fix: replace deprecated unescape() with modern UTF-8 encoding#7378
Merged
jasonsaayman merged 5 commits intoaxios:v1.xfrom Apr 28, 2026
Merged
Conversation
- Replace deprecated unescape(encodeURIComponent()) pattern with a regex-based encodeUTF8() helper function in resolveConfig.js - Fix incorrect JSDoc comment for isFileList in utils.js (said 'File' instead of 'FileList') The new encodeUTF8 function produces identical output to the deprecated pattern, verified against existing basicAuth.spec.js test expectations.
Contributor
There was a problem hiding this comment.
1 issue found across 2 files
Confidence score: 4/5
- Potential crash for non‑Latin1 usernames in
lib/helpers/resolveConfig.jswhen creating the Authorization header viabtoa, which could affect users with UTF‑8 credentials. - Overall risk is low since it’s a single moderate issue with limited scope, but it is user‑facing for non‑ASCII logins.
- Pay close attention to
lib/helpers/resolveConfig.js- ensure username is UTF‑8 encoded beforebtoato avoid crashes.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="lib/helpers/resolveConfig.js">
<violation number="1" location="lib/helpers/resolveConfig.js:35">
P2: `btoa` throws on non‑Latin1 characters; since `auth.username` is passed through unchanged, non‑Latin1 usernames will crash during Authorization header creation. Encode the username to UTF‑8 bytes as well to avoid runtime failures.</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Ask questions if you need clarification on any suggestion
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
jasonsaayman
approved these changes
Apr 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The new encodeUTF8 function produces identical output to the deprecated pattern, verified against existing basicAuth.spec.js test expectations.
Summary by cubic
Replaced deprecated unescape(encodeURIComponent()) with a modern UTF‑8 encoder for Basic Auth, and fixed the JSDoc for isFileList. No behavior change.
Description
Testing
Written for commit 91a4aa5. Summary will update on new commits. Review in cubic