hiderfong/prop-data-guard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1773bda06bb3df3663164b68169029fa33fb5253
prop-data-guard/frontend/node_modules/axios/CHANGELOG.md
T
hiderfong 1773bda06b feat: initial commit - Phase 1 & 2 core features
2026-04-22 17:07:33 +08:00

115 KiB
Raw Blame History

Changelog

v1.15.1 — April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

  • Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

  • CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

  • Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

  • withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

  • maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

  • Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

  • Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

  • AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

  • Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

  • FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)

  • HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)

  • Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)

  • Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)

  • buildFullPath: Uses strict equality in the base/relative URL check. (#7252)

  • AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)

  • Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

  • Docs Artefact Cleanup: Removes the docs content that was incorrectly committed. (#10727)

🔧 Maintenance & Chores

  • Threat Model & Security Docs: Ongoing refinement of THREATMODEL.md, including Hopper security update, TLS and tag-replay wording, mitigation descriptions, decompression-bomb guidance, and further cleanup. (#10672, #10715, #10718, #10722, #10763, #10765)

  • Test Coverage & Migration: Expanded shouldBypassProxy coverage for wildcard/IPv6/edge cases, documented and tested AxiosError.status, and migrated progressEventReducer tests to Vitest. (#10723, #10725, #10741)

  • Type Refactor: Uses TypeScript utility types to deduplicate literal unions. (#7520)

  • Repo & CI: Adds CODEOWNERS, switches v1.x releases to an ephemeral release branch, and removes orphaned Bower support. (#10739, #10738, #10746)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

  • @curiouscoder-cmd (#7252)
  • @tryonelove (#7520)
  • @darwin808 (#7314)
  • @zoontek (#10702)
  • @AKIB473 (#10725)

Full Changelog

v1.15.0 — April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

  • Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

  • SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

  • Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

  • Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

  • CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

  • Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

  • Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574, #10663, #10664, #10665, #10669, #10670)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

  • @Kilros0817 (#10625)
  • @shaanmajid (#10616, #10617, #10618, #10619, #10637, #10641, #10666)
  • @ashstrc (#10624, #10644)
  • @Abhi3975 (#10589)
  • @raashish1601 (#10573)

Full Changelog

v1.14.0 — March 27, 2026

This release fixes a security vulnerability in the formidable dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.

🔒 Security Fixes

  • Formidable Vulnerability: Upgraded formidable from v2 to v3 to address a reported arbitrary-file vulnerability. Updated test server and assertions to align with the v3 API. (#7533)

🐛 Bug Fixes

  • CommonJS Compatibility: Restored require('axios') in Node.js by correcting the main field in package.json to point to the built CJS bundle. (#7532)

  • Fetch Adapter: Cancel the ReadableStream body after the request stream capability probe to prevent resource leaks. (#7515)

  • Proxy: Upgraded proxy-from-env to v2 and switched to the named getProxyForUrl export, fixing proxy detection from environment variables and resolving CJS bundling errors. (#7499)

  • HTTP/2: Close detached HTTP/2 sessions on timeout to free resources when no new requests arrive. (#7457)

  • Headers: Trim trailing CRLF characters from normalised header values. (#7456)

🔧 Maintenance & Chores

  • Toolchain Modernisation: Migrated test suite to Vitest, updated ESLint to v10, upgraded Rollup and @rollup/plugin-babel, migrated to Husky 9, upgraded TypeScript to latest, and modernised the Express test harness. (#7484, #7489, #7498, #7505, #7506, #7507, #7508, #7509, #7510, #7516, #7522)

  • Dependencies: Bumped multer to v2, minimatch, tar, pacote, @babel/preset-env, and additional dev dependencies. (#7453, #7480, #7491, #7504, #7517, #7531)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

  • @penkzhou (#7515)
  • @aviu16 (#7456)
  • @fedotov (#7457)

Full Changelog

v1.13.6 — February 27, 2026

This release adds React Native Blob support, fixes several enumeration and export regressions, and patches FormData detection for WeChat Mini Program environments.

