
Commit 2af6116

chore: backport fixes from the v1x branch (#10838)
* chore: some AI improvements, PR and issue templates updated and adjusted
* chore: backport fixes
* chore: fix eslint issues
* fix: test run issues
* fix: readme issue

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* fix: tests in v12.x node
* chore: update agents.md
* chore: fix tests
* fix: final reviews

---------

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
1 parent a589dc5 commit 2af6116

29 files changed

Lines changed: 1840 additions & 266 deletions

.github/ISSUE_TEMPLATE.md

Lines changed: 14 additions & 22 deletions
@@ -1,31 +1,23 @@
1-
<!-- Click "Preview" for a more readable version --
1+
<!--
2+
Thanks for opening an issue. Before submitting, please search existing issues and make sure you are using a supported Axios version.
23
3-
Please read and follow the instructions before submitting an issue:
4-
5-
- Read all our documentation, especially the [README](https://github.com/axios/axios/blob/main/README.md). It may contain information that helps you solve your issue.
6-
- Ensure your issue isn't already [reported](https://github.com/axios/axios/issues?utf8=%E2%9C%93&q=is%3Aissue).
7-
- Please, ensure your issue is not related to CORS or Mixed Content Issue (only relevant for browsers)
8-
- If you aren't sure that the issue is caused by axios or you just need help, please use [Stack Overflow](https://stackoverflow.com/questions/tagged/axios) or [our chat](https://gitter.im/mzabriskie/axios).
9-
- If you're reporting a bug, ensure it isn't already fixed in the latest Axios version.
10-
- If you need a new feature there's a chance it's already implemented in a [library](https://github.com/axios/axios/blob/main/ECOSYSTEM.md) or you can implement it using [interceptors](https://github.com/axios/axios#interceptors).
11-
- Don't remove any title of the issue template, or it will be treated as invalid by the bot.
4+
If this is a usage question rather than a bug or feature request, Stack Overflow may be a better place to ask: https://stackoverflow.com/questions/tagged/axios
5+
-->
126

13-
**⚠️👆 Delete the instructions before submitting the issue 👆⚠️**
7+
### What happened?
148

15-
-->
9+
<!-- Describe the bug, feature request, or documentation issue. What did you expect instead? -->
1610

17-
#### Summary
11+
### Reproduction
1812

19-
Describe your issue here, including as much detail as necessary.
13+
<!-- Share a minimal code example, repository, sandbox, or clear steps to reproduce. Remove any private information. -->
2014

21-
If you're reporting a bug, include the relevant code and stack traces to debug it (removing any private information).
15+
### Environment
2216

23-
If you're requesting a feature, include some context and examples of code using it.
17+
- Axios version:
18+
- Runtime/platform: <!-- Node, browser, React Native, etc. -->
19+
- Adapter: <!-- http, xhr, fetch, or unknown -->
2420

25-
#### Environment
21+
### Additional context
2622

27-
- **Axios Version [e.g. 1.7.0]**
28-
- **Target platform [e.g Node / Browser / React Native version where Axios is running]**
29-
- **Adapter [e.g. FETCH / XHR / HTTP]**
30-
- Additional Library/Framework Versions [e.g. React 16.7]
31-
- OS: [e.g. iOS 12.1.0, OSX 10.13.4]
23+
<!-- Anything else that would help us understand or prioritize this issue. -->
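Review bot: the new Environment block drops the OS and "Additional Library/Framework Versions" fields the old template asked for, and neither the old nor the new top comment tells a reporter where to send a security report. Add one line to the comment pointing vulnerability reports at the project's private disclosure channel rather than a public issue, and consider keeping a single "Other relevant versions" line, since adapter problems often depend on the framework or bundler in play. The "Remove any private information" reminder under Reproduction is a good addition.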

.github/PULL_REQUEST_TEMPLATE.md

Lines changed: 8 additions & 9 deletions
@@ -1,14 +1,13 @@
1-
<!-- Instructions
1+
<!-- Thanks for contributing. Keep this brief and remove anything that does not apply. -->
22

3-
If you would like to add a PR description you may do so or let our AI agent create one, after the creation
4-
you may then edit the file if the AI agent got it wrong.
3+
### Summary
54

6-
Please read and follow the instructions before creating and submitting a pull request:
5+
<!-- What changed and why? -->
76

8-
- Create an issue explaining the feature. It could save you some effort in case we don't consider it should be included in axios.
9-
- If you're fixing a bug, try to commit the failing test/s and the code fixing it in different commits.
10-
- Ensure you're following our [contributing guide](https://github.com/axios/axios/blob/main/CONTRIBUTING.md).
7+
### Related issue
118

12-
**⚠️👆 Delete the instructions before submitting the pull request 👆⚠️**
9+
<!-- Link an issue or write N/A. -->
1310

14-
Describe your pull request here. -->
11+
### Testing
12+
13+
<!-- What did you run to verify this change? If not tested, please say why. -->
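Review bot: the rewritten template drops the link to CONTRIBUTING.md and the request to commit the failing test and the fix separately; keep at least the link in the top comment (e.g. `<!-- Thanks for contributing. Please follow https://github.com/axios/axios/blob/main/CONTRIBUTING.md and remove anything that does not apply. -->`) so the guidance stays one click away. The Testing section is worthwhile; consider asking which Node versions the change was run on, since the CI matrix in this commit's AGENTS.md spans Node 12 through 24.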

.gitignore

Lines changed: 2 additions & 1 deletion
@@ -10,4 +10,5 @@ sauce_connect.log
1010
.vscode/
1111
.claude/
1212
openspec/
13-
dist/
13+
.opencode/
14+
dist/

AGENTS.md

Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
# AGENTS.md
2+
3+
## Setup
4+
- Use npm here; `package-lock.json` is committed and CI installs with `npm ci --ignore-scripts`.
5+
- `mise.toml` pins local Node 20, but CI runs Node 12, 14, 16, 18, 20, 22, and 24; keep `lib/` source compatible with old CommonJS-era syntax and runtime assumptions.
6+
- CI order is `npm ci --ignore-scripts`, `npm run build`, then `npm test`.
7+
8+
## Commands
9+
- `npm run build`: runs `grunt build`, which cleans `dist/` and uses Rollup from `lib/axios.js` to create `dist/axios*.js` and `dist/esm/axios*.js`.
10+
- `npm test`: runs JS tests and declaration tests through `bin/ssl_hotfix.js`; use this full command on Node >16 so old tooling gets `NODE_OPTIONS=--openssl-legacy-provider`.
11+
- `node bin/ssl_hotfix.js ./node_modules/.bin/grunt test`: JS-only verification, running ESLint on `lib/**/*.js`, Mocha on `test/unit/**/*.js`, and Karma on `test/specs/**/*.spec.js`.
12+
- `./node_modules/.bin/mocha --timeout 30000 test/unit/<path>.js`: run one Node/Mocha unit test file without Karma or dtslint.
13+
- `node bin/ssl_hotfix.js ./node_modules/.bin/grunt karma:single`: run the browser suite only.
14+
- `node bin/ssl_hotfix.js ./node_modules/.bin/dtslint --localTs node_modules/typescript/lib`: run the declaration tests in `test/typescript/axios.ts`.
15+
- `npm run fix`: ESLint autofix for `lib/**/*.js` only.
16+
17+
## Structure
18+
- Package entry is `index.js` -> `lib/axios.js`; the TypeScript surface is the root `index.d.ts`.
19+
- `lib/defaults/index.js` chooses the runtime adapter: `lib/adapters/xhr.js` for browsers and `lib/adapters/http.js` for Node.
20+
- Browser bundlers also rely on `package.json` `browser` mappings from `./lib/adapters/http.js` to `./lib/adapters/xhr.js` and from `./lib/platform/node/index.js` to `./lib/platform/browser/index.js`.
21+
- `lib/env/data.js` stores the package version and is generated by `grunt version` or `npm run preversion`; do not edit it except as part of a version bump.
22+
- `grunt build` uses `rollup.config.js`; `webpack.config.js` is not the package build path, while Karma has its own webpack config inside `karma.conf.js`.
23+
24+
## Tests
25+
- Node tests live in `test/unit/**/*.js` and use Mocha plus Node `assert`.
26+
- Browser tests live in `test/specs/**/*.spec.js` and use Jasmine/Jasmine-Ajax; globals such as `axios` and `getAjaxRequest` come from `test/specs/__helpers.js`.
27+
- Karma defaults to `FirefoxHeadless` and `ChromeHeadless` whenever `process.env.GITHUB_ACTIONS !== 'false'`, including when the variable is unset; set `GITHUB_ACTIONS=false` only if you need non-headless local browsers.
28+
- There is no committed single-browser-spec target; do not leave `fdescribe`, `fit`, or `.only` in tests.
29+
- Declaration changes should update both `index.d.ts` and `test/typescript/axios.ts`, then run the dtslint command above.
30+
31+
## Source Conventions
32+
- `lib/` is CommonJS with `'use strict'`, `var`, semicolons, 2-space indentation, and no trailing commas; ESLint only checks `lib/**/*.js`.
33+
- Public API behavior usually needs README docs, TypeScript declarations, and declaration tests updated together.
34+
- Adapter or platform changes usually need both Node and browser paths considered, including Mocha coverage for `http.js` behavior and Karma coverage for `xhr.js` behavior.
35+
36+
## Node 12+ Compatibility
37+
- All shipped code AND test code must run on Node 12 through Node 24. CI runs the full matrix, so a test that only works on Node 16+ will break the build. Avoid `??`, `?.`, top-level `await`, private class fields, `Array.prototype.at`, `structuredClone`, etc. in both `lib/` and `test/`.
38+
- Be wary of `Object.prototype` pollution tests on Node 12/14: setting `Object.prototype.get` (or `set`) before any code that calls `Object.defineProperty` with a value-only descriptor will throw `TypeError: Getter must be a function`, because the descriptor inherits the polluted property. Construct servers/clients first, pre-load any lazy-required Node internals (e.g. `require('dns')`), then apply the pollution.
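Review bot: the prototype-pollution bullet under "Node 12+ Compatibility" should also tell authors to undo the pollution in a `finally` or `afterEach`, because a test that assigns `Object.prototype.get` and then fails leaves the property in place for every later test in the process, and the resulting `Getter must be a function` errors surface far from the cause. The hazard itself is not Node 12/14-specific: ToPropertyDescriptor reads `get`/`set` through the prototype chain on every engine, so only the set of Node internals that happen to call `Object.defineProperty` with a plain descriptor differs between versions; keep the ordering advice (construct servers and clients, pre-load `dns`, then pollute) for the whole matrix rather than implying newer Node is immune. Separately, `npm ci --ignore-scripts` in Setup is a sound supply-chain default; say that any dependency needing install scripts must be handled explicitly so nobody "fixes" CI by removing the flag.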

CHANGELOG.md

Lines changed: 10 additions & 0 deletions
@@ -1,5 +1,15 @@
11
# Changelog
22

3+
## Unreleased
4+
5+
### Notable behavior changes
6+
7+
- `utils.merge` (used internally by `mergeConfig` and to merge request headers) now returns objects with a `null` prototype to harden against prototype-pollution gadgets. As a result, `error.config`, `error.config.headers`, and any merged header bucket no longer inherit from `Object.prototype`. Two consequences:
8+
- `obj.hasOwnProperty(key)` on a merged config or header object throws `TypeError: obj.hasOwnProperty is not a function`. Use `Object.prototype.hasOwnProperty.call(obj, key)` or `key in obj` instead.
9+
- Implicit string coercion (e.g. `String(obj)`, `'' + obj`, or any path that calls `ToPrimitive`) throws `TypeError: Cannot convert object to primitive value` because there is no inherited `toString`. Coerce explicitly via `JSON.stringify(obj)` or by reading individual properties.
10+
11+
Property access (`obj[key]`), enumeration, and `JSON.stringify` are unaffected.
12+
313
## [0.30.0](https://github.com/axios/axios/compare/v0.29.0...v0.30.0) (2025-03-26)
414

515
## Release notes:
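Review bot: the entry needs a feature-detection recipe and a version: "Unreleased" must become a release number before this ships, and `Object.getPrototypeOf(error.config) === null` is the cheap check that tells application code which behaviour it is seeing. Two more consequences belong next to `hasOwnProperty` and string coercion: `error.config instanceof Object` is now `false`, while `console.log`/`util.inspect` of the object still works, so the breakage is limited to code that calls inherited methods. The suggested replacement `Object.prototype.hasOwnProperty.call(obj, key)` is the right one for this branch, since `Object.hasOwn` is not available on Node 12/14 and this commit's AGENTS.md keeps the CI matrix at Node 12 through 24.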

CLAUDE.md

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
@AGENTS.md

README.md

Lines changed: 24 additions & 4 deletions
@@ -331,14 +331,14 @@ These are the available config options for making requests. Only the `url` is re
331331
// `params` are the URL parameters to be sent with the request
332332
// Must be a plain object or a URLSearchParams object
333333
// Null bytes in param values stay percent-encoded as `%00` in the resulting query string
334-
// (GHSA-xhjh-pmcv-23jw) — Axios does not reverse `encodeURIComponent` output for `%00`,
334+
// Axios does not reverse `encodeURIComponent` output for `%00`,
335335
// so null-byte injection cannot be smuggled through the serializer.
336336
params: {
337337
ID: 12345
338338
},
339339

340340
// `paramsSerializer` is an optional config in charge of serializing `params`
341-
// Nested objects are walked with a bounded recursion depth (GHSA-62hf-57xw-28j9):
341+
// Nested objects are walked with a bounded recursion depth:
342342
// once `maxDepth` is exceeded the serializer throws `ERR_FORM_DATA_DEPTH_EXCEEDED`
343343
// instead of overflowing the call stack. The same cap applies to `toFormData` when
344344
// `Content-Type: multipart/form-data` triggers automatic FormData serialization.
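Review bot: dropping the GHSA identifiers from the `params` and `paramsSerializer` comments removes the only pointer a reader had to the advisory text and affected-version ranges; if they were cut because the advisories were filed against the v1.x line, say so in CHANGELOG (this is a backport, and the 0.x fix should still cite what it fixes), otherwise keep the IDs. The `paramsSerializer` comment also refers to `maxDepth` without saying where it is set or what its default is; a one-line pointer would make the `ERR_FORM_DATA_DEPTH_EXCEEDED` behaviour actionable for someone tuning it.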
@@ -404,7 +404,7 @@ These are the available config options for making requests. Only the `url` is re
404404
// `undefined` (default) - set XSRF header only for the same origin requests
405405
// Only an explicit `true` (own property on the config) will add the XSRF header for
406406
// cross-origin requests. Values inherited from `Object.prototype` are ignored
407-
// (GHSA-xx6v-rp6x-q39c), so a polluted prototype cannot silently enable the token.
407+
// so a polluted prototype cannot silently enable the token.
408408
withXSRFToken: boolean | undefined | ((config: AxiosRequestConfig) => boolean | undefined),
409409

410410
// `onUploadProgress` allows handling of progress events for uploads
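Review bot: the deletion leaves "are ignored" running straight into "so a polluted prototype cannot silently enable the token" with no comma; the removed line carried it, so the replacement should read `// are ignored, so a polluted prototype cannot silently enable the token.` The advisory ID removed here deserves the same treatment as the others in this file: either cite it in CHANGELOG or keep it in the comment.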
@@ -421,14 +421,26 @@ These are the available config options for making requests. Only the `url` is re
421421

422422
// `maxContentLength` defines the max size of the http response content in bytes allowed in node.js
423423
// Also enforced on streamed responses (`responseType: 'stream'`): bytes are counted as they
424-
// arrive and the stream is aborted with an error once the cap is exceeded (GHSA-vf2m-468p-8v99).
424+
// arrive and the stream is aborted with an error once the cap is exceeded.
425425
maxContentLength: 2000,
426426

427427
// `maxBodyLength` (Node only option) defines the max size of the http request content in bytes allowed
428428
// Also enforced on stream uploads: uploaded bytes are tracked and the request is aborted
429429
// once the cap is exceeded, even when the native http transport is used directly.
430430
maxBodyLength: 2000,
431431

432+
// `formDataHeaderPolicy` controls which headers the Node adapter copies from
433+
// FormData `getHeaders()`.
434+
// 'legacy' (default) copies all returned headers for v1 compatibility.
435+
// 'content-only' copies only Content-Type and Content-Length.
436+
formDataHeaderPolicy: 'legacy',
437+
438+
// `redact` masks matching config keys when AxiosError#toJSON() is called.
439+
// Matching is case-insensitive and recursive. It does not change the request.
440+
// An empty array is treated as "no override" and falls back to the defaults so
441+
// an accidental `redact: []` cannot silently disable redaction.
442+
redact: ['authorization', 'password'],
443+
432444
// `validateStatus` defines whether to resolve or reject the promise for a given
433445
// HTTP response status code. If `validateStatus` returns `true` (or is set to `null`
434446
// or `undefined`), the promise will be resolved; otherwise, the promise will be
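Review bot: `redact` only masks keys on the `AxiosError#toJSON()` path, so the comment should say plainly that `console.log(err)`, `util.inspect`, or any logger that serialises `err.config` directly will still print the `authorization` header and other secrets; the option is a safety net for JSON serialisation, not a guarantee. Match semantics are also undefined: "case-insensitive and recursive" does not say whether `'authorization'` must equal the key or merely be contained in it, and the default list that `redact: []` falls back to is not listed, so a user who adds one entry cannot tell whether the defaults still apply; state both. On `formDataHeaderPolicy`, `'legacy'` copies every header a FormData implementation returns from `getHeaders()`, which lets a caller-supplied form-data object set arbitrary request headers; say that `'content-only'` is the recommended value when the FormData instance is not fully trusted, and consider flipping the default in the next major.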
@@ -454,10 +466,18 @@ These are the available config options for making requests. Only the `url` is re
454466

455467
// `socketPath` defines a UNIX Socket to be used in node.js.
456468
// e.g. '/var/run/docker.sock' to send requests to the docker daemon.
469+
// Avoid passing user-controlled values because socket paths bypass host,
470+
// port, DNS, and proxy controls.
457471
// Only either `socketPath` or `proxy` can be specified.
458472
// If both are specified, `socketPath` is used.
459473
socketPath: null, // default
460474

475+
// `allowedSocketPaths` constrains `socketPath` to known-safe Unix sockets.
476+
// Use this when config can include partially user-controlled input.
477+
// Set to a string or array of strings. An empty array denies all socket paths.
478+
// Set to `null` on a request to clear an instance-level allowlist.
479+
allowedSocketPaths: null, // default
480+
461481
// `httpAgent` and `httpsAgent` define a custom agent to be used when performing http
462482
// and https requests, respectively, in node.js. This allows options to be added like
463483
// `keepAlive` that are not enabled by default.
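Review bot: the `null`-clears-the-allowlist rule undercuts the option's stated purpose. The comment recommends `allowedSocketPaths` when "config can include partially user-controlled input", yet a request-level `allowedSocketPaths: null` removes an instance-level restriction, so any code path that lets user input reach the per-request config can disable the control in the same request that chooses the socket. Either make clearing impossible from request config, or document that the allowlist only holds when the request config is fully trusted. Also say how entries are compared: exact string comparison fails closed (a `..` variant or a symlink to an allowed socket is rejected), which is the right default, but callers then need to know to pass canonical paths; if paths are normalised before comparison, say so and name the normalisation. Finally, state that the default `allowedSocketPaths: null` means no restriction at all.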

index.d.ts

Lines changed: 3 additions & 0 deletions
@@ -154,11 +154,14 @@ export interface AxiosRequestConfig<D = any> {
154154
onUploadProgress?: (progressEvent: ProgressEvent) => void;
155155
onDownloadProgress?: (progressEvent: ProgressEvent) => void;
156156
maxContentLength?: number;
157+
formDataHeaderPolicy?: 'legacy' | 'content-only';
158+
redact?: string[];
157159
validateStatus?: ((status: number) => boolean) | null;
158160
maxBodyLength?: number;
159161
maxRedirects?: number;
160162
beforeRedirect?: (options: Record<string, any>, responseDetails: {headers: Record<string, string>}) => void;
161163
socketPath?: string | null;
164+
allowedSocketPaths?: string | string[] | null;
162165
httpAgent?: any;
163166
httpsAgent?: any;
164167
proxy?: AxiosProxyConfig | false;
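Review bot: the new declarations match the README text, but `allowedSocketPaths?: string | string[] | null` encodes the request-level `null` override, so the type alone will not stop a per-request config from clearing an instance allowlist; if that escape hatch is kept, a TSDoc comment on the field should say so. This commit's AGENTS.md says declaration changes should update `test/typescript/axios.ts` and run dtslint; make sure the three new options (`formDataHeaderPolicy`, `redact`, `allowedSocketPaths`) have cases there, including `redact: []` and the `'content-only'` literal.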
