fix: gadgets and smaller issues

[jasonsaayman]

Summary by cubic

Improves security and robustness across request handling and errors. Adds opt-in config.redact for masking in AxiosError#toJSON, introduces Node-only formDataHeaderPolicy (default 'legacy') to control FormData#getHeaders() copying, enforces streamed maxContentLength and upload maxBodyLength, and hardens proxy/cookie/merge behaviors.

Description

• Summary of changes
  • Added redact?: string[] to request config; AxiosError#toJSON masks matching keys (case-insensitive, deep, arrays, AxiosHeaders, cycle-safe; does not mutate the original config).
  • Added Node-only formDataHeaderPolicy?: 'legacy' | 'content-only'; policy applied in resolve and Node http adapter to control which FormData#getHeaders() values are copied.
  • Hardened Node http adapter: own‑prop reads for proxy fields and nested auth, preserve user Host while ignoring polluted prototypes, strip stale Proxy-Authorization on redirects that end up without a proxy, and handle malformed userinfo; apply header policy when sending FormData.
  • Enforced maxContentLength on streamed responses and maxBodyLength on uploads (Node and fetch).
  • Improved NO_PROXY by normalizing IPv4‑mapped IPv6 addresses (dotted and hex forms).
  • Cookies: split on ;, exact-name matching, support separators without spaces; avoids regex interpolation.
  • Safer merges and descriptors: null‑proto config with own hasOwnProperty; null‑proto defineProperty descriptors for adapter metadata and AxiosHeaders accessors to block polluted get/set traps.
• Reasoning
  • Close prototype‑pollution gadgets, prevent proxy auth/header leaks on redirects, provide safe error redaction, and let users restrict copied FormData headers.
• Additional context
  • Types updated in index.d.ts/index.d.cts. README and advanced docs updated. Defaults preserve v1 behavior (formDataHeaderPolicy: 'legacy'). No intended breaking runtime changes.

Docs

• Update /docs/ with config.redact usage and formDataHeaderPolicy details (default 'legacy', 'content-only' copies only Content-Type/Content-Length). Ensure site rebuild reflects README and advanced guides.

Testing

• Added/updated tests:
  • Proxy safety: own‑prop reads, Host preservation, stale Proxy-Authorization stripping, malformed credentials handling.
  • Redaction: arrays, deep objects, AxiosHeaders, cycles, non‑mutation.
  • NO_PROXY: IPv4‑mapped IPv6 normalization (dotted and hex).
  • Cookies: exact-name reads, separators without spaces, regex‑metacharacter names.
  • Size limits: streamed responses and uploads (Node and fetch).
  • FormData: CRLF injection resistance and header policy behavior.
  • Prototype‑pollution coverage across config, adapters, headers, merge, descriptors, and utils.
• No further tests needed.

Semantic version impact

Minor: backward‑compatible features and fixes. Adds config.redact and Node formDataHeaderPolicy (default preserves v1 behavior).

^{Written for commit 58816ea. Summary will update on new commits.}

[cubic-dev-ai]

2 issues found across 19 files

Confidence score: 3/5

• There is a concrete regression risk in lib/core/AxiosError.js: the redaction traversal can break existing toJSONObject behavior for values with toJSON (like Date), which may cause serialized config data loss when config.redact is enabled.
• The issue is moderately severe (6/10) with high confidence, so this is not a merge-blocker by itself, but it does introduce meaningful user-impacting behavior change that should be reviewed before relying on redacted serialization paths.
• tests/unit/prototypePollution.test.js appears to have a coverage gap (missing customNested in the source object), so the inherited-read scenario described by the test is not actually being validated.
• Pay close attention to lib/core/AxiosError.js and tests/unit/prototypePollution.test.js - preserve toJSON serialization semantics during redaction and ensure the inherited-read test path is truly exercised.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/core/AxiosError.js">

<violation number="1" location="lib/core/AxiosError.js:27">
P2: Redaction traversal breaks existing `toJSONObject` semantics for objects with `toJSON` (e.g., `Date`), causing serialized config data loss when `config.redact` is used.</violation>
</file>

<file name="tests/unit/prototypePollution.test.js">

<violation number="1" location="tests/unit/prototypePollution.test.js:996">
P3: This test never exercises the inherited-read path it describes because `customNested` is missing from the source object.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[jasonsaayman]

@cubic-dev-ai please review in depth again!

[cubic-dev-ai]

@cubic-dev-ai please review in depth again!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

1 issue found across 23 files

Confidence score: 4/5

• This PR is likely safe to merge with minimal risk, since the only reported issue is moderate severity (5/10) and scoped to cookie parsing behavior.
• In lib/helpers/cookies.js, splitting document.cookie on '; ' is brittle; browsers that emit ';' without a space may cause cookie reads to fail for some users.
• Pay close attention to lib/helpers/cookies.js - cookie parsing should tolerate semicolons with or without trailing spaces.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/helpers/cookies.js">

<violation number="1" location="lib/helpers/cookies.js:37">
P2: Splitting `document.cookie` by `'; '` is too strict and can fail to read cookies when the browser omits the space after semicolons.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[jasonsaayman]

@cubic-dev-ai one last pass please with the highest effort!

