axios 0.31.1 → 0.33.0

package/AGENTS.md

@@ -0,0 +1,38 @@
+# AGENTS.md
+
+## Setup
+- Use npm here; `package-lock.json` is committed and CI installs with `npm ci --ignore-scripts`.
+- `mise.toml` pins local Node 20, but CI runs Node 12, 14, 16, 18, 20, 22, and 24; keep `lib/` source compatible with old CommonJS-era syntax and runtime assumptions.
+- CI order is `npm ci --ignore-scripts`, `npm run build`, then `npm test`.
+
+## Commands
+- `npm run build`: runs `grunt build`, which cleans `dist/` and uses Rollup from `lib/axios.js` to create `dist/axios*.js` and `dist/esm/axios*.js`.
+- `npm test`: runs JS tests and declaration tests through `bin/ssl_hotfix.js`; use this full command on Node >16 so old tooling gets `NODE_OPTIONS=--openssl-legacy-provider`.
+- `node bin/ssl_hotfix.js ./node_modules/.bin/grunt test`: JS-only verification, running ESLint on `lib/**/*.js`, Mocha on `test/unit/**/*.js`, and Karma on `test/specs/**/*.spec.js`.
+- `./node_modules/.bin/mocha --timeout 30000 test/unit/<path>.js`: run one Node/Mocha unit test file without Karma or dtslint.
+- `node bin/ssl_hotfix.js ./node_modules/.bin/grunt karma:single`: run the browser suite only.
+- `node bin/ssl_hotfix.js ./node_modules/.bin/dtslint --localTs node_modules/typescript/lib`: run the declaration tests in `test/typescript/axios.ts`.
+- `npm run fix`: ESLint autofix for `lib/**/*.js` only.
+
+## Structure
+- Package entry is `index.js` -> `lib/axios.js`; the TypeScript surface is the root `index.d.ts`.
+- `lib/defaults/index.js` chooses the runtime adapter: `lib/adapters/xhr.js` for browsers and `lib/adapters/http.js` for Node.
+- Browser bundlers also rely on `package.json` `browser` mappings from `./lib/adapters/http.js` to `./lib/adapters/xhr.js` and from `./lib/platform/node/index.js` to `./lib/platform/browser/index.js`.
+- `lib/env/data.js` stores the package version and is generated by `grunt version` or `npm run preversion`; do not edit it except as part of a version bump.
+- `grunt build` uses `rollup.config.js`; `webpack.config.js` is not the package build path, while Karma has its own webpack config inside `karma.conf.js`.
+
+## Tests
+- Node tests live in `test/unit/**/*.js` and use Mocha plus Node `assert`.
+- Browser tests live in `test/specs/**/*.spec.js` and use Jasmine/Jasmine-Ajax; globals such as `axios` and `getAjaxRequest` come from `test/specs/__helpers.js`.
+- Karma defaults to `FirefoxHeadless` and `ChromeHeadless` whenever `process.env.GITHUB_ACTIONS !== 'false'`, including when the variable is unset; set `GITHUB_ACTIONS=false` only if you need non-headless local browsers.
+- There is no committed single-browser-spec target; do not leave `fdescribe`, `fit`, or `.only` in tests.
+- Declaration changes should update both `index.d.ts` and `test/typescript/axios.ts`, then run the dtslint command above.
+
+## Source Conventions
+- `lib/` is CommonJS with `'use strict'`, `var`, semicolons, 2-space indentation, and no trailing commas; ESLint only checks `lib/**/*.js`.
+- Public API behavior usually needs README docs, TypeScript declarations, and declaration tests updated together.
+- Adapter or platform changes usually need both Node and browser paths considered, including Mocha coverage for `http.js` behavior and Karma coverage for `xhr.js` behavior.
+
+## Node 12+ Compatibility
+- All shipped code AND test code must run on Node 12 through Node 24. CI runs the full matrix, so a test that only works on Node 16+ will break the build. Avoid `??`, `?.`, top-level `await`, private class fields, `Array.prototype.at`, `structuredClone`, etc. in both `lib/` and `test/`.
+- Be wary of `Object.prototype` pollution tests on Node 12/14: setting `Object.prototype.get` (or `set`) before any code that calls `Object.defineProperty` with a value-only descriptor will throw `TypeError: Getter must be a function`, because the descriptor inherits the polluted property. Construct servers/clients first, pre-load any lazy-required Node internals (e.g. `require('dns')`), then apply the pollution.