🚀 New Features

  • React Native Blob Support: Axios now correctly handles native Blob objects in React Native environments. (#5764)

🐛 Bug Fixes

  • AxiosError: Fixed AxiosError.from not copying the status field from the source error. (#7403)

  • AxiosError: Made the message property enumerable so it appears in JSON.stringify output and Object.keys. (#7392)

  • FormData Detection: Corrected safe FormData detection for WeChat Mini Program environments. (#7324)

  • React Native / Browserify Export: Fixed broken module export that caused import failures in React Native and Browserify. (#7386)

🔧 Maintenance & Chores

  • Dependencies: Migrated @rollup/plugin-babel from v5 to v6 and bumped the development dependencies group. (#7424, #7432)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

  • @moh3n9595 (#5764)
  • @skrtheboss (#7403)
  • @ybbus (#7392)
  • @Shiwaangee (#7324)
  • @Gudahtt (#7386)

Full Changelog

v1.13.5 — February 8, 2026

This release patches a prototype pollution denial-of-service vulnerability, fixes a missing status field regression in AxiosError, adds interceptor ordering control, and introduces URL validation for isAbsoluteURL.

🔒 Security Fixes

  • Prototype Pollution (DoS): Hardened mergeConfig to ignore __proto__, constructor, and prototype keys, preventing denial-of-service via prototype pollution when merging user-supplied config. (#7369)

🚀 New Features

  • isAbsoluteURL Validation: Added input validation to isAbsoluteURL to handle malformed or unexpected input gracefully. (#7326)

🐛 Bug Fixes

  • AxiosError status: Restored the status field on AxiosError instances, which was missing in v1.13.3 and later. (#7368)

  • Interceptor Ordering: Added a useLegacyInterceptorOrder option to restore pre-v1.13 interceptor execution order for applications relying on the previous behaviour. (569f028)

🔧 Maintenance & Chores

  • CI: Fixed run conditions and updated workflow YAMLs. (#7372, #7373)

  • Dependencies: Bumped karma-sourcemap-loader and minor package versions. (#7356, #7360)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

  • @asmitha-16 (#7326)

Full Changelog

v1.13.4 — January 27, 2026

Patch release fixing regressions introduced in v1.13.3, including TypeScript export compatibility and CI/build stability.

🐛 Bug Fixes

  • v1.13.3 Regressions: Fixed multiple issues introduced by the v1.13.3 release, including broken merge configs. (#7352)

  • TypeScript Exports: Corrected TypeScript export declarations to restore proper type resolution. (#4884)

🔧 Maintenance & Chores

  • CI & Build: Refactored CI pipeline and build configuration for stability. (#7340)

Full Changelog

1.13.3 (2026-01-20)

Bug Fixes

  • http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
  • interceptor: handle the error in the same interceptor (#6269) (5945e40)
  • main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
  • package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
  • silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
  • turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
  • types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
  • types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
  • unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

Reverts

  • Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
  • deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

1.13.2 (2025-11-04)

Bug Fixes

  • http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#7206) (8d37233)
  • http: use default export for http2 module to support stubs; (#7196) (0588880)

Performance Improvements

Contributors to this release

1.13.1 (2025-10-28)

Bug Fixes

  • http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

Contributors to this release

1.13.0 (2025-10-27)

Bug Fixes

  • fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
  • resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

Features

Contributors to this release

1.12.2 (2025-09-14)

Bug Fixes

  • fetch: use current global fetch instead of cached one when env fetch is not specified to keep MSW support; (#7030) (cf78825)

Contributors to this release

1.12.1 (2025-09-12)

Bug Fixes

Contributors to this release

1.12.0 (2025-09-11)

Bug Fixes

Features

  • adapter: surface lowlevel network error details; attach original error via cause (#6982) (78b290c)
  • fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
  • support reviver on JSON.parse (#5926) (2a97634), closes #5924
  • types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

1.11.0 (2025-07-22)

Bug Fixes

  • form-data npm package (#6970) (e72c193)
  • prevent RangeError when using large Buffers (#6961) (a2214ca)
  • types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

1.10.0 (2025-06-14)

Bug Fixes

  • adapter: pass fetchOptions to fetch function (#6883) (0f50af8)
  • form-data: convert boolean values to strings in FormData serialization (#6917) (5064b10)
  • package: add module entry point for React Native; (#6933) (3d343b8)

