Information Exposure due to the handling of the Proxy-Authorization header across hosts #6313

Open
Shirley0001 opened this issue Mar 21, 2024 · 1 comment


@Shirley0001

Describe the issue

We encountered the following security issues:
Affected versions of this package are vulnerable to Information Exposure due to the handling of the Proxy-Authorization header across hosts. When using a dependent library, it only clears the authorization header during cross-domain redirects but allows the proxy-authentication header, which contains credentials, to persist. This behavior may lead to the unintended leakage of credentials if an attacker can trigger a cross-domain redirect and capture the persistent proxy-authentication header.
When will a new version be released to address this security issue?

Axios Version

@1.6.5

@justindhillon

This is handled in lib/adapters/http.js.

My first approach was to just delete Proxy-Authorization whenever we redirect:

function dispatchBeforeRedirect(options, responseDetails) {
  if (options.beforeRedirects.proxy) {
    options.beforeRedirects.proxy(options);
  }
  if (options.beforeRedirects.config) {
    options.beforeRedirects.config(options, responseDetails);
  }
  // Clear Proxy-Authorization header during cross-domain redirects
  delete options.headers['Proxy-Authorization'];
}

My second approach is to remove Proxy-Authorization from the headers, but then turn it into a variable returned by options, the same way it is implemented for authorization:

// HTTP basic authentication
let auth = undefined;
if (config.auth) {
  const username = config.auth.username || '';
  const password = config.auth.password || '';
  auth = username + ':' + password;
}

if (!auth && parsed.username) {
  const urlUsername = parsed.username;
  const urlPassword = parsed.password;
  auth = urlUsername + ':' + urlPassword;
}

auth && headers.delete('authorization');

Which way should I fix this security vulnerability?
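The header handling this issue asks for, as an added example that is not part of the comment above and is not axios code: on a redirect to a different origin, both `Authorization` and `Proxy-Authorization` are dropped, matched case-insensitively because HTTP header names are case-insensitive. The function name `redirectHeaders`, the choice to treat any change of scheme, host or port as cross-host, and the sample URLs and header values are assumptions made for illustration.

```javascript
'use strict';

// Credential-bearing headers named in this issue, stored lower-case for matching.
const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization']);

// Hypothetical helper: decide which headers may follow a redirect.
// fromUrl  - URL of the request that received the 3xx response
// location - value of the Location header (absolute or relative)
// headers  - plain object of outgoing request headers
function redirectHeaders(fromUrl, location, headers) {
  const from = new URL(fromUrl);
  const to = new URL(location, from); // resolves a relative Location
  // Assumption: a different scheme, host or port counts as cross-host.
  const crossHost = from.origin !== to.origin;

  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (crossHost && CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      dropped.push(name); // record the name only, never the secret value
    } else {
      kept[name] = value;
    }
  }
  return { url: to.href, crossHost, headers: kept, dropped };
}

// Constructed sample headers; the values are placeholders, not real credentials.
const SAMPLE_HEADERS = {
  Accept: 'application/json',
  Authorization: 'Bearer sample-token',
  'proxy-authorization': 'Basic c2FtcGxlOnNhbXBsZQ==', // "sample:sample"
};

// Runs the helper over three constructed redirects.
function demo() {
  const start = 'https://api.example.test/v1/a';
  return {
    same: redirectHeaders(start, '/v1/b', SAMPLE_HEADERS),
    cross: redirectHeaders(start, 'https://other.example.test/collect', SAMPLE_HEADERS),
    port: redirectHeaders(start, 'https://api.example.test:8443/v1/a', SAMPLE_HEADERS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `dropped` list gives a caller something to log when a redirect caused credentials to be removed, without writing the credential itself to the log.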
