1.2.4

bumped `tough-cookie` version to 2.3.1 to resolve ReDoS vulnerability (NSP advisory 130)

CHANGELOG.md

@@ -0,0 +1,63 @@
+## 1.2.4 (August 16, 2016)
+
+* __Documentation:__ Added this changelog.
+
+## 1.2.3 (August 16, 2016)
+
+* __Patch:__ Upgraded `tough-cookie` to `2.31` to resolve [a ReDoS vulnerability](https://nodesecurity.io/advisories/130). (contributed by [Rocky Assad](https://github.com/fourq))
+* __Patch:__ Fixed delete method to not have a `data` argument (in line with the documentation). (contributed by [MychaelZ](https://github.com/MychaelZ))
+
+## 1.2.2
+
+(never existed due to an administrative error)
+
+## 1.2.1 (April 27, 2015)
+
+* __Documentation:__ Fixed tips button in README.
+
+## 1.2.0 (April 27, 2015)
+
+* __Minor:__ Allow request payloads for custom HTTP verbs.
+
+## 1.1.3 (April 11, 2015)
+
+* __Patch:__ Changed redirect handling to correctly resolve relative paths to the original request domain.
+* __Documentation:__ Added clarification regarding convenience methods, and the fact that they use `bhttp.request` internally.
+
+## 1.1.2 (April 9, 2015)
+
+* __Patch:__ Fixed to send the correct `Content-Type` header for request payloads - specifically, for JSON-encoded payloads.
+
+## 1.1.1 (April 9, 2015)
+
+* __Patch:__ Replaced `.resume()` with a `.pipe()` to the `dev-null` module, and monkeypatched the progress event handling into the response stream, to prevent "old mode" stream errors in some versions of Node.js 0.10.
+
+## 1.1.0 (April 8, 2015)
+
+* __Minor:__ Added a response timeout configuration option.
+* __Minor:__ Added progress events.
+* __Minor:__ Added a ConnectionTimeoutError type.
+* __Patch:__ Isolated error types to the `bhttp` module, rather than storing them directly on the `errors` module.
+* __Patch:__ Made internal debugging statements clearer.
+* __Documentation:__ Added clarification regarding the agent problem only existing until Node.js 0.10.
+
+## 1.0.4 (March 17, 2015)
+
+* __Documentation:__ Fixed two missing `return`s in the session example.
+
+## 1.0.3 (February 22, 2015)
+
+* __Documentation:__ Fixed a missing `require()` in the usage example.
+
+## 1.0.2 (January 24, 2015)
+
+* __Patch:__ Fixed broken nodeback API.
+* __Documentation:__ Added a simple usage example.
+
+## 1.0.1 (January 23, 2015)
+
+* __Documentation:__ Added a remark regarding HTTPS use.
+
+## 1.0.0 (January 23, 2015)
+
+* Initial release

lib/bhttp.coffee

@@ -589,7 +589,7 @@ bhttpAPI =
 	patch: (url, data, options = {}, callback) ->
 		options.method = "patch"
 		doPayloadRequest.bind(this) url, data, options, callback
-	delete: (url, data, options = {}, callback) ->
+	delete: (url, options = {}, callback) ->
 		options.method = "delete"
 		@request url, options, callback
 	request: (url, options = {}, callback) ->

lib/bhttp.js

@@ -1,4 +1,5 @@
-var Promise, S, addErrorData, bhttpAPI, bhttpErrors, concatStream, createCookieJar, debug, debugRequest, debugResponse, devNull, doPayloadRequest, doRedirect, errors, extend, formData, formFixArray, http, https, isStream, makeRequest, ofTypes, packageConfig, prepareCleanup, prepareDefaults, prepareOptions, preparePayload, prepareProtocol, prepareRequest, prepareSession, prepareUrl, processResponse, querystring, redirectGet, redirectUnchanged, sink, spy, stream, streamLength, toughCookie, urlUtil, util, _;
+// Generated by CoffeeScript 1.9.3
+var Promise, S, _, addErrorData, bhttpAPI, bhttpErrors, concatStream, createCookieJar, debug, debugRequest, debugResponse, devNull, doPayloadRequest, doRedirect, errors, extend, formData, formFixArray, http, https, isStream, makeRequest, ofTypes, packageConfig, prepareCleanup, prepareDefaults, prepareOptions, preparePayload, prepareProtocol, prepareRequest, prepareSession, prepareUrl, processResponse, querystring, redirectGet, redirectUnchanged, sink, spy, stream, streamLength, toughCookie, urlUtil, util;
 
 urlUtil = require("url");
 
