Sourced from axios's releases.
v1.15.0
This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.
⚠️ Important Changes
- Deprecation:
url.parse()usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)🔒 Security Fixes
- Proxy Handling: Fixed a
no_proxyhostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)- Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)
🚀 New Features
- Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)
🔧 Maintenance & Chores
- CI Security: Hardened workflow permissions to least privilege, added the
zizmorsecurity scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)- Dependencies: Bumped
serialize-javascript,handlebars,picomatch,vite, anddenoland/setup-denoto latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)- Documentation: Unified docs, improved
beforeRedirectcredential leakage example, clarifiedwithCredentials/withXSRFTokenbehaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)- Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
- Tests: Added regression coverage for urlencoded
Content-Typecasing. (#10573)🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve Axios:
@raashish1601(#10573)@Kilros0817(#10625)@ashstrc(#10624)@Abhi3975(#10589)@theamodhshetty(#7452)v1.14.0
This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.
⚠️ Important Changes
- Breaking Changes: None identified in this release.
- Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably
proxy-from-envv2 alignment andmainentry compatibility fix).🚀 New Features
- Runtime Features: No new end-user features were introduced in this release.
- Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)
🐛 Bug Fixes
- Headers: Trim trailing CRLF in normalised header values. (#7456)
- HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
- Fetch Adapter: Cancel
ReadableStreamcreated during request-stream capability probing to prevent async resource leaks. (#7515)- Proxy Handling: Fixed env proxy behavior with
proxy-from-envv2 usage. (#7499)
... (truncated)
Sourced from axios's changelog.
Changelog
1.13.3 (2026-01-20)
Bug Fixes
- http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
- interceptor: handle the error in the same interceptor (#6269) (5945e40)
- main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
- package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
- silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
- turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
- types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
- types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
- unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)
Features
- add
undefinedas a value in AxiosRequestConfig (#5560) (095033c)- add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
- add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
- added copilot instructions (3f83143)
- compatibility with frozen prototypes (#6265) (860e033)
- enhance pipeFileToResponse with error handling (#7169) (88d7884)
- types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471
Reverts
- Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
- deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)
Contributors to this release
... (truncated)
772a4e5
chore(release): prepare release 1.15.0 (#10671)4b07137
chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)51e57b3
chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)fba1a77
chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)0bf6e28
chore(deps): bump denoland/setup-deno in the github-actions group (#10669)8107157
chore(deps-dev): bump the development_dependencies group with 4 updates
(#10670)e66530e
ci: require npm-publish environment for releases (#10666)49f23cb
chore(sponsor): update sponsor block (#10668)3631854
fix: unrestricted cloud metadata exfiltration via header injection chain
(#10...fb3befb
fix: no_proxy hostname normalization bypass leads to ssrf (#10661)This version modifies prepare script that runs during
installation. Review the package contents before updating.