Comparing axios@1.16.1...axios@1.17.0 • npm-diff.app 📦🔃

     ...targets: Array<AxiosHeaders | axios.RawAxiosHeaders | string | undefined | null>
   ): AxiosHeaders;
-  toJSON(asStrings?: boolean): axios.RawAxiosHeaders;
+  toJSON(asStrings: true): Record<string, string>;
+  toJSON(asStrings?: false): Record<string, string | string[]>;
+  toJSON(asStrings?: boolean): Record<string, string | string[]>;
   static from(thing?: AxiosHeaders | axios.RawAxiosHeaders | string): AxiosHeaders;
   static readonly ETIMEDOUT = 'ETIMEDOUT';
 }
-declare class CanceledError<T> extends AxiosError<T> {}
+declare class CanceledError<T> extends AxiosError<T> {
+  readonly name: 'CanceledError';
+}
 declare class Axios {
   constructor(config?: axios.AxiosRequestConfig);
     forcedJSONParsing?: boolean;
     clarifyTimeoutError?: boolean;
     legacyInterceptorReqResOrdering?: boolean;
+    advertiseZstdAcceptEncoding?: boolean;
   }
   interface GenericAbortSignal {
     CanceledError: typeof CanceledError;
     HttpStatusCode: typeof HttpStatusCode;
     readonly VERSION: string;
-    isCancel(value: any): value is Cancel;
+    isCancel<T = any>(value: any): value is CanceledError<T>;
     all<T>(values: Array<T | Promise<T>>): Promise<T[]>;
     spread<T, R>(callback: (...args: T[]) => R): (array: T[]) => R;
     isAxiosError<T = any, D = any>(payload: any): payload is AxiosError<T, D>;

@@ -101,6 +101,7 @@
101	forcedJSONParsing: validators.transitional(validators.boolean),	101	forcedJSONParsing: validators.transitional(validators.boolean),
102	clarifyTimeoutError: validators.transitional(validators.boolean),	102	clarifyTimeoutError: validators.transitional(validators.boolean),
103	legacyInterceptorReqResOrdering: validators.transitional(validators.boolean),	103	legacyInterceptorReqResOrdering: validators.transitional(validators.boolean),
		104	advertiseZstdAcceptEncoding: validators.transitional(validators.boolean),
104	},	105	},
105	false	106	false
106	);	107	);

@@ -89,7 +89,7 @@
89	const lHeader = normalizeHeader(_header);	89	const lHeader = normalizeHeader(_header);
90		90
91	if (!lHeader) {	91	if (!lHeader) {
92	throw new Error('header name must be a non-empty string');	92	return;
93	}	93	}
94		94
95	const key = utils.findKey(self, lHeader);	95	const key = utils.findKey(self, lHeader);
@@ -117,7 +117,7 @@
117	key;	117	key;
118	for (const entry of header) {	118	for (const entry of header) {
119	if (!utils.isArray(entry)) {	119	if (!utils.isArray(entry)) {
120	throw TypeError('Object iterator must return a key-value pair');	120	throw new TypeError('Object iterator must return a key-value pair');
121	}	121	}
122		122
123	obj[(key = entry[0])] = (dest = obj[key])	123	obj[(key = entry[0])] = (dest = obj[key])

@@ -1,7 +1,7 @@
1	'use strict';	1	'use strict';
2		2
3	import utils from '../utils.js';	3	import utils from '../utils.js';
4	import AxiosURLSearchParams from '../helpers/AxiosURLSearchParams.js';	4	import AxiosURLSearchParams from './AxiosURLSearchParams.js';
5		5
6	/**	6	/**
7	* It replaces URL-encoded forms of `:`, `$`, `,`, and spaces with	7	* It replaces URL-encoded forms of `:`, `$`, `,`, and spaces with

