v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

v1.15.0

Compare Source

Bug Fixes

• headers: fixed & optimized clear method; (#​5507) (9915635)
• http: add zlib headers if missing (#​5497) (65e8d1e)

Features

• fomdata: added support for spec-compliant FormData & Blob types; (#​5316) (6ac574e)

Contributors to this release

• Dmitriy Mozgovoy
• ItsNotGoodName

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.6 (2023-01-28)

Bug Fixes

• headers: added missed Authorization accessor; (#​5502) (342c0ba)
• types: fixed CommonRequestHeadersList & CommonResponseHeadersList types to be private in commonJS; (#​5503) (5a3d0a3)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.5 (2023-01-26)

Bug Fixes

• types: fixed AxiosHeaders to handle spread syntax by making all methods non-enumerable; (#​5499) (580f1e8)

Contributors to this release

• Dmitriy Mozgovoy
• Elliot Ford

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.4 (2023-01-22)

Bug Fixes

• types: renamed RawAxiosRequestConfig back to AxiosRequestConfig; (#​5486) (2a71f49)
• types: fix AxiosRequestConfig generic; (#​5478) (9bce81b)

Contributors to this release

• Dmitriy Mozgovoy
• Daniel Hillmann

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.3 (2023-01-10)

Bug Fixes

• types: fixed AxiosRequestConfig header interface by refactoring it to RawAxiosRequestConfig; (#​5420) (0811963)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.2] - 2022-12-29

Fixed

• fix(ci): fix release script inputs #​5392
• fix(ci): prerelease scipts #​5377
• fix(ci): release scripts #​5376
• fix(ci): typescript tests #​5375
• fix: Brotli decompression #​5353
• fix: add missing HttpStatusCode #​5345

Chores

• chore(ci): set conventional-changelog header config #​5406
• chore(ci): fix automatic contributors resolving #​5403
• chore(ci): improved logging for the contributors list generator #​5398
• chore(ci): fix release action #​5397
• chore(ci): fix version bump script by adding bump argument for target version #​5393
• chore(deps): bump decode-uri-component from 0.2.0 to 0.2.2 #​5342
• chore(ci): GitHub Actions Release script #​5384
• chore(ci): release scripts #​5364

Contributors to this release

• Dmitriy Mozgovoy
• Winnie

[1.2.1] - 2022-12-05

Changed

• feat(exports): export mergeConfig #​5151

Fixed

• fix(CancelledError): include config #​4922
• fix(general): removing multiple/trailing/leading whitespace #​5022
• fix(headers): decompression for responses without Content-Length header #​5306
• fix(webWorker): exception to sending form data in web worker #​5139

Refactors

• refactor(types): AxiosProgressEvent.event type to any #​5308
• refactor(types): add missing types for static AxiosError.from method #​4956

Chores

• chore(docs): remove README link to non-existent upgrade guide #​5307
• chore(docs): typo in issue template name #​5159

Contributors to this release

• Dmitriy Mozgovoy
• Zachary Lysobey
• Kevin Ennis
• Philipp Loose
• secondl1ght
• wenzheng
• Ivan Barsukov
• Arthur Fiorette

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.0] - 2022-11-10

Changed

• changed: refactored module exports #​5162
• change: re-added support for loading Axios with require('axios').default #​5225

Fixed

• fix: improve AxiosHeaders class #​5224
• fix: TypeScript type definitions for commonjs #​5196
• fix: type definition of use method on AxiosInterceptorManager to match the the README #​5071
• fix: __dirname is not defined in the sandbox #​5269
• fix: AxiosError.toJSON method to avoid circular references #​5247
• fix: Z_BUF_ERROR when content-encoding is set but the response body is empty #​5250

