axios 0.28.0 → 0.29.0

package/CHANGELOG.md

@@ -1,45 +1,66 @@
 # Changelog
 
+## [0.29.0](https://github.com/axios/axios/compare/v0.28.1...v0.29.0) (2024-11-21)
+
+## Release notes:
+
+### Bug Fixes
+
+- fix(backport): backport security fixes in commits #6167 and #6163 (#6402)
+- fix: omit nulls in params (#6394)
+- fix(backport): fix paramsSerializer function validation (#6361)
+- fix: regular expression denial of service (ReDoS) (#6708)
+
+## [0.28.1](https://github.com/axios/axios/compare/v0.28.0...v0.28.1) (2024-03-24)
+
+## Release notes:
+
+### Bug Fixes
+
+- fix(backport): custom params serializer support (#6263)
+- fix(backport): uncaught ReferenceError `req` is not defined (#6307)
+
 ## [0.28.0](https://github.com/axios/axios/compare/v0.27.2...v0.28.0) (2024-02-12)
 
 ## Release notes:
+
 ### Bug Fixes
 
-* fix(security): fixed CVE-2023-45857 by backporting `withXSRFToken` option to v0.x (#6091)
+- fix(security): fixed CVE-2023-45857 by backporting `withXSRFToken` option to v0.x (#6091)
 
 ### Backports from v1.x:
 
-* Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
-* Fixing content-type header repeated #4745
-* Fixed timeout error message for HTTP 4738
-* Added `axios.formToJSON` method (#4735)
-* URL params serializer (#4734)
-* Fixed toFormData Blob issue on node>v17 #4728
-* Adding types for progress event callbacks #4675
-* Fixed max body length defaults #4731
-* Added data URL support for node.js (#4725)
-* Added isCancel type assert (#4293)
-* Added the ability for the `url-encoded-form` serializer to respect the `formSerializer` config (#4721)
-* Add `string[]` to `AxiosRequestHeaders` type (#4322)
-* Allow type definition for axios instance methods (#4224)
-* Fixed `AxiosError` stack capturing; (#4718)
-* Fixed `AxiosError` status code type; (#4717)
-* Adding Canceler parameters config and request (#4711)
-* fix(types): allow to specify partial default headers for instance creation (#4185)
-* Added `blob` to the list of protocols supported by the browser (#4678)
-* Fixing Z_BUF_ERROR when no content (#4701)
-* Fixed race condition on immediate requests cancellation (#4261)
-* Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance https://github.com/axios/axios/pull/4248
-* Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#4229)
-* Fix TS definition for AxiosRequestTransformer (#4201)
-* Use type alias instead of interface for AxiosPromise (#4505)
-* Include request and config when creating a CanceledError instance (#4659)
-* Added generic TS types for the exposed toFormData helper (#4668)
-* Optimized the code that checks cancellation (#4587)
-* Replaced webpack with rollup (#4596)
-* Added stack trace to AxiosError (#4624)
-* Updated AxiosError.config to be optional in the type definition (#4665)
-* Removed incorrect argument for NetworkError constructor (#4656)
+- Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
+- Fixing content-type header repeated #4745
+- Fixed timeout error message for HTTP 4738
+- Added `axios.formToJSON` method (#4735)
+- URL params serializer (#4734)
+- Fixed toFormData Blob issue on node>v17 #4728
+- Adding types for progress event callbacks #4675
+- Fixed max body length defaults #4731
+- Added data URL support for node.js (#4725)
+- Added isCancel type assert (#4293)
+- Added the ability for the `url-encoded-form` serializer to respect the `formSerializer` config (#4721)
+- Add `string[]` to `AxiosRequestHeaders` type (#4322)
+- Allow type definition for axios instance methods (#4224)
+- Fixed `AxiosError` stack capturing; (#4718)
+- Fixed `AxiosError` status code type; (#4717)
+- Adding Canceler parameters config and request (#4711)
+- fix(types): allow to specify partial default headers for instance creation (#4185)
+- Added `blob` to the list of protocols supported by the browser (#4678)
+- Fixing Z_BUF_ERROR when no content (#4701)
+- Fixed race condition on immediate requests cancellation (#4261)
+- Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance https://github.com/axios/axios/pull/4248
+- Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#4229)
+- Fix TS definition for AxiosRequestTransformer (#4201)
+- Use type alias instead of interface for AxiosPromise (#4505)
+- Include request and config when creating a CanceledError instance (#4659)
+- Added generic TS types for the exposed toFormData helper (#4668)
+- Optimized the code that checks cancellation (#4587)
+- Replaced webpack with rollup (#4596)
+- Added stack trace to AxiosError (#4624)
+- Updated AxiosError.config to be optional in the type definition (#4665)
+- Removed incorrect argument for NetworkError constructor (#4656)
 
 ## 0.27.2 (April 27, 2022)
 
@@ -62,9 +83,9 @@ Breaking changes:
 
