axios 0.31.0 → 0.32.0

package/dist/esm/axios.js

@@ -1,4 +1,4 @@
-// axios v0.31.0 Copyright (c) 2026 Matt Zabriskie
+// axios v0.32.0 Copyright (c) 2026 Matt Zabriskie
 var bind = function bind(fn, thisArg) {
   return function wrap() {
     return fn.apply(thisArg, arguments);
@@ -52,8 +52,14 @@ function isUndefined(val) {
  * @returns {boolean} True if value is a Buffer, otherwise false
  */
 function isBuffer(val) {
-  return val !== null && !isUndefined(val) && val.constructor !== null && !isUndefined(val.constructor)
-    && typeof val.constructor.isBuffer === 'function' && val.constructor.isBuffer(val);
+  return (
+    val !== null &&
+    !isUndefined(val) &&
+    val.constructor !== null &&
+    !isUndefined(val.constructor) &&
+    typeof val.constructor.isBuffer === 'function' &&
+    val.constructor.isBuffer(val)
+  );
 }
 
 /**
@@ -65,7 +71,6 @@ function isBuffer(val) {
  */
 var isArrayBuffer = kindOfTest('ArrayBuffer');
 
-
 /**
  * Determine if a value is a view on an ArrayBuffer
  *
@@ -74,10 +79,10 @@ var isArrayBuffer = kindOfTest('ArrayBuffer');
  */
 function isArrayBufferView(val) {
   var result;
-  if ((typeof ArrayBuffer !== 'undefined') && (ArrayBuffer.isView)) {
+  if (typeof ArrayBuffer !== 'undefined' && ArrayBuffer.isView) {
     result = ArrayBuffer.isView(val);
   } else {
-    result = (val) && (val.buffer) && (isArrayBuffer(val.buffer));
+    result = val && val.buffer && isArrayBuffer(val.buffer);
   }
   return result;
 }
@@ -209,8 +214,16 @@ function isStream(val) {
  */
 function isFormData(thing) {
   var pattern = '[object FormData]';
-  return thing && (
-    (typeof FormData === 'function' && thing instanceof FormData) ||
+  if (!thing) return false;
+  if (typeof FormData === 'function' && thing instanceof FormData) return true;
+  // Reject non-objects (strings, numbers, booleans) up front — Object.getPrototypeOf
+  // throws a TypeError on primitives in ES5 environments.
+  if (!isObject(thing)) return false;
+  // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData.
+  var proto = Object.getPrototypeOf(thing);
+  if (!proto || proto === Object.prototype) return false;
+  if (!isFunction(thing.append)) return false;
+  return (
     toString.call(thing) === pattern ||
     (isFunction(thing.toString) && thing.toString() === pattern)
   );
@@ -231,7 +244,9 @@ var isURLSearchParams = kindOfTest('URLSearchParams');
  * @returns {String} The String freed of excess whitespace
  */
 function trim(str) {
-  return str.trim ? str.trim() : str.replace(/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g, '');
+  return str.trim
+    ? str.trim()
+    : str.replace(/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g, '');
 }
 
 /**
@@ -251,10 +266,11 @@ function trim(str) {
  */
 function isStandardBrowserEnv() {
   var product;
-  if (typeof navigator !== 'undefined' && (
-    (product = navigator.product) === 'ReactNative' ||
-    product === 'NativeScript' ||
-    product === 'NS')
+  if (
+    typeof navigator !== 'undefined' &&
+    ((product = navigator.product) === 'ReactNative' ||
+      product === 'NativeScript' ||
+      product === 'NS')
   ) {
     return false;
   }
@@ -319,14 +335,20 @@ function forEach(obj, fn) {
  * @returns {Object} Result of all merge properties
  */
 function merge(/* obj1, obj2, obj3, ... */) {
-  var result = {};
+  var result = Object.create(null);
   function assignValue(val, key) {
+    var target;
+
     if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
       return;
     }
 
-    if (isPlainObject(result[key]) && isPlainObject(val)) {
-      result[key] = merge(result[key], val);
+    target = Object.prototype.hasOwnProperty.call(result, key)
+      ? result[key]
+      : undefined;
+
+    if (isPlainObject(target) && isPlainObject(val)) {
+      result[key] = merge(target, val);
     } else if (isPlainObject(val)) {
       result[key] = merge({}, val);
     } else if (isArray(val)) {
@@ -368,7 +390,7 @@ function extend(a, b, thisArg) {
  * @return {string} content value without BOM
  */
 function stripBOM(content) {
-  if (content.charCodeAt(0) === 0xFEFF) {
+  if (content.charCodeAt(0) === 0xfeff) {
     content = content.slice(1);
   }
   return content;
@@ -383,7 +405,10 @@ function stripBOM(content) {
  */
 
 function inherits(constructor, superConstructor, props, descriptors) {
-  constructor.prototype = Object.create(superConstructor.prototype, descriptors);
+  constructor.prototype = Object.create(
+    superConstructor.prototype,
+    descriptors
+  );
   constructor.prototype.constructor = constructor;
   props && Object.assign(constructor.prototype, props);
 }
@@ -412,13 +437,20 @@ function toFlatObject(sourceObj, destObj, filter, propFilter) {
     i = props.length;
     while (i-- > 0) {
       prop = props[i];
-      if ((!propFilter || propFilter(prop, sourceObj, destObj)) && !merged[prop]) {
+      if (
+        (!propFilter || propFilter(prop, sourceObj, destObj)) &&
+        !merged[prop]
+      ) {
         destObj[prop] = sourceObj[prop];
         merged[prop] = true;
       }
     }
     sourceObj = filter !== false && Object.getPrototypeOf(sourceObj);
-  } while (sourceObj && (!filter || filter(sourceObj, destObj)) && sourceObj !== Object.prototype);
+  } while (
+    sourceObj &&
+    (!filter || filter(sourceObj, destObj)) &&
+    sourceObj !== Object.prototype
+  );
 
   return destObj;
 }
@@ -440,7 +472,6 @@ function endsWith(str, searchString, position) {
   return lastIndex !== -1 && lastIndex === position;
 }
 
-
 /**
  * Returns new array from array like object or null if failed
  * @param {*} [thing]
@@ -536,6 +567,82 @@ var utils = {
   hasOwnProperty: hasOwnProperty
 };
 
+var defaultRedactKeys = ['authorization', 'proxy-authorization', 'cookie', 'set-cookie', 'x-api-key', 'password'];
+
+var REDACTED_VALUE = '[REDACTED ****]';
+
+function makeValueDescriptor(value) {
+  var descriptor = Object.create(null);
+  descriptor.value = value;
+  return descriptor;
+}
+
+function getRedactKeys(config) {
+  // An empty array is treated as "no override" so an upstream `redact: []` cannot
+  // silently disable redaction. To opt out, pass non-string values or unset keys.
+  var override = config && utils.isArray(config.redact) && config.redact.length ? config.redact : null;
+  var redact = override || defaultRedactKeys;
+  var keys = {};
+
+  utils.forEach(redact, function eachRedactKey(key) {
+    if (typeof key === 'string') {
+      keys[key.toLowerCase()] = true;
+    }
+  });
+
+  return keys;
+}
+
+function shouldRedact(key, keys) {
+  return typeof key === 'string' && keys[key.toLowerCase()];
+}
+
+var CIRCULAR_VALUE = '[Circular]';
+
+function serializeConfigValue(value, keys, key, seen) {
+  var result;
+
+  if (shouldRedact(key, keys)) {
+    return REDACTED_VALUE;
+  }
+
+  if (utils.isArray(value)) {
+    if (seen.indexOf(value) !== -1) {
+      return CIRCULAR_VALUE;
+    }
+    seen.push(value);
+    result = [];
+    utils.forEach(value, function eachArrayValue(item, index) {
+      result[index] = serializeConfigValue(item, keys, index, seen);
+    });
+    seen.pop();
+    return result;
+  }
+
+  if (utils.isPlainObject(value)) {
+    if (seen.indexOf(value) !== -1) {
+      return CIRCULAR_VALUE;
+    }
+    seen.push(value);
+    result = {};
+    utils.forEach(value, function eachObjectValue(item, itemKey) {
+      result[itemKey] = serializeConfigValue(item, keys, itemKey, seen);
+    });
+    seen.pop();
+    return result;
+  }
+
+  return value;
+}
+
+function serializeConfig(config) {
+  if (!config) {
+    return config;
+  }
+
+  return serializeConfigValue(config, getRedactKeys(config), undefined, []);
+}
+
 /**
  * Create an Error with the specified message, config, error code, request and response.
  *
@@ -578,7 +685,7 @@ utils.inherits(AxiosError, Error, {
       columnNumber: this.columnNumber,
       stack: this.stack,
       // Axios
-      config: this.config,
+      config: serializeConfig(this.config),
       code: this.code,
       status: this.response && this.response.status ? this.response.status : null
     };
@@ -586,7 +693,7 @@ utils.inherits(AxiosError, Error, {
 });
 
