Node-fetch is a lightweight module that brings the window.fetch API familiar to browser-based JavaScript to Node.js environments, enabling developers to make HTTP requests in a consistent way across platforms. Comparing versions 2.1.2 and 2.1.1, we see a relatively small increment, suggesting bug fixes or minor enhancements rather than significant feature additions. Both versions share the same core description, dependencies, development dependencies, license (MIT), and repository information, indicating a stable and well-maintained project. The author remains David Frank across both versions.
Looking at the differences, the most obvious change lies in the dist object. Version 2.1.2 comes packaged in a tarball (node-fetch-2.1.2.tgz) with an unpacked size of 100225 bytes and was released on March 25, 2018. Version 2.1.1 (node-fetch-2.1.1.tgz) has a slightly smaller unpacked size of 98310 bytes and was released earlier, on March 5, 2018; both share a file count of 9. This increase in size, though small, could indicate added functionality, improved error handling, or internal code refinements. Developers should review the changelog (typically available on the project's GitHub page) to understand the specific changes introduced in version 2.1.2. Furthermore, the release date of 2.1.2 marks it as the more recent iteration, potentially addressing issues discovered or community feedback received since the release of 2.1.1. For developers using node-fetch, upgrading is generally recommended to benefit from the latest improvements and fixes, but always test new versions in a non-production environment first to ensure compatibility.
All the vulnerabilities related to version 2.1.2 of the package
The size option isn't honored after following a redirect in node-fetch
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
We released patched versions for both stable and beta channels: v2: 2.6.1, v3: 3.0.0-beta.9. None; it is strongly recommended to update as soon as possible.
If you have any questions or comments about this advisory:
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.
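Both advisories above are failures to re-apply a check on the redirected hop. The following is an added example, not node-fetch's own code: a small redirect-following model that strips the four credential-bearing headers when the Location leaves the origin host (or its subdomains) and re-applies the byte limit on every hop. The hop objects and the `followChain` helper are constructed for illustration.

```javascript
// Added example (not node-fetch's code): defensive handling of redirects.
// Two checks a redirect-following client must apply on every hop:
//  1. credential-bearing headers are not forwarded to a different host;
//  2. the byte limit (node-fetch's `size` option) still applies after a redirect.
const SENSITIVE = new Set(['authorization', 'www-authenticate', 'cookie', 'cookie2']);

// True when targetHost is the origin host itself or a subdomain of it.
// The leading '.' prevents 'evilexample.com' from matching 'example.com'.
function isSameOrSubdomain(originHost, targetHost) {
  const o = originHost.toLowerCase();
  const t = targetHost.toLowerCase();
  return t === o || t.endsWith('.' + o);
}

// Headers to send on the redirected request. Sensitive headers are dropped
// when the Location points outside the origin host and its subdomains.
function headersForRedirect(originUrl, location, headers) {
  const origin = new URL(originUrl);
  const target = new URL(location, originUrl); // Location may be relative
  const sameSite = isSameOrSubdomain(origin.hostname, target.hostname);
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (SENSITIVE.has(key) && !sameSite) continue; // do not leak credentials
    kept[key] = value;
  }
  return { url: target.href, headers: kept };
}

// Simulated redirect chain (constructed input): each hop is
// { status, location?, body? }. The size limit is checked on the hop that
// finally delivers a body, wherever in the chain it sits; forgetting it on
// the redirected hop is the defect the first advisory describes.
function followChain(hops, { size = 0, headers = {} } = {}, originUrl) {
  let url = originUrl;
  let sent = headers;
  for (const hop of hops) {
    if (hop.status >= 300 && hop.status < 400 && hop.location) {
      ({ url, headers: sent } = headersForRedirect(url, hop.location, sent));
      continue;
    }
    if (size > 0 && hop.body.length > size) {
      throw new Error(`content size at ${url} over limit: ${size}`);
    }
    return { url, headers: sent, body: hop.body };
  }
  throw new Error('redirect chain did not end in a final response');
}
```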