GitHub Dependabot Alert: 'follow-redirects' Package Leaks Authorization Headers on Redirects
A critical security flaw has been flagged in the widely used `follow-redirects` npm package, posing a medium-severity risk of leaking sensitive authorization headers. The vulnerability is triggered when the package automatically follows an HTTP redirect to a different host and forwards the original request's authorization header along with it, exposing authentication tokens and credentials that should only ever reach the host they were issued for. This leak represents a direct threat to application security, potentially allowing unauthorized access to protected resources and user data.
The alert, issued via GitHub's Dependabot, specifically warns that the authorization header is not stripped during cross-host redirects. The `follow-redirects` library is a fundamental dependency for handling HTTP requests in countless Node.js applications, making this vulnerability a widespread concern for developers and organizations relying on it for network communication. The issue is not theoretical; it is an active flaw that requires immediate patching to prevent credential exposure in production environments.
To mitigate this risk, developers must urgently update their `follow-redirects` dependency to the latest patched version. The fix involves modifying the `package.json` file to specify the secure minimum version as detailed in the Dependabot alert. Because `follow-redirects` is usually pulled in transitively by an HTTP client library rather than listed directly, `npm ls follow-redirects` shows which dependency brings it in, and the lockfile must be regenerated so the patched version is actually installed rather than only declared. Failure to apply this update leaves applications vulnerable to man-in-the-middle attacks and credential harvesting, underscoring the persistent pressure on maintainers to manage transitive dependencies and respond swiftly to security disclosures in the open-source ecosystem.