@@ -90,10 +91,10 @@ errors.create({
 });
 
 ofTypes = function(obj, types) {
-  var match, type, _i, _len;
+  var i, len, match, type;
   match = false;
-  for (_i = 0, _len = types.length; _i < _len; _i++) {
+  for (i = 0, len = types.length; i < len; i++) {
-    type = types[_i];
+    type = types[i];
     match = match || obj instanceof type;
   }
   return match;
@@ -140,27 +141,27 @@ prepareSession = function(request, response, requestState) {
 prepareDefaults = function(request, response, requestState) {
   debugRequest("preparing defaults");
   return Promise["try"](function() {
-    var _base, _base1, _base2, _ref, _ref1, _ref2, _ref3, _ref4, _ref5, _ref6, _ref7;
+    var base, base1, base2, ref, ref1, ref2, ref3, ref4, ref5, ref6, ref7;
     request.responseOptions = {
-      discardResponse: (_ref = request.options.discardResponse) != null ? _ref : false,
+      discardResponse: (ref = request.options.discardResponse) != null ? ref : false,
-      keepRedirectResponses: (_ref1 = request.options.keepRedirectResponses) != null ? _ref1 : false,
+      keepRedirectResponses: (ref1 = request.options.keepRedirectResponses) != null ? ref1 : false,
-      followRedirects: (_ref2 = request.options.followRedirects) != null ? _ref2 : true,
+      followRedirects: (ref2 = request.options.followRedirects) != null ? ref2 : true,
-      noDecode: (_ref3 = request.options.noDecode) != null ? _ref3 : false,
+      noDecode: (ref3 = request.options.noDecode) != null ? ref3 : false,
-      decodeJSON: (_ref4 = request.options.decodeJSON) != null ? _ref4 : false,
+      decodeJSON: (ref4 = request.options.decodeJSON) != null ? ref4 : false,
-      stream: (_ref5 = request.options.stream) != null ? _ref5 : false,
+      stream: (ref5 = request.options.stream) != null ? ref5 : false,
-      justPrepare: (_ref6 = request.options.justPrepare) != null ? _ref6 : false,
+      justPrepare: (ref6 = request.options.justPrepare) != null ? ref6 : false,
-      redirectLimit: (_ref7 = request.options.redirectLimit) != null ? _ref7 : 10,
+      redirectLimit: (ref7 = request.options.redirectLimit) != null ? ref7 : 10,
       onDownloadProgress: request.options.onDownloadProgress,
       responseTimeout: request.options.responseTimeout
     };
-    if ((_base = request.options).allowChunkedMultipart == null) {
+    if ((base = request.options).allowChunkedMultipart == null) {
-      _base.allowChunkedMultipart = false;
+      base.allowChunkedMultipart = false;
     }
-    if ((_base1 = request.options).forceMultipart == null) {
+    if ((base1 = request.options).forceMultipart == null) {
-      _base1.forceMultipart = false;
+      base1.forceMultipart = false;
     }
-    if ((_base2 = request.options.headers)["user-agent"] == null) {
+    if ((base2 = request.options.headers)["user-agent"] == null) {
-      _base2["user-agent"] = "bhttp/" + packageConfig.version;
+      base2["user-agent"] = "bhttp/" + packageConfig.version;
     }
     request.options.method = request.options.method.toLowerCase();
     return Promise.resolve([request, response, requestState]);
@@ -170,7 +171,7 @@ prepareDefaults = function(request, response, requestState) {
 prepareUrl = function(request, response, requestState) {
   debugRequest("preparing URL");
   return Promise["try"](function() {
-    var urlOptions, _ref;
+    var ref, urlOptions;
     urlOptions = urlUtil.parse(request.url, true);
     _.extend(request.options, {
       hostname: urlOptions.hostname,
@@ -178,7 +179,7 @@ prepareUrl = function(request, response, requestState) {
     });
     request.options.path = urlUtil.format({
       pathname: urlOptions.pathname,
-      query: (_ref = request.options.query) != null ? _ref : urlOptions.query
+      query: (ref = request.options.query) != null ? ref : urlOptions.query
     });
     request.protocol = S(urlOptions.protocol).chompRight(":").toString();
     return Promise.resolve([request, response, requestState]);
@@ -188,7 +189,7 @@ prepareUrl = function(request, response, requestState) {
 prepareProtocol = function(request, response, requestState) {
   debugRequest("preparing protocol");
   return Promise["try"](function() {
-    var _base;
+    var base;
     request.protocolModule = (function() {
       switch (request.protocol) {
         case "http":
@@ -202,8 +203,8 @@ prepareProtocol = function(request, response, requestState) {
