Security defaults
SSRF protection, cross-origin header stripping, CRLF injection defense, prototype-pollution-safe merging, and 13 security defaults that prevent the class of CVEs found in axios.
Tree-shakeable
Named exports only, sideEffects: false, conditional dynamic import for Node TLS. Ship only what you use.
Universal runtime
Runs on Node 20+, Bun, Deno, and modern browsers. Uses globalThis.fetch everywhere with undici only for TLS overrides on Node.
Axios-portable
createClient, interceptors, request/response envelope, .get/.post/.put/.patch/.delete/.head/.options -- migrate from axios in minutes.
Validator extension
Opt-in runtime response validation via Standard Schema (Zod, Valibot, ArkType), .parse() objects, or plain functions. Zero validator runtime deps.
Upload and progress
FormData, auto-conversion from plain objects with File/Blob values, binary body pass-through, upload and download progress events.
Get started in 60 seconds
import { createClient } from '@parcely/core'
import { z } from 'zod'
const http = createClient({
baseURL: 'https://api.example.com',
headers: { Accept: 'application/json' },
timeout: 5000,
})
// Typed response with runtime validation
const User = z.object({ id: z.string(), name: z.string() })
const { data, status } = await http.get('/users/me', {
validate: User,
})
// data is typed as { id: string; name: string }
// Post with auto-serialised JSON body
await http.post('/users', { name: 'Mickey' })
// Upload with progress
const form = new FormData()
form.set('avatar', file)
await http.post('/upload', form, {
onUploadProgress: ({ percent }) => console.log(percent),
})