node-fetch-native
A redistribution of node-fetch v3 (+ more!) for better backward and forward compatibility.
Why this package?
We can no longer require('node-fetch') with the latest version. This stopped popular libraries from upgrading and caused dependency conflicts between node-fetch@2 and node-fetch@3.
Native fetch is being supported. We are prepared for native fetch support using this package yet keep supporting older Node versions.
Features:
✅ Prefer native globals when available (see Node.js experimental fetch).
✅ Compact build and less install size with zero dependencies vs
✅ Support both CommonJS (require) and ESM (import) usage
✅ Use native version if imported without node condition using conditional exports with zero bundle overhead
✅ Polyfill support for Node.js
✅ Compact and simple proxy supporting both Node.js versions without native fetch using HTTP Agent and versions with native fetch using Undici Proxy Agent
Install node-fetch-native dependency:
# npm
npm i node-fetch-native
# yarn
yarn add node-fetch-native
# pnpm
pnpm i node-fetch-native
You can now either import or require the dependency:
// ESM
import fetch from "node-fetch-native";
// CommonJS
const fetch = require("node-fetch-native");
More named exports:
// ESM
import {
  fetch,
  Blob,
  FormData,
  Headers,
  Request,
  Response,
  AbortController,
} from "node-fetch-native";
// CommonJS
const {
  fetch,
  Blob,
  FormData,
  Headers,
  Request,
  Response,
  AbortController,
} = require("node-fetch-native");
Sometimes you want to explicitly use the non-native (node-fetch) implementation of fetch in case of issues with the native/polyfill version of globalThis.fetch with Node.js or the runtime environment.
You have two ways to do this:
Set the FORCE_NODE_FETCH environment variable before starting the application.
Import from node-fetch-native/node
Using the polyfill method, we can ensure global fetch is available in the environment and all files. Natives are always preferred.
Note: I don't recommend this if you are authoring a library! Please prefer the explicit methods.
// ESM
import "node-fetch-native/polyfill";
// CJS
require("node-fetch-native/polyfill");
// You can now use fetch() without any import!
Node.js has no built-in support for HTTP proxies for fetch (see nodejs/undici#1650 and nodejs/node#8381).
This package bundles a compact and simple proxy-supported solution for both Node.js versions without native fetch using HTTP Agent and versions with native fetch using Undici Proxy Agent.
By default, the https_proxy, http_proxy, HTTPS_PROXY, and HTTP_PROXY environment variables are checked and used (in order) for the proxy; if none of them is set, the proxy is disabled. You can override this using the url option passed to the createFetch and createProxy utils.
By default, the no_proxy and NO_PROXY environment variables are checked and used for the (comma-separated) list of hosts that bypass the proxy. You can override this using the noProxy option passed to the createFetch and createProxy utils. Entries starting with a dot match the domain and also any subdomain.
[!NOTE] Using export conditions, this utility adds proxy support for Node.js; for other runtimes, it simply returns native fetch.
[!IMPORTANT] Proxy support is under development. Check unjs/node-fetch-native#107 for the roadmap and contributing!
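The environment-variable rules described above decide whether a request leaves through the proxy or goes direct, so they are worth checking when a proxy is used for egress control. The following is an added example, not code from node-fetch-native: the function names are hypothetical, and the matching rule for dot entries and the precedence of no_proxy over NO_PROXY are assumptions.

```javascript
// Added illustration, not node-fetch-native's own code.
// Variable names and order are the ones listed above.
const PROXY_VARS = ["https_proxy", "http_proxy", "HTTPS_PROXY", "HTTP_PROXY"];

// First proxy URL set in `env`, or undefined when none is set (proxy disabled).
function resolveProxyUrl(env) {
  for (const name of PROXY_VARS) {
    if (env[name]) return env[name];
  }
  return undefined;
}

// Split the comma-separated no_proxy / NO_PROXY value into lowercase entries.
// Assumption: the lowercase variable wins when both are set.
function parseNoProxy(env) {
  const raw = env.no_proxy || env.NO_PROXY || "";
  return raw.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Assumption: a plain entry matches that exact host; a ".suffix" entry matches
// the bare domain and any subdomain, compared on label boundaries.
function bypassesProxy(hostname, noProxyList) {
  const host = hostname.toLowerCase();
  return noProxyList.some((entry) => {
    if (!entry.startsWith(".")) return host === entry;
    return host === entry.slice(1) || host.endsWith(entry);
  });
}

// Decide how one request would be routed under a given environment.
function routeFor(url, env) {
  const proxy = resolveProxyUrl(env);
  if (!proxy) return { via: "direct", reason: "no proxy variable set" };
  const { hostname } = new URL(url);
  if (bypassesProxy(hostname, parseNoProxy(env))) {
    return { via: "direct", reason: "host listed in no_proxy" };
  }
  return { via: proxy, reason: "proxied" };
}

// Constructed sample environment and hosts.
const sampleEnv = {
  HTTP_PROXY: "http://proxy.corp.example:3128",
  http_proxy: "http://localhost:9080",
  no_proxy: "localhost, .internal.example",
};
for (const host of ["icanhazip.com", "api.internal.example", "notinternal.example"]) {
  console.log(host, routeFor(`https://${host}/`, sampleEnv));
}
```

With the sample environment, the lowercase http_proxy value is chosen over HTTP_PROXY because it comes earlier in the checked order.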
fetch with proxy support
You can simply import { fetch } from node-fetch-native/proxy with a preconfigured fetch function that has proxy support.
import { fetch } from "node-fetch-native/proxy";
console.log(await fetch("https://icanhazip.com").then((r) => r.text()));
createFetch utility
You can use the createFetch utility to instantiate a fetch instance with custom proxy options.
import { createFetch } from "node-fetch-native/proxy";
const fetch = createFetch({ url: "http://localhost:9080" });
console.log(await fetch("https://icanhazip.com").then((r) => r.text()));
createProxy utility
createProxy returns an object with agent and dispatcher keys that can be passed as fetch options.
import { fetch } from "node-fetch-native";
import { createProxy } from "node-fetch-native/proxy";
const proxy = createProxy();
// const proxy = createProxy({ url: "http://localhost:8080" });
console.log(await fetch("https://icanhazip.com", { ...proxy }).then((r) => r.text()));
node-fetch
Using this method, you can ensure all project dependencies and usages of node-fetch can benefit from improved node-fetch-native and won't conflict between node-fetch@2 and node-fetch@3.
Using npm overrides:
// package.json
{
  "overrides": {
    "node-fetch": "npm:node-fetch-native@latest"
  }
}
Using yarn selective dependency resolutions:
// package.json
{
  "resolutions": {
    "node-fetch": "npm:node-fetch-native@latest"
  }
}
Using pnpm.overrides:
// package.json
{
  "pnpm": {
    "overrides": {
      "node-fetch": "npm:node-fetch-native@latest"
    }
  }
}
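An alias in any of these three locations makes every dependency that asks for one package name receive another, so it is useful to be able to list them during review. The following is an added example, not part of node-fetch-native: `parseAlias`, `auditAliases` and the sample manifest are hypothetical names and constructed data, and nested npm override objects are skipped.

```javascript
// Added illustration; the function names and sample manifest are constructed.
// Finds entries in the three override locations shown above whose value is an
// "npm:<package>@<range>" alias, i.e. one package name resolved to another.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function parseAlias(spec) {
  if (typeof spec !== "string" || !spec.startsWith("npm:")) return null;
  const body = spec.slice(4);
  const at = body.lastIndexOf("@"); // index 0 is the "@" of a scoped name
  if (at <= 0) return { target: body, range: "" };
  return { target: body.slice(0, at), range: body.slice(at + 1) };
}

function auditAliases(manifest) {
  const sections = {
    overrides: manifest.overrides, // npm
    resolutions: manifest.resolutions, // yarn
    "pnpm.overrides": manifest.pnpm && manifest.pnpm.overrides,
  };
  const findings = [];
  for (const [section, map] of Object.entries(sections)) {
    for (const [name, spec] of Object.entries(map || {})) {
      const alias = parseAlias(spec); // null for plain ranges and nested objects
      if (!alias) continue;
      findings.push({
        section, name, target: alias.target, range: alias.range,
        renamed: alias.target !== name, // a different package is installed
        pinned: EXACT.test(alias.range), // false for dist-tags such as "latest"
      });
    }
  }
  return findings;
}

// Constructed manifest: "0.0.0" is a placeholder version, "example-pkg" a
// hypothetical package with an ordinary (non-alias) override.
const sampleManifest = {
  overrides: { "node-fetch": "npm:node-fetch-native@latest" },
  resolutions: { "node-fetch": "npm:node-fetch-native@0.0.0" },
  pnpm: { overrides: { "example-pkg": "1.3.0" } },
};
console.log(auditAliases(sampleManifest));
```

An entry reported with `pinned: false` resolves to whatever version the dist-tag or range points at when the lockfile is created or regenerated.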
Made with 💛 Published under the MIT license.
FAQs
better fetch for Node.js. Works on any JavaScript runtime!
We found that node-fetch-native demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.