axios 1.17.0 → 1.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/esm/axios.js CHANGED
@@ -1,4 +1,4 @@
1
- /*! Axios v1.17.0 Copyright (c) 2026 Matt Zabriskie and contributors */
1
+ /*! Axios v1.18.1 Copyright (c) 2026 Matt Zabriskie and contributors */
2
2
  /**
3
3
  * Create a bound version of a function with a specified `this` context
4
4
  *
@@ -18,6 +18,57 @@ const { toString } = Object.prototype;
18
18
  const { getPrototypeOf } = Object;
19
19
  const { iterator, toStringTag } = Symbol;
20
20
 
21
+ /* Creating a function that will check if an object has a property. */
22
+ const hasOwnProperty = (
23
+ ({ hasOwnProperty }) =>
24
+ (obj, prop) =>
25
+ hasOwnProperty.call(obj, prop)
26
+ )(Object.prototype);
27
+
28
+ /**
29
+ * Walk the prototype chain (excluding the shared Object.prototype) looking for
30
+ * an own `prop`. This distinguishes genuine own/inherited members — including
31
+ * class accessors and template prototypes — from members injected via
32
+ * Object.prototype pollution (e.g. `Object.prototype.username = '...'`), which
33
+ * live on Object.prototype itself and are therefore never matched.
34
+ *
35
+ * @param {*} thing The value whose chain to inspect
36
+ * @param {string|symbol} prop The property key to look for
37
+ *
38
+ * @returns {boolean} True when `prop` is owned below Object.prototype
39
+ */
40
+ const hasOwnInPrototypeChain = (thing, prop) => {
41
+ let obj = thing;
42
+ const seen = [];
43
+
44
+ while (obj != null && obj !== Object.prototype) {
45
+ if (seen.indexOf(obj) !== -1) {
46
+ return false;
47
+ }
48
+ seen.push(obj);
49
+
50
+ if (hasOwnProperty(obj, prop)) {
51
+ return true;
52
+ }
53
+ obj = getPrototypeOf(obj);
54
+ }
55
+ return false;
56
+ };
57
+
58
+ /**
59
+ * Read `obj[prop]` only when it is safe from Object.prototype pollution. Own
60
+ * properties and members inherited from a non-Object.prototype source (a class
61
+ * instance or template object) are honored; a value reachable only through a
62
+ * polluted Object.prototype is ignored and `undefined` is returned.
63
+ *
64
+ * @param {*} obj The source object
65
+ * @param {string|symbol} prop The property key to read
66
+ *
67
+ * @returns {*} The resolved value, or undefined when unsafe/absent
68
+ */
69
+ const getSafeProp = (obj, prop) =>
70
+ obj != null && hasOwnInPrototypeChain(obj, prop) ? obj[prop] : undefined;
71
+
21
72
  const kindOf = ((cache) => (thing) => {
22
73
  const str = toString.call(thing);
23
74
  return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase());
@@ -143,7 +194,7 @@ const isBoolean = (thing) => thing === true || thing === false;
143
194
  * @returns {boolean} True if value is a plain Object, otherwise false
144
195
  */
145
196
  const isPlainObject = (val) => {
146
- if (kindOf(val) !== 'object') {
197
+ if (!isObject(val)) {
147
198
  return false;
148
199
  }
149
200
 
@@ -151,9 +202,12 @@ const isPlainObject = (val) => {
151
202
  return (
152
203
  (prototype === null ||
153
204
  prototype === Object.prototype ||
154
- Object.getPrototypeOf(prototype) === null) &&
155
- !(toStringTag in val) &&
156
- !(iterator in val)
205
+ getPrototypeOf(prototype) === null) &&
206
+ // Treat any genuine (non-Object.prototype-polluted) Symbol.toStringTag or
207
+ // Symbol.iterator as evidence the value is a tagged/iterable type rather
208
+ // than a plain object, while ignoring keys injected onto Object.prototype.
209
+ !hasOwnInPrototypeChain(val, toStringTag) &&
210
+ !hasOwnInPrototypeChain(val, iterator)
157
211
  );
158
212
  };
159
213
 
@@ -680,13 +734,6 @@ const toCamelCase = (str) => {
680
734
  });
681
735
  };
682
736
 
683
- /* Creating a function that will check if an object has a property. */
684
- const hasOwnProperty = (
685
- ({ hasOwnProperty }) =>
686
- (obj, prop) =>
687
- hasOwnProperty.call(obj, prop)
688
- )(Object.prototype);
689
-
690
737
  const { propertyIsEnumerable } = Object.prototype;
691
738
 
692
739
  /**
@@ -900,6 +947,20 @@ const asap =
900
947
 
901
948
  const isIterable = (thing) => thing != null && isFunction$1(thing[iterator]);
902
949
 
