Typed-rest-client provides Node.js Rest and HTTP clients specifically designed for use with TypeScript, facilitating strongly-typed interactions with web services. Version 1.0.0 represents a significant milestone compared to the previous stable version, 0.15.1, primarily indicated by the major version bump. While the core dependencies on tunnel and underscore remain consistent, suggesting a continued reliance on these utilities for HTTP tunneling and general utility functions, the update likely introduces breaking changes, new features, or significant refactoring. Developers should carefully review the migration guide or release notes for version 1.0.0 to understand the specific changes and adapt their code accordingly.
The development dependencies, including mocha, shelljs, typescript, and associated type definitions, are identical, indicating a consistent testing and build environment across both versions. This suggests a continuous commitment to code quality and type safety.
Both versions are licensed under the MIT license, assuring developers of the freedom to use, modify, and distribute the library. The repository URL points to the official GitHub repository under the Microsoft organization, providing a central location for bug reports, feature requests, and contributions.
The key difference lies in the semantic versioning jump to 1.0.0, warranting a thorough evaluation of the changes before upgrading. Developers using version 0.15.1 should assess the impact of the upgrade on their applications, considering potential API changes and new functionalities introduced in version 1.0.0. The increased version suggests stability or a turning point in the project.
All vulnerabilities related to version 1.0.0 of the package
Potential leak of authentication data to 3rd parties
Users of typed-rest-client library version 1.7.3 or lower are vulnerable to leaking authentication data to 3rd parties.
The flow of the vulnerability is as follows: a request is sent with a BasicCredentialHandler, BearerCredentialHandler or PersonalAccessTokenCredentialHandler, which sets the Authorization header on that request. The expected behavior is that the next request will NOT set the Authorization header.
The problem was fixed on April 1st 2020.
There is no workaround.
This is similar to the following issues in nature:
Arbitrary Code Execution in underscore
The package underscore, from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.