Typed-rest-client version 1.7.2 is a minor update to the TypeScript-based HTTP and REST client library, building on version 1.7.1. Developers using this library in their Node.js applications will find the core functionality unchanged, so existing projects should upgrade without changes. The notable difference lies in the dependencies: version 1.7.2 updates the tunnel dependency from version 0.0.4 to 0.0.6. This likely addresses bug fixes or minor improvements in the tunneling code, which matters to users who rely on the library's ability to communicate through proxies or other network tunnels.
The development dependencies are unchanged, suggesting no major changes to the testing or build processes, but the dist object shows some changes. The fileCount increases from 27 to 28 while the unpackedSize decreases from 186018 to 153889 bytes. This suggests internal refactoring that may reduce bundle size or streamline the library's internal structure without affecting the public API. The release date provides another indicator: version 1.7.2 was published on February 27, 2020, a couple of months after version 1.7.1, which was released on December 19, 2019. Users should review the changelog for a comprehensive overview of the specific bug fixes and enhancements introduced in this version. For developers, the stability and continued maintenance of typed-rest-client, backed by Microsoft Corporation, is a key benefit.
All vulnerabilities related to version 1.7.2 of the package
Potential leak of authentication data to 3rd parties
Users of typed-rest-client library version 1.7.3 or lower may leak authentication data to 3rd parties.
The flow of the vulnerability is as follows: a request is made using BasicCredentialHandler, BearerCredentialHandler or PersonalAccessTokenCredentialHandler, which sets the Authorization header. The expected behavior is that the next request will NOT set the Authorization header.
The problem was fixed on April 1st 2020.
There is no workaround.
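The behavior the advisory calls expected, a credential that is sent once and not carried onto the next request when that request leaves the original origin, as an added TypeScript example that is not typed-rest-client's own code. It assumes the "next request" is a redirect hop and uses a constructed stub transport with fictional hostnames (api.example, cdn.example).

```typescript
// Added example (not part of typed-rest-client): a redirect-following GET that
// re-sends Authorization only to the origin the credential was issued for.
type HeaderMap = Record<string, string>;
interface HttpResponse { status: number; headers: HeaderMap; body: string }
type Transport = (url: string, headers: HeaderMap) => HttpResponse;

// Same scheme and host:port means the credential may be reused on the next hop.
export function sameOrigin(a: string, b: string): boolean {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Follows up to maxRedirects hops; strips Authorization on any cross-origin hop.
export function getWithAuth(url: string, token: string, send: Transport, maxRedirects = 5): HttpResponse {
  let current = url;
  let headers: HeaderMap = { authorization: `Bearer ${token}` };
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = send(current, headers);
    const location = res.headers["location"];
    if (res.status < 300 || res.status > 399 || !location) return res;
    const next = new URL(location, current).toString(); // resolves a relative Location
    if (!sameOrigin(current, next)) {
      const stripped: HeaderMap = {};
      for (const k of Object.keys(headers)) if (k.toLowerCase() !== "authorization") stripped[k] = headers[k];
      headers = stripped;
    }
    current = next;
  }
  throw new Error("too many redirects");
}

// Constructed scenario (fictional hosts): api.example answers /file with a 302 to
// cdn.example, a third party, and /old with a 301 to a path on the same host.
export function demo(): { apiSawAuth: boolean; cdnSawAuth: boolean; sameHostHopSawAuth: boolean } {
  const seen: Record<string, HeaderMap> = {};
  const transport: Transport = (u, h) => {
    seen[u] = { ...h }; // record the headers each URL actually received
    if (u === "https://api.example/file") return { status: 302, headers: { location: "https://cdn.example/blob" }, body: "" };
    if (u === "https://api.example/old") return { status: 301, headers: { location: "/new" }, body: "" };
    return { status: 200, headers: {}, body: "ok" };
  };
  getWithAuth("https://api.example/file", "secret-token", transport);
  getWithAuth("https://api.example/old", "secret-token", transport);
  return {
    apiSawAuth: "authorization" in seen["https://api.example/file"],
    cdnSawAuth: "authorization" in seen["https://cdn.example/blob"],
    sameHostHopSawAuth: "authorization" in seen["https://api.example/new"],
  };
}
```

The same origin check is also the condition a detection rule can alert on: an outbound request carrying Authorization to a host other than the one the credential was configured for.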
This is similar in nature to the following issues:
Arbitrary Code Execution in underscore
The package underscore, in versions from 1.13.0-0 before 1.13.0-2 and from 1.3.2 before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.