Comparing axios@1.15.1...axios@1.15.2 • npm-diff.app 📦🔃

+/*! Axios v1.15.1 Copyright (c) 2026 Matt Zabriskie and contributors */
+/*! Axios v1.15.2 Copyright (c) 2026 Matt Zabriskie and contributors */
 'use strict';
 /**
 function mergeConfig(config1, config2) {
   // eslint-disable-next-line no-param-reassign
   config2 = config2 || {};
+  const config = {};
+  // Use a null-prototype object so that downstream reads such as `config.auth`
+  // or `config.baseURL` cannot inherit polluted values from Object.prototype
+  // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable
+  // own slot to preserve ergonomics for user code that relies on it.
+  const config = Object.create(null);
+  Object.defineProperty(config, 'hasOwnProperty', {
+    value: Object.prototype.hasOwnProperty,
+    enumerable: false,
+    writable: true,
+    configurable: true,
+  });
   function getMergedValue(target, source, prop, caseless) {
     if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) {
       return utils$1.merge.call({ caseless }, target, source);
     httpsAgent: defaultToConfig2,
     cancelToken: defaultToConfig2,
     socketPath: defaultToConfig2,
+    allowedSocketPaths: defaultToConfig2,
     responseEncoding: defaultToConfig2,
     validateStatus: mergeDirectKeys,
     headers: (a, b, prop) =>
 var resolveConfig = (config) => {
   const newConfig = mergeConfig({}, config);
+  let { data, withXSRFToken, xsrfHeaderName, xsrfCookieName, headers, auth } = newConfig;
+  // Read only own properties to prevent prototype pollution gadgets
+  // (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj.
+  const own = (key) => (utils$1.hasOwnProp(newConfig, key) ? newConfig[key] : undefined);
+  const data = own('data');
+  let withXSRFToken = own('withXSRFToken');
+  const xsrfHeaderName = own('xsrfHeaderName');
+  const xsrfCookieName = own('xsrfCookieName');
+  let headers = own('headers');
+  const auth = own('auth');
+  const baseURL = own('baseURL');
+  const allowAbsoluteUrls = own('allowAbsoluteUrls');
+  const url = own('url');
   newConfig.headers = headers = AxiosHeaders.from(headers);
   newConfig.url = buildURL(
+    buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls),
+    buildFullPath(baseURL, url, allowAbsoluteUrls),
     config.params,
     config.paramsSerializer
   );
   );
+}
+const VERSION = "1.15.1";
+const VERSION = "1.15.2";
 const validators$1 = {};
   let i = keys.length;
   while (i-- > 0) {
     const opt = keys[i];
+    const validator = schema[opt];
+    // Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply
+    // a non-function validator and cause a TypeError. See GHSA-q8qp-cvcw-x6jj.
+    const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined;
     if (validator) {
       const value = options[opt];
       const result = value === undefined || validator(value, opt, options);

@@ -497,6 +497,7 @@
497	497	responseDetails: { headers: Record<string, string>; statusCode: HttpStatusCode }
498	498	) => void;
499	499	socketPath?: string \| null;
	500	allowedSocketPaths?: string \| string[] \| null;
500	501	transport?: any;
501	502	httpAgent?: any;
502	503	httpsAgent?: any;

+/*! Axios v1.15.1 Copyright (c) 2026 Matt Zabriskie and contributors */
+/*! Axios v1.15.2 Copyright (c) 2026 Matt Zabriskie and contributors */
 (function (global, factory) {
   typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
   typeof define === 'function' && define.amd ? define(factory) :
   function mergeConfig(config1, config2) {
     // eslint-disable-next-line no-param-reassign
     config2 = config2 || {};
+    var config = {};
+    // Use a null-prototype object so that downstream reads such as `config.auth`
+    // or `config.baseURL` cannot inherit polluted values from Object.prototype
+    // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable
+    // own slot to preserve ergonomics for user code that relies on it.
+    var config = Object.create(null);
+    Object.defineProperty(config, 'hasOwnProperty', {
+      value: Object.prototype.hasOwnProperty,
+      enumerable: false,
+      writable: true,
+      configurable: true
+    });
     function getMergedValue(target, source, prop, caseless) {
       if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) {
         return utils$1.merge.call({
       httpsAgent: defaultToConfig2,
       cancelToken: defaultToConfig2,
       socketPath: defaultToConfig2,
+      allowedSocketPaths: defaultToConfig2,
       responseEncoding: defaultToConfig2,
       validateStatus: mergeDirectKeys,
       headers: function headers(a, b, prop) {
   var resolveConfig = (function (config) {
     var newConfig = mergeConfig({}, config);
+    var data = newConfig.data,
+      withXSRFToken = newConfig.withXSRFToken,
+      xsrfHeaderName = newConfig.xsrfHeaderName,
+      xsrfCookieName = newConfig.xsrfCookieName,
+      headers = newConfig.headers,
+      auth = newConfig.auth;
+    // Read only own properties to prevent prototype pollution gadgets
+    // (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj.
+    var own = function own(key) {
+      return utils$1.hasOwnProp(newConfig, key) ? newConfig[key] : undefined;
+    };
+    var data = own('data');
+    var withXSRFToken = own('withXSRFToken');
+    var xsrfHeaderName = own('xsrfHeaderName');
+    var xsrfCookieName = own('xsrfCookieName');
+    var headers = own('headers');
+    var auth = own('auth');
+    var baseURL = own('baseURL');
+    var allowAbsoluteUrls = own('allowAbsoluteUrls');
+    var url = own('url');
     newConfig.headers = headers = AxiosHeaders.from(headers);
+    newConfig.url = buildURL(buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), config.params, config.paramsSerializer);
+    newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), config.params, config.paramsSerializer);
     // HTTP basic authentication
     if (auth) {
     });
+  }
+  var VERSION = "1.15.1";
+  var VERSION = "1.15.2";
   var validators$1 = {};
     var i = keys.length;
     while (i-- > 0) {
       var opt = keys[i];
+      var validator = schema[opt];
+      // Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply
+      // a non-function validator and cause a TypeError. See GHSA-q8qp-cvcw-x6jj.
+      var validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined;
       if (validator) {
         var value = options[opt];
         var result = value === undefined || validator(value, opt, options);

