Merged
Co-authored-by: DigitalBrainJS <12586868+DigitalBrainJS@users.noreply.github.com>
Co-authored-by: Dmitriy Mozgovoy <robotshara@gmail.com>
…am reader instead of an async iterator; (#6584)
Co-authored-by: DigitalBrainJS <12586868+DigitalBrainJS@users.noreply.github.com>
Co-authored-by: Jay <jasonsaayman@gmail.com>
* add mergeConfig types * Update index.d.ts --------- Co-authored-by: Jay <jasonsaayman@gmail.com>
* chore(tests): add failing tests for baseUrl * chore(tests): simplify to just warning * feat: warn about likely-misspelled options * chore: add semi-colon * chore: add missing semi-colons --------- Co-authored-by: Ell Bradshaw <ell@c9a.co> Co-authored-by: Jay <jasonsaayman@gmail.com>
* CI: add Node.js 22, drop non-LTS 21 * CI: update actions versions 3 -> 4 Previous actions version showed deprecation warnings when run. Update them to V4
Co-authored-by: DigitalBrainJS <12586868+DigitalBrainJS@users.noreply.github.com>
Co-authored-by: rana-aakash <aakash.rana@rooter.io> Co-authored-by: Dmitriy Mozgovoy <robotshara@gmail.com>
…updates (#7282) Bumps the github-actions group with 2 updates in the / directory: [actions/checkout](https://github.com/actions/checkout) and [ffurrer2/extract-release-notes](https://github.com/ffurrer2/extract-release-notes). Updates `actions/checkout` from 5 to 6 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v5...v6) Updates `ffurrer2/extract-release-notes` from 2 to 3 - [Release notes](https://github.com/ffurrer2/extract-release-notes/releases) - [Changelog](https://github.com/ffurrer2/extract-release-notes/blob/main/CHANGELOG.md) - [Commits](ffurrer2/extract-release-notes@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: ffurrer2/extract-release-notes dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jay <jasonsaayman@gmail.com>
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.1 to 2.1.4. - [Commits](mafintosh/tar-fs@v2.1.1...v2.1.4) --- updated-dependencies: - dependency-name: tar-fs dependency-version: 2.1.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jay <jasonsaayman@gmail.com>
…id param reassignment (#7272) Co-authored-by: Jay <jasonsaayman@gmail.com>
* docs: add abort controller example * docs: add typescript example for custom instance * Update server.js * Delete examples/abort-controller/server.js * Delete examples/abort-controller/index.html --------- Co-authored-by: Jay <jasonsaayman@gmail.com>
Co-authored-by: Dmitriy Mozgovoy <robotshara@gmail.com>
Co-authored-by: DigitalBrainJS <12586868+DigitalBrainJS@users.noreply.github.com>
Moved the existing API client generators to their own section and added Hey API
Bumps the github-actions group with 1 update: [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request). Updates `peter-evans/create-pull-request` from 7 to 8 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@v7...v8) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…y with 2 updates (#7231) Bumps the production_dependencies group with 2 updates in the / directory: [follow-redirects](https://github.com/follow-redirects/follow-redirects) and [form-data](https://github.com/form-data/form-data). Updates `follow-redirects` from 1.15.6 to 1.15.11 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.6...v1.15.11) Updates `form-data` from 4.0.4 to 4.0.5 - [Release notes](https://github.com/form-data/form-data/releases) - [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md) - [Commits](form-data/form-data@v4.0.4...v4.0.5) --- updated-dependencies: - dependency-name: follow-redirects dependency-version: 1.15.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production_dependencies - dependency-name: form-data dependency-version: 4.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production_dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jay <jasonsaayman@gmail.com>
Co-authored-by: Jay <jasonsaayman@gmail.com>
* test(http): fix HTTPS protocol test by using local HTTPS server instead of external request * docs: update var usage in documentation examples * docs: updated var to const --------- Co-authored-by: Jay <jasonsaayman@gmail.com>
Co-authored-by: Jay <jasonsaayman@gmail.com>
* fix(types): add handlers to AxiosInterceptorManager interface * fix: runwhen should be optional Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * chore: make handlers optional * chore: optional handlers --------- Co-authored-by: Tibor Pilz <tibor.pilz@iu.org> Co-authored-by: Jay <jasonsaayman@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…5756) When #4787 was implemented, the project was switched to `"type": "module"` and "./index.js" became an esm file instead of commonjs, however, the "main" entry in package.json still points to "index.js". As a result, consumers using this field may get unexpected behavior since the main field is supposed to be commonjs if the entry is provided. Many consumers won't run into this as a practical problem (for example when just doing `const axios = require('axios').default` from inside of a cjs file in node) because the "exports" map takes precedence over the main/module fields, but tools that don't parse the object map when resolving still run into problems here. The fix for this is to just point the "main" entry-point to the commonjs artifacts located at "./dist/node/index.cjs". I also added a module entrypoint to improve compatibility for the cases where the export map is not used (webpack 4 for example) since that would likely be reading the cjs "main" entrypoint now that main has switched back to cjs. Co-authored-by: Jay <jasonsaayman@gmail.com>
* fix(interceptor): handle the error in the same interceptor * fix(interceptor): pass the config and data in promise chain * fix(interceptor): filter out unexpected config and data in promise chain --------- Co-authored-by: Jay <jasonsaayman@gmail.com>
* Initial plan * fix(types): restore AxiosError.cause type from unknown to Error Co-authored-by: jasonsaayman <4814473+jasonsaayman@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jasonsaayman <4814473+jasonsaayman@users.noreply.github.com>
Co-authored-by: DigitalBrainJS <12586868+DigitalBrainJS@users.noreply.github.com>
* chore: add mise * chore: re-position ci * chore: move sponsors script * chore: fix yml * chore: yml * fix: yml * fix: yml * chore: tweak sponsor yml * chore: implement security suggestion * chore: update templates for issues and PRs and update all workflows * fix: copilot feedback * feat: always run CI * fix: linked resources * chore: cancel run if new run starts * feat: generate release notes with copilot
29 issues found across 242 files
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="lib/core/AxiosError.js">
<violation number="1" location="lib/core/AxiosError.js:6">
P2: The `from` method no longer copies all properties from the original error via `toFlatObject`. While the original error is preserved in `cause`, this is a breaking change - code accessing properties like `error.errno` directly (instead of `error.cause.errno`) will fail. Consider restoring `toFlatObject` call or documenting this as a breaking change.</violation>
</file>
<file name="lib/helpers/combineURLs.js">
<violation number="1" location="lib/helpers/combineURLs.js:13">
P1: Regex regression: `/\/?\/$/` only removes at most 2 trailing slashes, whereas the original `/\/+$/` removed all trailing slashes. URLs with 3+ trailing slashes will not be normalized correctly, potentially causing malformed combined URLs.</violation>
</file>
<file name="lib/adapters/http.js">
<violation number="1" location="lib/adapters/http.js:361">
P2: Remove debug `console.warn` from production code. This will log to the console whenever an abort error is emitted, which is inappropriate for a library.</violation>
</file>
<file name=".npmignore">
<violation number="1" location=".npmignore:2">
P1: Unignore the `dist/` directory itself before unignoring its contents; otherwise `dist` remains excluded and the package will ship without built artifacts.</violation>
<violation number="2" location=".npmignore:3">
P1: Unignore the `lib/` directory before its contents so the published package includes `lib` artifacts.</violation>
</file>
<file name="lib/helpers/formDataToJSON.js">
<violation number="1" location="lib/helpers/formDataToJSON.js:45">
P2: Incorrect JSDoc type annotation. The parameter description says "The FormData object to convert to JSON" but the type is annotated as `{string}`. Should be `{FormData}` to match the actual expected type and description.</violation>
</file>
<file name=".github/workflows/release-branch.yml">
<violation number="1" location=".github/workflows/release-branch.yml:46">
P2: `commit-message` uses a GitHub expression (`${{version}}`) instead of the action’s `{{version}}` placeholder. This will not resolve to the bumped version and can fail the workflow with an undefined expression. Use the action’s `{{version}}` template instead.</violation>
</file>
<file name="README.md">
<violation number="1" location="README.md:1653">
P2: The fetch adapter example destructures `data` from a Promise without awaiting it, so the snippet doesn’t work as written. Use `await` (or `.then`) when reading the response.</violation>
<violation number="2" location="README.md:1665">
P2: This example also destructures `data` from a Promise without awaiting it. Add `await` (or show a `.then`) so readers can copy/paste a working snippet.</violation>
</file>
<file name="lib/helpers/formDataToStream.js">
<violation number="1" location="lib/helpers/formDataToStream.js:75">
P2: The error message says "10-70 characters" but the condition actually validates "1-70 characters" (`boundary.length < 1`). This mismatch will confuse users when they see an error for a boundary less than 10 chars that should actually be valid.</violation>
</file>
<file name="lib/core/buildFullPath.js">
<violation number="1" location="lib/core/buildFullPath.js:18">
P2: Use strict equality (`===`) instead of loose equality (`==`) when comparing with `false`. Loose equality causes `0 == false` and `"" == false` to be `true`, which could lead to unexpected URL combining behavior.</violation>
</file>
<file name="examples/postMultipartFormData/index.html">
<violation number="1" location="examples/postMultipartFormData/index.html:514">
P2: Potential XSS vulnerability: `err.message` is rendered using `innerHTML`. If the error message contains malicious HTML (e.g., from a malformed server response), it could execute arbitrary scripts. Use `textContent` instead for untrusted content.</violation>
<violation number="2" location="examples/postMultipartFormData/index.html:520">
P2: Potential XSS vulnerability: `err.message` is rendered using `innerHTML` without sanitization. Use `textContent` or properly escape the error message before inserting into the DOM.</violation>
</file>
<file name="examples/abort-controller/index.html">
<violation number="1" location="examples/abort-controller/index.html:60">
P2: Avoid injecting server response data with innerHTML; it can execute HTML/JS if the message contains markup. Use textContent and set the CSS class separately.</violation>
<violation number="2" location="examples/abort-controller/index.html:111">
P2: Do not render server response content via innerHTML. Use textContent and update classes separately to prevent XSS.</violation>
</file>
<file name="lib/helpers/composeSignals.js">
<violation number="1" location="lib/helpers/composeSignals.js:38">
P1: Race condition: if any input signal is already aborted, the composed signal will never be notified. The `abort` event only fires once, so if a signal was aborted before `addEventListener` is called, the handler will never execute. Check `signal.aborted` after adding the listener.</violation>
</file>
<file name="examples/abort-controller/server.js">
<violation number="1" location="examples/abort-controller/server.js:9">
P3: Use the standard JSON media type (`application/json`) so clients parse the response correctly.</violation>
</file>
<file name="examples/server.js">
<violation number="1" location="examples/server.js:73">
P0: Path validation is broken because this file is already in `examples/` directory. `path.join(__dirname, 'examples')` creates `examples/examples/` which doesn't exist, causing all file requests to fail. Should use `__dirname` directly as the base path.</violation>
<violation number="2" location="examples/server.js:77">
P1: The `startsWith` check for path traversal prevention is vulnerable. A path like `/base/path-evil/file` would pass a check for `/base/path`. Use `safeBasePath + path.sep` to ensure proper directory boundary checking.</violation>
</file>
<file name="lib/core/settle.js">
<violation number="1" location="lib/core/settle.js:12">
P3: The JSDoc now claims this function returns the response object, but `settle` does not return anything (it only calls `resolve`/`reject`). This makes the documentation/typing misleading for consumers.</violation>
</file>
<file name="MIGRATION_GUIDE.md">
<violation number="1" location="MIGRATION_GUIDE.md:411">
P2: The documented default `maxContentLength`/`maxBodyLength` values are inaccurate; axios defaults set both to `-1` (no limit). Update the defaults section so migration guidance matches actual behavior.</violation>
</file>
<file name="lib/helpers/buildURL.js">
<violation number="1" location="lib/helpers/buildURL.js:7">
P2: The JSDoc comment is outdated - it claims the function handles `[` and `]` characters, but those replacements were removed from the implementation. Update the comment to match the actual behavior.</violation>
</file>
<file name="lib/adapters/xhr.js">
<violation number="1" location="lib/adapters/xhr.js:112">
P2: Inconsistent config variable: should use `_config` (resolved config) instead of `config` to match the rest of the adapter.</violation>
<violation number="2" location="lib/adapters/xhr.js:178">
P2: Inconsistent config variable: should use `_config` (resolved config) instead of `config` to match the rest of the adapter.</violation>
</file>
<file name="lib/core/dispatchRequest.js">
<violation number="1" location="lib/core/dispatchRequest.js:46">
P1: Unconditionally setting `application/x-www-form-urlencoded` as the default Content-Type for POST/PUT/PATCH requests is incorrect. This will apply the wrong content-type to requests with raw string data or other payloads where `transformRequest` doesn't explicitly set a content-type. This changes axios's default behavior in an unexpected way - for example, `axios.post('/api', 'plain text')` would now incorrectly have `Content-Type: application/x-www-form-urlencoded` instead of no content-type. Consider removing this line or making it conditional based on the actual data type.</violation>
</file>
<file name="lib/core/AxiosHeaders.js">
<violation number="1" location="lib/core/AxiosHeaders.js:277">
P1: Logic bug: This always resets `this[$internals]` to a new object on every call, losing track of previously registered accessors. The inner `=` should be `||` to only initialize when the object doesn't exist.</violation>
</file>
<file name="lib/core/Axios.js">
<violation number="1" location="lib/core/Axios.js:184">
P1: Calling `.call()` on potentially undefined `onRejected` will crash. When interceptors are registered without a rejection handler via `use(fulfilled)`, the `rejected` property is `undefined`. Add a null check before invoking.</violation>
<violation number="2" location="lib/core/Axios.js:199">
P2: Using `.then(fn).catch(handler)` instead of `.then(fn, handler)` changes interceptor error propagation semantics. Errors thrown by fulfilled handlers will now be caught by the paired rejection handler, which differs from the standard axios interceptor behavior.</violation>
</file>
<file name="lib/helpers/ZlibHeaderTransformStream.js">
<violation number="1" location="lib/helpers/ZlibHeaderTransformStream.js:16">
P2: Zlib headers are not limited to CMF 0x78. Treating any other CMF as “missing header” will prepend a default header to valid streams (e.g., CMF 0x58), corrupting decompression. Consider validating the full CMF/FLG per RFC 1950 instead of checking only `chunk[0] !== 0x78`.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
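The directory-boundary point raised for `examples/server.js:77` can be reproduced in isolation. This is an added example, not the code under review: `resolveNaive`, `resolveStrict`, the base directory and the request paths are all constructed for illustration, and POSIX paths are assumed.

```javascript
const path = require('node:path');

// Weak form described in the review: a bare string-prefix comparison.
function resolveNaive(baseDir, urlPath) {
  const base = path.resolve(baseDir);
  const target = path.join(base, urlPath); // join() normalizes ".." segments
  return target.startsWith(base) ? target : null;
}

// Hardened form: the match must end on a directory boundary (base + path.sep).
function resolveStrict(baseDir, urlPath) {
  const base = path.resolve(baseDir);
  const target = path.join(base, urlPath);
  // Avoid a doubled separator when the base is the filesystem root.
  const prefix = base.endsWith(path.sep) ? base : base + path.sep;
  return target === base || target.startsWith(prefix) ? target : null;
}

// Constructed base directory and request paths (hypothetical values).
const BASE = '/srv/app/examples';
const SAMPLES = [
  '/get/index.html',              // ordinary file inside the base
  '/get/../../examples',          // normalizes back to the base itself
  '/../examples-evil/secret.txt', // sibling directory sharing the prefix
  '/../../other/file.txt',        // clearly outside the base
];

// Returns, per request path, whether each check would serve the file.
function compare() {
  return SAMPLES.map((request) => ({
    request,
    naive: resolveNaive(BASE, request) !== null,
    strict: resolveStrict(BASE, request) !== null,
  }));
}

console.table(compare());
```

Only the sibling-directory row differs between the two columns, which is the case a regression test for the fix should pin down.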
Summary by cubic
Merge v1.x into main to ship Axios 1.x with a modern ESM-first core, new adapters (including fetch), stronger headers/error APIs, and updated CI/release tooling. Includes TypeScript updates, refreshed docs, and a migration guide.
New Features
Migration
Written for commit af4f6d9. Summary will update on new commits.
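The review's point about `lib/helpers/ZlibHeaderTransformStream.js:16` is that a one-byte test on `0x78` is narrower than the RFC 1950 header rules. The sketch below is an added example, not axios code: `classifyZlibHeader`, `firstByteOnly` and the sample byte pairs are constructed here, and the checks follow RFC 1950 section 2.2 (CM, CINFO and the FCHECK multiple-of-31 rule).

```javascript
// Classify the first bytes of a stream as 'zlib', 'not-zlib' or 'need-more'.
function classifyZlibHeader(chunk) {
  // A header is two bytes; with fewer we cannot decide yet and must buffer.
  if (!chunk || chunk.length < 2) return 'need-more';
  const cmf = chunk[0];
  const flg = chunk[1];
  const method = cmf & 0x0f; // CM: 8 means deflate
  const cinfo = cmf >> 4;    // CINFO: log2(window size) - 8, at most 7
  const checkOk = (cmf * 256 + flg) % 31 === 0; // FCHECK rule
  return method === 8 && cinfo <= 7 && checkOk ? 'zlib' : 'not-zlib';
}

// The one-byte test quoted in the review, for comparison.
function firstByteOnly(chunk) {
  return chunk.length > 0 && chunk[0] === 0x78;
}

// Constructed sample headers (two leading bytes only, no payload).
const HEADERS = {
  default32k: Uint8Array.of(0x78, 0x9c), // 32 KiB window, default level
  fastest32k: Uint8Array.of(0x78, 0x01), // 32 KiB window, fastest level
  window8k: Uint8Array.of(0x58, 0x85),   // 8 KiB window: valid, CMF is 0x58
  badCheck: Uint8Array.of(0x78, 0x00),   // CMF looks right, FCHECK fails
  rawDeflate: Uint8Array.of(0x4b, 0x4c), // CM nibble is not 8
  truncated: Uint8Array.of(0x78),        // only one byte has arrived
};

// Returns both verdicts for every sample so they can be compared.
function compareChecks() {
  const out = {};
  for (const [name, bytes] of Object.entries(HEADERS)) {
    out[name] = { full: classifyZlibHeader(bytes), oneByte: firstByteOnly(bytes) };
  }
  return out;
}

console.table(compareChecks());
```

The `window8k` and `badCheck` rows are where the two checks disagree: the first is a valid header the one-byte test rejects, the second is an invalid one it accepts.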