Update to @digitalbazar/http-client@3.

- Pulls in newer `ky` and `ky-universal` that should address security
  alerts and provide other improvements.
- Newer `ky` will throw errors on redirects even when in `manual`
  redirect mode. Now using `throwHttpErrors` option to turn off errors.
- One of the updated dependencies can cause tests to rewrite redirect
  `Location` URLs to be relative references. The global `URL` interface
  is now used to rebuild a full URL for further redirect processing.
- Newer `node-forge` will output a one-time warning if code even
  accesses `response.data`. `@digitalbazar/http-client` will forcefully
  set `data` *if* it detects a JSON content type. Calling code can't
  know if that happened, so currently needs to redo content detection to
  know if JSON `data` can be accessed. This is an issue for sites where
  JSON-LD was requested but the response is non-JSON with a `Link`
  header pointing to the JSON-LD.

Author: davidlehn

CHANGELOG.md

@@ -1,5 +1,13 @@
 # jsonld ChangeLog
 
+## 5.3.0 - 2022-xx-xx
+
+### Changed
+- Update to `@digitalbazaar/http-client@3`:
+  - Pulls in newer `ky` and `ky-universal` that should address security alerts
+    and provide other improvements.
+  - Use global `URL` interface to handle relative redirects.
+
 ## 5.2.0 - 2021-04-07
 
 ### Changed

lib/documentLoaders/node.js

@@ -143,7 +143,9 @@ module.exports = ({
           });
       }
       redirects.push(url);
-      return loadDocument(location, redirects);
+      // location can be relative, turn into full url
+      const nextUrl = new URL(location, url).href;
+      return loadDocument(nextUrl, redirects);
     }
 
     // cache for each redirected URL
@@ -163,7 +165,12 @@ module.exports = ({
 
 async function _fetch({url, headers, strictSSL, httpAgent, httpsAgent}) {
   try {
-    const options = {headers, redirect: 'manual'};
+    const options = {
+      headers,
+      redirect: 'manual',
+      // ky specific to avoid redirects throwing
+      throwHttpErrors: false
+    };
     const isHttps = url.startsWith('https:');
     if(isHttps) {
       options.agent =
@@ -174,7 +181,13 @@ async function _fetch({url, headers, strictSSL, httpAgent, httpsAgent}) {
       }
     }
     const res = await httpClient.get(url, options);
-    return {res, body: res.data};
+    // @digitalbazaar/http-client may use node-fetch, which can output
+    // a warning if response.data is accessed and no json was parsed.
+    // Used here is the same type detection logic so the data field is
+    // accessed only if the client likely tried to parse JSON.
+    const contentType = res.headers.get('content-type');
+    const hasJson = contentType && contentType.includes('json');
+    return {res, body: hasJson ? res.data : null};
   } catch(e) {
     // HTTP errors have a response in them
     // ky considers redirects HTTP errors

package.json

@@ -29,7 +29,7 @@
     "lib/**/*.js"
   ],
   "dependencies": {
-    "@digitalbazaar/http-client": "^1.1.0",
+    "@digitalbazaar/http-client": "^3.0.1",
     "canonicalize": "^1.0.1",
     "lru-cache": "^6.0.0",
     "rdf-canonize": "^3.0.0"