Skip to content

Bump axios from 0.31.1 to 0.32.0#320

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/axios-0.32.0
Closed

Bump axios from 0.31.1 to 0.32.0#320
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/axios-0.32.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 30, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps axios from 0.31.1 to 0.32.0.

Release notes

Sourced from axios's releases.

v0.32.0 — May 4, 2026

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

⚠️ Breaking Changes & Deprecations

  • Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)

🔒 Security Fixes

  • Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
  • Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
  • Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
  • Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
  • Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
  • URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
  • Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)

🔧 Maintenance & Chores

  • Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)

Full Changelog

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 30, 2026
@dependabot
Bump axios from 0.31.1 to 0.32.0
2d4f7e9 
Bumps [axios](https://github.com/axios/axios) from 0.31.1 to 0.32.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.31.1...v0.32.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 0.32.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-0.32.0 branch from edab8b3 to 2d4f7e9 Compare June 2, 2026 11:06
@dependabot @github

dependabot Bot commented on behalf of github Jun 5, 2026

Copy link
Copy Markdown
Contributor Author

Looks like axios is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 5, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/axios-0.32.0 branch June 5, 2026 11:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants