Remove isomorphic-fetch dependency #3782
Conversation
💥 No ChangesetLatest commit: fe963f8 Merging this PR will not cause any packages to be released. If these changes should not cause updates to packages in this repo, this is fine 🙂 If these changes should be published to npm, you need to add a changeset. This PR includes no changesetsWhen changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types Click here to learn what changesets are, and how to add one. Click here if you're a maintainer who wants to add a changeset to this PR |
Binary Size ReportAffected SDKs
Test Logs |
Size Analysis ReportAffected Products
|
| Type | Base (f900417) | Head (0182171) | Diff |
|---|---|---|---|
| size | 1.83 kB | 1.86 kB | +27 B (+1.5%) |
| size_with_ext_deps | 5.71 kB | 5.74 kB | +27 B (+0.5%) |
Dependencies
| Type | Base (f900417) | Head (0182171) | Diff |
|---|---|---|---|
| variables | DEFAULT_REGIONFUNCTIONS_TYPEfactorynameversion |
DEFAULT_REGIONFUNCTIONS_TYPEnameversion |
- factory |
httpsCallable
Size
| Type | Base (f900417) | Head (0182171) | Diff |
|---|---|---|---|
| size | 5.20 kB | 5.21 kB | +7 B (+0.1%) |
| size_with_ext_deps | 9.79 kB | 9.80 kB | +5 B (+0.1%) |
Dependencies
| Type | Base (f900417) | Head (0182171) | Diff |
|---|---|---|---|
| variables | Click to show 8 depsDEFAULT_REGIONFUNCTIONS_TYPELONG_TYPEUNSIGNED_LONG_TYPEerrorCodeMapfactorynameversion |
Click to show 7 depsDEFAULT_REGIONFUNCTIONS_TYPELONG_TYPEUNSIGNED_LONG_TYPEerrorCodeMapnameversion |
- factory |
useFunctionsEmulator
Size
| Type | Base (f900417) | Head (0182171) | Diff |
|---|---|---|---|
| size | 1.80 kB | 1.82 kB | +27 B (+1.5%) |
| size_with_ext_deps | 5.65 kB | 5.67 kB | +27 B (+0.5%) |
Dependencies
| Type | Base (f900417) | Head (0182171) | Diff |
|---|---|---|---|
| variables | DEFAULT_REGIONFUNCTIONS_TYPEfactorynameversion |
DEFAULT_REGIONFUNCTIONS_TYPEnameversion |
- factory |
@firebase/performance-exp
-
registerPerformanceSize
Type Base (f900417) Head (0182171) Diff size ? 16.4 kB ? (?) size_with_ext_deps ? 44.4 kB ? (?) Dependencies
Type Base (f900417) Head (0182171) Diff functions ? Click to show 46 deps
addToQueuechangeInitializationStatusconfigValidconvertMetricValueToIntegercreateNetworkRequestEntrycreateUserTimingTracedispatchQueueEventsgetApplicationInfogetAuthTokenPromisegetConfiggetDocumentReadyCompletegetEffectiveConnectionTypegetIidgetIidPromisegetInitializationPromisegetRemoteConfiggetServiceWorkerStatusgetStoredConfiggetVisibilityStateinitializePerfisPerfInitializedisValidCustomAttributeNameisValidCustomAttributeValueisValidMetricNamelogNetworkRequestlogTracemergeStringspostToFlEndpointprocessConfigprocessQueueregisterPerformancesendEventsToFlsendLogsendTraceLogserializeNetworkRequestserializeTraceserializersetupApisetupNetworkRequestssetupOobResourcessetupOobTracessetupTransportServicesetupUserTimingTracesshouldLogAfterSamplingstoreConfigtransportHandler? classes ? ApiPerformanceControllerSettingsServiceTrace? variables ? Click to show 44 deps
ATTRIBUTE_FORMAT_REGEXCONFIG_EXPIRY_LOCAL_STORAGE_KEYCONFIG_LOCAL_STORAGE_KEYCOULD_NOT_GET_CONFIG_MSGDEFAULT_CONFIGSDEFAULT_ENTRY_NAMEDEFAULT_REMAINING_TRIESDEFAULT_SEND_INTERVAL_MSERROR_DESCRIPTION_MAPERROR_FACTORYFID_WAIT_TIME_MSFIRST_CONTENTFUL_PAINT_COUNTER_NAMEFIRST_INPUT_DELAY_COUNTER_NAMEFIRST_PAINT_COUNTER_NAMEFIS_AUTH_PREFIXINITIAL_SEND_TIME_DELAY_MSMAX_ATTRIBUTE_NAME_LENGTHMAX_ATTRIBUTE_VALUE_LENGTHMAX_METRIC_NAME_LENGTHOOB_TRACE_PAGE_LOAD_PREFIXREMOTE_CONFIG_SDK_VERSIONRESERVED_ATTRIBUTE_PREFIXESRESERVED_AUTO_PREFIXSDK_VERSIONSERVICESERVICE_NAMETRACE_MEASURE_PREFIXTRACE_START_MARK_PREFIXTRACE_STOP_MARK_PREFIXVisibilityStateapiInstanceconsoleLoggeriidinitializationPromiseinitializationStatusisTransportSetuploggernameoobMetricsqueueremainingTriessettingsServiceInstanceversionwindowInstance? External Dependencies