 var prototype$1 = AxiosError.prototype;
-var descriptors = {};
+var descriptors = Object.create(null);
 
 [
   'ERR_BAD_OPTION_VALUE',
@@ -600,14 +707,15 @@ var descriptors = {};
   'ERR_BAD_REQUEST',
   'ERR_CANCELED',
   'ERR_NOT_SUPPORT',
-  'ERR_INVALID_URL'
+  'ERR_INVALID_URL',
+  'ERR_FORM_DATA_DEPTH_EXCEEDED'
 // eslint-disable-next-line func-names
 ].forEach(function(code) {
-  descriptors[code] = {value: code};
+  descriptors[code] = makeValueDescriptor(code);
 });
 
 Object.defineProperties(AxiosError, descriptors);
-Object.defineProperty(prototype$1, 'isAxiosError', {value: true});
+Object.defineProperty(prototype$1, 'isAxiosError', makeValueDescriptor(true));
 
 // eslint-disable-next-line func-names
 AxiosError.from = function(error, code, config, request, response, customProps) {
@@ -701,6 +809,7 @@ function toFormData(obj, formData, options) {
   var dots = options.dots;
   var indexes = options.indexes;
   var _Blob = options.Blob || typeof Blob !== 'undefined' && Blob;
+  var maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
   var useBlob = _Blob && isSpecCompliant(formData);
 
   if (!utils.isFunction(visitor)) {
@@ -777,9 +886,19 @@ function toFormData(obj, formData, options) {
     isVisitable: isVisitable
   });
 
-  function build(value, path) {
+  function build(value, path, depth) {
     if (utils.isUndefined(value)) return;
 
+    // eslint-disable-next-line no-param-reassign
+    depth = depth || 0;
+
+    if (depth > maxDepth) {
+      throw new AxiosError_1(
+        'Maximum object depth of ' + maxDepth + ' exceeded (got ' + depth + ' levels)',
+        AxiosError_1.ERR_FORM_DATA_DEPTH_EXCEEDED
+      );
+    }
+
     if (stack.indexOf(value) !== -1) {
       throw Error('Circular reference detected in ' + path.join('.'));
     }
@@ -792,7 +911,7 @@ function toFormData(obj, formData, options) {
       );
 
       if (result === true) {
-        build(el, path ? path.concat(key) : [key]);
+        build(el, path ? path.concat(key) : [key], depth + 1);
       }
     });
 
@@ -803,7 +922,7 @@ function toFormData(obj, formData, options) {
     throw new TypeError('data must be an object');
   }
 