950
+ /**
951
+ * Determine if a value is iterable via an iterator that is NOT sourced solely
952
+ * from a polluted Object.prototype. Use this instead of `isIterable` whenever
953
+ * the iterable comes from untrusted input (e.g. user-supplied header sources),
954
+ * so `Object.prototype[Symbol.iterator] = ...` cannot turn an ordinary object
955
+ * into an attacker-controlled entries iterator.
956
+ *
957
+ * @param {*} thing The value to test
958
+ *
959
+ * @returns {boolean} True if value has a non-polluted iterator
960
+ */
961
+ const isSafeIterable = (thing) =>
962
+ thing != null && hasOwnInPrototypeChain(thing, iterator) && isIterable(thing);
963
+
903
964
  var utils$1 = {
904
965
  isArray,
905
966
  isArrayBuffer,
@@ -944,6 +1005,8 @@ var utils$1 = {
944
1005
  isHTMLForm,
945
1006
  hasOwnProperty,
946
1007
  hasOwnProp: hasOwnProperty, // an alias to avoid ESLint no-prototype-builtins detection
1008
+ hasOwnInPrototypeChain,
1009
+ getSafeProp,
947
1010
  reduceDescriptors,
948
1011
  freezeMethods,
949
1012
  toObjectSet,
@@ -960,6 +1023,7 @@ var utils$1 = {
960
1023
  setImmediate: _setImmediate,
961
1024
  asap,
962
1025
  isIterable,
1026
+ isSafeIterable,
963
1027
  };
964
1028
 
965
1029
  // RawAxiosHeaders whose duplicates are ignored by node
@@ -1192,8 +1256,8 @@ let AxiosHeaders$1 = class AxiosHeaders {
1192
1256
  setHeaders(header, valueOrRewrite);
1193
1257
  } else if (utils$1.isString(header) && (header = header.trim()) && !isValidHeaderName(header)) {
1194
1258
  setHeaders(parseHeaders(header), valueOrRewrite);
1195
- } else if (utils$1.isObject(header) && utils$1.isIterable(header)) {
1196
- let obj = {},
1259
+ } else if (utils$1.isObject(header) && utils$1.isSafeIterable(header)) {
1260
+ let obj = Object.create(null),
1197
1261
  dest,
1198
1262
  key;
1199
1263
  for (const entry of header) {
@@ -1201,11 +1265,14 @@ let AxiosHeaders$1 = class AxiosHeaders {
1201
1265
  throw new TypeError('Object iterator must return a key-value pair');
1202
1266
  }
1203
1267
 
1204
- obj[(key = entry[0])] = (dest = obj[key])
1205
- ? utils$1.isArray(dest)
1206
- ? [...dest, entry[1]]
1207
- : [dest, entry[1]]
1208
- : entry[1];
1268
+ key = entry[0];
1269
+
1270
+ if (utils$1.hasOwnProp(obj, key)) {
1271
+ dest = obj[key];
1272
+ obj[key] = utils$1.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]];
1273
+ } else {
1274
+ obj[key] = entry[1];
1275
+ }
1209
1276
  }
1210
1277
 
1211
1278
  setHeaders(obj, valueOrRewrite);
@@ -1498,7 +1565,19 @@ function redactConfig(config, redactKeys) {
1498
1565
  let AxiosError$1 = class AxiosError extends Error {
1499
1566
  static from(error, code, config, request, response, customProps) {
1500
1567
  const axiosError = new AxiosError(error.message, code || error.code, config, request, response);
1501
- axiosError.cause = error;
1568
+ // Match native `Error` `cause` semantics: non-enumerable. The wrapped
1569
+ // error often carries circular internals (sockets, requests, agents), so
1570
+ // an enumerable `cause` makes structured loggers (pino/winston) and any
1571
+ // own-property walk throw "Converting circular structure to JSON".
1572
+ // Regression from #6982; see #7205. `__proto__: null` mirrors the
1573
+ // `message` descriptor below (prototype-pollution-safe descriptor).
1574
+ Object.defineProperty(axiosError, 'cause', {
1575
+ __proto__: null,
1576
+ value: error,
1577
+ writable: true,
1578
+ enumerable: false,
1579
+ configurable: true,
1580
+ });
1502
1581
  axiosError.name = error.name;
1503
1582
 
1504
1583
  // Preserve status from the original error if not already set from response
@@ -1599,6 +1678,10 @@ AxiosError$1.ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED';
1599
1678
  // eslint-disable-next-line strict
1600
1679
  var httpAdapter = null;
1601
1680
 
1681
+ // Default nesting limit shared with the inverse transform (formDataToJSON) so
1682
+ // the FormData <-> JSON round-trip stays symmetric.
1683
+ const DEFAULT_FORM_DATA_MAX_DEPTH = 100;
1684
+
1602
1685
  /**
1603
1686
  * Determines if the given thing is a array or js object.
1604
1687
  *
@@ -1709,8 +1792,9 @@ function toFormData$1(obj, formData, options) {
1709
1792
  const dots = options.dots;
1710
1793
  const indexes = options.indexes;
1711
1794
  const _Blob = options.Blob || (typeof Blob !== 'undefined' && Blob);
1712
- const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
1795
+ const maxDepth = options.maxDepth === undefined ? DEFAULT_FORM_DATA_MAX_DEPTH : options.maxDepth;
1713
1796
  const useBlob = _Blob && utils$1.isSpecCompliantForm(formData);
1797
+ const stack = [];
1714
1798
 
1715
1799
  if (!utils$1.isFunction(visitor)) {
1716
1800
  throw new TypeError('visitor must be a function');
@@ -1732,12 +1816,50 @@ function toFormData$1(obj, formData, options) {
1732
1816
  }
1733
1817
 
