Node-fetch versions 2.6.3 and 2.6.2 are both lightweight modules designed to bring the window.fetch API to Node.js, enabling developers to make HTTP requests in a familiar and consistent manner across both browser and server-side environments. Examining their metadata reveals subtle differences, primarily revolving around dependency management and potentially bug fixes or minor enhancements incorporated in the newer version.
The key distinction lies in the listed dependencies. Version 2.6.3 declares whatwg-url as a direct dependency with the constraint "^5.0.0". Version 2.6.2 also includes whatwg-url, but only as a devDependency. This suggests a shift: in version 2.6.3, whatwg-url became essential to the core functionality of the package, while in 2.6.2 it was likely only needed for development tasks such as testing or building. The change affects users differently: projects that already use whatwg-url as a top-level dependency see no change when installing 2.6.3, but projects that do not use it directly will now get the package installed in their node_modules folder as a transitive dependency of node-fetch.
They also differ in release date and unpacked size, and potentially in internal adjustments. Version 2.6.3 was released on September 20, 2021, a couple of weeks after version 2.6.2, which came out on September 6, 2021, and it has a larger unpacked size (149812 bytes vs 147576 bytes). Developers might therefore consider upgrading to 2.6.3 to benefit from any bug fixes, security patches, or performance improvements in that release. Upgrading is also advisable because the 2.x line has received little maintenance in recent years and lacks many features that current fetch implementations offer.
All vulnerabilities related to version 2.6.3 of the package
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.
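The redirect behaviour described above, as an added example (not node-fetch's own code): the origin check a fetch client should apply before forwarding credential-bearing headers to a redirect target. The URLs, header values and helper names are constructed for illustration.

```javascript
// Added example, not node-fetch's own code: a redirect-header filter that
// drops credential-bearing headers when a redirect crosses to another origin.
const SENSITIVE_HEADERS = new Set([
  "authorization",
  "www-authenticate",
  "cookie",
  "cookie2",
]);

// Two URLs share an origin only when scheme, hostname and port all match.
// WHATWG URL parsing normalises default ports, so "http://h:80/" and
// "http://h/" compare as the same origin.
function isSameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Returns the headers that are safe to send to the redirect target.
// Header names are compared case-insensitively, as HTTP requires.
function headersForRedirect(fromUrl, toUrl, headers) {
  if (isSameOrigin(fromUrl, toUrl)) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Constructed sample request: a bearer token and a session cookie sent to the
// trusted API host, which then redirects to an unrelated host.
const sampleHeaders = {
  Authorization: "Bearer example-token",
  Cookie: "session=abc123",
  Accept: "application/json",
};

const safeHeaders = headersForRedirect(
  "https://api.example.com/login",
  "https://other.example.net/",
  sampleHeaders
);
console.log(Object.keys(safeHeaders)); // only "Accept" survives the cross-origin redirect
```

The boundary is the full origin (scheme, host and port); filtering on hostname alone would still forward the token to a different port or a plain-HTTP listener on the same host.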