Gathering detailed insights and metrics for axios
Gathering detailed insights and metrics for axios
Promise based HTTP client for the browser and node.js
Installations
npm install axiosDeveloper Guide
BETA
Typescript
Yes
Module System
ESM, UMD
Node Version
18.20.8
NPM Version
10.8.2
Releases
94
Languages
4
JavaScript
TypeScript
HTML
Handlebars
JavaScript (87.9%)
TypeScript (10.2%)
HTML (1.69%)
Handlebars (0.21%)
Developer
Download Statistics
Total Downloads
9,424,606,595
Last Day
11,676,391
Last Week
56,150,773
Last Month
254,568,449
Last Year
2,777,820,503
GitHub Statistics
MIT License
106,807 Stars
1,669 Commits
11,137 Forks
1,180 Watchers
10 Branches
482 Contributors
Updated on May 08, 2025
Bundle Size
35.82 kB
Minified
13.70 kB
Minified + Gzipped
Maintainers
4
Package Meta Information
Latest Version
1.9.0
Package Id
axios@1.9.0
Unpacked Size
2.06 MB
Size
539.70 kB
File Count
85
NPM Version
10.8.2
Node Version
18.20.8
Published on
Apr 24, 2025
Total Downloads
Cumulative downloads
Total Downloads
9,424,606,595
Last Day
4.4%
11,676,391
Compared to previous day
Last Week
-8.1%
56,150,773
Compared to previous week
Last Month
-1.5%
254,568,449
Compared to previous month
Last Year
14.6%
2,777,820,503
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
3
Dev Dependencies
57
@babel/core@babel/preset-env@commitlint/cli@commitlint/config-conventional@release-it/conventional-changelog@rollup/plugin-babel@rollup/plugin-commonjs@rollup/plugin-json@rollup/plugin-multi-entry@rollup/plugin-node-resolveabortcontroller-polyfillauto-changelogbody-parserchalkcoverallscross-envdev-nulldtslintes6-promiseeslintexpressformdata-nodeformidablefs-extraget-streamgulpgzip-sizehandlebarshuskyistanbul-instrumenter-loaderjasmine-corekarmakarma-chrome-launcherkarma-firefox-launcherkarma-jasminekarma-jasmine-ajaxkarma-rollup-preprocessorkarma-safari-launcherkarma-sauce-launcherkarma-sinonkarma-sourcemap-loadermemoizeeminimistmochamulterpretty-bytesrelease-itrolluprollup-plugin-auto-externalrollup-plugin-bundle-sizerollup-plugin-tersersinonstream-throttlestring-replace-asyncterser-webpack-plugintypescript@rollup/plugin-alias
🥇 Gold sponsors
 API-first authentication, authorization, and fraud prevention |  We’re bound by one common purpose: to give you the financial tools, resources and information you ne... |  Buy real Instagram followers from Twicsy starting at only $2.97. Twicsy has been voted the best site... |
 Hi, we're Descope! We are building something in the authentication space for app developers and... |  At Buzzoid, you can buy Instagram followers quickly, safely, and easily with just a few clicks. Rate... |  At Famety, you can grow your social media following quickly, safely, and easily with just a few clic... |
 Buy Instagram Likes |  Ставки на спорт, БК в Україні |  SS Market offers professional social media services that rapidly increase your YouTube subscriber co... |
| 💜 Become a sponsor | 💜 Become a sponsor | 💜 Become a sponsor |
Promise based HTTP client for the browser and node.js
Table of Contents
- Features
- Browser Support
- Installing
- Example
- Axios API
- Request method aliases
- Concurrency 👎
- Creating an instance
- Instance methods
- Request Config
- Response Schema
- Config Defaults
- Interceptors
- Handling Errors
- Cancellation
- Using application/x-www-form-urlencoded format
- Using multipart/form-data format
- Files Posting
- HTML Form Posting
- 🆕 Progress capturing
- 🆕 Rate limiting
- 🆕 AxiosHeaders
- 🔥 Fetch adapter
- Semver
- Promises
- TypeScript
- Resources
- Credits
- License
Features
- Make XMLHttpRequests from the browser
- Make http requests from node.js
- Supports the Promise API
- Intercept request and response
- Transform request and response data
- Cancel requests
- Automatic transforms for JSON data
- 🆕 Automatic data object serialization to
multipart/form-dataandx-www-form-urlencodedbody encodings - Client side support for protecting against XSRF
Browser Support
 |  |  |  |  |
|---|---|---|---|---|
| Latest ✔ | Latest ✔ | Latest ✔ | Latest ✔ | Latest ✔ |
Installing
Package manager
Using npm:
1$ npm install axios
Using bower:
1$ bower install axios
Using yarn:
1$ yarn add axios
Using pnpm:
1$ pnpm add axios
Using bun:
1$ bun add axios
Once the package is installed, you can import the library using import or require approach:
1import axios, {isCancel, AxiosError} from 'axios';
You can also use the default export, since the named export is just a re-export from the Axios factory:
1import axios from 'axios'; 2 3console.log(axios.isCancel('something'));
If you use require for importing, only default export is available:
1const axios = require('axios'); 2 3console.log(axios.isCancel('something'));
For some bundlers and some ES6 linters you may need to do the following:
1import { default as axios } from 'axios';
For cases where something went wrong when trying to import a module into a custom or legacy environment, you can try importing the module package directly:
1const axios = require('axios/dist/browser/axios.cjs'); // browser commonJS bundle (ES2017) 2// const axios = require('axios/dist/node/axios.cjs'); // node commonJS bundle (ES2017)
CDN
Using jsDelivr CDN (ES5 UMD browser module):
1<script src="https://cdn.jsdelivr.net/npm/axios@1.6.7/dist/axios.min.js"></script>
Using unpkg CDN:
1<script src="https://unpkg.com/axios@1.6.7/dist/axios.min.js"></script>
Example
Note: CommonJS usage
In order to gain the TypeScript typings (for intellisense / autocomplete) while using CommonJS imports withrequire(), use the following approach:
1import axios from 'axios'; 2//const axios = require('axios'); // legacy way 3 4// Make a request for a user with a given ID 5axios.get('/user?ID=12345') 6 .then(function (response) { 7 // handle success 8 console.log(response); 9 }) 10 .catch(function (error) { 11 // handle error 12 console.log(error); 13 }) 14 .finally(function () { 15 // always executed 16 }); 17 18// Optionally the request above could also be done as 19axios.get('/user', { 20 params: { 21 ID: 12345 22 } 23 }) 24 .then(function (response) { 25 console.log(response); 26 }) 27 .catch(function (error) { 28 console.log(error); 29 }) 30 .finally(function () { 31 // always executed 32 }); 33 34// Want to use async/await? Add the `async` keyword to your outer function/method. 35async function getUser() { 36 try { 37 const response = await axios.get('/user?ID=12345'); 38 console.log(response); 39 } catch (error) { 40 console.error(error); 41 } 42}
Note:
async/awaitis part of ECMAScript 2017 and is not supported in Internet Explorer and older browsers, so use with caution.