Features

Contributors to this release

1.9.0 (2025-04-24)

Bug Fixes

  • core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)
  • fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)
  • headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)
  • headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)
  • headers: fixed support for setting multiple header values from an iterated source; (#6885) (f7a3b5e)
  • http: send minimal end multipart boundary (#6661) (987d2e2)
  • types: fix autocomplete for adapter config (#6855) (e61a893)

Features

  • AxiosHeaders: add getSetCookie method to retrieve set-cookie headers values (#5707) (80ea756)

Contributors to this release

1.8.4 (2025-03-19)

Bug Fixes

  • buildFullPath: handle allowAbsoluteUrls: false without baseURL (#6833) (f10c2e0)

Contributors to this release

1.8.3 (2025-03-10)

Bug Fixes

  • add missing type for allowAbsoluteUrls (#6818) (10fa70e)
  • xhr/fetch: pass allowAbsoluteUrls to buildFullPath in xhr and fetch adapters (#6814) (ec159e5)

Contributors to this release

1.8.2 (2025-03-07)

Bug Fixes

  • http-adapter: add allowAbsoluteUrls to path building (#6810) (fb8eec2)

Contributors to this release

1.8.1 (2025-02-26)

Bug Fixes

  • utils: move generateString to platform utils to avoid importing crypto module into client builds; (#6789) (36a5a62)

Contributors to this release

1.8.0 (2025-02-25)

Bug Fixes

  • examples: application crashed when navigating examples in browser (#5938) (1260ded)
  • missing word in SUPPORT_QUESTION.yml (#6757) (1f890b1)
  • utils: replace getRandomValues with crypto module (#6788) (23a25af)

Features

Reverts

  • Revert "chore: expose fromDataToStream to be consumable (#6731)" (#6732) (1317261), closes #6731 #6732

BREAKING CHANGES

  • code relying on the above will now combine the URLs instead of prefer request URL

  • feat: add config option for allowing absolute URLs

  • fix: add default value for allowAbsoluteUrls in buildFullPath

  • fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

1.7.9 (2024-12-04)

Reverts

  • Revert "fix(types): export CJS types from ESM (#6218)" (#6729) (c44d2f2), closes #6218 #6729

Contributors to this release

1.7.8 (2024-11-25)

Bug Fixes

  • allow passing a callback as paramsSerializer to buildURL (#6680) (eac4619)
  • core: fixed config merging bug (#6668) (5d99fe4)
  • fixed width form to not shrink after 'Send Request' button is clicked (#6644) (7ccd5fd)
  • http: add support for File objects as payload in http adapter (#6588) (#6605) (6841d8d)
  • http: fixed proxy-from-env module import (#5222) (12b3295)
  • http: use globalThis.TextEncoder when available (#6634) (df956d1)
  • ios11 breaks when build (#6608) (7638952)
  • types: add missing types for mergeConfig function (#6590) (00de614)
  • types: export CJS types from ESM (#6218) (c71811b)
  • updated stream aborted error message to be more clear (#6615) (cc3217a)
  • use URL API instead of DOM to fix a potential vulnerability warning; (#6714) (0a8d6e1)

Contributors to this release

1.7.7 (2024-08-31)

Bug Fixes

  • fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#6584) (d198085)
  • http: fixed support for IPv6 literal strings in url (#5731) (364993f)

Contributors to this release

1.7.6 (2024-08-30)

Bug Fixes

  • fetch: fix content length calculation for FormData payload; (#6524) (085f568)
  • fetch: optimize signals composing logic; (#6582) (df9889b)

Contributors to this release

1.7.5 (2024-08-23)

Bug Fixes

  • adapter: fix undefined reference to hasBrowserEnv (#6572) (7004707)
  • core: add the missed implementation of AxiosError#status property; (#6573) (6700a8a)
  • core: fix ReferenceError: navigator is not defined for custom environments; (#6567) (fed1a4b)
  • fetch: fix credentials handling in Cloudflare workers (#6533) (550d885)

Contributors to this release

1.7.4 (2024-08-13)

Bug Fixes

Contributors to this release

1.7.3 (2024-08-01)

