Node-fetch, a lightweight module bringing the Fetch API to Node.js, released version 3.2.0 on January 20, 2022, four days after version 3.1.1 on January 16, 2022. Both versions share the MIT license, the author (David Frank), and the repository, and both provide the same core Fetch API, but a few differences are worth noting.
The main change between the two versions is in the dependencies. Version 3.2.0 updates the fetch-blob dependency from version 3.1.3 to version 3.1.4. The devDependencies change as well: version 3.1.1 uses busboy version 0.3.1 while version 3.2.0 uses version 1.4.0, and version 3.1.1 lists delay version 5.0.0, which is absent from version 3.2.0. These updates likely carry bug fixes, performance improvements, or new features in the fetch-blob and busboy packages. Developers who rely on specific behaviour of fetch-blob or busboy should review the changes between these minor versions to confirm compatibility and pick up any benefits.
The unpacked size of version 3.2.0 grew slightly to 103830 bytes, compared to 102809 bytes for version 3.1.1, which is consistent with the updated dependencies and minor code adjustments. Both versions keep a compact footprint.
All the vulnerabilities related to version 3.2.0 of the package:

node-fetch Inefficient Regular Expression Complexity

node-fetch is a light-weight module that brings window.fetch to node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the isOriginPotentiallyTrustworthy() function in referrer.js, when processing a URL string with alternating letters and periods, such as 'http://' + 'a.a.'.repeat(i) + 'a'.