This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.
⚠️ Important Changes
- Deprecation:
url.parse()usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)
🔒 Security Fixes
- Proxy Handling: Fixed a
no_proxyhostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661) - Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)
🚀 New Features
- Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)
🔧 Maintenance & Chores
- CI Security: Hardened workflow permissions to least privilege, added the
zizmorsecurity scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666) - Dependencies: Bumped
serialize-javascript,handlebars,picomatch,vite, anddenoland/setup-denoto latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616) - Documentation: Unified docs, improved
beforeRedirectcredential leakage example, clarifiedwithCredentials/withXSRFTokenbehaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589) - Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
- Tests: Added regression coverage for urlencoded
Content-Typecasing. (#10573)
🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve Axios: