axios 0.31.0 → 0.32.0

package/AGENTS.md

@@ -0,0 +1,38 @@
+# AGENTS.md
+
+## Setup
+- Use npm here; `package-lock.json` is committed and CI installs with `npm ci --ignore-scripts`.
+- `mise.toml` pins local Node 20, but CI runs Node 12, 14, 16, 18, 20, 22, and 24; keep `lib/` source compatible with old CommonJS-era syntax and runtime assumptions.
+- CI order is `npm ci --ignore-scripts`, `npm run build`, then `npm test`.
+
+## Commands
+- `npm run build`: runs `grunt build`, which cleans `dist/` and uses Rollup from `lib/axios.js` to create `dist/axios*.js` and `dist/esm/axios*.js`.
+- `npm test`: runs JS tests and declaration tests through `bin/ssl_hotfix.js`; use this full command on Node >16 so old tooling gets `NODE_OPTIONS=--openssl-legacy-provider`.
+- `node bin/ssl_hotfix.js ./node_modules/.bin/grunt test`: JS-only verification, running ESLint on `lib/**/*.js`, Mocha on `test/unit/**/*.js`, and Karma on `test/specs/**/*.spec.js`.
+- `./node_modules/.bin/mocha --timeout 30000 test/unit/<path>.js`: run one Node/Mocha unit test file without Karma or dtslint.
+- `node bin/ssl_hotfix.js ./node_modules/.bin/grunt karma:single`: run the browser suite only.
+- `node bin/ssl_hotfix.js ./node_modules/.bin/dtslint --localTs node_modules/typescript/lib`: run the declaration tests in `test/typescript/axios.ts`.
+- `npm run fix`: ESLint autofix for `lib/**/*.js` only.
+
+## Structure
+- Package entry is `index.js` -> `lib/axios.js`; the TypeScript surface is the root `index.d.ts`.
+- `lib/defaults/index.js` chooses the runtime adapter: `lib/adapters/xhr.js` for browsers and `lib/adapters/http.js` for Node.
+- Browser bundlers also rely on `package.json` `browser` mappings from `./lib/adapters/http.js` to `./lib/adapters/xhr.js` and from `./lib/platform/node/index.js` to `./lib/platform/browser/index.js`.
+- `lib/env/data.js` stores the package version and is generated by `grunt version` or `npm run preversion`; do not edit it except as part of a version bump.
+- `grunt build` uses `rollup.config.js`; `webpack.config.js` is not the package build path, while Karma has its own webpack config inside `karma.conf.js`.
+
+## Tests
+- Node tests live in `test/unit/**/*.js` and use Mocha plus Node `assert`.
+- Browser tests live in `test/specs/**/*.spec.js` and use Jasmine/Jasmine-Ajax; globals such as `axios` and `getAjaxRequest` come from `test/specs/__helpers.js`.
+- Karma defaults to `FirefoxHeadless` and `ChromeHeadless` whenever `process.env.GITHUB_ACTIONS !== 'false'`, including when the variable is unset; set `GITHUB_ACTIONS=false` only if you need non-headless local browsers.
+- There is no committed single-browser-spec target; do not leave `fdescribe`, `fit`, or `.only` in tests.
+- Declaration changes should update both `index.d.ts` and `test/typescript/axios.ts`, then run the dtslint command above.
+
+## Source Conventions
+- `lib/` is CommonJS with `'use strict'`, `var`, semicolons, 2-space indentation, and no trailing commas; ESLint only checks `lib/**/*.js`.
+- Public API behavior usually needs README docs, TypeScript declarations, and declaration tests updated together.
+- Adapter or platform changes usually need both Node and browser paths considered, including Mocha coverage for `http.js` behavior and Karma coverage for `xhr.js` behavior.
+
+## Node 12+ Compatibility
+- All shipped code AND test code must run on Node 12 through Node 24. CI runs the full matrix, so a test that only works on Node 16+ will break the build. Avoid `??`, `?.`, top-level `await`, private class fields, `Array.prototype.at`, `structuredClone`, etc. in both `lib/` and `test/`.
+- Be wary of `Object.prototype` pollution tests on Node 12/14: setting `Object.prototype.get` (or `set`) before any code that calls `Object.defineProperty` with a value-only descriptor will throw `TypeError: Getter must be a function`, because the descriptor inherits the polluted property. Construct servers/clients first, pre-load any lazy-required Node internals (e.g. `require('dns')`), then apply the pollution.