Bug Fixes

  • adapter: fix progress event emitting; (#6518) (e3c76fc)
  • fetch: fix withCredentials request config (#6505) (85d4d0e)
  • xhr: return original config on errors from XHR adapter (#6515) (8966ee7)

Contributors to this release

1.7.2 (2024-05-21)

Bug Fixes

Contributors to this release

1.7.1 (2024-05-20)

Bug Fixes

  • fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#6410) (733f15f)

Contributors to this release

1.7.0 (2024-05-19)

Features

Bug Fixes

  • core/axios: handle un-writable error stack (#6362) (81e0455)

Contributors to this release

1.7.0-beta.2 (2024-05-19)

Bug Fixes

  • fetch: capitalize HTTP method names; (#6395) (ad3174a)
  • fetch: fix & optimize progress capturing for cases when the request data has a nullish value or zero data length (#6400) (95a3e8e)
  • fetch: fix headers getting from a stream response; (#6401) (870e0a7)

Contributors to this release

1.7.0-beta.1 (2024-05-07)

Bug Fixes

  • core/axios: handle un-writable error stack (#6362) (81e0455)
  • fetch: fix cases when ReadableStream or Response.body are not available; (#6377) (d1d359d)
  • fetch: treat fetch-related TypeError as an AxiosError.ERR_NETWORK error; (#6380) (bb5f9a5)

Contributors to this release

1.7.0-beta.0 (2024-04-28)

Features

Contributors to this release

1.6.8 (2024-03-15)

Bug Fixes

  • AxiosHeaders: fix AxiosHeaders conversion to an object during config merging (#6243) (2656612)
  • import: use named export for EventEmitter; (7320430)
  • vulnerability: update follow-redirects to 1.15.6 (#6300) (8786e0f)

Contributors to this release

1.6.7 (2024-01-25)

Bug Fixes

  • capture async stack only for rejections with native error objects; (#6203) (1a08f90)

Contributors to this release

1.6.6 (2024-01-24)

Bug Fixes

  • fixed missed dispatchBeforeRedirect argument (#5778) (a1938ff)
  • wrap errors to improve async stack trace (#5987) (123f354)

Contributors to this release

1.6.5 (2024-01-05)

Bug Fixes

  • ci: refactor notify action as a job of publish action; (#6176) (0736f95)
  • dns: fixed lookup error handling; (#6175) (f4f2b03)

Contributors to this release

1.6.4 (2024-01-03)

Bug Fixes

  • security: fixed formToJSON prototype pollution vulnerability; (#6167) (3c0c11c)
  • security: fixed security vulnerability in follow-redirects (#6163) (75af1cd)

Contributors to this release

1.6.3 (2023-12-26)

Bug Fixes

  • Regular Expression Denial of Service (ReDoS) (#6132) (5e7ad38)

Contributors to this release

1.6.2 (2023-11-14)

Features

  • withXSRFToken: added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#6046) (cff9967)

PRs

  • feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #6046 )

📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour.
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

Contributors to this release

1.6.1 (2023-11-08)

Bug Fixes

  • formdata: fixed content-type header normalization for non-standard browser environments; (#6056) (dd465ab)
  • platform: fixed emulated browser detection in node.js environment; (#6055) (3dc8369)

Contributors to this release

PRs

  • feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #6046 )

📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour.
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

1.6.0 (2023-10-26)

Bug Fixes

  • CSRF: fixed CSRF vulnerability CVE-2023-45857 (#6028) (96ee232)
  • dns: fixed lookup function decorator to work properly in node v20; (#6011) (5aaff53)
  • types: fix AxiosHeaders types; (#5931) (a1c8ad0)

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Contributors to this release

1.5.1 (2023-09-26)

Bug Fixes

  • adapters: improved adapters loading logic to have clear error messages; (#5919) (e410779)
  • formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#5917) (bc9af51)
  • headers: allow content-encoding header to handle case-insensitive values (#5890) (#5892) (4c89f25)
  • types: removed duplicated code (9e62056)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.5.0 (2023-08-26)

Bug Fixes

  • adapter: make adapter loading error more clear by using platform-specific adapters explicitly (#5837) (9a414bb)
  • dns: fixed cacheable-lookup integration; (#5836) (b3e327d)
  • headers: added support for setting header names that overlap with class methods; (#5831) (d8b4ca0)
  • headers: fixed common Content-Type header merging; (#5832) (8fda276)

