axios 1.18.0 → 1.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,37 @@
1
1
  # Changelog
2
2
 
3
+ ## v1.18.0 — June 13, 2026
4
+
5
+ This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.
6
+
7
+ ## 🔒 Security Fixes
8
+
9
+ * **Redirect Header Safety:** Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (__#10892__)
10
+
11
+ * **URL And Request Hardening:** Rejects malformed `http:` and `https:` URLs that omit `//` with `ERR_INVALID_URL`, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local `NO_PROXY` matching. (__#11000__)
12
+
13
+ ## 🐛 Bug Fixes
14
+
15
+ * **Status Validation:** Added `transitional.validateStatusUndefinedResolves` so applications can opt in to treating `validateStatus: undefined` like the option was omitted, while `validateStatus: null` remains the explicit way to accept every status. (__#10899__)
16
+
17
+ ## 🔧 Maintenance & Chores
18
+
19
+ * **Documentation:** Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the `proxy` request config as Node.js-only in the advanced docs. (__#10984__, __#10988__, __#10992__, __#10995__)
20
+
21
+ * **Dependencies:** Bumped `@babel/core`, `@babel/preset-env`, `@commitlint/cli`, `@commitlint/config-conventional`, `@rollup/plugin-babel`, `@rollup/plugin-commonjs`, `@vitest/browser`, `@vitest/browser-playwright`, `eslint`, `lint-staged`, `rollup`, `vitest`, and `actions/checkout`. (__#10989__, __#10996__, __#10997__)
22
+
23
+ * **Release Metadata:** Prepared the 1.18.0 release by updating package metadata and the runtime `VERSION` value. (__#11003__)
24
+
25
+ ## 🌟 New Contributors
26
+
27
+ We are thrilled to welcome our new contributors. Thank you for helping improve axios:
28
+
29
+ * __@drori12__ (__#10984__)
30
+ * __@eyupcanakman__ (__#10899__)
31
+ * __@Adi-Beker__ (__#10995__)
32
+
33
+ [Full Changelog](https://github.com/axios/axios/compare/v1.17.0...v1.18.0)
34
+
3
35
  ## v1.17.0 — June 1, 2026
4
36
 
5
37
  This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.
package/README.md CHANGED
@@ -298,7 +298,6 @@
298
298
  </tr>
299
299
  </table>
300
300
 
301
-
302
301
  <!--<div>marker</div>-->
303
302
 
304
303
  <br><br>
@@ -430,6 +429,12 @@ Using bun:
430
429
  $ bun add axios
431
430
  ```
432
431
 
432
+ Using Deno:
433
+
434
+ ```bash
435
+ $ deno add axios
436
+ ```
437
+
433
438
  Once the package is installed, import it with `import` or `require`:
434
439
 
435
440
  ```js
@@ -513,16 +518,16 @@ axios
513
518
  // Want to use async/await? Add the `async` keyword to your outer function/method.
514
519
  async function getUser() {
515
520
  try {
516
- // Example: GET request with query parameters
517
- const response = await axios.get('/user', {
518
- params: {
519
- ID: 12345
520
- }
521
- });
521
+ // Example: GET request with query parameters
522
+ const response = await axios.get('/user', {
523
+ params: {
524
+ ID: 12345,
525
+ },
526
+ });
522
527
 
523
- // Using the `params` option improves readability and automatically formats query strings
528
+ // Using the `params` option improves readability and automatically formats query strings
524
529
 
525
- console.log(response);
530
+ console.log(response);
526
531
  } catch (error) {
527
532
  console.error(error);
528
533
  }
@@ -770,6 +775,8 @@ These config options are available for requests. Only `url` is required. Request
770
775
 
771
776
  // `data` is the data to be sent as the request body
772
777
  // Only applicable for request methods 'PUT', 'POST', 'DELETE', and 'PATCH'
778
+ // `data` is request-specific: axios does not inherit or deep-merge it from defaults.
779
+ // To add shared body fields, use a request interceptor or transformRequest.
773
780
  // When no `transformRequest` is set, it must be of one of the following types:
774
781
  // - string, plain object, ArrayBuffer, ArrayBufferView, URLSearchParams
775
782
  // - Browser only: FormData, File, Blob
@@ -891,8 +898,11 @@ These config options are available for requests. Only `url` is required. Request
891
898
  redact: ['authorization', 'password'],
892
899
 