 const { isFunction } = utils;
+/**
+ * Encode a UTF-8 string to a Latin-1 byte string for use with btoa().
+ * This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern.
+ *
+ * @param {string} str The string to encode
+ *
+ * @returns {string} UTF-8 bytes as a Latin-1 string
+ */
+const encodeUTF8 = (str) =>
+  encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) =>
+    String.fromCharCode(parseInt(hex, 16))
+  );
+// Node's WHATWG URL parser returns `username` and `password` percent-encoded.
+// Decode before composing the `auth` option so credentials such as
+// `my%40email.com:pass` are sent as `my@email.com:pass`. Falls back to the
+// original value for malformed input so a bad encoding never throws.
+const decodeURIComponentSafe = (value) => {
+  if (!utils.isString(value)) {
+    return value;
+  }
+  try {
+    return decodeURIComponent(value);
+  } catch (error) {
+    return value;
+  }
+};
 const test = (fn, ...args) => {
   try {
     return !!fn(...args);
+  }
 };
+const maybeWithAuthCredentials = (url) => {
+  const protocolIndex = url.indexOf('://');
+  let urlToCheck = url;
+  if (protocolIndex !== -1) {
+    urlToCheck = urlToCheck.slice(protocolIndex + 3);
+  }
+  return urlToCheck.includes('@') || urlToCheck.includes(':');
+};
 const factory = (env) => {
   const globalObject =
     utils.global !== undefined && utils.global !== null
     const hasMaxContentLength = utils.isNumber(maxContentLength) && maxContentLength > -1;
     const hasMaxBodyLength = utils.isNumber(maxBodyLength) && maxBodyLength > -1;
+    const own = (key) => (utils.hasOwnProp(config, key) ? config[key] : undefined);
     let _fetch = envFetch || fetch;
     let requestContentLength;
     try {
+      // HTTP basic authentication
+      let auth = undefined;
+      const configAuth = own('auth');
+      if (configAuth) {
+        const username = configAuth.username || '';
+        const password = configAuth.password || '';
+        auth = {
+          username,
+          password
+        };
+      }
+      if (maybeWithAuthCredentials(url)) {
+        const parsedURL = new URL(url, platform.origin);
+        if (!auth && (parsedURL.username || parsedURL.password)) {
+          const urlUsername = decodeURIComponentSafe(parsedURL.username);
+          const urlPassword = decodeURIComponentSafe(parsedURL.password);
+          auth = {
+            username: urlUsername,
+            password: urlPassword
+          };
+        }
+        if (parsedURL.username || parsedURL.password) {
+          parsedURL.username = '';
+          parsedURL.password = '';
+          url = parsedURL.href;
+        }
+      }
+      if (auth) {
+        headers.delete('authorization');
+        headers.set(
+          'Authorization',
+          'Basic ' + btoa(encodeUTF8((auth.username || '') + ':' + (auth.password || '')))
+        );
+      }
       // Enforce maxContentLength for data: URLs up-front so we never materialize
       // an oversized payload. The HTTP adapter applies the same check (see http.js
       // "if (protocol === 'data:')" branch).

@@ -1,1 +1,1 @@
1	export const VERSION = "1.16.1";	1	export const VERSION = "1.17.0";

@@ -73,11 +73,11 @@
73	} = options \|\| {};	73	} = options \|\| {};
74		74
75	if (!utils.isFormData(form)) {	75	if (!utils.isFormData(form)) {
76	throw TypeError('FormData instance required');	76	throw new TypeError('FormData instance required');
77	}	77	}
78		78
79	if (boundary.length < 1 \|\| boundary.length > 70) {	79	if (boundary.length < 1 \|\| boundary.length > 70) {
80	throw Error('boundary must be 1-70 characters long');	80	throw new Error('boundary must be 1-70 characters long');
81	}	81	}
82		82
83	const boundaryBytes = textEncoder.encode('--' + boundary + CRLF);	83	const boundaryBytes = textEncoder.encode('--' + boundary + CRLF);

@@ -35,7 +35,7 @@
35	String.fromCharCode(parseInt(hex, 16))	35	String.fromCharCode(parseInt(hex, 16))
36	);	36	);
37		37
38	export default (config) => {	38	function resolveConfig(config) {
39	const newConfig = mergeConfig({}, config);	39	const newConfig = mergeConfig({}, config);
40		40
41	// Read only own properties to prevent prototype pollution gadgets	41	// Read only own properties to prevent prototype pollution gadgets
@@ -56,8 +56,8 @@
56		56
57	newConfig.url = buildURL(	57	newConfig.url = buildURL(
58	buildFullPath(baseURL, url, allowAbsoluteUrls),	58	buildFullPath(baseURL, url, allowAbsoluteUrls),
59	config.params,
60	config.paramsSerializer	59	own('params'),
		60	own('paramsSerializer')
61	);	61	);
62		62
63	// HTTP basic authentication	63	// HTTP basic authentication
@@ -70,8 +70,12 @@
70	}	70	}
71		71
72	if (utils.isFormData(data)) {	72	if (utils.isFormData(data)) {
73	if (platform.hasStandardBrowserEnv \|\| platform.hasStandardBrowserWebWorkerEnv) {
74	headers.setContentType(undefined); // browser handles it	73	if (
		74	platform.hasStandardBrowserEnv \|\|
		75	platform.hasStandardBrowserWebWorkerEnv \|\|
		76	utils.isReactNative(data)
		77	) {
		78	headers.setContentType(undefined); // browser/web worker/RN handles it
75	} else if (utils.isFunction(data.getHeaders)) {	79	} else if (utils.isFunction(data.getHeaders)) {
76	// Node.js FormData (like form-data package)	80	// Node.js FormData (like form-data package)
77	setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy'));	81	setFormDataHeaders(headers, data.getHeaders(), own('formDataHeaderPolicy'));
@@ -103,4 +107,6 @@
103	}	107	}
104		108
105	return newConfig;	109	return newConfig;
106	};	110	}
		111
		112	export default resolveConfig;

