername = decodeURIComponentSafe(parsedURL.username); + const urlPassword = decodeURIComponentSafe(parsedURL.password); + auth = { + username: urlUsername, + password: urlPassword + }; + } + if (parsedURL.username || parsedURL.password) { + parsedURL.username = ''; + parsedURL.password = ''; + url = parsedURL.href; + } + } + if (auth) { + headers.delete('authorization'); + headers.set('Authorization', 'Basic ' + btoa(encodeUTF8((auth.username || '') + ':' + (auth.password || '')))); + } + + // Enforce maxContentLength for data: URLs up-front so we never materialize + // an oversized payload. The HTTP adapter applies the same check (see http.js + // "if (protocol === 'data:')" branch). + if (hasMaxContentLength && typeof url === 'string' && url.startsWith('data:')) { + const estimated = estimateDataURLDecodedBytes(url); + if (estimated > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } + + // Enforce maxBodyLength against the outbound request body before dispatch. + // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than + // maxBodyLength limit'). Skip when the body length cannot be determined + // (e.g. a live ReadableStream supplied by the caller). + if (hasMaxBodyLength && method !== 'get' && method !== 'head') { + const outboundLength = await resolveBodyLength(headers, data); + if (typeof outboundLength === 'number' && isFinite(outboundLength) && outboundLength > maxBodyLength) { + throw new AxiosError('Request body larger than maxBodyLength limit', AxiosError.ERR_BAD_REQUEST, config, request); + } + } if (onUploadProgress && supportsRequestStream && method !== 'get' && method !== 'head' && (requestContentLength = await resolveBodyLength(headers, data)) !== 0) { let _request = new Request(url, { method: 'POST', @@ -48877,32 +50140,82 @@ const factory = env => { // Cloudflare Workers throws when credentials are defined // see https://github.com/cloudflare/workerd/issues/902 const isCredentialsSupported = isRequestSupported && 'credentials' in Request.prototype; + + // If data is FormData and Content-Type is multipart/form-data without boundary, + // delete it so fetch can set it correctly with the boundary + if (utils$1.isFormData(data)) { + const contentType = headers.getContentType(); + if (contentType && /^multipart\/form-data/i.test(contentType) && !/boundary=/i.test(contentType)) { + headers.delete('content-type'); + } + } + + // Set User-Agent header if not already set (fetch defaults to 'node' in Node.js) + headers.set('User-Agent', 'axios/' + VERSION, false); const resolvedOptions = { ...fetchOptions, signal: composedSignal, method: method.toUpperCase(), - headers: headers.normalize().toJSON(), + headers: toByteStringHeaderObject(headers.normalize()), body: data, duplex: 'half', credentials: isCredentialsSupported ? withCredentials : undefined }; request = isRequestSupported && new Request(url, resolvedOptions); let response = await (isRequestSupported ? _fetch(request, fetchOptions) : _fetch(url, resolvedOptions)); + + // Cheap pre-check: if the server honestly declares a content-length that + // already exceeds the cap, reject before we start streaming. + if (hasMaxContentLength) { + const declaredLength = utils$1.toFiniteNumber(response.headers.get('content-length')); + if (declaredLength != null && declaredLength > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } const isStreamResponse = supportsResponseStream && (responseType === 'stream' || responseType === 'response'); - if (supportsResponseStream && (onDownloadProgress || isStreamResponse && unsubscribe)) { + if (supportsResponseStream && response.body && (onDownloadProgress || hasMaxContentLength || isStreamResponse && unsubscribe)) { const options = {}; ['status', 'statusText', 'headers'].forEach(prop => { options[prop] = response[prop]; }); const responseContentLength = utils$1.toFiniteNumber(response.headers.get('content-length')); const [onProgress, flush] = onDownloadProgress && progressEventDecorator(responseContentLength, progressEventReducer(asyncDecorator(onDownloadProgress), true)) || []; - response = new Response(trackStream(response.body, DEFAULT_CHUNK_SIZE, onProgress, () => { + let bytesRead = 0; + const onChunkProgress = loadedBytes => { + if (hasMaxContentLength) { + bytesRead = loadedBytes; + if (bytesRead > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } + onProgress && onProgress(loadedBytes); + }; + response = new Response(trackStream(response.body, DEFAULT_CHUNK_SIZE, onChunkProgress, () => { flush && flush(); unsubscribe && unsubscribe(); }), options); } responseType = responseType || 'text'; let responseData = await resolvers[utils$1.findKey(resolvers, responseType) || 'text'](response, config); + + // Fallback enforcement for environments without ReadableStream support + // (legacy runtimes). Detect materialized size from typed output; skip + // streams/Response passthrough since the user will read those themselves. + if (hasMaxContentLength && !supportsResponseStream && !isStreamResponse) { + let materializedSize; + if (responseData != null) { + if (typeof responseData.byteLength === 'number') { + materializedSize = responseData.byteLength; + } else if (typeof responseData.size === 'number') { + materializedSize = responseData.size; + } else if (typeof responseData === 'string') { + materializedSize = typeof TextEncoder === 'function' ? new TextEncoder().encode(responseData).byteLength : responseData.length; + } + } + if (typeof materializedSize === 'number' && materializedSize > maxContentLength) { + throw new AxiosError('maxContentLength size of ' + maxContentLength + ' exceeded', AxiosError.ERR_BAD_RESPONSE, config, request); + } + } !isStreamResponse && unsubscribe && unsubscribe(); return await new Promise((resolve, reject) => { settle(resolve, reject, { @@ -48916,6 +50229,17 @@ const factory = env => { }); } catch (err) { unsubscribe && unsubscribe(); + + // Safari can surface fetch aborts as a DOMException-like object whose + // branded getters throw. Prefer our composed signal reason before reading + // the caught error, preserving timeout vs cancellation semantics. + if (composedSignal && composedSignal.aborted && composedSignal.reason instanceof AxiosError) { + const canceledError = composedSignal.reason; + canceledError.config = config; + request && (canceledError.request = request); + err !== canceledError && (canceledError.cause = err); + throw canceledError; + } if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) { throw Object.assign(new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, err && err.response), { cause: err.cause || err @@ -48970,13 +50294,17 @@ const knownAdapters = { utils$1.forEach(knownAdapters, (fn, value) => { if (fn) { try { + // Null-proto descriptors so a polluted Object.prototype.get cannot turn + // these data descriptors into accessor descriptors on the way in. Object.defineProperty(fn, 'name', { + __proto__: null, value }); } catch (e) { // eslint-disable-next-line no-empty } Object.defineProperty(fn, 'adapterName', { + __proto__: null, value }); } @@ -49091,8 +50419,15 @@ function dispatchRequest(config) { return adapter(config).then(function onAdapterResolution(response) { throwIfCancellationRequested(config); - // Transform response data - response.data = transformData.call(config, config.transformResponse, response); + // Expose the current response on config so that transformResponse can + // attach it to any AxiosError it throws (e.g. on JSON parse failure). + // We clean it up afterwards to avoid polluting the config object. + config.response = response; + try { + response.data = transformData.call(config, config.transformResponse, response); + } finally { + delete config.response; + } response.headers = AxiosHeaders.from(response.headers); return response; }, function onAdapterRejection(reason) { @@ -49101,7 +50436,12 @@ function dispatchRequest(config) { // Transform response data if (reason && reason.response) { - reason.response.data = transformData.call(config, config.transformResponse, reason.response); + config.response = reason.response; + try { + reason.response.data = transformData.call(config, config.transformResponse, reason.response); + } finally { + delete config.response; + } reason.response.headers = AxiosHeaders.from(reason.response.headers); } } @@ -49172,7 +50512,9 @@ function assertOptions(options, schema, allowUnknown) { let i = keys.length; while (i-- > 0) { const opt = keys[i]; - const validator = schema[opt]; + // Use hasOwnProperty so a polluted Object.prototype. cannot supply + // a non-function validator and cause a TypeError. + const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined; if (validator) { const value = options[opt]; const result = value === undefined || validator(value, opt, options); @@ -49272,7 +50614,8 @@ class Axios { silentJSONParsing: validators.transitional(validators.boolean), forcedJSONParsing: validators.transitional(validators.boolean), clarifyTimeoutError: validators.transitional(validators.boolean), - legacyInterceptorReqResOrdering: validators.transitional(validators.boolean) + legacyInterceptorReqResOrdering: validators.transitional(validators.boolean), + advertiseZstdAcceptEncoding: validators.transitional(validators.boolean) }, false); } if (paramsSerializer != null) { @@ -49304,7 +50647,7 @@ class Axios { // Flatten headers let contextHeaders = headers && utils$1.merge(headers.common, headers[config.method]); - headers && utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'common'], method => { + headers && utils$1.