Node-fetch is a lightweight module that brings the familiar window.fetch API to Node.js, letting developers make HTTP requests in a straightforward and consistent manner. Comparing versions 2.2.0 and 2.2.1, both keep the same core functionality and the same clean, simple interface for fetching resources. The maintainers most likely focused on internal improvements and bug fixes aimed at stability, performance, or compatibility. While the exposed API remains the same, developers benefit from the updated version through increased reliability and potential enhancements to the underlying mechanisms.
Looking at the package metadata, both versions have the same dependencies and devDependencies. The most visible changes are the unpackedSize (137549 vs 142342 bytes) and the releaseDate. A small increase in unpacked size usually indicates minor additions or modifications to the codebase. Because 2.2.0 and 2.2.1 are adjacent versions, the changes are unlikely to be large in scale, most probably bug fixes and small adjustments.
Node-fetch is favored by developers for its promise-based approach, mirroring the browser's fetch API, which leads to cleaner and more readable asynchronous code. The module's small size and lack of dependencies make it an attractive option for projects that prioritize minimal bloat and broad compatibility. The library's active development and maintenance indicate a commitment to providing a reliable and up-to-date tool for making HTTP requests in Node.js environments.
All vulnerabilities affecting version 2.2.1 of the package
The size option isn't honored after following a redirect in node-fetch
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
We released patched versions for both stable and beta channels:
v2: 2.6.1
v3: 3.0.0-beta.9
No workaround is available; it is strongly recommended to update as soon as possible.
If you have any questions or comments about this advisory:
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.