npm - axios - Versions diffs - 1.6.1 → 1.6.3 - Mend

axios 1.6.1 → 1.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of axios might be problematic. Click here for more details.

Files changed (23) hide show

package/CHANGELOG.md +44 -0
package/README.md +19 -7
package/dist/axios.js +39 -48
package/dist/axios.js.map +1 -1
package/dist/axios.min.js +1 -1
package/dist/axios.min.js.map +1 -1
package/dist/browser/axios.cjs +43 -48
package/dist/browser/axios.cjs.map +1 -1
package/dist/esm/axios.js +43 -48
package/dist/esm/axios.js.map +1 -1
package/dist/esm/axios.min.js +1 -1
package/dist/esm/axios.min.js.map +1 -1
package/dist/node/axios.cjs +43 -48
package/dist/node/axios.cjs.map +1 -1
package/index.d.cts +1 -0
package/index.d.ts +1 -0
package/lib/adapters/xhr.js +10 -7
package/lib/core/mergeConfig.js +1 -0
package/lib/env/data.js +1 -1
package/lib/helpers/combineURLs.js +1 -1
package/lib/helpers/cookies.js +37 -47
package/lib/helpers/isURLSameOrigin.js +1 -1
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,40 @@
 # Changelog
+## [1.6.3](https://github.com/axios/axios/compare/v1.6.2...v1.6.3) (2023-12-26)
+### Bug Fixes
+* Regular Expression Denial of Service (ReDoS) ([#6132](https://github.com/axios/axios/issues/6132)) ([5e7ad38](https://github.com/axios/axios/commit/5e7ad38fb0f819fceb19fb2ee5d5d38f56aa837d))
+### Contributors to this release
+- <img src="https://avatars.githubusercontent.com/u/4814473?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Jay](https://github.com/jasonsaayman "+15/-6 (#6145 )")
+- <img src="https://avatars.githubusercontent.com/u/22686401?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Willian Agostini](https://github.com/WillianAgostini "+17/-2 (#6132 )")
+- <img src="https://avatars.githubusercontent.com/u/12586868?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS "+3/-0 (#6084 )")
+## [1.6.2](https://github.com/axios/axios/compare/v1.6.1...v1.6.2) (2023-11-14)
+### Features
+* **withXSRFToken:** added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ([#6046](https://github.com/axios/axios/issues/6046)) ([cff9967](https://github.com/axios/axios/commit/cff996779b272a5e94c2b52f5503ccf668bc42dc))
+### PRs
+- feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old &#x60;withCredentials&#x60; behavior; ( [#6046](https://api.github.com/repos/axios/axios/pulls/6046) )
+```
+📢 This PR added &#x27;withXSRFToken&#x27; option as a replacement for old withCredentials behaviour.
+You should now use withXSRFToken along with withCredential to get the old behavior.
+This functionality is considered as a fix.
+```
+### Contributors to this release
+- <img src="https://avatars.githubusercontent.com/u/12586868?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS "+271/-146 (#6081 #6080 #6079 #6078 #6046 #6064 #6063 )")
+- <img src="https://avatars.githubusercontent.com/u/79681367?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Ng Choon Khon (CK)](https://github.com/ckng0221 "+4/-4 (#6073 )")
+- <img src="https://avatars.githubusercontent.com/u/9162827?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Muhammad Noman](https://github.com/mnomanmemon "+2/-2 (#6048 )")
 ## [1.6.1](https://github.com/axios/axios/compare/v1.6.0...v1.6.1) (2023-11-08)
@@ -13,6 +48,15 @@
 - <img src="https://avatars.githubusercontent.com/u/12586868?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS "+432/-65 (#6059 #6056 #6055 )")
 - <img src="https://avatars.githubusercontent.com/u/3982806?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Fabian Meyer](https://github.com/meyfa "+5/-2 (#5835 )")
+### PRs
+- feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old &#x60;withCredentials&#x60; behavior; ( [#6046](https://api.github.com/repos/axios/axios/pulls/6046) )
+```
+📢 This PR added &#x27;withXSRFToken&#x27; option as a replacement for old withCredentials behaviour.
+You should now use withXSRFToken along with withCredential to get the old behavior.
+This functionality is considered as a fix.
+```
 # [1.6.0](https://github.com/axios/axios/compare/v1.5.1...v1.6.0) (2023-10-26)