893
900
  // `validateStatus` defines whether to resolve or reject the promise for a given
894
- // HTTP response status code. If `validateStatus` returns `true` (or is set to `null`
895
- // or `undefined`), Axios resolves the promise; otherwise, Axios rejects it.
901
+ // HTTP response status code. If `validateStatus` returns `true` or is set to
902
+ // `null`, Axios resolves the promise; otherwise, Axios rejects it.
903
+ // Explicit `validateStatus: undefined` resolves every status by default for
904
+ // backward compatibility. Set `transitional.validateStatusUndefinedResolves`
905
+ // to `false` to make explicit `undefined` behave as if this option was omitted.
896
906
  validateStatus: function (status) {
897
907
  return status >= 200 && status < 300; // default
898
908
  },
@@ -902,9 +912,9 @@ These config options are available for requests. Only `url` is required. Request
902
912
  maxRedirects: 21, // default
903
913
 
904
914
  // `sensitiveHeaders` (Node only option) lists custom secret-bearing headers
905
- // to remove from cross-origin redirects. Matching is case-insensitive.
906
- // Same-origin redirects keep these headers. If `maxRedirects` is 0, this
907
- // option is not used.
915
+ // (such as `X-API-Key`) to remove from cross-origin redirects. Matching is
916
+ // case-insensitive. Same-origin redirects keep these headers. If
917
+ // `maxRedirects` is 0, this option is not used.
908
918
  sensitiveHeaders: ['X-API-Key'],
909
919
 
910
920
  // `beforeRedirect` defines a function that Axios calls before redirect.
@@ -966,6 +976,12 @@ These config options are available for requests. Only `url` is required. Request
966
976
  // for your proxy configuration, you can also define a `no_proxy` environment
967
977
  // variable as a comma-separated list of domains that should not be proxied.
968
978
  // Use `false` to disable proxies, ignoring environment variables.
979
+ // On Node.js versions with native environment proxy support, axios defers
980
+ // environment proxy handling to Node when the selected agent has `proxyEnv`
981
+ // enabled, including processes started with `NODE_USE_ENV_PROXY=1`,
982
+ // `--use-env-proxy`, or `NODE_OPTIONS=--use-env-proxy`. Custom agents without
983
+ // `proxyEnv` continue to use axios environment proxy resolution. Explicit
984
+ // `proxy` config is still handled by axios.
969
985
  // `auth` indicates that HTTP Basic auth should be used to connect to the proxy, and
970
986
  // supplies credentials.
971
987
  // For `http://` targets, axios sends the request to the proxy in
@@ -1042,6 +1058,11 @@ These config options are available for requests. Only `url` is required. Request
1042
1058
  // throw ETIMEDOUT error instead of generic ECONNABORTED on request timeouts
1043
1059
  clarifyTimeoutError: false,
1044
1060
 
1061
+ // keep explicit `validateStatus: undefined` resolving every response status
1062
+ // for backward compatibility. Set to false to make explicit undefined behave
1063
+ // as if validateStatus was omitted.
1064
+ validateStatusUndefinedResolves: true,
1065
+
1045
1066
  // advertise `zstd` in the default Accept-Encoding header when the current
1046
1067
  // Node.js runtime supports zstd decompression. Axios still decompresses
1047
1068
  // zstd responses when support exists and `decompress` is true.
@@ -1072,6 +1093,15 @@ These config options are available for requests. Only `url` is required. Request
1072
1093
  }
1073
1094
  ```
1074
1095
 
1096
+ For custom secret-bearing headers in Node.js, list them in `sensitiveHeaders` so Axios removes them when following a redirect to another origin:
1097
+
1098
+ ```js
1099
+ axios.get('https://api.example.com/users', {
1100
+ headers: { 'X-API-Key': 'secret' },
1101
+ sensitiveHeaders: ['X-API-Key'],
1102
+ });
1103
+ ```
1104
+
1075
1105
  ### Strict RFC 3986 percent-encoding for query params
1076
1106
 
1077
1107
  By default, axios decodes `%3A`, `%24`, `%2C` and `%20` back to `:`, `$`, `,` and `+` for readability (the `+` follows the `application/x-www-form-urlencoded` convention for spaces in query strings). These characters are valid in a query component under [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4), so the default output is correct, but some backends require strict percent-encoding and reject the readable form.
@@ -1082,12 +1112,12 @@ Override the default encoder via `paramsSerializer.encode`:
1082
1112
  // Per-request: emit strict RFC 3986 percent-encoding for query values
1083
1113
  axios.get('/foo', {
1084
1114
  params: { filter: JSON.stringify({ startedAt: '2026-01-23' }) },
1085
- paramsSerializer: { encode: encodeURIComponent }
1115
+ paramsSerializer: { encode: encodeURIComponent },
1086
1116
  });
1087
1117
 
1088
1118
  // Or set it on the instance defaults
1089
1119
  const client = axios.create({
1090
- paramsSerializer: { encode: encodeURIComponent }
1120
+ paramsSerializer: { encode: encodeURIComponent },
1091
1121
  });
1092
1122
  ```
1093
1123
 
