Node-fetch is a lightweight module that brings the window.fetch API, familiar to browser-based JavaScript developers, to the Node.js environment. This allows for making web requests in a consistent manner across both client-side and server-side JavaScript. Versions 2.1.0 and 2.1.1 are very similar, suggesting a minor patch rather than a significant feature release.
Both versions share the same core functionality, description, dependencies and development dependencies, indicating no major API changes or added features between them. The development dependencies listed are tools primarily used for testing, code coverage, and building the library itself. Developers integrating the library into their projects don't need to worry about these, as they relate to the internal development process of node-fetch.
The discernible differences lie in the dist object. Version 2.1.1 shows a slight increase in unpackedSize (98310 bytes vs 98268 bytes in 2.1.0), indicating a small change in the code, likely a bug fix or minor improvement. The releaseDate also differs: version 2.1.1 was released approximately 3 minutes after version 2.1.0, which further reinforces the idea of a critical bug fix that needed to be rolled out quickly. Unless you are encountering a specific issue addressed in the patch, upgrading is not strictly necessary but is generally recommended for the stability and reliability of the library. The fileCount for both versions remains at 9.
All the vulnerabilities related to version 2.1.1 of the package:

The size option isn't honored after following a redirect in node-fetch

Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
We released patched versions for both stable and beta channels:
v2: 2.6.1
v3: 3.0.0-beta.9
There is no workaround; it is strongly recommended to update as soon as possible.
If you have any questions or comments about this advisory:

node-fetch forwards secure headers to untrusted sites

node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.