Module Base (f900417) Head (0182171) Diff @firebase/logger? LogLevelLogger? @firebase/util? ErrorFactoryisIndexedDBAvailablevalidateIndexedDBOpenable? @firebase/app? default export? @firebase/component? Component?
Test Logs
| @@ -16,10 +16,22 @@ | |||
| */ | |||
| import { registerVersion } from '@firebase/app-exp'; | |||
| import { registerFunctions } from './config'; | |||
| import 'isomorphic-fetch'; | |||
| import 'whatwg-fetch'; | |||
There was a problem hiding this comment.
Instead of including a new polyfill, we can replace Header with a string map. I prefer to not include a new polyfill that only provides Header and given that the workaround is really simple.
There was a problem hiding this comment.
Fixed (it is a string-keyed object, fetch signature does not accept Maps).
| * https://github.com/apollographql/apollo-link/issues/513#issuecomment-548219023 | ||
| */ | ||
| // eslint-disable-next-line @typescript-eslint/no-explicit-any | ||
| (global as any).fetch = (nodeFetch as unknown) as typeof fetch; |
There was a problem hiding this comment.
I'm worried about introducing hard to debug issues in developers' app by patching globals. For example, they might use a different fetch polyfill which can be overwritten by our node-fetch polyfill depending on the import order. node-fetch might have a bug that the other polyfill doesn't have. It will be really hard for developers to track down the issue.
Though the chance of this kind of bug is slim, but it's not impossible, I think it's a good practice to not patch globals to future proof the SDK and developers' apps.
There was a problem hiding this comment.
Fixed, it is passed in now.
| }; | ||
|
|
||
| export function registerFunctions(): void { | ||
| export function registerFunctions(fetchImpl: typeof fetch): void { | ||
| const namespaceExports = { |
There was a problem hiding this comment.
Didn't notice it before, but exp packages don't use namespace exports, so it can be removed.
|
Hi! sorry to bother. Any ideas on when this one will be released? Thanks! |
|
It should be in this week's release, which will likely go out today sometime. I'm not sure what issue you are hoping to fix but it shouldn't affect functionality, it just fixes a potential vulnerability and will avoid an ugly warning message on npm install. |
|
Thanks for the answer! Yeah I had the same vulnerability and had to use node-fetch as well but it still remains for this package, I followed the issues and discussions related to the vuln so just wanted to know when it'll be merged as my boss is always aiming for the 0 vulnerabilities when doing npm i or npm audit lol |
|
Hi, I'm trying to build a website with Gridsome, and the build process gives me the following error, which I believe is related with this commit: If I edit the file But I don't want to edit that file in node_modules... do you know if there is another way to solve this problem? Thanks! |
|
See issue #3890 Just released a fix in 7.22.1 |
The
isomorphic-fetchdependency has not been updated in years and depends on an older version ofnode-fetchwhich has now been discovered to have security issues. Removing isomorphic-fetch and consuming node-fetch directly.I tried another approach that involved passing the node-fetch implementation directly into the functions service, but it involved passing through many layers, and since it is passed into the Service constructor, the
createTestServicetest util function needs to detect the environment and pass the correct fetch implementation as well which seems like a lot of places. This seems like the simplest approach and only touches theindex.node.tsfile.Fixes #3768