v0.32.0
📦 axios
⚠ 1 breaking · ✨ 2 features · 🐛 6 fixes · 🔧 11 symbols
Summary
This release backports a set of security and hardening fixes from the v1.x branch into the v0.x line: prototype-pollution protections for merged config and header objects, redaction of sensitive data in serialized errors, and stricter handling of proxy, cookie and Unix-socket configuration. The one breaking change is that merged config and header objects now have a null prototype.
⚠️ Breaking Changes
- mergeConfig and header merging now return objects with a null prototype (as if created with Object.create(null)), so keys such as __proto__ or constructor in user-supplied config cannot reach Object.prototype and act as prototype-pollution gadgets. Because such objects inherit nothing, obj.hasOwnProperty(key), obj.toString() and implicit string coercion (String(obj), template literals, string concatenation) throw a TypeError. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) (or Object.hasOwn(obj, key) on ES2022 / Node 16.9+) and avoid implicit string coercion of merged config or header objects.
Migration Steps
- Ordinary property reads on objects returned by mergeConfig or header merging (config.timeout, headers['content-type']) keep working. What breaks is anything that relied on methods inherited from Object.prototype: replace obj.hasOwnProperty(key) with Object.prototype.hasOwnProperty.call(obj, key) (or Object.hasOwn(obj, key)), and replace implicit string coercion (`${obj}`, String(obj), obj.toString()) with explicit serialization such as JSON.stringify(obj).
- `key in obj` and `for...in` still work but now see only own keys, since there is no prototype chain to walk; code that relied on `'toString' in obj` being true must be adjusted.
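The following is an added example, not axios's code: a miniature deep merge in two variants that shows why the null-prototype result closes the prototype-pollution gadget, followed by what a consumer of such an object sees. naiveMerge and safeMerge are stand-ins written for this illustration; axios's real mergeConfig and header-merging logic differ, and the attacker JSON is constructed for the demo.

```javascript
// Added example, not axios's code. naiveMerge/safeMerge are simplified stand-ins
// for "merge into a plain object" versus "merge into a null-prototype object";
// they are not axios's mergeConfig.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// BEFORE: recursive merge into a plain {} target.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      // For key "__proto__", target[key] resolves through the inherited accessor
      // to Object.prototype, and the recursion writes attacker keys into it.
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// AFTER: every merged object is created with Object.create(null). There is no
// inherited __proto__ accessor, so "__proto__" is just an ordinary own key.
function safeMerge(...sources) {
  const out = Object.create(null);
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      const val = source[key];
      if (isPlainObject(val)) {
        const existing = Object.prototype.hasOwnProperty.call(out, key) ? out[key] : undefined;
        out[key] = safeMerge(isPlainObject(existing) ? existing : {}, val);
      } else {
        out[key] = val;
      }
    }
  }
  return out;
}

// Constructed attacker input: a JSON document with a top-level "__proto__" key.
// JSON.parse creates it as an *own* property, so Object.keys() enumerates it.
const ATTACKER_JSON = '{"headers":{"X-Trace":"1"},"__proto__":{"polluted":"yes"}}';

function demoPollution() {
  const payload = JSON.parse(ATTACKER_JSON);
  const before = ({}).polluted;                 // undefined
  naiveMerge({ headers: {} }, payload);
  const afterNaive = ({}).polluted;             // "yes": every object now inherits it
  delete Object.prototype.polluted;             // undo the damage for the rest of the demo
  const merged = safeMerge({ headers: { Accept: 'application/json' } }, payload);
  const afterSafe = ({}).polluted;              // still undefined
  return { before, afterNaive, afterSafe, merged };
}

// What a consumer of the null-prototype result sees: plain property reads and
// Object.prototype.hasOwnProperty.call work; inherited helpers and implicit
// string coercion throw a TypeError.
function probeNullProto(obj) {
  const result = {
    direct: obj.headers.Accept,
    ownCheck: Object.prototype.hasOwnProperty.call(obj, 'headers'),
    inheritedMethod: 'ok',
    coercion: 'ok',
  };
  try { obj.hasOwnProperty('headers'); } catch (e) { result.inheritedMethod = e.constructor.name; }
  try { `${obj}`; } catch (e) { result.coercion = e.constructor.name; }
  return result;
}

const demo = demoPollution();
console.log('naive merge polluted Object.prototype:', demo.afterNaive === 'yes');
console.log('null-prototype merge polluted Object.prototype:', demo.afterSafe !== undefined);
console.log(probeNullProto(demo.merged));
```

Note that the attacker's "__proto__" key still lands in the safe result as an own property; it simply no longer has any effect on other objects, which is why own-property checks rather than `obj.hasOwnProperty` are the right way to inspect the merged config.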
✨ New Features
- AxiosError.toJSON() now redacts sensitive keys by default, so serialized errors written to logs or error trackers do not leak credentials; the set of redacted keys is configurable via config.redact.
- Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations, with matching runtime defaults.
🐛 Bug Fixes
- Cookie names are matched literally rather than being interpolated into a regular expression, so regex metacharacters in a configured cookie name are not interpreted as a pattern, and only own properties are consulted when evaluating withXSRFToken.
- NO_PROXY matching now recognizes canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and its hex spelling ::ffff:7f00:1, so an entry like 127.0.0.1 also covers requests addressed to the mapped form instead of sending them through the proxy.
- The Node http adapter strips the Proxy-Authorization header when no proxy is in use, so proxy credentials are not sent to the origin server.
- The Node http adapter now honours socketPath only when it appears in the new allowedSocketPaths allowlist (a string or array of paths, normalized before comparison), reducing accidental exposure of Unix sockets to user-controlled configuration.
- The browser xhr adapter applies stricter own-property checks when reading config and headers.
- AxiosURLSearchParams keeps %00 (NUL) percent-encoded instead of decoding it, and applies the same encoding rules consistently throughout.
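As an added illustration of the NO_PROXY fix above (this is not axios's implementation), the following matcher canonicalizes IPv4-mapped IPv6 hosts before comparing them with NO_PROXY entries. It goes slightly beyond the two forms named in the release: it also strips URL brackets and decodes any hex group pair, not only 7f00:1. The matching semantics (exact host, leading-dot suffix match, "*" wildcard) are an assumption made for this example; entries with ports or CIDR ranges are deliberately not handled, and the sample inputs are constructed.

```javascript
// Added example, not axios's NO_PROXY implementation. Matching semantics below
// (exact host, ".suffix", "*") are assumed for illustration only.
const HEX_GROUP = /^[0-9a-f]{1,4}$/;
const DOTTED_QUAD = /^\d{1,3}(\.\d{1,3}){3}$/;

// Returns the IPv4 dotted-quad encoded by a compressed IPv4-mapped IPv6 literal
// ("::ffff:a.b.c.d" or "::ffff:hhhh:hhhh", optionally in URL brackets), or the
// lowercased input with brackets removed when the host is not such a literal.
function normalizeHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  if (!h.startsWith('::ffff:')) return h;
  const tail = h.slice('::ffff:'.length);
  if (DOTTED_QUAD.test(tail)) return tail;                 // ::ffff:127.0.0.1
  const groups = tail.split(':');                         // ::ffff:7f00:1
  if (groups.length !== 2 || !groups.every((g) => HEX_GROUP.test(g))) return h;
  const [hi, lo] = groups.map((g) => parseInt(g, 16));
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

// True when the (normalized) host is covered by the comma-separated NO_PROXY list.
function shouldBypassProxy(host, noProxy) {
  const target = normalizeHost(host);
  for (const raw of noProxy.split(',')) {
    const entry = raw.trim();
    if (!entry) continue;
    if (entry === '*') return true;
    const e = normalizeHost(entry);                       // entries may be mapped too
    if (e.startsWith('.')) {
      if (target.endsWith(e)) return true;                // ".internal.example"
    } else if (target === e || target.endsWith('.' + e)) {
      return true;                                        // "127.0.0.1", "example.com"
    }
  }
  return false;
}

// Constructed sample: one NO_PROXY value checked against several spellings of
// the same loopback host and a few ordinary names.
const SAMPLE_NO_PROXY = '127.0.0.1, .internal.example';
const SAMPLE_HOSTS = [
  '127.0.0.1',
  '::ffff:127.0.0.1',
  '::ffff:7f00:1',
  '[::FFFF:7F00:1]',
  'api.internal.example',
  'api.example.com',
];

function checkSamples() {
  const out = {};
  for (const host of SAMPLE_HOSTS) out[host] = shouldBypassProxy(host, SAMPLE_NO_PROXY);
  return out;
}

console.log(checkSamples());
```

A useful regression check for your own proxy configuration is to run every spelling of a host you expect to bypass the proxy through the matcher; before this fix, only the first entry in SAMPLE_HOSTS would have matched 127.0.0.1.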