pkit · August 17, 2023 17:15 · pkit · Aug 17, 2023
diff --git a/node-fetch+3.3.2.patch b/node-fetch+3.3.2.patch
 diff --git a/node_modules/node-fetch/src/index.js b/node_modules/node-fetch/src/index.js
 index 7c4aee8..270cbb6 100644
 --- a/node_modules/node-fetch/src/index.js
 +++ b/node_modules/node-fetch/src/index.js
 @@ -197,21 +197,6 @@ export default async function fetch(url, options_) {
 							referrerPolicy: request.referrerPolicy
 						};
 
 -						// when forwarding sensitive headers like "Authorization",
 -						// "WWW-Authenticate", and "Cookie" to untrusted targets,
 -						// headers will be ignored when following a redirect to a domain
 -						// that is not a subdomain match or exact match of the initial domain.
 -						// For example, a redirect from "foo.com" to either "foo.com" or "sub.foo.com"
 -						// will forward the sensitive headers, but a redirect to "bar.com" will not.
 -						// headers will also be ignored when following a redirect to a domain using
 -						// a different protocol. For example, a redirect from "https://foo.com" to "http://foo.com"
 -						// will not forward the sensitive headers
 -						if (!isDomainOrSubdomain(request.url, locationURL) || !isSameProtocol(request.url, locationURL)) {
 -							for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
 -								requestOptions.headers.delete(name);
 -							}
 -						}
 -
 						// HTTP-redirect fetch step 9
 						if (response_.statusCode !== 303 && request.body && options_.body instanceof Stream.Readable) {
 							reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect'));
	diff --git a/node_modules/node-fetch/src/index.js b/node_modules/node-fetch/src/index.js
	index 7c4aee8..270cbb6 100644
	--- a/node_modules/node-fetch/src/index.js
	+++ b/node_modules/node-fetch/src/index.js
	@@ -197,21 +197,6 @@ export default async function fetch(url, options_) {
	referrerPolicy: request.referrerPolicy
	};

	- // when forwarding sensitive headers like "Authorization",
	- // "WWW-Authenticate", and "Cookie" to untrusted targets,
	- // headers will be ignored when following a redirect to a domain
	- // that is not a subdomain match or exact match of the initial domain.
	- // For example, a redirect from "foo.com" to either "foo.com" or "sub.foo.com"
	- // will forward the sensitive headers, but a redirect to "bar.com" will not.
	- // headers will also be ignored when following a redirect to a domain using
	- // a different protocol. For example, a redirect from "https://foo.com" to "http://foo.com"
	- // will not forward the sensitive headers
	- if (!isDomainOrSubdomain(request.url, locationURL) \|\| !isSameProtocol(request.url, locationURL)) {
	- for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
	- requestOptions.headers.delete(name);
	- }
	- }
	-
	// HTTP-redirect fetch step 9
	if (response_.statusCode !== 303 && request.body && options_.body instanceof Stream.Readable) {
	reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect'));