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'query', 'common'], method => { delete headers[method]; }); config.headers = AxiosHeaders.concat(contextHeaders, headers); @@ -49385,7 +50728,7 @@ utils$1.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNoDa })); }; }); -utils$1.forEach(['post', 'put', 'patch'], function forEachMethodWithData(method) { +utils$1.forEach(['post', 'put', 'patch', 'query'], function forEachMethodWithData(method) { function generateHTTPMethod(isForm) { return function httpMethod(url, data, config) { return this.request(mergeConfig(config || {}, { @@ -49399,7 +50742,12 @@ utils$1.forEach(['post', 'put', 'patch'], function forEachMethodWithData(method) }; } Axios.prototype[method] = generateHTTPMethod(); - Axios.prototype[method + 'Form'] = generateHTTPMethod(true); + + // QUERY is a safe/idempotent read method; multipart form bodies don't fit + // its semantics, so no queryForm shorthand is generated. + if (method !== 'query') { + Axios.prototype[method + 'Form'] = generateHTTPMethod(true); + } }); /** diff --git a/package-lock.json b/package-lock.json index 9f96976b..1bea5c4a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -22,7 +22,7 @@ "@types/jest": "29.5.14", "@types/json-patch": "0.0.33", "@types/lodash": "4.17.24", - "@types/node": "24.7.2", + "@types/node": "24.13.2", "@types/tmp": "0.2.6", "@typescript-eslint/eslint-plugin": "8.59.2", "@typescript-eslint/parser": "8.59.2", @@ -1559,13 +1559,12 @@ "dev": true }, "node_modules/@types/node": { - "version": "24.7.2", - "resolved": "https://registry.npmjs.org/@types/node/-/node-24.7.2.tgz", - "integrity": "sha512-/NbVmcGTP+lj5oa4yiYxxeBjRivKQ5Ns1eSZeB99ExsEQ6rX5XYU1Zy/gGxY/ilqtD4Etx9mKyrPxZRetiahhA==", + "version": "24.13.2", + "resolved": "https://registry.npmjs.org/@types/node/-/node-24.13.2.tgz", + "integrity": "sha512-fRa09kZTgu8o71KFcDjUFuc7F+dEbZYZmkI0mg5YBTRs0yMKjYHsq/c0urDKeDb+D5qVgXOdFcuu+DZPKOITwA==", "dev": true, - "license": "MIT", "dependencies": { - "undici-types": "~7.14.0" + "undici-types": "~7.18.0" } }, "node_modules/@types/stack-utils": { @@ -7891,11 +7890,10 @@ } }, "node_modules/undici-types": { - "version": "7.14.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.14.0.tgz", - "integrity": "sha512-QQiYxHuyZ9gQUIrmPo3IA+hUl4KYk8uSA7cHrcKd/l3p1OTpZcM0Tbp9x7FAtXdAYhlasd60ncPpgu6ihG6TOA==", - "dev": true, - "license": "MIT" + "version": "7.18.2", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz", + "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==", + "dev": true }, "node_modules/update-browserslist-db": { "version": "1.2.2", @@ -9337,12 +9335,12 @@ "dev": true }, "@types/node": { - "version": "24.7.2", - "resolved": "https://registry.npmjs.org/@types/node/-/node-24.7.2.tgz", - "integrity": "sha512-/NbVmcGTP+lj5oa4yiYxxeBjRivKQ5Ns1eSZeB99ExsEQ6rX5XYU1Zy/gGxY/ilqtD4Etx9mKyrPxZRetiahhA==", + "version": "24.13.2", + "resolved": "https://registry.npmjs.org/@types/node/-/node-24.13.2.tgz", + "integrity": "sha512-fRa09kZTgu8o71KFcDjUFuc7F+dEbZYZmkI0mg5YBTRs0yMKjYHsq/c0urDKeDb+D5qVgXOdFcuu+DZPKOITwA==", "dev": true, "requires": { - "undici-types": "~7.14.0" + "undici-types": "~7.18.0" } }, "@types/stack-utils": { @@ -13554,9 +13552,9 @@ } }, "undici-types": { - "version": "7.14.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.14.0.tgz", - "integrity": "sha512-QQiYxHuyZ9gQUIrmPo3IA+hUl4KYk8uSA7cHrcKd/l3p1OTpZcM0Tbp9x7FAtXdAYhlasd60ncPpgu6ihG6TOA==", + "version": "7.18.2", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz", + "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==", "dev": true }, "update-browserslist-db": { diff --git a/package.json b/package.json index 287b4f16..e6d70a23 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ "@types/jest": "29.5.14", "@types/json-patch": "0.0.33", "@types/lodash": "4.17.24", - "@types/node": "24.7.2", + "@types/node": "24.13.2", "@types/tmp": "0.2.6", "@typescript-eslint/eslint-plugin": "8.59.2", "@typescript-eslint/parser": "8.59.2",