axios 1.15.2 → 1.16.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +32 -6
- package/README.md +356 -20
- package/dist/axios.js +1389 -1071
- package/dist/axios.js.map +1 -1
- package/dist/axios.min.js +3 -3
- package/dist/axios.min.js.map +1 -1
- package/dist/browser/axios.cjs +1486 -1123
- package/dist/browser/axios.cjs.map +1 -1
- package/dist/esm/axios.js +1488 -1124
- package/dist/esm/axios.js.map +1 -1
- package/dist/esm/axios.min.js +2 -2
- package/dist/esm/axios.min.js.map +1 -1
- package/dist/node/axios.cjs +1230 -871
- package/dist/node/axios.cjs.map +1 -1
- package/index.d.cts +25 -13
- package/index.d.ts +21 -4
- package/index.js +2 -0
- package/lib/adapters/adapters.js +4 -2
- package/lib/adapters/fetch.js +126 -10
- package/lib/adapters/http.js +178 -59
- package/lib/adapters/xhr.js +6 -2
- package/lib/core/Axios.js +7 -3
- package/lib/core/AxiosError.js +86 -1
- package/lib/core/AxiosHeaders.js +3 -0
- package/lib/core/dispatchRequest.js +19 -7
- package/lib/core/mergeConfig.js +6 -3
- package/lib/core/settle.js +7 -11
- package/lib/defaults/index.js +1 -1
- package/lib/env/data.js +1 -1
- package/lib/helpers/buildURL.js +1 -1
- package/lib/helpers/cookies.js +14 -2
- package/lib/helpers/estimateDataURLDecodedBytes.js +28 -1
- package/lib/helpers/formDataToStream.js +1 -1
- package/lib/helpers/parseProtocol.js +1 -1
- package/lib/helpers/resolveConfig.js +33 -17
- package/lib/helpers/shouldBypassProxy.js +26 -1
- package/lib/helpers/validator.js +1 -1
- package/lib/utils.js +27 -15
- package/package.json +17 -24
package/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,32 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
-
## v1.15.
|
|
3
|
+
## v1.15.2 - April 21, 2026
|
|
4
|
+
|
|
5
|
+
This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in `allowedSocketPaths` allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.
|
|
6
|
+
|
|
7
|
+
## 🔒 Security Fixes
|
|
8
|
+
|
|
9
|
+
- **Prototype Pollution Hardening (HTTP Adapter):** Hardened the Node HTTP adapter and `resolveConfig`/`mergeConfig`/validator paths to read only own properties and use null-prototype config objects, preventing polluted `auth`, `baseURL`, `socketPath`, `beforeRedirect`, and `insecureHTTPParser` from influencing requests. (**#10779**)
|
|
10
|
+
- **SSRF via `socketPath`:** Rejects non-string `socketPath` values and adds an opt-in `allowedSocketPaths` config option to restrict permitted Unix domain socket paths, returning `AxiosError` `ERR_BAD_OPTION_VALUE` on mismatch. (**#10777**)
|
|
11
|
+
- **Supply-chain Hardening:** Added `.npmrc` with `ignore-scripts=true`, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded `SECURITY.md`/`THREATMODEL.md` with provenance verification (`npm audit signatures`), 60-day resolution policy, and maintainer incident-response runbook. (**#10776**)
|
|
12
|
+
|
|
13
|
+
## 🚀 New Features
|
|
14
|
+
|
|
15
|
+
- **`allowedSocketPaths` Config Option:** New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (**#10777**)
|
|
16
|
+
|
|
17
|
+
## 🐛 Bug Fixes
|
|
18
|
+
|
|
19
|
+
- **Keep-alive Socket Memory Leak:** Installs a single per-socket `error` listener tracking the active request via `kAxiosSocketListener`/`kAxiosCurrentReq`, eliminating per-request listener accumulation, `MaxListenersExceededWarning`, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (**#10788**)
|
|
20
|
+
|
|
21
|
+
## 🔧 Maintenance & Chores
|
|
22
|
+
|
|
23
|
+
- **Changelog:** Updated `CHANGELOG.md` with v1.15.1 release notes. (**#10781**)
|
|
24
|
+
|
|
25
|
+
[Full Changelog](https://github.com/axios/axios/compare/v1.15.1...v1.15.2)
|
|
26
|
+
|
|
27
|
+
---
|
|
28
|
+
|
|
29
|
+
## v1.15.1 - April 19, 2026
|
|
4
30
|
|
|
5
31
|
This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.
