<!-- Click "Preview" for a more readable version --
1
+
<!--
2
+
Thanks for opening an issue. Before submitting, please search existing issues and make sure you are using a supported Axios version.
2
3
3
-
Please read and follow the instructions before submitting an issue:
4
-
5
-
- Read all our documentation, especially the [README](https://github.com/axios/axios/blob/main/README.md). It may contain information that helps you solve your issue.
6
-
- Ensure your issue isn't already [reported](https://github.com/axios/axios/issues?utf8=%E2%9C%93&q=is%3Aissue).
7
-
- Please, ensure your issue is not related to CORS or Mixed Content Issue (only relevant for browsers)
8
-
- If you aren't sure that the issue is caused by axios or you just need help, please use [Stack Overflow](https://stackoverflow.com/questions/tagged/axios) or [our chat](https://gitter.im/mzabriskie/axios).
9
-
- If you're reporting a bug, ensure it isn't already fixed in the latest Axios version.
10
-
- If you need a new feature there's a chance it's already implemented in a [library](https://github.com/axios/axios/blob/main/ECOSYSTEM.md) or you can implement it using [interceptors](https://github.com/axios/axios#interceptors).
11
-
- Don't remove any title of the issue template, or it will be treated as invalid by the bot.
4
+
If this is a usage question rather than a bug or feature request, Stack Overflow may be a better place to ask: https://stackoverflow.com/questions/tagged/axios
5
+
-->
12
6
13
-
**⚠️👆 Delete the instructions before submitting the issue 👆⚠️**
7
+
### What happened?
14
8
15
-
-->
9
+
<!-- Describe the bug, feature request, or documentation issue. What did you expect instead? -->
16
10
17
-
#### Summary
11
+
###Reproduction
18
12
19
-
Describe your issue here, including as much detail as necessary.
13
+
<!-- Share a minimal code example, repository, sandbox, or clear steps to reproduce. Remove any private information. -->
20
14
21
-
If you're reporting a bug, include the relevant code and stack traces to debug it (removing any private information).
15
+
### Environment
22
16
23
-
If you're requesting a feature, include some context and examples of code using it.
17
+
- Axios version:
18
+
- Runtime/platform: <!-- Node, browser, React Native, etc. -->
19
+
- Adapter: <!-- http, xhr, fetch, or unknown -->
24
20
25
-
#### Environment
21
+
###Additional context
26
22
27
-
-**Axios Version [e.g. 1.7.0]**
28
-
-**Target platform [e.g Node / Browser / React Native version where Axios is running]**
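Review bot: The rewritten template removes the line "Don't remove any title of the issue template, or it will be treated as invalid by the bot" while also replacing the `#### Summary` and `#### Environment` headings with `### What happened?`, `### Reproduction`, `### Environment` and `### Additional context`. If the triage bot still validates issues by heading text, issues filed from the new template could be marked invalid, so either update the bot's expected titles in this change or confirm the check has been retired. The removed guidance about CORS and Mixed Content has no replacement in the new text; consider whether it belongs in the opening comment. Keeping "Remove any private information" in the Reproduction comment is good.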
- Use npm here; `package-lock.json` is committed and CI installs with `npm ci --ignore-scripts`.
5
+
-`mise.toml` pins local Node 20, but CI runs Node 12, 14, 16, 18, 20, 22, and 24; keep `lib/` source compatible with old CommonJS-era syntax and runtime assumptions.
6
+
- CI order is `npm ci --ignore-scripts`, `npm run build`, then `npm test`.
7
+
8
+
## Commands
9
+
-`npm run build`: runs `grunt build`, which cleans `dist/` and uses Rollup from `lib/axios.js` to create `dist/axios*.js` and `dist/esm/axios*.js`.
10
+
-`npm test`: runs JS tests and declaration tests through `bin/ssl_hotfix.js`; use this full command on Node >16 so old tooling gets `NODE_OPTIONS=--openssl-legacy-provider`.
11
+
-`node bin/ssl_hotfix.js ./node_modules/.bin/grunt test`: JS-only verification, running ESLint on `lib/**/*.js`, Mocha on `test/unit/**/*.js`, and Karma on `test/specs/**/*.spec.js`.
12
+
-`./node_modules/.bin/mocha --timeout 30000 test/unit/<path>.js`: run one Node/Mocha unit test file without Karma or dtslint.
13
+
-`node bin/ssl_hotfix.js ./node_modules/.bin/grunt karma:single`: run the browser suite only.
14
+
-`node bin/ssl_hotfix.js ./node_modules/.bin/dtslint --localTs node_modules/typescript/lib`: run the declaration tests in `test/typescript/axios.ts`.
15
+
-`npm run fix`: ESLint autofix for `lib/**/*.js` only.
16
+
17
+
## Structure
18
+
- Package entry is `index.js` -> `lib/axios.js`; the TypeScript surface is the root `index.d.ts`.
19
+
-`lib/defaults/index.js` chooses the runtime adapter: `lib/adapters/xhr.js` for browsers and `lib/adapters/http.js` for Node.
20
+
- Browser bundlers also rely on `package.json``browser` mappings from `./lib/adapters/http.js` to `./lib/adapters/xhr.js` and from `./lib/platform/node/index.js` to `./lib/platform/browser/index.js`.
21
+
-`lib/env/data.js` stores the package version and is generated by `grunt version` or `npm run preversion`; do not edit it except as part of a version bump.
22
+
-`grunt build` uses `rollup.config.js`; `webpack.config.js` is not the package build path, while Karma has its own webpack config inside `karma.conf.js`.
23
+
24
+
## Tests
25
+
- Node tests live in `test/unit/**/*.js` and use Mocha plus Node `assert`.
26
+
- Browser tests live in `test/specs/**/*.spec.js` and use Jasmine/Jasmine-Ajax; globals such as `axios` and `getAjaxRequest` come from `test/specs/__helpers.js`.
27
+
- Karma defaults to `FirefoxHeadless` and `ChromeHeadless` whenever `process.env.GITHUB_ACTIONS !== 'false'`, including when the variable is unset; set `GITHUB_ACTIONS=false` only if you need non-headless local browsers.
28
+
- There is no committed single-browser-spec target; do not leave `fdescribe`, `fit`, or `.only` in tests.
29
+
- Declaration changes should update both `index.d.ts` and `test/typescript/axios.ts`, then run the dtslint command above.
30
+
31
+
## Source Conventions
32
+
-`lib/` is CommonJS with `'use strict'`, `var`, semicolons, 2-space indentation, and no trailing commas; ESLint only checks `lib/**/*.js`.
33
+
- Public API behavior usually needs README docs, TypeScript declarations, and declaration tests updated together.
34
+
- Adapter or platform changes usually need both Node and browser paths considered, including Mocha coverage for `http.js` behavior and Karma coverage for `xhr.js` behavior.
35
+
36
+
## Node 12+ Compatibility
37
+
- All shipped code AND test code must run on Node 12 through Node 24. CI runs the full matrix, so a test that only works on Node 16+ will break the build. Avoid `??`, `?.`, top-level `await`, private class fields, `Array.prototype.at`, `structuredClone`, etc. in both `lib/` and `test/`.
38
+
- Be wary of `Object.prototype` pollution tests on Node 12/14: setting `Object.prototype.get` (or `set`) before any code that calls `Object.defineProperty` with a value-only descriptor will throw `TypeError: Getter must be a function`, because the descriptor inherits the polluted property. Construct servers/clients first, pre-load any lazy-required Node internals (e.g. `require('dns')`), then apply the pollution.
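Review bot: The last bullet under "Node 12+ Compatibility" says when to apply `Object.prototype` pollution in a test (after constructing servers/clients and pre-loading lazy requires) but not when to undo it. A property left on `Object.prototype` stays visible to every later test in the same process, which can cause or mask failures. Suggest adding that the test must delete the polluted key in a `finally` block or `afterEach`, including on the failure path. Separately, this section bans `??`, `?.` and similar syntax in `test/` as well as `lib/`, but "Source Conventions" states that ESLint only checks `lib/**/*.js`, so nothing named in this file catches a violation in `test/` before the Node 12 CI job does. Say that explicitly, or note how contributors should check test files locally.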
CHANGELOG.md
10 lines changed: 10 additions & 0 deletions
@@ -1,5 +1,15 @@
1
1
# Changelog
2
2
3
+
## Unreleased
4
+
5
+
### Notable behavior changes
6
+
7
+
-`utils.merge` (used internally by `mergeConfig` and to merge request headers) now returns objects with a `null` prototype to harden against prototype-pollution gadgets. As a result, `error.config`, `error.config.headers`, and any merged header bucket no longer inherit from `Object.prototype`. Two consequences:
8
+
-`obj.hasOwnProperty(key)` on a merged config or header object throws `TypeError: obj.hasOwnProperty is not a function`. Use `Object.prototype.hasOwnProperty.call(obj, key)` or `key in obj` instead.
9
+
- Implicit string coercion (e.g. `String(obj)`, `'' + obj`, or any path that calls `ToPrimitive`) throws `TypeError: Cannot convert object to primitive value` because there is no inherited `toString`. Coerce explicitly via `JSON.stringify(obj)` or by reading individual properties.
10
+
11
+
Property access (`obj[key]`), enumeration, and `JSON.stringify` are unaffected.
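Review bot: In the first consequence of the `utils.merge` entry, `key in obj` is offered alongside `Object.prototype.hasOwnProperty.call(obj, key)` as a replacement for `obj.hasOwnProperty(key)`, but the two only agree on the null-prototype objects this change produces. Code that also handles ordinary objects through the same path would start matching inherited keys with `in`, so recommend the `hasOwnProperty.call` form as the general replacement and present `key in obj` as valid only for merged objects. "Two consequences" also undercounts what callers can hit: with a `null` prototype, `obj instanceof Object` is `false`, `obj.constructor` is `undefined`, and explicit `obj.toString()` or `obj.valueOf()` calls throw as well, not just implicit coercion. Since this changes what `error.config` and `error.config.headers` look like to consumers, the entry should also say which release it is expected to ship in once that is known.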