Comparingaxios@1.15.1
axios@1.15.1axios@1.15.1...axios@1.15.2**/!(*.map|*.min.js)Size
Gzip
Dependencies
Publish
Install
Publish
Install
View file@@ -1,4 +1,4 @@ | |||
| 1 | /*! Axios v1.15.1 Copyright (c) 2026 Matt Zabriskie and contributors */ | 1 | /*! Axios v1.15.2 Copyright (c) 2026 Matt Zabriskie and contributors */ |
| 2 | 'use strict'; | 2 | 'use strict'; |
| 3 | 3 | ||
| 4 | /** | 4 | /** |
@@ -2581,8 +2581,19 @@ | |||
| 2581 | function mergeConfig(config1, config2) { | 2581 | function mergeConfig(config1, config2) { |
| 2582 | // eslint-disable-next-line no-param-reassign | 2582 | // eslint-disable-next-line no-param-reassign |
| 2583 | config2 = config2 || {}; | 2583 | config2 = config2 || {}; |
| 2584 | const config = {}; | ||
| 2585 | 2584 | ||
| 2585 | // Use a null-prototype object so that downstream reads such as `config.auth` | ||
| 2586 | // or `config.baseURL` cannot inherit polluted values from Object.prototype | ||
| 2587 | // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable | ||
| 2588 | // own slot to preserve ergonomics for user code that relies on it. | ||
| 2589 | const config = Object.create(null); | ||
| 2590 | Object.defineProperty(config, 'hasOwnProperty', { | ||
| 2591 | value: Object.prototype.hasOwnProperty, | ||
| 2592 | enumerable: false, | ||
| 2593 | writable: true, | ||
| 2594 | configurable: true, | ||
| 2595 | }); | ||
| 2596 | |||
| 2586 | function getMergedValue(target, source, prop, caseless) { | 2597 | function getMergedValue(target, source, prop, caseless) { |
| 2587 | if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) { | 2598 | if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) { |
| 2588 | return utils$1.merge.call({ caseless }, target, source); | 2599 | return utils$1.merge.call({ caseless }, target, source); |
@@ -2654,6 +2665,7 @@ | |||
| 2654 | httpsAgent: defaultToConfig2, | 2665 | httpsAgent: defaultToConfig2, |
| 2655 | cancelToken: defaultToConfig2, | 2666 | cancelToken: defaultToConfig2, |
| 2656 | socketPath: defaultToConfig2, | 2667 | socketPath: defaultToConfig2, |
| 2668 | allowedSocketPaths: defaultToConfig2, | ||
| 2657 | responseEncoding: defaultToConfig2, | 2669 | responseEncoding: defaultToConfig2, |
| 2658 | validateStatus: mergeDirectKeys, | 2670 | validateStatus: mergeDirectKeys, |
| 2659 | headers: (a, b, prop) => | 2671 | headers: (a, b, prop) => |
@@ -2675,12 +2687,24 @@ | |||
| 2675 | var resolveConfig = (config) => { | 2687 | var resolveConfig = (config) => { |
| 2676 | const newConfig = mergeConfig({}, config); | 2688 | const newConfig = mergeConfig({}, config); |
| 2677 | 2689 | ||
| 2678 | let { data, withXSRFToken, xsrfHeaderName, xsrfCookieName, headers, auth } = newConfig; | 2690 | // Read only own properties to prevent prototype pollution gadgets |
| 2691 | // (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj. | ||
| 2692 | const own = (key) => (utils$1.hasOwnProp(newConfig, key) ? newConfig[key] : undefined); | ||
| 2679 | 2693 | ||
| 2694 | const data = own('data'); | ||
| 2695 | let withXSRFToken = own('withXSRFToken'); | ||
| 2696 | const xsrfHeaderName = own('xsrfHeaderName'); | ||
| 2697 | const xsrfCookieName = own('xsrfCookieName'); | ||
| 2698 | let headers = own('headers'); | ||
| 2699 | const auth = own('auth'); | ||
| 2700 | const baseURL = own('baseURL'); | ||
| 2701 | const allowAbsoluteUrls = own('allowAbsoluteUrls'); | ||
| 2702 | const url = own('url'); | ||
| 2703 | |||
| 2680 | newConfig.headers = headers = AxiosHeaders.from(headers); | 2704 | newConfig.headers = headers = AxiosHeaders.from(headers); |
| 2681 | 2705 | ||
| 2682 | newConfig.url = buildURL( | 2706 | newConfig.url = buildURL( |
| 2683 | buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), | 2707 | buildFullPath(baseURL, url, allowAbsoluteUrls), |
| 2684 | config.params, | 2708 | config.params, |
| 2685 | config.paramsSerializer | 2709 | config.paramsSerializer |
| 2686 | ); | 2710 | ); |
@@ -3627,7 +3651,7 @@ | |||
| 3627 | ); | 3651 | ); |
| 3628 | } | 3652 | } |
| 3629 | 3653 | ||
| 3630 | const VERSION = "1.15.1"; | 3654 | const VERSION = "1.15.2"; |
| 3631 | 3655 | ||
| 3632 | const validators$1 = {}; | 3656 | const validators$1 = {}; |
| 3633 | 3657 | ||
@@ -3712,7 +3736,9 @@ | |||
| 3712 | let i = keys.length; | 3736 | let i = keys.length; |
| 3713 | while (i-- > 0) { | 3737 | while (i-- > 0) { |
| 3714 | const opt = keys[i]; | 3738 | const opt = keys[i]; |
| 3715 | const validator = schema[opt]; | 3739 | // Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply |
| 3740 | // a non-function validator and cause a TypeError. See GHSA-q8qp-cvcw-x6jj. | ||
| 3741 | const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined; | ||
| 3716 | if (validator) { | 3742 | if (validator) { |
| 3717 | const value = options[opt]; | 3743 | const value = options[opt]; |
| 3718 | const result = value === undefined || validator(value, opt, options); | 3744 | const result = value === undefined || validator(value, opt, options); |
View fileView file@@ -497,6 +497,7 @@ | |||
| 497 | responseDetails: { headers: Record<string, string>; statusCode: HttpStatusCode } | 497 | responseDetails: { headers: Record<string, string>; statusCode: HttpStatusCode } |
| 498 | ) => void; | 498 | ) => void; |
| 499 | socketPath?: string | null; | 499 | socketPath?: string | null; |
| 500 | allowedSocketPaths?: string | string[] | null; | ||
| 500 | transport?: any; | 501 | transport?: any; |
| 501 | httpAgent?: any; | 502 | httpAgent?: any; |
| 502 | httpsAgent?: any; | 503 | httpsAgent?: any; |
View file@@ -1,4 +1,4 @@ | |||
| 1 | /*! Axios v1.15.1 Copyright (c) 2026 Matt Zabriskie and contributors */ | 1 | /*! Axios v1.15.2 Copyright (c) 2026 Matt Zabriskie and contributors */ |
| 2 | (function (global, factory) { | 2 | (function (global, factory) { |
| 3 | typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() : | 3 | typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() : |
| 4 | typeof define === 'function' && define.amd ? define(factory) : | 4 | typeof define === 'function' && define.amd ? define(factory) : |
@@ -2843,7 +2843,18 @@ | |||
| 2843 | function mergeConfig(config1, config2) { | 2843 | function mergeConfig(config1, config2) { |
| 2844 | // eslint-disable-next-line no-param-reassign | 2844 | // eslint-disable-next-line no-param-reassign |
| 2845 | config2 = config2 || {}; | 2845 | config2 = config2 || {}; |
| 2846 | var config = {}; | 2846 | |
| 2847 | // Use a null-prototype object so that downstream reads such as `config.auth` | ||
| 2848 | // or `config.baseURL` cannot inherit polluted values from Object.prototype | ||
| 2849 | // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable | ||
| 2850 | // own slot to preserve ergonomics for user code that relies on it. | ||
| 2851 | var config = Object.create(null); | ||
| 2852 | Object.defineProperty(config, 'hasOwnProperty', { | ||
| 2853 | value: Object.prototype.hasOwnProperty, | ||
| 2854 | enumerable: false, | ||
| 2855 | writable: true, | ||
