iMacTia
commented
5 years ago @wyantb I'm really sorry you had issues because of this change. The reason we went for releasing it even with a minor release is because we've addressed it as a security bug.
You're perfectly right about backwards-compatibility, however this change should only take place when you're redirected to a different hostname, so there should be no impact on normal applications.
We've decided to address this as a security bug because sending the same auth header to different hostnames by mistake is wrong in most cases.
I'm actually curious about your specific case and how this has affected you. Would you be willing to share more details about your scenario? Maybe we can actually do some improvement that won't affect people in your same position.
wyantb
In https://github.com/lostisland/faraday_middleware/pull/183 , the FollowRedirects middleware behavior changed from keeping auth headers by default to clearing auth headers by default. I appreciate that the option is useful, but I don't think that a minor version bump (from 0.12.2 to 0.13.1) should introduce such a notable change without warning.
How about making the default false? If others like me have a
Gemfile.lockthat fixes their faraday_middleware version to an older version, they may not detect this issue for some time in their projects. Having the default be backwards compatible would avoid some sticker shock.