Latest Threat Research:SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains.Details →
@ai-sdk/provider-utils
Advanced tools
@ai-sdk/provider-utils - npm Package Compare versions
| import { DownloadError } from './download-error'; | ||
| /** | ||
| * Default maximum download size: 2 GiB. | ||
| * | ||
| * `fetch().arrayBuffer()` has ~2x peak memory overhead (undici buffers the | ||
| * body internally, then creates the JS ArrayBuffer), so very large downloads | ||
| * risk exceeding the default V8 heap limit on 64-bit systems and terminating | ||
| * the process with an out-of-memory error. | ||
| * | ||
| * Setting this limit converts an unrecoverable OOM crash into a catchable | ||
| * `DownloadError`. | ||
| */ | ||
| export const DEFAULT_MAX_DOWNLOAD_SIZE = 2 * 1024 * 1024 * 1024; | ||
| /** | ||
| * Reads a fetch Response body with a size limit to prevent memory exhaustion. | ||
| * | ||
| * Checks the Content-Length header for early rejection, then reads the body | ||
| * incrementally via ReadableStream and aborts with a DownloadError when the | ||
| * limit is exceeded. | ||
| * | ||
| * @param response - The fetch Response to read. | ||
| * @param url - The URL being downloaded (used in error messages). | ||
| * @param maxBytes - Maximum allowed bytes. Defaults to DEFAULT_MAX_DOWNLOAD_SIZE. | ||
| * @returns A Uint8Array containing the response body. | ||
| * @throws DownloadError if the response exceeds maxBytes. | ||
| */ | ||
| export async function readResponseWithSizeLimit({ | ||
| response, | ||
| url, | ||
| maxBytes = DEFAULT_MAX_DOWNLOAD_SIZE, | ||
| }: { | ||
| response: Response; | ||
| url: string; | ||
| maxBytes?: number; | ||
| }): Promise<Uint8Array> { | ||
| // Early rejection based on Content-Length header | ||
| const contentLength = response.headers.get('content-length'); | ||
| if (contentLength != null) { | ||
| const length = parseInt(contentLength, 10); | ||
| if (!isNaN(length) && length > maxBytes) { | ||
| throw new DownloadError({ | ||
| url, | ||
| message: `Download of ${url} exceeded maximum size of ${maxBytes} bytes (Content-Length: ${length}).`, | ||
| }); | ||
| } | ||
| } | ||
| const body = response.body; | ||
| // Handle missing body (empty responses) | ||
| if (body == null) { | ||
| return new Uint8Array(0); | ||
| } | ||
| const reader = body.getReader(); | ||
| const chunks: Uint8Array[] = []; | ||
| let totalBytes = 0; | ||
| try { | ||
| while (true) { | ||
| const { done, value } = await reader.read(); | ||
| if (done) { | ||
| break; | ||
| } | ||
| totalBytes += value.length; | ||
| if (totalBytes > maxBytes) { | ||
| throw new DownloadError({ | ||
| url, | ||
| message: `Download of ${url} exceeded maximum size of ${maxBytes} bytes.`, | ||
| }); | ||
| } | ||
| chunks.push(value); | ||
| } | ||
| } finally { | ||
| try { | ||
| await reader.cancel(); | ||
| } finally { | ||
| reader.releaseLock(); | ||
| } | ||
| } | ||
| // Concatenate chunks into a single Uint8Array | ||
| const result = new Uint8Array(totalBytes); | ||
| let offset = 0; | ||
| for (const chunk of chunks) { | ||
| result.set(chunk, offset); | ||
| offset += chunk.length; | ||
| } | ||
| return result; | ||
| } |
+10
-0
| # @ai-sdk/provider-utils | ||
| ## 4.0.15 | ||
| ### Patch Changes | ||
| - 4024a3a: security: prevent unbounded memory growth in download functions | ||
| The `download()` and `downloadBlob()` functions now enforce a default 2 GiB size limit when downloading from user-provided URLs. Downloads that exceed this limit are aborted with a `DownloadError` instead of consuming unbounded memory and crashing the process. The `abortSignal` parameter is now passed through to `fetch()` in all download call sites. | ||
| Added `download` option to `transcribe()` and `experimental_generateVideo()` for providing a custom download function. Use the new `createDownload({ maxBytes })` factory to configure download size limits. | ||
| ## 4.0.14 | ||
@@ -4,0 +14,0 @@ |
+40
-3
@@ -142,7 +142,13 @@ import { LanguageModelV3FunctionTool, LanguageModelV3ProviderTool, ImageModelV3File, AISDKError, JSONSchema7, JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV3Prompt, SharedV3ProviderOptions, TypeValidationContext } from '@ai-sdk/provider'; | ||
| * @param url - The URL to download from. | ||
| * @param options - Optional settings for the download. | ||
