Latest Threat Research:SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains.Details →
@ai-sdk/provider-utils
Advanced tools
@ai-sdk/provider-utils - npm Package Compare versions
+12
-2
| # @ai-sdk/provider-utils | ||
| ## 3.0.21 | ||
| ### Patch Changes | ||
| - 20565b8: security: prevent unbounded memory growth in download functions | ||
| The `download()` and `downloadBlob()` functions now enforce a default 2 GiB size limit when downloading from user-provided URLs. Downloads that exceed this limit are aborted with a `DownloadError` instead of consuming unbounded memory and crashing the process. The `abortSignal` parameter is now passed through to `fetch()` in all download call sites. | ||
| Added `download` option to `transcribe()` and `experimental_generateVideo()` for providing a custom download function. Use the new `createDownload({ maxBytes })` factory to configure download size limits. | ||
| ## 3.0.20 | ||
@@ -7,4 +17,4 @@ | ||
| - 4953414: fix: trigger new release for `@ai-v5` dist-tag | ||
| - Updated dependencies [4953414] | ||
| - 526fe8d: fix: trigger new release for `@ai-v5` dist-tag | ||
| - Updated dependencies [526fe8d] | ||
| - @ai-sdk/provider@2.0.1 | ||
@@ -11,0 +21,0 @@ |
+49
-2
@@ -1,2 +0,2 @@ | ||
| import { JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV2Prompt, JSONSchema7, SharedV2ProviderOptions, LanguageModelV2ToolResultOutput, LanguageModelV2ToolResultPart } from '@ai-sdk/provider'; | ||
| import { AISDKError, JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV2Prompt, JSONSchema7, SharedV2ProviderOptions, LanguageModelV2ToolResultOutput, LanguageModelV2ToolResultPart } from '@ai-sdk/provider'; | ||
| import * as z4 from 'zod/v4'; | ||
@@ -59,3 +59,50 @@ import { ZodType } from 'zod/v4'; | ||
| declare const symbol: unique symbol; | ||
| declare class DownloadError extends AISDKError { | ||
| private readonly [symbol]; | ||
| readonly url: string; | ||
| readonly statusCode?: number; | ||
| readonly statusText?: string; | ||
| constructor({ url, statusCode, statusText, cause, message, }: { | ||
| url: string; | ||
| statusCode?: number; | ||
| statusText?: string; | ||
| message?: string; | ||
| cause?: unknown; | ||
| }); | ||
| static isInstance(error: unknown): error is DownloadError; | ||
| } | ||
| /** | ||
| * Default maximum download size: 2 GiB. | ||
| * | ||
| * `fetch().arrayBuffer()` has ~2x peak memory overhead (undici buffers the | ||
| * body internally, then creates the JS ArrayBuffer), so very large downloads | ||
| * risk exceeding the default V8 heap limit on 64-bit systems and terminating | ||
| * the process with an out-of-memory error. | ||
| * | ||
| * Setting this limit converts an unrecoverable OOM crash into a catchable | ||
| * `DownloadError`. | ||
| */ | ||
| declare const DEFAULT_MAX_DOWNLOAD_SIZE: number; | ||
| /** | ||
| * Reads a fetch Response body with a size limit to prevent memory exhaustion. | ||
| * | ||
| * Checks the Content-Length header for early rejection, then reads the body | ||
| * incrementally via ReadableStream and aborts with a DownloadError when the | ||
| * limit is exceeded. | ||
| * | ||
| * @param response - The fetch Response to read. | ||
| * @param url - The URL being downloaded (used in error messages). | ||
| * @param maxBytes - Maximum allowed bytes. Defaults to DEFAULT_MAX_DOWNLOAD_SIZE. | ||
| * @returns A Uint8Array containing the response body. | ||
| * @throws DownloadError if the response exceeds maxBytes. | ||
| */ | ||
| declare function readResponseWithSizeLimit({ response, url, maxBytes, }: { | ||
| response: Response; | ||
| url: string; | ||
| maxBytes?: number; | ||
| }): Promise<Uint8Array>; | ||
| /** | ||
| * Fetch function type (standardizes the version of fetch used). | ||
@@ -961,2 +1008,2 @@ */ | ||
| export { type AssistantContent, type AssistantModelMessage, type DataContent, DelayedPromise, type FetchFunction, type FilePart, type FlexibleSchema, type FlexibleValidator, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type InferValidator, type LazySchema, type LazyValidator, type ModelMessage, type ParseResult, type ProviderDefinedToolFactory, type ProviderDefinedToolFactoryWithOutputSchema, type ProviderOptions, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolModelMessage, type ToolResult, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, type Validator, asSchema, asValidator, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertToBase64, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createJsonStreamResponseHandler, createProviderDefinedToolFactory, createProviderDefinedToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, delay, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isParsableJson, isUrlSupported, isValidator, jsonSchema, lazySchema, lazyValidator, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, standardSchemaValidator, tool, validateTypes, validator, withUserAgentSuffix, withoutTrailingSlash, zodSchema }; | ||
| export { type AssistantContent, type AssistantModelMessage, DEFAULT_MAX_DOWNLOAD_SIZE, type DataContent, DelayedPromise, DownloadError, type FetchFunction, type FilePart, type FlexibleSchema, type FlexibleValidator, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type InferValidator, type LazySchema, type LazyValidator, type ModelMessage, type ParseResult, type ProviderDefinedToolFactory, type ProviderDefinedToolFactoryWithOutputSchema, type ProviderOptions, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolModelMessage, type ToolResult, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, type Validator, asSchema, asValidator, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertToBase64, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createJsonStreamResponseHandler, createProviderDefinedToolFactory, createProviderDefinedToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, delay, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isParsableJson, isUrlSupported, isValidator, jsonSchema, lazySchema, lazyValidator, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, readResponseWithSizeLimit, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, standardSchemaValidator, tool, validateTypes, validator, withUserAgentSuffix, withoutTrailingSlash, zodSchema }; |
