axios 1.16.0 → 1.17.0

package/dist/axios.js

@@ -1,4 +1,4 @@
-/*! Axios v1.16.0 Copyright (c) 2026 Matt Zabriskie and contributors */
+/*! Axios v1.17.0 Copyright (c) 2026 Matt Zabriskie and contributors */
 (function (global, factory) {
   typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
   typeof define === 'function' && define.amd ? define(factory) :
@@ -964,7 +964,10 @@
       if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
         return;
       }
-      var targetKey = caseless && findKey(result, key) || key;
+
+      // findKey lowercases the key, so caseless lookup only applies to strings —
+      // symbol keys are identity-matched.
+      var targetKey = caseless && typeof key === 'string' && findKey(result, key) || key;
       // Read via own-prop only — a bare `result[targetKey]` walks the prototype
       // chain, so a polluted Object.prototype value could surface here and get
       // copied into the merged result.
@@ -979,11 +982,22 @@
         result[targetKey] = val;
       }
     };
-    for (var _len = arguments.length, objs = new Array(_len), _key2 = 0; _key2 < _len; _key2++) {
-      objs[_key2] = arguments[_key2];
-    }
-    for (var i = 0, l = objs.length; i < l; i++) {
-      objs[i] && forEach(objs[i], assignValue);
+    for (var i = 0, l = arguments.length; i < l; i++) {
+      var source = i < 0 || arguments.length <= i ? undefined : arguments[i];
+      if (!source || isBuffer(source)) {
+        continue;
+      }
+      forEach(source, assignValue);
+      if (_typeof(source) !== 'object' || isArray(source)) {
+        continue;
+      }
+      var symbols = Object.getOwnPropertySymbols(source);
+      for (var j = 0; j < symbols.length; j++) {
+        var symbol = symbols[j];
+        if (propertyIsEnumerable.call(source, symbol)) {
+          assignValue(source[symbol], symbol);
+        }
+      }
     }
     return result;
   }
@@ -1203,6 +1217,7 @@
       return hasOwnProperty.call(obj, prop);
     };
   }(Object.prototype);
+  var propertyIsEnumerable = Object.prototype.propertyIsEnumerable;
 
   /**
    * Determine if a value is a RegExp object
@@ -1291,10 +1306,10 @@
    * @returns {Object} The JSON-compatible object.
    */
   var toJSONObject = function toJSONObject(obj) {
-    var stack = new Array(10);
-    var _visit = function visit(source, i) {
+    var visited = new WeakSet();
+    var _visit = function visit(source) {
       if (isObject(source)) {
-        if (stack.indexOf(source) >= 0) {
+        if (visited.has(source)) {
           return;
         }
 
@@ -1303,19 +1318,20 @@
           return source;
         }
         if (!('toJSON' in source)) {
-          stack[i] = source;
+          // add-on descent / delete-on-ascent: preserves path semantics, so DAG nodes serialise at every occurrence (see #7230).
+          visited.add(source);
           var target = isArray(source) ? [] : {};
           forEach(source, function (value, key) {
-            var reducedValue = _visit(value, i + 1);
+            var reducedValue = _visit(value);
             !isUndefined(reducedValue) && (target[key] = reducedValue);
           });
-          stack[i] = undefined;
+          visited["delete"](source);
           return target;
         }
       }
       return source;
     };
-    return _visit(obj, 0);
+    return _visit(obj);
   };
 
   /**
@@ -1487,8 +1503,6 @@
     return parsed;
   });
 
