Release notes:

Bug Fixes

• Regular Expression Denial of Service (ReDoS) (#6132) (5e7ad38)

Contributors to this release

• Jay
• Willian Agostini
• Dmitriy Mozgovoy

Release notes:

Features

• withXSRFToken: added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#6046) (cff9967)

PRs

• feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #6046 )

📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour. 
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

Contributors to this release

• Dmitriy Mozgovoy
• Ng Choon Khon (CK)
• Muhammad Noman

Release notes:

Bug Fixes

• formdata: fixed content-type header normalization for non-standard browser environments; (#6056) (dd465ab)
• platform: fixed emulated browser detection in node.js environment; (#6055) (3dc8369)

Contributors to this release

• Dmitriy Mozgovoy
• Fabian Meyer

Release notes:

Bug Fixes

• CSRF: fixed CSRF vulnerability CVE-2023-45857 (#6028) (96ee232)
• dns: fixed lookup function decorator to work properly in node v20; (#6011) (5aaff53)
• types: fix AxiosHeaders types; (#5931) (a1c8ad0)

PRs

• CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Contributors to this release

• Dmitriy Mozgovoy
• Valentin Panov
• Rinku Chaudhari

Release notes:

Bug Fixes

• adapters: improved adapters loading logic to have clear error messages; (#5919) (e410779)
• formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#5917) (bc9af51)
• headers: allow content-encoding header to handle case-insensitive values (#5890) (#5892) (4c89f25)
• types: removed duplicated code (9e62056)

Contributors to this release

• Dmitriy Mozgovoy
• David Dallas
• Sean Sattler
• Mustafa Ateş Uzun
• Przemyslaw Motacki
• Michael Di Prisco

Release notes:

Bug Fixes

• adapter: make adapter loading error more clear by using platform-specific adapters explicitly (#5837) (9a414bb)
• dns: fixed cacheable-lookup integration; (#5836) (b3e327d)
• headers: added support for setting header names that overlap with class methods; (#5831) (d8b4ca0)
• headers: fixed common Content-Type header merging; (#5832) (8fda276)

Features

• export getAdapter function (#5324) (ca73eb8)
• export: export adapters without unsafe prefix (#5839) (1601f4a)

Contributors to this release

• Dmitriy Mozgovoy
• 夜葬
• Jonathan Budiman
• Michael Di Prisco

Release notes:

Bug Fixes

• formdata: add multipart/form-data content type for FormData payload on custom client environments; (#5678) (bbb61e7)
• package: export package internals with unsafe path prefix; (#5677) (df38c94)

Features

• dns: added support for a custom lookup function; (#5339) (2701911)
• types: export AxiosHeaderValue type. (#5525) (726f1c8)

Performance Improvements

• merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#5679) (e6f7053)

Contributors to this release

• Dmitriy Mozgovoy
• Arthur Fiorette
• PIYUSH NEGI

Release notes:

Bug Fixes

• types: added transport to RawAxiosRequestConfig (#5445) (6f360a2)
• utils: make isFormData detection logic stricter to avoid unnecessary calling of the toString method on the target; (#5661) (aa372f7)

Contributors to this release

• Dmitriy Mozgovoy
• Michael Di Prisco

Release notes:

Bug Fixes

• headers: fixed isValidHeaderName to support full list of allowed characters; (#5584) (e7decef)
• params: re-added the ability to set the function as paramsSerializer config; (#5633) (a56c866)

Contributors to this release

• Dmitriy Mozgovoy

Release notes:

Bug Fixes

• blob: added a check to make sure the Blob class is available in the browser's global scope; (#5548) (3772c8f)
• http: fixed regression bug when handling synchronous errors inside the adapter; (#5564) (a3b246c)

Contributors to this release

• Dmitriy Mozgovoy
• lcysgsg
• Michael Di Prisco