| * @param options.maxBytes - Maximum allowed download size in bytes. Defaults to 100 MiB. | ||
| * @param options.abortSignal - An optional abort signal to cancel the download. | ||
| * @returns A Promise that resolves to the downloaded Blob. | ||
| * | ||
| * @throws DownloadError if the download fails. | ||
| * @throws DownloadError if the download fails or exceeds maxBytes. | ||
| */ | ||
| declare function downloadBlob(url: string): Promise<Blob>; | ||
| declare function downloadBlob(url: string, options?: { | ||
| maxBytes?: number; | ||
| abortSignal?: AbortSignal; | ||
| }): Promise<Blob>; | ||
@@ -166,2 +172,33 @@ declare const symbol: unique symbol; | ||
| /** | ||
| * Default maximum download size: 2 GiB. | ||
| * | ||
| * `fetch().arrayBuffer()` has ~2x peak memory overhead (undici buffers the | ||
| * body internally, then creates the JS ArrayBuffer), so very large downloads | ||
| * risk exceeding the default V8 heap limit on 64-bit systems and terminating | ||
| * the process with an out-of-memory error. | ||
| * | ||
| * Setting this limit converts an unrecoverable OOM crash into a catchable | ||
| * `DownloadError`. | ||
| */ | ||
| declare const DEFAULT_MAX_DOWNLOAD_SIZE: number; | ||
| /** | ||
| * Reads a fetch Response body with a size limit to prevent memory exhaustion. | ||
| * | ||
| * Checks the Content-Length header for early rejection, then reads the body | ||
| * incrementally via ReadableStream and aborts with a DownloadError when the | ||
| * limit is exceeded. | ||
| * | ||
| * @param response - The fetch Response to read. | ||
| * @param url - The URL being downloaded (used in error messages). | ||
| * @param maxBytes - Maximum allowed bytes. Defaults to DEFAULT_MAX_DOWNLOAD_SIZE. | ||
| * @returns A Uint8Array containing the response body. | ||
| * @throws DownloadError if the response exceeds maxBytes. | ||
| */ | ||
| declare function readResponseWithSizeLimit({ response, url, maxBytes, }: { | ||
| response: Response; | ||
| url: string; | ||
| maxBytes?: number; | ||
| }): Promise<Uint8Array>; | ||
| /** | ||
| * Fetch function type (standardizes the version of fetch used). | ||
@@ -1374,2 +1411,2 @@ */ | ||
| export { type AssistantContent, type AssistantModelMessage, type DataContent, DelayedPromise, DownloadError, type FetchFunction, type FilePart, type FlexibleSchema, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type LazySchema, type MaybePromiseLike, type ModelMessage, type ParseResult, type ProviderOptions, type ProviderToolFactory, type ProviderToolFactoryWithOutputSchema, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolApprovalRequest, type ToolApprovalResponse, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolExecutionOptions, type ToolModelMessage, type ToolNameMapping, type ToolNeedsApprovalFunction, type ToolResult, type ToolResultOutput, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, asSchema, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertImageModelFileToDataUri, convertToBase64, convertToFormData, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createProviderToolFactory, createProviderToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, createToolNameMapping, delay, downloadBlob, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isNonNullable, isParsableJson, isUrlSupported, jsonSchema, lazySchema, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, tool, validateTypes, withUserAgentSuffix, withoutTrailingSlash, zodSchema }; | ||
| export { type AssistantContent, type AssistantModelMessage, DEFAULT_MAX_DOWNLOAD_SIZE, type DataContent, DelayedPromise, DownloadError, type FetchFunction, type FilePart, type FlexibleSchema, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type LazySchema, type MaybePromiseLike, type ModelMessage, type ParseResult, type ProviderOptions, type ProviderToolFactory, type ProviderToolFactoryWithOutputSchema, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolApprovalRequest, type ToolApprovalResponse, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolExecutionOptions, type ToolModelMessage, type ToolNameMapping, type ToolNeedsApprovalFunction, type ToolResult, type ToolResultOutput, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, asSchema, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertImageModelFileToDataUri, convertToBase64, convertToFormData, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createProviderToolFactory, createProviderToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, createToolNameMapping, delay, downloadBlob, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isNonNullable, isParsableJson, isUrlSupported, jsonSchema, lazySchema, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, readResponseWithSizeLimit, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, tool, validateTypes, withUserAgentSuffix, withoutTrailingSlash, zodSchema }; |