Refactors

• refactor: allowing adapters to be loaded by name #​5277

Chores

• chore: force CI restart #​5243
• chore: update ECOSYSTEM.md #​5077
• chore: update get/index.html #​5116
• chore: update Sandbox UI/UX #​5205
• chore:(actions): remove git credentials after checkout #​5235
• chore(actions): bump actions/dependency-review-action from 2 to 3 #​5266
• chore(packages): bump loader-utils from 1.4.1 to 1.4.2 #​5295
• chore(packages): bump engine.io from 6.2.0 to 6.2.1 #​5294
• chore(packages): bump socket.io-parser from 4.0.4 to 4.0.5 #​5241
• chore(packages): bump loader-utils from 1.4.0 to 1.4.1 #​5245
• chore(docs): update Resources links in README #​5119
• chore(docs): update the link for JSON url #​5265
• chore(docs): fix broken links #​5218
• chore(docs): update and rename UPGRADE_GUIDE.md to MIGRATION_GUIDE.md #​5170
• chore(docs): typo fix line #​856 and #​920 #​5194
• chore(docs): typo fix #​800 #​5193
• chore(docs): fix typos #​5184
• chore(docs): fix punctuation in README.md #​5197
• chore(docs): update readme in the Handling Errors section - issue reference #​5260 #​5261
• chore: remove \b from filename #​5207
• chore(docs): update CHANGELOG.md #​5137
• chore: add sideEffects false to package.json #​5025

Contributors to this release

• Maddy Miller
• Amit Saini
• ecyrbe
• Ikko Ashimine
• Geeth Gunnampalli
• Shreem Asati
• Frieder Bluemle
• 윤세영
• Claudio Busatto
• Remco Haszing
• Dmitriy Mozgovoy
• Csaba Maulis
• MoPaMo
• Daniel Fjeldstad
• Adrien Brunet
• Frazer Smith
• HaiTao
• AZM
• relbns

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.3] - 2022-10-15

Added

• Added custom params serializer support #​5113

Fixed

• Fixed top-level export to keep them in-line with static properties #​5109
• Stopped including null values to query string. #​5108
• Restored proxy config backwards compatibility with 0.x #​5097
• Added back AxiosHeaders in AxiosHeaderValue #​5103
• Pin CDN install instructions to a specific version #​5060
• Handling of array values fixed for AxiosHeaders #​5085

Chores

• docs: match badge style, add link to them #​5046
• chore: fixing comments typo #​5054
• chore: update issue template #​5061
• chore: added progress capturing section to the docs; #​5084

Contributors to this release

• Jason Saayman
• scarf
• Lenz Weber-Tronic
• Arvindh
• Félix Legrelle
• Patrick Petrovic
• Dmitriy Mozgovoy
• littledian
• ChronosMasterOfAllTime

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.2] - 2022-10-07

Fixed

• Fixed broken exports for UMD builds.

Contributors to this release

• Jason Saayman

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.1] - 2022-10-07

Fixed

• Fixed broken exports for common js. This fix breaks a prior fix, I will fix both issues ASAP but the commonJS use is more impactful.

Contributors to this release

• Jason Saayman

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.0] - 2022-10-06

Fixed

• Fixed missing exports in type definition index.d.ts #​5003
• Fixed query params composing #​5018
• Fixed GenericAbortSignal interface by making it more generic #​5021
• Fixed adding "clear" to AxiosInterceptorManager #​5010
• Fixed commonjs & umd exports #​5030
• Fixed inability to access response headers when using axios 1.x with Jest #​5036

Contributors to this release

• Trim21
• Dmitriy Mozgovoy
• shingo.sasaki
• Ivan Pepelko
• Richard Kořínek

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.0.0] - 2022-10-04

Added

• Added stack trace to AxiosError #​4624
• Add AxiosError to AxiosStatic #​4654
• Replaced Rollup as our build runner #​4596
• Added generic TS types for the exposed toFormData helper #​4668
• Added listen callback function #​4096
• Added instructions for installing using PNPM #​4207
• Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill #​4229
• Added axios-url-template in ECOSYSTEM.md #​4238
• Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an axios instance #​4248
• Added react hook plugin #​4319
• Adding HTTP status code for transformResponse #​4580
• Added blob to the list of protocols supported by the browser #​4678
• Resolving proxy from env on redirect #​4436
• Added enhanced toFormData implementation with additional options 4704
• Adding Canceler parameters config and request #​4711
• Added automatic payload serialization to application/x-www-form-urlencoded #​4714
• Added the ability for webpack users to overwrite built-ins #​4715
• Added string[] to AxiosRequestHeaders type #​4322
• Added the ability for the url-encoded-form serializer to respect the formSerializer config #​4721
• Added isCancel type assert #​4293
• Added data URL support for node.js #​4725
• Adding types for progress event callbacks #​4675
• URL params serializer #​4734
• Added axios.formToJSON method #​4735
• Bower platform add data protocol #​4804
• Use WHATWG URL API instead of url.parse() #​4852
• Add ENUM containing Http Status Codes to typings #​4903
• Improve typing of timeout in index.d.ts #​4934