 - New toFormData helper function that allows the implementor to pass an object and allow axios to convert it to FormData ([#3757](https://github.com/axios/axios/pull/3757))
 - Removed functionality that removed the the `Content-Type` request header when passing FormData ([#3785](https://github.com/axios/axios/pull/3785))
-- **(*)** Refactored error handling implementing AxiosError as a constructor, this is a large change to error handling on the whole ([#3645](https://github.com/axios/axios/pull/3645))
+- **(\*)** Refactored error handling implementing AxiosError as a constructor, this is a large change to error handling on the whole ([#3645](https://github.com/axios/axios/pull/3645))
 - Separated responsibility for FormData instantiation between `transformRequest` and `toFormData` ([#4470](https://github.com/axios/axios/pull/4470))
-- **(*)** Improved and fixed multiple issues with FormData support ([#4448](https://github.com/axios/axios/pull/4448))
+- **(\*)** Improved and fixed multiple issues with FormData support ([#4448](https://github.com/axios/axios/pull/4448))
 
 QOL and DevX improvements:
 
@@ -85,7 +106,7 @@ Documentation:
 
 Notes:
 
-- **(*)** Please read these pull requests before updating, these changes are very impactful and far reaching.
+- **(\*)** Please read these pull requests before updating, these changes are very impactful and far reaching.
 
 ## 0.26.1 (March 9, 2022)
 

package/dist/axios.js

@@ -1,4 +1,4 @@
-// axios v0.28.0 Copyright (c) 2024 Matt Zabriskie
+// axios v0.29.0 Copyright (c) 2024 Matt Zabriskie
 (function (global, factory) {
   typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
   typeof define === 'function' && define.amd ? define(factory) :
@@ -744,7 +744,7 @@
           key = removeBrackets(key);
 
           arr.forEach(function each(el, index) {
-            !utils.isUndefined(el) && formData.append(
+            !(utils.isUndefined(el) || el === null) && formData.append(
               // eslint-disable-next-line no-nested-ternary
               indexes === true ? renderKey([key], index, dots) : (indexes === null ? key : key + '[]'),
               convertValue(el)
@@ -781,7 +781,7 @@
       stack.push(value);
 
       utils.forEach(value, function each(el, key) {
-        var result = !utils.isUndefined(el) && visitor.call(
+        var result = !(utils.isUndefined(el) || el === null) && visitor.call(
           formData, el, utils.isString(key) ? key.trim() : key, path, exposedHelpers
         );
 
@@ -875,12 +875,20 @@
 
     var _encode = options && options.encode || encode;
 
-    var serializerParams = utils.isURLSearchParams(params) ?
-      params.toString() :
-      new AxiosURLSearchParams_1(params, options).toString(_encode);
+    var serializeFn = options && options.serialize;
 
-    if (serializerParams) {
-      url += (url.indexOf('?') === -1 ? '?' : '&') + serializerParams;
+    var serializedParams;
+
+    if (serializeFn) {
+      serializedParams = serializeFn(params, options);
+    } else {
+      serializedParams = utils.isURLSearchParams(params) ?
+        params.toString() :
+        new AxiosURLSearchParams_1(params, options).toString(_encode);
+    }
+
+    if (serializedParams) {
+      url += (url.indexOf('?') === -1 ? '?' : '&') + serializedParams;
     }
 
     return url;
@@ -1016,6 +1024,9 @@
   function formDataToJSON(formData) {
     function buildPath(path, value, target, index) {
       var name = path[index++];
+
+      if (name === '__proto__') return true;
+
       var isNumericKey = Number.isFinite(+name);
       var isLast = index >= path.length;
       name = !name && utils.isArray(target) ? target.length : name;
@@ -1152,7 +1163,7 @@
    */
   var combineURLs = function combineURLs(baseURL, relativeURL) {
     return relativeURL
-      ? baseURL.replace(/\/+$/, '') + '/' + relativeURL.replace(/^\/+/, '')
+      ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
       : baseURL;
   };
 
@@ -1495,7 +1506,7 @@
           if (!request) {
             return;
           }
-          reject(!cancel || cancel.type ? new CanceledError_1(null, config, req) : cancel);
+          reject(!cancel || cancel.type ? new CanceledError_1(null, config, request) : cancel);
           request.abort();
           request = null;
         };
@@ -1899,7 +1910,7 @@
   };
 
   var data = {
-    "version": "0.28.0"
+    "version": "0.29.0"
   };
 
   var VERSION = data.version;
@@ -2040,7 +2051,18 @@
 
     var paramsSerializer = config.paramsSerializer;
 
-    utils.isFunction(paramsSerializer) && (config.paramsSerializer = {serialize: paramsSerializer});
+    if (paramsSerializer != null) {
+      if (utils.isFunction(paramsSerializer)) {
+        config.paramsSerializer = {
+          serialize: paramsSerializer
+        };
+      } else {
+        validator.assertOptions(paramsSerializer, {
+          encode: validators.function,
+          serialize: validators.function
+        }, true);
+      }
+    }
 
     // filter out skipped interceptors
     var requestInterceptorChain = [];