axios 1.17.0 → 1.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,88 @@
1
1
  # Changelog
2
2
 
3
+ ## v1.18.0 — June 13, 2026
4
+
5
+ This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.
6
+
7
+ ## 🔒 Security Fixes
8
+
9
+ * **Redirect Header Safety:** Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (__#10892__)
10
+
11
+ * **URL And Request Hardening:** Rejects malformed `http:` and `https:` URLs that omit `//` with `ERR_INVALID_URL`, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local `NO_PROXY` matching. (__#11000__)
12
+
13
+ ## 🐛 Bug Fixes
14
+
15
+ * **Status Validation:** Added `transitional.validateStatusUndefinedResolves` so applications can opt in to treating `validateStatus: undefined` like the option was omitted, while `validateStatus: null` remains the explicit way to accept every status. (__#10899__)
16
+
17
+ ## 🔧 Maintenance & Chores
18
+
19
+ * **Documentation:** Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the `proxy` request config as Node.js-only in the advanced docs. (__#10984__, __#10988__, __#10992__, __#10995__)
20
+
21
+ * **Dependencies:** Bumped `@babel/core`, `@babel/preset-env`, `@commitlint/cli`, `@commitlint/config-conventional`, `@rollup/plugin-babel`, `@rollup/plugin-commonjs`, `@vitest/browser`, `@vitest/browser-playwright`, `eslint`, `lint-staged`, `rollup`, `vitest`, and `actions/checkout`. (__#10989__, __#10996__, __#10997__)
22
+
23
+ * **Release Metadata:** Prepared the 1.18.0 release by updating package metadata and the runtime `VERSION` value. (__#11003__)
24
+
25
+ ## 🌟 New Contributors
26
+
27
+ We are thrilled to welcome our new contributors. Thank you for helping improve axios:
28
+
29
+ * __@drori12__ (__#10984__)
30
+ * __@eyupcanakman__ (__#10899__)
31
+ * __@Adi-Beker__ (__#10995__)
32
+
33
+ [Full Changelog](https://github.com/axios/axios/compare/v1.17.0...v1.18.0)
34
+
35
+ ## v1.17.0 — June 1, 2026
36
+
37
+ This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.
38
+
39
+ ## 🔒 Security Fixes
40
+
41
+ * **Config Hardening:** Guarded `socketPath`, `params`, and `paramsSerializer` reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (__#10901__, __#10922__)
42
+ * **Release Publishing:** Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (__#10926__)
43
+
44
+ ## 🚀 New Features
45
+
46
+ * **HTTP Compression:** Added Node HTTP adapter support for zstd response decompression, with `transitional.advertiseZstdAcceptEncoding` controlling whether `zstd` is advertised in `Accept-Encoding`. (__#6792__, __#10920__)
47
+
48
+ ## 🐛 Bug Fixes
49
+
50
+ * **Authentication Handling:** Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (__#10929__, __#10896__)
51
+ * **Proxy TLS:** Preserved user `httpsAgent` TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (__#10957__)
52
+ * **React Native FormData:** Cleared default `Content-Type` for React Native `FormData` so multipart boundaries can be generated correctly. (__#10898__)
53
+ * **Headers:** Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (__#10875__)
54
+ * **Request Data Merging:** Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (__#10812__)
55
+ * **Bundler Compatibility:** Converted `resolveConfig` from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (__#10891__)
56
+ * **Types:** Corrected `AxiosHeaders.toJSON()` return types and updated CommonJS `isCancel` typings to narrow to `CanceledError<T>`. (__#10956__, __#10952__)
57
+ * **Build Tooling:** Avoided emitting a null `Authorization` header from the GitHub build helper when `GITHUB_TOKEN` is unset. (__#10931__)
58
+
59
+ ## 🔧 Maintenance & Chores
60
+
61
+ * **HTTP/2 Internals:** Extracted `Http2Sessions` into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (__#10861__)
62
+ * **Package Publishing:** Reduced published package size by switching to a `files` allowlist and dropping unneeded unminified bundle source maps. (__#10939__)
63
+ * **CI and Release Automation:** Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (__#10907__, __#10911__, __#10916__, __#10927__, __#10935__, __#10983__)
64
+ * **Developer Workflow:** Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (__#10925__, __#10914__, __#10958__)
65
+ * **Documentation and Policy:** Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (__#10890__, __#10889__, __#10921__, __#10945__, __#10905__, __#10933__, __#10915__, __#10887__, __#10955__)
66
+ * **Dependencies:** Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, `fs-extra`, `qs`, docs dependencies, and GitHub Actions dependencies including `actions/dependency-review-action` and `zizmorcore/zizmor-action`. (__#10871__, __#10879__, __#10918__, __#10919__, __#10934__, __#10947__, __#10954__, __#10960__)
67
+
68
+ ## 🌟 New Contributors
69
+
70
+ We are thrilled to welcome our new contributors. Thank you for helping improve axios:
71
+
72
+ * __@BasixKOR__ (__#6792__)
73
+ * __@carladams1299-lab__ (__#10861__)
74
+ * __@LaplaceYoung__ (__#10812__)
75
+ * __@JamieMagee__ (__#10939__)
76
+ * __@RonGamzu__ (__#10905__)
77
+ * __@sapirbaruch__ (__#10891__)
78
+ * __@nezukoagent__ (__#10901__)
79
+ * __@devareddy05__ (__#10929__)
80
+ * __@Mohammad-Faiz-Cloud-Engineer__ (__#10922__)
81
+ * __@azandabot__ (__#10931__)
82
+ * __@niksy__ (__#10896__)
83
+
84
+ [Full Changelog](https://github.com/axios/axios/compare/v1.16.1...v1.17.0)
85
+
3
86
  ## v1.16.1 — May 13, 2026
4
87
 
5
88
  This release ships a defence-in-depth fix for prototype pollution in `formDataToJSON`, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.
@@ -1432,7 +1515,7 @@ This functionality is considered as a fix.
1432
1515
 
1433
1516
  - fix: improve AxiosHeaders class [#5224](https://github.com/axios/axios/pull/5224)
1434
1517
  - fix: TypeScript type definitions for commonjs [#5196](https://github.com/axios/axios/pull/5196)
1435
- - fix: type definition of use method on AxiosInterceptorManager to match the the README [#5071](https://github.com/axios/axios/pull/5071)
1518
+ - fix: type definition of use method on AxiosInterceptorManager to match the README [#5071](https://github.com/axios/axios/pull/5071)
1436
1519
  - fix: \_\_dirname is not defined in the sandbox [#5269](https://github.com/axios/axios/pull/5269)
1437
1520
  - fix: AxiosError.toJSON method to avoid circular references [#5247](https://github.com/axios/axios/pull/5247)
1438
1521
  - fix: Z_BUF_ERROR when content-encoding is set but the response body is empty [#5250](https://github.com/axios/axios/pull/5250)
package/README.md CHANGED
@@ -298,7 +298,6 @@
298
298
  </tr>
299
299
  </table>
300
300
 
301
-
302
301
  <!--<div>marker</div>-->
303
302
 
304
303
  <br><br>
@@ -430,6 +429,12 @@ Using bun:
430
429
  $ bun add axios
431
430
  ```
432
431
 
432
+ Using Deno:
433
+
434
+ ```bash
435
+ $ deno add axios
436
+ ```
437
+
433
438
  Once the package is installed, import it with `import` or `require`:
434
439
 
435
440
  ```js
@@ -513,16 +518,16 @@ axios
513
518
  // Want to use async/await? Add the `async` keyword to your outer function/method.
514
519
  async function getUser() {
515
520
  try {
516
- // Example: GET request with query parameters
517
- const response = await axios.get('/user', {
518
- params: {
519
- ID: 12345
520
- }
521
- });
521
+ // Example: GET request with query parameters
522
+ const response = await axios.get('/user', {
523
+ params: {
524
+ ID: 12345,
525
+ },
526
+ });
522
527
 
523
- // Using the `params` option improves readability and automatically formats query strings
528
+ // Using the `params` option improves readability and automatically formats query strings
524
529
 
525
- console.log(response);
530
+ console.log(response);
526
531
  } catch (error) {
527
532
  console.error(error);
528
533
  }
@@ -770,9 +775,12 @@ These config options are available for requests. Only `url` is required. Request
770
775
 
771
776
  // `data` is the data to be sent as the request body
772
777
  // Only applicable for request methods 'PUT', 'POST', 'DELETE', and 'PATCH'
778
+ // `data` is request-specific: axios does not inherit or deep-merge it from defaults.
779
+ // To add shared body fields, use a request interceptor or transformRequest.
773
780
  // When no `transformRequest` is set, it must be of one of the following types:
774
781
  // - string, plain object, ArrayBuffer, ArrayBufferView, URLSearchParams
775
782
  // - Browser only: FormData, File, Blob
783
+ // - React Native: FormData
776
784
  // - Node only: Stream, Buffer, FormData (form-data package)
777
785
  data: {
778
786
  firstName: 'Fred'
@@ -877,10 +885,12 @@ These config options are available for requests. Only `url` is required. Request
877
885
  // Do whatever you want with the Axios progress event
878
886
  },
879
887
 
