Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump undici #510

Merged
merged 5 commits into from
Feb 20, 2023
Merged

Bump undici #510

merged 5 commits into from
Feb 20, 2023

Conversation

WalshyDev
Copy link
Member

This PR bumps undici to 5.20.0 which resolves GHSA-5r9g-qh6m-jxff and GHSA-r6ch-mqf9-qc9w. This removes the scary npm audit warnings when installing wrangler.

Continuing #508

Few things to note:

Still working through the few tests still failing... not sure why they're failing yet though.

Caused by: Error: To use the new ReadableStream() constructor, enable the streams_enable_constructors feature flag.

For some reason it's detecting ReadableStream in use even for a very basic test:

test("fetch mock", async () => {
  const fetchMock = getMiniflareFetchMock();

  fetchMock.disableNetConnect();
  fetchMock
    .get("https://example.com")
    .intercept({ path: "/" })
    .reply(200, "body");

  const response = await fetch("https://example.com");
  expect(await response.text()).toBe("body");
});

@changeset-bot
Copy link

changeset-bot bot commented Feb 19, 2023
edited
Loading

⚠️ No Changeset found

Latest commit: 0cfd518

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@mrbbot
Copy link
Contributor

mrbbot commented Feb 20, 2023

Hey! 👋 Thanks for the PR @WalshyDev and @Cherry. I've pushed some fixes that are passing tests locally, let's see if they pass CI. 🙂 I've reverted the bump to Node 16.17.0 too, since that would be a breaking change, and it looks like that segfault's just Vitest flaking.

@mrbbot mrbbot requested a review from penalosa February 20, 2023 13:16
mrbbot
mrbbot reviewed Feb 20, 2023
View reviewed changes
types/global.d.ts
@@ -2,6 +2,8 @@ declare global {
// TODO(soon): remove once included in `@types/node`
// eslint-disable-next-line no-var
var CryptoKey: typeof import("crypto").webcrypto.CryptoKey;
// eslint-disable-next-line no-var
var MessagePort: typeof import("worker_threads").MessagePort;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was required for undici type checking to pass.

packages/vitest-environment-miniflare/src/index.ts
globalThis.ReadableStream = stream.ReadableStream;
globalThis.WritableStream = stream.WritableStream;
globalThis.TransformStream = stream.TransformStream;
require("undici/lib/fetch");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just importing undici doesn't work here, as the fetch implementation is lazily imported

packages/core/src/standards/http.ts Outdated
export class Request extends Body<BaseRequest> {
// noinspection TypeScriptFieldCanBeMadeReadonly
#cf?: IncomingRequestCfProperties | RequestInitCfProperties;

constructor(input: RequestInfo, init?: RequestInit) {
// If body is a FixedLengthStream, set Content-Length to its expected length
const contentLength: number | undefined = (init?.body as any)?.[
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may replace init.body later on with a different ReadableStream, so extract contentLength first

@mrbbot mrbbot linked an issue Feb 20, 2023 that may be closed by this pull request
Update undici dependency due to vulnerability #507
Closed
penalosa
penalosa approved these changes Feb 20, 2023
View reviewed changes
packages/core/src/standards/http.ts Outdated Show resolved Hide resolved
packages/core/src/standards/http.ts Outdated Show resolved Hide resolved
packages/core/src/standards/streams.ts
Comment on lines +89 to +99
async pull(controller) {
let result = await reader.read();
while (!result.done && result.value.byteLength === 0) {
result = await reader.read();
}
if (result.done) {
queueMicrotask(() => controller.close());
} else if (result.value.byteLength > 0) {
controller.enqueue(result.value);
}
},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be reading the whole stream in one invocation of pull?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will only read the whole stream if all chunks are empty, which seems unlikely. The while loop is just there to ensure we get a non-empty result to enqueue.

@mrbbot mrbbot merged commit c9acef1 into cloudflare:master Feb 20, 2023
@tolbrino tolbrino mentioned this pull request Feb 23, 2023
Closed
mrbbot added a commit that referenced this pull request Mar 22, 2023
@mrbbot
Fix cloning of Responses constructed with byte streams, closes #527
0a2785d 
This applies the same fix for `Request` bodies from #510 to
`Response`s. Notably, byte streams are returned from lots of Workers
runtime APIs (e.g. KV, R2) to support BYOB reads. It's likely these
are then used in `Response`s and cloned for caching.
@mrbbot mrbbot mentioned this pull request Mar 22, 2023
Merged
mrbbot added a commit that referenced this pull request Mar 22, 2023
@mrbbot
Fix cloning of Responses constructed with byte streams, closes #527
221d07d 
This applies the same fix for `Request` bodies from #510 to
`Response`s. Notably, byte streams are returned from lots of Workers
runtime APIs (e.g. KV, R2) to support BYOB reads. It's likely these
are then used in `Response`s and cloned for caching.
mrbbot added a commit that referenced this pull request Mar 23, 2023
@mrbbot
Fix cloning of Responses constructed with byte streams, closes #527 (
015e1d6 
…#543)

This applies the same fix for `Request` bodies from #510 to
`Response`s. Notably, byte streams are returned from lots of Workers
runtime APIs (e.g. KV, R2) to support BYOB reads. It's likely these
are then used in `Response`s and cloned for caching.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mrbbot mrbbot mrbbot left review comments

@penalosa penalosa penalosa approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update undici dependency due to vulnerability
3 participants
@WalshyDev @mrbbot @penalosa