typed-rest-client is a Node.js package for making REST and HTTP requests, written with TypeScript consumers in mind. Versions 1.0.6 and 1.0.7 share the same foundation. Both declare the same runtime dependencies, 'tunnel' for proxy support and 'underscore' for utility functions, and the same development dependencies: 'mocha' for testing, 'semver' for version handling, 'shelljs' for shell commands, 'typescript' for compilation, plus the matching type definitions.
The only visible difference is the release date. Version 1.0.6 was published on January 30, 2018 and version 1.0.7 on January 31, 2018. The specific changes are not documented here; a one-day gap is consistent with a small fix, but nothing on this page says what changed.
From a security standpoint the two versions should be treated identically. The advisory listed below covers every release up to and including 1.7.3, so both 1.0.6 and 1.0.7 are affected, and choosing 1.0.7 for its later date buys nothing. Both also pull in 'underscore', so the template injection listed below applies to whichever underscore version that dependency range resolves to. Anyone still on a 1.0.x release should move to a version that includes the April 2020 fix rather than pick between these two. The presence of Mocha and TypeScript in the development dependencies says something about the project's tooling, but not about the security of these particular versions.
All the vulnerabilities related to version 1.0.7 of the package
Potential leak of authentication data to 3rd parties
Users of typed-rest-client version 1.7.3 or lower may leak authentication data to third parties.
The flow of the vulnerability is as follows: a request is sent with a BasicCredentialHandler, BearerCredentialHandler or PersonalAccessTokenCredentialHandler, each of which sets the Authorization header. If the target host answers with a redirect (3xx) whose Location points at a different host, the client follows the redirect and sends the same Authorization header to that second host, handing the credentials to a third party. The expected behavior is that the next request, the one to the redirect target, will NOT set the Authorization header when the redirect leaves the original host.
The problem was fixed on April 1st 2020.
There is no workaround.
This is similar to the following issues in nature:
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function: the value passed in the variable option is spliced into the generated function unsanitized, so a caller who controls that option can run code of their choosing.