| 2856 | configurable: true | ||
| 2857 | }); | ||
| 2847 | function getMergedValue(target, source, prop, caseless) { | 2858 | function getMergedValue(target, source, prop, caseless) { |
| 2848 | if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) { | 2859 | if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) { |
| 2849 | return utils$1.merge.call({ | 2860 | return utils$1.merge.call({ |
@@ -2915,6 +2926,7 @@ | |||
| 2915 | httpsAgent: defaultToConfig2, | 2926 | httpsAgent: defaultToConfig2, |
| 2916 | cancelToken: defaultToConfig2, | 2927 | cancelToken: defaultToConfig2, |
| 2917 | socketPath: defaultToConfig2, | 2928 | socketPath: defaultToConfig2, |
| 2929 | allowedSocketPaths: defaultToConfig2, | ||
| 2918 | responseEncoding: defaultToConfig2, | 2930 | responseEncoding: defaultToConfig2, |
| 2919 | validateStatus: mergeDirectKeys, | 2931 | validateStatus: mergeDirectKeys, |
| 2920 | headers: function headers(a, b, prop) { | 2932 | headers: function headers(a, b, prop) { |
@@ -2934,14 +2946,23 @@ | |||
| 2934 | 2946 | ||
| 2935 | var resolveConfig = (function (config) { | 2947 | var resolveConfig = (function (config) { |
| 2936 | var newConfig = mergeConfig({}, config); | 2948 | var newConfig = mergeConfig({}, config); |
| 2937 | var data = newConfig.data, | ||
| 2938 | withXSRFToken = newConfig.withXSRFToken, | ||
| 2939 | xsrfHeaderName = newConfig.xsrfHeaderName, | ||
| 2940 | xsrfCookieName = newConfig.xsrfCookieName, | ||
| 2941 | headers = newConfig.headers, | ||
| 2942 | auth = newConfig.auth; | 2949 | |
| 2950 | // Read only own properties to prevent prototype pollution gadgets | ||
| 2951 | // (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj. | ||
| 2952 | var own = function own(key) { | ||
| 2953 | return utils$1.hasOwnProp(newConfig, key) ? newConfig[key] : undefined; | ||
| 2954 | }; | ||
| 2955 | var data = own('data'); | ||
| 2956 | var withXSRFToken = own('withXSRFToken'); | ||
| 2957 | var xsrfHeaderName = own('xsrfHeaderName'); | ||
| 2958 | var xsrfCookieName = own('xsrfCookieName'); | ||
| 2959 | var headers = own('headers'); | ||
| 2960 | var auth = own('auth'); | ||
| 2961 | var baseURL = own('baseURL'); | ||
| 2962 | var allowAbsoluteUrls = own('allowAbsoluteUrls'); | ||
| 2963 | var url = own('url'); | ||
| 2943 | newConfig.headers = headers = AxiosHeaders.from(headers); | 2964 | newConfig.headers = headers = AxiosHeaders.from(headers); |
| 2944 | newConfig.url = buildURL(buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), config.params, config.paramsSerializer); | 2965 | newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), config.params, config.paramsSerializer); |
| 2945 | 2966 | ||
| 2946 | // HTTP basic authentication | 2967 | // HTTP basic authentication |
| 2947 | if (auth) { | 2968 | if (auth) { |
@@ -3889,7 +3910,7 @@ | |||
| 3889 | }); | 3910 | }); |
| 3890 | } | 3911 | } |
| 3891 | 3912 | ||
| 3892 | var VERSION = "1.15.1"; | 3913 | var VERSION = "1.15.2"; |
| 3893 | 3914 | ||
| 3894 | var validators$1 = {}; | 3915 | var validators$1 = {}; |
| 3895 | 3916 | ||
@@ -3954,7 +3975,9 @@ | |||
| 3954 | var i = keys.length; | 3975 | var i = keys.length; |
| 3955 | while (i-- > 0) { | 3976 | while (i-- > 0) { |
| 3956 | var opt = keys[i]; | 3977 | var opt = keys[i]; |
| 3957 | var validator = schema[opt]; | 3978 | // Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply |
| 3979 | // a non-function validator and cause a TypeError. See GHSA-q8qp-cvcw-x6jj. | ||
