Node-fetch is a lightweight JavaScript module that brings the familiar window.fetch API from browsers to Node.js environments, simplifying the process of making HTTP requests. Comparing versions 2.5.0 and 2.4.1, developers will find subtle but potentially important distinctions. While both versions share the same core functionality and description, the key differences lie in their development dependencies and release metadata.
Version 2.5.0 introduces @ungap/url-search-params as a new development dependency, replacing url-search-params, which was present in version 2.4.1. This change likely reflects an update or optimization in how URL search parameters are handled during the development and testing phases of the module. Furthermore, the dist object reveals that version 2.5.0 has a slightly larger unpacked size (154848 bytes) than version 2.4.1 (152130 bytes). This increase may be attributed to the updated dependency or to internal code adjustments. Finally, version 2.5.0 was released on May 1st, 2019, a few days after version 2.4.1, which was released on April 27th, 2019.
For developers using Node-fetch, these changes might not necessitate immediate action unless they are directly involved in contributing to or extending the library itself. However, staying informed about such updates ensures compatibility and access to the most refined features and potential bug fixes. Always consult the official release notes and documentation for comprehensive details on each version's changes and potential impact on your projects.
All the vulnerabilities related to version 2.5.0 of the package:
The size option isn't honored after following a redirect in node-fetch

Node-fetch did not honor the size option after following a redirect, which means that when the content size was over the limit, a FetchError would never get thrown and the process would end without failure.

For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

We released patched versions for both stable and beta channels:
v2: 2.6.1
v3: 3.0.0-beta.9

There is no workaround; it is strongly recommended to update as soon as possible.
If you have any questions or comments about this advisory:
node-fetch forwards secure headers to untrusted sites

node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.