-  var $internals = Symbol('internals');
-  var INVALID_HEADER_VALUE_CHARS_RE = /[^\x09\x20-\x7E\x80-\xFF]/g;
   function trimSPorHTAB(str) {
     var start = 0;
     var end = str.length;
@@ -1508,12 +1522,38 @@
     }
     return start === 0 && end === str.length ? str : str.slice(start, end);
   }
+
+  // The control-code ranges are intentional: header sanitization strips C0/DEL bytes.
+  // eslint-disable-next-line no-control-regex
+  var INVALID_UNICODE_HEADER_VALUE_CHARS = new RegExp("[\\u0000-\\u0008\\u000a-\\u001f\\u007f]+", 'g');
+  // eslint-disable-next-line no-control-regex
+  var INVALID_BYTE_STRING_HEADER_VALUE_CHARS = new RegExp("[^\\u0009\\u0020-\\u007e\\u0080-\\u00ff]+", 'g');
+  function sanitizeValue(value, invalidChars) {
+    if (utils$1.isArray(value)) {
+      return value.map(function (item) {
+        return sanitizeValue(item, invalidChars);
+      });
+    }
+    return trimSPorHTAB(String(value).replace(invalidChars, ''));
+  }
+  var sanitizeHeaderValue = function sanitizeHeaderValue(value) {
+    return sanitizeValue(value, INVALID_UNICODE_HEADER_VALUE_CHARS);
+  };
+  var sanitizeByteStringHeaderValue = function sanitizeByteStringHeaderValue(value) {
+    return sanitizeValue(value, INVALID_BYTE_STRING_HEADER_VALUE_CHARS);
+  };
+  function toByteStringHeaderObject(headers) {
+    var byteStringHeaders = Object.create(null);
+    utils$1.forEach(headers.toJSON(), function (value, header) {
+      byteStringHeaders[header] = sanitizeByteStringHeaderValue(value);
+    });
+    return byteStringHeaders;
+  }
+
+  var $internals = Symbol('internals');
   function normalizeHeader(header) {
     return header && String(header).trim().toLowerCase();
   }
-  function sanitizeHeaderValue(str) {
-    return trimSPorHTAB(str.replace(INVALID_HEADER_VALUE_CHARS_RE, ''));
-  }
   function normalizeValue(value) {
     if (value === false || value == null) {
       return value;
@@ -1578,7 +1618,7 @@
         function setHeader(_value, _header, _rewrite) {
           var lHeader = normalizeHeader(_header);
           if (!lHeader) {
-            throw new Error('header name must be a non-empty string');
+            return;
           }
           var key = utils$1.findKey(self, lHeader);
           if (!key || self[key] === undefined || _rewrite === true || _rewrite === undefined && self[key] !== false) {
@@ -1604,7 +1644,7 @@
             for (_iterator.s(); !(_step = _iterator.n()).done;) {
               var entry = _step.value;
               if (!utils$1.isArray(entry)) {
-                throw TypeError('Object iterator must return a key-value pair');
+                throw new TypeError('Object iterator must return a key-value pair');
               }
               obj[key = entry[0]] = (dest = obj[key]) ? utils$1.isArray(dest) ? [].concat(_toConsumableArray(dest), [entry[1]]) : [dest, entry[1]] : entry[1];
             }
@@ -2146,7 +2186,7 @@
         throw new AxiosError('Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
       }
       if (stack.indexOf(value) !== -1) {
-        throw Error('Circular reference detected in ' + path.join('.'));
+        throw new Error('Circular reference detected in ' + path.join('.'));
       }
       stack.push(value);
       utils$1.forEach(value, function each(el, key) {
@@ -2338,7 +2378,8 @@
     silentJSONParsing: true,
     forcedJSONParsing: true,
     clarifyTimeoutError: false,
-    legacyInterceptorReqResOrdering: true
+    legacyInterceptorReqResOrdering: true,
+    advertiseZstdAcceptEncoding: false
   };
 
   var URLSearchParams$1 = typeof URLSearchParams !== 'undefined' ? URLSearchParams : AxiosURLSearchParams;
@@ -2477,7 +2518,7 @@
         }
         return !isNumericKey;
       }
-      if (!target[name] || !utils$1.isObject(target[name])) {
+      if (!utils$1.hasOwnProp(target, name) || !utils$1.isObject(target[name])) {
         target[name] = [];
       }
       var result = buildPath(path, value, target[name], index);
@@ -2777,6 +2818,9 @@
     var bytesNotified = 0;
     var _speedometer = speedometer(50, 250);
     return throttle(function (e) {
+      if (!e || typeof e.loaded !== 'number') {
+        return;
+      }
       var rawLoaded = e.loaded;
       var total = e.lengthComputable ? e.total : undefined;
       var loaded = total != null ? Math.min(rawLoaded, total) : rawLoaded;
@@ -3070,12 +3114,12 @@
    *
    * @returns {string} UTF-8 bytes as a Latin-1 string
    */
-  var encodeUTF8 = function encodeUTF8(str) {
+  var encodeUTF8$1 = function encodeUTF8(str) {
     return encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, function (_, hex) {
       return String.fromCharCode(parseInt(hex, 16));
     });
   };
-  var resolveConfig = (function (config) {
+  function resolveConfig(config) {
     var newConfig = mergeConfig({}, config);
 
