Change8

v1.15.1

📦 axios
2 features · 🐛 15 fixes · 🔧 4 symbols

Summary

This release focuses heavily on security hardening across request handling, including header injection, prototype pollution, and content-length bypasses. It also introduces initial scaffolding for AI-based documentation translations and numerous bug fixes.

Migration Steps

  1. If your configuration or request handling depended on properties inherited through the prototype chain (which previously satisfied `in` checks), review the changes that replace `in` checks with `hasOwnProperty`: only an object's own properties are now honoured.

✨ New Features

  • Initial scaffold for AI-assisted translations of the documentation site.
  • Adds `Location` to `CommonRequestHeadersList` for accurate typing of redirect-aware requests.

🐛 Bug Fixes

  • Tightened validation and sanitisation across request header construction to close the header-injection attack surface.
  • Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames.
  • Replaced unsafe `in` checks with `hasOwnProperty` to prevent authentication bypass via prototype pollution on config objects.
  • Short-circuits `withXSRFToken` on any truthy non-boolean value, preventing ambiguous config from silently leaking the XSRF token cross-origin.
  • Enforces `maxBodyLength` even when `maxRedirects` is set to `0`, closing a bypass path for oversized request bodies.
  • Applies `maxContentLength` to streamed responses that previously bypassed the cap.
  • Completes an earlier incomplete CVE fix to fully close the regression window.
  • Fixes FormData handling: removes `Content-Type` when no boundary is present on `FormData` fetch requests, supports multi-select fields, cancels `request.body` instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation.
  • HTTP Adapter now handles socket-only request errors without leaking keep-alive listeners.
  • Clamps `loaded` to `total` for computable upload/download progress events.
  • Aligns `runWhen` type with the runtime behaviour in `InterceptorManager` and makes response header keys case-insensitive.
  • Uses strict equality in the base/relative URL check within `buildFullPath`.
  • Improves the regex used for param serialisation in `AxiosURLSearchParams` to avoid edge-case mismatches.
  • Parses out header/config values instead of throwing on malformed input.
  • Removes the docs content that was incorrectly committed.
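Two of the hardening patterns named above (the `in` to `hasOwnProperty` change and the CR/LF stripping in multipart header values) are shown below as an added, generic illustration. This is not axios's own code and does not reproduce its internals; the function names, the sample config object and the sample field name are constructed for the demonstration.

```javascript
// Added example (not axios source): own-property checks under prototype
// pollution, and CR/LF removal before a value is placed in a multipart header.

// --- 1. `in` vs hasOwnProperty -------------------------------------------

// Unsafe: `in` walks the prototype chain, so if a prototype in the chain has
// been polluted with the key, every config object appears to carry it.
function hasOptionUnsafe(config, key) {
  return key in config;
}

// Safe: only the object's own properties count. Calling the prototype's
// hasOwnProperty via .call also works for objects that shadow the method.
function hasOptionSafe(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key);
}

// Read an option only when the caller actually set it; otherwise fall back.
function readOption(config, key, fallback) {
  return hasOptionSafe(config, key) ? config[key] : fallback;
}

// Constructed victim: the config object itself is empty, but its prototype
// carries a sensitive key. This is what a polluted prototype looks like from
// the consumer's side, without touching the real global Object.prototype.
const POLLUTED_CONFIG = Object.create({ withCredentials: true });

function demonstratePollution() {
  return {
    unsafeSeesKey: hasOptionUnsafe(POLLUTED_CONFIG, 'withCredentials'), // true
    safeSeesKey: hasOptionSafe(POLLUTED_CONFIG, 'withCredentials'),     // false
    effectiveValue: readOption(POLLUTED_CONFIG, 'withCredentials', false), // false
  };
}

// --- 2. CR/LF removal in multipart header values -------------------------

// A field name or filename containing CR/LF would end the header line early
// and let the remainder be parsed as a further header. Remove both characters
// before the value goes anywhere near a header.
function stripCRLF(value) {
  return String(value).replace(/\r|\n/g, '');
}

// Build a single Content-Disposition line for a multipart part. Double quotes
// are percent-encoded so the value cannot close the quoted string either.
function contentDisposition(name, filename) {
  const quote = (v) => stripCRLF(v).replace(/"/g, '%22');
  let line = `Content-Disposition: form-data; name="${quote(name)}"`;
  if (filename !== undefined) {
    line += `; filename="${quote(filename)}"`;
  }
  return line;
}

// Check used by tests or when reviewing serialised parts: a finished header
// line must never contain a bare CR or LF.
function containsLineBreak(headerLine) {
  return /[\r\n]/.test(headerLine);
}
```

Calling `demonstratePollution()` returns `{ unsafeSeesKey: true, safeSeesKey: false, effectiveValue: false }`, which is the whole point of the migration note: code that previously saw an inherited value through `in` now sees nothing. `contentDisposition('file\r\nX-Injected: yes', 'a"b.txt')` yields one header line with the line break removed and the quote encoded, and `containsLineBreak` on the result is `false`.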

Affected Symbols