+/*! Axios v1.15.1 Copyright (c) 2026 Matt Zabriskie and contributors */
+/*! Axios v1.15.2 Copyright (c) 2026 Matt Zabriskie and contributors */
 /**
  * Create a bound version of a function with a specified `this` context
+ *
 function mergeConfig$1(config1, config2) {
   // eslint-disable-next-line no-param-reassign
   config2 = config2 || {};
+  const config = {};
+  // Use a null-prototype object so that downstream reads such as `config.auth`
+  // or `config.baseURL` cannot inherit polluted values from Object.prototype
+  // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable
+  // own slot to preserve ergonomics for user code that relies on it.
+  const config = Object.create(null);
+  Object.defineProperty(config, 'hasOwnProperty', {
+    value: Object.prototype.hasOwnProperty,
+    enumerable: false,
+    writable: true,
+    configurable: true,
+  });
   function getMergedValue(target, source, prop, caseless) {
     if (utils$1.isPlainObject(target) && utils$1.isPlainObject(source)) {
       return utils$1.merge.call({ caseless }, target, source);
     httpsAgent: defaultToConfig2,
     cancelToken: defaultToConfig2,
     socketPath: defaultToConfig2,
+    allowedSocketPaths: defaultToConfig2,
     responseEncoding: defaultToConfig2,
     validateStatus: mergeDirectKeys,
     headers: (a, b, prop) =>
 var resolveConfig = (config) => {
   const newConfig = mergeConfig$1({}, config);
+  let { data, withXSRFToken, xsrfHeaderName, xsrfCookieName, headers, auth } = newConfig;
+  // Read only own properties to prevent prototype pollution gadgets
+  // (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj.
+  const own = (key) => (utils$1.hasOwnProp(newConfig, key) ? newConfig[key] : undefined);
+  const data = own('data');
+  let withXSRFToken = own('withXSRFToken');
+  const xsrfHeaderName = own('xsrfHeaderName');
+  const xsrfCookieName = own('xsrfCookieName');
+  let headers = own('headers');
+  const auth = own('auth');
+  const baseURL = own('baseURL');
+  const allowAbsoluteUrls = own('allowAbsoluteUrls');
+  const url = own('url');
   newConfig.headers = headers = AxiosHeaders$1.from(headers);
   newConfig.url = buildURL(
+    buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls),
+    buildFullPath(baseURL, url, allowAbsoluteUrls),
     config.params,
     config.paramsSerializer
   );
   );
+}
+const VERSION$1 = "1.15.1";
+const VERSION$1 = "1.15.2";
 const validators$1 = {};
   let i = keys.length;
   while (i-- > 0) {
     const opt = keys[i];
+    const validator = schema[opt];
+    // Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply
+    // a non-function validator and cause a TypeError. See GHSA-q8qp-cvcw-x6jj.
+    const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined;
     if (validator) {
       const value = options[opt];
       const result = value === undefined || validator(value, opt, options);

 export default function mergeConfig(config1, config2) {
   // eslint-disable-next-line no-param-reassign
   config2 = config2 || {};
+  const config = {};
+  // Use a null-prototype object so that downstream reads such as `config.auth`
+  // or `config.baseURL` cannot inherit polluted values from Object.prototype
+  // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable
+  // own slot to preserve ergonomics for user code that relies on it.
+  const config = Object.create(null);
+  Object.defineProperty(config, 'hasOwnProperty', {
+    value: Object.prototype.hasOwnProperty,
+    enumerable: false,
+    writable: true,
+    configurable: true,
+  });
   function getMergedValue(target, source, prop, caseless) {
     if (utils.isPlainObject(target) && utils.isPlainObject(source)) {
       return utils.merge.call({ caseless }, target, source);
     httpsAgent: defaultToConfig2,
     cancelToken: defaultToConfig2,
     socketPath: defaultToConfig2,
+    allowedSocketPaths: defaultToConfig2,
     responseEncoding: defaultToConfig2,
     validateStatus: mergeDirectKeys,
     headers: (a, b, prop) =>