1734
1818
  if (utils$1.isArrayBuffer(value) || utils$1.isTypedArray(value)) {
1735
- return useBlob && typeof Blob === 'function' ? new Blob([value]) : Buffer.from(value);
1819
+ if (useBlob && typeof _Blob === 'function') {
1820
+ return new _Blob([value]);
1821
+ }
1822
+ if (typeof Buffer !== 'undefined') {
1823
+ return Buffer.from(value);
1824
+ }
1825
+ throw new AxiosError$1('Blob is not supported. Use a Buffer instead.', AxiosError$1.ERR_NOT_SUPPORT);
1736
1826
  }
1737
1827
 
1738
1828
  return value;
1739
1829
  }
1740
1830
 
1831
+ function throwIfMaxDepthExceeded(depth) {
1832
+ if (depth > maxDepth) {
1833
+ throw new AxiosError$1(
1834
+ 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
1835
+ AxiosError$1.ERR_FORM_DATA_DEPTH_EXCEEDED
1836
+ );
1837
+ }
1838
+ }
1839
+
1840
+ function stringifyWithDepthLimit(value, depth) {
1841
+ if (maxDepth === Infinity) {
1842
+ return JSON.stringify(value);
1843
+ }
1844
+
1845
+ const ancestors = [];
1846
+
1847
+ return JSON.stringify(value, function limitDepth(_key, currentValue) {
1848
+ if (!utils$1.isObject(currentValue)) {
1849
+ return currentValue;
1850
+ }
1851
+
1852
+ while (ancestors.length && ancestors[ancestors.length - 1] !== this) {
1853
+ ancestors.pop();
1854
+ }
1855
+
1856
+ ancestors.push(currentValue);
1857
+ throwIfMaxDepthExceeded(depth + ancestors.length - 1);
1858
+
1859
+ return currentValue;
1860
+ });
1861
+ }
1862
+
1741
1863
  /**
1742
1864
  * Default visitor.
1743
1865
  *
@@ -1761,7 +1883,7 @@ function toFormData$1(obj, formData, options) {
1761
1883
  // eslint-disable-next-line no-param-reassign
1762
1884
  key = metaTokens ? key : key.slice(0, -2);
1763
1885
  // eslint-disable-next-line no-param-reassign
1764
- value = JSON.stringify(value);
1886
+ value = stringifyWithDepthLimit(value, 1);
1765
1887
  } else if (
1766
1888
  (utils$1.isArray(value) && isFlatArray(value)) ||
1767
1889
  ((utils$1.isFileList(value) || utils$1.endsWith(key, '[]')) && (arr = utils$1.toArray(value)))
@@ -1794,8 +1916,6 @@ function toFormData$1(obj, formData, options) {
1794
1916
  return false;
1795
1917
  }
1796
1918
 
1797
- const stack = [];
1798
-
1799
1919
  const exposedHelpers = Object.assign(predicates, {
1800
1920
  defaultVisitor,
1801
1921
  convertValue,
@@ -1805,12 +1925,7 @@ function toFormData$1(obj, formData, options) {
1805
1925
  function build(value, path, depth = 0) {
1806
1926
  if (utils$1.isUndefined(value)) return;
1807
1927
 
1808
- if (depth > maxDepth) {
1809
- throw new AxiosError$1(
1810
- 'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
1811
- AxiosError$1.ERR_FORM_DATA_DEPTH_EXCEEDED
1812
- );
1813
- }
1928
+ throwIfMaxDepthExceeded(depth);
1814
1929
 
1815
1930
  if (stack.indexOf(value) !== -1) {
1816
1931
  throw new Error('Circular reference detected in ' + path.join('.'));
@@ -1884,9 +1999,7 @@ prototype.append = function append(name, value) {
1884
1999
 
1885
2000
  prototype.toString = function toString(encoder) {
1886
2001
  const _encode = encoder
1887
- ? function (value) {
1888
- return encoder.call(this, value, encode$1);
1889
- }
2002
+ ? (value) => encoder.call(this, value, encode$1)
1890
2003
  : encode$1;
1891
2004
 
1892
2005
  return this._pairs
@@ -1925,8 +2038,7 @@ function buildURL(url, params, options) {
1925
2038
  if (!params) {
1926
2039
  return url;
1927
2040
  }
1928
-
1929
- const _encode = (options && options.encode) || encode;
2041
+ url = url || '';
1930
2042
 
1931
2043
  const _options = utils$1.isFunction(options)
1932
2044
  ? {
@@ -1934,7 +2046,11 @@ function buildURL(url, params, options) {
1934
2046
  }
1935
2047
  : options;
1936
2048
 
1937
- const serializeFn = _options && _options.serialize;
2049
+ // Read serializer options pollution-safely: own properties and methods on a
2050
+ // class/template prototype are honored, but values injected onto a polluted
2051
+ // Object.prototype are ignored.
2052
+ const _encode = utils$1.getSafeProp(_options, 'encode') || encode;
2053
+ const serializeFn = utils$1.getSafeProp(_options, 'serialize');
1938
2054
 
1939
2055
  let serializedParams;
1940
2056
 
@@ -2031,6 +2147,7 @@ var transitionalDefaults = {
2031
2147
  clarifyTimeoutError: false,
2032
2148
  legacyInterceptorReqResOrdering: true,
2033
2149
  advertiseZstdAcceptEncoding: false,
2150
+ validateStatusUndefinedResolves: true,
2034
2151
  };
2035
2152
 
2036
2153
  var URLSearchParams$1 = typeof URLSearchParams !== 'undefined' ? URLSearchParams : AxiosURLSearchParams;
@@ -2122,6 +2239,17 @@ function toURLEncodedForm(data, options) {
2122
2239
  });
2123
2240
  }
2124
2241
 
