Node-fetch is a lightweight module bringing the familiar window.fetch API to Node.js, allowing developers to make HTTP requests in a consistent manner across both browser and server environments. Comparing versions 2.1.0 and 2.0.0, developers will find subtle yet important distinctions. Most notably, version 2.1.0 introduces a fileCount and unpackedSize property within its dist metadata, offering insights into the package's composition. While the core functionality remains largely the same, this addition can be beneficial for those concerned with package size and installation efficiency, especially within resource-constrained environments.
The development dependencies, encompassing tools for testing, code coverage, and building, remain identical between the versions, including crucial libraries like Babel, Chai, Mocha, and Rollup. This consistency underscores the commitment to maintaining a robust and well-tested codebase. Both versions use the MIT license, giving developers the freedom to use, modify, and distribute the package. The repository URL also remains constant, linking back to the official GitHub repository for contributions and issue tracking. The releaseDate indicates that version 2.1.0 was released approximately a month after version 2.0.0, suggesting an incremental update, possibly addressing bug fixes or minor improvements. Notably, version 2.1.0 includes a direct link to the tarball package in its metadata, making it easier to use with automated tools.
All vulnerabilities related to version 2.1.0 of the package
The size option isn't honored after following a redirect in node-fetch

Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
We released patched versions for both stable and beta channels: v2: 2.6.1, v3: 3.0.0-beta.9. No workaround is available; it is strongly recommended to update as soon as possible.
If you have any questions or comments about this advisory:
node-fetch forwards secure headers to untrusted sites

node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.
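The defensive rule implied by this advisory is that credential-bearing headers should only follow a redirect when the target shares the original request's origin. The following is an added example (not node-fetch's code) of that decision as a standalone function: headersForRedirect resolves the Location value against the original URL, compares origins, and drops the four headers named in the advisory when the origins differ. The header set, URLs and sample headers are constructed for the illustration; the function name and its return shape are this example's own.

```javascript
// Added example (not node-fetch's code): decide which request headers may
// travel with a redirect. Credentials are forwarded only when the redirect
// target shares the original request's origin (scheme + host + port).

// The headers named in the advisory, compared case-insensitively.
const SENSITIVE_HEADERS = new Set(['authorization', 'www-authenticate', 'cookie', 'cookie2']);

// originalUrl: the URL the request was sent to.
// locationHeader: the Location response header (absolute or relative).
// headers: plain object of request headers about to be replayed.
function headersForRedirect(originalUrl, locationHeader, headers) {
  const from = new URL(originalUrl);
  const to = new URL(locationHeader, from); // relative Location resolves against the original
  const sameOrigin = from.origin === to.origin;
  const forwarded = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!sameOrigin && SENSITIVE_HEADERS.has(key)) {
      dropped.push(key); // log these: a cross-origin redirect tried to carry a secret
      continue;
    }
    forwarded[name] = value;
  }
  return { url: to.href, sameOrigin, headers: forwarded, dropped };
}

// Constructed sample: an authenticated API call answered with a redirect to a
// different host. The bearer token must not be replayed there.
const constructedRequestHeaders = {
  Authorization: 'Bearer constructed-token',
  Cookie: 'session=constructed',
  Accept: 'application/json',
};

console.log(headersForRedirect('https://api.example.test/v1/report',
  'https://other.example.net/landing', constructedRequestHeaders));
```

This is the policy a consumer can apply itself by requesting with node-fetch's redirect: 'manual' option and re-issuing the request to the Location target with the filtered header set, instead of letting the library replay every header automatically.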