@@ -1176,6 +1206,8 @@ instance.defaults.headers.common['Authorization'] = AUTH_TOKEN;
1176
1206
 
1177
1207
  Axios merges config in this order: library defaults from [lib/defaults/index.js](https://github.com/axios/axios/blob/main/lib/defaults/index.js#L49), the instance `defaults` property, and the request `config` argument. Later values take precedence over earlier ones.
1178
1208
 
1209
+ Some options are request-specific and are only taken from the request `config`. `data` is one of those options: axios does not inherit or deep-merge request bodies from global or instance defaults. If every request needs shared body fields, add them with a request interceptor or `transformRequest`, and scope that logic carefully so sensitive values are not sent to the wrong endpoint.
1210
+
1179
1211
  ```js
1180
1212
  // Create an instance using the config defaults provided by the library
1181
1213
  // At this point the timeout config value is `0` as is the default for the library
@@ -1369,7 +1401,7 @@ These are the internal Axios error codes:
1369
1401
  | ERR_INVALID_URL | Invalid URL provided for axios request. |
1370
1402
  | ECONNABORTED | Typically indicates that the request has been timed out (unless `transitional.clarifyTimeoutError` is set) or aborted by the browser or its plugin. |
1371
1403
  | ERR_CANCELED | The user explicitly canceled the request with an AbortSignal or CancelToken. |
1372
- | ETIMEDOUT | Request timed out after exceeding the configured Axios timeout. Set `transitional.clarifyTimeoutError` to `true`; otherwise Axios throws a generic `ECONNABORTED` error. |
1404
+ | ETIMEDOUT | Request timed out after exceeding the configured Axios timeout. Set `transitional.clarifyTimeoutError` to `true`; otherwise Axios throws a generic `ECONNABORTED` error. |
1373
1405
  | ERR_NETWORK | Network-related issue. In the browser, this error can also be caused by a [CORS](https://developer.mozilla.org/ru/docs/Web/HTTP/Guides/CORS) or [Mixed Content](https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content) policy violation. The browser does not allow the JS code to clarify the real reason for the error caused by security issues, so please check the console. |
1374
1406
  | ERR_FR_TOO_MANY_REDIRECTS | Request exceeded the configured maximum number of redirects. |
1375
1407
  | ERR_BAD_RESPONSE | Response cannot be parsed properly or is in an unexpected format. Usually related to a response with `5xx` status code. |
@@ -1410,6 +1442,19 @@ axios.get('/user/12345', {
1410
1442
  });
1411
1443
  ```
1412
1444
 
1445
+ By default, explicit `validateStatus: undefined` keeps legacy behavior and resolves every response status because `transitional.validateStatusUndefinedResolves` defaults to `true`. Set it to `false` to make explicit `validateStatus: undefined` behave like the option was omitted, so Axios uses the configured/default validator and rejects non-2xx responses by default.
1446
+
1447
+ `validateStatus: null` still accepts every response status. If you disable the transitional behavior and intentionally want all statuses to resolve, use `null` or `() => true`.
1448
+
1449
+ ```js
1450
+ axios.get('/user/12345', {
1451
+ validateStatus: undefined,
1452
+ transitional: {
1453
+ validateStatusUndefinedResolves: false,
1454
+ },
1455
+ });
1456
+ ```
1457
+
1413
1458
  Use `toJSON` to get more information about the HTTP error.
1414
1459
 
