npm - axios - Versions diffs - 0.31.0 → 0.31.1 - Mend

axios 0.31.0 → 0.31.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/README.md +26 -7
package/UPGRADE_GUIDE.md +2 -2
package/dist/axios.js +66 -30
package/dist/axios.js.map +1 -1
package/dist/axios.min.js +1 -1
package/dist/axios.min.js.map +1 -1
package/dist/esm/axios.js +66 -30
package/dist/esm/axios.js.map +1 -1
package/dist/esm/axios.min.js +1 -1
package/dist/esm/axios.min.js.map +1 -1
package/index.d.ts +1 -0
package/lib/adapters/http.js +82 -6
package/lib/adapters/xhr.js +7 -3
package/lib/core/AxiosError.js +2 -1
package/lib/core/mergeConfig.js +20 -10
package/lib/defaults/index.js +6 -3
package/lib/env/data.js +1 -1
package/lib/helpers/AxiosURLSearchParams.js +4 -3
package/lib/helpers/toFormData.js +14 -3
package/lib/utils.js +11 -5
package/package.json +2 -2

package/dist/esm/axios.js CHANGED Viewed

@@ -1,4 +1,4 @@
-// axios v0.31.0 Copyright (c) 2026 Matt Zabriskie
+// axios v0.31.1 Copyright (c) 2026 Matt Zabriskie
 var bind = function bind(fn, thisArg) {
   return function wrap() {
     return fn.apply(thisArg, arguments);
@@ -209,11 +209,17 @@ function isStream(val) {
  */
 function isFormData(thing) {
   var pattern = '[object FormData]';
-  return thing && (
-    (typeof FormData === 'function' && thing instanceof FormData) ||
-    toString.call(thing) === pattern ||
-    (isFunction(thing.toString) && thing.toString() === pattern)
-  );
+  if (!thing) return false;
+  if (typeof FormData === 'function' && thing instanceof FormData) return true;
+  // Reject non-objects (strings, numbers, booleans) up front — Object.getPrototypeOf
+  // throws a TypeError on primitives in ES5 environments.
+  if (!isObject(thing)) return false;
+  // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData (GHSA-6chq-wfr3-2hj9).
+  var proto = Object.getPrototypeOf(thing);
+  if (!proto || proto === Object.prototype) return false;
+  if (!isFunction(thing.append)) return false;
+  return toString.call(thing) === pattern ||
+    (isFunction(thing.toString) && thing.toString() === pattern);
 }
 /**
@@ -600,7 +606,8 @@ var descriptors = {};
   'ERR_BAD_REQUEST',
   'ERR_CANCELED',
   'ERR_NOT_SUPPORT',
-  'ERR_INVALID_URL'
+  'ERR_INVALID_URL',
+  'ERR_FORM_DATA_DEPTH_EXCEEDED'
 // eslint-disable-next-line func-names
 ].forEach(function(code) {
   descriptors[code] = {value: code};
@@ -701,6 +708,7 @@ function toFormData(obj, formData, options) {
   var dots = options.dots;
   var indexes = options.indexes;
   var _Blob = options.Blob || typeof Blob !== 'undefined' && Blob;
+  var maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
   var useBlob = _Blob && isSpecCompliant(formData);
   if (!utils.isFunction(visitor)) {
@@ -777,9 +785,19 @@ function toFormData(obj, formData, options) {
     isVisitable: isVisitable
   });
-  function build(value, path) {
+  function build(value, path, depth) {
     if (utils.isUndefined(value)) return;
+    // eslint-disable-next-line no-param-reassign
+    depth = depth || 0;
+    if (depth > maxDepth) {
+      throw new AxiosError_1(
+        'Maximum object depth of ' + maxDepth + ' exceeded (got ' + depth + ' levels)',
+        AxiosError_1.ERR_FORM_DATA_DEPTH_EXCEEDED
+      );
+    }
     if (stack.indexOf(value) !== -1) {
       throw Error('Circular reference detected in ' + path.join('.'));
     }
@@ -792,7 +810,7 @@ function toFormData(obj, formData, options) {
       );
       if (result === true) {
-        build(el, path ? path.concat(key) : [key]);
+        build(el, path ? path.concat(key) : [key], depth + 1);
       }
     });
@@ -803,7 +821,7 @@ function toFormData(obj, formData, options) {
     throw new TypeError('data must be an object');
   }
-  build(obj);
+  build(obj, null, 0);
   return formData;
 }
@@ -811,16 +829,17 @@ function toFormData(obj, formData, options) {
 var toFormData_1 = toFormData;
 function encode$1(str) {
+  // Do not map `%00` back to a raw null byte (GHSA-xhjh-pmcv-23jw): that reversed
+  // the safe percent-encoding from encodeURIComponent and enabled null byte injection.
   var charMap = {
     '!': '%21',
     "'": '%27',
     '(': '%28',
     ')': '%29',
     '~': '%7E',
-    '%20': '+',
-    '%00': '\x00'
+    '%20': '+'
   };
-  return encodeURIComponent(str).replace(/[!'\(\)~]|%20|%00/g, function replacer(match) {
+  return encodeURIComponent(str).replace(/[!'\(\)~]|%20/g, function replacer(match) {
     return charMap[match];
   });
 }
@@ -1337,7 +1356,8 @@ var xhr = function xhrAdapter(config) {
     var requestData = config.data;