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## Unreleased
+
+### Notable behavior changes
+
+- `utils.merge` (used internally by `mergeConfig` and to merge request headers) now returns objects with a `null` prototype to harden against prototype-pollution gadgets. As a result, `error.config`, `error.config.headers`, and any merged header bucket no longer inherit from `Object.prototype`. Two consequences:
+  - `obj.hasOwnProperty(key)` on a merged config or header object throws `TypeError: obj.hasOwnProperty is not a function`. Use `Object.prototype.hasOwnProperty.call(obj, key)` or `key in obj` instead.
+  - Implicit string coercion (e.g. `String(obj)`, `'' + obj`, or any path that calls `ToPrimitive`) throws `TypeError: Cannot convert object to primitive value` because there is no inherited `toString`. Coerce explicitly via `JSON.stringify(obj)` or by reading individual properties.
+
+  Property access (`obj[key]`), enumeration, and `JSON.stringify` are unaffected.
+
 ## [0.30.0](https://github.com/axios/axios/compare/v0.29.0...v0.30.0) (2025-03-26)
 
 ## Release notes:

package/CLAUDE.md

@@ -0,0 +1 @@
+@AGENTS.md

package/README.md

@@ -83,12 +83,6 @@ Using npm:
 $ npm install axios
 ```
 
-Using bower:
-
-```bash
-$ bower install axios
-```
-
 Using yarn:
 
 ```bash
@@ -336,13 +330,21 @@ These are the available config options for making requests. Only the `url` is re
 
   // `params` are the URL parameters to be sent with the request
   // Must be a plain object or a URLSearchParams object
+  // Null bytes in param values stay percent-encoded as `%00` in the resulting query string
+  // Axios does not reverse `encodeURIComponent` output for `%00`,
+  // so null-byte injection cannot be smuggled through the serializer.
   params: {
     ID: 12345
   },
 
   // `paramsSerializer` is an optional config in charge of serializing `params`
+  // Nested objects are walked with a bounded recursion depth:
+  // once `maxDepth` is exceeded the serializer throws `ERR_FORM_DATA_DEPTH_EXCEEDED`
+  // instead of overflowing the call stack. The same cap applies to `toFormData` when
+  // `Content-Type: multipart/form-data` triggers automatic FormData serialization.
   paramsSerializer: {
-    indexes: null // array indexes format (null - no brackets, false - empty brackets, true - brackets with indexes)
+    indexes: null, // array indexes format (null - no brackets, false - empty brackets, true - brackets with indexes)
+    maxDepth: 100 // maximum recursion depth for nested params (default: 100, Infinity disables the limit)
   },
 
   // `data` is the data to be sent as the request body
@@ -400,6 +402,9 @@ These are the available config options for making requests. Only the `url` is re
   xsrfHeaderName: 'X-XSRF-TOKEN', // default
 
   // `undefined` (default) - set XSRF header only for the same origin requests
+  // Only an explicit `true` (own property on the config) will add the XSRF header for
+  // cross-origin requests. Values inherited from `Object.prototype` are ignored
+  // so a polluted prototype cannot silently enable the token.
   withXSRFToken: boolean | undefined | ((config: AxiosRequestConfig) => boolean | undefined),
 
   // `onUploadProgress` allows handling of progress events for uploads
@@ -415,11 +420,27 @@ These are the available config options for making requests. Only the `url` is re
   },
 
   // `maxContentLength` defines the max size of the http response content in bytes allowed in node.js
+  // Also enforced on streamed responses (`responseType: 'stream'`): bytes are counted as they
+  // arrive and the stream is aborted with an error once the cap is exceeded.
   maxContentLength: 2000,
 
   // `maxBodyLength` (Node only option) defines the max size of the http request content in bytes allowed
+  // Also enforced on stream uploads: uploaded bytes are tracked and the request is aborted
+  // once the cap is exceeded, even when the native http transport is used directly.
   maxBodyLength: 2000,
 