1415
1460
  ```js
@@ -1421,12 +1466,14 @@ axios.get('/user/12345').catch(function (error) {
1421
1466
  To avoid logging secrets from `error.config`, pass a `redact` array in the request config. Matching config keys are masked case-insensitively at any depth when `AxiosError#toJSON()` is called.
1422
1467
 
1423
1468
  ```js
1424
- axios.get('/user/12345', {
1425
- headers: { Authorization: 'Bearer token' },
1426
- redact: ['authorization']
1427
- }).catch(function (error) {
1428
- console.log(error.toJSON().config.headers.Authorization); // [REDACTED ****]
1429
- });
1469
+ axios
1470
+ .get('/user/12345', {
1471
+ headers: { Authorization: 'Bearer token' },
1472
+ redact: ['authorization'],
1473
+ })
1474
+ .catch(function (error) {
1475
+ console.log(error.toJSON().config.headers.Authorization); // [REDACTED ****]
1476
+ });
1430
1477
  ```
1431
1478
 
1432
1479
  ## Handling timeouts
@@ -1536,11 +1583,44 @@ axios.get('/user/12345', {
1536
1583
  cancel();
1537
1584
  ```
1538
1585
 
1586
+ `CancelToken` also exposes low-level helpers for legacy integrations:
1587
+
1588
+ ```js
1589
+ const source = axios.CancelToken.source();
1590
+
1591
+ const listener = (cancel) => {
1592
+ console.log(cancel.message);
1593
+ };
1594
+
1595
+ source.token.subscribe(listener);
1596
+
1597
+ const signal = source.token.toAbortSignal();
1598
+ // Pass `signal` to APIs that accept AbortSignal.
1599
+
1600
+ source.cancel('Operation canceled by the user.');
1601
+ source.token.unsubscribe(listener);
1602
+ ```
1603
+
1604
+ Canceled requests reject with `axios.CanceledError`. The legacy `axios.Cancel` export is an alias of `axios.CanceledError`, and cancellation errors include `__CANCEL__` for `axios.isCancel` compatibility.
1605
+
1539
1606
  > Note: You can cancel several requests with the same cancel token or abort controller.
1540
1607
  > If a cancellation token is already cancelled when an Axios request starts, Axios cancels the request immediately without making a real request.
1541
1608
 
1542
1609
  > During the transition period, you can use both cancellation APIs, even for the same request:
1543
1610
 
1611
+ ```js
1612
+ const controller = new AbortController();
1613
+ const source = axios.CancelToken.source();
1614
+
1615
+ axios.get('/user/12345', {
1616
+ cancelToken: source.token,
1617
+ signal: controller.signal,
1618
+ });
1619
+
1620
+ controller.abort();
1621
+ source.cancel('Operation canceled by the user.');
1622
+ ```
1623
+
1544
1624
  ## Using `application/x-www-form-urlencoded` format
1545
1625
 
1546
1626
  ### URLSearchParams
@@ -1742,6 +1822,9 @@ FormData serializer supports additional options via `config.formSerializer: obje
1742
1822
  input object exceeds this depth, an `AxiosError` with `code: 'ERR_FORM_DATA_DEPTH_EXCEEDED'` is
1743
1823
  thrown instead of overflowing the call stack. This protects server applications from DoS
1744
1824
  attacks via deeply nested payloads. Set to `Infinity` to disable the limit and restore pre-fix behaviour.
1825
+ - `Blob: typeof Blob` - Blob constructor used when converting ArrayBuffer-like values for spec-compliant
1826
+ `FormData`. Override it only for runtimes that provide a compatible `Blob` constructor under a
1827
+ different binding.
1745
1828
 
1746
1829
  ```js
1747
1830
  // Raise the limit for a schema that genuinely nests deeper than 100 levels:
@@ -2068,6 +2151,7 @@ console.log(headers);
2068
2151
  set(headerName, value: Axios, rewrite?: boolean);
2069
2152
  set(headerName, value, rewrite?: (this: AxiosHeaders, value: string, name: string, headers: RawAxiosHeaders) => boolean);
2070
2153
  set(headers?: RawAxiosHeaders | AxiosHeaders | string, rewrite?: boolean);
2154
+ set(headers?: Iterable<[string, AxiosHeaderValue]>, rewrite?: boolean);
2071
2155
  ```
2072
2156
 
2073
2157
  The `rewrite` argument controls the overwriting behavior:
@@ -2080,6 +2164,19 @@ The option can also accept a user-defined function that determines whether to ov
2080
2164
 