| 3980 | var validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined; | ||
| 3958 | if (validator) { | 3981 | if (validator) { |
| 3959 | var value = options[opt]; | 3982 | var value = options[opt]; |
| 3960 | var result = value === undefined || validator(value, opt, options); | 3983 | var result = value === undefined || validator(value, opt, options); |
View file@@ -1,4 +1,4 @@ | |||
| 1 | /*! Axios v1.15.1 Copyright (c) 2026 Matt Zabriskie and contributors */ | 1 | /*! Axios v1.15.2 Copyright (c) 2026 Matt Zabriskie and contributors */ |
| 2 | /** | 2 | /** |
| 3 | * Create a bound version of a function with a specified `this` context | 3 | * Create a bound version of a function with a specified `this` context |
| 4 | * | 4 | * |
@@ -2579,8 +2579,19 @@ | |||
| 2579 | function mergeConfig$1(config1, config2) { | 2579 | function mergeConfig$1(config1, config2) { |
| 2580 | // eslint-disable-next-line no-param-reassign | 2580 | // eslint-disable-next-line no-param-reassign |
| 2581 | config2 = config2 || {}; | 2581 | config2 = config2 || {}; |
| 2582 | const config = {}; | ||
| 2583 | 2582 | ||
| 2583 | // Use a null-prototype object so that downstream reads such as `config.auth` | ||
| 2584 | // or `config.baseURL` cannot inherit polluted values from Object.prototype | ||
| 2585 | // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable | ||
| 2586 | // own slot to preserve ergonomics for user code that relies on it. | ||
| 2587 | const config = Object.create(null); | ||
| 2588 | Object.defineProperty(config, 'hasOwnProperty', { | ||
| 2589 | value: Object.prototype.hasOwnProperty, | ||
| 2590 | enumerable: false, | ||
| 2591 | writable: true, | ||
| 2592 | configurable: true, | ||
| 2593 | }); | ||
| 2594 | |||
| 2584 | function getMergedValue(target, source, prop, caseless) { | 2595 | function getMergedValue(target, source, prop, caseless) { |
| 2585 | if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) { | 2596 | if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) { |
| 2586 | return utils$1.merge.call({ caseless }, target, source); | 2597 | return utils$1.merge.call({ caseless }, target, source); |
@@ -2652,6 +2663,7 @@ | |||
| 2652 | httpsAgent: defaultToConfig2, | 2663 | httpsAgent: defaultToConfig2, |
| 2653 | cancelToken: defaultToConfig2, | 2664 | cancelToken: defaultToConfig2, |
| 2654 | socketPath: defaultToConfig2, | 2665 | socketPath: defaultToConfig2, |
| 2666 | allowedSocketPaths: defaultToConfig2, | ||
| 2655 | responseEncoding: defaultToConfig2, | 2667 | responseEncoding: defaultToConfig2, |
| 2656 | validateStatus: mergeDirectKeys, | 2668 | validateStatus: mergeDirectKeys, |
| 2657 | headers: (a, b, prop) => | 2669 | headers: (a, b, prop) => |
@@ -2673,12 +2685,24 @@ | |||
| 2673 | var resolveConfig = (config) => { | 2685 | var resolveConfig = (config) => { |
| 2674 | const newConfig = mergeConfig$1({}, config); | 2686 | const newConfig = mergeConfig$1({}, config); |
| 2675 | 2687 | ||
| 2676 | let { data, withXSRFToken, xsrfHeaderName, xsrfCookieName, headers, auth } = newConfig; | 2688 | // Read only own properties to prevent prototype pollution gadgets |
| 2689 | // (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj. | ||
| 2690 | const own = (key) => (utils$1.hasOwnProp(newConfig, key) ? newConfig[key] : undefined); | ||
| 2677 | 2691 | ||
| 2692 | const data = own('data'); | ||
| 2693 | let withXSRFToken = own('withXSRFToken'); | ||
| 2694 | const xsrfHeaderName = own('xsrfHeaderName'); | ||
| 2695 | const xsrfCookieName = own('xsrfCookieName'); | ||