Changed

• Updated AxiosError.config to be optional in the type definition #​4665
• Updated README emphasizing the URLSearchParam built-in interface over other solutions #​4590
• Include request and config when creating a CanceledError instance #​4659
• Changed func-names eslint rule to as-needed #​4492
• Replacing deprecated substr() with slice() as substr() is deprecated #​4468
• Updating HTTP links in README.md to use HTTPS #​4387
• Updated to a better trim() polyfill #​4072
• Updated types to allow specifying partial default headers on instance create #​4185
• Expanded isAxiosError types #​4344
• Updated type definition for axios instance methods #​4224
• Updated eslint config #​4722
• Updated Docs #​4742
• Refactored Axios to use ES2017 #​4787

Deprecated

• There are multiple deprecations, refactors and fixes provided in this release. Please read through the full release notes to see how this may impact your project and use case.

Removed

• Removed incorrect argument for NetworkError constructor #​4656
• Removed Webpack #​4596
• Removed function that transform arguments to array #​4544

Fixed

• Fixed grammar in README #​4649
• Fixed code error in README #​4599
• Optimized the code that checks cancellation #​4587
• Fix url pointing to defaults.js in README #​4532
• Use type alias instead of interface for AxiosPromise #​4505
• Fix some word spelling and lint style in code comments #​4500
• Edited readme with 3 updated browser icons of Chrome, FireFox and Safari #​4414
• Bump follow-redirects from 1.14.9 to 1.15.0 #​4673
• Fixing http tests to avoid hanging when assertions fail #​4435
• Fix TS definition for AxiosRequestTransformer #​4201
• Fix grammatical issues in README #​4232
• Fixing instance.defaults.headers type #​4557
• Fixed race condition on immediate requests cancellation #​4261
• Fixing Z_BUF_ERROR when no content #​4701
• Fixing proxy beforeRedirect regression #​4708
• Fixed AxiosError status code type #​4717
• Fixed AxiosError stack capturing #​4718
• Fixing AxiosRequestHeaders typings #​4334
• Fixed max body length defaults #​4731
• Fixed toFormData Blob issue on node>v17 #​4728
• Bump grunt from 1.5.2 to 1.5.3 #​4743
• Fixing content-type header repeated #​4745
• Fixed timeout error message for http 4738
• Request ignores false, 0 and empty string as body values #​4785
• Added back missing minified builds #​4805
• Fixed a type error #​4815
• Fixed a regression bug with unsubscribing from cancel token; #​4819
• Remove repeated compression algorithm #​4820
• The error of calling extend to pass parameters #​4857
• SerializerOptions.indexes allows boolean | null | undefined #​4862
• Require interceptors to return values #​4874
• Removed unused imports #​4949
• Allow null indexes on formSerializer and paramsSerializer #​4960

Chores

• Set permissions for GitHub actions #​4765
• Included githubactions in the dependabot config #​4770
• Included dependency review #​4771
• Update security.md #​4784
• Remove unnecessary spaces #​4854
• Simplify the import path of AxiosError #​4875
• Fix Gitpod dead link #​4941
• Enable syntax highlighting for a code block #​4970
• Using Logo Axios in Readme.md #​4993
• Fix markup for note in README #​4825
• Fix typo and formatting, add colons #​4853
• Fix typo in readme #​4942

Security

• Update SECURITY.md #​4687

Contributors to this release

• Bertrand Marron

• Dmitriy Mozgovoy

• Dan Mooney

• Michael Li

• aong

• Des Preston

• Ted Robertson

• zhoulixiang

• Arthur Fiorette

• Kumar Shanu

• JALAL

• Jingyi Lin

• Philipp Loose

• Alexander Shchukin

• Dave Cardwell

• Cat Scarlet

• Luca Pizzini

• Kai

• Maxime Bargiel

• Brian Helba

• reslear

• Jamie Slome

• Landro3

• rafw87

• Afzal Sayed

• Koki Oyatsu

• Dave

• 暴走老七

• Spencer

• Adrian Wieprzkowicz

• Jamie Telin

• 毛呆

• Kirill Shakirov

• Rraji Abdelbari

• Jelle Schutter

• Tom Ceuppens

• Johann Cooper

• Dimitris Halatsis

• chenjigeng

• João Gabriel Quaresma

• Victor Augusto

• neilnaveen

• Pavlos

• Kiryl Valkovich

• Naveen

• wenzheng

• hcwhan

• Bassel Rachid

• Grégoire Pineau

• felipedamin

• Karl Horky

• Yue JIN

• Usman Ali Siddiqui

• WD

• Günther Foidl

• Stephen Jennings

• C.T.Lin

• mia-z

• Parth Banathia

• parth0105pluang

• Marco Weber

• Luca Pizzini

• Willian Agostini

• Huyen Nguyen

v1.14.0

Compare Source

v1.13.6

Compare Source

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @​moh3n9595 for the initial implementation. (#​5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#​7385)