2242
+ const MAX_DEPTH = DEFAULT_FORM_DATA_MAX_DEPTH;
2243
+
2244
+ function throwIfDepthExceeded(index) {
2245
+ if (index > MAX_DEPTH) {
2246
+ throw new AxiosError$1(
2247
+ 'FormData field is too deeply nested (' + index + ' levels). Max depth: ' + MAX_DEPTH,
2248
+ AxiosError$1.ERR_FORM_DATA_DEPTH_EXCEEDED
2249
+ );
2250
+ }
2251
+ }
2252
+
2125
2253
  /**
2126
2254
  * It takes a string like `foo[x][y][z]` and returns an array like `['foo', 'x', 'y', 'z']
2127
2255
  *
@@ -2134,9 +2262,16 @@ function parsePropPath(name) {
2134
2262
  // foo.x.y.z
2135
2263
  // foo-x-y-z
2136
2264
  // foo x y z
2137
- return utils$1.matchAll(/\w+|\[(\w*)]/g, name).map((match) => {
2138
- return match[0] === '[]' ? '' : match[1] || match[0];
2139
- });
2265
+ const path = [];
2266
+ const pattern = /\w+|\[(\w*)]/g;
2267
+ let match;
2268
+
2269
+ while ((match = pattern.exec(name)) !== null) {
2270
+ throwIfDepthExceeded(path.length);
2271
+ path.push(match[0] === '[]' ? '' : match[1] || match[0]);
2272
+ }
2273
+
2274
+ return path;
2140
2275
  }
2141
2276
 
2142
2277
  /**
@@ -2168,6 +2303,8 @@ function arrayToObject(arr) {
2168
2303
  */
2169
2304
  function formDataToJSON(formData) {
2170
2305
  function buildPath(path, value, target, index) {
2306
+ throwIfDepthExceeded(index);
2307
+
2171
2308
  let name = path[index++];
2172
2309
 
2173
2310
  if (name === '__proto__') return true;
@@ -2653,7 +2790,11 @@ var cookies = platform.hasStandardBrowserEnv
2653
2790
  const cookie = cookies[i].replace(/^\s+/, '');
2654
2791
  const eq = cookie.indexOf('=');
2655
2792
  if (eq !== -1 && cookie.slice(0, eq) === name) {
2656
- return decodeURIComponent(cookie.slice(eq + 1));
2793
+ try {
2794
+ return decodeURIComponent(cookie.slice(eq + 1));
2795
+ } catch (e) {
2796
+ return cookie.slice(eq + 1);
2797
+ }
2657
2798
  }
2658
2799
  }
2659
2800
  return null;
@@ -2704,6 +2845,31 @@ function combineURLs(baseURL, relativeURL) {
2704
2845
  : baseURL;
2705
2846
  }
2706
2847
 
2848
+ const malformedHttpProtocol = /^https?:(?!\/\/)/i;
2849
+ const httpProtocolControlCharacters = /[\t\n\r]/g;
2850
+
2851
+ function stripLeadingC0ControlOrSpace(url) {
2852
+ let i = 0;
2853
+ while (i < url.length && url.charCodeAt(i) <= 0x20) {
2854
+ i++;
2855
+ }
2856
+ return url.slice(i);
2857
+ }
2858
+
2859
+ function normalizeURLForProtocolCheck(url) {
2860
+ return stripLeadingC0ControlOrSpace(url).replace(httpProtocolControlCharacters, '');
2861
+ }
2862
+
2863
+ function assertValidHttpProtocolURL(url, config) {
2864
+ if (typeof url === 'string' && malformedHttpProtocol.test(normalizeURLForProtocolCheck(url))) {
2865
+ throw new AxiosError$1(
2866
+ 'Invalid URL: missing "//" after protocol',
2867
+ AxiosError$1.ERR_INVALID_URL,
2868
+ config
2869
+ );
2870
+ }
2871
+ }
2872
+
2707
2873
  /**
2708
2874
  * Creates a new URL by combining the baseURL with the requestedURL,
2709
2875
  * only when the requestedURL is not already an absolute URL.
@@ -2714,9 +2880,11 @@ function combineURLs(baseURL, relativeURL) {
2714
2880
  *
2715
2881
  * @returns {string} The combined full path
2716
2882
  */
2717
- function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
2883
+ function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls, config) {
2884
+ assertValidHttpProtocolURL(requestedURL, config);
2718
2885
  let isRelativeUrl = !isAbsoluteURL(requestedURL);
2719
2886
  if (baseURL && (isRelativeUrl || allowAbsoluteUrls === false)) {
2887
+ assertValidHttpProtocolURL(baseURL, config);
2720
2888
  return combineURLs(baseURL, requestedURL);
2721
2889
  }
2722
2890
  return requestedURL;
@@ -2735,6 +2903,7 @@ const headersToObject = (thing) => (thing instanceof AxiosHeaders$1 ? { ...thing
2735
2903
  */
2736
2904
  function mergeConfig$1(config1, config2) {
2737
2905
  // eslint-disable-next-line no-param-reassign
2906
+ config1 = config1 || {};
2738
2907
  config2 = config2 || {};
2739
2908
 
2740
2909
  // Use a null-prototype object so that downstream reads such as `config.auth`
@@ -2787,6 +2956,28 @@ function mergeConfig$1(config1, config2) {
2787
2956
  }
2788
2957
  }
2789
2958
 