|
|
6
32
|
|
|
@@ -68,7 +94,7 @@ We are thrilled to welcome our new contributors. Thank you for helping improve a
|
|
|
68
94
|
|
|
69
95
|
---
|
|
70
96
|
|
|
71
|
-
## v1.15.0
|
|
97
|
+
## v1.15.0 - April 7, 2026
|
|
72
98
|
|
|
73
99
|
This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.
|
|
74
100
|
|
|
@@ -108,7 +134,7 @@ We are thrilled to welcome our new contributors. Thank you for helping improve a
|
|
|
108
134
|
|
|
109
135
|
---
|
|
110
136
|
|
|
111
|
-
## v1.14.0
|
|
137
|
+
## v1.14.0 - March 27, 2026
|
|
112
138
|
|
|
113
139
|
This release fixes a security vulnerability in the `formidable` dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.
|
|
114
140
|
|
|
@@ -146,7 +172,7 @@ We are thrilled to welcome our new contributors. Thank you for helping improve a
|
|
|
146
172
|
|
|
147
173
|
---
|
|
148
174
|
|
|
149
|
-
## v1.13.6
|
|
175
|
+
## v1.13.6 - February 27, 2026
|
|
150
176
|
|
|
151
177
|
This release adds React Native Blob support, fixes several enumeration and export regressions, and patches FormData detection for WeChat Mini Program environments.
|
|
152
178
|
|
|
@@ -182,7 +208,7 @@ We are thrilled to welcome our new contributors. Thank you for helping improve a
|
|
|
182
208
|
|
|
183
209
|
---
|
|
184
210
|
|
|
185
|
-
## v1.13.5
|
|
211
|
+
## v1.13.5 - February 8, 2026
|
|
186
212
|
|
|
187
213
|
This release patches a prototype pollution denial-of-service vulnerability, fixes a missing `status` field regression in `AxiosError`, adds interceptor ordering control, and introduces URL validation for `isAbsoluteURL`.
|
|
188
214
|
|
|
@@ -216,7 +242,7 @@ We are thrilled to welcome our new contributors. Thank you for helping improve a
|
|
|
216
242
|
|
|
217
243
|
---
|
|
218
244
|
|
|
219
|
-
## v1.13.4
|
|
245
|
+
## v1.13.4 - January 27, 2026
|
|
220
246
|
|
|
221
247
|
Patch release fixing regressions introduced in v1.13.3, including TypeScript export compatibility and CI/build stability.
|
|
222
248
|
|
package/README.md
CHANGED
|
@@ -1,32 +1,297 @@
|
|
|
1
|
-
<h3 align="center"
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
1
|
+
<h3 align="center">💎 Platinum sponsors <br /></h3>
|
|
2
|
+
<table align="center">
|
|
3
|
+
<tr>
|
|
4
|
+
<td align="center" width="50%">
|
|
5
|
+
<a
|
|
6
|
+
href="https://thanks.dev/?utm_source=axios&utm_medium=sponsorlist&utm_campaign=sponsorship"
|
|
7
|
+
style="padding: 10px; display: inline-block"
|
|
8
|
+
target="_blank"
|
|
9
|
+
>
|
|
10
|
+
<img
|
|
11
|
+
width="90px"
|
|
12
|
+
height="90px"
|
|
13
|
+
src="https://images.opencollective.com/thanks-dev/360b917/logo/256.png?height=256"
|
|
14
|
+
alt="Thanks.dev"
|
|
15
|
+
/>
|
|
16
|
+
</a>
|
|
17
|
+
<p
|
|
18
|
+
align="center"
|
|
19
|
+
>
|
|
20
|
+
We're passionate about making open source sustainable. Scan your dependency tree to better understand which open source projects need funding.
