axios 0.28.1 → 0.30.0

package/CHANGELOG.md

@@ -1,53 +1,78 @@
 # Changelog
 
+## [0.30.0](https://github.com/axios/axios/compare/v0.29.0...v0.30.0) (2025-03-26)
+
+## Release notes:
+
+### Bug Fixes
+
+- fix: modify log while request is aborted ([#4917](https://github.com/axios/axios/pull/4917))
+- fix: update CHANGELOG.md for v0.x ([#6271](https://github.com/axios/axios/pull/6271))
+- fix: modify upgrade guide for 0.28.1's breaking change ([#6787](https://github.com/axios/axios/pull/6787))
+- fix: backport allowAbsoluteUrls vulnerability fix to v0.x ([#6829](https://github.com/axios/axios/pull/6829))
+- fix: add allowAbsoluteUrls type ([#6849](https://github.com/axios/axios/pull/6849))
+
+## [0.29.0](https://github.com/axios/axios/compare/v0.28.1...v0.29.0) (2024-11-21)
+
+## Release notes:
+
+### Bug Fixes
+
+- fix(backport): backport security fixes in commits #6167 and #6163 (#6402)
+- fix: omit nulls in params (#6394)
+- fix(backport): fix paramsSerializer function validation (#6361)
+- fix: regular expression denial of service (ReDoS) (#6708)
+
 ## [0.28.1](https://github.com/axios/axios/compare/v0.28.0...v0.28.1) (2024-03-24)
 
 ## Release notes:
+
 ### Bug Fixes
 
-* fix(backport): custom params serializer support (#6263)
-* fix(backport): uncaught ReferenceError `req` is not defined (#6307)
+- fix(backport): custom params serializer support (#6263)
+- fix(backport): uncaught ReferenceError `req` is not defined (#6307)
 
 ## [0.28.0](https://github.com/axios/axios/compare/v0.27.2...v0.28.0) (2024-02-12)
 
 ## Release notes:
+
 ### Bug Fixes
 
-* fix(security): fixed CVE-2023-45857 by backporting `withXSRFToken` option to v0.x (#6091)
+- fix(security): fixed CVE-2023-45857 by backporting `withXSRFToken` option to v0.x ([#6091](https://github.com/axios/axios/pull/6091))
 
