mirror of
https://github.com/tenrok/axios.git
synced 2026-06-17 19:21:29 +03:00
73a7c55282
* Clean up error handling, fix a proto-pollution gap, and seal a few loose ends.
Been poking around the codebase and found a handful of things that needed tidying up:
- resolveConfig.js - config.params and config.paramsSerializer were being accessed directly off user input instead of going through the own() guard. If someone crafted a config with inherited params from the prototype, you'd get unexpected behavior. Swapped to own('params') / own('paramsSerializer') like the rest of the module does.
- http.js - there was a stray console.warn('emit error', err) in an abort-event catch block. Debug leftover, shouldn't reach production. Replaced with a quiet catch.
- AxiosHeaders.js - three places were throwing raw Error or TypeError instead of AxiosError. Swapped them over with ERR_BAD_OPTION_VALUE. Also added the missing AxiosError import (creates a circular dep with AxiosError.js which imports AxiosHeaders, but it works fine at runtime since the throws are inside method bodies, not at module eval time).
- toFormData.js - the circular reference detection was throwing a bare Error. Changed to AxiosError without a code, so it stays distinguishable from the depth-exceeded error that uses ERR_FORM_DATA_DEPTH_EXCEEDED. (There's a test that explicitly checks this distinction.)
- formDataToStream.js - two more raw throws (TypeError and Error) → AxiosError.
- buildURL.js - import self-path ../helpers/AxiosURLSearchParams.js when it lives in the same directory as the importer. Changed to ./AxiosURLSearchParams.js.
- index.d.cts - CanceledError was missing readonly name: 'CanceledError' that index.d.ts already has. Added it to keep the CJS declarations in sync.
Lint passes clean, all 770 unit tests green. Nothing breaking - all changes are either internal (no consumer-facing API change) or type-only.
* Update AxiosHeaders.js
* Update AxiosHeaders.js
* fix: revert breaking error-type changes per review feedback
Reverts AxiosError throws back to native Error/TypeError in AxiosHeaders,
formDataToStream, and toFormData to avoid breaking existing consumers
who catch by constructor name or check isAxiosError().
Adds regression tests for resolveConfig own('params')/own('paramsSerializer')
guard as requested in review.
Removes unused AxiosError imports from AxiosHeaders and formDataToStream.
* docs: add pre-release notes for config hardening
---------
Co-authored-by: Jason Saayman <jasonsaayman@gmail.com>
2.0 KiB
Pre-Release Changelog
Unreleased
New Features
- HTTP Adapter - Zstandard: Added automatic zstd decompression on Node.js versions that support it. `zstd` is only advertised in the default `Accept-Encoding` header when `transitional.advertiseZstdAcceptEncoding: true` is set. (#6792)
Bug Fixes
- AxiosHeaders: Silently skip empty response header names emitted by some React Native Android responses instead of throwing. (#6959, #10875)
- Config Security: Ignore inherited `params` and `paramsSerializer` values when resolving request config, preventing prototype-pollution gadgets from changing serialized URLs. (#10922)
- Types: Add the missing `readonly name: 'CanceledError'` declaration to the CommonJS `CanceledError` typings to match the ESM declarations. (#10922)
- HTTP Adapter - Auth on Redirect: HTTP Basic credentials supplied via `config.auth` are now restored on same-origin redirects, fixing a regression caused by `follow-redirects` >= 1.15.8 that broke `POST` requests answered with a 303 Location. Cross-origin redirects continue to drop credentials, preserving the existing T-R2 mitigation in `THREATMODEL.md`. (#6929)
- HTTP Adapter - Socket Path: Ignore inherited `socketPath` and `allowedSocketPaths` config values when building Node.js requests, preventing prototype-pollution SSRF via Unix sockets. (#10901)
- React Native FormData: Clear the default `Content-Type` header for React Native `FormData` requests so Android can build multipart bodies with the correct boundary. (#10898)
- Request Data: Preserve enumerable symbol keys when merging plain request data before `transformRequest`. (#6392)
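The two prototype-pollution entries above (Config Security and Socket Path) fix the same class of bug: a config resolver that reads `config.params`, `config.paramsSerializer` or `config.socketPath` with a plain property access also picks up values that a pollution gadget elsewhere in the process has planted on `Object.prototype`. The example below is added here and is not axios's own code; the helper names (`own`, `resolveUrlNaive`, `resolveUrlGuarded`, `withPollution`) and the toy serializer are assumptions for illustration. It shows the vulnerable shape beside the own-property-guarded one, under a constructed pollution of `params` and `paramsSerializer`, and confirms that a caller who does set `params` keeps them either way.

```javascript
// Added example, not axios code. Demonstrates why request config must be read
// through an own-property guard rather than plain property access.

const hasOwn = Object.prototype.hasOwnProperty;

// Only honour properties the caller actually set on the config object;
// anything inherited from the prototype chain is ignored.
function own(config, key) {
  return hasOwn.call(config, key) ? config[key] : undefined;
}

// Minimal query-string serializer; stands in for the library default.
function serializeParams(params) {
  return Object.keys(params)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join('&');
}

function appendQuery(url, query) {
  if (!query) return url;
  return url + (url.includes('?') ? '&' : '?') + query;
}

// Vulnerable shape: plain property reads, so inherited (polluted) values are used.
function resolveUrlNaive(config) {
  const params = config.params;
  const serializer = config.paramsSerializer || serializeParams;
  return appendQuery(config.url, params ? serializer(params) : '');
}

// Hardened shape: only own properties of the caller's config are honoured.
function resolveUrlGuarded(config) {
  const params = own(config, 'params');
  const serializer = own(config, 'paramsSerializer') || serializeParams;
  return appendQuery(config.url, params ? serializer(params) : '');
}

// Runs fn while Object.prototype carries the given (constructed) pollution,
// then removes it so the rest of the process is unaffected. A real gadget
// would arrive via an unsafe deep merge or similar; this just simulates it.
function withPollution(pollution, fn) {
  try {
    for (const [k, v] of Object.entries(pollution)) {
      Object.defineProperty(Object.prototype, k, {
        value: v, configurable: true, writable: true, enumerable: false,
      });
    }
    return fn();
  } finally {
    for (const k of Object.keys(pollution)) delete Object.prototype[k];
  }
}

function demo() {
  // The caller set no params and no serializer.
  const request = { url: 'https://api.example.com/users' };
  // Constructed gadget: an attacker-controlled query and serializer.
  const gadget = {
    params: { role: 'admin' },
    paramsSerializer: () => 'role=admin&bypass=1',
  };
  return withPollution(gadget, () => ({
    naive: resolveUrlNaive(request),
    guarded: resolveUrlGuarded(request),
    guardedWithOwnParams: resolveUrlGuarded({ url: request.url, params: { page: 2 } }),
  }));
}

console.log(demo());
```

The same `own()` guard is what the Socket Path entry applies to `socketPath` and `allowedSocketPaths`; there the polluted value redirects the request to a Unix socket instead of rewriting the query string, but the defence is identical.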
Release Documentation TODO
- Update `README.md` request config docs for `transitional.advertiseZstdAcceptEncoding` and zstd decompression support.
- Update `docs/pages/advanced/request-config.md` for `transitional.advertiseZstdAcceptEncoding` and zstd decompression support.
- Update decompression-bomb security guidance in `README.md` and `docs/pages/misc/security.md` to mention zstd.