follow-redirects is vulnerable to information disclosure. The vulnerability exists because the HTTP Authorization header is sent via an insecure HTTP channel when a same-hostname HTTPS-to-HTTP redirect is received, allowing attackers in the same network to discover credentials by sniffing the network traffic.