Performing a POST request
1axios.post('/user', { 2 firstName: 'Fred', 3 lastName: 'Flintstone' 4 }) 5 .then(function (response) { 6 console.log(response); 7 }) 8 .catch(function (error) { 9 console.log(error); 10 });
Performing multiple concurrent requests
1function getUserAccount() { 2 return axios.get('/user/12345'); 3} 4 5function getUserPermissions() { 6 return axios.get('/user/12345/permissions'); 7} 8 9Promise.all([getUserAccount(), getUserPermissions()]) 10 .then(function (results) { 11 const acct = results[0]; 12 const perm = results[1]; 13 });
axios API
Requests can be made by passing the relevant config to axios.
axios(config)
1// Send a POST request 2axios({ 3 method: 'post', 4 url: '/user/12345', 5 data: { 6 firstName: 'Fred', 7 lastName: 'Flintstone' 8 } 9});
1// GET request for remote image in node.js 2axios({ 3 method: 'get', 4 url: 'https://bit.ly/2mTM3nY', 5 responseType: 'stream' 6}) 7 .then(function (response) { 8 response.data.pipe(fs.createWriteStream('ada_lovelace.jpg')) 9 });
axios(url[, config])
1// Send a GET request (default method) 2axios('/user/12345');
Request method aliases
For convenience, aliases have been provided for all common request methods.
axios.request(config)
axios.get(url[, config])
axios.delete(url[, config])
axios.head(url[, config])
axios.options(url[, config])
axios.post(url[, data[, config]])
axios.put(url[, data[, config]])
axios.patch(url[, data[, config]])
NOTE
When using the alias methods url, method, and data properties don't need to be specified in config.
Concurrency (Deprecated)
Please use Promise.all to replace the below functions.
Helper functions for dealing with concurrent requests.
axios.all(iterable) axios.spread(callback)
Creating an instance
You can create a new instance of axios with a custom config.
axios.create([config])
1const instance = axios.create({ 2 baseURL: 'https://some-domain.com/api/', 3 timeout: 1000, 4 headers: {'X-Custom-Header': 'foobar'} 5});
Instance methods
The available instance methods are listed below. The specified config will be merged with the instance config.
axios#request(config)
axios#get(url[, config])
axios#delete(url[, config])
axios#head(url[, config])
axios#options(url[, config])
axios#post(url[, data[, config]])
axios#put(url[, data[, config]])
axios#patch(url[, data[, config]])
axios#getUri([config])
Request Config
These are the available config options for making requests. Only the url is required. Requests will default to GET if method is not specified.
1{ 2 // `url` is the server URL that will be used for the request 3 url: '/user', 4 5 // `method` is the request method to be used when making the request 6 method: 'get', // default 7 8 // `baseURL` will be prepended to `url` unless `url` is absolute and option `allowAbsoluteUrls` is set to true. 9 // It can be convenient to set `baseURL` for an instance of axios to pass relative URLs 10 // to methods of that instance. 11 baseURL: 'https://some-domain.com/api/', 12 13 // `allowAbsoluteUrls` determines whether or not absolute URLs will override a configured `baseUrl`. 14 // When set to true (default), absolute values for `url` will override `baseUrl`. 15 // When set to false, absolute values for `url` will always be prepended by `baseUrl`. 16 allowAbsoluteUrls: true, 17 18 // `transformRequest` allows changes to the request data before it is sent to the server 19 // This is only applicable for request methods 'PUT', 'POST', 'PATCH' and 'DELETE' 20 // The last function in the array must return a string or an instance of Buffer, ArrayBuffer, 21 // FormData or Stream 22 // You may modify the headers object. 23 transformRequest: [function (data, headers) { 24 // Do whatever you want to transform the data 25 26 return data; 27 }], 28 29 // `transformResponse` allows changes to the response data to be made before 30 // it is passed to then/catch 31 transformResponse: [function (data) { 32 // Do whatever you want to transform the data 33 34 return data; 35 }], 36 37 // `headers` are custom headers to be sent 38 headers: {'X-Requested-With': 'XMLHttpRequest'}, 39 40 // `params` are the URL parameters to be sent with the request 41 // Must be a plain object or a URLSearchParams object 42 params: { 43 ID: 12345 44 }, 45 46 // `paramsSerializer` is an optional config that allows you to customize serializing `params`. 47 paramsSerializer: { 48 49 // Custom encoder function which sends key/value pairs in an iterative fashion. 50 encode?: (param: string): string => { /* Do custom operations here and return transformed string */ }, 51 52 // Custom serializer function for the entire parameter. Allows user to mimic pre 1.x behaviour. 53 serialize?: (params: Record<string, any>, options?: ParamsSerializerOptions ), 54 55 // Configuration for formatting array indexes in the params. 56 indexes: false // Three available options: (1) indexes: null (leads to no brackets), (2) (default) indexes: false (leads to empty brackets), (3) indexes: true (leads to brackets with indexes). 57 }, 58 59 // `data` is the data to be sent as the request body 60 // Only applicable for request methods 'PUT', 'POST', 'DELETE , and 'PATCH' 61 // When no `transformRequest` is set, must be of one of the following types: 62 // - string, plain object, ArrayBuffer, ArrayBufferView, URLSearchParams 63 // - Browser only: FormData, File, Blob 64 // - Node only: Stream, Buffer, FormData (form-data package) 65 data: { 66 firstName: 'Fred' 67 }, 68 69 // syntax alternative to send data into the body 70 // method post 71 // only the value is sent, not the key 72 data: 'Country=Brasil&City=Belo Horizonte', 73 74 // `timeout` specifies the number of milliseconds before the request times out. 75 // If the request takes longer than `timeout`, the request will be aborted. 76 timeout: 1000, // default is `0` (no timeout) 77 78 // `withCredentials` indicates whether or not cross-site Access-Control requests 79 // should be made using credentials 80 withCredentials: false, // default 81 82 // `adapter` allows custom handling of requests which makes testing easier. 83 // Return a promise and supply a valid response (see lib/adapters/README.md) 84 adapter: function (config) { 85 /* ... */ 86 }, 87 // Also, you can set the name of the built-in adapter, or provide an array with their names 88 // to choose the first available in the environment 89 adapter: 'xhr', // 'fetch' | 'http' | ['xhr', 'http', 'fetch'] 90 91 // `auth` indicates that HTTP Basic auth should be used, and supplies credentials. 92 // This will set an `Authorization` header, overwriting any existing 93 // `Authorization` custom headers you have set using `headers`. 94 // Please note that only HTTP Basic auth is configurable through this parameter. 95 // For Bearer tokens and such, use `Authorization` custom headers instead. 