The size option isn't honored after following a redirect in node-fetch
Impact
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Patches
We released patched versions for both stable and beta channels:
For v2: 2.6.1
For v3: 3.0.0-beta.9
Workarounds
None, it is strongly recommended to update as soon as possible.
For more information
If you have any questions or comments about this advisory:
This version was pushed to npm by akepinski, a new releaser for node-fetch since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in the `.dependabot/config.yml` file in this repo:
- Update frequency
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Bumps node-fetch from 2.6.0 to 2.6.1. This update includes a security fix.
Vulnerabilities fixed
Sourced from The GitHub Security Advisory Database.
Release notes
Sourced from node-fetch's releases.
Changelog
Sourced from node-fetch's changelog.
Commits
b5e2e41
update version number2358a6c
Honor thesize
option after following a redirect and revert data uri support8c197f8
docs: Fix typos and grammatical errors in README.md (#686)1e99050
fix: Change error message thrown with redirect mode set to error (#653)244e6f6
docs: Show backers in README6a5d192
fix: Properly parse meta tag when parameters are reversed (#682)47a24a0
chore: Add opencollective badge7b13662
chore: Add funding link5535c2e
fix: Check for global.fetch before binding it (#674)1d5778a
docs: Add Discord badgeMaintainer changes
This version was pushed to npm by akepinski, a new releaser for node-fetch since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in the `.dependabot/config.yml` file in this repo: - Update frequency - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)