     // Read only own properties to prevent prototype pollution gadgets
@@ -3093,15 +3137,15 @@
     var allowAbsoluteUrls = own('allowAbsoluteUrls');
     var url = own('url');
     newConfig.headers = headers = AxiosHeaders.from(headers);
-    newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), config.params, config.paramsSerializer);
+    newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), own('params'), own('paramsSerializer'));
 
     // HTTP basic authentication
     if (auth) {
-      headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : '')));
+      headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8$1(auth.password) : '')));
     }
     if (utils$1.isFormData(data)) {
-      if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) {
-        headers.setContentType(undefined); // browser handles it
+      if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv || utils$1.isReactNative(data)) {
+        headers.setContentType(undefined); // browser/web worker/RN handles it
       } else if (utils$1.isFunction(data.getHeaders)) {
         // Node.js FormData (like form-data package)
         setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy'));
@@ -3129,7 +3173,7 @@
       }
     }
     return newConfig;
-  });
+  }
 
   var isXHRAdapterSupported = typeof XMLHttpRequest !== 'undefined';
   var xhrAdapter = isXHRAdapterSupported && function (config) {
@@ -3249,7 +3293,7 @@
 
       // Add headers to the request
       if ('setRequestHeader' in request) {
-        utils$1.forEach(requestHeaders.toJSON(), function setRequestHeader(val, key) {
+        utils$1.forEach(toByteStringHeaderObject(requestHeaders), function setRequestHeader(val, key) {
           request.setRequestHeader(key, val);
         });
       }
@@ -3311,42 +3355,43 @@
   };
 
   var composeSignals = function composeSignals(signals, timeout) {
-    var _signals = signals = signals ? signals.filter(Boolean) : [],
-      length = _signals.length;
-    if (timeout || length) {
-      var controller = new AbortController();
-      var aborted;
-      var onabort = function onabort(reason) {
-        if (!aborted) {
-          aborted = true;
-          unsubscribe();
-          var err = reason instanceof Error ? reason : this.reason;
-          controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err));
-        }
-      };
-      var timer = timeout && setTimeout(function () {
-        timer = null;
-        onabort(new AxiosError("timeout of ".concat(timeout, "ms exceeded"), AxiosError.ETIMEDOUT));
-      }, timeout);
-      var unsubscribe = function unsubscribe() {
-        if (signals) {
-          timer && clearTimeout(timer);
-          timer = null;
-          signals.forEach(function (signal) {
-            signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort);
-          });
-          signals = null;
-        }
-      };
+    signals = signals ? signals.filter(Boolean) : [];
+    if (!timeout && !signals.length) {
+      return;
+    }
+    var controller = new AbortController();
+    var aborted = false;
+    var onabort = function onabort(reason) {
+      if (!aborted) {
+        aborted = true;
+        unsubscribe();
+        var err = reason instanceof Error ? reason : this.reason;
+        controller.abort(err instanceof AxiosError ? err : new CanceledError(err instanceof Error ? err.message : err));
+      }
+    };
+    var timer = timeout && setTimeout(function () {
+      timer = null;
+      onabort(new AxiosError("timeout of ".concat(timeout, "ms exceeded"), AxiosError.ETIMEDOUT));
+    }, timeout);
+    var unsubscribe = function unsubscribe() {
+      if (!signals) {
+        return;
+      }
+      timer && clearTimeout(timer);
+      timer = null;
       signals.forEach(function (signal) {
-        return signal.addEventListener('abort', onabort);
+        signal.unsubscribe ? signal.unsubscribe(onabort) : signal.removeEventListener('abort', onabort);
       });
-      var signal = controller.signal;
-      signal.unsubscribe = function () {
-        return utils$1.asap(unsubscribe);
-      };
-      return signal;
-    }
+      signals = null;
+    };
+    signals.forEach(function (signal) {
+      return signal.addEventListener('abort', onabort);
+    });
+    var signal = controller.signal;
+    signal.unsubscribe = function () {
+      return utils$1.asap(unsubscribe);
+    };
+    return signal;
   };
 
   var streamChunk = /*#__PURE__*/_regenerator().m(function streamChunk(chunk, chunkSize) {
@@ -3644,10 +3689,39 @@
     return bytes;
   }
 
