mirrors/axios
2
0
Fork 0
mirror of https://github.com/tenrok/axios.git synced 2026-06-17 19:21:29 +03:00
Code Activity
Files
9c2d8fc7e18c3486e093d444d34344b968209d05
axios/openspec/config.yaml
T
Jay 73869da81b feat: add open spec (#10914) 
* feat: init openspec

* feat: add rule about pre-release changelog
2026-05-19 20:00:21 +02:00

105 lines
6.2 KiB
YAML
Raw Blame History

schema: spec-driven
context: |
axios is a promise-based HTTP client for browsers and Node.js. The default
instance is exported from lib/axios.js via index.js. Browser builds use XHR
or Fetch adapters; Node uses the HTTP/HTTPS adapter. Platform selection lives
under lib/platform/.
Source is ESM (package type: module). Public runtime exports are split by
environment through package exports and browser/react-native aliases. Node CJS
is generated as dist/node/axios.cjs. Do not edit dist/ by hand; it is built
from lib/ by Rollup.
Keep public runtime exports and TypeScript declarations in sync. API changes
usually need both index.d.ts and index.d.cts updates. Smoke and module tests
exercise packaged output, not just the source tree.
Architecture boundaries:
- lib/core/ contains request dispatch, config merge, interceptors, headers,
and axios error/domain logic.
- lib/adapters/ performs I/O. Adapter selection must use capability checks,
not environment-name assumptions.
- lib/platform/ selects the active platform implementation.
- lib/helpers/ should remain generic and reusable outside axios.
Coding conventions:
- Use ESM imports with explicit .js extensions in lib/**/*.js.
- Match existing 'use strict'; placement where surrounding library files use it.
- Use PascalCase for classes, camelCase for functions, and UPPER_SNAKE_CASE
AxiosError codes.
- Prefer Symbol-keyed internal slots over underscore-prefixed properties.
- Do not mutate config objects in place; return new merged/transformed objects.
- Do not use Function.prototype.bind directly; use lib/helpers/bind.js.
Error handling and validation:
- Throw AxiosError for axios-originated failures; never raw Error.
- Wrap third-party errors with AxiosError.from(error, code, config, request,
response).
- Validate config options through the validator helper rather than ad-hoc paths.
Request lifecycle invariants:
- Request interceptors run last-registered-first (LIFO).
- Response interceptors run first-registered-first (FIFO).
- Cancellation supports both CancelToken and AbortSignal and must work before,
during, and after adapter I/O. Always remove signal listeners on settlement.
Security-sensitive constraints:
- For untrusted config reads that affect behavior, avoid prototype-walking reads.
Guard with own-property checks such as utils.hasOwnProp or local own() helpers.
- Object materialization and merge code must keep filtering __proto__,
constructor, and prototype.
- Changes touching URL construction, redirects, proxy/env handling, XSRF,
socket paths, decompression limits, or adapters must consult THREATMODEL.md
and include focused regression tests.
- Keep withXSRFToken cross-origin behavior explicit: only true forces
cross-origin XSRF header attachment.
- Do not weaken beforeRedirect, proxy, or socketPath safeguards without tests
covering credential leakage or SSRF-style cases.
Project workflow:
- Use npm ci; .npmrc intentionally sets ignore-scripts=true.
- Do not add new runtime dependencies without discussion.
- Prefer focused checks over unnecessary full builds when they prove the change.
- Use Conventional Commits for commit messages.
- Add user-visible unreleased changes to PRE_RELEASE_CHANGELOG.md, not
CHANGELOG.md. CHANGELOG.md is release-owned and should only be updated while
preparing an actual release.
- Do not update README.md or the docs site for unreleased runtime/API changes
unless the task is explicitly release preparation. Instead, record the exact
README/docs updates needed under PRE_RELEASE_CHANGELOG.md so they can be
applied during release work.
rules:
proposal:
- Ground the change in axios' public HTTP-client behavior and affected runtimes.
- Call out browser, Node, React Native, Bun, Deno, CJS, and ESM impact when relevant.
- Explicitly identify public API, type declaration, packaging, and documentation impact.
- For user-visible unreleased changes, plan PRE_RELEASE_CHANGELOG.md updates instead of CHANGELOG.md, README.md, or docs changes unless this is release preparation.
- Include security considerations for URL, redirects, proxy/env, XSRF, socket, decompression, adapter, or config-merge changes.
- Treat new runtime dependencies as out of scope unless the proposal explains why discussion is required.
design:
- Preserve lib/core, lib/adapters, lib/platform, and lib/helpers boundaries.
- Prefer minimal changes that match existing source style and exported package shape.
- Use capability detection instead of browser/Node environment assumptions.
- Use AxiosError or AxiosError.from for axios-originated or wrapped failures.
- Preserve interceptor ordering and cancellation cleanup semantics.
- Include type declaration and CJS/ESM packaging design when public API changes.
- For security-sensitive paths, document the threat being mitigated and the regression coverage needed.
tasks:
- Break implementation into focused, reviewable steps with tests near the changed behavior.
- Include index.d.ts and index.d.cts tasks for public API or typing changes.
- Include PRE_RELEASE_CHANGELOG.md tasks for user-visible unreleased changes; avoid CHANGELOG.md, README.md, and docs tasks unless explicitly preparing a release.
- Include browser, unit, smoke, or module test tasks according to runtime/package impact.
- Include THREATMODEL.md review and focused regression tests for security-sensitive changes.
- Do not include manual edits to dist/ or generated lib/env/data.js for normal feature work.
- End with focused verification commands, using npm run lint, npm run test:vitest:unit, browser headless, build, pack, smoke, or module suites as appropriate.
specs:
- Write requirements as observable axios behavior from the consumer perspective.
- State runtime-specific behavior separately when Node, browser, React Native, Bun, Deno, CJS, or ESM differ.
- Cover error shape, cancellation behavior, interceptor ordering, config merging, and type-level behavior when affected.
- Include security requirements for untrusted config, URL, proxy, redirect, XSRF, socket, decompression, or adapter behavior when affected.
View Git Blame Copy Permalink