880
- // `maxContentLength` defines the max size of the http response content in bytes allowed in node.js
888
+ // `maxContentLength` defines the max size of the response content in bytes.
889
+ // It is enforced by the Node.js HTTP adapter and the fetch adapter.
881
890
  maxContentLength: 2000,
882
891
 
883
- // `maxBodyLength` (Node only option) defines the max size of the http request content in bytes allowed
892
+ // `maxBodyLength` defines the max size of the request content in bytes.
893
+ // It is enforced by the Node.js HTTP adapter and the fetch adapter when the body length can be determined.
884
894
  maxBodyLength: 2000,
885
895
 
886
896
  // `redact` masks matching config keys when AxiosError#toJSON() is called.
@@ -888,8 +898,11 @@ These config options are available for requests. Only `url` is required. Request
888
898
  redact: ['authorization', 'password'],
889
899
 
890
900
  // `validateStatus` defines whether to resolve or reject the promise for a given
891
- // HTTP response status code. If `validateStatus` returns `true` (or is set to `null`
892
- // or `undefined`), Axios resolves the promise; otherwise, Axios rejects it.
901
+ // HTTP response status code. If `validateStatus` returns `true` or is set to
902
+ // `null`, Axios resolves the promise; otherwise, Axios rejects it.
903
+ // Explicit `validateStatus: undefined` resolves every status by default for
904
+ // backward compatibility. Set `transitional.validateStatusUndefinedResolves`
905
+ // to `false` to make explicit `undefined` behave as if this option was omitted.
893
906
  validateStatus: function (status) {
894
907
  return status >= 200 && status < 300; // default
895
908
  },
@@ -898,6 +911,12 @@ These config options are available for requests. Only `url` is required. Request
898
911
  // If set to 0, Axios follows no redirects.
899
912
  maxRedirects: 21, // default
900
913
 
914
+ // `sensitiveHeaders` (Node only option) lists custom secret-bearing headers
915
+ // (such as `X-API-Key`) to remove from cross-origin redirects. Matching is
916
+ // case-insensitive. Same-origin redirects keep these headers. If
917
+ // `maxRedirects` is 0, this option is not used.
918
+ sensitiveHeaders: ['X-API-Key'],
919
+
901
920
  // `beforeRedirect` defines a function that Axios calls before redirect.
902
921
  // Use this to adjust the request options upon redirecting,
903
922
  // to inspect the latest response headers,
@@ -957,6 +976,12 @@ These config options are available for requests. Only `url` is required. Request
957
976
  // for your proxy configuration, you can also define a `no_proxy` environment
958
977
  // variable as a comma-separated list of domains that should not be proxied.
959
978
  // Use `false` to disable proxies, ignoring environment variables.
979
+ // On Node.js versions with native environment proxy support, axios defers
980
+ // environment proxy handling to Node when the selected agent has `proxyEnv`
981
+ // enabled, including processes started with `NODE_USE_ENV_PROXY=1`,
982
+ // `--use-env-proxy`, or `NODE_OPTIONS=--use-env-proxy`. Custom agents without
983
+ // `proxyEnv` continue to use axios environment proxy resolution. Explicit
984
+ // `proxy` config is still handled by axios.
960
985
  // `auth` indicates that HTTP Basic auth should be used to connect to the proxy, and
961
986
  // supplies credentials.
962
987
  // For `http://` targets, axios sends the request to the proxy in
@@ -1033,6 +1058,11 @@ These config options are available for requests. Only `url` is required. Request
1033
1058
  // throw ETIMEDOUT error instead of generic ECONNABORTED on request timeouts
1034
1059
  clarifyTimeoutError: false,
1035
1060
 