96 auth: { 97 username: 'janedoe', 98 password: 's00pers3cret' 99 }, 100 101 // `responseType` indicates the type of data that the server will respond with 102 // options are: 'arraybuffer', 'document', 'json', 'text', 'stream' 103 // browser only: 'blob' 104 responseType: 'json', // default 105 106 // `responseEncoding` indicates encoding to use for decoding responses (Node.js only) 107 // Note: Ignored for `responseType` of 'stream' or client-side requests 108 // options are: 'ascii', 'ASCII', 'ansi', 'ANSI', 'binary', 'BINARY', 'base64', 'BASE64', 'base64url', 109 // 'BASE64URL', 'hex', 'HEX', 'latin1', 'LATIN1', 'ucs-2', 'UCS-2', 'ucs2', 'UCS2', 'utf-8', 'UTF-8', 110 // 'utf8', 'UTF8', 'utf16le', 'UTF16LE' 111 responseEncoding: 'utf8', // default 112 113 // `xsrfCookieName` is the name of the cookie to use as a value for xsrf token 114 xsrfCookieName: 'XSRF-TOKEN', // default 115 116 // `xsrfHeaderName` is the name of the http header that carries the xsrf token value 117 xsrfHeaderName: 'X-XSRF-TOKEN', // default 118 119 // `undefined` (default) - set XSRF header only for the same origin requests 120 withXSRFToken: boolean | undefined | ((config: InternalAxiosRequestConfig) => boolean | undefined), 121 122 // `onUploadProgress` allows handling of progress events for uploads 123 // browser & node.js 124 onUploadProgress: function ({loaded, total, progress, bytes, estimated, rate, upload = true}) { 125 // Do whatever you want with the Axios progress event 126 }, 127 128 // `onDownloadProgress` allows handling of progress events for downloads 129 // browser & node.js 130 onDownloadProgress: function ({loaded, total, progress, bytes, estimated, rate, download = true}) { 131 // Do whatever you want with the Axios progress event 132 }, 133 134 // `maxContentLength` defines the max size of the http response content in bytes allowed in node.js 135 maxContentLength: 2000, 136 137 // `maxBodyLength` (Node only option) defines the max size of the http request content in bytes allowed 138 maxBodyLength: 2000, 139 140 // `validateStatus` defines whether to resolve or reject the promise for a given 141 // HTTP response status code. If `validateStatus` returns `true` (or is set to `null` 142 // or `undefined`), the promise will be resolved; otherwise, the promise will be 143 // rejected. 144 validateStatus: function (status) { 145 return status >= 200 && status < 300; // default 146 }, 147 148 // `maxRedirects` defines the maximum number of redirects to follow in node.js. 149 // If set to 0, no redirects will be followed. 150 maxRedirects: 21, // default 151 152 // `beforeRedirect` defines a function that will be called before redirect. 153 // Use this to adjust the request options upon redirecting, 154 // to inspect the latest response headers, 155 // or to cancel the request by throwing an error 156 // If maxRedirects is set to 0, `beforeRedirect` is not used. 157 beforeRedirect: (options, { headers }) => { 158 if (options.hostname === "example.com") { 159 options.auth = "user:password"; 160 } 161 }, 162 163 // `socketPath` defines a UNIX Socket to be used in node.js. 164 // e.g. '/var/run/docker.sock' to send requests to the docker daemon. 165 // Only either `socketPath` or `proxy` can be specified. 166 // If both are specified, `socketPath` is used. 167 socketPath: null, // default 168 169 // `transport` determines the transport method that will be used to make the request. 170 // If defined, it will be used. Otherwise, if `maxRedirects` is 0, 171 // the default `http` or `https` library will be used, depending on the protocol specified in `protocol`. 172 // Otherwise, the `httpFollow` or `httpsFollow` library will be used, again depending on the protocol, 173 // which can handle redirects. 174 transport: undefined, // default 175 176 // `httpAgent` and `httpsAgent` define a custom agent to be used when performing http 177 // and https requests, respectively, in node.js. This allows options to be added like 178 // `keepAlive` that are not enabled by default. 179 httpAgent: new http.Agent({ keepAlive: true }), 180 httpsAgent: new https.Agent({ keepAlive: true }), 181 182 // `proxy` defines the hostname, port, and protocol of the proxy server. 183 // You can also define your proxy using the conventional `http_proxy` and 184 // `https_proxy` environment variables. If you are using environment variables 185 // for your proxy configuration, you can also define a `no_proxy` environment 186 // variable as a comma-separated list of domains that should not be proxied. 187 // Use `false` to disable proxies, ignoring environment variables. 188 // `auth` indicates that HTTP Basic auth should be used to connect to the proxy, and 189 // supplies credentials. 190 // This will set an `Proxy-Authorization` header, overwriting any existing 191 // `Proxy-Authorization` custom headers you have set using `headers`. 192 // If the proxy server uses HTTPS, then you must set the protocol to `https`. 193 proxy: { 194 protocol: 'https', 195 host: '127.0.0.1', 196 // hostname: '127.0.0.1' // Takes precedence over 'host' if both are defined 197 port: 9000, 198 auth: { 199 username: 'mikeymike', 200 password: 'rapunz3l' 201 } 202 }, 203 204 // `cancelToken` specifies a cancel token that can be used to cancel the request 205 // (see Cancellation section below for details) 206 cancelToken: new CancelToken(function (cancel) { 207 }), 208 209 // an alternative way to cancel Axios requests using AbortController 210 signal: new AbortController().signal, 211 212 // `decompress` indicates whether or not the response body should be decompressed 213 // automatically. If set to `true` will also remove the 'content-encoding' header 214 // from the responses objects of all decompressed responses 215 // - Node only (XHR cannot turn off decompression) 216 decompress: true, // default 217 218 // `insecureHTTPParser` boolean. 219 // Indicates where to use an insecure HTTP parser that accepts invalid HTTP headers. 220 // This may allow interoperability with non-conformant HTTP implementations. 221 // Using the insecure parser should be avoided. 222 // see options https://nodejs.org/dist/latest-v12.x/docs/api/http.html#http_http_request_url_options_callback 223 // see also https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/#strict-http-header-parsing-none 224 insecureHTTPParser: undefined, // default 225 226 // transitional options for backward compatibility that may be removed in the newer versions 227 transitional: { 228 // silent JSON parsing mode 229 // `true` - ignore JSON parsing errors and set response.data to null if parsing failed (old behaviour) 230 // `false` - throw SyntaxError if JSON parsing failed (Note: responseType must be set to 'json') 231 silentJSONParsing: true, // default value for the current Axios version 232 233 // try to parse the response string as JSON even if `responseType` is not 'json' 234 forcedJSONParsing: true, 235 236 // throw ETIMEDOUT error instead of generic ECONNABORTED on request timeouts 237 clarifyTimeoutError: false, 238 }, 239 240 env: { 241 // The FormData class to be used to automatically serialize the payload into a FormData object 242 FormData: window?.FormData || global?.FormData 243 }, 244 245 formSerializer: { 246 visitor: (value, key, path, helpers) => {}; // custom visitor function to serialize form values 247 dots: boolean; // use dots instead of brackets format 248 metaTokens: boolean; // keep special endings like {} in parameter key 249 indexes: boolean; // array indexes format null - no brackets, false - empty brackets, true - brackets with indexes 250 }, 251 252 // http adapter only (node.js) 253 maxRate: [ 254 100 * 1024, // 100KB/s upload limit, 255 100 * 1024 // 100KB/s download limit 256 ] 257}
Response Schema
The response for a request contains the following information.
