
v1.15.2

Breaking Changes
📦 axios
2 breaking, 1 feature, 🐛 1 fix, 🔧 11 symbols

Summary

This release focuses heavily on security, hardening the Node HTTP adapter against prototype pollution and adding controls to mitigate SSRF via Unix domain sockets, alongside fixing a critical keep-alive socket memory leak.

⚠️ Breaking Changes

  • The Node HTTP adapter now strictly reads only own properties and uses null-prototype config objects. Configurations for `auth`, `baseURL`, `socketPath`, `beforeRedirect`, and `insecureHTTPParser` that relied on prototype chain properties may no longer function as expected.
  • Non-string values provided for `socketPath` will now be rejected, resulting in an `AxiosError` with code `ERR_BAD_OPTION_VALUE`.

Migration Steps

  1. If you rely on prototype properties in configuration objects like `auth` or `baseURL` when using the Node HTTP adapter, update your configuration to explicitly set these properties directly.
  2. If using Unix domain sockets via `socketPath`, ensure the value is a string. If you need to allowlist specific paths, configure the new `allowedSocketPaths` option.
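A pre-upgrade audit for both migration steps, as an added example that is not axios code: it flags the listed options a config object only inherits, and pre-checks `socketPath`. The helper names, the sample values, and the allowlist matching rule (exact string match, no `..` segments) are assumptions of this sketch, not the behaviour of `allowedSocketPaths`.

```javascript
// Added example, not axios source. Helper names are hypothetical.
// Options the release notes list as read from own properties only.
const OWN_ONLY_KEYS = ['auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];

// Listed options that `config` exposes only through its prototype chain.
// These are the ones the Node HTTP adapter will no longer see.
function findInheritedOptions(config) {
  return OWN_ONLY_KEYS.filter(
    (key) => key in config && !Object.prototype.hasOwnProperty.call(config, key)
  );
}

// Copy own enumerable properties into a null-prototype object, so nothing
// added to Object.prototype can appear as an option.
function toOwnConfig(config) {
  const out = Object.create(null);
  for (const key of Object.keys(config)) out[key] = config[key];
  return out;
}

// Pre-flight check for socketPath. Exact string match against the allowlist and
// rejection of ".." segments are assumptions of this sketch, not axios's rules.
function checkSocketPath(socketPath, allowed) {
  if (socketPath === undefined) return { ok: true };
  if (typeof socketPath !== 'string') return { ok: false, reason: 'not-string' };
  if (socketPath.split('/').includes('..')) return { ok: false, reason: 'not-allowlisted' };
  if (allowed && !allowed.includes(socketPath)) return { ok: false, reason: 'not-allowlisted' };
  return { ok: true };
}

// Constructed sample: defaults shared through a prototype.
const defaults = { baseURL: 'https://api.example.test', auth: { username: 'svc', password: 'placeholder' } };
const legacy = Object.create(defaults);
legacy.url = '/health';
legacy.socketPath = '/run/myapp/api.sock';

// Migrated form: every option set directly on the object that is passed in.
const migrated = { ...legacy, baseURL: defaults.baseURL, auth: defaults.auth };

console.log(findInheritedOptions(legacy));
console.log(findInheritedOptions(migrated));
console.log(checkSocketPath(legacy.socketPath, ['/run/myapp/api.sock']));
console.log(checkSocketPath(42, ['/run/myapp/api.sock']));
```

Running `findInheritedOptions` over the configs your code builds before upgrading shows which call sites need step 1.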

✨ New Features

  • Added an opt-in `allowedSocketPaths` configuration option to restrict permitted Unix domain socket paths when using the Node HTTP adapter.

🐛 Bug Fixes

  • Fixed a keep-alive socket memory leak by installing a single per-socket error listener, preventing accumulation of per-request listeners under concurrent or long-running keep-alive workloads.

Affected Symbols