Node-fetch is a lightweight npm package that brings the window.fetch API familiar to browser-side JavaScript to Node.js environments. Comparing versions 2.3.0 and 2.2.1 reveals subtle but potentially impactful changes for developers. Both versions share the same core description and maintain a consistent set of development dependencies used for testing and building, including tools like Babel, Chai, and Rollup. The library has no production dependencies. Both versions are MIT licensed and authored by David Frank.
The key differences lie in the added development dependencies and the underlying distribution details. Version 2.3.0 introduces "abort-controller" and "abortcontroller-polyfill" as new development dependencies. These suggest an enhanced focus on supporting request cancellation, aligning with modern web API standards. For developers, this means potential improvements in managing and terminating fetch requests, which is crucial for handling long-running operations or user-initiated cancellations, leading to more efficient resource management.
Furthermore, examining the "dist" object highlights a slight increase in the unpacked size from 142,342 bytes in 2.2.1 to 152,599 bytes in 2.3.0. The file count remains the same at 8. This size difference, combined with the new dependencies, likely indicates the inclusion of code related to the AbortController API. Finally, v2.3.0 was released on November 13th 2018, about a week after v2.2.1 was released on November 5th 2018. Developers should consider upgrading to version 2.3.0 to leverage the updated features and the potential performance benefits stemming from improved request cancellation capabilities.
All vulnerabilities affecting version 2.3.0 of the package
The size option isn't honored after following a redirect in node-fetch
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
We released patched versions for both stable and beta channels: v2: 2.6.1, v3: 3.0.0-beta.9. There is no workaround; it is strongly recommended to update as soon as possible.
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to an untrusted site.
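The two advisories above describe a size limit that was not enforced after a redirect and credential-bearing headers that were forwarded across redirects. The following is an added example, not node-fetch's own code, showing the two defensive checks an application (or a patched client) would apply: drop sensitive headers unless the redirect target is the original host or a subdomain of it, and enforce the byte limit on the final body no matter how many redirects preceded it. The function and class names are assumptions for illustration.

```javascript
// Added example, not node-fetch's own code. Names are hypothetical.
// Headers that carry credentials and must not leak to another origin on redirect
// (the four headers named in the advisory).
const SENSITIVE_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// True when the redirect target is the original host or one of its subdomains.
function isSameOrSubdomain(originalUrl, candidateUrl) {
  const orig = new URL(originalUrl).hostname;
  const cand = new URL(candidateUrl).hostname;
  return cand === orig || cand.endsWith('.' + orig);
}

// Build the header set to send to a redirect target: keep everything except the
// credential-bearing headers, which are dropped when the target is a different site.
function headersForRedirect(headers, originalUrl, redirectUrl) {
  const trusted = isSameOrSubdomain(originalUrl, redirectUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!trusted && SENSITIVE_HEADERS.includes(lower)) continue;
    out[lower] = value;
  }
  return out;
}

// Minimal stand-in for node-fetch's FetchError (type 'max-size' on overflow).
class FetchError extends Error {
  constructor(message, type) {
    super(message);
    this.name = 'FetchError';
    this.type = type;
  }
}

// Accumulate body chunks and fail as soon as the running total passes `size`.
// A size of 0 means unlimited, matching node-fetch's `size` option. Applying this
// to the final response, after all redirects, is the check the advisory says was missing.
function collectWithinSize(chunks, size) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    const buf = Buffer.from(chunk);
    total += buf.length;
    if (size > 0 && total > size) {
      throw new FetchError(`content size over limit: ${size}`, 'max-size');
    }
    parts.push(buf);
  }
  return Buffer.concat(parts);
}
```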