James M Snell

i'm not planning on back porting both of the original commits since one is only relevant for 24.x. This one commit combines the base change along the 22.x version of...

Landed in 6cb0690fccd6

Just for a differential... I tested quickly in Node.js, Deno, and Bun... Node.js and Bun both remove the `Authorization` header on the redirect. Deno preserves it. I have to assume...

Well, that was `node-fetch` wasn't it? That's not the implementation that is actually in Node.js (which is based on undici) ... it looks like the change in undici's fetch was...

Either way... I guess we need to decide how to handle this as it is technically a breaking change. Our options are: 1. Keep it like it is. Essentially ignore...

> Oh... sorry, I didn't realize node-fetch isn't node's fetch implementation. No worries lol... you're not the first and won't be the last. It's caused quite a bit of confusion...

> So probably a compat flag is the right way to go? That's where I'm leaning also.

"In non-server environments you could not rely on this behavior so there it is not considered a breaking change..." The WHATWG's philosophy of not caring about anything but browsers bites...

@Hacksore @nickhudkins thanks for reporting! Not yet sure when we'll get the fix in but will get it scheduled.

We should keep this open so we don't forget it.