Node-fetch version 2.0.0 marks a significant update from version 1.7.3, introducing key changes that developers should be aware of. While both versions aim to bring the window.fetch API to Node.js, version 2.0.0 drops the direct dependency on the encoding and is-stream packages, streamlining the core dependencies. Instead, it leverages newer language features and development tools, evident in the introduction of Babel for code transformation and Rollup for bundling. This shift suggests a modernization of the codebase, potentially leading to improved performance and maintainability.
The update also introduces several new development dependencies such as whatwg-url and url-search-params, hinting at enhanced URL parsing capabilities. Developers upgrading should note that bluebird has been removed in favor of native promises, which may affect existing promise-related code and require adjustments. The change in the repository URL from git+https to https in version 2.0.0 is minor but reflects a refinement of the package metadata. Overall, the move to version 2.0.0 signals a transition towards a more modern JavaScript development workflow, potentially offering developers a more robust and feature-rich fetch implementation at the cost of some migration adjustments.
All vulnerabilities related to version 2.0.0 of the package
The size option isn't honored after following a redirect in node-fetch
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a certain size, the impact could be significant. For example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
We released patched versions for both stable and beta channels:
v2: 2.6.1
v3: 3.0.0-beta.9
There are no workarounds; it is strongly recommended to update as soon as possible.
If you have any questions or comments about this advisory:
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.
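As an added example (not node-fetch's own code) covering both advisories above: a post-fetch size check that enforces a byte limit while the body is read, regardless of whether the size option was applied after a redirect, and a helper that drops authorization, www-authenticate, cookie and cookie2 before a request follows a redirect to a different origin. Function names, the plain-object header format and the sample body are assumptions made for this illustration.

```javascript
// Added example, not node-fetch's own code. Works on plain Node objects
// (any async iterable of Buffers as the body) so it runs offline.

// Headers the advisory lists as forwarded across redirects to untrusted hosts.
const SENSITIVE_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// True when the redirect target is a different origin (scheme + host + port)
// from the URL the request started on; credentials should not follow it.
function isCrossOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol !== b.protocol || a.hostname !== b.hostname || a.port !== b.port;
}

// Returns a copy of `headers` (plain object, any key casing) with the
// sensitive entries removed when the redirect leaves the original origin.
function headersForRedirect(headers, fromUrl, toUrl) {
  if (!isCrossOrigin(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Reads a body and rejects as soon as more than `maxBytes` have arrived, so
// the limit holds even if fetch()'s `size` option was dropped on a redirect.
// Throwing inside for-await calls the iterator's return(), which destroys a
// Node Readable, so no further chunks are buffered.
async function readBodyWithLimit(body, maxBytes) {
  const chunks = [];
  let received = 0;
  for await (const chunk of body) {
    received += chunk.length;
    if (received > maxBytes) {
      throw new Error(`content size exceeds limit of ${maxBytes} bytes`);
    }
    chunks.push(chunk);
  }
  return Buffer.concat(chunks);
}

// Constructed sample body standing in for a response stream: 12 bytes in 3 chunks.
async function* sampleBody() {
  for (const part of ['node', '-fet', 'ch!!']) yield Buffer.from(part);
}
```

In real use, `body` would be the response body stream returned by fetch(), and `headersForRedirect` would be applied when building the follow-up request for a 3xx Location.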