what stackpulse tracks
Axios releases from GitHub
StackPulse watches Axios release notes and keeps the original source link close to every summary.
#stacks/axios/library
Axios release notes, breaking changes, and upgrade notes.
Promise based HTTP client for the browser and Node.js StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.
releases
8
breaking
3
security
7
deprecated
1
migrations
1
upgrade risk
Breaking changes and deprecations
Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.
migration notes
Source-backed next steps
Migration steps and recommended actions are only shown when the upstream release notes support them.
# latest_releases
source-backedv1.18.0highfeaturesecurityJun 13, 2026
v1.18.0
This release focuses on security improvements, including redirect header safety and URL hardening, along with bug fixes and maintenance updates.
affected
Users relying on custom auth headers or handling malformed URLs may be affected by the security and URL hardening changes.
action
Review and update any code that uses custom headers or handles URLs to ensure compatibility with the new security measures.
release_signals
!Redirect Header Safety: Strips caller-specified sensitive headers on cross-origin redirects to prevent leaks
!URL And Request Hardening: Rejects malformed URLs and tightens config reads, stream size limits, and FormData depth handling
+Added Node HTTP adapter support for stripping sensitive headers on cross-origin redirects
+Rejects malformed `http:` and `https:` URLs that omit `//` with `ERR_INVALID_URL`
+Added `transitional.validateStatusUndefinedResolves` for handling `validateStatus: undefined`
v0.33.0highfeaturesecurityJun 13, 2026
v0.33.0
This release focuses on security hardening for request config handling and form serialization, adds Node.js 26 support, and updates the release workflow.
affected
Users relying on nested request config options or form serialization may be affected by the security hardening changes.
action
Review and test request config handling and form serialization in your application.
release_signals
!Hardens request config handling with own-property reads for nested options.
!Adds bounded form serialization depth checks.
!Normalizes nullish Basic Auth credentials.
!Treats `0.0.0.0` as local for proxy bypass.
+Adds Node.js 26 to the v0.x CI and release/publish matrices.
v1.17.0highfeaturesecurityJun 3, 2026
v1.17.0
This release introduces Node HTTP zstd decompression, hardens security configurations, and fixes various regressions related to authentication, headers, proxies, and type handling.
affected
Users relying on inherited prototype values for `socketPath`, `params`, or `paramsSerializer` may need to adjust their configurations.
action
Review configurations for `socketPath`, `params`, and `paramsSerializer` to ensure they are not relying on inherited prototype values.
release_signals
!Guarded `socketPath`, `params`, and `paramsSerializer` reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths.
!Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance.
+Added Node HTTP adapter support for zstd response decompression, with `transitional.advertiseZstdAcceptEncoding` controlling whether `zstd` is advertised in `Accept-Encoding`.
v1.16.1highbreakingsecurityMay 13, 2026
v1.16.1
This release includes a defence-in-depth fix for prototype pollution in `formDataToJSON`, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.
affected
Users relying on passing `URL` objects as `config.url` will need to revert to string URLs until the feature is reintroduced.
action
Update to v1.16.1 to benefit from security fixes and bug improvements, and revert to string URLs if using `URL` objects as `config.url`.
release_signals
-Reverted support for passing a `URL` object as `config.url` due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed.
!Hardened `formDataToJSON` against already-polluted `Object.prototype` by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization.
!Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations.
!Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline.
v0.32.0criticalbreakingmigrationfeaturesecurityMay 4, 2026
v0.32.0
This release backports security and hardening fixes from the v1.x branch into v0.x, including prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and a breaking change to merged config and header object prototypes.
affected
Users relying on implicit string coercion against merged config or header objects will be affected.
action
Update code to use Object.prototype.hasOwnProperty.call(obj, key) for merged config or header objects.
release_signals
-mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects.
!Default error redaction to prevent credential leaks in logs
!Cookie & XSRF handling improvements
!Proxy bypass IPv6 parity fixes
!Node http adapter hardening with stricter Proxy-Authorization and socketPath handling
!Browser xhr adapter stricter own-property checks
+Default error redaction in AxiosError.toJSON()
+Stricter proxy bypass IPv6 parity handling
+Node http adapter hardening with allowedSocketPaths allowlist
+Browser xhr adapter stricter own-property checks
+Public type surface additions: formDataHeaderPolicy, redact, and allowedSocketPaths
migration_steps1 steps
- 01Use Object.prototype.hasOwnProperty.call(obj, key) for merged config or header objects to avoid implicit string coercion.
v1.16.0highbreakingdeprecationfeaturesecurityMay 2, 2026
v1.16.0
This release introduces support for the QUERY HTTP method and a new `ECONNREFUSED` error constant, along with significant bug fixes for HTTP, fetch, and XHR adapters related to redirects, aborts, headers, and timeouts.
affected
Users relying on `maxBodyLength` and `maxContentLength` in the fetch adapter, or those using percent-encoded credentials in URLs, will be affected.
action
Review the changes related to `maxBodyLength`, `maxContentLength`, and URL-decoded credentials before upgrading.
release_signals
-Fetch adapter now enforces `maxBodyLength` and `maxContentLength`, which were previously ignored.
-Basic auth credentials embedded in URLs are now URL-decoded, changing the behavior for percent-encoded credentials.
-`parseProtocol` now strictly requires a colon in the protocol separator, potentially breaking loose protocol parsing.
!Fetch adapter now enforces `maxBodyLength` and `maxContentLength`, providing better protection against DoS attacks and accidental large uploads.
!Deprecated `unescape()` replaced with modern UTF-8 encoding, affecting non-ASCII URL handling.
+Added support for the QUERY HTTP method across adapters and type definitions.
+Exposed `ECONNREFUSED` as a constant on `AxiosError` for easier error handling.
+Exported the internal `encode` helper from `buildURL` for reuse in userland param serializers.
v1.15.2highfeaturesecurityApr 21, 2026
v1.15.2
This release focuses on security hardening, including prototype pollution mitigation, SSRF prevention via Unix domain sockets, and supply-chain improvements. It also fixes a keep-alive socket memory leak and introduces a new `allowedSocketPaths` config option.
affected
Users relying on Unix domain sockets or handling sensitive configurations in Node.js environments are most affected.
action
Review and update configurations to use the `allowedSocketPaths` option if Unix domain sockets are utilized.
release_signals
!Prototype Pollution Hardening: Hardened Node HTTP adapter and config paths to prevent polluted properties from influencing requests.
!SSRF via `socketPath`: Rejects non-string `socketPath` values and adds `allowedSocketPaths` to restrict Unix domain socket paths.
!Supply-chain Hardening: Added `.npmrc` with `ignore-scripts=true`, lockfile lint CI, and expanded security documentation.
+`allowedSocketPaths` Config Option: New request config option to allowlist Unix domain socket paths used by the Node HTTP adapter.