+40
-3
@@ -142,7 +142,13 @@ import { LanguageModelV3FunctionTool, LanguageModelV3ProviderTool, ImageModelV3File, AISDKError, JSONSchema7, JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV3Prompt, SharedV3ProviderOptions, TypeValidationContext } from '@ai-sdk/provider'; | ||
| * @param url - The URL to download from. | ||
| * @param options - Optional settings for the download. | ||
| * @param options.maxBytes - Maximum allowed download size in bytes. Defaults to 100 MiB. | ||
| * @param options.abortSignal - An optional abort signal to cancel the download. | ||
| * @returns A Promise that resolves to the downloaded Blob. | ||
| * | ||
| * @throws DownloadError if the download fails. | ||
| * @throws DownloadError if the download fails or exceeds maxBytes. | ||
| */ | ||
| declare function downloadBlob(url: string): Promise<Blob>; | ||
| declare function downloadBlob(url: string, options?: { | ||
| maxBytes?: number; | ||
| abortSignal?: AbortSignal; | ||
| }): Promise<Blob>; | ||
@@ -166,2 +172,33 @@ declare const symbol: unique symbol; | ||
| /** | ||
| * Default maximum download size: 2 GiB. | ||
| * | ||
| * `fetch().arrayBuffer()` has ~2x peak memory overhead (undici buffers the | ||
| * body internally, then creates the JS ArrayBuffer), so very large downloads | ||
| * risk exceeding the default V8 heap limit on 64-bit systems and terminating | ||
| * the process with an out-of-memory error. | ||
| * | ||
| * Setting this limit converts an unrecoverable OOM crash into a catchable | ||
| * `DownloadError`. | ||
| */ | ||
| declare const DEFAULT_MAX_DOWNLOAD_SIZE: number; | ||
| /** | ||
| * Reads a fetch Response body with a size limit to prevent memory exhaustion. | ||
| * | ||
| * Checks the Content-Length header for early rejection, then reads the body | ||
| * incrementally via ReadableStream and aborts with a DownloadError when the | ||
| * limit is exceeded. | ||
| * | ||
| * @param response - The fetch Response to read. | ||
| * @param url - The URL being downloaded (used in error messages). | ||
| * @param maxBytes - Maximum allowed bytes. Defaults to DEFAULT_MAX_DOWNLOAD_SIZE. | ||
| * @returns A Uint8Array containing the response body. | ||
| * @throws DownloadError if the response exceeds maxBytes. | ||
| */ | ||
| declare function readResponseWithSizeLimit({ response, url, maxBytes, }: { | ||
| response: Response; | ||
| url: string; | ||
| maxBytes?: number; | ||
| }): Promise<Uint8Array>; | ||
| /** | ||
| * Fetch function type (standardizes the version of fetch used). | ||
@@ -1374,2 +1411,2 @@ */ | ||
| export { type AssistantContent, type AssistantModelMessage, type DataContent, DelayedPromise, DownloadError, type FetchFunction, type FilePart, type FlexibleSchema, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type LazySchema, type MaybePromiseLike, type ModelMessage, type ParseResult, type ProviderOptions, type ProviderToolFactory, type ProviderToolFactoryWithOutputSchema, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolApprovalRequest, type ToolApprovalResponse, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolExecutionOptions, type ToolModelMessage, type ToolNameMapping, type ToolNeedsApprovalFunction, type ToolResult, type ToolResultOutput, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, asSchema, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertImageModelFileToDataUri, convertToBase64, convertToFormData, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createProviderToolFactory, createProviderToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, createToolNameMapping, delay, downloadBlob, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isNonNullable, isParsableJson, isUrlSupported, jsonSchema, lazySchema, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, tool, validateTypes, withUserAgentSuffix, withoutTrailingSlash, zodSchema }; | ||
