PRE_RELEASE_CHANGELOG.md
zstd is only advertised in the default Accept-Encoding header when transitional.advertiseZstdAcceptEncoding: true is set. (#6792)params and paramsSerializer values when resolving request config, preventing prototype-pollution gadgets from changing serialized URLs. (#10922)Request and preserving config.auth precedence. (#10896)name: 'CanceledError' declaration to CommonJS CanceledError typings to match the ESM declarations. (#10922)isCancel type guard to narrow cancellation errors to CanceledError<T>, matching the ESM declaration. (#10952)config.auth are now restored on same-origin redirects, fixing a regression caused by follow-redirects >= 1.15.8 that broke POST requests answered with a 303 Location. Cross-origin redirects continue to drop credentials, preserving the existing T-R2 mitigation in THREATMODEL.md. (#6929)httpsAgent TLS options such as ca and rejectUnauthorized for HTTPS origins reached through a CONNECT proxy tunnel. (#10953)socketPath and allowedSocketPaths config values when building Node.js requests, preventing prototype-pollution SSRF via Unix sockets. (#10901)Content-Type header for React Native FormData requests so Android can build multipart bodies with the correct boundary. (#10898)transformRequest. (#6392)