Node-fetch versions 3.2.6 and 3.2.5 are minor releases of a lightweight module bringing the Fetch API to Node.js, offering a convenient way to make HTTP requests in a server-side environment. Both share the same core dependencies, including data-uri-to-buffer, fetch-blob, and formdata-polyfill, ensuring consistent handling of data URIs, blobs, and FormData objects. The developer tooling also remains consistent between versions, with familiar tools like chai for assertions, mocha for testing, c8 for coverage, and xo for linting.
The primary difference lies in the release date and unpacked size. Version 3.2.6 was released on June 9, 2022, while version 3.2.5 was released on June 1, 2022. The short gap between releases suggests that 3.2.6 contains bug fixes or minor improvements over 3.2.5. The "unpackedSize" differs slightly, with 3.2.6 being marginally larger (105987 bytes vs 105945 bytes); the small difference indicates that some code changed between the two releases, most likely minor internal adjustments.
For developers, this means upgrading from 3.2.5 to 3.2.6 is likely a low-risk step, especially if you are hitting an issue the later release addresses. Staying current with the latest patch versions is generally recommended, as it provides a stable, reliable fetch API implementation in Node.js. Both versions carry the same MIT license, granting developers broad permissions for usage in various projects. Both also carry the same funding link, which supports continued open-source development of node-fetch.
Vulnerabilities affecting version 3.2.6 of the package
node-fetch Inefficient Regular Expression Complexity
node-fetch is a light-weight module that brings window.fetch to node.js.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the isOriginPotentiallyTrustworthy() function in referrer.js when processing a URL string with alternating letters and periods, such as 'http://' + 'a.a.'.repeat(i) + 'a'.
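The advisory names the input shape but not the pattern. The block below is an added example, not node-fetch's own code: it places an illustrative nested-quantifier regex of the kind that backtracks catastrophically beside a linear-time string check for the same "localhost or *.localhost" rule, then classifies a URL built with the advisory's 'a.a.'.repeat(i) + 'a' shape using only the safe check. The regex shape, the function names and the sample hosts are assumptions constructed for this example.

```javascript
// Added example, not node-fetch's own code. The regex below is an assumed
// illustration of a nested-quantifier pattern, not quoted from the page.

// Illustrative backtracking pattern: "(.+\.)*" lets the engine partition the
// same run of characters many different ways before the anchored "localhost"
// fails, so a host like "a.a.a...a" costs exponential time. It is kept here
// only for side-by-side comparison on short hosts; never feed it long input.
const BACKTRACKING_LOCALHOST = /^(.+\.)*localhost$/;

// Linear-time equivalent for a parsed hostname: two plain string comparisons.
// (A hostname produced by the URL parser never starts with ".", so endsWith
// cannot be tricked into accepting a bare ".localhost".)
function isLocalhostHost(host) {
  return host === 'localhost' || host.endsWith('.localhost');
}

// Build the host shape the advisory describes: 'a.a.'.repeat(i) + 'a'.
function alternatingHost(i) {
  return 'a.a.'.repeat(i) + 'a';
}

// Parse a URL and classify its host with the safe check, reporting elapsed
// time so a caller can confirm the check stays fast on long inputs.
function classify(urlString) {
  const start = process.hrtime.bigint();
  const { hostname } = new URL(urlString);
  const localhost = isLocalhostHost(hostname);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { hostname, localhost, elapsedMs };
}

// Regression check on SHORT hosts only: the safe check must agree with the
// pattern it replaces for every host in the list.
function agreesOnShortHosts(hosts) {
  return hosts.every(h => h.length < 32 &&
    BACKTRACKING_LOCALHOST.test(h) === isLocalhostHost(h));
}

// Demo: constructed input of the advisory's shape, classified safely.
const sample = classify('http://' + alternatingHost(500) + '/path');
console.log(sample.hostname.length, sample.localhost, `${sample.elapsedMs.toFixed(3)} ms`);
console.log(agreesOnShortHosts(['localhost', 'foo.localhost', 'a.a.a', 'example.com', 'localhost.evil']));
```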