package/CHANGELOG.md

@@ -1,6 +1,148 @@
 # Changelog
 
-## [0.30.0](https://github.com/axios/axios/compare/v0.29.0...v0.30.0) (2025-03-26)
+## v0.32.0 — May 4, 2026
+
+This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.
+
+## ⚠️ Breaking Changes & Deprecations
+
+- Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)
+
+## 🔒 Security Fixes
+
+- Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
+- Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
+- Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
+- Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
+- Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
+- URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
+- Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)
+
+## 🔧 Maintenance & Chores
+
+- Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)
+
+[**Full Changelog**](https://github.com/axios/axios/compare/v0.31.1...v0.32.0)
+
+## 0.31.1 (2024-12-19)
+
+This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed `dist/` artefacts along with Bower support.
+
+## ⚠️ Breaking Changes & Deprecations
+
+* **Bower & Committed `dist/` Removed:** `dist/` bundles are no longer committed to the repo, and `bower.json` plus the Grunt `package2bower` task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (__#10747__)
+
+## 🔒 Security Fixes
+
+* **Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9):** Tightened `isFormData` to reject plain/null-prototype objects and require `append`, and guarded the Node HTTP adapter so `data.getHeaders()` is only merged when it is not inherited from `Object.prototype`. Blocks injected headers via polluted `getHeaders`. (__#10750__)
+* **Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf):** `mergeConfig`, defaults resolution, and the HTTP adapter now uses own-property checks for `transport`, `env`, `Blob`, `formSerializer`, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (__#10752__)
+* **FormData / Params Recursion DoS:** Added a configurable `maxDepth` (default `100`, `Infinity` disables) to `toFormData` and params serialisation, throwing `AxiosError` with code `ERR_FORM_DATA_DEPTH_EXCEEDED` when exceeded. Circular-reference detection is preserved. (__#10728__)
+* **Null-Byte Injection in Query Strings:** Removed the unsafe `%00` → null-byte substitution from `AxiosURLSearchParams.encode` so `%00` is preserved as-is. Other encoding behaviour (including `%20` → `+`) unchanged. (__#10737__)
+* **Consolidated v1 Security Backport:** Rolls up remaining v1 hardenings into `v0.x`: `maxContentLength` enforcement for `responseType: 'stream'` via a guarded transform with deferred piping, `maxBodyLength` enforcement for streamed uploads on native `http`/`https` with `maxRedirects: 0`, and stricter `withXSRFToken` handling so only own boolean `true` enables cross-origin XSRF headers. (__#10764__)
+
+## 🔧 Maintenance & Chores
+
+* **CODEOWNERS:** Added `.github/CODEOWNERS` with `* @jasonsaayman` to set a default reviewer for all paths. (__#10740__)
+
+[Full Changelog](https://github.com/axios/axios/compare/v0.31.0...v0.31.1)
+
+## 0.31.0 (2024-12-17)
+
+This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and `zizmor` scanning, resolves TypeScript typing issues in `AxiosInstance`, and fixes a performance regression in `isEmptyObject()`.
+
+## 🔒 Security Fixes
+
+* **Header Injection & Proxy Bypass:** Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper `NO_PROXY`/`no_proxy` enforcement covering wildcards, explicit ports, loopback aliases (`localhost`, `127.0.0.1`, `::1`), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and `parsed.host` is used for correct port and IPv6 handling. (__#10688__)
+
+* **CI Security:** SHA-pins all actions and disables credential persistence in v0.x CI, introduces `zizmor` security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required `npm-publish` GitHub Environment with configurable reviewer protections. (__#10638__, __#10639__, __#10667__)