Features

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.4.0 (2023-04-27)

Bug Fixes

  • formdata: add multipart/form-data content type for FormData payload on custom client environments; (#5678) (bbb61e7)
  • package: export package internals with unsafe path prefix; (#5677) (df38c94)

Features

  • dns: added support for a custom lookup function; (#5339) (2701911)
  • types: export AxiosHeaderValue type. (#5525) (726f1c8)

Performance Improvements

  • merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#5679) (e6f7053)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.6 (2023-04-19)

Bug Fixes

  • types: added transport to RawAxiosRequestConfig (#5445) (6f360a2)
  • utils: make isFormData detection logic stricter to avoid unnecessary calling of the toString method on the target; (#5661) (aa372f7)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.5 (2023-04-05)

Bug Fixes

  • headers: fixed isValidHeaderName to support full list of allowed characters; (#5584) (e7decef)
  • params: re-added the ability to set the function as paramsSerializer config; (#5633) (a56c866)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.4 (2023-02-22)

Bug Fixes

  • blob: added a check to make sure the Blob class is available in the browser's global scope; (#5548) (3772c8f)
  • http: fixed regression bug when handling synchronous errors inside the adapter; (#5564) (a3b246c)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.3 (2023-02-13)

Bug Fixes

  • formdata: added a check to make sure the FormData class is available in the browser's global scope; (#5545) (a6dfa72)
  • formdata: fixed setting NaN as Content-Length for form payload in some cases; (#5535) (c19f7bf)
  • headers: fixed the filtering logic of the clear method; (#5542) (ea87ebf)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.2 (2023-02-03)

Bug Fixes

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.1 (2023-02-01)

Bug Fixes

  • formdata: add hotfix to use the asynchronous API to compute the content-length header value; (#5521) (96d336f)
  • serializer: fixed serialization of array-like objects; (#5518) (08104c0)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.0 (2023-01-31)

Bug Fixes

Features

  • fomdata: added support for spec-compliant FormData & Blob types; (#5316) (6ac574e)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.6 (2023-01-28)

Bug Fixes

  • headers: added missed Authorization accessor; (#5502) (342c0ba)
  • types: fixed CommonRequestHeadersList & CommonResponseHeadersList types to be private in commonJS; (#5503) (5a3d0a3)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.5 (2023-01-26)

Bug Fixes

  • types: fixed AxiosHeaders to handle spread syntax by making all methods non-enumerable; (#5499) (580f1e8)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.4 (2023-01-22)

Bug Fixes

  • types: renamed RawAxiosRequestConfig back to AxiosRequestConfig; (#5486) (2a71f49)
  • types: fix AxiosRequestConfig generic; (#5478) (9bce81b)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.3 (2023-01-10)

Bug Fixes

  • types: fixed AxiosRequestConfig header interface by refactoring it to RawAxiosRequestConfig; (#5420) (0811963)

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.2] - 2022-12-29

Fixed

  • fix(ci): fix release script inputs #5392
  • fix(ci): prerelease scipts #5377
  • fix(ci): release scripts #5376
  • fix(ci): typescript tests #5375
  • fix: Brotli decompression #5353
  • fix: add missing HttpStatusCode #5345

Chores

  • chore(ci): set conventional-changelog header config #5406
  • chore(ci): fix automatic contributors resolving #5403
  • chore(ci): improved logging for the contributors list generator #5398
  • chore(ci): fix release action #5397
  • chore(ci): fix version bump script by adding bump argument for target version #5393
  • chore(deps): bump decode-uri-component from 0.2.0 to 0.2.2 #5342
  • chore(ci): GitHub Actions Release script #5384
  • chore(ci): release scripts #5364

Contributors to this release

[1.2.1] - 2022-12-05

Changed

  • feat(exports): export mergeConfig #5151

Fixed

  • fix(CancelledError): include config #4922
  • fix(general): removing multiple/trailing/leading whitespace #5022
  • fix(headers): decompression for responses without Content-Length header #5306
  • fix(webWorker): exception to sending form data in web worker #5139

