Comparing axios@1.15.2...axios@1.16.0 • npm-diff.app 📦🔃

-interface RawAxiosHeaders {
-  [key: string]: axios.AxiosHeaderValue;
-}
 type MethodsHeaders = Partial<
   {
     [Key in axios.Method as Lowercase<Key>]: AxiosHeaders;
 type BrowserProgressEvent = any;
 declare class AxiosHeaders {
-  constructor(headers?: RawAxiosHeaders | AxiosHeaders | string);
+  constructor(headers?: axios.RawAxiosHeaders | AxiosHeaders | string);
   [key: string]: any;
     value?: axios.AxiosHeaderValue,
     rewrite?: boolean | AxiosHeaderMatcher
   ): AxiosHeaders;
-  set(headers?: RawAxiosHeaders | AxiosHeaders | string, rewrite?: boolean): AxiosHeaders;
+  set(headers?: axios.RawAxiosHeaders | AxiosHeaders | string, rewrite?: boolean): AxiosHeaders;
   get(headerName: string, parser: RegExp): RegExpExecArray | null;
   get(headerName: string, matcher?: true | AxiosHeaderParser): axios.AxiosHeaderValue;
   normalize(format: boolean): AxiosHeaders;
   concat(
-    ...targets: Array<AxiosHeaders | RawAxiosHeaders | string | undefined | null>
+    ...targets: Array<AxiosHeaders | axios.RawAxiosHeaders | string | undefined | null>
   ): AxiosHeaders;
-  toJSON(asStrings?: boolean): RawAxiosHeaders;
+  toJSON(asStrings?: boolean): axios.RawAxiosHeaders;
-  static from(thing?: AxiosHeaders | RawAxiosHeaders | string): AxiosHeaders;
+  static from(thing?: AxiosHeaders | axios.RawAxiosHeaders | string): AxiosHeaders;
   static accessor(header: string | string[]): AxiosHeaders;
   static concat(
-    ...targets: Array<AxiosHeaders | RawAxiosHeaders | string | undefined | null>
+    ...targets: Array<AxiosHeaders | axios.RawAxiosHeaders | string | undefined | null>
   ): AxiosHeaders;
   setContentType(value: ContentType, rewrite?: boolean | AxiosHeaderMatcher): AxiosHeaders;
   static readonly ERR_CANCELED = 'ERR_CANCELED';
   static readonly ERR_FORM_DATA_DEPTH_EXCEEDED = 'ERR_FORM_DATA_DEPTH_EXCEEDED';
   static readonly ECONNABORTED = 'ECONNABORTED';
+  static readonly ECONNREFUSED = 'ECONNREFUSED';
   static readonly ETIMEDOUT = 'ETIMEDOUT';
 }
     data?: D,
     config?: axios.AxiosRequestConfig<D>
   ): Promise<R>;
+  query<T = any, R = axios.AxiosResponse<T>, D = any>(
+    url: string,
+    data?: D,
+    config?: axios.AxiosRequestConfig<D>
+  ): Promise<R>;
 }
 declare enum HttpStatusCode {
 declare namespace axios {
   type AxiosError<T = unknown, D = any> = InternalAxiosError<T, D>;
+  interface RawAxiosHeaders {
+    [key: string]: AxiosHeaderValue;
+  }
   type RawAxiosRequestHeaders = Partial<
     RawAxiosHeaders & {
       [Key in CommonRequestHeadersList]: AxiosHeaderValue;
     | 'PATCH'
     | 'PURGE'
     | 'LINK'
-    | 'UNLINK';
+    | 'UNLINK'
+    | 'QUERY';
   type Method = (UppercaseMethod | Lowercase<UppercaseMethod>) & {};
     maxRate?: number | [MaxUploadRate, MaxDownloadRate];
     beforeRedirect?: (
       options: Record<string, any>,
-      responseDetails: { headers: Record<string, string>; statusCode: HttpStatusCode }
+      responseDetails: { headers: Record<string, string>; statusCode: HttpStatusCode },
+      requestDetails: { headers: Record<string, string>; url: string; method: string },
     ) => void;
     socketPath?: string | null;
     allowedSocketPaths?: string | string[] | null;
     httpAgent?: any;
     httpsAgent?: any;
     proxy?: AxiosProxyConfig | false;
-    cancelToken?: CancelToken;
+    cancelToken?: CancelToken | undefined;
     decompress?: boolean;
     transitional?: TransitionalOptions;
     signal?: GenericAbortSignal;
           | LookupAddress
         >);
     withXSRFToken?: boolean | ((config: InternalAxiosRequestConfig) => boolean | undefined);
+    parseReviver?: (this: any, key: string, value: any, context?: { source: string }) => any;
     fetchOptions?:
       | Omit<RequestInit, 'body' | 'headers' | 'method' | 'signal'>
       | Record<string, any>;
     http2Options?: Record<string, any> & {
       sessionTimeout?: number;
     };
+    formDataHeaderPolicy?: 'legacy' | 'content-only';
+    redact?: string[];
   }
   // Alias
     purge?: RawAxiosRequestHeaders;
     link?: RawAxiosRequestHeaders;
     unlink?: RawAxiosRequestHeaders;
+    query?: RawAxiosRequestHeaders;
   }
   interface AxiosDefaults<D = any> extends Omit<AxiosRequestConfig<D>, 'headers'> {