|
|
21
|
+
</p>
|
|
22
|
+
<p align="center">
|
|
23
|
+
<a
|
|
24
|
+
href="https://thanks.dev/?utm_source=axios&utm_medium=readme_sponsorlist&utm_campaign=sponsorship"
|
|
25
|
+
target="_blank"
|
|
26
|
+
><b>thanks.dev</b></a
|
|
27
|
+
>
|
|
28
|
+
</p>
|
|
29
|
+
</td>
|
|
30
|
+
<td align="center" width="50%">
|
|
31
|
+
<a
|
|
32
|
+
href="https://hopper.security/?utm_source=axios&utm_medium=readme_sponsorlist&utm_campaign=sponsorship"
|
|
33
|
+
style="padding: 10px; display: inline-block"
|
|
34
|
+
target="_blank"
|
|
35
|
+
>
|
|
36
|
+
<img
|
|
37
|
+
width="90px"
|
|
38
|
+
height="90px"
|
|
39
|
+
src="https://images.opencollective.com/hopper-security/c4f7de2/avatar.png"
|
|
40
|
+
alt="Hopper Security"
|
|
41
|
+
/>
|
|
42
|
+
</a>
|
|
43
|
+
<p align="center">
|
|
44
|
+
Hopper provides a secure, open-source registry where every component is verified against malware and continuously remediated for vulnerabilities across all versions. In simple terms, Hopper removes the need to manage software supply chain risk altogether.
|
|
45
|
+
</p>
|
|
46
|
+
<p align="center">
|
|
47
|
+
<a
|
|
48
|
+
href="https://hopper.security/?utm_source=axios&utm_medium=readme_sponsorlist&utm_campaign=sponsorship"
|
|
49
|
+
target="_blank"
|
|
50
|
+
><b>hopper.security</b></a
|
|
51
|
+
>
|
|
52
|
+
</p>
|
|
53
|
+
</td>
|
|
54
|
+
</tr>
|
|
55
|
+
</table>
|
|
56
|
+
<table align="center">
|
|
57
|
+
<tr>
|
|
58
|
+
<td align="center" width="50%">
|
|
59
|
+
<a
|
|
60
|
+
href="https://opencollective.com/axios/contribute"
|
|
61
|
+
target="_blank"
|
|
62
|
+
>💜 Become a sponsor</a
|
|
63
|
+
>
|
|
64
|
+
</td>
|
|
65
|
+
<td align="center" width="50%">
|
|
66
|
+
<a
|
|
67
|
+
href="https://opencollective.com/axios/contribute"
|
|
68
|
+
target="_blank"
|
|
69
|
+
>💜 Become a sponsor</a
|
|
70
|
+
>
|
|
71
|
+
</td>
|
|
72
|
+
</tr>
|
|
73
|
+
</table>
|
|
74
|
+
<h3 align="center">🥇 Gold sponsors <br /></h3>
|
|
75
|
+
<table align="center" width="100%">
|
|
76
|
+
<tr width="33.333333333333336%">
|
|
77
|
+
<td align="center" width="33.333333333333336%">
|
|
78
|
+
<a
|
|
79
|
+
href="https://www.principal.com/about-us?utm_source=axios&utm_medium=sponsorlist&utm_campaign=sponsorship"
|
|
80
|
+
style="padding: 10px; display: inline-block"
|
|
81
|
+
target="_blank"
|
|
82
|
+
>
|
|
83
|
+
<img
|
|
84
|
+
width="90px"
|
|
85
|
+
height="90px"
|
|
86
|
+
src="https://images.opencollective.com/principal/431e690/logo.png"
|
|
87
|
+
alt="Principal Financial Group"
|
|
88
|
+
/>
|
|
89
|
+
</a>
|
|
90
|
+
<p
|
|
91
|
+
align="center"
|
|
92
|
+
>
|
|
93
|
+
Free tools to help with your financial planning needs!
