axios 0.31.0 → 0.31.1

package/README.md

@@ -83,12 +83,6 @@ Using npm:
 $ npm install axios
 ```
 
-Using bower:
-
-```bash
-$ bower install axios
-```
-
 Using yarn:
 
 ```bash
@@ -336,13 +330,21 @@ These are the available config options for making requests. Only the `url` is re
 
   // `params` are the URL parameters to be sent with the request
   // Must be a plain object or a URLSearchParams object
+  // Null bytes in param values stay percent-encoded as `%00` in the resulting query string
+  // (GHSA-xhjh-pmcv-23jw) — Axios does not reverse `encodeURIComponent` output for `%00`,
+  // so null-byte injection cannot be smuggled through the serializer.
   params: {
     ID: 12345
   },
 
   // `paramsSerializer` is an optional config in charge of serializing `params`
+  // Nested objects are walked with a bounded recursion depth (GHSA-62hf-57xw-28j9):
+  // once `maxDepth` is exceeded the serializer throws `ERR_FORM_DATA_DEPTH_EXCEEDED`
+  // instead of overflowing the call stack. The same cap applies to `toFormData` when
+  // `Content-Type: multipart/form-data` triggers automatic FormData serialization.
   paramsSerializer: {
-    indexes: null // array indexes format (null - no brackets, false - empty brackets, true - brackets with indexes)
+    indexes: null, // array indexes format (null - no brackets, false - empty brackets, true - brackets with indexes)
+    maxDepth: 100 // maximum recursion depth for nested params (default: 100, Infinity disables the limit)
   },
 
   // `data` is the data to be sent as the request body
@@ -400,6 +402,9 @@ These are the available config options for making requests. Only the `url` is re
   xsrfHeaderName: 'X-XSRF-TOKEN', // default
 
   // `undefined` (default) - set XSRF header only for the same origin requests
+  // Only an explicit `true` (own property on the config) will add the XSRF header for
+  // cross-origin requests. Values inherited from `Object.prototype` are ignored
+  // (GHSA-xx6v-rp6x-q39c), so a polluted prototype cannot silently enable the token.
   withXSRFToken: boolean | undefined | ((config: AxiosRequestConfig) => boolean | undefined),
 
   // `onUploadProgress` allows handling of progress events for uploads
@@ -415,9 +420,13 @@ These are the available config options for making requests. Only the `url` is re
   },
 
   // `maxContentLength` defines the max size of the http response content in bytes allowed in node.js
+  // Also enforced on streamed responses (`responseType: 'stream'`): bytes are counted as they
+  // arrive and the stream is aborted with an error once the cap is exceeded (GHSA-vf2m-468p-8v99).
   maxContentLength: 2000,
 
   // `maxBodyLength` (Node only option) defines the max size of the http request content in bytes allowed
+  // Also enforced on stream uploads: uploaded bytes are tracked and the request is aborted
+  // once the cap is exceeded, even when the native http transport is used directly.
   maxBodyLength: 2000,
 
   // `validateStatus` defines whether to resolve or reject the promise for a given
@@ -522,6 +531,7 @@ These are the available config options for making requests. Only the `url` is re
       dots: boolean; // use dots instead of brackets format
       metaTokens: boolean; // keep special endings like {} in parameter key
       indexes: boolean; // array indexes format null - no brackets, false - empty brackets, true - brackets with indexes
+      maxDepth: number; // maximum recursion depth for nested objects (default: 100, Infinity disables the limit)
   }
 }
 ```
@@ -603,6 +613,8 @@ instance.defaults.headers.common['Authorization'] = AUTH_TOKEN;
 
 Config will be merged with an order of precedence. The order is library defaults found in [lib/defaults.js](https://github.com/axios/axios/blob/master/lib/defaults/index.js#L28), then `defaults` property of the instance, and finally `config` argument for the request. The latter will take precedence over the former. Here's an example.
 
+> Note: the merged config object is created with a null prototype (`Object.create(null)`) and only own properties of the inputs are copied across. A polluted `Object.prototype` cannot leak values (for example `transport`, `adapter`, or `transformRequest`) into the outgoing config through inheritance, and keys such as `__proto__`, `constructor`, and `prototype` are dropped during the merge.
+
 ```js
 // Create an instance using the config defaults provided by the library
 // At this point the timeout config value is `0` as is the default for the library
@@ -1011,6 +1023,13 @@ The back-end body-parser could potentially use this meta-information to automati
     - `false`(default) - add empty brackets (`arr[]: 1`, `arr[]: 2`, `arr[]: 3`)
     - `true` - add brackets with indexes  (`arr[0]: 1`, `arr[1]: 2`, `arr[2]: 3`)
 
