axios 1.16.0 → 1.16.1

package/CHANGELOG.md

@@ -1,5 +1,76 @@
 # Changelog
 
+## v1.16.0 — May 2, 2026
+
+This release adds support for the QUERY HTTP method and a new `ECONNREFUSED` error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.
+
+## ⚠️ Notable Changes
+
+A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:
+
+- **Fetch adapter now enforces `maxBodyLength` and `maxContentLength`.** These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (**#10795**)
+- **Proxy requests now preserve user-supplied `Host` headers.** Previously, the proxy path could overwrite a custom `Host`. Virtual-host-style routing through a proxy will now behave correctly. (**#10822**)
+- **Basic auth credentials embedded in URLs are now URL-decoded.** If you have percent-encoded credentials in a URL (e.g. `https://user:p%40ss@host`), the decoded value is what now goes on the wire. (**#10825**)
+- **`parseProtocol` now strictly requires a colon in the protocol separator.** Strings that loosely parsed as protocols before may no longer match. (**#10729**)
+- **Deprecated `unescape()` replaced with modern UTF-8 encoding.** Non-ASCII URL handling is now spec-correct; consumers depending on legacy `unescape()` quirks may see different output bytes. (**#7378**)
+- **`transformRequest` input typing change was reverted.** The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (**#10745**, **#10810**)
+
+## 🚀 New Features
+
+- **QUERY HTTP Method:** Added support for the QUERY HTTP method across adapters and type definitions. (**#10802**)
+- **ECONNREFUSED Error Constant:** Exposed `ECONNREFUSED` as a constant on `AxiosError` so callers can match connection-refused failures without comparing string literals (closes #6485). (**#10680**)
+- **Encode Helper Export:** Exported the internal `encode` helper from `buildURL` so userland param serializers can reuse the same encoding logic that axios uses internally. (**#6897**)
+
+## 🐛 Bug Fixes
+
+- **HTTP Adapter — Redirects & Headers:** Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing `requestDetails` argument on `beforeRedirect`, preserved user-supplied `Host` headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (**#10794**, **#10800**, **#6241**, **#10822**, **#10825**)
+- **HTTP Adapter — Streams & Timeouts:** Preserved the partial response object on `AxiosError` when a stream is aborted after headers arrive, honoured the `timeout` option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and `maxRedirects: 0`. (**#10708**, **#10819**, **#7149**)
+- **Fetch Adapter:** Enforced `maxBodyLength` / `maxContentLength` in the fetch adapter, set the `User-Agent` header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a `TypeError` in restricted environments. (**#10795**, **#10772**, **#10806**, **#7260**)
+- **XHR Adapter:** Unsubscribed the `cancelToken` and `AbortSignal` listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (**#10787**)
+- **Error Handling:** Attached the parsed response to `AxiosError` when `JSON.parse` fails inside `dispatchRequest`, prevented `settle` from emitting `undefined` error codes, and tightened the `parseProtocol` regex to require a colon in the protocol separator. (**#10724**, **#7276**, **#10729**)
+- **Types & Exports:** Aligned the CommonJS `CancelToken` typings with the ESM build, fixed a compiler error caused by `RawAxiosHeaders`, and re-exported `create` from the package index. (**#7414**, **#6389**, **#6460**)
+- **UTF-8 Encoding:** Replaced the deprecated `unescape()` call with a modern UTF-8 encoding implementation. (**#7378**)
+- **Misc Cleanup:** Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (**#10833**)
+
+## 🔧 Maintenance & Chores
+
+- **Refactor — ES6 Modernisation:** Modernised the `utils` module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (**#10588**, **#7419**)
+- **Tests:** Hardened the HTTP test server lifecycle to fix flaky `FormData` EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (**#10820**, **#10791**, **#10796**)
+- **Docs:** Documented `paramsSerializer.encode` for strict RFC 3986 query encoding, updated the `parseReviver` TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (**#10821**, **#10782**, **#10759**, **#10804**)
+- **Reverted:** Reverted the `transformRequest` input typing change from #10745 after follow-up review. (**#10745**, **#10810**)
+- **Dependencies:** Bumped `actions/setup-node`, the `github-actions` group, and `postcss` (in `/docs`) to their latest versions. (**#10785**, **#10813**, **#10814**)
+- **Release:** Updated changelog and packages, and prepared the 1.16.0 release. (**#10790**, **#10834**)
+
+## 🌟 New Contributors
+
+We are thrilled to welcome our new contributors. Thank you for helping improve axios:
+
+- **@singhankit001** (**#10588**)
+- **@cuiweixie** (**#7419**)
+- **@iruizsalinas** (**#10787**)
+- **@MarcosNocetti** (**#10680**)
+- **@deepview-autofix** (**#10729**)
+- **@atharvasingh7007** (**#10745**)
+- **@OfekDanny** (**#10772**)
+- **@mnahkies** (**#7414**)