Refactors

  • refactor(types): AxiosProgressEvent.event type to any #5308
  • refactor(types): add missing types for static AxiosError.from method #4956

Chores

  • chore(docs): remove README link to non-existent upgrade guide #5307
  • chore(docs): typo in issue template name #5159

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.0] - 2022-11-10

Changed

  • changed: refactored module exports #5162
  • change: re-added support for loading Axios with require('axios').default #5225

Fixed

  • fix: improve AxiosHeaders class #5224
  • fix: TypeScript type definitions for commonjs #5196
  • fix: type definition of use method on AxiosInterceptorManager to match the the README #5071
  • fix: __dirname is not defined in the sandbox #5269
  • fix: AxiosError.toJSON method to avoid circular references #5247
  • fix: Z_BUF_ERROR when content-encoding is set but the response body is empty #5250

Refactors

  • refactor: allowing adapters to be loaded by name #5277

Chores

  • chore: force CI restart #5243
  • chore: update ECOSYSTEM.md #5077
  • chore: update get/index.html #5116
  • chore: update Sandbox UI/UX #5205
  • chore:(actions): remove git credentials after checkout #5235
  • chore(actions): bump actions/dependency-review-action from 2 to 3 #5266
  • chore(packages): bump loader-utils from 1.4.1 to 1.4.2 #5295
  • chore(packages): bump engine.io from 6.2.0 to 6.2.1 #5294
  • chore(packages): bump socket.io-parser from 4.0.4 to 4.0.5 #5241
  • chore(packages): bump loader-utils from 1.4.0 to 1.4.1 #5245
  • chore(docs): update Resources links in README #5119
  • chore(docs): update the link for JSON url #5265
  • chore(docs): fix broken links #5218
  • chore(docs): update and rename UPGRADE_GUIDE.md to MIGRATION_GUIDE.md #5170
  • chore(docs): typo fix line #856 and #920 #5194
  • chore(docs): typo fix #800 #5193
  • chore(docs): fix typos #5184
  • chore(docs): fix punctuation in README.md #5197
  • chore(docs): update readme in the Handling Errors section - issue reference #5260 #5261
  • chore: remove \b from filename #5207
  • chore(docs): update CHANGELOG.md #5137
  • chore: add sideEffects false to package.json #5025

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.3] - 2022-10-15

Added

  • Added custom params serializer support #5113

Fixed

  • Fixed top-level export to keep them in-line with static properties #5109
  • Stopped including null values to query string. #5108
  • Restored proxy config backwards compatibility with 0.x #5097
  • Added back AxiosHeaders in AxiosHeaderValue #5103
  • Pin CDN install instructions to a specific version #5060
  • Handling of array values fixed for AxiosHeaders #5085

Chores

  • docs: match badge style, add link to them #5046
  • chore: fixing comments typo #5054
  • chore: update issue template #5061
  • chore: added progress capturing section to the docs; #5084

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.2] - 2022-10-07

Fixed

  • Fixed broken exports for UMD builds.

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.1] - 2022-10-07

Fixed

  • Fixed broken exports for common js. This fix breaks a prior fix, I will fix both issues ASAP but the commonJS use is more impactful.

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.0] - 2022-10-06

Fixed

  • Fixed missing exports in type definition index.d.ts #5003
  • Fixed query params composing #5018
  • Fixed GenericAbortSignal interface by making it more generic #5021
  • Fixed adding "clear" to AxiosInterceptorManager #5010
  • Fixed commonjs & umd exports #5030
  • Fixed inability to access response headers when using axios 1.x with Jest #5036

