Typed-rest-client version 0.13.0 delivers incremental improvements over version 0.12.0 for developers building RESTful API integrations in Node.js and TypeScript. Both versions provide Node REST and HTTP clients designed for TypeScript, easing the process of making typed network requests. They share the same runtime dependencies, tunnel (proxy support) and underscore (utility functions), so the underlying behaviour for proxying and utilities is consistent across the two.
The differences lie in the development dependencies and the maturity of the project. Version 0.13.0 adopts newer tooling: Mocha and its type definitions are added as development dependencies, TypeScript and ShellJS are bumped to newer versions, and type definitions for node are added as a development dependency. Because these are development dependencies, they change what contributors need in order to build and test the project, not what consumers install. The updates indicate ongoing maintenance, improved testing rigor and better type coverage in the project's own code; developers upgrading to 0.13.0 can expect smoother integration with contemporary Node.js projects and fewer compatibility surprises when contributing to the project itself.
All vulnerabilities affecting version 0.13.0 of the package
Potential leak of authentication data to 3rd parties
Users of the typed-rest-client library at version 1.7.3 or lower are vulnerable to leaking authentication data to 3rd parties. Version 0.13.0 falls inside that range.
The flow of the vulnerability is as follows: a request is made with a BasicCredentialHandler, BearerCredentialHandler or PersonalAccessTokenCredentialHandler, which attaches an Authorization header; the server answers with a redirect to a different host, and the client follows it while re-sending the same Authorization header to that host. The expected behavior is that the next request will NOT set the Authorization header.
The problem was fixed on April 1st 2020.
There is no workaround.
This is similar to the following issues in nature:
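The cross-host redirect flow described above, as an added example that is not typed-rest-client's own code: a minimal redirect-following loop over a constructed table of canned responses (no network), run once with the vulnerable behaviour (headers re-sent unchanged) and once with the hostname check that drops the Authorization header when the redirect leaves the original host. The URLs, the `collector.example.net` third party and the helper names are assumptions made for the example.

```javascript
// Added example, not typed-rest-client's own code: shows how a credential
// handler's Authorization header leaks to a 3rd-party host on a cross-host
// redirect, and the hostname check that stops it. The "server" is a
// constructed table of canned responses, so nothing touches the network.

const cannedResponses = {
  // First-party endpoint that redirects the caller to a different host.
  'https://api.example.com/resource': { status: 302, headers: { location: 'https://collector.example.net/capture' } },
  'https://collector.example.net/capture': { status: 200, headers: {} },
  // Same-host redirect with a relative Location; the header should still be sent.
  'https://api.example.com/old': { status: 301, headers: { location: '/new' } },
  'https://api.example.com/new': { status: 200, headers: {} },
};

// Record every outgoing request so a check can see which host got which headers.
function fakeSend(url, headers, log) {
  log.push({ url, headers: { ...headers } });
  const res = cannedResponses[url];
  if (!res) throw new Error('no canned response for ' + url);
  return res;
}

// Header names are case-insensitive, so match on the lower-cased name.
function stripAuthorization(headers) {
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'authorization') delete headers[name];
  }
}

// Follow up to maxRedirects redirects. stripAuthOnHostChange=false mimics the
// vulnerable behaviour; true mimics the fix: drop Authorization whenever the
// redirect target's hostname differs from the host we just talked to.
function followRedirects(url, headers, { stripAuthOnHostChange }, maxRedirects = 5) {
  const log = [];
  let current = url;
  const outgoing = { ...headers };
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fakeSend(current, outgoing, log);
    const location = res.headers.location;
    if (res.status < 300 || res.status >= 400 || !location) {
      return { status: res.status, log };
    }
    // Location may be relative; resolve it against the URL just requested.
    const next = new URL(location, current);
    if (stripAuthOnHostChange && next.hostname !== new URL(current).hostname) {
      stripAuthorization(outgoing);
    }
    current = next.toString();
  }
  throw new Error('too many redirects');
}

// Did any request to `hostname` carry an Authorization header?
function authorizationSentTo(log, hostname) {
  return log.some(({ url, headers }) =>
    new URL(url).hostname === hostname &&
    Object.keys(headers).some((h) => h.toLowerCase() === 'authorization'));
}

// Stand-alone demo: the same bearer token, before and after the fix.
const token = { Authorization: 'Bearer t0k3n' }; // constructed, not a real token
const leaky = followRedirects('https://api.example.com/resource', token, { stripAuthOnHostChange: false });
const fixed = followRedirects('https://api.example.com/resource', token, { stripAuthOnHostChange: true });
console.log('vulnerable: token reached collector.example.net =', authorizationSentTo(leaky.log, 'collector.example.net'));
console.log('fixed:      token reached collector.example.net =', authorizationSentTo(fixed.log, 'collector.example.net'));
```

The check compares hostnames only; a stricter client would also refuse an https-to-http downgrade on redirect, which is a separate concern from the header leak described here.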
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function: the variable setting passed to it is inserted into the generated function's source without sanitization, so any caller that lets untrusted input reach that setting lets an attacker run arbitrary JavaScript. typed-rest-client 0.13.0 pulls underscore in as a runtime dependency, so check which underscore version your lockfile actually resolves.
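The injection mechanism described above, as an added example that is not underscore's own code: a toy template compiler built the same way _.template builds its render function, with the `variable` setting becoming the parameter name passed to `new Function`. It shows a constructed payload executing through that parameter even for an empty template, beside a hardened compiler that refuses anything other than a bare identifier (the approach underscore's fix takes; the regex here is the example's own and is slightly stricter). The template syntax, the `globalThis.templateInjectionRan` marker and the function names are assumptions made for the example.

```javascript
// Added example, not underscore's own code: a toy template compiler whose
// `variable` setting is spliced into a new Function parameter list, exactly
// the shape that makes an unsanitized `variable` arbitrary code execution,
// next to the bare-identifier check that closes the hole.
// Template syntax (assumed for the example): <%= expr %> interpolates expr.

const INTERPOLATE = /<%=([\s\S]+?)%>/g;

// Build the render function body: literal text is emitted via JSON.stringify,
// interpolations are emitted as raw JS expressions (as template engines do).
function buildSource(text) {
  let source = "let out = '';\n";
  let index = 0;
  let match;
  while ((match = INTERPOLATE.exec(text)) !== null) {
    source += 'out += ' + JSON.stringify(text.slice(index, match.index)) + ';\n';
    source += 'out += (' + match[1] + ');\n';
    index = match.index + match[0].length;
  }
  source += 'out += ' + JSON.stringify(text.slice(index)) + ';\nreturn out;';
  return source;
}

// Vulnerable: settings.variable becomes the parameter list verbatim, so a value
// like "data = (<anything>)" makes <anything> a default-parameter expression
// that runs on every call of the compiled template, even an empty one.
function compileTemplateVulnerable(text, settings = {}) {
  const variable = settings.variable || 'obj';
  return new Function(variable, buildSource(text));
}

// Hardened: reject anything that is not a single plain identifier before it
// can reach new Function. Stricter than a \w-only check (no leading digit).
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function compileTemplate(text, settings = {}) {
  const variable = settings.variable || 'obj';
  if (!BARE_IDENTIFIER.test(variable)) {
    throw new Error('variable is not a bare identifier: ' + variable);
  }
  return new Function(variable, buildSource(text));
}

// Constructed payload: a "variable name" carrying a default-parameter
// expression. It sets a marker on globalThis so execution is observable.
const PAYLOAD = 'data = (globalThis.templateInjectionRan = true, {})';

// Runs legitimate use, the attack against the vulnerable compiler, and the
// same attack against the hardened one; returns what happened.
function demonstrate() {
  delete globalThis.templateInjectionRan;
  const greet = compileTemplate('Hello <%= data.name %>!', { variable: 'data' });
  const greeting = greet({ name: 'Ada' });

  compileTemplateVulnerable('', { variable: PAYLOAD })();
  const ranVulnerable = globalThis.templateInjectionRan === true;
  delete globalThis.templateInjectionRan;

  let rejected = false;
  try {
    compileTemplate('', { variable: PAYLOAD });
  } catch (err) {
    rejected = true;
  }
  const ranHardened = globalThis.templateInjectionRan === true;
  return { greeting, ranVulnerable, rejected, ranHardened };
}

console.log(demonstrate());
```

The lesson generalizes past underscore: any value that is concatenated into source handed to `new Function`, `eval` or a `vm` script is a code-injection sink, and the only safe treatment for an identifier-shaped setting is an allow-list check on its shape before it is ever embedded.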