@@ -25,11 +25,13 @@
25	utils.forEach(knownAdapters, (fn, value) => {	25	utils.forEach(knownAdapters, (fn, value) => {
26	if (fn) {	26	if (fn) {
27	try {	27	try {
28	Object.defineProperty(fn, 'name', { value });	28	// Null-proto descriptors so a polluted Object.prototype.get cannot turn
		29	// these data descriptors into accessor descriptors on the way in.
		30	Object.defineProperty(fn, 'name', { __proto__: null, value });
29	} catch (e) {	31	} catch (e) {
30	// eslint-disable-next-line no-empty	32	// eslint-disable-next-line no-empty
31	}	33	}
32	Object.defineProperty(fn, 'adapterName', { value });	34	Object.defineProperty(fn, 'adapterName', { __proto__: null, value });
33	}	35	}
34	});	36	});
35		37

     let contextHeaders = headers && utils.merge(headers.common, headers[config.method]);
     headers &&
-      utils.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'common'], (method) => {
+      utils.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'query', 'common'], (method) => {
         delete headers[method];
       });
   };
 });
-utils.forEach(['post', 'put', 'patch'], function forEachMethodWithData(method) {
+utils.forEach(['post', 'put', 'patch', 'query'], function forEachMethodWithData(method) {
   function generateHTTPMethod(isForm) {
     return function httpMethod(url, data, config) {
       return this.request(
   Axios.prototype[method] = generateHTTPMethod();
-  Axios.prototype[method + 'Form'] = generateHTTPMethod(true);
+  // QUERY is a safe/idempotent read method; multipart form bodies don't fit
+  // its semantics, so no queryForm shorthand is generated.
+  if (method !== 'query') {
+    Axios.prototype[method + 'Form'] = generateHTTPMethod(true);
+  }
 });
 export default Axios;

 'use strict';
 import utils from '../utils.js';
+import AxiosHeaders from './AxiosHeaders.js';
+const REDACTED = '[REDACTED ****]';
+function hasOwnOrPrototypeToJSON(source) {
+  if (utils.hasOwnProp(source, 'toJSON')) {
+    return true;
+  }
+  let prototype = Object.getPrototypeOf(source);
+  while (prototype && prototype !== Object.prototype) {
+    if (utils.hasOwnProp(prototype, 'toJSON')) {
+      return true;
+    }
+    prototype = Object.getPrototypeOf(prototype);
+  }
+  return false;
+}
+// Build a plain-object snapshot of `config` and replace the value of any key
+// (case-insensitive) listed in `redactKeys` with REDACTED. Walks through arrays
+// and AxiosHeaders, and short-circuits on circular references.
+function redactConfig(config, redactKeys) {
+  const lowerKeys = new Set(redactKeys.map((k) => String(k).toLowerCase()));
+  const seen = [];
+  const visit = (source) => {
+    if (source === null || typeof source !== 'object') return source;
+    if (utils.isBuffer(source)) return source;
+    if (seen.indexOf(source) !== -1) return undefined;
+    if (source instanceof AxiosHeaders) {
+      source = source.toJSON();
+    }
+    seen.push(source);
+    let result;
+    if (utils.isArray(source)) {
+      result = [];
+      source.forEach((v, i) => {
+        const reducedValue = visit(v);
+        if (!utils.isUndefined(reducedValue)) {
+          result[i] = reducedValue;
+        }
+      });
+    } else {
+      if (!utils.isPlainObject(source) && hasOwnOrPrototypeToJSON(source)) {
+        seen.pop();
+        return source;
+      }
+      result = Object.create(null);
+      for (const [key, value] of Object.entries(source)) {
+        const reducedValue = lowerKeys.has(key.toLowerCase()) ? REDACTED : visit(value);
+        if (!utils.isUndefined(reducedValue)) {
+          result[key] = reducedValue;
+        }
+      }
+    }
+    seen.pop();
+    return result;
+  };
+  return visit(config);
+}
 class AxiosError extends Error {
   static from(error, code, config, request, response, customProps) {
     const axiosError = new AxiosError(error.message, code || error.code, config, request, response);
     // The native Error constructor sets message as non-enumerable,
     // but axios < v1.13.3 had it as enumerable
     Object.defineProperty(this, 'message', {
+      // Null-proto descriptor so a polluted Object.prototype.get cannot turn
+      // this data descriptor into an accessor descriptor on the way in.
+      __proto__: null,
       value: message,
       enumerable: true,
       writable: true,
+  }
   toJSON() {
+    // Opt-in redaction: when the request config carries a `redact` array, the
+    // value of any matching key (case-insensitive, at any depth) is replaced
+    // with REDACTED in the serialized snapshot. Undefined or empty leaves the
+    // existing serialization behavior unchanged.
+    const config = this.config;
+    const redactKeys = config && utils.hasOwnProp(config, 'redact') ? config.redact : undefined;
+    const serializedConfig =
+      utils.isArray(redactKeys) && redactKeys.length > 0
+        ? redactConfig(config, redactKeys)
+        : utils.toJSONObject(config);
     return {
       // Standard
       message: this.message,
       columnNumber: this.columnNumber,
       stack: this.stack,
       // Axios
+      config: serializedConfig,
       code: this.code,
       status: this.status,
     };
 AxiosError.ERR_BAD_OPTION = 'ERR_BAD_OPTION';
 AxiosError.ECONNABORTED = 'ECONNABORTED';
 AxiosError.ETIMEDOUT = 'ETIMEDOUT';
+AxiosError.ECONNREFUSED = 'ECONNREFUSED';
 AxiosError.ERR_NETWORK = 'ERR_NETWORK';
 AxiosError.ERR_FR_TOO_MANY_REDIRECTS = 'ERR_FR_TOO_MANY_REDIRECTS';
 AxiosError.ERR_DEPRECATED = 'ERR_DEPRECATED';

   ['get', 'set', 'has'].forEach((methodName) => {
     Object.defineProperty(obj, methodName + accessorName, {
+      // Null-proto descriptor so a polluted Object.prototype.get cannot turn
+      // this data descriptor into an accessor descriptor on the way in.
+      __proto__: null,
       value: function (arg1, arg2, arg3) {
         return this[methodName].call(this, header, arg1, arg2, arg3);
       },

@@ -11,7 +11,7 @@
11	*	11	*
12	* @returns {string} The encoded value.	12	* @returns {string} The encoded value.
13	*/	13	*/
14	function encode(val) {	14	export function encode(val) {
15	return encodeURIComponent(val)	15	return encodeURIComponent(val)
16	.replace(/%3A/gi, ':')	16	.replace(/%3A/gi, ':')
17	.replace(/%24/g, '$')	17	.replace(/%24/g, '$')

       read(name) {
         if (typeof document === 'undefined') return null;
+        const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
+        // Match name=value by splitting on the semicolon separator instead of building a
+        // RegExp from `name` — interpolating an unescaped string into a RegExp would let
+        // metacharacters (e.g. `.+?` in an attacker-influenced cookie name) cause ReDoS or
+        // match the wrong cookie. Browsers may serialize cookie pairs as either ";" or
+        // "; ", so ignore optional whitespace before each cookie name.
+        const cookies = document.cookie.split(';');
+        for (let i = 0; i < cookies.length; i++) {
+          const cookie = cookies[i].replace(/^\s+/, '');
+          const eq = cookie.indexOf('=');
+          if (eq !== -1 && cookie.slice(0, eq) === name) {
+            return decodeURIComponent(cookie.slice(eq + 1));
+          }
+        }
+        return null;
       },
       remove(name) {

