axios v0.31.1
Summary
This release backports significant security hardening from the v1 line, addressing prototype pollution, recursion-based denial of service, and XSRF token handling. It also removes deprecated Bower support and the committed `dist/` artifacts.
⚠️ Breaking Changes
- Bower support has been removed, and committed `dist/` artifacts are no longer included in the repository. Consumers relying on Bower or direct git tree installs must switch to npm or a CDN.
- The `bower.json` file and the Grunt `package2bower` task have been removed.
Migration Steps
- If using Bower, migrate installations to use npm or a CDN.
- If relying on direct access to files in the `dist/` directory within the repository, update code to use npm/CDN artifacts.
✨ New Features
- Added a configurable `maxDepth` option (default 100) to `toFormData` and params serialization, limiting recursion into nested input so that deeply nested FormData/params payloads cannot cause a recursion denial of service.
🐛 Bug Fixes
- Prototype pollution vulnerability in Header Merge fixed by tightening `isFormData` checks and guarding HTTP adapter header merging.
- Prototype pollution vulnerability in Config Merging fixed by using own-property checks for specific configuration keys and returning merged configs as null-prototype objects.
- Null-byte injection vulnerability in Query Strings fixed by removing the unsafe `%00` to null-byte substitution in `AxiosURLSearchParams.encode`.
- Backported security hardening: `maxContentLength` enforcement for `responseType: 'stream'` via guarded transform.
- Backported security hardening: `maxBodyLength` enforcement for streamed uploads on native `http`/`https` when `maxRedirects: 0`.
- Backported security hardening: stricter `withXSRFToken` handling; enabling cross-origin XSRF headers now requires the option to be an own property whose value is the boolean `true`.
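The config-merge hardening described above (own-property checks, null-prototype result) together with the `maxDepth` recursion guard from the features section, as an added JavaScript illustration that is not axios's own code; `mergeConfig`, `isPlainObject` and the sample inputs are constructed for this example.

```javascript
// Added illustration (not axios's own implementation) of two defences from the
// release notes: copy only own properties into a null-prototype result so a
// "__proto__" key cannot reach Object.prototype, and cap recursion depth
// (assumed default 100, matching the maxDepth option) for nested input.

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Merge `source` over `target`, returning a fresh null-prototype object.
function mergeConfig(target, source, maxDepth = 100, depth = 0) {
  if (depth > maxDepth) throw new RangeError(`merge exceeded maxDepth ${maxDepth}`);
  const result = Object.create(null);
  for (const obj of [target, source]) {
    if (!isPlainObject(obj)) continue;
    for (const key of Object.keys(obj)) {            // own enumerable keys only
      if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
      const value = obj[key];
      if (isPlainObject(value)) {
        const base = isPlainObject(result[key]) ? result[key] : Object.create(null);
        result[key] = mergeConfig(base, value, maxDepth, depth + 1);
      } else {
        result[key] = value;                         // primitives, arrays, functions as-is
      }
    }
  }
  return result;
}

// Constructed sample: untrusted JSON (e.g. a parsed request body) merged over defaults.
const defaults = { timeout: 1000, headers: { Accept: 'application/json' } };
const untrusted = JSON.parse('{"__proto__":{"polluted":true},"headers":{"X-Custom":"1"}}');

function demo() {
  const merged = mergeConfig(defaults, untrusted);
  return {
    polluted: ({}).polluted === true,                // false: Object.prototype untouched
    nullProto: Object.getPrototypeOf(merged) === null,
    headers: merged.headers,
  };
}
```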