
Backport: Backport: fix(security): add URL validation to prevent SSRF in download functions #13090

Draft
vercel-ai-sdk[bot] wants to merge 1 commit into release-v4.3 from backport-pr-13086-to-release-v4.3


vercel-ai-sdk bot commented Mar 5, 2026

This is an automated backport of #13086 to the release-v4.3 branch. FYI @vercel-ai-sdk[bot]
This backport has conflicts that need to be resolved manually.

git cherry-pick output

CONFLICT (modify/delete): packages/ai/src/util/download/download.test.ts deleted in HEAD and modified in 6a2f01b14 (Backport: fix(security): add URL validation to prevent SSRF in download functions (#13086)).  Version 6a2f01b14 (Backport: fix(security): add URL validation to prevent SSRF in download functions (#13086)) of packages/ai/src/util/download/download.test.ts left in tree.
CONFLICT (modify/delete): packages/ai/src/util/download/download.ts deleted in HEAD and modified in 6a2f01b14 (Backport: fix(security): add URL validation to prevent SSRF in download functions (#13086)).  Version 6a2f01b14 (Backport: fix(security): add URL validation to prevent SSRF in download functions (#13086)) of packages/ai/src/util/download/download.ts left in tree.
Auto-merging packages/provider-utils/src/index.ts
error: could not apply 6a2f01b14... Backport: fix(security): add URL validation to prevent SSRF in download functions (#13086)
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"

tigent bot added the ai/core, ai/provider, backport and bug labels Mar 5, 2026