-  var VERSION = "1.16.0";
+  var VERSION = "1.17.0";
 
   var DEFAULT_CHUNK_SIZE = 64 * 1024;
   var isFunction = utils$1.isFunction;
+
+  /**
+   * Encode a UTF-8 string to a Latin-1 byte string for use with btoa().
+   * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern.
+   *
+   * @param {string} str The string to encode
+   *
+   * @returns {string} UTF-8 bytes as a Latin-1 string
+   */
+  var encodeUTF8 = function encodeUTF8(str) {
+    return encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, function (_, hex) {
+      return String.fromCharCode(parseInt(hex, 16));
+    });
+  };
+
+  // Node's WHATWG URL parser returns `username` and `password` percent-encoded.
+  // Decode before composing the `auth` option so credentials such as
+  // `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the
+  // original value for malformed input so a bad encoding never throws.
+  var decodeURIComponentSafe = function decodeURIComponentSafe(value) {
+    if (!utils$1.isString(value)) {
+      return value;
+    }
+    try {
+      return decodeURIComponent(value);
+    } catch (error) {
+      return value;
+    }
+  };
   var test = function test(fn) {
     try {
       for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
@@ -3658,9 +3732,16 @@
       return false;
     }
   };
+  var maybeWithAuthCredentials = function maybeWithAuthCredentials(url) {
+    var protocolIndex = url.indexOf('://');
+    var urlToCheck = url;
+    if (protocolIndex !== -1) {
+      urlToCheck = urlToCheck.slice(protocolIndex + 3);
+    }
+    return urlToCheck.includes('@') || urlToCheck.includes(':');
+  };
   var factory = function factory(env) {
-    var _utils$global;
-    var globalObject = (_utils$global = utils$1.global) !== null && _utils$global !== void 0 ? _utils$global : globalThis;
+    var globalObject = utils$1.global !== undefined && utils$1.global !== null ? utils$1.global : globalThis;
     var ReadableStream = globalObject.ReadableStream,
       TextEncoder = globalObject.TextEncoder;
     env = utils$1.merge.call({
@@ -3812,13 +3893,16 @@
     }();
     return /*#__PURE__*/function () {
       var _ref4 = _asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee4(config) {
-        var _resolveConfig, url, method, data, signal, cancelToken, timeout, onDownloadProgress, onUploadProgress, responseType, headers, _resolveConfig$withCr, withCredentials, fetchOptions, maxContentLength, maxBodyLength, hasMaxContentLength, hasMaxBodyLength, _fetch, composedSignal, request, unsubscribe, requestContentLength, estimated, outboundLength, _request, contentTypeHeader, _progressEventDecorat, _progressEventDecorat2, onProgress, flush, isCredentialsSupported, contentType, resolvedOptions, response, declaredLength, isStreamResponse, options, responseContentLength, _ref5, _ref6, _onProgress, _flush, bytesRead, onChunkProgress, responseData, materializedSize, canceledError, _t3, _t4, _t5;
+        var _resolveConfig, url, method, data, signal, cancelToken, timeout, onDownloadProgress, onUploadProgress, responseType, headers, _resolveConfig$withCr, withCredentials, fetchOptions, maxContentLength, maxBodyLength, hasMaxContentLength, hasMaxBodyLength, own, _fetch, composedSignal, request, unsubscribe, requestContentLength, auth, configAuth, username, password, parsedURL, urlUsername, urlPassword, estimated, outboundLength, _request, contentTypeHeader, _progressEventDecorat, _progressEventDecorat2, onProgress, flush, isCredentialsSupported, contentType, resolvedOptions, response, declaredLength, isStreamResponse, options, responseContentLength, _ref5, _ref6, _onProgress, _flush, bytesRead, onChunkProgress, responseData, materializedSize, canceledError, _t3, _t4, _t5;
         return _regenerator().w(function (_context4) {
           while (1) switch (_context4.p = _context4.n) {
             case 0:
               _resolveConfig = resolveConfig(config), url = _resolveConfig.url, method = _resolveConfig.method, data = _resolveConfig.data, signal = _resolveConfig.signal, cancelToken = _resolveConfig.cancelToken, timeout = _resolveConfig.timeout, onDownloadProgress = _resolveConfig.onDownloadProgress, onUploadProgress = _resolveConfig.onUploadProgress, responseType = _resolveConfig.responseType, headers = _resolveConfig.headers, _resolveConfig$withCr = _resolveConfig.withCredentials, withCredentials = _resolveConfig$withCr === void 0 ? 'same-origin' : _resolveConfig$withCr, fetchOptions = _resolveConfig.fetchOptions, maxContentLength = _resolveConfig.maxContentLength, maxBodyLength = _resolveConfig.maxBodyLength;
               hasMaxContentLength = utils$1.isNumber(maxContentLength) && maxContentLength > -1;
               hasMaxBodyLength = utils$1.isNumber(maxBodyLength) && maxBodyLength > -1;
+              own = function own(key) {
+                return utils$1.hasOwnProp(config, key) ? config[key] : undefined;
+              };
               _fetch = envFetch || fetch;
               responseType = responseType ? (responseType + '').toLowerCase() : 'text';
               composedSignal = composeSignals([signal, cancelToken && cancelToken.toAbortSignal()], timeout);
@@ -3827,6 +3911,41 @@
                 composedSignal.unsubscribe();
               };
               _context4.p = 1;
+              // HTTP basic authentication
+              auth = undefined;
+              configAuth = own('auth');
+              if (configAuth) {
+                username = configAuth.username || '';
+                password = configAuth.password || '';
+                auth = {
+                  username: username,
+                  password: password
+                };
+              }
+              if (maybeWithAuthCredentials(url)) {
+                parsedURL = new URL(url, platform.origin);
+                if (!auth && (parsedURL.username || parsedURL.password)) {
+                  urlUsername = decodeURIComponentSafe(parsedURL.username);
+                  urlPassword = decodeURIComponentSafe(parsedURL.password);
+                  auth = {
+                    username: urlUsername,
+                    password: urlPassword
+                  };
+                }
+                if (parsedURL.username || parsedURL.password) {
+                  parsedURL.username = '';
+                  parsedURL.password = '';
+                  url = parsedURL.href;
+                }
+              }
+              if (auth) {
+                headers["delete"]('authorization');
+                headers.set('Authorization', 'Basic ' + btoa(encodeUTF8((auth.username || '') + ':' + (auth.password || ''))));
+              }
+
+              // Enforce maxContentLength for data: URLs up-front so we never materialize
+              // an oversized payload. The HTTP adapter applies the same check (see http.js
+              // "if (protocol === 'data:')" branch).
               if (!(hasMaxContentLength && typeof url === 'string' && url.startsWith('data:'))) {
                 _context4.n = 2;
                 break;
@@ -3900,7 +4019,7 @@
               resolvedOptions = _objectSpread2(_objectSpread2({}, fetchOptions), {}, {
                 signal: composedSignal,
                 method: method.toUpperCase(),
-                headers: headers.normalize().toJSON(),
+                headers: toByteStringHeaderObject(headers.normalize()),
                 body: data,
                 duplex: 'half',
                 credentials: isCredentialsSupported ? withCredentials : undefined
@@ -4412,7 +4531,8 @@
             silentJSONParsing: validators.transitional(validators["boolean"]),
             forcedJSONParsing: validators.transitional(validators["boolean"]),
             clarifyTimeoutError: validators.transitional(validators["boolean"]),
-            legacyInterceptorReqResOrdering: validators.transitional(validators["boolean"])
+            legacyInterceptorReqResOrdering: validators.transitional(validators["boolean"]),
+            advertiseZstdAcceptEncoding: validators.transitional(validators["boolean"])
           }, false);
         }
         if (paramsSerializer != null) {