2081
2165
  Empty or whitespace-only header names are ignored.
2082
2166
 
2167
+ Iterable key/value pairs, such as a `Map`, are accepted:
2168
+
2169
+ ```js
2170
+ const headers = new AxiosHeaders();
2171
+
2172
+ headers.set(
2173
+ new Map([
2174
+ ['X-Trace-Id', 'abc123'],
2175
+ ['Accept', 'application/json'],
2176
+ ])
2177
+ );
2178
+ ```
2179
+
2083
2180
  Returns `this`.
2084
2181
 
2085
2182
  ### AxiosHeaders#get(header)
@@ -2200,6 +2297,14 @@ toJSON(asStrings?: false): Record<string, string | string[]>;
2200
2297
  Resolves all internal header values into a new null prototype object.
2201
2298
  Set `asStrings` to true to resolve arrays as a string containing all elements, separated by commas.
2202
2299
 
2300
+ ### AxiosHeaders#toString()
2301
+
2302
+ ```
2303
+ toString(): string;
2304
+ ```
2305
+
2306
+ Returns the headers as a CRLF-free HTTP header block, one `name: value` pair per line.
2307
+
2203
2308
  ### AxiosHeaders.from(thing?)
2204
2309
 
2205
2310
  ```
package/dist/axios.js CHANGED
@@ -1,4 +1,4 @@
1
- /*! Axios v1.18.0 Copyright (c) 2026 Matt Zabriskie and contributors */
1
+ /*! Axios v1.18.1 Copyright (c) 2026 Matt Zabriskie and contributors */
2
2
  (function (global, factory) {
3
3
  typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
4
4
  typeof define === 'function' && define.amd ? define(factory) :
@@ -2040,7 +2040,19 @@
2040
2040
  key: "from",
2041
2041
  value: function from(error, code, config, request, response, customProps) {
2042
2042
  var axiosError = new AxiosError(error.message, code || error.code, config, request, response);
2043
- axiosError.cause = error;
2043
+ // Match native `Error` `cause` semantics: non-enumerable. The wrapped
2044
+ // error often carries circular internals (sockets, requests, agents), so
2045
+ // an enumerable `cause` makes structured loggers (pino/winston) and any
2046
+ // own-property walk throw "Converting circular structure to JSON".
2047
+ // Regression from #6982; see #7205. `__proto__: null` mirrors the
2048
+ // `message` descriptor below (prototype-pollution-safe descriptor).
2049
+ Object.defineProperty(axiosError, 'cause', {
2050
+ __proto__: null,
2051
+ value: error,
2052
+ writable: true,
2053
+ enumerable: false,
2054
+ configurable: true
2055
+ });
2044
2056
  axiosError.name = error.name;
2045
2057
 
2046
2058
  // Preserve status from the original error if not already set from response
@@ -2192,7 +2204,13 @@
2192
2204
  throw new AxiosError('Blob is not supported. Use a Buffer instead.');
2193
2205
  }
2194
2206
  if (utils$1.isArrayBuffer(value) || utils$1.isTypedArray(value)) {
2195
- return useBlob && typeof Blob === 'function' ? new Blob([value]) : Buffer.from(value);
2207
+ if (useBlob && typeof _Blob === 'function') {
2208
+ return new _Blob([value]);
2209
+ }
2210
+ if (typeof Buffer !== 'undefined') {
2211
+ return Buffer.from(value);
2212
+ }
2213
+ throw new AxiosError('Blob is not supported. Use a Buffer instead.', AxiosError.ERR_NOT_SUPPORT);
2196
2214
  }
2197
2215
  return value;
2198
2216
  }
@@ -2325,8 +2343,9 @@
2325
2343
  this._pairs.push([name, value]);
2326
2344
  };
2327
2345
  prototype.toString = function toString(encoder) {
2346
+ var _this = this;
2328
2347
  var _encode = encoder ? function (value) {
2329
- return encoder.call(this, value, encode$1);
2348
+ return encoder.call(_this, value, encode$1);
2330
2349
  } : encode$1;
2331
2350
  return this._pairs.map(function each(pair) {
2332
2351
  return _encode(pair[0]) + '=' + _encode(pair[1]);
@@ -2358,6 +2377,7 @@
2358
2377
  if (!params) {
2359
2378
  return url;
2360
2379
  }
2380
+ url = url || '';
2361
2381