     if (request.protocolModule == null) {
       return Promise.reject()(new bhttpErrors.UnsupportedProtocolError("The protocol specified (" + protocol + ") is not currently supported by this module."));
     }
-    if ((_base = request.options).port == null) {
+    if ((base = request.options).port == null) {
-      _base.port = (function() {
+      base.port = (function() {
         switch (request.protocol) {
           case "http":
             return 80;
@@ -219,7 +220,7 @@ prepareProtocol = function(request, response, requestState) {
 prepareOptions = function(request, response, requestState) {
   debugRequest("preparing options");
   return Promise["try"](function() {
-    var _base;
+    var base;
     if (((request.options.formFields != null) || (request.options.files != null)) && ((request.options.inputStream != null) || (request.options.inputBuffer != null))) {
       return Promise.reject(addErrorData(new bhttpErrors.ConflictingOptionsError("You cannot define both formFields/files and a raw inputStream or inputBuffer."), request, response, requestState));
     }
@@ -227,8 +228,8 @@ prepareOptions = function(request, response, requestState) {
       return Promise.reject(addErrorData(new bhttpErrors.ConflictingOptionsError("You cannot use both encodeJSON and a raw inputStream or inputBuffer.", void 0, "If you meant to JSON-encode the stream, you will currently have to do so manually."), request, response, requestState));
     }
     if (request.responseOptions.stream) {
-      if ((_base = request.options).agent == null) {
+      if ((base = request.options).agent == null) {
-        _base.agent = false;
+        base.agent = false;
       }
     }
     return Promise.resolve([request, response, requestState]);
@@ -238,7 +239,7 @@ prepareOptions = function(request, response, requestState) {
 preparePayload = function(request, response, requestState) {
   debugRequest("preparing payload");
   return Promise["try"](function() {
-    var containsStreams, fieldName, fieldValue, formDataObject, multipart, streamOptions, valueElement, _i, _len, _ref, _ref1, _ref2;
+    var containsStreams, fieldName, fieldValue, formDataObject, i, len, multipart, ref, ref1, ref2, streamOptions, valueElement;
     request.onUploadProgress = request.options.onUploadProgress;
     multipart = request.options.forceMultipart || (request.options.files != null);
     multipart = multipart || _.any(request.options.formFields, function(item) {
@@ -251,13 +252,13 @@ preparePayload = function(request, response, requestState) {
     if (request.options.encodeJSON && containsStreams) {
       return Promise.reject()(new bhttpErrors.ConflictingOptionsError("Sending a JSON-encoded payload containing data from a stream is not currently supported.", void 0, "Either don't use encodeJSON, or read your stream into a string or Buffer."));
     }
-    if ((_ref = request.options.method) !== "get" && _ref !== "head" && _ref !== "delete") {
+    if ((ref = request.options.method) !== "get" && ref !== "head" && ref !== "delete") {
       if ((request.options.encodeJSON || (request.options.formFields != null)) && !multipart) {
         debugRequest("got url-encodable form-data");
         if (request.options.encodeJSON) {
           debugRequest("... but encodeJSON was set, so we will send JSON instead");
           request.options.headers["content-type"] = "application/json";
-          request.payload = JSON.stringify((_ref1 = request.options.formFields) != null ? _ref1 : null);
+          request.payload = JSON.stringify((ref1 = request.options.formFields) != null ? ref1 : null);
         } else if (!_.isEmpty(request.options.formFields)) {
           request.options.headers["content-type"] = "application/x-www-form-urlencoded";
           request.payload = querystring.stringify(formFixArray(request.options.formFields));
@@ -269,14 +270,14 @@ preparePayload = function(request, response, requestState) {
       } else if ((request.options.formFields != null) && multipart) {
         debugRequest("got multipart form-data");
         formDataObject = new formData();
-        _ref2 = formFixArray(request.options.formFields);
+        ref2 = formFixArray(request.options.formFields);
-        for (fieldName in _ref2) {
+        for (fieldName in ref2) {
-          fieldValue = _ref2[fieldName];
+          fieldValue = ref2[fieldName];
           if (!_.isArray(fieldValue)) {