+
+## 🐛 Bug Fixes
+
+* **TypeScript — `AxiosInstance` Return Types:** Fixes return types in `AxiosInstance` methods to correctly resolve to `Promise<R>` (matching `AxiosPromise<T>` semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (__#6253__, __#7328__)
+
+* **Performance:** Fixes a performance regression in `isEmptyObject()` that caused excessive computation when the argument was a large string. (__#6484__)
+
+## 🔧 Maintenance & Chores
+
+* **Versioning & CI Workflow:** Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (__#10690__, __#10691__, __#10692__)
+
+## 🌟 New Contributors
+
+We are thrilled to welcome our new contributors. Thank you for helping improve axios:
+
+* __@nakataki17__ (__#6253__)
+* __@gmasclet__ (__#6484__)
+* __@shaanmajid__ (__#10638__, __#10639__, __#10667__)
+* __@ivan-churakov__ (__#7328__)
+
+[Full Changelog](https://github.com/axios/axios/compare/v0.30.3...v0.31.0)
+
+## 0.30.3 (2024-12-10)
+
+This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).
+
+Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.
+
+## 🛡️ Security Fixes
+
+- **Backport: Fix DoS via __proto__ key in merge config**
+  - Patched a vulnerability where specifically crafted configuration objects using the __proto__ key could cause a Denial of Service during the merge process. - _by @FeBe95 in [PR #7388](https://github.com/axios/axios/pull/7388)_
+
+## ⚙️ Maintenance & CI
+
+- **CI Infrastructure Update**
+  - Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - _by @jasonsaayman in [PR #7407](https://github.com/axios/axios/pull/7407)_
+
+## ⚠️ Breaking Changes
+
+Configuration Merging Behavior:
+
+As part of the security fix, Axios now restricts the merging of the __proto__ key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.
+
+Full Changelog: [v0.30.2...v0.30.3](https://github.com/axios/axios/compare/v0.30.2...v0.30.3)
+
+## 0.30.2 (2024-11-28)
+
+## What's Changed
+* Backport `maxContentLength` vulnerability fix to v0.x by @FeBe95 in https://github.com/axios/axios/pull/7034
+
+## New Contributors
+* @FeBe95 made their first contribution in https://github.com/axios/axios/pull/7034
+
+**Full Changelog**: https://github.com/axios/axios/compare/v0.30.1...v0.30.2
+
+## 0.30.1 (2024-11-27)
+
+## Release notes:
+
+### Bug Fixes
+* chore(deps): bump form-data from 4.0.0 to 4.0.4 for v0.x by @wolandec in https://github.com/axios/axios/pull/6978
+
+### Contributors to this release
+* @wolandec made their first contribution in https://github.com/axios/axios/pull/6978
+
+**Full Changelog**: https://github.com/axios/axios/compare/v0.30.0...v0.30.1
+
+## 0.30.0 (2024-11-21)
+
+## Release notes:
+
+### Bug Fixes
+* fix: modify log while request is aborted by @mori5321 in https://github.com/axios/axios/pull/4917
+* fix: update CHANGELOG.md for v0.x by @TehZarathustra in https://github.com/axios/axios/pull/6271
+* fix: modify upgrade guide for 0.28.1's breaking change by @nafeger in https://github.com/axios/axios/pull/6787
+* fix: backport allowAbsoluteUrls vulnerability fix to v0.x by @thatguyinabeanie in https://github.com/axios/axios/pull/6829
+* fix: add allowAbsoluteUrls type by @thatguyinabeanie in https://github.com/axios/axios/pull/6849
+
+### Contributors to this release
+* @mori5321 made their first contribution in https://github.com/axios/axios/pull/4917
+* @TehZarathustra made their first contribution in https://github.com/axios/axios/pull/6271
+* @nafeger made their first contribution in https://github.com/axios/axios/pull/6787
+* @thatguyinabeanie made their first contribution in https://github.com/axios/axios/pull/6829
+
+**Full Changelog**: https://github.com/axios/axios/compare/v0.29.0...v0.30.0
+
+## 0.29.0 (2024-11-21)
 