| 2696 | let headers = own('headers'); | ||
| 2697 | const auth = own('auth'); | ||
| 2698 | const baseURL = own('baseURL'); | ||
| 2699 | const allowAbsoluteUrls = own('allowAbsoluteUrls'); | ||
| 2700 | const url = own('url'); | ||
| 2701 | |||
| 2678 | newConfig.headers = headers = AxiosHeaders$1.from(headers); | 2702 | newConfig.headers = headers = AxiosHeaders$1.from(headers); |
| 2679 | 2703 | ||
| 2680 | newConfig.url = buildURL( | 2704 | newConfig.url = buildURL( |
| 2681 | buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), | 2705 | buildFullPath(baseURL, url, allowAbsoluteUrls), |
| 2682 | config.params, | 2706 | config.params, |
| 2683 | config.paramsSerializer | 2707 | config.paramsSerializer |
| 2684 | ); | 2708 | ); |
@@ -3625,7 +3649,7 @@ | |||
| 3625 | ); | 3649 | ); |
| 3626 | } | 3650 | } |
| 3627 | 3651 | ||
| 3628 | const VERSION$1 = "1.15.1"; | 3652 | const VERSION$1 = "1.15.2"; |
| 3629 | 3653 | ||
| 3630 | const validators$1 = {}; | 3654 | const validators$1 = {}; |
| 3631 | 3655 | ||
@@ -3710,7 +3734,9 @@ | |||
| 3710 | let i = keys.length; | 3734 | let i = keys.length; |
| 3711 | while (i-- > 0) { | 3735 | while (i-- > 0) { |
| 3712 | const opt = keys[i]; | 3736 | const opt = keys[i]; |
| 3713 | const validator = schema[opt]; | 3737 | // Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply |
| 3738 | // a non-function validator and cause a TypeError. See GHSA-q8qp-cvcw-x6jj. | ||
| 3739 | const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined; | ||
| 3714 | if (validator) { | 3740 | if (validator) { |
| 3715 | const value = options[opt]; | 3741 | const value = options[opt]; |
| 3716 | const result = value === undefined || validator(value, opt, options); | 3742 | const result = value === undefined || validator(value, opt, options); |
View fileView fileView file@@ -17,8 +17,19 @@ | |||
| 17 | export default function mergeConfig(config1, config2) { | 17 | export default function mergeConfig(config1, config2) { |
| 18 | // eslint-disable-next-line no-param-reassign | 18 | // eslint-disable-next-line no-param-reassign |
| 19 | config2 = config2 || {}; | 19 | config2 = config2 || {}; |
| 20 | const config = {}; | ||
| 21 | 20 | ||
| 21 | // Use a null-prototype object so that downstream reads such as `config.auth` | ||
| 22 | // or `config.baseURL` cannot inherit polluted values from Object.prototype | ||
| 23 | // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable | ||
| 24 | // own slot to preserve ergonomics for user code that relies on it. | ||
| 25 | const config = Object.create(null); | ||
| 26 | Object.defineProperty(config, 'hasOwnProperty', { | ||
| 27 | value: Object.prototype.hasOwnProperty, | ||
| 28 | enumerable: false, | ||
| 29 | writable: true, | ||
| 30 | configurable: true, | ||
| 31 | }); | ||
| 32 | |||
| 22 | function getMergedValue(target, source, prop, caseless) { | 33 | function getMergedValue(target, source, prop, caseless) { |
| 23 | if (utils.isPlainObject(target) && utils.isPlainObject(source)) { | 34 | if (utils.isPlainObject(target) && utils.isPlainObject(source)) { |
| 24 | return utils.merge.call({ caseless }, target, source); | 35 | return utils.merge.call({ caseless }, target, source); |
@@ -90,6 +101,7 @@ | |||
| 90 | httpsAgent: defaultToConfig2, | 101 | httpsAgent: defaultToConfig2, |
| 91 | cancelToken: defaultToConfig2, | 102 | cancelToken: defaultToConfig2, |
| 92 | socketPath: defaultToConfig2, | 103 | socketPath: defaultToConfig2, |