| export { type AssistantContent, type AssistantModelMessage, DEFAULT_MAX_DOWNLOAD_SIZE, type DataContent, DelayedPromise, DownloadError, type FetchFunction, type FilePart, type FlexibleSchema, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type LazySchema, type MaybePromiseLike, type ModelMessage, type ParseResult, type ProviderOptions, type ProviderToolFactory, type ProviderToolFactoryWithOutputSchema, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolApprovalRequest, type ToolApprovalResponse, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolExecutionOptions, type ToolModelMessage, type ToolNameMapping, type ToolNeedsApprovalFunction, type ToolResult, type ToolResultOutput, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, asSchema, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertImageModelFileToDataUri, convertToBase64, convertToFormData, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createProviderToolFactory, createProviderToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, createToolNameMapping, delay, downloadBlob, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isNonNullable, isParsableJson, isUrlSupported, jsonSchema, lazySchema, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, readResponseWithSizeLimit, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, tool, validateTypes, withUserAgentSuffix, withoutTrailingSlash, zodSchema }; |
+1
-1
| { | ||
| "name": "@ai-sdk/provider-utils", | ||
| "version": "4.0.14", | ||
| "version": "4.0.15", | ||
| "license": "Apache-2.0", | ||
@@ -5,0 +5,0 @@ "sideEffects": false, |
+23
-4
| import { DownloadError } from './download-error'; | ||
| import { | ||
| readResponseWithSizeLimit, | ||
| DEFAULT_MAX_DOWNLOAD_SIZE, | ||
| } from './read-response-with-size-limit'; | ||
@@ -7,9 +11,17 @@ /** | ||
| * @param url - The URL to download from. | ||
| * @param options - Optional settings for the download. | ||
| * @param options.maxBytes - Maximum allowed download size in bytes. Defaults to 100 MiB. | ||
| * @param options.abortSignal - An optional abort signal to cancel the download. | ||
| * @returns A Promise that resolves to the downloaded Blob. | ||
| * | ||
| * @throws DownloadError if the download fails. | ||
| * @throws DownloadError if the download fails or exceeds maxBytes. | ||
| */ | ||
| export async function downloadBlob(url: string): Promise<Blob> { | ||
| export async function downloadBlob( | ||
| url: string, | ||
| options?: { maxBytes?: number; abortSignal?: AbortSignal }, | ||
| ): Promise<Blob> { | ||
| try { | ||
| const response = await fetch(url); | ||
| const response = await fetch(url, { | ||
| signal: options?.abortSignal, | ||
| }); | ||
@@ -24,3 +36,10 @@ if (!response.ok) { | ||
| return await response.blob(); | ||
| const data = await readResponseWithSizeLimit({ | ||
| response, | ||
| url, | ||
| maxBytes: options?.maxBytes ?? DEFAULT_MAX_DOWNLOAD_SIZE, | ||
| }); | ||
| const contentType = response.headers.get('content-type') ?? undefined; | ||
| return new Blob([data], contentType ? { type: contentType } : undefined); | ||
| } catch (error) { | ||
@@ -27,0 +46,0 @@ if (DownloadError.isInstance(error)) { |
+4
-0
@@ -14,2 +14,6 @@ export * from './combine-headers'; | ||
| export { DownloadError } from './download-error'; | ||
| export { | ||
| readResponseWithSizeLimit, | ||
| DEFAULT_MAX_DOWNLOAD_SIZE, | ||
| } from './read-response-with-size-limit'; | ||
| export * from './fetch-function'; | ||
@@ -16,0 +20,0 @@ export { createIdGenerator, generateId, type IdGenerator } from './generate-id'; |
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
New alerts
Network access
Supply chain riskThis module accesses the network.
Found 1 instance in 1 package
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Long strings
Supply chain riskContains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
Fixed alerts
Network access
Supply chain riskThis module accesses the network.
Found 1 instance in 1 package
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Long strings
Supply chain riskContains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
835068
2.6%- Number of package files
124
0.81%- Lines of code
11640
2.42%Worsened metrics
- Number of medium supply chain risk alerts
80
12.68%No dependency changes