@@ -1,1 +1,1 @@
1	export const VERSION = "1.15.2";	1	export const VERSION = "1.16.0";

     function onAdapterResolution(response) {
       throwIfCancellationRequested(config);
+      // Transform response data
+      // Expose the current response on config so that transformResponse can
+      // attach it to any AxiosError it throws (e.g. on JSON parse failure).
+      // We clean it up afterwards to avoid polluting the config object.
+      config.response = response;
+      try {
+        response.data = transformData.call(config, config.transformResponse, response);
+      } finally {
+        delete config.response;
+      }
       response.headers = AxiosHeaders.from(response.headers);
         // Transform response data
         if (reason && reason.response) {
+          reason.response.data = transformData.call(
+            config,
+            config.transformResponse,
+            reason.response
+          config.response = reason.response;
+          try {
+            reason.response.data = transformData.call(
+              config,
+              config.transformResponse,
+              reason.response
+            );
+          } finally {
+            delete config.response;
+          }
           reason.response.headers = AxiosHeaders.from(reason.response.headers);
+        }
+      }

     return bytes > 0 ? bytes : 0;
+  }
+  if (typeof Buffer !== 'undefined' && typeof Buffer.byteLength === 'function') {
+    return Buffer.byteLength(body, 'utf8');
+  }
+  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
+  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
+  // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
+  // but 3 UTF-8 bytes).
+  let bytes = 0;
+  for (let i = 0, len = body.length; i < len; i++) {
+    const c = body.charCodeAt(i);
+    if (c < 0x80) {
+      bytes += 1;
+    } else if (c < 0x800) {
+      bytes += 2;
+    } else if (c >= 0xd800 && c <= 0xdbff && i + 1 < len) {
+      const next = body.charCodeAt(i + 1);
+      if (next >= 0xdc00 && next <= 0xdfff) {
+        bytes += 4;
+        i++;
+      } else {
+        bytes += 3;
+      }
+    } else {
+      bytes += 3;
+    }
+  }
+  return bytes;
+}

@@ -77,7 +77,7 @@
77	}	77	}
78		78
79	if (boundary.length < 1 \|\| boundary.length > 70) {	79	if (boundary.length < 1 \|\| boundary.length > 70) {
80	throw Error('boundary must be 10-70 characters long');	80	throw Error('boundary must be 1-70 characters long');
81	}	81	}
82		82
83	const boundaryBytes = textEncoder.encode('--' + boundary + CRLF);	83	const boundaryBytes = textEncoder.encode('--' + boundary + CRLF);

   formToJSON,
   getAdapter,
   mergeConfig,
+  create,
 } = axios;
 export {
   axios as default,
+  create,
   Axios,
   AxiosError,
   CanceledError,

@@ -170,7 +170,7 @@
170	},	170	},
171	};	171	};
172		172
173	utils.forEach(['delete', 'get', 'head', 'post', 'put', 'patch'], (method) => {	173	utils.forEach(['delete', 'get', 'head', 'post', 'put', 'patch', 'query'], (method) => {
174	defaults.headers[method] = {};	174	defaults.headers[method] = {};
175	});	175	});
176		176

   config2 = config2 || {};
   // Use a null-prototype object so that downstream reads such as `config.auth`
+  // or `config.baseURL` cannot inherit polluted values from Object.prototype
+  // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable
+  // or `config.baseURL` cannot inherit polluted values from Object.prototype.
+  // `hasOwnProperty` is restored as a non-enumerable own slot to preserve
+  // ergonomics for user code that relies on it.
   const config = Object.create(null);
   Object.defineProperty(config, 'hasOwnProperty', {
+    // Null-proto descriptor so a polluted Object.prototype.get cannot turn
+    // this data descriptor into an accessor descriptor on the way in.
+    __proto__: null,
     value: Object.prototype.hasOwnProperty,
     enumerable: false,
     writable: true,

@@ -1,6 +1,6 @@
1	'use strict';	1	'use strict';
2		2
3	export default function parseProtocol(url) {	3	export default function parseProtocol(url) {
4	const match = /^([-+\w]{1,25})(:?\/\/\|:)/.exec(url);	4	const match = /^([-+\w]{1,25}):(?:\/\/)?/.exec(url);
5	return (match && match[1]) \|\| '';	5	return (match && match[1]) \|\| '';
6	}	6	}

@@ -87,7 +87,7 @@
87	while (i-- > 0) {	87	while (i-- > 0) {
88	const opt = keys[i];	88	const opt = keys[i];
89	// Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply	89	// Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply
90	// a non-function validator and cause a TypeError. See GHSA-q8qp-cvcw-x6jj.	90	// a non-function validator and cause a TypeError.
91	const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined;	91	const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined;
92	if (validator) {	92	if (validator) {
93	const value = options[opt];	93	const value = options[opt];

