fix: gadgets and smaller issues by jasonsaayman · Pull Request #10833 · axios/axios

jasonsaayman · 2026-05-01T17:21:56Z

Summary by cubic

Improves security and robustness across request handling and errors. Adds opt-in config.redact for masking in AxiosError#toJSON, introduces Node-only formDataHeaderPolicy (default 'legacy') to control FormData#getHeaders() copying, enforces streamed maxContentLength and upload maxBodyLength, and hardens proxy/cookie/merge behaviors.

Description

Summary of changes
- Added redact?: string[] to request config; AxiosError#toJSON masks matching keys (case-insensitive, deep, arrays, AxiosHeaders, cycle-safe; does not mutate the original config).
- Added Node-only formDataHeaderPolicy?: 'legacy' | 'content-only'; policy applied in resolve and Node http adapter to control which FormData#getHeaders() values are copied.
- Hardened Node http adapter: own‑prop reads for proxy fields and nested auth, preserve user Host while ignoring polluted prototypes, strip stale Proxy-Authorization on redirects that end up without a proxy, and handle malformed userinfo; apply header policy when sending FormData.
- Enforced maxContentLength on streamed responses and maxBodyLength on uploads (Node and fetch).
- Improved NO_PROXY by normalizing IPv4‑mapped IPv6 addresses (dotted and hex forms).
- Cookies: split on ;, exact-name matching, support separators without spaces; avoids regex interpolation.
- Safer merges and descriptors: null‑proto config with own hasOwnProperty; null‑proto defineProperty descriptors for adapter metadata and AxiosHeaders accessors to block polluted get/set traps.
Reasoning
- Close prototype‑pollution gadgets, prevent proxy auth/header leaks on redirects, provide safe error redaction, and let users restrict copied FormData headers.
Additional context
- Types updated in index.d.ts/index.d.cts. README and advanced docs updated. Defaults preserve v1 behavior (formDataHeaderPolicy: 'legacy'). No intended breaking runtime changes.

Docs

Update /docs/ with config.redact usage and formDataHeaderPolicy details (default 'legacy', 'content-only' copies only Content-Type/Content-Length). Ensure site rebuild reflects README and advanced guides.

Testing

Added/updated tests:
- Proxy safety: own‑prop reads, Host preservation, stale Proxy-Authorization stripping, malformed credentials handling.
- Redaction: arrays, deep objects, AxiosHeaders, cycles, non‑mutation.
- NO_PROXY: IPv4‑mapped IPv6 normalization (dotted and hex).
- Cookies: exact-name reads, separators without spaces, regex‑metacharacter names.
- Size limits: streamed responses and uploads (Node and fetch).
- FormData: CRLF injection resistance and header policy behavior.
- Prototype‑pollution coverage across config, adapters, headers, merge, descriptors, and utils.
No further tests needed.

Semantic version impact

Minor: backward‑compatible features and fixes. Adds config.redact and Node formDataHeaderPolicy (default preserves v1 behavior).

^{Written for commit 58816ea. Summary will update on new commits.}

cubic-dev-ai

2 issues found across 19 files

Confidence score: 3/5

There is a concrete regression risk in lib/core/AxiosError.js: the redaction traversal can break existing toJSONObject behavior for values with toJSON (like Date), which may cause serialized config data loss when config.redact is enabled.
The issue is moderately severe (6/10) with high confidence, so this is not a merge-blocker by itself, but it does introduce meaningful user-impacting behavior change that should be reviewed before relying on redacted serialization paths.
tests/unit/prototypePollution.test.js appears to have a coverage gap (missing customNested in the source object), so the inherited-read scenario described by the test is not actually being validated.
Pay close attention to lib/core/AxiosError.js and tests/unit/prototypePollution.test.js - preserve toJSON serialization semantics during redaction and ensure the inherited-read test path is truly exercised.

Prompt for AI agents (unresolved issues)


Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/core/AxiosError.js">

<violation number="1" location="lib/core/AxiosError.js:27">
P2: Redaction traversal breaks existing `toJSONObject` semantics for objects with `toJSON` (e.g., `Date`), causing serialized config data loss when `config.redact` is used.</violation>
</file>

<file name="tests/unit/prototypePollution.test.js">

<violation number="1" location="tests/unit/prototypePollution.test.js:996">
P3: This test never exercises the inherited-read path it describes because `customNested` is missing from the source object.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

jasonsaayman · 2026-05-01T17:59:08Z

@cubic-dev-ai please review in depth again!

cubic-dev-ai · 2026-05-01T17:59:19Z

@cubic-dev-ai please review in depth again!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai

1 issue found across 23 files

Confidence score: 4/5

This PR is likely safe to merge with minimal risk, since the only reported issue is moderate severity (5/10) and scoped to cookie parsing behavior.
In lib/helpers/cookies.js, splitting document.cookie on '; ' is brittle; browsers that emit ';' without a space may cause cookie reads to fail for some users.
Pay close attention to lib/helpers/cookies.js - cookie parsing should tolerate semicolons with or without trailing spaces.

