axios 0.31.1 → 0.32.0

package/AGENTS.md

@@ -0,0 +1,38 @@
+# AGENTS.md
+
+## Setup
+- Use npm here; `package-lock.json` is committed and CI installs with `npm ci --ignore-scripts`.
+- `mise.toml` pins local Node 20, but CI runs Node 12, 14, 16, 18, 20, 22, and 24; keep `lib/` source compatible with old CommonJS-era syntax and runtime assumptions.
+- CI order is `npm ci --ignore-scripts`, `npm run build`, then `npm test`.
+
+## Commands
+- `npm run build`: runs `grunt build`, which cleans `dist/` and uses Rollup from `lib/axios.js` to create `dist/axios*.js` and `dist/esm/axios*.js`.
+- `npm test`: runs JS tests and declaration tests through `bin/ssl_hotfix.js`; use this full command on Node >16 so old tooling gets `NODE_OPTIONS=--openssl-legacy-provider`.
+- `node bin/ssl_hotfix.js ./node_modules/.bin/grunt test`: JS-only verification, running ESLint on `lib/**/*.js`, Mocha on `test/unit/**/*.js`, and Karma on `test/specs/**/*.spec.js`.
+- `./node_modules/.bin/mocha --timeout 30000 test/unit/<path>.js`: run one Node/Mocha unit test file without Karma or dtslint.
+- `node bin/ssl_hotfix.js ./node_modules/.bin/grunt karma:single`: run the browser suite only.
+- `node bin/ssl_hotfix.js ./node_modules/.bin/dtslint --localTs node_modules/typescript/lib`: run the declaration tests in `test/typescript/axios.ts`.
+- `npm run fix`: ESLint autofix for `lib/**/*.js` only.
+
+## Structure
+- Package entry is `index.js` -> `lib/axios.js`; the TypeScript surface is the root `index.d.ts`.
+- `lib/defaults/index.js` chooses the runtime adapter: `lib/adapters/xhr.js` for browsers and `lib/adapters/http.js` for Node.
+- Browser bundlers also rely on `package.json` `browser` mappings from `./lib/adapters/http.js` to `./lib/adapters/xhr.js` and from `./lib/platform/node/index.js` to `./lib/platform/browser/index.js`.
+- `lib/env/data.js` stores the package version and is generated by `grunt version` or `npm run preversion`; do not edit it except as part of a version bump.
+- `grunt build` uses `rollup.config.js`; `webpack.config.js` is not the package build path, while Karma has its own webpack config inside `karma.conf.js`.
+
+## Tests
+- Node tests live in `test/unit/**/*.js` and use Mocha plus Node `assert`.
+- Browser tests live in `test/specs/**/*.spec.js` and use Jasmine/Jasmine-Ajax; globals such as `axios` and `getAjaxRequest` come from `test/specs/__helpers.js`.
+- Karma defaults to `FirefoxHeadless` and `ChromeHeadless` whenever `process.env.GITHUB_ACTIONS !== 'false'`, including when the variable is unset; set `GITHUB_ACTIONS=false` only if you need non-headless local browsers.
+- There is no committed single-browser-spec target; do not leave `fdescribe`, `fit`, or `.only` in tests.
+- Declaration changes should update both `index.d.ts` and `test/typescript/axios.ts`, then run the dtslint command above.
+
+## Source Conventions
+- `lib/` is CommonJS with `'use strict'`, `var`, semicolons, 2-space indentation, and no trailing commas; ESLint only checks `lib/**/*.js`.
+- Public API behavior usually needs README docs, TypeScript declarations, and declaration tests updated together.
+- Adapter or platform changes usually need both Node and browser paths considered, including Mocha coverage for `http.js` behavior and Karma coverage for `xhr.js` behavior.
+
+## Node 12+ Compatibility
+- All shipped code AND test code must run on Node 12 through Node 24. CI runs the full matrix, so a test that only works on Node 16+ will break the build. Avoid `??`, `?.`, top-level `await`, private class fields, `Array.prototype.at`, `structuredClone`, etc. in both `lib/` and `test/`.
+- Be wary of `Object.prototype` pollution tests on Node 12/14: setting `Object.prototype.get` (or `set`) before any code that calls `Object.defineProperty` with a value-only descriptor will throw `TypeError: Getter must be a function`, because the descriptor inherits the polluted property. Construct servers/clients first, pre-load any lazy-required Node internals (e.g. `require('dns')`), then apply the pollution.

