sianting
diff --git a/‎.github/workflows/licensed.yml
Copy file name to clipboardExpand all lines: .github/workflows/licensed.yml
+4Lines changed: 4 additions & 0 deletions b/‎.github/workflows/licensed.yml
Copy file name to clipboardExpand all lines: .github/workflows/licensed.yml
+4Lines changed: 4 additions & 0 deletions
diff --git a/‎.licenses/npm/node-fetch.dep.yml
Copy file name to clipboardExpand all lines: .licenses/npm/node-fetch.dep.yml
+1-1Lines changed: 1 addition & 1 deletion b/‎.licenses/npm/node-fetch.dep.yml
Copy file name to clipboardExpand all lines: .licenses/npm/node-fetch.dep.yml
+1-1Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/cache-save/index.js
Copy file name to clipboardExpand all lines: dist/cache-save/index.js
+28-2Lines changed: 28 additions & 2 deletions b/‎dist/cache-save/index.js
Copy file name to clipboardExpand all lines: dist/cache-save/index.js
+28-2Lines changed: 28 additions & 2 deletions
diff --git a/‎dist/setup/index.js
Copy file name to clipboardExpand all lines: dist/setup/index.js
+28-2Lines changed: 28 additions & 2 deletions b/‎dist/setup/index.js
Copy file name to clipboardExpand all lines: dist/setup/index.js
+28-2Lines changed: 28 additions & 2 deletions
diff --git a/‎package-lock.json
Copy file name to clipboardExpand all lines: package-lock.json
+3-3Lines changed: 3 additions & 3 deletions b/‎package-lock.json
Copy file name to clipboardExpand all lines: package-lock.json
+3-3Lines changed: 3 additions & 3 deletions
@@ -14,6 +14,10 @@ jobs:
     name: Check licenses
     steps:
       - uses: actions/checkout@v2
+      - name: Set Node.js 12.x
+        uses: actions/setup-node@v2
+        with:
+          node-version: 12.x
       - run: npm ci
       - name: Install licensed
         run: |
 
@@ -34585,9 +34585,17 @@ AbortError.prototype = Object.create(Error.prototype);
 AbortError.prototype.constructor = AbortError;
 AbortError.prototype.name = 'AbortError';
 
+const URL$1 = Url.URL || whatwgUrl.URL;
+
 // fix an issue where "PassThrough", "resolve" aren't a named export for node <10
 const PassThrough$1 = Stream.PassThrough;
-const resolve_url = Url.resolve;
+
+const isDomainOrSubdomain = function isDomainOrSubdomain(destination, original) {
+	const orig = new URL$1(original).hostname;
+	const dest = new URL$1(destination).hostname;
+
+	return orig === dest || orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest);
+};
 
 /**
  * Fetch function
@@ -34675,7 +34683,19 @@ function fetch(url, opts) {
 				const location = headers.get('Location');
 
 				// HTTP fetch step 5.3
-				const locationURL = location === null ? null : resolve_url(request.url, location);
+				let locationURL = null;
+				try {
+					locationURL = location === null ? null : new URL$1(location, request.url).toString();
+				} catch (err) {
+					// error here can only be invalid URL in Location: header
+					// do not throw when options.redirect == manual
+					// let the user extract the errorneous redirect URL
+					if (request.redirect !== 'manual') {
+						reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect'));
+						finalize();
+						return;
+					}
+				}
 
 				// HTTP fetch step 5.5
 				switch (request.redirect) {
@@ -34723,6 +34743,12 @@ function fetch(url, opts) {
 							size: request.size
 						};
 
+						if (!isDomainOrSubdomain(request.url, locationURL)) {
+							for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
+								requestOpts.headers.delete(name);
+							}
+						}
+
 						// HTTP-redirect fetch step 9
 						if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) {
 							reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect'));
 
@@ -37137,9 +37137,17 @@ AbortError.prototype = Object.create(Error.prototype);
 AbortError.prototype.constructor = AbortError;
 AbortError.prototype.name = 'AbortError';
 
+const URL$1 = Url.URL || whatwgUrl.URL;
+
 // fix an issue where "PassThrough", "resolve" aren't a named export for node <10
 const PassThrough$1 = Stream.PassThrough;
-const resolve_url = Url.resolve;
+
+const isDomainOrSubdomain = function isDomainOrSubdomain(destination, original) {
+	const orig = new URL$1(original).hostname;
+	const dest = new URL$1(destination).hostname;
+
+	return orig === dest || orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest);
+};
 
 /**
  * Fetch function
@@ -37227,7 +37235,19 @@ function fetch(url, opts) {
 				const location = headers.get('Location');
 
 				// HTTP fetch step 5.3
-				const locationURL = location === null ? null : resolve_url(request.url, location);
+				let locationURL = null;
+				try {
+					locationURL = location === null ? null : new URL$1(location, request.url).toString();
+				} catch (err) {
+					// error here can only be invalid URL in Location: header
+					// do not throw when options.redirect == manual
+					// let the user extract the errorneous redirect URL
+					if (request.redirect !== 'manual') {
+						reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect'));
+						finalize();
+						return;
+					}
+				}
 
 				// HTTP fetch step 5.5
 				switch (request.redirect) {
@@ -37275,6 +37295,12 @@ function fetch(url, opts) {
 							size: request.size
 						};
 
+						if (!isDomainOrSubdomain(request.url, locationURL)) {
+							for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
+								requestOpts.headers.delete(name);
+							}
+						}
+
 						// HTTP-redirect fetch step 9
 						if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) {
 							reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect'));