 ### Backports from v1.x:
 
-* Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
-* Fixing content-type header repeated #4745
-* Fixed timeout error message for HTTP 4738
-* Added `axios.formToJSON` method (#4735)
-* URL params serializer (#4734)
-* Fixed toFormData Blob issue on node>v17 #4728
-* Adding types for progress event callbacks #4675
-* Fixed max body length defaults #4731
-* Added data URL support for node.js (#4725)
-* Added isCancel type assert (#4293)
-* Added the ability for the `url-encoded-form` serializer to respect the `formSerializer` config (#4721)
-* Add `string[]` to `AxiosRequestHeaders` type (#4322)
-* Allow type definition for axios instance methods (#4224)
-* Fixed `AxiosError` stack capturing; (#4718)
-* Fixed `AxiosError` status code type; (#4717)
-* Adding Canceler parameters config and request (#4711)
-* fix(types): allow to specify partial default headers for instance creation (#4185)
-* Added `blob` to the list of protocols supported by the browser (#4678)
-* Fixing Z_BUF_ERROR when no content (#4701)
-* Fixed race condition on immediate requests cancellation (#4261)
-* Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance https://github.com/axios/axios/pull/4248
-* Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#4229)
-* Fix TS definition for AxiosRequestTransformer (#4201)
-* Use type alias instead of interface for AxiosPromise (#4505)
-* Include request and config when creating a CanceledError instance (#4659)
-* Added generic TS types for the exposed toFormData helper (#4668)
-* Optimized the code that checks cancellation (#4587)
-* Replaced webpack with rollup (#4596)
-* Added stack trace to AxiosError (#4624)
-* Updated AxiosError.config to be optional in the type definition (#4665)
-* Removed incorrect argument for NetworkError constructor (#4656)
+- Allow null indexes on formSerializer and paramsSerializer v0.x ([#4961](https://github.com/axios/axios/pull/4961))
+- Fixing content-type header repeated ([#4745](https://github.com/axios/axios/pull/4745))
+- Fixed timeout error message for HTTP ([#4738](https://github.com/axios/axios/pull/4738))
+- Added `axios.formToJSON` method ([#4735](https://github.com/axios/axios/pull/4735))
+- URL params serializer ([#4734](https://github.com/axios/axios/pull/4734))
+- Fixed toFormData Blob issue on node>v17 ([#4728](https://github.com/axios/axios/pull/4728))
+- Adding types for progress event callbacks ([#4675](https://github.com/axios/axios/pull/4675))
+- Fixed max body length defaults ([#4731](https://github.com/axios/axios/pull/4731))
+- Added data URL support for node.js ([#4725](https://github.com/axios/axios/pull/4725))
+- Added isCancel type assert ([#4293](https://github.com/axios/axios/pull/4293))
+- Added the ability for the `url-encoded-form` serializer to respect the `formSerializer` config ([#4721](https://github.com/axios/axios/pull/4721))
+- Add `string[]` to `AxiosRequestHeaders` type ([#4322](https://github.com/axios/axios/pull/4224))
+- Allow type definition for axios instance methods ([#4224](https://github.com/axios/axios/pull/4224))
+- Fixed `AxiosError` stack capturing; ([#4718](https://github.com/axios/axios/pull/4718))
+- Fixed `AxiosError` status code type; ([#4717](https://github.com/axios/axios/pull/4717))
+- Adding Canceler parameters config and request ([#4711](https://github.com/axios/axios/pull/4711))
+- fix(types): allow to specify partial default headers for instance creation ([#4185](https://github.com/axios/axios/pull/4185))
+- Added `blob` to the list of protocols supported by the browser ([#4678](https://github.com/axios/axios/pull/4678))
+- Fixing Z_BUF_ERROR when no content ([#4701](https://github.com/axios/axios/pull/4701))
+- Fixed race condition on immediate requests cancellation ([#4261](https://github.com/axios/axios/pull/4261))
+- Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance ([#4248](https://github.com/axios/axios/pull/4248))
+- Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill ([#4229](https://github.com/axios/axios/pull/4229))
+- Fix TS definition for AxiosRequestTransformer ([#4201](https://github.com/axios/axios/pull/4201))
+- Use type alias instead of interface for AxiosPromise ([#4505](https://github.com/axios/axios/pull/4505))
+- Include request and config when creating a CanceledError instance ([#4659](https://github.com/axios/axios/pull/4659))
+- Added generic TS types for the exposed toFormData helper ([#4668](https://github.com/axios/axios/pull/4668))
+- Optimized the code that checks cancellation ([#4587](https://github.com/axios/axios/pull/4587))
+- Replaced webpack with rollup ([#4596](https://github.com/axios/axios/pull/4596))
+- Added stack trace to AxiosError ([#4624](https://github.com/axios/axios/pull/4624))
+- Updated AxiosError.config to be optional in the type definition ([#4665](https://github.com/axios/axios/pull/4665))
+- Removed incorrect argument for NetworkError constructor ([#4656](https://github.com/axios/axios/pull/4656))
 
 ## 0.27.2 (April 27, 2022)
 
@@ -70,9 +95,9 @@ Breaking changes:
 
 - New toFormData helper function that allows the implementor to pass an object and allow axios to convert it to FormData ([#3757](https://github.com/axios/axios/pull/3757))
 - Removed functionality that removed the the `Content-Type` request header when passing FormData ([#3785](https://github.com/axios/axios/pull/3785))
-- **(*)** Refactored error handling implementing AxiosError as a constructor, this is a large change to error handling on the whole ([#3645](https://github.com/axios/axios/pull/3645))
+- **(\*)** Refactored error handling implementing AxiosError as a constructor, this is a large change to error handling on the whole ([#3645](https://github.com/axios/axios/pull/3645))
 - Separated responsibility for FormData instantiation between `transformRequest` and `toFormData` ([#4470](https://github.com/axios/axios/pull/4470))
-- **(*)** Improved and fixed multiple issues with FormData support ([#4448](https://github.com/axios/axios/pull/4448))
+- **(\*)** Improved and fixed multiple issues with FormData support ([#4448](https://github.com/axios/axios/pull/4448))
 
 QOL and DevX improvements:
 
@@ -93,7 +118,7 @@ Documentation:
 
 Notes:
 
-- **(*)** Please read these pull requests before updating, these changes are very impactful and far reaching.
+- **(\*)** Please read these pull requests before updating, these changes are very impactful and far reaching.
 
