typed-rest-client is a Node.js library designed to simplify making REST and HTTP requests, particularly within TypeScript environments. Version 1.7.3 introduces a few subtle, yet potentially impactful, updates compared to the prior stable version, 1.7.2. The core dependencies qs, tunnel and underscore remain at the same versions, indicating no significant changes to request parameter serialization, tunneling or utility functions, while the unpacked size reported in the dist object has slightly increased from 153889 to 154122 bytes. This points to minor code additions, likely bug fixes or documentation updates.
Developers should note that the development dependencies, which matter for contributing to or modifying the library, also remain unchanged (nock, mocha, semver, shelljs, typescript and their associated type packages). The lack of updates in these areas suggests a focus on stability and backward compatibility. Given the unchanged dependency versions and the relatively small increase in size, upgrading from 1.7.2 to 1.7.3 should be a smooth process. The primary advantage of upgrading is the minor bug fixes and improvements, giving a more stable and reliable experience. The project is licensed under the MIT license, which gives developers considerable flexibility in how they use the library. The library is authored and maintained by Microsoft.
All the vulnerabilities related to the version 1.7.3 of the package
Potential leak of authentication data to 3rd parties
Users of typed-rest-client library version 1.7.3 or lower are vulnerable to leaking authentication data to 3rd parties.
The flow of the vulnerability is as follows: a request is sent using a BasicCredentialHandler, BearerCredentialHandler or PersonalAccessTokenCredentialHandler, which sets the Authorization header on it. The expected behavior is that the next request will NOT set the Authorization header; instead, the next request still carries it.
The problem was fixed on April 1st 2020.
There is no workaround.
This is similar to the following issues in nature:
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.