+- **@tboyila** (**#10759**)
+- **@Kingo64** (**#6897**)
+- **@ramram1048** (**#6389**)
+- **@FLNacif** (**#6460**)
+- **@zozo123** (**#10806**)
+- **@pierluigilenoci** (**#10802**)
+- **@afurm** (**#10708**)
+- **@karan-lrn** (**#7378**)
+- **@ebeigarts** (**#7149**)
+- **@Raymondo97** (**#10782**)
+- **@mixelburg** (**#10821**)
+- **@ashishkr96** (**#10822**)
+- **@cyphercodes** (**#10819**)
+- **@Jye10032** (**#7260**)
+- **@VeerShah41** (**#7276**)
+
+[Full Changelog](https://github.com/axios/axios/compare/v1.15.2...v1.16.0)
+
 ## v1.15.2 - April 21, 2026
 
 This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in `allowedSocketPaths` allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

package/README.md

@@ -244,14 +244,13 @@
                     width="71px"
                     height="70px"
                     src="https://images.opencollective.com/buzzoid-buy-instagram-followers/56a09fe/logo.png"
-                    alt="Buzzoid"
+                    alt="Buzzoid - Buy Instagram Followers"
                 />
             </a>
             <p
                 align="center"
             >
-                A lightweight open-source API Development, Testing &amp; Mocking
-                platform
+                At Buzzoid, you can buy Instagram followers quickly, safely, and easily with just a few clicks. Rated world&#39;s #1 IG service since 2012.
             </p>
             <p align="center">
                 <a
@@ -263,10 +262,29 @@
         </td>
         <td align="center" width="33.333333333333336%">
             <a
-                href="https://opencollective.com/axios/contribute"
+                href="https://twicsy.com/buy-instagram-followers/?utm_source=axios_docs_website&utm_medium=website&utm_campaign=axios_open_collective_sponsorship"
+                style="padding: 10px; display: inline-block"
                 target="_blank"
-                >💜 Become a sponsor</a
             >
+                <img
+                    width="71px"
+                    height="70px"
+                    src="https://images.opencollective.com/buy-instagram-followers-twicsy/b4c5d7f/logo/256.png?height=256"
+                    alt="Buy Instagram Followers Twicsy"
+                />
+            </a>
+            <p
+                align="center"
+            >
+                Buy real Instagram followers from Twicsy. Twicsy has been voted the best site to buy followers from the likes of US Magazine.
+            </p>
+            <p align="center">
+                <a
+                    href="https://twicsy.com/buy-instagram-followers/?utm_source=axios_docs_website&utm_medium=website&utm_campaign=axios_open_collective_sponsorship"
+                    target="_blank"
+                    ><b>twicsy.com</b></a
+                >
+            </p>
         </td>
         <td align="center" width="33.333333333333336%">
             <a
@@ -495,8 +513,16 @@ axios
 // Want to use async/await? Add the `async` keyword to your outer function/method.
 async function getUser() {
   try {
-    const response = await axios.get('/user?ID=12345');
-    console.log(response);
+// Example: GET request with query parameters
+const response = await axios.get('/user', {
+  params: {
+    ID: 12345
+  }
+});
+
+// Using the `params` option improves readability and automatically formats query strings
+
+console.log(response);
   } catch (error) {
     console.error(error);
   }
@@ -934,15 +960,24 @@ These are the available config options for making requests. Only the `url` is re
   // Use `false` to disable proxies, ignoring environment variables.
   // `auth` indicates that HTTP Basic auth should be used to connect to the proxy, and
   // supplies credentials.
-  // This will set a `Proxy-Authorization` header, overwriting any existing
-  // `Proxy-Authorization` custom headers you have set using `headers`.
+  // For `http://` targets, axios sends the request to the proxy in
+  // forward-proxy mode and stamps `Proxy-Authorization` onto the request
+  // headers (overwriting any user-supplied `Proxy-Authorization` header).
+  // For `https://` targets, axios establishes a CONNECT tunnel through the
+  // proxy and performs TLS end-to-end with the origin; `Proxy-Authorization`
+  // is sent on the CONNECT request only, never on the wrapped TLS request,
+  // so the proxy never sees the URL, headers, or body. Supply a custom
+  // `httpsAgent` to opt out of automatic CONNECT tunneling.
   // If the proxy server uses HTTPS, then you must set the protocol to `https`.
   // A user-supplied `Host` header in `headers` is preserved when forwarding
   // through a proxy (case-insensitive match on `host`/`Host`/`HOST`); this
   // lets you target a virtual host that differs from the request URL — for
   // example, hitting `127.0.0.1:4000` while having the proxy treat the
   // request as `example.com`. If no `Host` header is supplied, axios
-  // defaults it to the request URL's `hostname:port` as before.