2959
+ function getMergedTransitionalOption(prop) {
2960
+ const transitional2 = utils$1.hasOwnProp(config2, 'transitional') ? config2.transitional : undefined;
2961
+
2962
+ if (!utils$1.isUndefined(transitional2)) {
2963
+ if (utils$1.isPlainObject(transitional2)) {
2964
+ if (utils$1.hasOwnProp(transitional2, prop)) {
2965
+ return transitional2[prop];
2966
+ }
2967
+ } else {
2968
+ return undefined;
2969
+ }
2970
+ }
2971
+
2972
+ const transitional1 = utils$1.hasOwnProp(config1, 'transitional') ? config1.transitional : undefined;
2973
+
2974
+ if (utils$1.isPlainObject(transitional1) && utils$1.hasOwnProp(transitional1, prop)) {
2975
+ return transitional1[prop];
2976
+ }
2977
+
2978
+ return undefined;
2979
+ }
2980
+
2790
2981
  // eslint-disable-next-line consistent-return
2791
2982
  function mergeDirectKeys(a, b, prop) {
2792
2983
  if (utils$1.hasOwnProp(config2, prop)) {
@@ -2839,6 +3030,18 @@ function mergeConfig$1(config1, config2) {
2839
3030
  (utils$1.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
2840
3031
  });
2841
3032
 
3033
+ if (
3034
+ utils$1.hasOwnProp(config2, 'validateStatus') &&
3035
+ utils$1.isUndefined(config2.validateStatus) &&
3036
+ getMergedTransitionalOption('validateStatusUndefinedResolves') === false
3037
+ ) {
3038
+ if (utils$1.hasOwnProp(config1, 'validateStatus')) {
3039
+ config.validateStatus = getMergedValue(undefined, config1.validateStatus);
3040
+ } else {
3041
+ delete config.validateStatus;
3042
+ }
3043
+ }
3044
+
2842
3045
  return config;
2843
3046
  }
2844
3047
 
@@ -2850,7 +3053,7 @@ function setFormDataHeaders(headers, formHeaders, policy) {
2850
3053
  return;
2851
3054
  }
2852
3055
 
2853
- Object.entries(formHeaders).forEach(([key, val]) => {
3056
+ Object.entries(formHeaders || {}).forEach(([key, val]) => {
2854
3057
  if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) {
2855
3058
  headers.set(key, val);
2856
3059
  }
@@ -2890,18 +3093,24 @@ function resolveConfig(config) {
2890
3093
  newConfig.headers = headers = AxiosHeaders$1.from(headers);
2891
3094
 
2892
3095
  newConfig.url = buildURL(
2893
- buildFullPath(baseURL, url, allowAbsoluteUrls),
3096
+ buildFullPath(baseURL, url, allowAbsoluteUrls, newConfig),
2894
3097
  own('params'),
2895
3098
  own('paramsSerializer')
2896
3099
  );
2897
3100
 
2898
3101
  // HTTP basic authentication
2899
3102
  if (auth) {
2900
- headers.set(
2901
- 'Authorization',
2902
- 'Basic ' +
2903
- btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8$1(auth.password) : ''))
2904
- );
3103
+ const username = utils$1.getSafeProp(auth, 'username') || '';
3104
+ const password = utils$1.getSafeProp(auth, 'password') || '';
3105
+
3106
+ try {
3107
+ headers.set(
3108
+ 'Authorization',
3109
+ 'Basic ' + btoa(username + ':' + (password ? encodeUTF8$1(password) : ''))
3110
+ );
3111
+ } catch (e) {
3112
+ throw AxiosError$1.from(e, AxiosError$1.ERR_BAD_OPTION_VALUE, config);
3113
+ }
2905
3114
  }
2906
3115
 
2907
3116
  if (utils$1.isFormData(data)) {
@@ -3152,6 +3361,7 @@ var xhrAdapter = isXHRAdapterSupported &&
3152
3361
  config
3153
3362
  )
3154
3363
  );
3364
+ done();
3155
3365
  return;
3156
3366
  }
3157
3367
 
@@ -3203,7 +3413,7 @@ const composeSignals = (signals, timeout) => {
3203
3413
  signals = null;
3204
3414
  };
3205
3415
 
3206
- signals.forEach((signal) => signal.addEventListener('abort', onabort));
3416
+ signals.forEach((signal) => signal.addEventListener('abort', onabort, { once: true }));
3207
3417
 
