node-fetch - npm Package Compare versions

Comparing version 2.6.6 to 2.6.7

lib/index.es.js

@@ -1404,6 +1404,14 @@ process.emitWarning("The .es.js file is deprecated. Use .mjs instead.");
 
+const URL$1 = Url.URL || whatwgUrl.URL;
+
 // fix an issue where "PassThrough", "resolve" aren't a named export for node <10
 const PassThrough$1 = Stream.PassThrough;
-const resolve_url = Url.resolve;
 
+const isDomainOrSubdomain = function isDomainOrSubdomain(destination, original) {
+	const orig = new URL$1(original).hostname;
+	const dest = new URL$1(destination).hostname;
+
+	return orig === dest || orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest);
+};
+
 /**
@@ -1495,3 +1503,15 @@ * Fetch function
 				// HTTP fetch step 5.3
-				const locationURL = location === null ? null : resolve_url(request.url, location);
+				let locationURL = null;
+				try {
+					locationURL = location === null ? null : new URL$1(location, request.url).toString();
+				} catch (err) {
+					// error here can only be invalid URL in Location: header
+					// do not throw when options.redirect == manual
+					// let the user extract the errorneous redirect URL
+					if (request.redirect !== 'manual') {
+						reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect'));
+						finalize();
+						return;
+					}
+				}
 
@@ -1544,2 +1564,8 @@ // HTTP fetch step 5.5
 
+						if (!isDomainOrSubdomain(request.url, locationURL)) {
+							for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
+								requestOpts.headers.delete(name);
+							}
+						}
+
 						// HTTP-redirect fetch step 9
@@ -1546,0 +1572,0 @@ if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) {

lib/index.js

@@ -1408,6 +1408,14 @@ 'use strict';
 
+const URL$1 = Url.URL || whatwgUrl.URL;
+
 // fix an issue where "PassThrough", "resolve" aren't a named export for node <10
 const PassThrough$1 = Stream.PassThrough;
-const resolve_url = Url.resolve;
 
+const isDomainOrSubdomain = function isDomainOrSubdomain(destination, original) {
+	const orig = new URL$1(original).hostname;
+	const dest = new URL$1(destination).hostname;
+
+	return orig === dest || orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest);
+};
+
 /**
@@ -1499,3 +1507,15 @@ * Fetch function
 				// HTTP fetch step 5.3
-				const locationURL = location === null ? null : resolve_url(request.url, location);
+				let locationURL = null;
+				try {
+					locationURL = location === null ? null : new URL$1(location, request.url).toString();
+				} catch (err) {
+					// error here can only be invalid URL in Location: header
+					// do not throw when options.redirect == manual
+					// let the user extract the errorneous redirect URL
+					if (request.redirect !== 'manual') {
+						reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect'));
+						finalize();
+						return;
+					}
+				}
 
@@ -1548,2 +1568,8 @@ // HTTP fetch step 5.5
 
+						if (!isDomainOrSubdomain(request.url, locationURL)) {
+							for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
+								requestOpts.headers.delete(name);
+							}
+						}
+
 						// HTTP-redirect fetch step 9
@@ -1550,0 +1576,0 @@ if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) {

package.json

 {
     "name": "node-fetch",
-    "version": "2.6.6",
+    "version": "2.6.7",
     "description": "A light-weight module that brings window.fetch to node.js",
@@ -42,2 +42,10 @@ "main": "lib/index.js",
     },
+    "peerDependencies": { 
+        "encoding": "^0.1.0"
+    },
+    "peerDependenciesMeta": {
+        "encoding": {
+            "optional": true
+        }
+    },
     "devDependencies": {
@@ -44,0 +52,0 @@ "@ungap/url-search-params": "^0.1.2",

No alert changes

Improved metrics

Total package byte prevSize

152240

increased by1.97%

Lines of code

4396

increased by1.52%

Worsened metrics

Dependency count

2

increased by100%

No dependency changes