package/README.md CHANGED Viewed

@@ -1,8 +1,17 @@
-<h1 align="center">
-   <b>
-        <a href="https://axios-http.com"><img src="https://axios-http.com/assets/logo.svg" /></a><br>
-    </b>
-</h1>
+<div align="center">
+   <a href="https://axios-http.com"><img src="https://axios-http.com/assets/logo.svg" /></a><br>
+</div>
+<h3 align="center">
+   A special thanks to your headline sponsors
+   <br><br>
+</h3>
+<div align="center">
+   <a href="https://runalloy.com?utm_source=github&utm_medium=referral&utm_campaign=121423_axios"><img style="width:20rem" src="https://github.com/axios/axios/assets/4814473/d50a6cbb-bbe7-4e70-9e1a-f698c6cdc437" /></a>
+   <br><br>
+</div>
 <p align="center">Promise based HTTP client for the browser and node.js</p>
@@ -452,6 +461,9 @@ These are the available config options for making requests. Only the `url` is re
   // `xsrfHeaderName` is the name of the http header that carries the xsrf token value
   xsrfHeaderName: 'X-XSRF-TOKEN', // default
+  // `undefined` (default) - set XSRF header only for the same origin requests
+  withXSRFToken: boolean | undefined | ((config: InternalAxiosRequestConfig) => boolean | undefined),
   // `onUploadProgress` allows handling of progress events for uploads
   // browser & node.js
@@ -543,7 +555,7 @@ These are the available config options for making requests. Only the `url` is re
   // automatically. If set to `true` will also remove the 'content-encoding' header
   // from the responses objects of all decompressed responses
   // - Node only (XHR cannot turn off decompression)
-  decompress: true // default
+  decompress: true, // default
   // `insecureHTTPParser` boolean.
   // Indicates where to use an insecure HTTP parser that accepts invalid HTTP headers.
@@ -551,7 +563,7 @@ These are the available config options for making requests. Only the `url` is re
   // Using the insecure parser should be avoided.
   // see options https://nodejs.org/dist/latest-v12.x/docs/api/http.html#http_http_request_url_options_callback
   // see also https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/#strict-http-header-parsing-none
-  insecureHTTPParser: undefined // default
+  insecureHTTPParser: undefined, // default
   // transitional options for backward compatibility that may be removed in the newer versions
   transitional: {

