Node-fetch is a lightweight module bringing the window.fetch API to Node.js, enabling developers to make HTTP requests in a familiar and consistent manner across both browser and server-side environments. Version 2.6.0, released on May 16, 2019, refines the package from its previous stable version 2.5.0, released on May 1, 2019.
While the core functionality remains the same, several under-the-hood improvements have been implemented. Both versions share the same dependencies and devDependencies, ensuring a consistent development environment for contributors. Developers relying on these tools for testing, building, and code coverage can expect similar behavior between the versions.
A key difference lies in the dist object. The unpackedSize of version 2.6.0 is slightly larger (156222 bytes) compared to version 2.5.0 (154848 bytes), hinting at potential code modifications, bug fixes, or performance enhancements introduced in the newer release. This increment, though subtle, suggests a refined codebase. Both versions contain 8 files.
For developers, updating from 2.5.0 to 2.6.0 should be a seamless transition, assuming no direct reliance on internal implementation details. Given the semver versioning, this patch version likely addresses bug fixes and minor features. Users can benefit from any performance improvements or bug fixes embedded within 2.6.0. Reviewing the project's changelog on GitHub is recommended for the most comprehensive overview of the changes. This allows users to make informed decisions about updating based on their specific needs.
All the vulnerabilities related to version 2.6.0 of the package
The size option isn't honored after following a redirect in node-fetch
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
We released patched versions for both stable and beta channels:
v2: 2.6.1
v3: 3.0.0-beta.9
Workarounds: None, it is strongly recommended to update as soon as possible.
If you have any questions or comments about this advisory:
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to an untrusted site.