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## Unreleased
+
+### Notable behavior changes
+
+- `utils.merge` (used internally by `mergeConfig` and to merge request headers) now returns objects with a `null` prototype to harden against prototype-pollution gadgets. As a result, `error.config`, `error.config.headers`, and any merged header bucket no longer inherit from `Object.prototype`. Two consequences:
+  - `obj.hasOwnProperty(key)` on a merged config or header object throws `TypeError: obj.hasOwnProperty is not a function`. Use `Object.prototype.hasOwnProperty.call(obj, key)` or `key in obj` instead.
+  - Implicit string coercion (e.g. `String(obj)`, `'' + obj`, or any path that calls `ToPrimitive`) throws `TypeError: Cannot convert object to primitive value` because there is no inherited `toString`. Coerce explicitly via `JSON.stringify(obj)` or by reading individual properties.
+
+  Property access (`obj[key]`), enumeration, and `JSON.stringify` are unaffected.
+
 ## [0.30.0](https://github.com/axios/axios/compare/v0.29.0...v0.30.0) (2025-03-26)
 
 ## Release notes:

package/CLAUDE.md

@@ -0,0 +1 @@
+@AGENTS.md

package/README.md

@@ -331,14 +331,14 @@ These are the available config options for making requests. Only the `url` is re
   // `params` are the URL parameters to be sent with the request
   // Must be a plain object or a URLSearchParams object
   // Null bytes in param values stay percent-encoded as `%00` in the resulting query string
-  // (GHSA-xhjh-pmcv-23jw) — Axios does not reverse `encodeURIComponent` output for `%00`,
+  // Axios does not reverse `encodeURIComponent` output for `%00`,
   // so null-byte injection cannot be smuggled through the serializer.
   params: {
     ID: 12345
   },
 
   // `paramsSerializer` is an optional config in charge of serializing `params`
-  // Nested objects are walked with a bounded recursion depth (GHSA-62hf-57xw-28j9):
+  // Nested objects are walked with a bounded recursion depth:
   // once `maxDepth` is exceeded the serializer throws `ERR_FORM_DATA_DEPTH_EXCEEDED`
   // instead of overflowing the call stack. The same cap applies to `toFormData` when
   // `Content-Type: multipart/form-data` triggers automatic FormData serialization.
@@ -404,7 +404,7 @@ These are the available config options for making requests. Only the `url` is re
   // `undefined` (default) - set XSRF header only for the same origin requests
   // Only an explicit `true` (own property on the config) will add the XSRF header for
   // cross-origin requests. Values inherited from `Object.prototype` are ignored
-  // (GHSA-xx6v-rp6x-q39c), so a polluted prototype cannot silently enable the token.
+  // so a polluted prototype cannot silently enable the token.
   withXSRFToken: boolean | undefined | ((config: AxiosRequestConfig) => boolean | undefined),
 
   // `onUploadProgress` allows handling of progress events for uploads
@@ -421,7 +421,7 @@ These are the available config options for making requests. Only the `url` is re
 
   // `maxContentLength` defines the max size of the http response content in bytes allowed in node.js
   // Also enforced on streamed responses (`responseType: 'stream'`): bytes are counted as they
-  // arrive and the stream is aborted with an error once the cap is exceeded (GHSA-vf2m-468p-8v99).
+  // arrive and the stream is aborted with an error once the cap is exceeded.
   maxContentLength: 2000,
 
   // `maxBodyLength` (Node only option) defines the max size of the http request content in bytes allowed
@@ -429,6 +429,18 @@ These are the available config options for making requests. Only the `url` is re
   // once the cap is exceeded, even when the native http transport is used directly.
   maxBodyLength: 2000,
 
+  // `formDataHeaderPolicy` controls which headers the Node adapter copies from
+  // FormData `getHeaders()`.
+  // 'legacy' (default) copies all returned headers for v1 compatibility.
+  // 'content-only' copies only Content-Type and Content-Length.
+  formDataHeaderPolicy: 'legacy',
+
+  // `redact` masks matching config keys when AxiosError#toJSON() is called.
+  // Matching is case-insensitive and recursive. It does not change the request.
+  // An empty array is treated as "no override" and falls back to the defaults so
+  // an accidental `redact: []` cannot silently disable redaction.
+  redact: ['authorization', 'password'],
+
   // `validateStatus` defines whether to resolve or reject the promise for a given
   // HTTP response status code. If `validateStatus` returns `true` (or is set to `null`
   // or `undefined`), the promise will be resolved; otherwise, the promise will be
@@ -454,10 +466,18 @@ These are the available config options for making requests. Only the `url` is re
 
   // `socketPath` defines a UNIX Socket to be used in node.js.
   // e.g. '/var/run/docker.sock' to send requests to the docker daemon.
+  // Avoid passing user-controlled values because socket paths bypass host,
+  // port, DNS, and proxy controls.
   // Only either `socketPath` or `proxy` can be specified.
   // If both are specified, `socketPath` is used.
   socketPath: null, // default
 
+  // `allowedSocketPaths` constrains `socketPath` to known-safe Unix sockets.
+  // Use this when config can include partially user-controlled input.
+  // Set to a string or array of strings. An empty array denies all socket paths.
+  // Set to `null` on a request to clear an instance-level allowlist.
+  allowedSocketPaths: null, // default
+
   // `httpAgent` and `httpsAgent` define a custom agent to be used when performing http
   // and https requests, respectively, in node.js. This allows options to be added like
   // `keepAlive` that are not enabled by default.