1061
+ // keep explicit `validateStatus: undefined` resolving every response status
1062
+ // for backward compatibility. Set to false to make explicit undefined behave
1063
+ // as if validateStatus was omitted.
1064
+ validateStatusUndefinedResolves: true,
1065
+
1036
1066
  // advertise `zstd` in the default Accept-Encoding header when the current
1037
1067
  // Node.js runtime supports zstd decompression. Axios still decompresses
1038
1068
  // zstd responses when support exists and `decompress` is true.
@@ -1063,6 +1093,15 @@ These config options are available for requests. Only `url` is required. Request
1063
1093
  }
1064
1094
  ```
1065
1095
 
1096
+ For custom secret-bearing headers in Node.js, list them in `sensitiveHeaders` so Axios removes them when following a redirect to another origin:
1097
+
1098
+ ```js
1099
+ axios.get('https://api.example.com/users', {
1100
+ headers: { 'X-API-Key': 'secret' },
1101
+ sensitiveHeaders: ['X-API-Key'],
1102
+ });
1103
+ ```
1104
+
1066
1105
  ### Strict RFC 3986 percent-encoding for query params
1067
1106
 
1068
1107
  By default, axios decodes `%3A`, `%24`, `%2C` and `%20` back to `:`, `$`, `,` and `+` for readability (the `+` follows the `application/x-www-form-urlencoded` convention for spaces in query strings). These characters are valid in a query component under [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4), so the default output is correct, but some backends require strict percent-encoding and reject the readable form.
@@ -1073,12 +1112,12 @@ Override the default encoder via `paramsSerializer.encode`:
1073
1112
  // Per-request: emit strict RFC 3986 percent-encoding for query values
1074
1113
  axios.get('/foo', {
1075
1114
  params: { filter: JSON.stringify({ startedAt: '2026-01-23' }) },
1076
- paramsSerializer: { encode: encodeURIComponent }
1115
+ paramsSerializer: { encode: encodeURIComponent },
1077
1116
  });
1078
1117
 
1079
1118
  // Or set it on the instance defaults
1080
1119
  const client = axios.create({
1081
- paramsSerializer: { encode: encodeURIComponent }
1120
+ paramsSerializer: { encode: encodeURIComponent },
1082
1121
  });
1083
1122
  ```
1084
1123
 
@@ -1167,6 +1206,8 @@ instance.defaults.headers.common['Authorization'] = AUTH_TOKEN;
1167
1206
 
1168
1207
  Axios merges config in this order: library defaults from [lib/defaults/index.js](https://github.com/axios/axios/blob/main/lib/defaults/index.js#L49), the instance `defaults` property, and the request `config` argument. Later values take precedence over earlier ones.
1169
1208
 
1209
+ Some options are request-specific and are only taken from the request `config`. `data` is one of those options: axios does not inherit or deep-merge request bodies from global or instance defaults. If every request needs shared body fields, add them with a request interceptor or `transformRequest`, and scope that logic carefully so sensitive values are not sent to the wrong endpoint.
1210
+
1170
1211
  ```js
1171
1212
  // Create an instance using the config defaults provided by the library
1172
1213
  // At this point the timeout config value is `0` as is the default for the library
@@ -1360,7 +1401,7 @@ These are the internal Axios error codes:
1360
1401
  | ERR_INVALID_URL | Invalid URL provided for axios request. |
1361
1402
  | ECONNABORTED | Typically indicates that the request has been timed out (unless `transitional.clarifyTimeoutError` is set) or aborted by the browser or its plugin. |
1362
1403
  | ERR_CANCELED | The user explicitly canceled the request with an AbortSignal or CancelToken. |
1363
- | ETIMEDOUT | Request timed out after exceeding the configured Axios timeout. Set `transitional.clarifyTimeoutError` to `true`; otherwise Axios throws a generic `ECONNABORTED` error. |
1404
+ | ETIMEDOUT | Request timed out after exceeding the configured Axios timeout. Set `transitional.clarifyTimeoutError` to `true`; otherwise Axios throws a generic `ECONNABORTED` error. |
1364
1405
  | ERR_NETWORK | Network-related issue. In the browser, this error can also be caused by a [CORS](https://developer.mozilla.org/ru/docs/Web/HTTP/Guides/CORS) or [Mixed Content](https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content) policy violation. The browser does not allow the JS code to clarify the real reason for the error caused by security issues, so please check the console. |
1365
1406
  | ERR_FR_TOO_MANY_REDIRECTS | Request exceeded the configured maximum number of redirects. |
1366
1407
  | ERR_BAD_RESPONSE | Response cannot be parsed properly or is in an unexpected format. Usually related to a response with `5xx` status code. |
@@ -1401,6 +1442,19 @@ axios.get('/user/12345', {
1401
1442
  });
1402
1443
  ```
1403
1444
 
1445
+ By default, explicit `validateStatus: undefined` keeps legacy behavior and resolves every response status because `transitional.validateStatusUndefinedResolves` defaults to `true`. Set it to `false` to make explicit `validateStatus: undefined` behave like the option was omitted, so Axios uses the configured/default validator and rejects non-2xx responses by default.
1446
+
1447
+ `validateStatus: null` still accepts every response status. If you disable the transitional behavior and intentionally want all statuses to resolve, use `null` or `() => true`.
1448
+
1449
+ ```js
1450
+ axios.get('/user/12345', {
1451
+ validateStatus: undefined,
1452
+ transitional: {
1453
+ validateStatusUndefinedResolves: false,
1454
+ },
1455
+ });
1456
+ ```
1457
+
1404
1458
  Use `toJSON` to get more information about the HTTP error.
1405
1459
 
1406
1460
  ```js
@@ -1412,12 +1466,14 @@ axios.get('/user/12345').catch(function (error) {
1412
1466
  To avoid logging secrets from `error.config`, pass a `redact` array in the request config. Matching config keys are masked case-insensitively at any depth when `AxiosError#toJSON()` is called.
1413
1467
 
1414
1468
  ```js
1415
- axios.get('/user/12345', {
1416
- headers: { Authorization: 'Bearer token' },
1417
- redact: ['authorization']
1418
- }).catch(function (error) {
1419
- console.log(error.toJSON().config.headers.Authorization); // [REDACTED ****]
1420
- });
1469
+ axios
1470
+ .get('/user/12345', {
1471
+ headers: { Authorization: 'Bearer token' },
1472
+ redact: ['authorization'],
1473
+ })
1474
+ .catch(function (error) {
1475
+ console.log(error.toJSON().config.headers.Authorization); // [REDACTED ****]
1476
+ });
1421
1477
  ```
1422
1478
 
1423
1479
  ## Handling timeouts
@@ -1527,11 +1583,44 @@ axios.get('/user/12345', {
1527
1583
  cancel();
1528
1584
  ```
1529
1585
 
1586
+ `CancelToken` also exposes low-level helpers for legacy integrations:
1587
+
1588
+ ```js
1589
+ const source = axios.CancelToken.source();
1590
+
1591
+ const listener = (cancel) => {
1592
+ console.log(cancel.message);
1593
+ };
1594
+
1595
+ source.token.subscribe(listener);
1596
+
1597
+ const signal = source.token.toAbortSignal();
1598
+ // Pass `signal` to APIs that accept AbortSignal.
1599
+
1600
+ source.cancel('Operation canceled by the user.');
1601
+ source.token.unsubscribe(listener);
1602
+ ```
1603
+
1604
+ Canceled requests reject with `axios.CanceledError`. The legacy `axios.Cancel` export is an alias of `axios.CanceledError`, and cancellation errors include `__CANCEL__` for `axios.isCancel` compatibility.
1605
+
1530
1606
  > Note: You can cancel several requests with the same cancel token or abort controller.
1531
1607
  > If a cancellation token is already cancelled when an Axios request starts, Axios cancels the request immediately without making a real request.
1532
1608
 
1533
1609
  > During the transition period, you can use both cancellation APIs, even for the same request:
1534
1610
 
1611
+ ```js
1612
+ const controller = new AbortController();
1613
+ const source = axios.CancelToken.source();
1614
+
1615
+ axios.get('/user/12345', {
1616
+ cancelToken: source.token,
1617
+ signal: controller.signal,
1618
+ });
1619
+
1620
+ controller.abort();
1621
+ source.cancel('Operation canceled by the user.');
1622
+ ```
1623
+
1535
1624
  ## Using `application/x-www-form-urlencoded` format
1536
1625
 
1537
1626
  ### URLSearchParams
@@ -1640,6 +1729,7 @@ server = app.listen(3000);
1640
1729
 
1641
1730
  To send data as `multipart/form-data`, pass a FormData instance as the payload.
1642
1731
  You do not need to set the `Content-Type` header. Axios detects it from the payload type.
1732
+ For browser, web worker, and React Native `FormData`, leave `Content-Type` unset so the runtime can add the multipart boundary.
1643
1733
 
