Search code, repositories, users, issues, pull requests...

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

`v1.15.1`

`v1.15.0`

Bug Fixes

headers: fixed & optimized clear method; (#5507) (9915635)
http: add zlib headers if missing (#5497) (65e8d1e)

Features

fomdata: added support for spec-compliant FormData & Blob types; (#5316) (6ac574e)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.6 (2023-01-28)

Bug Fixes

headers: added missed Authorization accessor; (#5502) (342c0ba)
types: fixed CommonRequestHeadersList & CommonResponseHeadersList types to be private in commonJS; (#5503) (5a3d0a3)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.5 (2023-01-26)

Bug Fixes

types: fixed AxiosHeaders to handle spread syntax by making all methods non-enumerable; (#5499) (580f1e8)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.4 (2023-01-22)

Bug Fixes

types: renamed RawAxiosRequestConfig back to AxiosRequestConfig; (#5486) (2a71f49)
types: fix AxiosRequestConfig generic; (#5478) (9bce81b)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.3 (2023-01-10)

Bug Fixes

types: fixed AxiosRequestConfig header interface by refactoring it to RawAxiosRequestConfig; (#5420) (0811963)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.2] - 2022-12-29

Fixed

fix(ci): fix release script inputs #5392
fix(ci): prerelease scipts #5377
fix(ci): release scripts #5376
fix(ci): typescript tests #5375
fix: Brotli decompression #5353
fix: add missing HttpStatusCode #5345

Chores

chore(ci): set conventional-changelog header config #5406
chore(ci): fix automatic contributors resolving #5403
chore(ci): improved logging for the contributors list generator #5398
chore(ci): fix release action #5397
chore(ci): fix version bump script by adding bump argument for target version #5393
chore(deps): bump decode-uri-component from 0.2.0 to 0.2.2 #5342
chore(ci): GitHub Actions Release script #5384
chore(ci): release scripts #5364

Contributors to this release

[1.2.1] - 2022-12-05

Changed

feat(exports): export mergeConfig #5151

Fixed

fix(CancelledError): include config #4922
fix(general): removing multiple/trailing/leading whitespace #5022
fix(headers): decompression for responses without Content-Length header #5306
fix(webWorker): exception to sending form data in web worker #5139

Refactors

refactor(types): AxiosProgressEvent.event type to any #5308
refactor(types): add missing types for static AxiosError.from method #4956

Chores

chore(docs): remove README link to non-existent upgrade guide #5307
chore(docs): typo in issue template name #5159

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.0] - 2022-11-10

Changed

changed: refactored module exports #5162
change: re-added support for loading Axios with require('axios').default #5225

Fixed

fix: improve AxiosHeaders class #5224
fix: TypeScript type definitions for commonjs #5196
fix: type definition of use method on AxiosInterceptorManager to match the the README #5071
fix: __dirname is not defined in the sandbox #5269
fix: AxiosError.toJSON method to avoid circular references #5247
fix: Z_BUF_ERROR when content-encoding is set but the response body is empty #5250

Refactors

refactor: allowing adapters to be loaded by name #5277

Chores

chore: force CI restart #5243
chore: update ECOSYSTEM.md #5077
chore: update get/index.html #5116
chore: update Sandbox UI/UX #5205
chore:(actions): remove git credentials after checkout #5235
chore(actions): bump actions/dependency-review-action from 2 to 3 #5266
chore(packages): bump loader-utils from 1.4.1 to 1.4.2 #5295
chore(packages): bump engine.io from 6.2.0 to 6.2.1 #5294
chore(packages): bump socket.io-parser from 4.0.4 to 4.0.5 #5241
chore(packages): bump loader-utils from 1.4.0 to 1.4.1 #5245
chore(docs): update Resources links in README #5119
chore(docs): update the link for JSON url #5265
chore(docs): fix broken links #5218
chore(docs): update and rename UPGRADE_GUIDE.md to MIGRATION_GUIDE.md #5170
chore(docs): typo fix line #856 and #920 #5194
chore(docs): typo fix #800 #5193
chore(docs): fix typos #5184
chore(docs): fix punctuation in README.md #5197
chore(docs): update readme in the Handling Errors section - issue reference #5260 #5261
chore: remove \b from filename #5207
chore(docs): update CHANGELOG.md #5137
chore: add sideEffects false to package.json #5025

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.3] - 2022-10-15

Added

Added custom params serializer support #5113

Fixed

Fixed top-level export to keep them in-line with static properties #5109
Stopped including null values to query string. #5108
Restored proxy config backwards compatibility with 0.x #5097
Added back AxiosHeaders in AxiosHeaderValue #5103
Pin CDN install instructions to a specific version #5060
Handling of array values fixed for AxiosHeaders #5085

Chores

docs: match badge style, add link to them #5046
chore: fixing comments typo #5054
chore: update issue template #5061
chore: added progress capturing section to the docs; #5084

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.2] - 2022-10-07

Fixed

Fixed broken exports for UMD builds.

Contributors to this release

Jason Saayman

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.1] - 2022-10-07

Fixed

Fixed broken exports for common js. This fix breaks a prior fix, I will fix both issues ASAP but the commonJS use is more impactful.