1{ 2 // `data` is the response that was provided by the server 3 data: {}, 4 5 // `status` is the HTTP status code from the server response 6 status: 200, 7 8 // `statusText` is the HTTP status message from the server response 9 statusText: 'OK', 10 11 // `headers` the HTTP headers that the server responded with 12 // All header names are lowercase and can be accessed using the bracket notation. 13 // Example: `response.headers['content-type']` 14 headers: {}, 15 16 // `config` is the config that was provided to `axios` for the request 17 config: {}, 18 19 // `request` is the request that generated this response 20 // It is the last ClientRequest instance in node.js (in redirects) 21 // and an XMLHttpRequest instance in the browser 22 request: {} 23}
When using then, you will receive the response as follows:
1axios.get('/user/12345') 2 .then(function (response) { 3 console.log(response.data); 4 console.log(response.status); 5 console.log(response.statusText); 6 console.log(response.headers); 7 console.log(response.config); 8 });
When using catch, or passing a rejection callback as second parameter of then, the response will be available through the error object as explained in the Handling Errors section.
Config Defaults
You can specify config defaults that will be applied to every request.
Global axios defaults
1axios.defaults.baseURL = 'https://api.example.com'; 2 3// Important: If axios is used with multiple domains, the AUTH_TOKEN will be sent to all of them. 4// See below for an example using Custom instance defaults instead. 5axios.defaults.headers.common['Authorization'] = AUTH_TOKEN; 6 7axios.defaults.headers.post['Content-Type'] = 'application/x-www-form-urlencoded';
Custom instance defaults
1// Set config defaults when creating the instance 2const instance = axios.create({ 3 baseURL: 'https://api.example.com' 4}); 5 6// Alter defaults after instance has been created 7instance.defaults.headers.common['Authorization'] = AUTH_TOKEN;
Config order of precedence
Config will be merged with an order of precedence. The order is library defaults found in lib/defaults/index.js, then defaults property of the instance, and finally config argument for the request. The latter will take precedence over the former. Here's an example.
1// Create an instance using the config defaults provided by the library 2// At this point the timeout config value is `0` as is the default for the library 3const instance = axios.create(); 4 5// Override timeout default for the library 6// Now all requests using this instance will wait 2.5 seconds before timing out 7instance.defaults.timeout = 2500; 8 9// Override timeout for this request as it's known to take a long time 10instance.get('/longRequest', { 11 timeout: 5000 12});
Interceptors
You can intercept requests or responses before they are handled by then or catch.
1 2const instance = axios.create(); 3 4// Add a request interceptor 5instance.interceptors.request.use(function (config) { 6 // Do something before request is sent 7 return config; 8 }, function (error) { 9 // Do something with request error 10 return Promise.reject(error); 11 }); 12 13// Add a response interceptor 14instance.interceptors.response.use(function (response) { 15 // Any status code that lie within the range of 2xx cause this function to trigger 16 // Do something with response data 17 return response; 18 }, function (error) { 19 // Any status codes that falls outside the range of 2xx cause this function to trigger 20 // Do something with response error 21 return Promise.reject(error); 22 });
If you need to remove an interceptor later you can.
1const instance = axios.create(); 2const myInterceptor = instance.interceptors.request.use(function () {/*...*/}); 3axios.interceptors.request.eject(myInterceptor);
You can also clear all interceptors for requests or responses.
1const instance = axios.create(); 2instance.interceptors.request.use(function () {/*...*/}); 3instance.interceptors.request.clear(); // Removes interceptors from requests 4instance.interceptors.response.use(function () {/*...*/}); 5instance.interceptors.response.clear(); // Removes interceptors from responses
You can add interceptors to a custom instance of axios.
1const instance = axios.create(); 2instance.interceptors.request.use(function () {/*...*/});
When you add request interceptors, they are presumed to be asynchronous by default. This can cause a delay in the execution of your axios request when the main thread is blocked (a promise is created under the hood for the interceptor and your request gets put on the bottom of the call stack). If your request interceptors are synchronous you can add a flag to the options object that will tell axios to run the code synchronously and avoid any delays in request execution.
1axios.interceptors.request.use(function (config) { 2 config.headers.test = 'I am only a header!'; 3 return config; 4}, null, { synchronous: true });
If you want to execute a particular interceptor based on a runtime check,
you can add a runWhen function to the options object. The request interceptor will not be executed if and only if the return
of runWhen is false. The function will be called with the config
object (don't forget that you can bind your own arguments to it as well.) This can be handy when you have an
asynchronous request interceptor that only needs to run at certain times.
1function onGetCall(config) { 2 return config.method === 'get'; 3} 4axios.interceptors.request.use(function (config) { 5 config.headers.test = 'special get headers'; 6 return config; 7}, null, { runWhen: onGetCall });
Note: options parameter(having
synchronousandrunWhenproperties) is only supported for request interceptors at the moment.
Multiple Interceptors
Given you add multiple response interceptors and when the response was fulfilled
- then each interceptor is executed
- then they are executed in the order they were added
- then only the last interceptor's result is returned
- then every interceptor receives the result of its predecessor
- and when the fulfillment-interceptor throws
- then the following fulfillment-interceptor is not called
- then the following rejection-interceptor is called
- once caught, another following fulfill-interceptor is called again (just like in a promise chain).
Read the interceptor tests for seeing all this in code.
Error Types
There are many different axios error messages that can appear that can provide basic information about the specifics of the error and where opportunities may lie in debugging.