Prompt for AI agents (unresolved issues)


Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/helpers/cookies.js">

<violation number="1" location="lib/helpers/cookies.js:37">
P2: Splitting `document.cookie` by `'; '` is too strict and can fail to read cookies when the browser omits the space after semicolons.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

jasonsaayman · 2026-05-01T18:21:04Z

@cubic-dev-ai one last pass please with the highest effort!

cubic-dev-ai · 2026-05-01T18:21:13Z

@cubic-dev-ai one last pass please with the highest effort!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai

1 issue found across 23 files

Confidence score: 4/5

This PR looks safe to merge overall: the reported issue is low-to-moderate severity (4/10) and appears limited to address normalization edge cases rather than broad functionality breaks.
The main risk is in lib/helpers/shouldBypassProxy.js, where strict IPv4-mapped IPv6 regex handling may miss zero-padded expanded equivalents and cause NO_PROXY mismatches for logically identical addresses.
Pay close attention to lib/helpers/shouldBypassProxy.js - IPv4-mapped IPv6 normalization may fail for expanded/zero-padded forms, leading to proxy bypass behavior inconsistencies.

Prompt for AI agents (unresolved issues)


Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/helpers/shouldBypassProxy.js">

<violation number="1" location="lib/helpers/shouldBypassProxy.js:96">
P2: The IPv4-mapped IPv6 regexes are too strict and fail to normalize zero-padded expanded forms, which can cause NO_PROXY mismatches for equivalent addresses.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

jasonsaayman · 2026-05-01T18:38:06Z

@cubic-dev-ai one last run through and check please!

cubic-dev-ai · 2026-05-01T18:38:23Z

@cubic-dev-ai one last run through and check please!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai

1 issue found across 23 files

Confidence score: 3/5

There is a concrete medium-severity risk in lib/core/AxiosError.js: reading config.redact without an own-property check could execute prototype-chain getters during error serialization.
Given the 6/10 severity and 8/10 confidence, this is likely user-impacting in edge cases and introduces regression/security-adjacent behavior, so the merge risk is moderate rather than minimal.
Pay close attention to lib/core/AxiosError.js - ensure config.redact is accessed via an own-property check to prevent unintended getter execution from the prototype chain.

Prompt for AI agents (unresolved issues)


Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/core/AxiosError.js">

<violation number="1" location="lib/core/AxiosError.js:116">
P2: Read `config.redact` via an own-property check to avoid prototype-chain getter execution during error serialization.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

jasonsaayman · 2026-05-02T09:32:04Z

@cubic-dev-ai please check again, do a full review in depth!

cubic-dev-ai · 2026-05-02T09:32:14Z

@cubic-dev-ai please check again, do a full review in depth!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai

1 issue found across 23 files

Confidence score: 2/5

There is a high-confidence, medium-high severity issue in lib/core/AxiosError.js where prototype-chain toJSON detection can bypass masking logic, creating a real regression risk for redaction behavior.
Because this can expose data that should be redacted (especially if Object.prototype.toJSON is polluted), the impact is security-sensitive and not just cosmetic.
Given the concrete user-impacting risk (severity 7/10, confidence 8/10), this is better treated as high risk until the own-prototype check is enforced.
Pay close attention to lib/core/AxiosError.js - ensure toJSON checks are own-prototype based so masking cannot be short-circuited by prototype pollution.

Prompt for AI agents (unresolved issues)


Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/core/AxiosError.js">

<violation number="1" location="lib/core/AxiosError.js:36">
P1: Prototype-chain `toJSON` detection can bypass redaction for non-plain objects. Use an own-prototype check so polluted `Object.prototype.toJSON` does not short-circuit masking.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

jasonsaayman · 2026-05-02T09:56:45Z

@cubic-dev-ai please give the full pr another in depth review

cubic-dev-ai · 2026-05-02T09:56:55Z

@cubic-dev-ai please give the full pr another in depth review

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai

2 issues found across 23 files

Confidence score: 3/5

There is some real merge risk: lib/core/AxiosError.js has a medium-severity, high-confidence concern where redaction output should use a null-prototype object to avoid prototype-setter traps when copying keys.
lib/helpers/shouldBypassProxy.js may incorrectly handle IPv4-mapped IPv6 compressed forms, so equivalent addresses can fail NO_PROXY matching and cause unexpected proxy bypass behavior.
Given one concrete correctness issue and one defensive-hardening gap (both with high confidence), this looks manageable but not entirely low-risk.
Pay close attention to lib/core/AxiosError.js and lib/helpers/shouldBypassProxy.js - redaction object safety and IPv6/NO_PROXY equivalence handling need careful validation.

