feat: cap maximum number of retries at 25

[johannschopplich]

🔗 Linked issue

Related:

• GHSA-q6hx-3m4p-749h

❓ Type of change

• 📖 Documentation (updates to the documentation, readme, or JSdoc annotations)
• 🐞 Bug fix (a non-breaking change that fixes an issue)
• 👌 Enhancement (improving an existing functionality like performance)
• ✨ New feature (a non-breaking change that adds functionality)
• 🧹 Chore (updates to the build process or auxiliary tools and libraries)
• ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

This PR adds a sanity default value for the configurable retries option.

This enhancement is suggested by @pi0 following the security issue detected by @OhB00. In the Nuxt module API Party the fetch options were passed to a server route, which consumed the fetch options as-is. This enabled attackers to force a retry value of whatever.

It might be best to set a maximum number of retries. Not only for security reasons, but also for developers as a safety measures.

📝 Checklist

• I have linked an issue or discussion.
• I have updated the documentation accordingly.

[codecov]

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (ff395c2) 56.86% compared to head (68c5f44) 57.00%.

❗ Current head 68c5f44 differs from pull request most recent head a83a5d2. Consider uploading reports for the commit a83a5d2 to get more accurate results

Files	Patch %	Lines
src/fetch.ts	71.42%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #343      +/-   ##
==========================================
+ Coverage   56.86%   57.00%   +0.13%     
==========================================
  Files          16       16              
  Lines         728      735       +7     
  Branches      113      114       +1     
==========================================
+ Hits          414      419       +5     
- Misses        303      305       +2     
  Partials       11       11              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pi0]

I think we can use a normal paragraph since no user action is involved...

[johannschopplich]

Good point!

[pi0]

What about introducing new maxRetries option to allow setting the default?

[johannschopplich]

I wonder if this defeats the purpose of this PR. My understanding was to include a sensible default for maximum retries. Instead of a maxRetries option, retries basically does the same, right?
If you dislike the idea of an internal maximum, which I completely get, please close this PR. 🙂

[pi0]

Well it could be a configurable global in fetch factory so basically it is second cap but also configurable if someone/framework/util needs too :)

[johannschopplich]

I don't think these changes are useful to most users. There are much more interesting PRs at hand to elevate ofetch to the next level, such as #357 for local/global interceptors.

So I'm closing this PR. All the best to ofetch! Love it. 🙌