|
|
94
|
+
</p>
|
|
95
|
+
<p align="center">
|
|
96
|
+
<a
|
|
97
|
+
href="https://www.principal.com/about-us?utm_source=axios&utm_medium=readme_sponsorlist&utm_campaign=sponsorship"
|
|
98
|
+
target="_blank"
|
|
99
|
+
><b>principal.com</b></a
|
|
100
|
+
>
|
|
101
|
+
</p>
|
|
102
|
+
</td>
|
|
103
|
+
<td align="center" width="33.333333333333336%">
|
|
104
|
+
<a
|
|
105
|
+
href="https://opensource.sap.com?utm_source=axios&utm_medium=sponsorlist&utm_campaign=sponsorship"
|
|
106
|
+
style="padding: 10px; display: inline-block"
|
|
107
|
+
target="_blank"
|
|
108
|
+
>
|
|
109
|
+
<img
|
|
110
|
+
width="90px"
|
|
111
|
+
height="90px"
|
|
112
|
+
src="https://avatars.githubusercontent.com/u/2531208?s=200&v=4"
|
|
113
|
+
alt="SAP"
|
|
114
|
+
/>
|
|
115
|
+
</a>
|
|
116
|
+
<p
|
|
117
|
+
align="center"
|
|
118
|
+
title="SAP SE, a global software company, is one of the largest vendors of ERP and other enterprise applications."
|
|
119
|
+
>
|
|
120
|
+
BSAP SE, a global software company, is one of the largest vendors of ERP and other enterprise applications.
|
|
121
|
+
</p>
|
|
122
|
+
<p align="center">
|
|
123
|
+
<a
|
|
124
|
+
href="https://opensource.sap.com?utm_source=axios&utm_medium=readme_sponsorlist&utm_campaign=sponsorship"
|
|
125
|
+
target="_blank"
|
|
126
|
+
><b>opensource.sap.com</b></a
|
|
127
|
+
>
|
|
128
|
+
</p>
|
|
129
|
+
</td>
|
|
130
|
+
<td align="center" width="33.333333333333336%">
|
|
131
|
+
<a
|
|
132
|
+
href="https://www.descope.com/?utm_source=axios&utm_medium=referral&utm_campaign=axios-oss-sponsorship"
|
|
133
|
+
style="padding: 10px; display: inline-block"
|
|
134
|
+
target="_blank"
|
|
135
|
+
>
|
|
136
|
+
<img
|
|
137
|
+
width="90px"
|
|
138
|
+
height="90px"
|
|
139
|
+
src="https://images.opencollective.com/descope/b53243e/logo.png"
|
|
140
|
+
alt="Descope"
|
|
141
|
+
/>
|
|
142
|
+
</a>
|
|
143
|
+
<p
|
|
144
|
+
align="center"
|
|
145
|
+
title="Hi, we're Descope! We are building something in the authentication space for app developers and can’t wait to place it in your hands."
|
|
146
|
+
>
|
|
147
|
+
Reduce user friction, prevent account takeover, and get a 360° view of your customer and agentic identities with the Descope External IAM platform.
|
|
148
|
+
</p>
|
|
149
|
+
<p align="center">
|
|
150
|
+
<a
|
|
151
|
+
href="https://www.descope.com/?utm_source=axios&utm_medium=referral&utm_campaign=axios-oss-sponsorship"
|
|
152
|
+
target="_blank"
|
|
153
|
+
><b>descope.com</b></a
|
|
154
|
+
>
|
|
155
|
+
</p>
|
|
156
|
+
</td>
|
|
157
|
+
</tr>
|
|
158
|
+
<tr width="33.333333333333336%">
|
|
159
|
+
<td align="center" width="33.333333333333336%">
|
|
160
|
+
<a
|
|
161
|
+
href="https://stytch.com/"
|
|
162
|
+
style="padding: 10px; display: inline-block"
|
|
163
|
+
target="_blank"
|
|
164
|
+
>
|
|
165
|
+
<img
|
|
166
|
+
width="90px"
|
|
167
|
+
height="90px"
|
|
168
|
+
src="https://images.opencollective.com/stytch/f84ce43/logo/256.png?height=256"