Prompt for AI agents (unresolved issues)


Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/core/AxiosError.js">

<violation number="1" location="lib/core/AxiosError.js:59">
P2: Use a null-prototype object for redaction output to avoid prototype-setter traps when copying keys.</violation>
</file>

<file name="lib/helpers/shouldBypassProxy.js">

<violation number="1" location="lib/helpers/shouldBypassProxy.js:96">
P2: The IPv4-mapped IPv6 regex is too narrow and misses valid compressed forms, which can cause NO_PROXY host comparisons to fail for equivalent addresses.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

jasonsaayman · 2026-05-02T10:34:38Z

@cubic-dev-ai please review in depth again!

cubic-dev-ai · 2026-05-02T10:34:46Z

@cubic-dev-ai please review in depth again!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai

No issues found across 23 files

Confidence score: 5/5

Automated review surfaced no issues in the provided summaries.
No files require special attention.

![snyk-top-banner](https://res.cloudinary.com/snyk/image/upload/r-d/scm-platform/snyk-pull-requests/pr-banner-default.svg) <h3>Snyk has created this PR to upgrade axios from 1.15.2 to 1.16.0.</h3> :information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project. <hr/> - The recommended version is **1 version** ahead of your current version. - The recommended version was released **21 days ago**. #### Breaking Change Risk ![Merge Risk: Medium](https://img.shields.io/badge/Merge%20Risk%3A%20Medium-8B4513?style=for-the-badge) > **Notice:** This assessment is enhanced by AI. <details> <summary>Release notes</summary> <details> <summary>Package name: axios</summary> <ul> <li> 1.16.0 - <a href="https://redirect.github.com/axios/axios/releases/tag/v1.16.0">2026-05-02</a><h2>v1.16.0 — May 2, 2026</h2> This release adds support for the QUERY HTTP method and a new <code>ECONNREFUSED</code> error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors. <h2><g-emoji class="g-emoji" alias="warning">⚠️</g-emoji> Notable Changes</h2> A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading: <ul> <li>Fetch adapter now enforces <code>maxBodyLength</code> and <code>maxContentLength</code>. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4310518523" data-permission-text="Title is private" data-url="axios/axios#10795" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10795/hovercard" href="https://redirect.github.com/axios/axios/pull/10795">#10795</a>)</li> <li>Proxy requests now preserve user-supplied <code>Host</code> headers. Previously, the proxy path could overwrite a custom <code>Host</code>. Virtual-host-style routing through a proxy will now behave correctly. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4347021851" data-permission-text="Title is private" data-url="axios/axios#10822" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10822/hovercard" href="https://redirect.github.com/axios/axios/pull/10822">#10822</a>)</li> <li>Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. <code>https://user:p%40ss@host</code>), the decoded value is what now goes on the wire. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4351589744" data-permission-text="Title is private" data-url="axios/axios#10825" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10825/hovercard" href="https://redirect.github.com/axios/axios/pull/10825">#10825</a>)</li> <li><code>parseProtocol</code> now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4271998290" data-permission-text="Title is private" data-url="axios/axios#10729" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10729/hovercard" href="https://redirect.github.com/axios/axios/pull/10729">#10729</a>)</li> <li>Deprecated <code>unescape()</code> replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy <code>unescape()</code> quirks may see different output bytes. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3912225221" data-permission-text="Title is private" data-url="axios/axios#7378" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7378/hovercard" href="https://redirect.github.com/axios/axios/pull/7378">#7378</a>)</li> <li><code>transformRequest</code> input typing change was reverted. The typing change introduced in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4284929830" data-permission-text="Title is private" data-url="axios/axios#10745" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10745/hovercard" href="https://redirect.github.com/axios/axios/pull/10745">#10745</a> was reverted in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4336537376" data-permission-text="Title is private" data-url="axios/axios#10810" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10810/hovercard" href="https://redirect.github.com/axios/axios/pull/10810">#10810</a> after follow-up review — net behavior is unchanged from 1.15.2. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4284929830" data-permission-text="Title is private" data-url="axios/axios#10745" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10745/hovercard" href="https://redirect.github.com/axios/axios/pull/10745">#10745</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4336537376" data-permission-text="Title is private" data-url="axios/axios#10810" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10810/hovercard" href="https://redirect.github.com/axios/axios/pull/10810">#10810</a>)</li> </ul> <h2>🚀 New Features</h2> <ul> <li>QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4323864507" data-permission-text="Title is private" data-url="axios/axios#10802" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10802/hovercard" href="https://redirect.github.com/axios/axios/pull/10802">#10802</a>)</li> <li>ECONNREFUSED Error Constant: Exposed <code>ECONNREFUSED</code> as a constant on <code>AxiosError</code> so callers can match connection-refused failures without comparing string literals (closes <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2398798239" data-permission-text="Title is private" data-url="axios/axios#6485" data-hovercard-type="issue" data-hovercard-url="/axios/axios/issues/6485/hovercard" href="https://redirect.github.com/axios/axios/issues/6485">#6485</a>). (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4235938363" data-permission-text="Title is private" data-url="axios/axios#10680" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10680/hovercard" href="https://redirect.github.com/axios/axios/pull/10680">#10680</a>)</li> <li>Encode Helper Export: Exported the internal <code>encode</code> helper from <code>buildURL</code> so userland param serializers can reuse the same encoding logic that axios uses internally. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3023608053" data-permission-text="Title is private" data-url="axios/axios#6897" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6897/hovercard" href="https://redirect.github.com/axios/axios/pull/6897">#6897</a>)</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li>HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing <code>requestDetails</code> argument on <code>beforeRedirect</code>, preserved user-supplied <code>Host</code> headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4310371730" data-permission-text="Title is private" data-url="axios/axios#10794" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10794/hovercard" href="https://redirect.github.com/axios/axios/pull/10794">#10794</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4323346513" data-permission-text="Title is private" data-url="axios/axios#10800" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10800/hovercard" href="https://redirect.github.com/axios/axios/pull/10800">#10800</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2141603120" data-permission-text="Title is private" data-url="axios/axios#6241" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6241/hovercard" href="https://redirect.github.com/axios/axios/pull/6241">#6241</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4347021851" data-permission-text="Title is private" data-url="axios/axios#10822" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10822/hovercard" href="https://redirect.github.com/axios/axios/pull/10822">#10822</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4351589744" data-permission-text="Title is private" data-url="axios/axios#10825" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10825/hovercard" href="https://redirect.github.com/axios/axios/pull/10825">#10825</a>)</li> <li>HTTP Adapter — Streams & Timeouts: Preserved the partial response object on <code>AxiosError</code> when a stream is aborted after headers arrive, honoured the <code>timeout</code> option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and <code>maxRedirects: 0</code>. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4260994859" data-permission-text="Title is private" data-url="axios/axios#10708" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10708/hovercard" href="https://redirect.github.com/axios/axios/pull/10708">#10708</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4344944445" data-permission-text="Title is private" data-url="axios/axios#10819" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10819/hovercard" href="https://redirect.github.com/axios/axios/pull/10819">#10819</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3509777101" data-permission-text="Title is private" data-url="axios/axios#7149" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7149/hovercard" href="https://redirect.github.com/axios/axios/pull/7149">#7149</a>)</li> <li>Fetch Adapter: Enforced <code>maxBodyLength</code> / <code>maxContentLength</code> in the fetch adapter, set the <code>User-Agent</code> header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a <code>TypeError</code> in restricted environments. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4310518523" data-permission-text="Title is private" data-url="axios/axios#10795" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10795/hovercard" href="https://redirect.github.com/axios/axios/pull/10795">#10795</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4294198336" data-permission-text="Title is private" data-url="axios/axios#10772" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10772/hovercard" href="https://redirect.github.com/axios/axios/pull/10772">#10772</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4336242387" data-permission-text="Title is private" data-url="axios/axios#10806" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10806/hovercard" href="https://redirect.github.com/axios/axios/pull/10806">#10806</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3662226069" data-permission-text="Title is private" data-url="axios/axios#7260" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7260/hovercard" href="https://redirect.github.com/axios/axios/pull/7260">#7260</a>)</li> <li>XHR Adapter: Unsubscribed the <code>cancelToken</code> and <code>AbortSignal</code> listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4303641135" data-permission-text="Title is private" data-url="axios/axios#10787" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10787/hovercard" href="https://redirect.github.com/axios/axios/pull/10787">#10787</a>)</li> <li>Error Handling: Attached the parsed response to <code>AxiosError</code> when <code>JSON.parse</code> fails inside <code>dispatchRequest</code>, prevented <code>settle</code> from emitting <code>undefined</code> error codes, and tightened the <code>parseProtocol</code> regex to require a colon in the protocol separator. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4270604544" data-permission-text="Title is private" data-url="axios/axios#10724" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10724/hovercard" href="https://redirect.github.com/axios/axios/pull/10724">#10724</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3678162351" data-permission-text="Title is private" data-url="axios/axios#7276" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7276/hovercard" href="https://redirect.github.com/axios/axios/pull/7276">#7276</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4271998290" data-permission-text="Title is private" data-url="axios/axios#10729" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10729/hovercard" href="https://redirect.github.com/axios/axios/pull/10729">#10729</a>)</li> <li>Types & Exports: Aligned the CommonJS <code>CancelToken</code> typings with the ESM build, fixed a compiler error caused by <code>RawAxiosHeaders</code>, and re-exported <code>create</code> from the package index. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3959718695" data-permission-text="Title is private" data-url="axios/axios#7414" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7414/hovercard" href="https://redirect.github.com/axios/axios/pull/7414">#7414</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2291674940" data-permission-text="Title is private" data-url="axios/axios#6389" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6389/hovercard" href="https://redirect.github.com/axios/axios/pull/6389">#6389</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2365076865" data-permission-text="Title is private" data-url="axios/axios#6460" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6460/hovercard" href="https://redirect.github.com/axios/axios/pull/6460">#6460</a>)</li> <li>UTF-8 Encoding: Replaced the deprecated <code>unescape()</code> call with a modern UTF-8 encoding implementation. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3912225221" data-permission-text="Title is private" data-url="axios/axios#7378" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7378/hovercard" href="https://redirect.github.com/axios/axios/pull/7378">#7378</a>)</li> <li>Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4365717510" data-permission-text="Title is private" data-url="axios/axios#10833" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10833/hovercard" href="https://redirect.github.com/axios/axios/pull/10833">#10833</a>)</li> </ul> <h2>🔧 Maintenance & Chores</h2> <ul> <li>Refactor — ES6 Modernisation: Modernised the <code>utils</code> module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4173424907" data-permission-text="Title is private" data-url="axios/axios#10588" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10588/hovercard" href="https://redirect.github.com/axios/axios/pull/10588">#10588</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3967256044" data-permission-text="Title is private" data-url="axios/axios#7419" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7419/hovercard" href="https://redirect.github.com/axios/axios/pull/7419">#7419</a>)</li> <li>Tests: Hardened the HTTP test server lifecycle to fix flaky <code>FormData</code> EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4345005129" data-permission-text="Title is private" data-url="axios/axios#10820" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10820/hovercard" href="https://redirect.github.com/axios/axios/pull/10820">#10820</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4305591702" data-permission-text="Title is private" data-url="axios/axios#10791" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10791/hovercard" href="https://redirect.github.com/axios/axios/pull/10791">#10791</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4310668356" data-permission-text="Title is private" data-url="axios/axios#10796" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10796/hovercard" href="https://redirect.github.com/axios/axios/pull/10796">#10796</a>)</li> <li>Docs: Documented <code>paramsSerializer.encode</code> for strict RFC 3986 query encoding, updated the <code>parseReviver</code> TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4346633084" data-permission-text="Title is private" data-url="axios/axios#10821" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10821/hovercard" href="https://redirect.github.com/axios/axios/pull/10821">#10821</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4298576114" data-permission-text="Title is private" data-url="axios/axios#10782" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10782/hovercard" href="https://redirect.github.com/axios/axios/pull/10782">#10782</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4290932663" data-permission-text="Title is private" data-url="axios/axios#10759" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10759/hovercard" href="https://redirect.github.com/axios/axios/pull/10759">#10759</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4335735712" data-permission-text="Title is private" data-url="axios/axios#10804" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10804/hovercard" href="https://redirect.github.com/axios/axios/pull/10804">#10804</a>)</li> <li>Reverted: Reverted the <code>transformRequest</code> input typing change from <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4284929830" data-permission-text="Title is private" data-url="axios/axios#10745" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10745/hovercard" href="https://redirect.github.com/axios/axios/pull/10745">#10745</a> after follow-up review. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4284929830" data-permission-text="Title is private" data-url="axios/axios#10745" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10745/hovercard" href="https://redirect.github.com/axios/axios/pull/10745">#10745</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4336537376" data-permission-text="Title is private" data-url="axios/axios#10810" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10810/hovercard" href="https://redirect.github.com/axios/axios/pull/10810">#10810</a>)</li> <li>Dependencies: Bumped <code>actions/setup-node</code>, the <code>github-actions</code> group, and <code>postcss</code> (in <code>/docs</code>) to their latest versions. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4301894928" data-permission-text="Title is private" data-url="axios/axios#10785" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10785/hovercard" href="https://redirect.github.com/axios/axios/pull/10785">#10785</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4342327794" data-permission-text="Title is private" data-url="axios/axios#10813" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10813/hovercard" href="https://redirect.github.com/axios/axios/pull/10813">#10813</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4342985432" data-permission-text="Title is private" data-url="axios/axios#10814" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10814/hovercard" href="https://redirect.github.com/axios/axios/pull/10814">#10814</a>)</li> <li>Release: Updated changelog and packages, and prepared the 1.16.0 release. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4304455485" data-permission-text="Title is private" data-url="axios/axios#10790" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10790/hovercard" href="https://redirect.github.com/axios/axios/pull/10790">#10790</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4368693595" data-permission-text="Title is private" data-url="axios/axios#10834" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10834/hovercard" href="https://redirect.github.com/axios/axios/pull/10834">#10834</a>)</li> </ul> <h2>🌟 New Contributors</h2> We are thrilled to welcome our new contributors. Thank you for helping improve axios: <ul> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/singhankit001/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/singhankit001">@ singhankit001</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4173424907" data-permission-text="Title is private" data-url="axios/axios#10588" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10588/hovercard" href="https://redirect.github.com/axios/axios/pull/10588">#10588</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/cuiweixie/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/cuiweixie">@ cuiweixie</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3967256044" data-permission-text="Title is private" data-url="axios/axios#7419" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7419/hovercard" href="https://redirect.github.com/axios/axios/pull/7419">#7419</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/iruizsalinas/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/iruizsalinas">@ iruizsalinas</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4303641135" data-permission-text="Title is private" data-url="axios/axios#10787" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10787/hovercard" href="https://redirect.github.com/axios/axios/pull/10787">#10787</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/MarcosNocetti/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/MarcosNocetti">@ MarcosNocetti</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4235938363" data-permission-text="Title is