| 104 | allowedSocketPaths: defaultToConfig2, | ||
| 93 | responseEncoding: defaultToConfig2, | 105 | responseEncoding: defaultToConfig2, |
| 94 | validateStatus: mergeDirectKeys, | 106 | validateStatus: mergeDirectKeys, |
| 95 | headers: (a, b, prop) => | 107 | headers: (a, b, prop) => |
View file@@ -10,12 +10,24 @@ | |||
| 10 | export default (config) => { | 10 | export default (config) => { |
| 11 | const newConfig = mergeConfig({}, config); | 11 | const newConfig = mergeConfig({}, config); |
| 12 | 12 | ||
| 13 | let { data, withXSRFToken, xsrfHeaderName, xsrfCookieName, headers, auth } = newConfig; | 13 | // Read only own properties to prevent prototype pollution gadgets |
| 14 | // (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj. | ||
| 15 | const own = (key) => (utils.hasOwnProp(newConfig, key) ? newConfig[key] : undefined); | ||
| 14 | 16 | ||
| 17 | const data = own('data'); | ||
| 18 | let withXSRFToken = own('withXSRFToken'); | ||
| 19 | const xsrfHeaderName = own('xsrfHeaderName'); | ||
| 20 | const xsrfCookieName = own('xsrfCookieName'); | ||
| 21 | let headers = own('headers'); | ||
| 22 | const auth = own('auth'); | ||
| 23 | const baseURL = own('baseURL'); | ||
| 24 | const allowAbsoluteUrls = own('allowAbsoluteUrls'); | ||
| 25 | const url = own('url'); | ||
| 26 | |||
| 15 | newConfig.headers = headers = AxiosHeaders.from(headers); | 27 | newConfig.headers = headers = AxiosHeaders.from(headers); |
| 16 | 28 | ||
| 17 | newConfig.url = buildURL( | 29 | newConfig.url = buildURL( |
| 18 | buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), | 30 | buildFullPath(baseURL, url, allowAbsoluteUrls), |
| 19 | config.params, | 31 | config.params, |
| 20 | config.paramsSerializer | 32 | config.paramsSerializer |
| 21 | ); | 33 | ); |
View file@@ -86,7 +86,9 @@ | |||
| 86 | let i = keys.length; | 86 | let i = keys.length; |
| 87 | while (i-- > 0) { | 87 | while (i-- > 0) { |
| 88 | const opt = keys[i]; | 88 | const opt = keys[i]; |
| 89 | const validator = schema[opt]; | 89 | // Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply |
| 90 | // a non-function validator and cause a TypeError. See GHSA-q8qp-cvcw-x6jj. | ||
| 91 | const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined; | ||
| 90 | if (validator) { | 92 | if (validator) { |
| 91 | const value = options[opt]; | 93 | const value = options[opt]; |
| 92 | const result = value === undefined || validator(value, opt, options); | 94 | const result = value === undefined || validator(value, opt, options); |
View file@@ -1,6 +1,6 @@ | |||
| 1 | { | 1 | { |
| 2 | "name": "axios", | 2 | "name": "axios", |
| 3 | "version": "1.15.1", | 3 | "version": "1.15.2", |
| 4 | "description": "Promise based HTTP client for the browser and node.js", | 4 | "description": "Promise based HTTP client for the browser and node.js", |
| 5 | "main": "./dist/node/axios.cjs", | 5 | "main": "./dist/node/axios.cjs", |
| 6 | "module": "./index.js", | 6 | "module": "./index.js", |
View fileView file@@ -92,6 +92,8 @@ | |||
| 92 | - [Semver](#semver) | 92 | - [Semver](#semver) |
| 93 | - [Promises](#promises) | 93 | - [Promises](#promises) |
| 94 | - [TypeScript](#typescript) | 94 | - [TypeScript](#typescript) |
| 95 | - [Contributing](#contributing) | ||
| 96 | - [Local setup](#local-setup) | ||
| 95 | - [Resources](#resources) | 97 | - [Resources](#resources) |
| 96 | - [Credits](#credits) | 98 | - [Credits](#credits) |
| 97 | - [License](#license) | 99 | - [License](#license) |
@@ -598,8 +600,19 @@ | |||