|
|
169
|
+
alt="Stytch"
|
|
170
|
+
/>
|
|
171
|
+
</a>
|
|
172
|
+
<p
|
|
173
|
+
align="center"
|
|
174
|
+
>
|
|
175
|
+
The identity platform for humans & AI agents
|
|
176
|
+
</p>
|
|
177
|
+
<p align="center">
|
|
178
|
+
<a
|
|
179
|
+
href="https://stytch.com"
|
|
180
|
+
target="_blank"
|
|
181
|
+
><b>stytch.com</b></a
|
|
182
|
+
>
|
|
183
|
+
</p>
|
|
184
|
+
</td>
|
|
185
|
+
<td align="center" width="33.333333333333336%">
|
|
186
|
+
<a
|
|
187
|
+
href="https://rxdb.info/?utm_source=axios_docs_website&utm_medium=website&utm_campaign=axios_open_collective_sponsorship&utm_content=logo"
|
|
188
|
+
style="padding: 10px; display: inline-block"
|
|
189
|
+
target="_blank"
|
|
190
|
+
>
|
|
191
|
+
<img
|
|
192
|
+
width="90px"
|
|
193
|
+
height="90px"
|
|
194
|
+
src="https://rxdb.info/files/logo/logo_text_white.svg"
|
|
195
|
+
alt="RxDB"
|
|
196
|
+
/>
|
|
197
|
+
</a>
|
|
198
|
+
<p
|
|
199
|
+
align="center"
|
|
200
|
+
>
|
|
201
|
+
RxDB is a NoSQL database for JavaScript that runs directly in your app.
|
|
202
|
+
</p>
|
|
203
|
+
<p align="center">
|
|
204
|
+
<a
|
|
205
|
+
href="https://rxdb.info/?utm_source=axios_docs_website&utm_medium=website&utm_campaign=axios_open_collective_sponsorship&utm_content=logo"
|
|
206
|
+
target="_blank"
|
|
207
|
+
><b>rxdb.info</b></a
|
|
208
|
+
>
|
|
209
|
+
</p>
|
|
210
|
+
</td>
|
|
211
|
+
<td align="center" width="33.333333333333336%">
|
|
212
|
+
<a
|
|
213
|
+
href="https://poprey.com/?utm_source=axios&utm_medium=sponsorlist&utm_campaign=sponsorship"
|
|
214
|
+
style="padding: 10px; display: inline-block"
|
|
215
|
+
target="_blank"
|
|
216
|
+
>
|
|
217
|
+
<img
|
|
218
|
+
width="70px"
|
|
219
|
+
height="70px"
|
|
220
|
+
src="https://images.opencollective.com/instagram-likes/2a72a03/avatar.png"
|
|
221
|
+
alt="Poprey"
|
|
222
|
+
/>
|
|
223
|
+
</a>
|
|
224
|
+
<p align="center">
|
|
225
|
+
Buy Instagram Likes
|
|
226
|
+
</p>
|
|
227
|
+
<p align="center">
|
|
228
|
+
<a
|
|
229
|
+
href="https://poprey.com/?utm_source=axios&utm_medium=readme_sponsorlist&utm_campaign=sponsorship"
|
|
230
|
+
target="_blank"
|
|
231
|
+
><b>poprey.com</b></a
|
|
232
|
+
>
|
|
233
|
+
</p>
|
|
234
|
+
</td>
|
|
235
|
+
</tr>
|
|
236
|
+
<tr width="33.333333333333336%">
|
|
237
|
+
<td align="center" width="33.333333333333336%">
|
|
238
|
+
<a
|
|
239
|
+
href="https://buzzoid.com/buy-instagram-followers/?utm_source=axios_docs_website&utm_medium=website&utm_campaign=axios_open_collective_sponsorship"
|
|
240
|
+
style="padding: 10px; display: inline-block"
|
|
241
|
+
target="_blank"
|
|
242
|
+
>
|
|
243
|
+
<img
|
|
244
|
+
width="71px"
|
|
245
|
+
height="70px"
|
|
246
|
+
src="https://images.opencollective.com/buzzoid-buy-instagram-followers/56a09fe/logo.png"
|
|
247
|
+
alt="Buzzoid"
|
|
248
|
+
/>
|
|
249
|
+
</a>
|
|
250
|
+
<p
|
|
251
|
+
align="center"
|
|
252
|
+
>
|
|
253
|
+
A lightweight open-source API Development, Testing & Mocking
