axios v1.16.1
1 breaking change · 1 feature · 8 fixes · 5 symbols
Summary
This release focuses heavily on security, hardening `formDataToJSON` against prototype pollution and fixing a cleartext leak via HTTP proxies. It also restores compatibility with Webpack 4 and includes several maintenance refactors.
⚠️ Breaking Changes
- Support for passing a `URL` object as `config.url` has been reverted due to regressions. If you relied on this feature, revert to passing strings for the URL configuration.
Migration Steps
- If you were passing a `URL` object to `config.url`, change it back to passing a string URL.
✨ New Features
- Hardened `formDataToJSON` against prototype pollution by walking own properties only.
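
Why walking own properties only matters when bracketed field names are expanded into nested objects, shown as an added JavaScript illustration. This is not axios source: `parsePath`, `naiveToJSON`, `hardenedToJSON`, `defineOwn` and `demo` are hypothetical names, and the field names are constructed sample input.

```javascript
// Added illustration, not axios source: every name below is hypothetical.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
// "user[name]" -> ["user", "name"]
const parsePath = (name) => Array.from(name.matchAll(/\w+/g), (m) => m[0]);

// Naive walk: target[key] also resolves inherited members, so the segment
// "__proto__" hands back Object.prototype and the next write lands on it.
function naiveToJSON(entries) {
  const out = {};
  for (const [name, value] of entries) {
    const path = parsePath(name);
    let target = out;
    path.forEach((key, i) => {
      if (i === path.length - 1) { target[key] = value; return; }
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      target = target[key];
    });
  }
  return out;
}

// Create or overwrite an own data property without triggering the __proto__ setter.
const defineOwn = (obj, key, value) =>
  (Object.defineProperty(obj, key, { value, writable: true, enumerable: true, configurable: true }), value);

// Hardened walk: descend only into own properties, write only own properties.
function hardenedToJSON(entries) {
  const out = {};
  for (const [name, value] of entries) {
    const path = parsePath(name);
    let target = out;
    path.forEach((key, i) => {
      if (i === path.length - 1) { defineOwn(target, key, value); return; }
      const next = hasOwn(target, key) ? target[key] : undefined;
      target = typeof next === 'object' && next !== null ? next : defineOwn(target, key, {});
    });
  }
  return out;
}

// Runs both walkers over constructed input and reports whether Object.prototype changed.
function demo() {
  const entries = [['user[name]', 'alice'], ['__proto__[polluted]', 'yes']]; // constructed
  naiveToJSON(entries);
  const naivePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // restore the prototype before the second run
  const safe = hardenedToJSON(entries);
  return { naivePolluted, hardenedPolluted: 'polluted' in {}, safe };
}
console.log(demo());
```

In the hardened walk the `__proto__` segment ends up as an ordinary own key of the result object, so the shared prototype is never reached.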
🐛 Bug Fixes
- Fixed an issue where HTTPS request data could leak in cleartext to an HTTP proxy under specific configurations.
- Removed all GitHub Actions caches as a defence-in-depth security measure against cache poisoning.
- Updated the `fromDataURI` regex to match RFC 2397 more strictly, resolving edge cases in `data:` URL handling.
- Unicode header values are now preserved when passing through request interceptors, preventing corruption of non-ASCII header content.
- Guarded against malformed `ProgressEvent` payloads during XHR uploads, preventing crashes when `loaded` or `total` properties are missing or invalid.
- Fixed an "unexpected token" error in the fetch adapter that prevented compatibility with Webpack 4.
- Made `parseReviver` `context.source` optional in type definitions to align with the ES2023 specification.
- Fixed empty sponsor arrays in the sponsor processing script and added the ability to inject additional sponsors.