 ## 0.26.1 (March 9, 2022)
 

package/UPGRADE_GUIDE.md

@@ -167,3 +167,24 @@ require(['bower_components/axios/dist/axios'], function (axios) {
 // CommonJS
 var axios = require('axios/dist/axios');
 ```
+
+## 0.28.x -> 0.28.1
+
+The way to pass in a custom parameter serializer has changed
+
+0.28.0
+```js
+axios.create({
+    paramsSerializer: (params) => {
+        return qs.stringify(params, { arrayFormat: 'repeat', skipNulls: true })
+    }, ...config);
+```
+now the serializer needs to be in under a new key:
+
+0.28.1
+```js
+axios.create({
+    paramsSerializer: {
+        serialize: (params) => qs.stringify(params, { arrayFormat: 'repeat', skipNulls: true }),
+    }, ...config);
+```

package/dist/axios.js

@@ -1,4 +1,4 @@
-// axios v0.28.1 Copyright (c) 2024 Matt Zabriskie
+// axios v0.30.0 Copyright (c) 2025 Matt Zabriskie
 (function (global, factory) {
   typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
   typeof define === 'function' && define.amd ? define(factory) :
@@ -744,7 +744,7 @@
           key = removeBrackets(key);
 
           arr.forEach(function each(el, index) {
-            !utils.isUndefined(el) && formData.append(
+            !(utils.isUndefined(el) || el === null) && formData.append(
               // eslint-disable-next-line no-nested-ternary
               indexes === true ? renderKey([key], index, dots) : (indexes === null ? key : key + '[]'),
               convertValue(el)
@@ -781,7 +781,7 @@
       stack.push(value);
 
       utils.forEach(value, function each(el, key) {
-        var result = !utils.isUndefined(el) && visitor.call(
+        var result = !(utils.isUndefined(el) || el === null) && visitor.call(
           formData, el, utils.isString(key) ? key.trim() : key, path, exposedHelpers
         );
 
@@ -1024,6 +1024,9 @@
   function formDataToJSON(formData) {
     function buildPath(path, value, target, index) {
       var name = path[index++];
+
+      if (name === '__proto__') return true;
+
       var isNumericKey = Number.isFinite(+name);
       var isLast = index >= path.length;
       name = !name && utils.isArray(target) ? target.length : name;
@@ -1160,7 +1163,7 @@
    */
   var combineURLs = function combineURLs(baseURL, relativeURL) {
     return relativeURL
-      ? baseURL.replace(/\/+$/, '') + '/' + relativeURL.replace(/^\/+/, '')
+      ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
       : baseURL;
   };
 
@@ -1171,10 +1174,13 @@
    *
    * @param {string} baseURL The base URL
    * @param {string} requestedURL Absolute or relative URL to combine
+   * @param {boolean} allowAbsoluteUrls Set to true to allow absolute URLs
+   *
    * @returns {string} The combined full path
    */
-  var buildFullPath = function buildFullPath(baseURL, requestedURL) {
-    if (baseURL && !isAbsoluteURL(requestedURL)) {
+  var buildFullPath = function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
+    var isRelativeURL = !isAbsoluteURL(requestedURL);
+    if (baseURL && (isRelativeURL || allowAbsoluteUrls === false)) {
       return combineURLs(baseURL, requestedURL);
     }
     return requestedURL;
@@ -1350,7 +1356,7 @@
         requestHeaders.Authorization = 'Basic ' + btoa(username + ':' + password);
       }
 
-      var fullPath = buildFullPath(config.baseURL, config.url);
+      var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
 
       request.open(config.method.toUpperCase(), buildURL(fullPath, config.params, config.paramsSerializer), true);
 
@@ -1907,7 +1913,7 @@
   };
 
   var data = {
-    "version": "0.28.1"
+    "version": "0.30.0"
   };
 
   var VERSION = data.version;
@@ -2048,15 +2054,19 @@
 
     var paramsSerializer = config.paramsSerializer;
 
-    if (paramsSerializer !== undefined) {
-      validator.assertOptions(paramsSerializer, {
-        encode: validators.function,
-        serialize: validators.function
-      }, true);
+    if (paramsSerializer != null) {
+      if (utils.isFunction(paramsSerializer)) {
+        config.paramsSerializer = {
+          serialize: paramsSerializer
+        };
+      } else {
+        validator.assertOptions(paramsSerializer, {
+          encode: validators.function,
+          serialize: validators.function
+        }, true);
+      }
     }
 
-    utils.isFunction(paramsSerializer) && (config.paramsSerializer = {serialize: paramsSerializer});
-
     // filter out skipped interceptors
     var requestInterceptorChain = [];
     var synchronousRequestInterceptors = true;
@@ -2119,7 +2129,7 @@
 
   Axios.prototype.getUri = function getUri(config) {
     config = mergeConfig(this.defaults, config);
-    var fullPath = buildFullPath(config.baseURL, config.url);
+    var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
     return buildURL(fullPath, config.params, config.paramsSerializer);
   };