+  // defaults it to the request URL's `hostname:port` as before. The Host
+  // header is only set in forward-proxy mode (HTTP targets); for HTTPS
+  // tunneling the Host header is sent inside the TLS connection, not seen
+  // by the proxy.
   proxy: {
     protocol: 'https',
     host: '127.0.0.1',
@@ -1180,7 +1215,7 @@ const instance = axios.create();
 const myInterceptor = instance.interceptors.request.use(function () {
   /*...*/
 });
-axios.interceptors.request.eject(myInterceptor);
+instance.interceptors.request.eject(myInterceptor);
 ```
 
 You can also clear all interceptors for requests or responses.

package/dist/axios.js

@@ -1,4 +1,4 @@
-/*! Axios v1.16.0 Copyright (c) 2026 Matt Zabriskie and contributors */
+/*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */
 (function (global, factory) {
   typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
   typeof define === 'function' && define.amd ? define(factory) :
@@ -1291,10 +1291,10 @@
    * @returns {Object} The JSON-compatible object.
    */
   var toJSONObject = function toJSONObject(obj) {
-    var stack = new Array(10);
-    var _visit = function visit(source, i) {
+    var visited = new WeakSet();
+    var _visit = function visit(source) {
       if (isObject(source)) {
-        if (stack.indexOf(source) >= 0) {
+        if (visited.has(source)) {
           return;
         }
 
@@ -1303,19 +1303,20 @@
           return source;
         }
         if (!('toJSON' in source)) {
-          stack[i] = source;
+          // add-on descent / delete-on-ascent: preserves path semantics, so DAG nodes serialise at every occurrence (see #7230).
+          visited.add(source);
           var target = isArray(source) ? [] : {};
           forEach(source, function (value, key) {
-            var reducedValue = _visit(value, i + 1);
+            var reducedValue = _visit(value);
             !isUndefined(reducedValue) && (target[key] = reducedValue);
           });
-          stack[i] = undefined;
+          visited["delete"](source);
           return target;
         }
       }
       return source;
     };
-    return _visit(obj, 0);
+    return _visit(obj);
   };
 
   /**
@@ -1487,8 +1488,6 @@
     return parsed;
   });
 
-  var $internals = Symbol('internals');
-  var INVALID_HEADER_VALUE_CHARS_RE = /[^\x09\x20-\x7E\x80-\xFF]/g;
   function trimSPorHTAB(str) {
     var start = 0;
     var end = str.length;
@@ -1508,12 +1507,38 @@
     }
     return start === 0 && end === str.length ? str : str.slice(start, end);
   }
+
+  // The control-code ranges are intentional: header sanitization strips C0/DEL bytes.
+  // eslint-disable-next-line no-control-regex
+  var INVALID_UNICODE_HEADER_VALUE_CHARS = new RegExp("[\\u0000-\\u0008\\u000a-\\u001f\\u007f]+", 'g');
+  // eslint-disable-next-line no-control-regex
+  var INVALID_BYTE_STRING_HEADER_VALUE_CHARS = new RegExp("[^\\u0009\\u0020-\\u007e\\u0080-\\u00ff]+", 'g');
+  function sanitizeValue(value, invalidChars) {
+    if (utils$1.isArray(value)) {
+      return value.map(function (item) {
+        return sanitizeValue(item, invalidChars);
+      });
+    }
+    return trimSPorHTAB(String(value).replace(invalidChars, ''));
+  }
+  var sanitizeHeaderValue = function sanitizeHeaderValue(value) {
+    return sanitizeValue(value, INVALID_UNICODE_HEADER_VALUE_CHARS);
+  };
+  var sanitizeByteStringHeaderValue = function sanitizeByteStringHeaderValue(value) {
+    return sanitizeValue(value, INVALID_BYTE_STRING_HEADER_VALUE_CHARS);
+  };
+  function toByteStringHeaderObject(headers) {
+    var byteStringHeaders = Object.create(null);
+    utils$1.forEach(headers.toJSON(), function (value, header) {
+      byteStringHeaders[header] = sanitizeByteStringHeaderValue(value);
+    });
+    return byteStringHeaders;
+  }
+
+  var $internals = Symbol('internals');
   function normalizeHeader(header) {
     return header && String(header).trim().toLowerCase();
   }
-  function sanitizeHeaderValue(str) {
-    return trimSPorHTAB(str.replace(INVALID_HEADER_VALUE_CHARS_RE, ''));
-  }
   function normalizeValue(value) {
     if (value === false || value == null) {
       return value;
@@ -2477,7 +2502,7 @@
         }
         return !isNumericKey;
       }
-      if (!target[name] || !utils$1.isObject(target[name])) {
+      if (!utils$1.hasOwnProp(target, name) || !utils$1.isObject(target[name])) {
         target[name] = [];
       }
       var result = buildPath(path, value, target[name], index);
@@ -2777,6 +2802,9 @@