             fieldValue = [fieldValue];
           }
-          for (_i = 0, _len = fieldValue.length; _i < _len; _i++) {
+          for (i = 0, len = fieldValue.length; i < len; i++) {
-            valueElement = fieldValue[_i];
+            valueElement = fieldValue[i];
             if (valueElement._bhttpStreamWrapper != null) {
               streamOptions = valueElement.options;
               valueElement = valueElement.stream;
@@ -300,10 +301,10 @@ preparePayload = function(request, response, requestState) {
       } else if (request.options.inputStream != null) {
         debugRequest("got inputStream");
         return Promise["try"](function() {
-          var _ref3;
+          var ref3;
           request.payloadStream = request.options.inputStream;
           if ((request.payloadStream._bhttpStreamWrapper != null) && ((request.payloadStream.options.contentLength != null) || (request.payloadStream.options.knownLength != null))) {
-            return Promise.resolve((_ref3 = request.payloadStream.options.contentLength) != null ? _ref3 : request.payloadStream.options.knownLength);
+            return Promise.resolve((ref3 = request.payloadStream.options.contentLength) != null ? ref3 : request.payloadStream.options.knownLength);
           } else {
             return streamLength(request.options.inputStream);
           }
@@ -338,16 +339,16 @@ preparePayload = function(request, response, requestState) {
 prepareCleanup = function(request, response, requestState) {
   debugRequest("preparing cleanup");
   return Promise["try"](function() {
-    var fixedHeaders, key, value, _i, _len, _ref, _ref1;
+    var fixedHeaders, i, key, len, ref, ref1, value;
-    _ref = ["query", "formFields", "files", "encodeJSON", "inputStream", "inputBuffer", "discardResponse", "keepRedirectResponses", "followRedirects", "noDecode", "decodeJSON", "allowChunkedMultipart", "forceMultipart", "onUploadProgress", "onDownloadProgress"];
+    ref = ["query", "formFields", "files", "encodeJSON", "inputStream", "inputBuffer", "discardResponse", "keepRedirectResponses", "followRedirects", "noDecode", "decodeJSON", "allowChunkedMultipart", "forceMultipart", "onUploadProgress", "onDownloadProgress"];
-    for (_i = 0, _len = _ref.length; _i < _len; _i++) {
+    for (i = 0, len = ref.length; i < len; i++) {
-      key = _ref[_i];
+      key = ref[i];
       delete request.options[key];
     }
     fixedHeaders = {};
-    _ref1 = request.options.headers;
+    ref1 = request.options.headers;
-    for (key in _ref1) {
+    for (key in ref1) {
-      value = _ref1[key];
+      value = ref1[key];
       fixedHeaders[key.toLowerCase()] = value;
     }
     request.options.headers = fixedHeaders;
@@ -444,26 +445,26 @@ processResponse = function(request, response, requestState) {
     var cookieHeader, promises;
     if ((request.cookieJar != null) && (response.headers["set-cookie"] != null)) {
       promises = (function() {
-        var _i, _len, _ref, _results;
+        var i, len, ref, results;
-        _ref = response.headers["set-cookie"];
+        ref = response.headers["set-cookie"];
-        _results = [];
+        results = [];
-        for (_i = 0, _len = _ref.length; _i < _len; _i++) {
+        for (i = 0, len = ref.length; i < len; i++) {
-          cookieHeader = _ref[_i];
+          cookieHeader = ref[i];
           debugResponse("storing cookie: %s", cookieHeader);
-          _results.push(request.cookieJar.set(cookieHeader, request.url));
+          results.push(request.cookieJar.set(cookieHeader, request.url));
         }
-        return _results;
+        return results;
       })();
       return Promise.all(promises);
     } else {
       return Promise.resolve();
     }
   }).then(function() {
-    var completedBytes, progressStream, totalBytes, _ref, _ref1;
+    var completedBytes, progressStream, ref, ref1, totalBytes;
     response.request = request;
     response.requestState = requestState;
     response.redirectHistory = requestState.redirectHistory;
-    if (((_ref = response.statusCode) === 301 || _ref === 302 || _ref === 303 || _ref === 307) && request.responseOptions.followRedirects) {
+    if (((ref = response.statusCode) === 301 || ref === 302 || ref === 303 || ref === 307) && request.responseOptions.followRedirects) {
       if (requestState.redirectHistory.length >= (request.responseOptions.redirectLimit - 1)) {