The general structure of axios errors is as follows:
| Property | Definition |
|---|---|
| message | A quick summary of the error message and the status it failed with. |
| name | This defines where the error originated from. For axios, it will always be an 'AxiosError'. |
| stack | Provides the stack trace of the error. |
| config | An axios config object with specific instance configurations defined by the user from when the request was made |
| code | Represents an axios identified error. The table below lists out specific definitions for internal axios error. |
| status | HTTP response status code. See here for common HTTP response status code meanings. |
Below is a list of potential axios identified error:
| Code | Definition |
|---|---|
| ERR_BAD_OPTION_VALUE | Invalid or unsupported value provided in axios configuration. |
| ERR_BAD_OPTION | Invalid option provided in axios configuration. |
| ECONNABORTED | Request timed out due to exceeding timeout specified in axios configuration. |
| ETIMEDOUT | Request timed out due to exceeding default axios timelimit. |
| ERR_NETWORK | Network-related issue. |
| ERR_FR_TOO_MANY_REDIRECTS | Request is redirected too many times; exceeds max redirects specified in axios configuration. |
| ERR_DEPRECATED | Deprecated feature or method used in axios. |
| ERR_BAD_RESPONSE | Response cannot be parsed properly or is in an unexpected format. |
| ERR_BAD_REQUEST | Requested has unexpected format or missing required parameters. |
| ERR_CANCELED | Feature or method is canceled explicitly by the user. |
| ERR_NOT_SUPPORT | Feature or method not supported in the current axios environment. |
| ERR_INVALID_URL | Invalid URL provided for axios request. |
Handling Errors
the default behavior is to reject every response that returns with a status code that falls out of the range of 2xx and treat it as an error.
1axios.get('/user/12345') 2 .catch(function (error) { 3 if (error.response) { 4 // The request was made and the server responded with a status code 5 // that falls out of the range of 2xx 6 console.log(error.response.data); 7 console.log(error.response.status); 8 console.log(error.response.headers); 9 } else if (error.request) { 10 // The request was made but no response was received 11 // `error.request` is an instance of XMLHttpRequest in the browser and an instance of 12 // http.ClientRequest in node.js 13 console.log(error.request); 14 } else { 15 // Something happened in setting up the request that triggered an Error 16 console.log('Error', error.message); 17 } 18 console.log(error.config); 19 });
Using the validateStatus config option, you can override the default condition (status >= 200 && status < 300) and define HTTP code(s) that should throw an error.
1axios.get('/user/12345', { 2 validateStatus: function (status) { 3 return status < 500; // Resolve only if the status code is less than 500 4 } 5})
Using toJSON you get an object with more information about the HTTP error.
1axios.get('/user/12345') 2 .catch(function (error) { 3 console.log(error.toJSON()); 4 });
Cancellation
AbortController
Starting from v0.22.0 Axios supports AbortController to cancel requests in fetch API way:
1const controller = new AbortController(); 2 3axios.get('/foo/bar', { 4 signal: controller.signal 5}).then(function(response) { 6 //... 7}); 8// cancel the request 9controller.abort()
CancelToken 👎deprecated
You can also cancel a request using a CancelToken.
The axios cancel token API is based on the withdrawn cancellable promises proposal.
This API is deprecated since v0.22.0 and shouldn't be used in new projects
You can create a cancel token using the CancelToken.source factory as shown below:
1const CancelToken = axios.CancelToken; 2const source = CancelToken.source(); 3 4axios.get('/user/12345', { 5 cancelToken: source.token 6}).catch(function (thrown) { 7 if (axios.isCancel(thrown)) { 8 console.log('Request canceled', thrown.message); 9 } else { 10 // handle error 11 } 12}); 13 14axios.post('/user/12345', { 15 name: 'new name' 16}, { 17 cancelToken: source.token 18}) 19 20// cancel the request (the message parameter is optional) 21source.cancel('Operation canceled by the user.');
You can also create a cancel token by passing an executor function to the CancelToken constructor:
1const CancelToken = axios.CancelToken; 2let cancel; 3 4axios.get('/user/12345', { 5 cancelToken: new CancelToken(function executor(c) { 6 // An executor function receives a cancel function as a parameter 7 cancel = c; 8 }) 9}); 10 11// cancel the request 12cancel();
Note: you can cancel several requests with the same cancel token/abort controller. If a cancellation token is already cancelled at the moment of starting an Axios request, then the request is cancelled immediately, without any attempts to make a real request.
During the transition period, you can use both cancellation APIs, even for the same request:
Using application/x-www-form-urlencoded format
URLSearchParams
By default, axios serializes JavaScript objects to JSON. To send data in the application/x-www-form-urlencoded format instead, you can use the URLSearchParams API, which is supported in the vast majority of browsers,and Node starting with v10 (released in 2018).
1const params = new URLSearchParams({ foo: 'bar' }); 2params.append('extraparam', 'value'); 3axios.post('/foo', params);
Query string (Older browsers)
For compatibility with very old browsers, there is a polyfill available (make sure to polyfill the global environment).
Alternatively, you can encode data using the qs library:
1const qs = require('qs'); 2axios.post('/foo', qs.stringify({ 'bar': 123 }));
Or in another way (ES6),
1import qs from 'qs'; 2const data = { 'bar': 123 }; 3const options = { 4 method: 'POST', 5 headers: { 'content-type': 'application/x-www-form-urlencoded' }, 6 data: qs.stringify(data), 7 url, 8}; 9axios(options);
Older Node.js versions
For older Node.js engines, you can use the querystring module as follows:
1const querystring = require('querystring'); 2axios.post('https://something.com/', querystring.stringify({ foo: 'bar' }));
You can also use the qs library.
Note: The
qslibrary is preferable if you need to stringify nested objects, as thequerystringmethod has known issues with that use case.
🆕 Automatic serialization to URLSearchParams
Axios will automatically serialize the data object to urlencoded format if the content-type header is set to "application/x-www-form-urlencoded".
1const data = { 2 x: 1, 3 arr: [1, 2, 3], 4 arr2: [1, [2], 3], 5 users: [{name: 'Peter', surname: 'Griffin'}, {name: 'Thomas', surname: 'Anderson'}], 6}; 7 8await axios.postForm('https://postman-echo.com/post', data, 9 {headers: {'content-type': 'application/x-www-form-urlencoded'}} 10);
The server will handle it as:
1 { 2 x: '1', 3 'arr[]': [ '1', '2', '3' ], 4 'arr2[0]': '1', 5 'arr2[1][0]': '2', 6 'arr2[2]': '3', 7 'arr3[]': [ '1', '2', '3' ], 8 'users[0][name]': 'Peter', 9 'users[0][surname]': 'griffin', 10 'users[1][name]': 'Thomas', 11 'users[1][surname]': 'Anderson' 12 }
If your backend body-parser (like body-parser of express.js) supports nested objects decoding, you will get the same object on the server-side automatically
1 var app = express(); 2 3 app.use(bodyParser.urlencoded({ extended: true })); // support encoded bodies 4 5 app.post('/', function (req, res, next) { 6 // echo body as JSON 7 res.send(JSON.stringify(req.body)); 8 }); 9 10 server = app.listen(3000);
Using multipart/form-data format
FormData
To send the data as a multipart/formdata you need to pass a formData instance as a payload.
