typed-rest-client is a Node.js library that simplifies making REST and HTTP requests, aimed in particular at TypeScript projects that want strongly-typed interactions with web services. Comparing versions 1.2.0 and 1.1.2, the core functionality is the same: both provide HTTP and REST clients with TypeScript definitions. Both versions declare identical dependencies on "tunnel" and "underscore", and the same development dependencies: "nock" for mocking HTTP in tests, "mocha" for running tests, "semver" for version handling, "shelljs" for build scripts, and "typescript" for compilation and type checking. Nothing in the dependency graph changes between the two releases.
The recorded differences are the releaseDate and the unpackedSize. Version 1.2.0 was released on March 19, 2019, and version 1.1.2 on February 5, 2019. The unpackedSize grew from 144564 to 147357 bytes, so some code or documentation was added, but the package metadata alone does not say what; treat guesses about bug fixes or error-handling improvements as exactly that. Identical dependencies make the upgrade low-risk, although unchanged dependencies do not by themselves guarantee backwards compatibility, so run the existing test suite after bumping. If you are on 1.1.2, moving to 1.2.0 picks up whatever changed in that release, but note that 1.2.0 still falls inside the version ranges affected by the advisories listed below, so this upgrade does not address them.
All vulnerabilities affecting version 1.2.0 of the package
Potential leak of authentication data to 3rd parties
Users of the typed-rest-client library at version 1.7.3 or lower are vulnerable to leaking authentication data to 3rd parties.
The flow of the vulnerability is as follows:
1. A request is sent with a BasicCredentialHandler, BearerCredentialHandler or PersonalAccessTokenCredentialHandler, which adds an Authorization header carrying the credentials.
2. The target host answers with a redirect (3xx) whose Location points at a second host under a different hostname.
3. The client follows the redirect, and the next request, now sent to that second host, still carries the Authorization header, so the credentials reach a party that was never meant to receive them.
The expected behavior is that the next request will NOT set the Authorization header when the redirect leaves the original host.
The problem was fixed on April 1st 2020; releases newer than 1.7.3 carry the fix.
There is no workaround in affected versions: the redirect is followed inside the library, so the caller cannot strip the header before it is sent. Until upgraded, the only mitigation is to avoid sending credentialed requests to endpoints that might redirect off-host, and to treat any token that was sent through such a redirect as exposed.
This is similar to the following issues in nature:
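The cross-host redirect case described above, as an added example written for this page (it is not typed-rest-client's own code): a minimal redirect-following loop with a stub transport standing in for the network. It contrasts the vulnerable behaviour (request headers forwarded unchanged to the redirect target) with the behaviour the advisory expects, dropping the Authorization header whenever the redirect target's hostname differs from the one the credentials were meant for. The type names, the MAX_REDIRECTS limit, the example hostnames and the token value are assumptions made for the demonstration.

```typescript
// Added example, not code from typed-rest-client. Names and hosts are hypothetical.

type HeaderMap = Record<string, string>;

interface SimpleResponse {
  status: number;
  headers: HeaderMap; // assumed lower-cased, as Node's http module delivers them
  body: string;
}

// A transport maps (url, request headers) to a response. The real client talks to
// the network; a constructed stub stands in here so the example runs offline.
type Transport = (url: string, headers: HeaderMap) => SimpleResponse;

const MAX_REDIRECTS = 5; // assumed limit; only bounds the loop below

// Drop the Authorization header (header names are case-insensitive) when the
// redirect target is on a different hostname; otherwise keep the headers as-is.
export function stripAuthOnCrossHostRedirect(from: string, to: string, headers: HeaderMap): HeaderMap {
  const fromHost = new URL(from).hostname;
  const toHost = new URL(to).hostname;
  if (fromHost === toHost) return { ...headers };
  const out: HeaderMap = {};
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() !== "authorization") out[name] = headers[name];
  }
  return out;
}

// Follow 3xx responses. `strip` switches between the vulnerable behaviour
// (headers forwarded untouched) and the fixed behaviour (Authorization removed
// on a cross-host hop) so the two can be compared on the same scenario.
export function requestFollowingRedirects(
  transport: Transport,
  url: string,
  headers: HeaderMap,
  strip: boolean,
): { finalUrl: string; response: SimpleResponse } {
  let current = url;
  let currentHeaders: HeaderMap = { ...headers };
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const response = transport(current, currentHeaders);
    const location = response.headers["location"];
    if (response.status < 300 || response.status >= 400 || !location) {
      return { finalUrl: current, response };
    }
    const next = new URL(location, current).toString(); // resolve relative Location values
    currentHeaders = strip ? stripAuthOnCrossHostRedirect(current, next, currentHeaders) : currentHeaders;
    current = next;
  }
  throw new Error("too many redirects");
}

// Constructed scenario: api.example.com answers with a 302 to evil.example.net,
// which records whether an Authorization header reached it.
export function runScenario(strip: boolean): { thirdPartySawAuth: boolean; finalUrl: string } {
  let thirdPartySawAuth = false;
  const transport: Transport = (url, headers) => {
    const host = new URL(url).hostname;
    if (host === "api.example.com") {
      return { status: 302, headers: { location: "https://evil.example.net/collect" }, body: "" };
    }
    thirdPartySawAuth = Object.keys(headers).some((h) => h.toLowerCase() === "authorization");
    return { status: 200, headers: {}, body: "ok" };
  };
  const result = requestFollowingRedirects(
    transport,
    "https://api.example.com/resource",
    { Authorization: "Bearer <token>", Accept: "application/json" },
    strip,
  );
  return { thirdPartySawAuth, finalUrl: result.finalUrl };
}
```

The comparison is on hostname only, which is the boundary the advisory draws (a third party is a different host); a stricter client could also refuse HTTPS-to-HTTP downgrades on redirect, which this example does not cover.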
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function: the variable setting supplied in the settings argument is spliced unsanitized into the parameter list of the function that _.template generates, so a crafted value is executed as JavaScript when the compiled template is rendered. typed-rest-client 1.2.0 lists underscore as a dependency, so whether an installation is exposed depends on which underscore release resolves at install time and on whether untrusted input can ever reach template settings.
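To make the mechanism concrete, here is an added example that is not underscore's code: a toy template compiler that reproduces the unsafe pattern of passing settings.variable straight into new Function as the parameter name, so an attacker-controlled value becomes a default-parameter expression that runs when the template is rendered, placed next to a compile step that only accepts a bare identifier. The function names, the marker object and the payload string are constructed for this demonstration; the bare-identifier regex is modelled on the check the fixed underscore releases apply, not copied from them.

```typescript
// Added example, not underscore's code. Names, marker and payload are constructed.

export interface TemplateSettings {
  variable?: string; // name the data object is bound to inside the template body
}

// Turn "<%= expr %>" interpolations into a JavaScript function body. The data
// object is referenced by name (e.g. "<%= obj.name %>"); `with` is deliberately
// not used so the body stays valid inside strict-mode modules.
export function templateSource(text: string): string {
  const interpolate = /<%=([\s\S]+?)%>/g;
  let source = "var __t, __p = '';\n";
  let index = 0;
  let m: RegExpExecArray | null;
  while ((m = interpolate.exec(text)) !== null) {
    source += "__p += " + JSON.stringify(text.slice(index, m.index)) + ";\n";
    source += "__p += ((__t = (" + m[1] + ")) == null ? '' : __t);\n";
    index = m.index + m[0].length;
  }
  source += "__p += " + JSON.stringify(text.slice(index)) + ";\nreturn __p;\n";
  return source;
}

type Render = (data?: unknown) => string;

// Vulnerable: whatever `variable` contains becomes the generated function's
// parameter list, so "obj = <expression>" is accepted as a default parameter and
// the expression runs on every call that omits the data argument.
export function vulnerableTemplate(text: string, settings: TemplateSettings = {}): Render {
  const argument = settings.variable || "obj";
  return new Function(argument, templateSource(text)) as unknown as Render;
}

// Hardened: only a bare identifier may name the data object. Regex modelled on
// the check added in the fixed underscore releases (assumption, not a copy).
const bareIdentifier = /^\s*(\w|\$)+\s*$/;

export function hardenedTemplate(text: string, settings: TemplateSettings = {}): Render {
  const argument = settings.variable || "obj";
  if (!bareIdentifier.test(argument)) {
    throw new Error("variable is not a bare identifier: " + argument);
  }
  return new Function(argument, templateSource(text)) as unknown as Render;
}

// Constructed attacker-controlled `variable`: a default-parameter expression that
// performs a side effect (flips a marker) and then supplies the data object.
export const marker = { hit: false };
(globalThis as any).__templateDemoMarker = marker;
export const PAYLOAD = "obj = (globalThis.__templateDemoMarker.hit = true, { name: 'pwned' })";

export function renderVulnerable(): string {
  // No data argument is passed, so the default-parameter expression is evaluated.
  return vulnerableTemplate("Hi <%= obj.name %>", { variable: PAYLOAD })();
}

export function renderHardened(): string {
  // Same payload; the compile step rejects it before any function is generated.
  return hardenedTemplate("Hi <%= obj.name %>", { variable: PAYLOAD })();
}

export function renderSafe(): string {
  // Legitimate use: a bare identifier and an explicit data object.
  return hardenedTemplate("Hi <%= obj.name %>", { variable: "obj" })({ name: "Ann" });
}
```

The point of the marker is that the injected expression runs before any template text is evaluated: the attacker does not need to control the template itself, only the settings object, which is why untrusted input must never reach template settings even when the template string is fixed.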