fix(headers): don't forward secure headers on protocol change #1605
backport for node-fetch#1599 to the 2.x branch
I forgot to ask earlier, but are 2.x versions released automatically when a PR is closed, the same as new 3.x versions? If not, how/when can we have a new release published with this fix, and can we help with that in any way if needed?
Apparently the release is not done automatically, as there is no v2.6.8 by now, while these changes have been merged for some days and the newer 3.x release with this fix has been available for some days too. @jimmywarting @cvalb Can someone please publish a new 2.x release to fix this security issue for all projects depending on this older version? Many thanks in advance,
It should make a release automatically, but I think it failed to publish at that one point for some reason.
Hello @jimmywarting @gr2m, will a new version be rolled up to 2.x.x on npm?
@gr2m or @jimmywarting - any news about a new 2.x npm release? It has not happened until now, and looking at the npm download statistics in comparison to the 3.x release, it's much needed... Thanks
Thanks @victal for back-porting this! @jimmywarting @gr2m it would be awesome if a new 2.x version could be released on npm 🙏
Hello, any update on the 2.x release @jimmywarting @gr2m? I've been checking the releases and I don't think it was even triggered, or at least, it does not appear in the release history. It would be really helpful if anyone could trigger a new release 🙏🙏.
🎉 This PR is included in version 2.6.8 🎉 The release is available on: Your semantic-release bot 📦🚀
This seemed to be a breaking change for us; after the dependency update, a server with a 302 protocol redirect response makes fetch return a 401 error instead of following up with the redirect and returning 200.
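The behaviour reported in the last comment (a 302 that changes protocol now ends in a 401) is what you get when credential headers are dropped before the redirect is followed. The sketch below is an added illustration of that decision, not node-fetch's code and not posted by anyone in this thread; the header list, the host check (which goes beyond the protocol check named in the PR title) and the `example.test` URLs are assumptions.

```javascript
// Added illustration. SENSITIVE_HEADERS is an assumed list for this example.
const SENSITIVE_HEADERS = ['authorization', 'cookie', 'cookie2', 'www-authenticate'];

// True when `destination` is the same host as `original` or a subdomain of it.
function isDomainOrSubdomain(destination, original) {
  const orig = new URL(original).hostname;
  const dest = new URL(destination).hostname;
  return orig === dest || dest.endsWith('.' + orig);
}

// True when both URLs use the same scheme (http: vs https:).
function isSameProtocol(destination, original) {
  return new URL(destination).protocol === new URL(original).protocol;
}

// Given the original request URL, the Location value of a 3xx response and the
// original request headers, return the URL and headers for the follow-up request.
// Credential headers are removed when the redirect leaves the host or changes scheme.
function headersForRedirect(requestUrl, location, headers) {
  const target = new URL(location, requestUrl).href; // resolves relative Location values
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value; // header names are case-insensitive
  }
  if (!isDomainOrSubdomain(target, requestUrl) || !isSameProtocol(target, requestUrl)) {
    for (const name of SENSITIVE_HEADERS) delete out[name];
  }
  return { url: target, headers: out };
}

// Constructed sample request headers.
const sample = { Authorization: 'Bearer constructed-token', Accept: 'application/json' };

// Same origin, relative Location: credentials are kept.
const sameOrigin = headersForRedirect('https://api.example.test/v1', '/v2', sample);
// http -> https on the same host: scheme changed, credentials are dropped,
// so an endpoint that requires them answers 401.
const upgrade = headersForRedirect('http://api.example.test/v1', 'https://api.example.test/v1', sample);
// Different host: credentials are dropped.
const crossHost = headersForRedirect('https://api.example.test/v1', 'https://other.example.test/', sample);
```

A caller that has to authenticate on the second hop can request with `redirect: 'manual'`, validate the `Location` value, and issue the follow-up request with credentials explicitly.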
Purpose
Backport of #1599 to the 2.x branch as it's a security fix (Resolves the issue at https://www.huntr.dev/bounties/db31e05b-ff10-4057-81a3-37445bf161cd/)
Additional information