typed-rest-client is a Node.js HTTP and REST client library with TypeScript typings, published by Microsoft. Version 1.4.0 builds on version 1.2.0 with a few changes developers should be aware of. Both versions declare the same runtime dependencies, 'tunnel' (proxy tunneling) and 'underscore' (utility functions), so a vulnerability in either of those packages affects both versions equally. The development dependencies are also largely the same: 'nock' for mocking HTTP in tests, 'mocha' as the test runner, 'semver' for version comparison, and 'shelljs' for shell commands in build scripts.
The most notable difference is the TypeScript version used to build the library: v1.4.0 is built with TypeScript 3.1.5, v1.2.0 with TypeScript 2.4.2. Because TypeScript is a development dependency, this mainly affects contributors building from source; consumers only see it through the emitted declaration files, which may use syntax that older compilers reject. Projects on recent TypeScript versions will find v1.4.0 the smoother fit.
A minor difference is the unpacked size of the published package: v1.4.0 is slightly larger (147470 bytes) than v1.2.0 (147357 bytes). The difference is negligible and does not suggest a significant change in functionality or added dependencies. The release dates show continued maintenance of the library by Microsoft. Which version to choose depends primarily on your project's TypeScript version and compatibility requirements; note that both predate the fix for the authentication-leak advisory listed below, so the practical answer is usually to upgrade past the affected range rather than to pick between them.
All vulnerabilities affecting version 1.4.0 of the package
Potential leak of authentication data to 3rd parties
Users of the typed-rest-client library at version 1.7.3 or lower are vulnerable to leaking authentication data to third parties.
The flow of the vulnerability is as follows: a request is sent with a BasicCredentialHandler, BearerCredentialHandler or PersonalAccessTokenCredentialHandler, which attaches the credentials in the Authorization header; the target host responds with a redirect to a different host, and the client follows it while still sending the same Authorization header, so the credentials reach the second host. The expected behavior is that the next request will NOT set the Authorization header when the target host changes.
The problem was fixed on April 1st 2020.
There is no workaround.
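The redirect handling described above, as an added example that is not typed-rest-client's own code: a redirect-following client that carries every header to the next hop (the behaviour the advisory describes) beside one that drops Authorization whenever the origin changes. The function names, the simulated redirect chain and the sample token are assumptions for illustration; no network I/O is performed.

```typescript
// Added example, not typed-rest-client's own code: how a redirect-following
// HTTP client should treat the Authorization header set by a credential
// handler when the redirect target is a different origin. Function names
// and the simulated redirect chain are assumptions for illustration.

type Headers = Record<string, string>;

// Two URLs share an origin when scheme, host and port all match.
// WHATWG URL drops the default port, so https://h:443 and https://h compare equal.
function sameOrigin(from: string, to: string): boolean {
  const a = new URL(from);
  const b = new URL(to);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Behaviour described in the advisory (typed-rest-client <= 1.7.3): every
// header, including Authorization, is carried over to the redirected request.
function redirectHeadersVulnerable(_from: string, _to: string, headers: Headers): Headers {
  const out: Headers = {};
  for (const name of Object.keys(headers)) out[name] = headers[name];
  return out;
}

// Hardened behaviour: drop Authorization (matched case-insensitively, since
// header names are case-insensitive) whenever the origin changes.
function redirectHeadersFixed(from: string, to: string, headers: Headers): Headers {
  const crossOrigin = !sameOrigin(from, to);
  const out: Headers = {};
  for (const name of Object.keys(headers)) {
    if (crossOrigin && name.toLowerCase() === "authorization") continue;
    out[name] = headers[name];
  }
  return out;
}

// Walk a chain of redirect targets offline (no sockets), returning the headers
// the final hop would receive under either policy.
function followRedirects(
  start: string,
  hops: string[],
  headers: Headers,
  stripOnCrossOrigin: boolean
): { finalUrl: string; headers: Headers } {
  let current = start;
  let h = headers;
  for (const next of hops) {
    h = stripOnCrossOrigin
      ? redirectHeadersFixed(current, next, h)
      : redirectHeadersVulnerable(current, next, h);
    current = next;
  }
  return { finalUrl: current, headers: h };
}

// Constructed scenario: a bearer token is sent to api.example.com, which answers
// with a redirect to a host the attacker controls.
const CONSTRUCTED_HEADERS: Headers = {
  Authorization: "Bearer constructed-token",
  Accept: "application/json",
};
const ORIGIN_URL = "https://api.example.com/resource";
const REDIRECT_HOPS = ["https://attacker.example.net/capture"];

function demo(): { leaked: boolean; stripped: boolean } {
  const vulnerable = followRedirects(ORIGIN_URL, REDIRECT_HOPS, CONSTRUCTED_HEADERS, false);
  const fixed = followRedirects(ORIGIN_URL, REDIRECT_HOPS, CONSTRUCTED_HEADERS, true);
  return {
    leaked: "Authorization" in vulnerable.headers, // true: token reaches attacker.example.net
    stripped: !("Authorization" in fixed.headers), // true: token withheld from the new host
  };
}
```

The comparison is on origin (scheme, host, port) rather than hostname alone, so a redirect from https to http on the same host also drops the credentials; that is stricter than the advisory requires, but it is the policy a practitioner should want, since a downgrade to plaintext leaks the token on the wire just as surely as a foreign host does.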
This is similar to the following issues in nature:
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized. Since typed-rest-client 1.4.0 declares underscore as a runtime dependency, check which underscore version actually resolves in your lockfile (for example with npm ls underscore) rather than relying on the declared range.
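The unsanitized variable setting described above, as an added example that is not underscore's own code: a stripped-down template compiler that reproduces the pattern behind the advisory, with the bare-identifier check that closes it. The function names, the miniature template syntax and the constructed payload are assumptions for illustration; the payload only sets a marker on globalThis so the effect can be observed offline.

```typescript
// Added example, not underscore's own code: a stripped-down template compiler
// that reproduces the pattern behind the advisory. The `variable` setting names
// the object that template expressions read from; when it is spliced into
// `new Function` unchecked, a caller who controls it can run arbitrary code.
// Names (compileTemplate, BARE_IDENTIFIER) are assumptions for illustration.

type TemplateSettings = { variable?: string; validate?: boolean };

// A JavaScript identifier with no punctuation: the only thing the parameter
// list of new Function should ever receive from a caller.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function compileTemplate(text: string, settings: TemplateSettings = {}): (data?: unknown) => string {
  const variable = settings.variable || "obj";
  // Hardened path: refuse anything that is not a plain identifier.
  if (settings.validate && !BARE_IDENTIFIER.test(variable)) {
    throw new Error("variable is not a bare identifier: " + variable);
  }
  // Tiny template language: <%= expr %> interpolates a JavaScript expression
  // evaluated with `variable` in scope.
  const interpolate = /<%=([\s\S]+?)%>/g;
  let source = "var __p = '';\n";
  let index = 0;
  let match: RegExpExecArray | null;
  while ((match = interpolate.exec(text)) !== null) {
    source += "__p += " + JSON.stringify(text.slice(index, match.index)) + ";\n";
    source += "__p += String(" + match[1] + ");\n";
    index = match.index + match[0].length;
  }
  source += "__p += " + JSON.stringify(text.slice(index)) + ";\nreturn __p;";
  // Sink: `variable` becomes the function's parameter list verbatim. A value
  // such as "obj = (evil(), {})" is a legal default parameter, and its
  // initializer runs whenever the template is rendered without an argument.
  return new Function(variable, source) as (data?: unknown) => string;
}

// Constructed payload: the default-parameter initializer leaves a marker on
// globalThis. An attacker would use the same slot to reach the process object.
const CONSTRUCTED_PAYLOAD = "obj = (globalThis.__template_rce = 'code ran', {})";

// Render a harmless template with the attacker-controlled variable setting,
// with or without the identifier check. Returns the rendered string.
function renderInjected(validate: boolean): string {
  return compileTemplate("<%= obj.name %>", { variable: CONSTRUCTED_PAYLOAD, validate })();
}
```

The identifier regex is the whole fix: the template text itself is trusted by design (it is code), but the variable name is a configuration value that applications often take from less trusted places, and new Function treats any string it is handed as source.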