private" data-url="axios/axios#10680" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10680/hovercard" href="https://redirect.github.com/axios/axios/pull/10680">#10680</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/deepview-autofix/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/deepview-autofix">@ deepview-autofix</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4271998290" data-permission-text="Title is private" data-url="axios/axios#10729" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10729/hovercard" href="https://redirect.github.com/axios/axios/pull/10729">#10729</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/atharvasingh7007/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/atharvasingh7007">@ atharvasingh7007</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4284929830" data-permission-text="Title is private" data-url="axios/axios#10745" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10745/hovercard" href="https://redirect.github.com/axios/axios/pull/10745">#10745</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/OfekDanny/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/OfekDanny">@ OfekDanny</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4294198336" data-permission-text="Title is private" data-url="axios/axios#10772" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10772/hovercard" href="https://redirect.github.com/axios/axios/pull/10772">#10772</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/mnahkies/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/mnahkies">@ mnahkies</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3959718695" data-permission-text="Title is private" data-url="axios/axios#7414" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7414/hovercard" href="https://redirect.github.com/axios/axios/pull/7414">#7414</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/tboyila/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/tboyila">@ tboyila</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4290932663" data-permission-text="Title is private" data-url="axios/axios#10759" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10759/hovercard" href="https://redirect.github.com/axios/axios/pull/10759">#10759</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Kingo64/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/Kingo64">@ Kingo64</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3023608053" data-permission-text="Title is private" data-url="axios/axios#6897" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6897/hovercard" href="https://redirect.github.com/axios/axios/pull/6897">#6897</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/ramram1048/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/ramram1048">@ ramram1048</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2291674940" data-permission-text="Title is private" data-url="axios/axios#6389" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6389/hovercard" href="https://redirect.github.com/axios/axios/pull/6389">#6389</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/FLNacif/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/FLNacif">@ FLNacif</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2365076865" data-permission-text="Title is private" data-url="axios/axios#6460" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6460/hovercard" href="https://redirect.github.com/axios/axios/pull/6460">#6460</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/zozo123/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/zozo123">@ zozo123</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4336242387" data-permission-text="Title is private" data-url="axios/axios#10806" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10806/hovercard" href="https://redirect.github.com/axios/axios/pull/10806">#10806</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/pierluigilenoci/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/pierluigilenoci">@ pierluigilenoci</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4323864507" data-permission-text="Title is private" data-url="axios/axios#10802" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10802/hovercard" href="https://redirect.github.com/axios/axios/pull/10802">#10802</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/afurm/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/afurm">@ afurm</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4260994859" data-permission-text="Title is private" data-url="axios/axios#10708" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10708/hovercard" href="https://redirect.github.com/axios/axios/pull/10708">#10708</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/karan-lrn/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/karan-lrn">@ karan-lrn</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3912225221" data-permission-text="Title is private" data-url="axios/axios#7378" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7378/hovercard" href="https://redirect.github.com/axios/axios/pull/7378">#7378</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/ebeigarts/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/ebeigarts">@ ebeigarts</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3509777101" data-permission-text="Title is private" data-url="axios/axios#7149" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7149/hovercard" href="https://redirect.github.com/axios/axios/pull/7149">#7149</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Raymondo97/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/Raymondo97">@ Raymondo97</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4298576114" data-permission-text="Title is private" data-url="axios/axios#10782" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10782/hovercard" href="https://redirect.github.com/axios/axios/pull/10782">#10782</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/mixelburg/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/mixelburg">@ mixelburg</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4346633084" data-permission-text="Title is private" data-url="axios/axios#10821" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10821/hovercard" href="https://redirect.github.com/axios/axios/pull/10821">#10821</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/ashishkr96/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/ashishkr96">@ ashishkr96</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4347021851" data-permission-text="Title is private" data-url="axios/axios#10822" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10822/hovercard" href="https://redirect.github.com/axios/axios/pull/10822">#10822</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/cyphercodes/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/cyphercodes">@ cyphercodes</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4344944445" data-permission-text="Title is private" data-url="axios/axios#10819" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10819/hovercard" href="https://redirect.github.com/axios/axios/pull/10819">#10819</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Jye10032/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/Jye10032">@ Jye10032</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3662226069" data-permission-text="Title is private" data-url="axios/axios#7260" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7260/hovercard" href="https://redirect.github.com/axios/axios/pull/7260">#7260</a>)</li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/VeerShah41/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/VeerShah41">@ VeerShah41</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3678162351" data-permission-text="Title is private" data-url="axios/axios#7276" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7276/hovercard" href="https://redirect.github.com/axios/axios/pull/7276">#7276</a>)</li> </ul> <a href="https://redirect.github.com/axios/axios/compare/v1.15.2...v1.16.0">Full Changelog</a> </li> <li> 1.15.2 - <a href="https://redirect.github.com/axios/axios/releases/tag/v1.15.2">2026-04-21</a>This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in <code>allowedSocketPaths</code> allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs. <h2>🔒 Security Fixes</h2> <ul> <li>Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and <code>resolveConfig</code>/<code>mergeConfig</code>/validator paths to read only own properties and use null-prototype config objects, preventing polluted <code>auth</code>, <code>baseURL</code>, <code>socketPath</code>, <code>beforeRedirect</code>, and <code>insecureHTTPParser</code> from influencing requests. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4297881989" data-permission-text="Title is private" data-url="axios/axios#10779" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10779/hovercard" href="https://redirect.github.com/axios/axios/pull/10779">#10779</a>)</li> <li>SSRF via <code>socketPath</code>: Rejects non-string <code>socketPath</code> values and adds an opt-in <code>allowedSocketPaths</code> config option to restrict permitted Unix domain socket paths, returning <code>AxiosError</code> <code>ERR_BAD_OPTION_VALUE</code> on mismatch. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4297772207" data-permission-text="Title is private" data-url="axios/axios#10777" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10777/hovercard" href="https://redirect.github.com/axios/axios/pull/10777">#10777</a>)</li> <li>Supply-chain Hardening: Added <code>.npmrc</code> with <code>ignore-scripts=true</code>, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded <code>SECURITY.md</code>/<code>THREATMODEL.md</code> with provenance verification (<code>npm audit signatures</code>), 60-day resolution policy, and maintainer incident-response runbook. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4297522478" data-permission-text="Title is private" data-url="axios/axios#10776" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10776/hovercard" href="https://redirect.github.com/axios/axios/pull/10776">#10776</a>)</li> </ul> <h2>🚀 New Features</h2> <ul> <li><code>allowedSocketPaths</code> Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4297772207" data-permission-text="Title is private" data-url="axios/axios#10777" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10777/hovercard" href="https://redirect.github.com/axios/axios/pull/10777">#10777</a>)</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li>Keep-alive Socket Memory Leak: Installs a single per-socket <code>error</code> listener tracking the active request via <code>kAxiosSocketListener</code>/<code>kAxiosCurrentReq</code>, eliminating per-request listener accumulation, <code>MaxListenersExceededWarning</code>, and linear heap growth under concurrent or long-running keep-alive workloads (fixes <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4298011964" data-permission-text="Title is private" data-url="axios/axios#10780" data-hovercard-type="issue" data-hovercard-url="/axios/axios/issues/10780/hovercard" href="https://redirect.github.com/axios/axios/issues/10780">#10780</a>). (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4304224147" data-permission-text="Title is private" data-url="axios/axios#10788" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10788/hovercard" href="https://redirect.github.com/axios/axios/pull/10788">#10788</a>)</li> </ul> <h2>🔧 Maintenance & Chores</h2> <ul> <li>Changelog: Updated <code>CHANGELOG.md</code> with v1.15.1 release notes. (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4298245836" data-permission-text="Title is private" data-url="axios/axios#10781" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10781/hovercard" href="https://redirect.github.com/axios/axios/pull/10781">#10781</a>)</li> </ul> <a href="https://redirect.github.com/axios/axios/compare/v1.15.1...v1.15.2">Full Changelog</a> </li> </ul> from <a href="https://redirect.github.com/axios/axios/releases">axios GitHub release notes</a> </details> </details> --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - This PR was automatically created by Snyk using the credentials of a real user. --- **Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs._ **For more information:** <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiJlMjE3ZGU0YS02ZGE2LTRhNGUtYThiZC1jNjQxMDUyZjI2YTciLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6ImUyMTdkZTRhLTZkYTYtNGE0ZS1hOGJkLWM2NDEwNTJmMjZhNyJ9fQ==" width="0" height="0"/> > - 🧐 [View latest project report](https://app.snyk.io/org/rudder-qa/project/3ec84776-2902-4d8e-9cd9-a5d98be10724?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates?utm_source=&utm_content=fix-pr-template) > - 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/rudder-qa/project/3ec84776-2902-4d8e-9cd9-a5d98be10724/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/rudder-qa/project/3ec84776-2902-4d8e-9cd9-a5d98be10724/settings/integration?pkg=axios&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades) [//]: # 'snyk:metadata:{"breakingChangeRiskLevel":"medium","FF_showPullRequestBreakingChanges":true,"FF_showPullRequestBreakingChangesWebSearch":false,"customTemplate":{"variablesUsed":[],"fieldsUsed":["commitMessage","title"],"templateUrl":"https://app.snyk.io/rest/groups/f6659a58-7be6-43af-8ec5-3d06dd5bfeaa/settings/pull_request_template?version=2024-10-15"},"dependencies":[{"name":"axios","from":"1.15.2","to":"1.16.0"}],"env":"prod","hasFixes":false,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[],"prId":"e217de4a-6da6-4a4e-a8bd-c641052f26a7","prPublicId":"e217de4a-6da6-4a4e-a8bd-c641052f26a7","packageManager":"npm","priorityScoreList":[],"projectPublicId":"3ec84776-2902-4d8e-9cd9-a5d98be10724","projectUrl":"https://app.snyk.io/org/rudder-qa/project/3ec84776-2902-4d8e-9cd9-a5d98be10724?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"group","description":"default","title":"group"},"templateVariants":["custom"],"type":"auto","upgrade":[],"upgradeInfo":{"versionsDiff":1,"publishedDate":"2026-05-02T15:04:00.274Z"},"vulns":[]}' Co-authored-by: snyk-bot <[email protected]>