-  build(obj);
+  build(obj, null, 0);
 
   return formData;
 }
@@ -811,18 +930,22 @@ function toFormData(obj, formData, options) {
 var toFormData_1 = toFormData;
 
 function encode$1(str) {
+  // Do not map `%00` back to a raw null byte: that reversed
+  // the safe percent-encoding from encodeURIComponent and enabled null byte injection.
   var charMap = {
     '!': '%21',
     "'": '%27',
     '(': '%28',
     ')': '%29',
     '~': '%7E',
-    '%20': '+',
-    '%00': '\x00'
+    '%20': '+'
   };
-  return encodeURIComponent(str).replace(/[!'\(\)~]|%20|%00/g, function replacer(match) {
-    return charMap[match];
-  });
+  return encodeURIComponent(str).replace(
+    /[!'\(\)~]|%20/g,
+    function replacer(match) {
+      return charMap[match];
+    }
+  );
 }
 
 function AxiosURLSearchParams(params, options) {
@@ -838,13 +961,17 @@ prototype.append = function append(name, value) {
 };
 
 prototype.toString = function toString(encoder) {
-  var _encode = encoder ? function(value) {
-    return encoder.call(this, value, encode$1);
-  } : encode$1;
+  var _encode = encoder
+    ? function(value) {
+      return encoder.call(this, value, encode$1);
+    }
+    : encode$1;
 
-  return this._pairs.map(function each(pair) {
-    return _encode(pair[0]) + '=' + _encode(pair[1]);
-  }, '').join('&');
+  return this._pairs
+    .map(function each(pair) {
+      return _encode(pair[0]) + '=' + _encode(pair[1]);
+    }, '')
+    .join('&');
 };
 
 var AxiosURLSearchParams_1 = AxiosURLSearchParams;
@@ -1127,8 +1254,21 @@ var cookies = (
         },
 
         read: function read(name) {
-          var match = document.cookie.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
-          return (match ? decodeURIComponent(match[3]) : null);
+          var nameEQ = name + '=';
+          var cookies = document.cookie.split(';');
+          var cookie;
+
+          for (var i = 0; i < cookies.length; i++) {
+            cookie = cookies[i];
+            while (cookie.charAt(0) === ' ') {
+              cookie = cookie.substring(1);
+            }
+            if (cookie.indexOf(nameEQ) === 0) {
+              return decodeURIComponent(cookie.substring(nameEQ.length));
+            }
+          }
+
+          return null;
         },
 
         remove: function remove(name) {
@@ -1337,7 +1477,10 @@ var xhr = function xhrAdapter(config) {
     var requestData = config.data;
     var requestHeaders = config.headers;
     var responseType = config.responseType;
-    var withXSRFToken = config.withXSRFToken;
+    // Guard against prototype pollution: only honor own properties.
+    var withXSRFToken = utils.hasOwnProperty(config, 'withXSRFToken')
+      ? config.withXSRFToken
+      : undefined;
     var onCanceled;
     function done() {
       if (config.cancelToken) {
@@ -1358,13 +1501,23 @@ var xhr = function xhrAdapter(config) {
     // HTTP basic authentication
     if (config.auth) {
       var username = config.auth.username || '';
-      var password = config.auth.password ? unescape(encodeURIComponent(config.auth.password)) : '';
+      var password = config.auth.password
+        ? unescape(encodeURIComponent(config.auth.password))
+        : '';
       requestHeaders.Authorization = 'Basic ' + btoa(username + ':' + password);
     }
 
-    var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
+    var fullPath = buildFullPath(
+      config.baseURL,
+      config.url,
+      config.allowAbsoluteUrls
+    );
 
-    request.open(config.method.toUpperCase(), buildURL(fullPath, config.params, config.paramsSerializer), true);
+    request.open(
+      config.method.toUpperCase(),
+      buildURL(fullPath, config.params, config.paramsSerializer),
+      true
+    );
 
