what stackpulse tracks
Axios releases from GitHub
StackPulse watches Axios release notes and keeps the original source link close to every summary.
#stacks/axios/library
Axios release notes, breaking changes, and upgrade notes.
Promise based HTTP client for the browser and Node.js StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.
releases
8
breaking
3
security
7
deprecated
1
migrations
1
upgrade risk
Breaking changes and deprecations
Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.
migration notes
Source-backed next steps
Migration steps and recommended actions are only shown when the upstream release notes support them.
# latest_releases
source-backedv1.16.1highbreakingsecurityMay 13, 2026
v1.16.1
This release includes a defence-in-depth fix for prototype pollution in `formDataToJSON`, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.
affected
Users relying on passing `URL` objects as `config.url` will need to revert to string URLs until the feature is reintroduced.
action
Update to v1.16.1 to benefit from security fixes and bug improvements, and revert to string URLs if using `URL` objects as `config.url`.
release_signals
-Reverted support for passing a `URL` object as `config.url` due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed.
!Hardened `formDataToJSON` against already-polluted `Object.prototype` by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization.
!Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations.
!Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline.
v0.32.0criticalbreakingmigrationfeaturesecurityMay 4, 2026
v0.32.0
This release backports security and hardening fixes from the v1.x branch into v0.x, including prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and a breaking change to merged config and header object prototypes.
affected
Users relying on implicit string coercion against merged config or header objects will be affected.
action
Update code to use Object.prototype.hasOwnProperty.call(obj, key) for merged config or header objects.
release_signals
-mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects.
!Default error redaction to prevent credential leaks in logs
!Cookie & XSRF handling improvements
!Proxy bypass IPv6 parity fixes
!Node http adapter hardening with stricter Proxy-Authorization and socketPath handling
!Browser xhr adapter stricter own-property checks
+Default error redaction in AxiosError.toJSON()
+Stricter proxy bypass IPv6 parity handling
+Node http adapter hardening with allowedSocketPaths allowlist
+Browser xhr adapter stricter own-property checks
+Public type surface additions: formDataHeaderPolicy, redact, and allowedSocketPaths
migration_steps1 steps
- 01Use Object.prototype.hasOwnProperty.call(obj, key) for merged config or header objects to avoid implicit string coercion.
v1.16.0highbreakingdeprecationfeaturesecurityMay 2, 2026
v1.16.0
This release introduces support for the QUERY HTTP method and a new `ECONNREFUSED` error constant, along with significant bug fixes for HTTP, fetch, and XHR adapters related to redirects, aborts, headers, and timeouts.
affected
Users relying on `maxBodyLength` and `maxContentLength` in the fetch adapter, or those using percent-encoded credentials in URLs, will be affected.
action
Review the changes related to `maxBodyLength`, `maxContentLength`, and URL-decoded credentials before upgrading.
release_signals
-Fetch adapter now enforces `maxBodyLength` and `maxContentLength`, which were previously ignored.
-Basic auth credentials embedded in URLs are now URL-decoded, changing the behavior for percent-encoded credentials.
-`parseProtocol` now strictly requires a colon in the protocol separator, potentially breaking loose protocol parsing.
!Fetch adapter now enforces `maxBodyLength` and `maxContentLength`, providing better protection against DoS attacks and accidental large uploads.
!Deprecated `unescape()` replaced with modern UTF-8 encoding, affecting non-ASCII URL handling.
+Added support for the QUERY HTTP method across adapters and type definitions.
+Exposed `ECONNREFUSED` as a constant on `AxiosError` for easier error handling.
+Exported the internal `encode` helper from `buildURL` for reuse in userland param serializers.