  var _options = utils$1.isFunction(options) ? {
2362
2382
  serialize: options
2363
2383
  } : options;
@@ -3005,7 +3025,11 @@
3005
3025
  var cookie = cookies[i].replace(/^\s+/, '');
3006
3026
  var eq = cookie.indexOf('=');
3007
3027
  if (eq !== -1 && cookie.slice(0, eq) === name) {
3008
- return decodeURIComponent(cookie.slice(eq + 1));
3028
+ try {
3029
+ return decodeURIComponent(cookie.slice(eq + 1));
3030
+ } catch (e) {
3031
+ return cookie.slice(eq + 1);
3032
+ }
3009
3033
  }
3010
3034
  }
3011
3035
  return null;
@@ -3105,6 +3129,7 @@
3105
3129
  */
3106
3130
  function mergeConfig(config1, config2) {
3107
3131
  // eslint-disable-next-line no-param-reassign
3132
+ config1 = config1 || {};
3108
3133
  config2 = config2 || {};
3109
3134
 
3110
3135
  // Use a null-prototype object so that downstream reads such as `config.auth`
@@ -3240,7 +3265,7 @@
3240
3265
  headers.set(formHeaders);
3241
3266
  return;
3242
3267
  }
3243
- Object.entries(formHeaders).forEach(function (_ref) {
3268
+ Object.entries(formHeaders || {}).forEach(function (_ref) {
3244
3269
  var _ref2 = _slicedToArray(_ref, 2),
3245
3270
  key = _ref2[0],
3246
3271
  val = _ref2[1];
@@ -3287,7 +3312,11 @@
3287
3312
  if (auth) {
3288
3313
  var username = utils$1.getSafeProp(auth, 'username') || '';
3289
3314
  var password = utils$1.getSafeProp(auth, 'password') || '';
3290
- headers.set('Authorization', 'Basic ' + btoa(username + ':' + (password ? encodeUTF8$1(password) : '')));
3315
+ try {
3316
+ headers.set('Authorization', 'Basic ' + btoa(username + ':' + (password ? encodeUTF8$1(password) : '')));
3317
+ } catch (e) {
3318
+ throw AxiosError.from(e, AxiosError.ERR_BAD_OPTION_VALUE, config);
3319
+ }
3291
3320
  }
3292
3321
  if (utils$1.isFormData(data)) {
3293
3322
  if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv || utils$1.isReactNative(data)) {
@@ -3492,6 +3521,7 @@
3492
3521
  var protocol = parseProtocol(_config.url);
3493
3522
  if (protocol && !platform.protocols.includes(protocol)) {
3494
3523
  reject(new AxiosError('Unsupported protocol ' + protocol + ':', AxiosError.ERR_BAD_REQUEST, config));
3524
+ done();
3495
3525
  return;
3496
3526
  }
3497
3527
 
@@ -3531,7 +3561,9 @@
3531
3561
  signals = null;
3532
3562
  };
3533
3563
  signals.forEach(function (signal) {
3534
- return signal.addEventListener('abort', onabort);
3564
+ return signal.addEventListener('abort', onabort, {
3565
+ once: true
3566
+ });
3535
3567
  });
3536
3568
  var signal = controller.signal;
3537
3569
  signal.unsubscribe = function () {
@@ -3841,7 +3873,7 @@
3841
3873
  return bytes;
3842
3874
  }
3843
3875
 
3844
- var VERSION = "1.18.0";
3876
+ var VERSION = "1.18.1";
3845
3877
 
3846
3878
  var DEFAULT_CHUNK_SIZE = 64 * 1024;
3847
3879
  var isFunction = utils$1.isFunction;
@@ -4045,7 +4077,7 @@
4045
4077
  }();
4046
4078
  return /*#__PURE__*/function () {
4047
4079
  var _ref4 = _asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee4(config) {
4048
- var _resolveConfig, url, method, data, signal, cancelToken, timeout, onDownloadProgress, onUploadProgress, responseType, headers, _resolveConfig$withCr, withCredentials, fetchOptions, maxContentLength, maxBodyLength, hasMaxContentLength, hasMaxBodyLength, own, _fetch, composedSignal, request, unsubscribe, requestContentLength, pendingBodyError, maxBodyLengthError, auth, configAuth, username, password, parsedURL, urlUsername, urlPassword, estimated, outboundLength, mustEnforceStreamBody, trackRequestStream, _request, contentTypeHeader, _ref5, _ref6, onProgress, flush, isCredentialsSupported, contentType, resolvedOptions, response, responseHeaders, declaredLength, isStreamResponse, options, responseContentLength, _ref7, _ref8, _onProgress, _flush, bytesRead, onChunkProgress, responseData, materializedSize, canceledError, _t3, _t4;
