Title: build(deps): bump axios from 0.21.1 to 0.32.0 in /AdguardExtension/SafariWebExtension/extension by dependabot[bot] · Pull Request #6 · https-github-com-PAVDSSVD/AdguardForiOS · GitHub
Open Graph Title: build(deps): bump axios from 0.21.1 to 0.32.0 in /AdguardExtension/SafariWebExtension/extension by dependabot[bot] · Pull Request #6 · https-github-com-PAVDSSVD/AdguardForiOS
X Title: build(deps): bump axios from 0.21.1 to 0.32.0 in /AdguardExtension/SafariWebExtension/extension by dependabot[bot] · Pull Request #6 · https-github-com-PAVDSSVD/AdguardForiOS
Description: Bumps axios from 0.21.1 to 0.32.0.
Release notes
Sourced from axios's releases.
v0.32.0 — May 4, 2026
This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.
⚠️ Breaking Changes & Deprecations
Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)
🔒 Security Fixes
Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
URL parameters: AxiosURLSearchParams keeps encoded and applies consistent encoding throughout. (#10838)
Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)
🔧 Maintenance & Chores
Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)
Full Changelog
v0.31.1
This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.
⚠️ Breaking Changes & Deprecations
Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)
🔒 Security Fixes
Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
Null-Byte Injection in Query Strings: Removed the unsafe → null-byte substitution from AxiosURLSearchParams.encode so is preserved as-is. Other encoding behaviour (including → +) unchanged. (#10737)
Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)
🔧 Maintenance & Chores
CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)
Full Changelog
v0.31.0
This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().
🔒 Security Fixes
... (truncated)
Commits
8db2d44 chore: bump version to v0.32.0 (#10840)
2af6116 chore: backport fixes from the v1x branch (#10838)
a589dc5 chore: bump version to v0.31.1 (#10766)
b0c632f fix: backport security issues (#10764)
b52187f fix: harden config merging (#10752)
e3ddeb4 fix: header security issues (#10750)
f4f2d76 chore: stop committing dist/ and remove bower (#10747)
1f2f644 chore: add CODEOWNERS (#10740)
44bca90 fix: improve regex in AxiosURLSearchParams (#10737)
4c4f07f fix: form data recursion (#10728)
Additional commits viewable in compare view
Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show
Open Graph Description: Bumps axios from 0.21.1 to 0.32.0. Release notes Sourced from axios's releases. v0.32.0 — May 4, 2026 This release backports a comprehensive set of security and hardening fixes from the v1.x ...
X Description: Bumps axios from 0.21.1 to 0.32.0. Release notes Sourced from axios's releases. v0.32.0 — May 4, 2026 This release backports a comprehensive set of security and hardening fixes from the v...
Opengraph URL: https://github.com/https-github-com-PAVDSSVD/AdguardForiOS/pull/6
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:39975703-6407-b088-8006-f933a2273edf |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | B114:3ADF04:7E7E64:AF13E4:6A507E31 |
| html-safe-nonce | c13be032f41d4913e85bd4ec2f8f219fd86251cfc0f5a1bb6864d7ba86586d4e |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCMTE0OjNBREYwNDo3RTdFNjQ6QUYxM0U0OjZBNTA3RTMxIiwidmlzaXRvcl9pZCI6Ijg5MTA5NzY2NDc0NzEwNzA3NjkiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 9c9954e28379b57084ec76d18038b3ca1ad9ab74939f1a7f788d09ae9d6ce95e |
| hovercard-subject-tag | pull_request:3773279368 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/https-github-com-PAVDSSVD/AdguardForiOS/pull/6/files |
| twitter:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| og:image:alt | Bumps axios from 0.21.1 to 0.32.0. Release notes Sourced from axios's releases. v0.32.0 — May 4, 2026 This release backports a comprehensive set of security and hardening fixes from the v1.x ... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | d6dc8294eb500fa36bbc57472d61fe87c522f9c3c1d64f70f4926f66a66a7efb |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/https-github-com-PAVDSSVD/AdguardForiOS git https://github.com/https-github-com-PAVDSSVD/AdguardForiOS.git |
| octolytics-dimension-user_id | 148691212 |
| octolytics-dimension-user_login | https-github-com-PAVDSSVD |
| octolytics-dimension-repository_id | 1208523990 |
| octolytics-dimension-repository_nwo | https-github-com-PAVDSSVD/AdguardForiOS |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | true |
| octolytics-dimension-repository_parent_id | 43807802 |
| octolytics-dimension-repository_parent_nwo | AdguardTeam/AdguardForiOS |
| octolytics-dimension-repository_network_root_id | 43807802 |
| octolytics-dimension-repository_network_root_nwo | AdguardTeam/AdguardForiOS |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 7ac0ad2f2c7e4b9056617355fd9e33e22b0c8df9 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width