     // Set the request timeout in MS
     request.timeout = config.timeout;
@@ -1374,9 +1527,14 @@ var xhr = function xhrAdapter(config) {
         return;
       }
       // Prepare the response
-      var responseHeaders = 'getAllResponseHeaders' in request ? parseHeaders(request.getAllResponseHeaders()) : null;
-      var responseData = !responseType || responseType === 'text' ||  responseType === 'json' ?
-        request.responseText : request.response;
+      var responseHeaders =
+        'getAllResponseHeaders' in request
+          ? parseHeaders(request.getAllResponseHeaders())
+          : null;
+      var responseData =
+        !responseType || responseType === 'text' || responseType === 'json'
+          ? request.responseText
+          : request.response;
       var response = {
         data: responseData,
         status: request.status,
@@ -1386,13 +1544,17 @@ var xhr = function xhrAdapter(config) {
         request: request
       };
 
-      settle(function _resolve(value) {
-        resolve(value);
-        done();
-      }, function _reject(err) {
-        reject(err);
-        done();
-      }, response);
+      settle(
+        function _resolve(value) {
+          resolve(value);
+          done();
+        },
+        function _reject(err) {
+          reject(err);
+          done();
+        },
+        response
+      );
 
       // Clean up request
       request = null;
@@ -1412,7 +1574,10 @@ var xhr = function xhrAdapter(config) {
         // handled by onerror instead
         // With one exception: request that using file: protocol, most browsers
         // will return status as 0 even though it's a successful request
-        if (request.status === 0 && !(request.responseURL && request.responseURL.indexOf('file:') === 0)) {
+        if (
+          request.status === 0 &&
+          !(request.responseURL && request.responseURL.indexOf('file:') === 0)
+        ) {
           return;
         }
         // readystate handler is calling before onerror or ontimeout handlers,
@@ -1427,7 +1592,14 @@ var xhr = function xhrAdapter(config) {
         return;
       }
 
-      reject(new AxiosError_1('Request aborted', AxiosError_1.ECONNABORTED, config, request));
+      reject(
+        new AxiosError_1(
+          'Request aborted',
+          AxiosError_1.ECONNABORTED,
+          config,
+          request
+        )
+      );
 
       // Clean up request
       request = null;
@@ -1437,7 +1609,14 @@ var xhr = function xhrAdapter(config) {
     request.onerror = function handleError() {
       // Real errors are hidden from us by the browser
       // onerror should only fire if it's a network error
-      reject(new AxiosError_1('Network Error', AxiosError_1.ERR_NETWORK, config, request));
+      reject(
+        new AxiosError_1(
+          'Network Error',
+          AxiosError_1.ERR_NETWORK,
+          config,
+          request
+        )
+      );
 
       // Clean up request
       request = null;
@@ -1445,16 +1624,23 @@ var xhr = function xhrAdapter(config) {
 
     // Handle timeout
     request.ontimeout = function handleTimeout() {
-      var timeoutErrorMessage = config.timeout ? 'timeout of ' + config.timeout + 'ms exceeded' : 'timeout exceeded';
+      var timeoutErrorMessage = config.timeout
+        ? 'timeout of ' + config.timeout + 'ms exceeded'
+        : 'timeout exceeded';
       var transitional$1 = config.transitional || transitional;
       if (config.timeoutErrorMessage) {
         timeoutErrorMessage = config.timeoutErrorMessage;
       }
-      reject(new AxiosError_1(
-        timeoutErrorMessage,
-        transitional$1.clarifyTimeoutError ? AxiosError_1.ETIMEDOUT : AxiosError_1.ECONNABORTED,
-        config,
-        request));
+      reject(
+        new AxiosError_1(
+          timeoutErrorMessage,
+          transitional$1.clarifyTimeoutError
+            ? AxiosError_1.ETIMEDOUT
+            : AxiosError_1.ECONNABORTED,
+          config,
+          request
+        )
+      );
 
       // Clean up request
       request = null;
@@ -1465,10 +1651,19 @@ var xhr = function xhrAdapter(config) {
     // Specifically not if we're in a web worker, or react-native.
     if (utils.isStandardBrowserEnv()) {
       // Add xsrf header
-      withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(config));
-      if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
+      if (utils.isFunction(withXSRFToken)) {
+        withXSRFToken = withXSRFToken(config);
+      }
+      // Strict boolean check: only `true` short-circuits the same-origin guard.
+      if (
+        withXSRFToken === true ||
+        (withXSRFToken !== false && isURLSameOrigin(fullPath))
+      ) {
         // Add xsrf header
-        var xsrfValue = config.xsrfHeaderName && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
+        var xsrfValue =
+          config.xsrfHeaderName &&
+          config.xsrfCookieName &&
+          cookies.read(config.xsrfCookieName);
         if (xsrfValue) {
           requestHeaders[config.xsrfHeaderName] = xsrfValue;
         }
@@ -1478,7 +1673,10 @@ var xhr = function xhrAdapter(config) {
     // Add headers to the request
     if ('setRequestHeader' in request) {
       utils.forEach(requestHeaders, function setRequestHeader(val, key) {
-        if (typeof requestData === 'undefined' && key.toLowerCase() === 'content-type') {
+        if (
+          typeof requestData === 'undefined' &&
+          key.toLowerCase() === 'content-type'
+        ) {
           // Remove Content-Type if data is undefined
           delete requestHeaders[key];
         } else {
@@ -1515,30 +1713,46 @@ var xhr = function xhrAdapter(config) {
         if (!request) {
           return;
         }
-        reject(!cancel || cancel.type ? new CanceledError_1(null, config, request) : cancel);
+        reject(
+          !cancel || cancel.type
+            ? new CanceledError_1(null, config, request)
+            : cancel
+        );
         request.abort();
         request = null;
       };
 
       config.cancelToken && config.cancelToken.subscribe(onCanceled);
       if (config.signal) {
-        config.signal.aborted ? onCanceled() : config.signal.addEventListener('abort', onCanceled);
+        config.signal.aborted
+          ? onCanceled()
+          : config.signal.addEventListener('abort', onCanceled);
       }
     }
 
     // false, 0 (zero number), and '' (empty string) are valid JSON values
-    if (!requestData && requestData !== false && requestData !== 0 && requestData !== '') {
+    if (
+      !requestData &&
+      requestData !== false &&
+      requestData !== 0 &&
+      requestData !== ''
+    ) {
       requestData = null;
     }
 
     var protocol = parseProtocol(fullPath);
 
     if (protocol && platform.protocols.indexOf(protocol) === -1) {
-      reject(new AxiosError_1('Unsupported protocol ' + protocol + ':', AxiosError_1.ERR_BAD_REQUEST, config));
+      reject(
+        new AxiosError_1(
+          'Unsupported protocol ' + protocol + ':',
+          AxiosError_1.ERR_BAD_REQUEST,
+          config
+        )
+      );
       return;
     }
 
-
     // Send the request
     request.send(requestData);
   });
@@ -1624,17 +1838,20 @@ var defaults = {
     var isFileList;
 
     if (isObjectPayload) {
+      var formSerializer = utils.hasOwnProperty(this, 'formSerializer') ? this.formSerializer : undefined;
+      var envOption = utils.hasOwnProperty(this, 'env') ? this.env : undefined;
+
       if (contentType.indexOf('application/x-www-form-urlencoded') !== -1) {
-        return toURLEncodedForm(data, this.formSerializer).toString();
+        return toURLEncodedForm(data, formSerializer).toString();
       }
 
       if ((isFileList = utils.isFileList(data)) || contentType.indexOf('multipart/form-data') > -1) {
-        var _FormData = this.env && this.env.FormData;
+        var _FormData = envOption && envOption.FormData;
 
         return toFormData_1(
           isFileList ? {'files[]': data} : data,
           _FormData && new _FormData(),
-          this.formSerializer
+          formSerializer
         );
       }
     }
@@ -1683,6 +1900,8 @@ var defaults = {
   maxContentLength: -1,
   maxBodyLength: -1,
 
