Node-fetch is a lightweight module bringing the window.fetch API to Node.js, enabling developers to make HTTP requests in a familiar and consistent way across both browser and server environments. Version 2.4.0, released in April 2019, follows the earlier stable version 2.3.0, released in November 2018, introducing updates primarily reflected in the development dependencies.
Notable changes for developers upgrading include updates to testing and build tooling. abort-controller sees an upgrade from version 1.0.2 to 1.1.0, while abortcontroller-polyfill progresses from 1.1.9 to 1.3.0, suggesting potential improvements or bug fixes related to request cancellation. codecov, the code coverage tool, is updated from version 3.0.0 to 3.3.0, which may bring enhanced reporting capabilities. Furthermore, cross-env, crucial for setting environment variables across platforms, is updated from 5.1.3 to 5.2.0. form-data sees a bump from 2.3.1 to 2.3.3, and promise moves from 8.0.1 to 8.0.3, potentially improving functionality regarding the use of Promises. rollup-plugin-babel also sees an update from 3.0.3 to 3.0.7, and string-to-arraybuffer is updated from version 1.0.0 to 1.0.2. While these updates primarily concern the development environment, they signify ongoing maintenance, keeping the library compatible with current tooling and best practices. The core functionality of node-fetch remains consistent, providing a reliable fetch implementation for Node.js projects. The unpacked size of version 2.4.0 is slightly smaller, potentially indicating optimizations.
All vulnerabilities related to version 2.4.0 of the package
The size option isn't honored after following a redirect in node-fetch
Node Fetch did not honor the size option after following a redirect, which means that when the content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
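The advisory's advice is to check the size of the data yourself rather than trusting the size option. The following is an added example, not code from node-fetch or from the advisory: it enforces a byte limit while the body is being consumed, so an oversized body (for instance one served by a redirect target) is rejected before it is fully buffered. It assumes a policy limit of 1024 bytes and uses a constructed async generator in place of a real Response.body; any async-iterable stream, including node-fetch's, works the same way.

```javascript
// Added example, not code from node-fetch or its advisory: enforce a byte
// limit while consuming a response body, independently of the `size` option
// that node-fetch 2.4.0 stops honoring after a redirect.

// Assumed policy limit for this example.
const MAX_BYTES = 1024;

// Consume any async-iterable body (a node-fetch Response.body stream is one)
// and reject as soon as the running total exceeds `maxBytes`. Throwing inside
// for-await calls the iterator's return(), which for a Node Readable destroys
// the stream, so the remainder is never buffered or processed.
async function readWithLimit(body, maxBytes) {
  const chunks = [];
  let total = 0;
  for await (const chunk of body) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    total += buf.length;
    if (total > maxBytes) {
      throw new RangeError(`body exceeds ${maxBytes} bytes (${total} read)`);
    }
    chunks.push(buf);
  }
  return Buffer.concat(chunks);
}

// Constructed sample body: yields `totalBytes` of filler in fixed-size chunks,
// standing in for what a server or redirect target might return.
async function* sampleBody(totalBytes, chunkSize = 256) {
  for (let sent = 0; sent < totalBytes; sent += chunkSize) {
    yield Buffer.alloc(Math.min(chunkSize, totalBytes - sent), "a");
  }
}

// Exercises both paths: a body under the limit is returned whole, a body over
// the limit is rejected after the fifth 256-byte chunk, long before 4096 bytes.
async function demo() {
  const small = await readWithLimit(sampleBody(512), MAX_BYTES);
  let rejected = false;
  try {
    await readWithLimit(sampleBody(4096), MAX_BYTES);
  } catch (err) {
    rejected = err instanceof RangeError;
  }
  return { smallLength: small.length, largeRejected: rejected };
}

demo().then((result) => console.log(result));
```

Because the check runs per chunk, the cost of an oversized body is bounded by the limit plus one chunk, which is the property the size option was meant to give before the redirect bug.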
We released patched versions for both stable and beta channels:
v2: 2.6.1
v3: 3.0.0-beta.9
Workarounds: None; it is strongly recommended to update as soon as possible.
If you have any questions or comments about this advisory:
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.
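To make the issue concrete, here is an added example that is not node-fetch's code: a helper that decides which request headers may accompany a redirected request, dropping the four headers named above whenever the redirect leaves the original origin. The request URL, header values and redirect targets are constructed sample values. The helper compares full origins (scheme, host and port), which is stricter than a host-only rule: a redirect from https to http on the same host also loses the credentials.

```javascript
// Added example, not code from node-fetch or its advisory: decide which
// request headers may accompany a redirected request. Credential-bearing
// headers are dropped whenever the redirect target is a different origin.
const SENSITIVE_HEADERS = new Set([
  "authorization",
  "www-authenticate",
  "cookie",
  "cookie2",
]);

// `headers` is a plain object keyed by header name; names are compared
// case-insensitively. Origin comparison (scheme + host + port) is stricter
// than a host-only comparison.
function headersForRedirect(originalUrl, redirectUrl, headers) {
  const from = new URL(originalUrl);
  const to = new URL(redirectUrl);
  const sameOrigin = from.origin === to.origin;
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameOrigin && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    forwarded[name] = value;
  }
  return forwarded;
}

// Constructed request: URL, header values and redirect targets below are
// sample values, not taken from the advisory.
const request = {
  url: "https://api.example.com/report",
  headers: {
    Authorization: "Bearer sample-token",
    Cookie: "session=sample",
    Accept: "application/json",
  },
};

// Same-origin redirect: every header is forwarded.
function sameOriginExample() {
  return headersForRedirect(
    request.url,
    "https://api.example.com/v2/report",
    request.headers
  );
}

// Cross-origin redirect: only the non-sensitive Accept header survives.
function crossOriginExample() {
  return headersForRedirect(
    request.url,
    "https://cdn.example.net/report",
    request.headers
  );
}

console.log(sameOriginExample());
console.log(crossOriginExample());
```

Running it prints the full header set for the same-origin case and only the Accept header for the cross-origin case, which is the behaviour an application can enforce itself (for example with redirect: "manual") while it is still on an affected node-fetch version.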