|
|
254
|
+
platform
|
|
255
|
+
</p>
|
|
256
|
+
<p align="center">
|
|
257
|
+
<a
|
|
258
|
+
href="https://buzzoid.com/buy-instagram-followers/?utm_source=axios_docs_website&utm_medium=website&utm_campaign=axios_open_collective_sponsorship"
|
|
259
|
+
target="_blank"
|
|
260
|
+
><b>buzzoid.com</b></a
|
|
261
|
+
>
|
|
262
|
+
</p>
|
|
263
|
+
</td>
|
|
264
|
+
<td align="center" width="33.333333333333336%">
|
|
265
|
+
<a
|
|
266
|
+
href="https://opencollective.com/axios/contribute"
|
|
267
|
+
target="_blank"
|
|
268
|
+
>💜 Become a sponsor</a
|
|
269
|
+
>
|
|
270
|
+
</td>
|
|
271
|
+
<td align="center" width="33.333333333333336%">
|
|
272
|
+
<a
|
|
273
|
+
href="https://opencollective.com/axios/contribute"
|
|
274
|
+
target="_blank"
|
|
275
|
+
>💜 Become a sponsor</a
|
|
276
|
+
>
|
|
277
|
+
</td>
|
|
278
|
+
</tr>
|
|
279
|
+
</table>
|
|
280
|
+
|
|
16
281
|
|
|
17
282
|
<!--<div>marker</div>-->
|
|
18
283
|
|
|
19
284
|
<br><br>
|
|
20
285
|
|
|
21
286
|
<div align="center">
|
|
22
|
-
<a href="https://axios
|
|
287
|
+
<a href="https://axios.rest"><img src="https://axios.rest/logo.svg" alt="Axios" /></a><br>
|
|
23
288
|
</div>
|
|
24
289
|
|
|
25
290
|
<p align="center">Promise based HTTP client for the browser and node.js</p>
|
|
26
291
|
|
|
27
292
|
<p align="center">
|
|
28
|
-
<a href="https://axios
|
|
29
|
-
<a href="https://axios
|
|
293
|
+
<a href="https://axios.rest/"><b>Website</b></a> •
|
|
294
|
+
<a href="https://axios.rest/pages/getting-started/first-steps.html"><b>Documentation</b></a>
|
|
30
295
|
</p>
|
|
31
296
|
|
|
32
297
|
<div align="center">
|
|
@@ -41,7 +306,6 @@
|
|
|
41
306
|
[](https://npm-stat.com/charts.html?package=axios)
|
|
42
307
|
[](https://gitter.im/mzabriskie/axios)
|
|
43
308
|
[](https://www.codetriage.com/axios/axios)
|
|
44
|
-
[](https://snyk.io/test/npm/axios)
|
|
45
309
|
[](CONTRIBUTORS.md)
|
|
46
310
|
|
|
47
311
|
</div>
|
|
@@ -87,7 +351,7 @@
|
|
|
87
351
|
- [🔥 Fetch adapter](#-fetch-adapter)
|
|
88
352
|
- [🔥 Custom fetch](#-custom-fetch)
|
|
89
353
|
- [🔥 Using with Tauri](#-using-with-tauri)
|
|
90
|
-
- [🔥 Using with SvelteKit](#-using-with-sveltekit
|
|
354
|
+
- [🔥 Using with SvelteKit](#-using-with-sveltekit)
|
|
91
355
|
- [🔥 HTTP2](#-http2)
|
|
92
356
|
- [Semver](#semver)
|
|
93
357
|
- [Promises](#promises)
|
|
@@ -216,6 +480,7 @@ axios
|
|
|
216
480
|
params: {
|
|
217
481
|
ID: 12345,
|
|
218
482
|
},
|
|
483
|
+
timeout: 5000, // 5 seconds — see "Handling Timeouts" below for matching error handling
|
|
219
484
|
})
|
|
220
485
|
.then(function (response) {
|
|
221
486
|
console.log(response);
|
|
@@ -238,6 +503,9 @@ async function getUser() {
|
|
|
238
503
|
}
|
|
239
504
|
```
|
|
240
505
|
|
|
506
|
+
> **Note**: Set a `timeout` in production — without one, a stalled request can hang
|
|
507
|
+
> indefinitely. See [Handling Timeouts](#handling-timeouts) for the matching error handling.