| 598 | // e.g. '/var/run/docker.sock' to send requests to the docker daemon. | 600 | // e.g. '/var/run/docker.sock' to send requests to the docker daemon. |
| 599 | // Only either `socketPath` or `proxy` can be specified. | 601 | // Only either `socketPath` or `proxy` can be specified. |
| 600 | // If both are specified, `socketPath` is used. | 602 | // If both are specified, `socketPath` is used. |
| 603 | // | ||
| 604 | // Security: when `socketPath` is set, hostname/port of the URL are ignored, | ||
| 605 | // which bypasses hostname-based SSRF protections. Never derive `socketPath` | ||
| 606 | // from untrusted input. Use `allowedSocketPaths` (below) to restrict accepted | ||
| 607 | // socket paths for defense-in-depth. | ||
| 601 | socketPath: null, // default | 608 | socketPath: null, // default |
| 602 | 609 | ||
| 610 | // `allowedSocketPaths` restricts which `socketPath` values are accepted. | ||
| 611 | // Accepts a string or array of strings. Entries and the incoming socketPath | ||
| 612 | // are compared after path.resolve(). A mismatch throws AxiosError with code | ||
| 613 | // `ERR_BAD_OPTION_VALUE`. When null/undefined, no restriction is applied. | ||
| 614 | allowedSocketPaths: null, // default | ||
| 615 | |||
| 603 | // `transport` determines the transport method that will be used to make the request. | 616 | // `transport` determines the transport method that will be used to make the request. |
| 604 | // If defined, it will be used. Otherwise, if `maxRedirects` is 0, | 617 | // If defined, it will be used. Otherwise, if `maxRedirects` is 0, |
| 605 | // the default `http` or `https` library will be used, depending on the protocol specified in `protocol`. | 618 | // the default `http` or `https` library will be used, depending on the protocol specified in `protocol`. |
@@ -2009,6 +2022,23 @@ | |||
| 2009 | 2022 | ||
| 2010 | [](https://gitpod.io/#https://github.com/axios/axios/blob/main/examples/server.js) | 2023 | [](https://gitpod.io/#https://github.com/axios/axios/blob/main/examples/server.js) |
| 2011 | 2024 | ||
| 2025 | ## Contributing | ||
| 2026 | |||
| 2027 | ### Local setup | ||
| 2028 | |||
| 2029 | As a supply-chain hardening measure, this repository ships a project-level `.npmrc` that sets `ignore-scripts=true`. This blocks npm lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`) from any direct or transitive dependency when you run `npm install` or `npm ci` inside the repo. See [THREATMODEL.md](./THREATMODEL.md) (threat T-S2) for the rationale. | ||
| 2030 | |||
| 2031 | One consequence: the repository's own `prepare` hook (which installs Husky's git hooks) will **not** run automatically. After your first install, enable the git hooks manually: | ||
| 2032 | |||
| 2033 | ```bash | ||
| 2034 | npm ci | ||
| 2035 | npm rebuild husky && npx husky | ||
| 2036 | ``` | ||
| 2037 | |||
| 2038 | Run those two commands once per fresh checkout. You do **not** need to re-run them after every subsequent `npm install`. | ||
| 2039 | |||
| 2040 | Do not remove `ignore-scripts=true` from `.npmrc` to "fix" this — that re-opens the lifecycle-script attack surface for every other package in the tree. All CI workflows already invoke npm with `--ignore-scripts`, so local behaviour matches CI. | ||
| 2041 | |||
| 2012 | ## Resources | 2042 | ## Resources |
| 2013 | 2043 | ||
| 2014 | - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) | 2044 | - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) |
View fileSize
Gzip
Dependencies