 ## Release notes:
 
@@ -14,6 +156,8 @@
 
 ## [0.29.0](https://github.com/axios/axios/compare/v0.28.1...v0.29.0) (2024-11-21)
 
+## 0.28.1 (2024-03-24)
+
 ## Release notes:
 
 ### Bug Fixes
@@ -25,6 +169,8 @@
 
 ## [0.28.1](https://github.com/axios/axios/compare/v0.28.0...v0.28.1) (2024-03-24)
 
+## 0.28.0 (2024-02-12)
+
 ## Release notes:
 
 ### Bug Fixes

package/CLAUDE.md

@@ -0,0 +1 @@
+@AGENTS.md

package/README.md

@@ -331,14 +331,14 @@ These are the available config options for making requests. Only the `url` is re
   // `params` are the URL parameters to be sent with the request
   // Must be a plain object or a URLSearchParams object
   // Null bytes in param values stay percent-encoded as `%00` in the resulting query string
-  // (GHSA-xhjh-pmcv-23jw) — Axios does not reverse `encodeURIComponent` output for `%00`,
+  // Axios does not reverse `encodeURIComponent` output for `%00`,
   // so null-byte injection cannot be smuggled through the serializer.
   params: {
     ID: 12345
   },
 
   // `paramsSerializer` is an optional config in charge of serializing `params`
-  // Nested objects are walked with a bounded recursion depth (GHSA-62hf-57xw-28j9):
+  // Nested objects are walked with a bounded recursion depth:
   // once `maxDepth` is exceeded the serializer throws `ERR_FORM_DATA_DEPTH_EXCEEDED`
   // instead of overflowing the call stack. The same cap applies to `toFormData` when
   // `Content-Type: multipart/form-data` triggers automatic FormData serialization.
@@ -404,7 +404,7 @@ These are the available config options for making requests. Only the `url` is re
   // `undefined` (default) - set XSRF header only for the same origin requests
   // Only an explicit `true` (own property on the config) will add the XSRF header for
   // cross-origin requests. Values inherited from `Object.prototype` are ignored
-  // (GHSA-xx6v-rp6x-q39c), so a polluted prototype cannot silently enable the token.
+  // so a polluted prototype cannot silently enable the token.
   withXSRFToken: boolean | undefined | ((config: AxiosRequestConfig) => boolean | undefined),
 
   // `onUploadProgress` allows handling of progress events for uploads
@@ -421,7 +421,7 @@ These are the available config options for making requests. Only the `url` is re
 
   // `maxContentLength` defines the max size of the http response content in bytes allowed in node.js
   // Also enforced on streamed responses (`responseType: 'stream'`): bytes are counted as they
-  // arrive and the stream is aborted with an error once the cap is exceeded (GHSA-vf2m-468p-8v99).
+  // arrive and the stream is aborted with an error once the cap is exceeded.
   maxContentLength: 2000,
 
   // `maxBodyLength` (Node only option) defines the max size of the http request content in bytes allowed
@@ -429,6 +429,18 @@ These are the available config options for making requests. Only the `url` is re
   // once the cap is exceeded, even when the native http transport is used directly.
   maxBodyLength: 2000,
 
+  // `formDataHeaderPolicy` controls which headers the Node adapter copies from
+  // FormData `getHeaders()`.
+  // 'legacy' (default) copies all returned headers for v1 compatibility.
+  // 'content-only' copies only Content-Type and Content-Length.
+  formDataHeaderPolicy: 'legacy',
+
+  // `redact` masks matching config keys when AxiosError#toJSON() is called.
+  // Matching is case-insensitive and recursive. It does not change the request.
+  // An empty array is treated as "no override" and falls back to the defaults so
+  // an accidental `redact: []` cannot silently disable redaction.
+  redact: ['authorization', 'password'],
+
   // `validateStatus` defines whether to resolve or reject the promise for a given
   // HTTP response status code. If `validateStatus` returns `true` (or is set to `null`
   // or `undefined`), the promise will be resolved; otherwise, the promise will be
@@ -454,10 +466,18 @@ These are the available config options for making requests. Only the `url` is re
 
   // `socketPath` defines a UNIX Socket to be used in node.js.
   // e.g. '/var/run/docker.sock' to send requests to the docker daemon.
+  // Avoid passing user-controlled values because socket paths bypass host,
+  // port, DNS, and proxy controls.
   // Only either `socketPath` or `proxy` can be specified.
   // If both are specified, `socketPath` is used.
   socketPath: null, // default
 
+  // `allowedSocketPaths` constrains `socketPath` to known-safe Unix sockets.
+  // Use this when config can include partially user-controlled input.
+  // Set to a string or array of strings. An empty array denies all socket paths.
+  // Set to `null` on a request to clear an instance-level allowlist.
+  allowedSocketPaths: null, // default
+
   // `httpAgent` and `httpsAgent` define a custom agent to be used when performing http
   // and https requests, respectively, in node.js. This allows options to be added like
   // `keepAlive` that are not enabled by default.