     var requestHeaders = config.headers;
     var responseType = config.responseType;
-    var withXSRFToken = config.withXSRFToken;
+    // Guard against prototype pollution (GHSA-xx6v-rp6x-q39c): only honor own properties.
+    var withXSRFToken = utils.hasOwnProperty(config, 'withXSRFToken') ? config.withXSRFToken : undefined;
     var onCanceled;
     function done() {
       if (config.cancelToken) {
@@ -1465,8 +1485,11 @@ var xhr = function xhrAdapter(config) {
     // Specifically not if we're in a web worker, or react-native.
     if (utils.isStandardBrowserEnv()) {
       // Add xsrf header
-      withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(config));
-      if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
+      if (utils.isFunction(withXSRFToken)) {
+        withXSRFToken = withXSRFToken(config);
+      }
+      // Strict boolean check (GHSA-xx6v-rp6x-q39c): only `true` short-circuits the same-origin guard.
+      if (withXSRFToken === true || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
         // Add xsrf header
         var xsrfValue = config.xsrfHeaderName && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
         if (xsrfValue) {
@@ -1624,17 +1647,20 @@ var defaults = {
     var isFileList;
     if (isObjectPayload) {
+      var formSerializer = utils.hasOwnProperty(this, 'formSerializer') ? this.formSerializer : undefined;
+      var envOption = utils.hasOwnProperty(this, 'env') ? this.env : undefined;
       if (contentType.indexOf('application/x-www-form-urlencoded') !== -1) {
-        return toURLEncodedForm(data, this.formSerializer).toString();
+        return toURLEncodedForm(data, formSerializer).toString();
       }
       if ((isFileList = utils.isFileList(data)) || contentType.indexOf('multipart/form-data') > -1) {
-        var _FormData = this.env && this.env.FormData;
+        var _FormData = envOption && envOption.FormData;
         return toFormData_1(
           isFileList ? {'files[]': data} : data,
           _FormData && new _FormData(),
-          this.formSerializer
+          formSerializer
         );
       }
     }
@@ -1852,7 +1878,17 @@ var dispatchRequest = function dispatchRequest(config) {
 var mergeConfig = function mergeConfig(config1, config2) {
   // eslint-disable-next-line no-param-reassign
   config2 = config2 || {};
-  var config = {};
+  // Use a null-prototype object so a polluted Object.prototype cannot leak
+  // values (e.g. transport, adapter) into the returned config via inheritance.
+  var config = Object.create(null);
+  function getOwn(source, prop) {
+    return utils.hasOwnProperty(source, prop) ? source[prop] : undefined;
+  }
+  function hasOwn(source, prop) {
+    return utils.hasOwnProperty(source, prop);
+  }
   function getMergedValue(target, source) {
     if (utils.isPlainObject(target) && utils.isPlainObject(source)) {
@@ -1869,34 +1905,34 @@ var mergeConfig = function mergeConfig(config1, config2) {
   // eslint-disable-next-line consistent-return
   function mergeDeepProperties(prop) {
-    if (!utils.isUndefined(config2[prop])) {
-      return getMergedValue(config1[prop], config2[prop]);
-    } else if (!utils.isUndefined(config1[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
+      return getMergedValue(getOwn(config1, prop), config2[prop]);
+    } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
   // eslint-disable-next-line consistent-return
   function valueFromConfig2(prop) {
-    if (!utils.isUndefined(config2[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
       return getMergedValue(undefined, config2[prop]);
     }
   }
   // eslint-disable-next-line consistent-return
   function defaultToConfig2(prop) {
-    if (!utils.isUndefined(config2[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
       return getMergedValue(undefined, config2[prop]);
-    } else if (!utils.isUndefined(config1[prop])) {
+    } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
   // eslint-disable-next-line consistent-return
   function mergeDirectKeys(prop) {
-    if (prop in config2) {
-      return getMergedValue(config1[prop], config2[prop]);
-    } else if (prop in config1) {
+    if (hasOwn(config2, prop)) {
+      return getMergedValue(getOwn(config1, prop), config2[prop]);
+    } else if (hasOwn(config1, prop)) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
@@ -1945,7 +1981,7 @@ var mergeConfig = function mergeConfig(config1, config2) {
 };
 var data = {
-  "version": "0.31.0"
+  "version": "0.31.1"
 };
 var VERSION = data.version;