+- `maxDepth: number = 100` - maximum recursion depth when serializing nested objects. Throws an `AxiosError` with
+code `ERR_FORM_DATA_DEPTH_EXCEEDED` if the limit is exceeded. Set to `Infinity` to disable the limit.
+
+> **Security note:** If your server-side code forwards client-supplied objects to axios as request `data` or `params`,
+> keep `maxDepth` at a reasonable value (the default of 100 is sufficient for most use cases) to prevent
+> denial-of-service via deeply nested payloads.
+
 Let's say we have an object like this one:
 
 ```js

package/UPGRADE_GUIDE.md

@@ -159,8 +159,8 @@ axios.get('some/url')
 Previous versions of axios shipped with an AMD, CommonJS, and Global build. This has all been rolled into a single UMD build.
 
 ```js
-// AMD
-require(['bower_components/axios/dist/axios'], function (axios) {
+// AMD (for example with a RequireJS path mapped to `axios/dist/axios`)
+require(['axios/dist/axios'], function (axios) {
   /* ... */
 });
 

package/dist/axios.js

@@ -1,4 +1,4 @@
-// axios v0.31.0 Copyright (c) 2026 Matt Zabriskie
+// axios v0.31.1 Copyright (c) 2026 Matt Zabriskie
 (function (global, factory) {
   typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
   typeof define === 'function' && define.amd ? define(factory) :
@@ -215,11 +215,17 @@
    */
   function isFormData(thing) {
     var pattern = '[object FormData]';
-    return thing && (
-      (typeof FormData === 'function' && thing instanceof FormData) ||
-      toString.call(thing) === pattern ||
-      (isFunction(thing.toString) && thing.toString() === pattern)
-    );
+    if (!thing) return false;
+    if (typeof FormData === 'function' && thing instanceof FormData) return true;
+    // Reject non-objects (strings, numbers, booleans) up front — Object.getPrototypeOf
+    // throws a TypeError on primitives in ES5 environments.
+    if (!isObject(thing)) return false;
+    // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData (GHSA-6chq-wfr3-2hj9).
+    var proto = Object.getPrototypeOf(thing);
+    if (!proto || proto === Object.prototype) return false;
+    if (!isFunction(thing.append)) return false;
+    return toString.call(thing) === pattern ||
+      (isFunction(thing.toString) && thing.toString() === pattern);
   }
 
   /**
@@ -606,7 +612,8 @@
     'ERR_BAD_REQUEST',
     'ERR_CANCELED',
     'ERR_NOT_SUPPORT',
-    'ERR_INVALID_URL'
+    'ERR_INVALID_URL',
+    'ERR_FORM_DATA_DEPTH_EXCEEDED'
   // eslint-disable-next-line func-names
   ].forEach(function(code) {
     descriptors[code] = {value: code};
@@ -707,6 +714,7 @@
     var dots = options.dots;
     var indexes = options.indexes;
     var _Blob = options.Blob || typeof Blob !== 'undefined' && Blob;
+    var maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
     var useBlob = _Blob && isSpecCompliant(formData);
 
     if (!utils.isFunction(visitor)) {
@@ -783,9 +791,19 @@
       isVisitable: isVisitable
     });
 
-    function build(value, path) {
+    function build(value, path, depth) {
       if (utils.isUndefined(value)) return;
 
+      // eslint-disable-next-line no-param-reassign
+      depth = depth || 0;
+
+      if (depth > maxDepth) {
+        throw new AxiosError_1(
+          'Maximum object depth of ' + maxDepth + ' exceeded (got ' + depth + ' levels)',
+          AxiosError_1.ERR_FORM_DATA_DEPTH_EXCEEDED
+        );
+      }
+
       if (stack.indexOf(value) !== -1) {
         throw Error('Circular reference detected in ' + path.join('.'));
       }
@@ -798,7 +816,7 @@
         );
 
         if (result === true) {
-          build(el, path ? path.concat(key) : [key]);
+          build(el, path ? path.concat(key) : [key], depth + 1);
         }
       });
 
@@ -809,7 +827,7 @@
       throw new TypeError('data must be an object');
     }
 
-    build(obj);
+    build(obj, null, 0);
 
     return formData;
   }
@@ -817,16 +835,17 @@
   var toFormData_1 = toFormData;
 