@@ -219,7 +219,7 @@
219	}	219	}
220		220
221	if (stack.indexOf(value) !== -1) {	221	if (stack.indexOf(value) !== -1) {
222	throw Error('Circular reference detected in ' + path.join('.'));	222	throw new Error('Circular reference detected in ' + path.join('.'));
223	}	223	}
224		224
225	stack.push(value);	225	stack.push(value);

@@ -5,4 +5,5 @@
5	forcedJSONParsing: true,	5	forcedJSONParsing: true,
6	clarifyTimeoutError: false,	6	clarifyTimeoutError: false,
7	legacyInterceptorReqResOrdering: true,	7	legacyInterceptorReqResOrdering: true,
		8	advertiseZstdAcceptEncoding: false,
8	};	9	};

       return;
+    }
+    // findKey lowercases the key, so caseless lookup only applies to strings —
+    // symbol keys are identity-matched.
+    const targetKey = (caseless && typeof key === 'string' && findKey(result, key)) || key;
     // Read via own-prop only — a bare `result[targetKey]` walks the prototype
     // chain, so a polluted Object.prototype value could surface here and get
     // copied into the merged result.
   };
   for (let i = 0, l = objs.length; i < l; i++) {
+    const source = objs[i];
+    if (!source || isBuffer(source)) {
+      continue;
+    }
+    forEach(source, assignValue);
+    if (typeof source !== 'object' || isArray(source)) {
+      continue;
+    }
+    const symbols = Object.getOwnPropertySymbols(source);
+    for (let j = 0; j < symbols.length; j++) {
+      const symbol = symbols[j];
+      if (propertyIsEnumerable.call(source, symbol)) {
+        assignValue(source[symbol], symbol);
+      }
+    }
+  }
   return result;
+}
     hasOwnProperty.call(obj, prop)
 )(Object.prototype);
+const { propertyIsEnumerable } = Object.prototype;
 /**
  * Determine if a value is a RegExp object
+ *

