v1.18.0
📦 axiosView on GitHub →
✨ 2 features🐛 2 fixes🔧 6 symbols
Summary
Version 1.18.0 focuses on security hardening related to redirects and URL parsing, and introduces configuration options to control the behavior of `validateStatus` when undefined.
Migration Steps
- If you relied on `validateStatus: undefined` behaving a certain way previously, consider setting `transitional.validateStatusUndefinedResolves: true` if you wish to maintain that behavior, otherwise it defaults to false (treating undefined like omitted).
✨ New Features
- Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects to prevent auth header leakage.
- Introduced `transitional.validateStatusUndefinedResolves` option to allow opting into treating `validateStatus: undefined` as if the option was omitted.
🐛 Bug Fixes
- Rejected malformed `http:` and `https:` URLs that omit `//` with `ERR_INVALID_URL`.
- Tightened prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local `NO_PROXY` matching.