|
|
508
|
+
|
|
241
509
|
> **Note**: `async/await` is part of ECMAScript 2017 and is not supported in Internet
|
|
242
510
|
> Explorer and older browsers, so use with caution.
|
|
243
511
|
|
|
@@ -426,6 +694,27 @@ These are the available config options for making requests. Only the `url` is re
|
|
|
426
694
|
return data;
|
|
427
695
|
}],
|
|
428
696
|
|
|
697
|
+
// `parseReviver` is an optional function that will be passed as the
|
|
698
|
+
// second argument (reviver) to JSON.parse()
|
|
699
|
+
parseReviver: function (key, value, context) {
|
|
700
|
+
// In modern environments, context.source provides the raw JSON string
|
|
701
|
+
// allowing for precision-safe parsing of BigInt
|
|
702
|
+
if (typeof value === 'number' && context?.source) {
|
|
703
|
+
const isInteger = Number.isInteger(value);
|
|
704
|
+
const isUnsafe = !Number.isSafeInteger(value);
|
|
705
|
+
const isValidIntegerString = /^-?\d+$/.test(context.source);
|
|
706
|
+
|
|
707
|
+
if (isInteger && isUnsafe && isValidIntegerString) {
|
|
708
|
+
try {
|
|
709
|
+
return BigInt(context.source);
|
|
710
|
+
} catch {
|
|
711
|
+
// Fallback: return original value if parsing fails
|
|
712
|
+
}
|
|
713
|
+
}
|
|
714
|
+
}
|
|
715
|
+
return value;
|
|
716
|
+
},
|
|
717
|
+
|
|
429
718
|
// `headers` are custom headers to be sent
|
|
430
719
|
headers: {'X-Requested-With': 'XMLHttpRequest'},
|
|
431
720
|
|
|
@@ -463,6 +752,11 @@ These are the available config options for making requests. Only the `url` is re
|
|
|
463
752
|
firstName: 'Fred'
|
|
464
753
|
},
|
|
465
754
|
|
|
755
|
+
// `formDataHeaderPolicy` controls how node.js FormData#getHeaders() is copied.
|
|
756
|
+
// 'legacy' (default) copies all returned headers for v1 compatibility.
|
|
757
|
+
// 'content-only' copies only Content-Type and Content-Length.
|
|
758
|
+
formDataHeaderPolicy: 'legacy',
|
|
759
|
+
|
|
466
760
|
// syntax alternative to send data into the body
|
|
467
761
|
// method post
|
|
468
762
|
// only the value is sent, not the key
|
|
@@ -557,6 +851,10 @@ These are the available config options for making requests. Only the `url` is re
|
|
|
557
851
|
// `maxBodyLength` (Node only option) defines the max size of the http request content in bytes allowed
|
|
558
852
|
maxBodyLength: 2000,
|
|
559
853
|
|
|
854
|
+
// `redact` masks matching config keys when AxiosError#toJSON() is called.
|
|
855
|
+
// Matching is case-insensitive and recursive. It does not change the request.
|
|
856
|
+
redact: ['authorization', 'password'],
|
|
857
|
+
|
|
560
858
|
// `validateStatus` defines whether to resolve or reject the promise for a given
|
|
561
859
|
// HTTP response status code. If `validateStatus` returns `true` (or is set to `null`
|
|
562
860
|
// or `undefined`), the promise will be resolved; otherwise, the promise will be
|
|
@@ -639,6 +937,12 @@ These are the available config options for making requests. Only the `url` is re
|
|
|
639
937
|
// This will set a `Proxy-Authorization` header, overwriting any existing
|
|
640
938
|
// `Proxy-Authorization` custom headers you have set using `headers`.
|
|
641
939
|
// If the proxy server uses HTTPS, then you must set the protocol to `https`.