+  // `formDataHeaderPolicy` controls which headers the Node adapter copies from
+  // FormData `getHeaders()`.
+  // 'legacy' (default) copies all returned headers for v1 compatibility.
+  // 'content-only' copies only Content-Type and Content-Length.
+  formDataHeaderPolicy: 'legacy',
+
+  // `redact` masks matching config keys when AxiosError#toJSON() is called.
+  // Matching is case-insensitive and recursive. It does not change the request.
+  // An empty array is treated as "no override" and falls back to the defaults so
+  // an accidental `redact: []` cannot silently disable redaction.
+  redact: ['authorization', 'password'],
+
   // `validateStatus` defines whether to resolve or reject the promise for a given
   // HTTP response status code. If `validateStatus` returns `true` (or is set to `null`
   // or `undefined`), the promise will be resolved; otherwise, the promise will be
@@ -445,10 +466,18 @@ These are the available config options for making requests. Only the `url` is re
 
   // `socketPath` defines a UNIX Socket to be used in node.js.
   // e.g. '/var/run/docker.sock' to send requests to the docker daemon.
+  // Avoid passing user-controlled values because socket paths bypass host,
+  // port, DNS, and proxy controls.
   // Only either `socketPath` or `proxy` can be specified.
   // If both are specified, `socketPath` is used.
   socketPath: null, // default
 
+  // `allowedSocketPaths` constrains `socketPath` to known-safe Unix sockets.
+  // Use this when config can include partially user-controlled input.
+  // Set to a string or array of strings. An empty array denies all socket paths.
+  // Set to `null` on a request to clear an instance-level allowlist.
+  allowedSocketPaths: null, // default
+
   // `httpAgent` and `httpsAgent` define a custom agent to be used when performing http
   // and https requests, respectively, in node.js. This allows options to be added like
   // `keepAlive` that are not enabled by default.
@@ -522,6 +551,7 @@ These are the available config options for making requests. Only the `url` is re
       dots: boolean; // use dots instead of brackets format
       metaTokens: boolean; // keep special endings like {} in parameter key
       indexes: boolean; // array indexes format null - no brackets, false - empty brackets, true - brackets with indexes
+      maxDepth: number; // maximum recursion depth for nested objects (default: 100, Infinity disables the limit)
   }
 }
 ```
@@ -603,6 +633,8 @@ instance.defaults.headers.common['Authorization'] = AUTH_TOKEN;
 
 Config will be merged with an order of precedence. The order is library defaults found in [lib/defaults.js](https://github.com/axios/axios/blob/master/lib/defaults/index.js#L28), then `defaults` property of the instance, and finally `config` argument for the request. The latter will take precedence over the former. Here's an example.
 
+> Note: the merged config object is created with a null prototype (`Object.create(null)`) and only own properties of the inputs are copied across. A polluted `Object.prototype` cannot leak values (for example `transport`, `adapter`, or `transformRequest`) into the outgoing config through inheritance, and keys such as `__proto__`, `constructor`, and `prototype` are dropped during the merge.
+
 ```js
 // Create an instance using the config defaults provided by the library
 // At this point the timeout config value is `0` as is the default for the library
@@ -1011,6 +1043,13 @@ The back-end body-parser could potentially use this meta-information to automati
     - `false`(default) - add empty brackets (`arr[]: 1`, `arr[]: 2`, `arr[]: 3`)
     - `true` - add brackets with indexes  (`arr[0]: 1`, `arr[1]: 2`, `arr[2]: 3`)
 
+- `maxDepth: number = 100` - maximum recursion depth when serializing nested objects. Throws an `AxiosError` with
+code `ERR_FORM_DATA_DEPTH_EXCEEDED` if the limit is exceeded. Set to `Infinity` to disable the limit.
+
+> **Security note:** If your server-side code forwards client-supplied objects to axios as request `data` or `params`,
+> keep `maxDepth` at a reasonable value (the default of 100 is sufficient for most use cases) to prevent
+> denial-of-service via deeply nested payloads.
+
 Let's say we have an object like this one:
 
 ```js

package/UPGRADE_GUIDE.md

@@ -159,8 +159,8 @@ axios.get('some/url')
 Previous versions of axios shipped with an AMD, CommonJS, and Global build. This has all been rolled into a single UMD build.
 
 ```js
-// AMD
-require(['bower_components/axios/dist/axios'], function (axios) {
+// AMD (for example with a RequireJS path mapped to `axios/dist/axios`)
+require(['axios/dist/axios'], function (axios) {
   /* ... */
 });