[cubic-dev-ai]

@cubic-dev-ai one last pass please with the highest effort!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

1 issue found across 23 files

Confidence score: 4/5

• This PR looks safe to merge overall: the reported issue is low-to-moderate severity (4/10) and appears limited to address normalization edge cases rather than broad functionality breaks.
• The main risk is in lib/helpers/shouldBypassProxy.js, where strict IPv4-mapped IPv6 regex handling may miss zero-padded expanded equivalents and cause NO_PROXY mismatches for logically identical addresses.
• Pay close attention to lib/helpers/shouldBypassProxy.js - IPv4-mapped IPv6 normalization may fail for expanded/zero-padded forms, leading to proxy bypass behavior inconsistencies.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/helpers/shouldBypassProxy.js">

<violation number="1" location="lib/helpers/shouldBypassProxy.js:96">
P2: The IPv4-mapped IPv6 regexes are too strict and fail to normalize zero-padded expanded forms, which can cause NO_PROXY mismatches for equivalent addresses.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[jasonsaayman]

@cubic-dev-ai one last run through and check please!

[cubic-dev-ai]

@cubic-dev-ai one last run through and check please!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

1 issue found across 23 files

Confidence score: 3/5

• There is a concrete medium-severity risk in lib/core/AxiosError.js: reading config.redact without an own-property check could execute prototype-chain getters during error serialization.
• Given the 6/10 severity and 8/10 confidence, this is likely user-impacting in edge cases and introduces regression/security-adjacent behavior, so the merge risk is moderate rather than minimal.
• Pay close attention to lib/core/AxiosError.js - ensure config.redact is accessed via an own-property check to prevent unintended getter execution from the prototype chain.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/core/AxiosError.js">

<violation number="1" location="lib/core/AxiosError.js:116">
P2: Read `config.redact` via an own-property check to avoid prototype-chain getter execution during error serialization.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[jasonsaayman]

@cubic-dev-ai please check again, do a full review in depth!

[cubic-dev-ai]

@cubic-dev-ai please check again, do a full review in depth!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

1 issue found across 23 files

Confidence score: 2/5

• There is a high-confidence, medium-high severity issue in lib/core/AxiosError.js where prototype-chain toJSON detection can bypass masking logic, creating a real regression risk for redaction behavior.
• Because this can expose data that should be redacted (especially if Object.prototype.toJSON is polluted), the impact is security-sensitive and not just cosmetic.
• Given the concrete user-impacting risk (severity 7/10, confidence 8/10), this is better treated as high risk until the own-prototype check is enforced.
• Pay close attention to lib/core/AxiosError.js - ensure toJSON checks are own-prototype based so masking cannot be short-circuited by prototype pollution.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/core/AxiosError.js">

<violation number="1" location="lib/core/AxiosError.js:36">
P1: Prototype-chain `toJSON` detection can bypass redaction for non-plain objects. Use an own-prototype check so polluted `Object.prototype.toJSON` does not short-circuit masking.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[jasonsaayman]

@cubic-dev-ai please give the full pr another in depth review

[cubic-dev-ai]

@cubic-dev-ai please give the full pr another in depth review

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

2 issues found across 23 files

Confidence score: 3/5

• There is some real merge risk: lib/core/AxiosError.js has a medium-severity, high-confidence concern where redaction output should use a null-prototype object to avoid prototype-setter traps when copying keys.
• lib/helpers/shouldBypassProxy.js may incorrectly handle IPv4-mapped IPv6 compressed forms, so equivalent addresses can fail NO_PROXY matching and cause unexpected proxy bypass behavior.
• Given one concrete correctness issue and one defensive-hardening gap (both with high confidence), this looks manageable but not entirely low-risk.
• Pay close attention to lib/core/AxiosError.js and lib/helpers/shouldBypassProxy.js - redaction object safety and IPv6/NO_PROXY equivalence handling need careful validation.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/core/AxiosError.js">

<violation number="1" location="lib/core/AxiosError.js:59">
P2: Use a null-prototype object for redaction output to avoid prototype-setter traps when copying keys.</violation>
</file>

<file name="lib/helpers/shouldBypassProxy.js">

<violation number="1" location="lib/helpers/shouldBypassProxy.js:96">
P2: The IPv4-mapped IPv6 regex is too narrow and misses valid compressed forms, which can cause NO_PROXY host comparisons to fail for equivalent addresses.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[jasonsaayman]

@cubic-dev-ai please review in depth again!

[cubic-dev-ai]

@cubic-dev-ai please review in depth again!

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

No issues found across 23 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.