+  redact: defaultRedactKeys.slice(),
+
   env: {
     FormData: platform.classes.FormData,
     Blob: platform.classes.Blob
@@ -1789,11 +2008,16 @@ var dispatchRequest = function dispatchRequest(config) {
   normalizeHeaderName(config.headers, 'Content-Type');
 
   // Flatten headers
-  config.headers = utils.merge(
-    config.headers.common || {},
-    config.headers[config.method] || {},
-    config.headers
-  );
+  var commonHeaders = utils.hasOwnProperty(config.headers, 'common') && config.headers.common
+    ? config.headers.common
+    : {};
+  var methodHeaders = config.method &&
+    utils.hasOwnProperty(config.headers, config.method) &&
+    config.headers[config.method]
+    ? config.headers[config.method]
+    : {};
+
+  config.headers = utils.merge(commonHeaders, methodHeaders, config.headers);
 
   utils.forEach(
     ['delete', 'get', 'head', 'post', 'put', 'patch', 'common'],
@@ -1852,7 +2076,17 @@ var dispatchRequest = function dispatchRequest(config) {
 var mergeConfig = function mergeConfig(config1, config2) {
   // eslint-disable-next-line no-param-reassign
   config2 = config2 || {};
-  var config = {};
+  // Use a null-prototype object so a polluted Object.prototype cannot leak
+  // values (e.g. transport, adapter) into the returned config via inheritance.
+  var config = Object.create(null);
+
+  function getOwn(source, prop) {
+    return utils.hasOwnProperty(source, prop) ? source[prop] : undefined;
+  }
+
+  function hasOwn(source, prop) {
+    return utils.hasOwnProperty(source, prop);
+  }
 
   function getMergedValue(target, source) {
     if (utils.isPlainObject(target) && utils.isPlainObject(source)) {
@@ -1869,34 +2103,34 @@ var mergeConfig = function mergeConfig(config1, config2) {
 
   // eslint-disable-next-line consistent-return
   function mergeDeepProperties(prop) {
-    if (!utils.isUndefined(config2[prop])) {
-      return getMergedValue(config1[prop], config2[prop]);
-    } else if (!utils.isUndefined(config1[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
+      return getMergedValue(getOwn(config1, prop), config2[prop]);
+    } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function valueFromConfig2(prop) {
-    if (!utils.isUndefined(config2[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
       return getMergedValue(undefined, config2[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function defaultToConfig2(prop) {
-    if (!utils.isUndefined(config2[prop])) {
+    if (hasOwn(config2, prop) && !utils.isUndefined(config2[prop])) {
       return getMergedValue(undefined, config2[prop]);
-    } else if (!utils.isUndefined(config1[prop])) {
+    } else if (hasOwn(config1, prop) && !utils.isUndefined(config1[prop])) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
 
   // eslint-disable-next-line consistent-return
   function mergeDirectKeys(prop) {
-    if (prop in config2) {
-      return getMergedValue(config1[prop], config2[prop]);
-    } else if (prop in config1) {
+    if (hasOwn(config2, prop)) {
+      return getMergedValue(getOwn(config1, prop), config2[prop]);
+    } else if (hasOwn(config1, prop)) {
       return getMergedValue(undefined, config1[prop]);
     }
   }
@@ -1928,6 +2162,7 @@ var mergeConfig = function mergeConfig(config1, config2) {
     'httpsAgent': defaultToConfig2,
     'cancelToken': defaultToConfig2,
     'socketPath': defaultToConfig2,
+    'allowedSocketPaths': defaultToConfig2,
     'responseEncoding': defaultToConfig2,
     'validateStatus': mergeDirectKeys
   };
@@ -1945,7 +2180,7 @@ var mergeConfig = function mergeConfig(config1, config2) {
 };
 
 var data = {
-  "version": "0.31.0"
+  "version": "0.32.0"
 };
 
 var VERSION = data.version;