 import AxiosHeaders from '../core/AxiosHeaders.js';
 import buildURL from './buildURL.js';
+const FORM_DATA_CONTENT_HEADERS = ['content-type', 'content-length'];
+function setFormDataHeaders(headers, formHeaders, policy) {
+  if (policy !== 'content-only') {
+    headers.set(formHeaders);
+    return;
+  }
+  Object.entries(formHeaders).forEach(([key, val]) => {
+    if (FORM_DATA_CONTENT_HEADERS.includes(key.toLowerCase())) {
+      headers.set(key, val);
+    }
+  });
+}
+/**
+ * Encode a UTF-8 string to a Latin-1 byte string for use with btoa().
+ * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern.
+ *
+ * @param {string} str The string to encode
+ *
+ * @returns {string} UTF-8 bytes as a Latin-1 string
+ */
+const encodeUTF8 = (str) =>
+  encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) =>
+    String.fromCharCode(parseInt(hex, 16))
+  );
 export default (config) => {
   const newConfig = mergeConfig({}, config);
   // Read only own properties to prevent prototype pollution gadgets
+  // (e.g. Object.prototype.baseURL = 'https://evil.com').
   const own = (key) => (utils.hasOwnProp(newConfig, key) ? newConfig[key] : undefined);
   const data = own('data');
     headers.set(
       'Authorization',
       'Basic ' +
+        btoa(
+          (auth.username || '') +
+            ':' +
+            (auth.password ? unescape(encodeURIComponent(auth.password)) : '')
+        btoa((auth.username || '') + ':' + (auth.password ? encodeUTF8(auth.password) : ''))
     );
+  }
       headers.setContentType(undefined); // browser handles it
     } else if (utils.isFunction(data.getHeaders)) {
       // Node.js FormData (like form-data package)
+      const formHeaders = data.getHeaders();
+      // Only set safe headers to avoid overwriting security headers
+      const allowedHeaders = ['content-type', 'content-length'];
+      Object.entries(formHeaders).forEach(([key, val]) => {
+        if (allowedHeaders.includes(key.toLowerCase())) {
+          headers.set(key, val);
+        }
+      setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy'));
+    }
+  }
     // Strict boolean check — prevents proto-pollution gadgets (e.g. Object.prototype.withXSRFToken = 1)
     // and misconfigurations (e.g. "false") from short-circuiting the same-origin check and leaking
+    // the XSRF token cross-origin.
     const shouldSendXSRF =
+      withXSRFToken === true ||
+      withXSRFToken === true || (withXSRFToken == null && isURLSameOrigin(newConfig.url));
     if (shouldSendXSRF) {
       const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName);

   if (!response.status || !validateStatus || validateStatus(response.status)) {
     resolve(response);
   } else {
+    reject(
+      new AxiosError(
+        'Request failed with status code ' + response.status,
+        [AxiosError.ERR_BAD_REQUEST, AxiosError.ERR_BAD_RESPONSE][
+          Math.floor(response.status / 100) - 4
+        ],
+        response.config,
+        response.request,
+        response
+      )
+    reject(new AxiosError(
+      'Request failed with status code ' + response.status,
+      response.status >= 400 && response.status < 500 ? AxiosError.ERR_BAD_REQUEST : AxiosError.ERR_BAD_RESPONSE,
+      response.config,
+      response.request,
+      response
+    ));
+  }
+}

   return [entryHost, entryPort];
 };
+// Convert IPv4-mapped IPv6 (::ffff:0:0/96 prefix) to IPv4 dotted form so both
+// sides of a NO_PROXY comparison see the same canonical address. Without this,
+// `NO_PROXY=192.168.1.5` would not match a request to `http://[::ffff:192.168.1.5]/`
+// (Node's URL parser normalises that to `[::ffff:c0a8:105]`), and vice-versa,
+// allowing the proxy-bypass policy to be circumvented by using the alternate
+// representation. Returns the input unchanged when not IPv4-mapped.
+const IPV4_MAPPED_DOTTED_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:(\d+\.\d+\.\d+\.\d+)$/i;
+const IPV4_MAPPED_HEX_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i;
+const unmapIPv4MappedIPv6 = (host) => {
+  if (typeof host !== 'string' || host.indexOf(':') === -1) return host;
+  const dotted = host.match(IPV4_MAPPED_DOTTED_RE);
+  if (dotted) return dotted[1];
+  const hex = host.match(IPV4_MAPPED_HEX_RE);
+  if (hex) {
+    const high = parseInt(hex[1], 16);
+    const low = parseInt(hex[2], 16);
+    return `${high >> 8}.${high & 0xff}.${low >> 8}.${low & 0xff}`;
+  }
+  return host;
+};
 const normalizeNoProxyHost = (hostname) => {
   if (!hostname) {
     return hostname;
     hostname = hostname.slice(1, -1);
+  }
+  return unmapIPv4MappedIPv6(hostname.replace(/\.+$/, ''));
 };
 export default function shouldBypassProxy(location) {

