feat: update dependencies, node

node_modules/node-fetch/@types/index.d.ts

@@ -1,5 +1,4 @@
 /// <reference types="node" />
-/// <reference lib="dom" />
 
 import {RequestOptions} from 'http';
 import {FormData} from 'formdata-polyfill/esm.min.js';

node_modules/node-fetch/README.md

@@ -442,7 +442,7 @@ console.log(data)
 If you for some reason need to post a stream coming from any arbitrary place,
 then you can append a [Blob] or a [File] look-a-like item.
 
-The minium requirement is that it has:
+The minimum requirement is that it has:
 1. A `Symbol.toStringTag` getter or property that is either `Blob` or `File`
 2. A known size.
 3. And either a `stream()` method or a `arrayBuffer()` method that returns a ArrayBuffer.

node_modules/node-fetch/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-fetch",
-  "version": "3.2.6",
+  "version": "3.2.10",
   "description": "A light-weight module that brings Fetch API to node.js",
   "main": "./src/index.js",
   "sideEffects": false,

node_modules/node-fetch/src/index.js

@@ -22,7 +22,7 @@ import {FetchError} from './errors/fetch-error.js';
 import {AbortError} from './errors/abort-error.js';
 import {isRedirect} from './utils/is-redirect.js';
 import {FormData} from 'formdata-polyfill/esm.min.js';
-import {isDomainOrSubdomain} from './utils/is.js';
+import {isDomainOrSubdomain, isSameProtocol} from './utils/is.js';
 import {parseReferrerPolicyFromHeader} from './utils/referrer.js';
 import {
 	Blob,
@@ -203,7 +203,10 @@ export default async function fetch(url, options_) {
 						// that is not a subdomain match or exact match of the initial domain.
 						// For example, a redirect from "foo.com" to either "foo.com" or "sub.foo.com"
 						// will forward the sensitive headers, but a redirect to "bar.com" will not.
-						if (!isDomainOrSubdomain(request.url, locationURL)) {
+						// headers will also be ignored when following a redirect to a domain using
+						// a different protocol. For example, a redirect from "https://foo.com" to "http://foo.com"
+						// will not forward the sensitive headers
+						if (!isDomainOrSubdomain(request.url, locationURL) || !isSameProtocol(request.url, locationURL)) {
 							for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
 								requestOptions.headers.delete(name);
 							}

node_modules/node-fetch/src/request.js

@@ -65,7 +65,7 @@ export default class Request extends Body {
 			method = method.toUpperCase();
 		}
 
-		if ('data' in init) {
+		if (!isRequest(init) && 'data' in init) {
 			doBadDataWarn();
 		}
 

node_modules/node-fetch/src/utils/is.js

@@ -71,3 +71,17 @@ export const isDomainOrSubdomain = (destination, original) => {
 
 	return orig === dest || orig.endsWith(`.${dest}`);
 };
+
+/**
+ * isSameProtocol reports whether the two provided URLs use the same protocol.
+ *
+ * Both domains must already be in canonical form.
+ * @param {string|URL} original
+ * @param {string|URL} destination
+ */
+export const isSameProtocol = (destination, original) => {
+	const orig = new URL(original).protocol;
+	const dest = new URL(destination).protocol;
+
+	return orig === dest;
+};

node_modules/node-fetch/src/utils/referrer.js

@@ -119,7 +119,7 @@ export function isOriginPotentiallyTrustworthy(url) {
 	// 5. If origin's host component is "localhost" or falls within ".localhost", and the user agent conforms to the name resolution rules in [let-localhost-be-localhost], return "Potentially Trustworthy".
 	// We are returning FALSE here because we cannot ensure conformance to
 	// let-localhost-be-loalhost (https://tools.ietf.org/html/draft-west-let-localhost-be-localhost)
-	if (/^(.+\.)*localhost$/.test(url.host)) {
+	if (url.host === 'localhost' || url.host.endsWith('.localhost')) {
 		return false;
 	}