v0.31.0
📦 axios
✨ 2 features 🐛 5 fixes
Summary
This release backports two security fixes from v1.x (header-value sanitization against CRLF header injection, and stricter `NO_PROXY` enforcement against proxy bypass), hardens the CI/CD supply chain with OIDC-based publishing and workflow scanning, and corrects TypeScript return types in `AxiosInstance`.
Migration Steps
- If you publish from CI/CD, note that every npm publish is now gated behind a required `npm-publish` GitHub Environment; its reviewer protections (required approvers) are configured in the repository's environment settings.
✨ New Features
- Introduced OIDC Trusted Publishing workflow with npm provenance attestations.
- Added security scanning using `zizmor` with SARIF upload to code scanning.
🐛 Bug Fixes
- Backported security hardening from v1.x: outgoing header values are sanitized to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values).
- Backported security hardening from v1.x: improved `NO_PROXY`/`no_proxy` enforcement covering wildcards, explicit ports, loopback aliases (`localhost`, `127.0.0.1`, `::1`), bracketed IPv6, and trailing-dot hostnames.
- The `NO_PROXY` bypass check now runs before the proxy URL is parsed, and matches on `parsed.host` (hostname plus port) so that explicit ports and bracketed IPv6 literals are compared correctly.
- Fixed TypeScript return types in `AxiosInstance` methods to correctly resolve to `Promise<R>` and corrected generic call signature for better response data type enforcement.
- Fixed a performance regression in `isEmptyObject()` that caused excessive computation when the argument was a large string.
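As an added example that is not axios's own code nor part of this release, the JavaScript below shows one way to implement the two backported hardening behaviours listed above: a header-value sanitizer that strips CRLF, control bytes and boundary whitespace (element-wise for arrays), and a `NO_PROXY` matcher that handles `*`, leading-dot and wildcard suffixes, explicit ports, loopback aliases, bracketed IPv6 and trailing-dot hostnames, deciding bypass from the parsed target URL alone. The function and constant names (`sanitizeHeaderValue`, `shouldBypassProxy`, `LOOPBACK_ALIASES`) are this example's own; the allowed-character set follows Node's `http` module and the suffix semantics follow curl, both of which are assumptions of this example rather than statements about axios's implementation.

```javascript
// Added example, not axios's own code: a header-value sanitizer and a
// NO_PROXY matcher showing the behaviours described in the v0.31.0 notes.
// Names (sanitizeHeaderValue, shouldBypassProxy, LOOPBACK_ALIASES) are this
// example's own, not axios identifiers.

// 1. Header sanitization. Node's http module rejects field values containing
//    anything outside \t, 0x20-0x7E and 0x80-0xFF (assumption: mirror that
//    set); a CRLF inside a value is the classic header-injection vector.
//    Strip those bytes, then trim leading/trailing spaces and tabs.
//    Arrays are sanitized element-wise.
function sanitizeHeaderValue(value) {
  if (Array.isArray(value)) return value.map(sanitizeHeaderValue);
  if (value === null || value === undefined) return value;
  const cleaned = String(value).replace(/[^\t\x20-\x7e\x80-\xff]/g, '');
  return cleaned.replace(/^[ \t]+|[ \t]+$/g, '');
}

// 2. NO_PROXY enforcement. The decision is taken from the parsed target URL
//    only, so a malformed or attacker-controlled proxy URL never influences it.
const LOOPBACK_ALIASES = new Set(['localhost', '127.0.0.1', '::1']);

function normalizeHost(host) {
  let h = host.toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // bracketed IPv6
  if (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1);       // trailing-dot FQDN
  return h;
}

function shouldBypassProxy(targetUrl, noProxy) {
  const target = new URL(targetUrl);
  const host = normalizeHost(target.hostname); // URL.hostname keeps IPv6 brackets
  const port = target.port
    ? Number(target.port)
    : (target.protocol === 'https:' ? 443 : 80);

  for (const raw of (noProxy || '').split(/[\s,]+/).filter(Boolean)) {
    if (raw === '*') return true;

    // Split an optional ":port" off the entry. Only "[...]" or a colon-free
    // host may carry a port, so an unbracketed IPv6 literal such as "::1"
    // falls through unchanged instead of being cut at its first colon.
    let entryHost = raw;
    let entryPort = null;
    const m = /^(\[[^\]]+\]|[^:]+):(\d+)$/.exec(raw);
    if (m) { entryHost = m[1]; entryPort = Number(m[2]); }
    if (entryPort !== null && entryPort !== port) continue;

    // "*.example.com" and ".example.com" mean example.com plus any subdomain;
    // a bare "example.com" is treated the same way (curl semantics, assumed).
    const pattern = normalizeHost(entryHost).replace(/^\*?\./, '');
    if (!pattern) continue;

    const exact = host === pattern;
    const subdomain = host.endsWith('.' + pattern);
    const loopback = LOOPBACK_ALIASES.has(host) && LOOPBACK_ALIASES.has(pattern);
    if (exact || subdomain || loopback) return true;
  }
  return false;
}

// Stand-alone demonstration on constructed inputs.
console.log(JSON.stringify(sanitizeHeaderValue('token\r\nX-Injected: 1')));
console.log(JSON.stringify(sanitizeHeaderValue([' a\n', '\tb '])));
console.log(shouldBypassProxy('http://[::1]:3000/', 'localhost'));
console.log(shouldBypassProxy('http://api.example.com/', 'example.com:8080'));
console.log(shouldBypassProxy('http://example.com./', '*.example.com'));
```

The port comparison uses the target URL's default port when none is given, so `NO_PROXY=example.com:443` bypasses `https://example.com/` but not `http://example.com/`; the loopback set makes `NO_PROXY=localhost` also cover `127.0.0.1` and `[::1]`, which is the aliasing the release note describes.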