v4.9.1
Immutable
release. Only release title and notes can be modified.
What's Changed
Security
- Do not forward credential headers (
Authorization,Cookie,Proxy-Authorization) on cross-origin redirect, and clearauth/digestAuth, matching the WHATWG Fetch spec and undici'sRedirectHandler(#812). Same-origin redirects are unchanged and the caller'soptionsobject is never mutated.
Dependencies
- Update runtime dependencies: undici (
^7.24.0), qs, form-data, formstream, and type-fest.
Internal
- Migrate the toolchain to Vite+ (Vitest 4, Oxlint, Oxfmt, tsdown).
- Two-stage release workflow with manual approval, publishing the 4.x line to the
latest-4npm dist-tag (#817).
Full Changelog: v4.9.0...v4.9.1