4080
+ var _resolveConfig, url, method, data, signal, cancelToken, timeout, onDownloadProgress, onUploadProgress, responseType, headers, _resolveConfig$withCr, withCredentials, fetchOptions, maxContentLength, maxBodyLength, hasMaxContentLength, hasMaxBodyLength, own, _fetch, composedSignal, request, unsubscribe, requestContentLength, pendingBodyError, maxBodyLengthError, auth, configAuth, username, password, parsedURL, urlUsername, urlPassword, estimated, outboundLength, mustEnforceStreamBody, trackRequestStream, _request, contentTypeHeader, _ref5, _ref6, onProgress, flush, isCredentialsSupported, contentType, resolvedOptions, response, responseHeaders, declaredLength, isStreamResponse, options, responseContentLength, _ref7, _ref8, _onProgress, _flush, bytesRead, onChunkProgress, responseData, materializedSize, canceledError, networkError, _t3, _t4;
4049
4081
  return _regenerator().w(function (_context4) {
4050
4082
  while (1) switch (_context4.p = _context4.n) {
4051
4083
  case 0:
@@ -4317,7 +4349,17 @@
4317
4349
  canceledError = composedSignal.reason;
4318
4350
  canceledError.config = config;
4319
4351
  request && (canceledError.request = request);
4320
- _t4 !== canceledError && (canceledError.cause = _t4);
4352
+ if (_t4 !== canceledError) {
4353
+ // Non-enumerable to match native Error `cause` semantics so loggers
4354
+ // don't recurse into circular fetch internals (see #7205).
4355
+ Object.defineProperty(canceledError, 'cause', {
4356
+ __proto__: null,
4357
+ value: _t4,
4358
+ writable: true,
4359
+ enumerable: false,
4360
+ configurable: true
4361
+ });
4362
+ }
4321
4363
  throw canceledError;
4322
4364
  case 17:
4323
4365
  if (!pendingBodyError) {
@@ -4338,9 +4380,16 @@
4338
4380
  _context4.n = 20;
4339
4381
  break;
4340
4382
  }
4341
- throw Object.assign(new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, _t4 && _t4.response), {
4342
- cause: _t4.cause || _t4
4383
+ networkError = new AxiosError('Network Error', AxiosError.ERR_NETWORK, config, request, _t4 && _t4.response); // Non-enumerable to match native Error `cause` semantics so loggers
4384
+ // don't recurse into circular fetch internals (see #7205).
4385
+ Object.defineProperty(networkError, 'cause', {
4386
+ __proto__: null,
4387
+ value: _t4.cause || _t4,
4388
+ writable: true,
4389
+ enumerable: false,
4390
+ configurable: true
4343
4391
  });
4392
+ throw networkError;
4344
4393
  case 20:
4345
4394
  throw AxiosError.from(_t4, _t4 && _t4.code, config, request, _t4 && _t4.response);
4346
4395
  case 21:
@@ -4472,7 +4521,7 @@
4472
4521
  return "adapter ".concat(id, " ") + (state === false ? 'is not supported by the environment' : 'is not available in the build');
4473
4522
  });
4474
4523
  var s = length ? reasons.length > 1 ? 'since :\n' + reasons.map(renderReason).join('\n') : ' ' + renderReason(reasons[0]) : 'as no adapter specified';
4475
- throw new AxiosError("There is no suitable adapter to dispatch the request " + s, 'ERR_NOT_SUPPORT');
4524
+ throw new AxiosError("There is no suitable adapter to dispatch the request " + s, AxiosError.ERR_NOT_SUPPORT);
4476
4525
  }
4477
4526
  return adapter;
4478
4527
  }
@@ -4615,7 +4664,7 @@
4615
4664
  */
4616
4665
 
4617
4666
  function assertOptions(options, schema, allowUnknown) {
4618
- if (_typeof(options) !== 'object') {
4667
+ if (_typeof(options) !== 'object' || options === null) {
4619
4668
  throw new AxiosError('options must be an object', AxiosError.ERR_BAD_OPTION_VALUE);
4620
4669
  }
4621
4670
  var keys = Object.keys(options);