Setting the Content-Type header is not required as Axios guesses it based on the payload type.
1const formData = new FormData(); 2formData.append('foo', 'bar'); 3 4axios.post('https://httpbin.org/post', formData);
In node.js, you can use the form-data library as follows:
1const FormData = require('form-data'); 2 3const form = new FormData(); 4form.append('my_field', 'my value'); 5form.append('my_buffer', new Buffer(10)); 6form.append('my_file', fs.createReadStream('/foo/bar.jpg')); 7 8axios.post('https://example.com', form)
🆕 Automatic serialization to FormData
Starting from v0.27.0, Axios supports automatic object serialization to a FormData object if the request Content-Type
header is set to multipart/form-data.
The following request will submit the data in a FormData format (Browser & Node.js):
1import axios from 'axios'; 2 3axios.post('https://httpbin.org/post', {x: 1}, { 4 headers: { 5 'Content-Type': 'multipart/form-data' 6 } 7}).then(({data}) => console.log(data));
In the node.js build, the (form-data) polyfill is used by default.
You can overload the FormData class by setting the env.FormData config variable,
but you probably won't need it in most cases:
1const axios = require('axios'); 2var FormData = require('form-data'); 3 4axios.post('https://httpbin.org/post', {x: 1, buf: new Buffer(10)}, { 5 headers: { 6 'Content-Type': 'multipart/form-data' 7 } 8}).then(({data}) => console.log(data));
Axios FormData serializer supports some special endings to perform the following operations:
{}- serialize the value with JSON.stringify[]- unwrap the array-like object as separate fields with the same key
Note: unwrap/expand operation will be used by default on arrays and FileList objects
FormData serializer supports additional options via config.formSerializer: object property to handle rare cases:
-
visitor: Function- user-defined visitor function that will be called recursively to serialize the data object to aFormDataobject by following custom rules. -
dots: boolean = false- use dot notation instead of brackets to serialize arrays and objects; -
metaTokens: boolean = true- add the special ending (e.guser{}: '{"name": "John"}') in the FormData key. The back-end body-parser could potentially use this meta-information to automatically parse the value as JSON. -
indexes: null|false|true = false- controls how indexes will be added to unwrapped keys offlatarray-like objects.null- don't add brackets (arr: 1,arr: 2,arr: 3)false(default) - add empty brackets (arr[]: 1,arr[]: 2,arr[]: 3)true- add brackets with indexes (arr[0]: 1,arr[1]: 2,arr[2]: 3)
Let's say we have an object like this one:
1const obj = { 2 x: 1, 3 arr: [1, 2, 3], 4 arr2: [1, [2], 3], 5 users: [{name: 'Peter', surname: 'Griffin'}, {name: 'Thomas', surname: 'Anderson'}], 6 'obj2{}': [{x:1}] 7};
The following steps will be executed by the Axios serializer internally:
1const formData = new FormData(); 2formData.append('x', '1'); 3formData.append('arr[]', '1'); 4formData.append('arr[]', '2'); 5formData.append('arr[]', '3'); 6formData.append('arr2[0]', '1'); 7formData.append('arr2[1][0]', '2'); 8formData.append('arr2[2]', '3'); 9formData.append('users[0][name]', 'Peter'); 10formData.append('users[0][surname]', 'Griffin'); 11formData.append('users[1][name]', 'Thomas'); 12formData.append('users[1][surname]', 'Anderson'); 13formData.append('obj2{}', '[{"x":1}]');
Axios supports the following shortcut methods: postForm, putForm, patchForm
which are just the corresponding http methods with the Content-Type header preset to multipart/form-data.
Files Posting
You can easily submit a single file:
1await axios.postForm('https://httpbin.org/post', { 2 'myVar' : 'foo', 3 'file': document.querySelector('#fileInput').files[0] 4});
or multiple files as multipart/form-data:
1await axios.postForm('https://httpbin.org/post', { 2 'files[]': document.querySelector('#fileInput').files 3});
FileList object can be passed directly:
1await axios.postForm('https://httpbin.org/post', document.querySelector('#fileInput').files)All files will be sent with the same field names: files[].
🆕 HTML Form Posting (browser)
Pass HTML Form element as a payload to submit it as multipart/form-data content.
1await axios.postForm('https://httpbin.org/post', document.querySelector('#htmlForm'));FormData and HTMLForm objects can also be posted as JSON by explicitly setting the Content-Type header to application/json:
1await axios.post('https://httpbin.org/post', document.querySelector('#htmlForm'), { 2 headers: { 3 'Content-Type': 'application/json' 4 } 5})
For example, the Form
1<form id="form"> 2 <input type="text" name="foo" value="1"> 3 <input type="text" name="deep.prop" value="2"> 4 <input type="text" name="deep prop spaced" value="3"> 5 <input type="text" name="baz" value="4"> 6 <input type="text" name="baz" value="5"> 7 8 <select name="user.age"> 9 <option value="value1">Value 1</option> 10 <option value="value2" selected>Value 2</option> 11 <option value="value3">Value 3</option> 12 </select> 13 14 <input type="submit" value="Save"> 15</form>
will be submitted as the following JSON object:
1{ 2 "foo": "1", 3 "deep": { 4 "prop": { 5 "spaced": "3" 6 } 7 }, 8 "baz": [ 9 "4", 10 "5" 11 ], 12 "user": { 13 "age": "value2" 14 } 15}
Sending Blobs/Files as JSON (base64) is not currently supported.
🆕 Progress capturing
Axios supports both browser and node environments to capture request upload/download progress.
The frequency of progress events is forced to be limited to 3 times per second.
1await axios.post(url, data, { 2 onUploadProgress: function (axiosProgressEvent) { 3 /*{ 4 loaded: number; 5 total?: number; 6 progress?: number; // in range [0..1] 7 bytes: number; // how many bytes have been transferred since the last trigger (delta) 8 estimated?: number; // estimated time in seconds 9 rate?: number; // upload speed in bytes 10 upload: true; // upload sign 11 }*/ 12 }, 13 14 onDownloadProgress: function (axiosProgressEvent) { 15 /*{ 16 loaded: number; 17 total?: number; 18 progress?: number; 19 bytes: number; 20 estimated?: number; 21 rate?: number; // download speed in bytes 22 download: true; // download sign 23 }*/ 24 } 25});
You can also track stream upload/download progress in node.js:
1const {data} = await axios.post(SERVER_URL, readableStream, { 2 onUploadProgress: ({progress}) => { 3 console.log((progress * 100).toFixed(2)); 4 }, 5 6 headers: { 7 'Content-Length': contentLength 8 }, 9 10 maxRedirects: 0 // avoid buffering the entire stream 11});
Note: Capturing FormData upload progress is not currently supported in node.js environments.