|
|
940
|
+
// A user-supplied `Host` header in `headers` is preserved when forwarding
|
|
941
|
+
// through a proxy (case-insensitive match on `host`/`Host`/`HOST`); this
|
|
942
|
+
// lets you target a virtual host that differs from the request URL — for
|
|
943
|
+
// example, hitting `127.0.0.1:4000` while having the proxy treat the
|
|
944
|
+
// request as `example.com`. If no `Host` header is supplied, axios
|
|
945
|
+
// defaults it to the request URL's `hostname:port` as before.
|
|
642
946
|
proxy: {
|
|
643
947
|
protocol: 'https',
|
|
644
948
|
host: '127.0.0.1',
|
|
@@ -715,6 +1019,25 @@ These are the available config options for making requests. Only the `url` is re
|
|
|
715
1019
|
}
|
|
716
1020
|
```
|
|
717
1021
|
|
|
1022
|
+
### Strict RFC 3986 percent-encoding for query params
|
|
1023
|
+
|
|
1024
|
+
By default, axios decodes `%3A`, `%24`, `%2C` and `%20` back to `:`, `$`, `,` and `+` for readability (the `+` follows the `application/x-www-form-urlencoded` convention for spaces in query strings). These characters are valid in a query component under [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4), so the default output is correct, but some backends require strict percent-encoding and reject the readable form.
|
|
1025
|
+
|
|
1026
|
+
Override the default encoder via `paramsSerializer.encode`:
|
|
1027
|
+
|
|
1028
|
+
```js
|
|
1029
|
+
// Per-request: emit strict RFC 3986 percent-encoding for query values
|
|
1030
|
+
axios.get('/foo', {
|
|
1031
|
+
params: { filter: JSON.stringify({ startedAt: '2026-01-23' }) },
|
|
1032
|
+
paramsSerializer: { encode: encodeURIComponent }
|
|
1033
|
+
});
|
|
1034
|
+
|
|
1035
|
+
// Or set it on the instance defaults
|
|
1036
|
+
const client = axios.create({
|
|
1037
|
+
paramsSerializer: { encode: encodeURIComponent }
|
|
1038
|
+
});
|
|
1039
|
+
```
|
|
1040
|
+
|
|
718
1041
|
## 🔥 HTTP/2 Support
|
|
719
1042
|
|
|
720
1043
|
Axios has experimental HTTP/2 support available via the Node.js HTTP adapter.
|
|
@@ -1046,6 +1369,17 @@ axios.get('/user/12345').catch(function (error) {
|
|
|
1046
1369
|
});
|
|
1047
1370
|
```
|
|
1048
1371
|
|
|
1372
|
+
To avoid logging secrets from `error.config`, pass a `redact` array in the request config. Matching config keys are masked case-insensitively at any depth when `AxiosError#toJSON()` is called.
|
|
1373
|
+
|
|
1374
|
+
```js
|
|
1375
|
+
axios.get('/user/12345', {
|
|
1376
|
+
headers: { Authorization: 'Bearer token' },
|
|
1377
|
+
redact: ['authorization']
|
|
1378
|
+
}).catch(function (error) {
|
|
1379
|
+
console.log(error.toJSON().config.headers.Authorization); // [REDACTED ****]
|
|
1380
|
+
});
|
|
1381
|
+
```
|
|
1382
|
+
|
|
1049
1383
|
## Handling Timeouts
|
|
1050
1384
|
|
|
1051
1385
|
```js
|
|
@@ -1287,6 +1621,8 @@ form.append('my_file', fs.createReadStream('/foo/bar.jpg'));
|
|
|
1287
1621
|
axios.post('https://example.com', form);
|
|
1288
1622
|
```
|
|
1289
1623
|
|
|
1624
|
+
In node.js, when a `FormData` object provides `getHeaders()`, axios copies all returned headers by default for v1 compatibility. If the `FormData` object is custom or not fully trusted, set `formDataHeaderPolicy: 'content-only'` to copy only `Content-Type` and `Content-Length`, and set any other request headers explicitly with the request `headers` config.
|
|
1625
|
+
|
|
1290
1626
|
### 🆕 Automatic serialization to FormData
|
|
1291
1627
|
|
|
1292
1628
|
Starting from `v0.27.0`, Axios supports automatic object serialization to a FormData object if the request `Content-Type`
|