Node-fetch version 2.2.0 refines the popular lightweight module that brings the familiar window.fetch API to Node.js, differing subtly but meaningfully from its predecessor, version 2.1.2. Both versions keep the core promise of an easy-to-use interface for making HTTP requests in Node.js with zero runtime dependencies. Under the hood, however, several development dependencies show distinctions worth noting.
The nyc coverage tool moves from version 11.4.1 to 11.9.0, reflecting likely improvements in test and coverage analysis during development. rollup, the JavaScript module bundler, sees a significant upgrade from 0.55.1 to 0.63.4, suggesting changes to the build process that could yield better performance or smaller bundles. Most notably, url-search-params is updated from 0.10.0 to 1.0.2, which points to changes in how URL parameters are handled. In terms of distribution, version 2.2.0 ships fewer files (8 vs 9) but a larger unpacked size (137549 vs 100225) than version 2.1.2, hinting at changes in packaging or more comprehensive documentation. The release dates also differ: 2.2.0 was released on July 22, 2018 and 2.1.2 on March 25, 2018. For developers, upgrading gives access to the newer build toolchain and dependency updates, which could improve stability and compatibility with other modern JavaScript tools, especially where URL handling is concerned.
All the vulnerabilities related to version 2.2.0 of the package
The size option isn't honored after following a redirect in node-fetch
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a certain size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
We released patched versions for both stable and beta channels:
v2: 2.6.1
v3: 3.0.0-beta.9
There is no workaround; it is strongly recommended to update as soon as possible.
If you have any questions or comments about this advisory:
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.