⚠️ Warning It is recommended to disable redirects by setting maxRedirects: 0 to upload the stream in the node.js environment, as follow-redirects package will buffer the entire stream in RAM without following the "backpressure" algorithm.
🆕 Rate limiting
Download and upload rate limits can only be set for the http adapter (node.js):
1const {data} = await axios.post(LOCAL_SERVER_URL, myBuffer, { 2 onUploadProgress: ({progress, rate}) => { 3 console.log(`Upload [${(progress*100).toFixed(2)}%]: ${(rate / 1024).toFixed(2)}KB/s`) 4 }, 5 6 maxRate: [100 * 1024], // 100KB/s limit 7});
🆕 AxiosHeaders
Axios has its own AxiosHeaders class to manipulate headers using a Map-like API that guarantees caseless work.
Although HTTP is case-insensitive in headers, Axios will retain the case of the original header for stylistic reasons
and for a workaround when servers mistakenly consider the header's case.
The old approach of directly manipulating headers object is still available, but deprecated and not recommended for future usage.
Working with headers
An AxiosHeaders object instance can contain different types of internal values. that control setting and merging logic.
The final headers object with string values is obtained by Axios by calling the toJSON method.
Note: By JSON here we mean an object consisting only of string values intended to be sent over the network.
The header value can be one of the following types:
string- normal string value that will be sent to the servernull- skip header when rendering to JSONfalse- skip header when rendering to JSON, additionally indicates thatsetmethod must be called withrewriteoption set totrueto overwrite this value (Axios uses this internally to allow users to opt out of installing certain headers likeUser-AgentorContent-Type)undefined- value is not set
Note: The header value is considered set if it is not equal to undefined.
The headers object is always initialized inside interceptors and transformers:
1 axios.interceptors.request.use((request: InternalAxiosRequestConfig) => { 2 request.headers.set('My-header', 'value'); 3 4 request.headers.set({ 5 "My-set-header1": "my-set-value1", 6 "My-set-header2": "my-set-value2" 7 }); 8 9 request.headers.set('User-Agent', false); // disable subsequent setting the header by Axios 10 11 request.headers.setContentType('text/plain'); 12 13 request.headers['My-set-header2'] = 'newValue' // direct access is deprecated 14 15 return request; 16 } 17 );
You can iterate over an AxiosHeaders instance using a for...of statement:
1const headers = new AxiosHeaders({ 2 foo: '1', 3 bar: '2', 4 baz: '3' 5}); 6 7for(const [header, value] of headers) { 8 console.log(header, value); 9} 10 11// foo 1 12// bar 2 13// baz 3
new AxiosHeaders(headers?)
Constructs a new AxiosHeaders instance.
constructor(headers?: RawAxiosHeaders | AxiosHeaders | string);
If the headers object is a string, it will be parsed as RAW HTTP headers.
1const headers = new AxiosHeaders(` 2Host: www.bing.com 3User-Agent: curl/7.54.0 4Accept: */*`); 5 6console.log(headers); 7 8// Object [AxiosHeaders] { 9// host: 'www.bing.com', 10// 'user-agent': 'curl/7.54.0', 11// accept: '*/*' 12// }
AxiosHeaders#set
1set(headerName, value: Axios, rewrite?: boolean); 2set(headerName, value, rewrite?: (this: AxiosHeaders, value: string, name: string, headers: RawAxiosHeaders) => boolean); 3set(headers?: RawAxiosHeaders | AxiosHeaders | string, rewrite?: boolean);
The rewrite argument controls the overwriting behavior:
false- do not overwrite if header's value is set (is notundefined)undefined(default) - overwrite the header unless its value is set tofalsetrue- rewrite anyway
The option can also accept a user-defined function that determines whether the value should be overwritten or not.
Returns this.
AxiosHeaders#get(header)
get(headerName: string, matcher?: true | AxiosHeaderMatcher): AxiosHeaderValue;
get(headerName: string, parser: RegExp): RegExpExecArray | null;
Returns the internal value of the header. It can take an extra argument to parse the header's value with RegExp.exec,
matcher function or internal key-value parser.
1const headers = new AxiosHeaders({ 2 'Content-Type': 'multipart/form-data; boundary=Asrf456BGe4h' 3}); 4 5console.log(headers.get('Content-Type')); 6// multipart/form-data; boundary=Asrf456BGe4h 7 8console.log(headers.get('Content-Type', true)); // parse key-value pairs from a string separated with \s,;= delimiters: 9// [Object: null prototype] { 10// 'multipart/form-data': undefined, 11// boundary: 'Asrf456BGe4h' 12// } 13 14 15console.log(headers.get('Content-Type', (value, name, headers) => { 16 return String(value).replace(/a/g, 'ZZZ'); 17})); 18// multipZZZrt/form-dZZZtZZZ; boundZZZry=Asrf456BGe4h 19 20console.log(headers.get('Content-Type', /boundary=(\w+)/)?.[0]); 21// boundary=Asrf456BGe4h 22
Returns the value of the header.
AxiosHeaders#has(header, matcher?)
has(header: string, matcher?: AxiosHeaderMatcher): boolean;
Returns true if the header is set (has no undefined value).
AxiosHeaders#delete(header, matcher?)
delete(header: string | string[], matcher?: AxiosHeaderMatcher): boolean;
Returns true if at least one header has been removed.
AxiosHeaders#clear(matcher?)
clear(matcher?: AxiosHeaderMatcher): boolean;
Removes all headers.
Unlike the delete method matcher, this optional matcher will be used to match against the header name rather than the value.
1const headers = new AxiosHeaders({ 2 'foo': '1', 3 'x-foo': '2', 4 'x-bar': '3', 5}); 6 7console.log(headers.clear(/^x-/)); // true 8 9console.log(headers.toJSON()); // [Object: null prototype] { foo: '1' }
Returns true if at least one header has been cleared.
AxiosHeaders#normalize(format);
If the headers object was changed directly, it can have duplicates with the same name but in different cases.
This method normalizes the headers object by combining duplicate keys into one.
Axios uses this method internally after calling each interceptor.
Set format to true for converting headers name to lowercase and capitalize the initial letters (cOntEnt-type => Content-Type)
1const headers = new AxiosHeaders({ 2 'foo': '1', 3}); 4 5headers.Foo = '2'; 6headers.FOO = '3'; 7 8console.log(headers.toJSON()); // [Object: null prototype] { foo: '1', Foo: '2', FOO: '3' } 9console.log(headers.normalize().toJSON()); // [Object: null prototype] { foo: '3' } 10console.log(headers.normalize(true).toJSON()); // [Object: null prototype] { Foo: '3' }
Returns this.