         return Promise.reject(addErrorData(new bhttpErrors.RedirectError("The maximum amount of redirects ({request.responseOptions.redirectLimit}) was reached.")));
       }
@@ -486,7 +487,7 @@ processResponse = function(request, response, requestState) {
         case 303:
           return redirectGet(request, response, requestState);
         case 307:
-          if (request.containsStreams && ((_ref1 = request.options.method) !== "get" && _ref1 !== "head")) {
+          if (request.containsStreams && ((ref1 = request.options.method) !== "get" && ref1 !== "head")) {
             return Promise.reject(addErrorData(new bhttpErrors.RedirectError("Encountered a 307 redirect for POST, PUT or DELETE, but your payload contained (single-use) streams. We therefore can't automatically follow the redirect."), request, response, requestState));
           } else {
             return redirectUnchanged(request, response, requestState);
@@ -511,7 +512,7 @@ processResponse = function(request, response, requestState) {
         });
       }
       return new Promise(function(resolve, reject) {
-        var attachProgressStream, _on, _progressStreamAttached, _resume;
+        var _on, _progressStreamAttached, _resume, attachProgressStream;
         _resume = response.resume.bind(response);
         _on = response.on.bind(response);
         _progressStreamAttached = false;
@@ -540,8 +541,8 @@ processResponse = function(request, response, requestState) {
             return reject(err);
           });
           return response.pipe(concatStream(function(body) {
-            var err, _ref2;
+            var err, ref2;
-            if (request.responseOptions.decodeJSON || (((_ref2 = response.headers["content-type"]) != null ? _ref2 : "").split(";")[0] === "application/json" && !request.responseOptions.noDecode)) {
+            if (request.responseOptions.decodeJSON || (((ref2 = response.headers["content-type"]) != null ? ref2 : "").split(";")[0] === "application/json" && !request.responseOptions.noDecode)) {
               try {
                 response.body = JSON.parse(body);
               } catch (_error) {
@@ -575,12 +576,12 @@ doPayloadRequest = function(url, data, options, callback) {
 redirectGet = function(request, response, requestState) {
   debugResponse("following forced-GET redirect to %s", response.headers["location"]);
   return Promise["try"](function() {
-    var key, options, _i, _len, _ref;
+    var i, key, len, options, ref;
     options = _.clone(requestState.originalOptions);
     options.method = "get";
-    _ref = ["inputBuffer", "inputStream", "files", "formFields"];
+    ref = ["inputBuffer", "inputStream", "files", "formFields"];
-    for (_i = 0, _len = _ref.length; _i < _len; _i++) {
+    for (i = 0, len = ref.length; i < len; i++) {
-      key = _ref[_i];
+      key = ref[i];
       delete options[key];
     }
     return doRedirect(request, response, requestState, options);
@@ -674,7 +675,7 @@ bhttpAPI = {
     options.method = "patch";
     return doPayloadRequest.bind(this)(url, data, options, callback);
   },
-  "delete": function(url, data, options, callback) {
+  "delete": function(url, options, callback) {
     if (options == null) {
       options = {};
     }
@@ -690,7 +691,7 @@ bhttpAPI = {
   _doRequest: function(url, options, requestState) {
     return Promise["try"]((function(_this) {
       return function() {
-        var request, response, _ref;
+        var ref, request, response;
         request = {
           url: url,
           options: _.clone(options)
@@ -703,7 +704,7 @@ bhttpAPI = {
           };
         }
         if (requestState.sessionOptions == null) {
-          requestState.sessionOptions = (_ref = _this._sessionOptions) != null ? _ref : {};
+          requestState.sessionOptions = (ref = _this._sessionOptions) != null ? ref : {};
         }
         return prepareRequest(request, response, requestState);
       };

package.json

@@ -1,6 +1,6 @@
 {
   "name": "bhttp",
-  "version": "1.2.1",
+  "version": "1.2.4",
   "description": "A sane HTTP client library for Node.js with Streams2 support.",
   "main": "index.js",
   "scripts": {
@@ -35,7 +35,7 @@
     "string": "^3.0.0",
     "through2-sink": "^1.0.0",
     "through2-spy": "^1.2.0",
-    "tough-cookie": "^0.12.1"
+    "tough-cookie": "^2.3.1"
   },
   "devDependencies": {
     "gulp": "~3.8.0",