3208
3418
  const { signal } = controller;
3209
3419
 
@@ -3306,11 +3516,19 @@ const trackStream = (stream, chunkSize, onProgress, onFinish) => {
3306
3516
  * Estimate decoded byte length of a data:// URL *without* allocating large buffers.
3307
3517
  * - For base64: compute exact decoded size using length and padding;
3308
3518
  * handle %XX at the character-count level (no string allocation).
3309
- * - For non-base64: use UTF-8 byteLength of the encoded body as a safe upper bound.
3519
+ * - For non-base64: compute the exact percent-decoded UTF-8 byte length.
3310
3520
  *
3311
3521
  * @param {string} url
3312
3522
  * @returns {number}
3313
3523
  */
3524
+ const isHexDigit = (charCode) =>
3525
+ (charCode >= 48 && charCode <= 57) ||
3526
+ (charCode >= 65 && charCode <= 70) ||
3527
+ (charCode >= 97 && charCode <= 102);
3528
+
3529
+ const isPercentEncodedByte = (str, i, len) =>
3530
+ i + 2 < len && isHexDigit(str.charCodeAt(i + 1)) && isHexDigit(str.charCodeAt(i + 2));
3531
+
3314
3532
  function estimateDataURLDecodedBytes(url) {
3315
3533
  if (!url || typeof url !== 'string') return 0;
3316
3534
  if (!url.startsWith('data:')) return 0;
@@ -3330,9 +3548,7 @@ function estimateDataURLDecodedBytes(url) {
3330
3548
  if (body.charCodeAt(i) === 37 /* '%' */ && i + 2 < len) {
3331
3549
  const a = body.charCodeAt(i + 1);
3332
3550
  const b = body.charCodeAt(i + 2);
3333
- const isHex =
3334
- ((a >= 48 && a <= 57) || (a >= 65 && a <= 70) || (a >= 97 && a <= 102)) &&
3335
- ((b >= 48 && b <= 57) || (b >= 65 && b <= 70) || (b >= 97 && b <= 102));
3551
+ const isHex = isHexDigit(a) && isHexDigit(b);
3336
3552
 
3337
3553
  if (isHex) {
3338
3554
  effectiveLen -= 2;
@@ -3373,18 +3589,17 @@ function estimateDataURLDecodedBytes(url) {
3373
3589
  return bytes > 0 ? bytes : 0;
3374
3590
  }
3375
3591
 
3376
- if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
3377
- return Buffer.byteLength(body, 'utf8');
3378
- }
3379
-
3380
3592
  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
3381
3593
  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
3382
- // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
3383
- // but 3 UTF-8 bytes).
3594
+ // Valid %XX triplets count as one decoded byte; this matches the bytes that
3595
+ // decodeURIComponent(body) would produce before Buffer re-encodes the string.
3384
3596
  let bytes = 0;
3385
3597
  for (let i = 0, len = body.length; i < len; i++) {
3386
3598
  const c = body.charCodeAt(i);
3387
- if (c < 0x80) {
3599
+ if (c === 37 /* '%' */ && isPercentEncodedByte(body, i, len)) {
3600
+ bytes += 1;
3601
+ i += 2;
3602
+ } else if (c < 0x80) {
3388
3603
  bytes += 1;
3389
3604
  } else if (c < 0x800) {
3390
3605
  bytes += 2;
@@ -3403,7 +3618,7 @@ function estimateDataURLDecodedBytes(url) {
3403
3618
  return bytes;
3404
3619
  }
3405
3620
 
3406
- const VERSION$1 = "1.17.0";
3621
+ const VERSION$1 = "1.18.1";
3407
3622
 
3408
3623
  const DEFAULT_CHUNK_SIZE = 64 * 1024;
3409
3624
 
@@ -3624,14 +3839,28 @@ const factory = (env) => {
3624
3839
 
3625
3840
  let requestContentLength;
3626
3841
 
3842
+ // AxiosError we raise while the request body is being streamed. Captured
3843
+ // by identity so the catch block can surface it directly, regardless of
3844
+ // how the runtime wraps the resulting fetch rejection (undici exposes it
3845
+ // as `err.cause`; some browsers drop the original error entirely).
3846
+ let pendingBodyError = null;
3847
+
3848
+ const maxBodyLengthError = () =>
3849
+ new AxiosError$1(
3850
+ 'Request body larger than maxBodyLength limit',
3851
+ AxiosError$1.ERR_BAD_REQUEST,
3852
+ config,
3853
+ request
3854
+ );
3855
+
3627
3856
  try {
3628
3857
  // HTTP basic authentication
3629
3858
  let auth = undefined;
3630
3859
  const configAuth = own('auth');
3631
3860
 
3632
3861
  if (configAuth) {
3633
- const username = configAuth.username || '';
3634
- const password = configAuth.password || '';
3862
+ const username = utils$1.getSafeProp(configAuth, 'username') || '';
3863
+ const password = utils$1.getSafeProp(configAuth, 'password') || '';
3635
3864
  auth = {
3636
3865
  username,
3637
3866
  password
@@ -3680,53 +3909,96 @@ const factory = (env) => {
3680
3909
  }
3681
3910
  }
3682
3911
 
3683
- // Enforce maxBodyLength against the outbound request body before dispatch.
3684
- // Mirrors http.js behavior (ERR_BAD_REQUEST / 'Request body larger than
3685
- // maxBodyLength limit'). Skip when the body length cannot be determined
3686
- // (e.g. a live ReadableStream supplied by the caller).
3912
+ // Enforce maxBodyLength against known-size bodies before dispatch using
3913
+ // the body's *actual* size never a caller-declared Content-Length,
3914
+ // which could under-report to slip an oversized body past the check.
3915
+ // Unknown-size streams return undefined here and are counted per-chunk
3916
+ // below as fetch consumes them.
3687
3917
  if (hasMaxBodyLength && method !== 'get' && method !== 'head') {
3688
- const outboundLength = await resolveBodyLength(headers, data);
3689
- if (
3690
- typeof outboundLength === 'number' &&
3691
- isFinite(outboundLength) &&
3692
- outboundLength > maxBodyLength
3693
- ) {
3694
- throw new AxiosError$1(
3695
- 'Request body larger than maxBodyLength limit',
3696
- AxiosError$1.ERR_BAD_REQUEST,
3697
- config,
3698
- request
3699
- );
3918
+ const outboundLength = await getBodyLength(data);
3919
+ if (typeof outboundLength === 'number' && isFinite(outboundLength)) {
3920
+ requestContentLength = outboundLength;
3921
+ if (outboundLength > maxBodyLength) {
3922
+ throw maxBodyLengthError();
3923
+ }
3700
3924
  }
3701
3925
  }
3702
3926
 