AxiosHeaders#concat(...targets)
concat(...targets: Array<AxiosHeaders | RawAxiosHeaders | string | undefined | null>): AxiosHeaders;
Merges the instance with targets into a new AxiosHeaders instance. If the target is a string, it will be parsed as RAW HTTP headers.
Returns a new AxiosHeaders instance.
AxiosHeaders#toJSON(asStrings?)
toJSON(asStrings?: boolean): RawAxiosHeaders;
Resolve all internal headers values into a new null prototype object.
Set asStrings to true to resolve arrays as a string containing all elements, separated by commas.
AxiosHeaders.from(thing?)
from(thing?: AxiosHeaders | RawAxiosHeaders | string): AxiosHeaders;
Returns a new AxiosHeaders instance created from the raw headers passed in,
or simply returns the given headers object if it's an AxiosHeaders instance.
AxiosHeaders.concat(...targets)
concat(...targets: Array<AxiosHeaders | RawAxiosHeaders | string | undefined | null>): AxiosHeaders;
Returns a new AxiosHeaders instance created by merging the target objects.
Shortcuts
The following shortcuts are available:
-
setContentType,getContentType,hasContentType -
setContentLength,getContentLength,hasContentLength -
setAccept,getAccept,hasAccept -
setUserAgent,getUserAgent,hasUserAgent -
setContentEncoding,getContentEncoding,hasContentEncoding
🔥 Fetch adapter
Fetch adapter was introduced in v1.7.0. By default, it will be used if xhr and http adapters are not available in the build,
or not supported by the environment.
To use it by default, it must be selected explicitly:
1const {data} = axios.get(url, { 2 adapter: 'fetch' // by default ['xhr', 'http', 'fetch'] 3})
You can create a separate instance for this:
1const fetchAxios = axios.create({ 2 adapter: 'fetch' 3}); 4 5const {data} = fetchAxios.get(url);
The adapter supports the same functionality as xhr adapter, including upload and download progress capturing.
Also, it supports additional response types such as stream and formdata (if supported by the environment).
Semver
Until axios reaches a 1.0 release, breaking changes will be released with a new minor version. For example 0.5.1, and 0.5.4 will have the same API, but 0.6.0 will have breaking changes.
Promises
axios depends on a native ES6 Promise implementation to be supported. If your environment doesn't support ES6 Promises, you can polyfill.
TypeScript
axios includes TypeScript definitions and a type guard for axios errors.
1let user: User = null; 2try { 3 const { data } = await axios.get('/user?ID=12345'); 4 user = data.userDetails; 5} catch (error) { 6 if (axios.isAxiosError(error)) { 7 handleAxiosError(error); 8 } else { 9 handleUnexpectedError(error); 10 } 11}
Because axios dual publishes with an ESM default export and a CJS module.exports, there are some caveats.
The recommended setting is to use "moduleResolution": "node16" (this is implied by "module": "node16"). Note that this requires TypeScript 4.7 or greater.
If use ESM, your settings should be fine.
If you compile TypeScript to CJS and you can’t use "moduleResolution": "node 16", you have to enable esModuleInterop.
If you use TypeScript to type check CJS JavaScript code, your only option is to use "moduleResolution": "node16".
Online one-click setup
You can use Gitpod, an online IDE(which is free for Open Source) for contributing or running the examples online.
Resources
Credits
axios is heavily inspired by the $http service provided in AngularJS. Ultimately axios is an effort to provide a standalone $http-like service for use outside of AngularJS.
License
High
0/10
Summary
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
Affected Versions
< 0.30.0
Patched Versions
0.30.0
High
0/10
Summary
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
Affected Versions
>= 1.0.0, < 1.8.2
Patched Versions
1.8.2
High
7.5/10
Summary
axios Inefficient Regular Expression Complexity vulnerability
Affected Versions
< 0.21.2
Patched Versions
0.21.2
High
0/10
Summary
Server-Side Request Forgery in axios
Affected Versions
>= 1.3.2, <= 1.7.3
Patched Versions
1.7.4
High
7.5/10
Summary
Denial of Service in axios
Affected Versions
<= 0.18.0
Patched Versions
0.18.1
Moderate
6.5/10
Summary
Axios Cross-Site Request Forgery Vulnerability
Affected Versions
>= 0.8.1, < 0.28.0
Patched Versions
0.28.0
Moderate
6.5/10
Summary
Axios Cross-Site Request Forgery Vulnerability
Affected Versions
>= 1.0.0, < 1.6.0
Patched Versions
1.6.0
Moderate
5.9/10
Summary
Axios vulnerable to Server-Side Request Forgery
Affected Versions
< 0.21.1
Patched Versions
0.21.1
Reason
30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 27 commits out of 28 are checked with a SAST tool
Reason
Found 12/23 approved changesets -- score normalized to 5
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Warn: no linked content found
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/ci.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/ci.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/ci.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/ci.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/codeql-analysis.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/codeql-analysis.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/codeql-analysis.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/depsreview.yaml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/depsreview.yaml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/depsreview.yaml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/depsreview.yaml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/labeler.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/labeler.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/labeler.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/labeler.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/notify.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/notify.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-tag.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/npm-tag.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-tag.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/npm-tag.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-guard.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/pr-guard.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-guard.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/pr-guard.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/pr.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/pr.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/pr.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/pr.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/pr.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/pr.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/publish.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/publish.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/publish.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/publish.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/publish.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/publish.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/publish.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/publish.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sponsors.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/sponsors.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sponsors.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/sponsors.yml/v1.x?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sponsors.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/sponsors.yml/v1.x?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/axios/axios/stale.yml/v1.x?enable=pin
- Info: 0 out of 22 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 13 third-party GitHubAction dependencies pinned
- Info: 6 out of 6 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:24
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:25
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/labeler.yml:13
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/npm-tag.yml:14
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/publish.yml:15
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:18
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/depsreview.yaml:5
- Warn: no topLevel permission defined: .github/workflows/labeler.yml:1
- Warn: no topLevel permission defined: .github/workflows/notify.yml:1
- Warn: no topLevel permission defined: .github/workflows/npm-tag.yml:1
- Warn: no topLevel permission defined: .github/workflows/pr-guard.yml:1
- Warn: no topLevel permission defined: .github/workflows/pr.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish.yml:1
- Warn: no topLevel permission defined: .github/workflows/sponsors.yml:1
- Warn: no topLevel permission defined: .github/workflows/stale.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
34 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-wm7h-9275-46v2
- Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-75v8-2h7p-7m2m
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-44c6-4v22-4mhx
- Warn: Project is vulnerable to: GHSA-4x5v-gmq8-25ch
- Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
- Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9
- Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-cchq-frgv-rjh5
- Warn: Project is vulnerable to: GHSA-g644-9gfx-q4q4
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
5.3
/10
Last Scanned on 2025-05-05
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More