   function encode$1(str) {
+    // Do not map `%00` back to a raw null byte (GHSA-xhjh-pmcv-23jw): that reversed
+    // the safe percent-encoding from encodeURIComponent and enabled null byte injection.
     var charMap = {
       '!': '%21',
       "'": '%27',
       '(': '%28',
       ')': '%29',
       '~': '%7E',
-      '%20': '+',
-      '%00': '\x00'
+      '%20': '+'
     };
-    return encodeURIComponent(str).replace(/[!'\(\)~]|%20|%00/g, function replacer(match) {
+    return encodeURIComponent(str).replace(/[!'\(\)~]|%20/g, function replacer(match) {
       return charMap[match];
     });
   }
@@ -1343,7 +1362,8 @@
       var requestData = config.data;
       var requestHeaders = config.headers;
       var responseType = config.responseType;
-      var withXSRFToken = config.withXSRFToken;
+      // Guard against prototype pollution (GHSA-xx6v-rp6x-q39c): only honor own properties.
+      var withXSRFToken = utils.hasOwnProperty(config, 'withXSRFToken') ? config.withXSRFToken : undefined;
       var onCanceled;
       function done() {
         if (config.cancelToken) {
@@ -1471,8 +1491,11 @@
       // Specifically not if we're in a web worker, or react-native.
       if (utils.isStandardBrowserEnv()) {
         // Add xsrf header
-        withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(config));
-        if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
+        if (utils.isFunction(withXSRFToken)) {
+          withXSRFToken = withXSRFToken(config);
+        }
+        // Strict boolean check (GHSA-xx6v-rp6x-q39c): only `true` short-circuits the same-origin guard.
+        if (withXSRFToken === true || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
           // Add xsrf header
           var xsrfValue = config.xsrfHeaderName && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
           if (xsrfValue) {
@@ -1630,17 +1653,20 @@
       var isFileList;
 
       if (isObjectPayload) {
+        var formSerializer = utils.hasOwnProperty(this, 'formSerializer') ? this.formSerializer : undefined;
+        var envOption = utils.hasOwnProperty(this, 'env') ? this.env : undefined;
+
         if (contentType.indexOf('application/x-www-form-urlencoded') !== -1) {
-          return toURLEncodedForm(data, this.formSerializer).toString();
+          return toURLEncodedForm(data, formSerializer).toString();
         }
 
         if ((isFileList = utils.isFileList(data)) || contentType.indexOf('multipart/form-data') > -1) {
-          var _FormData = this.env && this.env.FormData;
+          var _FormData = envOption && envOption.FormData;
 
           return toFormData_1(
             isFileList ? {'files[]': data} : data,
             _FormData && new _FormData(),
-            this.formSerializer
+            formSerializer
           );
         }
       }
@@ -1858,7 +1884,17 @@
   var mergeConfig = function mergeConfig(config1, config2) {
     // eslint-disable-next-line no-param-reassign
     config2 = config2 || {};
-    var config = {};
+    // Use a null-prototype object so a polluted Object.prototype cannot leak
+    // values (e.g. transport, adapter) into the returned config via inheritance.
+    var config = Object.create(null);
+
+    function getOwn(source, prop) {
+      return utils.hasOwnProperty(source, prop) ? source[prop] : undefined;
+    }
+
+    function hasOwn(source, prop) {
+      return utils.hasOwnProperty(source, prop);
+    }
 
     function getMergedValue(target, source) {
       if (utils.isPlainObject(target) && utils.isPlainObject(source)) {
@@ -1875,34 +1911,34 @@
 
     // eslint-disable-next-line consistent-return
     function mergeDeepProperties(prop) {
-      if (!utils.isUndefined(config2[prop])) {
-        return getMergedValue(config1[prop], config2[prop]);
-      } else if (!utils.isUndefined(config1[prop])) {
+      if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
+        return getMergedValue(getOwn(config1, prop), config2[prop]);
+      } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
         return getMergedValue(undefined, config1[prop]);
       }
     }
 
     // eslint-disable-next-line consistent-return
     function valueFromConfig2(prop) {
-      if (!utils.isUndefined(config2[prop])) {
+      if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
         return getMergedValue(undefined, config2[prop]);
       }
     }
 
     // eslint-disable-next-line consistent-return
     function defaultToConfig2(prop) {
-      if (!utils.isUndefined(config2[prop])) {
+      if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
         return getMergedValue(undefined, config2[prop]);
-      } else if (!utils.isUndefined(config1[prop])) {
+      } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
         return getMergedValue(undefined, config1[prop]);
       }
     }
 
     // eslint-disable-next-line consistent-return
     function mergeDirectKeys(prop) {
-      if (prop in config2) {
-        return getMergedValue(config1[prop], config2[prop]);
-      } else if (prop in config1) {
+      if (hasOwn(config2, prop)) {
+        return getMergedValue(getOwn(config1, prop), config2[prop]);
+      } else if (hasOwn(config1, prop)) {
         return getMergedValue(undefined, config1[prop]);
       }
     }
@@ -1951,7 +1987,7 @@
   };
 
   var data = {
-    "version": "0.31.0"
+    "version": "0.31.1"
   };
 
   var VERSION = data.version;