+{
   "name": "axios",
+  "version": "1.17.0",
   "description": "Promise based HTTP client for the browser and node.js",
   "main": "./dist/node/axios.cjs",
   "module": "./index.js",
     "Justin Beckwith (https://github.com/JustinBeckwith)",
     "Martti Laine (https://github.com/codeclown)",
     "Xianming Zhong (https://github.com/chinesedfan)",
+    "Shaan Majid (https://github.com/shaanmajid)",
     "Willian Agostini (https://github.com/WillianAgostini)",
+    "Shaan Majid (https://github.com/shaanmajid)",
     "Remco Haszing (https://github.com/remcohaszing)",
     "Rikki Gibson (https://github.com/RikkiGibson)"
   ],
     "url": "https://github.com/axios/axios/issues"
   },
   "homepage": "https://axios-http.com",
+  "files": [
+    "index.js",
+    "index.d.ts",
+    "index.d.cts",
+    "CHANGELOG.md",
+    "MIGRATION_GUIDE.md",
+    "lib/",
+    "dist/axios.js",
+    "dist/axios.min.js",
+    "dist/axios.min.js.map",
+    "dist/esm/axios.js",
+    "dist/esm/axios.min.js",
+    "dist/esm/axios.min.js.map",
+    "dist/browser/axios.cjs",
+    "dist/node/axios.cjs"
+  ],
   "scripts": {
     "build": "gulp clear && cross-env NODE_ENV=production rollup -c -m",
     "version": "npm run build && git add package.json",
   },
   "devDependencies": {
     "@babel/core": "^7.29.0",
+    "@babel/preset-env": "^7.29.2",
+    "@commitlint/cli": "^20.5.0",
+    "@babel/preset-env": "^7.29.5",
+    "@commitlint/cli": "^21.0.1",
+    "@commitlint/config-conventional": "^21.0.1",
     "@eslint/js": "^10.0.1",
     "@rollup/plugin-alias": "^6.0.0",
     "@rollup/plugin-babel": "^7.0.0",
     "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^16.0.3",
     "@rollup/plugin-terser": "^1.0.0",
+    "@vitest/browser": "^4.1.5",
+    "@vitest/browser": "^4.1.7",
+    "@vitest/browser-playwright": "^4.1.7",
     "abortcontroller-polyfill": "^1.7.8",
     "acorn": "^8.16.0",
     "body-parser": "^2.2.2",
     "chalk": "^5.6.2",
     "cross-env": "^10.1.0",
     "dev-null": "^0.1.1",
+    "eslint": "^10.4.0",
     "express": "^5.2.1",
     "formdata-node": "^6.0.3",
     "formidable": "^3.5.4",
     "fs-extra": "^11.3.4",
     "get-stream": "^9.0.1",
+    "globals": "^17.6.0",
     "gulp": "^5.0.1",
     "husky": "^9.1.7",
+    "lint-staged": "^17.0.5",
     "minimist": "^1.2.8",
     "multer": "^2.1.1",
+    "playwright": "^1.60.0",
     "prettier": "^3.8.3",
+    "rollup": "^4.60.4",
     "rollup-plugin-bundle-size": "^1.0.3",
     "selfsigned": "^5.5.0",
     "stream-throttle": "^0.1.3",
     "typescript": "^5.9.3",
+    "vitest": "^4.1.7"
   },
   "commitlint": {
     "rules": {

 # Changelog
+## v1.16.1 — May 13, 2026
+This release ships a defence-in-depth fix for prototype pollution in `formDataToJSON`, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.
+## 🔒 Security Fixes
+* **Prototype Pollution Defence-in-Depth:** Hardened `formDataToJSON` against already-polluted `Object.prototype` by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (__#7413__)
+* **Proxy Cleartext Leak:** Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (__#10858__)
+* **CI Cache Removal:** Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (__#10882__)
+## 🐛 Bug Fixes
+* **Data URI Parsing:** Updated the `fromDataURI` regex to match RFC 2397 more strictly, fixing edge cases in `data:` URL handling. (__#10829__)
+* **Unicode Headers:** Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (__#10850__)
+* **XHR Upload Progress:** Guarded against malformed `ProgressEvent` payloads emitted by some environments during XHR upload, preventing crashes when `loaded` / `total` are missing or invalid. (__#10868__)
+* **Webpack 4 Fetch Adapter:** Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (__#10864__)
+* **Type Definitions:** Made `parseReviver` `context.source` optional in the type definitions to align with the ES2023 specification. (__#10837__)
+* **URL Object Support Reverted:** Reverted the change that allowed passing a `URL` object as `config.url` (originally __#10866__) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (__#10874__)
+## 🔧 Maintenance & Chores
+* **Cycle Detection Refactor:** Replaced the array-based cycle tracker in `toJSONObject` with a `WeakSet`, improving performance and memory behaviour on large nested structures. (__#10832__)
+* **composeSignals Cleanup:** Refactored `composeSignals` to use a clearer early-return structure, simplifying the cancellation/abort composition path. (__#10844__)
+* **AI Readiness & Repo Docs:** Added `AGENTS.md` and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (__#10835__, __#10841__)
+* **Docs Improvements:** Clarified the GET request example, fixed the interceptor `eject` example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (__#10836__, __#10853__, __#10856__)
+* **Sponsorship Tooling:** Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (__#10843__, __#10859__, __#10869__)
+* **Dependencies:** Bumped `@commitlint/cli` from 20.5.0 to 20.5.2. (__#10846__)
+## 🌟 New Contributors
+We are thrilled to welcome our new contributors. Thank you for helping improve axios:
+* __@hpinmetaverse__ (__#10836__)
+* __@tommyhgunz14__ (__#7413__)
+* __@abhu85__ (__#10829__)
+* __@divyanshuraj1095__ (__#10853__)
+* __@sagodi97__ (__#10856__)
+* __@rkdfx__ (__#10868__)
+* __@Liuwei1125__ (__#10866__)
+[Full Changelog](https://github.com/axios/axios/compare/v1.16.0...v1.16.1)
 ## v1.16.0 — May 2, 2026
 This release adds support for the QUERY HTTP method and a new `ECONNREFUSED` error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