package/dist/axios.js CHANGED Viewed

@@ -1,4 +1,4 @@
-// Axios v1.6.1 Copyright (c) 2023 Matt Zabriskie and contributors
+// Axios v1.6.3 Copyright (c) 2023 Matt Zabriskie and contributors
 (function (global, factory) {
   typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
   typeof define === 'function' && define.amd ? define(factory) :
@@ -1910,44 +1910,31 @@
   var cookies = platform.hasStandardBrowserEnv ?
   // Standard browser envs support document.cookie
-  function standardBrowserEnv() {
-    return {
-      write: function write(name, value, expires, path, domain, secure) {
-        var cookie = [];
-        cookie.push(name + '=' + encodeURIComponent(value));
-        if (utils$1.isNumber(expires)) {
-          cookie.push('expires=' + new Date(expires).toGMTString());
-        }
-        if (utils$1.isString(path)) {
-          cookie.push('path=' + path);
-        }
-        if (utils$1.isString(domain)) {
-          cookie.push('domain=' + domain);
-        }
-        if (secure === true) {
-          cookie.push('secure');
-        }
-        document.cookie = cookie.join('; ');
-      },
-      read: function read(name) {
-        var match = document.cookie.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
-        return match ? decodeURIComponent(match[3]) : null;
-      },
-      remove: function remove(name) {
-        this.write(name, '', Date.now() - 86400000);
-      }
-    };
-  }() :
-  // Non standard browser env (web workers, react-native) lack needed support.
-  function nonStandardBrowserEnv() {
-    return {
-      write: function write() {},
-      read: function read() {
-        return null;
-      },
-      remove: function remove() {}
-    };
-  }();
+  {
+    write: function write(name, value, expires, path, domain, secure) {
+      var cookie = [name + '=' + encodeURIComponent(value)];
+      utils$1.isNumber(expires) && cookie.push('expires=' + new Date(expires).toGMTString());
+      utils$1.isString(path) && cookie.push('path=' + path);
+      utils$1.isString(domain) && cookie.push('domain=' + domain);
+      secure === true && cookie.push('secure');
+      document.cookie = cookie.join('; ');
+    },
+    read: function read(name) {
+      var match = document.cookie.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
+      return match ? decodeURIComponent(match[3]) : null;
+    },
+    remove: function remove(name) {
+      this.write(name, '', Date.now() - 86400000);
+    }
+  } :
+  // Non-standard browser env (web workers, react-native) lack needed support.
+  {
+    write: function write() {},
+    read: function read() {
+      return null;
+    },
+    remove: function remove() {}
+  };
   /**
    * Determines whether the specified URL is absolute
@@ -1972,7 +1959,7 @@
    * @returns {string} The combined URL
    */
   function combineURLs(baseURL, relativeURL) {
-    return relativeURL ? baseURL.replace(/\/+$/, '') + '/' + relativeURL.replace(/^\/+/, '') : baseURL;
+    return relativeURL ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '') : baseURL;
   }
   /**
@@ -2001,7 +1988,7 @@
     var originURL;
     /**
-    * Parse a URL to discover it's components
+    * Parse a URL to discover its components
     *
     * @param {String} url The URL to be parsed
     * @returns {Object}
@@ -2120,7 +2107,8 @@
     return new Promise(function dispatchXhrRequest(resolve, reject) {
       var requestData = config.data;
       var requestHeaders = AxiosHeaders$1.from(config.headers).normalize();
-      var responseType = config.responseType;
+      var responseType = config.responseType,
+        withXSRFToken = config.withXSRFToken;
       var onCanceled;
       function done() {
         if (config.cancelToken) {
@@ -2245,11 +2233,13 @@
       // This is only done if running in a standard browser environment.
       // Specifically not if we're in a web worker, or react-native.
       if (platform.hasStandardBrowserEnv) {
-        // Add xsrf header
-        // regarding CVE-2023-45857 config.withCredentials condition was removed temporarily
-        var xsrfValue = isURLSameOrigin(fullPath) && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
-        if (xsrfValue) {
-          requestHeaders.set(config.xsrfHeaderName, xsrfValue);
+        withXSRFToken && utils$1.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(config));
+        if (withXSRFToken || withXSRFToken !== false && isURLSameOrigin(fullPath)) {
+          // Add xsrf header
+          var xsrfValue = config.xsrfHeaderName && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
+          if (xsrfValue) {
+            requestHeaders.set(config.xsrfHeaderName, xsrfValue);
+          }
         }
       }
@@ -2499,6 +2489,7 @@
       timeout: defaultToConfig2,
       timeoutMessage: defaultToConfig2,
       withCredentials: defaultToConfig2,
+      withXSRFToken: defaultToConfig2,
       adapter: defaultToConfig2,
       responseType: defaultToConfig2,
       xsrfCookieName: defaultToConfig2,
@@ -2528,7 +2519,7 @@
     return config;
   }
-  var VERSION = "1.6.1";
+  var VERSION = "1.6.3";
   var validators$1 = {};