     var bytesNotified = 0;
     var _speedometer = speedometer(50, 250);
     return throttle(function (e) {
+      if (!e || typeof e.loaded !== 'number') {
+        return;
+      }
       var rawLoaded = e.loaded;
       var total = e.lengthComputable ? e.total : undefined;
       var loaded = total != null ? Math.min(rawLoaded, total) : rawLoaded;
@@ -3249,7 +3277,7 @@
 
       // Add headers to the request
       if ('setRequestHeader' in request) {
-        utils$1.forEach(requestHeaders.toJSON(), function setRequestHeader(val, key) {
+        utils$1.forEach(toByteStringHeaderObject(requestHeaders), function setRequestHeader(val, key) {
           request.setRequestHeader(key, val);
         });
       }
@@ -3311,42 +3339,43 @@
   };
 
   var composeSignals = function composeSignals(signals, timeout) {
-    var _signals = signals = signals ? signals.filter(Boolean) : [],
-      length = _signals.length;
-    if (timeout || length) {
-      var controller = new AbortController();
-      var aborted;
-      var onabort = function onabort(reason) {
-        if (!aborted) {
-          aborted = true;
-          unsubscribe();
-          var err = reason instanceof Error ? reason : this.reason;
-          controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err));
-        }
-      };
-      var timer = timeout && setTimeout(function () {
-        timer = null;
-        onabort(new AxiosError("timeout of ".concat(timeout, "ms exceeded"), AxiosError.ETIMEDOUT));
-      }, timeout);
-      var unsubscribe = function unsubscribe() {
-        if (signals) {
-          timer && clearTimeout(timer);
-          timer = null;
-          signals.forEach(function (signal) {
-            signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort);
-          });
-          signals = null;
-        }
-      };
+    signals = signals ? signals.filter(Boolean) : [];
+    if (!timeout && !signals.length) {
+      return;
+    }
+    var controller = new AbortController();
+    var aborted = false;
+    var onabort = function onabort(reason) {
+      if (!aborted) {
+        aborted = true;
+        unsubscribe();
+        var err = reason instanceof Error ? reason : this.reason;
+        controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err));
+      }
+    };
+    var timer = timeout && setTimeout(function () {
+      timer = null;
+      onabort(new AxiosError("timeout of ".concat(timeout, "ms exceeded"), AxiosError.ETIMEDOUT));
+    }, timeout);
+    var unsubscribe = function unsubscribe() {
+      if (!signals) {
+        return;
+      }
+      timer && clearTimeout(timer);
+      timer = null;
       signals.forEach(function (signal) {
-        return signal.addEventListener('abort', onabort);
+        signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort);
       });
-      var signal = controller.signal;
-      signal.unsubscribe = function () {
-        return utils$1.asap(unsubscribe);
-      };
-      return signal;
-    }
+      signals = null;
+    };
+    signals.forEach(function (signal) {
+      return signal.addEventListener('abort', onabort);
+    });
+    var signal = controller.signal;
+    signal.unsubscribe = function () {
+      return utils$1.asap(unsubscribe);
+    };
+    return signal;
   };
 
   var streamChunk = /*#__PURE__*/_regenerator().m(function streamChunk(chunk, chunkSize) {
@@ -3644,7 +3673,7 @@
     return bytes;
   }
 
-  var VERSION = "1.16.0";
+  var VERSION = "1.16.1";
 
   var DEFAULT_CHUNK_SIZE = 64 * 1024;
   var isFunction = utils$1.isFunction;
@@ -3659,8 +3688,7 @@
     }
   };
   var factory = function factory(env) {
-    var _utils$global;
-    var globalObject = (_utils$global = utils$1.global) !== null && _utils$global !== void 0 ? _utils$global : globalThis;
+    var globalObject = utils$1.global !== undefined && utils$1.global !== null ? utils$1.global : globalThis;
     var ReadableStream = globalObject.ReadableStream,
       TextEncoder = globalObject.TextEncoder;
     env = utils$1.merge.call({
@@ -3900,7 +3928,7 @@
               resolvedOptions = _objectSpread2(_objectSpread2({}, fetchOptions), {}, {
                 signal: composedSignal,
                 method: method.toUpperCase(),
-                headers: headers.normalize().toJSON(),
+                headers: toByteStringHeaderObject(headers.normalize()),
                 body: data,
                 duplex: 'half',
                 credentials: isCredentialsSupported ? withCredentials : undefined