Method-override versions 2.0.0 and 2.0.1 are minor releases of a middleware package designed to enable HTTP verb overriding in web applications, particularly useful when working with clients or proxies that don't fully support all HTTP methods like PUT or DELETE. Both versions share the same core functionality of allowing developers to simulate HTTP methods beyond the standard GET and POST by inspecting request headers, query parameters, or request bodies.
The primary difference between the two is in their dependencies. While both rely on parseurl at version 1.0.1 and share the same development dependencies (mocha, istanbul, and supertest) for testing and code coverage, version 2.0.1 updates the methods dependency from version 1.0.0 to 1.0.1. This seemingly small update likely includes minor bug fixes or improvements within the methods package, which defines standard HTTP methods.
For developers, both versions offer a straightforward way to extend an application's handling of HTTP verbs, which helps with RESTful API design and with supporting diverse client environments. The MIT license grants developers broad freedom to use, modify, and distribute the package. When upgrading from 2.0.0 to 2.0.1, developers should confirm compatibility with the updated methods package, although the changes are likely minimal and non-breaking. Regular updates ensure you are using the latest bug fixes and improvements. Developers who want to keep the existing behavior can stay on 2.0.0. Both versions are hosted on GitHub, making it easy to contribute to the project.
All the vulnerabilities related to version 2.0.1 of the package
method-override ReDoS when untrusted user input passed into X-HTTP-Method-Override header
Affected versions of method-override are vulnerable to a regular expression denial of service vulnerability when untrusted user input is passed into the X-HTTP-Method-Override header.
Update to version 2.3.10 or later
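As an added illustration of the header-parsing point above (this is not the method-override package's own code, and the page does not describe the vulnerable pattern itself), the following framework-agnostic override resolver bounds the header length before doing any parsing, uses only linear-time string operations, and accepts only an allowlisted verb. The allowlist, the 32-byte limit, the POST-only rule, and the comma-separated handling are assumptions made for this example.

```javascript
// Added example (not method-override's own code): a Connect-style middleware
// that resolves an HTTP method override from the X-HTTP-Method-Override header
// with a bounded input size and linear-time string operations, so header
// parsing cannot become the expensive step a ReDoS relies on.

// Assumption: the verbs an override may select. An allowlist means arbitrary
// header content never reaches req.method.
const ALLOWED_OVERRIDES = new Set(['PUT', 'PATCH', 'DELETE']);

// Assumption: no legitimate override value is longer than this. Rejecting
// oversized input before any parsing bounds the work done per request.
const MAX_HEADER_LENGTH = 32;

// Returns the effective method for a request-like object, or the original
// method when no valid override applies. Only POST may be overridden
// (assumption, matching the verb-tunnelling use case described above).
function resolveMethod(req) {
  const original = String(req.method || '').toUpperCase();
  if (original !== 'POST') return original;
  const raw = req.headers && req.headers['x-http-method-override'];
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_HEADER_LENGTH) {
    return original;
  }
  // Take only the first token: a proxy may append ",<method>" (assumption).
  // indexOf/slice/trim are linear in the already-bounded input length.
  const comma = raw.indexOf(',');
  const token = (comma === -1 ? raw : raw.slice(0, comma)).trim().toUpperCase();
  return ALLOWED_OVERRIDES.has(token) ? token : original;
}

// Connect/Express-style middleware: rewrites req.method in place and keeps
// the original verb for logging and auditing.
function methodOverride(req, res, next) {
  const effective = resolveMethod(req);
  if (effective !== req.method) {
    req.originalMethod = req.method;
    req.method = effective;
  }
  next();
}

// Constructed sample request (not real traffic).
const sample = { method: 'POST', headers: { 'x-http-method-override': 'delete' } };
methodOverride(sample, {}, () => {});
console.log(sample.method, sample.originalMethod); // DELETE POST
```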