@@ -1,1 +1,1 @@
1		export const VERSION = "1.15.1";
	1	export const VERSION = "1.15.2";

+{
   "name": "axios",
+  "version": "1.15.1",
+  "version": "1.15.2",
   "description": "Promise based HTTP client for the browser and node.js",
   "main": "./dist/node/axios.cjs",
   "module": "./index.js",

 - [Semver](#semver)
 - [Promises](#promises)
 - [TypeScript](#typescript)
+- [Contributing](#contributing)
+  - [Local setup](#local-setup)
 - [Resources](#resources)
 - [Credits](#credits)
 - [License](#license)
   // e.g. '/var/run/docker.sock' to send requests to the docker daemon.
   // Only either `socketPath` or `proxy` can be specified.
   // If both are specified, `socketPath` is used.
+  //
+  // Security: when `socketPath` is set, hostname/port of the URL are ignored,
+  // which bypasses hostname-based SSRF protections. Never derive `socketPath`
+  // from untrusted input. Use `allowedSocketPaths` (below) to restrict accepted
+  // socket paths for defense-in-depth.
   socketPath: null, // default
+  // `allowedSocketPaths` restricts which `socketPath` values are accepted.
+  // Accepts a string or array of strings. Entries and the incoming socketPath
+  // are compared after path.resolve(). A mismatch throws AxiosError with code
+  // `ERR_BAD_OPTION_VALUE`. When null/undefined, no restriction is applied.
+  allowedSocketPaths: null, // default
   // `transport` determines the transport method that will be used to make the request.
   // If defined, it will be used. Otherwise, if `maxRedirects` is 0,
   // the default `http` or `https` library will be used, depending on the protocol specified in `protocol`.
 [![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/axios/axios/blob/main/examples/server.js)
+## Contributing
+### Local setup
+As a supply-chain hardening measure, this repository ships a project-level `.npmrc` that sets `ignore-scripts=true`. This blocks npm lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`) from any direct or transitive dependency when you run `npm install` or `npm ci` inside the repo. See [THREATMODEL.md](./THREATMODEL.md) (threat T-S2) for the rationale.
+One consequence: the repository's own `prepare` hook (which installs Husky's git hooks) will **not** run automatically. After your first install, enable the git hooks manually:
+```bash
+npm ci
+npm rebuild husky && npx husky
+```
+Run those two commands once per fresh checkout. You do **not** need to re-run them after every subsequent `npm install`.
+Do not remove `ignore-scripts=true` from `.npmrc` to "fix" this — that re-opens the lifecycle-script attack surface for every other package in the tree. All CI workflows already invoke npm with `--ignore-scripts`, so local behaviour matches CI.
 ## Resources
 - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)

@@ -397,6 +397,7 @@
397	397	}
398	398	) => void;
399	399	socketPath?: string \| null;
	400	allowedSocketPaths?: string \| string[] \| null;
400	401	transport?: any;
401	402	httpAgent?: any;
402	403	httpsAgent?: any;

Comparingaxios@1.15.1

Comparingaxios@1.15.1

Source

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

dist/browser/axios.cjs +++32---6

dist/node/axios.cjs +++91---37

index.d.cts +++1---0

dist/axios.js +++34---11

dist/esm/axios.js +++32---6

lib/env/data.js +++1---1

lib/adapters/http.js +++69---22

lib/core/mergeConfig.js +++13---1

lib/helpers/resolveConfig.js +++14---2

lib/helpers/validator.js +++3---1

package.json +++1---1

CHANGELOG.md +++112---44

README.md +++30---0

index.d.ts +++1---0

+++0---0

Bundlephobia

Packagephobia

dist/browser/axios.cjs +++32---6

dist/node/axios.cjs +++91---37

index.d.cts +++1---0

dist/axios.js +++34---11

dist/esm/axios.js +++32---6

lib/env/data.js +++1---1

lib/adapters/http.js +++69---22

lib/core/mergeConfig.js +++13---1

lib/helpers/resolveConfig.js +++14---2

lib/helpers/validator.js +++3---1

package.json +++1---1

CHANGELOG.md +++112---44

README.md +++30---0

index.d.ts +++1---0

Source

Source

Comparing
`axios@1.15.1`

Comparing
`axios@1.15.1`