  * also have a `name` and `type` attribute to specify filename and content type
  *
  * @see https://github.com/facebook/react-native/blob/26684cf3adf4094eb6c405d345a75bf8c7c0bf88/Libraries/Network/FormData.js#L68-L71
  *
  * @param {*} value The value to test
  *
  * @returns {boolean} True if value is a React Native Blob, otherwise false
  */
 const isReactNativeBlob = (value) => {
   return !!(value && typeof value.uri !== 'undefined');
-}
+};
 /**
  * Determine if environment is React Native
  * ReactNative `FormData` has a non-standard `getParts()` method
  *
  * @param {*} formData The formData to test
  *
  * @returns {boolean} True if environment is React Native, otherwise false
  */
 const isReactNative = (formData) => formData && typeof formData.getParts !== 'undefined';
  *
  * @param {*} val The value to test
  *
- * @returns {boolean} True if value is a File, otherwise false
+ * @returns {boolean} True if value is a FileList, otherwise false
  */
 const isFileList = kindOfTest('FileList');
 const isFormData = (thing) => {
   if (!thing) return false;
   if (FormDataCtor && thing instanceof FormDataCtor) return true;
-  // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData (GHSA-6chq-wfr3-2hj9).
+  // Reject plain objects inheriting directly from Object.prototype so prototype-pollution gadgets can't spoof FormData.
   const proto = getPrototypeOf(thing);
   if (!proto || proto === Object.prototype) return false;
   if (!isFunction(thing.append)) return false;
   const kind = kindOf(thing);
-  return kind === 'formdata' ||
+  return (
+    kind === 'formdata' ||
     // detect form-data instance
-    (kind === 'object' && isFunction(thing.toString) && thing.toString() === '[object FormData]');
+    (kind === 'object' && isFunction(thing.toString) && thing.toString() === '[object FormData]')
+  );
 };
 /**
  *
  * @returns {Object} Result of all merge properties
  */
-function merge(/* obj1, obj2, obj3, ... */) {
+function merge(...objs) {
   const { caseless, skipUndefined } = (isContextDefined(this) && this) || {};
   const result = {};
   const assignValue = (val, key) => {
     }
     const targetKey = (caseless && findKey(result, key)) || key;
-    if (isPlainObject(result[targetKey]) && isPlainObject(val)) {
-      result[targetKey] = merge(result[targetKey], val);
+    // Read via own-prop only — a bare `result[targetKey]` walks the prototype
+    // chain, so a polluted Object.prototype value could surface here and get
+    // copied into the merged result.
+    const existing = hasOwnProperty(result, targetKey) ? result[targetKey] : undefined;
+    if (isPlainObject(existing) && isPlainObject(val)) {
+      result[targetKey] = merge(existing, val);
     } else if (isPlainObject(val)) {
       result[targetKey] = merge({}, val);
     } else if (isArray(val)) {
     }
   };
-  for (let i = 0, l = arguments.length; i < l; i++) {
-    arguments[i] && forEach(arguments[i], assignValue);
+  for (let i = 0, l = objs.length; i < l; i++) {
+    objs[i] && forEach(objs[i], assignValue);
   }
   return result;
 }
     (val, key) => {
       if (thisArg && isFunction(val)) {
         Object.defineProperty(a, key, {
+          // Null-proto descriptor so a polluted Object.prototype.get cannot
+          // hijack defineProperty's accessor-vs-data resolution.
+          __proto__: null,
           value: bind(val, thisArg),
           writable: true,
           enumerable: true,
         });
       } else {
         Object.defineProperty(a, key, {
+          __proto__: null,
           value: val,
           writable: true,
           enumerable: true,
 const inherits = (constructor, superConstructor, props, descriptors) => {
   constructor.prototype = Object.create(superConstructor.prototype, descriptors);
   Object.defineProperty(constructor.prototype, 'constructor', {
+    __proto__: null,
     value: constructor,
     writable: true,
     enumerable: false,
     configurable: true,
   });
   Object.defineProperty(constructor, 'super', {
+    __proto__: null,
     value: superConstructor.prototype,
   });
   props && Object.assign(constructor.prototype, props);
 const freezeMethods = (obj) => {
   reduceDescriptors(obj, (descriptor, name) => {
     // skip restricted props in strict mode
-    if (isFunction(obj) && ['arguments', 'caller', 'callee'].indexOf(name) !== -1) {
+    if (isFunction(obj) && ['arguments', 'caller', 'callee'].includes(name)) {
       return false;
     }