3927
+ // A streamed body under maxBodyLength must be counted as fetch consumes
3928
+ // it; its size is never trusted from a caller-declared Content-Length.
3929
+ const mustEnforceStreamBody =
3930
+ hasMaxBodyLength && (utils$1.isReadableStream(data) || utils$1.isStream(data));
3931
+
3932
+ const trackRequestStream = (stream, onProgress, flush) =>
3933
+ trackStream(
3934
+ stream,
3935
+ DEFAULT_CHUNK_SIZE,
3936
+ (loadedBytes) => {
3937
+ if (hasMaxBodyLength && loadedBytes > maxBodyLength) {
3938
+ throw (pendingBodyError = maxBodyLengthError());
3939
+ }
3940
+ onProgress && onProgress(loadedBytes);
3941
+ },
3942
+ flush
3943
+ );
3944
+
3703
3945
  if (
3704
- onUploadProgress &&
3705
3946
  supportsRequestStream &&
3706
3947
  method !== 'get' &&
3707
3948
  method !== 'head' &&
3708
- (requestContentLength = await resolveBodyLength(headers, data)) !== 0
3949
+ (onUploadProgress || mustEnforceStreamBody)
3709
3950
  ) {
3710
- let _request = new Request(url, {
3711
- method: 'POST',
3712
- body: data,
3713
- duplex: 'half',
3714
- });
3951
+ requestContentLength =
3952
+ requestContentLength == null ? await resolveBodyLength(headers, data) : requestContentLength;
3953
+
3954
+ // A declared length of 0 is only trusted to skip the wrap when we are
3955
+ // not enforcing a stream limit (which must not rely on that header).
3956
+ if (requestContentLength !== 0 || mustEnforceStreamBody) {
3957
+ let _request = new Request(url, {
3958
+ method: 'POST',
3959
+ body: data,
3960
+ duplex: 'half',
3961
+ });
3715
3962
 
3716
- let contentTypeHeader;
3963
+ let contentTypeHeader;
3717
3964
 
3718
- if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
3719
- headers.setContentType(contentTypeHeader);
3720
- }
3965
+ if (utils$1.isFormData(data) && (contentTypeHeader = _request.headers.get('content-type'))) {
3966
+ headers.setContentType(contentTypeHeader);
3967
+ }
3721
3968
 
3722
- if (_request.body) {
3723
- const [onProgress, flush] = progressEventDecorator(
3724
- requestContentLength,
3725
- progressEventReducer(asyncDecorator(onUploadProgress))
3726
- );
3969
+ if (_request.body) {
3970
+ const [onProgress, flush] =
3971
+ (onUploadProgress &&
3972
+ progressEventDecorator(
3973
+ requestContentLength,
3974
+ progressEventReducer(asyncDecorator(onUploadProgress))
3975
+ )) ||
3976
+ [];
3727
3977
 
3728
- data = trackStream(_request.body, DEFAULT_CHUNK_SIZE, onProgress, flush);
3978
+ data = trackRequestStream(_request.body, onProgress, flush);
3979
+ }
3729
3980
  }
3981
+ } else if (
3982
+ mustEnforceStreamBody &&
3983
+ !isRequestSupported &&
3984
+ isReadableStreamSupported &&
3985
+ method !== 'get' &&
3986
+ method !== 'head'
3987
+ ) {
3988
+ data = trackRequestStream(data);
3989
+ } else if (
3990
+ mustEnforceStreamBody &&
3991
+ isRequestSupported &&
3992
+ !supportsRequestStream &&
3993
+ method !== 'get' &&
3994
+ method !== 'head'
3995
+ ) {
3996
+ throw new AxiosError$1(
3997
+ 'Stream request bodies are not supported by the current fetch implementation',
3998
+ AxiosError$1.ERR_NOT_SUPPORT,
3999
+ config,
4000
+ request
4001
+ );
3730
4002
  }
3731
4003
 
3732
4004
  if (!utils$1.isString(withCredentials)) {
@@ -3769,10 +4041,12 @@ const factory = (env) => {
3769
4041
  ? _fetch(request, fetchOptions)
3770
4042
  : _fetch(url, resolvedOptions));
3771
4043
 
4044
+ const responseHeaders = AxiosHeaders$1.from(response.headers);
4045
+
3772
4046
  // Cheap pre-check: if the server honestly declares a content-length that
3773
4047
  // already exceeds the cap, reject before we start streaming.
3774
4048
  if (hasMaxContentLength) {
3775
- const declaredLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
4049
+ const declaredLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
3776
4050
  if (declaredLength != null && declaredLength > maxContentLength) {
3777
4051
  throw new AxiosError$1(
3778
4052
  'maxContentLength size of ' + maxContentLength + ' exceeded',
@@ -3797,7 +4071,7 @@ const factory = (env) => {
3797
4071
  options[prop] = response[prop];
3798
4072
  });
3799
4073
 
