.eslintrc

@@ -23,6 +23,7 @@
     no-alert: "error",
     no-caller: "error",
     no-case-declarations: "error",
+    no-console: ["error", { allow: ["warn"] }],
     no-div-regex: "error",
     no-else-return: "error",
     no-empty-function: "error",

.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/setup-node@v3
         with:
-          node-version: '18.0'
+          node-version: '22.0'
       - uses: actions/checkout@v4
       - run: npm ci
       - run: npm run lint
@@ -51,6 +51,10 @@ jobs:
           - '17.x'
           - '18.0'
           - '18.x'
+          - '20.0'
+          - '20.x'
+          - '22.0'
+          - '22.x'
     steps:
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3

SECURITY.md

@@ -1,6 +1,3 @@
 # Reporting a Vulnerability
 
-If you discover a security vulnerability in follow-redirects please disclose it via [our huntr page](https://huntr.dev/repos/follow-redirects/follow-redirects). Bounties, CVE assignment, response times and past reports are all there.
-
-
-Thank you for improving the security of follow-redirects.
+If you discover a security vulnerability in follow-redirects please disclose it via https://github.com/follow-redirects/follow-redirects/security/advisories

index.js

@@ -6,10 +6,21 @@ var Writable = require("stream").Writable;
 var assert = require("assert");
 var debug = require("./debug");
 
+// Preventive platform detection
+// istanbul ignore next
+(function detectUnsupportedEnvironment() {
+  var looksLikeNode = typeof process !== "undefined";
+  var looksLikeBrowser = typeof window !== "undefined" && typeof document !== "undefined";
+  var looksLikeV8 = isFunction(Error.captureStackTrace);
+  if (!looksLikeNode && (looksLikeBrowser || !looksLikeV8)) {
+    console.warn("The follow-redirects package should be excluded from browser builds.");
+  }
+}());
+
 // Whether to use the native URL object or the legacy url module
 var useNativeURL = false;
 try {
-  assert(new URL());
+  assert(new URL(""));
 }
 catch (error) {
   useNativeURL = error.code === "ERR_INVALID_URL";
@@ -346,17 +357,17 @@ RedirectableRequest.prototype._performRequest = function () {
     var buffers = this._requestBodyBuffers;
     (function writeNext(error) {
       // Only write if this request has not been redirected yet
-      /* istanbul ignore else */
+      // istanbul ignore else
       if (request === self._currentRequest) {
         // Report any write errors
-        /* istanbul ignore if */
+        // istanbul ignore if
         if (error) {
           self.emit("error", error);
         }
         // Write the next buffer if there are still left
         else if (i < buffers.length) {
           var buffer = buffers[i++];
-          /* istanbul ignore else */
+          // istanbul ignore else
           if (!request.finished) {
             request.write(buffer.data, buffer.encoding, writeNext);
           }
@@ -461,7 +472,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
      redirectUrl.protocol !== "https:" ||
      redirectUrl.host !== currentHost &&
      !isSubdomain(redirectUrl.host, currentHost)) {
-    removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+    removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
   }
 
   // Evaluate the beforeRedirect callback
@@ -552,7 +563,7 @@ function noop() { /* empty */ }
 
 function parseUrl(input) {
   var parsed;
-  /* istanbul ignore else */
+  // istanbul ignore else
   if (useNativeURL) {
     parsed = new URL(input);
   }
@@ -567,7 +578,7 @@ function parseUrl(input) {
 }
 
 function resolveUrl(relative, base) {
-  /* istanbul ignore next */
+  // istanbul ignore next
   return useNativeURL ? new URL(relative, base) : parseUrl(url.resolve(base, relative));
 }
 
@@ -616,7 +627,10 @@ function removeMatchingHeaders(regex, headers) {
 function createErrorType(code, message, baseClass) {
   // Create constructor
   function CustomError(properties) {
-    Error.captureStackTrace(this, this.constructor);
+    // istanbul ignore else
+    if (isFunction(Error.captureStackTrace)) {
+      Error.captureStackTrace(this, this.constructor);
+    }
     Object.assign(this, properties || {});
     this.code = code;
     this.message = this.cause ? message + ": " + this.cause.message : message;

package.json

@@ -1,6 +1,6 @@
 {
   "name": "follow-redirects",
-  "version": "1.15.5",
+  "version": "1.15.9",
   "description": "HTTP and HTTPS modules that follow redirects.",
   "license": "MIT",
   "main": "index.js",
@@ -16,7 +16,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "git@github.com:follow-redirects/follow-redirects.git"
+    "url": "git+ssh://git@github.com/follow-redirects/follow-redirects.git"
   },
   "homepage": "https://github.com/follow-redirects/follow-redirects",
   "bugs": {

test/server.js

@@ -60,6 +60,10 @@ module.exports = function (defaultPorts) {
 
   function stopServer(server) {
     return new Promise(function (resolve, reject) {
+      // Node 19 uses KeepAlive by default
+      if (server.closeIdleConnections) {
+        server.closeIdleConnections();
+      }
       server.close(function (error) {
         return error ? reject(error) : resolve();
       });

test/test.js

@@ -607,7 +607,9 @@ describe("follow-redirects", function () {
 
       return server.start(app)
         .then(asPromise(function (resolve, reject) {
-          var req = http.get("http://localhost:3600/data", concatJson(reject, reject));
+          var opts = url.parse("http://localhost:3600/data");
+          opts.agent = new http.Agent({ keepAlive: false });
+          var req = http.get(opts, concatJson(reject, reject));
           req.on("error", reject);
           req.setTimeout(100, function () {
             throw new Error("should not have timed out");
@@ -1529,6 +1531,7 @@ describe("follow-redirects", function () {
 
   [
     "Authorization",
+    "Proxy-Authorization",
     "Cookie",
   ].forEach(function (header) {
     describe("when the client passes an header named " + header, function () {