simple-get - npm Package Compare versions

Comparing version 3.1.0 to 3.1.1

index.js

@@ -46,2 +46,3 @@ module.exports = simpleGet
 
+  const originalHost = opts.hostname // hostname before potential redirect
   const protocol = opts.protocol === 'https:' ? https : http // Support http/https urls
@@ -54,2 +55,9 @@ const req = protocol.request(opts, res => {
 
+      const redirectHost = url.parse(opts.url).hostname // eslint-disable-line node/no-deprecated-api
+      // If redirected host is different than original host, drop headers to prevent cookie leak (#73)
+      if (redirectHost !== null && redirectHost !== originalHost) {
+        delete opts.headers.cookie
+        delete opts.headers.authorization
+      }
+
       if (opts.method === 'POST' && [301, 302].includes(res.statusCode)) {
@@ -56,0 +64,0 @@ opts.method = 'GET' // On 301/302 redirect, change POST to GET (see #35)

package.json

 {
   "name": "simple-get",
   "description": "Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "author": {
@@ -6,0 +6,0 @@ "name": "Feross Aboukhadijeh",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

13595

increased by3.3%

Lines of code

90

increased by8.43%

Worsened metrics

Number of medium supply chain risk alerts

3

increased by50%

No dependency changes