3800
- const responseContentLength = utils$1.toFiniteNumber(response.headers.get('content-length'));
4074
+ const responseContentLength = utils$1.toFiniteNumber(responseHeaders.getContentLength());
3801
4075
 
3802
4076
  const [onProgress, flush] =
3803
4077
  (onDownloadProgress &&
@@ -3888,23 +4162,55 @@ const factory = (env) => {
3888
4162
  const canceledError = composedSignal.reason;
3889
4163
  canceledError.config = config;
3890
4164
  request && (canceledError.request = request);
3891
- err !== canceledError && (canceledError.cause = err);
4165
+ if (err !== canceledError) {
4166
+ // Non-enumerable to match native Error `cause` semantics so loggers
4167
+ // don't recurse into circular fetch internals (see #7205).
4168
+ Object.defineProperty(canceledError, 'cause', {
4169
+ __proto__: null,
4170
+ value: err,
4171
+ writable: true,
4172
+ enumerable: false,
4173
+ configurable: true,
4174
+ });
4175
+ }
3892
4176
  throw canceledError;
3893
4177
  }
3894
4178
 
4179
+ // Surface a maxBodyLength violation we raised while the request body was
4180
+ // being streamed. Matching by identity (rather than reading
4181
+ // `err.cause.isAxiosError`) keeps the error deterministic across runtimes
4182
+ // and avoids both prototype-pollution reads and mis-attributing a foreign
4183
+ // AxiosError that merely happened to land in `err.cause`.
4184
+ if (pendingBodyError) {
4185
+ request && !pendingBodyError.request && (pendingBodyError.request = request);
4186
+ throw pendingBodyError;
4187
+ }
4188
+
4189
+ // Re-throw AxiosErrors we raised synchronously (data: URL / content-length
4190
+ // pre-checks, response size enforcement) without re-wrapping them.
4191
+ if (err instanceof AxiosError$1) {
4192
+ request && !err.request && (err.request = request);
4193
+ throw err;
4194
+ }
4195
+
3895
4196
  if (err && err.name === 'TypeError' && /Load failed|fetch/i.test(err.message)) {
3896
- throw Object.assign(
3897
- new AxiosError$1(
3898
- 'Network Error',
3899
- AxiosError$1.ERR_NETWORK,
3900
- config,
3901
- request,
3902
- err && err.response
3903
- ),
3904
- {
3905
- cause: err.cause || err,
3906
- }
4197
+ const networkError = new AxiosError$1(
4198
+ 'Network Error',
4199
+ AxiosError$1.ERR_NETWORK,
4200
+ config,
4201
+ request,
4202
+ err && err.response
3907
4203
  );
4204
+ // Non-enumerable to match native Error `cause` semantics so loggers
4205
+ // don't recurse into circular fetch internals (see #7205).
4206
+ Object.defineProperty(networkError, 'cause', {
4207
+ __proto__: null,
4208
+ value: err.cause || err,
4209
+ writable: true,
4210
+ enumerable: false,
4211
+ configurable: true,
4212
+ });
4213
+ throw networkError;
3908
4214
  }
3909
4215
 
3910
4216
  throw AxiosError$1.from(err, err && err.code, config, request, err && err.response);
@@ -4042,7 +4348,7 @@ function getAdapter$1(adapters, config) {
4042
4348
 
4043
4349
  throw new AxiosError$1(
4044
4350
  `There is no suitable adapter to dispatch the request ` + s,
4045
- 'ERR_NOT_SUPPORT'
4351
+ AxiosError$1.ERR_NOT_SUPPORT
4046
4352
  );
4047
4353
  }
4048
4354
 
@@ -4223,7 +4529,7 @@ validators$1.spelling = function spelling(correctSpelling) {
4223
4529
  */
4224
4530
 
4225
4531
  function assertOptions(options, schema, allowUnknown) {
4226
- if (typeof options !== 'object') {
4532
+ if (typeof options !== 'object' || options === null) {
4227
4533
  throw new AxiosError$1('options must be an object', AxiosError$1.ERR_BAD_OPTION_VALUE);
4228
4534
  }
4229
4535
  const keys = Object.keys(options);
@@ -4347,6 +4653,7 @@ let Axios$1 = class Axios {
4347
4653
  clarifyTimeoutError: validators.transitional(validators.boolean),
4348
4654
  legacyInterceptorReqResOrdering: validators.transitional(validators.boolean),
4349
4655
  advertiseZstdAcceptEncoding: validators.transitional(validators.boolean),
4656
+ validateStatusUndefinedResolves: validators.transitional(validators.boolean),
4350
4657
  },
4351
4658
  false
4352
4659
  );
@@ -4476,7 +4783,7 @@ let Axios$1 = class Axios {
4476
4783
 
4477
4784
  getUri(config) {
4478
4785
  config = mergeConfig$1(this.defaults, config);
4479
- const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
4786
+ const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls, config);
4480
4787
  return buildURL(fullPath, config.params, config.paramsSerializer);
4481
4788
  }
4482
4789
  };
@@ -4489,7 +4796,7 @@ utils$1.forEach(['delete', 'get', 'head', 'options'], function forEachMethodNoDa
4489
4796
  mergeConfig$1(config || {}, {
4490
4797
  method,
4491
4798
  url,
4492
- data: (config || {}).data,
4799
+ data: config && utils$1.hasOwnProp(config, 'data') ? config.data : undefined,
4493
4800
  })
4494
4801
  );
4495
4802
  };