1644
1734
  ```js
1645
1735
  const formData = new FormData();
@@ -1732,6 +1822,9 @@ FormData serializer supports additional options via `config.formSerializer: obje
1732
1822
  input object exceeds this depth, an `AxiosError` with `code: 'ERR_FORM_DATA_DEPTH_EXCEEDED'` is
1733
1823
  thrown instead of overflowing the call stack. This protects server applications from DoS
1734
1824
  attacks via deeply nested payloads. Set to `Infinity` to disable the limit and restore pre-fix behaviour.
1825
+ - `Blob: typeof Blob` - Blob constructor used when converting ArrayBuffer-like values for spec-compliant
1826
+ `FormData`. Override it only for runtimes that provide a compatible `Blob` constructor under a
1827
+ different binding.
1735
1828
 
1736
1829
  ```js
1737
1830
  // Raise the limit for a schema that genuinely nests deeper than 100 levels:
@@ -2058,6 +2151,7 @@ console.log(headers);
2058
2151
  set(headerName, value: Axios, rewrite?: boolean);
2059
2152
  set(headerName, value, rewrite?: (this: AxiosHeaders, value: string, name: string, headers: RawAxiosHeaders) => boolean);
2060
2153
  set(headers?: RawAxiosHeaders | AxiosHeaders | string, rewrite?: boolean);
2154
+ set(headers?: Iterable<[string, AxiosHeaderValue]>, rewrite?: boolean);
2061
2155
  ```
2062
2156
 
2063
2157
  The `rewrite` argument controls the overwriting behavior:
@@ -2068,6 +2162,21 @@ The `rewrite` argument controls the overwriting behavior:
2068
2162
 
2069
2163
  The option can also accept a user-defined function that determines whether to overwrite the value.
2070
2164
 
2165
+ Empty or whitespace-only header names are ignored.
2166
+
2167
+ Iterable key/value pairs, such as a `Map`, are accepted:
2168
+
2169
+ ```js
2170
+ const headers = new AxiosHeaders();
2171
+
2172
+ headers.set(
2173
+ new Map([
2174
+ ['X-Trace-Id', 'abc123'],
2175
+ ['Accept', 'application/json'],
2176
+ ])
2177
+ );
2178
+ ```
2179
+
2071
2180
  Returns `this`.
2072
2181
 
2073
2182
  ### AxiosHeaders#get(header)
@@ -2188,6 +2297,14 @@ toJSON(asStrings?: false): Record<string, string | string[]>;
2188
2297
  Resolves all internal header values into a new null prototype object.
2189
2298
  Set `asStrings` to true to resolve arrays as a string containing all elements, separated by commas.
2190
2299
 
2300
+ ### AxiosHeaders#toString()
2301
+
2302
+ ```
2303
+ toString(): string;
2304
+ ```
2305
+
2306
+ Returns the headers as a CRLF-free HTTP header block, one `name: value` pair per line.
2307
+
2191
2308
  ### AxiosHeaders.from(thing?)
2192
2309
 
2193
2310
  ```
@@ -2243,6 +2360,8 @@ const { data } = fetchAxios.get(url);
2243
2360
  The adapter supports the same features as the `xhr` adapter, including upload and download progress capturing.
2244
2361
  It also supports response types such as `stream` and `formdata` when the environment supports them.
2245
2362
 
2363
+ When `auth` is omitted, the fetch adapter can read HTTP Basic auth credentials from the request URL, for example `https://user:pass@example.com`. Percent-encoded URL credentials are decoded before the `Authorization` header is generated, and `auth` takes precedence over URL-embedded credentials.
2364
+
2246
2365
  ### Custom fetch
2247
2366
 
2248
2367
  Since `v1.12.0`, you can configure the fetch adapter to use a custom fetch API instead of environment globals.
@@ -2365,6 +2484,20 @@ try {
2365
2484
  }
2366
2485
  ```
2367
2486
 
2487
+ Use `axios.isCancel<T>()` to narrow cancellation errors to `CanceledError<T>`:
2488
+
2489
+ ```typescript
2490
+ const controller = new AbortController();
2491
+
2492
+ try {
2493
+ await axios.get<User>('/user?ID=12345', { signal: controller.signal });
2494
+ } catch (error) {
2495
+ if (axios.isCancel<User>(error)) {
2496
+ handleCancellation(error);
2497
+ }
2498
+ }
2499
+ ```
2500
+
2368
2501
  Because axios publishes an ESM default export and a CJS `module.exports`, TypeScript has a few caveats.
2369
2502
  The recommended setting is `"moduleResolution": "node16"`, which is implied by `"module": "node16"`. This requires TypeScript 4.7 or greater.
2370
2503
  If you use ESM, your settings should be fine.