Contributors to this release

PRs

  • CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.0.0] - 2022-10-04

Added

  • Added stack trace to AxiosError #4624
  • Add AxiosError to AxiosStatic #4654
  • Replaced Rollup as our build runner #4596
  • Added generic TS types for the exposed toFormData helper #4668
  • Added listen callback function #4096
  • Added instructions for installing using PNPM #4207
  • Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill #4229
  • Added axios-url-template in ECOSYSTEM.md #4238
  • Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an axios instance #4248
  • Added react hook plugin #4319
  • Adding HTTP status code for transformResponse #4580
  • Added blob to the list of protocols supported by the browser #4678
  • Resolving proxy from env on redirect #4436
  • Added enhanced toFormData implementation with additional options 4704
  • Adding Canceler parameters config and request #4711
  • Added automatic payload serialization to application/x-www-form-urlencoded #4714
  • Added the ability for webpack users to overwrite built-ins #4715
  • Added string[] to AxiosRequestHeaders type #4322
  • Added the ability for the url-encoded-form serializer to respect the formSerializer config #4721
  • Added isCancel type assert #4293
  • Added data URL support for node.js #4725
  • Adding types for progress event callbacks #4675
  • URL params serializer #4734
  • Added axios.formToJSON method #4735
  • Bower platform add data protocol #4804
  • Use WHATWG URL API instead of url.parse() #4852
  • Add ENUM containing Http Status Codes to typings #4903
  • Improve typing of timeout in index.d.ts #4934

Changed

  • Updated AxiosError.config to be optional in the type definition #4665
  • Updated README emphasizing the URLSearchParam built-in interface over other solutions #4590
  • Include request and config when creating a CanceledError instance #4659
  • Changed func-names eslint rule to as-needed #4492
  • Replacing deprecated substr() with slice() as substr() is deprecated #4468
  • Updating HTTP links in README.md to use HTTPS #4387
  • Updated to a better trim() polyfill #4072
  • Updated types to allow specifying partial default headers on instance create #4185
  • Expanded isAxiosError types #4344
  • Updated type definition for axios instance methods #4224
  • Updated eslint config #4722
  • Updated Docs #4742
  • Refactored Axios to use ES2017 #4787

Deprecated

  • There are multiple deprecations, refactors and fixes provided in this release. Please read through the full release notes to see how this may impact your project and use case.

Removed

  • Removed incorrect argument for NetworkError constructor #4656
  • Removed Webpack #4596
  • Removed function that transform arguments to array #4544

Fixed

  • Fixed grammar in README #4649
  • Fixed code error in README #4599
  • Optimized the code that checks cancellation #4587
  • Fix url pointing to defaults.js in README #4532
  • Use type alias instead of interface for AxiosPromise #4505
  • Fix some word spelling and lint style in code comments #4500
  • Edited readme with 3 updated browser icons of Chrome, FireFox and Safari #4414
  • Bump follow-redirects from 1.14.9 to 1.15.0 #4673
  • Fixing http tests to avoid hanging when assertions fail #4435
  • Fix TS definition for AxiosRequestTransformer #4201
  • Fix grammatical issues in README #4232
  • Fixing instance.defaults.headers type #4557
  • Fixed race condition on immediate requests cancellation #4261
  • Fixing Z_BUF_ERROR when no content #4701
  • Fixing proxy beforeRedirect regression #4708
  • Fixed AxiosError status code type #4717
  • Fixed AxiosError stack capturing #4718
  • Fixing AxiosRequestHeaders typings #4334
  • Fixed max body length defaults #4731
  • Fixed toFormData Blob issue on node>v17 #4728
  • Bump grunt from 1.5.2 to 1.5.3 #4743
  • Fixing content-type header repeated #4745
  • Fixed timeout error message for http 4738
  • Request ignores false, 0 and empty string as body values #4785
  • Added back missing minified builds #4805
  • Fixed a type error #4815
  • Fixed a regression bug with unsubscribing from cancel token; #4819
  • Remove repeated compression algorithm #4820
  • The error of calling extend to pass parameters #4857
  • SerializerOptions.indexes allows boolean | null | undefined #4862
  • Require interceptors to return values #4874
  • Removed unused imports #4949
  • Allow null indexes on formSerializer and paramsSerializer #4960

Chores

  • Set permissions for GitHub actions #4765
  • Included githubactions in the dependabot config #4770
  • Included dependency review #4771
  • Update security.md #4784
  • Remove unnecessary spaces #4854
  • Simplify the import path of AxiosError #4875
  • Fix Gitpod dead link #4941
  • Enable syntax highlighting for a code block #4970
  • Using Logo Axios in Readme.md #4993
  • Fix markup for note in README #4825
  • Fix typo and formatting, add colons #4853
  • Fix typo in readme #4942

Security

  • Update SECURITY.md #4687

Contributors to this release

Reference in New Issue View Git Blame Copy Permalink