+49
-2
@@ -1,2 +0,2 @@ | ||
| import { JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV2Prompt, JSONSchema7, SharedV2ProviderOptions, LanguageModelV2ToolResultOutput, LanguageModelV2ToolResultPart } from '@ai-sdk/provider'; | ||
| import { AISDKError, JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV2Prompt, JSONSchema7, SharedV2ProviderOptions, LanguageModelV2ToolResultOutput, LanguageModelV2ToolResultPart } from '@ai-sdk/provider'; | ||
| import * as z4 from 'zod/v4'; | ||
@@ -59,3 +59,50 @@ import { ZodType } from 'zod/v4'; | ||
| declare const symbol: unique symbol; | ||
| declare class DownloadError extends AISDKError { | ||
| private readonly [symbol]; | ||
| readonly url: string; | ||
| readonly statusCode?: number; | ||
| readonly statusText?: string; | ||
| constructor({ url, statusCode, statusText, cause, message, }: { | ||
| url: string; | ||
| statusCode?: number; | ||
| statusText?: string; | ||
| message?: string; | ||
| cause?: unknown; | ||
| }); | ||
| static isInstance(error: unknown): error is DownloadError; | ||
| } | ||
| /** | ||
| * Default maximum download size: 2 GiB. | ||
| * | ||
| * `fetch().arrayBuffer()` has ~2x peak memory overhead (undici buffers the | ||
| * body internally, then creates the JS ArrayBuffer), so very large downloads | ||
| * risk exceeding the default V8 heap limit on 64-bit systems and terminating | ||
| * the process with an out-of-memory error. | ||
| * | ||
| * Setting this limit converts an unrecoverable OOM crash into a catchable | ||
| * `DownloadError`. | ||
| */ | ||
| declare const DEFAULT_MAX_DOWNLOAD_SIZE: number; | ||
| /** | ||
| * Reads a fetch Response body with a size limit to prevent memory exhaustion. | ||
| * | ||
| * Checks the Content-Length header for early rejection, then reads the body | ||
| * incrementally via ReadableStream and aborts with a DownloadError when the | ||
| * limit is exceeded. | ||
| * | ||
| * @param response - The fetch Response to read. | ||
| * @param url - The URL being downloaded (used in error messages). | ||
| * @param maxBytes - Maximum allowed bytes. Defaults to DEFAULT_MAX_DOWNLOAD_SIZE. | ||
| * @returns A Uint8Array containing the response body. | ||
| * @throws DownloadError if the response exceeds maxBytes. | ||
| */ | ||
| declare function readResponseWithSizeLimit({ response, url, maxBytes, }: { | ||
| response: Response; | ||
| url: string; | ||
| maxBytes?: number; | ||
| }): Promise<Uint8Array>; | ||
| /** | ||
| * Fetch function type (standardizes the version of fetch used). | ||
@@ -961,2 +1008,2 @@ */ | ||
| export { type AssistantContent, type AssistantModelMessage, type DataContent, DelayedPromise, type FetchFunction, type FilePart, type FlexibleSchema, type FlexibleValidator, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type InferValidator, type LazySchema, type LazyValidator, type ModelMessage, type ParseResult, type ProviderDefinedToolFactory, type ProviderDefinedToolFactoryWithOutputSchema, type ProviderOptions, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolModelMessage, type ToolResult, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, type Validator, asSchema, asValidator, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertToBase64, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createJsonStreamResponseHandler, createProviderDefinedToolFactory, createProviderDefinedToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, delay, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isParsableJson, isUrlSupported, isValidator, jsonSchema, lazySchema, lazyValidator, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, standardSchemaValidator, tool, validateTypes, validator, withUserAgentSuffix, withoutTrailingSlash, zodSchema }; | ||
| export { type AssistantContent, type AssistantModelMessage, DEFAULT_MAX_DOWNLOAD_SIZE, type DataContent, DelayedPromise, DownloadError, type FetchFunction, type FilePart, type FlexibleSchema, type FlexibleValidator, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type InferValidator, type LazySchema, type LazyValidator, type ModelMessage, type ParseResult, type ProviderDefinedToolFactory, type ProviderDefinedToolFactoryWithOutputSchema, type ProviderOptions, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolModelMessage, type ToolResult, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, type Validator, asSchema, asValidator, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertToBase64, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createJsonStreamResponseHandler, createProviderDefinedToolFactory, createProviderDefinedToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, delay, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isParsableJson, isUrlSupported, isValidator, jsonSchema, lazySchema, lazyValidator, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, readResponseWithSizeLimit, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, standardSchemaValidator, tool, validateTypes, validator, withUserAgentSuffix, withoutTrailingSlash, zodSchema }; |
+1
-1
| { | ||
| "name": "@ai-sdk/provider-utils", | ||
| "version": "3.0.20", | ||
| "version": "3.0.21", | ||
| "license": "Apache-2.0", | ||
@@ -5,0 +5,0 @@ "sideEffects": false, |
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
New alerts
Network access
Supply chain riskThis module accesses the network.
Found 1 instance in 1 package
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Long strings
Supply chain riskContains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
Fixed alerts
Network access
Supply chain riskThis module accesses the network.
Found 1 instance in 1 package
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Long strings
Supply chain riskContains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
658267
3.28%- Lines of code
6601
3.3%Worsened metrics
- Number of medium supply chain risk alerts
54
12.5%No dependency changes