           // will return status as 0 even though it's a successful request
           if (
             request.status === 0 &&
-            !(request.responseURL && request.responseURL.indexOf('file:') === 0)
+            !(request.responseURL && request.responseURL.startsWith('file:'))
           ) {
             return;
           }
         }
         reject(new AxiosError('Request aborted', AxiosError.ECONNABORTED, config, request));
+        done();
         // Clean up request
         request = null;
         // attach the underlying event for consumers who want details
         err.event = event || null;
         reject(err);
+        done();
         request = null;
       };
             request
           )
         );
+        done();
         // Clean up request
         request = null;
           }
           reject(!cancel || cancel.type ? new CanceledError(null, config, request) : cancel);
           request.abort();
+          done();
           request = null;
         };
       const protocol = parseProtocol(_config.url);
-      if (protocol && platform.protocols.indexOf(protocol) === -1) {
+      if (protocol && !platform.protocols.includes(protocol)) {
         reject(
           new AxiosError(
             'Unsupported protocol ' + protocol + ':',

+{
   "name": "axios",
+  "version": "1.16.0",
   "description": "Promise based HTTP client for the browser and node.js",
   "main": "./dist/node/axios.cjs",
   "module": "./index.js",
     "Dmitriy Mozgovoy (https://github.com/DigitalBrainJS)",
     "Nick Uraltsev (https://github.com/nickuraltsev)",
     "Emily Morehouse (https://github.com/emilyemorehouse)",
+    "Rubén Norte (https://github.com/rubennorte)",
     "Justin Beckwith (https://github.com/JustinBeckwith)",
+    "Rubén Norte (https://github.com/rubennorte)",
     "Martti Laine (https://github.com/codeclown)",
     "Xianming Zhong (https://github.com/chinesedfan)",
+    "Willian Agostini (https://github.com/WillianAgostini)",
+    "Shaan Majid (https://github.com/shaanmajid)",
     "Remco Haszing (https://github.com/remcohaszing)",
+    "Shaan Majid (https://github.com/shaanmajid)",
+    "Willian Agostini (https://github.com/WillianAgostini)",
     "Rikki Gibson (https://github.com/RikkiGibson)"
   ],
   "sideEffects": false,
     "prepare": "husky"
   },
   "dependencies": {
+    "follow-redirects": "^1.16.0",
     "form-data": "^4.0.5",
     "proxy-from-env": "^2.1.0"
   },
   "devDependencies": {
     "@babel/core": "^7.29.0",
+    "@babel/preset-env": "^7.29.0",
+    "@commitlint/cli": "^20.4.4",
+    "@babel/preset-env": "^7.29.2",
+    "@commitlint/cli": "^20.5.0",
+    "@commitlint/config-conventional": "^20.5.0",
     "@eslint/js": "^10.0.1",
     "@rollup/plugin-alias": "^6.0.0",
     "@rollup/plugin-babel": "^7.0.0",
     "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^16.0.3",
     "@rollup/plugin-terser": "^1.0.0",
+    "@vitest/browser": "^4.1.1",
+    "@vitest/browser": "^4.1.5",
+    "@vitest/browser-playwright": "^4.1.5",
     "abortcontroller-polyfill": "^1.7.8",
+    "auto-changelog": "^2.5.0",
     "body-parser": "^2.2.2",
     "chalk": "^5.6.2",
     "cross-env": "^10.1.0",
     "dev-null": "^0.1.1",
+    "eslint": "^10.2.1",
     "express": "^5.2.1",
     "formdata-node": "^6.0.3",
+    "formidable": "^3.5.4",
     "fs-extra": "^11.3.4",
     "get-stream": "^9.0.1",
+    "globals": "^17.5.0",
     "gulp": "^5.0.1",
+    "handlebars": "^4.7.8",
     "husky": "^9.1.7",
     "lint-staged": "^16.4.0",
+    "memoizee": "^0.4.17",
     "minimist": "^1.2.8",
     "multer": "^2.1.1",
+    "pacote": "^21.5.0",
+    "playwright": "^1.58.2",
+    "prettier": "^3.8.1",
+    "pretty-bytes": "^7.1.0",
+    "playwright": "^1.59.1",
+    "prettier": "^3.8.3",
+    "rollup": "^4.60.2",
     "rollup-plugin-bundle-size": "^1.0.3",
     "selfsigned": "^5.5.0",
     "stream-throttle": "^0.1.3",
+    "string-replace-async": "^3.0.2",
+    "tar-stream": "^3.1.8",
     "typescript": "^5.9.3",
+    "vitest": "^4.1.5"
   },
   "commitlint": {
     "rules": {

