fix(http): decode URL basic auth credentials #10825
Merged
jasonsaayman merged 4 commits into axios:v1.x from Apr 30, 2026
1 issue found across 2 files
Confidence score: 3/5
- There is a concrete behavior risk in lib/adapters/http.js: unconditional URL credential decoding can throw on malformed percent-escapes, which can break request setup for affected inputs.
- This lands as moderate merge risk because the issue is user-facing and high-confidence, even though it appears scoped to a specific parsing edge case rather than broad functionality.
- Pay close attention to lib/adapters/http.js - guard or safely handle credential decoding errors so malformed URLs do not cause unexpected setup failures or error-type changes.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="lib/adapters/http.js">
<violation number="1" location="lib/adapters/http.js:642">
P2: Unconditionally decoding URL credentials can throw on malformed percent escapes, breaking request setup and changing the error type.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
jasonsaayman
approved these changes
Apr 30, 2026
Summary
Decodes username and password values parsed from URL userinfo before passing them to Node's HTTP auth option.
This fixes Basic auth credentials such as my%40email.com:pass@host being sent as my%40email.com:pass instead of my@email.com:pass.
Closes #5158.
Validation
- npm run test:vitest:unit -- tests/unit/adapters/http.test.js
- git diff --check
- npx eslint lib/adapters/http.js tests/unit/adapters/http.test.js
Summary by cubic
Decodes URL-encoded Basic Auth credentials in request URLs and guards against malformed encodings. The Authorization header now uses decoded values without throwing on bad input.
Description
parsed.username and parsed.password with a new decodeURIComponentSafe helper before composing the auth option in the Node HTTP adapter.
Docs
/docs/ that URL-encoded credentials in request URLs are decoded in the Node HTTP adapter, and malformed encodings are left as-is.
Testing
Semantic version impact
Written for commit f4e3955. Summary will update on new commits.
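The behaviour discussed in this PR, as an added example that is not the axios patch or the project's own helper: WHATWG `URL` keeps userinfo percent-encoded, and a guarded decode returns malformed escapes unchanged instead of throwing. The names `safeDecode` and `basicAuthFromUrl` are hypothetical, and the sample URLs are constructed.

```javascript
// Added example; safeDecode and basicAuthFromUrl are hypothetical names,
// not axios internals.

// decodeURIComponent throws URIError on malformed escapes such as "%ZZ" or a
// bare "%". Fall back to the raw string so request setup does not fail and
// the caller does not see a new error type.
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch (err) {
    if (err instanceof URIError) return value;
    throw err;
  }
}

// Build the "user:pass" string and the Basic Authorization header for a URL
// that carries credentials in its userinfo part.
function basicAuthFromUrl(rawUrl) {
  const parsed = new URL(rawUrl);
  if (!parsed.username && !parsed.password) return null;
  // parsed.username is still percent-encoded here: "my%40email.com".
  const user = safeDecode(parsed.username);
  const pass = safeDecode(parsed.password);
  const auth = `${user}:${pass}`;
  return {
    raw: `${parsed.username}:${parsed.password}`, // what was sent before decoding
    auth,                                         // what should be sent
    header: 'Basic ' + Buffer.from(auth, 'utf8').toString('base64'),
  };
}

// Constructed sample inputs.
const samples = [
  'http://my%40email.com:pass@host.example/', // encoded "@" in the username
  'http://user:p%ZZss@host.example/',         // malformed escape, left as-is
  // RFC 7617 splits at the first ":", so a decoded ":" in the password is fine.
  'http://user:p%3Ass@host.example/',
];
for (const s of samples) console.log(s, '->', basicAuthFromUrl(s));
```
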