jasonsaayman added 8 commits April 30, 2026 19:17

chore: remove un-needed ghsa in the comments of files

36ed9c9

fix: auth header

65027d6

fix: escape regex chars in cookies.read

3c7ef0f

fix: read-side merge and descriptors

a14364d

fix: enable redaction in the .toJson for errors

4eb10fa

fix: general IPv4-mapped IPv6 normalization in NO_PROXY

a1b8949

fix: added regression tests for scenarios already covered

49c22cf

chore: remove un-needed comments

53ee0af

jasonsaayman self-assigned this May 1, 2026

github-code-quality Bot found potential problems May 1, 2026

View reviewed changes

Comment thread lib/adapters/http.js Fixed

cubic-dev-ai Bot reviewed May 1, 2026

View reviewed changes

Comment thread lib/core/AxiosError.js Outdated

Comment thread tests/unit/prototypePollution.test.js

jasonsaayman added 2 commits May 1, 2026 19:48

fix: harden proxy host detection and error redaction

1127f54

fix: make form-data header change opt-in

11394a7

github-code-quality Bot found potential problems May 1, 2026

View reviewed changes

Comment thread lib/adapters/http.js Fixed

fix: apply suggestions form github review

42b2423

cubic-dev-ai Bot reviewed May 1, 2026

View reviewed changes

Comment thread lib/helpers/cookies.js Outdated

fix: cubic review

ab2dd18

cubic-dev-ai Bot reviewed May 1, 2026

View reviewed changes

Comment thread lib/helpers/shouldBypassProxy.js Outdated

fix: widen the regexs for matches

d8f6040

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

jasonsaayman added priority::medium A medium priority commit::fix The PR is related to a bugfix type::security The PR is a secuirty related changed normally from a CVE labels May 1, 2026

Merge branch 'v1.x' into fix/gadgets-and-smaller-issues

b993657

cubic-dev-ai Bot reviewed May 1, 2026

View reviewed changes

Comment thread lib/core/AxiosError.js Outdated

fix: smaller issue found by cubic

bed50b9

cubic-dev-ai Bot reviewed May 2, 2026

View reviewed changes

Comment thread lib/core/AxiosError.js Outdated

fix: address prototype chain

c539370

cubic-dev-ai Bot reviewed May 2, 2026

View reviewed changes

Comment thread lib/core/AxiosError.js Outdated

Comment thread lib/helpers/shouldBypassProxy.js Outdated

fix: update as per cubic

58816ea

cubic-dev-ai Bot reviewed May 2, 2026

View reviewed changes

jasonsaayman merged commit 9d92bcd into v1.x May 2, 2026
26 checks passed

jasonsaayman deleted the fix/gadgets-and-smaller-issues branch May 2, 2026 10:41

github-actions Bot mentioned this pull request May 2, 2026

[Vulnerability] axios/axios: Prototype Pollution 7azimo01/vulnerability-spoiler-alert#428

Open

coderabbitai Bot mentioned this pull request Jun 7, 2026

feat: hive 기능 아키텍처 개편 및 전체 화면 UI 통일 BeeKeeprs/mobile#23

Open

4 tasks

Uh oh!

Conversation

jasonsaayman commented May 1, 2026 • edited by cubic-dev-ai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by cubic

Description

Docs

Testing

Semantic version impact

Uh oh!

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

jasonsaayman commented May 1, 2026

Uh oh!

cubic-dev-ai Bot commented May 1, 2026

Uh oh!

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

jasonsaayman commented May 1, 2026

Uh oh!

cubic-dev-ai Bot commented May 1, 2026

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

jasonsaayman commented May 1, 2026

Uh oh!

cubic-dev-ai Bot commented May 1, 2026

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

jasonsaayman commented May 2, 2026

Uh oh!

cubic-dev-ai Bot commented May 2, 2026

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

jasonsaayman commented May 2, 2026

Uh oh!

cubic-dev-ai Bot commented May 2, 2026

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

jasonsaayman commented May 2, 2026

Uh oh!

cubic-dev-ai Bot commented May 2, 2026

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

jasonsaayman commented May 1, 2026 •

edited by cubic-dev-ai Bot

Loading