🐛 Bug Fixes

• Environment Compatibility:

  • Fixed module exports for React Native and Browserify environments. (#​7386)
  • Added safe FormData detection for the WeChat Mini Program environment. (#​7324)

• Error Handling:

  • AxiosError.message is now correctly enumerable. (#​7392)
  • AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#​7403)

🔧 Maintenance & Chores

• Dependencies: Updated the development_dependencies group (5 updates). (#​7432)
• Infrastructure: Migrated @​rollup/plugin-babel from v5.3.1 to v6.1.0. (#​7424)
• Documentation: Added missing JSDoc comments to utilities. (#​7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

• @​Gudahtt (#​7386)
• @​ybbus (#​7392)
• @​Shiwaangee (#​7324)
• @​skrtheboss (#​7403)
• @​Janaka66 (#​7427)
• @​moh3n9595 (#​5764)
• @​digital-wizard48 (#​7424)

Full Changelog: v1.13.5...v1.13.6

v1.13.5

Compare Source

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #​7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #​7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #​7369)

Fixes

• Fix/5657. (PR #​7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #​7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #​7326)
• Refactor: bump minor package versions. (PR #​7356)

Documentation

• Clarify object-check comment. (PR #​7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #​7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #​7355)
• CI: update workflow YAMLs. (PR #​7372)
• CI: fix run condition. (PR #​7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #​7360)
• Chore(release): prepare release 1.13.5. (PR #​7379)

New Contributors

• @​sachin11063 (first contribution — PR #​7323)
• @​asmitha-16 (first contribution — PR #​7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Compare Source

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#​7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release
  • Cleaned up interceptor test files
  • Improved workflow configurations

Infrastructure & CI/CD

• refactor: ci and build (#​7340) (8ff6c19)

  • Major refactoring of CI/CD workflows
  • Consolidated workflow files for better maintainability
  • Added mise configuration for the development environment
  • Improved sponsor block update automation
  • Enhanced issue and PR templates
  • Added automatic release notes generation
  • Implemented workflow cancellation for concurrent runs

• chore: codegen and some updates to workflows (76cf77b)

  • Code generation improvements
  • Workflow optimisations

Migration Notes

Breaking Changes

None in this release.

Deprecations

None in this release.

Contributors

Thank you to all contributors who made this release possible! Special thanks to:

• jasonsaayman - Release management and CI/CD improvements

v1.13.3

Compare Source

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#​7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#​6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#​5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#​5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#​7253) (#​7257) (7d19335)
• turn AxiosError into a native error (#​5394) (#​5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#​5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#​7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#​6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#​5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#​6053) (65a7584)
• add Node.js coverage script using c8 (closes #​7289) (#​7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#​6265) (860e033)
• enhance pipeFileToResponse with error handling (#​7169) (88d7884)
• types: Intellisense for string literals in a widened union (#​6134) (f73474d), closes /github.com/microsoft/TypeScript/issues/33471#issuecomment-1376364329

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#​7253) (#​7…" (#​7298) (a4230f5), closes #​7253 #​7 #​7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#​7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad
• JohnTitor
• rohit miryala
• Wilson Mun
• techcodie
• Ved Vadnere
• svihpinc
• SANDESH LENDVE
• Lubos
• Jarred Sumner
• Adam Hines
• Subhan Kumar Rai
• Joseph Frazier
• KT0803
• Albie
• Jake Hayes

v1.13.2

Compare Source

Bug Fixes

• http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#​7206) (8d37233)
• http: use default export for http2 module to support stubs; (#​7196) (0588880)

Performance Improvements

• http: fix early loop exit; (#​7202) (12c314b)

Contributors to this release

• Dmitriy Mozgovoy
• Kasper Isager Dalsgarð

v1.13.1

Compare Source

Bug Fixes

• http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#​7193) ([bcd5581](https://redirect.github.com/axi

✂ Note

PR body was truncated to here.