Contributors to this release

Jason Saayman

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.0] - 2022-10-06

Fixed

Fixed missing exports in type definition index.d.ts #5003
Fixed query params composing #5018
Fixed GenericAbortSignal interface by making it more generic #5021
Fixed adding "clear" to AxiosInterceptorManager #5010
Fixed commonjs & umd exports #5030
Fixed inability to access response headers when using axios 1.x with Jest #5036

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.0.0] - 2022-10-04

Added

Added stack trace to AxiosError #4624
Add AxiosError to AxiosStatic #4654
Replaced Rollup as our build runner #4596
Added generic TS types for the exposed toFormData helper #4668
Added listen callback function #4096
Added instructions for installing using PNPM #4207
Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill #4229
Added axios-url-template in ECOSYSTEM.md #4238
Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an axios instance #4248
Added react hook plugin #4319
Adding HTTP status code for transformResponse #4580
Added blob to the list of protocols supported by the browser #4678
Resolving proxy from env on redirect #4436
Added enhanced toFormData implementation with additional options 4704
Adding Canceler parameters config and request #4711
Added automatic payload serialization to application/x-www-form-urlencoded #4714
Added the ability for webpack users to overwrite built-ins #4715
Added string[] to AxiosRequestHeaders type #4322
Added the ability for the url-encoded-form serializer to respect the formSerializer config #4721
Added isCancel type assert #4293
Added data URL support for node.js #4725
Adding types for progress event callbacks #4675
URL params serializer #4734
Added axios.formToJSON method #4735
Bower platform add data protocol #4804
Use WHATWG URL API instead of url.parse() #4852
Add ENUM containing Http Status Codes to typings #4903
Improve typing of timeout in index.d.ts #4934

Changed

Updated AxiosError.config to be optional in the type definition #4665
Updated README emphasizing the URLSearchParam built-in interface over other solutions #4590
Include request and config when creating a CanceledError instance #4659
Changed func-names eslint rule to as-needed #4492
Replacing deprecated substr() with slice() as substr() is deprecated #4468
Updating HTTP links in README.md to use HTTPS #4387
Updated to a better trim() polyfill #4072
Updated types to allow specifying partial default headers on instance create #4185
Expanded isAxiosError types #4344
Updated type definition for axios instance methods #4224
Updated eslint config #4722
Updated Docs #4742
Refactored Axios to use ES2017 #4787

Deprecated

There are multiple deprecations, refactors and fixes provided in this release. Please read through the full release notes to see how this may impact your project and use case.

Removed

Removed incorrect argument for NetworkError constructor #4656
Removed Webpack #4596
Removed function that transform arguments to array #4544

Fixed

Fixed grammar in README #4649
Fixed code error in README #4599
Optimized the code that checks cancellation #4587
Fix url pointing to defaults.js in README #4532
Use type alias instead of interface for AxiosPromise #4505
Fix some word spelling and lint style in code comments #4500
Edited readme with 3 updated browser icons of Chrome, FireFox and Safari #4414
Bump follow-redirects from 1.14.9 to 1.15.0 #4673
Fixing http tests to avoid hanging when assertions fail #4435
Fix TS definition for AxiosRequestTransformer #4201
Fix grammatical issues in README #4232
Fixing instance.defaults.headers type #4557
Fixed race condition on immediate requests cancellation #4261
Fixing Z_BUF_ERROR when no content #4701
Fixing proxy beforeRedirect regression #4708
Fixed AxiosError status code type #4717
Fixed AxiosError stack capturing #4718
Fixing AxiosRequestHeaders typings #4334
Fixed max body length defaults #4731
Fixed toFormData Blob issue on node>v17 #4728
Bump grunt from 1.5.2 to 1.5.3 #4743
Fixing content-type header repeated #4745
Fixed timeout error message for http 4738
Request ignores false, 0 and empty string as body values #4785
Added back missing minified builds #4805
Fixed a type error #4815
Fixed a regression bug with unsubscribing from cancel token; #4819
Remove repeated compression algorithm #4820
The error of calling extend to pass parameters #4857
SerializerOptions.indexes allows boolean | null | undefined #4862
Require interceptors to return values #4874
Removed unused imports #4949
Allow null indexes on formSerializer and paramsSerializer #4960

Chores

Set permissions for GitHub actions #4765
Included githubactions in the dependabot config #4770
Included dependency review #4771
Update security.md #4784
Remove unnecessary spaces #4854
Simplify the import path of AxiosError #4875
Fix Gitpod dead link #4941
Enable syntax highlighting for a code block #4970
Using Logo Axios in Readme.md #4993
Fix markup for note in README #4825
Fix typo and formatting, add colons #4853
Fix typo in readme #4942

Security

Update SECURITY.md #4687

Contributors to this release

`v1.14.0`

`v1.13.6`

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

Breaking Changes: None identified in this release.
Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @moh3n9595 for the initial implementation. (#5764)
Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#7385)

🐛 Bug Fixes

Environment Compatibility:
- Fixed module exports for React Native and Browserify environments. (#7386)
- Added safe FormData detection for the WeChat Mini Program environment. (#7324)
Error Handling:
- AxiosError.message is now correctly enumerable. (#7392)
- AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#7403)

🔧 Maintenance & Chores

Dependencies: Updated the development_dependencies group (5 updates). (#7432)
Infrastructure: Migrated @rollup/plugin-babel from v5.3.1 to v6.1.0. (#7424)
Documentation: Added missing JSDoc comments to utilities. (#7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

Full Changelog: v1.13.5...v1.13.6

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonarqubecloud · 2024-12-09T02:00:16Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2025-04-24T22:50:03Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2025-06-14T13:58:08Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2025-11-18T11:50:07Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2026-04-21T21:45:27Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code