+'use strict';
+// Node-only: relies on the built-in `http2` module. Browser/react-native
+// builds replace `lib/adapters/http.js` (the sole importer) with `lib/helpers/null.js`
+// via the `browser` package.json field, so this module is never reached in
+// those environments. Do not import it from any browser-reachable code path.
+import http2 from 'http2';
+import util from 'util';
+class Http2Sessions {
+  constructor() {
+    this.sessions = Object.create(null);
+  }
+  getSession(authority, options) {
+    options = Object.assign(
+      {
+        sessionTimeout: 1000,
+      },
+      options
+    );
+    let authoritySessions = this.sessions[authority];
+    if (authoritySessions) {
+      let len = authoritySessions.length;
+      for (let i = 0; i < len; i++) {
+        const [sessionHandle, sessionOptions] = authoritySessions[i];
+        if (
+          !sessionHandle.destroyed &&
+          !sessionHandle.closed &&
+          util.isDeepStrictEqual(sessionOptions, options)
+        ) {
+          return sessionHandle;
+        }
+      }
+    }
+    const session = http2.connect(authority, options);
+    let removed;
+    let timer;
+    const removeSession = () => {
+      if (removed) {
+        return;
+      }
+      removed = true;
+      if (timer) {
+        clearTimeout(timer);
+        timer = null;
+      }
+      let entries = authoritySessions,
+        len = entries.length,
+        i = len;
+      while (i--) {
+        if (entries[i][0] === session) {
+          if (len === 1) {
+            delete this.sessions[authority];
+          } else {
+            entries.splice(i, 1);
+          }
+          if (!session.closed) {
+            session.close();
+          }
+          return;
+        }
+      }
+    };
+    const originalRequestFn = session.request;
+    const { sessionTimeout } = options;
+    if (sessionTimeout != null) {
+      let streamsCount = 0;
+      session.request = function () {
+        const stream = originalRequestFn.apply(this, arguments);
+        streamsCount++;
+        if (timer) {
+          clearTimeout(timer);
+          timer = null;
+        }
+        stream.once('close', () => {
+          if (!--streamsCount) {
+            timer = setTimeout(() => {
+              timer = null;
+              removeSession();
+            }, sessionTimeout);
+          }
+        });
+        return stream;
+      };
+    }
+    session.once('close', removeSession);
+    let entry = [session, options];
+    authoritySessions
+      ? authoritySessions.push(entry)
+      : (authoritySessions = this.sessions[authority] = [entry]);
+    return session;
+  }
+}
+export default Http2Sessions;

Comparingaxios@1.16.1

Comparingaxios@1.16.1

Source

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

dist/browser/axios.cjs +++121---15

dist/node/axios.cjs +++249---107

index.d.cts +++8---3

dist/axios.js +++113---21

dist/esm/axios.js +++121---15

lib/core/Axios.js +++1---0

lib/core/AxiosHeaders.js +++2---2

lib/helpers/buildURL.js +++1---1

lib/env/data.js +++1---1

lib/adapters/fetch.js +++79---0

lib/helpers/formDataToStream.js +++2---2

lib/adapters/http.js +++62---118

lib/helpers/resolveConfig.js +++12---6

lib/helpers/toFormData.js +++1---1

lib/defaults/transitional.js +++1---0

lib/utils.js +++23---2

package.json +++29---13

CHANGELOG.md +++42---0

README.md +++237---237

index.d.ts +++4---1

lib/helpers/Http2Sessions.js +++119---0

+++0---0

dist/browser/axios.cjs +++121---15

dist/node/axios.cjs +++249---107

index.d.cts +++8---3

dist/axios.js +++113---21

dist/esm/axios.js +++121---15

lib/core/Axios.js +++1---0

lib/core/AxiosHeaders.js +++2---2

lib/helpers/buildURL.js +++1---1

lib/env/data.js +++1---1

lib/adapters/fetch.js +++79---0

lib/helpers/formDataToStream.js +++2---2

lib/adapters/http.js +++62---118

lib/helpers/resolveConfig.js +++12---6

lib/helpers/toFormData.js +++1---1

lib/defaults/transitional.js +++1---0

lib/utils.js +++23---2

package.json +++29---13

CHANGELOG.md +++42---0

README.md +++237---237

index.d.ts +++4---1

lib/helpers/Http2Sessions.js +++119---0

Packagephobia

Bundlephobia

Source

Source

Comparing
`axios@1.16.1`

Comparing
`axios@1.16.1`