 # Changelog
+## v1.15.2 - April 21, 2026
+This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in `allowedSocketPaths` allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.
+## 🔒 Security Fixes
+- **Prototype Pollution Hardening (HTTP Adapter):** Hardened the Node HTTP adapter and `resolveConfig`/`mergeConfig`/validator paths to read only own properties and use null-prototype config objects, preventing polluted `auth`, `baseURL`, `socketPath`, `beforeRedirect`, and `insecureHTTPParser` from influencing requests. (**#10779**)
+- **SSRF via `socketPath`:** Rejects non-string `socketPath` values and adds an opt-in `allowedSocketPaths` config option to restrict permitted Unix domain socket paths, returning `AxiosError` `ERR_BAD_OPTION_VALUE` on mismatch. (**#10777**)
+- **Supply-chain Hardening:** Added `.npmrc` with `ignore-scripts=true`, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded `SECURITY.md`/`THREATMODEL.md` with provenance verification (`npm audit signatures`), 60-day resolution policy, and maintainer incident-response runbook. (**#10776**)
+## 🚀 New Features
+- **`allowedSocketPaths` Config Option:** New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (**#10777**)
+## 🐛 Bug Fixes
+- **Keep-alive Socket Memory Leak:** Installs a single per-socket `error` listener tracking the active request via `kAxiosSocketListener`/`kAxiosCurrentReq`, eliminating per-request listener accumulation, `MaxListenersExceededWarning`, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (**#10788**)
+## 🔧 Maintenance & Chores
+- **Changelog:** Updated `CHANGELOG.md` with v1.15.1 release notes. (**#10781**)
+[Full Changelog](https://github.com/axios/axios/compare/v1.15.1...v1.15.2)
+---
+## v1.15.1 - April 19, 2026
 This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.
 ## 🔒 Security Fixes
 ---
+## v1.15.0 - April 7, 2026
 This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.
 ---
+## v1.14.0 - March 27, 2026
 This release fixes a security vulnerability in the `formidable` dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.
 ---
+## v1.13.6 - February 27, 2026
 This release adds React Native Blob support, fixes several enumeration and export regressions, and patches FormData detection for WeChat Mini Program environments.
 ---
+## v1.13.5 - February 8, 2026
 This release patches a prototype pollution denial-of-service vulnerability, fixes a missing `status` field regression in `AxiosError`, adds interceptor ordering control, and introduces URL validation for `isAbsoluteURL`.
 ---
+## v1.13.4 - January 27, 2026
 Patch release fixing regressions introduced in v1.13.3, including TypeScript export compatibility and CI/build stability.

Comparingaxios@1.15.2

Comparingaxios@1.15.2

Source

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

+++0---0

Packagephobia

Bundlephobia

dist/browser/axios.cjs +++880---517

dist/node/axios.cjs +++761---402

index.d.cts +++25---13

lib/adapters/adapters.js +++4---2

dist/axios.js +++772---454

dist/esm/axios.js +++882---518

lib/core/Axios.js +++7---3

lib/core/AxiosError.js +++86---1

lib/core/AxiosHeaders.js +++3---0

lib/helpers/buildURL.js +++1---1

lib/helpers/cookies.js +++14---2

lib/env/data.js +++1---1

lib/core/dispatchRequest.js +++19---7

lib/helpers/estimateDataURLDecodedBytes.js +++28---1

lib/adapters/fetch.js +++126---10

lib/helpers/formDataToStream.js +++1---1

lib/adapters/http.js +++178---59

index.js +++2---0

lib/defaults/index.js +++1---1

lib/core/mergeConfig.js +++6---3

lib/helpers/parseProtocol.js +++1---1

lib/helpers/resolveConfig.js +++33---17

lib/core/settle.js +++7---11

lib/helpers/shouldBypassProxy.js +++26---1

lib/utils.js +++27---15

lib/helpers/validator.js +++1---1

lib/adapters/xhr.js +++6---2

package.json +++17---24

CHANGELOG.md +++32---6

README.md +++356---20

index.d.ts +++21---4

Source

Source

Comparing
`axios@1.15.2`

Comparing
`axios@1.15.2`